Stop annoying Internet videos from autoplaying


Video is fine, but you should decide when and if they play!

(Mark Huffman @ ConsumerAffairs) The case can be made that the Internet has gotten better in recent years. More resources and faster, more targeted searches.

But there is no doubt that it has also gotten more annoying. Like those creepy ads that follow you from website to website, just because a week ago you happened to look at a product the ad is promoting.

But perhaps the biggest annoyance is videos that automatically play once you open a page. Video content is a great feature and more providers are offering it. But since almost all videos start with a short advertisement, the sites aren't content to just offer the video content, they make their videos begin automatically.

This can be annoying for a couple of reasons. First, it's distracting. Maybe the user just wants to read the article first.

It's hard to concentrate with the audio from the video competing for your attention. In some cases, a page might have more than one video, with all starting at about the same time.

For people on measured bandwidth ISP accounts, autoplaying videos can be a nuisance for another reason. Video can gobble up bandwidth, and over time it can cause these users to exceed their allotment during a billing cycle.

Fortunately, there's something you can do about it. You can turn off the video autoplay in your browser.

Nearly all web videos use Flash, so you just have to prevent Flash from starting when the page opens. It's easily done but the routine is different for each browser.

Internet Explorer

With Internet Explorer you can control autoplay through ActiveX filtering. That makes it fairly easy to turn it off.

According to Microsoft, you only have to go to “tools,” select “safety,” and enable ActiveX Filtering. When you come across a page containing Flash videos, there will be a blue icon in the URL bar, indicating that the autoplay has been blocked.

But if you want to see a video on the page, you have to click on the icon, which allows you to turn off ActiveX Filtering for that site. If you want to turn it back on, it's the same process over again. A bit cumbersome.

Firefox

There are two ways to block autorun videos in Firefox, but the simpler and more reliable method may be to download Flash Block. You can get it from Mozilla here.

Once it's downloaded, install and enable Flash Block. Restart Firefox and from then on, you'll have to click on Flash media to get it to play.

Chrome

To turn off Flash autorun in Chrome, type chrome://chrome/settings/content into the URL bar. Up pops a “content settings” page.

Scroll down to “plug-ins,” select “click to play,” and then “done.” It's that simple. After that, every Flash screen will show a gray placeholder. Just click it to play the content.

Safari

To disable autostart in Safari, you will need to download some extensions. You'll find them here. The extension ClickToPlugin prevents plug-ins, including video, from launching content unless you allow it.

Many Facebook users may want to take the extra step of disabling autoplay in their Newsfeed. When logged into Facebook, click on the arrow in the upper right of your screen and, from the drop down menu, select “settings.”

From the left of the page, scroll through the sections to “videos.” You will find that the default position is to play videos automatically. Click on the button to turn it to the off position.

Spam – “We Are Going To Sue You”

"What do I do if my email account has been spamming to the outside? I just got an email warning me that I will be sued!"

Don't worry just yet. When spam cannot lure you, it will try to scare you instead. Here is a spam message socially engineered to trick you into launching malware.

Websense® ThreatSeeker® Network has detected that an email campaign broke out on 19th September, 2011. In this campaign, emails are spoofed to appear as though they are sent from established companies. The emails even formally claim that legal action will be taken because of the spam you have supposedly sent. These fake warnings attach a ZIP file that purportedly contains a scanned copy of a document proving your spamming; opening the attachment is how the malware is launched.

instagram - Facebook-owned site asserts right to sell users' photos to advertisers

(James Hood @ ConsumerAffairs) Like to post stuff on the Web? Sure you do. It's yours after all, right? Umm, well, actually, it probably isn't once you've posted it.

Read the privacy policies and terms of use of the vast majority of Internet sites and you'll find that material posted there by users becomes the property of the site. This is not a bad thing, as the world would descend the rest of the way into chaos if every tiny bit of every Web site were owned by various individuals.

However, few Web sites have gone as far in asserting ownership of posted content as Facebook's Instagram. The photo-sharing site recently updated its privacy policy to explicitly give it the right to sell user-posted photos to advertisers without any notification or compensation to the user.

The new policy takes effect January 16. If you want to opt out, you'll need to delete your account before then. There is no opt-out provision other than quitting the site entirely.

In other words, post a nice photo of your dog Spot eating Purina kibble and you may soon see Spot on a billboard, but neither you nor Spot will be the richer for it. Spot will still have to buy his own kibble.

Photos of children

More ominously, the new rules would allow the company to use images of children as young as 13 without their parents' permission.

Instagram's reasoning goes like this: You must say you are 13 or older to sign up for the service. The assumption is that when parents allow you to sign up, they are aware that you may become fodder for advertising, or worse.

There's also the little matter of photographing strangers. Amateur photographers -- just about everybody these days -- think nothing of snapping photos of people on the street or in other public or private venues and posting them on the Web, something no commercial photographer would dare do.

Using a photo of someone for commercial purposes without their permission is a serious matter and all photographers worth their camera strap always get a signed release before using such likenesses. (News photos are a slightly different matter).

Cookies & logs too

Here's the notice posted recently by Instagram:

"We may share your information as well as information from tools like cookies, log files, and device identifiers and location data with organizations that help us provide the service to you... (and) third-party advertising partners."

"To help us deliver interesting paid or sponsored content or promotions, you agree that a business may pay us to display your username, likeness, photos, in connection with paid or sponsored content or promotions, without any compensation to you," Instagram added in its terms of use.

The change is not going down well in the social media world, where one poster called it "suicide."

But look at it from Facebook's perspective. Facebook paid $1 billion for Instagram in April, even though the site has nearly no revenue.

This is not unusual in Internetland, where the attitude generally is that if a site gets big enough fast enough it will be too big to fail, even though no one has figured out a business model.

Or as Facebook marketing executive Carolyn Everson put it earlier this month: "Eventually we'll figure out a way to monetize Instagram." Whether anyone who would make such a statement should be called a marketing executive is another story.

None of this is really very surprising, though. Facebook has stumbled into one pitfall after another as it tries to fiddle with privacy issues, attempting to install a rational business model that some would say should have been thought through before the site was ever started.

It's a good thing civil engineers don't work this way. They'd start building bridges and railroads without knowing where they were supposed to end up. As long as they were big enough, maybe it wouldn't matter?


Microsoft Offers $250K Bounty For Conficker Virus Creator's Head

Microsoft and other leading companies in the tech industry said last week that they're offering a quarter million dollar reward for information that leads to the conviction of the authors/distributors of the Conficker virus that has infected 10 million Windows computers. If you could use an extra $250,000 and have a lead, read more about it here:

http://arstechnica.com/microsoft/news/2009/02/microsoft-puts-250k-bounty...

10 Ways to Avoid Cyber Crime

(Juliette Fairley @ MainStreet) NEW YORK -- About 21% of companies use cloud providers to store and retrieve data. Of those, only 54% have an incident response plan for cyber breaches, including the theft of confidential customer information, according to Chubb's 2013 Private Company Risk Survey.


"This is surprising in light of the fact that a large number of these firms have been sued in recent years by employees, customers, government agencies and other parties," said Tracey Vispoli, senior vice president and specialty insurance global customer segments leader with Chubb.


While individuals and businesses continue to embrace the convenience of technology, it is also causing people greater concern.

"In general, everyone in the Information Age tends to think data is an asset and that if you can collect it, then you should, because it's cheap to store," said Marilyn Prosch, associate professor at Arizona State University. "If you don't need it, then don't collect it, and only keep what you need for the required amount of time."

According to the Travelers' Consumer Risk Index, 64% of individuals cite personal privacy loss or identity theft as a significant concern.

"Since the release of Zeus malware in 2007, electronic funds fraud has become common," said Dr. Ken Baylor, research vice president with NSS Labs, which tests firewall products and network security devices.

Electronic funds transfer fraud involves fraud crews, often based in ex-Soviet Republics, who scour LinkedIn for finance directors at companies and send them legitimate-looking emails about compliance and fraud. "Once the email is opened, the malware installs and accesses electronic transfer data," Baylor told MainStreet.

For the individual, electronic transfer fraud is less common because consumers can move small amounts of cash but not much more and banks tend to reimburse consumers under Regulation E, which refers to the Electronic Fund Transfer Act that was passed by Congress in 1978 and implemented by the Federal Reserve Board.

"Ideally, companies with which you do business, including financial institutions, use dual authentication and tokens to preserve the security of accounts," said Linda Kornfeld, partner in Kasowitz, Benson, Torres & Friedman in Los Angeles.

Other ways to lessen chances of cyber fraud include:

  1. Think before you share information with any site or person on the Internet.
  2. Be informed by doing your homework and reading privacy policies.
  3. Never log in to online banking sites from public networks at hotels, coffee shops, airports, etc.
  4. Use different passwords for finances than for social networks and games.
  5. Protect home computers by securing home networks. Otherwise, neighbors, their visitors, and other strangers can gain access.
  6. Only give out social security numbers on a secured connection. Look for https, not http.
  7. On social networking sites, such as Facebook, switch all privacy settings to friends only. "Technology has changed so rapidly that it will take a while for controls to catch up, but data minimization is the way we are moving," Prosch said.
  8. Do not answer 20-question lists on social networking sites.
  9. Periodically review credit reports from credit bureaus, such as Experian.
  10. Do not allow children to have the location-based options activated on their mobile devices, including portable game devices.

3 surprising things that spy on you that you can't stop

(Kim Komando) With the hullabaloo about the NSA and its extensive spying programs, it's important to remember that it doesn't have a monopoly on tracking what you do. Other organizations and technology keep tabs on you as well.

I'm not just talking about online advertisers. In fact, you might be surprised at some of the things spying on you.

1. Your car
You may or may not have heard that beginning September 1, 2014, every new car is required to have a black box installed. This will record information about your speed, direction, braking, whether you're wearing a seat belt and everything else going on in the seconds surrounding a crash.

Investigators will know exactly what happened rather than trying to figure it out based on witness testimony. That might not be such a bad thing - if you're in the right.

Of course, the big worry is that the black box might eventually go beyond that. Paired with a GPS, a black box could easily record your entire driving history.

Insurance companies might eventually use the data to set your premiums. Some states, such as California, are already talking about including GPS to tax drivers based on how many miles they drive. What happens if hackers get hold of the data?

"Well," you might say, "I'm not going to buy a car made after 2013." I have some bad news for you. Around 96 percent of new cars already include a black box. In fact, they've been in use by some manufacturers since the early '90s. If your car has one, it will say somewhere in the owner's manual.

It's OK; soon, cars will be driving themselves anyway. Click here to see the future of self-driving cars in action.

2. Your favorite stores
Whenever you swipe a loyalty card, enter your phone number or use the same card at a store, your purchases go into a database profile. Based on what you buy, stores know way more about you than you think.

Back in 2012, the New York Times Magazine reported a shocking story. A father went ballistic in a Target after the store sent his 16-year-old daughter coupons for baby supplies. What was Target doing sending pregnancy promotions to a minor?

Well, it turns out the daughter really was pregnant. Target had a team that, crunching data from millions of consumers, was eerily accurate at such predictions. Target can tell how far along a pregnancy is and estimate a fairly accurate due date based on what a person buys.

Imagine what else they can figure out about your politics, beliefs, health, relationships and more. Scary stuff.

Target isn't the only store doing this, of course. Any business loves to have an inside edge on its customers so it can time promotions for the most impact.

Of course, imagine if the government got hold of that information (assuming it hasn't already) or your health-insurance provider. Even worse, what about identity thieves and scammers? Think what they could do with detailed insight into your habits.

Given the major data breaches happening lately, with Target coincidentally having the worst data breach in retail history, it isn't a stretch to think this information might get out as well.

And, aside from using fake information - which some people do - or shopping at the farmer's market, there isn't anything you can do about it.

Don't wait for stores to send you targeted coupons; download hundreds of money-saving coupons from these great sites.

3. Your Internet service provider
Quick: What's the one organization that knows everywhere you go online? If you read the title of the section, then you know the answer is your Internet service provider.

Not that it's necessarily trying to spy on you, but its business is connecting your computer to websites. And for various business reasons, it saves that information.

Some ISPs keep your traffic information for a few months and others for a year or more. And, of course, any ISP will turn the information over to law enforcement if asked.

Click here for more details about what ISPs keep and who keeps your traffic information the longest.

There is a way around this. You can use a service like Tor or KProxy. These route your traffic through servers around the world. No one can track where you're going.

I should point out that no routing system is foolproof and the government has cracked Tor in the past. So, do me a favor and don't use these proxy services for anything illegal.

- See more at: http://www.komando.com/tips/index.aspx?id=15933&utm_medium=nl&utm_source...

8 of 10 Software Apps Fail Security Assessment

Eight out of 10 software applications fail to meet a security assessment, according to a State of Software Security report by Veracode. That’s based on an automated analysis of 9,910 applications submitted to Veracode’s online security testing platform in the last 18 months. The applications are submitted by both developers — in the government and commercial sectors — as well as companies and government agencies wanting an assessment of software they plan to purchase.


8-character passwords just got a lot easier to crack

(NBC News) A password expert has shown that passwords can be cracked by brute force four times faster than was previously thought possible.

It's no magician's trick. Jeremi Gosney of the Stricture Consulting Group shared the findings at the recent Passwords^12 conference in Norway, where researchers do nothing but focus on passwords and PIN numbers.

What Gosney showed is that a computer cluster using 25 AMD Radeon graphics cards let it make 350 billion — that's right, billion — password attempts per second when trying to crack password hashes made by the algorithm Microsoft uses in Windows.

Ars Technica reported on the finding, estimating that it would take less than six hours for the system to guess every single possible eight-character password. Gosney, in an email to the site, said, "We can attack (password) hashes approximately four times faster than we could previously."

Users should take action, especially those who have been using eight-character passwords and thinking they were safe (or safer than users with fewer characters in passwords), said Infosecurity, an online magazine. It doesn't even matter if you have numbers, upper case letters and symbols — you are not in the clear.

Eight-character passwords "are no longer sufficient," the magazine says, and users should come up with longer passwords to "help defeat brute forcing, and complex passwords to help defeat dictionary attacks." 

Dictionary attacks use pretty common words, names and places that many of us still come up with for passwords, like "LoveNewYork" or even "Jesus" because they're easy to remember. They're also incredibly easy to crack.

Dmitry Bestuzhev, of Kaspersky Lab, offers these suggestions:

1. Use a different password for each different online resource. Never reuse the same password for different services. If you do, all or many of your other online accounts can be compromised.

2. Use complex passwords. This means, in a perfect scenario, a combination of symbols, letters and special characters. The longer the better.

3. Sometimes our online service providers don’t let us create really complex passwords, but try to use long passwords, with at least 23 characters in a combination of uppercase and lowercase letters. A password of 23 characters (131 bits) would be ok.

That may be an ambitious undertaking, especially with the abundance of services out there that all require authentication, but it's worth striving for.

Eight characters "just isn't long enough for a password these days," Sophos Labs' Paul Ducklin told NBC News in an email. "Even before this latest 'improvement' in cracking, standalone GPU (graphics processing unit)-based servers could do the job on eight-character Windows passwords in under 24 hours." And, he added, "cybercrooks with a zombie network, of course, could easily do something similar, even without GPUs."

Ducklin, writing about another password-cracking presentation at the password conference, made it clear that the findings are "yet another reminder that security is an arms race." But to stay ahead all you have to do is lengthen those passwords. At least for now.
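The arithmetic behind the figures in this piece, worked through as an added example (it is not from the NBC article or from anyone quoted in it): starting from the article's 350 billion guesses per second, it computes how long an exhaustive search of each eight-character password shape takes and why 23 mixed-case characters come out at 131 bits. The guess rate is the article's number; the alphabet sizes and the `rate` parameter for modelling slower hash functions are assumptions added here, so the reader can see that the hash algorithm matters as much as the password length.

```python
import math
import string

# Guess rate the article quotes for the 25-GPU cluster against the hash
# Windows stores passwords with (a fast, unsalted hash). Not measured here.
GUESSES_PER_SECOND = 350e9

# Character classes a brute-force search has to cover. Constructed for this
# example; the article itself gives no alphabet sizes.
CHARSETS = {
    "digits": string.digits,                                      # 10
    "lowercase": string.ascii_lowercase,                          # 26
    "mixed case": string.ascii_letters,                           # 52
    "mixed case + digits": string.ascii_letters + string.digits,  # 62
    "printable ASCII": string.ascii_letters + string.digits
                       + string.punctuation + " ",                # 95
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape.
    The article's '23 characters (131 bits)' is the mixed-case case (52^23)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every password of this shape at `rate`
    guesses per second. Lower `rate` to model a slow, salted hash."""
    return keyspace(alphabet_size, length) / rate


def hours_to_exhaust(alphabet_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Same worst case, in hours."""
    return seconds_to_exhaust(alphabet_size, length, rate) / 3600


def minimum_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length at which a uniformly random password drawn from an
    alphabet of this size reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def describe(seconds: float) -> str:
    """Human-readable duration for the worst-case exhaust time."""
    year = 365.25 * 86400
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < year:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / year:.3g} years"


def report(length: int = 8, rate: float = GUESSES_PER_SECOND) -> list[str]:
    """One line per charset: entropy and worst-case exhaust time at `rate`."""
    lines = []
    for name, alphabet in CHARSETS.items():
        n = len(alphabet)
        lines.append(f"{name:>20} x{length}: {entropy_bits(n, length):6.1f} bits, "
                     f"exhausted in {describe(seconds_to_exhaust(n, length, rate))}")
    return lines


if __name__ == "__main__":
    # Every eight-character printable-ASCII password falls in roughly five
    # hours at the quoted rate, matching the 'less than six hours' estimate.
    print("\n".join(report(8)))
    print(f"\n23 mixed-case chars: {entropy_bits(52, 23):.1f} bits, "
          f"exhausted in {describe(seconds_to_exhaust(52, 23))}")
    # The same eight characters behind a deliberately slow hash: the factor
    # of a million is an assumed illustration, not a measured bcrypt rate.
    print("\n".join(report(8, rate=GUESSES_PER_SECOND / 1e6)))
```

The numbers are worst-case exhaustive-search times for uniformly random passwords; a dictionary word or a predictable pattern, as the article notes, falls far sooner than the keyspace suggests.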


9 out of 10 emails now spam

LONDON, England (Reuters) -- Criminal gangs using hijacked computers are behind a surge in unwanted e-mails peddling sex, drugs and stock tips.

The number of "spam" messages has tripled since June and now accounts for as many as nine out of 10 e-mails sent worldwide, according to U.S. email security company Postini.

As Christmas approaches, the daily trawl through in-boxes clogged with offers of fake Viagra, loans and sex aids is tipped to take even longer.

"E-mail systems are overloaded or melting down trying to keep up with all the spam," said Dan Druker, a vice president at Postini.

His company has detected 7 billion spam e-mails worldwide in November compared to 2.5 billion in June. Spam in Britain has risen by 50 percent in the last two months alone, according to Internet security company SurfControl.

The United States, China and Poland are the top sources of spam, data from security firm Marshal suggests.

About 200 illegal gangs are behind 80 percent of unwanted e-mails, according to Spamhaus, a body that tracks the problem.

Experts blame the rise in spam on computer programs that hijack millions of home computers to send e-mails.

These "zombie networks", also called "botnets", can link 100,000 home computers without their owners' knowledge.

They are leased to gangs who use their huge "free" computing power to send millions of e-mails with relative anonymity.

While "Trojan horse" programs that invade computers have been around for years, they are now more sophisticated, written by professionals rather than bored teenagers.

"Before it was about showing off, now it's about ripping people off," said SurfControl's Harnish Patel.

Spam costs firms up to $1,000 a year per employee in lost productivity and higher computing bills, according to research published last year.

Home computer users are at risk from e-mails that ask them to reveal their bank details, a practice known as "phishing".

The latest programs mutate to avoid detection and send fewer e-mails from each machine. Fast broadband Internet connections, which are always connected, help the spammers.

The gangs send millions of e-mails, so they only need a fraction of people to reply to make a profit.

"This is a constant game of cat and mouse," said Mark Sunner, Chief Technology Officer at MessageLabs, an e-mail security company. "The bad guys will not stand still."

They disguise words to try to outfox filters searching for telltale words. So, Viagra would become V1úgra.

When anti-spam experts clamped down on this, the spammers began to send messages embedded in a graphic instead of plain text. It is harder for filters to scan pictures.

Random extracts from classic books are often included to confuse filters looking for keywords.

Anti-spam laws have had mixed results.

The first U.S. convictions came last year, while Britain has yet to charge anyone under 2003 anti-spam legislation.

It is difficult to fight spam because the problem crosses international borders, said a spokesman for the UK Information Commissioner's Office, the body which enforces the law.

Some believe laws and filters will not defeat spam.

It will only end when people stop buying diet pills, herbal highs and sexual performance enhancers, said Dave Rand, of Internet security firm Trend Micro.

"The products they are selling by spam are exactly the same products that they sold in the Middle Ages," he said. "This really is a human problem, not a computer problem."

A Single Ransomware Gang Made 121 Million In 2016

Intel Security released its McAfee Labs Threats Report: September 2016, which assesses the growing ransomware threat; surveys the “who and how” of data loss; explains the practical application of machine learning in cybersecurity; and details the growth of ransomware, mobile malware, macro malware, and other threats in Q2 2016. 

A single ransomware gang was able to collect 121 million dollars in ransomware payments during the first half of this year, netting 94 million dollars after expenses, according to the report. It is assumed they refer to the Locky strain. 

"Ransomware has grown over the years, and in 2015 and 2016 we really saw a serious spike," said Vincent Weafer, vice president of Intel Security's McAfee Labs. 

Weafer estimated that total ransomware revenues could be in the hundreds of millions. "And that's on the conservative side," he said. Total ransomware increased by 128 percent during the first half of 2016 compared to the same period last year. There were 1.3 million new ransomware samples recorded, the highest number since McAfee began tracking it. 

Get those users awareness trained! 

Another recently released report, this one from Bromium, confirms the most important key findings of the McAfee report. Surveying the past three years of attacks against businesses, Bromium's report ticks off a depressingly familiar list of dangerous trends in the online threat landscape:

  • High profile data breaches are on the rise, with criminal gangs going the extra mile to penetrate corporate networks and pilfer valuable data.
  • Crypto-ransomware attacks are on a steep rise, with dozens of new ransomware families making their debut in 2016 and Locky taking a market-leading position.
  • Exploits (esp. those targeted at Adobe Flash) remain a problem, despite the limited success that software vendors have enjoyed in reducing the number of exploits in popular consumer applications.
  • Online criminals have proven flexible and resourceful in the face of law enforcement take-downs, quickly migrating their operations to newer exploit kits as older ones disappear.
  • Attacks are becoming increasingly sophisticated and complex, making the job of defenders ever more difficult.

Most importantly, however, Bromium's chief security architect, Rahul Kashyap, warns that although new attack methods are always being developed, malicious actors will continue to rely on proven tactics such as social engineering and watering hole attacks, coupling them with constantly morphing malware to effectively "render AV useless."

A guide if you are a victim of tax refund or tax return fraud.

(Rick) Tax return fraud is becoming a bigger and bigger problem every year. Most people panic when they find out they are a victim, and for a good reason.

Many times people discover they are a victim when they receive a bill from the IRS for a few thousand dollars, or cannot understand what they are being asked to provide during an audit. It is important to keep good records of your taxes and write down all relevant information. Whenever you talk to an IRS agent, it can be very helpful to write down their name, ID, and location, so that you can reference that call in the future. Also keep in mind that many people would prefer to blame their tax problems on fraud instead of paying what is due. This is unfortunate, but it is the main reason the IRS will not immediately accept a claim of fraud. You will have to provide proof along the way.

It is critically important to get a transcript, and review all details on your record before agreeing to pay the IRS (if you have reason to believe that they are mistaken, or someone has illegally filed taxes using your personal information). A transcript will show a summary of your tax return along with any actions taken, expenses written, payments, amended returns, and corrections because of math mistakes.

Here are a few examples of what your transcripts will look like:

2009 Tax Year Transcript (image)

2009 Account Status Transcript (image)

In order to get your tax transcript, call 1.800.829.0922.

When you are sure your refund was fraudulent, do the following:

  1. Contact the IRS exam unit at 1.866.897.0161. Be sure to get a fax number or address in order to submit all of the necessary paperwork. If you have previously spoken with an IRS agent and they have suggested that you are a victim of identity theft, reference the date and time of that original call. If you have a reference number, contact name, and location of where the original call was routed, that can also help.
  2. Print out FORM 14039, which is the Identity Theft Affidavit. We have a copy here, or you can go to the IRS website and locate it. This form is very important and will switch your account status from being audited or non-paid to an identity theft case. Usually when your account is being audited, there will be specific things you need to make happen in a timely manner. Once you submit FORM 14039, you're putting everything back into the IRS' court.
  3. File a police report. You will need the report number from your local police department.
  4. Call the following hotlines and let them know you are a victim of tax fraud.
    • Federal Trade Commission: 1.877.438.4338. or visit FTC.gov
    • Social Security Administration: 1.800.772.1213 or visit SSA.gov
    • Equifax (you need to contact only one credit bureau and they will notify the others): 1.800.525.6285 or visit Equifax.com
  5. Get a copy of your W2 from the tax year in question. You can typically get this from the Social Security Administration by visiting a local office. To find an office close to you, visit this link on the SSA.gov website. This will give you more evidence when you go to submit all of these forms to the IRS. Remember, you still have to prove that you are a victim of identity theft, and each item you can provide will help build your case. It is equally important to file your taxes for the tax year in question once you have a copy of your W2 from that year. If you are self-employed, you will need to contact an accountant and have them file the correct return as well.
  6. Use the cover letter from your transcript (please see example below) as the cover letter when you fax or mail all of your information to the exam unit at the IRS. This information can be different based on each person's specific case. During step (1) you should have received the fax number and address to send everything to.

IRS Transcript / Cover Letter

The process can be frustrating and identity theft is never going to be an easy process to go through. Check your status regularly by contacting the IRS directly, consulting with your CPA or tax professional, and keeping track of any notices you receive via mail or telephone.

If you follow this guide you will make the process smoother and will avoid any headaches.

Please leave a comment with any experiences that you have had. Let’s work together to prevent fraud from happening!

Note from one of the authors:

First Name: martin

Last Name: vivek

Company Name: xxxxxxx

Email Address: xxx@xxxxx.xxx

Phone Number: 00000000000

Message:

Hello, my name is Martin Vivek. I was on [http://www.active-technologies.com/content/scams-and-how-report-them-tex... and I noticed a ton of great resources that people can visit. I feel as though most fraud does not get the attention it deserves.

I recently had the honor of helping a few others put together a thorough guide about tax fraud. You can see it here:

http://www.taxreturnfraud.com/a-guide-if-you-are-a-victim-of-tax-refund-or-tax-return-fraud/

It has helped numerous people, and even CPAs have used it as a guide.

It is very important that people have this information in the event that they become a victim.

If you could please mention us under the FBI's website that would be greatly appreciated. I believe your readers will be thankful as well.

Let me know if you have any comments, or questions.


ACLU says police use of secret cell phone tracking program

No warrants, and no legislative or judicial oversight either

(Jennifer Abel @ ConsumerAffairs) The American Civil Liberties Union has released records it had obtained via Freedom of Information requests from police agencies across the state of Florida, detailing widespread law enforcement use of surveillance technology kept secret not only from ordinary American citizens, but from judges and the court system, too.

This secrecy is allegedly justified in the name of “national security” although, as the ACLU notes in the records it released yesterday, a detailed list of over 250 investigations from just one city's police department showed not a single case related to national security.

And although yesterday's ACLU investigation only looked at Florida, state and local law enforcement agencies in at least 20 states and Washington D.C. use this secret surveillance technology.

It's called Stingray, and it tracks people's whereabouts (more specifically, it tracks the whereabouts of people's phones) through the use of devices called “cell site simulators.” As the label suggests, such devices simulate cell phone towers in a way that forces cell phones in the area to broadcast information which can be used to locate and identify them.

How extensively does law enforcement use this program? The ACLU notes that Florida alone has spent more than $3 million on Stingrays and related equipment since 2008.

“The documents paint a detailed picture of police using an invasive technology — one that can follow you inside your house — in many hundreds of cases and almost entirely in secret.

“The secrecy is not just from the public, but often from judges who are supposed to ensure that police are not abusing their authority. Partly relying on that secrecy, police have been getting authorization to use Stingrays based on the low standard of “relevance,” not a warrant based on probable cause as required by the Fourth Amendment.”

Little oversight

In other words, police keep information about this program secret not only from the public they presumably serve, but from the judges who presumably are supposed to oversee those police to ensure their behavior stays within legal and constitutional guidelines.

Indeed, authorities would sooner let an armed robber avoid jail than reveal any details of how they use Stingray. On the same day the ACLU released its records about Stingray use in Florida, the Washington Post ran a story (based in part on the ACLU's revelations) illustrating that:

[Tadrae McKenzie] and two buddies robbed a small-time pot dealer of $130 worth of weed using BB guns. Under Florida law, that was robbery with a deadly weapon, with a sentence of at least four years in prison. But before trial, his defense team detected investigators’ use of a secret surveillance tool. ... In an unprecedented move, a state judge ordered the police to show the device — a cell-tower simulator sometimes called a StingRay — to the attorneys. Rather than show the equipment, the state offered McKenzie a plea bargain.

McKenzie took the plea: six months' probation, no jail time.

Even elected officials are unable to learn details about the program. Last December, the Star-Tribune in Minneapolis ran an exposé about a then-two-year-old agreement between the Minnesota Bureau of Criminal Apprehension (BCA) and the FBI to keep information about the tracking program secret from the public:

“The revelation comes after a lengthy attempt to obtain contracts and nondisclosure agreements for the FBI’s cellphone tracking devices, known as StingRay II and KingFish. The state Bureau of Criminal Apprehension (BCA) has long resisted disclosure requests from the public, news media and even the Minnesota Legislature, saying that doing so would violate trade secrets and expose investigative techniques that could be exploited by criminals.....”

The “trade secrets” mentioned belong to Harris Corp., the Florida-based company that manufactures the StingRay and similar cell phone tracking devices. There's a lot of money at stake; a single StingRay sells for anywhere from $68,000 to $134,000, according to Department of Justice documents quoted by the Washington Post.

The ACLU's records show that one Stingray customer, the city of Tallahassee, went on to use its Stingrays in 250 investigations over the six years spanning mid-2007 to early 2014. As the Post noted, “That’s 40 or so instances a year in a city of 186,000, a surprisingly high rate given that the StingRay’s manufacturer, Harris Corp., has told the Federal Communications Commission that the device is used only in emergencies.”

The ACLU's records also show that police have not been obtaining warrants before using these cell phone trackers to determine people's locations. The full Florida Stingray records collected by the ACLU are available online here.

AVG Free 2013 Review by Seth Rosenblatt

CNET Review: AVG's updates for 2013 look to the future while struggling to overcome the problems of the past. There's a new interface optimized for Windows 8 that really does make the suite easier to use, and the suite once again tackles its lengthy installation procedure. However, one of the best new features in AVG was actually introduced as a midyear update during 2012.

Installation
We found that the program can go from completed download to ready to use in about 5 minutes.

AVG has touted its five-screen installation for several years now. While it's true that the process continues to be short, it's important to call out a few improvements and one glaring snag.

The installer itself now weighs in at 33MB, down from more than 100MB two years ago. The installer also does not require a reboot. This isn't surprising for Windows 8, but even on computers running Windows 7 and older, installing AVG will be reboot-free. Unfortunately, not only do you still have to opt out of AVG's toolbar and SafeSearch if you don't want them, but even when you choose only the toolbar, it commandeers your default location bar search in Firefox. This is, of course, problematic because the toolbar provides some important security options, such as AVG Do Not Track.

AVG loses points as well for force-shutting your browser without warning during installation, and for not adapting the installation options to Windows 8. AVG has retained the small check boxes from previous years, which are difficult to use by touch.

A more customer-friendly approach would be to go for an opt-in process that doesn't move forward until the user makes a decision. After all, this is what AVG does when asking you to choose between AVG Free or a 30-day trial of AVG Internet Security.

Shouldn't we be done with search engine commandeering by now?

Interface
Windows 8 has forced every Windows software maker around to reconsider how its programs look, and that's a good thing. Whether kicking and screaming, or gleefully leaping, software designers are changing how they make their Windows apps, and AVG is no different.

Although the security suite had been using a variation of the same interface for years, the 2013 suite has been overhauled with a new one that embraces large, boldly colored, tile-like buttons that ought to feel at home in Windows 8.

The new main interface lays out AVG's features in a clean, legible manner. The upper right corner has links to Reports, Support, and Options. At first blush, the Options list is overwhelmingly long, but navigating is impressively accurate on a touch screen. It contains direct links to features that are also available behind the tiles that take up most of the interface.

Next on your way down the main screen is a protection status notification in green for safe or red for unsafe, and then there are three rows of tiles. The first row of bright green tiles links to core security options: Computer, Web Browsing, Identity, E-mails, and Firewall. The second row is blue, and links to AVG's performance optimizer, parental controls, and the backup service LiveKive. Next to LiveKive there's a button for AVG apps, new services that hadn't been revealed at the time of writing.

The third row contains two teal buttons, one to commence a scan and one to update virus definition files. If you're running AVG Free, the bottom quarter of the interface is an ad to upgrade to AVG Internet Security 2013. Behind each of the buttons is a deeper dive into its associated functions. Under Computer, for example, you have access to antivirus and antirootkit scans, statistics, and configurations.

The interface is basically highly navigable, except that people with Windows 8 touch screens could find the third level down tricky without a mouse. If you go into Configurations or another deeper settings level, the advanced settings options could still be too small for some people to easily adjust.

Do note that AVG is essentially running a Windows 7 program with Windows 8 dressing. It opens to Desktop mode, and runs in a single window that doesn't take up the full screen. It's possible that there have been under-the-hood improvements that will allow AVG to adapt to a Metro interface easily, but that's not available yet.

Features and support
While the interface is new, and as you'll see below, the performance improvements are stunning, AVG's focus for 2013 has not been to push aggressive new security tech. That's okay. Instead, the focus this year was to bring some tech that exists at competitors to AVG's enormous, 128-million-strong active user base.

When you start AVG for the first time, a window appears over the main interface that promotes links to its new, free 24-7 telephone support; the AVG Android app; and a tutorial on getting started. As one of the best-known names in Windows security, we like that AVG is making it easy for newcomers to get acclimated.

There's a new file reputation system, which AVG also uses in conjunction with its scans to scan dramatically faster than before. Basically, it looks at a file in the order that its bits were saved to disk, not in order of the directory file tree. It may sound hokey, but as the benchmarks below show, it's an effective technique. By cross-referencing that data with what other AVG users are running, AVG is able to create a more effective net for blocking malicious files.

The file reputation is an extension of AVG's "smart scanning," which takes advantage of AVG's behavioral detection network to scan known safe files once, and rescan them only if it detects changes. As with its competitors, AVG's network is made up of its user base anonymously contributing data up to the cloud. You can choose to opt out of contributing your data when you install, or from the options menu. AVG says opting out won't negatively affect your security.

The smart scanning tech also gives you a built-in system resource manager that prioritizes scans. If a scan is scheduled to begin while the computer is in use, it will automatically restrict the scan so that it runs more slowly but doesn't interfere with the computer's other tasks. When it detects the computer idling, it will then allocate more power to the scan. The feature comes with a slider so you can customize how sensitive it is.

Another major change was introduced earlier in the year. AVG's Do Not Track add-on has been folded into the AVG toolbar. AVG's version lacks the nuance of Abine's Do Not Track Plus, making it more of a logger's chainsaw than a surgeon's scalpel, but it's still good to get privacy-protecting tools out to as many people as possible.

AVG offers a wide range of effective tools for keeping your computer safe. Along with the expected antivirus and anti-malware engines, it has rootkit detection and removal; fake antivirus and ransomware blocking; and basic e-mail and identity protection.

The LinkScanner tool has been improved to watch out for more dynamic code, which is essential in the security game because threats are mutating at such a rapid rate.

The PC Analyzer scans your system for Registry and disk errors. It includes a disk defragmenter and a broken-shortcut cleaner, as well. Although the feature is restricted in full to paid users, if you have the free version, the PC Analyzer comes with a one-time offer to clean all errors it finds. It provides a link to a download of the separate PC Analyzer tool, once the scan is completed. This is an interesting twist on the idea of letting users detect but not repair errors, and it provides more functionality while not affecting the basic security of your computer. However, it's likely that some users will shy away from the extra download.

Other features are restricted to users of AVG's paid upgrades. The paid upgrade version of AVG Anti-Virus 2013 distinguishes itself by offering a chat link shield, a Wi-Fi guard for open Internet connections, and a download scan for files sent via instant message that looks at all ports, not just port 80. The PC Analyzer option mentioned earlier is also included, and comes without restrictions.

AVG Internet Security 2013 includes all that AVG Anti-Virus 2013 offers, and adds in a firewall and antispam protections.

Performance
AVG claims major performance improvements in the 2013 versions, and both CNET's own tests and independent labs appear to bear this out.

CNET Labs' benchmarks found that this year's version leaves a lighter touch on your system than last year's, a big change for the better for AVG.

We can report that AVG's boot time impact was faster than average in general. AVG Anti-Virus 2013 was around 10 seconds faster than the average suite, while AVG Internet Security 2013 was about 5 seconds faster than average and AVG Anti-Virus Free 2013 was about 5 seconds slower. This is better than last year, when AVG was slower than average, and it's better in general, as AVG tends to have a big impact on startup.

Shutdown impact continued to be minimal, around the same as last year -- among the best we've seen at this point so far.


Security program                          Boot time  Shutdown time  Scan time  MS Office performance  iTunes decoding  Media multitasking  Cinebench
Unprotected system                             40          6           n/a            395                 120                342            17,711
Average of all tested systems (to date)      72.3       16.3         1,315            410                 124                348            17,092
AVG Anti-Virus Free 2013                     77.8       12.9           569            354                 125                342            17,177
AVG Anti-Virus 2013                          61.8       11.9           538            406                 124                341            17,089
AVG Internet Security 2012                   67.4       14.7           737            408                 125                344            17,134

*All tests measured in seconds, except for Cinebench. On the Cinebench test, the higher number is better.

In our other tests, AVG was much faster than the median. The scan times on AVG Anti-Virus 2013 and its free sibling were the two fastest so far this year, and AVG Anti-Virus Free 2013 also notched the fastest time during the MS Office performance test. It wasn't just the fastest, either, it was faster than an unprotected computer with the same specs. AVG claims that this is because of how it reads your computer's files. Whatever the cause, it's clear that in some cases, AVG improves in-use system performance.

Third-party efficacy results haven't been published yet for AVG 2013, but the 2012 suite marks are excellent. In the AV-Test test on Windows 7 from the second quarter of 2012, AVG Internet Security 2012 scored 15 out of 18 overall, a lowish high score. The suite had a 5.5 rating out of 6 in Protection, a 5.0 in Repair, and a 4.5 in Usability. On the same test, AVG Anti-Virus Free 2012 scored slightly better with 15.5 out of 18 overall. The suite had a 5.5 rating out of 6 in Protection, a 5.0 in Repair, and a 5.0 in Usability.

The most recent AV-Comparatives.org Whole Product test, which looks at on-demand scanning, retroactive tests, and "real-world" guards including cloud-based protections, puts AVG Internet Security 2012 in the middle of the class, out of 21 suites tested. Looking at Whole Product test results cumulatively from January 2012 to June 2012 shows AVG came in 13th, blocking 97.7 percent of threats.

When it comes to security, AVG isn't hands-down the best out there. But it is more effective than it used to be, and it's clear that it takes a smaller toll on your system than it used to. Those are big gains for the suite.

Conclusion
AVG Anti-Virus Free continues to offer an excellent if not perfect level of security, and deserves a serious shot at being your go-to suite. If you're unhappy with your current suite because of its impact on your system performance, AVG is definitely worth checking out.

You get a fair number of extras when you pay to upgrade, but it's not essential and really only for people who either feel safer when they pay or want the added bonuses. However, if you're on a Windows Vista or XP computer, you definitely ought to have a firewall upgrade. You could get a free one, but if system resources are a concern, it's worth checking out one that's bolted to a security suite as with AVG's paid suites.


Publisher's Description

From AVG Technologies USA:

Our most fully featured Free product ever, AVG AntiVirus Free 2013 delivers security features usually only found in paid-for products, and that's not all.

We believe that antivirus software should never get in your way, so we've added smart performance technology that reduces scan times and keeps gaming without annoying lags and freezes caused by scheduled updates and scans.

AVG AntiVirus Free 2013 also goes beyond detecting and removing viruses on your PC. Its 'AVG Do Not Track' feature gives you control over which websites can collect and use your data (available if you take AVG Security Toolbar as part of your installation). This feature joins Anti-Spyware and WiFi hacker-defeating technology to deliver powerful personal protection at home or on the move.

Also new for the 2013 edition is AVG's Easy Interface, which makes managing your protection as simple as possible.

Together these features make AVG AntiVirus Free 2013 an easy, comprehensive free product, but it's not just the software that's free. So too is phone access to our team of support experts 24/7, 365 days a year (USA, UK, Canada).

What's new in this version: A) Even Greater Ease of Use
We've put a big emphasis for this release on making our product easy to use, for both our less-technically savvy customers, as well as those that wish to have greater levels of control with their PC protection. We've completely overhauled our interface, simplified our Firewall and improved our install experience.

  • New User Interface
    Our new User Interface has been developed with extensive involvement from our customers, helping us to build somet...

Read more: AVG AntiVirus Free 2013 - CNET Download.com http://download.cnet.com/AVG-AntiVirus-Free-2013/3000-2239_4-10320142.html#ixzz27lIUXUHZ

Active Technologies AVG Free 2013 Review

AVG has released its new 2013 line of antivirus products, including AVG Free antivirus and Internet Security. AVG has redesigned its interface so that it looks like and works with Windows 8, adding bright contrasting colors and large buttons which should benefit touch screen and small display users.

Besides all of the new features, AVG is one of the most highly rated Antivirus programs, Free or Paid!

Free Tech Support: AVG now offers free tech support, which is HUGE if you need it. Past products, however, ran without much difficulty, and we have NEVER had to rely on their tech support to resolve antivirus and program issues. Nice to know it is there if you need it.

New user interface: seems much better when compared to the older version. Most of the unnecessary functions have been removed and they have reorganized the interface around four main functions: Computer, Web Browsing, Identity and Emails. Really nice work. However, the “Fix Performance” button points to a “PC Analyzer” available at extra cost. CCleaner does the same thing for free, is widely used and is highly recommended in reviews.

Reports: AVG has always been known for adequate reporting capability. The Reports section is located at the top of the screen and features a rotating icon. Reports are in text format and can be easily imported into a spreadsheet or email. What is new in 2013 is an “Archive all” button that makes it easier to save reports to disk.

Footprint: AVG claims that it now requires a smaller footprint to run effectively. Our own experience with recent installations shows that the new program requires less disk and memory to operate, leaving more to be used by programs, data, and the operating system. Overall, this should result in better performance.

Runtime, however, is where the “rubber meets the road”. In the past, when installing AVG 2012 (last year’s product), the system slowdown after installing the software was quite noticeable. Some end-users complained that their computers were as much as 25% slower. After installing AVG Free 2013 on new computers, we noticed very little slowdown, if any. On older systems that had been running AVG 2012, we noticed that the computers ran faster.

Fewer Nags: Programs like AVG should just sit in the background and do their job in silence. However, to push their “brand names”, ALL antivirus companies started telling users every time they did something, so you wouldn’t forget them. Sometimes you can’t go 5 minutes without a message or NAG about this or that, and some end-users became frightened every time they saw an antivirus message. AVG was not the worst offender, but now they have far fewer nags, and the ones they do have are timely (the way it should be).

Installation: The installation completes quickly when compared to previous versions of AVG. The download file installer, required to install AVG, is only 4 MB in size. The number of screens shown during install has been reduced, the interface asks fewer questions, and a reboot is usually not required.

Complaint 1: Our biggest installation complaint is that one in three upgrades failed to complete. This required a manual uninstall of AVG 2012 and install of AVG 2013. So much time was wasted that we now opt for a manual install. Please keep in mind that upgrade issues appear to be common with most Antivirus software (nature of the beast).

Complaint 2: Our second installation complaint occurs with the AVG Free product. Though the installation download is smaller in size, we suspect that AVG artificially throttles the download over the internet so that it takes longer, sometimes as much as 30 minutes. Their paid product, roughly the same size, downloads in less than 10 minutes. Why???

Complaint 3: The AVG Express Install option, by default, also installs the AVG Security Toolbar and AVG Search, which sets and keeps AVG Secure Search as the default provider for the IE, Firefox, and Chrome browsers. AVG Search and Toolbar are useless (as far as I’m concerned), and it takes extra time to disable the AVG Toolbar and reactivate Google, Yahoo, or Bing. In addition, I don't appreciate it when a program tries to dominate my browser.

Observation: AVG file reputation: When you opt-in to participate in the “AVG Product Improvement Program”, which appears with the "Finish" button, then AVG checks some files on your computer against their cloud service to improve their detection capabilities. That may be nice for them, but I don’t want ANYONE snooping around my computer. I always check NO!

Bottom Line: I suggest upgrading to AVG Free as soon as possible:

  • Better protection
  • Faster computer
  • Fewer nags

We began upgrading our maintenance customers last weekend and should have it complete by next Monday.


Adobe Security Bulletin May 13 2014

Adobe customer data breach worse than originally reported

(Jennifer Abel @ ConsumerAffairs) If you have an Adobe account, beware: you should change your password and keep a closer-than-usual eye on your credit report and other financial activities.

Last month Adobe admitted it had suffered a major cyber attack that compromised the data of 2.9 million users; in addition to passwords and email information, that compromised data might also have included customers’ debit or credit card information.

It gets worse. Adobe’s initial report of 2.9 million compromised accounts was bad enough, but three weeks later, on Oct. 29, Adobe revised the estimate upward to 38 million accounts, more than 10 times its original number.

Then, on Nov. 4, Paul Ducklin at Sophos’ Naked Security blog reported that data from over 150 million hacked Adobe accounts had appeared online.

Adobe, however, is sticking to its earlier 38 million figure. But tech and computer security journalists everywhere from GeekWire to the Guardian seem to believe Ducklin over Adobe. This is an important point of contention because Adobe said it has sent warning letters to, and arranged credit alerts for, all customers whose data has been compromised—presumably, to 38 million people. But if Ducklin’s is the correct number, that leaves an additional 112 million Adobe customers at risk and unaware of it.

LastPass has created an online tool Adobe customers can use to see if their emails have been compromised—and it’s worth noting that LastPass thus far says it hasn’t noticed any signs of unauthorized activity in any Adobe user’s emails.

We’re not tech-security experts; if you’re a concerned Adobe user, the tech articles we’ve linked to here offer far more specific advice than we can. However, we do have some generalized online security tips that all people, not just Adobe users, should keep in mind.

If a hacker breaches the database of a company that has your personal information, well, there’s really nothing you can do to prevent that. Even adopting a Luddite lifestyle — “I will never ever buy anything, or undergo any financial transaction, online!”— offers no guarantees. (We personally had to put a credit alert on our accounts a few years ago, after somebody working for our state’s tax-collection bureaucracy lost a laptop computer loaded with the names, Social Security numbers and other information about tens of thousands of state taxpayers, including us.)

But what you can do — what you should do — is conduct your online affairs so that the damage from any one company data breach will be limited to your activities with that company.

For example: never use the same password for more than one account. Some people, for simplicity’s sake, like to use a single password for everything: online email, online banking, online shopping, maybe an online chat forum or two. That definitely makes it easier for you to remember your passwords — and also means a hacker who breaches one of your accounts gets access to all of them.

If you only have a few regular online activities, you might also consider opening a separate web-based email account for each one: use this email address to register for Facebook, use that email for shopping at Amazon. (Confession: we don’t strictly follow that advice ourselves, because we have too many online accounts; however, we do limit ourselves to only two or three accounts per email address.)

And every few days or so, you might try typing terms like “hacker” or “compromised data” into an online news search engine, and see what recent stories pop up; if you read the names of companies with whom you have an account, that’s when you know to be extra-vigilant.

Airplane Systems In-Flight Wi-Fi Is Ripe For Hackers

Cybersecurity researcher Ruben Santamarta says he has figured out how to hack the satellite communications equipment on passenger jets through their Wi-Fi and in-flight entertainment systems.

Andrea Comas/Reuters/Landov

Two years ago, a group at Las Vegas’s annual hacker convention announced it could break into air traffic control systems.

At this year’s Black Hat convention, a cybersecurity consultant, Ruben Santamarta, will discuss how he went even further: By showing it’s possible to interfere with an airplane’s navigation and safety systems — while on the plane and in the air — using the plane’s own Wi-Fi and inflight entertainment systems. As Reuters reports:

“Santamarta published a 25-page research report in April that detailed what he said were multiple bugs in firmware used in satellite communications equipment made by Cobham, Harris, Hughes, Iridium and Japan Radio Co for a wide variety of industries, including aerospace, military, maritime transportation, energy and communications.

“The report laid out scenarios by which hackers could launch attacks, though it did not provide the level of technical details that Santamarta said he will disclose at Black Hat.”

The manufacturers say the risk of break-ins is very small, but, according to Reuters, Santamarta says simple steps can be taken to make the systems more secure: “One vulnerability that Santamarta said he found in equipment from all five manufacturers was the use of ‘hardcoded’ log-in credentials, which are designed to let service technicians access any piece of equipment with the same login and password.”

Other topics on tap for the Black Hat convention this week include an ad network data link that can let hackers take over Android phones; how Microsoft administrator tools can be used for nefarious purposes; uncorrected security gaps during desktop computers’ boot-up processes; and the potential threat of hacks in computers’ USB peripherals.

All Three Billion Yahoo Accounts Hacked

Sitting down? An epic and historic data breach at Yahoo in August 2013 affected every single customer account that existed at the time, Yahoo parent company Verizon said on Tuesday.

That's three billion accounts -- including email, Tumblr, Fantasy and Flickr -- or three times as many as the company initially reported in 2016.

Names, email addresses and passwords, but not financial information, were breached, Yahoo said last year.

The new disclosure comes four months after Verizon (VZ) acquired Yahoo's core internet assets for $4.48 billion. Yahoo is part of Verizon's digital media company, which is called Oath.

Verizon revised the number of breached accounts to three billion after receiving new information.

"The company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft," Verizon said in a statement.

Verizon would not provide any information about who the outside forensics experts are.

Yahoo will send emails to the additional affected accounts. Following the hacking revelations last year, Yahoo required password changes and invalidated unencrypted security questions to protect user information.

According to experts, it's not uncommon for forensic investigations to expose a greater number of victims than initial estimates.

"This often happens with breaches, on a much smaller scale," said Wesley McGrew, a security expert at Horne Cyber. "Initially, the investigation establishes a set of compromised systems and data that encompasses a set of users, then later something is discovered that expands the compromised systems [or] access."

He also said that internal investigations might miss something, and outside experts focused on digital forensics will find more than an internal team.

Ben Johnson, chief technology officer at Obsidian Security, says Yahoo may never know exactly what was accessed. In any breach it's safe to assume the number of affected accounts will be adjusted, he said.

In the case of the massive breach at credit monitoring firm Equifax, for instance, the company initially said the hacking affected 100,000 Canadians, but later revised that number to just 8,000.

Johnson said it's possible that during due diligence of the company's sale, investigators found new information. Another scenario is that accounts thought not to be compromised may have appeared for sale or are being used by criminals.

"The fact is attackers are having field days and the problem is only going to get worse," Johnson said.

Yahoo was also hit by a hack in 2014, which affected around 500 million people and is believed to be separate from the 2013 breach. In March of this year, the Department of Justice indicted four people in connection with the 2014 attack -- two Russian spies and two hackers.

It's unclear who exactly was behind the 2013 break-in, but cybersecurity analysts reported in December that the stolen data was up for sale on the dark web, a murky network only accessible through certain software.

Whether or not people use Yahoo services, they should always practice proper computer hygiene, experts say, such as not reusing passwords and enabling two-factor authentication on all their accounts.

Amazon phishing scams

Joseph Steinberg recently got an email that appeared to be from Amazon, thanking him for making a purchase on Prime Day.

The email promised him a $50 bonus if he would click a link and post a review about the item. Steinburg, who is CEO of SecureMySocial, a firm that watches out for problematic posts, didn't bite. Writing in Inc. Magazine, he said he recognized it as one of the countless phishing schemes using Amazon's name and logo.

But many others might easily fall for it. If you had not made a Prime Day purchase you might be highly suspicious, but if you did make a purchase -- and millions of consumers did -- you might throw caution to the wind and go for the 50 bucks.

How to protect yourself

So if you are an Amazon customer, how do you protect yourself from all the scams that try to take advantage of that relationship. Amazon gets asked that question a lot, and has a page on its website that explains how to protect yourself.

For example, if you get an email about an order you didn't place, it's not from Amazon. The company would like you to send the email as an attachment to stop-spoofing@amazon.com. Make sure you don't open any attachments or click on any links in the email.

Amazon says other scams use a variety of reasons to ask for your user name and password. Should you turn that information over to a scammer, they can buy all kinds of merchandise on your account, charging it to the credit card you have on file.

Other scams will tell you that it's necessary to update your payment information. By directing you to a spoofed site, made to look like it's part of Amazon, the scammer can steal your credit card information.

Black market websites

There are black market sites on the web where scammers can then sell your user name and password, or your credit card info, for a small amount, such as $50 to $100. The purchaser can then use it to make a major purchase -- maybe more than one -- before the fraud is detected.

If you receive a suspicious email that you think could be from Amazon, there is a very simple way to tell if it is. Simply close the email and use your browser to go directly to Amazon.com.

If the email says you need to update your payment information, click on Your Account and then Manage Payment Options. If you really do need to update your payment information, the website will tell you so there.

There are other dead giveaways as well. Phishing emails are sometimes filled with typos and misspellings. In a legitimate link, the address should start with https://www.amazon.com/ followed by the path of the particular page on the Amazon site. The part that matters is the host name between https:// and the first slash: it must be amazon.com itself or end in .amazon.com. A host that merely contains the word amazon, such as amazon.com.example.net or wwwamazon.com, is not Amazon's, and neither is a link that starts with http:// instead of https://. Check the actual link target (hover over it or copy it), not the text the email displays, because the two can differ.
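The host-name rule above is the step people get wrong, so here it is written out as code that a practitioner can run over the links extracted from a suspicious message. This is an added example, not code from the article or from Amazon; the trusted-domain list and the sample links are constructed for illustration, and the IP address used is from a documentation range.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts the article treats as legitimate: amazon.com and its subdomains.
# Constructed allow-list for this example; a real tool would load it from config.
TRUSTED_DOMAINS = ("amazon.com",)


def is_trusted_link(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if url is HTTPS and its host is exactly a trusted domain or a
    subdomain of one. Lookalikes, user@host tricks, bare IPs, non-ASCII
    (homoglyph) hosts and non-HTTPS schemes are all rejected."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # malformed URL (e.g. bad IPv6 brackets)
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname       # drops "user@", drops ":port", lowercases
    if not host:
        return False
    host = host.rstrip(".")     # "amazon.com." is the same host as "amazon.com"
    try:                        # a raw IP address is never a brand's storefront
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if not host.isascii():      # "amazοn.com" with a Greek omicron, etc.
        return False
    # Require an exact match or a dot boundary, so "wwwamazon.com" fails.
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed sample of links as they might appear in a "Prime Day bonus" email.
SAMPLE_LINKS = [
    "https://www.amazon.com/gp/css/homepage.html",      # genuine
    "https://www.amazon.com.review-bonus.example/claim", # brand as a subdomain of attacker host
    "https://www.amazon.com@198.51.100.7/claim",         # "amazon.com" is only the userinfo part
    "https://wwwamazon.com/claim",                        # missing dot
    "http://www.amazon.com/claim",                        # not HTTPS
]


def triage(links=SAMPLE_LINKS) -> dict:
    """Map each link to its verdict so a whole message can be checked at once."""
    return {u: is_trusted_link(u) for u in links}


if __name__ == "__main__":
    for link, ok in triage().items():
        print("OK  " if ok else "BAD ", link)
```

The function deliberately refuses anything it cannot positively classify as a trusted host; an allow-list that errs toward "BAD" is the right default for a phishing check, since the fallback (typing amazon.com into the browser yourself, as the article advises) always works.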

Android Brightest Flashlight app shared user location without permission

(Jim Hood @ ConsumerAffairs) You wouldn't expect your flashlight to spy on you, but the Federal Trade Commission says that's just what one of the most popular Android apps does.

The "Brightest Flashlight Free" app has been downloaded millions of times by Android users who, presumably, never expected that the app would report their whereabouts to the app developer, Goldenshores Technologies LLC, and its clients.

The FTC filed a complaint against the company and its manager, Erik M. Geidl, charging that the company's privacy policy deceptively fails to disclose that the app reports users' geolocation and unique device identifier to third parties, mostly advertising and marketing networks.

In addition, the complaint alleged that the company deceived consumers by presenting them with an option to not share their information, even though the information was shared automatically, rendering the option meaningless.

The company has settled the complaint by agreeing to stop spying on its users and delete any information it still has about them.

“When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “But this flashlight app left them in the dark about how their information was going to be used.”

A few facts omitted

In its complaint, the FTC alleges that Goldenshores’ privacy policy told consumers that any information collected by the Brightest Flashlight app would be used by the company, and listed some categories of information that it might collect. The policy, however, did not mention that the information would also be sent to third parties, such as advertising networks.

Consumers also were presented with a false choice when they downloaded the app, according to the complaint. Upon first opening the app, they were shown the company’s End User License Agreement, which included information on data collection. At the bottom of the license agreement, consumers could click to “Accept” or “Refuse” the terms of the agreement.

Even before a consumer had a chance to accept those terms, though, the application was already collecting and sending information to third parties – including location and the unique device identifier.

The settlement with the FTC prohibits the defendants from misrepresenting how consumers’ information is collected and shared and how much control consumers have over the way their information is used. The settlement also requires the defendants to provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used and shared, and requires defendants to obtain consumers’ affirmative express consent before doing so.

The defendants also will be required to delete any personal information collected from consumers through the Brightest Flashlight app.

Anonymous Online Study

(Truman Lewis @ ConsumerAffairs) If anyone still doubts Americans are concerned about their privacy online, a new Pew Research Center study should dispel those doubts. The researchers found that nearly nine in 10 Web users try to remain anonymous online by clearing their cookies and browser histories, encrypting email or using proxy servers.

Pew also found that consumers frequently edit or delete things they've posted in the past, set their browser to disable cookies, avoid websites that asked for their real names and use fictitious names and email addresses.

The report also found that people are more concerned about the amount of data available about them today online than in the past. In July, 50% of Web users said they were concerned about how much information about them was online, up from 33% in September of 2009, Pew found.

Real problems

The researchers said consumers' fears are often based on problems they've experienced because others stole their personal information or took advantage of their visibility online.

It cited these examples:

  • 21% of internet users have had an email or social networking account compromised or taken over by someone else without permission.
  • 13% of internet users have experienced trouble in a relationship between them and a family member or a friend because of something the user posted online.
  • 12% of internet users have been stalked or harassed online.
  • 11% of internet users have had important personal information stolen such as their Social Security Number, credit card, or bank account information.
  • 6% of internet users have been the victim of an online scam and lost money.
  • 6% of internet users have had their reputation damaged because of something that happened online.
  • 4% of internet users have been led into physical danger because of something that happened online.
  • 1% of internet users have lost a job opportunity or educational opportunity because of something they posted online or someone posted about them.

Some 68% of internet users believe current laws are not good enough in protecting people’s privacy online and 24% believe current laws provide reasonable protections.


Concern is growing

Consumers' concerns about their privacy have been growing steadily in recent years. Pew found that 50% of those surveyed say they are worried about the amount of personal information about them that is online — a figure that has jumped from 33% who expressed such worry in 2009.  

Another study, this one conducted by advertising agency Omnicom's Annalect, also found consumers increasingly concerned. The study found 57% of web users in July were "concerned" or "very concerned" about their online privacy, up from 48% in June. The jump was attributed to the news that the NSA has been collecting metadata about U.S. citizens for years.

"People would like control over their information, saying in many cases it is very important to them that only they or the people they authorize should be given access to such things as the content of their emails, the people to whom they are sending emails, the place where they are when they are online, and the content of the files they download," the Pew researchers said.

Companies try to duck

The rising tide of consumer resistance, often bordering on outrage, doesn't seem to be making an impression on companies, which are trying to find ways to hide their surveillance activities rather than cutting back on them.

After conducting its study that found 57% of consumers concerned about their online privacy, Annalect, a market research company, said it would "continue to evolve how we measure and triangulate consumer consumption patterns."

Adam Gitlin, global managing director for digital analytics at Annalect's data group, told Online Media Daily his company was "looking at all possibilities" for tracking people without cookies.

Some industry executives have been talking about "device fingerprinting," a method of tracking people by keeping track of the characteristics associated with their computers. 

Anonymous But Controversial Way to Surf the Internet

(Geoffrey A. Fowler, Wall Street Journal) For more than four years, William Weber has helped run a free service called Tor that makes Web surfing anonymous for anyone.

Then on Nov. 28, the police showed up at the 20-year-old's home in Graz, Austria, and accused him of distributing child pornography. He says the authorities confiscated his computers, and he now awaits formal charges that could lead to jail time.

Mr. Weber says the porn isn't his. But it might have come through his computers as the unavoidable cost of serving as a volunteer for the fast-growing Tor network. "Sure it's bad" that Tor can be used by criminals, he says, but "there is nothing I or the Tor Project can do."

His experience underscores the challenges facing the Tor Project Inc., a 10-year-old Walpole, Mass., nonprofit that is hoping to take anonymous Web surfing mainstream. The network depends on volunteers such as Mr. Weber whose computers help reroute and conceal Internet traffic.

Created in part to hide the online activity of dissidents in countries such as Iran and China that censor the Internet, Tor has seen its popularity grow in the U.S. and Europe amid concerns about online privacy. In the past year, use of the free software nearly doubled to about 600,000 people every day, the group says.

"Ten years ago, no one had this concept of privacy," says Andrew Lewman, Tor's executive director. "But with the [former General David] Petraeus scandal and cellphones recording your location, now this doesn't seem so far-fetched anymore." Today, some 14% of Tor's traffic connects from the U.S.; people living in Internet-censoring countries are now Tor's second-largest user base.

American users include Andrew Whitacre, 32, who works in the comparative media studies department at the Massachusetts Institute of Technology. He set the Tor software to run automatically on his home computer after learning about it from colleagues. "I can't be confident that I know everything out there that might do my computer or contacts harm," he says.

Tor gets about 80% of its $2 million annual budget from branches of the U.S. government that support free speech and scientific research, with the rest coming from the Swedish government and other groups.

To grow further, Tor must convince more volunteers to sign on to extend its network. That is because Tor, which began in 1996 as a project of the U.S. Naval Research Laboratory called Onion Routing, routes a user's Internet data between a series of random volunteer "node" computers.

This process makes it virtually impossible to trace the data request back to the original user. From the outside, it looks like the data request came from the last node on the chain, such as the one Mr. Weber was running.
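The two paragraphs above describe onion routing in a sentence; the following simulation shows why each volunteer node learns only its neighbours while the last node sees the plain request. It is an added example, not code from the Tor Project: the node names, the fixed-width next-hop field and the HMAC-SHA256 keystream cipher are toy choices made for this illustration (Tor uses AES in counter mode with keys negotiated hop by hop, plus integrity checks), and the client here is simply handed every node's key instead of running those handshakes.

```python
import hashlib
import hmac
import os

HOP = 16  # fixed-width next-hop field, so layer sizes do not leak hop names


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce || counter) blocks.
    Symmetric, so the same call encrypts and decrypts. Illustrative only:
    no authentication, and not what Tor actually uses."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


class Node:
    """One volunteer relay. It holds a per-circuit key and records what it saw."""

    def __init__(self, name: str):
        self.name = name
        self.key = os.urandom(32)   # in Tor this comes from a handshake, not the client
        self.observed = None        # (previous hop, next hop) as this node sees them

    def peel(self, prev_hop: str, nonce: bytes, blob: bytes):
        """Strip one layer: decrypt, read the next hop, forward the inner blob."""
        inner = keystream_xor(self.key, nonce, blob)
        next_hop = inner[:HOP].rstrip(b"\0").decode()
        self.observed = (prev_hop, next_hop)
        return next_hop, inner[HOP:]


def build_onion(request: bytes, path, nonce: bytes) -> bytes:
    """Client side: wrap innermost-first, so the exit's layer is applied first
    and the entry's layer last. Each layer carries only the next hop's name."""
    blob = request
    next_hop = "DEST"                     # marker meaning "deliver to the website"
    for node in reversed(path):
        blob = keystream_xor(node.key, nonce, next_hop.encode().ljust(HOP, b"\0") + blob)
        next_hop = node.name
    return blob


def run_circuit(request: bytes, path):
    """Send one request through the path and return what was delivered plus
    what each relay observed."""
    nonce = os.urandom(16)
    blob = build_onion(request, path, nonce)
    prev_hop = "client"
    for node in path:
        next_hop, blob = node.peel(prev_hop, nonce, blob)
        prev_hop = node.name
    assert next_hop == "DEST", "last layer must address the destination"
    return {"delivered": blob, "views": {n.name: n.observed for n in path}}


if __name__ == "__main__":
    circuit = [Node("entry"), Node("middle"), Node("exit")]
    result = run_circuit(b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n", circuit)
    for name, (prev, nxt) in result["views"].items():
        print(f"{name:7s} saw traffic from {prev:7s} and forwarded it to {nxt}")
    print("exit delivered:", result["delivered"])
```

The output is the point of the article: the entry node sees the client but only an encrypted blob, the middle node sees neither the client nor the destination, and the exit node sees the request in the clear but has no idea who sent it. That last line is also why Mr. Weber's computers could carry content he never chose: whatever the request is, it leaves the network from the exit node, unencrypted unless the user was speaking HTTPS to the site.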

Today, Tor has enough volunteer nodes—some 3,200—to allow the network to handle two million daily users. But to sustain millions more users and keep traffic from slowing down, Mr. Lewman says it needs 10,000 nodes.

Tor is developing hardware that volunteers could buy and plug into their home Internet connections to automatically become nodes. For people uncomfortable about running their own nodes with illegal activity on the network, Tor offers a program to sponsor a larger node that is operated by someone else and serves as the final, and riskiest, node in the chain.

Tor is "a challenge for law enforcement," says John Shehan, executive director of the National Center for Missing & Exploited Children in Alexandria, Va. It is being used regularly to trade sexually exploitative images of children, he says, but there is little Tor's creators can do about it.

A spokeswoman for the Federal Bureau of Investigation, which polices child pornography, declined to comment.

Services such as Tor "provide lifesaving privacy and security for people who otherwise could face extreme reprisal from their governments," says Andre Mendes, director of technology, services and innovation at the U.S. government's International Broadcasting Bureau, which has given $2.5 million to Tor since 2006.

Tor's Mr. Lewman says the organization has received subpoenas, but hasn't ended up in court because it doesn't actually store any data that could be of use. "We spend a lot of time talking to various law enforcement agencies," he says, adding that some police use Tor themselves for undercover work.

Marcia Hofmann, senior staff attorney at digital-liberties group and Tor partner Electronic Frontier Foundation, says Tor volunteers are likely protected by U.S. law, but it hasn't been tested in court. "At the end of the day, a Tor is a neutral tool," she says, noting that Internet service and telephone providers aren't held accountable for how criminals use their networks.

Still, she recommends Tor volunteers with the largest exit nodes set up their servers at third-party server facilities rather than their homes or offices, if only to prevent authorities from temporarily seizing computers that they are using for other purposes.

In San Francisco, members of a nonprofit hacker workspace called Noisebridge decided a year ago to spend about $800 per month to run a node of their own. "We really care about freedom of expression," says Andy Isaacson, 35, one of the group's founders.

Initially, some of Noisebridge's members were concerned about potential legal challenges. So the group decided to host its node at a commercial server facility in Los Angeles instead of their San Francisco office. Still, they field queries from law-enforcement officials about three times a month, and twice have had officers show up at their San Francisco office.

To deal with these situations, Mr. Isaacson says Noisebridge keeps handouts about Tor near its front door to hand out to any police who show up. "We haven't had any really bad interactions," he says. "But it is always uncomfortable to have them stop by."

Write to Geoffrey A. Fowler at geoffrey.fowler@wsj.com

AntiVirus Only Stops 45% - Symantec

(Jennifer Abel @ ConsumerAffairs) Computer technology has evolved considerably in the past quarter-century, but hacking-into-computer technology has too.

Symantec Corporation, which introduced the first commercially available anti-virus software 25 years ago, is shifting its focus away from anti-virus programs into other security strategies, the Wall Street Journal reports. Symantec senior VP for information security Brian Dye told the Journal that anti-virus “is dead.”

Here's why: traditional anti-virus software focuses primarily on keeping hackers out of computers, specifically by looking for certain bits of code hackers use to break in where they don't belong. But hackers develop new viruses so quickly, anti-virus writers simply can't stay ahead of them.

Dye estimated that anti-virus software now only succeeds in stopping 45% of cyberattacks. Furthermore, viruses are far from the only method hackers have of gaining entrance to a system, anyway.

When all else fails ...

Since keeping hackers out of a system doesn't always work, computer security now focuses also on how to minimize the damage hackers can do once they're in.

Last March, for example, a U.S. Senate committee released a “kill chain” report about the various ways Target ignored chances to stop the massive security breach which put up to 40 million customers at risk (and cost their banks and credit card companies a lot of money, too).

Among other things, the report said that Target ignored multiple automated warnings from its own security software indicating that hackers were in the system, installing damaging malware and sending secure files out.

The security software Target chose to ignore was created by FireEye Research Labs, the security firm which recently made headlines after discovering the zero-day security flaw which potentially gave hackers access to all versions of Internet Explorer from IE6 on up. Target's first line of defense — keep hackers out of the system altogether — failed after a hacker acquired fake credentials sufficient to enter the system; no anti-virus software could possibly have prevented that, since “a virus” wasn't the problem.

The second line of defense — prevent hackers from causing trouble once they're in the system — might have worked, had Target acted upon its security warnings.

Though Brian Dye said anti-virus is “dead,” that does not mean that you, the everyday computer user, should stop using properly updated anti-virus software on your machine; it means you can't blithely assume “Since I have an updated anti-virus program, I have nothing to worry about.”

You still need to exercise due diligence yourself: for starters, don't click on suspicious-looking links, open spammy-looking emails or download unsolicited files. And if you are Target or any other enormous multinational corporation, don't give third-party air-conditioner repairmen access to the super-sensitive database where you store your customers' confidential financial information, either.

If you can't keep hackers out, you can at least limit what happens once they're in!

Antivirus Makers Struggle to Keep Up

The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses.

Security experts at the Symantec Security Operation Center in Alexandria, Va. The word “antivirus” is less used on its products.

Consumers and businesses spend billions of dollars every year on antivirus software. But these programs rarely, if ever, block freshly minted computer viruses, experts say, because the virus creators move too quickly. That is prompting start-ups and other companies to get creative about new approaches to computer security.

“The bad guys are always trying to be a step ahead,” said Matthew D. Howard, a venture capitalist at Norwest Venture Partners who previously set up the security strategy at Cisco Systems. “And it doesn’t take a lot to be a step ahead.”

Computer viruses used to be the domain of digital mischief makers. But in the mid-2000s, when criminals discovered that malicious software could be profitable, the number of new viruses began to grow exponentially.

In 2000, there were fewer than a million new strains of malware, most of them the work of amateurs. By 2010, there were 49 million new strains, according to AV-Test, a German research institute that tests antivirus products.

The antivirus industry has grown as well, but experts say it is falling behind. By the time its products are able to block new viruses, it is often too late. The bad guys have already had their fun, siphoning out a company’s trade secrets, erasing data or emptying a consumer’s bank account.

A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva’s chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent.

On average, it took almost a month for antivirus products to update their detection mechanisms and spot the new viruses. And two of the products with the best detection rates — Avast and Emsisoft — are available free; users are encouraged to pay for additional features. This despite the fact that consumers and businesses spent a combined $7.4 billion on antivirus software last year — nearly half of the $17.7 billion spent on security software in 2011, according to Gartner.

“Existing methodologies we’ve been protecting ourselves with have lost their efficacy,” said Ted Schlein, a security-focused investment partner at Kleiner Perkins Caufield & Byers. “This study is just another indicator of that. But the whole concept of detecting what is bad is a broken concept.”

Part of the problem is that antivirus products are inherently reactive. Just as medical researchers have to study a virus before they can create a vaccine, antivirus makers must capture a computer virus, take it apart and identify its “signature” — unique signs in its code — before they can write a program that removes it.

That process can take as little as a few hours or as long as several years. In May, researchers at Kaspersky Lab discovered Flame, a complex piece of malware that had been stealing data from computers for an estimated five years.

Mikko H. Hypponen, chief researcher at F-Secure, called Flame “a spectacular failure” for the antivirus industry. “We really should have been able to do better,” he wrote in an essay for Wired.com after Flame’s discovery. “But we didn’t. We were out of our league in our own game.”

Symantec and McAfee, which built their businesses on antivirus products, have begun to acknowledge their limitations and to try new approaches. The word “antivirus” does not appear once on their home pages. Symantec rebranded its popular antivirus packages: its consumer product is now called Norton Internet Security, and its corporate offering is now Symantec Endpoint Protection.

Imperva, which sponsored the antivirus study, has a horse in this race. Its Web application and data security software are part of a wave of products that look at security in a new way. Instead of simply blocking what is bad, as antivirus programs and perimeter firewalls are designed to do, Imperva monitors access to servers, databases and files for suspicious activity.

The day companies unplug their antivirus software is still far off, but entrepreneurs and investors are betting that the old tools will become relics.

“The game has changed from the attacker’s standpoint,” said Phil Hochmuth, a Web security analyst at the research firm International Data Corporation. “The traditional signature-based method of detecting malware is not keeping up.”

Investors are backing a new crop of start-ups that turn the whole notion of security on its head. If it is no longer possible to block everything that is bad, the thinking goes, then the security companies of the future will be the ones whose software can spot unusual behavior and clean up systems once they have been breached.

The hottest security start-ups today are companies like Bit9, Bromium, FireEye and Seculert that monitor Internet traffic, and companies like Mandiant and CrowdStrike that have expertise in cleaning up after an attack.

Bit9, which received more than $70 million in financing from top venture firms like Kleiner Perkins and Sequoia Capital, uses an approach known as whitelisting, allowing only traffic that the system knows is innocuous.

McAfee acquired Solidcore, a whitelisting start-up, in 2009, and Symantec’s products now include its Insight technology, which is similar in that it does not let any unknown files run on a machine.

McAfee’s former chief executive, David G. DeWalt, was rumored to be a contender for the top job at Intel, which acquired McAfee in 2010. Instead, he joined FireEye, a start-up with a system that isolates a company’s applications in virtual containers, then looks for suspicious activity in a sort of digital petri dish before deciding whether to let traffic through.

The company has received more than $35 million in financing from Norwest, Sequoia Capital and In-Q-Tel, the venture arm of the Central Intelligence Agency, among others.

Seculert, an Israeli start-up, approaches the problem somewhat differently. It looks at where threats are coming from — the command and control centers used to coordinate attacks — to give governments and businesses an early warning system. As the number of prominent online attacks rises, analysts and venture capitalists are betting that corporate spending patterns will change.

“Technologies that once were only used by very sensitive industries like finance are moving into the mainstream,” Mr. Hochmuth said. “Very soon, if you are not running these technologies and you’re a security professional, your colleagues and counterparts will start to look at you funny.”

Companies have started working from the assumption that they will be hacked, Mr. Hochmuth said, and that when they are, they will need top-notch cleanup crews. Mandiant, which specializes in data forensics and responding to breaches, has received $70 million from Kleiner Perkins and One Equity Partners, JPMorgan Chase’s private investment arm.

Two McAfee executives, George Kurtz and Dmitri Alperovitch, left to start CrowdStrike, a start-up that offers a similar forensics service. Less than a year later, they have already raised $26 million from Warburg Pincus.

If and when antivirus makers are able to fortify desktop computers, chances are the criminals will have already moved on to smartphones.

In October, the F.B.I. warned that a number of malicious apps were compromising Android devices. And in July, Kaspersky Lab discovered the first malicious app in Apple’s app store. The Defense Department has called for companies and universities to find ways to protect mobile devices from malware. McAfee, Symantec and others are working on solutions, and Lookout, a start-up whose products scan apps for malware and viruses, recently raised funding that valued it at $1 billion.


Apple Finally Released Standalone Virus Removal Tool

In its ongoing battle against the widespread Flashback malware attack, Apple has released a standalone removal tool. The utility is available only for users of the most recent version of OS X who have chosen not to install Java.

In its ongoing battle to clean up the Flashback malware mess, Apple has now released a standalone removal tool.

The downloadable utility is available exclusively for Mac owners running OS X Lion. It will not run on Mac OS X 10.6 (Snow Leopard) or earlier versions.

A description and download link are available here. The accompanying security bulletin says “This update is recommended for all OS X Lion users without Java installed.”


Apple MAC Flashback Virus How To Detect And Fix

With 500,000+ Macs reportedly infected with this trojan, Kaspersky Lab, the first company to inform the public about the Flashback threat, has introduced a website called Flashbackcheck. There, you can check to see if your computer is infected and, if it is, download software to delete the rogue virus. Similarly, anti-virus company F-Secure has released its own cure, a tool called Flashback Removal. The download is a relatively small file that scours your computer for the virus and helps isolate and eliminate the threat if your Mac is infected.

Neither of these is an official solution from Apple. Still, with no word on exactly how long Apple's fix will take, they make a really good substitute for anyone who's developed a well-founded case of digital germophobia.


Apple operating systems vulnerable to password theft

Apple released a new macOS operating system Monday, but already security experts are saying it is vulnerable to a zero-day exploit that puts users’ passwords at risk.

Patrick Wardle, a white-hat hacker who formerly worked for the National Security Agency, posted a video of how the exploit can steal plaintext passwords that are stored in Mac keychain – an app that stores passwords on Mac operating systems. In a statement to Ars Technica, he explains that Apple’s security measures have long fallen short of the mark.

“As a passionate Mac user, I’m continually disappointed in the security on macOS,” said Wardle. “I don’t mean that to be taken personally by anybody at Apple – but every time I look at macOS the wrong way, something falls over. I felt that users should be aware of the risks that are out there.”

Hacking users’ passwords

In his demonstration, Wardle shows how using a “keychainStealer” app can expose users’ passwords for several different accounts, including Facebook, Twitter, and even Bank of America.

In a statement, Apple said that macOS is “designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in [Wardle’s video], and prevents them from launching the app without explicit approval [from the user].”

It’s true that Gatekeeper keeps Mac users from installing apps that aren’t digitally signed, such as the one that Wardle used in his video. However, it should be noted that a hacker can easily digitally sign an app by applying for membership in the Apple Developer Program, which costs $99 per year. With those credentials, hackers could then use an app similar to Wardle’s to execute the same actions.

Additionally, Wardle says that he reported the vulnerability to Apple back in August so that the company could fix it before rolling High Sierra out to the public. Unfortunately, it seems that Apple decided to release the new OS without fixing the issue first.

Wardle points out that the vulnerability may not be exclusive to High Sierra, and that earlier versions of macOS could be similarly affected.

Are Apps Uploading Your Address Book to the Internet

(Jim Hood @ ConsumerAffairs) Does the information in your online address book have any value? A group of online developers say it doesn't and that, therefore, you shouldn't complain if they copy it without bothering to ask.

Using that argument, the developers want a federal judge to throw out a lawsuit accusing them of violating consumers' privacy by swiping the names and email addresses stored on their computer or smartphone. 

The developers basically say the consumers have no "standing" -- meaning that they have not been harmed or affected in any way and therefore should sit down and shut up.

Besides, the developers note, in most cases they didn't charge the consumers anything for the apps they downloaded so there were no economic damages.

You might ask why somebody would bother to steal something that has no value, but that's another question.

It all started ...

The origin of the case dates back to March 2012, when a Texas resident, Marc Opperman, sued Path and other developers who allegedly uploaded address books from his iPhone. A month earlier, the Federal Trade Commission had sued Path for allegedly violating its users' privacy by swiping their address books.

Path, a somewhat obscure social network, apologized and said it had deleted the information. It also settled the FTC complaint.

Since then, Opperman's original case has expanded to include many more developers, including Instagram, Yelp, Hipster and Twitter.

The developers have asked U.S. District Court Judge Jon Tigar in San Francisco to dismiss the suit with prejudice, meaning that it could not be refiled, saying that consumers have not demonstrated any damage. 

“Plaintiffs have not identified any use of their address books by any defendant or third party that caused plaintiffs any harm or that devalued plaintiffs’ address book information,” they argue.

Are Cloud Services Secure

(Mark Huffman @ ConsumerAffairs) To make it easier to share huge files, as well as ensure the safety of important data, businesses are making increasing use of the cloud – storing their computer files on remote servers.

But two researchers at Johns Hopkins have questioned the security of the growing number of companies now offering cloud storage services.

Lead author Duane Wilson, a doctoral student, and his faculty adviser, Giuseppe Ateniese, an associate professor of engineering, say they have found a flaw that could allow the company storing the supposed secure data to view it.

Zero-knowledge environment

When a company stores its secure data in the cloud, they typically are promised that the information will remain in a “zero-knowledge environment,” meaning that no one except those who have permission to access the data can see it.

Encryption is supposed to protect the data. The researchers say it doesn't always work that way.

“Our research shows that as long as the data is not shared with others, its confidentiality will be preserved, as the providers claim,” Wilson said. “However, whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers’ files and other data.”

In other words, the company that is holding and protecting the data is also able to view it. This weakness, the researchers say, calls into question the privacy protection these digital warehouses claim to offer.

Trusted middleman

In cloud-based storage, a trusted third party acts as sort of a middleman to verify the identity of the parties accessing the data, making sure they are cleared for access.

After completing an authentication process, the middleman issues “keys” that can unscramble and later recode the data. But Wilson says he found that many cloud storage companies were not turning to an outside third-party, but carrying out the verification function in-house.

That might not be a problem in a perfect world, where all employees are committed to maintaining the clients' confidentiality. Unfortunately, says Wilson, it's not a perfect world.

“The storage businesses could use a phony ‘key’ to decrypt and view the private information, then re-encrypt it before sending it on to its intended recipient,” Wilson said.

Reverse engineering

The researchers say they substantiated the security flaw by reverse engineering a typical cloud storage system. They also carried out a network traffic analysis to study the type of communication that occurs between a secure cloud storage provider and its customers.

They stress that they have no evidence that any cloud storage provider is illegally accessing their customer's confidential data, but say it is important that consumers and businesses using these services understand the potential risks.

The study focused on storage providers that promise their clients complete confidentiality. File-sharing services commonly used by consumers, like Dropbox and Google Drive, don't guarantee privacy and consumers shouldn't assume they have it.

The flaw is easily fixable, Wilson says, if storage companies are required to actually use third-party companies to serve as the file-sharing middleman, instead of performing the function in-house.
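The weakness the researchers describe, modelled as an added example (not the researchers' code or any provider's): two customers agree a file key through the provider acting as the "trusted middleman", and a provider that hands each side a phony key of its own can decrypt and re-encrypt the file unnoticed, unless the customers compare key fingerprints over a channel the provider does not control. The Diffie-Hellman parameters, the HMAC-based stream cipher and the names `Party` and `share_via_provider` are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman parameters for illustration only: a prime modulus
# and generator, but not a vetted group for real deployments.
P = 2**255 - 19
G = 2


def kdf(shared_secret: int) -> bytes:
    """Derive a 32-byte file key from the agreed DH secret."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream. It is symmetric,
    so the same call encrypts and decrypts; it stands in for the provider's file cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def fingerprint(pub: int) -> str:
    """Short hash of a public value, the kind of thing two users can read to each other."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()[:16]


class Party:
    """A customer (or the provider) holding a DH key pair."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 3) + 2  # private exponent in [2, P-2]
        self.pub = pow(G, self.priv, P)

    def file_key(self, peer_pub: int) -> bytes:
        return kdf(pow(peer_pub, self.priv, P))


def share_via_provider(alice: Party, bob: Party, plaintext: bytes, provider_rogue: bool) -> dict:
    """Alice shares a file with Bob. Each learns the other's public value only from the
    provider, which plays the middleman. When provider_rogue is True the provider hands
    each side its own public value instead (the 'phony key'), decrypts what Alice sent
    and re-encrypts it for Bob, who receives the correct file and notices nothing."""
    provider = Party("provider")
    pub_given_to_alice = provider.pub if provider_rogue else bob.pub
    pub_given_to_bob = provider.pub if provider_rogue else alice.pub

    ciphertext = xor_crypt(alice.file_key(pub_given_to_alice), plaintext)

    provider_view = None
    if provider_rogue:
        provider_view = xor_crypt(provider.file_key(alice.pub), ciphertext)  # decrypt
        ciphertext = xor_crypt(provider.file_key(bob.pub), provider_view)    # re-encrypt

    bob_view = xor_crypt(bob.file_key(pub_given_to_bob), ciphertext)

    # Defence: Alice and Bob compare the fingerprints of the public values the provider
    # gave them against what the other party actually holds, out of band.
    keys_verified = (fingerprint(pub_given_to_alice) == fingerprint(bob.pub)
                     and fingerprint(pub_given_to_bob) == fingerprint(alice.pub))

    return {"bob_received": bob_view, "provider_saw": provider_view, "keys_verified": keys_verified}


if __name__ == "__main__":
    alice, bob = Party("alice"), Party("bob")
    secret_file = b"Q3 acquisition targets (constructed sample)"
    for rogue in (False, True):
        r = share_via_provider(alice, bob, secret_file, provider_rogue=rogue)
        print(f"rogue provider={rogue}: bob got file={r['bob_received'] == secret_file}, "
              f"provider read it={r['provider_saw'] == secret_file}, "
              f"fingerprints match={r['keys_verified']}")
```

In the rogue run Bob still receives the intact file, which is why the researchers' point only shows up when the key fingerprints are checked independently of the provider.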

Still dealing with Heartbleed

The revelations from the Johns Hopkins researchers come at a time when security experts are still scrambling to deal with the fallout from the recently-revealed Heartbleed flaw.

“Everyone should worry about Heartbleed and should change passwords,” said Guy Hembroff, associate professor and chair of the Computer Network and System Administration program at Michigan Technological University. “An average user logging into their Amazon account may be logging into a server that was compromised.”

If that happened to be the case, he says their username, password, and account information – such as address and credit-card information -- would be in the memory of the server where the vulnerability is targeted.

“Therefore changing passwords of these accounts is important,” he said.

Are We Sharing Too Much On Facebook?

Facebook is all about sharing, but things may be getting out of hand.

Facebook has developed an Open Graph platform for apps, to facilitate "frictionless sharing." That means we can share whatever has captured our attention on the web with our friends.

Social media apps take the multimedia content we access online and publish the information to our Facebook profiles without the need to click on anything, such as the "Like" button.

But many users aren’t even aware what these new social apps are posting to their profiles. These apps are busy broadcasting your content without your ever being aware of it.

The folks at Facebook claim to think they are doing their members a favor. As they claim to see it, they are making it easier to share information, assuming the things you access online were going to be shared anyway. They've just saved you a step.


Are you giving away too much information

(Mark Huffman @ ConsumerAffairs) Scammers are really good at playing head games with their victims, in hopes they will reveal things they shouldn't. Sensitive information can be used to steal identities, money, or both.

Whatever the scammers are doing, it appears to be working. The 2016 American Mobile Usage Survey found consumers are revealing twice as much sensitive information than they did last year.

First Orion, the company sponsoring the survey, says consumers are bombarded by dubious telemarketers placing over 30 million calls to their mobile phones every day. With those kinds of numbers, it only makes sense that many consumers getting these calls will spill too much information.

In particular, the survey found consumers are a bit too willing to give out their credit card numbers. First Orion estimates about 15 million consumers fell for a caller's pitch and request for a credit card. Worse, an estimated 10 million consumers gave scammers their Social Security numbers in response to a call.

Getting more aggressive

"Scammers are getting more aggressive and becoming more effective at targeting our mobile phones," said Jonathan Sasse, CMO of First Orion. "Nearly three quarters of the people we surveyed received a scam call this year, which is over 60 million more mobile phone owners than in 2015.”

Sasse says scammers have moved to mobile phones in a big way, with 3% of consumers saying they got at least 10 such calls in the last month. Many people said they changed their mobile phone number in an effort to stop the calls.

First Orion, of course, is in the business of blocking unwanted calls. Its PrivacyStar service is marketed to phone companies as well as consumers as a way to identify and block calls from robocallers, who are often scammers.

As we reported last year, the PrivacyStar app also has a feature that could allow consumers to profit from all those unwanted robocalls, if they are from a real company doing business in the U.S. For consumers hounded with hundreds of robocalls from the same company, the app will refer them to consumer lawyers in their area.

PrivacyStar provides the lawyers with the documentary evidence and the lawyers pursue settlements, often in the thousands of dollars.

In the meantime, it goes without saying that anyone calling your cellphone out of the blue and trying to sell something or solicit information is probably up to no good. It's best to hang up, then use the feature on your smartphone to block the number in the future.

August 2012 Patch Tuesday

August brings a wild array of Microsoft technologies to update this month, with both significant client side and server side targets in this month's list of vulnerable software. Nine security bulletins (MS12-052 through MS12-060) are being released to update 26 enumerated vulnerabilities (13 from Microsoft, 13 from Oracle), most urgently including the code in Internet Explorer, an ActiveX Control exposed via Microsoft Word and Excel, and multiple network services. The Microsoft community is faced with five bulletins that contain secured code for a slew of critical rated CVE's.

The MSCOMCTL.ocx ActiveX component exposed by Word, Excel, IE, and Wordpad has been actively and heavily abused in high value targeted attacks around the world over the past handful of months, because of flawed code described by CVE-2012-0158. We described an example of such an APT related exploit in June, and on a global scale, we continue to prevent newly developed exploits abusing CVE-2012-0158, especially with our "automatic exploit prevention". Well, we are going to see the Word and Excel spearphish bait continue to chum the proverbial waters, as Microsoft patches CVE-2012-1856 this month. My guess is that we will see attackers casting their lines with more password protected archives containing these exploits, as network defenders tighten up their networks and network security solution developers improve their product capabilities to make it somewhat more difficult to reach better defended, high-value targets.

MS12-052 patches critical flaws in Internet Explorer code, including another one from the problematic "use-after-free" class of memory corruption errors described by CVE-2012-1526. These bugs are the sort that make their way into the COTS exploit packs like Blackhole and Phoenix, and have been included in mass exploitation schemes when WordPress and other platform bugs crop up. Multiple other bugs for Internet Explorer 7, 8 and 9 are all being patched, including the missing MSXML5 update for CVE-2012-1889 (only "certain versions" of Office 2003 and 2007 delivered that version of the component).

An odd set of bugs in string parsing network service code gives attackers who are already inside a network a way to move laterally within an enterprise after the initial intrusion. Microsoft predicts that public exploits will be available for these vulnerabilities within 30 days of this patch release. MS12-054 provides secured code for this critical but harder to reach path.

On the server side, Oracle's buggy "Outside In" third party libraries running on Exchange are being patched - public reports and investigations of bugs in the content-indexing code first started surfacing in July. The US-CERT delivered a descriptive note for the problem on Jul 17th for not only Exchange, but Oracle Fusion Middleware, Guidance Encase Forensics, AccessData FTK, and Novell Groupwise. It appears to be the first time Microsoft has ever included a patch for Oracle code in their releases, but unfortunately, it's probably not an indication that Oracle updates will be maintained and pushed with Microsoft Update on Windows anytime soon.

Bottom Line - Restart your computers Wednesday Morning 8/15/2012.


Average Security Incident Costs SMBs $85k

The average cost of a security incident for large businesses is $861,000, and for SMBs is $86,500, according to new research from Kaspersky Lab. The report, Measuring the Financial Impact of IT Security on Businesses, released this week, details the financial impact of security breaches and what companies around the world are doing about it.

The report is based on the 2016 results of the annual Corporate IT Security Risks survey, conducted by Kaspersky and B2B International. The survey included 4000 respondents from different sized organizations in 25 countries.

Roughly half of businesses in the U.S. (49 percent) and globally (52 percent) assume that their IT security will be breached sooner or later. This is a recognition of reality, as 77 percent of U.S. businesses and 82 percent globally have experienced between 1 and 5 separate data security incidents in the last year.

Over one-third of businesses (38 percent) have lost productivity to malware or viruses in the last 12 months, while 36 percent have had inappropriate use of IT resources by employees, and 21 percent have experienced data loss or exposure caused by targeted attacks.

Additionally, close to 3 out of 10 companies physically lost a device containing data. Of all security incidents, 43 percent resulted in data loss or exposure of some kind, adding significantly to the high cost of incidents. The largest area of additional cost from security incidents is additional wages for IT staff.

Considering the costs breaches entail, it makes sense that SMBs are particularly concerned with security when selecting cloud hosting providers, as indicated by a recent survey. A survey of SMBs in the U.S., U.K., and Australia released late last year by Webroot suggested their cybersecurity budgets would increase by 22 percent this year.

In part because of the difference in overtime costs, fast recognition of a breach greatly reduces cost, with attacks recognized over a week later costing almost four times as much for SMBs and almost three times as much for enterprises as those recognized nearly instantly by a detection system. Shockingly, 1 in 10 U.S. businesses said it can take up to a year to discover a breach.


“The survey proves that reaction time post-breach has a direct impact on financial losses,” Vladimir Zapolyansky, Head of SMB Marketing, Kaspersky Lab said in a statement. “This is something that cannot be remedied via budget increases. It requires talent, intelligence and an agile attitude towards protecting one’s business. As a security vendor, our goal is to provide tools and intelligence for businesses of all sizes, keeping in mind the difference in ability to allocate security budgets.”

IT security budgets are increasing, however, by an average of 14 percent over the next three years. Similar numbers of enterprises (48 percent) and SMBs (42 percent) see IT infrastructure complexity as a driver of security budgets. Enterprises are more impacted by hacktivism, while SMBs have a higher proportion of exploitation of mobile devices.

Backdoor found in D-Link home routers

[Photo caption: The backdoor could let attackers spy on net traffic]

An easy-to-exploit backdoor has been found in seven different models of domestic routers made by D-Link and Planex.

The backdoor, if used, would let an attacker take complete control of a router or modem and spy on a home's browsing activity.

D-Link has acknowledged the existence of the backdoor and said a fix would be available by the end of October.

So far, the backdoor does not seem to have been exploited "in the wild".

The backdoor was discovered by security researcher Craig Heffner, who reverse-engineered the software used to control a D-Link DIR-100 router. Deep analysis of the code revealed a string of letters that, if used in the right way, unlocked remote access to the gadget.

Writing about his findings on his blog, Mr Heffner speculated that the password string was included to make it easier for D-Link to remotely update some of its products.

The same string has been found to work on seven D-Link routers (DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and the TM-G5240) and two from Planex (BRL-04UR and BRL-04CW).

Many thousands of people are believed to have bought the routers before they were revealed to be vulnerable.

In a statement, D-Link said it was working with Mr Heffner and other security researchers to find out more about the backdoor. And it was also conducting a review of its other products to see if it was present in other models.

It added that it would soon produce an update for the software that keeps the routers running, known as firmware, that would close the backdoor. The company urged users to be vigilant and to disable remote access to their router if it was not needed.

Planex has yet to issue a statement about its products.

Banking ATMs Face Deadline to Upgrade From Windows XP

(@ BusinessWeek) One-dollar bills. Envelope-free deposits. Stamp dispensers. These are a few of the features that Wells Fargo (WFC), Bank of America (BAC), JPMorgan Chase (JPM), and other banks tout as the latest and greatest features of their fleets of ATMs. It’s hardly stuff to set the heart racing.

When ATMs were introduced more than 40 years ago, they were considered advanced technology. Today, not so much. There are 420,000 ATMs in the U.S., and on April 8, a deadline looms for nearly all of them that underscores how sluggishly the nation’s cash delivery system moves forward. That’s the day Microsoft (MSFT) cuts off tech support for Windows XP, meaning that ATMs running the software will no longer receive regular security patches and won’t be in compliance with industry standards. Most machines that get upgraded will shift to Windows 7, an operating system that became available in October 2009. (Some companies get a bit of a reprieve: For ATMs using a stripped-down version of XP known as Windows XP Embedded, which is less susceptible to viruses, Microsoft support lasts until early 2016.)

Inside every ATM casing is a computer, and like all such devices, each one runs on an OS. Microsoft’s 12-year-old Windows XP dominates the ATM market, powering more than 95 percent of the world’s machines and a similar percentage in the U.S., according to Robert Johnston, a marketing director at NCR (NCR), the largest ATM supplier in the U.S.

The many offshoots of the country’s jumbled ATM network, ranging from convenience stores that operate a single antiquated cash machine to national banks that oversee tens of thousands of terminals, are feeling the deadline in different ways, says Suzanne Cluckey, the editor of ATM Marketplace, a news site that serves the industry. More advanced ATM fleets can do the update over their networks. Older ATMs must be upgraded one by one or even replaced entirely if they don’t have enough computing power to run the newer, more demanding software. “My bank operates an ATM that looks like it must be 20 years old, and there’s no way that it can support Windows 7,” says Cluckey. “A lot of ATMs will have to either have their components upgraded or be discarded altogether and sold into the aftermarket—or just junked.”

Aravinda Korala, chief executive officer of ATM software provider KAL, says he expects only 15 percent of bank ATMs in the U.S. to be on Windows 7 by the April deadline. “The ATM world is not really ready, and that’s not unusual,” he says. “ATMs move more slowly than PCs.” While ATMs seem to be everywhere, their total number—an estimated 3 million worldwide, according to consulting firm Retail Banking Research—isn’t very many compared with the global base of Windows users. As a rule, security patches that directly affect the machines might be issued only once a quarter, Korala says.

Microsoft is selling custom tech support agreements that extend the life of Windows XP, although the cost can soar quickly—multiplying by a factor of five in the second year, says Korala. JPMorgan is buying a one-year extension and will start converting its machines to Windows 7 in July; about 3,000 of its 19,000 ATMs need enhancements before the process can begin, according to spokeswoman Patricia Wexler. A Wells Fargo spokeswoman says that the company is working with Microsoft and ATM manufacturers to upgrade its machines.

The cost to upgrade a single ATM to Windows 7 can range from a few hundred dollars if its hardware is adequate, says Stewart, to thousands of dollars if new components are required.

ATMs whose operators ignore the deadline will continue to function, says Dean Stewart, an executive at Diebold (DBD), which makes ATMs. They’ll just become more vulnerable to malware and other attacks against weaknesses discovered over time in Windows XP. (Customer balances are safe under the standard protections banks offer to ATM users against fraud.) “It’s a very real risk,” Stewart says. “No ATM operator wants to get his name in the paper.”

The ATM industry has faced deadlines of this kind before. “Basically, since the year 2000, they’ve gotten pretty good at these kind of planned crises,” says Rob Evans, the director of marketing at Nautilus Hyosung, another ATM manufacturer. New encryption standards became mandatory in 2002. In 2011 banks had to upgrade ATMs with audio technology to comply with the Americans With Disabilities Act.

with secure microchips. Amid reports of the recent theft of as many as 40 million card records from Target (TGT), some ATM operators are upgrading to the chip-based hardware at the same time they ditch Windows XP. “Banks will also look at this from a business perspective: If I’m tearing apart the machine, what else can we do?” says Evans.

U.S. Bancorp (USB), with the fifth-largest bank ATM network, began planning for the switch in 2010, when its 5,000 machines were an average of 13 years old. That will be cut to five years by the April deadline, says Senior Vice President Patty Henneke. If all goes as planned, customers won’t notice any differences. “We hope it’s invisible,” she says.

Windows 7 brings new features such as support for multitouch interfaces. “Windows 7 allows a true, modern touch ability,” says NCR’s Johnston. “You can swipe, pinch, drag things around. That starts to meet customers’ expectations of what self-service should be as they move into the 21st century.” With iPad-like functionality on the horizon, ATMs would finally enter, if not the future, at least the recent past.

Bash Shellshock security flaw worse than Heartbleed

A typical Bash screen

(My customer systems were fixed over the weekend)

(Jennifer Abel @ ConsumerAffairs) Shellshock, a newly discovered security flaw in a type of software widely used in UNIX, Linux and Mac OS X systems, is considered even worse than last April's “Heartbleed” security flaw, and Heartbleed was bad enough and far-reaching enough to threaten any [supposedly secure] website using OpenSSL encryption.

The list of potentially infected sites from Heartbleed included Yahoo and the FBI, and it's only a slight exaggeration to say, “As a result of Heartbleed, dang-near everybody on the Internet had to change dang-near every password they had.”

Shellshock, also called simply “the BASH bug,” is even worse. After all: “change your passwords” is something you can actually do, an active step you take to protect yourself. So far, though, it appears there's no equivalent step ordinary, everyday Internet users can take to protect themselves from Shellshock; identifying and fixing the problem is in the hands of webmasters and systems administrators.

Even worse: Heartbleed would only allow hackers to see what you were doing on or with your computer; they couldn't actually control it. Hackers exploiting the BASH bug might be able to.

BASH is an acronym for Bourne Again Shell, an open-source command interpreter found on UNIX-type systems. Like all shells, it translates commands (whether typed by a user or passed along by a server or website) into actions your computer or device carries out.

The newly discovered security bug basically lets hackers take over the shell and slip in malicious bits of code.

In home-security (rather than computer-security) terms, Heartbleed was like a situation where the front door to everybody's house suddenly unlocked all at once, so everybody had to lock their doors (change their passwords) before any burglars walked in through those unlocked doors to steal things. But the BASH bug is more like a new device a burglar can use to break into a locked door.

The security flaw is bad enough that the U.S. Computer Emergency Response Team issued a security alert to “experienced users and administrators” – another subtle reminder that, while everyday Internet users are at risk from Shellshock, there's little if anything they personally can do about it.

Behavioral Tracking Widespread on Children's Sites Says FTC

The Center for Digital Democracy (CDD), along with 16 consumer, health, privacy, and child advocacy groups, endorsed the Federal Trade Commission's (FTC) proposals to update the Children’s Online Privacy Protection Act (COPPA) rules. The groups recommend critical changes to the regulations aimed at addressing contemporary data collection and marketing practices.

CDD also released an analysis of tracking and targeting techniques employed by the leading child-targeted websites, which found that the great majority of the sites (81%) engage in some form of tracking through the use of such “persistent identifiers” as flash cookies, web bugs, and other online data collection tools. 

“The online data collection practices we originally identified in the 1990s have been eclipsed by a new generation of tracking and targeting techniques, as online data collection in this era of Big Data,” commented Kathryn Montgomery, Professor of Communication at American University, who, along with CDD Executive Director, Jeff Chester, spearheaded the campaign to pass COPPA in 1998. “It is imperative that the rules be changed if they are going to continue protecting children’s privacy in the growing digital marketplace.” 

Nearly half of the sites (48%) appear to be using behavioral targeting technologies...

Best Free Antivirus Protection of 2016

(Neil J. Rubenking @ PC) Early adopters, daredevils, and purchasers of new computers are all running Windows 10 by now. Those who err on the side of caution, or whose IT department forbids them to, are still running Windows 8. Whether you run Windows 8 or Windows 10, your computer is theoretically under the protection of the built-in Microsoft Windows Defender. However, our hands-on tests and independent lab tests show that you're better off with a third-party solution. Fortunately, you've got plenty of free choices, and the best of them are better than many competing commercial products. Which one is best for you? We've rounded them up to help you choose.

Quite a few of these products are free only for noncommercial use; if you want to protect your business, you have to pony up for the paid edition. At that point, you should probably consider upgrading to a full security suite. After all, it's your business's security on the line. And if you've grown beyond SMB status, investing in a SaaS endpoint protection system will let you monitor and manage security across your entire organization.

Your antivirus should definitely have the ability to root out existing malware, but its ongoing task is to prevent ransomware, botnets, Trojans, and other types of nasty programs from getting a foothold. All of the antivirus programs in this collection offer real-time protection against malware attack. Some take the fight upstream, working hard to ensure you never even browse to a malware-hosting site, or get fooled into turning over your credentials to a phishing site.

Independent Antivirus Lab Test Results

Around the world, researchers at independent antivirus testing labs spend their days putting antivirus tools to the test. Some of these labs regularly release public reports on their findings. I follow five such labs closely: AV-Comparatives, AV-Test Institute, Simon Edwards Labs (the successor to Dennis Technology Labs), Virus Bulletin, and MRG-Effitas. I also take note of whether vendors have contracted for certification by ICSA Labs and West Coast Labs.

Security companies typically pay for the privilege of being included in testing. In return, the labs supply them with detailed reports that can help improve their products. The number of labs that include a particular vendor serves as a measure of significance. In each case, the lab considered the product important enough to test, and the vendor felt the price was worthwhile. The labs don't necessarily test a vendor's free product, but most vendors pack full protection into the free product, enhancing premium versions with additional features.

PCMag Antivirus Test Results

In addition to carefully perusing results from the independent labs, I also run my own hands-on malware blocking test. I expose each antivirus to a collection of malware samples, including a variety of different malware types, and note its reaction. Typically the antivirus will wipe out most of the samples on sight, and detect some of the remaining ones when I try to launch them. I derive a malware blocking score from 0 to 10 points based on how thoroughly the antivirus protects the test system from these samples.

Since I use the same samples month after month, the malware-blocking test definitely doesn't measure a product's ability to detect brand-new threats. In a separate test, I attempt to download malware from 100 very new malicious URLs supplied by MRG-Effitas, typically less than a day old. I note whether the antivirus blocked all access to the URL, wiped out the malicious payload during download, or did nothing. Avira Free Antivirus holds the current top score in this test, followed by McAfee and Symantec, both paid products.

If you're interested in learning more about my testing techniques, you're welcome to read more about how we test security software.

Useful Features

Just about every antivirus product scans files on access to make sure malware can't launch, and also scans the entire system on demand, or on a schedule you set. Once that cleaning and scheduling is done, blocking all access to malware-hosting URLs is another good way to avoid trouble. Many products extend that protection to also steer users away from fraudulent websites, phishing sites that try to steal login credentials for financial sites and other sensitive sites. A few rate links in search results, flagging any dangerous or iffy ones.

Behavior-based detection, a feature of some antivirus products, is a two-edged sword. On the one hand, it can detect malware that's never been seen before. On the other hand, if it's not done right, it can baffle the user with messages about perfectly legitimate programs.

One easy way to keep your PC protected is to install all security updates, both for Windows and for browsers and other popular applications. Windows 10 makes it easier than ever to stay up to date, but there are plenty of security holes in older Windows versions, in popular apps, and in add-ons. Scanning for vulnerabilities in the form of missing updates is a feature most often found in commercial antivirus products, but it does turn up in some free ones. In the chart above you can see which products include these useful features.

What's Not Here

This article reports only on free antivirus products that received at least a good rating in our reviews—three stars or better. Among those that didn't make the cut is Microsoft Windows Defender, with 2.5 stars. All of the independent labs I follow do include Microsoft in testing, but most use it as a baseline. If a product can't do better than the baseline, it's got real problems.

FortiClient fans may notice that this product doesn't appear in the chart. It did get three stars, but it's quite different from the rest. FortiClient is actually designed to work as a client for Fortinet's network security appliance, but is incidentally available as a free standalone.

Furthermore, I'm aware that my review of Bitdefender's Free Antivirus is getting long in the tooth, but the company simply doesn't update its free utilities as often as its premium ones. Rest assured, I'm in close contact with Bitdefender and I'll review its new offering when it becomes available. Now that the commercial Bitdefender 2017 line is out, perhaps the developers will have more time to work on the free edition.

There are also numerous free antivirus utilities that work solely to clean up existing malware infestations. You bring out these cleanup-only tools when you have a nasty malware infestation. When the problem's gone, they have no further use, since they offer no ongoing protection. Our Editors' Choice in this category is Malwarebytes Anti-Malware 2.0, and it's definitely one you should try if you've got a malware problem. But since they're free, you can keep trying others if the first one doesn't do the job. When the scare is over, you'll need a full-blown antivirus for ongoing protection.

What's Best

Our current Editors' Choice products for free antivirus utilities are Avast Free Antivirus, AVG AntiVirus Free, and Panda Free Antivirus. All three get very good scores from the independent labs, and in our own tests as well. All three include some useful bonus features. Avast in particular packs a password manager and a network security scanner in its toolkit. If you do have a little cash in your budget for security, the best paid antivirus products do tend to offer more and better protection. If not, try a few of these free tools and see which one you like best.

Best Way to Protect Your Data Online

Nowadays, using social networks and buying merchandise from online retail stores is as common as washing the dishes, and the more it becomes ingrained into our everyday lives, the more we get comfortable and maybe even complacent when it comes to guarding our personal information.

Throughout the years we've all heard millions of tips on how to protect our private data, and with all of those warnings, it's easy to be a little confused about just what's the most important safeguard.

So what's the first thing one should remember while losing themselves inside the vast world of the Internet?

“Don't click on links in email messages or open attachments purporting to come from retail or social networking sites as notifications. When you do, you might be taken to a fake site and prompted to type in personal account information, or infected with malware,” said security researcher Cameron Camp in an interview with ConsumerAffairs.

“If you click on an attachment in a notification email, you may be unwittingly starting the process of infecting your computer. Instead, visit the website directly to make sure you're visiting the legitimate one, then interact with your account directly,” said Camp, a researcher at ESET, a company that deals in IT security.

What can be so tricky in today's digital world is the fact that hackers perpetually develop new ways to steal your information, so just as consumers protect themselves from one hacking scheme, a new and more advanced one follows.

Fake notifications

And just what do some of these new hacker tactics entail?

“Fake notification emails with malicious attachment payloads,” said Camp. “Leaving your mobile device unprotected (no password or other lock), paving the way for scammers to open it up and harvest information in a few easy steps, especially if they steal the device.”

Consumers should also not be “using Java when it really isn't needed, or isn't patched and up to date,” he added. “This can allow tricky malware in the back door, so to speak, and can allow disturbingly powerful tools and techniques to be used against you, regardless of the platform or operating system.”

Camp also says using the same password for all of your accounts is still one of the most common mistakes people make in their daily computer use.

“If one of your accounts becomes compromised by hacking or any other means, your others might soon follow in a cascading fashion, messing up a lot more of your life,” he said.

“Shopping at websites that aren't reputable, or connecting to shopping websites using unencrypted connections,” are also common errors people make, said Camp. “Instead, use https (encrypted), rather than http (unencrypted). Your browser should tell you when you are using an encrypted site by displaying a lock symbol.”

More risks

He also says that although there are more ways to guard your data nowadays, there are also a lot more ways for you to be scammed.

“While there may be some improvement in securing single pieces of your information, the average user interacts with hundreds more services directly, and many more third party services that share that information secondarily,” explained Camp.

“This means there are now exponentially higher numbers of ways to scam you and/or get a very complete digital snapshot of your life, and they would all have to be secure, which is unlikely,” he added.

Camp also says using only one method of protection to guard your information isn't good enough, and online users should install backup safety measures just in case the first level of protection is compromised.

“This is the argument that it's better to have one super-secure lock on a box and hope no one breaks it, because if they do then they get everything,” he says. “A better approach is to have a reasonable lock on the box, and also a reasonable lock on the door to the room, the front door to the house, and the gate.”

“Layering defenses in this manner creates a sufficiently high barrier that criminals will go elsewhere to look for easier targets,” said Camp.

Such as ...

And what are some of the software and other safeguards consumers should buy to protect their personal data?

“Find a method (other than post-it notes, don't laugh, that's extremely common) to keep track of your passwords, and make sure it's encrypted in case it falls into the wrong hands,” says Camp. “Sometimes a browser has this feature, but search customer and security reviews before you choose.”

Also “have basic anti-malware software for your computer devices, both traditional PC's and mobile. Remember, users interact with their mobile devices in many of the same ways as they did on their PC and the same protections and scams are also both applicable too, especially in the future,” he said.

“Have a firewall on your primary network you use. This doesn't have to cost many thousands of dollars, just try to enable the defenses on the unit you have. Many modern home routers have surprisingly sophisticated defenses, like intrusion detection/prevention (IDS/IPS) — if you enable them,” Camp said.

Best privacy protection plan is lying

(James Hood @ ConsumerAffairs) Consumers frequently complain that they're always being asked for personal information they'd rather not disclose -- like their phone number, email address or birthdate.

Well, there's a simple way to deal with that. It's called lying and a survey finds it's also a very popular strategy. Researchers said Americans routinely hide their personal details and intentionally falsify information when asked for it by websites, services and mobile app providers.

The findings suggest that many people are skeptical of the need for services to collect personal data, leading people to lie, click away or decline app downloads. According to the survey, people engage in these behaviors to create a sense of privacy and control over their personal information.

Afraid and angry

“Before we did the survey, we’d heard from data aggregators that something like 50% of their data might be incorrect. The survey showed that much higher rates of obscuring data is happening,” said study co-author Mary Hodder. “People are afraid and angry, as reflected in their comments to the survey, and they are doing the only thing they can to protect themselves: hiding, lying or withdrawing.”

Hodder is on the board of directors of Customer Commons, the California-based non-profit that conducted the study.

The study found that some people will accurately represent themselves only when online services show a clear upside. Otherwise, people don’t want to reveal more than is necessary when all they want to do is download apps, watch videos, shop or engage in social networking.

Key findings in the report include:

  • Only 8.5 percent of respondents always accurately disclose personal information.

  • As many as 70% of respondents regularly withhold at least some personal data.

  • Many respondents lie about various line items as a strategy to protect their privacy. For example, 34.2% intentionally provided an incorrect phone number, and 13.8% provided incorrect employment information.

The concept of trust was raised in 22% of the written responses explaining why people hide their information. Some examples include:

  • “I cannot trust a random website”

  • “I do not want spam and do not want to expose others to spam. I also don't know how that information could be used or if the people running the site are trustworthy.”

  • “If I know why info is needed then I might provide, otherwise no way”   

People are afraid or distrustful of sites, services and phone apps that request their personal data. They withhold or falsify information because they do not believe the sites need their data, and because they do not want to disclose information that might lead to spamming or other intrusions. Moreover, the techniques that people employ to preserve their sense of privacy online are largely improvised, informed by fear, and based on their subjective evaluation of entities that solicit personal information.

Customer Commons describes itself as "a not-for-profit working to restore the balance of power, respect and trust between individuals and the organizations that serve them, especially in the online world." Funding for the study came from CommerceNet, a not-for-profit research institute.

Beware of Fake emails from Homeland Security

(Reuters) - The U.S. government on Thursday warned computer users to beware of fake emails they may receive from hackers claiming to be from the Department of Homeland Security and demanding money to reinstate use of their computer.

Homeland Security's U.S. Computer Emergency Readiness Team, or US-CERT, published an alert on its website warning it had received reports of DHS-themed "ransomware."

"Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it," the warning said, adding that the ransomware falsely claims to be from the department and its National Cyber Security Division.

Ransomware is increasingly widespread malicious software that purports to encrypt a user's files and then demands payment to unlock them.

US-CERT urged users and systems administrators to use caution if they find a questionable email message that could contain the ransomware. It urged users not to click on links in the messages or submit any information to the web pages they point to.

(Reporting by Deborah Charles; Editing by Doina Chiacu)

Blacklisted Again?

So your email is being blocked by a recipient's spam filters. You didn't use any questionable words or send pictures or HTML mail or do anything else that would make your message look like spam, but it's still being blocked. Why is this happening?

It might be because your address is on one of the many "known spammer lists" (also called blacklists or black hole lists) that are compiled and used by some spam filtering software. But you aren't a known spammer - you've never sent a spam message in your life! So how did you end up on a blacklist?

Here's the problem: some of the black list organizations will put an ISP's entire domain name on the list because some of that ISP's customers are spammers. When the entire domain is blacklisted, that includes the mail of innocent customers who send mail from that ISP's mail servers, too. What can you do about it if you find yourself in that situation?

You could change ISPs, of course - but that can be a big inconvenience if you've had your address for a long time and it's widely known. You can ask people with whom you want to correspond to configure their "white lists" or "safe senders" lists to allow your mail through; most anti-spam software gives precedence to the white list and allows mail from addresses on it even if those addresses/domains are also on a black list. But if you can't send them mail in the first place, this means you'll have to call each correspondent or send snail mail or contact them in some other way to let them know to do this. Some ISPs use blacklists themselves to protect their users from incoming spam, but this means if you get on the list, you won't be able to send mail to customers of that ISP and the customers themselves may have no control and no way to "whitelist" you so your mail can get through. You're just considered "collateral damage" in the war against spam.

"Being on this black list is bad for our reputation ... if it were any other media, you could probably sue the blacklist company for slander. In this case they don't even respond to messages ... There should be a way to be protected from the behaviour of blacklist companies if you don't produce spam. A simple way would be to forbid them to blacklist ranges of IP addresses, only those addresses that have been proven to be used for spam."

For a company, being blacklisted is more than just frustrating - it can result in real monetary losses if you're unable to correspond with customers, partners, vendors and others critical to your day-to-day business. For an individual, being blacklisted can interfere with your personal relationships, keep you from getting a job or prevent you from communicating with organizations with which you do business.

One of the first and most popular blacklists was the Mail Abuse Prevention System Real-time Blackhole List (MAPS RBL). It compiled thousands of entries and is used by hundreds of servers all over the world. It was acquired by Trend Micro in 2005. Spamcop.net is another service that takes spam reports and provides a free DNS-based blocking list.

Unfortunately, when it comes to getting blacklisted, you're guilty until proven innocent, and guilt by association (merely having the same ISP as a spammer) is the order of the day for some lists. Black list compilers (also known as DNSBL operators) publish their lists of individual addresses, domain names, or IP addresses without any sort of warranty that those on the list really are spammers. Spamcop, for example, explicitly states on its web site that their list is provided "as is" and they do not in any way guarantee it or take any responsibility for the results of using it.

There's nothing regulating the operation of a blacklisting service; all you need is a domain, a DNS server and a list of addresses to publish. Different blacklist operators have different policies regarding how they verify their information, how long an address stays on the list, procedures for challenging the listing and having it removed, etc. Some lists add addresses submitted by users, and it's possible to get on a blacklist just because you made the wrong person mad at you.

Nobody wants to get spam, and the intent of the lists is good, but as with any technology, good intentions aren't always enough to prevent bad results. Intelligent spam filtering requires more than just consulting a list; modern filtering programs such as IHateSpam use sophisticated metrics to examine the content of messages themselves and determine whether they're likely to be spam. This results in far fewer false positives.
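The lookup mechanism behind these lists, as an added example that is not code from any blacklist operator or filtering product named above: a DNSBL publishes its listings as DNS records, so a mail server checks a sending address by reversing its octets and resolving that name under the list's zone. The zone name `bl.example.invalid`, the listing data and the return-code meanings below are constructed for the example; the resolver is an offline stand-in for DNS. The range listing in the sample data shows the "collateral damage" the article describes, and `accept_sender` applies the safe-senders precedence it mentions.

```python
"""DNS-based blocking list (DNSBL) lookup, with an offline fake resolver.

Convention used by such lists: to ask whether a.b.c.d is listed in zone Z,
resolve d.c.b.a.Z. No answer (NXDOMAIN) means "not listed"; an A record in
127.0.0.0/8 means "listed", and the last octet usually encodes the reason.
"""
import ipaddress
from typing import Callable, Dict, List

# Constructed return-code meanings for this example; real lists publish their own.
RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "listed: reported spam source",
    "127.0.0.3": "listed: open relay or proxy",
    "127.0.0.10": "listed: entire provider range blocked (policy listing)",
}

Resolver = Callable[[str], List[str]]  # DNS name -> A records ([] for NXDOMAIN)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name to resolve: octets reversed, then the zone.
    192.0.2.25 in bl.example.invalid -> 25.2.0.192.bl.example.invalid"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def make_fake_resolver(zone: str, listings: Dict[ipaddress.IPv4Network, str]) -> Resolver:
    """Offline stand-in for DNS (constructed for this example): decode the
    reversed name back into an address and answer with the code of the first
    listing that contains it. A deployment would use a DNS library instead."""
    suffix = "." + zone.strip(".")

    def resolve(name: str) -> List[str]:
        if not name.endswith(suffix):
            return []
        try:
            addr = ipaddress.ip_address(".".join(reversed(name[: -len(suffix)].split("."))))
        except ValueError:
            return []
        for net, code in listings.items():
            if addr in net:
                return [code]
        return []

    return resolve


def check_dnsbl(ip: str, zone: str, resolve: Resolver) -> Dict[str, object]:
    """Query one zone. Only answers inside 127.0.0.0/8 count as listings; any
    other answer (e.g. a wildcard from an expired zone) is ignored, not treated
    as a hit."""
    answers = resolve(dnsbl_query_name(ip, zone))
    loopback = ipaddress.ip_network("127.0.0.0/8")
    codes = [a for a in answers if ipaddress.ip_address(a) in loopback]
    return {
        "ip": ip,
        "zone": zone,
        "listed": bool(codes),
        "reasons": [RETURN_CODES.get(c, f"listed: undocumented code {c}") for c in codes],
    }


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A zone that fails either check is dead or misbehaving and must not block mail."""
    return (check_dnsbl("127.0.0.2", zone, resolve)["listed"]
            and not check_dnsbl("127.0.0.1", zone, resolve)["listed"])


def accept_sender(ip: str, zone: str, resolve: Resolver, safe_senders: set) -> str:
    """Receiving-side policy from the article: the safe-senders list takes
    precedence over the blacklist; an unusable zone fails open."""
    if ip in safe_senders:
        return "accept: safe sender"
    if not zone_is_sane(zone, resolve):
        return "accept: zone unusable, failing open"
    result = check_dnsbl(ip, zone, resolve)
    return "reject: " + "; ".join(result["reasons"]) if result["listed"] else "accept"


# Constructed sample zone: one test entry, one single host, one whole /24
# (the kind of range listing that catches a provider's innocent customers).
ZONE = "bl.example.invalid"
LISTINGS = {
    ipaddress.ip_network("127.0.0.2/32"): "127.0.0.2",
    ipaddress.ip_network("198.51.100.7/32"): "127.0.0.2",
    ipaddress.ip_network("203.0.113.0/24"): "127.0.0.10",
}

if __name__ == "__main__":
    resolver = make_fake_resolver(ZONE, LISTINGS)
    for sender in ("192.0.2.25", "198.51.100.7", "203.0.113.44"):
        print(sender, "->", accept_sender(sender, ZONE, resolver, set()))
```

The `zone_is_sane` check matters in practice: a blacklist domain that lapses and is bought by a wildcard host will answer every query, and a server that treats any answer as a listing will start rejecting all mail.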

Block Unwanted Facebook Posts

(Kim Komando USA TODAY) ...It's easy to block updates from Facebook friends who are temporarily getting under your skin. Hover over your friend's name, then hover over the Friends menu and deselect Show in News Feed.

Selecting Settings under the Friends menu allows you to control the amounts and types of updates you receive from a friend. You can screen a friend's status updates, life events and photos, for example, but continue to receive her music and video posts.

Not in the mood for a Facebook quiz this week? You can hide stories and unsubscribe from any person, Page, group or app.

If you encounter a political post or other story that is particularly annoying, report it as spam. That will remove it from your news feed, and Facebook's filters will try to block similar content in the future.

For more industrial-strength filtering, install a browser extension such as Social Fixer.

Social Fixer lets you define rules - similar to email - to control what stories you want to see and hide. You can quickly choose one or all of your friends, then choose to hide status updates, photos and other types of posts. The ability to add key words makes this free tool even more powerful.

Keep in mind that Social Fixer is a browser plug-in; it has no effect on your Facebook account or what you'll see on a different computer or gadget.

On Twitter, there isn't much you can do to filter content short of blocking or unfollowing users. But Twitter's own TweetDeck app for mobile and desktop contains a global filter in Settings to block people, words, and hashtags.

You might also want to visit the extension galleries of Firefox, Chrome and Safari to find other plug-ins that promise to clean up your Twitter news feeds.

If you like to watch movie or video game trailers on YouTube, but avoid the site because of all the nasty comments and spoilers, there's help.

Clea.nr Videos for YouTube not only blocks comments, it also removes the clutter of ads and promoted videos. The free extension works with Safari, Chrome and Firefox; there's also an Apple iOS app ($1).

More generalized browser plug-ins can help you hide the comments sections across blogs and other websites you visit.

These controls and tweaks aren't perfect -- an irritating post will get through somehow -- but they should help you regain some of your sanity.

Bots roam the internet, threatening businesses and consumers

(Mark Huffman @ ConsumerAffairs) You're expecting a package from Amazon, or from one of the package delivery services. An email pops into your inbox about a problem, and there's a link where you can get more information.

Only the email is not from any legitimate company. It's a scammer posing as the legitimate company.

While it's a big problem for consumers, it's a huge problem for the companies that are being impersonated. Their brand can suffer as a result.

MarkMonitor is in the brand protection business, on the lookout for cases where a client's brand has been misappropriated, for any reason.

“We are basically monitoring across multiple digital channels – websites, marketplaces, social media, mobile apps and emails,” Akino Chikada, MarkMonitor's Senior Brand Protection Manager, told ConsumerAffairs. “We're scanning through the entire internet looking for any potential online abuse of that brand.”

It's a never-ending job because scammers keep getting more technologically powerful. The latest wrinkle is the deployment of bots – web robots – to seek out and engage victims, meaning one scammer can become a million times more effective.

“As we know there is a significant number of bots driving internet traffic,” Chikada said. “A recent report found humans account for about 51% of traffic. The rest is driven by bots.”

Whole new dating game

And these bots have added a whole new dimension to the online dating scam. A decade ago, this scam consisted of an individual scammer seeking out and engaging a potential victim, building trust, then swindling him or her out of thousands of dollars. It was a labor-intensive and time-consuming enterprise.

Today, bots do the work, engaging males on Tinder, pretending to be females. Chikada says it's easy to program these bots to engage in dialog.

“They can remember user details like names, age, location, so it's easy to start engaging a victim,” she said. “They're definitely a lot smarter and more sophisticated.”

Tinder's popularity makes it a target-rich environment. Scammers are using bots to persuade victims to send them money, and also download malware.

How to spot a bot

How can you tell if the “person” you are engaging with on Tinder is actually a machine? If you pay close attention, you can do it.

Bots tend to type faster than the average human and yet they don't make as many typos. Also, responses can be generic and not always specific to what you have said.

The big tip off? Chikada says they will eventually ask you to do something for them, and it either requires clicking on a link or giving them your credit card information.

And finally, if the “person” is really attractive, you just might be conversing with a machine.

Business Gone In 60 Seconds vis-à-vis Poor Email Policy

Just this week, an area manager for a local company decided to go into business for himself. 

The company policy allowed each employee to use their own personal email accounts to conduct company business. As a result of that policy, ALL sales leads in that area now go to “HIS” iCloud email account, and there is nothing the company can do about it. 

Essentially, their business in that geographical area is GONE. Their current customer base in that area only communicates with the company through “HIS” email address. They can forget about repeat business. And their long list of current prospects use “HIS” email to request new service, AND, the new prospect contact list is only in “HIS” contact list. The company does not even know who their prospects are. OUCH!!!

Lesson learned: Never Never Never allow an employee to use their own email account to conduct company business, and Never Never Never use a free email service (Gmail, Yahoo, iCloud, Knology...) as a business email address.

Why? According to Dr. W. Edwards Deming, “he who owns the data owns the business”. In this case, the former employee owns their business.

How can a business email account make a difference?

  1. Email and contact information could be archived so that the company could have full use of the data for sales, marketing, and customer service.

  2. Products like Thunderbird provide the ability to monitor company email in real time. An employee defection might have been detected much earlier.

  3. With a click of a mouse or a password change, emails and contacts can be securely blocked from one employee and made available to another employee (“HIS” replacement), thus denying the departed employee future access to company data.

There are hundreds of reasons why a business should control its company email: control, security, brand recognition, credibility, and the memorable impression that it makes. But this one incident really makes the case.

If you need assistance setting up a company email account or policy, please let us know.

CBS - Cicada 3301: Code-breaking scavenger hunt has the Internet mystified



A screenshot of a Cicada 3301 clue from a website. net-netz-blog.de

Is there a secret society attempting to recruit the best code breakers in the world, using clues that span the globe and the Internet? That’s what some people believe is the case with the elusive Cicada 3301 online puzzle, which, if history repeats itself, will make a return within days.

Tekk Nolagi, a teenager from the San Francisco Bay Area who asked not to be identified by his real name, says he was sitting in a high school robotics lab in 2012 with his friends when the photo first appeared on the image message board 4chan.org.

“It was posted on the paranormal activity thread or something like that,” Tekk told CBS News over the phone. “A bunch of people said, ‘wow, that’s creepy’ and didn’t say anything else.”

It was an image of white text against a black background that said:

“Hello. We are looking for highly intelligent individuals. To find them, we have devised a test. There is a message hidden in this image. Find it, and it will lead you on the road to finding us. We look forward to meeting the few that will make it all the way through. Good luck. 3301.”

And with that image, a scavenger hunt began that involved online images, cryptography, number theory, physical clues, phone calls, QR codes and websites on the “darknet.”

Some of the theories about who is behind the puzzle include the National Security Agency, Central Intelligence Agency or a secret society. Some have speculated that the puzzle is a recruitment program or an alternate reality game, where players collect clues, interact with other players and solve puzzles in real life.

According to the participants online, when the image was opened in a text editing program, a cryptic message appeared that was interpreted as a Web address. Those who were trying to solve the mystery were led to a website, which in turn led to a Reddit.com forum called "a2e7j6ic78h0j" that revealed a series of symbols and coded messages.

Several more clues were uncovered -- including hidden messages that suggested the key to breaking the code was already posted on the a2e7j6ic78h0j forum. Once decoded, a U.S. phone number was revealed. 

The number, which has since been disconnected, had a message for callers that was yet another clue. This time, a riddle led to a website that had a picture of a cicada and what appeared to be geographic coordinates.

According to online reports, posters were found at some of the locations around the world, including Paris, Warsaw, Seoul and Miami. Each poster had an image of a cicada and a QR code that, when scanned, revealed a message.

Tekk says he worked with a group of nine active participants and several additional helpers to solve the breadcrumb trail of clues left by the game’s creators. One of the people working with him sent his brother out to see one of the posters, which was located in Australia, in real life. It was a physical piece of the worldwide puzzle that they could confirm existed.

“I was in awe and frightened because I didn’t know exactly what the reach of these people was. Imagining they have access to all these different places around the world at the same time kind of blew all our minds. We started getting a little bit nervous in the chat room,” he said.

After a series of increasingly intricate clues, a final message was discovered on the Reddit forum with the symbols and coded text that read:

“We have now found the individuals we sought. Thus our month-long journey ends. For now. Thank you for your dedication and effort. If you were unable to complete the test, or did not receive an email, do not despair. There will be more opportunities like this one.”

Soon after, the trail went cold and no new clues were released until a year later on Jan. 4, 2013, when a new image appeared on 4chan.

Tekk chose not to continue chasing the clues the following year, saying, “I stopped after my first year because it was too time consuming.”

Just like the previous year, a similar trail of clues was revealed after the initial image appeared on 4chan, including a sequence of prime numbers, an audio file and a mysterious Twitter account tweeting coded messages.  

One of the clues posted on Wikia led to a bizarre test that was reportedly emailed to participants and asked multiple-choice questions like: “I am the voice* inside my head” and “Observation changes the thing being observed.” The answer choices included: true, false, indeterminate, meaningless, self-referential, game rule, strange loop and none of the above.

One of the final pieces of the 2013 puzzle is an email that was reportedly sent to those who passed the test. There hasn’t been much activity since that time, and much of the community following Cicada 3301 anxiously waits for Jan. 4, 2014 to arrive, when a new clue might be posted online.

What little information is known about Cicada 3301 has been posted on websites like Wikia and Github, but no one seems to know who is behind the puzzle and what their motives may be for creating such an elaborate trail of clues.

Tekk has some theories about what the group’s end game may be, which he says was revealed to him when he found himself in a chat room, of sorts, with people claiming to be the organizers of the Cicada 3301 puzzle.

“It seems like their end goal would be to have some kind of free and open cryptography and anonymity software released to the public, but that’s just a small facet of what they’re trying to do. I don’t think anybody actually knows what they’re going to do from there,” he said. 

CCleaner Hacked

Consumers who downloaded the CCleaner security program thought that they were protecting their devices from malware, but security researchers at Cisco Talos say the app directly delivered malware to millions of users.

The discovery made earlier this month involves what the researchers call a “supply chain attack.” Supply chain attacks happen when hackers target a company or manufacturer that delivers a product to consumers.

In this case, the download servers used by Avast (CCleaner’s parent company) were breached. Hackers used their access to the servers to modify CCleaner’s download package to include malware that was delivered to users.

“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” explained the researchers.

Millions of users affected

CCleaner is an extremely popular tool amongst consumers for ridding computers of malware and improving speed and performance. In November, Avast boasted that the program had been downloaded over 2 billion times, with 5 million users downloading the app per week. Unfortunately, the researchers say that these high growth numbers can be disastrous from a security standpoint.

“If even a small fraction of those systems were compromised, an attacker could use them for any number of malicious purposes,” said Cisco Talos researcher Edmund Brumaghin in a blog post.

Piriform, the company that operates the affected download servers, has confirmed that versions 5.33.6162 and 1.07.3191 of CCleaner for 32-bit systems were compromised by hackers. The company estimates that as many as 2.27 million people are using the affected software or have downloaded a compromised version of CCleaner Cloud.

“The compromise could cause the transmission of non-sensitive data…to a 3rd party computer server in the USA,” the company said. “We sincerely apologize for this and are committed to making sure nothing similar happens again.”

What to do

Brumaghin says that users who have downloaded a malicious version of the CCleaner program need to restore their devices to a state before August 15, 2017 and update to the latest available version of the program to avoid infection.

Piriform encourages users to download the latest version of the software here. (Note that visiting this link will initiate a download for the latest version of CCleaner.)
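As an added defender's check, not from the Cisco Talos or Piriform write-ups, the following PowerShell inventories CCleaner installs through the standard Windows uninstall registry keys, flags the two 32-bit build numbers the article names, and reports the Authenticode signature status of the installed executable so a reader can see that a valid signature does not rule out a compromised build. The product-name match, the CCleaner.exe file name and the version string format are assumptions.

```powershell
# Added example: inventory CCleaner installs and flag the builds the article
# names as compromised. The uninstall registry paths are the standard Windows
# locations; matching DisplayName on "CCleaner*" is an assumption.
$AffectedVersions = @('5.33.6162', '1.07.3191')   # 32-bit builds named in the article

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-CCleanerInstall {
    # Returns one object per CCleaner entry found in the uninstall keys.
    # DisplayVersion is assumed to carry the full four-part build number.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        ForEach-Object {
            [PSCustomObject]@{
                Name            = $_.DisplayName
                Version         = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
                Affected        = ($AffectedVersions -contains $_.DisplayVersion)
            }
        }
}

function Get-InstalledSignatureStatus {
    param([string]$InstallLocation)
    # Assumed executable name inside the install directory.
    $exe = Join-Path -Path $InstallLocation -ChildPath 'CCleaner.exe'
    if (-not (Test-Path -Path $exe)) { return 'executable not found' }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    return ('{0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject)
}

$installs = @(Get-CCleanerInstall)
if ($installs.Count -eq 0) {
    Write-Output 'No CCleaner entry found in the uninstall registry keys.'
}
foreach ($i in $installs) {
    $verdict = if ($i.Affected) { 'AFFECTED BUILD - restore and update' } else { 'not in the affected list' }
    Write-Output ('{0} {1}: {2}' -f $i.Name, $i.Version, $verdict)
    if ($i.InstallLocation) {
        # A "Valid" status here does not clear the build: the article notes the
        # trojanized 5.33 release was distributed with a legitimate signature.
        Write-Output ('  signature: ' + (Get-InstalledSignatureStatus $i.InstallLocation))
    }
}
```

Run it in an elevated PowerShell session on each endpoint; an affected build on a 64-bit host will appear under the WOW6432Node key.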

CNN Says Online privacy is dead


(Jose Pagliery  @ Jose_Pagliery) It's getting harder to remain faceless online. Even far-out measures of data encryption are under attack. These are dark times for online privacy. The U.S. government is spying on its own citizens' online activities. The FBI was able to suss out and shut down the anonymous black market Silk Road. Even the Internet-within-the-Internet called the Tor network -- the most secretive way to browse the Web -- is being monitored by the National Security Agency.

Strong passwords and encrypted email services were never truly enough to protect users' online privacy. But recent revelations about government surveillance even throw into doubt the effectiveness of far-out measures of data encryption used by the most careful people surfing the Web.

Silk Road serves as a prime example. It operated as a hidden service on Tor, an anonymizing tool that helps users and sites keep their identities secret. Everyone buying and selling drugs, weapons and other illicit items on the site thought they couldn't be tracked.

But federal agents managed to track down a computer server Silk Road used, and the FBI monitored more than 1.2 million private communications on the site.


If online privacy can't stand up to good, old-fashioned police work, it doesn't stand a chance against some of the more potent tools the government uses:


  • The NSA figured out how to track down who's who on Tor by exploiting weaknesses in Web browsers, according to documents former NSA contractor Edward Snowden leaked to The Guardian -- a bug that was only recently fixed.
  • PRISM, the government's hush-hush mass data collection program, lets even low-level NSA analysts access email, chats and Internet phone calls.
  • The U.S. government issues frequent, secret demands for customer data from telecommunications companies.


It's no wonder, then, that many have declared the death of online privacy.


"Unfortunately, online anonymity is already dead," said Ladar Levison, founder of e-mail service LavaBit that closed its doors in the wake of the NSA's PRISM controversy. "It takes a lot more effort and skill than most have in order to keep your anonymity today."

Remaining unrecognizable and keeping conversations private online is immensely important. It's not just an issue for civil libertarians -- online privacy is crucial for crime victims, whistleblowers, dissidents and corporations trying to keep secret the latest high-tech research.

The result has been tantamount to a cryptographic arms race. On one side are independent programmers usually writing free software. On the other are a dozen U.S. intelligence agencies supported by a $52.6 billion black budget.

And while some claim unbreakable encryption is coming, large-scale availability is still years away.

"It's an open question how much protection Tor or any other existing anonymous communications tool provides against the NSA's large-scale Internet surveillance," said Roger Dingledine, Tor's lead developer.

Still, Aleecia McDonald, a privacy expert at Stanford University's Center for Internet & Society, said there's still a benefit to guarding yourself with a network like Tor. At least you make it harder to get spied on.

"The NSA has to attack Tor users one by one, not en masse as they do with non-Tor users," she said.

Can Facebook and Twitter Affect Your Credit Score and Insurance?

Facebook and Google are big names in the online privacy debate, but maybe the real threat is from unseen data brokers behind the scenes. In observance of Data Privacy Day, here are some things to know and consider in conducting your online life.

Did you know January 28 is Data Privacy Day in the United States, Canada, and the European Union? The intention behind Data Privacy Day is to raise awareness of the importance of protecting the privacy of personal information—not just amongst individual users of things like social networking, but also amongst businesses, organizations, and corporations that collect, retain, and access information about their clients, customers, and users. Companies like Facebook, Google, Microsoft, and Yahoo have been drawing the attention of privacy advocates and regulators in recent years, but the reality is that there are tens of thousands of companies out there collecting, processing, and distributing personal information about individuals all the time. Increasingly, those companies are looking to things like social networking for cues about individuals’ behaviors, lifestyle, interests, and activities.

Facebook CEO Mark Zuckerberg — Time’s 2010 Man of the Year — once famously declared privacy is not a “social norm,” and Facebook and other companies have consistently borne out that idea in the online world, collecting increasing amount of information about individuals and hiding behind privacy policies longer than the U.S. Constitution. Clauses of implied consent decree that users legally agree to having their information gathered and tracked, so long as they continue using accounts or services. In other words: Users can either agree to be tracked, or they can agree not to use a service. However, this cavalier approach to data collection and user profiling is drawing increased scrutiny not just from consumer and privacy advocates, but by governments and everyday people. The European Commission has just proposed new data protection laws that would enshrine a “right to be forgotten” for individuals, and the U.S. Federal Trade Commission has forced Facebook to toe the line on sharing user information with third parties. Google’s recent ground-up revamp of its privacy policies and user tracking is almost certain to draw FTC scrutiny as well.


Can Facebook videos be a scam?

Q. I tried to watch a video on Facebook, but it didn't work. It made me install a new driver and then still didn't play the video. What gives?

A. I doubt that was a real video at all. This is a scam that is common on Facebook. The post looks like a really interesting or scandalous video. When you click it, it asks you to install a driver to watch it. What you actually download is usually a junk file or a virus. When you try to install the "driver," you share the scam video with all your friends so they'll be tricked. When you see a video on Facebook, do a search for the video on YouTube or Google. If you can't find the video, it's probably a scam. You can also see if the scam has been reported on sites like Facecrooks and Snopes.

Can GPS Spy On You

The Supreme Court issued a landmark decision on 1/16/2012 regarding warrantless surveillance that could have vast implications for privacy and technology in the years to come. In a unanimous ruling, the justices said the police violated the Constitution when they placed a GPS device on the underside of a suspect’s car and used the device to track and record his movements for a month. The court, however, was closely divided on its reasoning for the decision, and the split could leave several important privacy-related questions unresolved.

The question in the case was whether Washington, D.C. police violated the Fourth Amendment rights of the defendant, Antoine Jones, when they placed a GPS tracking device on his car to gather evidence for a potential drug trafficking case. The government argued that Jones had no “reasonable expectation of privacy” in either the location of the device — the underside of his car — or in the places where he drove the car, such as public roads. The police failed to obtain a warrant before attaching the device to Jones’s car.

All nine of the justices agreed that the action was unconstitutional, but split 5-4 on why. Writing for the majority, Justice Antonin Scalia offered a narrow justification for the ruling, citing the Fourth Amendment’s guarantee that the “right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated.” A vehicle, Scalia wrote, counts as an “effect,” and physically placing a GPS device on a person’s car counts as an “unreasonable search.” Once the court determined that a physical trespass had occurred, Scalia wrote, there was no need to go any further:

It is important to be clear about what occurred in this case: The Government physically occupied private property for the purpose of obtaining information. We have no doubt that such a physical intrusion would have been considered a “search” within the meaning of the Fourth Amendment when it was adopted.

This reasoning, however, leaves unanswered the broader and arguably more important question of whether the government’s use of technologies that don’t involve physical trespassing — cell phone location tracking, for example — violates the Constitution. What if, instead of attaching a GPS device to your car, the police decide to intercept the digital information that streams from your iPhone to cell towers every time you use Yelp to find nearby restaurants or search for directions on Google Maps?

This ruling, according to the majority, leaves that question unresolved. In concurring opinions, the four remaining justices argued that the court should have used this case as an opportunity to answer the bigger, privacy-related questions now. Those justices said they would have used a different and more far-reaching standard than the physical trespass analysis used by Scalia.

That standard, Justice Sonia Sotomayor wrote in a concurring opinion, is irrelevant to many modern forms of surveillance which don’t involve physical intrusion. Auto manufacturers can install tracking devices in cars right there in the factory. Smartphones come equipped with location-tracking GPS technology. These devices can reveal a wealth of data about a person’s relationships, political and religious affiliations and so forth, without requiring any physical intrusion on a person’s private property. But they may still violate a person’s reasonable expectation of privacy, Sotomayor wrote:

Awareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse. The net result is that GPS monitoring — by making available at a relatively low cost such a substantial quantum of intimate information about any person whom the Government, in its unfettered discretion, chooses to track — may “alter the relationship between citizen and government in a way that is inimical to democratic society.”


Can Hackers Attack My Laser Printer?

Computerworld reports that millions of Web-enabled printers contain a security weakness that could allow attackers to take control of their systems, steal data, and issue commands that could cause the devices to overheat and catch fire. This finding is corroborated by researchers from Columbia University. Whilst HP was named specifically, it is likely that printers manufactured by other vendors may have the same issue, leaving users of those devices exposed to similar threats, the researchers said.

Can They Hack Your Voicemail

First, I hacked my own voice mail. Then, when colleagues came around to see, several volunteered their phones, too.

With a few clicks of a mouse, we accessed our mobile phone voice mails from a desktop computer. No password needed. No cellphone needed.

It was surprisingly easy.

The alleged phone hacking at the heart of the scandal at the now-defunct News of the World tabloid can be performed here in the U.S. — and easily. 

It works because some voice mail systems allow you to hear your messages without a password when you're calling from your own phone. The system knows you're calling from your own phone based on your caller ID number.

But there are several online services which, for a small fee, allow you to "spoof" — or fake — a caller ID number. Just $10 gets you access to this trickery, and to clear access to voice mail messages.

I first heard about the technique this morning, in a tweet by Christopher Soghoian, a graduate fellow at the Center for Applied Cybersecurity Research at Indiana University. Within an hour, I'd hacked my own phone.

Our WNYC experiment was not a scientific study — and, again, we accessed only our own cell phone accounts — but we tried two AT&T accounts, two Sprint accounts, two T-Mobile accounts and two Verizon accounts. Once we figured out the technique, we had easy access to voice mail messages in both AT&T accounts and one of the Sprint ones. We couldn't get into those of the T-Mobile and Verizon phones.

The Password Issue

You probably have a password for your voice mail account, which you use to access your messages remotely.

But AT&T spokesman Mark Siegel said that for convenience, AT&T customers "also have the option of not entering your password when accessing your voice mail from your mobile phone."

That's certainly true for my AT&T iPhone. Siegel said for the best security, AT&T recommends customers change their settings to require a password even when checking voicemail from their own phone, which people can do by logging into their account on the AT&T website.

Having that functionality definitely blocked our "spoofing" access to several accounts — though together, one of our newsroom staffers and I were able to access her AT&T account even though her phone requires a password every time she checks her voice mail.

A spokeswoman for Verizon Wireless said the company's customers must enter a password every time they check voice mail, from any phone. That seemed to be why we couldn't access those phones. A spokesman for Sprint said it offers customers the option of disabling their access password, and warns them that doing so can make their account vulnerable.

Is This Legal?

Spoofing caller IDs does not, in itself, appear to be illegal. There are actually several services that use this technique to legitimately offer people an alternative telephone number.

But, under the Truth in Caller ID Act of 2009 it's clearly not legal if you're faking a caller ID "with the intent to defraud, cause harm, or wrongfully obtain anything of value."

Steps You Can Take

First, you can set up your phone to require a password every time, even when checking from your own phone.

But quick access to your messages is pretty convenient. Our in-office experiments suggest another way to help protect yourself is to delete (not just skip) messages you've already heard. That way there's nothing to listen to.

And here's a big red flag: A missed call that looks like it's from your own phone number. That was a byproduct of the trick we used — and a clear sign of our "hacking."


Can They Really Hack Your Car

High-tech car thieves are using electronic devices to easily unlock vehicles.

( @ Credit.com) With AAA predicting the biggest Labor Day travel weekend since the recession hit, many Americans will be stealing away for that final summer trip. Unfortunately, they won't be the only ones stealing.

There's a new type of crime happening on America's highways and byways. A nationwide crime spree in the making, if you will, whereby high-tech thieves can unlock vehicles easier than you'd like to think possible.

We're way beyond rocks, cobblestones, baseball bats, shims and crowbars now. Using improvised electronic devices that recreate the same signals as the key fobs many of us carry, thieves can pop the lock on your car from afar, then rifle through your belongings and steal whatever they like, all without the noise and trouble of breaking a window or jimmying a lock.

Once the stuff of urban legend, this kind of crime is now on the rise, according to police. "We believe that this code-grabbing technology was utilized and we are looking into it," Sgt. Andrew Schoeff of the Chicago Police Department told ABC News after thieves there broke into multiple cars in one neighborhood.

Technology experts have warned for years that key fob crimes were possible. In 2011 Swiss researchers announced they had cracked the encrypted remote entry systems of ten car models by eight different manufacturers, using equipment that cost as little as $100. That research has now become reality, as crime rings from Chicago to Long Beach have figured it out.

The way this crime works is still somewhat of a mystery in crime-fighting circles. And while there are doubtless ways to avoid becoming a victim, I'm not sure what they might be beyond owning a car that doesn't use the fob system.

A Terrifying Turn

While it's unsettling to have your car invaded or stolen while you're on a Labor Day trip with your family, it's not life threatening. What scares me is when a car hacker evolves from messing with your doors to invading your car's computer system.

The possibility of this even stranger and more dangerous crime is lurking on the horizon. Most modern cars use computers to control everything from engine compression to cruise control, airbags and brakes. Those computers communicate with each other on open networks. Using an $80,000 grant from the Defense Advanced Research Projects Agency (DARPA), two researchers recently hacked the onboard computers of a Toyota Prius and a Ford Escape SUV.

They made the Prius accelerate and brake, as well as jerk the wheel while traveling at high speeds. They managed to turn the Ford's steering wheel at low speeds and disable the brakes, which caused researcher Charlie Miller to drive the SUV into his garage and totally destroy his own lawnmower. This is the stuff of nightmares.

"Once you are through that initial barrier, you can and will be able to do almost anything you want to," security researcher Don Bailey recently told NPR.

Beyond Account Takeovers

It gets worse. At last month's Def Con, an annual convention for hackers, Miller and his co-researcher Chris Valasek showed a packed audience how they could drive a brand-new Prius using a Nintendo video game controller from the 1980s. They did it by plugging a laptop into the car's On-board Diagnostics (OBD) jack, which mechanics use to diagnose mechanical problems. Experts believe that soon it will be possible to accomplish this by way of a wireless hack.

Can You Avoid Identity Theft

(Daryl Nelson @ ConsumerAffairs) “Identity theft cannot be prevented. It can’t.” Those were the words uttered by identity theft expert Adam Levin, who’s the chairman and co-founder of Identity Theft 911, a company that provides data protection services for businesses.

This could make a consumer feel pretty helpless. After all, there are things you can do to prevent home burglaries and auto theft, but identity theft? That's another matter.

By now, you’ve probably heard that the Social Security numbers and credit reports of some famous individuals were posted by a covert group of folks who have, so far, done a pretty decent job of staying anonymous and remaining behind digital walls.

So far, the data bandits posted the Social Security numbers of former Vice President Al Gore, presidential candidate Mitt Romney, Michelle Obama and a bunch of entertainment and sports figures like Tiger Woods, Britney Spears, Jay-Z, Kim Kardashian and Mel Gibson.

Additionally, the hackers released bank account and credit card balances of the celebrities since this information was on most of the credit reports.

Now let’s face it, some of you will probably roll your eyes at the fact that some of the rich and famous were hacked into, since it’s logical to think their level of wealth and celebrity makes them bigger targets and more likely to be stolen from.

Too much information

But Levin says everyday consumers should be just as worried, because identity theft isn’t something that can be completely halted, for the mere reason that there’s an unprecedented amount of information being exchanged today.

“There’s way too much information out there about people," said Levin in an interview with ConsumerAffairs.

“People have a tendency to overshare information and there have been so many breaches at so many levels of government and business. And oftentimes businesses put in fairly well-thought-out security systems, but the problem is a security system is only as good as its weakest link and historically people are the weakest link.”

“So you see a company like RSA, which is arguably the most secure company in the world, getting breached, because a low-level employee clicked on a "spear-phishing" email that allowed [others] to crawl into the bowels of the company by collecting his email and following the trail to where it led them and basically compromising the security codes of the company and forcing the company to replace 40 million fobs.”

Levin says that between people’s newly developed need to share, state-sponsored hackers and independent hacktivists, the world presents a new kind of danger that hasn’t been fully grasped by the everyday consumer, and because identity theft is still relatively new—at least in digital realms—a lot of people haven’t realized that they need to do more than change their password every now and then.

New mindset

What needs to happen, says Levin, is that people need to develop a completely new mindset when it comes to dealing with data thieves.

“You’ve got to have a paradigm shift in the way you think, stop thinking you can prevent it,” he says. “It doesn’t mean you shouldn’t do everything you possibly can to minimize your risk of exposure.

“That means you do everything that everybody from the beginning of time when the subject of identity theft comes up has told you: Don’t carry your Social Security number, don’t give information to people you don’t know, don’t click on things ever if you can avoid it, certainly not things that don’t look right."

"Have the best security systems on your computer and your smartphone. People think smartphones are communication devices; they’re really mini storage devices. Shred everything in sight," said Levin.

One of the most effective ways to learn if your identity or financial information has been tampered with is to request a free credit report, which helps people understand and manage their credit better.

If possible, people should look at their credit information on a daily basis to determine if anything looks off, even slightly, and if it does you should immediately jump into action, instead of assuming something was your fault and that maybe you forgot to pay something off on time.

Joining a transactional monitoring program through your bank and credit card company will help you stay on top of each daily transaction, which may sound a bit drastic to some, but Levin says these are the measures that consumers need to take these days.

In short, the level of consumer vigilance needs to be stepped up tenfold if people expect to keep their information secure, Levin says.

Once you sign up with the transactional monitoring program you can either ask to be notified after every transaction or only on those transactions that reach a certain limit.

In addition, Levin says that thieves are stealing information in much more advanced ways today and often it’s not by hacking or by breaking your password.

He says scammers are moving a lot more slowly and more methodically these days, and they'll take long periods of time to gather the information they need before they begin their scam.

Not a hack

In the case of the celebrities, Levin says their information wasn’t actually hacked, it was gradually collected.

“It wasn’t a hack,” he said. “What they did was they assembled all of this information, because that’s what these guys do. They [gather] together information slowly, sometimes from social networking sites, sometimes from businesses of social networking sites and their goal is how much information can they get together to answer the authentication questions.”

Another piece of advice Levin has for consumers is to make up answers for those authentication or security questions that ask you for your mother’s maiden name, for example. Although you may have to write your answer down to remember it, it’ll be hard for someone to use that piece of information in their intended scam.

A big place that people slip up and release personal information is when they’re faced with convenience over using slow and careful safety measures, Levin says.

But even with all of the statistics on identity theft and even after the numerous stories of people having their identities used in a number of different frauds, a lot of people still consider all of the identity theft talk just another scare tactic and just like other dangers in the world, many people don’t believe those dangers will happen to them, at least not on a large scale.

In a poll conducted by research company GFK and released by telecommunications company Omnitel, researchers interviewed 1,000 people, consisting of 500 adult males and 500 adult females.

When the participants were asked if they believed the issue of identity theft was just a scare tactic and not a serious problem, 390 people (39%) said they strongly agreed with that statement. That's a substantial amount and indicative of just how many opportunities there are for people that want to steal your data.

And they’re not just stealing money, scammers are into all kinds of nasty little deeds from child identity theft to medical theft, where a person can steal your information, get medical care under your name and create all types of confusion and harm, says Levin.

What to do

Besides doing all of the traditional things if you learn your information has been stolen or compromised, like changing your passwords and contacting your banks and credit reporting agencies, it’s important to communicate with your insurance company to see what type of identity theft protection you have. In some cases the protection may be free, Levin says.

In addition, filing a police report is imperative.

“You’ve got to file a police report,” Levin says. “If you don’t file a police report it is a nonstarter, because the sense is, if you don’t file a police report that means maybe you’re the identity thief.”

And if your information isn’t just compromised but outright stolen, you’ll have to do a little more legwork, which can be labor-intensive, but extremely necessary to start fixing some of the wrongs that were committed against you.

“You’ve got to communicate with those government agencies that are appropriate,” says Levin.

“There are some states that have an identity password and that’s something where a card is issued in most cases by the Attorney General confirming that you’re a victim, so if you encountered any issues you have the card.”

Can You Hear Me Scam

(Mark Huffman @ ConsumerAffairs) If you answer the phone and hear that question, just hang up!!!

Scammers will often try to bring back old scams that have fallen out of style and make them work. Now, one of the oldest ones, with a new wrinkle, is making a comeback. It's called the "can you hear me" scam.

Not to be confused with Verizon Wireless's old marketing slogan, the "can you hear me" scam is used by outlaws who have established valueless telecommunication services that they trick telephone customers into purchasing.

It works like this: a robocaller dials your number and if you answer, a human being comes on the line. The first thing he or she says is "can you hear me?"

It seems like a perfectly reasonable question. After all, maybe he's having trouble hearing you and thinks there is a bad connection. So you instinctively answer "yes."

The caller hangs up because he's got you. The next thing you know, a charge for some weird service shows up on your phone bill.

So, how did that happen?

Your answer is recorded

When the scammer asked "can you hear me," he or she was recording your answer. The scammer now has your voice saying "yes." The question might have been "can you hear me," but your answer will be spliced to another question, something like "do we have your permission to add the Acme call forwarding service to your telephone account?"

If you'll recall, anytime you change your telephone account, the customer service rep transfers you to a third party who verifies that you are making the change to your account. You give your consent by saying "yes."

But how can the scammer begin to charge your account? You can thank Congress.

Telecommunications Act of 1996

In 1996, Congress updated the Telecommunications Act, adding a provision allowing small, third party companies to market and sell their services to consumers. If a consumer wanted the service, he or she would be billed for it through their local telephone provider.

It was supposed to increase competition, allowing little companies to go head to head with the big boys. But the unintended consequence was the proliferation of something called "cramming" -- whereby unscrupulous companies and outright scammers added these services to customers' phone bills without their permission.

The current scam takes it to another level. It's been reported so far in Virginia, Florida, and Pennsylvania, but there's no reason to think it won't go nationwide soon, if it hasn't already.

So if you answer the phone and the first thing you hear is "can you hear me," fight the urge to respond. Just hang up. You've got a scammer on the other end of the line and engaging him in any kind of conversation could be dangerous.

Can Your Computer Make You An Easy Target For Criminals?

I know many other people, in many different occupations, whose work has been made easier by the Internet. I know many others whose jobs wouldn't even exist if not for the 'net. But it's not just those of us with legitimate jobs who are aided by today's technology. Unfortunately, in our increasingly connected society, it's also easier for criminals to do their dirty work. And I'm not just talking about phishers and hackers and others who operate solely at a distance. Believe it or not, local thieves and con artists benefit from the internet as well...

Take burglars, for instance. Once upon a time, it took some time and effort to be a successful "break and enter" guy. Since most burglars don't want a confrontation - they just want to get in and get the loot and get out as quickly as possible without getting caught - they would spend some time conducting surveillance ("casing the joint") to learn the habits of occupants, to be able to predict when they would be away. They would knock on doors, pretending to be door-to-door salespeople or survey takers, to get a look inside the house so they could determine if there was anything worth stealing. They used clues such as newspapers piling up in the driveway to signal them that homeowners were away on vacation.

Today fewer people subscribe to newspapers - many of us get all our news online or via TV - but that's okay, because burglars have much better sources for finding out that your house is empty. They can just follow you on Twitter or become your FaceBook friend, and you'll let them know not just that you're leaving town, but where you're going and how long you're going to be away. If they're really lucky, you might even post other useful info, such as the fact that your dog died last week, or that your alarm system has been on the blink.

And it's even better (for the burglar) if you also recently bragged about the expensive painting that you just added to your collection or the high-dollar TV that you bought last week. Now there's no need to try to guess, based on the outside of the home, what goodies might be inside. Our bad guy can "shop online" for exactly the merchandise he's interested in stealing. Last year, an Arizona man tweeted that he was going out of town and his home was promptly burglarized. Computer equipment worth thousands of dollars was stolen:

http://www.abc15.com/content/news/southeastvalley/mesa/story/Home-burglarized-after-owner-twittered-he-was/Jq5LLx3ra0exDfw_pwFwOg.cspx

Of course, it could take a lot of time to try to follow the comings and goings of everyone in the neighborhood that you're targeting. Surely, with today's technology, there's a way to expedite the process. Indeed there is; our would-be crook can just go to a helpful web site and find "new opportunities" - posts gathered from social networking sites indicating that people are not at home:

http://pleaserobme.com/

The site ostensibly exists not to help burglars, but to raise people's awareness about posting their location data in public venues. There's nothing illegal about it; they're just aggregating posts that are available to anyone from social networking pages that are open to the public. And according to a survey done by a British insurance and investment management company, 40% of social networking users share their holiday plans on sites like FaceBook and Twitter. If you absolutely must post that you and your whole family are five hundred miles away from home, it might be a good idea to mention in that post how much you're missing your three pit bulls, who had to stay home, or how thankful you are that your cousin, the Marine sharpshooter, volunteered to house-sit while you're gone.

Even if you're diligent about not revealing your location in your posts, that doesn't mean you're safe. Location-aware applications are becoming more and more popular, especially for smart phones, which have built-in GPS chips. Now some laptop computers also include GPS. This means software programs can access the information from the GPS hardware and know where you're located (or more precisely, where your cell phone or laptop is located). Some apps use this information to provide you with location-specific information; for example, if I look up a restaurant with Bing on my Omnia II phone, it displays ads for restaurants that are here close to my house.

Location-awareness can be used by program developers for all sorts of purposes. Some apps (such as Twittelator for the iPhone) let you automatically send your location to your followers. The intent is to be able to keep up with where your friends are so you can get together when you're in the same vicinity. But if you aren't careful, these applications can also expose your location to burglars, stalkers, or other people who will use the information for nefarious purposes.

Google Buzz is a new service that integrates with your Gmail account, and there is a mobile version of it for iPhone, Windows Mobile, Android and Symbian phones. According to the Google folks, "Rather than simply creating a mobile version of Buzz, we decided to take advantage of the unique features of a mobile device - in particular, location." The app can attach location tags to your posts and although this can be turned off, it is one of the key features of the program so many people will be using it without thinking about the ramifications.

https://sites.google.com/a/pressatgoogle.com/googlebuzz/mobile-blog

Another location-centric phone application is Foursquare, which comes in versions for iPhone, Android, Blackberry and Palm. I guess the Foursquare folks are anti-Microsoft, so we WinMo users aren't at risk from this one. The purpose of Foursquare is to "check in" - which means divulging your location so the app can then tell your friends where you are.

http://foursquare.com/learn_more

Yet another similar application is Loopt, which "shows users where friends are located and what they are doing via detailed, interactive maps on their mobile phones. Loopt helps friends connect on the fly and navigate their social lives by orienting them to people, places and events."

http://www.loopt.com/

All of these apps can be fun to use and useful, but it's important to think about the downside of constantly having your whereabouts known. And it's not just your own posts and apps that you have to worry about. If your friend comes over to your house and he tweets that he's visiting his friend, (insert your name here), and his location-aware app sends a map out to all his followers, those people now have your address.

For kids, the dangers are even greater - and they are often too naïve to understand that giving out information about where they are can put them at risk. With so many teenagers and pre-teens carrying cell phones these days, it's something parents need to keep in mind. Of course, location-awareness can also be used by parents to keep tabs on those kids. AccuTracking is just one company that offers real-time cell phone tracking services:

http://www.accutracking.com/

Google Latitude can be used to do basically the same thing, and it's free:

http://forums.wxpnews.com/messageview.aspx?catid=36&threadid=3345&enterthread=y

As for me and my household, we will keep our privacy!

Captcha Battles SpamBots on Web Forms

Once upon a time, you could put a form on the internet, capture good information about your visitors, and use it to serve their needs. Today, SpamBots crawl websites and fill unprotected online forms with profanity, vulgarity, or at the very least, a bunch of nonsense. Then, to add insult to injury, the SpamBots capture the email address that the form is directed to and fill that mailbox with email spam. What to do?

CAPTCHA is an answer.

CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human or a SpamBot. The purpose of CAPTCHA is to block form submissions by SpamBots, which are automated scripts that post spam content everywhere they can.


The idea is to place on the form a security code that humans can read and that computer programs and SpamBots can't read. Computers can read letters and numbers in plain text and in clean images. But if you add a background, a strikethrough, and vary the spacing and pitch, and distort the image, it stops them dead in their tracks. The trick is to find the balance where humans can still read the code but computers can't.

The CAPTCHA we use presents 5 characters randomly picked from 0-9, a-z, plus @#$=?. This character set alone offers 69090840 permutations. However, the computer SpamBot has no idea what character set we used, so it must assume that we used the entire keyboard. That means that it must go through 137^32, or 137 followed by 32 zeros.

To further confuse SpamBots, in the background we add either a grid or a salt 'n' pepper pattern, and we present the characters at different angles, spacings, and sizes. Then we add a little character distortion. Of course the characters change, with a new random pick made on each screen refresh. This has been enough to eliminate virtually all automated form spam.

We tried other methods. For instance, CAPTCHA can present a simple math problem where the human has to supply the answer, like 1+2-2=. But we found that many of the humans could not add and subtract. Another popular method is to present a riddle. But what if the human can’t figure it out? Since we do have a successful track record with 5 character random pick CAPTCHA, we’ll stick with it until something better comes along.
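The image rendering is only half of a CAPTCHA; the other half is how the server generates and checks the code. The following is an added example written for this page, not the form-processing code the article's authors run. It uses the character set the article names (0-9, a-z, @#$=?) and a hypothetical in-memory challenge store; the grid or salt-and-pepper background, rotation and distortion are out of scope here. The points it demonstrates are the ones that usually go wrong on the server side: the code is drawn from a cryptographic random source, the answer is stored only as a salted hash, the comparison is constant-time and case-insensitive, and each challenge token is consumed on its first use so a bot cannot retry guesses against the same image.

```python
"""Server-side handling for a 5-character text CAPTCHA (added illustration,
not the article authors' own code). Assumes the character set the article
names and a hypothetical in-memory store; image rendering is not shown."""
import hashlib
import hmac
import secrets
import time

# Character set stated in the article: digits, lowercase letters, and @#$=?
CHARSET = "0123456789abcdefghijklmnopqrstuvwxyz@#$=?"
CODE_LENGTH = 5
TTL_SECONDS = 300  # assumed lifetime of a challenge before it expires


def new_code():
    """Pick CODE_LENGTH characters with a CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(CHARSET) for _ in range(CODE_LENGTH))


class CaptchaStore:
    """Holds outstanding challenges keyed by an opaque token.

    The answer is kept only as a salted SHA-256 digest, so a leaked store
    or log line does not hand out answers; every token is single-use and
    expires after `ttl` seconds. `now` is injectable so expiry is testable.
    """

    def __init__(self, ttl=TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now
        self._pending = {}  # token -> (salt, digest, expires_at)

    @staticmethod
    def _digest(salt, answer):
        # Case-insensitive: a distorted image does not convey case reliably.
        return hashlib.sha256(salt + answer.strip().lower().encode()).digest()

    def issue(self):
        """Create a challenge and return (token, code).

        The caller renders `code` as the distorted image and sends `token`
        to the browser (e.g. as a hidden form field); the code itself never
        leaves the server in plain text.
        """
        code = new_code()
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(16)
        self._pending[token] = (salt, self._digest(salt, code), self._now() + self._ttl)
        return token, code

    def verify(self, token, answer):
        """Return True only for a live, unused token whose answer matches.

        The token is removed on every attempt, right or wrong, so a bot
        cannot keep guessing against one image or replay a solved one.
        """
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        salt, expected, expires_at = entry
        if self._now() > expires_at:
            return False
        return hmac.compare_digest(expected, self._digest(salt, answer))


if __name__ == "__main__":
    store = CaptchaStore()
    token, code = store.issue()
    print("challenge to render:", code)
    print("correct answer accepted:", store.verify(token, code))
    print("replay of same token rejected:", store.verify(token, code))
```

In a real deployment the store would live in a shared cache rather than process memory so that it survives across worker processes, and the token would be tied to the form session; the single-use and expiry rules are what keep the scheme from degrading into a fixed shared secret.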

Careful What You “Like” & “Share” on Facebook

You might inadvertently be showing support for terrorists, organized crime, a religious organization that you do not agree with, or for material that is vulgar, violent, racist, and sexist.

I know, the picture looks funny, cute, or tugs at your heart strings. But the link behind the picture can lead to a place on the Internet you don't want your friends and family to go, and, more importantly, may imply that you support risqué or illicit activity.

Example:

  • “I Can't Believe I Work This Hard To Be So Poor”… points to a website with adult humor that is vulgar, racist, and sexist.
  • “When they keep talking to the cashier after they already paid for the stuff...” Profanity!
  • “There are only three things that tell the truth...” Leads to profanity, risqué talk, and “a curse”
  • “Simple way of explaining our God Exists” Leads to an evangelical group in the Philippines. They use social media to promote their website and their religion.

Protect your reputation! Careful What You “Like” & “Share” on Facebook

Carnegie Mellon study says cell phone apps are tracking you more than you know

(Jennifer Abel @ ConsumerAffairs) Smartphone users take note: you know that your apps sometimes share information with “third parties” – it's one of those fine-print phrases you see everywhere nowadays – but there's a high chance you'd be horrified if you knew just how much information those apps share: enough to make tracking your movements and whereabouts ridiculously easy.

That's the conclusion computer scientists from Carnegie Mellon reached in a peer-reviewed study they released this week. As Carnegie Mellon News announced: “An experiment at Carnegie Mellon University shows that when people learn exactly how many times these apps share that information they rapidly act to limit further sharing.”

That experiment was simplicity itself: 23 smartphone users in the study signed up to receive a daily message called a “privacy nudge” telling them how many times their apps shared their location, phone call logs, contact lists or other information.

Those numbers were considerably higher than any of the study participants expected. One smartphone user received this notable privacy nudge: “Did you know? Your location has been shared 5398 times with Facebook, Groupon, GO Launcher EX and seven other apps in the last 14 days.”

Study participants were not happy with the results. “4,182 [times] — are you kidding me?” one of them asked. “It felt like I’m being followed by my own phone. It was scary. That number is too high.”

Sometimes it's necessary

Of course, a certain amount of location-tracking is necessary for various location-specific apps: you can't get discount offers from your local neighborhood businesses unless the app can determine exactly where “your local neighborhood” actually is.

Problem is, many apps seem to check locations far more frequently than necessary to provide their services. For example, the Weather Channel's app doesn't merely request device locations when necessary to provide location-specific weather forecasts; the Wall Street Journal noted that the app requested locations an average of once every ten minutes during the study period.

Groupon's app, which offers discount deals at local businesses, requested one smartphone user's coordinates 1,062 times in two weeks. Tracking a device's location every 10 minutes, or even every 20, is enough to provide a pretty comprehensive overview of that device-holder's regular movements and whereabouts.

Norman Sadeh, one of the Carnegie Mellon professors who co-wrote the study, said: “Does Groupon really need to know where you are every 20 minutes? The person would have to be accessing Groupon in their sleep.” (Neither Groupon nor the Weather Channel have offered comment about the study.)

Further complicating the problem is the fact that, as Sadeh noted, “The vast majority of people have no clue about what’s going on.” Indeed, most smartphone users have no way of accessing the relevant data about their apps' behavior anyway — but the study shows that when smartphone users do manage to get this information, they quickly change their privacy settings.

Change default password on home router before hackers do it for you

(Jennifer Abel @ ConsumerAffairs) This rule applies to any password-protected device you buy

Here's a piece of home-computer-security advice which sounds too insultingly obvious to mention: when you buy a password-protected, wirelessly controlled anything, you need to assign it a new custom password right away. Otherwise, your new device can easily be hacked by anybody who knows its factory-set default password.

As obvious as this recommendation sounds, astonishing numbers of people continue to ignore it. There are even voyeurism websites devoted to streaming camera footage from unprotected personal IP (Internet protocol) cameras, of the sort found in wireless home baby monitors, or even laptop or computer webcams.

It's especially important to set a strong password on your home wireless Internet router, or else hackers will find it ridiculously easy to steal your online banking information and any other sensitive data you send over your home connection.

This week, security blogger Brian Krebs reported a new scam which so far seems limited to home Internet users in Brazil but could come to the United States with ridiculous ease, because the scammers operate by taking control of home wireless routers whose owners never changed their factory-set default passwords:

Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam campaign sent to a small number of organizations and targeting primarily Brazilian Internet users. The emails were made to look like they were sent by Brazil’s largest Internet service provider, alerting recipients about an unpaid bill. In reality, the missives contained a link designed to hack that same ISP’s router equipment.

What makes such security threats especially dangerous is that they can completely bypass ordinary computer-security tools, such as antivirus protection.

Did you change the default password on your router when you first installed it? As Krebs said, “If you don’t know whether you’ve changed the default administrative credentials for your wired or wireless router, you probably haven’t.”

If you visit RouterPasswords.com and type in the make and model of your router, you will learn its default password. If you do need to change yours, remember as always to give it its own unique password, rather than use the same one across multiple accounts.

Chase slapped for illegally robo-signing court documents

(Truman Lewis @ ConsumerAffairs) The bogus debt sales led to collection efforts against consumers

JPMorgan Chase faces more than $200 million in penalties and refund payments for selling "zombie debts" and illegally robo-signing court documents as a result of enforcement actions by the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency and 47 states.

Chase allegedly sold bogus debts to third-party debt buyers -- accounts that were inaccurate, settled, discharged in bankruptcy, not owed, or otherwise not collectible. Many of the debt buyers then began hounding consumers in an attempt to collect the non-existent debts.

“Chase sold bad credit card debt and robo-signed documents in violation of law,” said CFPB Director Richard Cordray. “Today we are ordering Chase to permanently halt collections on more than 528,000 accounts and overhaul its debt-sales practices. We will continue to be vigilant in taking action against deceptive debt sales and collections practices that exploit consumers.”

The order requires Chase to document and confirm debts before selling them to debt buyers or filing collections lawsuits. Chase must also prohibit debt buyers from reselling debt and is barred from selling certain debts. Chase is ordered to permanently stop all attempts to collect, enforce in court, or sell more than 528,000 consumers’ accounts.

Chase will pay at least $50 million in consumer refunds, $136 million in penalties and payments to the CFPB and states, and a $30 million penalty to the Office of the Comptroller of the Currency (OCC) in a related action.

The CFPB found that Chase violated the Dodd-Frank Wall Street Reform and Consumer Protection Act’s prohibitions against unfair, deceptive, or abusive acts and practices. Chase sold faulty and false debts to third-party collectors, including accounts with unlawfully obtained judgments, inaccurate balances, and paid-off balances.

Chase also sold debts that were owed by deceased borrowers. Chase also filed misleading debt-collections lawsuits against consumers using robo-signed and illegally sworn statements to obtain false or inaccurate judgments for unverified debts.

Chinese hackers seen as increasingly professional

Beijing hotly denies accusations of official involvement in massive cyberattacks against foreign targets, insinuating such activity is the work of rogues. But at least one element cited by Internet experts points to professional cyberspies: China's hackers take the weekend off.

Accusations of state-sanctioned hacking took center stage this past week following a detailed report by a U.S.-based Internet security firm Mandiant. It added to growing suspicions that the Chinese military is not only stealing national defense secrets and harassing dissidents but also pilfering information from foreign companies that could be worth millions or even billions of dollars.

Experts say Chinese hacking attacks are characterized not only by their brazenness, but by their persistence.

"China conducts at least an order of magnitude more than the next country," said Martin Libicki, a specialist on cyber warfare at the Rand Corporation, based in Santa Monica, California. The fact that hackers take weekends off suggests they are paid, and that would belie "the notion that the hackers are private," he said.

Libicki and other cyber warfare experts have long noted a Monday-through-Friday pattern in the intensity of attacks believed to come from Chinese sources, though there has been little evidence released publicly directly linking the Chinese military to the attacks.

Mandiant went a step further in its report Tuesday, saying that it had traced hacking activities against 141 foreign entities in the U.S., Canada, Britain and elsewhere to a group of operators known as the "Comment Crew" or "APT1," for "Advanced Persistent Threat 1," which it traced back to the People's Liberation Army Unit 61398. The unit is headquartered in a nondescript 12-story building inside a military compound in a crowded suburb of China's financial hub of Shanghai.

Attackers stole information about pricing, contract negotiations, manufacturing, product testing and corporate acquisitions, the company said.

Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear.

China denies any official involvement, calling such accusations "groundless" and insisting that Beijing is itself a major victim of hacking attacks, the largest number of which originate in the U.S. While not denying hacking attacks originated in China, Foreign Ministry spokesman Hong Lei said Thursday that it was flat out wrong to accuse the Chinese government or military of being behind them.

Mandiant and other experts believe Unit 61398 to be a branch of the PLA General Staff's Third Department responsible for collection and analysis of electronic signals such as e-mails and phone calls. It and the Fourth Department, responsible for electronic warfare, are believed to be the PLA units mainly responsible for infiltrating and manipulating computer networks.

China acknowledges pursuing these strategies as a key to delivering an initial blow to an opponent's communications and other infrastructure during wartime -- but the techniques are often the same as those used to steal information for commercial use.

China has consistently denied state-sponsored hacking, but experts say the office hours that the cyberspies keep point to a professional army rather than mere hobbyists or so-called "hacktivists" inspired by patriotic passions.

Mandiant noticed that pattern while monitoring attacks on the New York Times last year blamed on another Chinese hacking group it labeled APT12. Hacker activity began at around 8:00 a.m. Beijing time and usually lasted through a standard workday.

The Rand Corporation's Libicki said he wasn't aware of any comprehensive studies, but that in such cases, most activity between malware embedded in a compromised system and the malware's controllers takes place during business hours in Beijing's time zone.

Richard Forno, director of the University of Maryland Baltimore County's graduate cybersecurity program, and David Clemente, a cybersecurity expert with independent analysis center Chatham House in London, said that observation has been widely noted among cybersecurity specialists.

"It would reflect the idea that this is becoming a more routine activity and that they are quite methodical," Clemente said.

The PLA's Third Department is brimming with resources, according to studies commissioned by the U.S. government, with 12 operation bureaus, three research institutes, and an estimated 13,000 linguists, technicians and researchers on staff. It's further reinforced by technical teams from China's seven military regions spread across the country, and by the military's vast academic resources, especially the PLA University of Information Engineering and the Academy of Military Sciences.

The PLA is believed to have made cyber warfare a key priority in its war-fighting capabilities more than a decade ago. Among the few public announcements of its development came in a May 25, 2011 news conference by Defense Ministry spokesman Geng Yansheng, in which he spoke of developing China's "online" army.

"Currently, China's network protection is comparatively weak," Geng told reporters, adding that enhancing information technology and "strengthening network security protection are important components of military training for an army."

Unit 61398 is considered just one of many such units under the Third Department responsible for hacking, according to experts.

Greg Walton, a cyber-security researcher who has tracked Chinese hacking campaigns, said he's observed the "Comment Crew" at work, but cites as equally active another Third Department unit operating out of the southwestern city of Chengdu. It is tasked with stealing secrets from Indian government security agencies and think tanks, together with the India-based Tibetan Government in Exile, Walton said.

Another hacking outfit believed by some to have PLA links, the "Elderwood Group," has targeted defense contractors, human rights groups, non-governmental organizations, and service providers, according to computer security company Symantec.

It's believed to have compromised Amnesty International's Hong Kong website in May 2012, although other attacks have gone after targets as diverse as the Council on Foreign Relations and Capstone Turbine Corporation, which makes gas microturbines for power plants.

Civilian departments believed to be involved in hacking include those under the Ministry of Public Security, which commands the police, and the Ministry of State Security, one of the leading clandestine intelligence agencies. The MSS is especially suspected in attacks on foreign academics studying Chinese social issues and unrest in the western regions of Tibet and Xinjiang.

Below them on the hacking hierarchy are private actors, including civilian universities and research institutes, state industries in key sectors such as information technology and resources, and college students and other individuals acting alone or in groups, according to analysts such as the University of Maryland's Forno.

China's government isn't alone in being accused of cyber espionage, but observers say it has outpaced its rivals in using military assets to steal commercial secrets.

"Stealing secrets is stealing secrets regardless of the medium," Forno said. "The key difference is that you can't easily arrest such electronic thieves since they're most likely not even in the country, which differs from how the game was played during the Cold War."


Cisco VoIP Security Fears

(Mark Huffman Consumer Affairs) Voice over Internet Protocol (VoIP) telephones are much more common now, providing an alternative to traditional phone service. But because the system uses the Internet for its voice communications, the technology may have more security vulnerabilities than a traditional telephone system.

Columbia University computer science professor Salvatore Stolfo and PhD candidate Ang Cui say they have found serious vulnerabilities in VoIP telephones made by Cisco. They note these devices are used around the world by a broad range of networked organizations, from governments to banks to major corporations.

At a recent conference on the security of connected devices, Cui demonstrated how easy it is to insert malicious code into any of the 14 models of Cisco VoIP phones. Not only can the hacker start eavesdropping on private telephone conversations, the telephone mouthpiece also acts as a microphone when the phone is not in use, allowing the hacker to listen in on what's going on in the room.

Software flaw

According to Cui and Stolfo, the problem stems from the software running on the small computer inside the phone. The software, they say, has many security flaws.

They say they are particularly concerned with embedded systems that are widely used and networked on the Internet, including VoIP phones, routers and printers. And they say the problem is not limited to just one company.

“It’s not just Cisco phones that are at risk,” Stolfo said. “All VoIP phones are particularly problematic since they are everywhere and reveal our private communications. It’s relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones -- they are not secure.”

The professor and his student have proposed a fix, developing a new defensive software called Symbiotes. It's designed to safeguard embedded systems from malicious code injection attacks into these systems, including routers and printers. It can be installed on new systems as well as old systems that are already in place.

Patch called 'ineffective'

Since Stolfo and Cui first made their findings public Cisco has issued a patch for its VoIP systems but Cui said it's ineffective.

“It doesn’t solve the fundamental problems we’ve pointed out to Cisco,” Cui said. “We don’t know of any solution to solve the systemic problem with Cisco’s IP Phone firmware except for the Symbiote technology or rewriting the firmware.”

Consumer use of VoIP services has taken off since 2004. Consumers utilize existing broadband Internet access and can place and receive telephone calls just like they would on a traditional telephone system. Since that time, Vonage has become a major provider of consumer VoIP services.

In recent years corporations have also made the move to VoIP systems because they tend to be much cheaper to operate.


Cloud Security IT Managers Speak Their Mind

Imagine being able to tap into the knowledge of 200 IT managers all in some stage of cloud development. Imagine being able to get a better understanding of how they are handling the biggest questions of cloud deployment, security. Imagine if their experiences could be boiled down to 5 common feedback points. Well imagine no longer.

Watch this video, IT Managers Speak Out about Cloud Security, for the comprehensive results of a survey of 200 IT managers and what they are saying, but more importantly doing about the cloud in their organizations.


Comcast using YOUR Wi-Fi as a hotspot – how to disable it

( @ BGR) Comcast has a brand new feature for its Internet subscribers called Xfinity Wi-Fi, but it’s going about it the wrong way, likely making even more enemies in the process. SeattlePi reports that Comcast is turning some of the Wi-Fi routers placed in the homes of subscribers into a “massive public Wi-Fi hotspot network,” but it’s doing so without giving customers the opportunity to opt out before the service is rolled out.

In theory, Xfinity Wi-Fi sounds like a neat idea, as it can provide free Internet access to other Xfinity subscribers as long as they’re within reach of such an Xfinity Wi-Fi hotspot. Moreover, the extra load on the router does not affect the bandwidth of the customer who houses it, as the device creates two independent networks, one private, and one public, using additional bandwidth for the public one.

As such, any users on the public Xfinity Wi-Fi network will not slow down customers’ connections, according to the company.

Comcast apparently informed its subscribers about the move in the mail a few weeks ago, and then email notifications go out after the service is turned on for each user. The company on Tuesday turned 50,000 Comcast Internet customers into public Wi-Fi providers in Houston, with 100,000 more hotspots to be activated by the end of June.

Users only have the opportunity to disable the service after it’s activated. A Comcast FAQ section further details Xfinity Wi-Fi, while the following guide, as listed by SeattlePi, should help Comcast customers disable the new Xfinity Wi-Fi hotspot feature:

Log into your Comcast account page at customer.comcast.com.
Click on Users & Preferences.
Look for a heading on the page for “Service Address.” Below your address, click the link that reads “Manage Xfinity WiFi.”
Click the button for “Disable Xfinity Wifi Home Hotspot.”
Click Save.

Companies Salt Servers With Fake Data To Thwart Hackers

And so, to confront one of the newest and most damaging crimes, it turned to one of the oldest tricks in human history: deception.

The Waseca, Minn., company began planting fake data in Web servers to lure hackers into “rabbit holes” in the hopes of frustrating them into giving up. The bait was varied — including bogus user log-ins and passwords and phony system configuration files. Anyone who took it was being watched by Brown, their computer locations tagged and their tactics recorded.

“We’re taking the hackers’ strengths and we’re making it their weaknesses,” said Nathan Hosper, a senior information technology officer at Brown. “They get caught up in this cycle of fake information.”

Brown is only one of a number of companies that are adopting tactics long used by law enforcement and intelligence agencies to turn the tables on hackers.

The emerging trend reflects a growing sense in industry that companies need to be more aggressive in fighting off intruders as the costs of digital espionage soar. The theft of intellectual property and other sensitive documents — from military weapon designs to files on contract negotiations — is so rampant that senior U.S. officials say it may be the most significant cyberthreat the nation faces over the long term.

“Companies are tired of playing defense,” said Michael DuBose, a former chief of the Justice Department’s Computer Crime and Intellectual Property Section who now handles cyber-investigations for Kroll Advisory Solutions. “They want to feel like they actually can fight back. Most of us in the industry agree that we ought to push the envelope to protect the rights and properties of U.S. businesses.”

In the parlance of network security, digital deception is known as a type of “active defense,” a controversial and sometimes ill-defined approach that could include techniques as aggressive as knocking a server offline. U.S. officials and many security experts caution companies against taking certain steps, such as reaching into a person’s computer to delete stolen data or shutting down third-party servers.

Those actions probably would violate federal law, FBI officials said. The bureau also warns that the use of deceptive tactics could backfire — hackers who identify data as bogus may be all the more determined to target the company trying to con them.

Just how far companies should be allowed to go to defend themselves is the subject of intense debate in the industry and on Capitol Hill.

Rep. Mike Rogers (R-Mich.), the chairman of the House Intelligence Committee, said at a recent conference that disrupting another party’s server is an offensive act that could trigger retaliation that a company might not be prepared for. “It’s best not to go punch your neighbor in the face before you hit the weight room,” he said.

Nonetheless, most experts say deceptive tactics fall within legal boundaries, as long as fake data are planted only inside a company’s network and do not damage a third party’s computer system. Such tactics, they argue, can also be highly effective.

Digital deception tools date back at least 20 years in the academic research community. They are sometimes called “honey pots,” reflecting the notion that they not only attract hackers but keep them inside a network long enough so that they can be watched.

“The use of deception is a very powerful tool going back to Adam and Eve,” said Salvatore Stolfo, a Columbia University computer science professor who has created a technique that uses decoy data to trick intruders. “If the hackers have to expend a lot of energy and effort figuring out what’s real and what’s not, they’ll go elsewhere.”

Anecdotal evidence suggests the techniques can work in the private sector.

Stolfo, whose research is funded by the Pentagon and the Department of Homeland Security, tested his technology with a major U.S. bank two years ago. The bank put $1,000 in an online decoy account registered to a fictitious user, then Stolfo exposed the account to malware from Web sites controlled by hackers. Within three days, the bank began seeing attempts to shift money from the dummy account into a real account, whose owner the bank knew, Stolfo said.

The bank shut the fake account. Had it been a real theft, the bank would have turned the culprit in to the FBI, said Stolfo, who has created the firm Allure Security to bring the technology to market.

In another case, a Northern Virginia cybersecurity firm that works closely with U.S. intelligence agencies and has been targeted by hackers in China has used honey pots to collect data on intruders. The firm, whose director requested anonymity to avoid drawing attention to the company, has created encrypted data files labeled with the names of Chinese military systems and put them in folders ostensibly marked for sharing with the National Security Agency and the CIA.

With such bait, the firm has been able to document how individual hackers work and has linked their pseudonyms, which are sometimes embedded in source code, to real people. The honey pot “has given us a lot of information about these guys,” the director said. “It confounds them.”

Some experts point out that deceptive tactics can inadvertently ensnare ordinary customers and possibly pose liability risks. But software companies say they are mindful of that danger.

Mykonos Software, a San Francisco company that created the tools used by Brown Printing, began using fake data commercially about three years ago, said David Koretz, the firm’s founder and general manager. Mykonos places the false data on clients’ Web sites in places no ordinary customer would look, such as in source code and in configuration files that only a real system administrator or a hacker would find useful.

“When the good guy uses the site, they’re never going to touch the fake things,” Koretz said. When a hacker hits a piece of false code, Mykonos, which is owned by Juniper Networks, tags him with a “super cookie,” a digital file that tracks his device. “We’re now tracking every bad thing he does,” he said.

Sometimes, he said, a hacker trying to trick a client’s server into giving him access might be met with a surprise. He might see a Google Map pop up on his screen identifying his location, next to a list of nearby lawyers and a note reading, “It looks like you’re going to need a criminal attorney.”

Within the first week that Brown Printing installed the deception tools in 2010, it detected 375 suspicious probes against its Web sites. “That was the first time that we could say, ‘Wow, we’re seeing those events and we know what’s occurring,’ ” said Hosper, the senior information technology officer.

The bottom line, he said, is the feeling that “you’re no longer just having to sit passively by and take it. You have the ability to take control of the situation.”
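The tactic the article describes, planting bogus logins in places only an intruder would read and then watching who uses them, is what the research community calls a honeytoken. The following is an added example, not Brown Printing's, Mykonos Software's or Allure Security's code: it renders a bait credentials file and scans constructed authentication log lines for any attempt to use the decoy account names. The account names, the config layout, the log format and every log line are invented for the example; the addresses come from the RFC 5737 documentation ranges. Because no legitimate user ever learns the decoy names, a single match is a high-confidence signal with no false-positive problem to tune.

```python
"""Honeytoken detection: decoy credentials that no legitimate user knows.

Constructed example; the decoy names, config layout, log format and log
lines are all invented here and are not from any real deployment.
"""
import re
from dataclasses import dataclass

# Decoy accounts. Assumption: they exist nowhere in the real user directory,
# so any authentication attempt naming them means someone read the bait.
DECOY_USERS = frozenset({"backup_admin", "svc_legacy_db"})


def make_bait_config() -> str:
    """Render the planted config file. It is meant to look like a forgotten
    credentials file but contains only decoy values (constructed)."""
    return (
        "# db-legacy.conf (deprecated, kept for the old reporting job)\n"
        "db_host=192.0.2.10\n"
        "db_user=svc_legacy_db\n"
        "db_pass=Winter2010!\n"
        "admin_user=backup_admin\n"
        "admin_pass=backup123\n"
    )


# Constructed auth-log format:
#   "<iso-ts> <host> auth: <ACCEPT|REJECT> user=<name> src=<ipv4>"
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>ACCEPT|REJECT) "
    r"user=(?P<user>\S+) src=(?P<src>[0-9.]+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    result: str


def scan_auth_log(lines, decoys=DECOY_USERS):
    """Return one Alert per authentication attempt against a decoy account.
    Lines that do not match the format are skipped rather than guessed at."""
    alerts = []
    for raw in lines:
        m = AUTH_LINE.match(raw.strip())
        if not m:
            continue
        if m["user"] in decoys:
            alerts.append(Alert(m["ts"], m["host"], m["user"], m["src"], m["result"]))
    return alerts


def tagged_sources(alerts):
    """Distinct source addresses that touched the bait: the list a defender
    would feed into monitoring, since no customer has a reason to be on it."""
    return sorted({a.src for a in alerts})


# Constructed log excerpt. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = [
    "2013-01-14T09:12:01Z web01 auth: ACCEPT user=alice src=198.51.100.23",
    "2013-01-14T09:12:44Z web01 auth: REJECT user=alice src=198.51.100.23",
    "2013-01-14T09:13:05Z web01 auth: REJECT user=svc_legacy_db src=203.0.113.7",
    "2013-01-14T09:13:06Z web01 auth: REJECT user=backup_admin src=203.0.113.7",
    "garbage line that should be ignored",
    "2013-01-14T09:15:30Z web02 auth: ACCEPT user=bob src=198.51.100.41",
]

if __name__ == "__main__":
    for a in scan_auth_log(SAMPLE_LOG):
        print(f"DECOY USE {a.ts} user={a.user} from {a.src} ({a.result})")
    print("sources to watch:", tagged_sources(scan_auth_log(SAMPLE_LOG)))
```

Note what is not in the block: nothing reaches back to the source address, no third-party system is touched, and the bait file holds values that unlock nothing. That keeps the deception inside the company's own network, which is the line the experts quoted above draw between legal deception and the more aggressive forms of "active defense".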


Computer Crime When and How To Report It

You hear a lot about computer crime, and you know that good citizens report criminal activities to the proper authorities. But you also know that, in practice, the police often don’t have the time and manpower to deal with every minor offense.

As good citizens, we should report computer crimes to the proper authorities. However, many of us are not sure exactly which of the activities we observe are illegal and should be reported, or to whom we should report them.

This article is designed to help you make that decision with confidence. We will cover ten potentially reportable activities and group them into three categories: activities you should not report, activities you may report, and activities you should always report. We’ll also provide contact information for the law enforcement agencies that investigate computer crime.

In general, computer crime laws in the U.S. can be divided into two categories: federal offenses and state offenses. If a state statute applies, you can call your local police department or state police agency – but they may or may not have the technical expertise and resources to conduct a proper investigation. The FBI and other federal agencies, on the other hand, may be able to get more done – if the case is important enough for them to get involved.

Before reporting any incident to law enforcement, follow your chain of command within the company and ensure that upper management approves. Involving law enforcement can result in significant costs. For example, personnel may be required to take time off to prepare for and appear at trial; equipment may be confiscated as evidence and not returned for long periods; and the company's "inside" information may be subpoenaed by the defense attorneys and exposed to the public through the media before and during the trial. It's not a decision that you would want to make alone.

Don’t report port scanning and similar “non-intrusive” activities.

Although port scanning is often a precursor to intrusion or attack, in most jurisdictions it’s not, in itself, a crime. It’s more like walking down a hallway in an apartment building and trying each door to see if it’s locked. If the person finds an unlocked door and goes inside, that’s criminal trespass – but as long as they don’t go inside, they haven’t committed a crime.

Don’t report viruses, Trojans, worms, and Spyware to law enforcement agencies.

Although malicious software is a huge problem that does a great deal of damage and costs companies millions of dollars, law enforcement agencies generally don’t (can’t) respond to individual malware reports. While those who release viruses and other malware can be prosecuted under Title 18 of the U.S. Code, prosecutors generally go after those whose malware is widely distributed and causes a large amount of harm. If you encounter a new variety of malware, check the pages of popular antivirus vendors and report to them if it isn’t listed. Remember that the sender of a virus often doesn’t even know he/she is sending it. However, if you have evidence that a particular person actually wrote and originally released a piece of malware, you should contact local law enforcement or the FBI computer crime squad.

You may report intrusions and attacks that bring down the network.

Unauthorized access to a computer network is a crime under the laws of many states. If there is little or no documentable injury or monetary loss, however, you may find that law enforcement agencies simply file a report and don’t do much more. Jurisdictional issues and caseload often prevent in-depth investigation of computer crimes that are considered “minor.”

Report intrusions/attacks on large corporations dealing with sensitive data.

If sensitive data such as client financial information, medical records, customer credit card information, social security numbers, and the like has been compromised, you should report it to the authorities. This is also true if the company has government / defense contracts or deals with other types of regulated information. The FBI’s computer crime squad investigates major network intrusions and network integrity violations. You can report these types of attacks to both federal and local/state authorities and let them sort out the jurisdictional issues.

Report intrusions or attacks that result in large monetary losses.

The amount of monetary loss often determines whether a theft type offense is considered a misdemeanor or felony. Felony offenses will get more attention from law enforcement agencies.

Report cases of suspected industrial espionage.

If an intruder goes after your company’s trade secrets, this is a serious federal offense that will be investigated by the FBI.

Report cases involving child pornography.

This is an offense that is taken very seriously by law enforcement. If child pornography is discovered on any company computer and is not promptly reported, the company and its management may be implicated or held liable in a civil lawsuit.

Report e-mailed or other digitally transmitted threats.

All states have laws against threatening and harassing communications. Physical threats against individuals, terroristic threats, bomb threats, blackmail, and similar electronic communications should be reported to local police.

Report Internet fraud to the IFCC.

If one of your users is a victim of “phishing” scams or other fraudulent activities perpetrated by e-mail or the Web, report it to the Internet Fraud Complaint Center (IFCC), which is operated by the FBI in conjunction with the National White Collar Crime Center.

Report suspected terrorist activities.

If you suspect that your network is being used for communications between terrorists, report it to your local police agency, the U.S. Department of Homeland Security, or via the FBI’s “tips” Web site.

Local/State Law Enforcement: Call your local police department, county sheriff’s office or state police agency. Do not call 9-1-1. Ask for the agency’s high tech crimes unit or, in smaller agencies, the criminal investigation division.

FBI Computer Crimes Squad: nccs@fbi.gov or 202-324-9164

FBI Tips site: https://tips.fbi.gov/

US Secret Service Form 4017 - Cyber Threat/Network Incident Report: http://www.secretservice.gov/net_intrusion_forms.shtml

Internet Fraud Complaint Center: http://www.ifccfbi.gov/index.asp

National White Collar Crime Center (NW3C): http://www.nw3c.org/

FTC Identity Theft Web site: http://www.consumer.gov/idtheft/index.html

Computer Virus Got You Down - What To Do

“Boy, is my computer S L O WWW.” “Some of my programs don’t run at all.” “The internet just crawls.” Have you experienced these problems? One person purchased a new computer because the old one was so slow. In a couple of weeks the new computer was slow too. It wasn’t the computer, it was computer viruses.

Where do they come from? Most folks today still think that viruses come from teenagers sowing some wild oats, kind of like kids spray-painting graffiti on a bridge, toilet papering a house, or putting dish soap in a public fountain. But not so. According to TechNewsDaily, much of the virus threat comes from organized crime in the U.S., Russia, China, and North Korea, and it is a billion-dollar industry.

How do they make their money? Viruses or BotNets can bombard unprotected computers with pop-up ads. It just amazes me that people buy stuff that they see on a virus generated pop-up ad, but they do – bunches of it!

Other BotNets are designed to watch what you do with your computer. They look at where you go on the internet, how long you stay on an internet site, and where you go next…, without your knowledge or permission. This data is sent to and collected on websites. Companies buy this data and use it to optimize their websites in order to make their products and services more attractive and accessible. Over time, your computer may attract hundreds of BotNet viruses that can tie up computer resources and monopolize your internet bandwidth, making your speedy computer run like a sloth.

Still other BotNets scour computers for personal information that can be used to empty bank accounts and max out your credit cards.

How do they get on my computer? On Windows computers, the number one method for computer infection is a computer that does not have the latest Microsoft updates and patches. WebBots crawl the internet looking for such computers. Once found, they exploit the unpatched vulnerability, install themselves, and go to work infecting your computer. 

The number two way to infect a computer is to convince the computer owner to infect himself. Deceptive emails are sent promising jobs, love, or a little internet humor. These emails usually carry an attachment that packs a lethal virus payload OR a link to a website that installs the virus. Once installed, the virus will disable your antivirus, then it will open a “back door” on your computer and download other viruses. Next it will propagate itself by using your email software to send the virus to your friends and family, while it collects sellable data. What Rotten Scoundrels!

How can we protect ourselves from Viruses?

1. Use good antivirus software and keep it up-to-date. All of the expensive brands work, and there are some free antivirus packages, like AVG Free and Avast, that will do a good job too. The key is, keep the antivirus software up-to-date by using the automatic update function within the software!

2. Install the Microsoft patches and updates. Windows has an Auto Update function that can be turned on so that updates occur without you doing anything. Turn it on and use it!

3. Handle your email with care. If you receive something from somebody you don’t know, why look at it? If the email is a “get rich quick” scheme, or looks like it is too good to be true, it probably is, and may be a virus, too. And most importantly, do not click the attachment or link.

4. Also, look closely at email you receive from friends and family. If the email is out of character for what that person usually sends to you, it may be infected with a virus.

Even folks that do all the right things get viruses occasionally. If you get a virus, simply turn your computer off and call an expert. Acting quickly will help minimize the damage caused by viruses. There is no reason to live in fear of viruses. Simply follow these suggestions, use a little common sense, and your computer experience will be enjoyable, productive, and virtually virus free.

Consumers Give Little Thought to Online Privacy

President Obama last week unveiled a proposed Consumer Privacy Bill of Rights that, in essence, gives consumers the right to control what information companies can collect from their web browsing and how they use it.

For such a system to be effective, however, one privacy expert says consumers are going to have to become more serious about privacy issues. Fred Cate, who directs the Center for Applied Cybersecurity Research at Indiana University, says Obama's proposal is noble, but will probably fail because "it puts the power of consent into the hands of a public that, for the most part, doesn't know what to do with it and cannot use it effectively to protect privacy."

At the core of the legislative proposal is what the Obama administration calls the "Consumer Control Principle," which would give consumers the right to exercise control over what personal data is collected and how it is used. That is typically achieved through voluntary consent.


Corporate Networks Infected by Porn Viewing Managers


(Jose Pagliery @ CNNMoney) Want to stop nasty worms from spreading on corporate networks? It would help if bosses stopped going to porn sites. A surprising number of IT professionals say they have to clean up corporate devices infected by executives who went to porn sites.

According to a recent survey by software firm ThreatTrack Security, 40% of tech support employees admit they've had to clean an executive's corporate device after the boss visited an infected porn website.

The survey, conducted in October, shows that while it's generally gotten easier for companies to defend themselves from outside attacks, bosses' bad habits make it difficult to keep up. Here are some other mistakes executives make:

  • 56% got malware from clicking on a bad link or getting duped by a fake "phishing" email.
  • 47% attached an infected device, like a thumb drive or smartphone, to their PC.
  • 45% got a virus when they let a family member use a company computer.
  • 33% installed a malicious app on their company device.


Part of the problem is that employees are less cautious with their iPhones and Android smartphones than they are with their office computers, said Dipto Chakravarty, an engineering and products executive at ThreatTrack. But the risk is the same, because the devices are connected to a company's network.

The problem seems to be getting worse now that many companies have adopted the "bring your own device" approach, allowing workers to connect to company networks with their personal devices.

Currently, 36% of companies have a BYOD policy, according to networking giant Cisco (CSCO, Fortune 500) and the British telecom BT (BT).

Companies quiet about hacks: The study also found that 57% of IT analysts say they've confronted a data breach that the company decided to keep secret from customers, partners or shareholders.

Smaller corporations are the least likely to hide that they've been hacked. Those spending less than $500,000 a year on IT security kept quiet less than 30% of the time. Mid-sized companies were most likely to keep things under wraps. Companies with budgets between $500,000 and $10 million remained mute about 76% of breaches.

But the largest companies -- those spending more than $10 million annually on tech security -- stayed silent on just 37.5% of cases.

Chakravarty said it's understandable why some companies try to avoid the scrutiny that would come from admitting they've been hacked.

"It's not in the company's interest to admit there's a data breach," Chakravarty said, adding that the time and money spent to combat the problem will be "astronomically high."

Companies are worried about losing their customers' trust as well. If a business admits it has been hacked, consumers might worry about the firm's ability to keep their credit cards or passwords protected -- and take their business elsewhere.

But it looks like many of these data breaches could be avoided if executives just didn't do stupid things like viewing porn on their phone.

Could Your Business Be Hacked

The latest massive data breach of Visa and MasterCard customers that occurred at Global Payments is just another reminder of how sensitive information can be. While up to three million accounts may be affected, small business owners should take note—experts say no matter what size your company is or how much data you have in your possession, you are just as susceptible to hackers as your larger counterparts.

Alan Wlasuk, managing partner at 403 Web Security, said small businesses almost never give data protection the attention necessary to properly safeguard their information.

“Most believe they are too small, or their data or business is not large enough for hackers to care about them,” Wlasuk said. “They’re not aware of the security problems they might have in their environment.”

Even what may seem like insignificant data like user logins and passwords, for example, should always been encrypted, he said. Most consumers will reuse their logins and passwords on Websites across the board, so hackers will have access to more sensitive information than just what your business has on file.

Ondrej Krehel, CISO at Identity Theft 911, said small businesses often overlook the regulations they must be in compliance with when securing consumer information.

“They need to get more familiar with the standard industry requirements—that should be their number one priority,” Krehel said.

So while you may think your small business is off the radar for hackers, Krehel and Wlasuk said that’s not so.  Here are their tips for getting your business in check with data protection, and keeping your information, and your customers’ data, safe.


Could hackers seize control of your car?

A student at the Freie Universitaet Berlin steers a converted Dodge minivan remotely with an iPhone in November 2009.

(CNN) -- When car companies begin exhibiting at mobile phone shows, it's a sign that the "connected" vehicle has truly arrived -- allowing us to take our digital lives with us as we hit the highway.

But while Ford's unveiling of its latest car at Mobile World Congress -- a major cell phone industry event -- this week may have heralded a new automotive age, it also heightens fears that our technology-crammed cars could be hijacked by hackers.

Just like our PCs and smartphones, the computerized components that have infiltrated almost every aspect of modern vehicles could potentially be broken into, experts say. Only, with a car, this could have far more dangerous consequences.

"We typically don't drive our smartphones at 80 miles an hour," said Brian Contos, security strategist at technology protection firm McAfee. "But safety concerns and privacy concerns all culminate when you talk about automobiles."

Ford isn't alone in integrating mobile phone technology into its cars.

While its networked B-Max compact and its prototype Evos were big hits at the Mobile World Congress in Barcelona, also on display was a BlackBerry-embedded Porsche 911 and a Toyota with an integrated Samsung phone application.


Could this be the answer to the ransomware threat

Photo (c) santiago silver - Fotolia

(Mark Huffman @ Consumer Affairs) For hackers and cybercriminals, ransomware is literally money in the bank.

If a target clicks on a link in an email, designed to appear as though it is from a familiar source, the malware is unleashed on the victim's computer, encrypting every file.

The only way for the victim to regain access to these files – photos, documents, or multimedia files – is to pay the hacker a ransom in Bitcoin. The threat has grown exponentially, ensnaring individual consumers as well as businesses and organizations.

Researchers at the University of Florida (UF) now say they have developed a solution, a software tool that will stop ransomware in its tracks. They call it CryptoDrop. The researchers say it works in a very different way than antivirus software.

Limiting the damage

 Instead of identifying the ransomware before it can download to a target computer, CryptoDrop springs into action a nanosecond after the process begins. As a result, only a tiny fraction of files get encrypted.

“Our system is more of an early-warning system,” said Nolen Scaife, a UF doctoral student and founding member of UF’s Florida Institute for Cybersecurity Research.

Scaife says CryptoDrop steps in to prevent the ransomware from completing its task. A victim might lose a few photographs, but that is the limit of the damage. There is no reason to pay a ransom.

The UF researchers say antivirus software has a hard time stopping ransomware because it needs to have seen the malware before in order to be effective. But hackers are constantly tweaking their ransomware bugs, making them unrecognizable.

CryptoDrop is like a security guard, always looking for signs of a ransomware attack. When it sees the malware encrypt a file, it springs into action to stop the process from going further.

Instead of looking for a particular software profile, it is instead looking at what the software does. If hackers come up with a new malware every week, it won't matter.
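What "looking at what the software does" can mean in practice, as an added example that is not CryptoDrop's code: it watches file rewrites per process and raises an alert once one process has overwritten a few documents with content that has lost its type header and looks like random bytes. The two indicators, the thresholds and the event stream are all assumptions made for this illustration, not the researchers' published method.

```python
"""Behaviour-based ransomware early warning, in the spirit of the CryptoDrop
description above. Added example, not CryptoDrop's code. The two indicators
(lost type header, near-random content) and the thresholds are assumptions."""
import math
import os
import random
from collections import Counter, defaultdict

# Leading bytes a file of each type normally starts with (assumed short list).
MAGIC = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
    ".docx": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0, documents well below
ALERT_AFTER = 3          # distinct suspicious rewrites by one process before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, new_content: bytes) -> bool:
    """A rewrite is suspicious when the expected type header is gone AND the
    new bytes look random. Unknown extensions have no header to lose, so only
    the entropy test applies to them."""
    ext = os.path.splitext(path)[1].lower()
    magic = MAGIC.get(ext)
    header_ok = magic is not None and new_content.startswith(magic)
    return not header_ok and shannon_entropy(new_content) >= ENTROPY_THRESHOLD


class RewriteMonitor:
    """Tracks suspicious rewrites per process; observe() returns the process
    name exactly once, at the moment it crosses the alert threshold."""

    def __init__(self, alert_after: int = ALERT_AFTER):
        self.alert_after = alert_after
        self.suspicious = defaultdict(set)

    def observe(self, process: str, path: str, new_content: bytes):
        if not looks_encrypted(path, new_content):
            return None
        self.suspicious[process].add(path)
        if len(self.suspicious[process]) == self.alert_after:
            return process
        return None


def run_demo():
    """Replays a constructed event stream; returns (event number, process) alerts."""
    rng = random.Random(1234)  # fixed seed so the constructed sample is reproducible

    def cipher_like(n: int) -> bytes:
        # stand-in for ciphertext: uniformly random bytes (constructed, not real output)
        return bytes(rng.randrange(256) for _ in range(n))

    events = [  # (process, path, content written) - all constructed
        ("winword.exe", "C:/Users/a/report.docx", b"PK\x03\x04" + b"word/document.xml " * 40),
        ("photoviewer.exe", "C:/Users/a/cat.jpg", b"\xff\xd8\xff" + b"\x00" * 500),
        ("suspect.exe", "C:/Users/a/taxes.pdf", cipher_like(4096)),
        ("suspect.exe", "C:/Users/a/thesis.docx", cipher_like(4096)),
        ("suspect.exe", "C:/Users/a/holiday.jpg", cipher_like(4096)),
        ("suspect.exe", "C:/Users/a/notes.docx", cipher_like(4096)),
    ]
    monitor = RewriteMonitor()
    alerts = []
    for number, (process, path, content) in enumerate(events, start=1):
        hit = monitor.observe(process, path, content)
        if hit:
            alerts.append((number, hit))
    return alerts


if __name__ == "__main__":
    print(run_demo())
```

The alert fires on the third suspicious rewrite by `suspect.exe` (event 5), which is the trade-off the article describes: a handful of files are lost before the process can be stopped, instead of all of them. A real monitor would hook the file system rather than replay a list, and would need to whitelist tools that legitimately produce high-entropy output (archivers, encryption utilities) to keep false positives down.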

Growing threat

In the last few years ransomware attacks have targeted hospitals and even police departments. In 2015 police in Tewksbury, Massachusetts, admitted that they'd had to pay an untraceable $500 Bitcoin ransom to the hackers who'd encrypted the department's computer files.

Also last year, a new form of ransomware emerged, in which hackers planted child pornography images on victims' phones until a ransom was paid.

It's gotten so bad that some companies now build ransoms into their operating budgets, expecting that sooner or later they'll have to pay up. The UF researchers, however, say that might not be necessary.

“We ran our detector against several hundred ransomware samples that were live and in those cases it detected 100% of those malware samples and it did so after only a median of 10 files were encrypted,” Scaife said.

The research team says its prototype works with Windows-based systems and the researchers are now seeking a partner to put it on the market.

Court challenges the Constitution and your privacy rights


(Kim Komando @ Foxnews) It's pretty obvious that we as a society are now made up of two groups. There are those who, for better or worse, have moved their lives into the digital realm, and those who haven't.

I would like to introduce you to someone in the latter category. His name is Edward Korman and he is a federal judge in New York state. He had a case before him involving a U.S. citizen – a Ph.D. student at McGill University in Montreal – who had his computer confiscated while returning to the States. The judge ruled, sweepingly, that, yes, the federal government had a right to confiscate laptops at the border without probable cause.

In other words: You are traveling overseas, with your laptop, tablet or smartphone. As you re-enter the United States, a federal official, for any reason or none, can take it away from you and look through it, and there's nothing you can do about it.

Here's what I have on my laptop. Years of email. Private conversations from close friends about personal matters, some of them tragic, heart-wrenching, and life-changing, and similar messages from my husband. There are thousands of family photos, 99.9 percent of which I would prefer to be private. There is medical information about me and my family. I have business plans that are the culmination of years of work and affect my family's current and future livelihood.

Something else is there as well – something more intimate. What's on my laptop is a reflection of my mind – the unadorned evidence, good and bad, flattering and embarrassing, of my victories and pratfalls, my joys and losses, my most elated moments and deepest thoughts. It's me.

Either you live in a world in which this extension of your very consciousness – and your constant access to it – is an inextricable part of your life, or you don't. You either appreciate that a laptop is a costly and delicate instrument you'd just as soon not be cavalierly tossed around by a TSA employee, or you do not. And you recoil at the thought of strangers pawing through that information on a whim, with trivial legal oversight, or you do not.

The taking of a laptop today is a striking act of confiscation almost without an equivalent 25 years ago. Back then, it would have taken a team of FBI agents days if not weeks to so comprehensively vacuum up a single American's health, business, financial and personal information, not to mention that of so many of his or her friends, family members, and business associates.

Today, Nosy McPatterson, your local TSA staffer, or Roscoe the border agent who got up on the wrong side of the bed that morning, can accomplish the same feat, and in an instant. They can paw through your photos and email during their lunch hour. And anyone present with a 13-year-old's understanding of computing can easily and unnoticeably make a quick copy of it onto a device that slips easily into a pants pocket.

Judge Korman says it doesn't happen very often, though there's evidence he's wrong. I don't think it should happen at all.

It was odd – there's surprisingly little talk about the ruling online. (It came down on New Year's Eve afternoon.) The more you read, the weirder the rules are. The so-called "border exemption" extends 100 miles inland from the border. That includes the population of the Eastern Seaboard, Miami, Houston, the west coast, and Chicago.

I wanted to find a smart legal mind who'd considered the issue. I finally found someone who had. He came up with a simple encapsulation to prevent this sort of intrusion into our private lives for no reason. It went like this:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized

That's the Fourth Amendment, of course. The writer was a guy named James Madison, with help from a few friends. Judge Korman, I am quite sure, isn't the sort to carry his life around in his laptop. It's OK that he doesn't. The ironic thing about his ruling is that while initially I thought it encapsulated a division between people who live in the past (the judge) and the future (me and I assume you), it's obvious this issue was well-debated – and from our point of view, resolved – by some smart people a very long time ago.

In the end, Judge Korman is the one with a different vision for the future. As a professional, mother, friend and citizen, I really don't like the looks of it. 

Copyright 2014, WestStar Multimedia Entertainment. All rights reserved.

Craigslist - How to Avoid Scams

(Alexandra Panzer @ yahoo.com) You really can find everything on Craigslist.org, like amazing deals — and also scams, crooks, and dangerous situations. 

Last month, one Michigan woman went to buy a car she discovered on Craigslist and found herself being robbed at gunpoint, for example, and a Connecticut man was arrested for allegedly selling phony Justin Bieber concert tickets to unsuspecting Craigslist users. 

Craigslist crime isn’t going anywhere, unfortunately, but there are some basic steps you can take to ensure both your safety and privacy.

Craigslist is a fantastic place to find everything from old furniture to exercise equipment to home appliances, so shop smart and don’t be scared off!

1. When browsing for products, avoid these red flags

sellers who post product photos pulled from the Internet instead of shots they have taken themselves
egregious errors in spelling and grammar that could have been generated by a bot
outrageous deals that are simply too good to be true
messages from auto-generated email accounts (i.e., addresses that look like this: “kydixororaqep”)

2. Do the research

Ask detailed questions about the product you want to buy over multiple emails or calls. This gives you information about the product and helps you gauge whether the product is real and the seller has firsthand knowledge of it.

Find out what your product is worth. Search similar listings on Craigslist, or search “completed listings” on eBay to see how much similar products have sold for.

Research the seller. Type the seller’s name, email address, address, or phone number into White Pages, Google, Facebook, or even Craigslist to verify that he or she is a real seller and that there aren’t any existing complaints lodged against her or him.

3. Simple steps for a safe exchange of goods

Local police stations across the country have started offering their lobbies and parking lots as Craigslist “safe zones” for wary users looking to secure the in-person aspect of their online purchase. If there’s one in your area, take advantage.

Meet in person and try to meet in public.

Exchange only cash.

Test the product. If you are buying electronics, make sure you meet somewhere with electrical outlets.

Bring a friend.

Do not allow a buyer or seller to change the location of your exchange at the last minute.

4. Payment “don’ts” to avoid having your money or identity stolen

Do not wire funds.
Do not accept cashier checks, certified checks, or money orders.
Do not give out your bank info.
Refuse background or credit checks.

CryptoLocker Ransom Ware Virus

Virus:   CryptoLocker

REAL VIRUS

Example:   [Collected via e-mail, October 2013]

There's a rumor going around that there's a virus called CryptoLocker. It apparently takes all of your files and you have a specific amount of time to pay the person the money they want for you to give it back. You cannot get rid of the virus without wiping your entire computer of all files and nobody's cracked it down yet... The big name virus companies don't even know about the virus quite yet.

Origins:   The so-called "CryptoLocker virus" is an example of ransomware, a class of malware that, once it has infected a particular computer system, restricts access to that system until the user pays a ransom. CryptoLocker is a particular form of ransomware known as cryptoviral extortion, a scheme in which key files on the system's hard drive are encrypted and thus rendered inaccessible to the user unless and until that user pays a ransom to obtain a key for decrypting the files.

The CryptoLocker worm is generally spread via drive-by downloads or as an attachment to phony e-mails disguised as legitimate messages from various businesses, such as fake FedEx and UPS tracking notifications. When a user opens such a message, CryptoLocker installs itself on the user's system, scans the hard drive, and encrypts certain file types, such as images, documents and spreadsheets. CryptoLocker then launches a window displaying a demand for ransom (to be paid in less-traceable forms such as Bitcoins and Green Dot Moneypaks) and a countdown timer showing the date and time before which the user must submit payment in order to obtain the decryption key before it is destroyed:

According to various accounts, users whose computers have been infected by CryptoLocker have been able to restore their files by paying the demanded ransom (usually $300 to be paid within 72 hours), and computer security companies haven't yet come up with a solid defense against the CryptoLocker malware:

If the ransom is paid before the deadline, a key is given to decrypt the files. If not, the key is destroyed and the files are effectively lost forever. Even advanced software security companies don't really have ways to restore the locked hard drive. Catching the hackers behind CryptoLocker may be the only way to retrieve the files.

The good news is that paying the ransom does actually decrypt the files, and the hackers behind CryptoLocker so far have been honest and not reinfected computers after the ransom is paid.

Security companies are working on a protection, but there isn’t one yet. Users should remain vigilant about their security online, double-checking the legitimacy of links received in emails and social media messages.

As the Guardian noted of CryptoLocker and its victims:

"If you haven't got a backup and you get hit by CryptoLocker, you may as well have dropped your PC over the side of a bridge," says Paul Ducklin, security adviser for anti-virus software company Sophos. Even if you had backed up your files, he says, if your back-up device was connected to your computer when CryptoLocker struck, you may not be able to recover them. Similarly, all the files in shared network drives that were connected at the time of the attack could also become encrypted and inaccessible.

CryptoLocker currently only affects PCs and can easily be removed with anti-virus software, but its effects cannot. "I don't think anyone in the world could break the encryption," says Gavin O'Gorman, spokesman for internet security firm Symantec. "It has held up for more than 30 years."

Ryan Rubin, MD of global risk consultancy Protiviti, agrees: "CryptoLocker has been designed to make money using well-known, publicly available cryptography algorithms that were developed by governments and other [legitimate] bodies. Unless you have the key, you simply cannot unlock the data that is encrypted."

So should anyone hit by CryptoLocker pay up? "You'd be in the same situation if your laptop got stolen — it just feels worse because you know that there is someone out there who has got this key. If your data is worth $300 to you, it must be very tempting to pay up, just in case it works," Ducklin says.

According to Symantec, around 3% of people hand over money in the hope of getting their data back. "But remember, you're dealing with criminals," Rubin says. "There is no guarantee they'll send you the key, and if they know you're susceptible to blackmail what is to stop them from doing it again?"

Bear in mind that every penny you pay them will fund their endeavors to target other victims. "If even a few victims pay then the cybercriminals will think they have got a viable business model and keep infecting people and asking for ransoms. If nobody pays, they will stop these campaigns," says Dmitri Bestuzhev, spokesperson for Kaspersky anti-virus software.

CryptoWall Ransomware FBI Warning

Photo © santiago silver - Fotolia

(Jennifer Abel @ ConsumerAffairs) The FBI's Internet Crime Complaint Center (IC3) issued an alert yesterday identifying a virulent form of ransomware known as CryptoWall as “the most current and significant ransomware threat targeting U.S. individuals and businesses.” Since April 2014, IC3 said it received 992 CryptoWall-related complaints, with victims' collective losses totaling over $18 million.

CryptoWall and its variants have been attacking targets in the U.S. since at least April 2014. The IC3 said that:

The financial impact to victims goes beyond the ransom fee itself, which is typically between $200 and $10,000. Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers.

Demanding a ransom payout

As with most ransomware infections, CryptoWall is usually spread after the victim clicks on an infected link, opens an infected email, downloads an infected file or visits an infected website. Once it gets on your device, it encrypts your files so that you can't read them, and demands a ransom payout (usually via Bitcoin, because it's untraceable) to decrypt your data again.

In April, Karen from Raleigh, North Carolina fell victim to CryptoWall, which she suspects came from a Trojan virus infection on the TaxACT website. She wrote ConsumerAffairs in April to report:

When I downloaded the tax program, a notice popped up along with it that said all of our files were now encrypted and will not open. I closed the message and ran my virus scan. … This virus gets around your virus scan. I had to run the scan in Safe Mode in order to find it and delete it. But all our files, photos, etc. are corrupted and will not open. This type of virus demands you pay a "ransom" to get encryption code. We will have to bring our computer to someone to take it back to factory settings, but we lost all documents and photos.

Bad as Karen's experience was, Christine from Washington State, who wrote us in February, suffered even worse losses. Like Karen, she learned that virus scans won't necessarily detect CryptoWall; she didn't mention (or doesn't know) where she caught the virus, but:

[The virus scan] failed to stop the Cryptowall virus from infecting our computers. This resulted in over 20+ years of client data to be destroyed, a significant loss of income, additional financial expense in having to replace the computers, and on-going problems in attempting to rebuild lost data. Our e-mail program was destroyed as well.

Protecting yourself from malware

How can you protect yourself from CryptoWall and other forms of ransomware? By following the same protection rules for all malware, including:

  • Make sure your operating system, anti-virus, firewall, and other security software are all up-to-date.

  • Install and enable pop-up blockers. Criminals often use pop-up ads to spread malware, and the easiest way to avoid accidentally clicking a malicious pop-up is if it never pops up in the first place.

  • Never click on a link in an unsolicited email, text, or other messages.

  • Never download a zip file or any other attachments in emails from senders you don't know and trust.

  • Make sure the settings on your phone, tablet, computer or any other Internet-connected device are set so that nothing can be downloaded without your permission.

  • When getting messages allegedly from some company or service provider, remember the anti-scam rule “Don't call me; I'll call you” – and don't interact with anyone who breaks it.

In addition to these anti-malware rules, you should also remember to always make regular backup copies of your data and files, just in case some nasty malware (or an ordinary bad-luck hard-drive crash) damages or destroys your files.

The FBI's Internet Crime Complaint Center also recommends:

If you receive a ransomware popup or message on your device alerting you to an infection, immediately disconnect from the Internet to avoid any additional infections or data losses. Alert your local law enforcement personnel and file a complaint at www.IC3.gov.

Cryptolocker Ransomware hits systems and pocketbooks hard

Cryptolocker, a ransomware Trojan virus, encrypts a victim's files and then demands payment for the key, and is indicative of the lengths nefarious types will go to for a few dollars of ill-gotten gains.

Ransomware is on the rise and thanks to more than a few nefarious types and their victims, is proving to be an all too common way for electronic extortion to move into an enterprise. In many cases, it proves to be cheaper to pay for the privilege to unlock your data than it would be to remediate the impacted system, which only makes matters worse.

(TechRepublic) Take for example Cryptolocker, a ransomware Trojan that encrypts files and can spread in many ways, including in phishing emails that contain malicious attachments or links, or via drive-by download sites. Often, Cryptolocker arrives as a file with a double extension, such as *.pdf.exe and can be hard to recognize, simply because Windows hides file extensions by default - that file may look like a PDF file rather than an executable.

Double clicking on the Cryptolocker infected file launches an executable, which infects computers just like any other malware by placing its files in Windows directories and creating registry entries that allow it to restart after a reboot. Cryptolocker also attempts to contact its command and control (C&C) server using a random domain name generation algorithm to try and find a current C&C server. Some sample Cryptolocker domains might look like this:

jkamevbxhupg.co.uk

uvpevldfpfhoipn.info
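The two tell-tale signs just described, a double-extension attachment and beacons to algorithmically generated domains, can both be checked mechanically. The following is an added example, not code from TechRepublic or any vendor: a double-extension test for attachment names and a simple lexical heuristic for DGA-style labels (length, letter entropy, vowel ratio), run over constructed attachment names and resolver log lines. The extension lists, the thresholds and the `query=` log format are assumptions.

```python
"""Two Cryptolocker delivery/beacon indicators described above, as detection
logic over constructed data. Added example, not from TechRepublic or any
vendor; extension lists, thresholds and the sample log lines are assumptions."""
import math
import re
from collections import Counter

# A document-looking name followed by an executable extension (assumed lists).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def is_double_extension(filename: str) -> bool:
    """True for names like Invoice.pdf.exe, which Explorer shows as Invoice.pdf
    when 'hide extensions for known file types' is on."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS


def label_entropy(label: str) -> float:
    """Shannon entropy of the characters in one DNS label, in bits."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_like_dga(domain: str, min_len: int = 10, min_entropy: float = 3.0,
                   max_vowel_ratio: float = 0.3) -> bool:
    """Heuristic for algorithmically generated names: a long, purely alphabetic
    label with near-random letters and few vowels anywhere below the TLD."""
    labels = domain.lower().strip(".").split(".")
    for label in labels[:-1]:  # skip the TLD itself
        if len(label) < min_len or not label.isalpha():
            continue
        vowels = sum(label.count(v) for v in "aeiou")
        if label_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio:
            return True
    return False


DNS_LINE = re.compile(r"query=(?P<domain>\S+)")  # assumed resolver log format


def scan_dns_log(lines):
    """Domains from 'query=' fields that match the DGA heuristic, in order, deduplicated."""
    flagged = []
    for line in lines:
        m = DNS_LINE.search(line)
        if m and looks_like_dga(m.group("domain")) and m.group("domain") not in flagged:
            flagged.append(m.group("domain"))
    return flagged


# Constructed samples: attachment names and resolver log lines.
SAMPLE_ATTACHMENTS = ["FedEx_Tracking_8841.pdf.exe", "UPS_Invoice.zip", "photo.jpg", "archive.tar.gz"]
SAMPLE_DNS_LOG = [
    "2013-10-14T09:12:01 client=10.0.0.7 query=jkamevbxhupg.co.uk type=A",
    "2013-10-14T09:12:01 client=10.0.0.7 query=www.consumeraffairs.com type=A",
    "2013-10-14T09:12:02 client=10.0.0.7 query=uvpevldfpfhoipn.info type=A",
    "2013-10-14T09:12:03 client=10.0.0.9 query=update.microsoft.com type=A",
]

if __name__ == "__main__":
    print([name for name in SAMPLE_ATTACHMENTS if is_double_extension(name)])
    print(scan_dns_log(SAMPLE_DNS_LOG))
```

Both of the sample domains from the article pass the heuristic while the two ordinary names do not, but a lexical test like this is a triage aid, not proof: some legitimate brand names are short on vowels, and a DGA that draws from a word list would slip past it. In a real deployment the flagged client would be the pivot for further checks (NXDOMAIN bursts, newly registered domains, reputation feeds).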

Once Cryptolocker contacts its C&C, it generates a public/private cryptographic key pair for the specific computer, using very strong and standard RSA and AES 2048-bit encryption. The private key is only stored on the attacker's C&C servers, but the public key is saved in a registry entry on the computer. Cryptolocker then uses that key pair to encrypt many different types of files on the computer, including

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

After the encryption process completes, Cryptolocker displays a screen with a warning that requires a payment of either $300 or £200 within 72 hours to regain access to the files.

What should I do if I get infected?

If you are infected with Cryptolocker, the first thing you should do is disconnect the infected PC from the internet. If Cryptolocker can't access its C&C, it can't encrypt files. Disconnecting the machine may prevent further files from being encrypted.

There are many tools that will totally clean a Cryptolocker infection, but most victims are more concerned with recovering encrypted files. Unfortunately, you will not be able to crack Cryptolocker's encryption. It uses a very strong and reliable public/private key implementation that is similar to what commercial encryption products use. It would take decades to centuries to crack today.

If Cryptolocker encrypts some of your files, you should check if you have a backup, which would be the best chance for recovering the lost data. Adding insult to injury is that there are reports claiming Cryptolocker's decryption doesn't work, and paying the ransom may only result in the loss of your money.

How can I avoid Cryptolocker?

Most commercial antivirus (AV) products can detect many variants of Cryptolocker, which means protection starts with using both host-based and network-based AV products that are kept up to date. However, Cryptolocker's authors are very aggressive at re-packing their malware to make the same executable file look different on a binary level, which helps it evade some AV solutions. In short, though AV helps, some variants may get past some AV solutions. Other defenses are becoming a must as well, such as reputation-based defense systems that keep track of millions of malicious URLs and web sites. That means access to sites that distribute or support malware can be blocked, effectively preventing infected hosts from reaching C&C servers.

Awareness proves to be one of the best defenses, since Cryptolocker typically spreads via some obvious phishing emails. The emails may pretend to be FedEx or UPS related messages, which contain zip files that hide a double-extension executable. Training users to recognize some of the common phishing and malware signs, such as unsolicited emails from shipping providers, double-extension files, links that point to the wrong sites, and so on should prove to be an effective first line of defense.

Cyber Mercenaries

(Stu Sjouwerman @ CyberheistNews) There is an interesting development I thought you should be aware of, and perhaps communicate to the powers that be in your organization.

By now it is well known that organizations get attacked all the time, and 91 percent of the organizations that were recently polled by Kaspersky suffered a successful cyber-attack at least once in the preceding 12-month period, while 9 percent were the victims of Advanced Persistent Threats.

What's new is the increasing rate of businesses turning to cyber mercenaries to penetrate their competitors’ networks. Outsourced cybercriminal gangs penetrated networks and exfiltrated terabytes of sensitive information. Other attacks were outright sabotage using malware to wipe data, block infrastructure operations, or DDoS attacks that shut down a competitor's public-facing websites. A data-wipe example was Saudi Aramco where 30,000 workstations were completely wiped out by malware this year.

Unfortunately, cybercrime is incredibly innovative; criminals are constantly improving their malware using unconventional approaches. The most recent wave is a so-called encryptor which spreads both in corporate environments and at home. Once the Crypto-locker malware takes over the workstation, it asks for $300 ransom to release the files. If this "ransomware" has been able to encrypt the files on a workstation and/or network shares, you better hope you have a working backup and wipe/rebuild that machine.

In 2013 we saw the first instance of targeting full supply chains. An example is discussed in a new research paper (link below) on the discovery of "Icefog"; a small but energetic APT group that focuses on targets in South Korea and Japan, hitting the supply chain for Western companies. It's obviously some Chinese operation; it started in 2011 and has increased in size and scope over the last few years.

That’s a good example of what is now called cyber mercenaries: small hit-and-run gangs that attack with surgical precision. They appear to know exactly what they need from the victims.

"They come, steal what they want and leave, they are for hire, provide cyber-espionage/cyber-sabotage activities on demand, following the orders of anyone who pays them,” said the report. The Icefog targeted attacks rely on spear-phishing e-mails that attempt to trick the victim into opening a malicious attachment or a website. Security Awareness Training is not a nice-to-have these days, it is a must... Link:
http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf

http://active-technologies.com/content/cyber-mercenaries

Cyber Threat 2013 Live On Your Devices

(Mark Huffman ConsumerAffairs) The Internet has become more sophisticated over the years and so have the threats to users. Today, hackers are doing more than sending out infected spam emails -- they're exploiting the system's vulnerabilities to threaten consumers.

Experts at Georgia Tech -- the Georgia Tech Information Security Center (GTISC) and the Georgia Tech Research Institute (GTRI) -- constantly work to stay one step ahead of the hackers. They say the coming year will pose some steep challenges.

Here are some threats they say consumers should be aware of:

Cloud-based botnets

The ability to create vast, virtual computing resources will further persuade cyber criminals to look for ways to co-opt cloud-based infrastructure for their own ends. For example, attackers can use stolen credit card information to purchase cloud computing resources and create dangerous clusters of temporary virtual attack systems.

Search history poisoning

Cyber criminals will continue to manipulate search engine algorithms and other automated mechanisms that control what information you see when you do a search. Moving beyond typical search-engine poisoning, researchers believe that manipulating users’ search histories may be a next step in ways that attackers use legitimate resources for illegitimate gains.

Mobile browser and mobile wallet vulnerabilities

This, unfortunately, may be a fertile growth area for scammers. While only a very small number of U.S. mobile devices show signs of infection, the explosive proliferation of smartphones will continue to tempt attackers to exploit user and technology-based vulnerabilities, particularly with the browser function and digital wallet apps.

Malware counteroffensive

Unfortunately, your anti-virus software may prove less effective against emerging threats. The developers of malicious software will employ various methods to hinder malware detection, such as hardening their software with techniques similar to those employed in Digital Rights Management (DRM), and exploiting the wealth of new interfaces and novel features on mobile devices.

"Our adversaries, whether motivated by monetary gain, political/social ideology or otherwise, know no boundaries, making cyber security a global issue,” said Bo Rotoloni, director of GTRI’s Cyber Technology and Information Security Laboratory. “Our best defense on the growing cyber warfront is found in cooperative education and awareness, best-of-breed tools and robust policy developed collaboratively by industry, academia and government.”

The bottom line, say the Georgia Tech experts, is users must keep their guard up in the coming year.


Cylab Researchers Expose How Our Ability To Spot Phishing Is Spotty

Interesting news item from Carnegie Mellon's Cylab. Each year, tens of millions of phishing emails make it to employees' inboxes, not caught by spam filters. Of the ones that make it through, millions slide past your users' judgment and are clicked and opened. A recent study revealed just how likely users are to take the bait.

“Despite the fact that people were generally cautious, their ability to detect phishing emails was poor enough to jeopardize computer systems,” says Casey Canfield, a CyLab researcher from Carnegie Mellon’s Department of Engineering and Public Policy.

In the study, on average participants were only able to correctly identify just over half of the phishing emails presented to them. Fortunately, participants displayed a little more caution when it came to their behavior: roughly three-quarters of the phishing links were left un-clicked.

Based on the results, the authors of the study suggest interventions such as providing users with feedback on their abilities and emphasizing the consequences of phishing attacks. One effective training method that companies commonly use, Canfield explains, is sending out fake phishing emails and teaching a user about phishing emails if they open the email. 

“It seems like those trainings may not always be making people better at telling the difference, but it’s probably making them more cautious,” Canfield says. “Helping people tell the difference may not be as useful as just encouraging them to be more cautious.”

D-Link inadequate security on internet cameras and routers

(Truman Lewis @ ConsumerAffairs) The Federal Trade Commission has been warning electronics manufacturers that they must do more to protect consumer privacy. Its latest action is a complaint against D-Link, the Taiwan-based company that manufactures network routers, internet cameras and other devices.

The complaint alleges that the company's inadequate security measures left the devices vulnerable to hackers and put U.S. consumers’ privacy at risk.

“Hackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”         

The D-Link complaint is part of the FTC’s efforts to protect consumers’ privacy and security in the Internet of Things (IoT), which includes cases the agency has brought against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras.

"Easy to secure"

According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite those claims, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as:

  • “hard-coded” login credentials integrated into D-Link camera software -- such as the username “guest” and the password “guest” -- that could allow unauthorized access to the cameras’ live feed;
  • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
  • the mishandling of a private key used to sign D-Link software (the company's code-signing key), such that it was openly available on a public website for six months; and
  • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

According to the complaint, hackers could exploit these vulnerabilities using any of several simple methods. For example, using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.
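To make the “command injection” item concrete, here is an added example of the flaw class as it typically appears in a router's web-based diagnostics page. This is illustrative code written for this page, not D-Link's firmware and not the specific defect in the complaint: a hypothetical “ping this host” handler that splices the form value into a shell command line, beside a hardened version that validates the target and never invokes a shell. The `runner` parameter and `capturing_runner` helper are assumptions added so the behaviour can be shown without actually pinging anything.

```python
import ipaddress
import re
import subprocess

# Hypothetical router "network diagnostics" handler (added example, not vendor code).
# Both variants receive `host` straight from an HTTP form field.

# Syntactically valid hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, total length at most 253.  Anything else is refused outright.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_ping_vulnerable(host, runner=subprocess.run):
    """Splice untrusted input into a shell command line.

    A form value of "8.8.8.8; cat /etc/passwd" makes the shell run a second
    command with the web server's privileges, which on consumer routers is
    usually root.  Nothing here validates or quotes `host`.
    """
    command_line = f"ping -c 1 {host}"
    return runner(command_line, shell=True, capture_output=True, text=True)


def validate_host(host):
    """Return `host` if it is a literal IP address or a well-formed hostname.

    Raises ValueError for anything else, including shell metacharacters,
    whitespace, $(...), backticks and empty strings.
    """
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected diagnostic target: {host!r}")


def run_ping_hardened(host, runner=subprocess.run):
    """Validate first, then hand argv to the OS as a list.

    With shell=False there is no shell to interpret ';', '|' or $(...):
    the target is a single argv element even if validation were bypassed.
    """
    target = validate_host(host)
    argv = ["ping", "-c", "1", target]
    return runner(argv, shell=False, capture_output=True, text=True, timeout=10)


def capturing_runner(cmd, **kwargs):
    """Stand-in for subprocess.run used by the demo: records what would execute."""
    return {"cmd": cmd, "shell": kwargs.get("shell", False)}


if __name__ == "__main__":
    payload = "8.8.8.8; cat /etc/passwd"
    print("vulnerable would run:", run_ping_vulnerable(payload, capturing_runner)["cmd"])
    try:
        run_ping_hardened(payload, capturing_runner)
    except ValueError as err:
        print("hardened refused:", err)
    print("hardened would run:", run_ping_hardened("8.8.8.8", capturing_runner)["cmd"])
```

The two defences are independent on purpose: the allow-list stops the injected string at the front door, and passing argv as a list with `shell=False` means that even a validation bug cannot turn one argument into two commands. On a real device the same handler usually runs as root, which is why a single such flaw hands over the whole router.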

The FTC alleges that by using a compromised camera, an attacker could monitor a consumer’s whereabouts in order to target them for theft or other crimes, or watch and record their personal activities and conversations.

The complaint was filed in the U.S. District Court for the Northern District of California.

NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. The case will be decided by a federal district court judge.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Why people still fall for phishing emails

(Mark Huffman @ ConsumerAffairs) Emails that pop into your inbox, appearing to be from a bank, utility, or shipping company, are favorite vehicles for scammers.

These phishing emails are intended to hook you, persuading you to click on a link or provide logins, passwords, and other sensitive data. Many of these scams are seemingly easy to spot, but millions of people still fall for them.

H.R. Rao, a security expert at the University of Texas at San Antonio (UTSA), did a study to find out why. He concludes that too many consumers are overconfident in their ability to determine which email is for real and which one is a scam.

Rao thinks most people believe they're smarter than the criminals behind these schemes, and that is one reason so many fall easily into the trap. Other recent research on the subject has reached similar conclusions.

"A big advantage for phishers is self efficacy," Rao, a UTSA College of Business faculty member, said. "Many times, people think they know more than they actually do, and are smarter than someone trying to pull off a scam via an e-mail."

Remember the Nigerian prince?

Long-time internet users have seen all sorts of phishing emails. A decade or so ago, it was very common to hear from a deposed Nigerian prince who was desperate to get his fortune out of the country and just needed access to your bank account to accomplish that.

But if that is still your view of what a phishing email is, Rao says you could be vulnerable to today's updated, refreshed phishing schemes. Today, he says phishing emails come disguised as messages from companies, and even people, that the recipient knows and trusts.

"They're getting very good at mimicking the logos of popular companies," Rao said.

Speaks from experience

Rao speaks from experience. Last year he says he got an email that appeared to come from UPS, informing him there was a problem with a package he had sent. Since he had just sent out a package via UPS, Rao said his initial reaction was that the message was legitimate.

Remember that the scammer is playing a numbers game. If he sends out 20 million messages that there is a problem with a UPS shipment, the majority of recipients would disregard the message because they had not sent anything recently using UPS.

But suppose 40,000 of the recipients had just sent a package with the carrier. If half fell for the scheme, the scammer would have ensnared 20,000 victims.

Overconfidence is a killer

"In any of these situations, overconfidence is always a killer," Rao said.

In a recent study, participants were asked to judge a large number of emails, identifying the ones that were real and the ones that were fakes. Participants also gave the reasons for their conclusions.

Rao and his colleagues found overconfidence played a major role when participants misidentified a scam email as real.

The defense against these schemes, says Rao, is a healthy dose of skepticism about any email that lands in your inbox.

In the event of a message from UPS that there is a problem with your shipment, don't click on a link. Instead, contact UPS customer service directly.

DNS Changer Fix

If you think you have been affected by this malware, you do need to fix your computer.  The malware kits that change your computer’s DNS settings are very persistent.  Initially, the only way researchers could ensure that a machine was fixed was to reformat the hard drive and reinstall the operating system from scratch.  The malware affected the boot blocks on the hard disk of the computer, so even if people just reverted their operating system to a prior backup, the malware could reclaim the PC.  Later on, several anti-malware software companies came up with fixes that removed the malware correctly. Some of them are listed below.

In addition to modifying your computer’s DNS settings, the malware also looked for home routers to which the computer was attached and modified their DNS settings as well.  Not only were the infected computers using rogue DNS services, but other devices in the household or office as well, including wifi-enabled mobile phones, tablets, smart HDTVs, digital video recorders, and game consoles.  The criminals would change the web content that users downloaded to suit their needs and make money.

Below are some steps to follow:

  1. The first thing you want to do is make a backup of all of your important files.  You might go to a computer store or shop online for a portable hard drive and copy all of your files onto that drive.
  2. Either you or a computer professional that you rely upon and trust should follow the “self help” malware clean up guides listed below.  The goal is to remove the malware and recover your PC from the control of the criminals that distributed it.  If you were already thinking of upgrading to a new computer, now may be a good time to make the switch.
  3. Once you have a clean PC, follow instructions for ensuring that your DNS settings are correct.  If you’re not using a new PC, you’ll want to check that your computer’s DNS settings are not still using the DNS Changer DNS servers.  We hope to have some of our own instructions soon.  Until then, the instructions and screen shots found in step 2 at http://opendns.com/dns-changer are quite good if you want to manually set your DNS settings.  You also have the option to return to using your ISP-provided automatic settings by choosing the “automatically” option (Windows) or deleting any DNS servers listed (MacOS).
  4. After you have fixed your computer, you will want to look at any home router you’re using and make sure they automatically use DNS settings provided by the ISP.  We’ll have a document for this soon.
  5. Changing DNS is only one of the functions of the malware kits.  The malware could have been used for capturing keystrokes or acting as a proxy for traffic to sensitive sites like bank accounts or social media.  It would be a good idea to check your bank statements and credit reports as well as change passwords on any online accounts especially saved passwords from your applications or web browsers.
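Step 3 boils down to one check: are any of the resolvers your machine is configured to use inside the address ranges the rogue DNSChanger servers lived in? The following added script (not part of the original guide or of any of the tools listed below) performs that check against resolv.conf-style or `ipconfig /all`-style text. The rogue ranges are the ones the FBI published for the case; the sample resolver file is constructed for the demo and is not from a real machine.

```python
import ipaddress
import os
import re

# Rogue resolver ranges the FBI published for the DNSChanger case.  These are the
# only addresses the check flags; anything else is reported but treated as clean.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

# Lines that name a resolver in /etc/resolv.conf ("nameserver 1.2.3.4") or in
# the output of `ipconfig /all` on Windows ("DNS Servers . . . : 1.2.3.4").
_RESOLVER_LINE = re.compile(r"^\s*(?:nameserver|DNS Servers?[ .]*:)\s*(\S+)", re.I)

# Constructed sample, not captured from a real machine.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 85.255.112.36
nameserver 8.8.8.8
"""


def is_rogue_resolver(address):
    """True if `address` falls inside one of the DNSChanger ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in ROGUE_DNS_RANGES)


def extract_resolvers(text):
    """Pull resolver addresses out of resolv.conf or ipconfig-style text."""
    found = []
    for line in text.splitlines():
        match = _RESOLVER_LINE.match(line)
        if match:
            found.append(match.group(1).strip())
    return found


def check_resolvers(text):
    """Return every resolver found and the subset that is a DNSChanger address."""
    resolvers = extract_resolvers(text)
    return {"resolvers": resolvers,
            "rogue": [r for r in resolvers if is_rogue_resolver(r)]}


def check_local_resolv_conf(path="/etc/resolv.conf"):
    """Run the check against this machine's resolver file, if it has one."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_resolvers(fh.read())


if __name__ == "__main__":
    result = check_local_resolv_conf() or check_resolvers(SAMPLE_RESOLV_CONF)
    for resolver in result["resolvers"]:
        print(("ROGUE  " if resolver in result["rogue"] else "ok     ") + resolver)
```

The same test applies to step 4: paste the DNS fields from the router's WAN or LAN settings page into `check_resolvers`. Keep in mind that the FBI's substitute resolvers were switched off in July 2012, so a machine or router still pointed at these ranges does not merely get bad answers, it gets no name resolution at all.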

How can you fix, remove, and recover from a DNS Changer infection?

Please take immediate steps to safeguard your computer and data if any of the tests indicate that you might be infected with DNS Changer. If the Check-Up Site indicates that you are affected, then either follow the instructions on that site or run one of the following free tools to remove DNSChanger and related threats:

Tool (URL):

  • Hitman Pro (32bit and 64bit versions): http://www.surfright.nl/en/products/
  • Kaspersky Labs TDSSKiller: http://support.kaspersky.com/faq/?qid=208283363
  • McAfee Stinger: http://www.mcafee.com/us/downloads/free-tools/stinger.aspx
  • Microsoft Windows Defender Offline: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
  • Microsoft Safety Scanner: http://www.microsoft.com/security/scanner/en-us/default.aspx
  • Norton Power Eraser: http://security.symantec.com/nbrt/npe.aspx
  • Trend Micro Housecall: http://housecall.trendmicro.com
  • MacScan: http://macscan.securemac.com/
  • Avira DNS Repair-Tool: http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199


How can I use these tools to clean my computer?

Each of these tools has instructions for their use. BUT, the best recommendation is to use one of the proven “self help” malware clean up guides, using several tools to ensure you clean all the infections from your computer. Most malware will disable your software and anti-virus updates. The procedures below address that problem, using several tools to remove the blocks, remove the malware, and then update your computer.

Guide (how to use; language):

  • Microsoft's Safety and Security Center: Microsoft's authoritative portal for all their security guidance, tools, and capabilities. English.
  • Apple's Security Page with pointers to keep your Mac safe: scroll down to the section on "Checking Security in your System." This has the pointers to ensure your Mac is as secure as possible. English.
  • DSL Report’s Security Cleanup FAQ: a community driven self help guide to fix malware problems on your systems. English.
  • Andrew K’s Malware Removal Guide: Andrew K is an individual who shares his experience on-line. This guide is an often referenced guide to remediate malware problems on a computer. English.
  • Public Safety Canada’s Malware Infection Recovery Guide: the Canadian Public Safety office (publicsafety.gc.ca) has a malware removal guide updated and focused to help the general population. English.
  • Australia’s Stay Smart Online Factsheet to help Remove Malware: Stay Smart Online Factsheet 11, Part 1 - You suspect your computer is infected with malicious software - what should I do? English.


DVR Malware: Hackers' Paradise

When looking for the source of a malicious infection on a computer network, a digital video recorder (DVR) might not make it on the radar of a malware fighter. That could be a mistake, according to one security expert.

“I can show you today 10,000 hacked DVRs in the United States alone,” NorseCorp CTO Tommy Stiansen said in an interview.

NorseCorp bills itself as a gatherer of intelligence from the dark side of the Internet. It has more than 1000 computers acting as honeypots around the globe raking in 19TB of data a day on malicious activity and providing real-time threat information to organizations that plug into its API.

Norse recently discovered that one of its clients, a credit union, was spewing malicious traffic to the intelligence firm’s honeypots. “The bank was completely infiltrated with malware,” Stiansen said.

Protect DVRs from hackers.

The scary part about the situation was that traffic wasn’t being generated by the bank’s infrastructure. “The traffic was coming from a DVR from a cable provider connected to the bank's network,” Stiansen added. “The DVR had been compromised and had compromised the whole network of the bank.”

The credit union posted a warning on its website to its customers alerting them that they may be the target of scams, not realizing that the financial institution itself was infecting its customers with the malware that was making them the targets, Stiansen said.

No firewall for the DVR was provided by the cable company, so it was up to the network administrator to segment the DVR from the network. That’s the kind of security precaution most administrators would overlook, Stiansen said. After all, what network administrator would think that their DVR had been compromised?

“It’s scary, but that’s the state of technology today,” he said.

Cybercriminals have long been using malware that injects bogus forms into banking websites as customers view them, stealing the customers' credentials, but recently they’ve adopted automation techniques that allow them to eavesdrop on live banking sessions and perform transactions under a customer’s nose.

However, one of the most popular ways to compromise banking credentials remains the use of banking Trojans like Zeus, whose writers have expanded its targets in recent times to include Facebook members and payroll services.

Zeus can be a particularly pernicious infection to counter because there are so many variants of it. “There is one new variant of Zeus created every day,” Stiansen said.


Dangerous Rise in RansomWare

(Mark Huffman @ ConsumerAffairs) Ransomware, malware that takes over your computer and holds your files hostage, is nothing new. But its latest incarnation is something that has the FBI and other law enforcement officials worried.

What has galvanized official attention and terrorized some computer users is Cryptolocker, a Trojan that encrypts all the files on your computer so that you cannot access them without the key. And the key will cost you. A spokesman for the FBI in Boston says having Cryptolocker on your computer is about the same as having your computer “destroyed.”

Launched with email

It all starts when you receive an email purporting to contain tracking information about a package that is in transit. This time of year millions of consumers are expecting packages.

The email contains a link with instructions to click on it to find out where your package is. However, if you click on the link you launch Cryptolocker, which encrypts your files. A screen pops up with payment instructions, along with a countdown clock. When the clock reaches zero and you have not submitted payment, the attackers say they will destroy the key that unlocks the files, leaving everything on the computer permanently encrypted. Yeah, these guys don't mess around.

According to a report by WBZ-TV, even the Swansea, Mass., Police Department fell victim. The entire department's computer system fell under control of Cryptolocker and it cost the police $750 to get it unlocked.

The security software firm Sophos says Cryptolocker is a worldwide problem and could get much worse in the year ahead. Once a computer is infected, Sophos experts say the Cryptolocker gang demands a payment of about $300 in untraceable bitcoins in exchange for the encryption key to unlock the files. But as in any extortion scheme, there is no guarantee that they will unlock your computer after they have received the ransom.

Dangerously simple

The danger, says James Lyne, Global Head of Security Research at Sophos, is Cryptolocker's simplicity. It requires no special set of skills and your average non-hacker scammer can easily figure out how to use it. Not only will it become widespread but we could see even more variations of it in the years ahead.

”Cryptolocker is very much a deviation from the norm, and I actually think it is a sign of things to come,” Lyne said in an interview with the BBC.

Security experts at McAfee say Cryptolocker is a significant jump in the threat level from so-called “scareware.” This type of malware flashes a warning that your computer has been infected with a virus and offers to remove it for the small cost of a download.

McAfee says most scareware programs are easily removed and consumers soon learned they didn't have to pay. Cryptolocker, however, significantly raises the bar.

“The encryption method may be known but if the key used is unknown then decryption is, if not actually impossible (the NSA could probably do it), then not feasible for almost everyone who is affected,” McAfee warns on its website. “Cryptolocker is the most recent and most widespread of this class of ransomware, and someone somewhere is raking in the cash as a result. Note that payment for decryption cannot be done using credit cards: you have to make payments using MoneyPak vouchers or BitCoins.”
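Because the files are not destroyed but replaced with ciphertext, the one thing an infection changes on disk is measurable: encrypted data has close to 8 bits of entropy per byte, while documents, mail and source code sit far lower. The following added example (written for this page, not from the article, Sophos or McAfee) is a small Python detector built on that observation. The sample directory it creates, with two readable documents and two files whose contents are random bytes standing in for ciphertext, is constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed sample content for the demo; nothing here is real user data.
_PROSE = (b"Quarterly summary: revenue grew modestly while costs stayed flat. "
          b"Action items are listed below for the next planning meeting.\n") * 20

ENTROPY_THRESHOLD = 7.5   # bits per byte; random or encrypted data sits near 8.0


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def file_entropy(path, sample_bytes=65536):
    """Entropy of the first `sample_bytes` of a file, which is enough to classify it."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_bytes))


def scan_tree(root, threshold=ENTROPY_THRESHOLD):
    """Return {relative_path: entropy} for every file under `root` whose content
    looks encrypted, i.e. has entropy above `threshold`."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entropy = file_entropy(full)
            if entropy > threshold:
                flagged[os.path.relpath(full, root)] = entropy
    return flagged


def encryption_ratio(root, threshold=ENTROPY_THRESHOLD):
    """Fraction of files under `root` that look encrypted.  A sudden jump of this
    number toward 1.0 across a user's documents is what distinguishes ransomware
    from the handful of legitimately compressed or encrypted files every disk holds."""
    total = sum(len(files) for _d, _s, files in os.walk(root))
    if total == 0:
        return 0.0
    return len(scan_tree(root, threshold)) / total


def build_demo_tree(root):
    """Write two readable documents and two files that have been 'encrypted'
    (random bytes stand in for ciphertext) into `root`.  Constructed sample."""
    os.makedirs(root, exist_ok=True)
    samples = {
        "report.txt": _PROSE,
        "notes.txt": _PROSE[:700],
        "photo.jpg.locked": os.urandom(8192),
        "budget.xlsx.locked": os.urandom(8192),
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return sorted(samples)


def make_demo():
    """Create the sample tree in a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="ransom-demo-")
    build_demo_tree(root)
    return root


if __name__ == "__main__":
    demo = make_demo()
    for rel, entropy in sorted(scan_tree(demo).items()):
        print(f"{entropy:5.2f} bits/byte  {rel}")
    print(f"{encryption_ratio(demo):.0%} of files look encrypted")
```

A single high-entropy file means little: JPEGs, ZIP archives and modern Office documents (which are ZIP containers) all score near 8 bits per byte. The useful signal is the ratio across a whole document tree changing suddenly, which is why `encryption_ratio` is there; a real monitor would sample it periodically and alert on the jump, and pair it with the mass-rename behaviour (every file gaining a new extension) that the entropy check alone cannot see.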

In the video below, a British security expert purposely infected a computer and walks you through the steps of paying off the extortionists and getting your files back. As you will see, it is not a simple process.

To avoid falling prey to this scam, never click on a link in an unexpected email, however plausible the package story sounds; go to the carrier's website yourself instead. Easier said than done, perhaps, but that's the unfortunate truth.

Data Recovery Experience: Lightning Struck Twice

Unbelievable! Two catastrophic failures with total potential data loss within the same company, three years apart. Each time, it was a miracle that the data was recovered. But man was it close.

First time it happened was on a Friday in March 2008. The company was running a ten-year-old NT 4.0 server. One of the old 16-bit SCSI hard drives failed and I was called in to install a new server and transfer data. I thought it was simple because it was the boot drive that failed, and rarely do you find important data on a boot drive. However, in this case, the software vendor insisted on placing their program and data on the boot drive and, wouldn't you know it, the drive would not spin (work). The boot drive and data were lost.

The administrative assistant was responsible for backups. She used flash drives and carried them home with her each evening. However, this evening, she was on a cruise in the Caribbean and could not be contacted. So here we are, data drive won’t spin and the backups are in the middle of the ocean. What to do:

I contacted every vendor I know to see if I could find a SCSI drive like the one that failed. Could not find one. So I broke the news to my customer (they were devastated) and I began setting up the new server, minus critical data. The next day, Saturday, my wife and I went to a local flea market. Wouldn’t you know it, one of the flea market vendors that sold old computer parts had the right SCSI card and cables with three drives attached to it that matched my customer’s broken SCSI drive. I bought them all for ten dollars. Next I plugged them into a workbench computer, and they all worked! (In fact, they still had company data on them from a local accounting firm, but that’s another story.)

What I did was take one of the flea market drives apart, removed the platters, and replaced them with my customer’s drive platters. Drive platters degrade quickly when exposed to air, so if this was to work, I would have a limited time to read and back up the data. Talk about good fortune: the drive spun, and I was able to get all the data off of the drive and onto the new server. Can you imagine the odds against that happening, being successful? I’m not that good, but sometimes it’s better to be lucky than good. There was jubilation and celebration in the office Monday morning when I installed the server with data intact!

We implemented a three-tier backup system. Data on the server's mirrored data drives was backed up to the boot drive. Data was backed up from the server to the Admin Workstation. Data was also placed on removable media that went home with the Admin each night. Sounds like an “air tight” system, eh?

Fast forward to November 2011. My customer dropped maintenance a year ago due to the economy. They also lost half of their employees, including the one that was responsible for the backup system on the new server. Since her computer was turned off, there were no internal backups, and, of course, no external backups to removable media. In my absence, their critical data was moved from the mirrored data drives to the “boot drive” by the software vendor, thus negating the backup that occurred within the server. So here we are, three years later, a blown hard drive and no backup! Lightning struck twice!

So here I am, again, reporting to the customer the possibility of catastrophic failure. This isn't good for me, but I feel the pain and anxiety as much or perhaps more than the customer. Each time this happened, I swear it took ten years off my life from worry and stress. Fortunately, this was a SATA drive, and fairly new. I was able to find an exact match that day. But would swapping the platters work again? This is very risky. Well, it worked again, and the next day, their system was up and running with data intact. We reinstated the old backup system with new people, moved the critical data to the mirrored drives and made certain the software vendor had it in their record NOT TO MOVE IT AGAIN. Hopefully, we won’t be doing this again in three years.

Bottom line: make sure you have good backups every day. Make sure you are backing up the right data, and make sure you know how to restore your data if needed. Many companies that lose their critical data go out of business. Don’t let this happen to you!

Disable McAfee Auto Renewal

(Mark Huffman @ ConsumerAffairs) Here's a simple fact that too often gets overlooked: Once you sign up for subscription services, chances are you will find your subscription renewed automatically unless you take steps to prevent it.

Some consumers have trouble with that, particularly with McAfee anti-virus software, which is supposed to protect your computer from viruses and malware.

"I am disappointed in McAfee for auto-renewing my anti-virus subscription,” Steven, of Richardson, Texas, wrote in a ConsumerAffairs post. “I did not authorize McAfee to charge me nor did I authorize McAfee to retain my billing information. I will not be doing business with McAfee again and I will instruct my staff to no longer do business with McAfee.”

By now Steven and other consumers should realize that anti-virus software vendors – and not just McAfee – default to auto renewal when you set up an account. The companies realize that when the contract expires, there's a very good chance you will decide not to renew.

Beat the system?

Anne, of Gilbert, Ariz., thought she didn't have to worry about an auto-renewal since she got a new debit card from her bank and didn't update her McAfee account to show the new card number. She figured when McAfee tried to charge her for another year, they would hit a brick wall. She was wrong.

“I received an email stating that my debit card had been charged $103 for auto renewal,” Anne wrote. “I called and had the charges reversed and cancelled McAfee online. When I asked how they had my new debit card number the customer service rep told me that they had a deal with the bank to send updated card info. Is this sharing of credit card info actually legal and if so then it is definitely not an ethical business practice.”

It's legal, though some consumers might debate whether it is ethical. It's called Visa Account Updater, an automated system that Visa says "enables the electronic exchange of updated account information among participating merchants, their Visa Merchant Bank, and Visa card Issuers.” So without your being aware of it, your bank will provide your updated account information to a company you have been doing business with so they can continue to charge you. 

How to disable

If you want to end your subscription service to McAfee, or any other service for that matter, you are going to have to go onto the company's website and disable the auto-renew. Here's how to do it for McAfee:

  • Open a web browser and go to http://home.mcafee.com.
  • Click My Account at the top right of the McAfee Downloads website.
  • Log in using your email address and password, and click Log In. If you do not have a McAfee account, select New User? Register Now, follow the prompts to create your McAfee account, then click Log In.
  • Click Auto-Renewal Settings.
  • Select Turn Off. If your Auto-Renewal is set to Off, you don't need to do anything.

If you require additional assistance, contact Customer Service by chat or phone. Other services likely have similar disabling procedures. To find instructions for the company you're dealing with, Google “how to disable auto renewal for (name of company).”

One last thing: You need to disable auto-renew before the subscription renews. The day after is one day too late.


Discard Old Computer Hardware Without The Corporate Secrets

When it comes time to purchase new computers, how do you decide what to do with the old hardware? This is a growing concern for organizations, particularly when you consider the rate at which new technology makes its way to the market. The problem has even spawned its own buzzword, e-waste.

For many companies, the best solution is to recycle old personal computers, donating them to schools, churches, or other organizations. While this approach is good for the environment, your corporate image, and a worthy cause, that doesn't necessarily mean your corporate security will fare as well.

Donating old desktops to tax-exempt organizations is a great idea, but donating your corporate data isn't. Before donating or trashing your old computers, you need to take several steps to make sure that is all you are discarding.

Unless you have been using your computers to store nuclear secrets, trade secrets, or some other top-secret data, the following steps should be sufficient to ensure your own corporate secrets stay safe. First, let's look at what you don't need to worry about.

Memory
You don't need to crush or destroy the computer's memory. Turning off the computer automatically clears the random access memory (RAM).

Monitor
At one time, people used to degauss (i.e., neutralize the magnetic field) the computer's monitor to ensure the removal of any remnant images. With today's monitors, however, this is no longer necessary.

Printers
If your printer uses a ribbon, you can throw it away or burn it if you're really paranoid. Otherwise, there's no need to disassemble the printer and throw away good ink cartridges.

Hard drives
This is the only area that requires special attention. Deleting files or doing a quick format leaves the data sitting on the platters, so the drive has to be overwritten from end to end with a disk-wiping tool (or the drive's own built-in secure erase command) before it leaves the building. And if the data is particularly sensitive, take the drive apart and grind the platters.
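What “overwritten from end to end” means in practice, as an added example that is not part of the original article: the script below fills a device with random data for as many passes as you ask and then scans it for a known marker to confirm nothing readable survived. To keep it safe to run it works on a temporary disk image full of a constructed secret; pointing `overwrite_device` at a real block device such as /dev/sdb (root required) does exactly the same thing to that disk, so check the path twice.

```python
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB per write


def overwrite_device(path, passes=1, rng=os.urandom):
    """Overwrite every byte of `path` (a regular file or a block device opened
    read-write) with random data, `passes` times, and return its size in bytes.
    Destructive: double-check the path before calling this."""
    with open(path, "r+b", buffering=0) as dev:
        dev.seek(0, os.SEEK_END)           # works for block devices, where getsize() is 0
        size = dev.tell()
        for _ in range(passes):
            dev.seek(0)
            remaining = size
            while remaining:
                buf = rng(min(CHUNK, remaining))
                remaining -= len(buf)
                while buf:                  # raw writes may be partial
                    written = dev.write(buf)
                    buf = buf[written:]
            dev.flush()
            os.fsync(dev.fileno())          # push the pass past the OS cache
    return size


def contains_marker(path, marker):
    """True if `marker` still occurs anywhere in `path`.  Scans with overlap so a
    marker straddling two chunks is not missed."""
    keep = len(marker) - 1
    tail = b""
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(CHUNK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = (tail + chunk)[-keep:] if keep else b""


def make_demo_image(line=b"CONFIDENTIAL payroll 2008\n", copies=1000):
    """Create a temporary 'disk image' full of a recognisable secret (constructed)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(line * copies)
    return path


if __name__ == "__main__":
    image = make_demo_image()
    print("secret present before wipe:", contains_marker(image, b"CONFIDENTIAL"))
    print("bytes overwritten per pass:", overwrite_device(image, passes=2))
    print("secret present after wipe: ", contains_marker(image, b"CONFIDENTIAL"))
    os.remove(image)
```

This is the right tool for spinning disks. Solid-state drives remap and over-provision sectors, so an overwrite from the host never reaches every cell; for those use the drive's own ATA Secure Erase or NVMe sanitize command, or simply keep the drive encrypted for its whole life and destroy the key at disposal time.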

Disk Encryption: Why You Should Always Use It

Disk encryption is one of those security features (it is what stands between your data and anyone who gets physical hold of the machine) that determine whether I install a Linux distribution on any computer I use for serious computing. Whether it’s a server, notebook, ultrabook or any other type of *book, if it’s not a crash-and-burn unit, the hard disk drive (HDD) has to be encrypted.

And no, it’s not because I have anything to hide, it’s just that personal data should be just that – personal, and private. If you are not authorized (by the owner) to see it, you don’t.

This becomes especially important in this age of warrantless orders, sensational national security letters, and judicial overreach, where a bunch of trigger-happy guys from any government agency can show up at your place and cart off everything and anything they can get their paws on.

Take the case of Kim Dotcom, who lives in New Zealand. Back in January 2012, based on charges of copyright infringement related to the Megaupload file-sharing website, the New Zealand police raided his residence and bagged everything they could find. Cloned copies of his HDDs were sent to the FBI in the US of A.

Now, Kim Dotcom is not without blemishes in his character; the guy has a criminal history that dates back to his teenage years. But that’s not the point of discussion here. The gist of this article is what we can learn from the legal aspect of the case against him.

Since the raid on his residence and the seizure of his assets, the courts have deemed the raid illegal and the warrant detailing what could be seized too broad. Virtually every single court decision has come out in his favor.

In the latest decision, the judge overseeing the case ruled that all digital material taken from his residence that is not relevant to the case should be returned (to Kim), and that any copies of HDDs sent to the FBI be returned.

Too late!

Do you think the US government is going to comply with the decision of a New Zealand judge? Fat chance. Even if they did, don’t you think they’ve already made copies of the copies, and copies of the copies of the copies. And if those HDDs were not encrypted, what good will returning them at this point do.

Again, it’s too late. Lesson? Always encrypt your HDDs. It’s not about who is a good or bad guy, or who has something or nothing to hide. It’s about having the final say on who can have access to your personal data. In cases of this sort, it’s better to be in a position where the authorities have to go to court to get you to give up your encryption passphrase(s).

Regarding full disk encryption in the graphical installation programs of Linux and BSD distributions, Anaconda, the Fedora systems installer, the Debian Installer, and PC-BSD's installer are the best. Note that the graphical installer of Sabayon is a fork of an older version of Anaconda, but it, too, has support for full disk encryption.

Do Not Keep Important Information On Flash Drives

(Mark Huffman @ ConsumerAffairs)

A reporter faces the loss of important data and sees the error of his ways. It's a modern nightmare. I had stopped at a 7-11 in Fredericksburg, Va., Wednesday on my way to meet a colleague for lunch. As I was getting back in my car my cellphone rang.

As I retrieved it from my pocket I thought I heard something hit the asphalt parking lot. I looked, saw nothing, continued my conversation and then resumed my journey. Hours later I realized my 64 GB flash drive was not in my pocket where it was supposed to be.

A 64 GB flash drive holds a lot of data and I had put a lot on it, transferring things from one computer to the next. Then I got lazy and started using the drive for storage, meaning I didn't always back up files to other computers, a huge no-no. Worse still, some of the files on the drive were financially sensitive, another taboo.

Violating my own rules

I've written a number of articles about data breaches and have urged consumers to be careful with their data and I had violated nearly all the rules. Not willingly, of course. I had meant to clean up the drive but somehow just never got around to it. Then suddenly, I lost my opportunity.

Returning to the 7-11 hours after my first visit I held out little hope the flash drive would still be where it fell. There was even a young employee sweeping the driveway and he said he was sure he hadn't swept up a flash drive.

That evening I changed passwords and accepted the fact that many original files were lost. But the next morning there was an email from Chris, a computer science student at Germanna Community College, who had found the drive, taken it home and repaired it after a car had run over it. By the end of the day, it was back in my possession.

Better lucky than good

Mine was an extremely humbling experience but in the end, I got very lucky. However, you can't count on luck.

Besides the mistake of storing original and sensitive files on the drive, the other mistake I made was carrying it in a pocket. These things are small and it's a sure way to lose them.

Instead, if I continue to use a flash drive I will use some type of accessory to secure it. One of the most common accessories is a key chain attachment. The drive stays on your key ring, and as long as you don't lose your keys you probably won't lose the flash drive.

If a drive contains sensitive data, it should also be password protected. You can use encryption software or you can buy an encrypted flash drive.

But finding ways not to use a flash drive may be the most prudent course of action. A service called Dropbox, for example, allows you to store files in the cloud and sync up all your devices, so files are available on your desktop, laptop, tablet or smartphone. There are other similar services.

Carrying a flash drive in a secure way, password protecting it and not keeping original or sensitive data on it is the way to sleep at night. Lesson learned.


Do You Own Your Digital Music Video And Books

As Bruce Willis considers a legal bid to bequeath his iTunes library, we look at who actually owns your digital content – from music and books to film – and what your rights are

Photo: A Kindle and a pile of books. Unlike hard copies, you cannot pass on the digital books you store on your Kindle. Photograph: AP

It used to be so easy: your photographs filled up boxes and albums; your CDs, books and films filled up shelves; your thoughts and ideas filled up notebooks and diaries, and when you died there were physical things to be distributed among your family and friends.

Technology has changed the way we keep and share our memories, and also the way many of us own our books and music. News that Bruce Willis is reportedly considering legal action against Apple to make sure he can leave his virtual record collection to his daughters will have surprised anyone who thought their online possessions were theirs to dispose of as they choose. So what rights do you have over the accounts and goods that exist only virtually?

"Across the world the law is in a state of flux – it hasn't evolved to keep up with innovation in digital content," says Jas Purewal, interactive entertainment and digital media lawyer at Osborne Clarke. "It is set up to deal with physical goods, and it is not clear therefore what the position is with social network accounts, iTunes accounts, your subscription to Netflix, and so on."

There are not yet statutory laws around ownership of virtual goods, nor is there case law. The EU is looking at consumer protection in this area, but nothing has yet been passed, so Purewal says it is being left to the providers of content to decide what they will allow consumers to do with items they buy and share online. He says there are promising signs judges recognise that virtual content can be owned like physical content, citing the 2011 case of a man jailed for stealing online poker chips.

Music and films

You might be surprised to find that in most cases you are effectively leasing the content, not buying it. This is because you are generally being sold a licence to use the song or film, not the item itself. Where the music is downloaded on to a device you can leave that to someone, but you cannot leave instructions to share out the holdings in your iTunes account after you are gone.

When it comes to the account's contents, "from a legal perspective there is nothing to leave," Purewal says. He works with online entertainment companies and says: "I can't think of any digital content providers who freely and openly allow the passage of ownership from one person to another." Either the terms and conditions will explicitly rule out sharing downloads, or will use language which implicitly rules against it.

Workarounds are possible: you could share your password and other account details with your family or even the person who will execute your estate, but you will be taking a risk as the content provider could suspend the account. But if US courts do decide iTunes has to allow users to pass on licences, this whole area may be opened up.

Books

As with music and films, when you die your virtual library will die with you. Amazon tells Kindle users: "The purchase and download of digital content from Amazon.co.uk, including content from the Kindle Store, is associated with the Amazon.co.uk account used to make the original purchase. As a result, Kindle content cannot be shared like a physical book."

So you can't move a book from one device to another, and you won't be able to split up a collection of books between family and friends. You could leave the device holding your collection to someone else, but if they needed to access the account for any reason they could run into difficulties. Again, you cannot leave it to someone else with complete certainty.

Social media

"Most social media account holders are bound by their terms of business, and it is common for executors to be unable to access a deceased customer's account," says Nick Rhodes, associate solicitor at Blacks Solicitors. "The service providers seem reluctant to allow access as the accounts contain personal data about the deceased and fear breaching privacy rights. There is no established legislation or cases dealing with the release of personal data to executors."

Facebook's terms and conditions include the line: "You will not transfer your account (including any Page or application you administer) to anyone without first getting our written permission", which effectively rules out handing over your account when you die. However, it will let your family turn your page into a memorial page, provided they provide proof of your death.

Twitter says that when you sign up it "gives you a personal, worldwide, royalty-free, non-assignable and non-exclusive license to use the software", which implies an account cannot be transferred. It seems unlikely it would pursue an individual for logging into a relative's account after their death, but there are inactivity rules. Your account will not stay around forever if nothing is happening with it.

Yahoo!, which owns the photo-sharing site Flickr as well as running a webmail service, also states that users are granted "personal, non-transferable and non-exclusive right and licence" to use its software. It also makes it clear in its terms and conditions that it reserves the right to shut down inactive accounts. This is worth bearing in mind if you want to pass on photos which you are storing online – the account holding them could be deleted one day.

Despite these rules some companies are trying to trade on the idea that people may want to leave their accounts to their families when they die. Loccit, for example, offers to pull together your Facebook, Twitter, Instagram and Foursquare accounts to create an online version of "the secret shoebox of photos and memories we used to keep as children".

iCloud

Apple is very clear about ownership of iCloud accounts. It states in its terms and conditions: "You agree that your Account is non-transferable and that any rights to your Apple ID or Content within your Account terminate upon your death. Upon receipt of a copy of a death certificate your Account may be terminated and all Content within your Account deleted."

Emails

English law states that the copyright of emails and other material stored online forms part of people's estates, and should therefore pass to executors. However, lawyers say internet service providers do not always allow access. There can also be jurisdictional issues where ISPs may be based in a different country to where the user lived.

Rhodes says anyone worried about their digital legacy should "have a will stating that chosen executors have the right to access social accounts and digital assets, and to direct the executors on how the accounts and assets shall be dealt with.

"If the executors still meet resistance from the online providers then they could apply to court for an order allowing them to deal with everything in accordance with the will."

However, he says it remains to be seen how a court would react.


Document Retention Policy - Why and How

If you have grown your business to a profitable and viable enterprise, then chances are you need to have a procedure for the organization, retention, (and periodic destruction) of your important documents and other business information. This is often handled through a Record Retention and Destruction Policy.

Policies of this nature can offer many tangible and intangible benefits to your business:

First and foremost, a policy will assist in the organization and management of your day-to-day business operations, by allowing you to easily locate and access key documents. You will also be able to preserve and enhance your business’ institutional knowledge by archiving key documents and information in a manner so that they can be easily located and accessed.

In today’s environment, businesses are subject to a number of legal, accounting, contractual, and other ongoing requirements and restrictions concerning record retention and destruction. A Record Retention and Destruction Policy will allow you to keep track of (and remain in compliance with) these various requirements.

Policies of this nature typically include procedures for the periodic purging and destruction of documents that are no longer required to be retained. Thus you are able to reduce costs and expenses associated with the retention and storage of obsolete and unnecessary records.

Today’s record retention software will often allow you to control the internal and external dissemination of sensitive or confidential information—allowing you to safeguard and protect your most critical business secrets.

If your business ever gets involved in litigation, a Record Retention and Destruction Policy will help you manage costs, as well as remain in compliance with the various court rules concerning electronic records and discovery.

Finally, a policy will allow you to respond in the event of a potential sale or other strategic opportunity, by allowing you to quickly locate and assemble your corporate documents to facilitate due diligence and other deal-related activities.

Although each policy is different, and depends upon the specific nature and requirements of the business, there are a couple of general considerations to keep in mind:

Assemble your team.  Implementing a Document Retention and Destruction Policy is a multi-disciplinary exercise, and will require coordination among various employees and advisors, including legal, financial, accounting, human resources, information technology, and other professionals. Most companies are now able to use computer software to automate and manage a large portion of the process. Accordingly, a key partner in this project will be your software provider and implementation consultant.

Understand the legal and regulatory requirements.  Odds are that there are a number of statutes and administrative regulations that are applicable to your business—including those that require you to retain certain records for some designated period of time. These requirements increase exponentially if your business operates in a regulated industry, has an international component, or is involved in government contracting. You may also have certain contracts or certification requirements in place that include a document retention component.

Draft a written policy. Your business’ specific document retention and destruction requirements should be memorialized through the preparation of a written Document Retention and Destruction Policy, which will typically designate specific “retention periods” based on document type and content. Your legal and human resources advisors can assist in this process.

Include procedures for implementing a litigation “hold.” In the event of actual or threatened litigation, you will be required to place a “hold” on the destruction of potentially relevant information—even though it might otherwise be destroyed in the ordinary course under the terms of your policy. Your written Document Retention and Destruction Policy should include procedures for implementation of any litigation hold, including: (a) specifying the facts and circumstances triggering a hold; (b) assigning responsibility for initiating the hold; and (c) setting procedures on how the hold is communicated to employees and implemented.

Account for “off site” information.  Managing, storing, and disposing of e-mails and other information stored on employee desktop computers is often a fairly straightforward process. However, it may be more difficult to account for documents or information that is stored “off site”—e.g., on an employee's personal computer, laptop, or PDA. Any policy that you implement should include a mechanism for capturing and managing such information.

Ensure that your policy is properly implemented and enforced. Once you have developed a policy, the real work often begins in the form of implementation and enforcement (including employee training). In some cases, it may be more harmful to have a policy that is not enforced, than if you simply had no policy at all. You should also conduct periodic audits of your retention and destruction program, in order to see if any updates or changes are necessary.

Compiling, organizing, and managing your company’s records can often be a daunting task. However, it is critical that you stay on top of your business’ records and other key information. In today’s information age, there is almost no other way to do business.

Document Retention and Destruction Policy

Sample policy language can streamline the policy adoption process and is a good starting point. But it is never a good idea to simply insert your organization’s name and present the document to the board for approval. The policy MUST be discussed and tailored to reflect your organization’s culture and to conform to your other policies.


This sample policy is distributed with the understanding that Active Technologies, LLC is not engaged in rendering legal or accounting counsel. We urge you to seek professional services to address your specific concerns.

I. Purpose

In accordance with the Sarbanes-Oxley Act, which makes it a crime to alter, cover up, falsify, or destroy any document with the intent of impeding or obstructing any official proceeding, this policy provides for the systematic review, retention and destruction of documents received or created by Arts Organization in connection with the transaction of organization business. This policy covers all records and documents, regardless of physical form, and contains guidelines for how long certain documents should be kept and how records should be destroyed. The policy is designed to ensure compliance with federal and state laws and regulations, to eliminate accidental or innocent destruction of records and to facilitate Arts Organization’s operations by promoting efficiency and freeing up valuable storage space.

II. Document Retention

Arts Organization follows the document retention procedures outlined below. Documents that are not listed, but are substantially similar to those listed in the schedule will be retained for the appropriate length of time.

III. Corporate Records

Annual Reports to Secretary of State/Attorney General: Permanent
Articles of Incorporation: Permanent
Board Meeting and Board Committee Minutes: Permanent
Board Policies/Resolutions: Permanent
By-laws: Permanent
Construction Documents: Permanent
Fixed Asset Records: Permanent
IRS Application for Tax-Exempt Status (Form 1023): Permanent
IRS Determination Letter: Permanent
State Sales Tax Exemption Letter: Permanent
Contracts (after expiration): 7 Years
Correspondence (general): 3 Years

Accounting and Corporate Tax Records

Annual Audits and Financial Statements: Permanent
Depreciation Schedules: Permanent
General Ledgers: Permanent
IRS 990 Tax Returns: Permanent
Business Expense Records: 7 Years
IRS 1099s: 7 Years
Journal Entries: 7 Years
Invoices: 7 Years
Sales Records (box office, concessions, gift shop): 5 Years
Petty Cash Vouchers: 3 Years
Cash Receipts: 3 Years
Credit Card Receipts: 3 Years

Bank Records

Check Registers: Permanent
Bank Deposit Slips: 7 Years
Bank Statements and Reconciliation: 7 Years
Electronic Fund Transfer Documents: 7 Years

Payroll and Employment Tax Records

Payroll Registers: Permanent
State Unemployment Tax Records: Permanent
Earnings Records: 7 Years
Garnishment Records: 7 Years
Payroll Tax Returns: 7 Years
W-2 Statements: 7 Years

Employee Records

Employment and Termination Agreements: Permanent
Retirement and Pension Plan Documents: Permanent
Records Relating to Promotion, Demotion or Discharge: 7 Years after termination
Accident Reports and Worker’s Compensation Records: 5 Years
Salary Schedules: 5 Years
Employment Applications: 3 Years
I-9 Forms: 3 Years after termination
Time Cards

Donor Records and Acknowledgement Letters: 7 Years
Grant Applications and Contracts: 5 Years after completion

Legal, Insurance and Safety Records

Appraisals: Permanent
Copyright Registrations: Permanent
Environmental Studies: Permanent
Insurance Policies: Permanent
Real Estate Documents: Permanent
Stock and Bond Records: Permanent
Trademark Registrations: Permanent
Leases: 6 Years after expiration
OSHA Documents: 5 Years
General Contracts: 3 Years

IV. Electronic Documents and Records

Electronic documents will be retained as if they were paper documents. Therefore, any electronic files, including records of donations made online, that fall into one of the document types on the above schedule will be maintained for the appropriate amount of time. If a user has sufficient reason to keep an email message, the message should be printed in hard copy and kept in the appropriate file or moved to an “archive” computer file folder. Backup and recovery methods will be tested on a regular basis.

V. Emergency Planning

Arts Organization’s records will be stored in a safe, secure and accessible manner. Documents and financial files that are essential to keeping Arts Organization operating in an emergency will be duplicated or backed up at least every week and maintained off site.

VI. Document Destruction

Arts Organization’s chief financial officer is responsible for the ongoing process of identifying its records that have met the required retention period and overseeing their destruction. Destruction of financial and personnel-related documents will be accomplished by shredding.

Document destruction will be suspended immediately, upon any indication of an official investigation or when a lawsuit is filed or appears imminent. Destruction will be reinstated upon conclusion of the investigation.

VII. Compliance

Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against Arts Organization and its employees and possible disciplinary action against responsible individuals. The chief financial officer and finance committee chair will periodically review these procedures with legal counsel or the organization’s certified public accountant to ensure that they are in compliance with new or revised regulations.

Does July Mean The End Of The Internet For Some Computers

Google plans to warn more than half a million users of a computer infection that may knock their computers off the Internet this summer.

Unknown to most of them, their problem began when international hackers ran an online advertising scam to take control of infected computers around the world. In a highly unusual response, the FBI set up a safety net months ago using government computers to prevent Internet disruptions for those infected users. But that system will be shut down July 9 -- killing connections for those people.

The FBI has run an impressive campaign for months, encouraging people to visit a website that will inform them whether they're infected and explain how to fix the problem. After July 9, infected users won't be able to connect to the Internet.

An online ad scam is having some unintended ramifications: The fix may prevent as many as 360,000 from getting online. Several sites will show if you're infected:

DNS Changer Working Group: can discern whether you’re infected and explain how to fix the problem.

DNSChanger Eye Chart: if the site goes red, you’re in harm’s way. Green means clean.

The FBI website: type in the IP address of your DNS server to find out if it is infected.
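The FBI lookup described above amounts to comparing your configured DNS server against the address ranges the rogue servers used. This is an added example of that check done locally, not code from the article or from the FBI; the address ranges and the resolv.conf text in it are constructed placeholders (documentation-only blocks), and the real ranges must be taken from what the FBI and the DNS Changer Working Group published.

```python
"""Added example (not part of the original article): a local version of
the "is my DNS server one of the rogue ones" check.  It parses
resolv.conf-style "nameserver" lines and reports any resolver that falls
inside a list of rogue address ranges.  ROGUE_RANGES and
SAMPLE_RESOLV_CONF below are CONSTRUCTED placeholders for illustration;
substitute the ranges published by the FBI / DNS Changer Working Group
before using this on a real machine."""
import ipaddress
from typing import Iterable, List

# Constructed placeholder ranges (RFC 5737 documentation blocks), NOT the
# real DNSChanger ranges.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample resolver configuration: one rogue, one clean entry.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client (constructed sample)
nameserver 198.51.100.23
nameserver 8.8.8.8
search example.net
"""


def parse_nameservers(text: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text, skipping
    comments, blank lines and entries that are not valid IP literals."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # hostname or garbage instead of an address
    return servers


def rogue_resolvers(servers: Iterable[str],
                    ranges: Iterable = ROGUE_RANGES) -> List[str]:
    """Return the resolvers that fall inside any of the given ranges.
    An address of the other IP version is simply never a member."""
    hits = []
    for s in servers:
        addr = ipaddress.ip_address(s)
        if any(addr in net for net in ranges):
            hits.append(s)
    return hits


def check_resolv_conf(text: str = SAMPLE_RESOLV_CONF) -> dict:
    """Run the full check over resolv.conf text and report the verdict."""
    servers = parse_nameservers(text)
    bad = rogue_resolvers(servers)
    return {"nameservers": servers, "rogue": bad, "infected": bool(bad)}


if __name__ == "__main__":
    print(check_resolv_conf())
    # On a Linux host you would pass the real file instead:
    #   check_resolv_conf(open("/etc/resolv.conf").read())
```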


On Tuesday, May 22, Google announced it would throw its weight into the awareness campaign, rolling out alerts to users via a special message that will appear at the top of the Google search results page for users with affected computers, CNET reported.

“We believe directly messaging affected users on a trusted site and in their preferred language will produce the best possible results,” wrote Google security engineer Damian Menscher in a post on the company’s security blog.

“If more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it,” he wrote.

The challenge, and the reason for the awareness campaigns: Most victims don't even know their computers have been infected, although the malicious software probably has slowed their web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.

Last November, when the FBI and other authorities were preparing to take down a hacker ring that had been running an Internet ad scam on a massive network of infected computers, the agency realized this may become an issue.

"We started to realize that we might have a little bit of a problem on our hands because ... if we just pulled the plug on their criminal infrastructure and threw everybody in jail, the victims of this were going to be without Internet service," said Tom Grasso, an FBI supervisory special agent. "The average user would open up Internet Explorer and get 'page not found' and think the Internet is broken."

On the night of the arrests, the agency brought in Paul Vixie, chairman and founder of Internet Systems Consortium, to install two Internet servers to take the place of the truckload of impounded rogue servers that infected computers were using. Federal officials planned to keep their servers online until March, giving everyone opportunity to clean their computers.

But it wasn't enough time.

Does Safely Ejecting From a USB Port Actually Do Anything?

Is there any harm to be incurred by just pulling a flash drive out? Why do we need safe removal at all?

Historically, Operating Systems treat disks as objects that can be trusted not to change state suddenly. When reading or writing files, the OS expects the files to remain accessible and not suddenly disappear in mid-read or mid-write.

If a file is open, a program reading the file expects to be able to return to it and continue reading. Similarly, write commands may be dispatched to a writing subroutine and forgotten by the main program. If a drive disappears between the time the subroutine is called and the data is written to disk, that data is lost forever.


In ye olde days, there were formal processes to physically “mount” and “unmount” storage media, and the physical act of mounting a tape or a disk pack triggered some mechanical switch to detect the presence or absence of media. Once the mechanism was engaged, the software could start to use the media (a “soft mount”). Some media even had a mechanical interlock to prevent media from being ejected or removed until the software processes using the media released the lock.

The Macintosh floppy and optical disk provide more modern examples of an interlocked physical and soft mount. One could only eject media through a software command, but that command might fail if some program was holding a file open on the medium. Enter USB-connected storage. There is no mechanical interlock in a USB connection to coordinate the hard and soft mount. The user can decide to rip the disk out from under the operating system at any time, and endure all manner of programs freaking out about the sudden loss of media. “Hey! I was using that!”

Symptoms could include lost data, corrupted filesystems, crashing programs, or hanging computers requiring a reboot. A safe removal executes the “soft unmount” needed to prevent any unexpected Bad Things that may happen if a program loses its access to media.

A safe removal does a few things:

  • It flushes all active writes to disk.
  • It alerts all programs (that know how to be alerted) that the disk is going away, and to take appropriate action.
  • It alerts the user when programs have failed to take action, and still are holding files open.

You can remove a disk at any time, but you are at the mercy of how well programs using the disk cope with the sudden disappearance of that disk.
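The first and third steps in that list can be reproduced in a few lines, which makes it clear what a plain write() does and does not guarantee. This is an added example, not code from the article: a durable write that flushes the file and its directory entry with fsync (what the safe-removal flush does on your behalf), and a check for files this process still holds open under a mount point (the condition that makes a safe removal refuse). The temporary directory stands in for the removable medium, and the open-handle check uses /proc/self/fd, so it only sees this process and only works on Linux.

```python
"""Added example (not from the original article): two halves of a "soft
unmount" in portable Python.  durable_write() pushes data through the OS
cache to the device; open_files_under() reports handles this process still
holds on the medium.  All paths are temporary and constructed."""
import os
import tempfile

# True on Linux, where /proc exposes this process's open descriptors.
PROC_FD_AVAILABLE = os.path.isdir("/proc/self/fd")


def durable_write(path: str, data: bytes) -> int:
    """Write `data` to `path` so it survives an immediate media removal.

    write() alone only hands the bytes to the page cache, which is exactly
    what a yanked drive loses.  flush() empties Python's buffer, fsync() on
    the file pushes data and metadata to the device, and fsync() on the
    parent directory makes the new directory entry durable too (required
    on many filesystems).  Returns the number of bytes written.
    """
    with open(path, "wb") as f:
        written = f.write(data)
        f.flush()
        os.fsync(f.fileno())
    if os.name == "posix":  # directory fsync has no Windows equivalent
        dir_fd = os.open(os.path.dirname(os.path.abspath(path)), os.O_RDONLY)
        try:
            os.fsync(dir_fd)
        finally:
            os.close(dir_fd)
    return written


def open_files_under(mount_point: str) -> list:
    """Return paths this process holds open below `mount_point`.

    Mirrors the safe-removal check for programs still holding files open.
    Only this process is visible and only on Linux; elsewhere it returns
    an empty list.  (A system-wide check needs root and lsof or fuser.)
    """
    root = os.path.realpath(mount_point)
    found = []
    if not PROC_FD_AVAILABLE:
        return found
    for name in os.listdir("/proc/self/fd"):
        try:
            target = os.readlink(os.path.join("/proc/self/fd", name))
        except OSError:
            continue  # descriptor closed between listdir and readlink
        if target == root or target.startswith(root + os.sep):
            found.append(target)
    return found


def safe_to_remove(mount_point: str) -> bool:
    """True when nothing below `mount_point` is open in this process."""
    return not open_files_under(mount_point)


def demo() -> dict:
    """Exercise both halves on a temp directory standing in for the
    removable medium, and report what each step observed."""
    with tempfile.TemporaryDirectory() as medium:
        path = os.path.join(medium, "notes.txt")
        n = durable_write(path, b"constructed sample data\n")
        with open(path, "rb") as f:
            safe_while_open = safe_to_remove(medium)  # False on Linux
            readback = f.read()
        safe_after_close = safe_to_remove(medium)     # True everywhere
        return {"written": n, "readback": readback,
                "safe_while_open": safe_while_open,
                "safe_after_close": safe_after_close}


if __name__ == "__main__":
    print(demo())
```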

In the modern computer, many steps have been taken to defend against the capricious and careless removal of media. For example, Windows even introduced a feature called “Optimize for Quick Removal” that makes sure data is written quickly instead of batched up and written efficiently. It is very hard to get people to change habits. If you are doing exclusively reads on a medium, safe removal is probably not needed. If you are doing writes, you are probably OK to skip safe removal if you haven’t written recently and you aren’t doing something silly like indexing that disk.

As a good friend of mine once said: Life is too short to safely eject the disk.

However, Safe Removal does a number of important things and is, in fact, the only assuredly safe way to remove a disk. You probably don’t need it most of the time, but it is a good habit to have since data loss sucks.

Does Safely Ejecting From a USB Port Actually Do Anything

Does Safely Ejecting From a USB Port Actually Do Anything?

Is there any harm to be incurred by just pulling a flash drive out? Why do we need safe removal at all?

Historically, Operating Systems treat disks as objects that can be trusted not to change state suddenly. When reading or writing files, the OS expects the files to remain accessible and not suddenly disappear in mid-read or mid-write.

If a file is open, a program reading the file expects to be able to return to it and continue reading. Similarly, write commands may be dispatched to a writing subroutine and forgotten by the main program. If a drive disappears between the time the subroutine is called and the data is written to disk, that data is lost forever.

Advertisement

 

 

In ye olde days, there were formal processes to physically “mount” and “unmount” storage media, and the physical act of mounting a tape or a disk pack triggered some mechanical switch to detect the presence or absence of media. Once the mechanism was engaged, the software could start to use the media (a “soft mount.”). Some media even had mechanical interlock to prevent media from being ejected or removed until the software processes using the media released the lock.

The Macintosh floppy and optical disk provide more modern examples of an interlocked physical and soft mount. One could only eject media through a software command, but that command might fail if some program was holding a file open on the medium. Enter USB connected storage. There is no mechanical interlock in a USB connection to coordinate the hard and soft mount. The user can decide to rip the disk out from under the operating system at any time, and endure all manner of programs freaking out about the sudden loss of media. “Hey! I was using that!”

Symptoms could include: Lost data, corrupted filesystems, crashing programs, or hanging computers requiring a reboot. A safe removal executes the “soft unmount” needed to prevent any unexpected Bad Things that may happen if a program loses its access to media.

A safe removal does a few things:

  • It flushes all active writes to disk.
  • It alerts all programs (that know how to be alerted) that the disk is going away, and to take appropriate action.
  • It alerts the user when programs have failed to take action, and still are holding files open.

You can remove a disk at any time, but you are at the mercy of how well programs using the disk cope with the sudden disappearance of that disk.

In the modern computer, many steps have been taken to defend against the capricious and careless removal of media. For example, Windows even introduced a feature called “Optimize for Quick Removal” that makes sure data is written quickly instead of batched up and written efficiently. It is very hard to get people to change habits. If you are doing exclusively reads on a media, safe removal is probably not needed. If you are doing writes, you are probably OK to skip safe removal if you haven’t written recently and you aren’t doing something silly like indexing that disk.

As a good friend of mine once said: Life is too short to safely eject the disk.

However, Safe Removal does a number of important things and is, in fact, the only assuredly safe way to remove a disk. You probably don’t need it most of the time, but it is a good habit to have since data loss sucks

Does Safely Ejecting From a USB Port Actually Do Anything

Does Safely Ejecting From a USB Port Actually Do Anything?

Is there any harm to be incurred by just pulling a flash drive out? Why do we need safe removal at all?

Historically, Operating Systems treat disks as objects that can be trusted not to change state suddenly. When reading or writing files, the OS expects the files to remain accessible and not suddenly disappear in mid-read or mid-write.

If a file is open, a program reading the file expects to be able to return to it and continue reading. Similarly, write commands may be dispatched to a writing subroutine and forgotten by the main program. If a drive disappears between the time the subroutine is called and the data is written to disk, that data is lost forever.

Advertisement

 

 

In ye olde days, there were formal processes to physically “mount” and “unmount” storage media, and the physical act of mounting a tape or a disk pack triggered some mechanical switch to detect the presence or absence of media. Once the mechanism was engaged, the software could start to use the media (a “soft mount.”). Some media even had mechanical interlock to prevent media from being ejected or removed until the software processes using the media released the lock.

The Macintosh floppy and optical disk provide more modern examples of an interlocked physical and soft mount. One could only eject media through a software command, but that command might fail if some program was holding a file open on the medium. Enter USB connected storage. There is no mechanical interlock in a USB connection to coordinate the hard and soft mount. The user can decide to rip the disk out from under the operating system at any time, and endure all manner of programs freaking out about the sudden loss of media. “Hey! I was using that!”

Symptoms could include: Lost data, corrupted filesystems, crashing programs, or hanging computers requiring a reboot. A safe removal executes the “soft unmount” needed to prevent any unexpected Bad Things that may happen if a program loses its access to media.

A safe removal does a few things:

  • It flushes all active writes to disk.
  • It alerts all programs (that know how to be alerted) that the disk is going away, and to take appropriate action.
  • It alerts the user when programs have failed to take action, and still are holding files open.

You can remove a disk at any time, but you are at the mercy of how well programs using the disk cope with the sudden disappearance of that disk.

In the modern computer, many steps have been taken to defend against the capricious and careless removal of media. For example, Windows even introduced a feature called “Optimize for Quick Removal” that makes sure data is written quickly instead of batched up and written efficiently. It is very hard to get people to change habits. If you are doing exclusively reads on a medium, safe removal is probably not needed. If you are doing writes, you are probably OK to skip safe removal if you haven’t written recently and you aren’t doing something silly like indexing that disk.

As a good friend of mine once said: Life is too short to safely eject the disk.

However, Safe Removal does a number of important things and is, in fact, the only assuredly safe way to remove a disk. You probably don’t need it most of the time, but it is a good habit to have, since data loss sucks.
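An added example, not code from the original article, of two of the three steps a safe removal performs: durable_write() forces one file's pending bytes out of the OS write cache onto the device (the flush), and open_files_under() lists the files this process still holds open on a medium (the "still holding files open" check). The handle check reads /proc/self/fd and so assumes Linux; it returns None elsewhere.

```python
import os
import tempfile

# Added example, not from the original article. durable_write() does for one
# file what a safe removal does for every pending write: it pushes the bytes
# out of the OS write cache and onto the device before returning.
# open_files_under() is the check a safe removal runs before the soft unmount:
# which files does this process still hold open on the medium? It reads
# /proc/self/fd and therefore works on Linux only (returns None elsewhere).


def durable_write(path: str, data: bytes) -> int:
    """Write data to path so that it survives media removal right after return."""
    tmp_path = path + ".tmp"
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        view = memoryview(data)
        written = 0
        while written < len(view):          # os.write may write fewer bytes than asked
            written += os.write(fd, view[written:])
        os.fsync(fd)                        # force data and metadata out of the write cache
    finally:
        os.close(fd)
    # Rename is atomic on POSIX filesystems: a reader sees the old file or the
    # new one, never a half-written one.
    os.replace(tmp_path, path)
    dir_fd = os.open(os.path.dirname(path) or ".", os.O_RDONLY)
    try:
        os.fsync(dir_fd)                    # make the new directory entry durable too
    finally:
        os.close(dir_fd)
    return written


def open_files_under(mount_point: str):
    """Paths under mount_point this process still has open, or None without /proc."""
    fd_dir = "/proc/self/fd"
    if not os.path.isdir(fd_dir):
        return None
    root = os.path.realpath(mount_point)
    held = []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue                        # fd closed between listdir and readlink
        if target == root or target.startswith(root + os.sep):
            held.append(target)
    return held


def demo() -> dict:
    """Constructed walk-through: write durably, then run the open-handle check."""
    with tempfile.TemporaryDirectory() as scratch:   # stands in for the removable medium
        path = os.path.join(scratch, "report.txt")
        payload = b"quarterly numbers\n"             # constructed sample data
        written = durable_write(path, payload)
        with open(path, "rb") as fh:
            held_while_open = open_files_under(scratch)   # should list report.txt
            read_back = fh.read()
        held_after_close = open_files_under(scratch)       # should be empty
    return {
        "written": written,
        "read_back": read_back,
        # True on Linux when the open handle is detected, None where /proc is absent
        "busy_while_open": None if held_while_open is None
        else os.path.realpath(path) in held_while_open,
        "busy_after_close": None if held_after_close is None
        else bool(held_after_close),
    }


if __name__ == "__main__":
    print(demo())
```

A safe-removal routine would refuse to proceed while the handle list is non-empty, which is exactly the "still holding files open" warning the article describes.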

Don't Use PcAnywhere Symantec Warns Customers

Symantec (NSDQ:SYMC) told customers Thursday not to use pcAnywhere until the company can secure the PC remote control software following the theft of its underlying code by hacker collective Anonymous. Symantec issued the warning after completing an analysis of the source code taken by an Indian chapter of Anonymous from an unidentified third party. Samples of the code were given to Infosec Island, an online community of security professionals that handed the code to Symantec, the vendor reported about two weeks ago.

Don't let identity thieves steal your tax refund

(Mark Huffman @ ConsumerAffairs) Identity theft is already a growing consumer problem. When a hacker assumes your identity they can open up lines of credit in your name and even clean out your bank account.

To add insult to injury, they can even steal your federal income tax refund. In fact, the Internal Revenue Service (IRS) reports this is happening with alarming frequency.

All a hacker needs is your Social Security number. With it, they can file a phony tax return with a made-up W-2 form that shows you are getting a big refund. When the IRS gets the return it processes it, sending out the refund check to the bad guy. The theft isn't discovered until you get around to filing your real return.

Easy money

To the hacker it's easy money. If he has somehow gotten his hands on your actual W-2, you may have a very difficult time getting your money back. In any case, the U.S. taxpayers end up getting victimized as well.

The IRS has stepped up efforts in recent years on finding and prosecuting these specialized identity thieves. In Fiscal Year 2013 the agency began nearly 1,500 criminal investigations related to tax return identity theft, a 66% increase over the previous year. It's better, of course, to stop identity theft before it happens.

“The IRS has taken numerous steps to combat identity theft and protect taxpayers,” the agency said in a statement. “We are continually looking at ways to increase data security and protect taxpayers' identities with assistance from our Identity Protection Specialized Unit. Identity theft cases are among the most complex ones we handle.”

Take action

If you have reason to believe that someone has stolen your personal information you need to take action. For example, you may receive a letter from the IRS, or learn from a tax professional, stating that you filed more than one tax return, or that someone has already filed a return using your information. You may also learn that you have a balance due, a refund offset, or collection actions taken against you for a year in which you did not file.

Your identity may also have been stolen if you receive a notification of wages from an employer you have not worked for. If you receive such a letter from the IRS and you suspect your identity has been stolen, respond immediately to the name, address, phone number or fax listed on the IRS letter. Better yet, contact the IRS to determine if the letter is a legitimate IRS letter.

Another tip-off is when you learn that someone is using your Social Security number to seek employment, or for some other purpose not connected to your activities.

People to call

When you find out you have been a victim of identity theft, or suspect that you have been, there is a long list of people to call. First, contact the three credit reporting agencies to place a fraud alert on your credit files. Next, cancel all your credit cards. If someone is using your Social Security number, contact the Social Security Administration.

The IRS asks that you also place it on the list of people to call. Once you do it will place a hold on your account so that the thief will be unable to file a bogus return.

For other identity theft protection tips, check out the IRS video below:

Don’t Google anything that enables Google to define your identity

Source: Thinkstock

If you’re really serious about finding a way around Google’s propensity for constructing a profile to define who you are and how much you’re worth to specific advertisers, then there’s not much recourse but to avoid searching anything that could give Google or advertisers a clue about your identity. As Jeffrey Rosen reported for The New York Times a few years ago, the privacy threats go beyond creepy ads. “Computers can link our digital profiles with our real identities so precisely that it will soon be hard to claim that the profiles are anonymous in any meaningful sense,” Rosen writes.

Paul Ohm, a law professor at the University of Colorado at Boulder, told the Times that companies can combine hundreds or thousands of facts about you into what he terms “a database of ruin.” With discrete and unconnected facts about you, an algorithm could sort through profiles of hundreds of thousands of users like you and accurately predict something unrelated about you or your activity. Ohm argues that everyone has at least one closely guarded secret that could lead to harm if revealed, like “a medical condition, family history or personal preference,” and the database of ruin makes that secret hard to conceal.

Even if many classifications are inaccurate, they can still harm you with effects like price discrimination, in which companies profile you and determine how much to charge you for goods or services. Rosen reports, “the new world of price discrimination is one where it’s hard to escape your consumer profile, and you won’t even know if companies are offering discounts to higher-status customers in the first place.” He imagines that “As personalization becomes ubiquitous, the segmented profiles that advertisers, publishers and even presidential candidates use to define us may become more pervasive and significant than the identities we use to define ourselves.”

If you’re looking to minimize the amount of information that search engines and advertisers collect on you, there are a few steps you should take. Choose an alternative search engine, like DuckDuckGo, to keep your search history from being recorded and analyzed. Install an extension like AdBlock Plus, Ghostery, or Disconnect to protect yourself against companies who want to track your activity online. Check your privacy settings on popular sites, and always log out of social networks when you’re browsing the web.

Don’t give your search engine hints about your insecurities

Source: Thinkstock

Advertising is notoriously formulated to create and capitalize upon viewers’ insecurities. Giving your search engine — and all of the advertisers that leverage the information it collects on you — easy access to the insecurities you already have just does the dirty work for them. Making things easier for advertisers who want to capitalize on your insecurities to sell you products and services doesn’t sound like a huge deal compared to what happens when you search for medical information. But it still has some unsettling effects that you should avoid, if you can.

Amanda Hess recently reported for Slate that a category of searches she’s dubbed “Google, am I normal?” is a “scintillating resource for advertisers.” Hess explains, “I’ve been tipping Google off to all the real ailments and imagined insecurities that I already have, at a pace of about once an hour, every hour of the day: celebrity diet, pants are uncomfortable, migraine difficulty speaking, before and after plastic surgery, and worst cramps ever why.” Each of those gives an easy in to advertisers, who don’t even have to show you an ad first to get you to think about your insecurities, and how their products might help.

It may not seem like a big deal compared to having ads about treatments for an illness you may or may not have following you around the Internet. But if you don’t want to see ads that are specifically tailored to things that you already don’t like about your body, even if, objectively, they aren’t a huge deal, you should avoid sharing those insecurities with your search engine in the first place.

Don’t search for anything suspicious (especially at work)

Source: iStock

A couple of years ago, a story on how a series of Google searches led to a visit by local authorities made the rounds. As Jared Newman reported for Time, searches by different members of a New York family for terms including “backpack” and “pressure cooker bomb” triggered a visit by local authorities when the suspicious Google searches were reported by an employer. Michele Catalano, the matriarch of the family in question, later wrote, “I had researched pressure cookers. My husband was looking for a backpack. And maybe in another time those two things together would have seemed innocuous, but we are in ‘these times’ now.” She continued, “And in these times, when things like the Boston bombing happen, you spend a lot of time on the Internet reading about it and, if you are my exceedingly curious, news junkie 20-year-old son, you click a lot of links when you read the myriad of stories. You might just read a CNN piece about how bomb making instructions are readily available on the Internet and you will in all probability, if you are that kid, click the link provided.”

The lesson learned? Don’t search for suspicious terms, or anything that could be construed as crime-related, when someone is watching your browsing history. (The safest course of action is to assume that someone always is.) On a similar note, it’s a bad idea to search anything crime-related if you have something to hide. Obviously we don’t condone committing a crime. But it’s worth noting that people’s Google searches have been used to convict them of crimes, especially when they just so happen to Google the crime right before or after they’ve committed it. See this Palo Alto case as an example, or read Lee Rowland’s report on how a New York case highlights the problem with finding someone guilty of a conspiracy or an attempt to commit a crime when the only evidence is words shared online. “It’s one thing to use a Google search as evidence of intent or knowledge, when an actual crime has resulted and there’s a real victim.”

Don’t search for information on medical issues or drugs

Source: Thinkstock

While Google says that it prohibits advertisers “from remarketing based on sensitive information, such as health information or religious beliefs,” the company’s privacy policy reserves the right to record your search results, associate them with your IP address or Google account, and then use that information to target ads on Google properties and across the web. Neal Ungerleider recently reported that researchers have found looking up medical and drug information online is a major privacy risk.

Tim Libert, a doctoral student at the University of Pennsylvania’s Annenberg School for Communication, found that more than 90% of the 80,000 health-related pages he looked at exposed user information to third parties. The pages he researched included commercial, nonprofit, educational, and government websites, and the finding is particularly unsettling given a Pew Research Center finding that 72% of Internet users in the United States look up health-related information online. Even worse? Google collects information from 78% of the pages that Libert looked at, which gives advertisers an easy way to figure out that a user has specific health issues, and find out what issues those are. Visits to pages on HIV/AIDS, for instance, can be combined with a user’s browsing history and lead to ads for HIV and AIDS treatments, which Ungerleider notes effectively outs their HIV status.

A bigger privacy issue, Libert worries, is leaks that could expose people’s intimate health information to anyone willing to buy a hacked database. Stolen medical information is routinely trafficked on criminal websites, and is often used for Medicaid fraud and other scams. Third parties could match you with your medical search results, and advertisers could even discriminate against you based on your medical searches, even if they’re never connected to you definitively.

Don’t search for things that clue Google in to your location

Source: Thinkstock

As Jay Stanley reported last year for the ACLU, one of the earliest instances in which the powerful privacy implications of having your search history recorded became clear occurred in 2006, when AOL released a large set of searches that had been conducted on its sites. While the identity of each searcher was replaced with an arbitrary number — so that all of the searches by an individual were still gathered around the same identifier — members of the media found that it wasn’t difficult to identify searchers’ hometowns, neighborhoods, age, sex, and other identifying details through their searches. The result was “an electrifying sense of just how intimate and revealing the information one ‘shares’ with a search engine can be.”

About a year ago, New York Times columnist David Leonhardt told NPR about how search terms differ geographically, with major differences between counties where life is easiest and counties where life is hardest. A high prevalence of searches on health problems like blood sugar and diabetes, searches on “what might be called the dark side of religion,” searches about selling Avon or getting Social Security checks, and searches about “specific kinds of guns” occurs in areas where people are more likely to struggle with money or suffer health problems. Your searches give your search engine a view of how economic trends manifest themselves in your everyday life — something you may not want advertisers capitalizing upon.

Doxing: What Is It?

(Ryan Goodrich @ TechNewsDaily) Doxing, a derivation of the phrase "document tracing," is the act of scouring the Internet for an individual's personal data, usually for a malicious purpose.

While many people may use the Internet to learn more about someone they met at a party, for example, doxing has become more akin to social protest, using publicly available information to identify individuals with the goal of publicly sharing or exposing their personal details.

Example of doxing

Doxing is a common strategy used by hacking groups such as Anonymous and its spinoffs LulzSec and AntiSec.

One such example of Anonymous' work dates back to December 2011, when the group targeted several law-enforcement agencies that had been scrutinizing hacking activities.

This doxing attack resulted in hackers infiltrating secured databases and exposing the information of 7,000 law-enforcement personnel, including names, addresses, Social Security numbers, email addresses and passwords.

While Anonymous did not specifically do anything else with the information beyond sharing it with the public, this act potentially opened the floodgates for Internet cutthroats to commit fraud, email theft and more against each of the names exposed.

Combating doxing

The more personally identifiable information you share on the Internet, the more at risk you are of doxing. All it takes to begin doxing is a person's email address, which can then be used to find other information throughout the Internet, such as your name, phone number or even your Social Security number.

Considering how long many individuals have used the Internet and the number of websites visited and registered for in the past, it's quite impossible to remove or hide one's digital footprint entirely.

Moving forward, changing the information you can control right now can help prevent many instances of doxing.

Several pieces of information commonly targeted include:

  • First and last name
  • Gender
  • Birth date
  • Email address
  • Social networking profile
  • Website

While your employer's IT department is ultimately responsible for the security and safety of your personal information internally, external websites are purely under your control.

When information is optional, such as a birthday on Facebook, don’t share it. You may like getting birthday well-wishing, but such information can put hackers one step closer to exposing your personal life or committing identity theft.

Doxxing is Like Hacking only Legal

(Christine Pelisek @ thedailybeast) Hillary, Beyoncé, Ashton: they all got ‘doxxed’. Christine Pelisek on the cyber pranksters who post stars’ private info for all to see—and why that’s often perfectly legal.

Michelle Obama’s supposed social security number was posted. So was Beyoncé’s purported address. And Ashton Kutcher’s phone number, too. The list goes on: Joe Biden, Donald Trump, Hillary Rodham, Britney Spears, Mel Gibson, and Attorney General Eric Holder were all targeted in the information dump.

In what must have been a particularly galling note for law-enforcement officials, the cyberattack also sussed out the alleged credit report of LAPD chief Charlie Beck. All of these details and more were posted to the mysterious website The Secret Files, which as of Wednesday afternoon was back online after going dark the day before.

But this wasn’t a hack attack, police and cybersecurity experts say. It was a classic case of “doxxing,” the act of obtaining and posting private information about a person by scouring the Internet. And it’s surprisingly easy to do. In many cases, it’s not even illegal.

“You can post it as long as there is nothing nefarious about it,”  says LAPD cyber crimes detective Andrew Kleinick. “They are public figures and that kind of thing happens. It’s not right, [but] I know of no crime.”

The exception, says Kleinick, occurs when information obtained through doxxing is used to threaten someone, steal someone’s identity, or infiltrate private emails. That was the case with 36-year-old Christopher Chaney, who three months ago was sentenced to 10 years in prison after hacking into the email accounts of actresses Scarlett Johansson and Mila Kunis.

It’s still unclear who’s accountable for The Secret Files stunt. LAPD officer Bruce Borihanh says the department is partnering with the FBI to find out more information and determine whether criminal charges apply. “They are looking at the sourcing of it,” Borihanh says, “and if it was obtained through illegal means. Otherwise, it is information that was put out there before.”

This isn’t the first time the LAPD has been doxxed. In 2011, a group affiliated with the online hackers Anonymous claimed responsibility for posting personal information of more than 40 officers, including their home addresses, campaign contributions, property records, and names of family members after they claimed the LAPD oppressed them by shutting down the Occupy L.A. Movement.

But it doesn’t take a master hacker to pull off such a feat. Experts say that doxxing has become almost commonplace when it comes to major celebrities. After all, finding a person’s address or phone number is easy to do by searching the web or paying small fees to online search providers. For an extra fee, plenty of search engines will also hand out phone numbers and addresses of next-door neighbors as well as some criminal background information.

Credit reports and social security numbers are also obtainable on the Web, though they are harder to track down—and this is where the case of The Secret Files may have veered into criminal hacking territory. On Tuesday, the nation’s three biggest credit-report agencies said that the perpetrator had input “considerable amounts” of information, including social security numbers, to impersonate the famous victims and come away with their credit reports, which would be illegal. Due to the connection to Obama and Clinton, the Secret Service is reportedly looking into the mess.

Chaney impersonated his victims, too, scouring celebrity magazines and websites for clues to stars’ email passwords. After clearing common security hurdles—mother’s maiden name, favorite pet’s name—he was able to infiltrate the Google, Apple, and Yahoo email accounts of Johansson and Kunis, leaking several nude photos. In fact, during a four-month period, he cracked the passwords of close to 50 celebrities’ accounts.

He pled guilty to nine felony counts including identity theft, wiretapping, and unauthorized access and damage to a protected computer.

"There is no such thing as complete cybersecurity," says John Villasenor, a UCLA professor and nonresident senior fellow at the Brookings Institution. "As the number of devices and services continues to increase, personal information is stored on more and more systems. Not all of those systems are sufficiently secure, which means that we're likely to see more of these sorts of data compromises in the coming years."

The Secret Files bore the Internet suffix .su, originally assigned to the Soviet Union. The front page of the site featured a creepy picture of a zombie-like girl who looks like she is asking viewers to be quiet. Music from the Showtime series Dexter plays in the background; near the girl’s picture is written: “If you believe that God makes miracles, you have to wonder if Satan has a few up his sleeve.”

Before it went offline, the website had more than 147,000 visitors.

Kleinick, the cyber crimes expert, says the line between legal doxxing and criminal activity is fairly clear. “You cannot use it to make financial gains,” he said. “You can’t say, ‘I am Tom Cruise send me money for this or that.’ You can’t impersonate someone. I can post Tom Cruise’s birth date because it is public information. If the information was taken illegally or if it was stolen, then it would be something we would handle.”

Kleinick himself says he became a victim of cyber intrusion after a person he was investigating posted some of his private information on the Web. Still, he says that while plenty of people have incurred the wrath of these pesky cyber seekers, it is “technically not a reportable crime.”

“If it is just posting personal information we don’t take a report, because it is not illegal.”

Electronic Monitoring by Justice Department Up 60 Percent

The instances of the Justice Department monitoring electronic communications such as phone calls, emails and even social network updates without a warrant have increased by as much as 60 percent in recent years, according to the American Civil Liberties Union.

The surveillance tools – known as either a “pen register” or a “trap and trace” – record such information as phone numbers and the time and length of calls, but not the content.

Orders to track phone calls increased 60 percent -- from 23,535 in 2009 to 37,616 in 2011 -- according to Justice Department documents, including ones recently acquired by the ACLU.

Orders to track emails and computer network data increased by 361 percent over the same period, though the number of orders was less compared to those for phone calls.

The ACLU argues the legal standard to use the devices is lower because they don’t capture content -- unlike wiretaps, which require a judge’s permission. And the government need only submit to a court a certification stating that it seeks information relevant to an ongoing criminal investigation.

However, the Justice Department said that in “every instance cited” in the documents a federal judge authorized the law enforcement activity.

“As criminals increasingly use new and more sophisticated technologies, the use of orders issued by a judge and explicitly authorized by Congress to obtain non-content information is essential for federal law enforcement officials to carry out their duty to protect the public and investigate violations of federal laws," the agency said in a statement.

Still, Naomi Gilens, writing in a blog for the ACLU, says the information in the documents “underscore the importance of regulating and overseeing the government’s surveillance power.”

She also calls both devices “powerfully invasive surveillance tools” and points out that nowadays no special equipment is needed to record such information because it is part of phone companies’ call-routing hardware, unlike 20 years ago.

Fox News' Steve Centanni contributed to this report.

Email Account Hacked–What To Do???

In the past week we have witnessed a huge increase in spam email, particularly from AT&T/BellSouth, Gmail, and sc.rr.com email accounts. What is really surprising is that some of these emails came from “top-notch computer geeks” and corporate executives. But why?

First of all, more folks have email accounts with those four vendors than with all of the other vendors put together. But the real root cause is that these folks are not using strong passwords on their email accounts, and these are the people that should know better!

What’s happening? These email accounts have been hacked by organized crime to disseminate spam advertising, for anything from legitimate products, to porn sites, to sites that can seize control of your computer and use it as a zombie for more spam. Once your email account has been hacked, the hacker has access to your email address AND your address book, and, you guessed it, they send this filth FROM: You TO: your friends and family. How nice!

But how do they hack email accounts? Not by sitting at a keyboard and trying various passwords. They write a script that does it for them. The script goes from email address to email address, and tries the obvious stuff. And when it gains access, it starts another script that sends out spam email.

What makes this possible is the fact that folks STILL don’t use STRONG PASSWORDS! Instead, they use stuff like 123456, or abc123, or their name, or birth date. You see, simple alphanumeric passwords can be hacked by these scripts in 5 seconds or less. Simply using a combination of UPPER and lower case letters with numbers moves the time from 5 seconds to 5 minutes. To make it a strong password, though, it needs to be 10 or 12 characters long, and must have a mixture of UPPER CASE and lower case letters, numbers, and special characters like !@#$?*. Put that stuff in your password and you increase the hack time from minutes to hours, and the hacker script gives up and moves on to the next.

Problem:

Bottom line is: The password must be impossible to remember and you should never write it down. How’s that for security – even the computer user can’t get into their own computer. OR they write it on a sticky note and stick it on the monitor for all to see. How secure is that!

Solution:

However, there is a system for creating and remembering strong passwords. Start off with your favorite saying, such as:

Gladly Pay You Tuesday For A Hamburger Today. To create a strong password from your favorite saying, take the first letter of each word and alternate between upper and lower case, i.e. GpYtFaHt. Now you have something you can remember. To really spice it up, change the first t to a 2 and the a to an @, and put ! at the end, i.e. GpY2F@H!. Now add the year of your Grandfather’s birth, and you have GpY2F@H!1883. And that’s the easy way to create and remember a strong password with 12 characters, upper and lower case with numbers and symbols. Hack that one, spammer!

1. Peter Piper Picked a Peck of Pickled Peppers just won’t get it!

2. Don’t use GpY2F@H!1883 – That’s my password! ☺
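An added example, not code from the original post, that puts numbers on the scaling argument above: how the character classes present and the length of a password set the size of the space a guessing script has to cover. The guess rate is an assumed, constructed figure, and the result is an upper bound; a phrase-derived password is not uniformly random, so a dictionary of common sayings and substitutions shrinks the real search.

```python
import math
import string

# Added example, not from the original post. It quantifies the article's
# argument: each extra character class widens the alphabet, each extra
# character multiplies the search space by that alphabet size. The numbers
# are an upper bound: a guesser that knows the "first letters of a saying plus
# a year" recipe searches a far smaller space than the full alphabet.

CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),   # the 32 printable ASCII symbols
}


def char_classes(password: str) -> set:
    """Which character classes occur in password (unknown characters are ignored)."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        elif ch in string.punctuation:
            found.add("symbol")
    return found


def alphabet_size(password: str) -> int:
    """Size of the alphabet a guesser must cover to reach this password."""
    return sum(CLASS_SIZES[c] for c in char_classes(password))


def search_space(password: str) -> int:
    """Number of candidates of the same length over the same alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space: the usual 'bits of strength' figure."""
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every candidate at an assumed guess rate.
    1e9 guesses/s is a constructed figure for an offline attack on a fast,
    unsalted hash; an online login form allows far fewer attempts."""
    return search_space(password) / guesses_per_second


def compare(passwords) -> list:
    """Rows of (password, alphabet size, bits, seconds) for a side-by-side view."""
    return [(p, alphabet_size(p), round(entropy_bits(p), 1), seconds_to_exhaust(p))
            for p in passwords]


if __name__ == "__main__":
    # The article's own progression: digits only, mixed case, symbols, 12 characters.
    for row in compare(["123456", "GpYtFaHt", "GpY2F@H!", "GpY2F@H!1883"]):
        print("%-14s alphabet=%3d  bits=%5.1f  worst case=%.3g s" % row)
```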

As for securing your existing email account, contact your email vendor, tell them that your email account has been hacked and ask them if simply changing the email address will be sufficient to secure the account. If not, you may need to get a new email account. However, if they will allow you to continue using your existing account, have them change the password. Then immediately change it again to your new strong password to secure your account.

Email Policy Template

Procedure ID:
Department:
Operation:
Controlled By:
Effective: 12/1/2011

Description:

The purpose of this policy is to ensure the proper use of the {COMPANY} email system and make certain users are aware of what {COMPANY} deems as acceptable and unacceptable use of its email system. {COMPANY} reserves the right to amend this policy at its discretion. In case of amendments, users will be informed appropriately.

Legal risks

Email is a business communication tool and users are obliged to use this tool in a responsible, effective and lawful manner. Although by its nature email seems to be less formal than other written communication, the same laws apply. Therefore, it is important that users are aware of the legal risks of email:

1. If you send emails with any libelous, defamatory, offensive, racist or obscene remarks, you and {COMPANY} can be held liable.

2. If you forward emails with any libelous, defamatory, offensive, racist or obscene remarks, you and {COMPANY} can be held liable.

3. If you unlawfully forward confidential information, you and {COMPANY} can be held liable.

4. If you unlawfully forward or copy messages without permission, you and {COMPANY} can be held liable for copyright infringement.

5. If you send an attachment that contains a virus, you and {COMPANY} can be held liable.

By following the guidelines in this policy, the email user can minimize the legal risks involved in the use of email. If any user disregards the rules set out in this Email Policy, the user shall be fully liable and {COMPANY} will disassociate itself from the user as far as legally possible.

Legal requirements

The following rules are required by law and are to be strictly adhered to:

1. It is strictly prohibited to send or forward emails containing libelous, defamatory, offensive, racist or obscene remarks. If you receive an email of this nature, you must promptly notify your supervisor.

2. Do not forward a message without acquiring permission from the sender first.

3. Do not send unsolicited email messages.

4. Do not forge or attempt to forge email messages.

5. Do not send email messages using another person’s email account.

6. Do not copy a message or attachment belonging to another user without permission of the originator.

7. Do not disguise or attempt to disguise your identity when sending mail.

Best practices

{COMPANY} considers email as an important means of communication and recognizes the importance of proper email content and speedy replies in conveying a professional image and delivering superior customer service. Therefore {COMPANY} wishes users to adhere to the following guidelines:

Writing emails:

1. Write well-structured emails and use short, descriptive subjects for retrieval, sorting, and archive purposes.

2. {Company} email style is informal. This means that sentences can be short and to the point. Use of “bullets” and “Outlines” to quickly convey main points is recommended. You may start your email with ‘Hi’, or ‘Dear’, and/or the name of the person. Messages can be ended with ‘Best Regards’. The use of Internet abbreviations and characters such as “smileys” however, is not encouraged and deemed unprofessional.

3. Emails must include a signature containing your name, job title and company name, followed by the {COMPANY} standard disclaimer (see Disclaimer).

4. Use the spell checker before sending out an email.

5. Do not send unnecessary attachments. Compress attachments larger than 200K before sending them.

6. Don't forward top-10 lists, chain letters, or jokes.

7. Do not write emails in capitals. Write emails as you would a letter.

8. Do not use cc: or bcc: fields unless the cc: or bcc: recipient is aware that you will be copying a mail to them and understands what action, if any, to take.

9. If you forward mails, state clearly what action you expect the recipient to take.

10. Only send emails whose content could be displayed on a public notice board. If they cannot be displayed publicly in their current state, consider rephrasing the email, using other means of communication, or protecting the information with a password (see {COMPANY} Confidential Policy).

11. Only mark emails as “important” and/or “confidential” if they truly are such.

12. Never turn off your antivirus and anti-Adware software.

Receiving emails:

1. Email is the delivery method most commonly used by attackers for viruses, bot (“zombie”) agents, adware and other malware.

2. If you do not know the person sending the email, do not open it.

3. If you know the person but the email appears out of character for that person, call the sender before opening it.

4. If an attachment is not expected, call the sender before opening it.

5. Never open emails or attachments with the following file extensions: exe, com, bat, html, htm, srn, pid, jas, jav, or ActiveX controls.

6. We discourage the use of “Preview Panes” and “Auto Preview” as these may automatically start an email virus or Malware.
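The extension rule above is the kind of check a mail gateway can apply before a message ever reaches a preview pane. The script below is an added example, not part of this policy: it parses a raw message with Python's standard `email` package and reports every attachment whose name carries a blocked extension, catching double extensions such as `Invoice.PDF.exe` and ignoring letter case. The sample message is constructed for the example, and the blocklist is an assumption built only from the unambiguous entries in the policy's list.

```python
"""Screen the attachments of a raw RFC 822 message against a blocklist of
file extensions (example code, not part of the policy)."""
import email
from email import policy
from typing import List, Optional, Tuple

# Unambiguous entries from the policy list; the other entries in that list
# are not guessed at here.  Assumption: extensions are compared lower-case.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "html", "htm"}

# Constructed sample message with three attachments: a clean PDF, a
# double-extension executable, and an HTML file.
SAMPLE_EML = """\
From: supplier@example.com
To: staff@example.org
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.PDF.exe"
Content-Transfer-Encoding: base64

TVo=
--XYZ
Content-Type: text/html; name="offer.htm"
Content-Disposition: attachment; filename="offer.htm"
Content-Transfer-Encoding: base64

PGh0bWw+
--XYZ--
"""


def blocked_extension(filename: str) -> Optional[str]:
    """Return the first blocked extension found in any name component after
    the first dot, so 'invoice.pdf.exe' is caught; None if the name is clean."""
    for ext in filename.lower().split(".")[1:]:
        if ext.strip() in BLOCKED_EXTENSIONS:
            return ext.strip()
    return None


def screen_message(raw: str) -> List[Tuple[str, str]]:
    """Parse a raw message and return (filename, reason) pairs for every
    attachment the policy says must not be opened."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = blocked_extension(name)
        if ext:
            findings.append((name, "blocked extension ." + ext))
        elif not name:
            # A nameless attachment cannot be checked by extension at all.
            findings.append(("<unnamed>", "attachment without a filename"))
    return findings


if __name__ == "__main__":
    for filename, reason in screen_message(SAMPLE_EML):
        print(f"{filename}: {reason}")
```

Extension checks are only a first filter: they do nothing for a macro-laden document or an archive, which is why the policy also asks for the sender to be called when an attachment is unexpected.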

Replying to emails:

1. General emails should be answered the same day they are received, or within 8 working hours.

2. Priority emails should be acknowledged immediately and, if necessary, the acknowledgement should include a commitment time for a detailed response.

3. Priority emails are emails from existing customers, prospective customers, and business partners.

4. If you don't have anything to say, don't reply. For example, if someone sends a note asking if anyone in the company has “the installation disk” and you don’t have it, don’t reply. Replying would waste your time, the recipient's time, and network/computer resources.

5. Don't automatically click Reply All. If someone sends a note addressed to a large group, stop and think before you click Reply All. Maybe you need to take your discussion with the original sender offline. If the whole group doesn't need your input, don't waste their time and inbox space.

6. Time used in checking and replying to emails should be managed and scheduled like any other activity. Don’t become a slave to your email system.

Newsgroups:

Users need to request permission from their supervisor before subscribing to a newsletter, news group, or Usenet.

Maintenance:

1. Delete any email messages that you do not need to have a copy of, and set your email client to automatically empty your ‘deleted items’ on closing.

2. Retained emails are subject to {COMPANY} document retention policy.

Personal Use

Although the {COMPANY} email system is meant for business use, {COMPANY} allows “occasional” personal use of email if the following guidelines are adhered to:

1. Personal use of email must not interfere with work.

2. Personal emails must also adhere to the guidelines in this policy.

3. Personal emails are kept in a separate folder, named ‘Private’. The emails in this folder must be deleted weekly so as not to clog up the system.

4. The forwarding of chain letters, junk mail, jokes and executables is strictly forbidden.

5. On average, users are not allowed to send more than 2 personal emails a day.

6. Do not send mass mailings.

7. All messages distributed via the company’s email system, even personal emails, are {COMPANY} property, meaning that you must have no expectation of privacy.

Confidential information

Avoid sending confidential information by email. If you must, secure the information by placing it in a Microsoft Word or Excel file protected with a password, and give the recipient the password by another channel, for instance by telephone. Note that the password protection of the legacy Word/Excel 97-2003 file formats is weak and easily broken; use the current file format, or an approved encryption tool, for anything sensitive.

Disclaimer

The following disclaimer must be added to each outgoing email:

‘This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the Email administrator. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. Whilst taking reasonable precautions against such, company accepts no liability for any damage caused by any virus transmitted by this email.’

System Monitoring

You must have no expectation of privacy in anything you create, store, send or receive on the company’s computer system. Your emails can be monitored without prior notification if {COMPANY} deems this necessary. If there is evidence that you are not adhering to the guidelines set out in this policy, the {COMPANY} reserves the right to take disciplinary action, including termination and/or legal action.

Email accounts

All email accounts maintained on our email systems are property of {COMPANY}. Passwords must not be given to other people and must be changed according to {COMPANY} security policy. Email accounts not used for 60 days will be deactivated and possibly deleted.


End to computer viruses

An end to computer viruses? Start-up claims it can stop malware

That’s because viruses are copycats, said Liran Tancman, CEO and co-founder of the 10-person software firm Cyactive. Creating new code for each new piece of malware is expensive and impractical – and nearly impossible, he said.

"There has never been a documented attack that has not used at least one recycled component," Tancman, who headed cybersecurity at an elite military intelligence unit in Israel, told FoxNews.com in a phone call. "Hackers modify the original code and then, voilà! A new threat is born."

'We have the ability to see the future and prepare for it.'

- Cyactive CMO Danny Lev

But not everyone is ready to jump on the bandwagon. Claims of a cure for all computer viruses are made all the time, PC Magazine editor Neil Rubenking, a leading cybersecurity expert, told FoxNews.com.

"This claim gets made year after year, again and again," he wrote in an email. He said a similar product called Prevx “created a very nice behavior-analysis tool some years ago.” And Cyactive might even be simpler than that product, he said.

"[Cyactive is] just looking for re-used code from known malware. I'll be interested to see if it holds up in testing by the independent labs. But just looking at the claims, I see nothing new."

But Tancman insists his software is innovative and will hold up to industry standards.

Consider the recent hack of millions of Target customers' credit card numbers, where hackers used a remodeled version of an existing piece of malware called BlackPOS. Tancman claims the attack would have been thwarted before it caused serious damage if Target had been protected by Cyactive.

"When a threat is exposed, we predict that malware's evolution to protect an organization before the black-hat hackers even write it," said Danny Lev, Cyactive’s chief marketing officer. "We have the ability to see the future and prepare for it."

Added Tancman: "You have today a lot of security companies that are trying to build smarter detection systems. We also give you smart rules, but those rules are not learned on the past but they are learned on the future."

Another way that Cyactive is different from other virus-protection companies is that it also protects the "Internet of things,” a term coined by British technologist Kevin Ashton in the ’90s that refers to the growing trend of connecting all of our devices to the Internet. From lightbulbs to refrigerators and toothbrushes, everything is web-connected today -- and therefore at risk of being hacked.

"The detectors that we use are very lightweight," Tancman said, "meaning we are not restricted to one kind of device. Our security can be deployed on normal PCs as well as ... things like refrigerators to turbines and critical devices."

But even Cyactive is not completely safe from hackers, he admitted.

"It will be more difficult for hackers to overcome, but they will," Tancman said. "We continue to ask our smart algorithms to tell us ways in which hackers might fool our own detectors. This is how we maintain an advantage."

"We hope that with our solution crime doesn't pay anymore," Lev said.

Even if you power off your cell phone the U.S. government can turn it back on

The government can't really turn your phone back on. But it can keep the phone from actually turning off.

Even if you power off your cell phone, the U.S. government can turn it back on.

(Jose Pagliery  @ CNN) That's what ex-spy Edward Snowden revealed in last week's interview with NBC's Brian Williams. It sounds like sorcery. Can someone truly bring your phone back to life without touching it?

No. But government spies can get your phone to play dead.

It's a crafty hack. You press the button. The device buzzes. You see the usual power-off animation. The screen goes black. But it'll secretly stay on -- microphone listening and camera recording.

How did they get into your phone in the first place? Here's an explanation by former members of the CIA, Navy SEALs and consultants to the U.S. military's cyber warfare team. They've seen it firsthand.

Government spies can set up their own miniature cell network tower. Your phone automatically connects to it. Now that tower sends a command over the air to the chip that runs your phone's radio: the baseband processor. That tells your phone to fake any shutdown and stay on.

A smart hack won't keep your phone running at 100%, though. Spies could keep your phone on standby and just use the microphone -- or send pings announcing your location.

John Pirc, who did cybersecurity research at the CIA, said these methods -- and others, like physically bugging devices -- let the U.S. hijack and reawaken terrorists' phones.

"The only way you can tell is if your phone feels warm when it's turned off. That means the baseband processor is still running," said Pirc, now chief technology officer of the NSS Labs security research firm.

Recovery mode. Put your phone on what's known as Device Firmware Upgrade (DFU) mode. This bypasses the phone's operating system. Every phone has a different approach for this.

It's fairly easy (albeit cumbersome) for iPhone users. Plug it into a computer with iTunes open. Hold down the Power and Home buttons together for 10 seconds (no less), then let go of the Power button while continuing to hold Home. Wait for an iTunes pop-up. That's it.

For Android users, recovery mode varies by model. Android Magazine has a great tutorial here.

Create a barrier. Use a signal-blocking phone case. You can buy them (Off Pocket, HideCell) or even make your own -- assuming you have the patience to do so.

Pull out the battery. Without a power source, the phone can't come back on. This is the best, most surefire option. It's also, annoyingly, no longer a choice on most top-of-the-line smartphones. The iPhone, HTC One and Nokia Lumia don't have removable batteries. Luckily, the Samsung Galaxy and LG G3 still do.

Silent Circle, a company that enables top-end private communication, kept these issues in mind when it co-created the Blackphone. It has a removable battery. It uses PrivatOS, a stripped-down version of Android that reduces tracking.

And because a spoofed cell tower can target its baseband too, Blackphone's makers are working with chipmaker Nvidia (NVDA) to develop their own custom, more secure baseband chip.

Silent Circle CEO Mike Janke, a former Navy SEAL, said they designed the phone based on revelations that the NSA can find powered off phones and the FBI can tap their microphones.

You probably don't need to fear that the National Security Agency is using this strategy on your phone, Janke said. Those spies are focused on hunting down a specified list of terrorists and foreign fighters. But he noted that the FBI is using these kinds of surveillance tactics in the U.S. for all sorts of crimes. 

Expiring Windows XP support may mean many more Target-sized data breaches

(Jim Hood @ ConsumerAffairs) There's a lot of sound and fury being generated over the Target data breach that may have exposed the credit and debit card data of more than 100 million Americans. But the list of potential villains includes not just the hackers who broke into Target's system but also the millions of consumers, businesses and institutions that are still running Windows XP.

Microsoft is officially ending support for the legendary operating system soon, meaning that it will no longer issue updates to fix security problems.

This is bad news for everyone. Even if you are running the very latest version of Windows, OS X or Linux, it's a near certainty that some of your most personal and valuable data is stored on or passes through systems still running XP.

That's because the relatively light, simple and reliable OS has for years been the first choice for point-of-sale terminals, medical devices and back-office systems of every size and description. These tend to be install-and-forget applications that are easily overlooked as IT people come and go.

Zombie recruits

Google Chromebook -- simple, inexpensive, secure

When Microsoft support ends, all these devices and systems will be even more vulnerable than they are now -- vulnerable not only to data theft but also to being taken over and used as zombie computers that send out malware, infecting other computers and smartphones, possibly including yours.

Don't believe it? Read any story about Windows 8 and scroll down to the comments. You'll find hordes of consumers proudly reporting that they would never think of upgrading their system because they continue to use XP with no problems.

It's sort of like Typhoid Mary. She lived a long and healthy life. Too bad about all those others.

Making matters worse is that the criminal underworld knows this is happening and has already written code to take advantage of it. After all, crime is big business and these days, the Internet is the path of least resistance for criminal enterprises, thanks in no small part to the individuals and businesses that don't take computer security seriously.

What to do

Macbook Pro -- svelte, secure, expensive

What can you do to make sure your computer is not part of the problem? The most obvious answer is, if you're still running Windows XP, it's time to bid it farewell. It is long past its prime and simply is not equipped to handle the security risks that today's Internet presents.

A perfectly acceptable replacement is Windows 7 -- a stable OS that is easy to set up and easy to manage. You can buy Windows 7 for as little as $65 and find instructions for upgrading on Microsoft.com.

Don't want a new version of Windows? Well, if your needs center mostly around email, web surfing and so forth, you can pick up a Google Chromebook for around $200. It's very secure and very easy to use but you can't install programs; you can only run apps through the Chrome browser.

Obviously you could buy a Mac but chances are anyone still running XP is not likely to shell out the bucks required for an Apple product. They are high-end, top-quality and quite secure but a bit on the pricey side.

You could also download a free copy of Linux Mint, an excellent lightweight OS that is secure and easy to use. It's very similar to Windows 7 in appearance and includes a complete package of office software, including word processing and spreadsheet programs.

We have all of these systems running in our office and try to use each of them daily, just to keep up with what's what. (Unfortunately, we also have Windows 8.1, a powerful OS with a horrible interface that is a source of endless frustration.) Any of them will be a perfectly adequate replacement for Windows XP and will upgrade your security to 21st Century levels.

It's not something to put off. Yes, Target and other retailers will be pilloried, sued, boycotted and generally reviled. But anyone using XP or any system that is not kept up to date is a big part of the problem as well.

EyePrints Provides Biometric Smartphone Security

(Mark Huffman Consumer Affairs) It sounds like something out of a James Bond movie but it could be available on your smartphone next year. It's a biometrics application that uses your "eye print" to access sensitive information with your mobile device.

EyeVerify has produced what it calls "the first eyeprint solution" for mobile users to verify their digital identity. It allows them to securely access highly personal information on the Web in the blink of an eye -- literally. The system uses the hardware that is already part of your smartphone, namely the built-in camera.

The camera images the whites of the user's eyes and pattern-matches the unique vein patterns there. If it's a match, the user gains access to the information. If it's not a match, he doesn't.

Just like fingerprints

"Similar to how fingerprints historically were the standard in identifying individuals, EyeVerify is the first and only mobile authentication solution leveraging the uniqueness of eye vein patterns to obtain a person's 'eyeprint,'" said Toby Rush, CEO EyeVerify. "This new method is redefining standards for simple, yet secure authentication for personal or business use leveraging existing mobile devices without requiring additional hardware."

Currently most mobile devices are protected by passwords but Rush says that's no longer effective. He maintains they're not secure, there are too many, and these types of passwords are no longer a viable method for digitally proving we are who we say we are.

Other authentication technologies, such as fingerprint, iris and key-fob tokens, may offer comparable accuracy, but they require additional hardware and expense.

Everything's going mobile

Rush says something else was needed. Mobile devices are increasingly becoming the standard for how we manage our work and personal lives, potentially exposing ourselves to identity theft and fraud.

According to Aberdeen Group, there were $221 billion in identity-related crimes reported in 2011. The average user today manages over 25 online accounts, plaguing consumers with the battle of "password sprawl."

Dr. Arun Ross, Associate Professor at West Virginia University and a leader in biometric research, says that the applications for eyeprint technology are limitless. Eye vein biometrics can potentially be used for applications such as mobile banking, enterprise security and healthcare. And almost everyone has a smartphone with a camera.

EyeVerify's eyeprint technology isn't available just yet. The company says it is currently in beta test on the Apple iOS and Android mobile platforms. It should be available for general release in early 2013.

FBI Drive-By Ransomware Virus Locks Computers Demands Payment Now

New Internet Scam
‘Ransomware’ Locks Computers, Demands Payment

There is a new “drive-by” virus on the Internet, and it often carries a fake message—and fine—purportedly from the FBI.

“We’re getting inundated with complaints,” said Donna Gregory of the Internet Crime Complaint Center (IC3), referring to the virus known as Reveton ransomware, which is designed to extort money from its victims.

Reveton is described as drive-by malware because unlike many viruses—which activate when users open a file or attachment—this one can install itself when users simply click on a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.

The bogus message goes on to say that the user’s Internet address was identified by the FBI or the Department of Justice’s Computer Crime and Intellectual Property Section as having been associated with child pornography sites or other illegal online activity. To unlock their machines, users are required to pay a fine using a prepaid money card service.

“Some people have actually paid the so-called fine,” said the IC3’s Gregory, who oversees a team of cyber crime subject matter experts. (The IC3 was established in 2000 as a partnership between the FBI and the National White Collar Crime Center. It gives victims an easy way to report cyber crimes and provides law enforcement and regulatory agencies with a central referral system for complaints.)

Podcast: Reveton Ransomware

“While browsing the Internet a window popped up with no way to close it,” one Reveton victim recently wrote to the IC3. “The window was labeled FBI and said I was in violation of one of the following: illegal use of downloaded media, under-age porn viewing, or computer-use negligence. It listed fines and penalties for each and directed me to pay $200 via a MoneyPak order. Instructions were given on how to load the card and make the payment. The page said if the demands were not met, criminal charges would be filed and my computer would remain locked on that screen.”

The Reveton virus, used by hackers in conjunction with Citadel malware—a software delivery platform that can disseminate various kinds of computer viruses—first came to the attention of the FBI in 2011. The IC3 issued a warning on its website in May 2012. Since that time, the virus has become more widespread in the United States and internationally. Some variants of Reveton can even turn on computer webcams and display the victim’s picture on the frozen screen.

“We are getting dozens of complaints every day,” Gregory said, noting that there is no easy fix if your computer becomes infected. “Unlike other viruses,” she explained, “Reveton freezes your computer and stops it in its tracks. And the average user will not be able to easily remove the malware.”

The IC3 suggests the following if you become a victim of the Reveton virus:

  • Do not pay any money or provide any personal information.
  • Contact a computer professional to remove Reveton and Citadel from your computer.
  • Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programs.
  • File a complaint and look for updates about the Reveton virus on the IC3 website.

Resources

- New e-scams and warnings
- Computer scams and safety webpage

- The IC3 website
- FBI Cyber Division


FBI Warns That Ransomware Attacks Are Getting More Dangerous And Expensive

In an alert published this week, the U.S. Federal Bureau of Investigation warned that recent ransomware variants have targeted and compromised vulnerable business servers (rather than individual users), multiplying the number of infected servers and devices on a network.

Powerful Ammo For Budget 

This FBI alert is powerful ammo for budget. It explains one more time what ransomware is, how fast it mutates, and that infections are skyrocketing. They explain what the potential losses are -- service disruptions, financial loss, and in some cases, permanent loss of valuable data -- and that it is challenging for the FBI to keep pace. I strongly suggest you send this link to the decision-making team that holds the infosec purse strings:
https://www.ic3.gov/media/2016/160915.aspx 

Knowing that the FBI has only about 800 cyber agents, including just 600 agents who conduct investigations, the agency does not have the ability to address every attack and must triage the most significant ones. You are on your own if the damage is less than a few hundred thousand dollars.

FBI: "Tell Us How Much Ransom You Have Paid" 

The FBI is requesting victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center, at www.IC3.gov, with the following ransomware infection details (as applicable):

  • Date of Infection
  • Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  • Victim Company Information (industry type, business size, etc.)
  • How the Infection Occurred (e-mail, browsing websites, etc.)
  • Requested Ransom Amount
  • Bad Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  • Ransom Amount Paid (if any)
  • Overall Losses Associated with a Ransomware Infection (including the ransom amount)
  • Victim Impact Statement

The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers. 

What To Do About It 

"The FBI recommends users consider implementing the following prevention and continuity measures to lessen the risk of a successful ransomware attack:

  • Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
  • Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
  • Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
  • Only download software – especially no charge software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
  • Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
  • Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
  • Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.

The FBI suggests additional considerations for businesses and note their first bullet where we can help you:

  • Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
  • Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered. This precaution can be made easier through a centralized patch management system.
  • Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; they should operate with standard user accounts at all other times.
  • Configure access controls with least privilege in mind. If a user only needs to read specific files, he or she should not have write access to those files, directories, or shares.
  • Use virtualized environments to execute operating system environments or specific programs.
  • Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and/or network segment as an organization’s e-mail environment.
  • Require user interaction for end user applications communicating with Web sites uncategorized by the network proxy or firewall. Examples include requiring users to type in information or enter a password when the system communicates with an uncategorized Web site.
  • Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy."
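The first two bullets of the FBI list ask for backups whose integrity is verified and that sit where the protected hosts cannot reach them. The script below is an added example, not the FBI's or this blog's code, of what "verify the integrity" means in practice: it hashes every file in a backup tree into a manifest, then re-checks the tree against that manifest and reports what a ransomware run leaves behind (contents overwritten, files deleted, ransom notes or renamed copies added). The sample tree is constructed in a temporary directory for the demonstration.

```python
"""Integrity manifest for a backup tree (example code, not the FBI's)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def verify_backup(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree against a trusted manifest.  Encrypted files show up as
    'modified', deleted ones as 'missing', ransom notes or renamed copies as
    'unexpected'."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Build a constructed backup tree, verify it clean, then simulate what a
    ransomware run leaves behind and verify again."""
    root = Path(tempfile.mkdtemp(prefix="backup-"))
    (root / "finance").mkdir()
    (root / "finance" / "ledger.xlsx").write_bytes(b"constructed spreadsheet bytes")
    (root / "readme.txt").write_bytes(b"constructed readme")

    # The in-memory copy stands in for the trusted manifest.  In production it
    # must live where the backed-up hosts cannot write (offline media or a
    # separate account); an intruder who can encrypt the backup could otherwise
    # rewrite a manifest stored beside it.  The file written here only shows
    # the format.
    manifest = build_manifest(root)
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    clean = verify_backup(root, manifest)

    # Simulated ransomware: contents overwritten, one file gone, a note added.
    (root / "finance" / "ledger.xlsx").write_bytes(b"\x9f\x12encrypted\x00")
    (root / "readme.txt").unlink()
    (root / "HOW_TO_DECRYPT.txt").write_bytes(b"pay up")
    tampered = verify_backup(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a host that only has read access to the backup store, and run it before each new backup generation is allowed to replace the previous one; that is what catches the "persistent synchronization" failure the FBI describes, where continuously synced cloud copies are silently overwritten with encrypted data.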

One thing missing from the FBI list is email server configuration. Users are the weak link in your IT security, and one of the attackers' most successful tactics is a spoofed sender address: when an email appears to come from someone the user knows, or from someone with authority, the chance that they fall for the attack increases dramatically.
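As an added example (not the FBI's or this blog's code) of what server-side configuration contributes here, the evaluator below checks a connecting server's IP address against a domain's SPF record. SPF is one sender-authentication mechanism; the page does not name it, so treating it as the configuration meant above is an assumption. The evaluator is deliberately reduced: the records are constructed and held in a dictionary instead of fetched from DNS, and mechanisms that need DNS resolution (`include`, `a`, `mx`, `exists`, `redirect`) are treated as no-match rather than resolved.

```python
"""Reduced SPF evaluation for ip4/ip6/all mechanisms (example code)."""
import ipaddress
from typing import Dict

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records keyed by domain, standing in for DNS TXT lookups.
SAMPLE_SPF: Dict[str, str] = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "lenient.example": "v=spf1 ip4:198.51.100.7 ~all",
}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Walk the record's mechanisms left to right and return the SPF result
    ('pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror') for the
    sending IP."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record: treat as a hard error
            if ip in network:  # False when the address families differ
                return QUALIFIERS[qualifier]
        # include/a/mx/exists/redirect need DNS; assumption: left as no-match.
    return "neutral"  # ran off the end without an 'all' mechanism


def check_sender(domain: str, sender_ip: str,
                 records: Dict[str, str] = SAMPLE_SPF) -> str:
    """Look up the domain's record in the constructed table and evaluate it."""
    record = records.get(domain)
    if record is None:
        return "none"
    return evaluate_spf(record, sender_ip)


if __name__ == "__main__":
    for domain, ip in [("example.org", "203.0.113.45"),
                       ("example.org", "198.51.100.7"),
                       ("lenient.example", "192.0.2.1")]:
        print(domain, ip, check_sender(domain, ip))
```

Two caveats a gateway owner should keep in mind: SPF is evaluated on the envelope sender (the SMTP MAIL FROM domain), not on the From: header the user sees, so a forged display name or From: header still needs DMARC alignment to be rejected; and a `~all` record only produces a softfail, which most receivers deliver anyway, so publishing `-all` (and enforcing it on inbound mail that claims your own domain) is what actually stops the spoof.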

FCC orders Internet providers to protect consumer privacy


Photo © hultimus

(Jennifer Abel @ ConsumerAffairs) Here's possible good news for Internet users: yesterday the Federal Communications Commission issued an Enforcement Advisory (available in .pdf form here) warning Internet service providers (ISPs) that “broadband providers should take reasonable, good faith steps to protect consumer privacy.”


Of course, the terms “reasonable” and “good-faith” are widely open to interpretation. What does the FCC mean? Basically, since ISPs are being reclassified as “common carriers” next month, similar to telephones in the pre-Internet era, they must respect similar types of privacy protections.

“The Commission has found that absent privacy protections, a broadband provider’s use of personal and proprietary information could be at odds with its customers’ interests,” as the FCC noted in an admirable example of understatement.

Not hypothetical

It's not just a hypothetical problem. In February, for example, AT&T introduced its high-speed GigaPower home Internet service to Kansas City residents (who already had the option of buying high-speed Internet through Google Fiber for $70 per month).

AT&T, by contrast, offered a two-tiered GigaPower price plan: $70 monthly for a standard GigaPower connection, or $99 per month to “opt out” of what AT&T called its “Internet Preferences” program — “Internet Preferences” basically being a euphemism for “tracking and monitoring your online activities”:

When you select AT&T Internet Preferences, we can offer you our best pricing on GigaPower because you let us use your individual Web browsing information, like the search terms you enter and the web pages you visit, to tailor ads and offers to your interests.

How thoughtful of them.

Not that AT&T deserves to be singled out; as early as 2013, Verizon was (among other things) offering select advertisers a then-new service called Precision Marketing that allowed sports clubs and athletic venues to track their smartphone-owning fans' activities before and after a game. When Pizza King, for example, buys ads on the in-game scoreboards, are sports fans more likely to actually visit a Pizza King afterwards? Precision Marketing could let you know!

Vast potential

For modern Americans, the Internet (and any devices connected to it) arguably plays a much bigger role in everyday life than old-fashioned landline telephones ever did — and as a result, the potential privacy violations that arise from monitoring people's online activities are correspondingly greater than what applied to telephones.

For now, as the FCC explains in its Enforcement Advisory, the Commission has not gone so far as to take the specific telephone-based privacy regulations currently in existence and explicitly apply them to ISPs. The FCC does have the option of setting broadband-specific standards later, if necessary — but first, it's giving ISPs the benefit of the doubt and giving them the chance to take “reasonable, good faith steps” toward doing so on their own.

FTC End History Sniffing

(James Limbach ConsumerAffairs) An online advertising company has agreed to settle Federal Trade Commission (FTC) charges that it used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues.

Areas of interest ranged from fertility and incontinence to debt relief and personal bankruptcy.

The settlement order bars Epic Marketplace Inc., from continuing to use history sniffing technology, which allows online operators to “sniff” a browser to see what sites consumers have visited in the past. It also bars future misrepresentations by Epic and requires the company to destroy information that it gathered unlawfully.

“Consumers searching the Internet shouldn’t have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge,” said FTC Chairman Jon Leibowitz. “This type of unscrupulous behavior undermines consumers’ confidence, and we won’t tolerate it.”

Huge online presence

Epic Marketplace is a large advertising network that has a presence on 45,000 Websites. Consumers who visited any of the network’s sites received a cookie, which stored information about their online practices including sites they visited and the ads they viewed. The cookies allowed Epic to serve consumers ads targeted to their interests, a practice known as online behavioral advertising.

In its privacy policy, Epic claimed that it would collect information only about consumers’ visits to sites in its network. However, the FTC accuses Epic of employing history-sniffing technology that allowed it to collect data about sites outside its network that consumers had visited, including sites relating to personal health conditions and finances.

According to the FTC complaint, the history sniffing was deceptive and allowed Epic to determine whether a consumer had visited any of more than 54,000 domains, including pages relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief and personal bankruptcy.

The FTC complaint alleges that depending on which domains a consumer had visited, Epic assigned the consumer an interest segment, including categories such as “Incontinence,” “Arthritis,” “Memory Improvement,” and “Pregnancy-Fertility Getting Pregnant.” Epic used these categories to send consumers targeted ads.

Destruction of data ordered

The consent order bars Epic Marketplace, Inc., and Epic Media Group, LLC from using history sniffing, and requires that they delete and destroy all data collected using it. It also bars misrepresentations about the extent to which they maintain the privacy or confidentiality of data from or about a particular consumer, computer or device, including misrepresenting how that data is collected, used, disclosed or shared.

It further prohibits misrepresentations about the extent to which software code on a Webpage determines whether a user has previously visited a Website.


FTC Says Aaron's stores spied on customers through webcams on rented computers

(Truman Lewis @ ConsumerAffairs) The Aaron’s furniture rental chain has settled a federal complaint that it played a "direct and vital role" in its franchisees’ use of software on rental computers that secretly monitored consumers, taking webcam pictures of them in their homes.


The disclosures came in the settlement of a Federal Trade Commission (FTC) complaint that said Aaron's franchisees surreptitiously tracked consumers’ locations and captured images through the computers’ webcams – including those of adults engaged in intimate activities.

The software also functioned as a keylogger that captured users’ login credentials for email accounts and financial and social media sites, the FTC said.

The FTC charges echo those leveled in a 2011 class-action lawsuit. A similar suit was filed against Rent-A-Center in September 2013.   

“Consumers have a right to rent computers free of cyberspying and to know when and how they are being tracked by a company,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “By enabling their franchisees to use this invasive software, Aaron’s facilitated a violation of many consumers’ privacy.”

Who knew what


The complaint alleges that Aaron’s knew about the privacy-invasive features of the software, but nonetheless allowed its franchisees to access and use the software, known as PC Rental Agent.

In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. In addition, Aaron’s provided franchisees with instructions on how to install and use the software.

The software was the subject of related FTC actions earlier this year against the software manufacturer and several rent-to-own stores, including Aaron’s franchisees, that used it. It included a feature called Detective Mode, which, in addition to monitoring keystrokes, capturing screenshots, and activating the computer’s webcam, also presented deceptive “software registration” screens designed to get computer users to provide personal information.

Under the terms of the proposed consent agreement with the FTC, Aaron’s will be prohibited from using monitoring technology that captures keystrokes or screenshots, or activates the camera or microphone on a consumer’s computer, except to provide technical support requested by the consumer.

Must give notice

In addition, Aaron’s will be required to give clear notice and obtain express consent from consumers at the time of rental in order to install technology that allows location tracking of a rented product. For computer rentals, the company will have to give notice to consumers not only when it initially rents the product, but also at the time the tracking technology is activated, unless the product has been reported by the consumer as lost or stolen. The settlement also prohibits Aaron’s from deceptively gathering consumer information.

The agreement will also prevent Aaron’s from using any information it obtained through improper means in connection with the collection of any debt, money or property as part of a rent-to-own transaction. The company must delete or destroy any information it has improperly collected and transmit in an encrypted format any location or tracking data it collects properly.

Facebook 5 Essential Security Settings

(Kim Komando USA Today) Facebook is a fabulous way to connect with friends and family. Of course, Facebook is also a spectacular way to embarrass yourself. And it happens almost every day.

Users post personal photos and intimate status updates that they think only a few friends will see. Then the posts get broadcast to friends of friends or — worse — everyone.

Anyone can be surprised by an episode of oversharing if they're not paying attention — even Randi Zuckerberg, a former Facebook executive and sister of CEO Mark Zuckerberg. Last month, she posted a family photo intended for friends, but didn't choose the right privacy setting. A friend of another Zuckerberg sister grabbed it and posted it on Twitter.

And Facebook's announcement this week of a new tool called Graph Search – which will let you sift through photos, places and more that have been shared on Facebook – also makes this a really good time to check some of your privacy settings. For now, it's in a very limited beta trial as Facebook develops the product.

Fortunately, Facebook has a new tool to help simplify your privacy settings. In the hustle and bustle of the holidays, you probably also missed it. That's OK; it's easy to find.

When you're logged into Facebook, you'll notice a new lock icon in the top tool bar. Clicking on that brings up the new Privacy Shortcuts menu, where you can manage the Big Three privacy concerns: Who can see my stuff? Who can contact me? How do I stop someone from bothering me?

Without dropping what you're doing and navigating somewhere else, you can quickly block (unfriend) someone, verify that only friends are seeing your posts, filter how you receive messages and control who can send you friend requests.

This dropdown menu also provides a shortcut to your Activity Log, where you can review your past activity. And you can use the new Request and Removal tool to ask friends to take down pictures of you.

The Privacy Shortcuts area is an improvement, but there are other important settings buried away that still need attention. To access these, click on See More Settings in the Privacy Shortcuts menu. (This is the same as clicking on the gear icon next to it and choosing Privacy Settings.)

Under Privacy, check the answer to the all-important "Who can look me up?" You probably don't want that set to Everyone! I recommend Friends at least.

You probably don't want search engines finding your Facebook profile, either. I'd make sure that option is turned off.

If you regularly log in to websites with your Facebook account, you might be surprised by how many apps have access to your profile. Some apps may also have permission to make posts on your behalf. Modify these settings or remove apps you no longer use by going to Apps>>Apps You Use.

The "Apps others use" and "Instant personalization" subheadings also need attention.

You likely allow most of your friends to see your birthday, hometown and other personal data. "Apps others use" controls whether apps that your friends use can also grab that information. I recommend that you uncheck all the boxes.

"Instant personalization" allows information you've made public on Facebook to be used by partner sites, such as TripAdvisor and Yelp, to customize your experience. If your goal is to share less, disable it.

Finally, make a pit stop under the Ads setting. Change "Third Party Sites" and "Ads & Friends" to No One from the two dropdown menus.

If these options are set to "Only my friends," Facebook can pair your name and profile picture with a paid ad and show it to your friends. You don't want that.

Spend a few minutes covering these bases, and you should have a safe and secure 2013 on the No. 1 social network.



Facebook Briefly Killed the Internet

For a few minutes this evening, Facebook was redirecting users visiting dozens of websites — including Mashable — to cryptic error pages.

The reaction online was pretty much what you'd expect, with — as The Next Web noted — hashtags like "Facebookmageddon" and "Facebocalypse" common amongst Twitter users.

So what happened, exactly? There was an issue with the Facebook Connect API that caused sites using that API to redirect their users to a Facebook error page.

For example, if you were visiting Mashable and logged into our site using your Facebook account (and you were also signed into Facebook), you were automatically redirected to a page that looked like this:

Exiting the page or attempting to re-access the original site would lead to another redirect. Back to this:


Sites such as The Huffington Post, Kayak, Hulu, The Daily Dot, Pinterest and hundreds of others were all impacted. The bug lasted less than 10 minutes.

In a statement, Facebook told Mashable: "For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites. The issue was quickly resolved and Login with Facebook is now working as usual."

The bug may have been brief, but it has highlighted just how many important websites use Facebook Connect for user authentication. Over the span of just a few years, Facebook logins have become so pervasive that they are nearly second nature. It also shows that if Facebook has an issue, it can affect more than just its site — it can also impact the hundreds of thousands (millions?) of sites that integrate with Facebook's APIs.

What's interesting is that a user didn't even need to be performing the action for the error — and hijacking — to occur. Instead, simply being logged into both places (and having the accounts linked) was enough to force users off of a third-party website and onto Facebook's error page.


Facebook Improves User Privacy Controls

Backing away from Zuckerberg's dream of a world without privacy—at least for now.

(Jennifer Abel @ ConsumerAffairs) A common complaint which Facebook users have had almost as long as there's been a Facebook is this: its confusing and oft-changing privacy policies make it extremely easy to overshare without realizing it — in other words, you post something you think will be visible only to a small select group of people, only to learn it's visible to anybody with an Internet connection.

That's because Facebook accounts used to default to a public setting — in other words, any post you made was visible to everybody unless you specifically changed your settings to make them private. And for years, Facebook mostly hand-waved away any complaints about its confusing privacy policies.

Indeed, a few years ago Mark Zuckerberg went so far as to call privacy an obsolete value. “When I got started in my dorm room at Harvard, the question a lot of people asked was 'Why would I want to put any information on the Internet at all? Why would I want to have a website?'”

Sharing is noble?

Of course, that idea didn't need long to change, and Zuckerberg seemed to feel that ending privacy altogether was a cause worth working toward:

“People have gotten really comfortable not only sharing more information and different kinds, but more openly and with more people …. That social norm is just something that evolved over time. We view it as our role in the system to constantly be innovating and updating what our system is to reflect what the current social norms are.”

If Facebook's privacy settings were any indication, Zuckerberg seemed to think those “current social norms” included “Sharing more and different information is synonymous with sharing all information” or “Sharing information with more people should entail sharing information with all people” or “When I tell my friends about my wild-n-crazy weekend, I always hope my boss and my super-strict grandmother hear about it, too” and other things which nobody actually believes, which is why pretty much everybody who's not Mark Zuckerberg always hated Facebook's public-default system.

But Facebook is finally paying attention to those complaints. On May 22, Facebook announced that it was changing its default settings, in part because of user complaints: “We've … received the feedback that [Facebook users] are sometimes worried about sharing something by accident, or sharing with the wrong audience.”

Set to "private"

As a result of these changes, new Facebook accounts will automatically be set to “private,” and you'll have to deliberately change the settings to make your posts public. For people already on Facebook, the company will start giving what it calls “privacy checkups” over the next few weeks, especially for people with “public” settings: try making a post and first, a pop-up window will remind you that this post will be publicly visible, and ask if you want to change that.

Regular Facebook users should also expect to see occasional pop-ups offering tutorials about other aspects of Facebook settings.

Facebook users risk identity theft, says famous ex-conman

(Mark Sweney @ guardian) Video: Frank Abagnale explains the dangers of identity theft for Facebook users at Advertising Week Europe.

Frank Abagnale, the man dubbed the world's greatest conman, has issued a stark warning about the dangers of identity theft and children using Facebook.

Abagnale, portrayed by Leonardo DiCaprio in Steven Spielberg's film Catch Me If You Can, said that children in particular need to be made aware of the serious risks of unwittingly revealing information on social networking sites.

He has nearly 40 years experience as a security expert for US law enforcement agencies, having switched sides when he was eventually caught by the FBI after spending half his teenage years on the run as a confidence trickster, imposter, cheque forger and escape artist in the 1960s.

"I'm not on it [Facebook, but] I have no problem with it," he said, addressing the Advertising Week Europe conference in London on Wednesday. "I have three sons on it. I totally understand why people like it. But like every technology you have to teach children, it is an obligation of society to teach them how to use it carefully."

He said having accrued 37 years' work with the FBI he has also become aware of many widely available techniques to gather dangerous amounts of personal data from Facebook.

He gave the example of a creeper virus that allows the tracking of a Facebook user even if their phone is not transmitting.

Another readily available programme, which Abagnale said is owned by Google, uses facial recognition that can match an individual with their personal information on the social networking website "in just seven seconds".

"If you tell me your date of birth and where you're born [on Facebook] I'm 98% [of the way] to stealing your identity," he said. "Never state your date of birth and where you were born [on personal profiles], otherwise you are saying 'come and steal my identity'."

He also advised Facebook users to never choose a passport-style photograph as a profile picture, and instead use group photographs.

Abagnale, who uses a document shredder so he knows that even the FBI cannot reassemble the paper, also warned about the dangers of the seemingly innocuous details given away by users who "like" Facebook postings.

Leonardo DiCaprio as Frank Abagnale Jr in Steven Spielberg's Catch Me If You Can. Photograph: Moviestore Collection/Rex Features

"What [people] say on a Facebook page stays with them," he said. "Every time you say you 'like' or 'don't like' you are telling someone [things like] your sexual orientation, ethnic background, voting record."

He said he has a "tremendous amount of respect" for the UK's privacy laws, which are "way ahead" of the US.

Abagnale said that while it was common to see companies such as Facebook being criticised for privacy issues in the media, it is up to people to take action to keep their data private.

"Your privacy is the only thing you have left," he said. "Don't blame all the other companies – Google, Facebook – you control it. You have to keep control of your own information."

Between the ages of 16 and 21 Abagnale claims to have impersonated airline pilots, a doctor and a lawyer while forging and cashing $2.5m in cheques and employing other confidence scams. However, he has admitted in the past that his co-writer on the book Catch Me If You Can, on which the DiCaprio film was based, "over dramatised and exaggerated" some of his exploits.

The 64-year-old, who said he has voluntarily paid back every penny he gained illegally, added that airline Pan Am estimates he flew more than a million miles for free on 250 aircraft to 26 countries during his teenage crime spree.

He said that counter-intuitively the rise of technology has made it harder, not easier, for law enforcement. "What I did 40 years ago as a teenage boy is 4,000 times easier now," he said. "Technology breeds crime."

He gave the example of creating a fake British Airways cheque which in his time required finding a $1m printing press the size of an auditorium and three operators. He managed this himself with scaffolding.

"Today one simply opens a laptop," he said. "Each time we add technology it makes it a little easier for criminals. I would have thought technology would have made it harder to do what I did."

He also lamented the rise of an iPhone generation of children who have come to rely on technology and have lost the ability to be resourceful in a more traditional way.

"It is unfortunate today that many young children are not resourceful," he said. "If you took a child in London and took their iPhone and took them somewhere else in the country they'd probably not be able to find their way back. That's a shame."

He added that he avoids the trappings of fame – books, a current TV series, a broadway musical and dozens of offers to front shows and make guest appearances – and has perhaps surprisingly not benefited from royalties or fees due to restrictions of his FBI contract.

Abagnale said he had "nothing to do with" the film Catch Me If You Can but was happy Steven Spielberg recreated a relatively realistic version of his life, despite some factual errors. His father, portrayed in the film by Christopher Walken, in fact died while Abagnale was in jail in France aged 21. He did not see him again after he ran away from home after his parents divorced when he was 16.

Despite the glamorous image built up around his past, the 64-year old admitted remorse for his actions.

"I always knew I would get caught. Only a fool would think otherwise. The law sometimes sleeps, it never dies. Some say you were brilliant, a genius, I was neither, I was a child. If I had been brilliant or a genius I wouldn't have needed to break the law just to survive. I've had to live with it the rest of my life".

Abagnale said he has turned down three pardons from three different US presidents.

"I do not believe, nor will ever believe a piece of paper will excuse my actions. Only my actions will."

Facial Recognition Allows Merchants To Watch You While You Shop


NEC has unveiled facial recognition technology for merchants to help them analyze who visits their stores, how often.

When you next shop for that perfect pair of jeans, know that retailers may be harnessing facial recognition technology to determine your age, gender and how regularly you shop at their stores. The data collected will help retailers fine tune their marketing pitches and in-store displays.

Such a service is already being rolled out in Japan via NEC. It runs on the company’s cloud computing technology, which means all a retailer needs is a web-connected computer, a video camera and about $880 a month to pay for it, according to video news website Diginfo TV.

While facial recognition technology is hardly new, the service highlights the transition of the technology from the land of high security and casinos to the shopping mall – and is one more data point showing that all anyone needs is your picture to know everything about you.

 – via Diginfo TV

John Roach is a contributing writer for NBC News Digital. To learn more about him, check out his website. For more of our Future of Technology series, watch the featured video below.



Fake Virus - Alert Let Us Fix Your Computer - Scam

(Mark Huffman @ ConsumerAffairs) You could be completing a purchase, browsing the latest news or checking out your Facebook page when suddenly a message pops up on your computer, warning you've just been infected with a virus.

Yikes! But never fear, the helpful pop-up offers a “c.

Great! But wait a minute, how did they know you've downloaded something nasty?

They don't know, because you haven't. At least, not yet. You might if you fall for their gambit, which is to get you to either buy something you don't need or download a file that will really mess you up for real.

Scareware

It's called “scareware,” for the obvious reason that the people behind the pop-ups are trying to scare you into taking action without thinking it through. According to the Federal Trade Commission (FTC), which has devoted more time to wrestling with this issue in recent months, the “free scan” will invariably find all sorts of problems on your computer that it says can be fixed by paying $40 for special software.

Once you run the software you are told that all your problems have been fixed. Of course, there weren't any to begin with. But in some cases, that software you paid for could be loading all sorts of unwanted files on your computer.

According to Symantec, maker of Norton anti-virus products, the typical scareware pitch will always try to produce panic as a first response. The scammers will take great pains to produce very legitimate looking pop-up “alert” or “update” windows, the kind you might see from a legitimate anti-virus provider. But the tone will be a lot more alarming.

It can go from bad to worse

Besides spending $40 needlessly you've just handed over your credit or debit card information to a criminal enterprise. If the scammers choose to, they can hit your card for bogus charges or clean out your bank account.

In an emerging threat, they may even resort to extortion. The software you download might take over your PC and hold all your files hostage until you make a ransom payment to get control of your computer again.

Microsoft warns that it has seen cases where scareware, once downloaded to a victim's PC, has disabled Windows security updates and even disabled legitimate antivirus software. The company says the rogue software might also attempt to spoof the Microsoft security update process.

Be careful when searching for antivirus software

Rogue security software might also appear in the list of search results when you are searching for trustworthy antispyware software, so it is important to be selective about what software you choose. It should be a brand you are familiar with. If you haven't heard of it, look for online reviews from several different sources.

Who are the scammers behind scareware? Many are offshore, operating in Russia, China or other countries safely outside the jurisdiction of U.S. law enforcement. But every once in a while consumer authorities find domestic scareware operations.

Late last month a federal appeals court handed the FTC a victory when it upheld the $163 million judgment a lower court imposed against Kristy Ross for her role in a scareware operation. In 2008 the FTC charged Ross and six other defendants with running a scareware scheme that defrauded consumers. The other defendants either settled the charges or had default judgments entered against them.

If you have fallen victim to this scam, you may be able to undo the damage to your computer without professional help. Computer experts at Indiana University (IU) say scareware files can piggy-back with browser add-ons, custom social networking media or chat platforms, games, or online advertisements. Fortunately, they tend to be few in number, install themselves in one of a few possible hidden locations, and can be deleted easily once you're able to access and modify the file system.

Favorite Hacked Passwords 123456 AND Your Birthday

Recently a niche programming-oriented website called phpbb.com had its user database hacked into and the passwords for 20,000 members stolen. The hacker who broke in then posted the account info and passwords online for the world to see. And while this is really bad news for those 20,000 unlucky souls, it offers an instructive lesson on password security for the rest of us.

InformationWeek analyzed the hacked password list and found a number of interesting trends in the data, primarily revolving around the fact that most people do exactly what they've been told not to do since passwords were first invented.

Author/analyst Robert Graham has tons of analysis on offer. I'm ordering my favorite/most enlightening data points from the piece here, starting with the most interesting. One thing to remember: these passwords are from a group of people interested in computer programming, so if anyone should know better, it's these guys.

> The most popular password (3.03% of the 20,000) was "123456." It's also generally considered the most common password used today.

> 4 percent used some variant of the word "password." Seriously, people, there's no excuse for this one. "password" was the 2nd most popular password used, also in keeping with historical trends.

> 16 percent of passwords were a person's first name. No word on if it was their first name, but someone's. Joshua is the most commonly used first-name password, a likely reference to the movie WarGames.

> Patterns abound. In addition to "123456," other patterns like "12345," "qwerty," and "abc123" were common, comprising 14 percent of the passwords used.

> 35 percent of passwords were six characters long. 0.34 percent were only one character long.

> For reasons no one can explain, "dragon," "master," and "killer" all crack the top 20 passwords. (On the top 500 password list linked above, "dragon" is #7.)

> One thing Graham doesn't discuss is that phpbb.com is really just a message board, and many users may simply have not cared about the security of their passwords here (unlike, say, with a bank account). In other words, they may very well have intentionally chosen something simplistic here to avoid re-using a password they save for an important login, just in case this site got hacked. Which, it turns out, it did.

I could go on, but Graham's post has way more detail than I can digest here and it's easy-reading too. Worth a close look for any citizen of the web.
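The statistics quoted above (share of the single most common password, "password" variants, first names, keyboard and sequence patterns, length distribution) are the kind of audit a defender can run over their own user base's cracked or recovered passwords. The script below is an added example, not part of the article or of Graham's analysis; the password list, the first-name set and the pattern set are constructed stand-ins for the full dictionaries a real audit would use.

```python
"""Password-list audit in the spirit of the phpbb.com analysis above.

Added example: the sample list and the small dictionaries are constructed
for illustration and are not data from the article.
"""
from collections import Counter

# Constructed sample showing the habits the article describes.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "Password1", "passw0rd",
    "joshua", "michael", "jennifer", "qwerty", "abc123", "12345",
    "dragon", "master", "killer", "a", "letmein", "sunshine", "x7Gq!pL2",
    "Tr0ub4dor&3",
]

# Stand-in dictionaries; a real audit would load full name and pattern lists.
FIRST_NAMES = {"joshua", "michael", "jennifer", "david", "sarah"}
KEYBOARD_PATTERNS = {"qwerty", "asdfgh", "zxcvbn", "abc123", "qwertyuiop"}


def is_sequence(pw: str) -> bool:
    """True for runs of consecutive characters such as 12345 or abcdef."""
    if len(pw) < 4:
        return False
    return all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))


def is_password_variant(pw: str) -> bool:
    """Catches 'password', 'Password1', 'passw0rd' and similar leetspeak."""
    normalized = pw.lower().translate(str.maketrans("0@4$", "oaas"))
    return "password" in normalized


def is_pattern(pw: str) -> bool:
    """Keyboard walks and sequences; note this counts 123456 itself too."""
    lowered = pw.lower()
    return lowered in KEYBOARD_PATTERNS or is_sequence(lowered)


def analyze(passwords):
    """Return the kinds of statistics the article quotes, as fractions of the list."""
    n = len(passwords)
    counts = Counter(passwords)
    top, top_count = counts.most_common(1)[0]
    lengths = Counter(len(p) for p in passwords)
    return {
        "total": n,
        "most_common": top,
        "most_common_share": top_count / n,
        "password_variant_share": sum(is_password_variant(p) for p in passwords) / n,
        "first_name_share": sum(p.lower() in FIRST_NAMES for p in passwords) / n,
        "pattern_share": sum(is_pattern(p) for p in passwords) / n,
        "length_distribution": dict(sorted(lengths.items())),
        "top_5": [pw for pw, _ in counts.most_common(5)],
    }


def weak_entries(passwords, min_length=8):
    """Flag entries a simple policy would reject, with the reason for each.

    Useful when deciding which accounts need a forced reset after a breach.
    """
    flagged = []
    for pw in passwords:
        reasons = []
        if len(pw) < min_length:
            reasons.append("too short")
        if is_password_variant(pw):
            reasons.append("'password' variant")
        if pw.lower() in FIRST_NAMES:
            reasons.append("first name")
        if is_pattern(pw):
            reasons.append("keyboard/sequence pattern")
        if reasons:
            flagged.append((pw, reasons))
    return flagged


if __name__ == "__main__":
    stats = analyze(SAMPLE_PASSWORDS)
    for key, value in stats.items():
        print(f"{key}: {value}")
    print("weak entries:", len(weak_entries(SAMPLE_PASSWORDS)), "of", stats["total"])
```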

Federal Law To Protect Children Unwittingly Exposes Them On Facebook

(SOMINI SENGUPTA NY Times) A federal law intended to protect children’s privacy may unwittingly lead them to reveal too much on Facebook, a provocative new academic study shows, in the latest example of how difficult it is to regulate the digital lives of minors.

Facebook prohibits children under 13 from signing up for an account, because of the Children’s Online Privacy Protection Act, or Coppa, which requires Web companies to obtain parental consent before collecting personal data on children under 13. To get around the ban, children often lie about their ages. Parents sometimes help them lie, and to keep an eye on what they post, they become their Facebook friends. This year, Consumer Reports estimated that Facebook had more than five million children under age 13.

That relatively innocuous family secret that allows a preteen to get on Facebook can have potentially serious consequences, including some for the child’s peers who do not lie. The study, conducted by computer scientists at the Polytechnic Institute of New York University, finds that in a given high school, a small portion of students who lie about their age to get a Facebook account can help a complete stranger collect sensitive information about a majority of their fellow students.

In other words, children who deceive can endanger the privacy of those who don’t.

The latest research is part of a growing body of work that highlights the paradox of enforcing children’s privacy by law. For instance, a study jointly written this year by academics at three universities and Microsoft Research found that even though parents were concerned about their children’s digital footprints, they had helped them circumvent Facebook’s terms of service by entering a false date of birth. Many parents seemed to be unaware of Facebook’s minimum age requirement; they thought it was a recommendation, akin to a PG-13 movie rating.

“Our findings show that parents are indeed concerned about privacy and online safety issues, but they also show that they may not understand the risks that children face or how their data are used,” that paper concluded.

Facebook has long said that it is difficult to ferret out every deceptive teenager and points to its extra precautions for minors. For children ages 13 to 18, only their Facebook friends can see their posts, including photos.

That system, though, is compromised if a child lies about her age when she signs up for Facebook – and thus becomes an adult much sooner on the social network than in real life, according to the experiment by N.Y.U. researchers.

The key to the experiment, explained Keith W. Ross, a computer science professor at N.Y.U. and one of the authors of the study, was to first find known current students at a particular high school. A child could be found, for instance, if she was 10 years old and said she was 13 to sign up for Facebook. Five years later, that same child would show up as 18 years old – an adult, in the eyes of Facebook — when in fact she was only 15. At that point, a stranger could also see a list of her friends.

The researchers conducted their experiment at three high schools. They were able to construct the Facebook identities of most of the schools’ current students, including their names, genders and profile pictures.

The researchers identified neither the schools nor any of the students. Their paper is awaiting publication.

Using a publicly available database of registered voters, someone could also match the children’s last names with their parents’ — and potentially, their home addresses, Professor Ross pointed out.

The Coppa law, he argued, seemed to serve as an incentive for children to lie, but made it no less difficult to verify their real age.

“In a Coppa-less world, most kids would be honest about their age when creating accounts. They would then be treated as minors until they’re actually 18,” he said. “We show that in a Coppa-less world, the attacker finds far fewer students, and for the students he finds, the profiles have very little information.”

How children behave online is one of the most vexing issues for parents, to say nothing of regulators and lawmakers who say they wish to protect children from the data they scatter online.

Independent surveys suggest that parents are worried about how their children’s social network posts can harm them in the future. A Pew Internet Center study released this month showed that most parents were not just concerned, but many were actively trying to help their children manage the privacy of their digital data. Over half of all parents said they had talked to their children about something they posted.

Teenagers seem to be vigilant, in their own way, about controlling who sees what on the pages of Facebook.

A separate study by the Family Online Safety Institute that was released in November found that four out of five teenagers had adjusted privacy settings on their social networking accounts, including Facebook, while two-thirds had placed restrictions on who could see which of their posts.


Federal Trade Commission Asked To Shut Down $70 Million Cramming Operation

The Federal Trade Commission (FTC) wants to shut down an operation that allegedly placed more than $70 million in bogus charges on consumers’ phone bills -- charges for services the consumers never ordered, did not authorize and often did not know they had.

In addition, the agency has asked a U.S. district court to freeze the operation's assets while the case moves forward.

Cramming crackdown

As part of a continuing crackdown on fraud and deception, the FTC filed a complaint against American eVoice, Ltd., eight other companies, Steven Sann, and three other people for "cramming" unauthorized charges onto consumers’ phone bills.

The complaint also alleges that the Missoula, Montana-area defendants transferred the proceeds from their illegal cramming operation to a purported non-profit, Bibliologic, Ltd., controlled by Steven Sann.

Hundreds of consumers complained that charges from $9.95 to $24.95 per month suddenly appeared on their phone bills without their authorization. The FTC claims defendants told phone companies and third party “billing aggregators” that the consumers had authorized the charges by filling out forms on the internet. Since January 2008, according to the complaint, the defendants have billed consumers for more than $70 million.

Additional charges

The FTC alleged that the defendants violated the Federal Trade Commission Act by:

  • unfairly billing consumers for services they did not authorize; and
  • deceptively representing that consumers were obligated to pay for the services.

The FTC also alleged that defendants channeled their illegal proceeds to Bibliologic, and that the purported non-profit organization has no right to the funds and must disgorge them to the FTC.

The complaint names as defendants Steven Sann; Terry Lane (aka Terry Sann); Nathan Sann; Robert Braach; American eVoice, Ltd.; Emerica Media Corp.; FoneRight, Inc.; Global Voice Mail, Ltd.; HearYou2, Inc.; Network Assurance, Inc.; SecuratDat, Inc.; Techmax Solutions, Inc.; and Voice Mail Professionals, Inc. The complaint also names Bibliologic, Ltd. as a relief defendant.


Feds mobilize industry for war on robocalls

(Mark Huffman @ ConsumerAffairs) The Federal Communications Commission (FCC) is preparing to wage war on robocalls and is trying to mobilize the technology industry to join the cause.

The FCC held a meeting with 30 of the industry's major players to talk about ways to hang up on these machine-generated calls, which are closely associated with scams, or products and services of dubious value.

You may be familiar with these calls. A recorded voice might congratulate you on winning a free cruise or tell you your business qualifies for a $250,000 loan. Or, the voice may claim to be calling from the IRS, warning you of impending jail time if you don't pay back taxes immediately – as in right now, over the phone, with a prepaid money card.

Biggest source of consumer complaints

The meeting was intended as a brainstorming session in hopes that Google, Apple, AT&T, and Verizon could find ways to limit or prevent these calls, which FCC Chairman Tom Wheeler calls “a scourge” and the biggest source of consumer complaints.

“They are an invasion of privacy, and this scourge is rife with fraud and identity theft,” Wheeler told the group. “The problem is that the bad guys are beating the good guys with technology right now.”

Wheeler says scammers outside the U.S. can use Voice over Internet Protocol (VoIP) to mislead voice networks. The bad guys have the ability to spoof a legitimate phone number that easily fools most caller ID programs.

FCC Commissioner Ajit Pai pointed out that there have already been some productive accomplishments in this area. He points to a 2013 competition among developers that resulted in Nomorobo, an app that he says has already stopped more than 126 million robocalls.

“We know there is a problem,” said FCC Commissioner Mignon Clyburn. “We know how much consumers dislike these calls. We know the public is frustrated, because they assumed that after they registered for the Do Not Call list, this would stop. It did not, so now it is time to take some real action.”

Previous action

The FCC has already taken some action. A year ago it adopted a proposal making clear that consumers have the right to control the calls they receive on both landline and wireless phones. That move also gave providers permission to implement robocall-blocking technologies.

Wheeler says the government needs tech firms to take it from here, noting that scammers are using technology to stay well ahead of regulators.

“It’s not as if good guys [are] standing idly by,” Wheeler said. “But we need more urgency.”

The tech firms attending the meeting apparently got the message. Reuters reports most have signed on to become part of a robocall strike force that will report back to the FCC in October on what it has come up with.

Feds outline new privacy rules for internet providers

(Mark Huffman @ ConsumerAffairs) Federal Communications Commission (FCC) Chairman Tom Wheeler has issued a proposal for new privacy rules governing broadband internet service providers (ISP), the companies that connect you to the internet.

Wheeler says the rules give consumers the tools they need to control how ISPs use their data, such as what sites they visit online.

Under the proposal, for example, an ISP would have to notify customers about what types of information it collects about them. It would have to specify how and for what purposes it uses and shares the data, including identifying the types of entities with whom it is sharing the information.

Positive reaction

Consumer Watchdog welcomed the proposal, saying it would give consumers much-needed control over how their personal information is used.

"Internet Service Providers like Comcast, Time Warner Cable, Verizon and Frontier Communications have a unique window into our online lives because they connect us to the Internet,” said John Simpson, Consumer Watchdog's Privacy Project Director. “ISPs must not be able to use the vast amount of information that they can get about our online lives simply because they provide the connection for any other purpose without our explicit permission."

Free Press Policy Counsel Gaurav Laroia also praised Wheeler's proposal, calling it a signal that the FCC is on track towards restoring consumers' privacy rights.

“The FCC’s proposal follows the law, and stems from the agency’s rightful decision to treat broadband as a common-carrier service,” Laroia said. “The companies that carry all of our speech online and bring us to every destination on the internet have no business profiting from all the information they gather without our consent.”

But there are limitations

But Laroia said it is important to remember that the proposed rule would not ban marketing, it just gives internet users the ability to control how their information is used.

The Electronic Privacy Information Center (EPIC) says the rule should have gone farther. In a statement, the group said an earlier proposal would have provided more safeguards.

“The original proposal offered privacy protections for all consumer data,” the group said. “ISPs will also be permitted to charge higher prices for basic privacy protections, subject to FCC review.”

The full Commission will take up the proposal at its meeting later this month.

Find Out Who is Tracking You On The Web

Ghostery is a browser add-on available for Chrome, Firefox, IE, Opera, and Safari. With it, you can detect when your browsing is being tracked. It will then show you who's tracking you, along with information about the company. You can then choose to block the service or choose other options moving forward.

Detect: Ghostery™ sees the invisible web - tags, web bugs, pixels and beacons. Ghostery tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity.

Learn: After showing you who's tracking you, Ghostery™ also gives you a chance to learn more about each company it identifies. How they describe themselves, a link to their privacy policies, and a sampling of pages where we've found them are just a click away.

Control: Ghostery™ allows you to block scripts from companies that you don't trust, delete local shared objects, and even block images and iframes. Ghostery puts your web privacy back in your hands.
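To make the "detect" step concrete, here is an added Python example (not Ghostery's code) that does the same job in a stripped-down way: it walks a page's HTML and reports every script, iframe and image loaded from a site other than the page's own, and singles out 1x1 third-party images as web bugs. The sample page and all host names in it are constructed for the demonstration, and the domain-matching helper is a deliberately naive stand-in for the Public Suffix List that real blockers use.

```python
"""Enumerate third-party scripts, iframes and tracking pixels in page HTML.

Added example of what a tracker blocker inspects; the page and the host
names in it are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable(host):
    """Naive eTLD+1 (last two labels). Real tools consult the Public Suffix
    List so that e.g. 'example.co.uk' is handled; this example omits that."""
    return ".".join(host.lower().split(".")[-2:])


class TrackerScan(HTMLParser):
    """Record every script/iframe/img whose host is not the page's own site."""

    def __init__(self, page_url):
        super().__init__()
        self.site = registrable(urlparse(page_url).hostname or "")
        self.findings = []  # (kind, host) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag not in ("script", "iframe", "img") or not src:
            return
        host = urlparse(src).hostname  # also handles scheme-relative //host/path
        if not host or registrable(host) == self.site:
            return  # relative URL or first-party asset: not a tracker
        kind = tag
        # A 1x1 (or 0x0) third-party image carries no content; it is a beacon.
        if tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            kind = "pixel"
        self.findings.append((kind, host))


def scan(html, page_url):
    """Return sorted, de-duplicated (kind, host) pairs for third-party loads."""
    parser = TrackerScan(page_url)
    parser.feed(html)
    return sorted(set(parser.findings))


# Constructed page: two first-party assets plus three third-party loads.
SAMPLE_HTML = """
<html><head>
  <script src="/js/app.js"></script>
  <script src="https://cdn.analytics.example/tag.js" async></script>
</head><body>
  <img src="https://static.example.com/logo.png" width="200" height="60">
  <iframe src="//ads.example.net/frame?slot=top" width="728" height="90"></iframe>
  <img src="https://pixel.tracker.example/b.gif?uid=123" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for kind, host in scan(SAMPLE_HTML, "https://news.example.com/article"):
        print(f"{kind:7} {host}")
```

Run against the constructed page the scan reports the analytics script, the ad iframe and the tracking pixel, and ignores the first-party script and logo. A real extension additionally matches the hosts against a maintained list of known tracker companies and watches requests made at runtime, not just the static markup.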

Find out who's searching for you on the Internet?

If you've spent more than five minutes online, you've probably seen an ad that promises "find out who's searching for you." It sounds like a scam, but is it possible? Can someone find out if you've been looking at their Facebook or LinkedIn profile? Can you tell if someone's unfriended you? And can you see what searches have been performed with your name?

First the warning: there are scams aplenty promising to show you who is "stalking" your Facebook page. I put in a call to Facebook and spoke with their technical folks; the truth is, NO ONE can see who's been on your Facebook page. There are no features buried in the Facebook settings with that data. There are no apps that can unearth that info. Facebook says it is one of the most common scam come-ons on the site. Don't fall for it; you cannot see who's looking at your profile (and no one can see if you've been looking at theirs).

BUT there are apps and tools to see who's unfriended you. Facebook tries to squelch these apps, but I found a couple — one that you download to your computer called UnFriend Finder and one for Android called Friends Checker. Sign in, and they store a list of your friends.  Then every time you check back, it tells you who's no longer on the list.  UnFriend Finder also reminds you of friend requests you've made that haven't been answered. For Twitter, Qwitter does the same thing, telling you who's unfollowed you each week.


Five Disturbing Lessons Learned From Social Media

(Kim Komando) From Facebook's never-ending privacy changes to a whole new crop of troubling social media sites and apps, there was no shortage of controversy in 2013.

Here are some hard lessons social media taught us this year - and what you can do to protect yourself in 2014 and beyond.

1. Don't count on Facebook for privacy
Social media is great when it helps keep you connected to friends and family. But it's not so great when it invades your privacy or makes you the target of advertisers.

This year, Facebook made it clear that when you post something on the site, you are giving Facebook permission to use your name and image in ads. There's no opt-out option, either. Click here to stop Facebook from using you in ads anyway.

Facebook also changed its privacy settings for teens. It now allows minors to post public status updates, pictures and videos. Previously, only friends and friends-of-friends could see content posted by minors.

And let's not forget about Facebook's powerful new Graph Search feature. It lets friends pull up old posts you might wish you hadn't shared. I show you how to use this feature and still protect your privacy in this tip.

2. Google can use your face and name in ads
Facebook wasn't the only one making money with your information this year. Earlier this year, Google announced it would be including users' faces, names and comments in ads.

So, if you've ever left a comment or review on Google+, or other Google services like YouTube or Google Play, your face and name could end up in an ad. Click here to stop Google from using you in ads.

3. Twitter is tracking you
Twitter jumped on the ad-tracking bandwagon this year, too. It can follow users from site to site in order to sell their information to advertisers.

The worst part is that the service can track you even when you're not using Twitter. Find out how to stop Twitter from tracking your surfing in this tip.

4. Teens are using troubling new social media
Kids are always looking for the next big thing in social media. But with new social networks cropping up all the time, it can be hard for adults to keep up with what's popular. Even worse, these new social sites aren't always safe.

Messaging apps like Snapchat and Kik, for example, became wildly popular with teens this year. Unfortunately for parents, these apps have been associated with sexting and cyberbullying. Click here for 10 social networks you didn't know kids are using - and how to keep them safe.

5. What you post matters
A Florida high school teacher lost her job earlier this year after racy photos of her were discovered online. It's just one example of how social media can make or break your reputation - and even cost you your job.

A new Jobvite survey found that recruiters are placing increasing emphasis on candidates' social media profiles. A whopping 93 percent of recruiters acknowledged reviewing social profiles as part of the screening process!

And a Kaplan Test Prep survey found that colleges are increasingly using Facebook and Twitter to recruit - and sometimes screen out - new students.

It only takes one careless post to do serious damage to your reputation. Locking down your Facebook profile and learning how to manage your online reputation can help. Even better, don't post anything that can come back to haunt you!

Five Phishing Attacks Targeting Executives

Twice a year, KnowBe4 publishes the Top 5 spear-phishing attacks that are used to lure executives into clicking on links or opening infected attachments. We recommend sending this list to your executives to give them a heads-up.

The bad guys do not discriminate: they attack businesses, but also governments, non-profits and even churches. They are using increasingly sophisticated spear-phishing scams against executives with access to corporate financial accounts and other high-level proprietary information. Some organizations are under constant, 24-hour attack by foreign hackers that are after their intellectual property; this is known as an Advanced Persistent Threat (APT).

These hackers do their research and spend time customizing their spear-phishing emails; as a result, many recipients are fooled by the level of detail and authentic-looking messages and websites.

Here are the most recent spear-phishing attacks currently making the rounds nationwide, which pose a significant threat to your data and financial security. Note that some of these attacks have been used for years, because they continue to work on uninformed people.

Number 5
The Better Business Bureau Complaint – In this scam, executives will receive an official-looking email that is spoofed to make it appear as if it comes from the Better Business Bureau. The message either details a complaint that a customer has supposedly filed, or claims that the company has been accused of engaging in identity theft. A complaint ID number is provided, and the recipient is asked to click on a link if they wish to contest or respond to the claim. Once the link is clicked, malware is downloaded to the system.

Number 4
The Smartphone 'Security App' – This is a 2-step attack. With minimal research cybercriminals can find the name and email addresses of a company’s CFO and social engineer them to click a link. That link infects the PC of the CFO with a keylogger. This way the hacker obtains bank account data and passwords. In case the bank uses two-factor authentication, the attacker spoofs an email from the bank asking the CFO to install a smartphone security app, which is actually malware giving them access to the phone. And with that, the cybercriminals have full access to the CFO’s bank account login credentials and at the same time control any two-factor text messages sent to or from the CFO authorizing money transfers.

Number 3
The Watering Hole Attack – Hackers do their research on a targeted executive, and find out which websites the executive frequents, sometimes to discuss industry related topics with their peers, or perhaps a hobby site the hackers learned about through the exec's social media postings. Next, the bad guys compromise that website, and inject a zero-day exploit onto public pages of the website that they hope will be visited by their targeted executive. Once the exec does, their PC is infected with a keylogger and the network penetrated.

Number 2
Free Dinner in Return for Feedback – By reviewing an executive’s social media profiles, cybercriminals are able to determine what charities that individual supports or does business with, as well as his or her favorite local restaurants. The scammer will then spoof an email from a representative of that charity, asking the exec to download a Word doc that supposedly contains details on an upcoming campaign or event, and promises free dinner at their favorite restaurant as an incentive for providing feedback. When the Word doc is downloaded, the user's password is stolen, giving hackers direct access to the network. Here is a short video of Kevin Mitnick showing how this type of exploit works. Take these two minutes; it's worth seeing: http://www.knowbe4.com/video-mitnick/

Number 1
'We're Being Sued' – In this scenario, attackers dig up the email addresses of a company’s executives and also their legal counsel (in-house or external). They will then spoof an email from the legal counsel to the executive team, and attach a PDF that claims to contain information about new or pending litigation. When the recipients download and open the attachment, their system becomes infected and the entire network is compromised.

While savvy Internet users realize they should not click links or download attachments from unknown senders, spoofed emails and official-looking websites trick recipients into letting their guard down. When executives receive a time-sensitive email that appears to be sent by the Better Business Bureau, a fellow exec, their legal counsel or an organization they support, most won’t think twice before clicking because they trust the person they believe is the sender. That’s what cybercriminals are counting on, and why they’re willing to invest the time to create realistic-looking messages from familiar sources. They’ve discovered just how effective these types of spear-phishing scams can be.
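Every lure above leans on the same few tells: a sender that only looks like the legal counsel or the Better Business Bureau, a reply path that quietly points elsewhere, a message that fails the sender's own SPF/DKIM/DMARC checks, urgency in the subject, and a document or PDF as the payload. As an added example (not KnowBe4's code and not from the original article), the following Python script pulls exactly those signals out of a raw message using only the standard library. The allow-list of known domains, the urgency word list and both sample messages are constructed assumptions for the demonstration; the lookalike check uses a plain edit-similarity ratio, which is a stand-in for the confusable-character tables a production filter would use.

```python
"""Header-and-attachment triage for a suspected spear-phishing e-mail.

Added example; the allow-list, keyword list and both sample messages are
constructed for the demonstration, not taken from a real incident.
"""
import difflib
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical allow-list: domains this organisation really corresponds with.
KNOWN_DOMAINS = {"example.com", "example-law.com", "bbb.org"}
# Attachment types that commonly carry the payload in the lures above.
RISKY_EXTENSIONS = (".pdf", ".doc", ".docx", ".docm", ".xlsm", ".zip", ".js", ".exe")
URGENCY = re.compile(r"\b(lawsuit|litigation|complaint|sued|immediately|urgent)\b", re.I)


def domain_of(addr):
    """'jdoe@Example.com' -> 'example.com'; '' when there is no @."""
    return addr.rpartition("@")[2].lower()


def lookalike(domain):
    """Return the known domain that `domain` imitates (close but not equal), else None."""
    if not domain:
        return None
    best = max(KNOWN_DOMAINS, key=lambda k: difflib.SequenceMatcher(None, domain, k).ratio())
    ratio = difflib.SequenceMatcher(None, domain, best).ratio()
    return best if domain != best and ratio >= 0.8 else None


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def triage(raw):
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, sender = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(sender)

    imitated = lookalike(from_dom)
    if imitated:
        findings.append(f"lookalike sender domain {from_dom} (resembles {imitated})")
    # Replies and bounces going somewhere other than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        _, other = parseaddr(str(msg.get(hdr, "")))
        if other and domain_of(other) != from_dom:
            findings.append(f"{hdr} domain {domain_of(other)} differs from From domain {from_dom}")
    for method, verdict in sorted(auth_results(msg).items()):
        if verdict != "pass":
            findings.append(f"{method} {verdict}")
    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("urgency language in subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    return findings


def sample_message(spoofed):
    """Constructed 'we're being sued' lure (spoofed=True) or a benign mail from real counsel."""
    msg = EmailMessage()
    if spoofed:
        msg["From"] = "Jane Doe <jdoe@examp1e-law.com>"  # digit '1' in place of 'l'
        msg["Reply-To"] = "jdoe.counsel@webmail.example"
        msg["Return-Path"] = "<bounce@mailer-cheap.example>"
        msg["Subject"] = "URGENT: pending litigation - review attached notice immediately"
        msg["Authentication-Results"] = ("mx.example.com; spf=fail smtp.mailfrom=mailer-cheap.example; "
                                         "dkim=none; dmarc=fail header.from=examp1e-law.com")
        msg.set_content("Please review the attached notice before tomorrow's filing deadline.")
        msg.add_attachment(b"%PDF-1.4 constructed placeholder, not a real document",
                           maintype="application", subtype="pdf", filename="litigation_notice.pdf")
    else:
        msg["From"] = "Jane Doe <jdoe@example-law.com>"
        msg["Return-Path"] = "<jdoe@example-law.com>"
        msg["Subject"] = "Q3 retainer invoice"
        msg["Authentication-Results"] = ("mx.example.com; spf=pass smtp.mailfrom=example-law.com; "
                                         "dkim=pass header.d=example-law.com; dmarc=pass header.from=example-law.com")
        msg.set_content("Invoice to follow by post.")
    msg["To"] = "ceo@example.com"
    return msg.as_string()


if __name__ == "__main__":
    for spoofed in (True, False):
        print("spoofed" if spoofed else "benign", triage(sample_message(spoofed)) or ["no findings"])
```

The spoofed sample trips every check (lookalike domain, two mismatched reply paths, three failed authentication verdicts, urgency wording and a PDF), while the benign one from the real counsel domain produces no findings. None of these signals is proof on its own; the point is that a message scoring on several of them deserves a phone call to the supposed sender before anyone opens the attachment.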

Stepping execs through high-quality security awareness training is a must these days:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/

Five signs your identity may have been stolen

(Mark Huffman @ ConsumerAffairs) Reacting quickly may lessen the damage! In a recent report the U.S. Federal Trade Commission (FTC) noted that identity theft continues to be the top generator of consumer complaints. In 2012, the agency received more than 369,000 reports of stolen identity.

Of those, more than 43 percent were related to tax or wage fraud. Unlike in a burglary or armed robbery, the victim isn't usually aware of the crime right away. The longer it goes undetected, the harder it is to recover.

Here are the top five signs that your identity has been hijacked:

Unexplained bank withdrawals

Sometimes identity theft takes the form of someone stealing your bank account information. If you fall for an Internet scam and provide your bank account information to what you believe to be a legitimate business, the person with that information can gain access to your bank account and take all the money in it.

Sometimes they make a very small withdrawal at first, just to make sure the account is still active. That's why it's important to look at monthly statements. Even better, if you have online account access, look at your account every day or two.

Missing tax refund

The Internal Revenue Service (IRS) in recent years has wrestled with the growing problem of identity theft. In these cases, a scammer gets access to someone's Social Security number.

They create a phony W-2 form and then file a federal income tax return showing a large tax refund. They use your name but a different address, so that the refund check comes to them.

When you get around filing your real income tax return, the IRS kicks it back since it has already processed a return linked to your Social Security Number. That's why you should file your return as quickly as possible, before a scammer has a chance to use your identity for a phony return.

Your phone starts ringing

In the most dangerous form of identity theft, the scammer uses your name and social security number to open charge accounts, get credit cards, even buy cars or take out mortgages. They naturally have no intention of paying.

Once the accounts go into default, debt collectors will finally track you down and start calling. You, of course, won't know what they're talking about. It can take years to straighten out. That's why it is very important to safeguard your personal information.

Mysterious health conditions

You might be the picture of good health but suddenly you find medical providers are billing you for a variety of services you've never used. Your health plan might reject your legitimate claim because their records show you've reached your benefits limit.

You might even find that a new health plan you're applying for won't accept you because they show you with a condition you don't have. All of this could mean that someone has assumed your identity, using your Social Security number, to receive health benefits.

Strange chapters in your credit history

You may be in the process of buying a car or applying for a mortgage and are surprised to learn that your credit history contains a number of accounts, with large balances, that you've never heard of. That can only mean that someone has hacked your identity and has been merrily spending borrowed money in your name.

That's why you should carefully read your credit reports from the three credit reporting agencies every year. Thanks to federal law, you are entitled to a free report from each of the firms by going to www.annualcreditreport.com.

Florida leads

In a state by state comparison, Florida still ranks first in government benefit and tax-related identity theft, with 72% of the reported complaints involving tax or benefits fraud. In terms of overall identity theft, Alaska saw the largest year-over-year increase, with the crime up 30 percent.

“These types of cases very often involve the use of Social Security numbers making them more complex than other types of identity theft,” said Eva Casey Velasquez, CEO of the Identity Theft Resource Center (ITRC). “As we are fully into tax season, we anticipate that there will continue to be increases in the reporting of this crime. Government related identity theft has averaged approximately 25% of total cases handled by the ITRC for the last two years and was 25% of our total cases in January 2013 as well.”

As with any type of identity theft, consumers need to have a better understanding of what has occurred, in order to further understand how they should react. At a minimum, if you think you have been victimized you should report the incident to police and the appropriate financial institution, such as your bank or credit card company.

Free Identity Protection

Free credit reports

Keeping an eye on your credit report is your first step to protecting yourself.

Federal law grants you a free credit report each year, and each of the three major credit reporting agencies must provide one.

I recommend staggering your credit report requests. For example, request a report from Experian. Four months later, request one from Equifax. After four more months, request it from TransUnion.

Credit activity should appear on all reports. However, there may be discrepancies among reports from the three bureaus. Also, be aware that a credit report doesn't include your credit score.

You can request your free reports at AnnualCreditReport. Be sure you go to the correct site! Many sites use the word Free in their names, but for free reports mandated by Congress, you want AnnualCreditReport, period.

Freezing your credit

If you want another level of security, you can freeze your credit report. This prevents new creditors from accessing your credit report.

That means they're less likely to issue credit to an identity thief. Of course, that assumes that the creditor consults a reporting agency.

Companies that already have your business can still access your report for fraud investigation, collection, account review and the like.

Plan carefully if you freeze your credit because you can’t apply for new credit with a freeze in place, and credit limits cannot be increased on existing accounts.

You can lift a credit freeze; however, it may take three days or longer to take effect.

A freeze can be lifted temporarily for a particular creditor. You just need to call the credit agencies, verify your identification, provide a special PIN and then you name the creditor. You may need to provide a second PIN to the creditor as well.

If you plan in advance, you can lift a freeze for a set amount of time ranging from 1 to 30 days. This is helpful if you are comparing credit card or mortgage rates.

You must freeze your credit with each of the three major agencies. In most cases, you will pay $10 to freeze your credit. The amount depends upon your state of residence, and some states limit freezes to seven years.

There is also a charge for lifting a freeze permanently. Again, this is usually $10.

Things are different if you can prove that your identity was stolen. Fees for credit freezes and removals are generally waived.

Credit reporting agencies do not always make freeze information easy to find. I have direct links to the required steps at Equifax, Experian and TransUnion.

Monitoring your credit

For more security, you can sign up for credit monitoring. You’ll be able to spot the first signs of identity theft. You’re alerted to any changes in your credit reports

All three reporting agencies offer monitoring services for $15 monthly. And the benefits outshine those offered by third-party services.

Unlike credit freezes, you only need to sign up with one agency.

You’ll also receive insurance against identity theft (the insurance is not applicable to New York residents). Start at the home pages of Equifax, Experian and TransUnion and search for credit monitoring.

Copyright 2012, WestStar Multimedia Entertainment. All rights reserved.

Free Tool Guards Against Identity Theft

(Mark Huffman @ ConsumerAffairs) Placing a fraud alert on your credit file makes it harder for a thief to access it

With data breaches occurring with more frequency and hackers devising more clever ways to access your personal information, identity theft now affects more people.

The results are devastating. Armed with your Social Security number and other bits of information about you, an identity thief can open credit card accounts and take out loans in your name.

Your credit will be ruined and you will spend months – maybe years – untangling the mess. Fortunately there is a simple and free way to reduce your chances of becoming a victim.

Work with credit agencies

Contact each of the three credit reporting agencies – Experian, Equifax and TransUnion – and request a fraud alert – or even an extended fraud alert – on your credit file. This simply means that no one can access your credit file without verifying your identity first.

For example, if someone steals your Social Security number and tries to get a bank loan, the bank would first have to take steps to make sure the person sitting in front of them is who they say they are. That might mean placing a call to you to ask if you are, indeed, trying to take out a loan.

According to the Federal Trade Commission (FTC), an extended fraud alert is free but primarily intended for victims of identity theft and those who believe they are at risk. Today, however, that covers just about everyone.

If you have reason to believe that any of your personal data has been compromised – if your credit card was one of the 40 million exposed in the Target breach, for example – you may be justified in asking for an extended fraud alert on your account. Anyone is eligible for a 90-day fraud alert, which can be renewed.

Where to start

The FTC advises that you contact each of the credit reporting agencies to place an extended fraud alert, which lasts seven years instead of 90 days, on your credit file. The company may have you fill out a request form and provide other documentation.

Equifax cautions that a fraud alert, while a powerful tool, will not guarantee a cunning identity thief can't open an account in your name. In particular for an initial fraud alert, a creditor is not required by law to contact you.

“You should also pay close attention to your credit file to make sure that the only credit inquiries or new credit accounts in your file are yours,” the company says on its website. “Other measures may also be warranted depending on your particular situation.”

Credit freeze

A fraud alert is different from a “credit freeze” in one important respect. With a credit freeze, your existing creditors can still get access to your file without your knowledge. It will also not stop misuse of your existing accounts or some other types of identity theft.

To place either a fraud alert or a credit freeze, you will need to provide appropriate proof of your identity, which may include your Social Security Number. If you ask for an extended alert, you may have to provide an identity theft report.

An identity theft report includes a copy of a report you have filed with a federal, state or local law enforcement agency, plus any additional information requested. For more detailed information about the identity theft report.  

Free online background check

(Kim Komando) Have you done an online background check of yourself lately? There are several reasons you should.

There might be erroneous information about you floating around the Internet or in your credit report. Maybe you'll find a picture of yourself or a comment you made years ago somewhere that's a little embarrassing.

These things will pop up and hurt your chances the next time you apply for a loan or a job. Fortunately, you can take steps to correct or remove this damaging information.

It's also a very good idea to do a background check before taking on a roommate or going out on a date with that new crush you met online. You never know what sort of worrying or dangerous details could be lurking in someone's past.

Because checking people's background is such a pressing need, there are dozens of ways to go about this. Fortunately, several ways won't cost you a thing.

Before I continue, I should point out a tricky fact about background checks. If you are performing a background check as a landlord or employer - or for credit, medical or insurance reasons -- you can't use just any service.

Under the Fair Credit Reporting Act, you have to use a Consumer Reporting Agency. A CRA has to maintain certain standards for data protection and offer dispute resolution.

If you do reject a potential tenant or employee (even semi-informal employees like domestic workers) based on a background check from a company that isn't a CRA, you could wind up in trouble.

You can find a fairly complete list of CRAs here on my website. The list is helpfully divided into categories such as credit reporting, employment history, insurance, renting and so on. Note that you can request and dispute the information that these CRAs have on file for you.

For checking on potential roommates or romantic partners, you can use just about any service or (legal) method.

The simplest option for a background check is to hire a professional service. You can find dozens of background check agencies online.

You will need to watch out for scam companies. Look around at several companies to find the average price for a background check and avoid any companies that are too low or too high.

If you want to save some money and you have some time, you can do many of the same checks yourself. You might also dig up information on a person's habits or character that a professional might not consider.  Click here for four sites that can really help you learn about someone. They comb Google, Facebook and other information websites to find out details that the person has willingly shared.

A Google search could turn up other things about the person that might make you think twice, too. However, you probably won't see important details about whether they've been arrested or evicted in the past.

Luckily, most court information is public record. To find it, go to your state's official government website or find the information you need at the National Center for State Courts. Make sure you search every state that the person you're checking has lived in.

After that, you might want to drill down to discover any felony and misdemeanor convictions on the county and city level. Keep an eye out for civil judgments, too, such as bankruptcies and court orders to pay debts.

In most cases, a credit report can't be pulled without a legitimate business purpose and written permission. A good strategy for screening a roommate would be to ask him or her to volunteer a report.

All consumers are entitled to get a free copy of their credit report once a year from the three reporting agencies - Equifax, Experian and Trans Union.

The more information you have about a person, the better your searches will be. Knowing a middle name and date of birth will help you weed out people with similar names.

If you aren't completely sure you've found the right person, don't act on the information until you've verified it is actually them. Being penalized for something that isn't your fault isn't fun.

Copyright 2013, WestStar Multimedia Entertainment. All rights reserved.

Google Change Brings Major Privacy Concerns

Google used to say its mission was to organize all the world's information. Now its mission, judging from its new privacy policy, is to organize all the information it has about you. The new policy means that anything you do on almost any of Google's 60 or so services will affect what you see on other Google services. This raises any number of questions, including:

  • How does it do that? By following you and keeping track of what you do.
  • How do you opt out? You don't.
  • Is it anonymous? Not exactly. 

Basically, Google will now be combining all the personal data you share with any of its products or sites, except for Google Chrome, Google Books and Google Wallet, hoping to create a more comprehensive picture of you. This means that anytime you’re signed into your Google account, whether on a computer, tablet, or Android phone, Google collects information about your activities and adds it to its growing profile of who you are, what you do and so forth...


Google Cleared in Justice Department Wi-Fi Sniffing Scandal

The Justice Department has cleared Google of wiretapping violations in connection to the company secretly intercepting Americans’ data on unencrypted Wi-Fi routers for two years ending in 2010, Google said.

“The DOJ had access to Google employees, reviewed the key documents, and concluded that it would not pursue a case for violation of the Wiretap Act,” Google wrote in a Thursday filing (.pdf) with the Federal Communications Commission.

The Justice Department declined comment.

If true, the development means that at least three government agencies — the FCC, Federal Trade Commission and the Justice Department — found Google committed no wrongdoing in the so-called Street View debacle.

Those outcomes, however, contradict a federal judge who last year ruled the search-and-advertising giant could be held liable for violating federal wiretapping law. The decision by U.S. District Judge James Ware of California green-lighted about a dozen lawsuits seeking damages — a decision that has been stayed pending Google’s appeal.

Google has said it didn’t realize it was sniffing packets of data on unsecured Wi-Fi networks in about a dozen countries between 2008 and 2010 until German privacy authorities began questioning what data Google’s Street View mapping cars were collecting. Google, along with other companies, use databases of Wi-Fi networks and their locations to augment or replace GPS when attempting to figure out the location of a computer or mobile device.

In Google’s letter to the FCC, it said it would pay a $25,000 FCC fine, levied two weeks ago, to settle the agency’s claims that Google stonewalled the commission’s Streetview investigation. Google denied wrongdoing, but agreed to pay “in order to put this investigation behind it.”


Google Docs phishing scam

(Jennifer Abel @ ConsumerAffairs) There's a dangerous new phishing scam, first discovered by security experts at Symantec, that seeks to steal the passwords and other confidential information of any Google account holder.

It's quite sophisticated compared to most phishing attempts, but even so: you should be able to protect yourself provided you pay extra-close attention to details, and also remember the phishing-protection rule “Don't call us; we'll call you.”

Here's how the newest scam works: you, the would-be victim, get an email with the subject heading “Documents”; the body of the email includes a link to an “important” Google Docs document.

Hopefully, if you'd received such an email you'd already know to ignore it, since it's neither personally addressed to you nor from any sender you actually know and recognize. But suppose you decided to click on this unknown link from an unknown sender anyway — what would you have found?

Looks convincing

Here's where the sophistication of this new scam comes in. In most phishing attempts, if you clicked on such a link (and did not immediately infect your computer with all sorts of malware as a result), you'd usually be taken to a page whose address, visible in your browser bar, is obviously not that of the company the scamsters are pretending to be – as in, you get a fake email allegedly from Google, but the link leads to a page with an unfamiliar (and distinctly not Google) web address.

However, as the official Symantec security blogger warned on March 13, if you click on this new Google-based phishing link:

“[T]he link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown. The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages.”

In other words, you think you're logging in to your actual Google account, so you type your email address and password as usual, not realizing that your password is not being read by the real Google to verify your identity, but by phishing scammers to steal your identity.

Still not too late

However, even if you were caught off-guard enough to click on the unsolicited Google Docs link that some unknown sender e-mailed you, it's still not too late to detect certain details indicating a scam. Remember two sentences ago, when we said “you type your email address and password as usual”? That's the detail which sharp-eyed Google account holders should recognize as scammy: usually, when logging into legitimate Google accounts from your own computer, you don't have to type your email address at all, only your password.

As Gizmodo writer Adam Clark Estes pointed out: “if you show up at the log-in screen, you should notice that it doesn't recognize you as a Google user (if you are a Google user).”

Note to non-Google users who don't understand what Estes is talking about here: if you have a Google account, or more than one, anytime you visit a genuine Google page it will recognize you, and you'll see your name, avatar and other personal features as applicable — although you still won't be allowed access to your Gmail or any other personalized, password-protected Google things until you actually type in your password and only your password — your actual you@gmail.com email address is already there.

But with this fake Google phishing scam, you only get a generic login page requiring you to type not just your password, but your email address itself; the genuine Google login pages only require this if you're accessing your account from a public computer, or a brand-new one you've never used to sign in to Google before.
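The lesson of this scam for anyone filtering mail is that "the link goes to google.com over SSL" is not evidence that the sign-in form is Google's: a trusted host can serve whatever a user uploaded to it. The following is an added example, not code from ConsumerAffairs or Symantec, showing a link classifier that looks at which Google service answers a URL rather than only at the hostname. The host lists, the Google Drive path shape and the message-level heuristics are assumptions for illustration.

```python
from typing import List
from urllib.parse import urlparse

# Assumed: the host that serves a genuine Google sign-in form.
GOOGLE_LOGIN_HOSTS = {"accounts.google.com"}

# Assumed: Google hosts whose pages are user-uploaded content. A page served
# from here can look like anything, including a copy of the sign-in form.
GOOGLE_USER_CONTENT_HOSTS = {"drive.google.com", "docs.google.com", "sites.google.com"}


def registrable_parent(host: str) -> str:
    """'a.b.example.com' -> 'example.com' (assumption: no multi-label public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """Classify a URL by *which* service answers it, not just by hostname:
       'google-login'          the sign-in host itself
       'google-hosted-content' Google infrastructure serving user-uploaded content
       'google-other'          some other google.com service
       'lookalike'             'google' appears in a name that is not google.com
       'external'              anything else
    A login form reached through 'google-hosted-content' or 'lookalike' is suspect."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "external"
    if host in GOOGLE_LOGIN_HOSTS:
        return "google-login"
    parent = registrable_parent(host)
    if parent == "googleusercontent.com" or host in GOOGLE_USER_CONTENT_HOSTS:
        return "google-hosted-content"
    if parent == "google.com":
        return "google-other"
    if "google" in host:
        return "lookalike"
    return "external"


def assess_message(subject: str, links: List[str], personalised: bool) -> List[str]:
    """Return the reasons a message matches the pattern described in the article.
    An empty list means none of these (deliberately narrow) checks fired."""
    reasons = []
    if subject.strip().lower() == "documents":
        reasons.append("generic subject 'Documents'")
    if not personalised:
        reasons.append("not addressed to the recipient by name")
    for url in links:
        kind = classify_link(url)
        if kind in ("google-hosted-content", "lookalike"):
            reasons.append(f"link {url} is {kind}, not the sign-in host")
    return reasons


if __name__ == "__main__":
    # Constructed message shaped like the one in the article; the file id is a placeholder.
    print(assess_message("Documents", ["https://drive.google.com/file/d/PLACEHOLDERID/view"], False))
```

The classifier is intentionally conservative: it never marks a link as safe, it only says which category needs a closer look. A mail gateway would feed the reasons into its scoring rather than block on any single one.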


Google Street View Continues to Raise Privacy Concerns By Brian Cooper

Google Street View, a Google Maps feature that lets users see images of streets and the surrounding areas, continues to generate controversy. Since its launch in May 2007, the feature has prompted questions about whether it constitutes an invasion of privacy, complaints about inappropriate images, and even a lawsuit.

Aaron and Christine Boring vs. Google

The lawsuit came from a Pittsburgh couple in April 2008. The couple lives on a private road. However, Google's Street View team travelled down the road and continued taking images all the way up to the couple's home. The images were then posted to Google Maps and included close-ups of the couple's home, swimming pool, and outbuildings.

Google's response? "Complete privacy does not exist in this world except in a desert, and anyone who is not a hermit must expect and endure the ordinary incidents of the community life of which he (or she) is a part."(1)

While Google's assertion that its Street View imaging team is an "ordinary incident of community life" is far-fetched, Google does make some good points in its response. Namely, that the plaintiffs could have simply requested that Google delete the offending images from Street View via a form available on Google Maps. Instead, the couple filed suit and in doing so have made the matter public record and ensured that the images will be viewed by even more people.

Since the lawsuit, Google has removed the images in question, but the suit remains open.

The Borings' Neighbors

On Goldenbrook Lane, a nearby street, some of the Borings' neighbors also had an incident with the Street View team. In this incident, the Street View team drove up Goldenbrook Lane and into the driveway of the McKee residence. They continued to drive, snapping Street View images the whole way, up to the garages of the McKees.(2) While it appears that the McKees didn't resort to a lawsuit, Google has removed the images of the home that were taken from private property from Street View.

Street View in California

In California, the antics of the Street View drivers continued. Drivers reportedly went on over 100 private roads in Sonoma County according to an analysis done by PressDemocrat.com. In another instance, Street View drivers went past two no trespassing signs as they photographed the 1,200 foot private road leading up to Betty Webb's house in Humboldt County. In another incident reported by PressDemocrat.com, Street View drivers ignored a no trespassing sign, passed through a gate, and drove through someone's yard on a dirt road near Freestone.

Street View and U.S. Military Bases

In March 2008, the Pentagon requested that Google erase some images of military bases taken from public streets due to the potential threat those images posed to national security. "It actually shows where all the guards are. It shows how the barriers go up and down. It shows how to get in and out of buildings," said General Gene Renuart, commander of U.S. Northern Command.(3) According to Google spokesman Larry Yu, Google has honored the Pentagon's requests.(4) However, the Pentagon was still reviewing the many images of military facilities that were included in Street View.(5)

Street View Goes Global

After the complaints in the U.S., other countries warned Google that Street View would have to be modified to comply with their stricter privacy laws. To this end, Google has improved facial recognition technology so that it can find faces in images and blur them so that they are unrecognizable. This technology has also been applied to license plates. The blurring feature has since been applied to U.S. Street View imagery in addition to images in other countries where Street View is now available.

Accountability

While Google has removed some of the aforementioned locations from Street View, the burden to monitor Google's actions, be it Street View or other Google services, continues to fall on people like you and me. With regard to Street View, Google argues that "many people — visitors pulling in the driveway, neighbors turning around at the end of the road, deliverymen delivering packages — can all plainly see the exterior of the (Borings) home."(6) While these examples are likely accurate for the Borings and the population in general, they involve people that we know or strangers that we requested to come to our homes. Private residents didn't request that Google visit these neighborhoods nor would residents reasonably expect that someone would be driving down their streets taking photographs of everything. In fact, I suspect that if you or I were to do the same thing, someone would call the police and we'd have some difficult questions to answer down at the station.

Potential Consequences

So, what could the consequences of Street View be? Well, while the feature has been used to aid police in a kidnapping investigation (7), I think the feature could be far more useful to criminals. For example, a criminal could use Street View to case a neighborhood - checking Street View for cars that are parked in garages or driveways so they could know when someone isn't at home, scan the yards and windows for any signs indicating that homes have security systems, check the proximity of neighboring houses using Street View and Google's satellite imagery, look for signs of pets that could pose problems for a thief, see if the homes have newspapers delivered (which might help the thief determine if the residents were on vacation) and, assuming the criminal found a good candidate, select a few potential access points (like open windows) for breaking into the home. If the Street View car happened to pass through your neighborhood on garbage day, the camera might even capture the box of that new HDTV you got. Scary, huh?

Protecting Your Privacy

So how can you protect yourself? First, check your address using Street View. To report a concern with Street View imagery, enter the address you desire and click "Search Maps." Then, click "Street View" in the thought bubble that appears on the map. Once the "Street View" image appears, click "Report a Concern" in the bottom left corner of the Street View image and enter the details of your complaint.

Second, be mindful of how your information is used and act when you feel your privacy is being threatened. Google's Street View can be a helpful tool, but it is meant to help Google sell ads and make revenue, not protect your privacy. You can write your local, state and federal representatives and even the local paper to voice your opinion.

Oh, and if you believe as Google does that "complete privacy does not exist," then you should check out the house where Google CEO Eric Schmidt reportedly lives using satellite imagery from Google Maps. It looks like he has had some construction done in the past few years. A simple Google search of the address (366 Walsh Road, Atherton, CA) will tell you that Schmidt merged two adjacent lots in 2001 (8) to create the new lot and then added a new fence, retaining wall, and drainage in 2004. (9) Eric, that creepiness that you're feeling is probably approaching the level of the people who had Street View vehicles in their driveways. So, while it is Google's mission to "organize the world's information and make it accessible and useful," the company should thoroughly consider how that information can adversely impact the same people it is meant to help.

References:

(1) "Preliminary Statement." Boring vs. Google, Allegheny County, PA
(2) TheSmokingGun.com. "Google is in Your Driveway!"
(3) Reuters. "Google pulls some map images at Pentagon's request." Mar. 6, 2008.
(4) Ibid.
(5) Ibid.
(6) "Preliminary Statement." Boring vs. Google, Allegheny County, PA
(7) Telegraph.co.uk. "US police use Google Street View to find missing child." Jan. 9, 2009.
(8) Town of Atherton City Council Minutes, May 16, 2001.
(9) Palo Alto Online, September 24, 2001.

Google Wants To Replace Cookies with AdID

(Victoria Woollaston @ mailonline) Is Google about to kill off the cookie? Web giant rumoured to be working on a new way to make it easier for customers to control how they are tracked online (by everyone but them!)

Google believed to be working on an advertising system called AdID
It could be an alternative to cookies currently used by advertisers
Cookies are used to monitor what people like and what sites they visit
This makes it easier to only show relevant, personalized adverts

Google is believed to be working on a new, anonymous way for advertisers to track what people like based on what sites they visit.

The anonymous identifier for advertising, being referred to as AdID, would be an alternative to third-party cookies currently used by advertisers to serve relevant, personalised adverts.

Reports in USA Today also state that Google's new system could make it simpler for customers to monitor how they are tracked.

Google accounts for around a third of worldwide online ad revenue and is rumoured to be looking into new methods of working with advertisers according to someone 'familiar with the plans.'

Under the plans, when a person visits a site, an anonymous AdID would be sent to advertisers and advertising networks that have signed up to the system.

These advertisers would have to adhere to a set of basic guidelines about what they can and can't track, and how they can and can't use the information they are sent.

This could potentially make the process easier for consumers to understand and make sure there isn't any confusion about their anonymity.

At the moment, first-party cookies that are used to identify basic details about a person are put on the site by the site's owner.

Third-party cookies are added to sites by advertisers and can track what products they like based on what they click on.

As they move around websites, these cookies can create a profile of interests and make sure the adverts shown are relevant to that individual. This can be disabled through a browser.

The AdID system would still track people for the same reasons and ultimate outcomes, but would simplify the process and could create an industry standard that all advertisers who want to use Google would adhere to.

This could prevent rogue third-party cookies being added to sites, as an example, or different advertisers each taking and using different data in different ways.

Only advertisers who stick to the guidelines would be given the IDs and if they break the terms and conditions, they would lose access to them.

USA Today continued that the AdID could be automatically reset by the browser each year.

Users may also be able to create a 'secondary AdID' for when they want to keep their browsing history private.

It is also thought that the system will be opt-in, similar to the current way cookies are handled, and people can disable the tracking at any time.

The Interactive Advertising Bureau, which represents the industry, told USA Today that it 'at least wants some type of tracking technology available for advertisers, whether third-party cookies or something else'.

Google detects fake website ID certificate threat

Web browser makers have rushed to fix a security lapse that could have allowed cyber thieves to impersonate Google+.

The loophole involved an exploit of ID credentials that browsers use to ensure a website is who it claims to be.

By using fake credentials, criminals could have created a website that purported to be part of the Google+ social media network.

The fake ID credentials have been traced back to Turkish security firm TurkTrust which mistakenly issued them.

TurkTrust said there was no evidence the data had been used for dishonest purposes.

Secure code

An investigation by TurkTrust revealed that in August 2011 it twice accidentally issued the wrong type of security credential, a form of identification known as an intermediate certificate.

Instead of issuing low level certificates it mistakenly gave out what amounted to "master keys" which could have allowed a bogus site to pretend it was the legitimate version without triggering a warning.

"An intermediate certificate is essentially a master key that can create certificates for any domain name," explained security analyst Chester Wisniewski from Sophos in a blogpost about the security lapse.

"These certificates could be used to impersonate any website to any browser without the end user being alerted that anything is wrong."

The certificates are important, he said, because secure use of web shops and other services revolve around interaction between the "master keys" and the lower level security credentials.

The lapse was spotted when automatic checks built into Google's Chrome browser noticed someone was using the program with an unauthorised certificate for the "*.google.com" domain.

Had this not been detected, the person could have gone on to impersonate Google+, Gmail and other services run by the US firm.

The danger would have been that they could then have staged a man-in-the-middle attack. This would have involved them relaying targeted users' communications to the real Google services and passing on the responses. By doing this they could have eavesdropped on potentially sensitive messages.

Google said it alerted other browser-makers to the threat after its discovery.

Microsoft and Firefox developer Mozilla subsequently issued updates which revoke the two wrongly issued intermediate certificates.

The identity of the person using the unauthorised certificate has not been reported, and their intentions are unknown.
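Two different mechanisms appear in this story: the "automatic checks built into Google's Chrome browser", which are public key pinning (the browser carries a list of keys it expects to see in any chain for google.com), and the later browser updates that explicitly distrust the two mis-issued intermediates. The following is an added model of both checks, not Google's, Mozilla's or Microsoft's code. Certificates are reduced to the fields a chain validator actually consults, signatures are abstracted to key matching, and every key and fingerprint is a constructed stand-in, not a real value.

```python
import hashlib
from typing import Dict, List, Set


def spki_fingerprint(public_key: bytes) -> str:
    """SHA-256 over the SubjectPublicKeyInfo bytes, hex encoded. Browser pins are
    expressed this way. The keys used below are constructed byte strings."""
    return hashlib.sha256(public_key).hexdigest()


def make_cert(subject: str, public_key: bytes, issuer_key: bytes, is_ca: bool) -> Dict:
    """Only the fields the validator needs: the name, the key the cert carries,
    the key that signed it, and whether it may itself sign certificates."""
    return {
        "subject": subject,
        "spki": spki_fingerprint(public_key),
        "issuer_spki": spki_fingerprint(issuer_key),
        "is_ca": is_ca,
    }


def name_matches(subject: str, host: str) -> bool:
    """Hostname check with a single-label wildcard: '*.google.com' covers
    'www.google.com' but not 'a.b.google.com'."""
    if subject.startswith("*."):
        return host.count(".") == subject.count(".") and host.endswith(subject[1:])
    return subject == host


def registrable_domain(host: str) -> str:
    """'www.google.com' -> 'google.com' (assumption: no multi-label public suffixes)."""
    return ".".join(host.split(".")[-2:])


def check_chain(host: str, chain: List[Dict], trusted_roots: Set[str],
                distrusted: Set[str], pins: Dict[str, Set[str]]) -> str:
    """Return 'ok' or the name of the first failing check. chain[0] is the leaf
    and each later entry issued the one before it; the trusted root is not in
    the chain but is identified by its key fingerprint."""
    for i, cert in enumerate(chain):
        if cert["spki"] in distrusted:
            return "distrusted-certificate"      # the post-incident browser update
        if i > 0 and not cert["is_ca"]:
            return "issuer-not-a-ca"             # an end-entity cert may not sign
        if i + 1 < len(chain) and cert["issuer_spki"] != chain[i + 1]["spki"]:
            return "broken-chain"
    if chain[-1]["issuer_spki"] not in trusted_roots:
        return "untrusted-root"
    if not name_matches(chain[0]["subject"], host):
        return "name-mismatch"
    expected = pins.get(registrable_domain(host))
    if expected and not any(c["spki"] in expected for c in chain):
        return "pin-mismatch"                    # the check that caught the lapse
    return "ok"


# Constructed keys standing in for real public keys.
ROOT_KEY = b"constructed-turktrust-root-key"
CUSTOMER_KEY = b"constructed-customer-key"
BOGUS_LEAF_KEY = b"constructed-bogus-leaf-key"
GOOGLE_KEY = b"constructed-real-google-key"


def scenario() -> Dict[str, str]:
    """Replay the lapse: a CA:TRUE certificate issued where CA:FALSE was intended."""
    trusted = {spki_fingerprint(ROOT_KEY)}
    pins = {"google.com": {spki_fingerprint(GOOGLE_KEY)}}   # what the browser expects
    proper = make_cert("customer.example", CUSTOMER_KEY, ROOT_KEY, is_ca=False)
    mis_issued = make_cert("customer.example", CUSTOMER_KEY, ROOT_KEY, is_ca=True)
    bogus = make_cert("*.google.com", BOGUS_LEAF_KEY, CUSTOMER_KEY, is_ca=False)
    return {
        "proper_leaf": check_chain("customer.example", [proper], trusted, set(), pins),
        "bogus_under_proper_leaf": check_chain("www.google.com", [bogus, proper], trusted, set(), {}),
        "bogus_no_pins": check_chain("www.google.com", [bogus, mis_issued], trusted, set(), {}),
        "bogus_with_pins": check_chain("www.google.com", [bogus, mis_issued], trusted, set(), pins),
        "bogus_after_update": check_chain("www.google.com", [bogus, mis_issued], trusted,
                                          {mis_issued["spki"]}, {}),
    }


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case}: {verdict}")
```

The "bogus_no_pins" case is the important one: the chain is structurally valid and leads to a trusted root, so a browser without pins accepts it. Only the pin list (and, later, the explicit distrust entry) rejects it.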

This is not the first time that websites and browser makers have had a problem with security certificates. Fake certificates have been issued before now by several other firms and exposed confidential data including login names and passwords.

"It is really time we move on from this 20-year-old, poorly implemented system," wrote Mr Wisniewski. "It doesn't need to be perfect to beat what we have."


Google's Scary New Terms of Service and Privacy Policies

The bottom line here is that you should start perusing Google’s terms of service and privacy policies pronto! Google will know more about you than your wife does. Everything across your screens will be integrated and tracked. Google noted that it collects information you provide, data from your usage, device information and location. Unique applications are also noted. Sure you can use Google’s dashboard and ad manager to cut things out, but this policy feels Big Brother-ish. Google is watching you as long as you are logged in. It’s also unclear whether this privacy policy move will be considered bundling in some way by regulators. This unified experience hook appears to be at least partially aimed at juicing Google+. Google responded with clarification: Google noted that it already has all that data, but it’s now integrating that information across products. It’s a change in how Google will use the data not what it collects. In other words, Google already knows more about you than your wife.


Government Snooping Up 29% in 2011 - Who's Looking At You!

A new report from Google shows a rise in government requests for user account data and content removal, including a request by one unnamed law enforcement agency to remove YouTube videos of police brutality--which the company refused.

HIPAA VS SAS 70

HIPAA and SAS 70

Recently there has been a marked increase in the demand for SAS 70 audits. This is primarily being driven by the surge of regulatory compliance legislation, coupled with the growing corporate governance initiatives that have been unleashed in the last decade. While many people point to the Sarbanes-Oxley Act of 2002 (SOX) as the prime reason for the rise in SAS 70 audits, other federal legislation, such as HIPAA and Gramm Leach Bliley Act (GLBA) have had a considerable impact also.

Ask ten people what a good definition of HIPAA is and you are likely to get ten different answers. To be fair to these people, HIPAA is a long, vague and cumbersome piece of legislation with many disjointed moving parts. It's hard to really get a good grasp on it, but this is what you need to know as it relates to SAS 70 audits.

The HIPAA security guidelines and many other ancillary initiatives within this piece of federal legislation advocate protection of private consumer medical records along with industry-accepted technology protocols for transmitting, protecting, and storing consumer medical information. That's where SAS 70 audits come in. Long used as the default audit for examining an organization's internal controls, SAS 70 audits have become a favorite go-to audit for ensuring compliance with HIPAA legislation as it pertains to the privacy and confidentiality of consumer medical records.

As technology has changed dramatically over the years, its very use has created a need for ensuring confidential medical information is just that: kept confidential and protected. SAS 70 audits, when performed properly, can examine an organization's internal controls, which can also include the safeguard controls that are to be in place for adhering to HIPAA standards. No, SAS 70 is not a technology audit, nor is it an operational audit; rather, it can be considered a little bit of everything, as it touches many areas within an organization that use technology as part of their internal control structure.

HP Issues Fix For LaserJet Flaw

Last month, researchers from Columbia University's Computer Science Department said they'd found a way to reverse engineer the Remote Firmware Update function in HP LaserJet printers and trick the printers into accepting and installing malware-filled updates. From there, researchers said, an attacker could compromise PCs on corporate networks and use them to send a barrage of instructions to a LaserJet printer, thereby causing its ink-drying element to heat up -- and potentially ignite printer paper.

Read More - Click Here!

Hacked Companies Fight Back

Frustrated by their inability to stop sophisticated hacking attacks or use the law to punish their assailants, an increasing number of U.S. companies are taking retaliatory action.

Known in the cyber security industry as "active defense" or "strike-back" technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant's own systems.

In the past, companies that have been attacked have mostly focused on repairing the damage to their computer networks and shoring them up to prevent future breaches.

But as prevention is increasingly difficult in an era when malicious software is widely available on the Internet for anyone wanting to cause mischief, security experts say companies are growing more aggressive in going after cyber criminals.

"Not only do we put out the fire, but we also look for the arsonist," said Shawn Henry, the former head of cybercrime investigations at the FBI who in April joined new cyber security company CrowdStrike, which aims to provide clients with a menu of active responses.

Once a company detects a network breach, rather than expel the intruder immediately, it can waste the hacker's time and resources by appearing to grant access to tempting material that proves impossible to extract. Companies can also allow intruders to make off with bogus files or "beacons" that reveal information about the thieves' own machines, experts say.

Henry and CrowdStrike co-founder Dmitri Alperovich do not recommend that companies try to breach their opponent's computers, but they say the private sector does need to fight back more boldly against cyber espionage.

It is commonplace for law firms to have their emails read during negotiations for ventures in China, Alperovich told the Reuters Global Media and Technology Summit. That has given the other side tremendous leverage because they know the Western client company's strategy, including the most they would be willing to pay for a certain stake.

But if a company knows its lawyers will be hacked, it can plant false information and get the upper hand.

"Deception plays an enormous role," Alperovich said.

Read More - Click Here!

Hacker Shows Windows XP Users How To Get Updates

Word of Caution - Try this AT YOUR OWN RISK. THIS IS A NEWS ITEM, AND NOT A RECOMMENDATION OR INSTRUCTIONS

(Julie Bort @ Business Insider) A Hacker Found An Easy Trick To Get Security Fixes For Windows XP, And Microsoft Is Not Amused

That didn't take long. Someone found a simple trick that forces Microsoft into sending security updates to Windows XP machines.

It's not a perfect fix, but it's easy enough that anyone could do it, if they dare.

Microsoft and many security vendors were treating the end of support as if it were some kind of PC Armageddon. But people and companies (particularly small businesses) have been reluctant to give up their perfectly functioning XP PCs and upgrade to new Windows machines running Windows 8 or even Windows 7. Even now, XP runs more than a quarter of the PCs on the Internet, 26%, according to Net Marketshare.

The hacker, Wayne Williams at Betanews, showed people how to write a few lines of code and make Windows XP install updates anyway. This trick makes Windows Update think that the device is running a version of Windows XP that is still supported by Microsoft and will be for another five years. That's a version known as Windows Embedded POSReady.

All you have to do is follow Williams' instructions below:

  1. Create a text document, and call it XP.reg. You’ll need to make sure .reg is the proper extension -- so not "XP.reg.txt". If it’s not showing up as a registry file, open any folder, go to Tools > Folder Options, select View and uncheck 'Show hidden files and folders'. That should fix the problem.
  2. Right-click the file, and select Edit. Paste in the following:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
    "Installed"=dword:00000001
  3. Save it, and then double-click the file. That will make that change to the registry. 

CAUTION - ANYTIME YOU HACK THE REGISTRY YOU RUN THE RISK OF CATASTROPHIC FAILURE!

That’s all you need to do. Windows will now automatically fetch updates designed for POSReady 2009, ensuring XP remains protected for the foreseeable future.

If you try this, whenever Microsoft fixes a security problem in XP embedded, your PC will get that update.

Of course, Microsoft is now aware of this hack so we'll see how long it lasts. The company isn't happy. It wants you to upgrade your Windows machine or buy a new one.

When ZDNet's Larry Seltzer verified that the hack worked, Microsoft sent him this statement, warning people not to try it.

We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1.

And Microsoft has a point. The PC world has changed a lot in 12 years and newer versions of Windows are faster and more secure. But those who want to brave the risk of holding onto their Windows XP machines may be daring enough to give this hack a go, too.

Personal Note: Linux and Apple ARE viable alternatives!


Hacker warning: change your passwords - all of them

(Jennifer Abel @ ConsumerAffairs) Bad news: if you're reading this, there's a very good chance you need to change your password because a 20-something computer hacker in Russia already knows it.

Of course, you've already read countless variations of that story: “Hackers break into database. If your information was on it, you must protect yourself.”

So when you hear about the hack attack du jour, you immediately want to know the specifics: which one of my passwords am I supposed to change this time? Which company or organization got its database hacked? What was the time frame?

And you expect an answer along these lines: “If you made any credit- or debit-card purchases at an XYZ store, or online at XYZstore.com, between January 13 and February 10, your information is at risk.” That also implies a comforting corollary: “If you've never shopped at XYZ, or at least didn't shop there between those two listed dates, you have nothing to worry about.”

Unfortunately, such information is not available for this latest hacking. Even if it were available, it would be too much to summarize here in a single news article, because it's not just one company or website that's been attacked; it's at least 420,000 different websites ranging from obscure little sites to major household-name companies.

Largest known collection

The New York Times reported yesterday that researchers from Hold Security discovered a Russian cyber-criminal gang had “the largest known collection of stolen Internet credentials, including 1.2 billion [unique] user name and password combinations and more than 500 million email addresses …. [and] confidential material gathered from 420,000 websites, including household names, and small Internet sites.”

Hold Security wouldn't release the names of any affected companies or sites, due to non-disclosure agreements and also a desire to avoid identifying companies whose sites remain vulnerable. Therefore, there's no way for ordinary computer-users like you to know which of your passwords were compromised, if any.

Thus far there's no evidence that the Russian hackers have been using stolen passwords to open false credit card accounts or commit other forms of identity theft; the hackers are primarily using this information to send spam to various social media accounts.

Whether you need to change your passwords or not, this latest hacker discovery serves as another reminder of this important online-security rule: don't use the same password across multiple sites.

Last month, for example, the online ticket-seller StubHub had over 1,000 customer accounts hacked into, yet the hackers never actually managed to breach the StubHub database.

Instead, they hacked into various other databases, or even installed malware on individual computers, in order to steal people's passwords from one account – email, online banking, social media sites, even small online discussion forums – and then test those stolen passwords to see if they'd work in customers' other accounts. And in the case of over 1,000 StubHub customers, it did.

Still: a thousand customers of a ticket-resale site is extremely small potatoes compared to 1.2 billion people. Consider: it's estimated that, as of 2014, there are 2.9 billion Internet users on the entire planet Earth. And of those 2.9 billion Earthling web-surfers, over 40% have their passwords in the hands of a small Russian hacker-ring.

Hackers Franchising their Malware

(Mark Huffman @ ConsumerAffairs) Hackers may be forgiven if they think they have hit the jackpot. Their ransomware attacks, which began a few years ago, have proven to be money in the bank.

Victims who are unfortunate enough to click on a link in an email download a program that encrypts every file on their computer or network. They can access nothing until they pay a Bitcoin ransom – usually a few hundred dollars, and receive a key to unlock their files.

Besides individual consumers, attackers also target corporations and organizations that might not have the most sophisticated protocols in place. It's a scam that pays off just about every time.

New and dangerous wrinkle

Now, there's a new and dangerous wrinkle that has law enforcement officials even more worried. Symantec reports that some clever ransomware developers have created a Trojan called Shark. The software is being provided to hackers who want to get into the ransomware game.

It's a turnkey product, meaning the novice hacker doesn't have to possess a lot of special skills to launch the attacks. The developers of Shark get 20% of any ransoms collected.

In other words, the ransomware enterprise appears to be evolving into a franchise. Shark is essentially the McDonald's of ransomware.

Exploding threat

That means this growing cyber threat could explode in the coming months. To try and counter it, the Federal Trade Commission (FTC) is convening a technology seminar September 7 to explore ways to deal with the growing threat.

In the meantime, the FTC says businesses and consumers need to exercise extreme caution with email, even messages that appear to be from familiar sources. Clicking on links in these messages can lead to paying a ransom to free the files.

Beyond using care in handling emails, the FTC says a good defense against ransomware is backing up everything on a system. However, if you back up to an external hard drive, disconnect it from your system when you aren't in the process of backing up files. That's because ransomware encrypts every file in your system, including those on other connected drives.

Hackers may have breached the federal government’s personnel office

(Fred Barbash @ WashingtonPost) Hackers may have breached the Office of Personnel Management’s network, a Department of Homeland Security official confirmed Thursday.

According to the DHS official, who asked not to be identified, the agency’s National Cybersecurity and Communications Integration Center became aware of a “potential intrusion” of the network, and has been working with OPM and other agencies to assess and mitigate risks. So far, they have not found “any loss of personally identifiable information,” the official said.

The New York Times first reported Wednesday night that Chinese hackers penetrated the databases of the federal government’s personnel office, which contains files on all federal employees, including thousands who have applied for top-secret clearances.

The paper said the attack on the Office of Personnel Management occurred in March before it was detected and blocked. It quoted a “senior Department of Homeland Security official” confirming the attack, and saying that “at this time” the government had not “identified any loss of personally identifiable information.”

The Times also quoted an “unnamed senior American official” saying the attack had been traced to China, though not necessarily to the government of China.

According to the Times:

The intrusion at the Office of Personnel Management was particularly disturbing because it oversees a system called e-QIP, in which federal employees applying for security clearances enter their most personal information, including financial data. Federal employees who have had security clearances for some time are often required to update their personal information through the website.


The agencies and the contractors use the information from e-QIP to investigate the employees and ultimately determine whether they should be granted security clearances, or have them updated.

Cyber espionage — the United States against China and China against the United States — has become a source of constant tension between the U.S. and Chinese governments. Reports based on documents leaked by Edward J. Snowden revealed that the National Security Agency penetrated the computer systems of Huawei, the Chinese firm that makes computer network equipment, and operated programs to intercept conversations of Chinese officials.

In May, Attorney General Eric H. Holder Jr. announced the indictments of five Chinese Peoples Liberation Army members on charges of hacking to benefit Chinese industry. They were accused of hacking into computers and stealing valuable trade secrets from leading steel, nuclear plant and solar power firms. It marked the first time that the United States has leveled such criminal charges against a foreign country.

Designs for many of the nation’s most sensitive advanced weapons systems have been compromised by Chinese hackers, according to a report prepared last year for the Pentagon and officials from government and the defense industry.

Among more than two dozen major weapons systems whose designs were breached were programs critical to U.S. missile defenses and combat aircraft and ships, according to the confidential report prepared for Pentagon leaders by the Defense Science Board.

Experts said recently that Chinese cyber-spies have been systematically targeting major Washington institutions, including think tanks and law firms. Middle East experts at major U.S. think tanks were hacked by Chinese cyberspies in recent weeks as events in Iraq began to escalate, according to a cybersecurity firm that works with the institutions.

The hacking goes back years. In 2006, hackers in China broke into the State Department’s computer system in Washington and overseas in search of information, passwords and other data. The bureau that deals with China and North Korea was hit particularly hard, although the system penetrated contained unclassified information, U.S. officials said.

The Times said the attack on OPM was “notable because while hackers try to breach United States government servers nearly every day, they rarely succeed.”

Ellen Nakashima contributed to this story.

Heartbleed Virus Update

Another excellent comic by xkcd (a site that publishes dev/ops/web-related comics, usually hitting the nail right on the head): this time explaining one of the worst bugs in IT history, the OpenSSL “Heartbleed Bug”. For everybody who lived under a rock in the last days: several weeks ago a bug in the open source OpenSSL library (which is used in, well, nearly everything that uses SSL, from major websites to NAS systems, from Android to routers) was discovered and major websites were informed secretly (to prevent criminals getting notice of it). The bug is basically a broken parameter check that allows the user/attacker to request a “full” memory dump. A full memory dump. With passwords, SSH keys, etc. in it.
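To make the “broken parameter check” concrete, here is a small C simulation added for this page (it is not xkcd's, OpenSSL's, or this site's own code). A heartbeat record carries a type byte, a two-byte payload length, the payload and padding; the pre-fix handler below trusts the peer-supplied length and copies that many bytes without comparing it with the record it actually received, so the response carries whatever sits in memory after the record. The second handler adds the check the OpenSSL fix introduced: a length that does not fit inside the record is discarded. The memory arena, the record layout and the “hunter2” secret placed after the record are constructed for the demo, and the vulnerable handler is clamped to the arena only so that the demo stays within defined memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of server memory: the heartbeat record
   sits at the start and unrelated data (a fake secret) happens to follow it. */
#define ARENA_SIZE 64
#define SECRET     "hunter2"   /* constructed sample secret, not real data */
#define HB_HEADER  3           /* 1 type byte + 2 length bytes */
#define HB_PADDING 16          /* minimum padding the heartbeat spec requires */

/* Lay out [type][len hi][len lo][payload][padding] and then SECRET right
   after it. `claimed_len` is what the length field says; `actual_len` is
   how many payload bytes were really sent. Returns the true record length. */
static size_t build_arena(uint8_t *arena, uint16_t claimed_len,
                          const char *payload, size_t actual_len) {
    size_t n = 0;
    memset(arena, 0, ARENA_SIZE);
    arena[n++] = 1;                                 /* heartbeat_request */
    arena[n++] = (uint8_t)(claimed_len >> 8);
    arena[n++] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + n, payload, actual_len);  n += actual_len;
    n += HB_PADDING;                                /* padding is already zero */
    memcpy(arena + n, SECRET, sizeof SECRET);       /* bytes beyond the record */
    return n;
}

/* Pre-fix shape of the handler: the peer-supplied length is used as the copy
   size and the real record length is never consulted. `mem_end` only keeps
   this demo inside the arena; the real bug had no such bound at all. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                size_t mem_end, uint8_t *out) {
    (void)rec_len;                                  /* the bug: never checked */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload_len > mem_end) return -1;
    memcpy(out, rec + HB_HEADER, payload_len);      /* reads past the record */
    return payload_len;
}

/* Post-fix shape: the claimed payload plus header and padding must fit inside
   the received record, otherwise the message is silently discarded. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           size_t mem_end, uint8_t *out) {
    (void)mem_end;
    if (rec_len < HB_HEADER + HB_PADDING) return -1;            /* too short */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > rec_len) return -1;
    memcpy(out, rec + HB_HEADER, payload_len);      /* bounded by the record */
    return payload_len;
}

/* Sends a 2-byte payload "hi" with the given claimed length and reports:
   1 if the fake secret appears in the response, 0 if not, -1 if discarded. */
static int leaks_secret(int use_fix, uint16_t claimed_len) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, claimed_len, "hi", 2);
    int n = use_fix ? heartbeat_fixed(arena, rec_len, ARENA_SIZE, out)
                    : heartbeat_vulnerable(arena, rec_len, ARENA_SIZE, out);
    if (n < 0) return -1;
    for (size_t i = 0; i + (sizeof SECRET - 1) <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, honest length 2 : %d\n", leaks_secret(0, 2));
    printf("vulnerable, claimed 40      : %d\n", leaks_secret(0, 40));
    printf("fixed,      claimed 40      : %d\n", leaks_secret(1, 40));
    return 0;
}
```

The honest request is answered identically by both handlers; only the mismatch between the length field and the bytes actually received separates them, which is why the fix is a single comparison and why a test site can detect the bug simply by sending an over-long length claim and seeing whether a reply comes back.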

A few days ago, TheVerge wrote an article about the bug, reaching mass attention and opening heaven for cyber-criminals. Side fact: it’s interesting to see the extreme mass of news coverage created by bugs in (open source) software these days: Heartbleed and Apple’s OpenSSL bug (test site) have made it to the #1 article in quality newspapers, TV news and for sure online newspapers all over Europe. Somebody ran a mass test against the top 1,000/top 10,000 pages in the world, checking major websites for vulnerability, and listed the results on GitHub. This list is unproven, but the names are awesome. Note that this list was created after the bug went viral, so we don’t talk about a theoretical bug here.

You can make a basic check for the bug on this Heartbleed test site.

 

heartbleed ssl bug explanation

Many of you may have been asked to update a security certificate from your email server. If you get that message, please answer "Confirm Security Exception", "YES" or "Submit" to update the certificate.

 

Here are the test results from our two mail servers:


Greg Allen
Active Technologies
active-technologies.com
gallen@active-technologies.com
Web Design Hosting Internet Search
"We Drive Customers to Your Business"
Summerville - Charleston, SC
843-225-5648


Hide Your Home From Google Maps


If you don't want your house to appear on Google Maps... Google Maps is a feature provided by Google that allows you to find locations on a virtual map. When you search for a specific address you can use the Street View feature to view an aerial picture of the specific location and surrounding area. If you find your house on the Google Maps Street View, there is a simple process to remove it so it will no longer be visible to the public, and this is how we do it:

Instructions

  1. Go to the Google Maps website (See Resources). Enter your street or address into the top search field.
  2. Click on the "Search Maps" button. The area where your house is located will appear on the map.
  3. Click the plus sign on the vertical bar located on the left hand side of the map. This will help you enter Street View.
  4. Locate your house on the map and then click on the red marker for your house. Click on the "Street View" option.
  5. Click on the "Report a problem" option from the bottom of the Street View image. Click "Privacy Concerns," then click "My House."
  6. Click on the radio button next to "I have found a picture of my house and would like to remove it."
  7. Enter your email address into the "Email address" field. Click on the "Submit" button. You will receive an email when a Google representative has removed your house from Google Maps.


Hosting Providers Should do More to Stop Piracy

(CHRIS BURT @ WHIR) The Motion Picture Association of America (MPAA) has included Cloudflare and several foreign hosting companies among parties it says are helping pirates violate copyright law by failing to play an active role in reducing support for “notoriously infringing sites.”

In an effort to identify the world’s most notorious markets for intellectual property infringement, the Office of the U.S. Trade Representative (USTR) requests a letter (PDF) from the MPAA each year. The response this year includes a broader scope of the “notorious markets” where piracy happens.

According to the MPAA, “[a]ll stakeholders in the internet ecosystem – including hosting providers, cloud (and anonymizing) services, advertising networks, payment processors, social networks, and search engines – should be actively seeking to reduce support for notoriously infringing sites such as those we have nominated in these comments, including through voluntary initiatives aimed at combating online content theft in a balanced and responsible manner.”

The MPAA has long been critical of Cloudflare, a security and CDN provider based in San Francisco. Last October, in statement on a joint strategic plan on Intellectual Property enforcement, the MPAA said that while Cloudflare provides “many valuable services to legitimate websites, they also provide them to sites dedicated to copyright theft.” The MPAA isn’t the only organization that has called out Cloudflare on similar grounds; in August, Cloudflare told a court that it shouldn’t be forced to block sites without proper legal procedure after a group of record labels demanded it stop providing services to various websites connected with the music streaming site MP3Skull.

Private Layer, Altushost, and Netbrella, which the MPAA associates with Panama, the Netherlands, Sweden, and Switzerland, are named as “notorious markets” under the new “hosting providers” category. CloudFlare is not included as a notorious market because it is a domestic company, but is named in the body text as an example of a CDN which hides the IP of web servers used in illegal activity. CloudFlare’s reverse proxy function is identified as a popular tool used by pirate sites and services to render them anonymous.

“Given the central role of hosting providers in the online ecosystem, it is very concerning that many refuse to take action upon being notified that their hosting services are being used in clear violation of their own terms of service prohibiting intellectual property infringement and, with regard to notorious markets such as those cited in this filing, in blatant violation of the law,” the MPAA argues.

Other categories of notorious markets include websites, cyberlockers, peer-to-peer networks and torrent portals, and portals for piracy apps, as well as physical markets.

The MPAA also says registrars like the Indian Public Domain Registry (PDR) are enabling piracy by refusing to take action or investigate reports.

Hotmail Password Bug Quick Fix

Microsoft has rushed out a fix for a serious bug in its Hotmail webmail services.

The bug allowed a hacker to reset the password for a Hotmail account, locking out its owner and giving the attacker access to the inbox.

The fix was put together because the bug was starting to be actively exploited online.

One security news site reported that some hackers were offering to hack Hotmail accounts for $20 (£12).

Computer security researchers discovered the vulnerability in early April and told Microsoft about it soon afterwards. The bug revolved around the way Hotmail handles the data that must pass back and forth when a user wants to reset their password.

Read More - Click Here!

How Many Viruses In Circulation Today

How many distinct strains of malware are in circulation today? If you said hundreds of thousands or millions, you’re way off. A close look at numbers from one leading security company helps explain why some big numbers don’t tell the whole story.

How many strains of malware are in circulation right now, for Windows PCs, Android devices, and Macs?

That seems like a straightforward question, but the answer is far from simple. And the number might be a lot lower than you think.

If you check with the leading security companies, you might be tempted to pick an answer in the millions. After all, that’s how many listings you’ll find in the definition files for common antivirus programs. At day’s end on April 12, for example, Symantec published the summary shown below, noting that its latest Virus Definitions file contained 17,702,868 separate signatures.

Read More - Click Here!

How To Clear Your Google Web History

Google's latest privacy move has some questioning their mantra, "Do no Evil." Photo by Jonathan McIntosh/flickr/CC


If you've been to Google's homepage lately — and the chances you have are astronomical — you may have noticed a little announcement mentioning something about changes in Google's privacy policy. You then probably ignored it — but you shouldn't.

On March 1st, 2012, Google will implement a new, unified privacy policy. The new policy is retroactive, meaning it will affect any data Google has collected on you prior to that date, as well as any data it gathers afterward. The official Google Blog has more details on what the new privacy policy means. But what does all of this legal jargon mean practically? Basically, under the new policy, your Google Web History (all of your searches and the sites you clicked through to) can be combined with other data Google has gathered about you from other services — Gmail, Google+, etc.

Previously Google kept your search history separate, which means that its profile of you was less complete. If you'd like to keep your personal data a good distance away from Google, you'll need to delete your existing search history and prevent Google from using that history in the future.

The Electronic Frontier Foundation (EFF) has more details on why you might want to turn off Google's Web History feature.

Privacy policies are ubiquitous, yet often highly irrelevant to the typical user; in this case, however, a little time spent changing your settings can provide invaluable peace of mind knowing that Google can't exploit your personal tendencies for its own purposes. Convinced yet? Read on for our guide to locking down your web history.

This how-to was written by Scott Gilbertson, a writer and web developer living in Athens, Georgia.

Read More - Click Here!

How To Avoid 17 Common Email Scams

We’ve all heard the horror stories: credit card fraud, pyramid schemes, phishing, identity theft — the list of scams goes on and on.

“Oh, that won’t happen to me,” you think. “I know the signs.” No one wants to think he’ll be counted among the fooled. But the truth is, you can never be too cautious about scams on the web.

After all, according to the Internet Crime Complaint Center, yearly dollars lost grew by about $500 million from 2004 to 2009, and the trend isn’t showing signs of slowing.

Read More - Click Here!

How To Avoid Text Message Scams

Be suspicious of a text that says you've won a gift card. Why? Viruses and phishing scams are quickly moving to smartphones, meaning consumers have to exercise the same caution when they're mobile that they do at their desk.

When you get a text from a source that appears suspicious, the prudent thing to do is assume that it's a scam. These messages usually contain malware and viruses designed to infect your phone and steal personal information.


And because everyone likes something “free,” common examples include messages claiming you have "won" a gift card for Wal-Mart, Best Buy, Apple and other national retailers.

Fortunately, there are ways to protect yourself:

Read More - Click Here!

How To Keep Free From Internet stalking bullying and harassment

(Daryl Nelson @ ConsumerAffairs) Sooner or later, we all get that email that we don’t want, or receive something posted on our social network page that we wish we never got. Whether the message is from a company, an overzealous salesperson or a personal acquaintance, it can be annoying and even upsetting at times.

But at what point do these unwanted messages go from being just annoying to becoming full-on harassment?

The month of January is Annual Stalking Awareness Month, and according to the Stalking Resource Center of the National Center for Victims of Crime, stalking someone online has a lot to do with repeated attempts of harassment and a certain level of deliberateness, which isn’t always the case with someone occasionally sending you a message that you don’t want.

Michael Kaiser who is the executive director of the National Cyber Security Alliance (NCSA) says cyber-stalking is nothing that consumers should take lightly, and as soon as you notice a pattern or receive just one threatening message, you should contact your local police department as soon as possible.

“In order to effectively combat unwanted contact, it is important to know the signs of stalking and how to deal with such related incidents,” said Kaiser in a statement.

“Aggressive outreach such as persistent emails, harassing posts or text messages are not acceptable forms of online communication and NCSA encourages affected individuals to contact local law enforcement or victim service agencies to report such activities and get help.”

Take action

Experts say if you ever find yourself a victim of cyber-stalking you should immediately suspend your account whether it’s your email or social network page, and consumers should always make sure all of their contact pages have the correct privacy settings, so it’s difficult for cyber-stalkers to locate you in the first place.

Experts also say that Internet stalkers and other online criminals will more than likely pass up the person who makes it more difficult for them to commit their wrongdoings, and even though it can be tempting at times, people should keep the sharing of their personal information to a minimum, like announcing you’ll be out of town for the next two weeks.

Safety experts also stress for people to create usernames that aren’t gender specific, and be sure not to publicize any information that may give a cyber-stalker an idea where you live.

So posting that photo of you standing next to your new car in the driveway, that also happens to show a street sign or a familiar landmark in the background is a great big no-no, say experts.

Go Google yourself

Anupama Srinivasan, who is a program director for a non-profit organization that deals with violence against women, says that people should Google themselves just to get an idea of what personal information is already out there.

And just because you may see your name and address online, doesn’t mean that you have to accept it being there, because obviously the more personal information you’re able to remove from cyber space, the harder it will be for someone to stalk or harass you.

“If you locate personal information like address, phone numbers or pictures or information you don’t want to be out there, speak to the people involved and get it deleted,” said Srinivasan in a published interview.

“Write to the website that lists your phone number without your permission and get it removed. Use your full name and/or the name you go by generally to Google yourself, and be sure to add ‘plus photographs’ in your Google search.”

According to the NCSA one in five people in the U.S. have experienced cyber based crimes that include the stealing of personal information, stealing of identities, bullying and of course cyber-stalking, and over 29 percent of consumers said they know someone who was a victim of an Internet crime.

In all 50 states in the U.S. cyber-stalking is a crime, but some say it doesn’t get the same amount of attention that other Internet crimes do, like identity theft or pilfering money, and for this very reason experts say that consumers need to be even more vigilant when it comes to sharing too much information online and “friending” people they may not know.

The NCSA also says that removing old Internet posts or entries is a smart idea. Just like any other kind of stalker, a cyber-stalker will look under every stone until they can piece together your whereabouts or the information they need to harass you or locate you.

Be discreet

Consumers also should not post their whereabouts online. It's now commonplace for people to let everyone know which restaurant they're eating at or which movie they're attending, but for someone willing to sit at a computer and learn all of your daily movements, that just makes it that much easier to accomplish whatever bad deed they intend.

Experts also say that as parents apply these safety measures to their own Internet use, they should continually remind their children what to do to reduce the chances of being stalked or bullied online.

“Adults are not the only ones at risk when it comes to cyber-stalkers,” said Gary Davis, vice president of global consumer marketing at the security software company McAfee, in a statement.

“Parents need to communicate with their children about such Internet dangers and promote Internet safety. Be sure to secure your devices with strong passwords and frequent updates, connect only with people you know, and be careful not to share contact information or your location,” he said.


How To Know You Are Infected (Kim Komando)

Pop-up ads
Running into pop-up ads while surfing the Web used to be par for the course. Thanks to pop-up blocking now standard in modern browsers, these annoyances aren't common.

Still seeing pop-ups online from multiple sites? It could be a badly-configured browser.

Seeing pop-ups when your browser isn't even open? It's usually adware, spyware or scareware.

You can usually tell it's the last one if the pop-up says "a virus was detected." It will offer you a paid program to remove the virus. Of course, you'll just be downloading even more malware.

Keep an eye on your email "sent" folder and on your social network posts. If you see items you didn't send or post, change your account passwords immediately. This locks out whoever is using your stolen passwords, though it does not remove the malware that stole them.

Then go to work with your security software. After you've removed the virus, I'd change your passwords again, just in case.

Be sure to let your friends and family know you were hacked. That way they can take precautions for their accounts as well.


Locked computer
You're surfing the Web minding your own business. Suddenly a scary message appears. It says law enforcement has detected illegal material on your computer. You've been locked out until you pay a fine!

Of course it's a lie. A virus has taken over and is holding your computer ransom. That's why it's commonly called "ransomware."

Some ransomware doesn't even try to be sneaky. It tells you up front that hackers took over your system. You have to pay to get it back.

I don't recommend paying. You won't get your computer back.

Unfortunately, you probably won't be able to run your normal anti-virus program. You'll need a rescue CD. Free options include the AVG Rescue CD and Windows Defender Offline; both boot from their own media and scan the disk before the ransomware has a chance to load.

In some cases, the ransomware actually encrypts your files. If that happens, you had better have a recent backup, and one that is not permanently attached to the machine, because ransomware will encrypt any drive it can reach. Even if you get rid of the virus, your files might be lost.

Essential tools and programs stop working
If a computer is misbehaving, most computer users hit Ctrl + Alt + Del. The "three-finger salute" lets you open up Task Manager. This can show you what programs are causing trouble.

Sometimes, you'll hit this keyboard shortcut and nothing happens. Your Start Menu won't open. Nothing happens when you right-click on the desktop. Your security software won't run.

This is often a clue that a virus is messing with your computer. It's doing what it can to keep you from identifying it and removing it.

This is where deep-cleaning anti-malware software like Malwarebytes will shine. If that fails, you'll need to use a rescue CD like I mentioned earlier.

If nothing you do works, it could also be a hardware problem. Bad RAM and a failing power supply are the usual culprits.

Everything is running fine
I run into many people who don't install security software. The excuse is always the same: "But my computer runs just fine without it. If I had a virus, I'd know."

The simple fact is that you don't know. Modern malware can hide deep in your computer without raising red flags. It will just quietly go about its business.


How To Make Sure Microsoft Updates Your Computer On Patch Tuesday

The second Tuesday of every month is called Patch Tuesday and it's the day Microsoft releases updates for Windows, Office, Internet Explorer and other Microsoft products.

It's vital that you protect your computers and servers from the latest threats, and that is why you need to make sure these security updates install properly.

If Windows automatic updating is turned on, your computer will download the updates automatically and install them the next time you shut down or restart. If updates are waiting to be installed, you will see a yellow security badge or shield on the shutdown button in your Start menu, and/or in the notification area at the right end of the taskbar.

Click the button to turn off your computer and install the security updates. This could take a little bit of time, so make sure you don't need to use your computer anytime soon.

If you don't see the notification, go to Start>>All Programs>>Windows Update (it is also listed in Control Panel). This is the place to check whether there are updates that need to be installed on your computer. If updates are available, click the Install Updates button.

Make sure you double-check the "most recent check for updates" date and time to see whether the computer checked in the last day or so. If your computer hasn't checked for updates recently, click the Check for Updates link.

Best Practice: Have automatic updates check for new updates nightly at about 3:00 a.m., and leave your computer or server on overnight for updates and virus scans. That way, the computer is not trying to install updates while you are trying to work on it.

Remember also to restart your computer first thing every morning before use. That way, any updates that require a restart will be complete, the cache will be cleared, memory refreshed, and pending writes flushed to disk.

- See more at: http://www.komando.com/tips/index.aspx?id=13744
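Checking the GUI by hand works for one machine; for more than a few, it helps to have the same check in a script. The following is an added example, not code from the article: it computes the most recent Patch Tuesday (second Tuesday of the month) and compares it with the newest InstalledOn date in the output of `wmic qfe get HotFixID,InstalledOn` (or `Get-HotFix` in PowerShell), which you capture on the machine and feed in. The sample output and its KB numbers are constructed placeholders, and the InstalledOn column is assumed to be in M/D/YYYY (U.S. locale) form.

```python
"""Check whether a Windows machine has taken this month's Patch Tuesday updates.

Added example, not from the article. It works on the text of
`wmic qfe get HotFixID,InstalledOn` (or `Get-HotFix` in PowerShell), captured
on the machine; the sample below is constructed. The InstalledOn column is
assumed to be in M/D/YYYY form (U.S. locale).
"""
import calendar
import re
from datetime import date, timedelta
from typing import Optional

DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def latest_patch_tuesday(today: date) -> date:
    """Most recent Patch Tuesday on or before `today`."""
    pt = patch_tuesday(today.year, today.month)
    if pt > today:  # this month's hasn't happened yet, so use last month's
        year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
        pt = patch_tuesday(year, month)
    return pt


def latest_install(qfe_output: str) -> Optional[date]:
    """Newest InstalledOn date in wmic/Get-HotFix output, or None if none parse."""
    newest = None
    for m in DATE_RE.finditer(qfe_output):
        month, day, year = (int(x) for x in m.groups())
        when = date(year, month, day)
        if newest is None or when > newest:
            newest = when
    return newest


def update_status(qfe_output: str, today: date) -> str:
    """'current' if something was installed on or after the last Patch Tuesday,
    'stale' if the newest install is older than that, 'unknown' if no dates parse."""
    newest = latest_install(qfe_output)
    if newest is None:
        return "unknown"
    return "current" if newest >= latest_patch_tuesday(today) else "stale"


def read_text(path: str) -> str:
    """Read captured output; handles both UTF-16 (as wmic writes when redirected
    to a file) and UTF-8."""
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


# Constructed sample of `wmic qfe get HotFixID,InstalledOn` output; the KB
# numbers are placeholders, not real update identifiers.
SAMPLE_QFE = """\
HotFixID   InstalledOn
KB9990001  9/11/2013
KB9990002  9/11/2013
KB9990003  10/9/2013
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_patch_tuesday.py qfe.txt
        print(update_status(read_text(sys.argv[1]), date.today()))
    else:
        print(update_status(SAMPLE_QFE, date(2013, 10, 16)))  # current
```

A "stale" result a week after Patch Tuesday is the cue to open Windows Update and click Check for Updates as described above; "unknown" usually means the captured output is in a different date format or the capture was empty.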

How To Prevent USB Data Breaches

(Josh Davis @ Business2Community) In today's National Cybersecurity Awareness Month post, SolarWinds' VP of Product Management, Chris LaPoint, takes us behind the scenes of USB drive security awareness and ways to ensure mobile data remains secure. Chris has spent the last decade building IT management software, first as a software engineer, then as a technical evangelist and product manager at SolarWinds.

In the movies, USB drives are the tools spies use to easily tote around a secret list of global CIA operatives, or nuclear launch codes. All of it highly secure, of course.

The problem is that USB drives are not necessarily secure, and life is not a Jason Bourne film. In fact, USB drives are highly susceptible to malware and data loss due to, among other things, simple human error.

According to the Ponemon Institute:

  • 800,000 data-sensitive devices are lost or stolen each year
  • 74% of missing USB drives result from employee negligence
  • 65% of missing USB drives are not reported by the employee

Of course, public sector organizations need to be particularly careful that data stored on USB drives is kept safe. There is no margin for error here; even the smallest breach can cause catastrophic results. That’s why organizations such as the Department of Homeland Security are actively endorsing particular types of encrypted USB drives and auditing all mobile devices.

Beyond a full-scale audit, however, there are some simple steps that federal agencies can take to ensure USB security, including:

  1. Active monitoring and tracking of network activity. Breaches exhibit certain patterns: for example, unusual after-hours activity on your network, or more login attempts than usual against systems that hold sensitive information. Tracking LAN traffic can help IT teams pinpoint USB-introduced malware by how it tries to reach other ports or network hosts, so the threat can be contained. The same visibility helps catch data being staged for removal on a USB drive before it leaves the organization.
  2. Deploy a secure managed file transfer system. USB drives are popular, but they're certainly not the only easy-to-use storage solution. Remember FTP? It gets a bad rap for being insecure, and plain FTP deserves it: credentials and files travel in the clear. Managed file transfer (MFT) systems wrap file transfer in encrypted transports (SFTP, FTPS or HTTPS) and add access control and auditing, while still letting employees reach files wherever they are. These web-based systems control access via virtual folders and let IT managers monitor and control the data being accessed. MFT systems also eliminate the need to store data on physical media, so information is no longer literally walking out the door. In fact, you can shut off access to USB drives altogether and still give employees a simple, secure way to reach information.
  3. Use a USB defender tool. If you're still set on allowing USB devices on your network, a USB defender tool is a must. USB defenders can alert IT in real time whenever a USB drive is used. That usage can then be matched against network logs to correlate malicious activity with USB use. Defender tools can automatically block USB usage, disable user accounts, quarantine workstations and eject drives, which takes a massive load off the security-minded IT manager.

USB drives may not exactly be the end-all storage solution that Hollywood would like us to believe – but they could certainly end all of the hard work that organizations have done to keep their information safe. Organizations need to do everything they can to monitor, protect and defend that information, or risk having data corrupted or compromised.
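The monitoring in step 1 and the USB-to-network correlation in step 3 come down to a few detection rules over the logs you already collect. Here is one way to write them, as an added example that is not code from the article or from SolarWinds: after-hours logons, a burst of failed logons against a host holding sensitive data, and a USB insert on a workstation followed by a bulk read from such a host. The log format, the host names and the sample lines are constructed, and the business hours, sensitive-host list and thresholds at the top are assumptions to tune for your environment.

```python
"""Detection rules for the patterns in step 1 and step 3 above: after-hours
logons, a burst of failed logons against a host holding sensitive data, and
a USB insert followed by a bulk read from such a host by the same workstation.

Added example, not code from the article or from SolarWinds. The log format,
the hosts and the sample lines are constructed; business hours, the
sensitive-host list and the thresholds are assumptions set at the top.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)            # 07:00-19:00 local, Monday-Friday (assumption)
SENSITIVE_HOSTS = {"FILESRV01"}     # hosts holding protected data (assumption)
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)
BULK_BYTES, BULK_WINDOW = 50_000_000, timedelta(minutes=15)


def parse(line):
    """'2013-10-15T02:14:07 event=x host=y ...' -> dict, with a datetime under 'ts'."""
    stamp, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return rec


def after_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect(lines):
    """Run the three rules over log lines; return a list of (rule, detail) alerts."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    alerts = []
    fails = defaultdict(list)   # (host, src) -> timestamps of recent failed logons
    last_usb = {}               # workstation -> time of its most recent USB insert

    for e in events:
        kind = e.get("event")

        # Rule 1: any logon, successful or not, outside business hours
        if kind in ("logon_ok", "logon_failed") and after_hours(e["ts"]):
            alerts.append(("after_hours_logon", f'{e["user"]}@{e["host"]} at {e["ts"]}'))

        # Rule 2: FAIL_THRESHOLD failed logons to a sensitive host from one source
        # inside FAIL_WINDOW (fires once, when the threshold is reached)
        if kind == "logon_failed" and e["host"] in SENSITIVE_HOSTS:
            key = (e["host"], e["src"])
            fails[key] = [t for t in fails[key] if e["ts"] - t <= FAIL_WINDOW] + [e["ts"]]
            if len(fails[key]) == FAIL_THRESHOLD:
                alerts.append(("logon_burst", f'{FAIL_THRESHOLD} failures to {e["host"]} from {e["src"]}'))

        # Rule 3: a USB insert on a workstation followed, within BULK_WINDOW, by a
        # read of BULK_BYTES or more from a sensitive host by that workstation
        if kind == "usb_insert":
            last_usb[e["host"]] = e["ts"]
        if kind == "file_read" and e["host"] in SENSITIVE_HOSTS:
            t0 = last_usb.get(e.get("client"))
            if t0 and e["ts"] - t0 <= BULK_WINDOW and int(e["bytes"]) >= BULK_BYTES:
                alerts.append(("usb_then_bulk_read",
                               f'{e["client"]} read {e["bytes"]} bytes from {e["host"]} '
                               f'{e["ts"] - t0} after a USB insert'))
    return alerts


# Constructed sample log (2013-10-15 is a Tuesday); not real data.
SAMPLE_LOG = """\
2013-10-15T02:14:07 event=logon_failed host=FILESRV01 user=jdoe src=10.0.0.45
2013-10-15T02:14:19 event=logon_failed host=FILESRV01 user=jdoe src=10.0.0.45
2013-10-15T02:14:31 event=logon_failed host=FILESRV01 user=jdoe src=10.0.0.45
2013-10-15T02:14:44 event=logon_failed host=FILESRV01 user=jdoe src=10.0.0.45
2013-10-15T02:14:58 event=logon_failed host=FILESRV01 user=jdoe src=10.0.0.45
2013-10-15T02:15:20 event=logon_ok host=FILESRV01 user=jdoe src=10.0.0.45
2013-10-15T09:05:00 event=logon_ok host=WS-045 user=asmith src=10.0.0.45
2013-10-15T09:06:12 event=usb_insert host=WS-045 user=asmith
2013-10-15T09:11:40 event=file_read host=FILESRV01 client=WS-045 user=asmith bytes=120000000
"""

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:20} {detail}")
```

Rule 3 is the one that ties USB use to the network: the USB insert alone is noise on most desks, and a large read from the file server alone is normal work, but the two within a few minutes of each other on the same workstation is exactly the staging pattern step 3 describes and is worth a human look.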

How To Remove Tagged Photos From Instagram Profile

(Emily Price @ Mashable) Instagram added the ability to tag photos this week. Similar to photo tagging on Facebook, your friends can now tag you in their Instagram photos so that the image shows up on your profile as well.

It’s a fantastic feature if you want to share those photos with the world, but what if your friend adds a picture of you that you’d rather people not see? Luckily, there's a quick and easy way to remove a tag, as well as a way to make sure no photos make it to your profile without your permission.

Much like how it’s handled on Facebook, when you’re tagged in a photo on Instagram the app sends you a notification. Tagged images are added to a “Photos of You” tab on your profile page.

Tap on the tag in an offending photo to bring up a dialog box of options. From there you can choose to hide the photo from your profile, remove the tag, or report the photo as inappropriate.

If you’d rather not be tagged in any photos you can set things up that way as well. Simply select the Settings menu from the Photos of You section, and then change the selection from “Add Automatically” to “Add Manually.” Now, you’ll have to approve any photos that get added to your profile page.

How To Remove Your Online Info

The Paranoid's Bible: An anti-dox effort.

The Paranoid’s Bible (PB) is a repository of knowledge meant to help people remove their information (Dox) from the web and people search engines.

How to Protect Yourself From Email Fraud

(Kelly and the Kids at enrichingkids.com AND SpecialDatabases) Email has quickly become one of the most effective ways for people to communicate with each other, and it has dramatically changed the way we communicate, for personal and business purposes alike. We no longer have to rely on the mail or the telephone; email gives us quick, inexpensive and efficient communication with others. But while email has become the preferred method of communication for businesses as well as individuals, it is not without risks.

Email is a great vehicle for instantly sharing information, ideas, thoughts and much more, for individuals and companies alike. One concern, though, is whether the email you receive is genuine. While the vast majority of the email we receive is legitimate, it is the small amount of questionable email that you need to be concerned with.

One of the biggest problems we face is email and Internet fraud. Email fraud is an email sent by someone who makes a false claim, with the aim of conning the recipient into acting in a way that costs them money. It is becoming one of the biggest problems people face online. While laws are in place to protect people from these scams, the key is being aware of the potential dangers so that you avoid becoming a victim.

To help learn more about the dangers of email fraud and how to prevent being a victim, we have gathered a number of helpful links. Be safe!

  • What is email Fraud? – Informative page which outlines what email fraud is and why it is dangerous.

  • Email Fraud – Article from the New York Times which provides information on what makes email fraud work.

  • Definitions – Useful article which lists a number of common definitions related to online fraud.

  • Internet Fraud – Helpful definition of what is commonly referred to as Internet fraud.

  • Internet Hoaxes - Information and definition of the legal description of an Internet hoax.

  • What is an email Hoax? – Web page which outlines the different kinds of email hoaxes.

  • Email Phishing Scams – Information on Phishing including examples and how to prevent being a victim.

  • Common Fraud Scams – Informative site from the FBI which gives an overview of typical fraud schemes.

  • Email Frauds – Article which lists several common varieties of email fraud attempts.

  • Email and Text Fraud – Helpful page with information on what to look for in possible fraudulent emails and texts.

  • Fraud and Phishing Resources – Useful page with information for consumers about email fraud.

  • Frauds and Scams - Overview of the various types of online and email frauds and scams that consumers need to be aware of.

  • Email Frauds - Useful page which provides information on email frauds and other online dangers.

  • Danger of Email Scams – Helpful article which contains an overview of possible email scam dangers.

  • Email Dangers – Article providing tips and suggestions on how to avoid email dangers.

  • Potential Risks – Information on potential risks associated with email and the Internet and how to avoid them.

  • Email Risks – Kid-friendly information for children informing them of email risks.

  • Email Risks – Page of legal information from an employer's point of view about the potential risks with email.

  • CAN-SPAM Act – Informative page from the FTC about laws that businesses should follow regarding emails.

  • Email Privacy Laws – Overview of some of the laws pertaining to protecting consumers through email.

  • Email Privacy Act – Useful page which looks at a 2013 law for email privacy.

  • Email Privacy – Web page which looks at the legal issues involved with email privacy.

  • Privacy in the Workplace – Overview of the issues of email in the workplace.

  • Spam Messages – Informative page from the FCC about how to stop unwanted text and email messages.

  • Preventing Fraudulent Communication – Useful page with information about how consumers can prevent being a victim.

  • Fraud Protection Tips - Information and suggestions for consumers on how to be protected from fraud.

  • Fight Fraud – Overview of several fraud activities and how to prevent being a victim.

  • Fraud Prevention - Informative web site with information about fraud, how to prevent being a victim and how to file a complaint if you are a victim.

  • Prevent Internet Fraud – Article with ten suggestions on how to prevent fraud.

  • Preventing Fraud – Helpful tips for consumers on how to prevent Internet fraud.

How to Read and Delete What Google Search Knows About You

Here’s How to Download and Delete What Google Search Knows About You

( @Technology Reporter) Have you ever wondered what Google Search really knows about you? Well, now you can check, as Google has added a feature that lets you view and download your entire search history.

Yep. Everything.

The feature, which was spotted by the unofficial Google Operating System Blog — though VentureBeat points out that the function was made available in January — gives you access to everything from what you searched for to the links you clicked on from those searches. It also shows you the addresses you’ve searched for.

I was even able to see the list of images I clicked on while searching for pictures of cats eating spaghetti. Now imagine what you’ve looked for. Oh, and clearing your browser history won’t delete this data.

But there’s no reason to panic, because in addition to being able to download your search history, you can clear it.

First, here’s how to download your history:

1. Navigate to Google’s Web and App Activity page.


2. Next, click the gear icon in the top-right corner of the screen.


3. Then select Download from the drop-down menu.


You’ll then receive a pop-up window warning you not to download your search history to a public computer, as it contains a large amount of sensitive information.

4. If you want to continue, click Create Archive


Once your history is downloaded, you’ll receive a link in a few seconds that lets you view your data.

If you don’t want to download your data, and would rather get rid of it, you can do that as well. Of course, there are some reasons to let Google keep your search data: Google uses it to personalize your results and to keep Google Now supplied with relevant information about you. If you delete it, your searches won’t be as tailored to your habits.

Still want to get rid of your search history? Here’s how:

Before we get started, it’s worth pointing out that if you want to keep future searches out of this history, you can use your browser’s private browsing mode. That keeps the browser from saving history locally and, because you are signed out of Google by default, keeps the searches from being attached to your Google account. It does not make them invisible: your service provider or employer can still see them, and Google’s servers still log them.

Simply deleting your browser history won’t clear the data saved by Google, because you’re only deleting the information stored by your browser and not what’s on Google’s servers. To do that, you’ll have to:

1. Navigate to the Web and App Activity page and click the gear icon in the top-right corner.


2. Select Remove Items and choose “the beginning of time” from the drop-down menu.


3. Click Remove and kiss your data goodbye.


That’s it. All of your search history will be deleted, and you’ll never have to worry about Google knowing about the time you looked for tickets to a Justin Bieber concert.

How to detect malware on your PC

(Mark Huffman @ ConsumerAffairs) There is growing concern about cyber security, especially among businesses and organizations that maintain vast networks. But consumers have to be aware of any threats to their personal computers and mobile devices. These threats are usually in the form of malware.

Malware is a general term to describe software you did not knowingly install and that disrupts the normal operation of your machine. It can simply be annoying or a serious threat. Your anti-virus software is supposed to detect and deflect these programs but, for a number of reasons, some can slip by.

Here are some signs that your PC might be compromised:

The machine runs slower than usual. We're not talking about your Internet speed, necessarily, but the speed at which your computer runs programs and performs tasks.

If your browser takes you to a different site than the one you selected from your bookmarks, or a search engine gives you odd, unpredictable results, it's a strong sign your computer is infected with malware. After all, the main purpose of malware is to give someone else control over your machine.

Use care in downloading fixes

There are a number of free programs that will scan your system in search of malware, but be very careful, checking out any program before you download it. Michael, of Plano, Tex., downloaded MyCleanPC, which is advertised on TV, and now wishes he had not.

“Almost immediately I began noticing an unbelievable number of advertisements of all kinds on my laptop, making my laptop run even slower,” Michael wrote in a ConsumerAffairs post. “I have so far uninstalled all traces of MyCleanPC from my laptop, and the effect is spectacular. No more silly and annoying ads and my laptop is a bit faster.”

Malware is sometimes enabled by a rootkit, a type of software that disguises what your computer is doing, sometimes well enough to fool your anti-virus software. Once attackers gain access to a compromised computer, they can perform just about any task you can, including changing settings.

Some may recall the 2005 scandal involving Sony BMG Music, whose music CDs installed copy-protection software that included a rootkit. The rootkit was meant to hide the copy-protection software so it could limit what consumers did with the CD, but the same cloaking could be used by other malware to hide from anti-virus scanners, and it amounted to a major security hole.

A nasty threat

While a rootkit is very hard to detect, it may be even harder to remove; in the worst cases it requires replacing hardware. Fortunately, rootkits are not as common as run-of-the-mill malware. In most cases, malware is used to redirect your attention from what you are looking for toward something the attacker wants to sell.

To do this, malware often attacks and changes your DNS server settings. Computers reach sites by IP address, a series of numbers punctuated by periods, not by names like ConsumerAffairs.com. DNS servers provide the translation from the name you typed into your browser's address bar to the numeric address that identifies the site.

Hackers have learned that if they can control a user's DNS servers, they can control which sites the user connects to on the Internet. A piece of malware called DNSChanger did exactly that: by changing the user's DNS server settings, the criminals could send the user to a different site than the one the user actually wanted.

In November 2011 the FBI seized the rogue DNS servers (Operation Ghost Click) and, under a court order, kept substitute servers running at the same addresses so that infected machines stayed online. When those substitutes were finally switched off in July 2012, machines still infected with DNSChanger could no longer resolve names and appeared to lose their Internet connection.
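The check a technician would run for this is simple: read the DNS servers the machine is configured to use and compare them with the address ranges the rogue servers occupied. Below is an added example that is not from the article. The six ranges are the ones the FBI and the DNSChanger Working Group published for the rogue servers (verify them against the DCWG list before relying on them); reading the configured servers is platform-specific and lives in `get_dns_servers()`, while the comparison itself is a pure function over a list of addresses. The `ipconfig /all` excerpt is constructed.

```python
"""Check a machine's DNS resolver settings against the DNSChanger rogue ranges.

Added example, not from the article. ROGUE_RANGES are the ranges the FBI and
the DNSChanger Working Group published for the seized servers; confirm them
against the DCWG list. The ipconfig sample below is constructed.
"""
import ipaddress
import platform
import re
import subprocess

ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]


def rogue_servers(servers):
    """Return the subset of `servers` that fall inside a rogue range.
    Entries that are not plain IP addresses (e.g. IPv6 with a %zone) are skipped."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue
        if any(addr in net for net in ROGUE_RANGES):
            hits.append(s)
    return hits


def parse_resolv_conf(text):
    """nameserver addresses from /etc/resolv.conf (Linux, macOS)."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)


def parse_ipconfig(text):
    """DNS servers from `ipconfig /all` output. The first server sits on the
    'DNS Servers' label line; any further servers follow on deeply indented
    continuation lines."""
    servers, grab = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            servers.append(line.split(":", 1)[1].strip())
            grab = True
        elif grab and re.match(r"^\s{6,}\S", line):
            servers.append(line.strip())
        else:
            grab = False
    return [s for s in servers if s]


def get_dns_servers():
    """Configured resolvers on the machine this runs on."""
    if platform.system() == "Windows":
        out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
        return parse_ipconfig(out)
    with open("/etc/resolv.conf") as f:
        return parse_resolv_conf(f.read())


# Constructed excerpt of `ipconfig /all` output on an infected machine.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       67.210.2.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    servers = get_dns_servers()
    print("configured DNS servers:", servers)
    print("DNSChanger ranges hit:", rogue_servers(servers) or "none")
```

DNSChanger also rewrote the DNS settings on home routers it could log into with default credentials, so a clean-looking machine can still be handed rogue resolvers by DHCP; the check catches that case too, since the addresses then show up in the machine's own configuration, but the fix is in the router.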

What to do

If you suspect your machine is infected with malware, you could troubleshoot the problem yourself, but you are probably better off seeking professional help. Seek an independent computer repair shop that has a good reputation. That will usually yield better results than using repair services operated by big box retailers.

Once your machine is cleaned and repaired, make sure you keep your anti-virus software and computer operating system updated. It's probably not a bad idea to take your computer to a repair shop for a diagnostic tune-up once a year anyway, just as you would get regular service for your car.

All this assumes you are running Windows, which is where most of the malware described here lives. If you are using an Apple machine, a Chromebook or Linux, you are far less likely to run into it, but not immune; DNSChanger, for one, had a Mac version, so the same advice about updates and caution with downloads applies.

Huge attack on WordPress sites could spawn never-before-seen super botnet

(Dan Goodin @ arstechnica) Security analysts have detected an ongoing attack that uses a huge number of computers from across the Internet to commandeer servers that run the WordPress blogging application.

The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a "botnet" of infected computers that's vastly stronger and more destructive than those available today. That's because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.

"These larger machines can cause much more damage in DDoS [distributed denial-of-service] attacks because the servers have large network connections and are capable of generating significant amounts of traffic," Matthew Prince, CEO of content delivery network CloudFlare, wrote in a blog post describing the attacks.

It's not the first time researchers have raised the specter of a super botnet with potentially dire consequences for the Internet. In October, they revealed that highly debilitating DDoS attacks on six of the biggest US banks used compromised Web servers to flood their targets with above-average amounts of Internet traffic. The botnet came to be known as the itsoknoproblembro or Brobot, names that came from a relatively new attack tool kit some of the infected machines ran. If typical botnets used in DDoS attacks were the network equivalent of tens of thousands of garden hoses trained on a target, the Brobot machines were akin to hundreds of fire hoses. Despite their smaller number, they were nonetheless able to inflict more damage because of their bigger capacity.

There's already evidence that some of the commandeered WordPress websites are being abused in a similar fashion. A blog post published Friday by someone from Web host ResellerClub said the company's systems running that platform are also under an "ongoing and highly distributed global attack."

"To give you a little history, we recently heard from a major law enforcement agency about a massive attack on US financial institutions originating from our servers," the blog post reported. "We did a detailed analysis of the attack pattern and found out that most of the attack was originating from [content management systems] (mostly WordPress). Further analysis revealed that the admin accounts had been compromised (in one form or the other) and malicious scripts were uploaded into the directories."

The blog post continued:

"Today, this attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is making it difficult for us to block all malicious data."

According to CloudFlare's Prince, the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username "admin" and 1,000 or so common passwords. He said the attacks are coming from tens of thousands of unique IP addresses, an assessment that squares with the finding of more than 90,000 IP addresses hitting WordPress machines hosted by HostGator.

"At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website," the company's Sean Valant wrote. "These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including 'special' characters (^%$#@*)."

Operators of WordPress sites can take other measures too, including installing plugins such as this one and
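The attack pattern described above (POSTs to the login page with the username "admin", a handful of tries from each of tens of thousands of addresses) is easy to miss if you only watch for a single noisy source. The following is an added example, not code from the article or from any of the hosting companies quoted: it reads an Apache combined-format access log, counts POSTs to wp-login.php in a sliding window, lists addresses that exceed a per-address limit, and separately flags the distributed case where many addresses each try only a couple of times. The log lines are constructed by `make_sample()` using the documentation address ranges, and the thresholds are assumptions.

```python
"""Spot the WordPress login brute-force pattern described above in a web
server access log: POSTs to wp-login.php, counted per source address and
across all addresses in a sliding window, so that both a single noisy host
and a distributed campaign (many hosts, a few tries each) are flagged.

Added example, not code from the article or from any of the hosting
companies quoted. The log lines are constructed in Apache combined format
using the documentation address ranges; the thresholds are assumptions.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

PER_IP_LIMIT = 10       # login POSTs from one address inside WINDOW: block it
DISTRIBUTED_IPS = 50    # distinct addresses posting inside WINDOW: a campaign
WINDOW = timedelta(minutes=10)


def login_posts(lines):
    """(timestamp, ip) for every POST to wp-login.php, sorted by time."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        out.append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))
    out.sort()
    return out


def analyze(lines):
    """Return {'attempts': n, 'block': [ips over PER_IP_LIMIT], 'distributed': bool}."""
    posts = login_posts(lines)
    window, block, distributed = deque(), [], False
    for ts, ip in posts:
        window.append((ts, ip))
        while ts - window[0][0] > WINDOW:      # drop events older than WINDOW
            window.popleft()
        per_ip = Counter(p[1] for p in window)
        if per_ip[ip] >= PER_IP_LIMIT and ip not in block:
            block.append(ip)
        if len(per_ip) >= DISTRIBUTED_IPS:
            distributed = True
    return {"attempts": len(posts), "block": block, "distributed": distributed}


def make_sample():
    """Constructed log: one ordinary GET, 60 hosts trying twice each within
    five minutes (the distributed pattern) and one host trying 12 times."""
    base = datetime(2013, 4, 12, 3, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, path="/wp-login.php", method="POST"):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
                f'200 3212 "-" "Mozilla/5.0"')

    lines = [line("198.51.100.200", base, "/about/", "GET")]
    for n in range(1, 61):
        for k in range(2):
            lines.append(line(f"198.51.100.{n}", base + timedelta(seconds=5 * n + 2 * k)))
    for k in range(12):
        lines.append(line("203.0.113.9", base + timedelta(seconds=20 * k)))
    return lines


if __name__ == "__main__":
    print(analyze(make_sample()))
    # {'attempts': 132, 'block': ['203.0.113.9'], 'distributed': True}
```

The per-address block list is the easy half; the distributed flag is the useful one here, because no single address in that campaign trips a rate limit. When it fires, the responses that actually help are the ones the hosts above recommend: a strong admin password, no account literally named "admin", and restricting or rate-limiting wp-login.php in front of WordPress rather than chasing tens of thousands of addresses one at a time.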