Author Archive
Amazon / Google Spam
Posted by: | CommentsBut it looks like an Amazon ad. It’s Not!
Beware of a email that looks like an product selection or monthly deal from Amazon. There are many places to click to see pictures, unsubscribe, etc. It is spam to get access to your computer.
Businesses today are using more online shopping carts and online marketing services to inform customers about their products. As spammers start coping the look and feel of your emails then they cause everyone to erase anything that come electronically from any company. Legitimateor not. I can’t tell you how many deals I have been offered by companies simply because I don’t trust the email. And some of these deals were legit.
So if you do use auto-responders only use ones from reputable companies.
Individuals, if in doubt always check the links by hovering you mouse over it and reading the URLdata. If it does no look right, don’t click. If by chance you have, be sure you have a strong anti-virus program so block access and protect your computer and data.
The Cloud Goes Green, but is it Secure?
Posted by: | CommentsRecently I received an invite to a webinar discussing how companies are transforming their business by using more cloud-like infrastructure. The argument is that it saves the company’s enery and reduces their carbon footprint.
While I am not here to dispute these claims, I do warn any company that migrates to more cloud infrastructure to make security of the data paramount in their plan. Especially with the many state and federal privacy protection laws on the books. As been blogged about before, the average cost on a company from a data breach in 2009 was $6.7 million per incident. Read More→
It’s 10pm, do you know where your PII is?
Posted by: | CommentsThe federal government recently published a guide on protection Personal Identifiable Information (PII). There are two aspects to PII that every company must be aware of:
1) What information information is considered confidential, &
2) Where this information is stored in the company. Read More→
Tufin Survey Finds One in Six New York Teenagers Hack — And Rarely Get Caught
Posted by: | Comments(NOTE from the IDProtectionExpert: Here is an article that I wanted to share. The teenage hacker is alive and well.)
Ramat Gan, Israel, April 14, 2010: Tufin Technologies, the leading provider of Security Lifecycle Management Solutions, today announced survey results that reveal the hacking habits of 1000 New York City teenagers. Exactly half (50%) of US kids sampled revealed they’d had their Facebook or email account hacked, which may explain why 75% feel hacking is wrong and 70% think it should be considered a criminal offense. However, 39% of the teens surveyed think hacking is “cool” and 16%, or roughly one in six, admitted to trying their hand at it. Only 15% of the entire sample has either been caught or knows someone who has – particularly disturbing considering 7% of young hackers reported they did so for money and 6% view it as a viable career path. Read More→
Power LogOn Secures the Cloud by Bringing Security Down to Earth
Posted by: | CommentsWhy are cyber thieves attacking the clouds? Because that’s where the information is!
Power LogOn by Access Smart® has proven itself to secure cloud application access without the high cost of ownership found in other security solutions. The cloud has helped make businesses more competitive, employees more efficient and consumers more connected. Cloud solutions are available for almost every business need: legal forms to healthcare patient records, accounting data to word-processing, CRMs to order processing. With so much valuable data out in the clouds data, the allure is too great for cyber thieves.
Cyber attacks are becoming an epidemic. While companies are trying to add more backend security like firewalls, encryption and CAPTCHAs to protect their data, the user’s access point or “front door” is still being locked with a virtual hook and eye latch.
The law may consider your business a bank!
Posted by: | CommentsThere’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?
There is a little known code call the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers you are essentially to be treated as a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers – but even if your business consists of even one person, you still are treated as a bank. As such, if your company has money wired out of it’s account, the bank isn’t to be held liable – or at least that’s been their argument. This is happening all the time, so why aren’t we hearing about it all the time? Well that leads me to the worst part of this story.
The banks have essentially two options if a company takes them to court. They can win the case, or they can lose the case. If they win, that leaves the company in question free to say and do whatever they want (as is the case with TD Bank above). If they loose the case, it essentially creates precedence and can open the bank to class action lawsuits to overturn the UCC. Either way, it’s a bad day for the bank. So they opt for the third choice which is to delay the inevitable. They make these poor businesses wait for sometimes years before they will begrudgingly settle for somewhere shy of the full amount. Sometimes companies just give up, and sometimes they take the money and sign the NDAs. Either way, that’s a much better outcome than letting something get litigated. So yes, those poor companies are getting the run around, and we don’t get to hear about it because at the end of the day they are all signing NDAs.
