Sometimes you just wonder about the decision making process. The SEC told the New York Stock Exchange that computers which have sensitive information about its Trading and Markets Division were left open to cyber attacks. It gets worse. The people who have those computers brought them unprotected to a Black Hat conference, a convention that computer hacking experts love to attend to learn about the latest trends.
What an invitation to hack! The SEC claims there is no evidence that data was compromised, but we've heard that before, usually followed by a company's promising free credit monitoring for a year to its customers. Just to be sure, the SEC spent at least $200K and hired a third-party firm to conduct an exhaustive analysis to determine if any data was indeed compromised.
What I can't wrap my head around is that this is government. There are policies. Or so there should be. People who work on laptops in the office tend to take them home because they don't want to incur the costs of buying their own. But. It's. Not. Their. Personal. Property. Also, the SEC isn't sure why their staffers brought their computers to the convention. My guess? WiFi. They wanted to check their personal email and Facebook.
It's a tough call, but someone in every organization has to set up rules, and employees should use their judgment. Even though it's a nuisance, I carry two smartphones and my personal iPad with me. I do not want my personal email on my company devices. For me, it's about separation of church and state. But enough about me. I don't want to be called into a group meeting and be told to be careful. Put it in an employee handbook in the first place. No company laptops or tablets may be removed from the premises without prior authorization. No unprotected devices may leave the building. Ever. How difficult is that?
Tuesday, November 13, 2012
Wednesday, October 24, 2012
A Book, A Nook and A Crook
Pity Barnes and Noble. While Borders was going belly-up and Amazon released the Kindle Fire, Barnes and Nobel started to look for a buyer for itself and took its eyes off security. It doesn't take long for bad things to happen. Recently the bookseller admitted that hackers hit 63 of its stores in nine states, including at least nine stores in the New York area.
Barnes and Noble first learned of the attack in mid-September and happily complied with the Justice Department's request not to disclose the problem yet, but wait until December 24 to tell its customers so that the FBI can conduct an investigation.
That would have been one nasty Christmas present. Barnes and Noble explained that the hackers "planted bugs in tampered PIN pad devices" and when credit cards were swiped for payment, so were credit card and pin numbers.
Flashback to 30 years ago when capsules of Extra-Strength Tylenol were tampered with and laced with cyanide. In theory, McNeil Consumer Products, the subsidiary of Johnson and Johnson, was not responsible for the tampering. The product left their distribution centers and they had no control once the product was placed on the shelves. But the company immediately pulled the product, halted advertising and changed their packaging to regain customers' trust.
Note to Barnes and Noble's CEO: Take a page from that playbook. When a crisis happens, manage it and fix it. Don't hide it.
Every individual who has a credit card, should spend time looking online at the account activity. Most major credit cards now post pending transactions in real time. I get notices when my card is being used. I even spooked my wife by calling her and asking what she just bought at a particular store.
One more thing, Barnes and Noble. Don't skimp on security. It doesn't make you look good.
Barnes and Noble first learned of the attack in mid-September and happily complied with the Justice Department's request not to disclose the problem yet, but wait until December 24 to tell its customers so that the FBI can conduct an investigation.
That would have been one nasty Christmas present. Barnes and Noble explained that the hackers "planted bugs in tampered PIN pad devices" and when credit cards were swiped for payment, so were credit card and pin numbers.
Flashback to 30 years ago when capsules of Extra-Strength Tylenol were tampered with and laced with cyanide. In theory, McNeil Consumer Products, the subsidiary of Johnson and Johnson, was not responsible for the tampering. The product left their distribution centers and they had no control once the product was placed on the shelves. But the company immediately pulled the product, halted advertising and changed their packaging to regain customers' trust.
Note to Barnes and Noble's CEO: Take a page from that playbook. When a crisis happens, manage it and fix it. Don't hide it.
