Thanks to the apps that power our mobile devices, no two smartphones or tablets are identical. Besides making our devices function exactly the way we need them to, apps are what make every single device a completely unique minicomputer, perfectly suited to its owner’s needs.

Unfortunately, those apps are the doorway to your security, too. If you stripped every single app off of your smartphone, there would be very little that a hacker or scammer could do to get into it and violate your safety. That’s why it’s so important that you understand the permissions you’re giving to your apps, and why each app wants those permissions in the first place.

One of the more notorious app-based security threats was in the flashlight apps that appeared in the different app stores. These simple, free apps turned your phone’s camera flash into a sustained light. So what’s wrong with that? First of all, a lot of smartphones have flashlight functions already included, so downloading another app to do the same thing just takes up memory space. Also, these apps were free; if the developer doesn’t make any money on it, what could possibly be the incentive for creating it? The easy answer is advertising. Many free apps have innocuous little header or footer ads, and the company makes its money that way.

However, here’s the real threat: a lot of the flashlight apps were found to request super-user access to your device, such as connecting to your contacts list, when you downloaded them. Why would a flashlight need to know how to contact your friends? Because it was going to spam them with offers, links, or possibly even viruses. At the very least the developer made money by selling those phone numbers or email addresses to spammers, and at worst they were able to spread viruses to lots of people.

This is just one scenario involving one type of app, but it speaks to the big picture: be very careful about the types of permission your apps can have. Apps will ask to send you notifications, to access your contacts list, to access your photographs, even to post on your behalf on social media through your accounts. Make sure you trust the app to do these things, and deny that permission if you can’t determine why the app should be given that capability.

But what about the apps you’ve had stored in your device for years? Do you know what permission you’ve granted in the past?

Luckily, finding out what your apps can do is pretty simple. Depending on the type of phone you have, look in your phone’s settings and find the tab for privacy. Scroll down until you can see your list of apps. Under each separate one, you can grant or deny permission to certain features of your phone. Remember, this can impact how the app functions; if the app no longer works correctly because you’ve removed some of its access, you can undo it in the settings in the same way.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.

When people think of malicious software infecting a computer network, they probably envision a file silently accessing and replicating gigabytes worth of data to be harvested for the virus’s creators. They probably don’t think of the office coffeemaker going on the fritz.

But that’s exactly what a worm called Stuxnet is capable of. Discovered in 2010, this particularly nasty software not only attacks the host computer that receives it, but it is capable of disabling other physical components that the computer controls. In one of the more headline-grabbing cases of malware attacks, Stuxnet—spread through infected computers belonging to third-party contractors—disabled the centrifuges at an Iranian nuclear power facility, causing them to shut down and need to be replaced.

There is a lot of speculation as to the origins of Stuxnet, and quiet finger pointing has named a number of chief officials and government leaders from several countries as having been at least aware of the design and implementation of Stuxnet.

While Stuxnet is a globally destructive tool, meaning that it’s more likely to be used to shut down the machines that run a country’s electrical power plants than to infect your computer’s online banking information, there are some lessons to be learned from Stuxnet as far as average citizens are concerned. The most important is that Stuxnet is believed to have been spread to the contractors’ computers in Iran via USB flash drives; some reports indicate that files transferred by those vendors on DVDs or CD-ROMs were not infected, but files transferred by flash drive were. There have been reports for quite some time about the vulnerabilities of flash drives, and that even everyday individuals have been victimized by harmful software embedded in the driver that controls the flash drive.

To avoid this problem, always use flash drives from trusted companies—as opposed to inexpensive or “free gift” flash drives from unknown sources—and scan the drive for viruses before using it. The vulnerabilities in flash drives are such that even store-bought drives from known manufacturers should be scanned before use.

Moreover, this is certainly not the first time malicious software has reached its intended objective via third-party contractors, as in the now-famous Target credit card breach that affected millions of shoppers. Stuxnet should serve as a wakeup call to all forms of industry that work with contractors and vendors, and force them to see the need to ensure excellent anti-virus and anti-malware controls before they are connected to outside computers.

