
Sunday, June 22, 2014

What Becomes Of Your Online Accounts After You Die?

...until death do us part

Have you ever wondered what becomes of your online accounts after you die? The Washington Post recently looked into the question, and reports that "The immortality of one's digital accounts is one of the more morbid philosophical wrinkles of modern life."

Here are a few of the take-aways from the article:
  • Family who want to access these accounts often can't.
  • Digital asset laws vary greatly by state and country.

The spookiest take-away: Artificial intelligence-like technology may someday Tweet in a user's voice after he or she dies.

Monday, May 12, 2014

Quick Round-up of Some of the Latest Tricks and Traps

Beware of new scams and privacy pitfalls

New ways to fool people out of their money, information and identities pop up nearly every day. Here's a quick round up of some of the latest tricks and traps:

New Scam Targets Homeless: Fraudsters pay homeless people to take out cell phone contracts in their names. The fraudsters keep the phones, rack up the bills and then sell the phones, ruining the homeless person's credit.

Getty Images Allows Free Embedding, but at What Cost to Privacy? People can embed images in their sites for free, so long as they use the provided embed code and iframe. Because of the scope of Getty's reach, this may allow the company to correlate more information about a user's browsing history than any single site could. Just another reminder that nothing's truly free in this world!

Human Error Tops Ponemon Patient Data Security Study Threats: 75 percent of healthcare organizations view employee negligence as the greatest data breach threat. This result underscores the importance of good security and privacy controls (and excellent employee training!) in healthcare environments. This extends to medical device manufacturers, who often work with very old software and continue to insist that controls are too cost-prohibitive.

The Data Brokers - Selling Your Personal Information: 60 Minutes' Steve Kroft recently reported on his investigation of the multibillion dollar industry that collects, analyzes and sells the personal information of millions of Americans with virtually no oversight.

Wednesday, April 30, 2014

Facebook Users should enable Two-Factor Authentication

Securing Your Facebook Account With 2-Factor Authentication

This Facecrooks article discusses a very important topic - "Securing your Facebook profile" - and gives step-by-step instructions for enabling two-factor authentication. The idea is to keep out anyone attempting to access your profile from a device Facebook doesn't recognize.

Astoundingly, two years ago at least 13 million U.S. Facebook users didn't use or weren't aware of the social network's privacy control settings. Based on various news reports covering Facebook privacy, it is anticipated that this number has not gotten smaller, but more likely has increased (perhaps by a significant amount now that there are more than a billion active mobile Facebook users).

How many of these millions are within your employee, patient or customer communities? How does this impact you personally, or put your own information at risk? Remember, your privacy can be impacted simply by being associated with "friends" who don't activate their privacy control settings. 

Understanding how your stakeholders use Facebook and other social networks is a critical component to protecting yourself, your organization and the people it serves.   

Monday, April 7, 2014

USB Attacks Need Physical Access Right? Not Any More

Exploiting USB Driver vulnerabilities

NCC Group Research Director Andy Davis presented 'USB Attacks Need Physical Access Right? Not Any More...' at this year's BlackHat Asia in Singapore.

Due to recent advances in a number of remote technologies, USB attacks can now be launched over a network. The talk went into detail about how these technologies work, the resulting impact on the world of USB bugs and included a live demo remotely triggering a USB kernel bug in Windows 2012 server.

This is interesting research; refer here to download the paper and learn more about USB bugs.

Saturday, February 8, 2014

The Internet of Things

"The Internet of Things" is now finding its way into mainstream conversation!

Once a term used mostly by MIT professors and those steeped in the privacy and security field, "The Internet of Things" is now finding its way into mainstream conversation. Loosely defined as the practice of equipping all objects and people in the world with wirelessly connected, identifying, computing devices, the term represents what could be a hugely transformational way of life.  

At one time, "The Internet of Things" probably sounded like science fiction; but today, it's becoming very real. Here are a few examples of where you can literally see, hear and almost feel this phenomenon occurring in some very ordinary places:
  • TRENDnet marketed its SecurView video cameras as "secure." In reality, the cameras had faulty software that allowed anyone with a camera's Internet address to hear and see what it was capturing. More than 700 were hacked, creating live streams of private locations and private moments online for the world to hear and see.
  • Google possesses possibly more data about consumers' online activities than any other organization (Facebook, Microsoft and IBM would probably be close behind). Now, it seems, the Internet giant is on track to know as much about your offline behavior. The company recently purchased Nest, which makes "smart" thermostats and smoke/fire alarms that track indoor-activity data, and has stated it plans to create many more of these types of smart gadgets. How much personal information will Nest share with Google, and how will that information be used?
  • A range of smart-home and smart-car technology lets consumers control access to, and features of, their houses and vehicles. But who else might gain the same level of control? And what will happen when "smart" cars and appliances can function on their own without human intervention? As this Guardian article contends, they will certainly be tempting to hackers.

Wednesday, October 30, 2013

How and why the Chief Information Security Officer role is evolving

A new standard for security leadership

How can security leaders help achieve business objectives?

Am I doing enough to protect our enterprise?

How can I measure success?

These questions come up time and time again for Chief Information Security Officers (CISOs) and other security leaders. Just as technology constantly evolves and threats shift, the needs of the business change with regard to security and risk. Security leaders have to constantly reassess, adjust, and improve their skills. Those with the right combination of business practices, technology maturity and measurement capabilities are evolving into more versatile security leaders.

Download the full graphic version here.

Tuesday, October 22, 2013

How Would People React and Deal with an Attack on the Electrical Grid?

Could a cyber attack destroy the electrical grid and leave the nation powerless and in the dark for days, weeks or even months? Would we be prepared, or would chaos ensue?

On Oct. 27, National Geographic will premiere “American Blackout,” a movie that tells the story of a national power failure in the U.S. caused by a cyber attack. The story is told in real time, over the span of 10 days, through footage the characters keep shooting on their own cameras and phones. It will air on the National Geographic Channel.

According to Richard Andres, a consultant for the film, the threat isn’t all that far-fetched. “This was a dramatization of something that is not unrealistic. We don’t need to be this vulnerable. But the first step is people need to be aware that this is a problem.”

The film depicts a nationwide power outage caused by a cyber attack, seen from the points of view of different characters affected by the blackout. They include a doomsday prepper family, a family awaiting the birth of their second child, and a group of college students stranded in an elevator.

As depicted in the movie, ATMs would not work and neither would credit cards. Andres said that 20 years ago people were more reliant on cash, which would be able to keep commerce going. But now people are more reliant on virtual money, which would stop commerce.

Andres consulted on the film and reviewed the script for realism. He told the creators which scenarios he believed were realistic, and said he thought the movie put the experience into terms the average viewer could relate to. Although many families are not prepared for an event like this, the doomsday preppers in the film had enough food to last them two years. While he wouldn’t say whether that was extreme, Andres said food and water are essential and he would advise people to have more than three days’ worth on hand at any given time.

Thursday, July 4, 2013

New Targets for Hackers - Plane Cockpit/Voice Hijacking?

Criminal hackers can generally be divided into two groups - thieves and showboats

They breach secure systems either to steal or simply to demonstrate that it can be done. A few recent hacking incidents indicate the showboat sector may be picking up steam.

Smartphone used to hack into a plane cockpit

The power and rapid evolution of technology is exposed by a security researcher armed with an Android phone.

"By using a Samsung Galaxy handset, Teso demonstrated how to use ACARS to redirect an aircraft's navigation systems to different map coordinates. He was able to insert code into a virtual aircraft's Flight Management System, and by passing the code between the aircraft's computer unit and the pilot's display, Teso was able to take total control of what the aircrew would see in the cockpit."

Scientist's voice hijacked during high-profile presentation

Hackers accessed the computer synthesizer controlling Stephen Hawking's voice during a public talk he was giving to a large audience, overriding his control and forcing him to make statements against his will.

"It wasn't until hours later when the Syrian Electronic Army - a group of hackers working in support of Bashar al-Assad - claimed responsibility for the attack, breaking into Stephen Hawking's voicebox one last time to announce "the Syrian Electronic Army was here" just as the scientist was leaving the stage."

Monday, June 10, 2013

Securing The Smart Grid

With reports of regular cyber attacks targeting the US smart grid, should UK energy and utility companies rethink their approach to security?

"With greater connectivity comes the even bigger need for better energy efficiency, from which the concept of the smart grid was born. The idea of the smart grid is to use IT to gather and act on behavioural information from both consumers and suppliers in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricity. However, along with higher energy consumption, greater connectivity also entices a far greater number of security risks."

Continue reading on the Guardian Media Network.

Sunday, May 5, 2013

How You Can Get Hacked at Starbucks

Be extra careful when using free public Wi-Fi

For those who frequently use the free public Wi-Fi in coffee shops such as Starbucks and Dunkin' Donuts, you're likely already aware of how easy it is for hackers to steal your personal and financial information over the shared network.

But what you may not realize is how cybercriminals could gain access to sensitive data in other ways that might not be on your radar.

According to ThreatMetrix, a provider of cybercrime prevention solutions, some hackers even leave malicious USB drives on tables for curious customers to plug into their devices. This allows them to retrieve personal information and even social network passwords. Although this may seem unlikely, ThreatMetrix says the scenario actually occurs.

Cybercriminals can also use video cameras on a mobile device to capture what you're doing nearby. This means if you are entering your credit card or email login information into a smartphone, you could be recorded doing so. Creepy, right?

More sophisticated techniques include network scanners, which detect open ports on a device connected to the network, and "hotspot honeypots" which intercept a user’s Internet connection and give full access to that network.

Here's a look at what to keep your eyes peeled for when cozying into a coffee shop near you.

Monday, March 4, 2013

Dishing Off Your Old Device?

Did you know that in the wrong hands that "old" device can mean "new" problems for you?

Have you, like many adults, given a child in your life a hand-me-down mobile device? Maybe it's a "disabled" cell phone or your old iTouch that you let them play around on.

Savvy criminals are increasingly targeting mobile devices (even outdated ones) because they are very often loaded with personal data, including bank and credit card numbers cached on mobile browsers, passwords, contact information, email and GPS histories.

If you are dead-set on letting your children play with these devices, be sure they have been wiped completely clean of your personal and business information. For tips on how to do this, give this eHow Tech post a thorough read.

Wednesday, February 6, 2013

Need To Invest Time In Facebook Privacy

An Embarrassment is Coming

If they don't invest the time in reviewing the information that's been published about them, Facebook users are in for a potentially embarrassing surprise. That's because Facebook is working toward making more of its content searchable with its Graph Search feature.

What will be searchable? All the information (personal, professional, pictorial) you post, and that other Facebook users post about you. Additionally, your likes, and in many cases simply the websites you've visited that have hooks back into Facebook, will be searchable.

This article explains it well, and in it, writer Meghan Kelly gives one of the best analogies for Facebook I have read:

"Facebook is like a safe containing a ton of your personal information - which you've purposefully and willfully cracked with an axe."

Beyond searching for what's already out there about you, commit to practicing good social etiquette. Don't "check in" your friends for them (without their knowledge!), post pictures of them they may not appreciate or tag them to one of your posts without their permission. Even the tamest of details may cause trouble for them, not to mention, trouble for your relationship.

Wednesday, January 23, 2013

Security audit finds Developer OUTSOURCED his JOB to China

Pro-active Log Review Might Be A Good Idea

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet.

The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system with two-factor authentication so staff could work at home. The VPN traffic logs showed a regular series of logins to the company's main server from Shenyang, China, using the credentials of the firm's top programmer, "Bob".

"The company's IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob's desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator," said Verizon. "Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one."

After getting permission to study Bob's computer habits, Verizon investigators found that he had hired a software consultancy in Shenyang to do his programming work for him, and had FedExed them his two-factor authentication token so they could log into his account. He was paying them a fifth of his six-figure salary to do the work and spent the rest of his time on other activities.

The analysis of his workstation found hundreds of PDF invoices from the Chinese contractors and determined that Bob's typical work day consisted of: 

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos 

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time

2:00-ish p.m – Facebook updates, LinkedIn 

4:30 p.m. – End-of-day update e-mail to management 

5:00 p.m. – Go home

The scheme worked very well for Bob. In his performance assessments by the firm's human resources department, he was the firm's top coder for many quarters and was considered expert in C, C++, Perl, Java, Ruby, PHP, and Python.

Further investigation found that the enterprising Bob had actually taken jobs with other firms and had outsourced that work too, netting him hundreds of thousands of dollars in profit as well as lots of time to hang around on internet messaging boards and checking for a new Detective Mittens video.

Bob is no longer employed by the firm.

Source: The Register

Refer here to read further details.
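The "proactive log review" the subtitle calls for can be automated. What follows is an added example, not code from Verizon or from the firm in the story: it parses constructed VPN concentrator log lines (the line format, user names, IP addresses and country codes are all assumptions made for illustration) and flags the two patterns the story turns on, recurring logins from outside the countries where staff are expected to be, and a single account authenticating from two countries on the same day.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article). Assumed format:
# "<ISO timestamp> user=<name> src=<ip> geo=<ISO country> action=login"
SAMPLE_LOG = """\
2012-11-05T09:02:11Z user=bob src=203.0.113.7 geo=CN action=login
2012-11-05T09:04:40Z user=bob src=198.51.100.23 geo=US action=login
2012-11-05T09:15:02Z user=alice src=198.51.100.41 geo=US action=login
2012-11-06T08:58:33Z user=bob src=203.0.113.7 geo=CN action=login
2012-11-06T09:01:10Z user=bob src=198.51.100.23 geo=US action=login
2012-11-07T09:00:05Z user=bob src=203.0.113.7 geo=CN action=login
2012-11-07T12:30:45Z user=carol src=198.51.100.88 geo=US action=login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) action=login$"
)


def parse_logins(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def recurring_foreign_logins(events, allowed=("US",), min_days=2):
    """Accounts that authenticated from a country outside `allowed` on at least
    `min_days` distinct calendar days. Returns {user: {country: day_count}}.
    A one-off trip is noise; the same foreign source every day is a pattern."""
    seen = defaultdict(lambda: defaultdict(set))  # user -> country -> {days}
    for e in events:
        if e["geo"] not in allowed:
            seen[e["user"]][e["geo"]].add(e["ts"][:10])
    result = {}
    for user, geos in seen.items():
        hits = {g: len(days) for g, days in geos.items() if len(days) >= min_days}
        if hits:
            result[user] = hits
    return result


def same_day_multi_country(events):
    """(user, day) pairs where one account logged in from more than one country
    on the same day: the 'at his desk and in Shenyang at once' pattern."""
    by_user_day = defaultdict(set)
    for e in events:
        by_user_day[(e["user"], e["ts"][:10])].add(e["geo"])
    return sorted(key for key, geos in by_user_day.items() if len(geos) > 1)


if __name__ == "__main__":
    evts = parse_logins(SAMPLE_LOG)
    print("recurring foreign logins:", recurring_foreign_logins(evts))
    print("same-day multi-country:", same_day_multi_country(evts))
```

Both checks work on nothing more than the timestamp, account and source geolocation a VPN concentrator already records, which is the point of the story: the evidence was in the logs before anyone looked.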

Sunday, December 9, 2012

Why Information Sharing is Key to Security

In order to fight an attack, you have to know the attacker

Booz Allen Hamilton issued a list of the top 10 cyberthreat trends for financial services in 2013. Among the top trends: 

  • Information sharing will be more critical, as legislation could push industry standards to improve threat intelligence information sharing.
  • Vendor and third-party risks will pose security challenges for financial institutions of all sizes.
  • Boards of directors must create and embrace a culture that encourages information sharing across the industry.
  • Hacktivists and extremist groups will increasingly target institutions to disrupt services and destroy data.
  • Cyber-benchmarking will be used to show how banks stack up, from a security standpoint, to their competition.

The remaining five trends highlight the need for stronger identity and access controls, more focus on risk-protection processes and people, the need for predictive threat intelligence, and why reliance on the cloud and mobile is critical.

Underlying those 10 trends is the need for banking institutions to understand who's behind attacks waged against them, says Bill Wansley, a financial fraud and risk consultant for Booz Allen Hamilton.

Wansley's three-pronged approach to fighting cyberthreats:

  • Identify the attackers' capabilities.
  • Know their intent.
  • Appreciate the opportunities they have to do harm.

A distributed-denial-of-service attack, for instance, may not cause long-term damage to your infrastructure or compromise consumer privacy, but it definitely can do some damage to your reputation, depending on the intent of the attack and the actors behind it.

Hacktivists attack to damage reputation; criminals attack to commit fraud. Until you understand the actors, you can't adequately prepare for the threat. That's Wansley's key point, and it makes perfect sense. But I believe that the most critical step is information sharing.

The more we share about attacks - vulnerabilities and vectors - the more we will learn about how the attacks are waged, what they're after and who's behind them. That sharing also serves Wansley's own point: without understanding the actors, we can't adequately prepare for the threat.

Refer here to download the report.

Monday, October 8, 2012

When Will Universities Take SECURITY Seriously?

Hackers Breach 53 Universities and Dump Thousands of Personal Records Online

Hackers published online Monday thousands of personal records from 53 universities, including Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Zurich and other universities around the world. The group of hackers, calling themselves Team GhostShell, claimed responsibility for the attack on Twitter and published some 36,000 e-mail addresses and thousands of names, usernames, passwords, addresses and phone numbers of students, faculty and staff, to the Web site Pastebin.com.

In most cases the data was already publicly available, but in some instances the records included additional sensitive information such as students’ dates of birth and payroll information for university employees. Typically, hackers seek such information because it can be used to steal identities, crack bank accounts or can be sold on the black market.

Universities make ripe targets because they store vast numbers of personal records, often in decentralized servers. The records can be a gold mine because students often have pristine credit reputations and do not monitor their account activity and credit scores as vigilantly as adults. Dozens of universities have been plagued by breaches recently.

Last August alone, the University of Rhode Island warned students and faculty that their information may have been exposed. And at the University of Arizona, a student discovered a breach after a Google search exposed her personal information — and that of thousands of others at the university. Smaller computer breaches at Queens College and Marquette University were also reported.

In this case, the hackers said they were not motivated by profit but to “raise awareness towards the changes made in today’s education.” In a message accompanying the stolen data, they bemoaned changing education laws in Europe and spikes in tuition fees in the United States. But they also noted that in many cases, the servers they breached had already been compromised. 

“When we got there, we found that a lot of them have malware injected,” the hackers wrote on Pastebin. To breach servers, the hackers used a technique known as SQL injection, in which they exploit a software vulnerability and enter commands that cause a database to dump its contents.

In the case of some universities, the hackers breached multiple servers. At colleges across the country, some students set up sites that allowed students and faculty to search the leaked data for their information. For instance, at the University of Pennsylvania, Matt Parmett, a junior, created a Web site that made it possible for classmates to search the leaked data by name.
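The article names the technique but not the defect behind it. As an added example (not from the article and not from any university's systems), here is the defect beside its fix in Python's sqlite3 module: a lookup that splices user input into the query text, and the parameterized version that treats the same input strictly as a value. The table, the records in it and the probe string are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows (no real people or data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO students (username, email) VALUES (?, ?)",
        [
            ("asmith", "asmith@example.edu"),
            ("bjones", "bjones@example.edu"),
            ("cwu", "cwu@example.edu"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The defect: input is pasted into the SQL string, so input can change the
    query's structure (its WHERE clause), not merely the value being compared."""
    sql = "SELECT username, email FROM students WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: a bound parameter is passed to the engine separately from the
    SQL text, so whatever it contains is compared as a literal string."""
    sql = "SELECT username, email FROM students WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(conn, username):
    """Row counts returned by the two lookups for the same input; a difference
    shows the input altered the vulnerable query rather than matching a value."""
    return len(lookup_vulnerable(conn, username)), len(lookup_safe(conn, username))


if __name__ == "__main__":
    db = make_db()
    # A normal username behaves identically in both versions.
    print("asmith:", compare(db, "asmith"))
    # The textbook tautology: the vulnerable query returns every row,
    # the parameterized one returns none (no user has that literal name).
    print("probe:", compare(db, "' OR '1'='1"))
```

The only code that changes between the two lookups is how the value reaches the database engine; the fix is a mechanical one, which is why a breach of this kind is usually a sign that nobody reviewed the code paths handling external input.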

Saturday, September 8, 2012

Real video footage of what skimmers "see"

"Handy" way to foil ATM skimming

Source: KrebsOnSecurity

I recently obtained the video footage recorded by that hidden ball camera. The first segment shows the crook installing the skimmer cam at a drive-up ATM early on a Sunday morning. The first customer arrives just seconds after the fraudster drives away, entering his PIN without shielding the keypad and allowing the camera to record his code.

Dozens of customers after him would do the same. One of the customers in the video clip below voices a suspicion that something isn’t quite right about the ATM, but he proceeds to enter his PIN and withdraw cash anyhow. A few seconds later, the hidden camera records him reciting the PIN for his ATM card, and asking his passenger to verify the code.

Skimmers can be alarming, but they’re not the only thing that can go wrong at an ATM. It’s a good idea to visit only ATMs that are in well-lit and public areas, and to be aware of your surroundings as you approach the cash machine. If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM.

Sunday, July 22, 2012

ENISA Report: Ten Smart Grid Security Recommendations

Smart Grids need protection from cyber attacks

The EU Agency ENISA has launched a new report on how to make smart grids and their roll out a success, in particular by making sure that IT security aspects are properly taken into account from the beginning.

A smart grid is an upgraded electricity network with two-way digital communication between supplier and consumer. The adoption of smart grids will dramatically change the distribution and control of energy for solar panels, small wind turbines, electric vehicles, etc.

By making energy distribution more efficient, smart grids give clear benefits to users, electricity suppliers, grid operators, and society as a whole. At the same time, their dependency on computer networks and Internet makes our society more vulnerable to cyber-attacks, with potentially devastating results.

Therefore, to prepare for a successful roll-out of smart grids, this study proposes 10 security recommendations for the public and private sector out of almost 100 findings.

Some key report recommendations include:

  • The European Commission (EC) and the competent authorities of the Member States (MS) need to provide a clear regulatory and policy framework on smart grid cyber security at the national and EU level, as this presently is missing.
  • The EC, in collaboration with ENISA, the MS, and the private sector, should develop a minimum set of security measures based on existing standards and guidelines.
  • Both the EC and the MS authorities should promote security certification schemes for the entire value chain of smart grids components, including organisational security.
  • The MS authorities should involve Computer Emergency Response Teams to play an advisory role in power grids’ cyber security.

Cyber security aspects of smart grids

Smart grids give rise to new information security challenges for electricity networks. Information systems’ vulnerabilities may be exploited for financial or political motivation in cyber-attacks to shut off power plants.

This study makes 10 recommendations to the public and private sector involved in the definition and implementation of smart grids. These recommendations intend to provide useful and practical advice aimed at improving current initiatives, enhancing co-operation, raising awareness, developing new measures and good practices, and reducing barriers to information sharing.

The top 10 recommendations, aimed at various European Union and member-state organizations, are:

  1. Improve the regulatory and policy framework on smart-grid cybersecurity at both the national and EU level.
  2. Create a public-private partnership to coordinate cybersecurity initiatives. 
  3. Promote initiatives to raise awareness of cybersecurity threats and conduct training.
  4. Foster knowledge-sharing initiatives.
  5. Develop minimum security measures based on existing standards and guidelines.
  6. Develop security certifications for components, products and organizational security.
  7. Create test beds and security assessments.
  8. Develop and refine joint strategies to counter large-scale cyberattacks on power grids.
  9. Involve computer security incident response teams in an advisory role.
  10. Promote academic and R&D research into smart-grid cybersecurity, including through existing research programs.

The full ENISA smart grid report can be downloaded here.

Wednesday, July 4, 2012

Facebook Email: What You Need to Know!

Facebook Knocks Your Email off the Podium

Facebook is receiving a decent amount of backlash from its most recent privacy misstep. The social media giant recently forced their @facebook.com email addresses upon all users who had not previously signed up to use it - and did so without their permission.

If you don't want this default email used by your Facebook friends, read this article to learn how to change your email back to the preferred address.

From a privacy standpoint, I'd recommend you not use the @facebook.com email address at all. That is unless you want to give everyone at Facebook (and possibly their third parties) access to your email messages.

Saturday, June 30, 2012

Law firms are a prime target for hackers

Mobile devices and apps provide multiple avenues for hackers to access confidential information

Laptops, cell phones and mobile apps for devices such as iPhones and Android phones keep us constantly connected to friends, family and colleagues. Unfortunately, they also may be connecting lawyers to predatory hackers, according to an article in the Wall Street Journal.

Law firms are a prime target for hackers seeking to access valuable confidential information, such as documents related to upcoming mergers and acquisitions or litigation. Over the past few years, several Canadian and U.S. law firms have been targeted by hackers linked to Chinese computers, according to the article. In 2010, lawyers at Gipson Hoffman & Pancione received emails—ostensibly from members of the firm—that were designed to steal data from their computers.

At the time, the firm was representing a software company in a $2.2 billion lawsuit against the Chinese government and computer manufacturers. Emails are just one way for hackers to retrieve sensitive information. Popular cloud storage applications such as Dropbox, for instance, afford lawyers the convenience of accessing their files on multiple devices.

But these applications potentially leave information vulnerable to third parties—Dropbox reserves the right to turn over files in response to legal or regulatory requests.

To protect data security, many firms are advising attorneys to take increased security measures, such as encrypting messages, avoiding free Wi-Fi connections, password protecting their devices and deleting suspicious emails or text messages.

Read the full story at the Wall Street Journal.