Showing posts with label Social Engineering. Show all posts

Monday, April 27, 2015

A "Gentle Reminder" for everyone to be extra vigilant with their Privacy!

Many of us actually turn a blind eye to the fact our private information is being, as this Australian reporter puts it, furiously scooped up by corporations, governments and others.

Why? Because we see it as a harmless tradeoff for whatever convenience or bit of entertainment we get in return. However, as this video details, more consumers are becoming aware of exactly what that tradeoff entails. And they're coming to it through social experiments like the one conducted in Australia. A reporter arranged for baristas to behave like an online app. After taking the java order, the baristas asked their customers to give them details like their home addresses or their last four text messages. The coffee buyers were super uncomfortable.

As we see in the video, the sharing of private information is no longer viewed as a harmless tradeoff when put in the faces of consumers. It's viewed with skepticism and dismay, just as, some may argue, it always should be. The other day, a friend told me the fast-food restaurant chain app she downloaded asked for access to her camera and all the photos and videos stored on it!

The takeaway? Pay closer attention to the information your new apps are asking to access. If something throws up a red flag, investigate. Or simply don't install the app.

Saturday, August 16, 2014

Facebook’s Browser-spying Campaign

Facebook using the browsing data of its members to target the ads of its advertising partners

Facebook, used by billions, is sharing its users' online behavior in ways it previously said we could opt out of.

As Venture Beat reports, anytime a Facebook user visits a site with a "Like" button (any site, not just a Facebook page), that visit is stored by Facebook and used to better target the ads of its advertising partners. No need for the user to actually click the Like button. The page visit is enough to trigger the storage of user data.

I actually tested this by visiting several types of websites I've never visited before. Lo and behold, I started seeing ads for associated items on my Facebook page.

There are a few tools that allow you to block sites like Facebook from inserting tracking code into your browser. Learn about them here.

Sunday, June 22, 2014

What Becomes Of Your Online Accounts After You Die?

...until death do us part

Have you ever wondered what becomes of your online accounts after you die? The Washington Post recently looked into the question, and reports that "The immortality of one's digital accounts is one of the more morbid philosophical wrinkles of modern life."

Here are a few of the take-aways from the article: Family who want to access these accounts often can't. Digital asset laws vary greatly by state and country.

The spookiest take-away: Artificial intelligence-like technology may someday Tweet in a user's voice after he or she dies.

Thursday, October 10, 2013

Creepy Way Facebook Advertisers Use You!

How Facebook Is Using Your Photos in Ads

Gmail isn't the only online platform guilty of repurposing your photos. Facebook and its advertisers, too, have become really good at using your image to inspire your friends' confidence in the products they are pushing.

A friend who recently experienced this said, "I did not realize that 'friending' [a company on Facebook] to get coupons probably means I've agreed to be used in their ads. Seeing a friend's picture [used this way] makes me suspicious my picture is doing the same thing on other people's Facebook pages."

What I find particularly interesting is the way Facebook explains away its practices with this statement (which you can see for yourself if you follow the prevention steps below): "Everyone wants to know what their friends like. That's why we pair ads and friends."

Fortunately, there is a way to stop Facebook from using your profile picture in advertisements.

1) Go to "Privacy Settings"
2) Click on the "Ads" tab on the left hand side.
3) In the Third Party Sites section click on "Edit"
4) In the drop down menu, click "No one" and then "Save Changes"
5) In the Ads & Friends section click "Edit"
6) In the drop down menu, click "No one" and then "Save Changes"

NOTE: You cannot opt out of receiving Sponsored Stories, which are essentially another type of ad. If you like a story on a brand page or share that you engaged with a brand, that brand can pay Facebook to ensure that it shows up in your and your friends' timeline feeds.

Tuesday, October 8, 2013

How Much Information Are You Leaving Online?

Do you ever feel like you're being followed?

Perhaps that's because you are. While it may not be the boogeyman who's hot on your trail, there are many groups of watchers who have made it their business to know as much about you as possible.

Each day, we are tracked by the 'smart' systems, mobile apps, personal communication devices and other surveillance platforms that have become commonplace in our daily lives. In an effort to educate more people about the data trails they are leaving behind (and the companies, data bureaus and marketers who are sniffing out that trail).


How comprehensive are the profiles Google can build from all the information we voluntarily share?

How valuable is your online information to burglars?


Notice all they can get off of *your* social network sites...and those of your friends, family and co-workers. Be aware of what you put out there!

For those of you in charge of or influencing your company privacy policies, consider how you are gathering and sharing your customers' data. Are you doing so in a manner that is transparent and compliant?

Sunday, May 5, 2013

"Likes" provide an incredible amount of insight into our private lives


Your 'Likes' Lead to Snap Judgments, False Assumptions

Much of our online behavior leaves a trail. Sometimes we are aware of it; sometimes we aren't. "Liking" on Facebook (or "+1-ing" on Google+, and all the other clickable options allowing you to show your appreciation for posts) may be one such behavior done with reckless abandon. Often a user will "Like" something only because a friend asked him or her to. These users may not be aware of the picture those "Likes" can paint.

The Wall Street Journal has written a fantastic article that may change mindless "Liking" behavior somewhat. The article highlights a recent study that revealed our "Likes" provide an incredible amount of insight into our private lives. Individually, the "Likes" may not reveal much; but monitored and analyzed over time, they can shed light on very personal, private details. One example:

The researchers found that "Likes" for Austin, Texas; "Big Momma" movies; and the statement "Relationships Should Be Between Two People Not the Whole Universe" were among a set of 10 choices that, combined, predicted drug use.

Whoa. How's that for crazy assumptions? Or scarier, how's that for accuracy? You can bet this research is only the beginning and that the algorithms these researchers used are soon to be commercialized and sold to any number of entities... with any number of intentions.

The takeaway for now? Watch what you "Like," and keep up-to-date on the privacy settings that can prevent others from tracking your online trail. 

TIP

If you use the Chrome browser, you can go "incognito" and avoid having many of your online activity trails automatically collected. To do this, press <CTRL><SHIFT><N>. See this Google resource for more information.

How You Can Get Hacked at Starbucks


Be extra careful when using free public Wi-Fi
For those who frequently use the free public Wi-Fi in coffee shops such as Starbucks and Dunkin' Donuts, you're likely already aware of how easy it is for hackers to steal your personal and financial information over the shared network.
But what you may not realize is how cybercriminals could gain access to sensitive data in other ways that might not be on your radar.
According to ThreatMetrix, a provider of cybercrime prevention solutions, some hackers even leave malicious USB drives on tables for curious customers to plug into their devices. This allows them to retrieve personal information and even social network passwords. Although this may seem unlikely, ThreatMetrix says the scenario actually occurs.
Cybercriminals can also use video cameras on a mobile device to capture what you're doing nearby. This means if you are entering your credit card or email login information into a smartphone, you could be recorded doing so. Creepy, right?
More sophisticated techniques include network scanners, which detect open ports on a device connected to the network, and "hotspot honeypots," which intercept a user's Internet connection and give the attacker full access to that connection.
Here's a look at what to keep your eyes peeled for when cozying into a coffee shop near you. 

Wednesday, March 6, 2013

Sex Tape Scam Featuring Rihanna and 'His' Boyfriend Hits Facebook

Popular celebrities used by cyber-criminals for hoaxes and fraud

BEWARE! Facebook users are being hit by yet another alleged sex tape featuring Rihanna, one of the most popular celebrities used by cyber-criminals for hoaxes and fraud on the social network.

This time, the scam alleges the American singer was caught with 'his boyfriend' [sic] during sexy times.

Check out how the #scam works and how to protect your Facebook account here: http://bit.ly/Rihanna_Sex_Tape_Scam


Wednesday, February 6, 2013

Need To Invest Time In Facebook Privacy


An Embarrassment is Coming

If they don't invest the time in reviewing the information that's been published about them, Facebook users are in for a potentially embarrassing surprise. That's because Facebook is working toward making more of its content searchable with its Graph Search feature.

What will be searchable? All the information (personal, professional, pictorial) you post, and that other Facebook users post about you. Additionally, your likes, and in many cases simply the websites you've visited that have hooks back into Facebook, will be searchable.

This article explains it well, and in it, writer Meghan Kelly gives one of the best analogies for Facebook I have read:
Facebook is like a safe containing a ton of your personal information - which you've purposefully and willfully cracked with an axe.
Beyond searching for what's already out there about you, commit to practicing good social etiquette. Don't "check in" your friends for them (without their knowledge!), post pictures of them they may not appreciate or tag them to one of your posts without their permission. Even the tamest of details may cause trouble for them, not to mention, trouble for your relationship. 

Tuesday, February 5, 2013

How To Control "Tagging" on Facebook?

Tame the "Tagging"

Being "tagged" on Facebook means another user has added content and publicly associated you with that content. A friend may post a picture of you at the beach. By tagging you, that photo will show up on your profile (if your settings allow).

There is a setting in Facebook that allows users to approve any tags before they are posted to their timeline. This blog post on Business2Community does a great job of showing readers exactly how to set Facebook to alert them to requests for tags.

This isn't just a good way to easily give friends permission to tag you; it's an excellent way to keep track of the content in which you've been tagged. Who needs to have someone else associate them with things to which they have no legitimate connection?

The post goes on to explain the difference between Facebook Profiles (now known as "Timelines") and Facebook Pages. There are some unique features about Pages that make these tags post differently, so if you manage a Product, Brand or Person Facebook Page, this will be an especially good article for you. 

For more emerging tagging concerns, see: 

Monday, January 28, 2013

US FFIEC: Proposed Guidance on Social Media

Regulators Address Emerging Social Media Risks to Banking Institutions

The US Federal Financial Institutions Examination Council has issued proposed risk management guidance for the use of social media.

"Social Media: Consumer Compliance Risk Management Guidance," was posted on the Federal Register Jan. 23. It provides an overview of the impact social media sites have on compliance with consumer protection and other applicable laws, especially when interactions between institutions and consumers take place on social media sites such as Facebook and Twitter.

Employees could be using social media from different devices or from home at night. If their accounts are taken over, then a criminal could be posting on that site, giving advice to steer customers to do something they shouldn't, or posting a link that leads them to a malicious site.

There certainly are a lot of risks banks need to think about when they start to use social media. The proposed guidance is really about risk assessment. The guidance is intended to help financial institutions understand potential consumer compliance, legal, reputation and operational risks associated with the use of social media, along with expectations for managing those risks.

Although the guidance does not impose additional obligations on financial institutions, the FFIEC expects financial institutions to take steps to manage potential risks associated with social media, as they would with any new process or product channel.

The FFIEC will accept comments on the proposed guidance through March 25. It will publish a final version once it reviews comments received.

Sunday, December 30, 2012

More Privacy Changes from Facebook

Mark Zuckerberg's Sister Complains Of Facebook Privacy Breach

In November, Facebook made changes, including several improvements, to its privacy policies. At the same time, those changes allowed everyone who has a Facebook account to become searchable. Whereas users were once able to block certain people from finding them on the social network, that functionality has now been removed.

This has implications for victims of stalkers, violent exes, or really anyone others are trying to track down. By finding a person in a search, there are ways to then get more information about them through unsecured or unblocked information posted on their Facebook friends' timelines.

The recent changes had some unintended consequences that ultimately resulted in a private photo of none other than Mark Zuckerberg going viral.

This is a good example of how you should expect ANYTHING you post online could be seen by the world, even if you think you have privacy settings set correctly.

You can still block certain users from seeing some of your content. However, you will be findable as a Facebook user. Be aware of this, particularly if you have certain people interested in locating you, learning of your connections, your whereabouts or your appearance.

Friday, December 28, 2012

Careful with your Instagrams

Did Instagram ever find itself in hot water just before the holidays!

When the popular photo sharing social network updated its policies on sharing users' images, the backlash was immediate.

For any Tips readers using Instagram (which is now owned by Facebook), please be aware of the upcoming changes, taking effect January 16.

You will not be able to opt-out. Be sure to read the new Terms of Use; if you don't like them, you may want to delete all your Instagram accounts and content before Jan 16.

In response to the severe negative reaction, Instagram has apologized, saying the misunderstanding is due to what it calls "confusing" language in the Terms of Use statement.

They have promised to revise it and said "it is not our intention to sell your photos." Yet it remains unclear exactly how much access will be given to user content... and to whom.

Stay tuned, as I will be watching the new Terms of Use language closely and will plan to report on it here in the Tips message.

Sunday, November 18, 2012

Beware of 12 SCAMS during Christmas

Study investigated behaviours of Americans, but it's still relevant to Australians

A Harris Interactive study, conducted online among over 2,300 U.S. adults, investigates the online habits and behaviors of Americans, including those who indicate that they will engage with the Internet and mobile devices while shopping this holiday season.

While Americans have become accustomed to shopping online, and will do so in droves, they are also using their mobile phones for more of their everyday activities.

As 70% of those surveyed plan to shop online this holiday season, a surprising 1 in 4 (24%) of them plan to use their mobile devices, and while aware of the risks, they are willing to give away their personal information if they can get something they value in return.

In fact, despite the fact that 87% of smartphone or tablet owners surveyed are at least somewhat concerned that their personal information could be stolen while using an app on a smartphone or tablet, nearly nine in ten of them are willing to provide some level of personal information in order to receive an offer that is of value to them.

Among those Americans planning on using smartphones and/or tablets to purchase gifts this holiday season, over half (54%) are specifically planning to use apps for shopping and/or banking during the holiday season; as such, mobile devices have proven irresistible to cybercriminals, and now they are targeting mobile users through malicious applications.

With roughly three in ten (28%) American smartphone and/or tablet owners admitting they do not pay attention at all to app permissions and 36% paying attention but specifying they do not always do so, Cyber-Scrooge criminals are ready to pounce.

‘Tis the season for consumers to spend more time online - shopping for gifts. 88% of those Americans who plan on shopping online during the 2012 holiday season plan on using a personal computer to do so, and 34% will use a tablet (21%) and/or smartphone (19%).

But with nearly half (48%) of Americans planning to shop online on Cyber Monday for sales (45% using a computer, 10% using a mobile device), here are the “12 Scams of Christmas,” the dozen most dangerous online scams to watch out for this holiday season, revealed by McAfee.

1. Social media scams - Cybercriminals know social media networks are a good place to catch you off guard because we’re all “friends,” right? Scammers use channels, like Facebook and Twitter, just like email and websites to scam consumers during the holidays.

Be careful when clicking or liking posts, while taking advantage of raffle contests, and fan page deals that you get from your “friends” that advertise the hottest Holiday gifts, installing apps to receive discounts, and your friends’ accounts being hacked and sending out fake alerts. Twitter ads and special discounts utilize blind, shortened links, many of which could easily be malicious.

2. Malicious mobile apps - As smartphone users we are app crazy, downloading over 25 billion apps for Android devices alone! But as the popularity of applications has grown, so have the chances that you could download a malicious application designed to steal your information or even send out premium-rate text messages without your knowledge.

3. Travel scams - Before you book your flight or hotel to head home to see your loved ones for the holidays, keep in mind that the scammers are looking to hook you with too-good-to-be-true deals. Phony travel webpages, sometimes using your preferred company, with beautiful pictures and rock-bottom prices are used to get you to hand over your financial details.

4. Holiday spam/phishing - Soon many of these spam emails will take on holiday themes. Cheap Rolex watches and pharmaceuticals may be advertised as the “perfect gift” for that special someone.

5. iPhone 5, iPad Mini and other hot holiday gift scams - The kind of excitement and buzz surrounding Apple’s new iPhone 5 or iPad Mini is just what cybercrooks dream of when they plot their scams. They will mention must-have holiday gifts in dangerous links, phony contests (example: “Free iPad”) and phishing emails as a way to grab computer users’ attention to get you to reveal personal information or click on a dangerous link that could download malware onto your machine.

6. Skype message scare - People around the world will use Skype to connect with loved ones this holiday season, but they should be aware of a new Skype message scam that attempts to infect their machine, and even hold their files for ransom.

7. Bogus gift cards - Cybercriminals can't help but want to get in on the action by offering bogus gift cards online. Be wary of buying gift cards from third parties; just imagine how embarrassing it would be to find out that the gift card you gave your mother-in-law was fraudulent!

8. Holiday SMiShing - "SMiShing" is phishing via text message. Just like with email phishing, the scammer tries to lure you into revealing information or performing an action you normally wouldn't do by pretending to be a legitimate organization.

9. Phony e-tailers - Phony e-commerce sites, that appear real, try to lure you into typing in your credit card number and other personal details, often by promoting great deals. But, after obtaining your money and information, you never receive the merchandise, and your personal information is put at risk.

10. Fake charities - This is one of the biggest scams of every holiday season. As we open up our hearts and wallets, the bad guys hope to get in on the giving by sending spam emails advertising fake charities. 

11. Dangerous e-cards - E-Cards are a popular way to send a quick “thank you” or holiday greeting, but some are malicious and may contain spyware or viruses that download onto your computer once you click on the link to view the greeting.

12. Phony classifieds - Online classified sites may be a great place to look for holiday gifts and part-time jobs, but beware of phony offers that ask for too much personal information or ask you to wire funds via Western Union, since these are most likely scams.

Using multiple devices provides the bad guys with more ways to access your valuable “Digital Assets,” such as personal information and files, especially if the devices are under-protected. One of the best ways for consumers to protect themselves is to learn about the criminals’ tricks, so they can avoid them.

Beyond that they should have the latest updates of the applications on their devices in order to enjoy a safe online buying or other experience. We don't want consumers to be haunted by the scams of holidays past, present and future; they can't afford to leave the door open to cyber-grinches during the busy holiday season.

Wednesday, November 7, 2012

Be Aware of Facebook Scams

Scammers are targeting Facebook users

There is a new phishing scheme targeting Facebook users. Falsely notifying the user of a blocked account via email, the scam attempts to get victims clicking - leading them straight to a malicious website that will steal their information. 

See below for an example of this current social engineering attempt.



If you get an email like this, simply delete it and never click anything! Optionally, before deleting you can forward the email to the Facebook security team so they can fight against such scams.

Saturday, September 1, 2012

Don't post risqué photos online

Hackers Have Home-Field Advantage

Many of you reading that warning may be thinking "No kidding." But, you'd be surprised how many seemingly self-aware, intelligent, should-know-better adults continue to participate in this risky behavior. 

Even if you believe you are posting photos in a private or password-protected location, keep this in mind: If it's on the Internet, it's vulnerable. Hackers have been at this for years and know exactly how to get into "protected sites" to gain access to your information. Plus, the people to whom you've given access to your spicy photos can also copy and post them elsewhere for the world to see and to your embarrassment.

This is particularly evident with the emergence of a recent hacker trend called "fusking." Fuskers hack their way into secure sites with the sole intention of finding nude and other compromising images. And doing unthinkable and unsavory things with them.

Keep in mind the young people in your life may lack the common sense or the perspective necessary to understand just how vulnerable images like these can be, nor what kind of an impact their publication could have on their lives. Frequent reminders and modeling appropriate online behavior are the best ways to prevent your children and others from a potentially life-changing bad move online.

Monday, May 21, 2012

How to protect your Facebook account from hackers?

Nine Major Ways Criminals Use Facebook
  1. Hacking Accounts

    When criminals hack a Facebook account, they typically use one of several available “brute force” tools, Grayson Milbourne, Webroot’s Manager of Threat Research for North America, told 24/7 Wall St. in an interview. These tools cycle through a common password dictionary, and try commonly used names and dates, opposite hundreds of thousands of different email IDs.

    Once hacked, an account can be commandeered and used as a platform to deliver spam, or — more commonly — sold. Clandestine hacker forums are crawling with ads offering Facebook account IDs and passwords in exchange for money. In the cyber world, information is a valuable thing.
  2. Commandeering Accounts
    A more direct form of identity theft, commandeering occurs when the criminal logs on to an existing user account using an illegally obtained ID and password. Once they are online, they have the victim’s entire friend list at their disposal and a trusted cyber-identity.

    The impostor can use this identity for a variety of confidence schemes, including the popular London scam in which the fraudster claims to be stranded overseas and in need of money to make it home. The London scam has a far-higher success rate on Facebook — and specifically on commandeered accounts — because there is a baseline of trust between the users and those on their friends list.
  3. Profile Cloning
    Profile cloning is the act of using unprotected images and information to create a Facebook account with the same name and details of an existing user. The cloner will then send friend requests to all of the victim’s contacts. These contacts will likely accept the cloner as a friend since the request appears to be from someone they’re familiar with. Once accepted, the crook has access to the target’s personal information, which they can use to clone other profiles or to commit fraud.

    As Grayson Milbourne puts it, “Exploiting a person’s account and posturing as that person is just another clever mechanism to use to extract information.” Perhaps what’s scariest about this kind of crime is its simplicity. Hacking acumen is unnecessary to clone a profile; the criminal simply needs a registered account.
  4. Cross-Platform Profile Cloning

    Cross-platform profile cloning is when the cyber criminal obtains information and images from Facebook and uses them to create false profiles on another social-networking site, or vice versa. The principle is similar to profile cloning, but this kind of fraud can give Facebook users a false sense of security because their profile is often cloned to a social platform that they might not use. The result is that this kind of fraud may also take longer to notice and remedy.
  5. Phishing
    Phishing on Facebook involves a hacker posing as a respected individual or organization and asking for personal data, usually via a wall post or direct message. Once clicked, the link infects the users’ computers with malware or directs them to a website that offers a compelling reason to divulge sensitive information. A classic example would be a site that congratulates the victims for having won $1,000 and prompts them to fill out a form that asks for a credit card and Social Security number.

    Such information can be used to perpetrate monetary and identity fraud. Grayson Milbourne of Webroot also explained that spearphishing is becoming increasingly common, a practice that uses the same basic idea but targets users through their individual interests.
  6. Fake Facebook
    A common form of phishing is the fake Facebook scam. The scammers direct users via some sort of clickable enticement, to a spurious Facebook log-in page designed to look like the real thing. When the victims enter their usernames and passwords, they are collected in a database, which the scammer often will sell.

    Once scammers have purchased a user’s information, they can take advantage of their assumed identity through apps like Facebook Marketplace and buy and sell a laundry list of goods and services. Posing as a reputable user lets the scammer capitalize on the trust that person has earned by selling fake goods and services or promoting brands they have been paid to advertise.
  7. Affinity Fraud
    In cases of affinity fraud, con artists assume the identity of individuals in order to earn the trust of those close to them. The criminal then exploits this trust by stealing money or information. Facebook facilitates this type of fraud because people on the site often end up having a number of “friends” they actually do not know personally and yet implicitly trust by dint of their Facebook connection.

    Criminals can infiltrate a person’s group of friends and then offer someone deals or investments that are part of a scheme. People can also assume an identity by infiltrating a person’s account and asking friends for money or sensitive information like a Social Security or credit card number.
  8. Mining Unprotected Info
    Few sites provide an easier source of basic personal information than Facebook. While it is possible to keep all personal information on Facebook private, users frequently reveal their emails, phone numbers, addresses, birth dates and other pieces of private data. As security experts and hackers know, this kind of information is often used as passwords or as answers to secret security questions.

    While the majority of unprotected information is mined for targeted advertising, it can be a means to more pernicious ends such as profile cloning and, ultimately, identity theft.
  9. Spam
    Not all spam — the mass sending of advertisements to users’ personal accounts — is against the law. However, the existence of Facebook and other social sites has allowed for a new kind of spam called clickjacking. The process of clickjacking, which is illegal, involves the hacking of a personal account using an advertisement for a viral video or article.

    Once the user clicks on this, the program sends an advertisement to the person's friends through their account without their knowledge. This has become such an issue for the social media giant that earlier this year the company teamed up with the U.S. Attorney General to try to combat the issue.
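As an added example (not from the original article or from Webroot), here is a defender-side check for the kind of links described under items 5 and 6: it parses a link and reports whether the hostname really belongs to facebook.com or merely carries the brand name somewhere it does not count, the trick behind spurious log-in pages. The trusted-domain list, the character-swap table and the sample URLs are constructed for this example.

```python
"""Added example: classify a link by whether its host really is the brand
it appears to be. Everything here (domain list, swap table, samples) is
constructed for illustration, not taken from Facebook or Webroot."""
from urllib.parse import urlparse

# Registrable domains the user expects a genuine log-in page to live on.
TRUSTED_DOMAINS = {"facebook.com"}

# Digit-for-letter swaps commonly seen in look-alike hostnames (constructed,
# not exhaustive). str.translate applies them character by character.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "4": "a"})


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    'login.facebook.com' -> 'facebook.com'. Simplified on purpose: production
    code should consult the Public Suffix List so 'example.co.uk' is handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """Classify a link a user is about to click.

    Returns one of:
      'trusted'   - host is (a subdomain of) a trusted brand domain
      'lookalike' - host is NOT trusted but shows the brand name somewhere
      'unrelated' - host has nothing to do with the brand (not necessarily safe)
      'malformed' - no usable hostname could be parsed
    """
    # Bare hostnames ("facebook.com.evil.example/login") have no scheme;
    # add one so urlparse fills in netloc instead of path.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "malformed"

    # The only thing that matters is the registrable domain, not whether the
    # string "facebook" appears as a subdomain, in the path or in the userinfo.
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"

    # Subdomain trick (facebook.com.account-verify.example) or digit swaps
    # (faceb00k-login.example): undo swaps and hyphens before matching.
    normalised = host.translate(HOMOGLYPHS).replace("-", "")
    brands = {domain.split(".")[0] for domain in TRUSTED_DOMAINS}
    if any(brand in host or brand in normalised for brand in brands):
        return "lookalike"

    # Userinfo trick: http://facebook.com@evil.example/ shows the brand first,
    # but the browser connects to evil.example.
    userinfo = (parsed.username or "").lower()
    if any(brand in userinfo for brand in brands):
        return "lookalike"

    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, each exercising one branch of classify_link.
    samples = [
        "https://www.facebook.com/login",
        "http://facebook.com.account-verify.example/",
        "http://faceb00k-login.example/",
        "http://facebook.com@evil.example/",
        "https://example.org/",
        "",
    ]
    for link in samples:
        print(f"{classify_link(link):10s} {link!r}")
```

Only the registrable domain decides "trusted"; anything that merely looks like the brand is reported separately so the reader can see why a cautious glance at the address bar is not enough.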

Sunday, April 29, 2012

The Risk of Social Engineering on Control Systems

Social engineering provides an effective means for attackers to gain access to systems


While many social engineering attempts, such as those that we receive in our inbox every day in the form of spam and phishing emails, are easy for most to recognize, these attempts can also be highly targeted and conducted in a way that is much more difficult to detect.


Phone-based social engineering attempts were recently experienced at two or more power distribution companies. The utilities received a call from a representative of a large software company – yes, the one that sold them the operating system on their computers – warning them that their PCs had viruses and to "Please take the following steps so I can help you correct the problem."


The calls purported to be from the “Microsoft Server Department” informing the utilities that they had a virus. Of course, it wasn’t really Microsoft calling, but rather an attacker, attempting to socially engineer the utilities to gain access to their systems. The caller tried to convince the transmission managers to start certain services on their computer (likely, those services would have allowed unauthorized remote access).


Fortunately for the customers of those utilities, the transmission managers recognized the social engineering attempts, refused to comply, and hung up. This event points out the need for continued vigilance for everyone involved in critical infrastructure, particularly regarding recognition of social engineering attempts.


If you are unsure whether the request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided in a URL or link connected to the request; instead, check previous statements or go to the website directly for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).


ICS-CERT recommends that organizations remind users to review US-CERT TIP Avoiding Social Engineering and Phishing Attacks to learn more about what to look out for and what to do if you have fallen victim to this. If you have experienced something similar or think you have revealed sensitive information about your organization, ICS-CERT recommends reporting it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.


In addition, immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future. ICS-CERT also encourages reporting these incidents to ICS-CERT or your local ISAC for tracking and correlation.


ICS-CERT issued an alert on the US-CERT Secure Portal warning asset owners and operators of this observed activity. ICS-CERT often releases information pertaining to a wide variety of threats on the US-CERT Secure Portal as well as to the ICS-CERT public web page.


Asset owners and operators can request access to this vetted access portal by e-mailing ICS-CERT@dhs.gov.

Source: http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_March_2012.pdf and infosecisland.
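An added detection example (not from the ICS-CERT note or its source) for the outcome the calls above were after: Python that scans constructed Windows System-log export lines for Service Control Manager events 7040 and 7036 showing a remote-access service being enabled and then started on an operator workstation. The watchlist of service display names and the pipe-delimited export format are assumptions; the note does not say which services the caller asked for.

```python
import re
from collections import namedtuple

# Assumed watchlist of Windows service display names that grant remote access; the
# ICS-CERT note does not name the services the caller wanted started, so this is a guess.
REMOTE_ACCESS_SERVICES = {"Remote Registry", "Remote Desktop Services",
                          "Windows Remote Management (WS-Management)"}

# Service Control Manager message formats: 7036 (state change) and 7040 (start type change).
RUNNING_RE = re.compile(r"The (?P<svc>.+?) service entered the running state\.")
STARTTYPE_RE = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.")

Finding = namedtuple("Finding", "time host event service detail")

def parse_line(line):
    """Parse one 'time|host|event_id|source|message' line (constructed export format)."""
    time, host, event_id, source, message = line.split("|", 4)
    return time, host, int(event_id), source, message

def find_remote_access_changes(lines):
    """Flag watchlisted services being re-enabled from 'disabled' or entering the running state."""
    findings = []
    for line in lines:
        time, host, event_id, source, message = parse_line(line)
        if source != "Service Control Manager":
            continue
        if event_id == 7036:
            m = RUNNING_RE.match(message)
            if m and m.group("svc") in REMOTE_ACCESS_SERVICES:
                findings.append(Finding(time, host, event_id, m.group("svc"), "started"))
        elif event_id == 7040:
            m = STARTTYPE_RE.match(message)
            if m and m.group("svc") in REMOTE_ACCESS_SERVICES and m.group("old") == "disabled":
                findings.append(Finding(time, host, event_id, m.group("svc"),
                                        "enabled: %s -> %s" % (m.group("old"), m.group("new"))))
    return findings

# Constructed sample export: a user talked through enabling Remote Registry, then RDP.
SAMPLE_LOG = [
    "2012-03-14 09:41:52|TX-OPS-07|7040|Service Control Manager|The start type of the Remote Registry service was changed from disabled to demand start.",
    "2012-03-14 09:42:11|TX-OPS-07|7036|Service Control Manager|The Remote Registry service entered the running state.",
    "2012-03-14 09:42:30|TX-OPS-07|7036|Service Control Manager|The Windows Update service entered the running state.",
    "2012-03-14 09:43:05|TX-OPS-07|7036|Service Control Manager|The Remote Desktop Services service entered the running state.",
]

if __name__ == "__main__":
    for f in find_remote_access_changes(SAMPLE_LOG):
        print(f)
```

A 7040 "disabled -> demand start" on a host where that service is never supposed to run is the higher-value signal; the 7036 start that follows it confirms the caller got what they asked for.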

Tuesday, February 7, 2012

Ten little things to secure your online presence

Life online can be a bit of a minefield, especially when it comes to avoiding malicious hacker attacks.

Here’s some basic advice on the tools and tricks you can implement immediately to secure your identity and online presence.

You’ve all heard the basic advice — use a fully updated anti-malware product, apply all patches for operating system and desktop software, avoid surfing to darker parts of the Web, etc. etc.

Those are all important but there are a few additional things you can do to secure your online presence and keep hackers at bay. Here are 10 little things that can provide big value:

1. Use a Password Manager

Password managers have emerged as an important utility to manage the mess of creating strong, unique passwords for multiple online accounts. This helps you get around password-reuse (a basic weakness in the identity theft ecosystem) and because they integrate directly with Web browsers, password managers will automatically save and fill website login forms and securely organize your life online.

Some of the better ones include LastPass, KeePass, 1Password, Steganos and Kaspersky Password Manager. Trust me, once you invest in a Password Manager, your life online will be a complete breeze and the security benefits will be immeasurable.

2. Turn on GMail two-step verification

Google’s two-step verification for GMail accounts is an invaluable tool to make sure no one is logging into your e-mail account without your knowledge. It basically works like the two-factor authentication you see at banking sites and uses text messages sent to your phone to verify that you are indeed trying to log into your GMail. It takes about 10 minutes to set up and can be found at the top of your Google Accounts Settings page. Turn it on and set it up now.

While you’re there, you might want to check the forwarding and delegation settings in your account to make sure your email is being directed properly. It’s also important to periodically check for unusual access or activity in your account. You can see the last account activity recorded at the bottom of the GMail page, including the most recent IP addresses accessing the account.

3. Switch to Google Chrome and install KB SSL Enforcer

With sandboxing, safe browsing and the silent patching (auto-updates), Google Chrome’s security features make it the best option when compared to the other main browsers. I’d also like to emphasize Google’s security team’s speed at fixing known issues, a scenario that puts it way ahead of rivals.

Once you’ve switched to Chrome, your next move is to install the KB SSL Enforcer extension, which forces encrypted browsing wherever possible. The extension automatically detects if a site supports SSL (TLS) and redirects the browser session to that encrypted session. Very, very valuable.

4. Use a VPN everywhere

If you’re in the habit of checking e-mails or Facebook status updates in coffee shops or on public WiFi networks, it’s important that you use a virtual private network (VPN) to encrypt your activity and keep private data out of the hands of malicious hackers.

The video above explains all you need to know about the value of VPNs and how to set it up to authenticate and encrypt your web sessions. If you use public computers, consider using a portable VPN application that can run off a USB drive.

5. Full Disk Encryption

The Electronic Frontier Foundation (EFF) has made this a resolution for 2012 and I’d like to echo this call for computer users to adopt full disk encryption to protect your private data. Full disk encryption uses mathematical techniques to scramble data so it is unintelligible without the right key.

This works independently of the policies configured in the operating system software. A different operating system or computer cannot just decide to allow access, because no computer or software can make any sense of the data without access to the right key. Without encryption, forensic software can easily be used to bypass an account password and read all the files on your computer.

Here’s a useful primer on disk encryption and why it might be the most important investment you can make in your data. Windows users have access to Microsoft BitLocker while TrueCrypt provides the most cross-platform compatibility.

6. Routine Backups

If you ever went through the sudden death of a computer or the loss of a laptop while travelling, then you know the pain of losing all your data. Get into the habit of automatically saving the contents of your machine to an external hard drive or to a secure online service.

Services like Mozy, Carbonite or iDrive can be used to back up everything — from files to music to photos — or you can simply invest in an external hard drive and routinely back up all the stuff you can’t afford to lose. For Windows users, here’s an awesome cheat sheet from Microsoft.

7. Kill Java

Oracle Sun’s Java has bypassed Adobe software as the most targeted by hackers using exploit kits. There’s a very simple workaround for this: Immediately uninstall Java from your machine. Chances are you don’t need it and you probably won’t miss it unless you’re using a very specific application. Removing Java will significantly reduce the attack surface and save you from all these annoying checked-by-default bundles that Sun tries to sneak onto your computer.

8. Upgrade to Adobe Reader X

Adobe’s PDF Reader is still a high-value target for skilled, organized hacking groups so it’s important to make sure you are running the latest and greatest version of the software. Adobe Reader and Acrobat X contains Protected Mode, a sandbox technology that serves as a major deterrent to malicious exploits.

According to Adobe security chief Brad Arkin, the company has not yet seen a single piece of malware that is effective against a version X install. This is significant. Update immediately. If you still distrust Adobe’s software, you may consider switching to an alternative product.

9. Common sense on social networks

Facebook and Twitter have become online utilities and, as expected, the popular social networks are a happy hunting ground for cyber-criminals. I strongly recommend against using Facebook because the company has no respect or regard for user privacy but, if you can’t afford to opt out of the social narrative, it’s important to always use common sense on social networks.

Do not post anything sensitive or overly revealing because your privacy is never guaranteed. Pay special attention to the rudimentary security features and try to avoid clicking on strange videos or links to news items that can lead to social engineering attacks. Again, common sense please.

10. Don’t forget the basics

None of the tips above would be meaningful if you forget the basics. For starters, enable Windows Automatic Updates to ensure operating system patches are applied in a timely manner. Use a reputable anti-malware product and make sure it’s always fully updated.

Don’t forget about security patches for third-party software products (Secunia CSI can help with this). When installing software, go slowly and look carefully at pre-checked boxes that may add unwanted crap to your machine. One last thing: Go through your control panel and uninstall software that you don’t or won’t use.