If this is the new era of warfare, it is disturbing to think of the ramifications if this worm ever falls into the wrong hands. Experts who have investigated Stuxnet have come up with more questions than answers about how the system operates, but it is known that this is the first time a computer virus has had the capability to manipulate and harm physical objects, such as machinery, that are controlled by the infected computer.

Technology is improving at breakneck speed these days and that means we are buying new devices all the time. For many, new devices mean getting rid of the old ones, and there may be some question as to what to do with these devices no longer in use.

You’ve probably heard that the batteries that power many devices and the internal components that make them function can actually be harmful to the groundwater and soil if placed in landfills, so there are already recycling programs in place for cell phones and computers where the components are broken down for protected disposal. But there are also great opportunities for people to donate slightly outdated devices in order to let them continue working in their original capacities.

Cell phone recycling programs not only break down devices, they sometimes redistribute them to people who need connectivity but can’t necessarily afford a newer model. Computers, at the same time, can be donated by the owner to senior citizens’ programs, nursing homes, assisted living facilities, non-profit organizations, schools, and more.

There’s a very important consideration before donating any device, though, and that’s making sure you protect your privacy. Just wiping data from the hard drive isn’t enough, some experts say, to keep a person with the right know-how from accessing your old files, which could include saved or downloaded bank statements, credit card statements, your tax documents if you filed electronically, and more.

Your first step before unplugging your original device for good is to back up any information you’re going to need on a high-capacity flash drive. Make sure you get it all, because you’re going to say goodbye to it forever. Once you’re certain you have all of your necessary data, you’ll want to reformat the hard drive. This is a PERMANENT step, and cannot be undone, so be sure that you’re ready to send this device out the door before you complete this step.

One of the safest ways to ensure that your data is protected before you give away your computer or laptop is to remove the hard drive. This will mean that the recipient will need to purchase a hard drive—or you can kindly purchase a new one to replace yours before donating, if you feel like it—which will ensure that your original hard drive and all of its data and files will remain with you. There are two reasons this is a great idea: first, you can physically destroy the hard drive if you wish—yes, literally with a hammer, but be sure to wear eye protection and get all the pieces up before disposing; second, you can buy an inexpensive case at an electronics store (usually between $60 and $80, depending on the type of hard drive it is) and turn your old hard drive into an external hard drive on your new computer. You would still be able to access all of your old files, photos, videos, and more from your new computer, and you’d be able to store new files on it as well, avoiding clogging up your new computer with saved documents.

However you choose to dispose of your personal electronics, make sure you’ve stripped access to any online account logins, any passwords, and any personally identifiable information before letting it out of your sight.

October, as many people now know, is National Cyber Security Awareness Month. But where exactly does the awareness come from, and who is gathering the information needed to keep citizens informed about personal data protection and corporate cyber security? This information comes from a variety of individuals, from advocacy groups to IT experts, all people who have a vested interest in cybersecurity.

Cybersecurity is one of the exploding career fields right now in the tech space, but there is a lot of information to know before working towards a career goal involving computer protection. This infographic from StaySafeOnline shares a wealth of information on how to break into this lucrative and rewarding career, even if you’re not focusing on long-term plans for IT work.

First, a number of companies actually pay everyday citizens for reporting security flaws that they have discovered on their own. With the right technical know-how, you can reap the rewards of exposing vulnerabilities in major platforms, as long as you’re following the right protocols for reporting. Facebook, Google, Yahoo!, and a host of other companies compensate individuals who are known as “white hat hackers,” or basically, the good guys of the hacking world.

But for someone who wishes to become an industry professional, what does it take? According to the data, the overwhelming majority of cybersecurity jobs require a college degree in a related field of computer science, although some schools have placed this kind of educational program under the criminal justice department due to its close association with law enforcement. Major colleges around the country are only just beginning to develop four-year degrees and graduate degrees to create professionals in this new field, so seek out a program that offers accreditation through the university and has a proven track record of its graduates gaining employment.

