We are not yet thinking about 2014, but the antivirus community certainly is.  We can expect a lot of new product introductions in the antivirus sector as they attempt to get on your holiday shopping list with newer products.

You’ll find that the competition to get your AV dollar is fierce.  One particular comparison, found at http://www.av-comparatives.org/dynamic-tests/, allows you to download a PDF of the comparison results.  The important thing is that AV-Comparatives.org tracks how well each antivirus actually deals with real world threats over a 6 month period.  Even better, it’s presented in a format that gives direct comparisons between competing products.

Of course, cost is always an issue, particularly if you have to protect a small fleet of PCs, laptops, and tablets.  Ad-Aware, AVG, and Microsoft all provide free antivirus programs, and the range of pricing for paid products seems to be between $20 and $60 at this time.  Some companies may provide special pricing for multiple license users, and for a typical household this might be important to your cost estimate.  It would be smart to choose a short list of highly rated products, and then compare the pricing.

All antivirus products considered for your use should have automatic capability for updating the virus definitions.  You should ensure all your PCs are operating in a mode where both antivirus and operating system updates are automatic.  There are many thousands of new viruses and security exploits uncovered each year, and an absolutely sure method to be vulnerable is to have a system operating with old virus definitions and none of the latest security patches.  You should pay special attention to systems that are used infrequently and left powered off, since updating of AV definitions and system patches takes some time, and there is a tendency to “power it up, open a browser, and view a website.”  During that period of updating, that PC might be an easy target for a virus, malware, or hacking exploit.

Some of the antivirus products are rated highly at cleaning up malware that has already been installed on the machine.  Those products are worth thinking about because threat removal is not a simple task with some malware or viruses, and the odds are pretty high this will happen to you at some point.  I will mention an “initially free” product which has worked extremely well for me over several years, Hitman Pro from a company named Surfright.  Hitman Pro is not intended to be a primary antivirus, but is a very good cloud based secondary scanner that has proven extremely proficient at removing threats without my intervention (this is a real blessing if you’re the go-to guy for a bunch of machines).  It’s intended to be run on a scheduled basis, and at any time that you think something bad has happened.  So it doesn’t do real-time scanning, and you should always have a primary antivirus running.  But, the free version of Hitman Pro will do a complete, fast, and thorough PC scan, and alert you to what it found.  And it can then be purchased to use its malware removal skills if needed.

It pays to “pay attention” to your antivirus tools, and to see that they are current and effective.  It is important for proper PC operation, and to keep your personal information personal.

‘Getting the Most Out of Your Antivirus’ was written by Rex Davis.  Rex is the Director of Operations at the Identity Theft Resource Center.

On August 6, Michael Daniel, Special Assistant to the President and the Cybersecurity Coordinator, posted on the White House blog a set of possible incentives for companies that voluntarily adopt the Cybersecurity Framework currently being created by the National Institute of Standards and Technology (NIST).

The Cybersecurity Framework is a voluntary set of rules, based on existing standards, practices and guidelines, designed to reduce cybersecurity risks to critical infrastructure. It was authorized by President Obama’s Executive Order 13636 (EO), Improving Critical Infrastructure Cybersecurity.

Once the Cybersecurity Framework is completed, the EO tasks the Department of Homeland Security (DHS) with creating a Voluntary Program intended to encourage private companies to follow the guidelines established in the Cybersecurity Framework. Recommended by the Departments of Homeland Security, Commerce and Treasury, these incentives are to be used to make compliance with the Cybersecurity Framework more attractive to private companies who may not want to spend the money and time to invest in their cybersecurity protection:

  • Cybersecurity Insurance – The insurance industry should be engaged while developing the Cybersecurity Framework and Voluntary Program in order to help build underwriting practices that encourage the use of cyber risk-reducing measures and risk-based pricing.
  • Grants – Federal grant programs should encourage the adoption of the Cybersecurity Framework by making participation in the Voluntary Program a criterion or factor in determining the award of certain federal grants.
  • Process Preference – The participation in the Voluntary Program can be used as a consideration when private companies request government service delivery be expedited.
  • Liability Limitation – Reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements can be offered to private companies participating in the Voluntary Program.
  • Streamline Regulations – Agencies will continually work to reduce overlaps between existing laws, regulations and the Cybersecurity Framework to make participation in the Voluntary Program as painless as possible.
  • Public Recognition – The use of public recognition for Voluntary Program participants could be used as a method of encouragement for companies to comply with the Cybersecurity Framework.
  • Rate Recovery for Price Regulated Industries – It is recommended that consideration be given to working with federal, state and local regulators and specific agencies that regulate utility rates to allow recovery to private companies for cybersecurity investments related to participation in the Voluntary Program.
  • Cybersecurity Research – The government can direct research and development to help create solutions to gaps in cybersecurity where commercial solutions do not yet exist.

These incentives are only suggestions and are not final policy; however, they are a good start to helping the Cybersecurity Framework and Voluntary Program make a real difference by encouraging private companies to comply without forcing them to via federal regulation.

“Cybersecurity Framework Incentive Ideas Released” was written by Sam Imandoust, Esq.  He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original piece.

Passwords “are starting to fail us,” said PayPal’s Chief Information Security Officer Michael Barrett at a recent event in Las Vegas.  Much like a locked front door to your home, a password may serve as a minor deterrent to the casual passer-by, but anyone who really wants to find a way in will most likely be successful.

A lot of it has to do with the seeming inability of internet users, despite many attempts to educate the public, to pick passwords that are truly secure.   “Users will pick poor passwords – and then they’ll reuse them everywhere,” says Barrett. “That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet.”

The number of data breaches in the US increased by 67 percent in 2011, and each major breach is more expensive than many people realize.  When Sony’s PlayStation account database was hacked in 2011, it cost the company upwards of $171 million to rebuild its network and protect users from identity theft. Add up the total cost, including lost business, and a single hack can cost millions or even billions…with a B.

Face It: Internet Passwords Often Fail to Keep Hackers Out

Asked about passwords, ESET Senior Research Fellow David Harley says, “Static passwords are problematic – even a good password is next to useless if the provider doesn’t take good care of credentials data and allows unlimited retries. The trouble is, that password authentication on the Internet is cheaper and easier to implement than most of the alternatives.”

So what’s the answer? How do you protect yourself in an online environment with so many dangers?  While there’s no way to completely eliminate your risk, there are several things that can be done to mitigate it.  For starters, don’t make it easier on would-be hackers. Don’t make your password “password,” or “123456.”  Use 10-character passwords containing both letters and numbers, with both capital and lowercase letters.  Try to vary passwords for different online accounts, so that if one account gets hacked, it doesn’t create a situation where the hacker now has access to every online account you own.  Additionally, avoid making passwords or security questions things that a stranger could guess at just by reviewing your publicly available information.  What city you were born in, for example, might not be the best security question for an online account if you have that information publicly listed on your Facebook Page.  Using varied and less typical/obvious passwords will go a long way to making your information online safer.

On the industry side of things, more investigation needs to be done on better authentication methods than are currently in place.  Cheap is always appealing, but not always effective. And as was pointed out, if a company is hacked those cost savings go out the window, and then some.  There also needs to be greater limitation on the number of times someone can incorrectly answer a password prompt or security question before the account gets frozen. Understanding on the part of both the service provider and the consumer of what sort of tactics hackers use and what they’re looking for is essential if we are to protect ourselves with a higher rate of success.
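The retry limit described above can be sketched in a few lines. This is an added example, not part of the original article; the class and function names and the thresholds (5 failures in 15 minutes, a 30-minute freeze) are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class AttemptLimiter:
    """Freeze an account after too many failed logins inside a time window.

    Hypothetical helper: thresholds are illustrative, not from the article.
    """

    def __init__(self, max_failures=5, window=900, lockout=1800):
        self.max_failures = max_failures      # failures tolerated per window
        self.window = window                  # seconds over which failures count
        self.lockout = lockout                # seconds the account stays frozen
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._frozen_until = {}               # account -> time the freeze ends

    def is_frozen(self, account, now):
        return now < self._frozen_until.get(account, 0)

    def attempt(self, account, password_ok, now):
        """Return 'frozen', 'ok' or 'denied' for one login attempt at `now`."""
        if self.is_frozen(account, now):
            # While frozen, the submitted password is never evaluated, so the
            # attempt tells a guesser nothing (and a real user must wait).
            return "frozen"
        if password_ok:
            self._failures.pop(account, None)  # success resets the counter
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        # Forget failures that have aged out of the counting window.
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._frozen_until[account] = now + self.lockout
            recent.clear()
        return "denied"


def guesses_checked(limiter, account, total_attempts, seconds_between):
    """Count how many wrong guesses actually reach the password check."""
    checked = 0
    for i in range(total_attempts):
        result = limiter.attempt(account, False, now=i * seconds_between)
        if result == "denied":
            checked += 1
    return checked


if __name__ == "__main__":
    # Constructed scenario: one wrong guess per second for an hour.
    limited = guesses_checked(AttemptLimiter(), "alice", 3600, 1)
    unlimited = guesses_checked(
        AttemptLimiter(max_failures=10**9), "alice", 3600, 1
    )
    print("guesses evaluated with a retry limit:", limited)
    print("guesses evaluated with unlimited retries:", unlimited)
```

With the limit in place, an hour of constant guessing gets only a handful of passwords evaluated; with unlimited retries every single guess is tested, which is the situation David Harley's quote warns about.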

In short, don’t be lazy with your passwords, even though they are in some ways antiquated forms of security. Be aware of what personal information about you is floating around on the cloud and be mindful of this when picking your fail safes for account access. Don’t store information online that you don’t absolutely need to and be mindful of who you’re giving your information to and what they plan on using it for.

“Face It: Internet Passwords Often Fail to Keep Hackers Out” was written by Matt Davis.  Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to repost the above article, as written, giving credit to the author and linking back to www.idtheftcenter.org.

You use your smartphone and tablet every day, but are you using them safely when you connect to public WiFi?

The Identity Theft Resource Center and PRIVATE WiFi invite you to participate in our co-sponsored research survey on Mobile Device Security. By contributing your insight, we will learn more about consumer usage habits when it comes to WiFi and security on their mobile devices.

This allows the ITRC to understand the areas where consumers are most vulnerable and develop education and awareness addressing these issues.

“Consumers use their mobile devices to connect to the world around them and at PRIVATE WiFi, our goal is to make sure that these consumers are taking the necessary steps to keep themselves and their data secure,” said Kent Lawson, CEO of PRIVATE WiFi.

“This survey will help us learn more about how and why consumers use their smartphone and tablet. A better understanding of their habits helps us make a better VPN product for our customers.”

The survey, consisting of 16 questions, only takes five minutes to complete. Questions include where and how you use mobile devices connected to WiFi. Once the survey has concluded, results will be available on the ITRC website via a published whitepaper.

When the Identity Theft Resource Center was founded, cybercrime and identity theft weren’t quite the “household name” hot topics that they are today. While the various forms of the crime aren’t going away anytime soon, what has happened is a cultural shift towards protecting your information and watching out for your data security.

The old recommendations for security-minded consumers used to sound pretty hard to follow. They were enough to make anyone question why they’d ever get online or carry a smartphone in the first place. Fortunately, as security has become easier to adapt to and there’s more of a public conversation surrounding it, the methods that we now consider best practices and good habits are becoming part of our lives.

While shredding old documents and making sure your privacy settings are set to the highest level might seem like common sense now, there are still a few things that are up in the air. New forms of cybercrime and new tactics on the part of hackers mean we still have “new” behaviors to adopt, just as we did years ago.

1. Two-Factor Authentication – If you’d told someone back when the ITRC was first formed that they would someday press a few buttons on their portable pocket telephone to pay for their groceries, they might have looked at you funny. But that reality is now here, and along with it comes the need for two-factor authentication. Some people think it’s a little bit of a hassle to have to log in, wait for a text message, and then type the contents of that text into your login screen, but that is one of the best ways to ensure that a criminal isn’t remotely logging into your account.

2. Virtual Private Networks (VPNs) – It might seem time-consuming to install and then activate a VPN every time you need to go online. However, it’s a great way to keep others from tracking your internet activity, especially if you’re connecting over public Wi-Fi networks. VPNs also let you view your content when you’re traveling, even if you’re in an area where that content isn’t under license, and they can help keep advertisers, or hackers, from tracking your internet searches for marketing purposes.

3. Password Protection – One of the easiest steps you can take in protecting your data just might be passwords, even though they’re certainly nothing new. The only new thing about passwords is our current understanding that strong, unique passwords are still not the norm; far too many people still rely on codes like “password” or “1234” when they’re trying to protect their accounts. It’s not only important to lock up your account with a long and random password that you only use on one account, but you really should change your passwords from time to time in order to thwart hackers.

While great strides have been made in informing consumers about privacy dangers, there’s still a long way to go. As cybercriminals come up with new methods to attack your data, we will continue to spread the word about ways to protect yourself.

If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App.

Social networking sites are a great way for families and friends to stay in contact with each other. They also provide an open forum for people to speak their mind, talk about issues that are important to them, and share photos and memories with the world. Kids and teens have especially taken to this new way of connecting with people. In 2009, 38% of 12 year olds in the United States were members of at least one social network according to the Pew Research Center’s Internet and American Life Project. Kids love chatting, sharing real time photos, and instant messaging each other.

This is a wonderful tool for kids and teens to use, but there are certain things that must be taken into consideration, the first being the mental and emotional maturity of the user. Most young people don’t understand that what you post online can be seen by everyone, and is online forever. Pictures, comments, etc. can be viewed by anybody you allow access to. The biggest concern most parents have is stalkers and pedophiles who can use the information posted by kids to pinpoint what school they go to, the route they take to walk home, if they have after school jobs, or if they will be at a particular location unsupervised like at the mall.

The second concern is that most kids don’t understand the long term consequences of what they post. Some users have found their posts used against them years later when they are applying for college and jobs. Comments about a particular college could result in an application to attend being denied. Pictures and comments at parties and social gatherings could cost you a job. Even pictures that a minor child may think are safe to post or share online could result in criminal charges of child pornography and a permanent record as a sex offender.

The last thing kids and teens need to keep in mind is that anything they post online can be accessed and manipulated by others. Cyberbullies have been known to take pictures from legitimate social networking profiles and create a dummy profile. They may doctor the pictures to depict the original person in compromising and embarrassing situations.

When teaching your children safety online it is always important to stress that nothing they post is 100% guaranteed to be private. Parents should be proactive in monitoring what their children post and talk with them if they see anything they deem inappropriate.

Most iPhone users store a considerable amount of personal data on their phone that would be devastating to lose. This can be in the form of pictures, saved PDFs, passwords, banking information, credit card information, and personal text messages. Therefore, it is extremely important to keep your iPhone as secure as possible. Luckily, there are a few simple things that you can do to help ensure the safety of the personal information on your iPhone.

  • Enable the Auto-Lock and Passcode Lock features under the general settings. The Auto-Lock feature will automatically lock your phone after it has been sitting idle for an amount of time that you pre-determine. The Passcode Lock feature will require a 4 digit password anytime someone attempts to access the phone when it is locked. These two simple features provide significant deterrence to the random individual who may try to steal your phone when you leave it sitting about.
  • Siri is incredibly useful and is capable of accessing and providing personal information to whoever is using the iPhone. Unfortunately, a user is allowed to communicate with Siri even if the phone is locked. Thus, Siri can be used as a workaround to the passcode feature, giving access to personal data when the iPhone owner thinks that the phone is locked down. In the Passcode Lock menu, you can opt to turn off Siri while the phone is locked.
  • Use a Virtual Private Network (VPN) when using the iPhone to access the internet from public WiFi locations. Public WiFi poses a danger to your iPhone and personal data because hackers can use public WiFi hotspots to monitor what you are doing on your iPhone as well as what information you may be inputting into it. A Virtual Private Network encrypts the signals from your iPhone making it impossible for hackers to decipher what you are doing on the internet.
  • Always have an updated antivirus program installed on your iPhone to help prevent virus or other malware from infecting your phone.
  • Enable Find my iPhone under the iCloud settings which will allow you to determine where your iPhone is at any given time in addition to giving you the ability to remotely wipe your phone of all its information. This is extremely useful because the 4 digit passcode can easily be decoded by a determined hacker. With this feature enabled, if you lose your iPhone all you have to do is sign onto any computer and elect to remotely wipe your iPhone of all its information.

“How to Protect Data on Your iPhone” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original post.

Most of us who own smartphones store a considerable amount of personal data on them which could be very damaging if the phone was lost or stolen. Everything from valuable documents, passwords, personal pictures, banking or credit information, and personal text messages could be compromised. Fortunately, there are several steps one can take to protect the data stored on their phone. What follows are some best practices for protecting the data on your Android smartphone.

  • Enable the Auto-Lock and Passcode Lock features under the general settings. Go to your settings, and then select “security.” The Auto-Lock feature will automatically lock your phone after it has been sitting idle for an amount of time that you pre-determine. The Passcode Lock feature will require a password, or a trace design anytime someone attempts to access the phone when it is locked. These two simple features provide significant deterrence to the random individual who may try to steal your phone if it’s left unattended.
  • Use a Virtual Private Network (VPN) when using your phone to access the internet via public WiFi. Public WiFi poses a danger to your personal data because hackers can use public WiFi hotspots to monitor what you are doing as well as what information you may be sending over the internet. A Virtual Private Network encrypts the signals from your Android making it impossible for hackers to decipher what you are doing on the internet.
  • Always have an updated antivirus program installed on your Android to help prevent virus or other malware from infecting your phone. Monitoring apps such as Lookout Security can gauge the risk levels of various apps or programs you might be inclined to install on your phone.
  • Always pay attention to what apps you’re downloading. What access rights to your data does it ask for? Is it produced by a reliable/trustworthy entity? Never download an app you’re not 100% sure about, and always pay attention to what rights they require to install their app in your phone.
  • Install a wiping program on your phone so that in the event of a theft or a loss, you will be able to remotely wipe all your sensitive data from the phone so the thief cannot benefit from it.
  • Never pre-store banking passwords or other sensitive passwords on your phone. If someone were to gain access to your Android, there’s no reason that event needs to lead to a thief gaining access to your email or your mobile banking apps.

“Keeping your Information Safe on an Android Device” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original article.

Like millions of other people, I got my first smartphone for work, not personal use. And, just like most other digital device users, my personal life soon became a part of whatever smart phone I was using, and the tasks I expect it to do have broadened greatly since the days of my Kyocera 6035. Without even taking into account iPads, Kindles, and other larger platforms, the activities we now accomplish on a typical smartphone platform are pretty amazing.

Of course, many still have corporate email on the device, but almost everyone will also have a couple of personal email accounts that are also installed on the phone, along with Facebook, LinkedIn, GPS navigation information, a raft of pictures and movies that have been taken with the device, probably some downloaded Internet movies, and so on. And, just like the car you have driven the past few years, quite a bit of this stuff will find its way under the seats, into the side pockets, and in the glove box (who the heck ever used a glove box for gloves?). In other words, there may be quite a bit of information stored in places you don’t normally look (until it’s gone). We also tend to make online transactions, including purchases, banking, and visits to other secure sites, which probably store some fairly important credentials and other information on our smartphones.

I remember the adrenaline rush of getting up one morning and finding that my Blackberry of the moment had just died… All the email, account info, etc. was gone, except for some stuff that was stored on the removable memory card. A similar situation, even worse, is when someone realizes that their phone has been stolen or lost. It is worse, because now any information on the phone, including email, account info, pictures, etc. may be in the hands of someone who has a penchant for taking your money, rather than a job. Two of my family members have managed to “Drown a Droid” in the past couple months. Sooner or later, these events will happen to you.

When loss of a smartphone or the data on it occurs, there are several key concerns:

  • Was the device protected by a PIN, password, or other method to prevent unauthorized access? While not perfect, having a phone protected does a lot to slow down access to your information. You just won’t believe how much information is typically available in a couple years of email!
  • Do I have a method to remotely erase all the information on the device, to prevent its use for identity theft and fraud? Is there a way to track/find the missing phone?
  • How can I recover the majority of the information, contacts, pictures, movies, emails, etcetera?

First, have your phone protected by at least a simple PIN or swipe pattern. Just DO IT. You don’t want the guy who lifted your phone at a party to be able to instantly start sending email and posting on your phone. If you happen to lose the phone, the same situation applies. Some phones have facial recognition now, which is pretty convenient, and reasonably secure. Whatever security method you choose, make sure your phone is locked within a minute or so of when you set it down.

Second, you may want to use one of the available programs that will allow you to remotely wipe all the personal information from the smartphone in the event of a lost or stolen device. Depending upon the type of phone, iPhone, Android, Blackberry, etc., there are different methods to remotely wipe the phone, and possibly detect its location. For Android phones, Android Lost has been recommended as an app that will allow remotely finding and wiping an Android phone. Microsoft Windows phones can be located and remotely wiped from your user account on a website, www.windowphone.com. Blackberry has always had the remote wipe capability in their administrative software, but it is managed by the system administrator. Apple has a service to find your phone, and remotely lock the phone by using a web based service. Regardless of the type of device you use, you should activate one of the methods before you lose the phone.

Third, recovery of all the data that you have on the phone will also depend upon what steps you have made while you have possession of the phone. You should note that if your main email is provided by a corporate account (Exchange Server), that email can be recreated on a new phone without anything more than setting up your email account on the new device. However, many other types of email, and documents, pictures, videos, etc. will probably require that you set up or activate a backup system for your mobile device. There are many backup systems available for each type of smartphone, and you will have to compare features to choose the one that is best for your protection. Carriers like Verizon offer backup utilities as a part of their service, and Apple offers iCloud Storage.

Mobile device backup has become a growing market, and you will need to choose the system that meets your personal needs. A good place to start is to think “If my phone was ripped out of my hand right now, and would never reappear, what would I need to have on a new phone to be ok?” A second vital question is “What’s on my current phone that could put me at risk if the phone is stolen?” These are questions best answered before your data goes missing.

Now, back to Sudoku. You know, I’d hate to lose my year-long aggregate score….

“Wiped Out? Or Not?” was written by Rex Davis. Rex is the Director of Operations at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original post.

Recently here at ITRC, we’ve received several queries about the effectiveness and use of mobile VPNs. What are they? How do they work? Do I need one for my phone if I send and receive a lot of data? Well, we aim to please…

VPN stands for “virtual private network.” A mobile VPN provides mobile devices with access to network resources and software applications on their home network when they connect via other wireless or wired networks. A VPN maintains an authenticated, encrypted tunnel for securely passing data traffic over public networks. This is important because public wireless internet connections (public wi-fi) are one of the easiest and most common ways for identity thieves and hackers to harvest personal information from their victims.

The increased use of mobile devices and a related rise in employee desire to use their own personal devices for work purposes means it is more important than ever that organizations take appropriate steps to protect corporate information and provide access in a safe and effective way. A mobile VPN makes it possible for users to access the internet via public wireless access in a McDonalds or Starbucks, while still staying safe behind a firewall to keep prying eyes from accessing privileged information. When considering whether or not a mobile VPN is a worthwhile tool to have, there are several issues to consider.

1. The need for privacy

It’s always a good idea in personal practice to exercise sound judgment when accessing the internet in public areas. For work purposes, the need for privacy becomes even more paramount. Not only could you compromise your personal information, you could expose company secrets as well. If your job is the type that requires continuous access to shared information, a mobile VPN should be viewed as a near necessity.

2. Connectivity and Convenience

A mobile VPN functions essentially like a portal to your home or office server. The cost of this convenience and safety should be considered necessary only if one is regularly accessing secure or sensitive information (either for personal or professional use) while on the go. If you don’t have access to your office server and/or don’t use your personal phone to send or receive sensitive information, a mobile VPN may be an unnecessary expenditure. A VPN is likely to come attached to a monthly subscription fee, and will also very likely make the speed of data exchange on your phone somewhat slower than it would be otherwise.

3. Frequenting Foreign Websites?

The secure nature of a mobile VPN allows you to usually access foreign hosted sites faster than otherwise possible.

4. Flexibility

VPNs function on virtually any type of internet connection (wi-fi, 4G/LTE, broadband, etc.).

5. Voice vs. Data Security

It’s important to note that smartphones have both data and voice channels. A mobile VPN ONLY encrypts the data channel, i.e., your phone’s access to a browser, email, and internet resources is encrypted. However, your voice calls are not encrypted through use of a mobile VPN. If you use an internet based phone service (Skype for example) that uses the data channel to make phone calls, your voice calls may be encrypted when using your mobile VPN.

 

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.