Tag Archive for PII

| April 7, 2016
Comments Off on 9 Emails You Should Never Open

9 Emails You Should Never Open

9 Emails You Should Never OpenThe increasing pace of life coupled with mobile computing which bombards us with emails and messages, from more sources, and across more devices than ever before has created what Proofpoint calls a generation of trigger-happy clickers.

fake emails from cyber criminals.Trigger-happy clickers are falling more and more for fake emails from cybercriminals. These fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link according to the article. To put that into context a legitimate marketing department typically expects <2% click rate on their advertising campaigns.

So, despite the best efforts of security professionals, too many people are still falling prey to email scams at home and work. Whether it’s a get-rich-quick scheme or a sophisticated spearphishing attack, here are some emails to steer clear of:

1. The government scam

These emails look as if they come from government agencies, such as the IRS, FBI, or CIA. If these TLA’s want to get a hold of you, it won’t be through email.

2. The “long-lost friend”

tries to make you think you know themThis scammer tries to make you think you know them, but it might also be a contact of yours that was hacked.

3. The billing issue

These emails typically come in the form of legitimate-looking communications. If you catch one of these, log into your member account on the website or call the call center.

4. The expiration date

A company claims your account is about to expire, and you must sign in to keep your data. Again, sign in directly to the member website instead of clicking a link in the email.

5. You’re infected

you’re infected with a virusA message claims you’re infected with a virus. Simple fix: Just run your antivirus and check. In a recent twist, scammers claiming to be computer techs associated with well-known companies like Microsoft. They say that they’ve detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don’t need.

Scammers have been peddling bogus security software for years. They set up fake websites, offer free “security” scans, and send alarming messages to try to convince you that your computer is infected with malware. Then, they try to sell you software to fix the problem. At best, the software is worthless or available elsewhere for free. At worst, it could be malware — software designed to give criminals access to your computer and your personal information.

But wait it gets worse – If you paid for their “tech support” you could later get a call about a refund. The refund scam works like this: Several months after the purchase, someone might call to ask if you were happy with the service. When you say you weren’t, the scammer offers a refund.

Or the caller may say that the company is going out of business and providing refunds for “warranties” and other services.

The scammers eventually ask for a bank or credit card account number. Or they ask you to create a Western Union account. They might even ask for remote access to your computer to help you fill out the necessary forms. But instead of putting money in your account, the scammers withdraw money from your account.

6. You’ve won

you won a contest you never enteredClaims you won a contest you never entered. You’re not that lucky; delete it. It’s illegal to play a foreign lottery. Any letter or email from a lottery or sweepstakes that ask you to pay taxes, fees, shipping, or insurance to claim your prize is a scam.

Some scammers ask you to send the money through a wire transfer. That’s because wire transfers are efficient: your money is transferred and available for pick up very quickly. Once it’s transferred, it’s gone. Others ask you to send a check or pay for your supposed winnings with a credit card. The reason: they use your bank account numbers to withdraw funds without your approval, or your credit card numbers to run up charges.

7. The bank notification

An email claiming some type of deposit or withdrawal. Give the bank a call to be safe.

8. Playing the victim

emails make you out to be the bad guyThese emails make you out to be the bad guy and claim you hurt them in some way. Ignore.

9. The security check

A very common phishing scam where a company just wants you to “verify your account.” Companies almost never ask you to do this via email.

What To Do Instead of Clicking Links

In the case of your bank or other institution, just go to the website yourself and log in. Type in the address manually in the browser or click your bookmark. That way you can see if there’s something that needs taken care of without the risk of ending up on a phishing site.

In the case of your friend’s email, chances are that they copied/pasted the link into the message. That means you can see the full address. You can just copy/paste the address into the browser yourself without clicking anything. Of course, before doing that make sure you recognize the website and that it’s not misspelled.

Proofpoint’s bottom line is that unless you explicitly know and trust it, avoid it. That’s all there is to it. Make this a habit and you can avoid one of the biggest mistakes in internet safety.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
| January 25, 2016
Comments Off on 2015’s Worst Passwords

2015’s Worst Passwords

2015's Worst PasswordsFollowers of Bach Seat know that passwords suck. For even more proof that passwords suck, the password-management company SplashData released its fifth annual list of the most popular passwords. SplashData studied more than 2 million passwords that were leaked in 2015 and identified the most commonly leaked passwords and those that were least secure from Western European and North American users according to Business Insider.