So, if you run a company, be prepared for the worst when it comes to how the bank is going to treat you if someone steals your money. There don’t appear to be any safeguards other than individual contracts you might be able to get your bank to sign and agree to. However, if anyone happens to work for a bank, and can guarantee that money held there will be treated just like physical cash (and reimbursed just like if it is stolen out of the vault), I’m sure companies would flock to you – I know a lot of small businesses that would like to know that their money is safe, and right now, it just isn’t with TD Bank and their ilk. In the meantime, I sort of hope some lawyer is salivating at the prospect of a class action suit.
Twitter, Facebook, etc. Cyber Terrorism
Posted by: | CommentsPhishing and Shear phishing emails from unknown babes and beef cakes want to frined you and they want you to click on the link to add. These people are trying to place a virus on your computer.
Don’t friend these people.
A tip off is you see how many people are following them it usually a very low number. You also want to be sure you have a strong anti-virus program to protect your computer.
Be careful of who you friend and if you don’t know them or they are not part of your circle don’t accept them. And no matter what don’t click onto any of their links or pictures.
Justin Williams’ on Twitter Security
Posted by: | CommentsJustin writes a great article about the Twitter hack (see below). Password security is much more than about just having strong passwords, it is also about managing passwords. If a company’s IT department puts the burgen on users to change passwords frequently and to have longer passwords, then users will write them down on notes for people to find.
SOLUTION: Invest in a secure password manager that is based on smartcard technology.
JUSTIN WILLIAMS: Twitter hacking points out need to secure information
Back in May, Twitter was hacked by someone who got into the accounts of several of the company’s employees. The hacker also gained access to the Twitter accounts of several high-profile users.
Besides just snooping around, the hacker gathered hundreds of documents from Twitter’s Google Docs account — including employee lists, credit card numbers, contracts, meeting notes and salaries. Last week those documents ended up in the hands of TechCrunch, a popular Internet blog, which posted many of the documents outlining Twitter’s business strategies and financial forecasts.
How did the hacker gain access to this information? Relatively easily, actually. He acquired a Twitter employee’s Google password, which gave him access to e-mail, Google Docs and more. He didn’t use a dictionary attack or guess the password. Instead, he used the password recovery features of Gmail which will e-mail the password to a secondary e-mail account. In this case, the secondary account was an expired Hotmail account that, when reregistered, had the recovery e-mail from Google waiting there.
While your e-mail and secrets may not be as tantalizing as Twitter’s, this episode should serve as a reminder to think hard about how secure your computing practices are.
First and foremost you want to make sure you have a good password — a mixture of letters, numbers and symbols. It also should have a mixture of upper and lowercase letters. You want to avoid common words and names because they can be cracked fairly easily by trying to log in using every word in the dictionary.
You also should have a unique password for each Web site you visit. Having a unique password per site gives you an extra layer of protection should that account be compromised because the intruder won’t be able to access any other sites you may use.
Remembering dozens of passwords isn’t practical, so I recommend using a password manager that integrates with your Web browser. On the Mac, I swear by 1Password (agilewebsolutions.com/products/1Password). I let it generate and manage all my passwords, personal information and online credit cards. I also use 1Password to fill out online forms for me through its integrated browser plug-in. RoboForm (www.roboform.com) offers an excellent alternative to 1Password for the Windows platform. It seamlessly integrates with both XP and Vista machines and works in Firefox and Internet Explorer.
Twitter’s misfortune is a reminder of good password practices, but it also may be a warning sign of what the future holds for cloud computing. The blow to Twitter would have been much less if the company had not been storing all of its sensitive documents and information in Google Docs, an online equivalent to Microsoft Office. If you can’t imagine something getting in the hands of wrongdoers, it is probably better to keep it stored locally in your home or office instead of on a server somewhere on the Internet.
Justin Williams is the owner of Second Gear, a local Web and software development firm. He can be reached at justin@secondgearllc.com.
Security Talk #8 – Cyber Crime Protection
Posted by: | CommentsTodd Stefan – President of Talon Cyber Tec – discusses how business owners can protect their business from cyber crimes. Proper security also allows business owners to qualify for data breach insurance. 
Protecting Your Company From An Online Data Breach
Posted by: | CommentsWhy do data thieves attack corporate computer networks? Well, to paraphrase Willie Sutton, it’s because that’s where the data is. As I said in a previously blog, a data breach is usually done in one of two ways.
A data thief will either employ physical means, such as dumpster diving, social engineering or a simple break-in; or via the internet. No business today can afford to be left behind technologically, meaning that in every corporate environment there are computers, networks and electronically stored information.
