Online Security

5 tips for protecting your data this Cyber Monday

It’s that time of year again. People are rushing to the stores on Black Friday. Other people, perhaps the saner people, are choosing to purchase items online. If they are in need of technological products, they are waiting until Cyber Monday.

Cyber Monday is the boon of nerds and geeks and people looking to purchase gifts for their beloved geeks and nerds. Laptops are discounted. E-readers are on sale. As all those people look for the best bargains, some of them may forget to take their usual precautions in regard to their data:

  1. Don’t click on suspicious links. You may receive emails or tweets in the upcoming days advertising sales. Use caution when deciding to click on a link. 
  2. Check the website address. Scammers will be busy creating sites that appear to be legitimate ones. Make sure you’re at the right site before browsing or entering any identifying information.
  3. Look for security protocols. Always look for the HTTPS protocol. Also look for the padlock. Both are signs that your transaction is secure.
  4. Don’t use public Wi-Fi. If you’re planning to buy anything online, make sure to do so via a private or secure Wi-Fi connection. Using public Wi-Fi has another danger: curious bystanders. Your data doesn’t have to be compromised through a computer connection. It can happen through people who are waiting for you to pull out some plastic.  
  5. Use common sense. If a deal seems too good to be true, it probably is. If a site seems sketchy, escape as quickly as possible.

What will you do to keep your data safe this Cyber Monday?

Are the Spammers Relocating?

While Facebook spam is relatively minuscule when compared to email spam, it appears that it is going to become an increasing problem in the future. Facebook spam usually is the result of compromised user accounts. For example, I once received a message from one of my friends saying I should watch a video from our college days on YouTube. I didn't find anything strange about the message and proceeded to the video. Bad idea: my account was compromised. Messages with the same video link were sent to my friends, and I had to change my password and settings. Only a small number of Facebook users have encountered spam messages and posts of that sort, but the number is large enough to warrant a study.

A recent study performed at Northwestern University is examining trends and methods used by spammers on Facebook. The researchers downloaded over three million Facebook profiles in order to examine wall posts and other avenues of potential spam. While investigating the wall posts, the researchers found that out of 2.08 million posts containing web links, 200,000 posts from 57,000 different user accounts were spam. These spam posts were generated by 23 million users in total. Many of these posts offered free items, such as ringtones, or used social bait - "Somebody has a crush on you." Approximately 70 percent of the messages were phishing attacks; however, most of the attacks were attempts to gain Facebook account details in order to send out more spam.

The researchers expected to find that spammers were creating new accounts in order to send out spam, but, in reality, most spammers are finding ways to access existing accounts. While that tactic is more challenging than creating new accounts, it is much more effective to send spam to already existing friends. Once the account has been compromised, it begins to send out spam, working in much the same way as an email spam campaign would.

Facebook was pleasantly surprised by the study's results. The small number of spam posts in relation to the number of Facebook users suggests that Facebook is heading in the right direction with its security measures. The company sees other potential uses for the information, such as developing an algorithm that would automatically identify accounts that have been accessed by spammers. One characteristic that could be included in the algorithm is time zone. Most compromised accounts send spam in the early hours of the morning, such as one or two a.m., in the compromised account's own time zone. Another characteristic is sudden bursts of activity; many compromised accounts send the same spam over and over again within a short period of time. This is one of the more common characteristics of spam, and researchers believe that it could be used to identify more than 90 percent of compromised accounts.
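The two signals described above (posting in the small hours of the account's own time zone, and the same link repeated in a short burst) can be turned into a simple detector. The following is an added example, not code from the Northwestern study or from Facebook; the account names, links, timestamps and UTC offsets are constructed, and time zones are modelled as fixed UTC offsets so that no tz database is needed.

```python
"""Heuristics for spotting compromised social-network accounts.

Constructed example. Two signals from the text are implemented:
  1. posts made in the small hours of the account's own time zone;
  2. bursts of the same link posted repeatedly in a short window.
Time zones are fixed UTC offsets here to keep the example self-contained.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed account -> UTC offset in hours (constructed, not real data).
ACCOUNT_UTC_OFFSETS = {"alice": -5, "bob": 1, "carol": -8, "dave": 0}


def _utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed wall-post log: (account, UTC timestamp, link shared).
SAMPLE_POSTS = [
    # alice (UTC-5): six copies of one link between 01:05 and 01:12 local time
    ("alice", _utc(2011, 11, 21, 6, 5), "http://free-ringtones.example/win"),
    ("alice", _utc(2011, 11, 21, 6, 6), "http://free-ringtones.example/win"),
    ("alice", _utc(2011, 11, 21, 6, 8), "http://free-ringtones.example/win"),
    ("alice", _utc(2011, 11, 21, 6, 9), "http://free-ringtones.example/win"),
    ("alice", _utc(2011, 11, 21, 6, 11), "http://free-ringtones.example/win"),
    ("alice", _utc(2011, 11, 21, 6, 12), "http://free-ringtones.example/win"),
    # bob (UTC+1): ordinary daytime sharing, different links
    ("bob", _utc(2011, 11, 21, 11, 0), "http://news.example/story-1"),
    ("bob", _utc(2011, 11, 21, 17, 30), "http://news.example/story-2"),
    # carol (UTC-8): a single post at 01:30 local time, no repetition
    ("carol", _utc(2011, 11, 21, 9, 30), "http://blog.example/post"),
    # dave (UTC+0): the same link five times, but spread over a whole day
    ("dave", _utc(2011, 11, 21, 9, 0), "http://shop.example/deal"),
    ("dave", _utc(2011, 11, 21, 12, 0), "http://shop.example/deal"),
    ("dave", _utc(2011, 11, 21, 15, 0), "http://shop.example/deal"),
    ("dave", _utc(2011, 11, 21, 18, 0), "http://shop.example/deal"),
    ("dave", _utc(2011, 11, 21, 21, 0), "http://shop.example/deal"),
]


def local_hour(ts_utc, offset_hours):
    """Hour of day (0-23) in the account's local time zone."""
    return (ts_utc + timedelta(hours=offset_hours)).hour


def odd_hour_accounts(posts, offsets, quiet_hours=(1, 2)):
    """Accounts that posted during the quiet hours (default 01:00-02:59 local)."""
    flagged = set()
    for account, ts, _link in posts:
        if local_hour(ts, offsets[account]) in quiet_hours:
            flagged.add(account)
    return flagged


def burst_accounts(posts, min_repeats=5, window=timedelta(minutes=10)):
    """Accounts that posted the same link at least min_repeats times within window."""
    by_key = defaultdict(list)
    for account, ts, link in posts:
        by_key[(account, link)].append(ts)
    flagged = set()
    for (account, _link), times in by_key.items():
        times.sort()
        # Sliding window: for each post, count the posts that fall within
        # `window` of it (including itself).
        for i, start in enumerate(times):
            end = start + window
            count = sum(1 for t in times[i:] if t <= end)
            if count >= min_repeats:
                flagged.add(account)
                break
    return flagged


def flag_compromised(posts, offsets):
    """Map each suspicious account to the list of signals that fired."""
    reasons = defaultdict(list)
    for account in odd_hour_accounts(posts, offsets):
        reasons[account].append("posting in the small hours (local time)")
    for account in burst_accounts(posts):
        reasons[account].append("same link repeated in a short burst")
    return dict(reasons)


if __name__ == "__main__":
    for account, why in sorted(flag_compromised(SAMPLE_POSTS, ACCOUNT_UTC_OFFSETS).items()):
        print(f"{account}: {'; '.join(why)}")
```

On the sample log, alice trips both signals, carol only the odd-hour one, and dave's slow repetition of a legitimate link is left alone, which is the kind of separation a real detector would need before acting on an account.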

Researchers also believe that Facebook users are going to have to become savvier in how they interact with the social network. Most people recognize spam email, but, for some reason, they feel safer on Facebook. BitDefender, an antivirus software vendor, performed its own study to demonstrate this. One of its experiments found that approximately a third of people who were sent a friend request - regardless of whether they knew the "friend" or how many friends they had in common - from an account created by BitDefender accepted it. A quarter of those people would then click on a link sent by their new friend.

Facebook is constantly trying to increase its security efforts, although privacy concerns and the selling of users' information to third parties may haunt the company for some time to come. Spammers are learning how to infiltrate Facebook, and they are creating specific targets because they can see people's interests, hobbies, et cetera. In general, users are going to have to learn to be more cautious in whom they accept as friends and to be more wary of messages and posts they receive.

Source: Technology Review

Batten Down the Hatches: How to Secure Your Facebook Profile Page

One of my least favorite things about Facebook is its privacy settings. First, they're hard to find. Second, they're not located in one place. Third, new applications, such as Facebook Places, are constantly added, meaning that users have to remember how they accessed their privacy settings in the first place and update them.

I recently spent some time reviewing how to change some of Facebook's privacy settings and making sure that my profile page was as secure as I would like it to be. Finding some of those settings and figuring out how to update them was rather tedious and, in some cases, downright complicated. I'm only going to address some of the common privacy settings; if you have a specific question, please submit a comment, write on the wall, or tweet IDS.

Make events private. This is one of the easier privacy settings to address, but it still seems that many users overlook it when setting up an event. As a result, strangers and, sometimes, party crashers show up at what was meant to be a private party.

Make Events Private

To make an event private, simply uncheck the "Anyone can view and RSVP" option. If you don't want people to know who's been invited to the party, also uncheck "Show the guest list on the event page." It's a handy feature if you're afraid of hurting someone's feelings by not including them in the invitation.

 

Make your Wall Photos private. Wall Photos are kind of sneaky. When you upload a photo to your wall, it's saved in a new album. That album's settings are based on your status updates, so if your updates are set to "Everyone," guess what? "Everyone" can see your Wall Photos, too.

 

Make Wall Photos Private

To access the settings for your Wall Photos album, go to the album. Click "Edit Album Info." You should see a privacy dropdown menu and a "Custom" option. Click on "Custom," and you will be able to customize your privacy settings for the album.

Keep your status private. When you first join Facebook, you inherit the default settings for everything - your photos, your updates, your News Feed. To change your status update settings, you will have to go to "Privacy Settings."

 

Keep your status private

Once you're on the Privacy Settings page, you will need to click on "Customize Settings." Doing so takes you to a page where you can manage who sees your updates, photos, places, et cetera. To access the window pictured above, click on the dropdown menu for "Posts by Me." Click "Customize" and adjust your privacy settings to your liking. In this window you not only can choose who sees your updates, but you can also hide your updates from specific individuals.

 

Secure your profile. Your profile is one of the most dangerous places on Facebook. Almost any information you enter will be linked to a page with related information. Your hometown, for example, will link to pages populated by Wikipedia, thus granting access to advertisers.

 

Secure your profile

You can add your location and hometown as long as you limit who can see them in your privacy settings. You should never show your full birthdate; in fact, it's recommended that you not show your birthdate at all. The other sections included in "Basic Information" are highly personal. If you don't want people to know information about you, don't share it. You don't have to fill in every single box with a checkmark or information. The other portions of your profile also need to be considered. If you don't want people to know your educational background or work history, don't share it. Most of the other sections - Arts and Entertainment, Sports, and Activities and Interests - are relatively neutral, but you should still be cautious. Only "like" things that you genuinely like, and be careful about liking pages that may be inflammatory or derogatory. The Contact Information section is a minefield; use extreme caution. Only share information that can't cause you harm. For example, don't share your cell phone number or address. Do share your website and Twitter ID if you're comfortable doing so.

 

Protect your profile photo. Your profile photo can be seen by everyone, and it can be difficult to hide. Choose a sensible photo. Don't use a provocative photo (remember, everyone can see it) or one that is copyrighted.

 

Protect your profile photo

Also remember that advertisers can use your profile photo unless you change your settings. To do so, go to your Privacy Settings. Click on "Manage." Now go to "Edit Your Settings" under Apps and Websites. There are several items of interest on this page, but you only need to visit "Instant Personalization" and "Public Search" and disable their abilities to access your profile.

Control the News Feed. This area isn't necessarily a privacy issue since the News Feed is for you; however, it's helpful to know how to hide or show statuses.

 

Control the News Feed

To access this window, click on "Most Recent" in the News Feed. You should see a small arrow next to "Most Recent." Click on it to access a dropdown menu. Click on "Edit Options." The window pictured above will appear. You can then add friends to the "Show More" or "Hide" categories. You can also control how many friends show in your feed. The higher the number, the more updates you will see in your feed.

Source: ZDNet

Beware Facebook's Dancing Snowman

Facebook is, yet again, the target of spam. The spam is in the vein of the holiday spirit, but it bears a strong resemblance to the profile view scam from a few weeks ago. In this newest version, Facebook users are seeing messages from their online friends claiming that they received a free dancing snowman for their farm, followed by a link.

When users click on that link, they are taken to a page that appears to be within Facebook where they can "like" the snowman. If users click on the snowman, as they're directed to do, the snowman dances. At that point, users are presented with a page asking them to republish information about the dancing snowman. Users who decline the republishing prompt are told they won't be able to adopt the dancing snowman. That ploy is proving almost irresistible; based on the number of times the snowman story has already appeared in the News Feed, users find the temptation of a dancing snowman too hard to overcome.

Unfortunately, that's not the end of the scam. After republishing the story, another page appears telling users that they only have seventeen minutes to complete the online survey and that only "Superfarmers" can access the dancing snowman. Users who move forward with the survey ploy are then asked to share identifying information, such as name, birth date, and address. By the time users finish the "survey," the message about the snowman has spread across their network.

The intentions of the dancing snowman aren't known at this time. At best, it's annoying spam. At worst, it's a phishing technique. And the dancing snowman? Well, it's a myth. No one has gotten one after jumping through all the hoops. All they have done is shared personal information with an unknown party. 

Source: Sophos

Beware of Phishy Email

We've all received "phishy" emails from unfamiliar email addresses. We know what to do with those emails: delete them. We also know to delete emails stating that a person is stranded in no-man's land and needs money so that he or she can be reunited with a family member. What do we do when we receive an email from someone we trust, though?

Unfortunately, I'm guessing that many of us have ignored the warning signs - no subject heading, for instance - because we thought we were opening an email from a trusted source. We then ran across other warning signs, such as no message or signature. Based on those warning signs, we probably decided to delete the email rather than risk our safety by replying or clicking on a link. Some people, though, don't know the warning signs and unwittingly click on a link that could unleash a potential virus. 

I discovered this truth only a few days ago when one of my email accounts was used to send a message to all of my contacts. The email had no subject heading, message, or signature. It merely contained a link. Two of my family members, including my mother, clicked on the link, which took them to a site for Viagra of all things. I was horrified to learn that my mother had clicked on the link; I assumed that everybody knew better than to click on strange links. Of course, my mother had no reason to suspect anything. The email supposedly came from me, a trusted source. My only hope is that opening the email or clicking on the link didn't release some sort of virus onto my mother's and other contacts' computers.

If your email account is ever used to go on a "phishing" expedition, you don't have to sit idly by while your computer and other people's computers are overrun with a virus. You can take steps to protect your computer and to protect your contacts. These steps include:

  • Learn how your email account was hacked. Start by scanning your computer with a good, reliable, and updated antivirus program. If any viruses, malware, or spyware are identified, remove them immediately.
  • Don't stop with a basic scan. If your basic antivirus program doesn't find any problems, you may need to pull out the "big guns," such as Malwarebytes or Combofix. A word of warning: Combofix is only to be used in the direst circumstances and only if you know how to use the program. Combofix can be just as devastating as a virus if used incorrectly.
  • Update your information. Reset your password and update your security information on the compromised account and any other accounts you have. If you don't, the hacker will easily regain control of your account or hack some of your other accounts. Make your passwords as secure as possible; most hackers can figure out a password that is only moderately secure.
  • Back up your addresses. Forward your address book to one of your other email accounts and delete the addresses from your hacked account. Also save a copy of your contacts on your hard drive. If you think that a hacker may try to regain control of your compromised account, consider deleting it entirely. This is the only foolproof way to stop a hacker from re-hacking your account.
  • Notify your contacts. Send an email to your contacts stating that your email account was compromised. When possible, use an email address other than the one that was hacked to send a message to your contacts. Also tell your contacts to ignore any additional "phishy" emails that come from the compromised email address. Suggest that your contacts run a scan of their computers in case the email released a virus or other malicious program when it was opened.
  • Take legal action. File a report with the appropriate authorities, if required. If the hacker's activities resulted in you or one of your contacts losing money, you need to file a police report. You will also need to report the crime to the FBI's Internet Crime Complaint Center (IC3).
  • Use common sense. If you don't recognize the email address, refuse to open the email. If you recognize the email address but don't see a subject heading, open the email with caution. If the email contains a strange link without a message or signature, do not click on the link. It's best to delete the email rather than to compromise your security and that of your contacts.

Blacklisting versus Whitelisting

Anti-virus (AV) can only do so much. It senses a threat within the system and takes action. The process is reactive rather than proactive. That can leave vulnerabilities within a system. What if AV doesn't sense the threat? What if it senses the virus or Trojan horse, but it doesn't respond quickly enough? What happens then?

What happens is skyrocketing costs. It takes time and money to deploy, manage, and update AV software. Performance on computer servers and networks running AV decreases as it monitors increasing network traffic and malware signatures. More calls have to be made to the help desk, and more time is spent cleaning and re-imaging infected systems. Data often is lost. The network may have to be shut down, resulting in a loss of productivity.

Although AV is vital to an organization, it can't be the only method of defense against malware and viruses. AV has a fundamental flaw. It can't prevent "zero-day" attacks - viruses that have yet to be identified by AV providers - because AV works on a "blacklist" approach. In that approach, all traffic is allowed to enter a system. AV then is supposed to identify and remedy whatever traffic has been deemed "bad," but it can't do that if the attack has yet to be pinpointed by AV.

Because of the limitations found within AV, it's a good idea to consider other approaches and how they can integrate with AV. One approach, called "whitelisting," is the opposite of blacklisting. Whitelisting only allows applications that have been approved to run. In the past, whitelisting was rather inflexible and was only popular on locked-down systems, such as point-of-sale terminals, e-commerce servers, and ATMs. That isn't the case today. Whitelisting has become much more robust and easier to use. When whitelisting is integrated with other endpoint security and management tools, including AV and patch management, it is referred to as "intelligent whitelisting."

Intelligent whitelisting has the potential to reduce costs year-over-year. It provides more effective endpoint security by reducing malware infection rates. It lessens endpoint complexity by incorporating application controls, patch management, and AV. It improves operations and productivity not only within the IT department but also the organization as a whole.

Source: SourceForge

BP's Latest Blunder: Lost Data

On Tuesday, National Public Radio (NPR) announced that BP has made yet another blunder in a long list of them. One of the company's employees lost a laptop during routine business travel. That laptop was password-protected, but the information it contained was not encrypted. The data included the names of approximately 13,000 oil spill compensation claimants, along with Social Security numbers, addresses, and telephone numbers.

BP knew of the lost laptop almost a month ago but didn't tell the claimants about the loss until this week. The company explained that it was performing due diligence before raising any alarms. BP has reported the lost laptop to law enforcement and is offering credit monitoring through Equifax to everyone affected by the potential data loss. The company also has stated that claimants will not have to resubmit paperwork.

Lost laptops are nothing new. According to a survey done by Sophos in 2008, almost 12,000 laptops were lost per week in United States airports. That number has surely grown in the past three years, and it doesn't even begin to account for laptops that are lost in international airports every week. 

The latest BP incident and that statistic raise a number of pertinent questions. One, what are companies doing to keep information stored on laptops or flash drives safe? Is the information not only password-protected but also encrypted? Two, what protocols are in place for employees who use laptops or flash drives on a regular basis? For example, do employees have to have their laptops screened by an IT person at the company? Do employees have to scan a flash drive for viruses prior to using it on the desktop computer at work? Does someone at the company track what information is being accessed by users and saved to flash drives? Three, how long should a company wait before notifying its clients of a potential data loss? What is the best way to notify those people? What will the company offer them in return for potential or actual damages?

The answers to those questions will differ from company to company, but it's important to consider the questions and to develop answers. Protocols and standards are important. They prevent businesses from having to scramble for answers when a data breach occurs. They counter inane excuses and blame games. They thwart comments like the one Matt O'Brien made in response to the latest BP blunder: "[I]t's par for the course for them. They can't seem to do nothing right."

Sources: NPR, Sophos

Can We Be Friends?

Facebook is a treacherous place to navigate. It's entirely too easy for impostors to create fake accounts and to wreak havoc. Sometimes, those accounts are easily identifiable. No photo? No problem. I won't accept that friend request. Sometimes, though, the accounts aren't quite as easy to identify. They have photos and enough information in their profiles to appear to be legitimate.

What is the correct response to receiving a friend request from an account that may or may not be real? Many people accept the friend request without even thinking about it. In some cases, those people may initiate the request themselves because they think they know the owner of the Facebook account. In either scenario, a lingering question hasn't been answered: Is the account owned by an actual friend or an impostor?

Even if you believe that the account is owned by a friend, it may not be. Impostors sometimes duplicate existing Facebook accounts for a variety of reasons. One of them is to stalk your activities, a possibility that becomes an even scarier idea if you're using Facebook Places or a service like it. Another reason is to steal information. What are you sharing in your profile or on your wall? Could that information be used to steal your identity? A third reason is to spread malware. If you're friends with someone, you're more likely to click links he or she shares with you. When an impostor - whom you believe to be a friend - does the same thing, you may click the link without a second thought, releasing some sort of virus. A final reason is to scam you. If you see a post from a so-called friend saying that he or she is in trouble and needs cash, you may be tempted to send him or her money. 

What should you do with accounts that may be impostors? The only thing to do is to contact the actual person - in real life - and to verify that the account is a legitimate one. If it isn't, ignore the friend request from that account. If you continue to be contacted by the account, you may have to mark the account as spam to prevent additional requests or messages. If you've already accepted the request, the solution is a little different. The first step is to "unfriend" the person. The second step is to warn your actual friends about the bogus account; after all, an impostor's goal may not have been to affect you or to infect your computer alone. The final step is to check applications that have accessed your Facebook account, to change your password, and to tighten your security and privacy measures on your account.

Source: Sophos

Could a Hacktivist Group Target My Organization?

Hacktivist groups, named and unnamed, continue to proliferate. Some of those groups, like LulzSec and Anonymous, have achieved notoriety. Their hacking attempts never go unnoticed; in fact, being noticed is one of their aims. They want the public to know what they're doing. They want to broadcast that they've hacked Sony or the Arizona Department of Public Safety.

Hacktivist groups like Anonymous have become so well-known that IT professionals at the smallest of companies have started to worry whether their organization could be the next target. They want to know what they need to do to protect their company. Should they focus on a particular vulnerability, such as SQL injection, which LulzSec favored?

The truth is that IT professionals need to address SQL injection vulnerabilities, as well as any other existing ones, regardless of the potential of being targeted by a hacktivist group. They need to develop an all-encompassing security strategy that attempts to thwart hacks and that has protocols and procedures in place for when a hack does occur. They also need to recognize that hacktivist groups have motives.

If IT professionals were to analyze LulzSec's and Anonymous' activities, they would begin to see a pattern: hacktivist groups tend to target large, bureaucratic organizations that purportedly have mistreated people. Sony was hacked because of its reputation as a terrible company. The hack of the Arizona Department of Public Safety was motivated, at least in part, by Arizona's law regarding non-citizens.

It appears that hacktivist groups have a social impetus in addition to a media-seeking one. They target supposedly unscrupulous companies. They hack organizations that boast about their impervious security measures. They then broadcast those hacks, ensuring that their efforts garner attention. 

If IT professionals wish to keep their organization safe from hacktivist groups, then, they need to consider their company's business practices. Is it behaving responsibly? Is it treating its customers well and doing its best to protect those customers? If so, it's unlikely that the organization will be targeted by a hacktivist group. Even so, IT professionals need to implement an overarching security strategy. Hacktivists aren't the only people hacking these days.

Source: TechRepublic

Defensive computing: avoiding seven danger zones

Using the internet is a lot like driving. You have to be aware. You have to be on the defense and prepare an offense. If you don't have a defensive or offensive strategy, you’re likely to wreck your computer. You might have to pay for the damages yourself. You might not be able to recover from those damages or injuries, and, no matter what the television says, getting someone to pay your bills when you’ve been injured in an accident is not easy.

Some people could become afraid of the risks and refuse to use the internet. Others use the internet without considering any of the dangers until they’ve been injured. Still others weigh the risks and watch for the danger zones:

  1. Malware. Malware continues to invade people’s computers in a variety of ways. Anti-spam and anti-virus software helps, but it doesn’t provide a guarantee against infection. You have to pay attention and ensure that you’re visiting the right sites. You have to refuse to open email attachments from sketchy email addresses. You have to keep your anti-spam and anti-malware software up to date.
  2. Windows XP. Windows XP has gaping holes in its security, and they aren’t going to be repaired. Your best - and really only - option is to upgrade to Windows 7.
  3. Computer kiosks. Public computers always are a risk. You can’t be certain they’re free of malware. If you choose to use them, make sure you’re not visiting sites that require you to enter your email address, username, or password.
  4. Public Wi-Fi. Public Wi-Fi means unsecured connections. It has the same dangers associated with it that computer kiosks do. If you’re planning to access sensitive information, it’s best to wait until you can use a secure connection.
  5. Man-in-the-middle attacks. Man-in-the-middle attacks often occur in public Wi-Fi settings. You enter your information at a website, and the information is sent to both the wrong website - the “man in the middle” - and the correct one. You’ll never notice the attack until you receive a “surprise” bill in your email or mailbox.
  6. Phishing. Phishing scams usually are found in the emails from the rich uncle in Nigeria or the stranded woman in London. The scams are becoming more sophisticated and targeted; therefore, you should use caution when deciding to click on any sort of link purportedly shared by one of your friends via email or a social network.
  7. Passwords. The advice cannot be given enough: do not use the same password at multiple sites. If you’re concerned about remembering passwords, you can invest in password software.

What danger zones would you add? Let us know in the comments.

Defensive computing: protecting yourself in the danger zones

As stated last week, using the internet is a lot like driving. You have to pay attention. You have to be prepared. You have to buckle up prior to getting on the road. You must use your indicators when choosing to turn or to exit the freeway. All those measures help to keep you safe on the road; similar measures can be taken in order to keep you safe when online.

Of course, neither the measures you take while driving nor those you take online can prevent all vulnerabilities. They simply can help to mitigate some of them. They can increase your chances of arriving safely at your destination, whether that destination be someone’s house or someone’s website.

  • Use authentication tools. Authentication tools are opt-in features. Google, E*Trade, and other companies allow you to augment your password with your cell phone or other security token.
  • Prepare adequately. Most email providers and social networks ask you to provide other identification measures in order to safeguard your security. Most of those measures include alternative email addresses, cell phone numbers, or security questions. Such measures must be enabled prior to your account being compromised; they offer no help to you if your account already has been hacked.
  • Set alerts. Some social networks will alert you if your account is accessed from a different browser. Such alerts can help you to monitor who is accessing your account. 
  • Use multiple accounts. You probably don’t have a single email account. You probably have the one you use regularly, and the one to which you direct spam from retailers and other entities. If one of those accounts is hacked, you at least have the other one. Remember, though, that you need to keep a record of your contacts in both. If you lose one account to a hack and haven’t saved a copy of your contacts, you will have to start from scratch.
  • Go offline. Keep offline copies of your data. Download the data to a disk or a disconnected hard drive.

How do you stay safe in the danger zones? Share your thoughts in the comments.

Developing a Secure Security Strategy

Security strategies often are thought of in terms of protection. If you have the right software, hardware, and applications, your business will be fine. Those are components of a security strategy, but having those things in place isn’t going to do you much good if you haven’t established an internal infrastructure regarding your IT personnel. What would happen if they decided to play hooky one day or if one of them chose to rage against your business because he or she had been terminated? Would you have protocols in place that would protect your business in such scenarios?

Unfortunately, many businesses don’t. They take a hands-off approach to IT and leave all the security elements in the hands of their IT personnel. Such a strategy may work short-term, but it’s certain to have repercussions in the long run. IT has to be an all-pervasive thing. If you are the business owner, you have to know what is happening with your business’ IT structures and strategies.

You should start by considering your password management. Which people in your IT department have access to passwords? What occurs when passwords are changed? How often are they changed? What are the considerations when creating those passwords? When passwords are changed, are you notified and given those passwords? 

Next, consider what happens when an employee or consultant no longer works for you. Are their accounts revoked? How soon are they revoked? In general, an employee’s or consultant’s access privileges should be deactivated immediately, regardless of whether the parting was on good or bad terms. In order to protect your business, you need to keep your information in-house. That can’t happen if everyone who has ever worked for you retains their accounts.

You also should have reporting systems in place. Decide how often you need your IT personnel to report to you. The frequency is going to depend on your type of business. If you own a telecommunications company, you may need daily reports with status updates regarding projects. If you own an art gallery, you may only need to receive reports weekly. Do decide on a schedule; if you don’t have one, the reporting will be haphazard and, more than likely, will not occur.

Also be conscious of whom you hire as a consultant. If, at some point, your business requires an IT consultant, you need to do your due diligence before hiring one. Ask for customer references. Inquire about certifications. Ask to see a portfolio of his or her work. That, more than anything else, will tell you whether your potential consultant has any real knowledge. Also consider with whom the person works. If your consultant is planning to deploy a product developed by Microsoft or Cisco, it’s likely that he or she is a member of a partner program. The consultant could still be questionable, but you at least have some insurance via the overarching company if that proves to be the case.

Finally, condense those four components into a written policy. Make sure that your IT department reads it and signs it. Include every possible facet in the policy that you can. It’s better to be over-protective than to be under-protective. Remember to update your policies on a regular basis; they should be reviewed at least once a year in order to ensure that they provide adequate protection and that they clearly outline your expectations for your IT personnel.

What do you do to protect your business? Do you have policies in place regarding your IT department? Why or why not? Let us know in the comments.

Does your social media use put you or your belongings at risk?

Social media can be both a blessing and a curse. You can stay connected with friends and family even though you live thousands of miles away from each other. You can stay up to date with the news and trending topics. You also can broadcast your activities to almost any type of criminal.

Yes, criminals. They use social networks, too, and they often use them for nefarious purposes. They are looking for their next target, and, if you aren’t careful, you could be it. You could return from that long-awaited vacation and find that your home has been burglarized. You could be meeting friends for dinner and have your purse or wallet snatched by a thief who was monitoring your check-in activities. You can mitigate some of those scenarios with the following steps: 

  1. Check your privacy settings. Each network you use has different privacy settings. Make sure they are doing what they are supposed to be doing - protecting your privacy. Also ensure you are only sharing information with the people you want to see it.
  2. Watch your connections. You can connect with a number of people online. If you don’t know who they are - even if you have friends in common - you may want to take a few seconds before confirming that you want to connect. You do not have to accept every friend request nor do you have to follow everyone who follows you. 
  3. Don’t submit press releases. If you’re going out of town for the weekend or for a couple of weeks, don’t broadcast the news on your social networks. Even if you’ve availed yourself of the privacy settings and have watched your connections, it’s a bad idea to disclose your vacation plans. Social media makes a small world even smaller. News will spread. Where it goes is anybody’s guess.
  4. Guard your location and belongings. You may love the fall decorations around your home and want to share photos of them online, but it’s not a good idea. You shouldn’t post photos that reveal your address or landmarks near your home. You also shouldn’t post photos of expensive items in your home. Yes, you may love that new flatscreen. Guess what? So does your soon-to-be burglar. 
  5. Be aware. As with all things, use common sense. If you think that the information you’re posting could put you in harm’s way, it’s best not to post that information. Share it another way, such as a phone call to the person who will be watching your home while you’re spending time in Aruba.

How do you keep your friends and family, your belongings, and yourself safe? Let us know in the comments.

Don't be Scared: How to Avoid Scareware

Unfortunately, rogue security programs are out there. They promise to protect your computer and your personal information; however, they actually do harm. Other programs mimic the real thing and scare you into paying money for nothing. For those reasons, rogue security programs are better known as scareware. How can you avoid scareware? Here are a few guidelines followed by corresponding visual aids:

Copycats. Many rogue programs copy user interface elements from real programs. They may also copy or include a company logo; the multi-color Windows security shield remains ever popular. Think of how easy it is to obtain a logo from a legitimate company. Merely visit the company's site or go to Google Images, and you can usually download a logo for any company in existence. Don't assume that a program is trustworthy because it has a supposed nod of approval from a company like Symantec, Sophos, or Microsoft.

Microsoft Logo Ploy

The name game. Rogue programs will often use names that are similar to actual security software programs. Once upon a time, it was easy to spot rogues; if the name game didn't give them away, the poor grammar and spelling did. Today's programs are much more refined. You can't rely on poor language skills to identify them anymore.

Adware Pro: Name Game

Warnings. If a security program you have never installed suddenly pops up with a warning of imminent danger, you're probably being scammed. Close the pop-up window and proceed to scan your computer with your security software.

High Danger Alert

Sticky fingers. If it's very difficult to close a program or to escape from the registration process, it's probably a rogue. Again, escape the window and scan your computer with an actual security software program.

Elaborate Registration

High speeds. Rogue security programs have high-speed virus scanning because they're not actually scanning anything. Remember, the program's goal is to scam you and possibly to harm your computer.

Fast Scan with Entirely too Many Errors

Registries. Scareware wouldn't exist if people would stop registering it with fake registries. Plenty of people pay upward of $70 to register a fraudulent site. That money funds additional scams. A clue that the registry's a fake? It asks you to remove any existing security software prior to registering a rogue program.

Another Rogue Program

False reviews. Rogue programs sometimes will go to great lengths to appear reputable, so be careful. Beware of fake sites with fake reviews. Find reviews of programs at well-known sites, such as PCMag or Sophos. Do your own research to find the best antivirus programs and security suites.

Sources: PCMag, Sophos

Don't Use These Passwords

When my brothers and I were kids, we had several forts scattered throughout the neighborhood. Each one had a unique and equally lame password: "open sesame," "password," "konnichiwa." Our passwords, while simple, usually prevented unwanted guests from entering, including siblings that weren't on the favored list for the day. How? We were constantly changing our passwords, often without warning, and attempting to make them more difficult to remember and say.

The same principles can be applied to passwords used for online accounts. Passwords need to be strong, and they need to be changed every so often. With the recent security breach at the Gawker Media family of sites, the necessity of changing passwords and making them stronger should seem obvious. Twitter, LinkedIn, World of Warcraft, and Yahoo are only some of the popular sites urging users to change their passwords. Will they?

History doesn't seem to think so. According to Sophos' 2009 online survey, thirty-three percent of respondents use the same password on every single site. If their password were to be stolen in only one place, such as Gawker's Gizmodo or Lifehacker sites, it could be used to unlock other sites, too. People also are continuing to choose poor passwords, despite warnings. An analysis of the passwords stolen in the Gawker hack showed that "123456" and "password" were the most popular. When the 2009 Conficker worm started to spread, it, too, targeted computers with poorly chosen passwords. The common passwords? "Password" and "123456."

Although LinkedIn and Twitter may be warning users to change their passwords, what's to stop users from changing their "123456" password to the equally unsafe "password" password? Websites could test users' passwords to ensure that they're strong enough. Until all websites offer that option, though, users are going to have to rely on their own wits and avoid these common passwords:

Top Fifty Passwords on Gawker

Do any of those passwords look familiar? Maybe it's time to change some of the ones you're using. Here are a couple of tips when it comes to creating a strong password:

  • Passwords need to be at least six characters long, if not longer.
  • Passwords should contain a mix of upper and lowercase letters.
  • Passwords should include numerals, special characters, and punctuation.
  • Passwords should not be based on any personal information.
  • Passwords should not be based on any dictionary word.
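The five rules above can be turned into a policy check that a site (or a password manager) runs before accepting a password. The following is an added example, not code from the original post; the word list and the personal details it refuses are constructed stand-ins for a real dictionary or breached-password list, and the leetspeak table is an assumption added so that "P@ssw0rd" is still caught as "password".

```python
import re
import string

# Constructed stand-in for a real dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "monkey", "dragon", "welcome"}

# Leetspeak substitutions undone before the dictionary check (assumption: this
# small table covers the usual swaps), so "P@ssw0rd" is still recognised as "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw):
    """Lowercase, undo leet substitutions and keep only letters."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(_LEET))


def check_password(pw, personal_info=(), min_len=6):
    """Return the set of rules the password breaks; an empty set means it passes.

    personal_info is a tuple of strings the owner would never want in a
    password, such as a surname or birth year (rule 4 in the post).
    """
    broken = set()
    if len(pw) < min_len:                                   # rule 1: length
        broken.add("length")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        broken.add("case")                                  # rule 2: mixed case
    if not any(c.isdigit() for c in pw):
        broken.add("digit")                                 # rule 3: numerals
    if not any(c in string.punctuation for c in pw):
        broken.add("special")                               # rule 3: punctuation
    norm = normalize(pw)
    # rule 5: the raw password or its de-leeted core must not be a known word
    if pw.lower() in COMMON_WORDS or any(w in norm for w in COMMON_WORDS if len(w) >= 4):
        broken.add("dictionary")
    for item in personal_info:                              # rule 4: personal data
        item_norm = normalize(item)
        if item.lower() in pw.lower() or (len(item_norm) >= 3 and item_norm in norm):
            broken.add("personal")
    return broken


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd!", "Tr0ub4dor&3"):
        print(candidate, "->", sorted(check_password(candidate)) or "ok")
```

The check reports every rule that fails rather than stopping at the first one, so the user can be told all of the reasons at once; the de-leeting step is what stops the common trick of satisfying the character-class rules while still using a dictionary word.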

Creating multiple passwords may seem problematic; after all, how are we expected to remember all of our passwords, especially when they're a hodge-podge of letters and numbers? Fortunately, a solution exists to that problem. Password management software programs like 1Password, KeePass, and LastPass can help remember all your different passwords.

Sources: Hitachi ID Systems, Inc., Sophos

How Do I Stay Safe Online?

It's a question that never gets old: "How do I stay safe online?" It's a good question. Some people might answer it by recommending antivirus software. Other people will argue that it has to do with how people use and interact on the web. Both statements are true. Both elements are necessary for staying safe online.

It seems, though, that we sometimes focus too much on the antivirus component. We read the ratings of the software, trying to determine which one's the best. Which one will protect us and our information? Which one is best for the workplace? Is a different program a better choice for our homes? For instance, should we focus on a software package that includes more stringent parental controls?

In doing so, we neglect an equally important component - the choices we make. What do we choose to do online? What kind of information are we sharing? Are we blithely clicking on links without evaluating whether they're poisoned? Are we installing extensions and software that have the ability to alert us to compromised websites?

One of ZDNet's writers, Ed Bott, has the following advice: "Pay attention to your surroundings, and don't be stupid." What does he mean by that? He offers insight into that statement through a couple of steps:

  1. Don't panic: If you inadvertently stumble onto a compromised website or are faced with a pop-up claiming your computer is infected with a virus, don't panic. Take a breath. If you can, leave the infected website or close the pop-up. If you can't, turn to your friend Ctrl/Alt/Delete and escape. If that doesn't work, either, do a hard reboot of your system. If you're worried that your computer has been infected, take it to a specialist for a diagnosis.
  2. Stay up to date: If your hardware and software are up-to-date, your system is much more difficult to compromise. If you use Windows, turn on Windows Update and set it to download and install updates automatically. If you're a Mac person, do the same thing with the Apple Software Update - set it to download and install updates automatically. Also remember to update browsers and utilities, such as Adobe Reader and Java, and media players.
  3. Learn to spot the scams: Anytime you visit a website or open your email, you need to ask if you should trust the site or the sender of the email. Most email providers provide some sort of spam filter. It usually catches most of the spam, but it's still best to be wary if the email is from someone you don't know. Use caution when an email says you've received some sort of e-card or asks you to click on a link. Email scams are becoming more sophisticated, but the usual ones still carry the telltale signs: poor grammar, misspellings, the wrong title (calling you Mr. instead of Ms., for instance), et cetera. Websites are trickier. The first step is to be leery of any site asking for your login credentials. If you have any doubts about the page you're visiting, close your browser and reopen it. Type the domain name in the address bar and navigate to the login page from the website's home page. Second, look for the secure connection symbol. You'll see it when you use PayPal; you'll see the padlock icon and the HTTPS in the address bar.
  4. Make sure the software is safe: Bott's rule of thumb when it comes to software is as follows: "If you have any doubts about a software program, you should not install it. Period." Bott also offers three questions worth considering before installing any sort of software. One, is the software from a trusted source? Two, is it signed with a valid digital signature? Three, what does the security community say about the software?
  5. Think about your passwords: It's a refrain these days: use different passwords at different sites and make sure that they are unique and difficult to guess. Bott says, "Repeat after me: Never use the same password in multiple places, and be especially vigilant with passwords for e-mail accounts." Why the emphasis on email accounts? Think about the question for a minute. What would happen if a hacker could access your email? Could he or she wreak havoc within your workplace? Could they access your financial records or transactions with companies like Amazon or eBay? It's imperative that you create strong passwords.

Do you agree with Bott's advice? What tips would you add? Let us know in the comments or on Facebook or Twitter.

Source: ZDNet

How Secure are Your Connections?

Every day, we connect to a myriad of sites. We sign into our email accounts. We might check our bank account online. We visit Facebook or Twitter. We might not think about it, but all of those sites have varying levels of secure connections.

Any online bank, of course, is supposed to have a secure connection in place. We look for it and know it’s there because we see the “HTTPS.” Depending on our browser or the banking entity, we might see the SSL certificate accompanied by a green padlock. Those things assure us. They tell us that our names, passwords, and account information are secure. 

Email accounts are different. Most email providers, such as Gmail or Yahoo!, have security protocols in place. Our messages, including any identifying information, are encrypted before they are sent to a recipient. That’s not always the case with Microsoft Exchange Server or other corporate email systems. Sometimes, those systems aren’t configured correctly. In some cases, they are configured correctly, but it’s up to us to turn on the secure login method, which is typically found in the Authentication tab of most email systems.

Other connections occur on a frequent basis. For instance, we probably transfer files to and from certain locations regularly. We might use a shared folder, or we might use an online service such as Dropbox or Carbonite to expedite that process. Most of the time, though, we rely on FTP which, by default, is not encrypted. FTP can be made secure, but it has to be configured correctly via its SSL Settings.

Facebook and Twitter are an entirely different matter because of the way we use those networks. We can choose to use a secure login, which can be set up in both Facebook’s and Twitter’s settings. That secure connection only protects our internet connection, passwords, and account information. It does not protect the details we choose to share on those networks. If we’re protecting our passwords and account information from prying eyes while posting that we’re going out of town for the weekend, we only have ourselves to blame when we return to find that our homes have been vandalized.

Those are only a few of the connections we make on a day-to-day basis. We could visit each of the sites to which we connect and ensure that they’re secure, but that would be a monumental task. Tech Republic suggests that we instead check our outgoing connections by using the command “netstat.” Once the command is typed into the command window, we receive tabulated data. The third column of the data shows a list of the remote hosts with the ports used. Any time those ports show “443,” they’re using a secure connection. Another suggestion is to use a packet sniffer, such as Microsoft Network Monitor or Wireshark.
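The netstat check described above can be scripted so that the plaintext connections are pulled out of the output automatically instead of being read by eye. This is an added example rather than code from the post or from TechRepublic; the netstat output it parses is a constructed sample in the Windows `netstat -n` layout (documentation IP ranges, not real hosts), and the port-to-protocol tables are an assumption about which well-known ports carry TLS. As the post itself notes, the port number is only a hint: a packet sniffer is what actually confirms that the traffic is encrypted.

```python
# Constructed sample of `netstat -n` output (Windows layout: Proto, Local Address,
# Foreign Address, State). The addresses come from documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:52113     203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.10:52114     198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.10:52115     198.51.100.9:21        ESTABLISHED
  TCP    192.168.1.10:52116     [2001:db8::1]:443      ESTABLISHED
  TCP    192.168.1.10:52117     203.0.113.8:993        ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

# Assumption: well-known ports that normally carry TLS/SSH versus cleartext.
TLS_PORTS = {443: "https", 993: "imaps", 995: "pop3s", 465: "smtps", 990: "ftps", 22: "ssh"}
PLAINTEXT_PORTS = {80: "http", 21: "ftp", 23: "telnet", 25: "smtp", 110: "pop3", 143: "imap"}


def split_host_port(addr):
    """Split '203.0.113.5:443' or '[2001:db8::1]:443' into (host, port).
    Entries such as '*:*' have no numeric port and come back as (addr, None)."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return addr, None
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        host, port = split_host_port(fields[2])        # third column: remote host
        rows.append({"proto": fields[0], "remote_host": host, "remote_port": port,
                     "state": fields[3] if len(fields) > 3 else ""})
    return rows


def classify(port):
    """'encrypted', 'plaintext' or 'unknown' based only on the remote port."""
    if port in TLS_PORTS:
        return "encrypted"
    if port in PLAINTEXT_PORTS:
        return "plaintext"
    return "unknown"


def plaintext_connections(text):
    """Remote endpoints that are talking over a cleartext protocol port."""
    return [f"{r['remote_host']}:{r['remote_port']}"
            for r in parse_netstat(text) if classify(r["remote_port"]) == "plaintext"]


if __name__ == "__main__":
    for row in parse_netstat(SAMPLE_NETSTAT):
        print(row["proto"], row["remote_host"], row["remote_port"], classify(row["remote_port"]))
    print("plaintext:", plaintext_connections(SAMPLE_NETSTAT))
```

On a live machine, replace the sample with the captured output of `netstat -n` (for example `subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout`); the parser only looks at the first three columns, so the Linux `netstat -tn` layout works as well once the protocol names are matched in lowercase.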

What connections do you make on a daily basis? Do you check their security protocols? What do you do to protect your passwords and account information? Let us know in the comments.

How Secure is Your Wi-Fi Network?

The Wi-Fi Alliance released a new report in conjunction with Wakefield Research. According to the alliance, an estimated 201 million households use Wi-Fi networks and as many as 750,000 Wi-Fi hotspots are available worldwide. Those numbers translate into more personal data being carried on networks and devices, resulting in vulnerabilities for everyone.

Most consumers know that they need to protect their Wi-Fi network password. The alliance's survey found that forty percent of people would be more likely to trust someone with their house key than with their Wi-Fi network password. One quarter of the respondents also stated that sharing their Wi-Fi network password would be akin to sharing their toothbrush.

Despite those facts, many consumers don't protect their Wi-Fi networks. Doing so is relatively simple, but it appears that consumers aren't taking the time to install precautions. In addition, the number of consumers accessing open networks at places like McDonald's or Starbucks has increased. In 2008, only eighteen percent of people felt comfortable using a network with which they were unfamiliar. Today, that percentage stands at thirty-two percent.

The Wi-Fi Alliance is urging consumers to use more caution with their personal networks and when accessing open networks. If consumers don't safeguard their information, it is more than likely that some, if not all, of that information will be stolen. The alliance offers the following recommendations:

  • Set personal networks for Wi-Fi Protected Access® 2 (WPA2™) Security. WPA2 is the latest network security technology. It controls who can access the network and encrypts data for privacy. Many devices come with the security options disabled, so it's a good idea to check all devices and ensure that they have WPA2 security.
  • Look for Wi-Fi CERTIFIED™ products. If a product has the Wi-Fi certification, it necessarily must have WPA2 security.
  • Look for devices with Wi-Fi Protected Setup™. Some devices come with a Wi-Fi Protected Setup, which makes the process of adding the device to an existing network securely as simple as the push of a button.
  • Create strong passwords. This tip has been reiterated time and time again. Passwords need to be, at minimum, eight characters long. They should not include any dictionary words or personal information. They also should be a mixture of upper and lower case letters, numbers, and symbols.
  • Be aware of the environment. If accessing the internet via an open network, sensitive data, such as credit card information or bank account login information, should not be transmitted. Kelly Davis-Felner, marketing director for the Wi-Fi Alliance, told The Seattle Times: "If [I'm] in an unsecured hotspot, I would not transmit anything that I wouldn't write on the back of a postcard."
  • Turn off automatic connectivity. Automatic connectivity not only drains a device's battery, but it also increases risk. Consumers should turn off the automatic connectivity option and only connect to and from networks with which they're familiar.

Source: The Seattle Times, Wi-Fi Alliance

How to be a Savvy Shopper Online

'Twas the week before Christmas, and no presents had been bought. "What to do?" the parents implored. "I know," said Father, "to the online stores!"

That scenario probably isn't too far off of the mark. During the holidays, the number of online shoppers increases. Shoppers go online because it's convenient; they can find great deals if they're willing to look; shipping is fast; and returns are pretty simple, depending on the e-tailer. Unfortunately, the number of phishing scam sites also increases, seemingly exponentially, during the holiday season. 

Phishing scam sites proliferate during the holidays because many more potential victims are to be had. Consumers sometimes lay aside their usual caution and common sense. They have to have a certain toy or gadget and will do anything to get it. We've seen what happens in the stores when people have to have something; someone gets trampled. The same thing happens online, except in that case, the person who gets hurt is the person doing the purchasing.

This year, keep your precautions in place. You may have to tell your kids you weren't able to get a certain toy this year. I promise, they'll get over it. It's much better to stay safe than to watch your bank account dwindle because someone has stolen your money or identity. Here are a few specific tips to keep you safe during the holiday shopping season:

  1. Don't talk to strangers. Always start your search for an item at a trusted site, not at a search engine. Search engines can produce rigged results, especially if you're beyond the first two pages of links. Also beware of misspellings or sites using a different top-level domain. For example, don't visit bestbuy.net, walmart.net, or wallmart.com; they're likely to be scam sites. The sales on those sites may be tempting, but they're supposed to be. That's how you end up sharing information that you shouldn't.
  2. Look for the padlock. Never, never buy anything online from a site that doesn't have secure sockets layer (SSL) encryption. You'll know if the site has SSL if the address begins with "https://" rather than "http://." You should also see an icon of a locked padlock in the status bar of your web browser. 
  3. Be secretive. Online shopping stores don't need your social security number or birth date to process an order. Always share as little personal information as possible. If a phishing scam site gets your credit card number, that's one thing. If it gets your personal information, you're likely to encounter more troubles than a high credit card bill.
  4. Check the numbers. Don't wait until the end of the month to check your statements for your credit card, debit card, or checking account. You should check your statements regularly regardless of the season. Look for fraudulent charges, even ones that seem to originate from legitimate companies, such as PayPal. If anything's hinky, take care of the matter quickly. The longer you wait to address the problem, the bigger it will get. You could end up paying overdraft fees, being held liable for the fraudulent charges, or facing more fraudulent charges.
  5. Vaccinate. You are responsible for what information you disseminate, but scammers don't always wait for you to share. They may use malware to access your information, which is why you need to protect your computer with an up-to-date anti-virus program.
  6. Get creative. Make sure you're using strong passwords, especially when banking or shopping. Since you'll probably be visiting many different sites and setting up new accounts on them during the holiday shopping season, you need to have strong passwords for each of those accounts.
  7. Go mobile. Many people are using their phones to browse inventory at stores. That's fine, but why not shop via your smartphone? As long as you use strong passwords and the other tips listed above, you'll be safe. Download apps for specific stores, such as Amazon, and start shopping. 
  8. Don't shop in public. It's best not to use a public computer to do your shopping. If you do, make sure that you log out from every application before logging out of the terminal. If you're shopping on your laptop in a public place, remember that you're a prime target for an over-the-shoulder snooper. Prevent snooping by sitting with your back against a wall.
  9. Don't share. If you do use your laptop to shop while drinking your latte at Starbucks, you'll be on a Wi-Fi connection. Only use the wireless if you can access the web over a virtual private network (VPN) connection and if you're familiar with the network.
  10. Go for the real thing. If you choose to purchase gift cards, get them from the actual retailer. Scammers love to auction gift cards on sites like eBay. When the cards arrive, they have little or no funds on them.
  11. Be a skeptic. If you're offered a free product with your purchase - and it's something much grander than a Snuggie - be skeptical. Many of these offers are sent via social media. Your friends may even send you the offer without realizing that it's a scam. Stay alert and remember the age-old adage, "If it's too good to be true, it probably is."
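Tips 1 and 2 (start from a trusted site, watch for misspellings or a different top-level domain, and insist on https) can be checked mechanically before a link is opened. The following is an added example, not code from PCMag or the post: the allow-list of retailers is a constructed assumption standing in for whatever sites the shopper actually trusts, and it assumes plain two-label domains (it does not model suffixes such as .co.uk). It goes slightly beyond the post's two cases by also flagging a trusted name buried inside a longer hostname.

```python
from urllib.parse import urlsplit

# Constructed allow-list of shops the user trusts (assumption, not a real list).
TRUSTED_SHOPS = {"bestbuy.com", "walmart.com", "amazon.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host, e.g. 'www.bestbuy.com' -> 'bestbuy.com'.
    Assumption: no multi-part public suffixes such as .co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_shop_url(url, trusted=TRUSTED_SHOPS):
    """Classify a shopping URL before visiting it.

    Returns one of: 'no-https', 'trusted', 'lookalike-embedded',
    'lookalike-tld', 'lookalike-typo', 'unknown'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":                        # tip 2: look for the padlock
        return "no-https"
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"                               # the real site or a subdomain of it
    if any(t in host for t in trusted):
        return "lookalike-embedded"                    # e.g. amazon.com.evil.example
    label, _, tld = registrable(host).partition(".")
    for t in trusted:
        t_label, _, t_tld = t.partition(".")
        if label == t_label and tld != t_tld:
            return "lookalike-tld"                     # e.g. bestbuy.net
        if label != t_label and edit_distance(label, t_label) <= 2:
            return "lookalike-typo"                    # e.g. wallmart.com
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.bestbuy.com/site/cart", "https://bestbuy.net/deals",
              "https://wallmart.com/", "http://www.amazon.com/",
              "https://www.amazon.com.evil.example/"):
        print(u, "->", check_shop_url(u))
```

An "unknown" verdict is not a pass: it just means the site is neither on the allow-list nor an obvious imitation of one, which is exactly the situation in which the post says to start from a site you already trust rather than from a search result.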

Source: PCMag

How to Spot an Email Scam

Most of us can identify an email scam at first glance. We see the sender’s name in all capital letters, or the subject line is some sort of entreaty: “PLEASE I BEG YOU.” As soon as we see either one of those things, our suspicions are raised, and we immediately delete the offending email without ever opening it. Every so often, though, a scam arrives that isn’t quite as suspicious, and we wonder, “Is this a scam or is it a legitimate offer?”

In such a scenario, it pays to look for other warning signs. Is the email missing a personal salutation? People often are casual in their emails, especially when addressing a female because they may not know whether they should use “Mrs.,” “Miss,” or “Ms.” We can allow for that, but an email attempting to make an offer should, at the very least, address you by your first name even if the sender doesn’t use “Dear so-and-so.”

Another warning sign is the writing itself. Is it vague? Does it shy away from specifics, much like a fortune-teller does? Does it drop a few keywords based on information that could be found out about you via a basic Google search? Also, does the writing have a cut-and-paste quality to it? Such a quality is immediately noticeable; try to read the email aloud, and you will find that the writing starts, stops, and sputters.

Another item to watch is capitalization. Does the sender capitalize strange words, such as “month” or “after”? Unless either of those words start a sentence, they shouldn’t be capitalized. Even if the sender of the email is from a different country, most grammar rules regarding capitalization are the same in every language. 

Also look for requests for money. This particular scam tends to proliferate when you use the internet to sell merchandise. The scam artist will contact you and offer to send you a check, but that check will include “excess money.” You then are to send that excess money to the scam artist’s associate. You do so, and, in a week or a couple of weeks, you receive a notice from your bank. The bank states that the check was fraudulent and that you are to be held responsible for the full amount of the check as well as any bounced checks that occurred due to the fraudulent one.
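The warning signs in the preceding paragraphs (an all-capitals subject, no salutation by name, odd capitalization of ordinary words, and a request to forward "excess" money) are the kind of features a simple mail filter scores. Here is an added example that does that over two constructed messages; it is not code from the post. The list of ordinary words whose mid-sentence capitalization is treated as suspicious and the money-request phrases are assumptions; a real filter would train these from labelled mail rather than hard-code them.

```python
import re

# Assumption: ordinary words that a native writer would not capitalise mid-sentence.
ODD_WORDS = {"month", "after", "excess", "money", "check", "funds",
             "payment", "bank", "agent", "shipping"}

# Assumption: phrasing typical of the overpayment scam described in the post.
MONEY_RE = re.compile(
    r"\b(excess (money|funds)|western union|moneygram|wire transfer|"
    r"send (me|the) (money|funds|balance)|refund the (difference|balance))\b", re.I)

# Constructed samples (not real mail). The recipient is assumed to be "Dana".
SCAM_SAMPLE = {
    "subject": "PLEASE I BEG YOU",
    "body": ("Hello, I am interested in the item you are selling. My client will send "
             "a cashier's check that includes Excess money for shipping. After the check "
             "clears this Month, kindly send the excess funds to my shipping agent via "
             "Western Union."),
}
LEGIT_SAMPLE = {
    "subject": "Question about your listing",
    "body": "Hi Dana, is the bike still available? I could pick it up Saturday after 2 pm. Thanks, Sam",
}


def scam_indicators(subject, body, recipient_first_name):
    """Return the list of warning signs present in the message."""
    found = []
    letters = [c for c in subject if c.isalpha()]
    if len(letters) >= 5 and all(c.isupper() for c in letters):
        found.append("caps-subject")
    if recipient_first_name.lower() not in body[:150].lower():
        found.append("no-salutation")            # not addressed by first name
    odd = []
    for sentence in re.split(r"(?<=[.!?])\s+", body.strip()):
        for word in sentence.split()[1:]:        # skip the sentence-initial word
            bare = word.strip(".,;:!?\"'()")
            if bare.lower() in ODD_WORDS and bare[:1].isupper() and not bare.isupper():
                odd.append(bare)
    if odd:
        found.append("odd-capitalization")
    if MONEY_RE.search(body):
        found.append("money-request")
    return found


def looks_like_scam(subject, body, recipient_first_name, threshold=2):
    """True when at least `threshold` independent warning signs are present."""
    return len(scam_indicators(subject, body, recipient_first_name)) >= threshold


if __name__ == "__main__":
    for sample in (SCAM_SAMPLE, LEGIT_SAMPLE):
        print(sample["subject"], "->", scam_indicators(sample["subject"], sample["body"], "Dana"))
```

Requiring two or more indicators, rather than one, keeps a casually written but honest message (no salutation, say) from being thrown away; the money-request sign is the one that matters most for the overpayment scam, and any message that trips it deserves a closer look regardless of the count.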

What should you do when you spot a scam? You could ignore it, but that doesn’t solve the problem. Your best option is to report the scam to the Internet Crime Complaint Center. If you were the victim of a scam, it’s unlikely that you’ll ever see your money again, but, at the very least, you have helped, in a seemingly small way, in stemming the scam-artist tide. You can also share your experience so that others won’t fall prey to the same or similar scam.

How do you identify a scam? What do you do when you spot one or have been the victim of one? Let us know in the comments or share your story on Facebook or Twitter.

It Takes an (Identity) Thief

With the plethora of news stories about data breaches and hacks, it would seem that most people’s identities are stolen in those fashions. That’s not true. People’s identities are stolen all the time in much less glorious ways.

Many of those ways occur in the offline world. A waiter steals a person’s credit card number. Somebody sifts through the trash looking for unclaimed credit cards. Either one of those scenarios could happen, but, for the sake of this article, we’ll examine some of the more common, online methods. Those methods include:

  • Malware. Malware, which includes items such as keyloggers, could be installed on your computer. Such an action could be done by another person who uses the computer, or it could happen when you download a file from the internet. You can avoid much of this malware by keeping your antivirus, operating system, and applications up-to-date and by exercising common sense when choosing to open or download a file.
  • Misconfigured peer-to-peer applications. If you use an application like LimeWire to share files and don’t use some discretion when deciding which files to share with other users, you may accidentally share too much information. Remember to safeguard any and all files with personally identifying information, such as tax documents.
  • Phishing. Phishing isn’t nearly as common anymore, but “spear phishing” is becoming more prevalent. Spear phishing involves the use of targeted emails and often incorporates some information about you or your business. Use caution whenever you receive unsolicited emails with embedded links in them.
  • Scams. You would think foreign scams would eventually disappear, but they haven’t and probably won’t. These scams usually are easily identifiable, but people still fall for them. Again, exercise caution and remember that if a deal sounds too good to be true, it probably is.

What are other ways that people’s identities are stolen online? How do you combat identity theft? Let us know in the comments.

It's a spam-laden world

A few weeks ago, I received a direct message from a friend on Twitter. The message and the link it contained seemed more than a little sketchy; however, the message was from a friend. I should be able to trust a message from a friend even if it isn’t written in her usual style, right?

The answer is “no.” Even if a message comes from a friend, it’s a good idea to be wary. If something seems amiss with the message’s style, proceed with caution. Don’t blindly click on links. Instead, consider the following options before clicking on a link:

  • Preview the link. Some browsers allow you to preview a link before clicking on it. Some applications allow you to do the same thing.
  • Contact your friend. Ask if the message came from your friend. Your friend may not know that his or her account has been compromised and that it’s sending spam messages to followers. 

The question is what to do if you click on the link. Once you do so, the message usually goes viral. What do you do then? It’s not as though you can retract your message. You can, though, do the following:

  • Change your password. If you clicked on the link, and the message has gone viral, you need to change your password.
  • Contact your followers. Let your followers know what happened. Tell them not to click any links that you supposedly sent. 

What do you do when you receive a sketchy message, whether it be via Twitter or email? What do you do when your account is the one sending the messages? Let us know in the comments.

It's a Webby World

Websense, a content security company that researches threats through a large, worldwide network of honeypots and scanners, released its 2010 threat report. Their consensus: be on the alert and take precautions. Use common sense and protect your computer with a good antivirus and anti-spam program.

Websense scans over 40 million websites and ten million emails per hour. Those scans led to findings that should alarm all internet users. The report shows that malicious attacks are up 111.4 percent over last year. Nearly 80 percent of those attacks came from legitimate sites that had been compromised, possibly through a software vulnerability.

Websense's report also cautions users not to assume that some websites are more likely to spawn attacks than others. For instance, many users assume that they will be attacked if they visit sites containing objectionable content. That's not necessarily true. According to Websense, searching for breaking trends and current news presents a slightly higher risk (22.4 percent) than searching for objectionable content (21.8 percent). 

When it comes to browsing the web, be very, very careful. It's a webby world, full of lurking bugs. Make sure your computer is protected with a solid antivirus and anti-spyware program. Also remember to remove browser cookies and Flash cookies on a regular basis. Finally, if your computer is acting strangely and you've run all of your scans, seek assistance from one of our technicians.

Source: Websense

Let's Stop the Phishing

Not all phishing attacks are obvious. They don't come from a strange e-mail address. They don't have a subject line, "Please help me," in all capital letters. No, some phishing attacks are very clever. They appear to be official. They're spelled correctly. Even the grammar is correct. Unfortunately, those clever e-mails do the same thing as the not-so-clever ones: they ask people to share personal identifying information or to click on a link. Suddenly, the credit card has strange charges on it, or the network is being bombarded by some sort of nasty virus.

Even the most conscientious and intelligent person can become the victim of a phishing attack, so it's important for businesses and individuals to review security measures. Businesses, for example, could send e-letters to their personnel about phishing attacks and how to avoid being victimized by them. Businesses also could require mandatory training sessions and refresher courses. The strategy behind all those efforts is to keep employees alert to the possibility of a phishing attack and to prevent complacency.

Businesses also need to have policies in place about requesting an employee's personal credentials. For instance, a phishing attack could appear to come from a business' HR department. The e-mail seems a little wonky to the employees reading it, but the e-mail came from HR, so it has to be legit, right? Wrong. It's situations like that one that make it paramount for businesses to develop policies regarding credentials. For example, a business could decide to enact a policy that states it will never ask an employee for his or her credentials over the telephone or in an e-mail.

Finally, businesses may decide to "test" employees with fake phishing attacks. Employees who fail the test would not be berated or ridiculed in front of their peers; rather, they would be asked to take a refresher course in security measures. The employees who pass the test - by not clicking on the link or by notifying the IT department - would be rewarded for their good security. When security becomes a positive rather than a negative, it becomes easier to support, and more people are likely to participate in practicing good security.

Source: TechRepublic

More Lost Data: Epsilon

Epsilon, a provider of electronic direct marketing services for several large companies in America, recently admitted that the company had been hacked. The hack resulted in the theft of a number of customers' names and e-mail addresses tied to companies such as Target, Best Buy, and Walgreens. Epsilon has been attempting to downplay the hack by relying on the fact that personally identifiable information, such as addresses, credit card numbers, and Social Security numbers, was not stolen.

That fact is a small comfort, if it is one. Merely having access to those e-mail addresses and the related companies gives the hackers an edge. The hackers now know something about those e-mail addresses and the people behind them. Those people shop at such and such a store and are likely to purchase x, y, z. Suddenly, the hackers can target their spam. They can send even better phishing messages. They can exploit people's vulnerabilities.

Most people ignore phishing messages, especially when they come from a company with which they haven't interacted. The danger with the Epsilon breach is that the hackers could send phishing messages, including fake warning e-mails about the breach, from a seemingly legitimate company. Will people be as cautious with e-mails coming from companies from whom they have purchased items or have had business dealings? Perhaps not.

Epsilon has identified the source of the hack and is working with law enforcement, but will catching the hacker do any good? Did the hacker or hackers keep the e-mail addresses to themselves, or did they share them? Even if they didn't share them, the fact remains that Epsilon was breached. What is the company doing to prevent a similar situation from occurring in the future? What preventative measures are consumers taking to protect themselves from phishing schemes and data breaches?

Sources: Dallas News; Sophos

Please be Careful with Your Android

Most of us know to be careful when downloading attachments, especially attachments that are sent from suspicious addresses or have strange names. We know that those attachments probably are laden with malware, so we don't download them. Unfortunately, the malware problem isn't limited to our inboxes. It has spread to our phones, too.

The most recently compromised Android application is Steamy Windows. The legitimate application is rather nifty; it creates a steamy window effect on your phone's screen upon which you can doodle without being reprimanded by your mother. The rogue application does the same thing but with some not-so-fun additions. The rogue application has the Android.pjapps Trojan - so named by Symantec - embedded within it. That Trojan begins to build a botnet that is controlled by a number of Command and Control (CnC) servers. The capabilities of that botnet are many; it can install applications, navigate to websites, add bookmarks to your browser, send text messages, and filter text message responses - all without your knowledge.

While all of the botnet's capabilities are unnerving, it's the text messaging that's raising the most concern. Your phone will start sending text messages to premium rate numbers. Every time that occurs, the creators of the Android.pjapps Trojan receive a commission. Since the botnet prevents certain text messages from reaching you - such as the ones warning you that you're about to exceed your texting limits - you don't know that anything's wrong with your phone until you receive your next bill.

To date, the rogue application can only be found on unauthorized application stores. If you're only using registered Android marketplaces, you should be safe. That doesn't mean you should throw caution to the wind. If you're installing an application, make sure that it is doing only what it's supposed to do. If it requests excessive access permissions, it may be a rogue application, and you should stop downloading it immediately. Check user comments on the marketplace prior to downloading an application; their comments often can help you to determine if an application is legitimate. You also should change the settings in your Android OS so that your phone can't download non-market applications.

Sources: cnet, Computer World, Symantec

Pro-WikiLeaks Investigation Results in Seizure of Systems

It has recently been reported that the FBI has seized a server in Texas as part of the investigation into the pro-WikiLeaks denial-of-service attacks that were committed in December against PayPal and other sites.

This is a stark reminder that anyone can fall victim to hackers, who commonly try to compromise the systems of unsuspecting users in an effort to carry out larger coordinated attacks. As global citizens and users of the Internet, it is our responsibility to keep our systems secure.

  • Ensure all of your software is up to date with the latest security patches.
  • Keep your anti-virus up to date.
  • Have adequate firewalls in place.
  • Have an Intrusion Detection/Prevention System in place with current rule sets.

The best strategy is one of defense in depth. Let's all do our part and keep ourselves and our computing systems safe this coming year and beyond.

Source: CNET News Article

So Long, Farewell, Rustock

On March 16, 2011, the death knell sounded for Rustock. It was an amazing feat. For five years, Microsoft and U.S. law enforcement agencies had been trying to shut down the botnet.

Rustock had a lengthy and healthy life. It first appeared on the internet in 2006. At its height, Rustock consisted of two million spam-sending zombies and was capable of sending thirty billion spam e-mails per day. Security experts speculated that the death of Rustock would result in spam e-mail levels decreasing by at least thirty-nine percent. 

Rustock's death was neither fast nor easy. It had to be dismantled, piece by piece, in a manner akin to the takedown of the Mega-D botnet in 2009. The command and control (CnC) servers, the machines that send commands to the "zombies," first had to be identified and disabled. Next, Microsoft had to "black hole" the IP addresses of whoever was controlling the botnet, a process that causes incoming traffic to be dropped without informing the source. Microsoft then worked with the Chinese CN-CERT to block the registration of domains that could be manipulated by new CnC servers. Finally, Microsoft, along with other ISPs and CERTs, has been working to clean the Rustock malware from approximately one million infected machines worldwide.

It would seem that the magnitude of the endeavor to bring down Rustock would have resulted in a sharp drop in spam e-mail. A decrease in spam between March 17 and 20 was noted by Kaspersky, but it wasn't very significant. According to Kaspersky, "[T]he amount of spam in mail traffic fell by 3 percentage points compared with the average figure for the first half of March. The overall number of spam emails fell by approximately 15 percentage points." 

By March 22, spam e-mails were on the rise again. It appears that spammers and botmasters have been studying the falls of other botnets and learning to adapt their efforts. As a result, spammers and botmasters have already compensated for the fall of Rustock, and the anti-spam fighters are back on the job. As the saying goes, "A hero's work is never done."

Sources: CNET; Kaspersky

Social Engineering: Don't Believe Everything You Read or See

Social engineering tactics work. If they didn't, we'd stop receiving emails from the poor souls lost in Nigeria or the Sahara or wherever it is that they're lost. We wouldn't be sent messages about some miraculous weight-loss drug. We'd stop seeing scams and click-jacking on social networks. We wouldn't see videos with the ever-popular title, "She did what?!" populating our news feeds.

What is social engineering?

Social engineering is an act of manipulation that causes people to perform actions, including clicking on a link, or to divulge confidential information, such as a credit card or social security number. It shares a similarity with talking to strangers. We're told not to talk to strangers when we're kids. Most of us are never tempted to speak to one. Some of us, though, run into the stranger with the candy. He promises to give it to us if we'll talk with him, tell him our name, or get into the car. Do we receive the candy? Maybe, but it's at a high cost. In most cases, we'll only be hurt and never see the candy. That's somewhat akin to how social engineering works. We'll probably never see the "stranger" behind the social engineering; however, we will come across various tactics that will tempt us to share identifying information or to click on a link.

How does social engineering work?

Social engineering tactics haven't changed all that much with time. They've improved; we don't see quite as many misspelled and grammatically incorrect emails. The basis of those tactics hasn't changed, though. They tempt us where we are most vulnerable. They tell us we can feel better, look better, or become wealthier. In other cases, they prey on our fears. We're told our credit card payment is late. We receive a message - often via a popup - stating our computer is infected with a virus and that we need to take action immediately.

What are the goals of social engineering?

The goals vary. Sometimes, social engineering is meant to part us from our money. The tactic can be meant to disperse malware. It might be an attempt to make our computer part of a botnet so that the engineers can disperse malware to more computers. It could be a way to gain our identifying information and to commit identity theft.

What can we do?

Social engineering isn't going to stop. The best thing we can do is to be vigilant and to use common sense. Look for the common warning signals in an email. Examine the sender's address. Do you recognize it? Read the subject heading. Is it in all capital letters? Is it asking for money? If you decide to open the email, scan it for links; links themselves can be a warning sign. Also look for spelling and grammatical errors as well as address errors - for instance, calling you "ma'am" instead of "sir." Social engineering tactics on social networks can be harder to spot, especially if the link seemingly has been endorsed by a friend. Hover over the link until you can see where it leads. If you can't see that destination, consider the context of the link. Is there any sort of description with it? Did the person sharing the link say anything about it? Also beware of shortened links. They're especially prevalent on sites like Twitter. Most of the time, you can still hover over the link to see where it leads. If you can't see that information, again consider the context of the link. Also examine the profile of the person sharing the link. Are all of that person's tweets about the same subject or similar ones? If so, that's usually a good indicator of a suspect link.

What advice do you have for countering social engineering tactics? Have you ever been the victim of such a tactic? What did you learn from it? Let us know your story or your ideas in the comments or on Facebook or Twitter.

The Facebook-Firefox Scam

Despite warnings from well-known entities such as Symantec and Sophos concerning Facebook profile-view scams, people continue to fall for them. I know that some of my acquaintances have; I've seen their posts stating they know who is viewing their profiles. I wince every time I see those posts. I know that my acquaintances have been duped by a spammer at best and a scammer at worst.

I don't blame people for wanting to know who's viewing their profile. I understand the curiosity. Unfortunately, spammers and scammers understand that curiosity, too. That's why their schemes continue to proliferate and to succeed.

The most recent scam surfacing on Facebook is a variation of the profile-view theme. It works in almost the same way as all other profile-view scams do. Once the user grants the application the requested privileges, the scam sends a post to the user's wall as well as the walls of his or her friends. The spam then redirects the user to a download instruction site where he or she is asked to download the Firefox browser and to install a Firefox extension that supposedly is downloaded over 27,000 times per week. Installing the extension should create a new menu entry, entitled "Profile Stats," in the left-hand column of the user's Facebook page. 

Symantec: Facebook and Firefox Scam

The extension does not provide what it promises. What it actually delivers is a compiled Greasemonkey script that opens a remote site in a pop-up browser window every time the user visits Facebook. That window displays the same profile-view scam as seen on Facebook, but the profile-view feature now can only be accessed through the completion of a survey. Again, completing the survey doesn't lead anywhere except to more pop-up windows. In addition, the extension isn't hosted on the official Mozilla domain; it is offered through a third-party provider. Third-party hosting isn't particularly alarming in itself, so many users have ignored the generic warning displayed during the installation of the extension.

As of today, this particular scam has been stopped by the forces of good at Facebook. The extension is being promoted elsewhere and has probably already been updated from Firefox 3.6 to Firefox 4, so it may continue to make occasional appearances on Facebook. The scam also is a variation on a theme; even if it disappears, new scams will arise to take its place.

The extension can be removed once it has been installed. The process to remove it is relatively easy for the time being. Users simply need to uninstall the extension via Firefox's browser menu: Tools > Add-ons. Ironically, the extension is honest enough to identify its nefarious purpose within the Add-ons window; it says, "Automatically open popup on facebook."

Symantec: Facebook and Firefox Scam

Another option is to enable the SSL login on Facebook. The scam extension only works on the HTTP version of Facebook, not the HTTPS one. Enabling the SSL login will not only protect users against the Facebook-Firefox scam and ones like it but will also protect accounts against sidejacking.

Sources: Help Net Security; Symantec

The Stuxnet Hype

The truth is that very few of us are going to be targeted by the Stuxnet virus or the Darkshell botnet. We're more likely to be targeted by insidious individuals mining for personal information so that they can access our credit card information, medical records, et cetera. Not many people in the security industry are going to paint that picture, though. Oh no, they're going to sell you a product - often the same one that they tried to sell you two years ago - with the claim that it will protect you against the dangerous Stuxnet or Darkshell.

That marketing ploy is no surprise. Everybody uses it at some point or another, regardless of the industry. It's called the "scare tactic." It usually has a good return on investment, too. Frighten enough people, and some of them are likely to be so afraid that they'll purchase a product without reviewing what it actually does or protects against. Those people then rest upon the guarantees of said product only to find that their systems have been compromised by age-old techniques: SQL injection, malicious attachments, phishing, et cetera.

Those age-old techniques are the real danger, not necessarily Stuxnet or Darkshell. Stuxnet and Darkshell aren't all that new. Attacks of that kind have taken place before, and they will take place again. They aren't worth all that worry, either. Attacks made by Stuxnet and Darkshell seek specific targets. They have a particular aim, unlike the generic, everyday malware that simply wants to infiltrate systems and wreak havoc of every variety.

In addition, systems are compromised every day by the users themselves. How many times has someone at the office placed sensitive information on a flash drive, then taken the drive home with them simply because they forgot they put it in their pocket or because they had more work to do? Think of all the compromising possibilities. The flash drive could have had malware on it, and that virus is now making its way through your network. The person could lose the flash drive between work and home. The person could access the data on an unsecured network. The person's kid could take the flash drive and lose the data or compromise it in some way because of what he or she downloaded to the drive.

While it's all right to have some consideration for Stuxnet and Darkshell, it isn't healthy to focus on those two alone. It's like focusing on two trees rather than the forest. Do that, and you're bound to trip over a limb or to get whacked in the face by a sharp branch. It's essential to consider what a security product does and what it will do to protect your network and systems. It's also important to establish protocols for accessing sensitive information. Do that, and you should be well-prepared for the "generic" malware as well as most of the big baddies out there.

Source: Threatpost

Time to go on a Diet: No More Flash Cookies

Flash Cookies have been on computers' diets for a while, but Flash Cookies are relatively unknown to most people. Flash Cookies are a by-product of Adobe's Flash plug-in, which allows sites to store data on your computer. These data stores are properly called Local Storage Objects (LSO); however, they are more commonly known as Flash Cookies.

Flash Cookies, unlike regular browser cookies, can't be controlled within your browser's privacy settings. That presents several problems, one being that Flash Cookies aren't the easiest crumbs to find. In addition, many sites don't notify users that the Adobe Flash plug-in is active, meaning that many users are completely unaware of the fact that their computers are on a Flash and regular cookie diet. Flash Cookies also have the ability to "re-spawn" regular browser cookies (the term refers to zombies coming back to life after being "killed"). Thus, even if you delete all of your tracking cookies, Flash Cookies possibly could restore the cookies you just deleted.

Websites, such as Pandora, YouTube, and Hulu, like the Flash plug-in because it allows them to improve services. Advertisers like the plug-in because they can prove to their companies and clients that an ad has been viewed by one million distinct users rather than only being viewed ten times by the same 100,000 people. Advertisers also use the cookies to better target potential consumer groups, such as car fanatics or fashionistas. Websites and advertisers both like the fact that Flash Cookies can store up to 100K of information, which is 25 times more than what a regular browser cookie can hold. 

Most sites and advertisers defend their use of Flash Cookies by stating that cookies merely identify a browser, not an individual person. Advertisers suggest that users prefer relevant ads, which can only occur with the use of Flash Cookies. The websites and advertisers also are fans of the slogan, "Everybody's doing it"; that is, everybody is using Flash Cookies these days.

While that slogan may be true, consumers should be aware of what is happening with their browsers. People can change their Flash Cookie settings at Adobe, but, even then, the controls are a little complicated. People can also invest time - and sometimes money - in cookie removal applications. For example, CCleaner can identify and sometimes remove Flash Cookies. Mac OS X has a Flash Cookie removal tool called Flush. PCMag recently released a new Flash Cookie tool, the Flash Cookie Cop. The tool allows users to block Flash Cookies encountered while browsing the web and to disable existing cookies.

Sources: ghacks, PCMag, Wired

Twitter Beefs Up Security

Like Facebook, Twitter has seen an increase in spam, scams, and malware. Like Facebook, Twitter is taking action against those threats. Twitter has released an "Always use HTTPS" option for its users.

HTTPS is mostly seen during financial transactions. The point of using it is to create a secure channel over an insecure network. Doing so provides protection against eavesdropping, man-in-the-middle attacks, and sidejacking, the term for stealing another user's session cookies. Once a sidejacker has stolen those cookies, he or she can impersonate the owners of the cookies and access the accounts associated with them.

Twitter, of course, has nothing to do with finances but everything to do with information, and information is power. Having control over what information is disseminated can lead to all sorts of havoc and panic. Ashton Kutcher experienced that reality; his account was hacked by a "sidejacker" and used to push tweets that weren't his. Kutcher, unfortunately, had to learn the hard way that accessing Twitter over an unencrypted Wi-Fi connection is not the smartest thing to do.

Setting the HTTPS option on Twitter is easy to do. Users merely need to access their account settings and choose the "Always use HTTPS" option. Once set, the HTTPS not only protects users during the login process but also during their entire session on Twitter. While HTTPS isn't impervious to all attacks, it should dissuade all but the most dedicated of people from sidejacking.

Twitter Worm, Anyone?

If you've frequented Twitter this week, you may have seen some strange tweets with only the link "goo.gl/R7f68" in them. The "goo.gl" isn't strange to see; after all, it's Google's URL shortening site. If the "goo.gl" is accompanied by "R7f68," beware. The link leads to malware-laden sites.

According to The Next Web, the culprits behind the attack appear to have seized a legitimate French furniture website and loaded forwarding scripts that take users to a number of different malicious domains. It was thought that Fllwrs had been affected by the worm; however, developers at Fllwrs state that the excess number of automated messages recommending the service was a by-product of code used for testing purposes. The issue has been resolved. 

Most people seem to realize that the "goo.gl/R7f68" link is a worm. A search on Twitter for "goo.gl/R7f68" mostly results in tweets warning people not to click on the link. Twitter is resolving the problem and is pushing password resets to users affected by an off-Twitter attack. Twitter also recommends that users check their OAuth connections and revoke any they didn't approve. To check on your OAuth connections, go to your connections, which are found within your settings. Find the application that has compromised your account and revoke its access.

Source: PCMag

What is signcryption?

Signcryption is the merging of digital signatures and encryption. The two things - the signatures and the encryption - often are disparate components. Signcryption seeks to unite the two. Although it’s a relatively new concept, it’s receiving notice from Homeland Security and other entities. If it were to gain traction - which it appears to be doing - it could help with maintaining the confidentiality and integrity of systems.

It is gaining traction and attention because of Yuliang Zheng’s work with signcryption. His efforts have been formally recognized by the International Organization for Standardization (ISO). The technology could impact anything from online banking to cloud computing.

In essence, signcryption prevents a person’s username and password from being viewed by unauthorized individuals while simultaneously confirming the person’s identity with the authorized viewer. Zheng believes that signcryption could affect smaller devices, such as smartphones and wireless sensor networks. The technology itself could impact productivity. By combining digital signatures and encryption, time, energy, and resources could be saved.

It’s not clear when signcryption will become an everyday household term. The recognition by the ISO is a step in the right direction, though. The technology, too, should help in the war against cyber crime.
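To make the "one pass does both jobs" idea concrete, here is an added toy implementation (not code from the post, and not Zheng's reference code) of the discrete-logarithm signcryption construction from Zheng's original work, in the variant where the recipient recomputes the shared key from (ya * g^r)^(s * xb). The group parameters are constructed, tiny, and for illustration only; the sample message (a username and password, as in the post's example) is constructed.

```python
import hashlib
import hmac
import secrets

# Toy group parameters, constructed for illustration only (real deployments use
# primes of 2048 bits or more). p is prime, q is a prime dividing p-1, and g
# generates the order-q subgroup of Z_p*.
P = 2039
Q = 1019
G = pow(2, (P - 1) // Q, P)  # 4, which has order q mod p


def keygen():
    """Return (private, public) for one party: x in [1, q-1], y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _derive_keys(shared_point):
    """Hash the shared group element into a cipher key k1 and a MAC key k2."""
    width = (P.bit_length() + 7) // 8
    digest = hashlib.sha256(shared_point.to_bytes(width, "big")).digest()
    return digest[:16], digest[16:]


def _keystream_xor(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter-mode keystream (same for both directions)."""
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def signcrypt(sender_priv, recipient_pub, message):
    """One pass: encrypt under a fresh shared key and bind the result to the sender.

    Returns (ciphertext, tag, s). The tag is a keyed hash of the plaintext; s ties
    the ephemeral exponent x to the sender's private key so only the real sender
    could have produced a value that the recipient's check accepts.
    """
    while True:
        x = secrets.randbelow(Q - 1) + 1
        k1, k2 = _derive_keys(pow(recipient_pub, x, P))  # yb^x
        ciphertext = _keystream_xor(k1, message)
        tag = hmac.new(k2, message, hashlib.sha256).digest()
        r = int.from_bytes(tag, "big") % Q
        denom = (r + sender_priv) % Q
        if denom == 0:
            continue  # r + xa has no inverse mod q; draw a fresh x
        s = (x * pow(denom, -1, Q)) % Q
        return ciphertext, tag, s


def unsigncrypt(recipient_priv, sender_pub, ciphertext, tag, s):
    """Recover the shared key as (ya * g^r)^(s * xb) = g^(x * xb) = yb^x, decrypt, verify.

    Raises ValueError if the data was altered or was not signcrypted by the
    holder of sender_pub's private key.
    """
    r = int.from_bytes(tag, "big") % Q
    base = (sender_pub * pow(G, r, P)) % P
    k1, k2 = _derive_keys(pow(base, (s * recipient_priv) % Q, P))
    message = _keystream_xor(k1, ciphertext)
    expected = hmac.new(k2, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("signcryption check failed: tampered data or wrong sender")
    return message


if __name__ == "__main__":
    xa, ya = keygen()  # Alice (sender)
    xb, yb = keygen()  # Bob (recipient)
    c, t, s = signcrypt(xa, yb, b"user=alice;pass=hunter2")  # constructed sample
    print(unsigncrypt(xb, ya, c, t, s))
```

The recipient performs a single exponentiation-based step to obtain both confidentiality and sender authentication, which is the saving in time and resources the post attributes to signcryption.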

What's an AET?

Have you heard of AET? If you haven't, you aren't alone. The acronym is relatively new and refers to an "advanced evasion technique." AETs are used to breach network perimeters in order to unleash some sort of attack, such as a DDoS (distributed denial of service) one; an exploit, such as a vulnerability in JavaScript or Adobe; or a variety of malware. AETs live up to their name; unlike their mainstream compatriots, they are much harder to detect by an intrusion detection system (IDS) or intrusion prevention system (IPS).

AETs are worrisome in that they don't receive much attention. They aren't the sort of techniques that garner media attention. They typically aren't the products of social hacktivism; they're usually the results of hackers who are motivated by the dollar sign. Thus, while IT professionals are focused on other, more well-known threats such as worms and "zero-day" attacks - attacks that occur prior to a patch being released for a vulnerable application - some hackers are devising methods to avoid detection by IDS/IPS in order to attack an intended target.

AETs also are disquieting because IDS/IPS have difficulty in identifying them. IDS/IPS can defend against simple evasion techniques, but they are challenged by AETs. AETs layer and combine other techniques and use them simultaneously, creating a "packet" that can confuse the detection system. That confusion is to the attacker's advantage. When an IPS/IDS can't "normalize" - i.e., make sense of - a packet, it must, by design, allow the packet to enter the network.

Some progress is being made in the area of IPS/IDS. Many in the security community are recommending changes that would help IDS/IPS to process simple and more complex evasion techniques better and faster. Others aren't sure that AETs are a valid threat. Even so, it doesn't hurt to be more vigilant. It's better to be safe than to be sorry.

If you would like to learn more about AETs, you can read TechRepublic's article. If you have information you would like to share, please leave a comment. You can also contact us via Facebook or Twitter.

Source: TechRepublic

What's in a QR code?

QR codes are championed by many marketers. It’s no surprise; one can fit a large amount of information within a small space. Bar codes come with a twenty-character limit, but QR codes can use upward of 1,000 characters depending on the characters and the codes’ data capacity. QR codes also are easier to scan, and they have built-in error correction. When space is at a premium or the space itself is awkward, such as the spaces found on subway stations or bus terminals, it makes sense to invest in the QR code.

The problem is that QR codes can be abused. They can send people to malicious websites. They can install viruses, especially if a person has unchecked some of the security features that come with his or her smartphone. They can masquerade as legitimate applications. If the person scanning a QR code isn't careful and doesn't pay attention, he or she could be welcoming trouble ranging from malware to identity theft.

Fortunately, people can take pre-emptive actions. They don't have to be the victims of devious QR codes just as they don't have to be the victims of phishing schemes. When it comes to QR codes, people should:

  • Use a QR-code scanner. To be more specific, use a QR-code scanner that provides a preview of a scanned link before taking action. Both Google Goggles and ZXing Barcode Scanner offer such previews.
  • Turn off the "Unknown sources" option on smartphones. If it's enabled, the phone will install applications from any source, not just the official app store. It's better to turn it off or to remember to be extra vigilant when scanning QR codes or downloading applications.
  • Pay attention to the "spidey" sense. If anything seems wrong or fishy during the process of scanning a QR code, exit the scan as quickly as possible.
  • Stay informed. Spammers and scammers exploit what people know about QR codes. The more a person knows and the more familiar he or she is with real QR codes, the less likely it is that that person will fall for the fakes.
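The first tip, a scanner that previews a link before acting on it, can be built as a classification step between decoding and opening. The following is an added example, not code from the original post or from any scanner it names: it takes the decoded QR payload as a string, says what kind of action it would trigger, and lists the warning signs a user should see first. The payload conventions (WIFI:, MECARD:, vCard) are the common ones used by scanner apps; the sample payloads and warning wording are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import ipaddress


@dataclass
class Preview:
    kind: str                              # "url", "wifi", "contact", "action", "text"
    summary: str                           # what to show the user before acting
    warnings: list = field(default_factory=list)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def preview(payload: str) -> Preview:
    """Describe a decoded QR payload without opening, joining or installing anything."""
    p = payload.strip()
    upper = p.upper()
    if upper.startswith("WIFI:"):
        return Preview("wifi", "Join a Wi-Fi network: " + p[5:],
                       ["Joins a network you did not pick; confirm the venue posted this code"])
    if upper.startswith(("BEGIN:VCARD", "MECARD:")):
        return Preview("contact", "Add a contact", ["Check the numbers and links it contains"])
    parts = urlsplit(p)
    if not parts.scheme:
        return Preview("text", p[:80])          # plain text: nothing to open
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return Preview("action", f"{scheme}: link",
                       [f"Non-web scheme '{scheme}' can launch an app, dialer or mail client"])
    host = parts.hostname or ""
    warnings = []
    if scheme == "http":
        warnings.append("Not HTTPS: no padlock, traffic can be read or altered")
    if parts.username is not None:
        warnings.append(f"Credentials before '@': the real host is {host}, not {parts.username}")
    if _is_ip(host):
        warnings.append("Bare IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("Internationalized (punycode) host: may imitate a familiar name")
    if len(p) > 200:
        warnings.append(f"Very long link ({len(p)} chars): likely carries hidden parameters")
    return Preview("url", f"Open {scheme}://{host}{parts.path}", warnings)
```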

Do you use QR codes? Tell us your thoughts about them in the comments.

Who's in your social network?

Social media is here to stay. That reality may scare some people, particularly parents and business owners. Parents might be concerned about cyberbullying. Business owners could worry about productivity, information leaks, and infiltration of their networks.

The only way to combat those worries and concerns is to take a proactive approach to social media. Parents can monitor their children's use of social media. They can teach their children about the right way to use social media. They can take action when they discover a case of cyberbullying.

Business owners, too, can monitor their employees' use of social media. They can place some social networks off-limits during work hours. They can provide their employees with training.

That training could include many tips and suggestions. All of them apply to users both at home and at work. Some of those tips and suggestions include:

  • Check your security and privacy settings. Many default security settings do not have you in mind. They have the platform’s best interests in mind. If you don’t change those settings, much of your information may be available to the public.
  • Check your security settings again. When platforms make updates, your security settings may be reset to their original settings. Check your security settings often to ensure that you’re not sharing more than you want.
  • Be selective in whom you follow or befriend. Don’t accept every friend request you receive. If you don’t know the person offline or on another network, you probably shouldn’t accept the friend request. Being safe is much more important than being superficially popular.
  • Be wary of suspicious links. Suspicious links are found in emails and on social networks. Use judgment before clicking on a link. Even if it appears to be sent from a friend, you still should be cautious. Your friend may not know about the link, particularly if he or she has fallen prey to that same link.
  • Be aware of your own behavior. What information are you sharing? Are you making yourself a target for burglars and identity thieves? Think about the information you post before you post it.
  • Restrict access when necessary. If you are a business owner, you may need to restrict access to certain social networks. You may even have to give access only to employees who need it, such as the people on your marketing team.

Who’s in your social network? How do you stay safe online? Let us know in the comments.

Who's Looking for You?

About a week ago, I saw a post from one of my friends in my Facebook feed stating she'd found an application that allowed her to know who was viewing her profile. The wording of her post wasn't in her vernacular, so I was suspicious. In addition, the wording was entirely too similar to e-mails that show up in the spam folder: "Who's your secret admirer?" Needless to say, I didn't click on the link in my friend's post, which turned out to be a very good decision indeed.

If you're the least bit curious about who's viewing your Facebook profile, you might be tempted to click on a link claiming insider knowledge despite the warning signs that it's a scam (the vernacular; the similarities to e-mail spam). You might even have thought the link was legitimate since it came via a status update, a page, or a Facebook group. According to Facebook's policies, it's not possible to know who's viewing your profile or how many times it has been viewed, nor is it possible for others to create such a function. Facebook states:

Facebook FAQ

If you click on the link, it takes you to a scam site that is owned by a third party and often is filled with ads. The site is not an official Facebook page, but it is designed to look like one. The "disguise" is used so that you believe you are within the confines of Facebook, which makes you feel safe and possibly more apt to share the link. Once you are at the mock Facebook page, you are told to "like" it and to "share" it a certain number of times before being given the ability to see who is viewing your profile. That ability never materializes no matter how many times you share the supposed app. By the time you realize that the site's a scam, it's too late. You've shared and endorsed the link. That means a number of your friends may click on that link and possibly share it, too, thus creating an instant, viral network for the scam.

Facebook is trying to address these types of scams, but they tend to proliferate no matter how actively the company pursues them. Facebook urges users to report websites, pages, and applications that purport to show profile views. Graham Cluley, a senior technology consultant at Sophos, also encourages victims of the scam to remove references to it from their news feed and to revoke rogue applications' access to their profile via Account / Privacy Settings / Applications and Websites.

Sources: PCMag, Sophos

Why You Need a Security Strategy

Do you need a security strategy? The answer is yes. Whether you are self-employed and work from home or you are the owner of a business, you need a security strategy. You need to protect yourself not only from external attacks but also from internal data losses. You also need to have protocols in place for when a data loss or breach occurs.

The reasons for having a security strategy are fairly obvious. Not having one or having one that fails costs money. The data breach at Sony is costing the company upward of $170 million in security improvements, customer compensation, and investigative services. A lackluster security strategy affects more than money; as Sony is discovering, consumer confidence in the company is at an all-time low.

External attacks are only one way that data is lost. Data also is lost through negligence, ignorance, and impatience, what is commonly referred to as the "human factor." An employee takes the work laptop, which has client information stored on it, on a business trip and loses it at the airport. Another employee decides to charge his smartphone on his work computer, not knowing that his phone is infected with a virus. Suddenly, his computer is infected with the virus, and any computer connected to the business's network is at risk. An employee is in a rush to turn in a file to her supervisor and leaves a hard copy of the file lying on her desk.

Unfortunately, data breaches and losses are inevitable. External attacks are going to increase as more and more people store their data in various clouds. Internal data losses are going to occur, if only due to the human factor. The news isn't all doom and gloom; businesses and individuals can and should take a proactive stance toward data breaches and losses.

The first step is to mitigate potential breaches and losses as much as possible. David Talbot, from Technology Review, offers the following advice: "To protect themselves, businesses can impose access controls on confidential data, encrypt this data and appropriately manage encryption keys, audit user activities, and bring on consultants to make sure security practices are up to date." Other steps include backing up data, either to local backups or to a second cloud. It doesn't do any good to back up to the cloud only to have that cloud server fail for one reason or another. Businesses also need to account for the human factor. Employees - in every branch of the company - need to be trained in best practices regarding data security. Finally, businesses need to be able to respond to data breaches and losses. They need to have countermeasures, and they need to be transparent with their clients. They can't wait a full week before disclosing the breach or loss. By then, it's too late.

Source: Technology Review