History buffs may know that the Titanic disaster had far-reaching consequences as officials struggled to understand and correct what had led to such a terrible loss of life. One of the lesser known outcomes was the formation of the Federal Communications Commission, or FCC, under the Radio Act of 1912.

At the time of the ship’s sinking, anyone with the right homemade equipment could be a “wireless” operator, and the overload of crisscrossed signals spreading incorrect information was initially blamed for the shortage of ships coming to Titanic’s aid. The Radio Act made several provisions, including one that licensed radio operators and ensured that emergency radio communications weren’t disrupted by individual operators.

Now, the FCC is once again at the center of a newly proposed plan to keep the public safe from a previously unforeseen communication threat: Internet of Things-connected devices.

A DDoS attack in October used unsecured IoT devices to block access to several major websites in various high-density areas of the country. A DDoS attack, or distributed denial-of-service attack, occurs when someone directs so many connections at one website’s servers that the website crashes under the weight of all the requests. In the case of the recent event, the connections that were clogging up Facebook, Twitter, PayPal, and many other websites didn’t come from real people. Instead, they came from things like webcams, smart TVs, and Wi-Fi routers that hackers had infiltrated and redirected to clog up these websites.

In order to prevent this type of hacking event, outgoing FCC Chairman Tom Wheeler has sent a proposal in response to a letter from Senator Mark Warner, one which outlines the need for a certification concept for IoT devices similar to the ones that are already in place for cordless phones and cell phones. The goal seems to be better regulation and labeling with the intention of securing some of the millions of households that use IoT-connected devices.

But one of the FCC’s broader concerns is now the internet service providers (ISPs) themselves, the companies that provide internet service to customers. ISPs are ultimately the source of the internet connections that hackers rerouted, and the FCC wants to make sure that the ISPs are doing everything they need to in order to prevent this type of large-scale IoT attack. For now, though, some officials have argued that regulating the ISPs is outside the scope of the FCC’s authority, and that this kind of regulation couldn’t happen without broadening the current reach of the agency.


If you had trouble using your favorite websites last Friday, you’re not alone. Large sections of the country experienced internet outages on some major sites, outages which turned out to be an intentional DDoS attack by hackers. The long list of shuttered websites included Twitter, PayPal, CNN, and Reddit, along with several news outlets, social media sites, and retailers.

DDoS stands for distributed denial-of-service, and basically it means the hackers sent so much traffic to those websites that it clogged them up. It’s just like walking up to your favorite ride at Disney World, only to have thousands of tour buses unload their passengers into the line before you can get there. Only, in this case, those passengers aren’t really people, they’re just cardboard cut-outs of people; they’re not going to get on the ride and the line is never going to move.

So where did all these fake people come from? That’s where things get a little surreal. According to reports about DDoS attacks like this one from Krebs On Security, hackers can use hijacked connections and divert them to the sites they want to slow down. One large infrastructure company, Dyn, was targeted in Friday’s attack, meaning many of the companies that rely on Dyn’s service to make their websites work were slammed with fake traffic.

The “fake accounts” that were busy clogging websites and making them crash were actually hacked Internet of Things (IoT) devices, which are everyday objects that have network connectivity. A Chinese software company that powers a lot of the IoT devices on the market has already stated that its products were hacked and used in this event. The company has now issued a recall of many of the products that were used to pull off the attack.

A large share of the blame for this attack falls on the consumers who own those IoT devices. When they set up their smart TVs, connected webcams and home security cameras, DVRs, and more, any weak passwords they may have used left their accounts and their devices vulnerable to hijacking. A weak password is one that is easily guessed—something like “password,” which has long been one of the most commonly used passwords around the world—and therefore leaves the door wide open for a hacker.

A common misperception about weak passwords is that an easy password is so obvious that no hacker would think you would use it. That’s like saying, “123456 is so simple, hackers are going to think I’m smarter than that.” Unfortunately, what many people fail to realize is that cybercriminals don’t sit at their keyboards and randomly guess your password. They rely on readily available software to “crack” your password, software that is capable of making millions of guesses per second.

That’s why your password has to be strong and unique. A unique password is just what the name implies: it’s only used on one account or one device. It’s tempting to reuse your passwords—especially if you’ve gone to the trouble to memorize a really strong combination of letters and numbers—but once a hacker has that password, they can test it out on all of your accounts.

A strong password is a little trickier. It needs to have at least eight characters (if not more), and it needs to contain a combination of uppercase letters, lowercase letters, numbers, and symbols. It also shouldn’t use any part of your name, your birthdate, or any other identifying feature that can be gleaned from your account information.
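The rules in the paragraphs above, written out as an added example (this is not code from the original article): a Python check for length, the four character classes, account details, commonly used passwords and reuse, plus a worst-case exhaustive-search time. The guess rate of one million per second, the small common-password list and the profile fields are assumptions made for illustration.

```python
import re
import string

# Constructed sample list; the article names "password" and "123456".
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Assumption: the low end of "millions of guesses per second".
GUESSES_PER_SECOND = 1_000_000

# The four character classes the article asks for, with their alphabet sizes.
CLASSES = [
    ("lowercase letter", str.islower, 26),
    ("uppercase letter", str.isupper, 26),
    ("number", str.isdigit, 10),
    ("symbol", lambda c: c in string.punctuation, len(string.punctuation)),
]


def identity_tokens(profile):
    """Break account details (name, birthdate, ...) into lowercase fragments.

    Fragments shorter than 3 characters are ignored to avoid flagging
    every password that happens to contain "07" or "12".
    """
    tokens = set()
    for value in profile.values():
        lowered = value.lower()
        for part in re.split(r"[^a-z0-9]+", lowered):
            if len(part) >= 3:
                tokens.add(part)
        compact = re.sub(r"[^a-z0-9]", "", lowered)  # e.g. "19840712"
        if len(compact) >= 3:
            tokens.add(compact)
    return tokens


def check_password(password, profile, used_elsewhere=()):
    """Return the list of rules the password breaks; empty means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for name, test, _size in CLASSES:
        if not any(test(c) for c in password):
            problems.append(f"no {name}")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    lowered = password.lower()
    if any(token in lowered for token in identity_tokens(profile)):
        problems.append("contains part of your account details")
    if password in used_elsewhere:
        problems.append("already used on another account")
    return problems


def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Time to try every password of this length over the classes it uses.

    This is an upper bound for blind guessing only: cracking software tries
    common and leaked passwords first, so a listed password falls at once.
    """
    alphabet = sum(size for _n, test, size in CLASSES
                   if any(test(c) for c in password))
    return max(alphabet, 1) ** len(password) / rate


if __name__ == "__main__":
    # Constructed profile and candidate passwords.
    profile = {"name": "Dana Reyes", "birthdate": "1984-07-12"}
    for candidate in ["123456", "password", "Dana1984!x", "t7#Wq!9zLp"]:
        issues = check_password(candidate, profile)
        seconds = worst_case_seconds(candidate)
        verdict = "OK" if not issues else "; ".join(issues)
        print(f"{candidate!r}: {verdict} (exhaustive search <= {seconds:,.0f} s)")
```
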


Boss Phishing: The Inside Track to Data Breaches

The culprits in hacking events and data breaches have often been seen as mysterious figures with high levels of computer skill. They’re the stuff of blockbuster cyberthrillers, often portrayed as slightly unstable geniuses with unstoppable abilities. But the reality of hacking and data breaches is far more mundane than Hollywood would have us believe; in fact, with the new tools and methods at criminals’ disposal, stealing information can be a fairly unskilled crime for anyone with the right power of persuasion.

The easiest way to steal data seems almost too obvious: simply convince someone to give it to you. Employees at every level within a company can be the targets of a low-tech scammer, from the custodian all the way up to the C-suite executive, as an alarming number of companies have already discovered.

How do scammers manage to convince company employees to give them access to entire databases of information? Through an increasingly common tactic known as “boss phishing.” This method—which has also been referred to as CEO phishing, spoofing, and business email compromise attacks—uses a bogus email that appears to come from someone higher up in the company, perhaps even the CEO, to persuade a lower-level employee to provide data, change a password, transfer funds, or carry out some other unauthorized activity. Once the recipient of the fake message complies, the hackers take over.

Boss phishing works for two major reasons: it’s easy to do, and the recipient thinks he’s complying with a superior’s orders. Questioning the boss’s orders is usually frowned upon, so employees all too often comply when they’re told to hand over information or transfer money from one account to another.

Some of the companies hit by a successful boss phishing attack just in 2016 include medical centers, schools, retailers, social media websites, and perhaps most surprising, software and technology companies. Care.com, Advance Auto Parts, and Snapchat were probably some of the more recognizable household names to be targeted earlier this year. In some cases, the stolen records belonged to employees of the company, while in other cases it was customers, patients, or students whose records were accessed.

Since this form of attack is both easy and effective, companies have got to take the threat seriously and enact a full-spectrum effort to prevent it. A company policy against fulfilling any emailed directive of a sensitive nature without verbal verification is a good start, so long as everyone understands that questioning the order isn’t insubordination, but instead is just smart cybersecurity. Another key step would be to limit who has access to large databases of stored information; if the “boss” emails an employee with instructions to do something the employee isn’t even capable of doing, that could serve as a warning that a hacker is at work in the system.

Thanks to the apps that power our mobile devices, no two smartphones or tablets are identical. Besides making our devices function exactly the way we need them to, apps are what make every single device a completely unique minicomputer, perfectly suited to its owner’s needs.

Unfortunately, those apps are the doorway to your security, too. If you stripped every single app off of your smartphone, there would be very little that a hacker or scammer could do to get into it and violate your safety. That’s why it’s so important that you understand the permissions you’re giving to your apps, and why they want those permissions in the first place.

One of the more notorious app-based security threats was in the flashlight apps that appeared in the different app stores. These simple, free apps turned your phone’s camera flash into a sustained light. So what’s wrong with that? First of all, a lot of smartphones have flashlight functions already included, so downloading another app to do the same thing just takes up memory space. Also, these apps were free; if the developer doesn’t make any money on it, what could possibly be the incentive for creating it? The easy answer is advertising. Many free apps have innocuous little header or footer ads, and the company makes its money that way.

However, here’s the real threat: a lot of the flashlight apps were found to request super-user access to your device, such as connecting to your contacts list, when you downloaded them. Why would a flashlight need to know how to contact your friends? Because it was going to spam them with offers, links, or possibly even viruses. At the very least the developers made money by selling those phone numbers or email addresses to spammers, and at worst they were able to spread viruses to lots of people.

This is just one scenario involving one type of app, but it speaks to the big picture: be very careful about the types of permission your apps can have. Apps will ask to send you notifications, to access your contacts list, to access your photographs, even to post on your behalf on social media through your accounts. Make sure you trust the app to do these things, and deny that permission if you can’t determine why the app should be given that capability.

But what about the apps you’ve had stored in your device for years? Do you know what permission you’ve granted in the past?

Luckily, finding out what your apps can do is pretty simple. Depending on the type of phone you have, look in your phone’s settings and find the tab for privacy. Scroll down until you can see your list of apps. Under each separate one, you can grant or deny permission to certain features of your phone. Remember, this can impact how the app functions; if the app no longer works correctly because you’ve removed some of its access, you can undo it in the settings in the same way.


When people think of malicious software infecting a computer network, they probably envision a file silently accessing and replicating gigabytes worth of data to be harvested for the virus’s creators. They probably don’t think of the office coffeemaker going on the fritz.

But that’s exactly what a worm called Stuxnet is capable of. Discovered in 2010, this particularly nasty software not only attacks the host computer that receives it, but it is capable of disabling other physical components that the computer controls. In one of the more headline-grabbing cases of malware attacks, Stuxnet—spread through infected computers belonging to third-party contractors—disabled the centrifuges at an Iranian nuclear power facility, causing them to shut down and need to be replaced.

There is a lot of speculation as to the origins of Stuxnet, and quiet finger pointing has named a number of chief officials and government leaders from several countries as having been at least aware of the design and implementation of Stuxnet.

While Stuxnet is a globally destructive tool, meaning that it’s more likely to be used to shut down the machines that run a country’s electrical power plants than to infect your computer’s online banking information, there are some lessons to be learned from Stuxnet as far as average citizens are concerned. The most important is that Stuxnet is believed to have been spread to the contractors’ computers in Iran via USB flash drives; some reports indicate that files transferred by those vendors on DVDs or CD-ROMs were not infected, but files transferred by flash drive were. There have been reports for quite some time about the vulnerabilities of flash drives, and that even everyday individuals have been victimized by harmful software embedded in the driver that controls the flash drive.

To avoid this problem, always use flash drives from trusted companies—as opposed to inexpensive or “free gift” flash drives from unknown sources—and scan each drive for viruses before using it. The vulnerabilities in flash drives are such that even store-bought drives from known manufacturers should be scanned before use.

Moreover, this is certainly not the first time malicious software has reached its intended objective via third-party contractors, as in the now-famous Target credit card breach that affected millions of shoppers. Stuxnet should serve as a wakeup call to all forms of industry that work with contractors and vendors, and force them to see the need to ensure excellent anti-virus and anti-malware controls before they are connected to outside computers.

If this is the new era of warfare, it is disturbing to think of the ramifications if this worm ever falls into the wrong hands. Experts who have investigated Stuxnet have come up with more questions than answers about how the system operates, but it is known that this is the first time a computer virus has had the capability to manipulate and harm physical objects, such as machinery, that are controlled by the infected computer.

Technology is improving at breakneck speed these days and that means we are buying new devices all the time. For many, new devices mean getting rid of the old ones, and there may be some question as to what to do with the devices no longer in use.

You’ve probably heard that the batteries that power many devices and the internal components that make them function can actually be harmful to the groundwater and soil if placed in landfills, so there are already recycling programs in place for cell phones and computers where the components are broken down for protected disposal. But there are also great opportunities for people to donate slightly outdated devices in order to let them continue working in their original capacities.

Cell phone recycling programs not only break down devices, they sometimes redistribute them to people who need connectivity but can’t necessarily afford a newer model. Computers, at the same time, can be donated by the owner to senior citizens’ programs, nursing homes, assisted living facilities, non-profit organizations, schools, and more.

There’s a very important consideration before donating any device, though, and that’s making sure you protect your privacy. Just wiping data from the hard drive isn’t enough, some experts say, to keep a person with the right know-how from accessing your old files, which could include saved or downloaded bank statements, credit card statements, your tax documents if you filed electronically, and more.

Your first step before unplugging your original device for good is to back up any information you’re going to need on a high-capacity flash drive. Make sure you get it all, because you’re going to say goodbye to it forever. Once you’re certain you have all of your necessary data, you’ll want to reformat the hard drive. This is a PERMANENT step, and cannot be undone, so be sure that you’re ready to send this device out the door before you complete this step.

One of the safest ways to ensure that your data is protected before you give away your computer or laptop is to remove the hard drive. This will mean that the recipient will need to purchase a hard drive—or you can kindly purchase a new one to replace yours before donating, if you feel like it—which will ensure that your original hard drive and all of its data and files will remain with you. There are two reasons this is a great idea: first, you can physically destroy the hard drive if you wish—yes, literally with a hammer, but be sure to wear eye protection and get all the pieces up before disposing of them; second, you can buy an inexpensive case at an electronics store (usually between $60 and $80, depending on the type of hard drive it is) and turn your old hard drive into an external hard drive for your new computer. You would still be able to access all of your old files, photos, videos, and more from your new computer, and you’d be able to store new files on it as well, avoiding clogging up your new computer with saved documents.

However you choose to dispose of your personal electronics, make sure you’ve stripped access to any online account logins, any passwords, and any personally identifiable information before letting it out of your sight.

October, as many people now know, is National Cyber Security Awareness Month. But where exactly does the awareness come from, and who is gathering the information needed to keep citizens informed about personal data protection and corporate cyber security? This information comes from a variety of individuals, from advocacy groups to IT experts, all people who have a vested interest in cybersecurity.

Cybersecurity is one of the exploding career fields right now in the tech space, but there is a lot of information to know before working towards a career goal involving computer protection. This infographic from StaySafeOnline shares a wealth of information on how to break into this lucrative and rewarding career, even if you’re not focusing on long-term plans for IT work.

First, a number of companies actually pay everyday citizens for reporting security flaws that they have discovered on their own. With the right technical know-how, you can reap the rewards of exposing vulnerabilities in major platforms, as long as you’re following the right protocols for reporting. Facebook, Google, Yahoo!, and a host of other companies compensate individuals who are known as “white hat hackers,” or basically, the good guys of the hacking world.

But for someone who wishes to become an industry professional, what does it take? According to the data, the overwhelming majority of cybersecurity jobs require a college degree in a related field of computer science, although some schools have placed this kind of educational program under the criminal justice department due to its close association with law enforcement. Major colleges around the country are only just beginning to develop four-year degrees and graduate degrees to create professionals in this new field, so seek out a program that offers accreditation through the university and has a proven track record of its graduates gaining employment.

A number of hacking competitions and cybersecurity events take place that will provide great knowledge, networking opportunities, and even resume experience. Look for information on the Global CyberLympics at cyberlympics.org, or the US Cyber Challenge at uscyberchallenge.org. There are also a lot of other similar events that can lead students who place well into a good higher ed program, so reach out to these event organizers for details on what it takes to be a part of them.

One catch-all organization that serves as a source of information and support is the National Initiative for Cybersecurity Careers and Studies, which can lead you in the right direction for pursuing this kind of work. With updates, resources, news items, and guidance, the NICCS works to increase the number of professionals working in this important law enforcement and tech field. Find out more about the organization at niccs.us-cert.gov.

For anyone with an interest in any specific field, the most important aspect is knowledge of the industry. Be sure to keep up with the news of data breaches, hacking events, software and tech vulnerabilities, and more, and make sure you’re following current industry leaders on social media to see what threats are currently on their radar. As technology continues to expand and the definition of a digital society continues to evolve, the need for qualified security experts will only go up.

Businesses rejoice in their ability to promote directly and for free to customers and prospects using social media.

While social media has created no-cost marketing opportunities, it also has created risks, including identity theft and data breach. Are you paying enough attention to the risks and costs? I hope so!

Think about it. Social-media sites ask registered users to provide as much personal and business information as possible. Some of the largest social media sites such as Facebook, Twitter and LinkedIn already have experienced data-breach events.

And now online perpetrators are using social media to create more opportunities than ever to steal identities and commit fraud.

Positive opportunities created by social media include the ability to increase business and consumer connections along with increasing your brand through sites such as LinkedIn, Facebook, Twitter and YouTube.

Some of the negative risks include the creation of permanent records and reputational damage to your brand in the event of a data-breach event.

Businesses need to identify social media’s intellectual property theft and data breach risks and plan and prevent accordingly. In particular, I encourage you to pay close attention to my top five risks to small business related to social media.

• The use of social media to make false or misleading claims.

• The use of social media to commit copyright or trademark infringement (oftentimes unintentional).

• The use of social media to use intellectual property without permission.

• The use of social media to steal trade secrets — or to post trade secrets and confidential information.

• The use of social media to steal employee or customer information, resulting in a data-breach event.

Based on the above, here are my four top risk-management tips that can help protect your business and minimize its social-media risks:

Create a crisis management plan detailing employee and employer protocol in the event of a data breach, injured employee, customer complaints or compliance and social-media issues. This crisis plan should state clearly what is accepted and not accepted in using social media.

Understand that social media creates a permanent record and that your business and/or your employees’ use of social media can result in a data leak, be used to discredit your business or to serve as a source for material discovery in a court case or litigation. Be sure to have an information policy, including a records management plan, to be consistent for all communication and correspondence, including social media.

Create a social media policy that provides a detailed explanation and clarification for all employees and vendors on what company information and/or issues can be discussed within and outside the business. This policy should include basic tenets and the negative impact on both the company and employee if this policy is ignored – either accidentally or on purpose.

Provide education and training for your employees, with specifics regarding the management and safeguarding of employee and customer information.

Mark’s most important: Take advantage of social media for your business, but be prudent when using it and be prepared with a plan in case ID- and cybercriminals decide to take advantage of you.


Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

In the wake of the Target breach, the Home Depot breach, the PF Chang’s breach, and hundreds of other corporate hacking events that made headlines in the last year, it’s easy to assume that cybercrime is only a “big company” problem. After all, hackers are taking a huge criminal risk in stealing and using other people’s data, so it’s understandable to think that hackers wouldn’t go after a small or mid-sized company. But that’s proving to not be the case, as small business owners are finding out almost every day.

October is National Cyber Security Awareness Month, and the focus of week four is on how small business owners need to prepare for data protection in order to safeguard their customers’ information and their own business security. By having adequate protocols in place to prevent a breach and a streamlined process for responding to a hacking event, hardworking business owners can know they are doing everything within their power to protect sensitive information.

Many industry experts have taken the viewpoint that it’s not a matter of “if” a data breach will affect a business, regardless of its size, but “when.” But one of the biggest obstacles small business owners face when it comes to data protection is the typically high price of investing in tools like quality anti-virus software, external hard drives for backing up consumer data, running system checks of their credit card systems, and more. Experts caution business leaders that investing in the right preventive tools before an incident occurs will result in tremendous savings by minimizing the damage and the resulting financial liability of exposing their customers’ data to hackers.

Also, given the fact that a high percentage of data breaches are actually “inside jobs,” it’s important to make sure that employees are limited in their ability to access customer or client information. By making sure that employees cannot retrieve sensitive data for which they really have no need—as in the case of not one, but two data breaches of cellular provider AT&T’s customers’ information in 2014 alone—a lot of expensive damage can be prevented.

But when an employee is responsible for a data breach, it’s not always malicious. Sometimes a lack of training or tech-awareness is all it takes to expose a business to hackers from the inside. By making sure that all employees are fully trained in the dangers of certain online behaviors like opening links in emails or downloading videos and images, as well as by ensuring that company computers that access sensitive data are not able to interact on social media, companies can help ensure the protection level of their content.

One other important tool is a routine checkup of company technology and networks, meant to uncover flaws or vulnerabilities in protection. This is especially important in a business’s credit card system, as a number of breaches have occurred due to malicious software running in the background on POS machines and other network-based computers. These checkups can have a significant cost, but it’s far better to pay for one before an incident happens, rather than as part of the process of assessing liability after a breach.

Perhaps the most crucial step a company can take in protecting its customers’ data is to not store unnecessary information in the first place. If a company requires customers’ personally identifiable information such as Social Security numbers or driver’s license numbers in order to establish an account, for example, there’s no need to hang onto that data after the account is opened and in good standing. It leaves the customers vulnerable to hacking, and the company liable for paying to clean up the mess after a data breach. By not holding onto information that hackers want, it might be possible to prevent a breach from ever happening.

With so much talk about hacking events and data breaches, and with Hollywood’s constant portrayal of the cyber bad guys, it can be easy to forget that simply being a hacker isn’t necessarily a bad thing. It certainly doesn’t always equate to criminal activity. Everyone from law enforcement agencies to retail companies relies on hackers to expose vulnerabilities in their security protocols, to develop creative ways of infiltrating a system before criminals can think of it, and even to solve crimes that may have nothing to do with breaking into a computer system.

This shift in perception of what “good” hackers really do is finally making its way into pop culture through television shows, movies, book characters, and more. Even better, the public image of the quintessential hacker—the person who has routinely been portrayed as a nerdy social outcast who turned to cybercrime because he was never accepted by his peers—is also changing. Instead of outlandish individuals with insurmountable personality quirks, more and more typical characters are making their way to the entertainment realm, and they’re demonstrating the good that this level of technological know-how can provide. At the same time, it’s promising to see the higher-than-ever numbers of female characters in these roles, as females and minorities have often been underrepresented in technology jobs of this level in the real-world work force.

One step that producers are taking with the new crop of highly popular television series is to try to present a more accurate portrayal of what it is hackers actually do, how they can be beneficial to the community at large, and how they operate. While it’s entertaining to watch a smug computer geek tap a few keys on his keyboard and announce that he’s broken into the system, that kind of work can actually take weeks to pull off. Of course, watching an hour-long program in which fifty minutes is spent watching a man type isn’t all that fun or engaging, so the industry has taken some liberties with its accuracy, much like it did with forensic detective work on many of the earlier crime series.

The new popularity of hackers does have to tread one fine line, and that’s the concept of vigilante justice. While it’s all well and good to fight for the little guy and make sure consumers are protected, doing so in violation of the law or where other individuals—even a Wall Street tycoon or Bernie Madoff-style criminal—are hurt is not in the public’s best interest. Groups like Anonymous, who’ve pulled off some interesting hacks while fighting for justice, have come under fire for their efforts, while public interest groups have had to draw the line to prevent copycats or “wannabes” from hurting people just to prove they can.

One of the interesting aspects about the hacker community is this concept of one-upmanship, and it’s led to criminal activity of epic proportions. In the criminal hacking sphere, there’s a level of respect to be earned for successfully infiltrating bigger and bigger targets, so much so that several years ago the NSA tried to recruit hackers who were interested in demonstrating that they were the best in the world.

However the movies decide to use the character of a hacker, it’s important to remember that they are people who can choose to do good works or bad, and that no single label determines what a person is capable of. As with all stereotypes, we have to remember that committing a crime is a choice, but engaging in cyber activity to benefit others is also a choice.