A number of hacking competitions and cybersecurity events take place that will provide great knowledge, networking opportunities, and even resume experience. Look for information on the Global CyberLympics at cyberlympics.org, or the US Cyber Challenge at uscyberchallenge.org. There are also a lot of other similar events that can lead students who place well into a good higher ed program, so reach out to these event organizers for details on what it takes to be a part of them.

One catch-all organization that serves as a source of information and support is the National Initiative for Cybersecurity Careers and Studies, which can lead you in the right direction for pursuing this kind of work. With updates, resources, news items, and guidance, the NICCS works to increase the number of professionals working in this important law enforcement and tech field. Find out more about the organization at niccs.us-cert.gov.

For anyone with an interest in any specific field, the most important aspect is knowledge of the industry. Be sure to keep up with the news of data breaches, hacking events, software and tech vulnerabilities, and more, and make sure you’re following current industry leaders on social media to see what threats are currently on their radar. As technology continues to expand and the definition of a digital society continues to evolve, the need for qualified security experts will only go up.

Businesses rejoice in their ability to promote directly and for free to customers and prospects using social media.

While social media has created no-cost marketing opportunities, it also has created risks, including identity theft and data breach. Are you paying enough attention to the risks and costs? I hope so!

Think about it. Social-media sites ask registered users to provide as much personal and business information as possible. Some of the largest social media sites such as Facebook, Twitter and LinkedIn already have experienced data-breach events.

And now online perpetrators are using social media to create more opportunities than ever to steal identities and commit fraud.

Positive opportunities created by social media include the ability to increase business and consumer connections along with increasing your brand through sites such as LinkedIn, Facebook, Twitter and YouTube.

Some of the negative risks include the creation of permanent records and reputational damage to your brand in the event of a data-breach event.

Businesses need to identify social media’s intellectual property theft and data breach risks and plan and prevent accordingly. In particular, I encourage you to pay close attention to my top five risks to small business related to social media.

• The use of social media to make false or misleading claims.

• The use of social media to commit copyright or trademark infringement (oftentimes unintentional).

• The use of social media to use intellectual property without permission.

• The use of social media to steal trade secrets — or to post trade secrets and confidential information.

• The use of social media to steal employee or customer information, resulting in a data-breach event.

Based on the above, here are my four top risk-management tips that can help protect and minimize your business from social-media risks:

Create a crisis management plan detailing employee and employer protocol in the event of a data breach, injured employee, customer complaints or compliance and social-media issues. This crisis plan should state clearly what is accepted and not accepted in using social media.

Understand that social media creates a permanent record and that your business and/or your employees’ use of social media can result in a data leak, be used to discredit your business or to serve as a source for material discovery in a court case or litigation. Be sure to have an information policy, including a records management plan, to be consistent for all communication and correspondence, including social media.

Create a social media policy that provides a detailed explanation and clarification for all employees and vendors on what company information and/or issues can be discussed within and outside the business. This policy should include basic tenets and the negative impact on both the company and employee if this policy is ignored – either accidentally or on purpose.

Employee education and training for your employees with specifics regarding the management and safeguarding of employee and customer information.

Mark’s most important: Take advantage of social media for your business, but be prudent when using it and be prepared with a plan in case ID- and cybercriminals decide to take advantage of you.

 

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

In the wake of the Target breach, the Home Depot breach, the PF Chang’s breach, and hundreds of other corporate hacking events that made headlines in the last year, it’s easy to assume that cybercrime is only a “big company” problem. After all, hackers are taking a huge criminal risk in stealing and using other people’s data, so it’s understandable to think that hackers wouldn’t go after a small or mid-sized company. But that’s proving to not be the case, as small business owners are finding out almost every day.

October is National Cyber Security Awareness Month, and the focus of week four is on how small business owners need to prepare for data protection in order to safeguard their customers’ information and their own business security. By having adequate protocols in place to prevent a breach and a streamlined process for responding to a hacking event, hardworking business owners can know they are doing everything within their power to protect sensitive information.

Many industry experts have taken the viewpoint that it’s not a matter of “if” a data breach will affect a business, regardless of its size, but “when.” But one of the biggest obstacles small business owners face when it comes to data protection is the typically high price of investing in tools like quality anti-virus software, external hard drives for backing up consumer data, running system checks of their credit card systems, and more. Experts caution business leaders that investing in the right preventive tools before an incident occurs will result in tremendous savings by minimizing the damage and the resulting financial liability of exposing their customers’ data to hackers.

Also, given the fact that a high percentage of data breaches are actually “inside jobs,” it’s important to make sure that employees are limited in their ability to access customer or client information. By making sure that employees cannot retrieve sensitive data for which they really have no need—as in the case of not one, but two data breaches of cellular provider AT&T’s customers’ information in 2014 alone—a lot of expensive damage can be prevented.

But when an employee is responsible for a data breach, it’s not always malicious. Sometimes a lack of training or tech-awareness is all it takes to expose a business to hackers from the inside. By making sure that all employees are fully trained in the dangers of certain online behaviors like opening links in emails or downloading videos and images, as well as by ensuring that company computers that access sensitive data are not able to interact on social media, companies can help ensure the protection level of their content.

One other important tool is a routine checkup of company technology and networks, meant to uncover flaws or vulnerabilities in protection. This is especially important in a business’s credit card system, as a number of breaches have occurred due to malicious software running in the background on POS machines and other network-based computers. These checkups can have a significant cost, but it’s far better to pay for one before an incident happens, rather than as part of the process of assessing liability after a breach.

Perhaps the most crucial step a company can take in protecting its customers’ data is to not store unnecessary information in the first place. If a company requires customers’ personally identifiable information such as Social Security numbers or driver’s license numbers in order to establish an account, for example, there’s no need to hang onto that data after the account is opened and in good standing. It leaves the customers vulnerable to hacking, and the company liable for paying to clean up the mess after a data breach. By not holding onto information that hackers want, it might be possible to prevent a breach from ever happening.

With so much talk about hacking events and data breaches, and with Hollywood’s constant portrayal of the cyber bad guys, it can be easy to forget that simply being a hacker isn’t necessarily a bad thing. It certainly doesn’t always equate to criminal activity. Everyone from law enforcement agencies to retail companies relies on hackers to expose vulnerabilities in their security protocols, to develop creative ways of infiltrating a system before criminals can think of it, and even to solve crimes that may have nothing to do with breaking into a computer system.

This shift in perception of what “good” hackers really do is finally making its way into pop culture through television shows, movies, book characters, and more. Even better, the public image of the quintessential hacker—the person who has routinely been portrayed as a nerdy social outcast who turned to cybercrime because he was never accepted by his peers—is also changing. Instead of outlandish individuals with insurmountable personality quirks, more and more typical characters are making their way to the entertainment realm, and they’re demonstrating the good that this level of technological know-how can provide. At the same time, it’s promising to see the higher-than-ever numbers of female characters in these roles, as females and minorities have often been underrepresented in technology jobs of this level in the real-world work force.

One step that producers are taking with the new crop of highly popular television series is to try to present a more accurate portrayal of what it is hackers actually do, how they can be beneficial to the community at large, and how they operate. While it’s entertaining to watch a smug computer geek tap a few keys on his keyboard and announce that he’s broken into the system, that kind of work can actually take weeks to pull off. Of course, watching an hour-long program in which fifty minutes of it is spent watching a man type isn’t all that fun or engaging, so the industry has taken some liberties with its accuracy, much like it did with forensic detective work on many of the earlier crime series.

The new popularity of hackers does have to tread one fine line, and that’s the concept of vigilante justice. While it’s all well and good to fight for the little guy and make sure consumers are protected, doing so in violation of the law or where other individuals—even a Wall Street tycoon or Bernie Madoff-style criminal—are hurt is not in the public’s best interest. Groups like Anonymous, who’ve pulled off some interesting hacks while fighting for justice, have come under fire for their efforts, while public interest groups have had to draw the line to prevent copycats or “wannabes” from hurting people just to prove they can.