Every individual who has a credit card, should spend time looking online at the account activity. Most major credit cards now post pending transactions in real time. I get notices when my card is being used. I even spooked my wife by calling her and asking what she just bought at a particular store.
One more thing, Barnes and Noble. Don't skimp on security. It doesn't make you look good.
Get ready for Halloween: Scareware, Scams and other Nasty Tricks!
Top 4 Scary Internet Threats Users NEED to Know
Guest Blog Post by Nick Nascimento
Amid a season of Halloween horrors, the scariest thing most of us will contend with are the litany of Internet threats that can readily crash our computer system and wreak havoc on our personal and business lives.
To compute with confidence this season, heed this hit list of "scareware"-the 4 creepiest threats Internet surfers should be aware of right now:
1. The FBI MoneyPak Trojan. This is in a class called "ransomware." which are Trojans or Virus' that force you to PAY for them to "remove it " and of course after you pay they never do, If while surfing the Internet your computer screen is filled with a FBI warning page that claims you have to pay the $100 fine, you're infected! Most of the time, ransomware locks up the user's desktop, disables task manager and other system utilities to avoid the termination of the process by the user as well. However, FBI MoneyPak ransomware takes it to the entirely new level by adding a little video recording square in the top right corner of the fake FBI warning page. It supposed to be your built-in web camera. Curiously, this little square shows up even if your laptop doesn't have a built-in camera.
FBI MoneyPak is a very convincing looking scam. It has the official FBI logo at the top and lists victim's IP address, location, and the name of their ISP. The fake warning claims that your PC has been locked by FBI because you downloaded or distributed copyrighted material or viewed child pornography. Creepy, isn't it? And, it asserts that if you don't pay the fine you will go to jail. Simply visiting an infected web site is enough to trigger this exploit kit which will download a malicious DLL file onto your computer. This is an Advanced level Bug to deal with so if you are not familiar with more advanced parts of your computers operating system such as editing the registry etc. it's advisable to consult a professional Removal Specialist.
2) Malicious 'eventvwr' SCAM from Offshore Call Centers. This second troublemaker doesn't START with your computer but it very well ends there. This scam can be especially dangerous for unsuspecting, less computer-savvy target victims. The scam goes like this: You get a call from a guy with a generic name such as "Adam Smith" who explains to you that he's a registered Microsoft technician and received a call alerting him that your IP address is the source for serious attacks on their servers due to multiple computer virus infections on your end. If you ask for any information on the source or target IP addresses involved, the person will attempt to deflect the question, and inform you that he/she is unauthorized to provide you that information!
They will proceed to try convincing you that your computer is full of viruses (based on some standard status and error messages automatically generated by your computer), and they try to get you to grant them complete access to your entire computer, including passwords, credit cards, and other sensitive information, via the free "Ammyy Admin" remote desktop control software. If you don't agree to buy their useless, thieving "support services", they'll use the computer access you openly granted them to damage your computer and randomly delete files.
3) Fake Virus Alerts / Scareware. One of the most virulent is known as "MSREMOVAL TOOL".?It is just ONE of the Fake Virus removal programs that install themselves onto your PC and request Money to make them work.?THEY WILL NOT WORK AND IF YOU PAY THEM THEY WILL NOW HAVE YOUR CREDIT CARD INFORMATION. Here are the two most common ways they are distributed:
(a) Via Infected IMAGES you may view Via Search engines!
(b) Via Pop - UNDERS (pop-ups that hide behind the page you are viewing.) When you see that FLASH be sure to LOOK QUICKLY. You just may see a very small window that is downloading the Malware CLOSE IT!! If it completes its task it will then launch that warning window. That is the other way they are delivering this malware.
4) FakeInst SMS Trojan and its variants. Now we turn to the most overlooked segment for attacks: mobile users. Mobile users are MUCH easier to attack, not just because of their cell phone vulnerabilities but the fact that people do not even THINK about their phones as the Small Computers they are.