2015’s worst passwords

SplashData logoMost of the 2015 results are not surprising.

  • 123456 is the most common password. It has been #1 since 2013.
  • Password is the second most common password. It too has been #2 since 2013. Password was the most common password in 2012 and 2011.
  • 12345678 is the third most common password found in the Splash data results. In fact, 12345678 has been the most consistent performer, having been in the #3 place four of the past five years.

One surprise was that the Disney marketing machine was able to get Star Wars related terms into the top 25 worst passwords in 2015.

  1. princess
  2. solo
  3. starwars

Here’s SplashData’s full list. If your password is on here, think about changing it.

25 Worst passwords

20152014201320122011
1123456123456
123456
password
password
2passwordpasswordpassword123456
123456
3123456781234512345678
12345678
12345678
4qwerty12345678
qwerty
1234
qwerty
512345qwertyabc123qwertyabc123
612345678912345678912345678912345
monkey
7football1234
111111dragon
1234567
81234baseball
1234567pussy
letmein
91234567dragoniloveyou
baseball
trustno1
10baseballfootballadobe123
football
dragon
11welcome1234567123123
letmein
baseball
121234567890 monkey
admin
monkey
111111
13abc123letmein
1234567890
696969
iloveyou
14111111abc123
letmeinabc123
master
151qaz2wsx111111photoshopmustang
sunshine
16dragonmustang1234michaelashley
17masteraccessmonkey
shadow
bailey
18monkeyshadow
shadowmasterpassw0rd
19letmeinmastersunshinejennifer
shadow
20loginmichael
12345
111111
123123
21princesssupermanpassword1
2000
654321
22qwertyuiop696969princessjordansuperman
23solo123123azertysupermanqazwsx
24passw0rdbatmantrustno1harleymichael
25starwarstrustno10000001234567football

 

Protect yourself

keep your passwords secureTo keep your passwords secure, you definitely shouldn’t use any of the passwords on the list.

SplashData offers three simple tips to help people protect themselves:

  1. Use passwords or passphrases of twelve characters or more with mixed types of characters;
  2. Avoid using the same password over and over on different websites
  3. Use a password manager such as SplashID to organize and protect passwords, generate random passwords, and automatically log into websites.

rb-

What to do if you are responsible for securing systems where your users use these passwords? Stop Them!

This is what makes passwords suck – Implement complexity rules:

  • Minimum of 8 characters
  • A mix of characters, UPPER CASE, lower case, numbers, and special characters.
  • Prevent reusing passwords
  • Blacklist all the above passwords so they can never be used again.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , ,
| December 30, 2015
Comments Off on Target Wish List Leaking Your Data

Target Wish List Leaking Your Data

Target Wish List Leaking Your DataThe holiday shopping season has not been merry for mega-mart Target. You would think the mega-retailer that leaked info on 110 million customers would learn how to keep their customers’ info secure but NOOOO. The anti-virus firm AVAST has discovered the Target (TGT) Wish List app is leaking your data, your personally identifiable information (PII).

Data leakThe Avast Blog says that if you created a Christmas wish list using the Target app it is leaking your data.  it might be accessible to more people than you want to actually receive gifts from. The Target app keeps a database of users’ wish lists, names, addresses, and email addresses.

Alarmingly, for a firm that has privacy issues, the Target app’s backend interface is not secured. This allowed the database to be accessed over the Internet. The author reports that the Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need to parse all the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.

Leaking your data

while developers investigate

The JSON file that the AVAST researchers requested from Target’s API leaked lots of interesting data. The leaked data included: users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries. The AVAST researchers did not store any PII, but they did aggregate data from 5,000 inputs for statistical analysis.

The AVAST researchers took the sample and looked at which some of the data they got. It included; brands, states the Target app users are from, and the most common names of people using Target’s app.

Leasked info

This appears to be a classic case of security by obfuscation. The app developers created the online API for data that is uploaded by Target. They also set up a separate API in tandem so that the retail chain could download and process the uploaded data – but without any security measures in place.

Target has reached a $39.4 million settlementIn a post on Ars Technica, a Target spokesperson said that it has suspended elements of the app while developers investigate. Hopefully, this should mean that the data-leaking has stopped while the backend has been disabled.

