Cody Gredler

About Cody Gredler

Cody knows cyber security. As CSID’s Director of Marketing she has a keen understanding of what is going on both in the news and behind the scenes with the latest breaches, security threats and identity theft scams. Cody writes about the latest industry news, breaches, identity theft trends and often shares helpful security tips for both businesses and consumers.

Firewall Chats, Ep. 3: Simple Steps to Control Your Privacy

November 10th, 2015 | Firewall Chats

Did you log in to Facebook recently to see post after post of “privacy notices?” Those ineffective status updates were spawned by rumors of how people assume online privacy operates. There are a lot of unnerving rumors and myths circulating on the best way to control your information. In this week’s episode of Firewall Chats, we want to give you the facts and cut through the clutter.

We sat down with Katie Stephens from the University of Texas at Austin’s Center for Identity to discuss how to keep your information safeguarded, online and off. These habits don’t require you to copy/paste any text into your status updates, or sacrifice hours of your day. We offer simple tips you can adopt, right now.

At the Center, Stephens is the education program manager and has a heavy hand in UT’s new master’s program exploring identity management and security. Whether she’s speaking at SXSW or helping craft a security-related video game for kids, Stephens is dedicated to informing people about privacy and security.

“The key point surrounding privacy is to know what you value and to educate yourself accordingly,” she said. “The more you are willing to give up, with regards to your privacy, the more risk it opens you up to in terms of identity theft.”

We need to be careful not to give away data that is unnecessary to share, Stephens explained. Filling out forms in an urgent care clinic? Don’t feel the need to jot your Social Security number down.

“There’s absolutely no reason they need that information,” Stephens said. “You can leave it blank. If someone is insistent that they need your data, feel comfortable asking them why they need it, who has access to it, and what precautions they will take to keep it safe.”

We explore password health, children on social media, two-factor authentication, and the woes of identity theft with Stephens. To hear it all, listen on www.CSID.com/FirewallChats, and reach out to us on our Twitter and Facebook pages.

Save the Date: Our next episode will air on Tuesday, Nov. 24, and will feature CSID’s own Adam Tyler and the Internet of Things.

Firewall Chats, Ep. 1: Social Media Matters

October 13th, 2015 | Firewall Chats

Every day we click, like, post, tag, and swipe our lives across our favorite social media channels. The big players, like Facebook and Twitter, provide a life-sharing platform for billions and billions of users. But new channels are constantly competing for our attention and information.

Social media is a fantastic way to keep in touch with friends and family, promote your brand, and engage with celebrities. But there are dangers. Can a careless post lead to identity theft and fraud? Can it damage our privacy and reputation?

In our debut Firewall Chats podcast episode, we sat down with Chris Crosby, CEO of Inflection Point Global and managing director of SociallyActive.com, to discuss the above and share tips for staying safe on social sites.

Crosby’s interest in social media was originally piqued after talking to friends and family members over their concerns with oversharing and cyberbullying. SociallyActive.com was created to be a resource for parents and families to chaperon their children online. Today, when you see services offering to help monitor your social media accounts, there’s a good chance Crosby’s software is powering that technology.

In today’s episode Crosby reminds listeners that malicious minds will use any available information to their advantage.

One simple tip he offers listeners is to constantly edit your friends or followers list online. Should everyone see pictures of your kids or know where you live and work? Probably not. Be thoughtful with your connections and the information you’re sharing.

“As a general rule, don’t put anything online that you don’t want to be seen by a billion people,” Crosby says. “We don’t know what this world is going to look like in five years and how this data is going to be used against us.”

Our expert also goes on to discuss what you should never share online, how to be mindful when using the latest social network startups, and social media guidelines in the workplace.

Listen to the entire episode here: www.CSID.com/FirewallChats. And let us know your feedback on our Firewall Chats Twitter and Facebook.

Save the Date: Our next episode will air on Tuesday, Oct. 27, and feature Passcode Editor Michael Farrell on the latest cybersecurity trends.