"FakeInst disguises itself as popular apps like Instagram, Opera Browser, and Skype, and sends SMS messages to premium-rate numbers. There are more than a dozen variants of this bug and growing. There are well-known companies that produce security software for mobile phones and many of them have FREE versions that can and do help keep you safe from these types of attacks. Remember, by simply getting your apps from the OFFICIAL app sources, either your phone's app store or the app developer's own site, you can virtually eliminate this type of threat all together.
"Computer users need not despair," Nick notes. "Sometimes we do win the fight as was the case when a Federal court imposed a $163 million judgment on a woman who the FTC says helped run a scareware ring that tricked more than one million consumers across six countries into purchasing fake security software. But it's imperative to be vigilant and 'in the know' as dangers definitely lurk."
Nick Nascimento is Chief Executive Geek at aGeek2Go LLC Computer Repair, San Diego's most trusted provider of IT Services & Support as well as computer repair for home and business users both on-site and remote. He may be reached online at www.ageek2go.com.
Guest Blog Post by Nick Nascimento
Amid a season of Halloween horrors, the scariest thing most of us will contend with are the litany of Internet threats that can readily crash our computer system and wreak havoc on our personal and business lives.
To compute with confidence this season, heed this hit list of "scareware"-the 4 creepiest threats Internet surfers should be aware of right now:
1. The FBI MoneyPak Trojan. This is in a class called "ransomware." which are Trojans or Virus' that force you to PAY for them to "remove it " and of course after you pay they never do, If while surfing the Internet your computer screen is filled with a FBI warning page that claims you have to pay the $100 fine, you're infected! Most of the time, ransomware locks up the user's desktop, disables task manager and other system utilities to avoid the termination of the process by the user as well. However, FBI MoneyPak ransomware takes it to the entirely new level by adding a little video recording square in the top right corner of the fake FBI warning page. It supposed to be your built-in web camera. Curiously, this little square shows up even if your laptop doesn't have a built-in camera.
FBI MoneyPak is a very convincing looking scam. It has the official FBI logo at the top and lists victim's IP address, location, and the name of their ISP. The fake warning claims that your PC has been locked by FBI because you downloaded or distributed copyrighted material or viewed child pornography. Creepy, isn't it? And, it asserts that if you don't pay the fine you will go to jail. Simply visiting an infected web site is enough to trigger this exploit kit which will download a malicious DLL file onto your computer. This is an Advanced level Bug to deal with so if you are not familiar with more advanced parts of your computers operating system such as editing the registry etc. it's advisable to consult a professional Removal Specialist.
2) Malicious 'eventvwr' SCAM from Offshore Call Centers. This second troublemaker doesn't START with your computer but it very well ends there. This scam can be especially dangerous for unsuspecting, less computer-savvy target victims. The scam goes like this: You get a call from a guy with a generic name such as "Adam Smith" who explains to you that he's a registered Microsoft technician and received a call alerting him that your IP address is the source for serious attacks on their servers due to multiple computer virus infections on your end. If you ask for any information on the source or target IP addresses involved, the person will attempt to deflect the question, and inform you that he/she is unauthorized to provide you that information!
They will proceed to try convincing you that your computer is full of viruses (based on some standard status and error messages automatically generated by your computer), and they try to get you to grant them complete access to your entire computer, including passwords, credit cards, and other sensitive information, via the free "Ammyy Admin" remote desktop control software. If you don't agree to buy their useless, thieving "support services", they'll use the computer access you openly granted them to damage your computer and randomly delete files.
3) Fake Virus Alerts / Scareware. One of the most virulent is known as "MSREMOVAL TOOL".?It is just ONE of the Fake Virus removal programs that install themselves onto your PC and request Money to make them work.?THEY WILL NOT WORK AND IF YOU PAY THEM THEY WILL NOW HAVE YOUR CREDIT CARD INFORMATION. Here are the two most common ways they are distributed:
(a) Via Infected IMAGES you may view Via Search engines!