In other Target data breach news FierceITSecurity reports that Target has reached a $39.4 million settlement with banks and credit unions over claims they lost millions of dollars as a result of the massive 2013 data breach at the retailer. The massive data breach at Target exposed the credit and debit card numbers of 40 million customers to hackers and personal information on another 70 million.

The settlement, if accepted, will resolve class-action lawsuits by the banks and credit unions seeking reimbursement for fraudulent charges and issuing new cards. Of the $39.4 million, $20.25 million will be paid to banks and credit unions, and $19.11 million will be paid to reimburse MasterCard card issuers.

cautionary taleThis follows settlements that Target reached with Visa card issuers for $67 million and with customers for $10 million. Target estimated that the breach so far has cost it $290 million, with insurers picking up $90 million, according to a filing with the Securities and Exchange Commission last week. Target is not out of the woods yet. It still has to deal with shareholder lawsuits and a probe by the Federal Trade Commission and state attorneys general related to the data breach.

Fred Donovan at FierceITSecurity says Target is a cautionary tale for any enterprise. Despite handling billions of dollars in credit card transactions, the retailer did not have one person responsible for IT security at the time of the breach. While it had a network security system in place, it did not have IT security personnel skilled enough to recognize an alarm the system set off months before Target discovered the breach.

rb-

Cash is king, especially at Target.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| November 24, 2015
Comments Off on Television Sells Your Viewing Habits

Television Sells Your Viewing Habits

– Updated 03-26-2017 –  Vizio will pay $2.2 million to the FTC and the state of New Jersey to settle a lawsuit alleging it collected customers’ television-watching habits without their permission.

In addition to the $2.2 million in payments, Vizio will now have to get clear consent from viewers before collecting and sharing data on their viewing habits. It’ll also have to delete all data gathered by these methods before March 1st, 2016 according to the Verge.

Television Sells Your Viewing HabitsJust in time for the Black Friday consumerism orgy of spending, Help Net Security reports that you are giving away more than cash when you buy a Smart Television from Best Buy or whoever. It turns out that owners of Smart TVs manufactured by California-based consumer electronics company Vizio (VZIO) viewing habits are being tracked and sold to third parties. The Vizio privacy policy says;

Vizio logo… VIZIO will use Viewing Data together with your IP address and other Non-Personal Information in order to inform third party selection and delivery of targeted and re-targeted advertisements … delivered to smartphones, tablets, PCs or other internet-connected devices that share an IP address or other identifier with your Smart TV.

Vizio’s competitors Samsung (005930) and LG Electronics (LGLD) can also track users’ viewing habits via their smart TV offerings, ProPublica‘s Julia Angwin pointed out, but the feature has to be explicitly turned on by the users. The collection of viewing data by Vizio’s Smart TVs is turned on by default, as is the Smart Interactivity feature that manages it.

Data miningAccording to the IEEE, Vizio smart TVs can track data related to whatever TV programming and related commercials you’re watching and link such data with the time, date, channel, and TV service provider. On most of the over 15 million Smart TVs sold, Vizio will also track whether you view TV programs live or later on. Vizio knows what you’re watching even if it’s a DVD being played on a gaming console or a show being watched via cable TV. The identification tracking technology can differentiate between 100 billion data points.

While, in theory, IP addresses are not personal information, they actually can be linked to individuals if there is enough information (specific attributes like age, profession, etc.) tied to it.

Data collectionProPublica‘s Angwin’s sources, tell her that Vizio has been working with data broker Neustar to combine viewing data with this type of information about the user.

Even though users can turn off the spy technology, which will not won’t affect the device’s performance, the problem is that many, many users won’t bother reading the privacy policy or change the default settings once they set up the TV and start using them.

TechHive reports that backlash against intrusive spying has started. Two lawsuits (Reed v. Cognitive Media Network, Inc. (PDF) and David Watts et. al. v Vizio Holdings Inc et. al. (PDF)) have been filed in California against Vizio and their partners about their data collection habits.

The suits accuse Vizio and Cognitive of secretly installing tracking software on the former’s smart TVs in a way that violates various federal and state laws.

Legal systemThe suits allege that Vizio violated the Video Privacy Protection Act. The Video Privacy Protection Act prohibits any company engaged in rental, sale, or delivery of audio-visual content and not necessarily just videotapes from divulging any personally identifiable information about its customer to a third party, except where the customer has clearly consented to such data sharing.

