Three Fast 'Data Privacy Day' Tips

In advance of the annual international Privacy Data Day, please share these three action tips to protect the privacy of consumers and businesses:

• Nothing is truly free, including mobile apps. Be aware of the personal information you give mobile app providers. Many free apps sell your information to a wide range of companies, some of which may have malicious intents. Studies have shown most apps do not have many, or even any, security controls built in. Check privacygrade.org to see if the app you want respects your privacy and has security built in.
   
• Be cautious with new "smart" devices. A wide range of new and unique gadgets -- from socks to smart cars -- connects you directly to other entities (and even to the Internet) to automatically share information about your activities, location and personal characteristics. Before using such devices, make sure you know which data they are collecting, how it will be used and with whom it will be shared.
   
• Only share personal information with trusted sources. Be extra careful not to share sensitive personal information, such as social security numbers, credit card numbers and driver's license numbers. Don't do business with an entity that does not have a posted privacy notice.

Be Mindful - Does Mobile Apps Respect Your Privacy?

'Stickybeak' Apps Threaten User Privacy 

Not surprisingly, a new report has found mobile apps are failing to provide users with basic privacy protections.

The report's authors put the failures they detected into three basic categories. Sixty percent of the apps they studied either:

• Did not disclose how they used personal information
• Required the user to give up an excessive amount of personal data
• Communicated privacy policies in type too small to be read on a phone's screen

As the Wall Street Journal points out in this blog post, it's not currently required for apps to have a privacy policy. However, we may soon see changes in this area of the law, especially where health apps are concerned. Currently, there are more than 100,000 health-related apps just available via smartphones.

Be mindful of any app that does not include a privacy policy, and train yourself not to just hit "Accept" on those data-gathering permission requests that pop up after you download a new one.

You should absolutely understand what you are being asked to give up to take advantage of the app. Is it worth it?

Facebook’s Browser-spying Campaign

Facebook using the browsing data of its members to target the ads of its advertising partners

The Facebook used by billions is sharing its users' online behavior in ways it previously said we could opt out of. 

As Venture Beat reports, anytime a Facebook user visits a site with a "Like" button (any site, not just a Facebook page), that visit is stored by Facebook and used to better target the ads of its advertising partners. No need for the user to actually click the Like button. The page visit is enough to trigger the storage of user data.

I actually tested this by visiting several types of websites I've never visited before. Low and behold, I started seeing ads for associated items on my Facebook page.

There are a few tools that allow you to block sites like Facebook from inserting tracking code into your browser. Learn about them here. 

Video Footages: ATM Skimming!

Be on the lookout for these four tricks and traps

A Handy Way to Foil ATM Skimmer Scams - Thieves continue to place hidden cameras at ATMs to surreptitiously record customers entering their PINs. This previously reported way to stop from being a victim still works against the hidden cameras.

Basic Security for Personal Cloud Storage

Avoid using Personal Cloud Storage for confidential/sensitive data

Dropbox and other file-storage and sharing applications like it are incredibly helpful to business travelers. Not having to lug along a laptop or risk misplacing a thumb drive certainly add to the enjoyment of time away from the office.

However, these applications do come with some risks. This is especially true when users generate links to share information with others. Several basic flaws within Box and Dropbox specifically allow the shared documents to be viewed by third parties.

It comes down to this: Many people do not take basic security steps, even when communicating highly sensitive information. Worse, they may even mix their personal communications and information with confidential workplace data.

For its part, Dropbox disabled all access to public links and created a patch to keep shared links from becoming public. However, this is the third security breach for Dropbox in as many years, so diligence on the site and others like it has to be considered among users.

When considering a file-sharing service site, follow these rules of thumb:

1. Use a strong password.
2. Encrypt files in storage ("files at rest").
3. Encrypt files sent to and obtained from the site ("files in motion").
4. Look for a third-party security and privacy audit or some other validation that the site truly is secure.
5. Do an online search to see if the service has been breached in the past year or two.
6. Make sure that you can completely remove all files from the site when you stop using it.

Havex Malware targeting SCADA/ICS

Havex Summary Report - Threats & Mitigation

A previous spot report released by Cimation's ICS Threat Intelligence team provided a threat overview of Havex, the malware family being used for targeted attacks against specific industry sectors. What many reports fail to mention is that this malware code has been altered to specifically target ICS/SCADA systems.

In this newly-released summary report, Cimation's ICS Threat Intelligence and Vulnerability Research Teams expose the operational-level impact and technical indicators of compromise from this attack.

Download the Report to access:

• A detailed Havex threat summary and overview.
• How Havex infects and affects your systems.
• Technical analysis and breakdown of the Havex threat.
• Tactical mitigation strategies for prevention, detection and removal of this threat.

Infographic - 78% of Organizations Experienced a Data Breach in the Past 2 Years

Cybercriminals steal $1 billion every year from small and medium-sized businesses in the U.S. and Europe

The folks at Imprima have compiled this infographic, complete with facts about data loss and data breaches in the small business community.

What Becomes Of Your Online Accounts After You Die?

...until death do us part

Have you ever wondered what becomes of your online accounts after you die? The Washington Post recently looked into the question, and reports that "The immortality of one's digital accounts is one of the more morbid philosophical wrinkles of modern life."

Here are a few of the take-aways from the article: Family who want to access these accounts often can't. Digital asset laws vary greatly by state and country.

The spookiest take-away: Artificial intelligence-like technology may someday Tweet in a user's voice after he or she dies.

Pace and Volume of Regulatory Change are the Biggest Factors in Leading to Risk Evaluation Failures

Results of Bank Director’s 2014 Risk Practices Survey

The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

It’s classically challenging for many banks to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on financial performance.

Survey Findings

• 97 percent of the respondents reported the bank has a chief risk officer in place or equivalent.
• 63 percent said that a separate risk committee on the board oversaw risks.
• 64 percent of banks that have the separate risk committee reported that the bank’s strategic plan plus risk mitigation strategies got reviewed; the other 36 percent weren't doing this.
• 30 percent of the respondents believed that the bank’s risk appetite statement encompasses all potential risks.
• Of this 30 percent, less than half actually use it to supply limits to the board and management.
• The survey found that the risk appetite statement, risk dashboard and the enterprise risk assessment tools aren't getting fully used.
• And only 30 percent analyze their bank’s risk appetite statement’s impact on financial execution.
• 17 percent go over the bank’s risk profile monthly at the board and executive level, and about 50 percent review such only quarterly; 23 percent twice or once per year.
• 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
• 53 percent want more understanding of newer risks like cyber security issues.
• Senior execs want the board to have more training in overseeing the risk appetite and related issues.
• 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
• Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

Quick Round-up of Some of the Latest Tricks and Traps

Beware of new scams and privacy pitfalls

New ways to fool people out of their money, information and identities pop up nearly every day. Here's a quick round up of some of the latest tricks and traps:

New Scam Targets Homeless: Fraudsters pay homeless people to take out cell phone contracts in their names. The fraudsters keep the phones, rack up the bills and then sell the phones, ruining the homeless person's credit.

Getty Images Allows Free Embedding, but at What Cost to Privacy? People can embed images in their sites for free, so long as they use the provided embed code and iframe. Because of the scope of Gettys' reach, this may allow the company to correlate more information about a user's browsing history than any single site could. Just another reminder that nothing's truly free in this world!

Human Error Tops Ponemon Patient Data Security Study Threats: 75 percent of healthcare organizations view employee negligence as the greatest data breach threat. This result underscores the importance of good security and privacy controls (and excellent employee training!) in healthcare environments. This extends to medical device manufacturers, who often work off very old technology software and continue to insist that controls are too cost-prohibitive.

The Data Brokers - Selling Your Personal Information: 60 Minutes' Steve Kroft recently reported on his investigation of the multibillion dollar industry that collects, analyzes and sells the personal information of millions of Americans with virtually no oversight.

Facebook Users should enable Two-Factor Authentication

Securing Your Facebook Account With 2-Factor Authentication

This Facecrooks article discusses a very important topic - "Securing your Facebook profile" - and gives step-by-step instructions for enabling two-factor authentication. The idea is to keep out anyone attempting to access your profile from a device Facebook doesn't recognize.

Astoundingly, two years ago at least  13 million U.S. Facebook users didn't use or weren't aware of the social network's privacy control settings. Based on various news reports covering Facebook privacy, it is anticipated that this number has not gotten smaller, but more likely has increased (perhaps by a significant amount now that there are more than a billion active mobile Facebook users).  

How many of these millions are within your employee, patient or customer communities? How does this impact you personally, or put your own information at risk? Remember, your privacy can be impacted simply by being associated with "friends" who don't activate their privacy control settings. 

Understanding how your stakeholders use Facebook and other social networks is a critical component to protecting yourself, your organization and the people it serves.   

WARNING! Your Flash Player may be out of date.

Adobe Flash Malware driven by infected "Router" The Moon Malware

Few days ago, I started to receive a pop-message "WARNING! Your Flash Player may be out of date". Please update to Continue., when I was trying to access websites like Facebook, YouTube, Google, etc.

If you're receiving a similar message then continue to read but make sure you don't click on anything nor try to update the flash player from the pop-window. You may check your current version of the "Adobe Flash Player" by visiting "Adobe" official website. If you're using Google Chrome browser, it already includes Adobe Flash Player built-in. Google Chrome will automatically update when new versions of Flash Player are available.

You will also notice that the same message is poping-up on all the devices which are connected to the same router (mobile phones, laptops etc.).

Now even the dumbest person should know it is not coming from computer but from the network which means your router is infected. It's commonly happening with Linksys, Asus and few other manufacturers.

How to fix this?

• Reset your router (by holding down the reset button under the router for 6 seconds). Note after restart all your ISP settings will be lost.
• Configure your router again with the ISP settings (username and password also required).
• Clear your browsers cache and pop-up message will not appear again.

Refer here for some basic tips on hardening your router to avoid such things happening again.

Why You Need Security Strategy and How to Develop one?

Some questions we need to address before we embark on Information Security Improvement journey!

Edward Snowden’s leaks to the press, we now know that there has been systematic, broad and deep surveillance of online activity at a scale that could not have been previously imagined. Beyond simply snooping, the revelations pointed to infiltration of the hardware and software we rely on to secure our communications.

When it comes to policies and strategies, it’s hard to go past the tried and tested ways of the past. The best way to make a start is by doing SWOT analysis: Strengths, Weaknesses, Opportunities and Threats. 

Strengths
Look within your organisation. There are bound to be some really good things happening when it comes to Information Security. For example, you might have a very well-educated workforce that never open unexpected attachments. Or your IT team is very conscious of the potential threats to your business and have solid systems and processes in place to deal with them.

Weaknesses
Over the last 15 years, the focus of security in enterprises has been on vulnerability tracking and making sure that your systems are protected from external attacks. While that’s still important, it should only be one facet of your total security strategy. Have you considered what happens once someone gets past your firewalls and other blocking mechanisms? Or if the attack starts from within?

Give some consideration in your strategy to dealing with attacks once they are in action. Are your people ready to react once there is a breach? Are they across the latest threats and attack vectors?

Perhaps the most often seen security weakness (in our observation) is that managing compliance with the security policy is seen as an annual project that’s executed in order to keep auditors happy.

If that’s the case in your business, look for ways to alter that culture.

Opportunities
Aside from using security as a way to get lots of shiny new gear into your server racks or to justify new services, getting your Information Security right can be a great chance to re-engage IT with the business. Look for ways to turn the security conversation into an opportunity to change service delivery. It’s also a great way to further the professional development of your staff.

If you have some strong skills in data analytics in the business, you might find you can give them a new challenge by engaging them in threat intelligence.

Employing red/blue team exercises regularly doesn’t just improve your security response but can be a great way to add some excitement to how you manage security.

Review existing systems and processes to find the security issues. You might find it becomes an opportunity to ditch an old legacy system that’s costing lots of time and resources to maintain.

Threats
Over the last year, it’s become apparent that the threats of last decade are really just background noise today. Sure, we need to keep our firewalls locked down and end-point protection up to date but what can you do when your hardware is compromised or a nation-state can break through your encryption?

These are real threats today. Stuxnet, back in 2010, compromised a nuclear power plant. It is believed by many that it was part of an attack by one government against another. Today, Snowden’s documents tell us that the NSA can intercept a massive array of data. And not just from enemies but from within friendly states.

• So, when was the last time you reviewed your security policy?
• Does it take into account new security mitigation techniques?
• Have you adjusted the skills in your business to manage changing attack methods?
• Is security a once-a-year audit activity?

USB Attacks Need Physical Access Right? Not Any More

Exploiting USB Driver vulnerabilities

NCC Group Research Director Andy Davis presented 'USB Attacks Need Physical Access Right? Not Any More...' at this year's BlackHat Asia in Singapore.

Due to recent advances in a number of remote technologies, USB attacks can now be launched over a network. The talk went into detail about how these technologies work, the resulting impact on the world of USB bugs and included a live demo remotely triggering a USB kernel bug in Windows 2012 server.

It's an interesting research, refer here to download the paper and learn more about USB Bugs.

Three of the Biggest Threats to Company’s Cyber Security

Phishing, Malicious Political Attacks & Monetary Fraud

Every business needs to address the ever-changing cyber threats that now make their way the Internet. It is not enough to merely install anti-virus software and believe that this will solve all of a business’ problems. Here are three of the biggest threats to company’s cyber security that you should know.

Phishing

Phishing is a practice in which hackers gain access to private consumer data. Frequently, a hacker creates an email to look like it was issued by your company. A customer may then respond to the email and provide his or her personal information. The hacker then preys upon this disclosure and uses it to open credit cards, make unauthorized charges and take advantage of the consumer’s identity. The essence of a phishing crime is that the hacker gains the trust of the customer. They may use sophisticated tactics to learn information about your customers, such as the names of relatives. The hacker then may pretend to be one’s distant relative to ask for financial assistance from the consumer.

Businesses have a duty to protect their customers from phishing attacks. Businesses should realize that information even like consumer names can be private information. If a hacker gains access to consumer names, then he or she may use social networks like Facebook to learn more information about the customer. Businesses need to be aware of these practices and work with cyber security firms to prevent information disclosures.

Malicious Political Attacks

Businesses should also be aware that not every hacker is motivated by profits. Some hackers are residents of foreign nations and discontented with the notion of capitalism in general. These hackers are very sophisticated and using numerous methods to target specific businesses. One example of a recent attack included an attack on a satirical news company by the Syrian Electronic Army. The Syrian Electronic Army was able to hack into the servers for the news company and then make its own postings on the site. One mistake that businesses make is underestimating the abilities and sophistication of enemy nations or politically-motivated hackers.

The best way for businesses to handle attacks from politically-motivated data hackers is to be proactive in preventing attacks. Businesses should not use a reactive method of dealing with politically-motivated data hackers. A reactive method does not solve the actual issues that lead to the hacking of business accounts. A reactive method also does not provide security to a business, because a business may still be attacked by army hackers in the future.

Monetary Fraud Hackers

Unlike the Syrian Electronic Army, some hackers are only motivated by financial gain. These hackers only seek to gain access to checking accounts, savings accounts, trust funds, Social Security information and credit card information. These hackers attempt to gain access to the internal data systems of highly-profitable companies. They are very sophisticated in the tactics that they use to hack corporate accounts.

Businesses need to take preventative measures in protecting internal corporate data systems. Many businesses are realizing this and are now working with sophisticated firms to protect their internal data systems. A company can also be very selective in the access that it provides to internal information systems. If many employees have access to internal data systems, then a company may be jeopardizing the information of its customers.

More than ever, companies need to be proactive in addressing cyber security threats. Cyber threats can cause serious legal issues for companies in the event of a hack or leak. Taking time to improve a company’s data system security is an investment in the future of the company. Cyber threats are only likely to increase in the future years, and businesses must be ready to prevent these attacks.