(b) Via Pop - UNDERS (pop-ups that hide behind the page you are viewing.) When you see that FLASH be sure to LOOK QUICKLY. You just may see a very small window that is downloading the Malware CLOSE IT!! If it completes its task it will then launch that warning window. That is the other way they are delivering this malware.
4) FakeInst SMS Trojan and its variants. Now we turn to the most overlooked segment for attacks: mobile users. Mobile users are MUCH easier to attack, not just because of their cell phone vulnerabilities but the fact that people do not even THINK about their phones as the Small Computers they are.
"FakeInst disguises itself as popular apps like Instagram, Opera Browser, and Skype, and sends SMS messages to premium-rate numbers. There are more than a dozen variants of this bug and growing. There are well-known companies that produce security software for mobile phones and many of them have FREE versions that can and do help keep you safe from these types of attacks. Remember, by simply getting your apps from the OFFICIAL app sources, either your phone's app store or the app developer's own site, you can virtually eliminate this type of threat all together.
"Computer users need not despair," Nick notes. "Sometimes we do win the fight as was the case when a Federal court imposed a $163 million judgment on a woman who the FTC says helped run a scareware ring that tricked more than one million consumers across six countries into purchasing fake security software. But it's imperative to be vigilant and 'in the know' as dangers definitely lurk."
Nick Nascimento is Chief Executive Geek at aGeek2Go LLC Computer Repair, San Diego's most trusted provider of IT Services & Support as well as computer repair for home and business users both on-site and remote. He may be reached online at www.ageek2go.com.
Sunday, October 21, 2012
Standardize That!
Recently I bought an iPad and I must admit that I love it. My Crackberry contract has been up for several months, but I wanted to wait until the new iPhone came out. Still, I've been postponing it because of the cost.
The demand for iPhones continues to be strong and, surprisingly, many businesses are giving into the demands of employees who prefer them to BlackBerry devices. The iPhones are much cooler than any other smartphone, and that's why, I think, most people want them. Really want them. To the point where they will shell out their own money for both the phone and the plan if their employers won't supply them with them and they'll carry the company-issued phone as well.
But I'm digressing. The real issue is that no matter who provides the phone, security is key. Ditto for the iPad. Recently I spoke to someone at a financial firm who said his sales staff members are using the iPad for everything and they need to address this potential problem.
The real problem is that there are no standards for security on mobile devices because there are multiple plan providers. It seems to me that wireless companies spend more time figuring out how they can get more and more in revenues than how to protect their clients' data when they shop online via smartphones. I hope that the company that never stops working for you is working on security.
The demand for iPhones continues to be strong and, surprisingly, many businesses are giving into the demands of employees who prefer them to BlackBerry devices. The iPhones are much cooler than any other smartphone, and that's why, I think, most people want them. Really want them. To the point where they will shell out their own money for both the phone and the plan if their employers won't supply them with them and they'll carry the company-issued phone as well.
But I'm digressing. The real issue is that no matter who provides the phone, security is key. Ditto for the iPad. Recently I spoke to someone at a financial firm who said his sales staff members are using the iPad for everything and they need to address this potential problem.
The real problem is that there are no standards for security on mobile devices because there are multiple plan providers. It seems to me that wireless companies spend more time figuring out how they can get more and more in revenues than how to protect their clients' data when they shop online via smartphones. I hope that the company that never stops working for you is working on security.
Harry Potter and Healthcare IT
I just came across the best reason for doctors to embrace electronic medical records.
Farzad Mostashari, M.D., reminded members of the College of Healthcare Information Management Executives (CHIME) that a paper file is worthless. "You can't use it for anything. You can't move it, you can't learn from it." The data lover reportedly said that paper is great if you’re Harry Potter.