Of course, Vizio has previously argued it’s not a videotape service provider at all, and so this particular law doesn’t apply to it.

rb-

I pointed out as far back as 2011 that Smart TVs are a dumb idea for privacy.

Consumer Reports offers tips on how to stop your Smart TV from spying on you here.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
| October 6, 2015
Comments Off on Online Dangerous Celebrities 2015

Online Dangerous Celebrities 2015

Online Dangerous Celebrities 2015It that time of year again! McAfee Intel Security has named the most dangerous celebrities on the Intertubes. And I have no idea who Electronic Dance Music (EDM) DJ Armin van Buuren is. Despite that, he is Intel’s most dangerous web celeb. To regain my street creds – I have been gone to DEMF –YO PEACE OUT. The EDM DJ replaces talk show host Jimmy Kimmel as Intel Security’s most dangerous celebrity to search for online.

For the ninth year in a row, The Intel Security Most Dangerous Celebrities™ study revealed that searches for certain musicians and comedians tend to expose Internet searchers to more possible viruses and malware.

The presser from Intel (INTC) Security warns that cybercriminals are always looking for ways to take advantage of consumer interest around popular culture events including award shows, TV shows, and movie premieres, album releases, celebrity breakups, and more. They capitalize on this interest by enticing unsuspecting consumers to sites laden with malware, which enables them to steal passwords and personal information.

Stacey Conner, online safety expert at Intel Security says that trying to download or listen to free music can be especially risky.

Celebrity names combined with the terms ‘free MP4, ‘HD downloads,’ or ‘torrent’ are some of the most searched terms on the Web … When consumers search for music that is not made available through legitimate channels, they put both their digital lives and devices at risk.

Top 10 risky celebrities

The top 10 celebrities from the 9th annual Intel Security Most Dangerous Celebrities™ study with the highest risk percentages are:

  1. Armin van BuurenBetty White one 2015s most dangerous celebs online
  2. Luke Bryan
  3. Usher
  4. Britney Spears
  5. Jay Z
  6. Katy Perry
  7. Amy Schumer
  8. Betty White
  9. Lorde
  10. Nina Dobrev

Musicians are 7 of the top 10 riskiest online celebrities (and good click-bait). Other risky artists in the top 20 are:
Justin Bieber (No. 11),
Rihanna (No. 12),
Jennifer Lopez and Kenny Chesney (tied at No. 13),
Selena Gomez (No. 14),
Zendaya (No. 15),
Kanye West (No. 16),
Afrojack and Miley Cyrus (tied at No. 19), and
Nick Jonas (No. 20).

Other celebrities who round out the 20
Sandar Bullock one 2015s most dangerous celebs onlineriskiest online celebrities.
Antonio Banderas (No. 14),
Nicole Kidman (No. 15),
Zac Efron (No. 17),
Natalie Portman (No. 18),
Paul Wesley (No. 18)
Sandra Bullock (No. 19),
Jennifer Lawrence (No. 20),

Riskiest celebrities around the world

Better Protect Yourself

While doing your star-struck surfing, Intel Security offers some suggestions on How You Can Better Protect Yourself:

  • Katie Perry one 2015s most dangerous celebs onlineBeware of clicking on third-party links. You should access content directly from the official websites of content providers. For example, visit reputable site ComedyCentral.com to find Amy Schumer’s latest episodes.
  • Use web protection that will tell you of risky sites or links before you visit them and it’s too late. Stick to official news sites for breaking news.
  • Only download videos from well-known, legitimate sites. Most news clips you’d want to see can easily be found on official video sites and don’t require you to download anything.
  • Use caution when searching for “HD downloads.” This term is by far the highest virus-prone search term. Consumers searching for videos or files to download should be careful not to unleash unsafe content such as malware onto their computers.
  • Always use password protection on all mobile devices. If you don’t and your phone is lost or stolen, anyone who picks up the device could have access to your personal information online.
  • Don’t “log in” or give other information. If you receive a message, text, or email or visit a third-party website that asks for your information — including your credit card, email, home address, Facebook login — to grant access to an exclusive story, don’t give it out. Such requests are a common tactic for phishing that could lead to identity theft.
  • Search online using a tool, such as McAfee® WebAdvisor software, which protects users from malicious websites and browser exploits.

rb-

Maybe I’m just being grumpy, but McAfee has done this for 9 years and people are still falling for this online celebrity malware staff – sigh – They were right – One born every day.

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »