Wednesday, October 31

Compromised Data Not Just an Online Deal

As consumers, when we hear that data was hacked or compromised, we immediately think of online transactions. That is not always the case: this past week the New York Times reported that hackers stole credit card information over the last month from 63 Barnes & Noble stores. The attackers tampered with the PIN pads where customers enter their credit card and PIN. The company is still trying to determine how it happened; what is more interesting about the case is that only one PIN pad per store was compromised. Security experts said company insiders could have inserted malicious code, or criminals could have persuaded an unsuspecting employee to click on a link containing malicious code in order to penetrate Barnes & Noble's systems.

This is not an isolated case. On December 7, 2011 a federal indictment was unsealed in New Hampshire against four Romanians who allegedly, from 2008 to May 2011, conspired to remotely hack into the point-of-sale systems of more than 200 US-based merchants to obtain credit card information; the main victim in this case was Subway restaurants.

There are many more examples than these. This is far more sophisticated than old-fashioned card skimming, and it is a problem consumers have no control over: beyond watching their statements for charges they did not make, the only way to avoid it is to pay cash, which many people no longer do.

References

Perlroth, N., & Schmidt, M. S. (2012, October 23). Credit Card Data Breach at Barnes & Noble Stores. Retrieved October 31, 2012, from New York Times.

Singer, B. (2012, September 17). Subway Restaurant POS Hacking Case Yields Guilty Pleas. Retrieved October 31, 2012, from Forbes.

Monday, October 22

Once Again Android Users Beware

I am a recent convert to the world of mobile phones; I have to say that security vulnerabilities are one aspect I never thought I would need to consider, until now. The first line of today's article in Cnet caught my attention and prompted me to research the matter further. It read: "Android applications are once again in the hot seat over possible security vulnerabilities."

So what happened? In June 2010 an article reported that 20% of the 48,000 Android applications surveyed allowed third-party applications access to private or sensitive data. Some applications were even found to make calls or send text messages without any interaction from the user. In that article Google said that it makes sure application developers confirm their real identities, and disables the accounts of those who cannot. The reason for these checks is that many developer names are aliases.

Fast forward two years and four months: researchers at Leibniz University of Hanover in Germany released a study of how legitimate Android applications hold up against attacks on their security protocols. The study found that eight percent of the applications used SSL/TLS improperly, leaving sensitive data open to attackers. Over 1,000 applications were willing to communicate over SSL with any server that presented a certificate, whatever that certificate was; in practice that means an attacker on the same network can present their own certificate and read or modify the traffic. Unlike in the 2010 incident, Google did not offer any comment.
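To make the "accepts any certificate" problem concrete, here is an added example (my own, not code from the study or from any of the apps it examined): a small Python scanner that flags the two patterns behind that finding in Java/Android source, a custom X509TrustManager whose checkServerTrusted never rejects a chain, and a HostnameVerifier that always returns true or is replaced by the allow-all constant. The three Java snippets it runs over are constructed for this post (class names such as TrustAll, DelegatingTrustManager and StrictVerifier are made up), and it is a brace-matching regex check for triaging decompiled app code, not a Java parser.

```python
"""Flag Android/Java TLS code that will trust any server certificate.

Added example for this blog post; the Java snippets are constructed
samples, not code from any real app or from the Hannover study.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample 1: checkServerTrusted() is empty, so it can never
# throw CertificateException and every chain is accepted.
VULNERABLE_TRUST_MANAGER = """
public class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // accept anything, including a self-signed cert from an attacker
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
"""

# Constructed sample 2: hostname checking disabled, so a valid certificate
# for attacker.example is accepted when the app connects to bank.example.
VULNERABLE_HOSTNAME_VERIFIER = """
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
});
SSLSocketFactory sf = SSLSocketFactory.getSocketFactory();
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

# Constructed sample 3: the right shape. Delegate to the platform trust
# manager and verifier (which reject untrusted chains and wrong names)
# and only add checks on top of them; pinMatches() is a made-up helper.
SAFE_TRUST_MANAGER = """
public class DelegatingTrustManager implements X509TrustManager {
    private final X509TrustManager platformTm;
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platformTm.checkServerTrusted(chain, authType);
        if (!pinMatches(chain[0])) {
            throw new CertificateException("certificate pin mismatch");
        }
    }
}
public class StrictVerifier implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) {
        return HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session);
    }
}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int    # 1-based line of the offending declaration or constant
    detail: str


def _line_of(src: str, index: int) -> int:
    return src.count("\n", 0, index) + 1


def _strip_comments(java: str) -> str:
    return re.sub(r"//[^\n]*|/\*.*?\*/", "", java, flags=re.S)


def _method_bodies(src: str, name: str) -> Iterator[Tuple[int, str]]:
    """Yield (declaration_index, body_text) for each method named `name`.

    Matches name + parameter list + optional throws clause + '{', then
    brace-matches to the end of the body. Braces inside string literals
    are not special-cased; this is a triage check, not a Java parser.
    """
    decl = re.compile(r"\b" + re.escape(name) + r"\s*\([^)]*\)[^{;]*\{")
    for m in decl.finditer(src):
        start = m.end()
        depth, i = 1, start
        while i < len(src) and depth:
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
            i += 1
        yield m.start(), src[start:i - 1]


def scan(src: str) -> List[Finding]:
    """Return the accept-anything TLS patterns found in one Java source file."""
    findings: List[Finding] = []

    # Rule 1: a checkServerTrusted() that neither throws nor delegates to
    # another trust manager can never reject a certificate chain.
    for idx, body in _method_bodies(src, "checkServerTrusted"):
        code = _strip_comments(body)
        if "throw" not in code and "checkServerTrusted" not in code:
            findings.append(Finding("accept-all-trust-manager", _line_of(src, idx),
                                    "checkServerTrusted() never throws or delegates"))

    # Rule 2: a HostnameVerifier.verify() whose whole body is `return true;`.
    for idx, body in _method_bodies(src, "verify"):
        if re.fullmatch(r"\s*return\s+true\s*;\s*", _strip_comments(body)):
            findings.append(Finding("accept-all-hostname-verifier", _line_of(src, idx),
                                    "verify() returns true unconditionally"))

    # Rule 3: library constants that switch hostname checking off outright.
    for m in re.finditer(r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier", src):
        findings.append(Finding("allow-all-hostname-constant", _line_of(src, m.start()),
                                m.group(0)))

    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for label, sample in [("TrustAll", VULNERABLE_TRUST_MANAGER),
                          ("hostname verifier", VULNERABLE_HOSTNAME_VERIFIER),
                          ("DelegatingTrustManager", SAFE_TRUST_MANAGER)]:
        hits = scan(sample)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line}: {f.rule} ({f.detail})")
```

The static check only finds the obvious shapes; the dynamic counterpart a tester would use is to route the app through an intercepting proxy whose CA the device does not trust. An app that keeps working through such a proxy has one of these bugs, whatever its source looks like.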

If you remember, in last week's blog I mentioned the FTC suing Wyndham Hotels and some of its franchises for not having proper security measures in place. To me, these issues with Android applications are another example where the FTC needs to intervene. Google needs to be more responsible and more closely test and monitor the products that developers are creating. Ultimately no one is going to remember which developer did what; all they are going to remember is the name "Google", and bad applications could in the end tarnish Google's image. Google needs to learn from the mistakes Wyndham Hotels made, because I do not think the FTC is too far behind.

References

Mills, E. (2010, June 22). Report says be aware of what your Android app does. Retrieved October 22, 2012, from Cnet

Reisinger, D. (2012, October 22). Some Android apps could leak personal data, researchers find. Retrieved October 22, 2012, from Cnet

Thursday, October 18

Who is looking out for us?

After my last blog, "Hackers are at it Again", I was left wondering who is protecting us, the public. I can understand that some attacks are inevitable, but what about the ones that could have been prevented if the organization had taken appropriate measures? You will be glad to know that yes, there is an organization looking out for the public, and it is called the Federal Trade Commission.

In testimony in 2003, FTC Commissioner Orson Swindle addressed the House Commerce, Trade, and Consumer Protection Subcommittee on the importance of preventing information security breaches. Swindle stated that good security is an ongoing process of assessing risks and vulnerabilities: companies must assess the risks they face on an ongoing basis and make constant adjustments to reduce them. Apparently some companies have not paid attention, Wyndham Hotels among them.

Recently the FTC filed suit against Wyndham Worldwide Corporation and three of its subsidiaries for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years. In 2008 intruders breached the network of a Wyndham-branded hotel in Arizona, installed "memory-scraping" malware (which reads card data out of a payment application's memory in the moment between the swipe and encryption) and gained access to the corporate network, which in turn gave them access to other properties. The end result: more than 500,000 payment card accounts were exported to a domain registered in Russia. There were two more incidents, one in early 2009 in which about 50,000 card accounts were accessed and another later in 2009 in which about 69,000 consumer accounts were accessed.

The FTC's reach goes further. I think at one point or another all of us have seen a message on a computer saying it is infected and to click on the banner, or an advertisement offering a free scan. Those of us in the IT business know better and recognize a scam. Unfortunately, millions of Americans fall for these scams. For example, AARP recently published an article titled "Feds Crack Down on Tech Fix-it Scam", reporting that the FTC obtained restraining orders against 14 companies that were scamming users. In this scam the "fake" tech support person would cold-call a consumer and pretend to be from Hewlett-Packard, Microsoft or another well-known company, telling the user they had received notification that the computer was infected. After the scammer "removed" the bogus malware, for a generous fee of course, the scammer also kept access to the system, taking personal information or leaving a program that gave them back-door access to that computer.

There are more cases like this. In a case the FTC brought in 2008, the court recently imposed a $163 million judgment against Kristy Ross for using "scareware" tactics to make users think their PCs were infected. The list goes on. As we can see, the government is finally doing something good; unfortunately I do not think it is enough. I say this because the number of scammers keeps growing, so either we need more than one agency or group protecting consumers, or the fines and penalties imposed are not enough to deter scammers. In the meantime, all I can suggest is better educating the public about the dangers that lurk in cyberspace.

References:

FTC Working to Protect Consumers and Businesses From Information Security Breaches. (2003, November 19). Retrieved October 16, 2012, from Federal Trade Commission

FTC Case Results in $163 Million Judgment against “Scareware" Marketer. (2012, October 2). Retrieved October 18, 2012, from FTC

Kirchheimer, S. (2012, October 3). Feds Crack Down on Tech Fix-it Scam. Retrieved October 18, 2012, from AARP


Monday, October 8

Hackers are at it Again

Are we able to stop hackers? The answer seems obvious: no. On October 3 a group of hackers calling themselves GhostShell claimed to have stolen thousands of personal records by breaching servers at more than 50 universities around the world, including top universities here in the United States, according to a report in Cnet. The group claims to have leaked about 120,000 records and to hold more on its own servers. In addition, the group says it has more projects in the works. Worse, this past August the same group released a vast quantity of data from banks, governments, consulting firms and many others.

How scary is hacking? After some searching I found some statistics on a website called StopTheHacker that would give anyone pause and show how serious this problem is.

  • PlayStation Network – Computers are not the only things hacked: in 2011 the Sony PlayStation Network had to shut down due to an "external intrusion" that compromised around 77 million accounts
  • Intellectual Property – In 2008 alone around $1 trillion worth of intellectual property was stolen
  • Passwords – it takes about 10 minutes to crack a password that is 6 characters long; add two more characters and it takes three years (the figure depends on the character set and on how fast the attacker can try guesses, so treat it as an illustration rather than a guarantee)
  • Victims – 73% of Americans have fallen victim to some type of cybercrime
  • Time is not on your side – on average 156 days pass between the time a computer resource is compromised and the time the compromise is detected
  • Business is Booming – in a StopTheHacker survey, 90% of the businesses that responded suffered some sort of attack and 77% of those felt they were successfully attacked
  • Zombies – In 2009 the security firm Finjan discovered a botnet run by a Ukrainian gang that consisted of over 1.9 million zombie computers. How much did the thieves make? Close to $190,000 per day
  • Infected Sites – Currently over 30,000 sites are considered infected
  • Vulnerable Sites – In 2010 the average website was found to have over 230 serious vulnerabilities
  • Identity Theft – 27 million Americans have fallen victim, 9 million last year alone

So how did all of this start? At first, hacking was not about stealing and malicious attacks. The first PC virus was written by two brothers from Lahore, Pakistan in 1986 to show that PCs running DOS were not as secure as IBM and Microsoft led people to believe. Fast forward 25 years and 99 percent of malware comes from criminal gangs (Honan, 2011).

This blog is not meant to scare anyone; it is meant to raise awareness as we mark security awareness month in October.

The FBI's Scams & Safety page has some very easy yet effective tips to keep your PC safe:

  • Keep your firewall turned on
  • Install or update your antivirus software
  • Install or update your antispyware technology
  • Be careful what you download
  • Turn off your computer

Just remember: security is not like Mother's Day, it does not happen just once a year. Security awareness has to be 24/7.

References

Ten Scariest Hacking Statistics. (2012, April 12). Retrieved October 7, 2012, from StopTheHacker

Honan, M. (2011, August 13). Why hackers write computer viruses. Retrieved October 7, 2012, from MSNBC

How to Protect Your Computer. (n.d.). Retrieved October 7, 2012, from FBI

Musil, S. (2012, October 3). Hackers post data from dozens of breached college servers. Retrieved October 7, 2012, from Cnet

Monday, October 1

Are Employers Going too Far?

This week's blog ties in a way to last week's. To refresh everyone's memory, last week's blog "The Enemy from Within" dealt with employees being the threat to employers, as opposed to hackers and viruses. While researching this week's blog I found articles about employers asking prospective employees for social media account information for screening purposes. Are employers looking for potential troublemakers before they are hired? What happened to the old methods: references, credit reports, and background checks? Are employers trying to find more cost-effective measures?

According to Alison Doyle of About.com, this practice is more commonly known as "shoulder surfing", and at the time her article was written, on August 11 of this year, there were no laws that specifically protected the social networking privacy of job seekers from sneaky employers. This is now changing. This past Thursday, September 27, California Governor Jerry Brown signed Assembly Bill 1844 and Senate Bill 1349, prohibiting employers and universities from demanding e-mail and social media passwords from prospective employees and students (Kerr, 2012).

The bill was authored by Assembly member Nora Campos. According to her office, there are more than 100 cases currently before the National Labor Relations Board that involve employers' workplace policies around social media. According to the article, Facebook has also said it has seen an increase in reports of employers seeking to gain inappropriate access to people's accounts.

Campos is not the only politician taking notice: Sen. Richard Blumenthal of Connecticut plans to propose legislation banning employers from requesting access to Facebook accounts as a term of employment (Cooper, 2012).

As a reader I don't even know what to think; this is such a violation of privacy and security. I think the HR managers, or whoever thought this policy was legal, missed the 101 class on policy making. Last week's chapter (Chapter 4) clearly outlines some basic rules:

  • Policy should never conflict with law
  • Policy must be able to stand up in court if challenged
  • Policy must be properly supported and administered

So it is obvious these employers failed to follow the first two rules. Not only are they committing what the ACLU calls an invasion of privacy, they are also violating the major networks' terms of service; furthermore, a company that has gained access to a social media account can be liable for any content posted there (Buck, 2012). Buck states that if the prospective employee posted an admission of guilt to a crime, his or her employer may find itself legally vulnerable.

I say employers need to continue with traditional methods of screening prospective employees without violating their right to privacy. Once someone is employed, by all means employers can monitor all they want; it is their right as an employer to make sure resources are used appropriately, and it is not a violation of privacy because employees have agreed to it.

References

Buck, S. (2012, April 5). What’s at Stake When Employers Ask for Social Media Passwords? [INFOGRAPHIC]. Retrieved September 30, 2012, from Mashable

Cooper, C. (2012, March 24). Fork over your Facebook log-on or you don't get hired. What? Retrieved September 30, 2012, from Cnet

Doyle, A. (2012, August 11). Employers Asking for Facebook Passwords. Retrieved September 30, 2012, from About.com

Kerr, D. (2012, September 27). Calif. law passed to halt employer snooping on social media. Retrieved September 30, 2012, from Cnet

Whitman, M., & Mattord, H. (2010). Why Policy? In M. Whitman & H. Mattord, Management of Information Security (p. 119). Boston: Course Technology.