"According to the statement issued by Jim Holthouser, Executive Vice President of Global Brands, "unauthorized malware" was used to gain access to Hilton's point-of-sale systems resulting in the theft of payment card information of some of its guests. The attacks are said to have occurred between November 18 to December 5, 2014; and April 21 to July 27, 2015. Customers who used their cards at any of the Hilton Worldwide hotels - including its subsidiary brands, such as Waldorf Astoria, Conrad Hotels & Resorts, Double Tree, Embassy Suites, and others - during these periods have been recommended to monitor unusual activity."
Not that I don't already keep a close eye on my credit card transactions. As much as I travel, and use my card, I know better.
An online quiz that illustrates the words you use the most on Facebook as a "word cloud" has gone viral -- and it's a great reminder of why you should be wary of connecting ostensibly fun games with your account. UK-based VPN comparison website Comparitech has delved into how it collects not just your name, but also your birthdate, hometown, education details, all your Likes, photos, browser, language, your IP address and even your friends list if you link it with Facebook. Too many details for a simple game, right? If you agree, you may want to think hard before linking any other FB quiz in the future, because most of them require you to give up a similar list of information.
Yes, you should probably do this. If you've stored a credit card with Amazon, now that they are supporting two factor authentication, you need to enable it.
I will be!
I've said it before. Google is a company that sells advertising. Anything that will help them target advertising to users will be done, including keeping track of what you search for.
I have resisted the urge to use a VPN all of the time, but I may need to revisit that idea.
"There's been a lot of data breaches lately, and the numbers seem to be constantly increasing. From the high profile attacks against the likes of Ashley Madison and Sony Pictures, to the lesser known breaches like Kmart Australia and Systema Software, it's practically becoming routine to read a headline that says, "Company X breached; data on millions of users stolen," and there doesn't appear to be a way to stem the tide.
But what if I told you that these breaches are better than what we're likely to see in the future?
Think about the recent OPM breach, where data on every United States Federal employee was stolen. Not only were social security numbers taken, but also sensitive data like fingerprints. Now imagine that instead of the attackers stealing all of the data, they instead modified fingerprint data. Maybe they put their own fingerprints in place of an undercover agent's. Or maybe they simply change the fingerprints so that when an agent tries to confirm their identity, they're seen instead as a convicted felon. Perhaps instead of breaking someone out of a prison by force, an attacker modifies the convict's data to issue them an early release. Or in a more mundane use, simply change your credit card account to "paid in full" or reverse a payment of someone you don't like.
Considering it takes nearly a year to detect the average security breach, is it really that far-fetched to think that impacting data integrity will soon be more advantageous than simply attacking the confidentiality of the data?"
This is when things will get ugly. Unfortunately, I think something this bad is going to have to happen before the average person really starts to think seriously about data security. Too many people are taking an "I have nothing to hide" approach to data storage and even surveillance. How well will that approach work when someone manipulates the data to make it appear that you really do have something to hide?
This is why many of us are against collecting the data in the first place. If it's not being tracked, it can't be targeted.
As far as the stuff that does need to be kept, we need better security in place, as well as better ways for individuals to have the ability to check the data being collected about them, and see what it actually says. I shouldn't have to wait until I find myself in trouble to find out there is erroneous data out there about me. I can always pull my credit report and challenge that information; I can't do that with "secret" databases being accessed by the government.
Your government at work. These are the people responsible for protecting all of the personal information that is included with your taxes, and they can't even find all of their own computers in order to upgrade them, and some of the ones they have found are still running 12-year-old versions of Windows Server.
That's just fantastic.
"Such concerns didn’t strike me as farfetched, but I was reluctant to air them in mixed company. I knew that many of my fellow citizens took comfort in their own banality: You live a boring life and feel you have nothing to fear from those on high. But how could you anticipate the ways in which insights bred of spying might prove handy to some future regime? New tools have a way of breeding new abuses. Detailed logs of behaviors that I found tame—my Amazon purchases, my online comments, and even my meanderings through the physical world, collected by biometric scanners, say, or license-plate readers on police cars—might someday be read in a hundred different ways by powers whose purposes I couldn’t fathom now. They say you can quote the Bible to support almost any conceivable proposition, and I could only imagine the range of charges that selective looks at my data might render plausible."
I don't necessarily recommend becoming paranoid, but it'd be silly to continue walking around without recognizing how much of our behavior, especially online, is being monitored, recorded, and interpreted out of context. Right now it's more likely that Apple, Google, Facebook et al, are using the information to push ads to you, but don't discount how much government agencies are doing the same tracking, and potentially making decisions about you based solely on that information.
The article is a long read, but worth the time. Unless you want to continue living in blissful ignorance.
Yet another reason you should not, repeat NOT, just plug in a USB drive that you find lying around! Only use ones that you, or someone you trust, has used to store data.
Also, ones that your instructor gives you at training classes I teach should be safe too. I plug those into my laptop in order to copy the class files first, so if there's a massive problem, it'll hit me! ;-)
Honestly, I haven't given much thought to boarding passes. When I have a printed one, I typically hang on to it and throw it away once I reach my destination, assuming that once the flight has been completed, it has no value. (I am crazy about not losing it before a flight, out of what is probably an irrational fear of someone else boarding the plane in my place, but hey, it's my fear.)