One of the interesting aspects about the hacker community is this concept of one-upmanship, and it’s led to criminal activity of epic proportions. In the criminal hacking sphere, there’s a level of respect to be earned for successfully infiltrating bigger and bigger targets, so much so that several years ago the NSA tried to recruit hackers who were interested in demonstrating that they were the best in the world.

However the movies decide to use the character of a hacker, it’s important to remember that they are people who can choose to do good works or bad, and that no single label determines what a person is capable of. As with all stereotypes, we have to remember that committing a crime is a choice, but engaging in cyber activity to benefit others is also a choice.

Anyone who’s spent any time around the internet has probably heard of phishing emails, or those really strange messages that try to get you to click a link or reveal personal information about yourself, or may even go so far as to try to get you to make payments of some kind. They’re usually pretty far-fetched and the grammar is often laughable; thanks to those facets and to public awareness of the problem, most people can recognize a phishing attempt when they see one.

But a new variation on phishing attempts is called spear phishing, and it’s a lot harder to recognize. Spear phishing, given that name because the scammer is targeting you specifically instead of just sending out random “shot in the dark” emails that someone will hopefully fall for, is a lot more likely to be successful if you let it. It works because scammers pay attention to your internet activity and send you requests that look like the real thing, claiming to be from companies you actually do business with.

How are you involved in this process? Scammers can pull off spear phishing attempts based on the information that you share about yourself, as well as other internet behaviors like using the same password for multiple websites. When you post updates to social media, especially about accounts, companies you do business with, purchases you’ve made, and more, you’re handing over vital information that a scammer can use to target you.

For example, clicking a Like button on a retailer’s website may send information to Facebook on your behalf. A new status update appears—one that was auto-generated when you clicked Like—that says, “I just Liked (insert name of retailer or commerce site here).” From that single post, a scammer can then send you an email using the address listed in your Facebook account, telling you that your account at that website has been activated and needs to be updated to complete the registration process. When you receive that email and click the link or enter the data, you just handed over the content a scammer needs to steal your identity. Moreover, when you enter that password on the fraudulent registration, if you’re like far too many internet users, you may have just given the scammer the password you use on other important websites.

You may have also seen status updates from individuals you know that say things like, “I just bought a Bob’s Camp Gear Royal Sierra Ten-Person Polynylon Tent on Amazon.” Why would your friends post something like that? They may not have meant to. Many retailers use this kind of one-click activity as a form of advertising, so when you make a purchase and inadvertently click the offered button, you just informed your social media connections of your purchase.

But guess what a scammer just saw? You’re going camping, and you have a business relationship with the folks at Bob’s Camp Gear.

Based on that one button you clicked, he can then target you with emails or social media messages that seek to gather information on you. Right off the bat, Bob’s Camp Gear would be a great company to pose as, since you just gave them your information and established an account. All a scammer has to do is say, “There’s a problem processing your order of a Royal Sierra Ten-Person Polynylon Tent.” He has the name of the product you ordered, the knowledge that you ordered it from Amazon, and even a link to the exact product you looked at, all of which was contained in that simple status update you made.

How do you avoid this kind of attack? Once again, it all comes down to oversharing. Make sure that the information you share and the posts you put up on social media websites—including the responses and conversations you have on friends’ social media posts, since you can’t be sure who is seeing those posts besides you—don’t contain specific details about you, your family, your shopping or financial activity, or more. Keep your internet posts limited to innocuous information, and don’t hand over your personally identifiable information by mistake to someone who could use it against you.

 

When the social media site Snapchat first appeared on the internet, it didn’t take long for its built-in appeal to become obvious to its hordes of mostly younger users. In essence, Snapchat worked by letting users send a “snap,” which was a message, video, or image that would completely disappear after a matter of seconds. Even the site’s developers have admitted that the appeal of the platform was its ability to let users send compromising content to their friends while enjoying the safety of knowing that the content couldn’t be stored or shared. This made the site an overnight success in terms of the increasingly popular practice of “sexting,” or sending nude images or suggestive texts to someone, knowing that the recipient couldn’t use the content in a malicious way.

What could possibly go wrong, right?

First, news broke earlier this year that Snapchat’s messages don’t actually disappear, they simply “expire.” This is to say that the cell phone carriers each user signs onto can still store the content on their servers. Users are not supposed to be able to access that content, but it’s far from gone. In fact, the platform reached a settlement agreement with the Federal Trade Commission over the site’s misrepresentation to users about the security of their content and the gathering of their personal data in user profiles.

But in a hacking event eerily similar to the celebrity nude photo leak that appeared on 4chan recently, a hacker accessed the stored content of an estimated 200,000 Snapchat users and announced the leak of as much as 13GB worth of pictures that users had sent through the platform. In an event being dubbed The Snappening, the hacker also claims that he’s produced a database of the images that will make them searchable and will link back to users’ identifying information.

Snapchat has insisted its website has not been hacked, but that isn’t the issue here. The problem is the use of third-party apps—which is a direct violation of Snapchat’s terms of service—that let users snag images and content and save it. One of these third-party apps, Snapsaved, has apparently been hacked and is the source of the illegally accessed content. Snapsaved has already issued a statement confirming the breach, but denies that the hacker should have been able to access the users’ personal information to create his database.

Given Snapchat’s popularity with young people and its reputation for being a discreet way to send nude and sexually suggestive images, it’s entirely possible that this breach and leak will result in child pornography charges, if the authorities can uncover and locate the hacker. Unfortunately, given the fact that 4chan operates as a no-rules, anonymous forum for this kind of activity, it’s equally likely that the culprit won’t be apprehended anytime soon, if ever.

The takeaway from this event is that internet users—even those so-called digital natives who have never lived in a world where the internet didn’t exist—have to get smarter about understanding how online behaviors actually impact the users, and need to remember the old maxim that nothing ever disappears from the internet. When the FTC took action against Snapchat for openly misrepresenting the functionality of the site, that should have been enough of a warning that the site was not to be trusted to operate the way it claims, and hopefully this recent event will secure that in users’ minds.

It’s National Cyber Security Awareness Month, and this week’s theme is Secure Development of IT Products. What does that mean to consumers? It means working to protect technology and personal data through better standards for product design, and a better awareness of the behaviors that lead to a data breach. With news this year of several different vulnerabilities in operating systems and the breaches of several major corporations that leaked millions of consumers’ personal information each, it stands to reason that better IT protocols need to be put in place.

Apple took some of the first steps this year with the unveiling of its iPhone 6, spending a significant amount of time leveraging the security enhancements of the device and its Cloud backup system, a system that was recently breached and resulted in the sharing of dozens of celebrities’ personal photos. Other phone manufacturers have joined Apple in stating they will be putting security measures in place that will also decrease access by outsiders, including government officials and agencies, to content customers store on the devices or in the cloud.

But there are some factors that make IT security difficult, and they’re largely a consumer problem. According to some reports, not only has mobile traffic increased exponentially, there is still an awareness issue on the part of many mobile device users who simply don’t know the methods by which content can be hacked and accessed. If consumers don’t know how hackers are retrieving their content, how do they know if they’re making it all too easy for the bad guys?

Unfortunately, some of those behaviors have seen a rapid increase, such as buying jailbroken phones or jailbreaking devices themselves, downloading suspicious apps that contain malware, making financial transactions on mobile devices with unsecured, unvetted vendors, and more.

One of the chief dangers to personal information is the abundance of features that mobile device manufacturers are working to incorporate, all in an effort to entice customers to their brands. In the frenzied race to offer the shiniest or most capable device on the market, the door is left wide open for vulnerabilities and flaws in the system that can compromise millions of users’ safety.

With NCSAM in its second week, the focus is on ensuring that all of us—from consumers to developers to manufacturers—maintain safe mobile and connected behaviors and ensure that all of the products we use and rely on are as secure as possible. While the device developers are obviously the first step in producing a secure product, it falls to the individual user to make sure that nothing sensitive is put out there for hackers to harvest. By working together on IT security, we can prevent many of the large scale breaches that have already plagued 2014.

 