Understanding the IoT Convenience/Security Tradeoff

October 8th, 2015 | Identity Protection, Industry News

If you’ve been to a music festival recently, you may have noticed something convenient about your wristband. Sure, it serves its main purpose of getting you into the event, but with recent technology, it now has the capability to do quite a bit more.

Take for instance Austin City Limits music festival, which took place last weekend and will run again this coming weekend here in Austin. Festival-goers have the opportunity to load their credit card information onto their wristband either online or via the mobile app to alleviate digging around in their bag or wallet in the middle of a busy crowd. Simply hold the chip in your wristband up to the POS reader on the vendor’s iPad and voila! You’ve paid for your drink, snack, or souvenir.

Sounds convenient, right? But consider this: As you exit the festival, there are people lined up, eager to buy your wristband from you. Sell it, and it won’t take much for the person to gain access to the personal information associated with the wristband and your credit card info. It would just be a matter of cracking the four-digit PIN that you set up when registering your wristband.

This is just one case to consider, which opens up a broader discussion around what we may be sacrificing from a security perspective in the era of wearables and the Internet of Things.

Wearables, particularly fitness bands, have taken off in the past few years. PwC recently reported that more than 20 percent of U.S. adults already own at least one wearable, and that there will be as many as 50 billion new connected devices by 2020. What users may not realize is that wearable tech creates a new opportunity for a massive quantity of private data to be collected – with or without the user’s knowledge.

Symantec threat researcher Candid Wueest recently shared with Wired that it’s not so much about the level of danger people put themselves in by wearing wearable devices, but more about the fact that at this point, developers are not prioritizing security and privacy. From his research, Wueest found that some devices sent data to a staggering 14 IP addresses. During his demonstration at Black Hat, Wueest identified six Jawbone and Fitbit users in the audience, showing how easy it was to find users’ locations, and specific details down to the time they left or entered the room.

But is it the wearable itself that poses the actual security threat? Gary Davis of Intel has explained (and we agree), that the weakest link is actually a user’s mobile phone, not the wearable itself. Most wearables link to your mobile phone, which, in comparison to the wearable device, hosts an exponentially greater amount of data, making it an irresistible target for hackers.

Before you cancel your order on that new fancy fitness tracker, keep this in mind: There are a number of simple, common sense steps you can take in order to protect your data. Consider buying a wearable that comes equipped with remote-lock capabilities, so that you can lock or erase its data if it is stolen. Also, as always, use a password to protect your device, use biometric authentication whenever possible, and keep an eye on user reviews online.

Stay tuned to the blog for more cybersecurity news throughout National Cyber Security Awareness Month. Share your thoughts with us on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

Industry News Recap: Connected Automobile Security

September 30th, 2015 | Industry News

Two weeks ago we published a blog on security in the Internet of Things, part of which addressed recently uncovered vulnerabilities in automobile software. Since that time, concerns about cars and cybersecurity have remained in the news.

Hacked cars have made headlines before, but the issue was recently thrust back into the spotlight when white hat hackers Charlie Miller and Chris Valasek revealed a flaw in Chrysler’s Uconnect system. The flaw allowed them to steer the vehicle, change its speed, disable the brakes and shut off the engine as it sped down a highway – all from the comfort of their couch. The two described the hack as “fairly easy” and “a weekend project.”

An article in Wired covered this demonstration in detail and included the fear-inspiring conclusion that if this flaw is not fixed, “the result would be a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles.” Days later, Tesla Motors was featured in a similar story, a sign that the auto industry’s connected cars are just as vulnerable to breach as our other Internet-connected devices.

There has been an evolving conversation around car security. As a result of Miller and Valasek’s research, Chrysler issued a recall on more than a million vehicles. Meanwhile, according to Dark Reading, “the automobile industry at large began to address growing concerns over security weaknesses and vulnerabilities in new and evolving vehicle automation and networking features.” Dark Reading also published a list of the world’s most hackable cars, while security influencers began weighing in on the best ways to reduce car hacking threats.

As of September, the ongoing conversation has yielded some promising progress. Miller and Valasek announced that they are joining Uber’s Advanced Technologies Center “to continue building out a world-class safety and security program at Uber.” Intel, a company with plenty of clout in the auto industry, also recently published a “Best Practices” white paper, providing recommendations for automakers to outfit their vehicles for privacy and cybersecurity “in the era of the next-generation car.”

The bonus of all the attention on car security? IoT security as a whole has been given more attention. Cars have not only pushed the Internet of Things forward, they have also reminded the world that as soon as anything is connected to the Internet, it becomes vulnerable to external parties.

Let us know what you think about security and the IoT on Twitter and Facebook. Be sure to check out our Tumblr for the latest industry news stories.

Industry News Recap: Zero-Day Exploits In The Limelight

August 28th, 2015 | Uncategorized

A large amount of tech coverage has recently been devoted to zero-day vulnerabilities and attacks and the industry’s widespread attempts to stop them.

The average Internet user has never encountered the term “zero-day attack” but it’s one that we are going to hear more about in future. A zero-day attack occurs when a hacker exploits a software flaw that is unknown to the developer. Techopedia’s Cory Janssen explains that this type of flaw is dangerous because “there is no known security fix [as] developers are unaware of the vulnerability or threat.” These threats are called “zero-day” because they occur on or before the day that a vendor becomes aware of the bug.

Zero-day attacks have long been a concern for software developers, but they have only recently received widespread attention due to a string of high-profile events. In July, leaked documents revealed multiple zero-day exploits in Shockwave Flash. From The Post-Standard: “Once the details were made public, it left anyone using Flash open to cyberattacks.” According to TechRepublic, the result was an eye-opening race that revealed hackers were able to create malware to exploit the flaws a full day before developers could patch them. Since then, zero-day attacks against a wide variety of developers have dominated the headlines.

The insidious nature of zero-day attacks is alarming, but developers have systems in place to combat them. An exciting example: bug bounty programs, which give monetary rewards to members of the general public who discover software bugs. The tech industry has long used bug bounty programs to incentivize hackers to uncover and report security flaws. Infosecurity Magazine reports that United Airlines has also adopted this strategy and has already “awarded millions of frequent flier miles to white-hats.”

For end-users, the best way to stay safe is to keep your software updated. Frequently check for updates to your browser and select “auto-update” wherever possible so that your device always has the latest security patches.

Let us know what you think on Twitter and Facebook. Be sure to check out our Tumblr for the latest industry news stories.

When Good Passwords Go Bad

June 19th, 2015 | Uncategorized

Last month, password manager LastPass announced that their system had been hacked, exposing email addresses and encrypted master passwords for its users. Users were notified and prompted to change their master passwords.

Shortly after, news broke of a flaw in Apple’s Keychain software that could let malicious software steal passwords across apps on your Mac. This flaw could result in exposed passwords to iCloud accounts, notes, photos, email accounts, banking, social media – you name it.

Both of these stories exemplify just how vulnerable our login systems are. As the LastPass hack shows – even when you are trying to do the right thing and safeguard your passwords, bad things can still happen.

One thing is certain: there is no surefire way to protect yourself against password loss due to hacks and malware unless you stay off the Internet altogether. However, there are some best practices you can implement to reduce the risk of a hack or breach.

Turn on Two-Factor Authentication
Two-factor authentication is typically comprised of two out of three identifiers:

  • Something you know, like a password
  • Something you have, like a token or code messaged to your phone
  • Something you are, like a fingerprint

Turning on two-factor authentication, especially on high-value accounts such as Amazon, Gmail and banking sites, is essential. This will ensure that even if your password is lost, a hacker will need the second form of authentication to access your account.

Practice safe password habits.
Do not reuse your password across multiple sites. Develop a passcode system that helps you remember the unique passwords you develop for each digital account you own. Passwords should be long, should not include any words found in a dictionary and should vary in character type (include special characters, capitalization and punctuation as password systems allow). Be sure to change passwords every six months and use two-factor authentication whenever possible.

Monitor your identity.
Use a service to monitor for suspicious activity of your personal information on the black market. Monitoring services will identify if your personal information, like your email address or password, is being shared on the dark web.

There are many interesting technologies and methods being explored to help secure our login systems. In the meantime, adhere to the above best practices to protect your accounts from unauthorized access. Were you impacted by the LastPass breach? Let us know how you responded on our Facebook or Twitter channel.

IRS Breach Shows What Happens to PII After it is Sold on the Black Market

May 29th, 2015 | Breach, Uncategorized

The IRS experienced a breach that is changing the way businesses and consumers think about personal information. Reporters attribute the IRS breach to a crime syndicate in Russia, who used personal information obtained elsewhere to exploit the Get Transcript feature on the IRS website. They successfully exploited 104,000 individuals and filed nearly $50 million in fraudulent tax funds.

“This breach is not just about what this single group is going to do with the information, but what happens when this information gets sold on the black market,” said cybersecurity author Peter Warren Singer to The New York Times. “It’s rare for the actual attackers to turn the information directly into money. They’re stealing the data and selling it off to other people.”

As Singer points out, this breach demonstrates how cyber criminals can take stolen data and exploit an online system to pick the pockets of thousands of consumers. Major data breaches thus far have proven that cyber criminals have the know-how to exploit major retailers’ security systems; this breach proves these criminals have more sophisticated schemes in their back pocket to cash in on the information they’ve stolen without having to find a vulnerability in an organization’s security system.

This is costly to businesses as it highlights the limited control they have on security breaches. Maintaining a healthy, secure system helps businesses avoid data breaches, but cyber criminals are working around secure systems by taking advantage of customers’ personal information. Gizmodo reporter Kate Knibbs calls this a “domino effect.” The way it works is that cyber criminals hack into a business’ system and steal customer data. Using that customer data, which includes name, address, email credentials and Social Security number, cyber criminals can log in to another business to make purchases or otherwise financially exploit a business. The result? A business is hijacked without its security system ever being hacked into. Cyber criminals are finding these workarounds, making their schemes more sophisticated and harder to identify from the outside.

So what exactly can we do to mitigate the risk of these types of breaches? Businesses and consumers must develop better habits and methods to protect their identities online. Password reuse is one of the most damaging habits of consumers. In fact, six out of 10 admit to reusing passwords across multiple sites. Convenience typically wins over security when it comes to interacting online. Businesses must innovate convenient options for consumers to better protect their digital identities. In the meantime, monitoring customer and employee credentials is a business’ best bet for protecting their assets.

How does this breach affect the way businesses handle security? How can businesses and consumers prioritize security over convenience when it comes to protecting digital identities? Let us know what you think on Facebook, Twitter and LinkedIn.

Healthcare Data Breaches Have Grown 125 Percent in Five Years

May 26th, 2015 | Breach, Uncategorized

There has been a noticeable uptick in the number of criminal attacks against healthcare facilities in the last five years. Ponemon recently released its Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, which shared a 125 percent increase in cyber attacks targeting healthcare data. The major shift in healthcare data breaches, according to the study, is that cyber criminals are intentionally targeting and exploiting healthcare data rather than accidentally coming across it during their exploits.

This shift in active pursuit of healthcare data shows that cyber criminals understand the value of healthcare data on the black market. Through our recent research, we have found that a medical identity, which includes a name, address, Social Security and health ID numbers, sells for $50 on the black market. A Social Security number sells for $1 and an active credit card sells for $3. A major contributing factor to the increase in healthcare breaches may also be due to the shift to digital healthcare records. Starting this year, healthcare facilities that do not show “meaningful use” of electronic health records are penalized, causing facilities to scramble to put records online.

The healthcare industry is a green market when it comes to following best security practices, which is why we’ve put together the top three ways healthcare organizations can keep their patient records secure:

  1. Educate employees. The most important part of having a secure network is making sure your employees are compliant with security standards. Educate employees on how medical identity theft happens and what to do from a HIPAA standpoint to keep patient data safe.
  2. Track, encrypt and password-protect mobile devices. Employees are connected via mobile devices more than ever, whether or not you have a formal BYOD policy. Be sure to create a policy that puts strict limits on how patient data can be viewed and shared on devices.
  3. Create an identity crisis response plan. If your healthcare data is breached, make sure to have a crisis plan in place, including communication with patients. Maintain the plan by training staff on relevant policies and procedures.