Vendors like standardization, he told CHIME. Patients do, too. Whenever my family needs medical care, we ask for the records. My sons' pediatricians use Webview, a program that healthcare providers and patients can access from any computer. It's terrific. We may forget the dosage of ibuprofen that the doctor recommended, but we can easily access it, even if we're traveling.
Recently, we met a seasoned doctor who said that as of February, he will have to reduce the number of patients he'll be seeing. Why? Because the hospital he's affiliated with is going to be using EPIC. It's going to be a long learning curve because he is not computer-literate, he admitted, but in the long run it will be worth it.
Farzad Mostashari, M.D., reminded members of the College of Healthcare Information Management Executives (CHIME) that a paper file is worthless. "You can't use it for anything. You can't move it, you can't learn from it." The data lover reportedly said that paper is great if you’re Harry Potter.
Vendors like standardization, he told CHIME. Patients do, too. Whenever my family needs medical care, we ask for the records. My sons' pediatricians use Webview, a program that healthcare providers and patients can access from any computer. It's terrific. We may forget the dosage of ibuprofen that the doctor recommended, but we can easily access it, even if we're traveling.
Recently, we met a seasoned doctor who said that as of February, he will have to reduce the number of patients he'll be seeing. Why? Because the hospital he's affiliated with is going to be using EPIC. It's going to be a long learning curve because he is not computer-literate, he admitted, but in the long run it will be worth it.
Snopes Is Not Enough
Every once in a while, I get a well-meaning email from a relative or friend to warn me about a new virus that comes with an email with the subject line of XYZ or whatever. Some of the emails come with the promise that the person who sent it checked it out on Snopes, so “it’s real.” I ignore those because invariably I get an email later saying that it’s a hoax.
That particular virus may be a hoax, but the fact is that email-based attacks still keep happening. A recent report by FireEye Malware Intelligence Labs claims that in the first half of this year, computer infections have nearly quadrupled in volume in comparison to last year. These viruses have circumvented traditional security measures. Additionally, the rate of successful email based-threats have increased by 56 percent.
This is in addition to hacking and phishing!
What makes the security situation more disturbing is a 2011 survey of by the Homeland Security Department’s National Cyber Security Division reported that among 162 state, territorial and city governments found a low awareness of the full risks. This is despite the fact that the majority have adopted controls. The report was obtained by FierceGovernment IT through FOIA (Freedom of Information Act).
I realize that since the financial meltdown, municipalities have had less revenue and corporations have been reluctant to invest in newer security measures and qualified people. But that’s like not carrying insurance and running the risk of damage to your home or getting sick and possibly losing your assets. There needs to be a concerted effort to prioritize where money is most needed. There is no silver bullet to balancing the budget. Just like with your personal budget, you have to give up something in order to ensure safety.
That particular virus may be a hoax, but the fact is that email-based attacks still keep happening. A recent report by FireEye Malware Intelligence Labs claims that in the first half of this year, computer infections have nearly quadrupled in volume in comparison to last year. These viruses have circumvented traditional security measures. Additionally, the rate of successful email based-threats have increased by 56 percent.
This is in addition to hacking and phishing!
What makes the security situation more disturbing is a 2011 survey of by the Homeland Security Department’s National Cyber Security Division reported that among 162 state, territorial and city governments found a low awareness of the full risks. This is despite the fact that the majority have adopted controls. The report was obtained by FierceGovernment IT through FOIA (Freedom of Information Act).
I realize that since the financial meltdown, municipalities have had less revenue and corporations have been reluctant to invest in newer security measures and qualified people. But that’s like not carrying insurance and running the risk of damage to your home or getting sick and possibly losing your assets. There needs to be a concerted effort to prioritize where money is most needed. There is no silver bullet to balancing the budget. Just like with your personal budget, you have to give up something in order to ensure safety.
Wednesday, October 10, 2012
Forget the Publicity
My wife writes both advertorial and editorial articles. Although the former is her main course, even she won't get lured into believing things from self-promoters and popular resources (e.g., consumer magazines). If you read women's magazines, the hottest web sites for shopping are fashion sites such as Blufly and Zappos. Reality: the 25 fastest growing mobile commerce sites* in the West are 16 retail business, 3 travel, 3 hotel and 3 ticketing. Retail sites that have grown 200 percent or more include the British retailer, Marks & Spencer, Netshoes and the University of South Carolina's Gamecocks football team's GarnetandBlackTraditions.com. Stubhub and Fandago take it for ticketing. Orbitz is still doing well and Hilton and Best Western are popular for hotels. Fab.com grew 567 percent from a single app!
Three things to think about: Security, security and security. Mobile commerce is not going away anytime in the foreseeable future. If an app is worth creating, there better be security to go along with it.
*Source: The Mobile 400 Guide from Internet Retailer
Three things to think about: Security, security and security. Mobile commerce is not going away anytime in the foreseeable future. If an app is worth creating, there better be security to go along with it.
*Source: The Mobile 400 Guide from Internet Retailer
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Wednesday, September 5, 2012
Think Different
It's time for Apple to follow its own slogan: think different. This time about security.
The hacking group AntiSec claims to have 12 million numbers for iPhones, iPods and Ipads as well as some personal data on the owners. AntiSec stated that its goal was to prove that the F.B.I. uses device information to track people.
There is no doubt that the F.B.I. tracks people, but my concern is that if AntiSec can hack into Apple, so can others, and others can hack into AntiSec. Call me paranoid, but hackers are out to get us. They want our personal data for one reason: to steal. They're not curious about our favorite stores or our favorite meals. They want our money. They are career criminals, a tech-savvy version of the lot who used to steal television sets and jewelry to sell because they want the money.
One of Apple's selling points to computer users is that there were few viruses written for the Mac. In fact, my wife's aunt by marriage got an iMac years ago because her PC was always getting infected with viruses. (The reason is, of course, that she didn't run her anti-virus software daily, as we do.) But mobile devices, whether they are smartphones or tablets are vulnerable to hacking. People use banking apps. People shop from their iPads. That means that their bank account numbers and credit card numbers can be stolen. Fill in with name, addresses, date of birth and Social Security number and you've got potential identity theft. (Remember, when you buy a cell phone, you have to give the merchant your Social Security number.) Hackers like to put the pieces of the puzzle together. They concentrate on crime, not finding a cure for cancer.
So, Apple. Think different. Don't just make your hardware pleasing to look at. Make sure yo have a superhero preventing hackers.
The hacking group AntiSec claims to have 12 million numbers for iPhones, iPods and Ipads as well as some personal data on the owners. AntiSec stated that its goal was to prove that the F.B.I. uses device information to track people.
There is no doubt that the F.B.I. tracks people, but my concern is that if AntiSec can hack into Apple, so can others, and others can hack into AntiSec. Call me paranoid, but hackers are out to get us. They want our personal data for one reason: to steal. They're not curious about our favorite stores or our favorite meals. They want our money. They are career criminals, a tech-savvy version of the lot who used to steal television sets and jewelry to sell because they want the money.
One of Apple's selling points to computer users is that there were few viruses written for the Mac. In fact, my wife's aunt by marriage got an iMac years ago because her PC was always getting infected with viruses. (The reason is, of course, that she didn't run her anti-virus software daily, as we do.) But mobile devices, whether they are smartphones or tablets are vulnerable to hacking. People use banking apps. People shop from their iPads. That means that their bank account numbers and credit card numbers can be stolen. Fill in with name, addresses, date of birth and Social Security number and you've got potential identity theft. (Remember, when you buy a cell phone, you have to give the merchant your Social Security number.) Hackers like to put the pieces of the puzzle together. They concentrate on crime, not finding a cure for cancer.
So, Apple. Think different. Don't just make your hardware pleasing to look at. Make sure yo have a superhero preventing hackers.
Subscribe to:
Posts (Atom)