Given all of the information about me that is available in the text, let alone the barcode, I should probably hang on to all of them until I get home and shred them though, instead of tossing them at the hotel. Or, always just use electronic ones, which stores them on my phone, but really, aren't we all taking precautions to protect all of the other data that's on our phones anyway?
"As the Internet of Things continues to expand, so too will the sources of potentially material evidence. Xively, a part of LogMeIn, claims to connect 400 million devices, from usual suspects like computers down to individual light switches. The usefulness of that information those devices collect will continue to increase as IoT manufacturers improve their ability to connect device interaction with individuals. Just last Thursday, LogMeIn announced Xively Identity Manager which seeks to link device usage to individuals.
Take a nap? Turn off a light? Turn down the A/C? The Internet of Things knows and it's keeping a record."
This will be interesting to watch. Lawyers are already struggling with eDiscovery from mobile devices and things we've already had for years. As the Internet of Things starts tracking lots of information about us, how will that data play out, and how will we verify that the data is correct? How many people really think about whether the reporting can be hacked, making it appear that our car was in a specific area, when it really wasn't, for example?
Never a dull moment!
This article reminded me of a statistic I saw during a presentation on insider threats last week. In a recent survey, over one third of employees would willingly sell their passwords/access to anyone, some for as little as $150.
See the problem here is that while so many people are starting to wake up to the data security problem that we have, and some are even starting to realize that the people who have access to that data are the most important link to that data when it comes to keeping it secure, I don't know that many are correlating that fact with just how disengaged some of their employees are.
An employee who would sell their access credentials for cash, is an employee who doesn't care at all about the organization they work in, and in many cases, why should they? Yes, it's unprofessional, and illegal, and I can give you a host of other reasons why anyone should at least care enough not to do this, but I also understand it. I've worked at jobs I've hated, for organizational "leaders" I had no respect for, for managers who showed no respect for the people doing the actual work, and so on. It's a miserable existence, and after I left, I felt zero sympathy for the company when bad things happened.
Given those sort of working conditions, is it any wonder your employee would sell you out?
"Fingerprints are another type of data entirely. They're used to identify people at crime scenes, but increasingly they're used as an authentication credential. If you have an iPhone, for example, you probably use your fingerprint to unlock your phone. This type of authentication is increasingly common, replacing a password -- something you know -- with a biometric: something you are. The problem with biometrics is that they can't be replaced. So while it's easy to update your password or get a new credit card number, you can't get a new finger.
And now, for the rest of their lives, 5.6 million US government employees need to remember that someone, somewhere, has their fingerprints. And we really don't know the future value of this data. If, in twenty years, we routinely use our fingerprints at ATM machines, that fingerprint database will become very profitable to criminals. If fingerprints start being used on our computers to authorize our access to files and data, that database will become very profitable to spies."
This is bad, and really we have to question the government for storing all that fingerprint data in one central location. This is the main problem for those of you who think you have nothing to hide and the government can collect whatever data they want. When they don't protect it properly, now some bad actor has a copy of personal information and potentially a fingerprint to go along with it. That opens the doors to a lot of things we normally assume as being secure. It also opens the door to that data being planted in various places as well. Who wants to have to worry about that?
"For several years, TrueCrypt was the gold standard in PC disk decryption suites. That changed nearly 18 months ago, when the individuals who developed the software abruptly quit. The developers declared that the existing software was “not secure as it may contain unfixed security issues,” provided a final version of the software to decrypt data, and shut the project down. This was all the more puzzling when two extensive security audits found no bugs of significance. As of today, that’s changed."
Welp, there goes that. In the time since TrueCrypt shut down, what have you been using for encryption?
I don't really know why this isn't a job requirement for people with a security clearance already. Shouldn't the ability to understand and use technology appropriately be the part of most job performance evaluations? Shouldn't the inability to do that result in not getting a good evaluation?
If so, shouldn't someone granted a security clearance lose that clearance if they perform poorly at actually keeping things secure?
"Financial data has a finite lifespan because it becomes worthless the second the customer detects the fraud and cancels the card or account. Most forums for such data have a high enough surplus of stolen payment cards that they have fire sales.
But information contained in health care records has a much longer shelf life and is rich enough for identity theft. Social Security numbers can't easily be cancelled, and medical and prescription records are permanent. There's also a large market for health insurance fraud and abuse, which may be more lucrative than simply selling the records outright in forums."
Some great resources to learn more about cybersecurity and ethical hacking at your own pace. Definitely going to be bookmarking this myself!
I didn't manage to get to sessions where data security was the main topic, but I know it was a large topic of conversation all around the conference. Law firms are being held responsible by clients for keeping data that belongs to those clients secure, but it's a tough thing to do when you don't even know what data you have or where it's been stored. Trying to do that is the first challenge many firms are facing.
Not surprising at all is it? If you want to target sensitive data, a third party who doesn't have the same strong sense of protecting it, and an industry that has a reputation for somewhat lax security measures, would be a pretty tempting place to start.
The exposure to being hacked raises a lot of questions about the so-called Internet of Things. If everything is connected to the Net, then everything is tracking you. That information is valuable in and of itself to hackers looking to embarrass or blackmail people.
But, as bad as that is, what is worse is the ability of hackers to actually take control of those devices, especially when talking about medical devices, or transportation. Given the number of hacks that have already been reported, and the severity of them, I have little faith that anyone can truly protect our information or devices.
Maybe I'm just a pessimist. What do you think?
Can we really be surprised? This is why I've written before that while using mobile technology to replace banks for many people impossible, the security has to get better!