Deloitte Hacked: Sensitive Personal Data and Confidential Filings Compromised.
Deloitte, a global accounting firm, was the victim of a cyber-attack. The incident was reported on Monday by Deloitte, which provided few details about the breach that affected the data of some clients.
Deloitte, a company registered in London, was hit by a cybersecurity attack that went unnoticed for months at its global headquarters in New York.
The Guardian newspaper, which broke the news of the Deloitte breach on Monday, confirmed the company’s statement and added that the company’s email platform was the route through which the attackers accessed the data used in the hack.
The U.S. Securities and Exchange Commission, Wall Street’s top regulator, and Equifax Inc, one of the largest credit-monitoring bureaus, reported this month that sensitive personal data and confidential filings were compromised by the hackers.
Shane Shook, an independent consultant who helps financial firms investigate cyber attacks, said the trend would continue to grow because attacks are being targeted at financial firms.
The firm said government authorities were contacted immediately, and that the “very few clients” affected by the hack were notified as soon as it became aware of the incident.
Deloitte is known as one of the world’s “big four” accountancy firms, providing accounting, consulting and auditing services, including advice on high-end cybersecurity and on mergers and acquisitions. It also runs a cyber security business that helps customers defend their networks and investigate breaches.
The Guardian also reported that six clients were contacted by Deloitte. The company did not reveal the names of the clients, or affirm how many clients it had contacted or disclose the type of data stolen.
The firm’s statement said: “No disruption has occurred to clients businesses, to Deloitte’s ability to continue to serve clients, or to consumers”.
Deloitte said it had enforced a “comprehensive security protocol,” using internal and external experts to help respond. The comprehensive security protocol was put into effect as soon as the incident was discovered.
A former federal cyber crimes prosecutor, Mark Rasch, said it is too early to say how severe the attack was because so little is known of what really happened.
He said the attack was “a big deal” considering Deloitte holds sensitive information about its customers across business units that provide accounting services, review or audit data on potential acquisitions and perform cyber security services.
A spokeswoman for the U.S. Federal Bureau of Investigation declined to comment, citing agency policy to neither confirm nor deny investigations.
CISO to CISO: Combating the Ever-Growing Phishing Threat Together
As a CISO, I think the cybersecurity community is beginning to realize that the threats we face as security professionals are consistently evolving, and, more importantly, that we must evolve just as quickly to combat them. Recent data collected by the Webroot® Threat Intelligence Platform on the acceleration of phishing attacks and the maturation of new, related criminal methodologies demonstrates that, to respond effectively, we must develop and leverage solutions that don’t just keep up with today’s threats, but predict their next moves.
Most CISOs, myself included, want solutions that can respond in real time and assist us in making critical decisions to not only protect our businesses, but reduce risk overall. A lot of the new solutions that might interest us can be integrated into a platform and allow us to consume different types of threat intelligence and data feeds so we can automate responses to attacks in real time.
3 Steps to Mitigate Phishing Risks
Phishing is the number one cause of breaches. Webroot BrightCloud® Web Reputation is one of the solutions I look to as a critical asset for any security team because it provides the knowledge, within milliseconds of selecting a URL, whether a site is malicious. This efficiency and accuracy allows security teams to be proactive in protecting their organizations—to prevent compromises, not react to them after the fact. In addition to leveraging this type of real-time intelligence technology, I recommend several steps to reduce the phishing risk to any organization and its employees.
Social Media Security Awareness
Social media is increasingly used by cybercriminals to research their targets. As such, CISOs should add social media security awareness training to their corporate security awareness curriculum. Personnel should be trained on the risks and given insight into how the data they publish in their profiles could be used to target them, their families, and the organizations they represent. In my experience, the majority of people on social media don’t take even the most basic security precautions, such as only connecting with people whom they know, or not allowing their profiles to be searched or viewed publicly.
Executive Exposure Prevention
Additionally, I recommend directing threat intelligence toward executive staff and assistants. An organization can provide a list of executive staff, board members, executive assistants, and other company VIPs to a threat intelligence service. The service can then scan the dark web and watch for anything related to the client organization and the list of provided personnel. This gives the organization’s security team advanced notice of possible phishing attacks against specific employees, and allows them to warn employees to mitigate risk, change passwords, and even shut down compromised accounts.
Given that the number of new unique phishing sites averages over one million per month, and that the lifespans of many such sites can be measured in mere hours, it’s clear we need new techniques to stop modern attacks. With this in mind, I recommend CISOs employ real-time threat intelligence feeds with data specific to their industry, and that the data be contextual, meaning it should apply to the technology, applications, and security controls the CISO has deployed.
I also recommend engaging real-time URL filtering, since phishing emails typically drop a ransomware payload, which can significantly impact an organization’s business operations. Since phishing websites are active for an average of 4-8 hours, and given the new methods cybercriminals use to hide malicious sites in plain view, I believe it’s critical to be proactive and use real-time URL filtering. The methods of bygone years, in which we deployed domain block lists and IP address block lists, have been outpaced by the innovative phishing techniques cybercriminals use today. As threats have adapted, we too need to adapt.
The Bottom Line
The latest quarterly threat report focuses on phishing specifically, and is an informative read for all of my fellow CISOs, and a primer to help support and maintain the security of your own organizations. As CISOs, it’s time to level the online playing field to proactively detect and respond to threats in real time. The first step is by arming ourselves with the right threat intelligence to make more timely and better-informed cybersecurity decisions.
Cyber News Rundown: Edition 9/8/17
Consumer Credit Reporting Agency Equifax Suffers Cyberattack Affecting 143 Million Customers
Equifax announced hackers gained access to sensitive company data that potentially compromised information for 143 million American consumers, including Social Security numbers, driver’s license information, and credit card details. This is the third major cybersecurity incident for the agency since 2015. Most concerning, Equifax knew of the breach on June 29 but waited until September 7 to disclose the information.
Instagram Hack Exposes Millions of Accounts
A group of hackers recently gained access to a large number of Instagram accounts for high-profile celebrities and other victims. The attackers were able to use an exploit in the Insta app to retrieve the email addresses and phone numbers for millions of account holders. They then used this information to take control of more valuable accounts and posted the credentials for sale on the dark web. While Instagram was quick to fix the bug, it is still unclear just how many accounts were compromised.
Customer Databases Belonging to Time Warner Cable Publicly Exposed
In the last week, officials have been working to trace the cause of a data breach that could affect nearly 4 million Time Warner Cable customers. The breach appears to have stemmed from two databases, managed by Broadsoft Inc. (a partner of TWC), that were left fully accessible to the public. The data in question spans millions of transactions and communications with customers who have used the MyTWC mobile app in the last 7 years.
PrincessLocker Ransomware Uses Exploit Kit to Spread
While PrincessLocker may not be the newest or most dangerous ransomware variant currently making the rounds, it propagates through an unusual method: exploit kits. Along with a less expensive ransom demand, PrincessLocker has been spotted as the payload for a fully automated exploit kit known as RIG, which uses drive-by attacks to exploit system vulnerabilities.
Energy Grid Hackers Play Waiting Game
As cyberattacks focus more and more on infrastructure, rather than financial gain, they leave the future of many cities and countries uncertain. Many modern hackers have managed to work their way into countries’ infrastructures by easily bypassing the poor security used by numerous large-scale energy facilities around the world. They’ve left backdoors into systems that could cause major disruption to the surrounding geographical areas, and, unfortunately, many of these very systems have never been updated appropriately. Meanwhile, attackers have nothing but time on their side to determine how and when it would benefit them to exploit these vulnerabilities.
Poker Site DDoSed, Then Ransomed
Late last week, America’s Cardroom and Winning Poker Network fell victim to the latest in a long string of DDoS attacks that have plagued such sites for years. This latest attack, however, brought with it a ransom demand to stop the attacks. The sites claim to have mitigated the DDoS attacks, though that comes after nearly 2 days of cancelling poker tournaments due to the insufficient bandwidth for their players.
Cyber News Rundown: Edition 9/1/17
IRS-Themed Ransomware Using Old-School Tactics
Over the past week, researchers have discovered a new ransomware variant that attempts to impersonate both the IRS and the FBI, similar to the FBI lockscreen malware that was popular several years ago. By tricking the victim into opening a link to a fake FBI questionnaire, the ransomware is downloaded onto the machine and begins encrypting. Fortunately, both the FBI and the IRS are taking great measures to alert possible victims and to catalog any scam emails that are being sent out.
History Repeats Itself at UK NHS District
Back in May, the UK’s National Health Services fell victim to a large WannaCry ransomware attack. While most of the districts have since regained full functionality, the district of Lanarkshire has once again been targeted. A cyberattack on its staffing and telephone systems left the district with only emergency services for several days. This event just reinforces the importance of updating security on critical systems before an attack, and even more so after one as devastating as WannaCry.
Worldwide Spread of Android DDoS Malware
A recent study found that hundreds of thousands of Android mobile devices had been compromised by a malware variant designed to turn them into a large-scale DDoS botnet. With hundreds of apps carrying the malicious code, it’s unsurprising that devices in more than 100 different countries have been linked to this WireX botnet, which was recently dismantled by security researchers from several different companies.
Hurricane Harvey Brings Out Scammers
As donations have poured in to support the victims of Hurricane Harvey, so too have stories of scammers looking to profit from their tragedy. Many fraudulent non-profit websites have already been registered and are seeing an exponential increase in traffic, along with large donations that will never reach the intended recipients. Phone scams have also been on the rise, with people impersonating relief organizations and other assistance groups to get information and money from victims of the storm.
Payment Records Compromised at UK Tech Retailer
In more tough news for UK citizens, officials at CeX have confirmed unauthorized access to payment records of nearly two million user accounts on their online site, webuy.com. Fortunately for many of the site’s users, CeX stopped storing customer payment information back in 2009, so most of the cards on file are likely expired. Customers have been advised to watch their accounts for any suspicious activity in the coming months, and to change their passwords as a precaution.
The 32 Things You Should Do Right Now To Make Data Protection Day Count
28 January is Data Protection Day (or Data Privacy Day in the US) and is observed in almost fifty countries world-wide. Data Protection Day was established in 2007 as an annual occasion to raise awareness of data protection best practices and the importance of protecting data; consumer data, health care data, proprietary data, personally identifiable data, essentially all data that is not explicitly intended to be in the public domain.
With so many data breaches occurring around the world, and the bad data protection practices that are at least partially involved in these and other breaches, taking a day now to raise awareness is a great idea. Since data protection is everyone’s responsibility, we wanted to share a list of the 32 things you should be doing right now to help protect data and keep it private. Some of these are personal, others are more things to do at the office, but all are important.
Take the opportunity this Thursday, 2016-01-28, to improve your own data privacy as well as the protections your organization takes with its data.
Here are some things you can do now to ensure that your personal data is more secure. Just because you are not a major corporation or a celebrity, don’t assume your personal data is not at risk or that you are not a target. Phishing attacks can use everything they find about you online to target you and may leverage data stolen in corporate breaches to seem even more legitimate when placing you in their sights.
1. Change your passwords
Seriously, you know you haven’t changed your email password since 2008. Go change it, and every other password on any site you use now, and make sure you use a unique and complex password on every service you use.
2. Enable two-factor authentication everywhere you can
Better still, for any site that supports it, enable two-factor authentication.
3. Review the privacy policies of the websites and applications you use
And actually read them, don’t just click Agree, so that you know exactly what they can do with your personal data. Some might make you wonder if the service is worth using.
4. Review your privacy settings and opt-out of anything you don’t explicitly want
And some of them might at least enable you to opt-out of that sharing. Review your account settings, tighten up protections and restrictions, and opt-out of anything that is optional or unnecessary for how you use the service.
5. Review your social media settings and update if necessary or retire if no longer used
How many of you have an abandoned Twitter account, an unchecked email account, an orphaned Facebook account, or a forgotten MySpace page? Take a moment to go through and delete anything you are not using anymore, and redact anything you don’t want to still be online. Yes, once on the Internet it is there forever, but you can at least make it harder to find out who your high-school English teacher was, since that is a surprisingly common security question.
6. Stop sharing everything
If you want to brag about your vacation, do it after the fact. When you post about your upcoming travel plans, you are announcing to the world when you are going to be out of the office, away from home, and unreachable.
7. Update your WHOIS data and take advantage of your registrar’s services if available
It’s against the rules to post fake data with domain registrations, but you can provide less revealing data in place of your home address, or take advantage of your registrar’s privacy services to represent you. It costs a couple of dollars extra, but is well worth the extra layer between you and cold callers or phishers.
8. Review your children’s/spouse’s/significant other’s/parents’ settings and help them to make their data private
All of the above should apply to your family as well. You know better than to post your upcoming travel itinerary, but do your kids?
9. Ensure your systems are fully patched and up to date
So many exploits are against vulnerabilities that could be patched. It’s really simple. Turn on automatic updates, and when prompted, apply them.
10. Ensure your systems all run fully up-to-date and current antimalware
Anyone running a computer without antimalware software is just asking for trouble, and yes, that includes Macs. There’s even antivirus software for mobile devices, which is good since there’s malware that targets them.
11. Unsubscribe from anything you don’t really want to receive
Do you spend the first five minutes of every morning deleting messages in your inbox without reading them? Take ten next time to unsubscribe from any you don’t want to receive anymore. It will reduce the junk in your inbox and the amount of tracking data the senders keep on you.
12. Ensure “do not track” is enabled in your browsers
See https://www.eff.org/deeplinks/2012/06/how-turn-do-not-track-your-browser and follow the steps to disable tracking in your browser of choice.
13. Review all data you store in the cloud
There’s a ton of data available for mining in the cloud, and some of what you are keeping there may be years old and of no real use to you anymore. Delete what you don’t really need anymore, and make doubly sure you have reset your password to protect that data. Finally, review what machines are synching that and with whom you have shared data, and drop what is no longer needed.
14. Enable encryption on your hard drives and portable media
Really, encryption should be on by default in everything, but it’s not, so it is up to you to encrypt your portable media, and your laptop hard drive. Just make sure that the decryption method is not a simple password taped to the case.
It’s even more important to ensure your organization is protecting the privacy of all data under its control. Proprietary data that gets out could seriously impact your competitive advantages in your market, and the loss of customer data could ruin your company or cost millions in credit monitoring and litigation. Just ask Target, whose costs related to the data breach that exposed customer data including credit card data were estimated as approaching half a billion US dollars.
15. Raise employee awareness of the importance of data protection
Your users are your last line of defense, your most vulnerable attack surface, and the most fallible part of your data protection measures. Train them, equip them, and educate them to help protect corporate data, especially customer data.
17. Enforce the use of encryption, EVERYWHERE
This is a no brainer. Encrypt EVERYTHING. Use encryption in transit for anything that isn’t publicly accessible/anonymous access, encrypt all hard disks everywhere, whether in a server or a desktop or a laptop, enforce encryption on USB and other portable media, and use MDM or EAS policies to encrypt data on mobile devices.
18. Review and update filesystem ACLs, data custodian assignments, and administrative permissions
Make it a requirement to review all data ACLs, data ownership, and admin group memberships at least annually. Any permissions or group memberships that cannot be validated should be removed.
19. Disable unused accounts and delete unneeded ones
Run a script to disable any account that hasn’t been used in the past 30 days, and then another to delete any that haven’t in 90 days. There is no good reason to keep those around.
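One way to implement the 30-day disable / 90-day delete sweep, as an added example that is not part of the original checklist. It runs over constructed in-memory account records; in a real deployment the records would come from the directory (for example Active Directory’s lastLogonTimestamp) and the actions would be applied through its API, which is assumed here rather than shown. It also handles the two cases a naive script gets wrong: accounts that have never logged on, and accounts that are already disabled.

```python
"""Stale-account sweep: disable after 30 idle days, delete after 90."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DISABLE_AFTER_DAYS = 30   # inactive this long -> disable
DELETE_AFTER_DAYS = 90    # inactive this long -> delete


@dataclass
class Account:
    name: str
    created: date
    last_logon: Optional[date]   # None means the account has never logged on
    enabled: bool = True
    exempt: bool = False         # service / break-glass accounts reviewed by hand


def days_inactive(acct: Account, today: date) -> int:
    """Days since last use. Accounts that never logged on are measured from
    their creation date, so a two-day-old new hire is not deleted as 'stale'."""
    anchor = acct.last_logon or acct.created
    return (today - anchor).days


def classify(acct: Account, today: date) -> str:
    """Return 'delete', 'disable', 'keep' or 'exempt' for one account."""
    if acct.exempt:
        return "exempt"
    idle = days_inactive(acct, today)
    if idle >= DELETE_AFTER_DAYS:
        return "delete"
    if idle >= DISABLE_AFTER_DAYS:
        # An already-disabled account just waits out the deletion window.
        return "disable" if acct.enabled else "keep"
    return "keep"


def sweep(accounts, today: date):
    """Group account names by the action the policy requires."""
    plan = {"delete": [], "disable": [], "keep": [], "exempt": []}
    for acct in accounts:
        plan[classify(acct, today)].append(acct.name)
    return plan


# Constructed sample directory, reviewed on the review date below.
TODAY = date(2016, 1, 28)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2014, 3, 1), date(2016, 1, 27)),                   # active
    Account("bob", date(2014, 3, 1), date(2015, 12, 10)),                    # 49 days idle
    Account("carol", date(2014, 3, 1), date(2015, 9, 1)),                    # 149 days idle
    Account("dave", date(2015, 8, 1), date(2015, 11, 15), enabled=False),    # disabled, 74 days idle
    Account("newhire", date(2016, 1, 26), None),                             # never logged on, 2 days old
    Account("ghost", date(2015, 6, 1), None),                                # never logged on, 241 days old
    Account("svc-backup", date(2014, 1, 1), date(2015, 1, 1), exempt=True),  # reviewed manually
]

if __name__ == "__main__":
    for action, names in sweep(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{action:8s} {', '.join(names) or '-'}")
```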
20. Review and revise your WHOIS data
Take a look at all the corporate names you have registered and network ranges you control, and make sure the admin/tech contact data is accurate but that it also doesn’t give away any specific person’s details. Use a distribution list for the email contact and list the switchboard number for telephone.
21. Conduct vulnerability scans on your external networks (all of them!)
The bad guys are already doing this all the time to you (whether you realize it or not) so better if you see what they do so you can address it before they exploit it!
22. Conduct vulnerability scans on your internal networks
Estimates vary widely but one thing every security expert will agree upon is that insider threats are both common and real. Make sure your defenses are as strong internally as externally.
23. Review and update your firewall ACLs, closing anything you cannot verify needs to be open
Legacy firewall rules have been an attack vector for plenty of breaches. Review your firewall rules every month, and if you don’t know why a PERMIT is in place, remove it. Better to break something (knowing is half the battle) than to leave open a path an attacker could exploit in the future.
24. Ensure you are using a messaging hygiene system
No messages, in or out, should pass through without being screened for malware, spam, and phishing.
25. Train your users on phishing
But still, some will get through, so make sure you spend extra time teaching your users how to spot phishing messages. Especially as they may be targeted as a member of your organization, but on their personal email account.
26. Ensure all your systems are fully patched, up to date, and stay that way
There really is no easier way to protect systems than to keep them patched. Use patch management software to ensure 100% compliance.
27. Confirm antimalware is current, up to date, and is performing real-time and scheduled scans on every system
Any system without antimalware should be removed from the network with extreme prejudice (bolt cutters to the Ethernet cable) and the sysadmin publicly shamed. Seriously, there is NO reason good enough to justify a machine running without antivirus software on a corporate network. None.
28. Review your compliance with all applicable laws, contractual obligations, and internal policies
This may need your legal counsel’s help, but it’s important to make sure you are in compliance with all the laws and regulations that impact you. Things like local laws, state laws, and national laws are key, but so are things like PCI DSS, HIPAA, and in many cases, the laws where your customers are, even if you aren’t.
29. Review your data breach response plan, or create and practice one if you don’t have it already
You have a DR (disaster recovery) plan; now make sure you have a DB (data breach) plan too. Practice it and be sure you can execute it if anything happens. How you report any breach, how you provide protection to your employees and your customers, and how you recover are all key.
30. Talk to your insurance agent about coverage
These days, it really is more a case of when you will get hacked, rather than if you will get hacked. And a hack that includes customer data loss can be extremely expensive to recover from. Talk to your insurance company about policies to help protect you should the worst occur.
31. Review all data exposed on your corporate websites and update as appropriate
Run through every page of your public facing website and make sure you are not giving out TMI. Make sure your company directory is not exposed to the Internet, unless that is something you really want to do.
32. Review your email policies on Out of Office responses
OOF replies can be very helpful but can also give away a lot of information. Find the right balance for what your business needs, and if you don’t need your internal users telling every single person who might email them that they are on a cruise for the next two weeks, block those OOF replies sent to external senders. And if your sales team has to have those go out, make sure they know how to reduce the amount of sensitive information they reveal. Say replies will be delayed, list an alternate contact, and leave the details of where/when/why out of it. Perhaps even limit external OOF to only those senders who are in contact lists.
Knowing is half the battle, and now you know. Take responsibility for your personal data protection and work with your colleagues so that everyone takes responsibility for corporate data protection. The 28th may be Data Protection Day, but the importance of what it highlights is a year-round thing.
Top 8 Most Dangerous Blind Spots of IT Security
“For all practical purposes, we can never secure or trust the … endpoint participants in any computing environment.”
Amit Yoran, president of RSA, keynote speaker of RSA 2015 conference
The real message of the quote above is that minor and major security incidents are already part of an average day. Sony, Ashley Madison, Target, Uber and NSA are only a small snippet of those organizations that have suffered a very serious data breach recently. These stories also confirm the fact that attackers are, and will always be, ahead of us. It’s not a matter of if these attackers will infiltrate our network. If our data is valuable enough for them, they will keep on trying until they get in – or they are already inside.
One of the key points of the success of attackers is that corporations have several blind spots in their IT environment. There is a common theme in most of these so-called blind spots: the activities connected to them appear absolutely normal in 99.99% of the cases – but although sometimes it seems that monitoring these potential security holes is infeasible, the experience of the last years proves that the most serious data breaches and security incidents originate from these security holes.
Top 8 most dangerous blind spots of IT security
- 0-day & 0-hour threats
- Lateral movement inside the network
- Shadow IT
- Business applications
- Shared accounts
- Database manipulation
- Scripts running on personal accounts
- File servers & file transfers
0-day & 0-hour threats
According to Symantec’s annual Internet Threat Security Report, 24 new 0-day vulnerabilities emerged in 2014, and the top 5 of them were left unpatched for a total of 295 days, compared to a total vulnerability window of 19 days in 2013. 0-day threats could be public enemy No. 1 of IT security – every CISO knows how dangerous they can be to his or her protected IT infrastructure. Since threat prevention is very difficult and challenging using the current 0-day protection solutions, it is highly recommended to apply alternative forms of defense in the network.
Lateral movement inside the network
Most monitoring solutions focus on authenticated logins to the company’s IT system, not considering when an attacker might have compromised an employee’s trusted credentials and infiltrated the network. In this case, the attacker can freely move in the system for months. According to research by Ponemon and IBM, 90% of recent data breaches went undetected for over 3 months, which means IT security solutions shouldn’t concentrate only on authentication.
Shadow IT
IT departments are unable to keep pace with the continuous flow of newly launched cloud and mobile applications. According to a study by IBM Security, about 33 percent of Fortune 1000 employees regularly save and share company data to an external cloud-based platform that the company cannot track. These GTD, notetaking, instant messaging or other kinds of apps have become extremely popular among users, but in most cases they are not approved by IT – users still find ways to install and use them. Because IT departments do not know about them, they cannot see what happens in these applications and cannot prevent the leakage of valuable company data from them.
Business applications
Business applications – such as SAP and others – play a crucial role in the everyday operation of almost every company. These contain a huge amount of valuable information ranging from financial data to client lists – yet even traditional IT security defenses are unable to monitor what happens in these systems, e.g. which privileged user leaks out what kind of important information using these applications.
Shared accounts
“Three can keep a secret, if two of them are dead“, as Benjamin Franklin famously said, and it’s true for shared accounts as well. The cornerstone of most security policies is to have personally identifiable accounts and only use shared accounts when it’s absolutely unavoidable, and then do it in a controlled way.
Database manipulation
Databases contain a lot of valuable company information – they are home to almost all sensitive information from bank account numbers of employees to the detailed lists of invoices issued by the company. Unfortunately, most enterprises do not have reliable methods to detect when someone manipulates their databases.
Scripts running on personal accounts
When a sysadmin automates some tasks he has to perform regularly and allows a script to use his own credentials, he creates a huge security risk. If an attacker finds a way to hack the script (and such ad-hoc developments are often prone to trivial attacks like SQL or shell injections) or gains access to the stored credentials the script is using, he gains access to all the services the admin has access to.
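The two defects named above, an ad-hoc script that pastes input into a query and a script that inherits the admin’s full privileges, side by side with their fixes. This is an added example, not code from the original article; it uses Python’s standard sqlite3 module on a constructed in-memory table, and the sqlite3 authorizer stands in for the dedicated read-only service account a real script should run under instead of the admin’s own credentials.

```python
"""Ad-hoc admin script: injection-prone query vs. parameterized query,
and an unrestricted connection vs. a least-privilege (read-only) one."""
import sqlite3

# Constructed sample data standing in for a real HR/finance database.
SAMPLE_ROWS = [
    ("alice", "Finance", 70000),
    ("bob", "Engineering", 82000),
    ("carol", "Finance", 65000),
]


def make_demo_db():
    """Fresh in-memory database with the constructed sample table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def find_by_dept_unsafe(con, dept):
    """The pattern the article warns about: the caller's input is spliced
    into the SQL text, so whatever they type becomes part of the statement."""
    sql = f"SELECT name FROM employees WHERE dept = '{dept}'"
    return [row[0] for row in con.execute(sql)]


def find_by_dept_safe(con, dept):
    """Placeholder binding: the driver passes dept as data, never as SQL."""
    rows = con.execute("SELECT name FROM employees WHERE dept = ?", (dept,))
    return [row[0] for row in rows]


def unsafe_query_breaks(con, dept):
    """True if the string-built query fails on this input. A department name
    with an apostrophe is enough to change the statement's structure."""
    try:
        find_by_dept_unsafe(con, dept)
        return False
    except sqlite3.Error:
        return True


def read_only_authorizer(action, arg1, arg2, db_name, trigger):
    """Allow reads only. Every write (INSERT/UPDATE/DELETE/DROP/...) is denied,
    so a compromised script cannot alter data even if it is coerced into trying."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_as_report_account():
    """Connection scoped to what the reporting script actually needs. In a
    real system this would be a dedicated read-only account whose credential
    is fetched from a secrets store, not the admin's personal login."""
    con = make_demo_db()
    con.set_authorizer(read_only_authorizer)
    return con


def can_modify(con):
    """Does this connection have the power to change data?"""
    try:
        con.execute("UPDATE employees SET salary = 0")
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    admin_con = make_demo_db()
    print("safe lookup:", find_by_dept_safe(admin_con, "Finance"))
    print("unsafe query breaks on O'Brien:", unsafe_query_breaks(admin_con, "O'Brien"))
    print("admin connection can modify:", can_modify(make_demo_db()))
    print("report account can modify:", can_modify(open_as_report_account()))
```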
File servers & file transfers
Besides databases, file servers are the second most important source of critical data. And similar to databases, traditional IT security solutions do not defend these very well and do not pay extra attention to, for example, the transfer of sensitive files.
A defensive strategy that is based purely on access control, incident management and identity management is not sustainable. The complexity is overwhelming and the constraint on business is unacceptable. Besides, the greatest risk usually comes from someone who has gained access and is able to abuse privileges already granted.
Experts agree that the new perimeter, where we have to focus, is our users. They are the new focus of our security measures instead of the infrastructure. Users present too big a challenge for most of the current security solutions, as the required level of data, analytic capability or the contextual information to catch their potential malicious activities isn’t available.
Traditional IT security solutions mostly target known threats – but these 8 blind spots prove that the most dangerous threats frequently arrive in unknown forms. User Behavior Analytics is the next generation of IT security solutions, which is able to identify unknown threats by monitoring users and gathering logs of system and application activity. The continuous and real-time analysis of these activities will minimize the time to detect, assess and prevent data breaches through thorough and rapid investigation.
Why You Should be Using a Password Manager
From streaming entertainment to social media to our online bank accounts and software, we are inundated every day with the need to create and remember new passwords. In fact, one study revealed that Americans have an average of 130 online accounts registered to a single email address. And what are the chances that those 130 passwords are each unique and difficult to crack? Slim to none.
You’ve probably heard about the infamous Yahoo breach that came to light last year, in which hackers stole the credentials and other sensitive information of more than 1 billion users. For people who used their Yahoo password for other sites, those accounts were also compromised.
Unfortunately, many people admit their passwords are less secure than they should be.
So how, exactly, can we all be expected to create and remember an average of 130 unique passwords?
The best solution available today, offering both convenience and security, is a password manager. These applications address all of the issues above. Password managers typically come as lightweight browser extensions for Google Chrome or Mozilla Firefox (and as desktop and mobile apps) that save your credentials in an encrypted database and fill them in automatically when you log in.
The major benefit of using a password manager is that you only need to remember a single master password, which lets you use a unique, strong password for every one of your online accounts. Remember one strong password and the manager takes care of the rest. Because that master password now protects everything else, it must be long, unique and never reused anywhere.
Avoid these common password security risks:
- Typing passwords to log in each time. Malicious keyloggers designed to secretly monitor keystrokes can record your passwords as you type them. Good antivirus software helps detect and remove them, and a password manager that fills in your credentials for you leaves nothing to type.
- Remembering multiple passwords, especially complicated ones you picked carefully. Most people end up using the same or similar passwords for different accounts, which means that if one password is exposed, criminals can log into all of those accounts.
- Storing passwords in a document or writing them down, which creates a very high risk of exposure in a breach or of simply losing the information.
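To make the "encrypted database behind one master password" idea concrete, here is an added, stdlib-only example that is not code from the original article or from any password manager product. It generates a unique random password per account (plus a random string to use as a security-question answer), derives a key from the master password with scrypt and a random salt, and seals the vault with encrypt-then-MAC. The site names, user name and master phrase are made up. The cipher is HMAC-SHA256 run in counter mode so that the example needs no third-party library; real managers use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305, and this construction should not be copied into a product.

```python
"""How a password manager works, in miniature (added example, constructed data).

One master password -> scrypt -> encryption key + MAC key; the vault of
generated credentials is encrypted and authenticated; a wrong master
password or a tampered vault is rejected before any plaintext is returned.
"""
import hashlib
import hmac
import json
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"

def generate_password(length=20):
    """secrets, not random: cryptographically strong, unique per account."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def derive_keys(master, salt):
    """scrypt slows down brute force of the master password; split 64 bytes
    into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]

def keystream(key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || counter), illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(master, vault):
    """Return salt || nonce || ciphertext || tag for the vault dict."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master, salt)
    pt = json.dumps(vault).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def open_vault(master, blob):
    """Verify the tag first (constant-time compare), then decrypt."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expect = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong master password or tampered vault")
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)

def demo(master="correct horse battery staple"):
    """Build a vault of generated credentials (constructed site names), seal it,
    reopen it, and show that a wrong master password is rejected."""
    vault = {
        "mail.example": {"user": "jdoe", "password": generate_password()},
        "bank.example": {"user": "jdoe", "password": generate_password(),
                         # random answer for "mother's maiden name" style questions
                         "security_answer": generate_password(16)},
    }
    blob = seal(master, vault)
    reopened = open_vault(master, blob)
    try:
        open_vault("wrong master password", blob)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return vault, blob, reopened == vault, wrong_rejected

if __name__ == "__main__":
    vault, blob, roundtrip_ok, wrong_rejected = demo()
    print(json.dumps(vault, indent=2))
    print("sealed bytes:", len(blob), "roundtrip:", roundtrip_ok, "wrong pw rejected:", wrong_rejected)
```

Two details carry the security argument: the salt makes precomputed attacks on the master password useless, and the MAC is checked before decryption so a wrong password or a modified file never yields partially decrypted data.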
Fending Off Privacy Invasion
Internet users in the U.S. have seen their privacy protections diminish significantly in the post-9/11 era. In March of this year alone, Congress swiftly (and quietly) did away with federal privacy rules that would have prevented internet service providers from selling their customers' browsing histories without consent.
In recent years, products intended to deliver convenience straight to our doorsteps have brought tacit privacy intrusions into the modern home. Always-on smart speakers from online retailers make it easier than ever to order products, but they also place an always-listening microphone in the home that those companies control. The same companies monitor our behavior across the web.
“Google knows quite a lot about all of us,” said cybersecurity expert Bruce Schneier in a recent interview with the Harvard Gazette. “No one ever lies to a search engine. I used to say that Google knows more about me than my wife does, but that doesn’t go far enough. Google knows me even better, because Google has perfect memory in a way that people don’t.”
Giant corporations aren’t the only ones intruding into our daily lives to collect our personal data for financial gain—cybercriminals are intent on doing the same. Crimes such as identity theft and extortion can be carried out with stealthy malware, such as remote access tools (RATs) used to spy on users via laptop webcams.
We asked people in downtown Denver, CO what they were doing to protect their privacy, and their answers were rather bleak.
While public awareness of this ominous trend has grown somewhat since 2013, when the Snowden leaks revealed the extent of American government surveillance, virtually nothing has been done to reverse it. Faced with this constant barrage of privacy invasion, pulling the plug and disconnecting entirely may seem like the only way out, but rejecting "the way things are" is a pill most people are unlikely to swallow.
Until there’s a major shift in our society’s attitudes (and public policies) toward internet privacy, the duty falls on individual users to safeguard their own private data, identities, and other sensitive information. Follow and share the tips below to take back control over your privacy.
Tips for protecting your online privacy
- Configure your web browser to delete cookies when you close it. Your browser's other advanced privacy settings give you further control over what you share with the websites you visit.
- Cover your webcam with tape, a sticker, or something else that can block the camera lens and also be easily removed when you need to use it. (Webroot SecureAnywhere® solutions protect against webcam spying and other potentially unwanted applications.)
- Don’t share sensitive information on social media. Check your privacy settings on sites like Facebook and Twitter and make sure only your trusted followers can see your complete profile. For instance, do your Facebook friends really need to know your real birthday? Deliberately sharing a fake birthday on social media can be a crafty way to enhance your privacy.
- Lock your screens. All of them. Losing a device like your laptop or smartphone could spell disaster if they were to end up in the wrong hands. Strong, uncommon PINs and passwords can lock down your devices from would-be thieves.
- Use fake answers for password security questions. Honest answers to security questions can often be found with just a little online digging. Why can’t your mother’s maiden name be “7O7F1@!3kgBj”? This brings us to our next tip…
- Use a password manager app to generate and store strong, unique passwords for all of your accounts. (A password manager can also safely store those fake security answers mentioned above.)
- Use security software to monitor and protect your digital devices from threats like malware, spyware, and phishing attacks, which can steal your private data.
Cyber News Rundown: Edition 8/25/17
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
UK NHS Database Exposes Over 1 Million Patient Records
During the past week, a breach was discovered in SwiftQueue, a patient booking system used by a number of National Health Service (NHS) facilities. The database may have contained information on up to 1.2 million UK patients, though the actual data has yet to be fully examined. Worse, the attackers now claim to have found additional SwiftQueue vulnerabilities and to be in possession of all 11 million records stored by the company.
Booking Provider’s Data Found in Public Data Dump
Researchers recently discovered a large customer data dump in a publicly accessible Amazon S3 bucket. The data belongs to Groupize, a group and meeting booking service, and ranges from customer interactions to full credit card details used to book hotels and other meeting spaces. Fortunately for anyone who has used the service, the data was properly secured within a week of the discovery.
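A publicly readable bucket is usually the result of one of two documents: the bucket policy or the bucket ACL. As an added example (not code from the article, from Groupize or from AWS), the Python below evaluates a constructed bucket policy and ACL for the grants that most often make a bucket world-readable: Allow statements whose Principal is everyone ("*" or {"AWS": "*"}) for s3:GetObject, s3:ListBucket or s3:*, and ACL grants to the AllUsers or AuthenticatedUsers groups. The bucket name, statement IDs, role ARN and IP range are made up. A grant that carries a Condition is reported separately because the condition may or may not actually restrict access; Deny statements, NotPrincipal/NotAction and object-level ACLs are outside what this illustration models.

```python
"""Flag public exposure in an S3 bucket policy and bucket ACL (added example).

Inputs are the JSON shapes returned by GetBucketPolicy / GetBucketAcl; the
samples below are constructed, not taken from any real account.
"""

# Real AWS predefined group URIs that mean "everyone" / "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Actions that expose data or object names to whoever holds the grant.
EXPOSING_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _as_list(value):
    """IAM JSON allows a string or a list in most places; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def policy_findings(policy):
    """Return (finding, Sid) for each Allow-to-everyone statement that exposes data."""
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        if not actions & EXPOSING_ACTIONS:
            continue
        kind = "conditional_public_read" if st.get("Condition") else "public_read"
        findings.append((kind, st.get("Sid", "")))
    return findings

def acl_findings(acl):
    """Return (finding, Permission) for each grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(("acl_" + PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings

def audit(policy, acl):
    return policy_findings(policy) + acl_findings(acl)

# Constructed sample inputs. 203.0.113.0/24 and account 123456789012 are
# documentation placeholders, not real resources.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAFE_POLICY = {"Version": "2012-10-17", "Statement": [SAMPLE_POLICY["Statement"][2]]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, SAMPLE_ACL):
        print(finding)
```

Note that the third statement, which grants s3:* to a specific role, produces no finding: the check is about who the principal is, not how broad the action is. The same logic can be run across every bucket in an account by feeding it the output of the GetBucketPolicy and GetBucketAcl API calls.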
Phishing Site Hosted on .fish Domain
A new phishing site using a .fish domain was found in the past few weeks. .fish is one of many generic top-level domains (gTLDs) introduced several years ago. The site itself appears to have been compromised rather than set up maliciously; it was redirecting visitors to an actual phishing page disguised as a French banking cooperative in Vietnam. This is the second .fish-hosted phishing site in the past two weeks; the first was a Netflix phishing attack that emerged just one week earlier.
U.S. Navy Considers Possible Cyberattack to Blame for Recent Collision
Over the last few days, U.S. Navy officials have been trying to determine the exact cause of a collision involving a large ship in the busy shipping lanes of Southeast Asia. Although there is currently no conclusive evidence that the ship's systems were hacked, a steering failure in which the backup procedures created for exactly this scenario were never initiated raises some eyebrows. This is not the first time a ship has been deliberately sent off course by outside interference, and officials are right to be concerned: these are major vehicles of war.
Nearly All Hacked Companies Running Unpatched Systems
A new report by the cybersecurity firm Fortinet shows that 90% of all companies hacked in the last year were running unpatched software. Worse for many of these companies, suitable patches had been available for months and would have prevented the attacks had they been applied in a timely fashion. With attacks on unpatched systems continually increasing, it's crucial that companies make timely updates to their infrastructure part of their regular security measures.