Are you surprised by the value of medical identities on the black market? How else can the healthcare industry get up to speed on best security practices? Let us know what you think on Facebook, Twitter and LinkedIn.

Overview of 2015 Verizon Data Breach Investigations Report

April 21st, 2015 | Breach, Uncategorized

Every year Verizon takes a thorough look at the global breach landscape in the company’s annual Data Breach Investigations Report. This year’s report offers a wealth of information on the threats, vulnerabilities and actions that plagued businesses in 2014. The report is long, but interesting and worth a read. To make it easier for you, we pulled what we feel are some of the most interesting findings below:

Compromised credentials remain the largest threat in 2014.
If this graph doesn’t encourage you to pick a good password, we don’t know what will. Credentials are like keys to your business. Passwords should never be reused and two-factor authentication should be used whenever possible.

Humans are the weakest link.
This year’s survey found that 23 percent of phishing email recipients open phishing messages and 11 percent click on attachments. When you consider that one employee clicking on the wrong link can compromise your entire business’ system, this is an alarming statistic. Verizon also conducted a test to see how quickly phishing links are clicked on. They found that nearly 50 percent of victims opened emails and clicked on phishing links within the first hour. Teaching employees about security best practices and how to identify suspicious links has never been more important.

According to the Verizon report, mobile malware is not a big deal… but it really is.
They found that only .03 percent of the tens of millions of mobile devices they looked at were infected with malicious malware. We don’t agree with this finding. Mobile malware is a huge problem. Over a 12-month period Kaspersky Lab found more than 3.4 million malware detections on devices of 1 billion users. As mentioned above, employees are the weakest link. All it takes is one employee downloading a malware-infected app on his or her phone to put a business at risk.

If you are concerned about your business and the security risks outlined in Verizon’s Data Breach Investigations Report, we recommend you check out our Resources Page. We have a lot of great information for businesses and consumers on how to mitigate the risk and impact of a breach.

As always, let us know what you think on Facebook, Twitter and LinkedIn.

Tips For Consumer Data Security After The Anthem Breach

February 10th, 2015 | Breach, Uncategorized

As the dust settles after Anthem Healthcare Insurance announced last week that approximately 80 million of its customers may have had their personal information exposed in a data breach, consumers are once again left wondering how they can protect themselves and their data in the wake of another high profile hack.

Though it’s being called the most massive breach yet, last week’s Anthem breach announcement comes not as a surprise, but rather a confirmation of the continuing expansion of online attacks and growing focus on medical ID theft that CSID has seen firsthand. Why? Medical IDs are an extremely lucrative source of income for identity thieves. According to the World Privacy Forum, a medical identity, including name, address, Social Security and health ID numbers – all information that was a part of Anthem’s breach – can sell for around $50 on the online black market. By comparison, a Social Security number currently sells for $1 and an active credit card can sell for $3.

Taking into account this unfortunate emerging cyber-crime trend, all consumers – including those directly impacted by the Anthem breach – should consider the following best practices:

  • Use a monitoring service to keep an eye out for signs of medical identity theft, including medical bills in someone else’s name or for medical services you did not receive.
  • Review your Explanation of Benefits (EOBs) to ensure the doctors listed and services provided are accurate. If you find an inaccuracy, contact your insurance provider right away.
  • Submit a benefits request to your insurance provider. The insurance provider will send a list of all benefits and services paid in your name. Review to ensure they are accurate. Some insurance providers have online systems with information.
  • Keep a close eye on your credit report for fraudulent activity, such as accounts you did not open. Under the law, you’re entitled to a free credit report from each of the three credit bureaus every year. You can visit AnnualCreditReport.com to obtain the most recent version of your credit reports. If you find an error on your credit report or an account that you do not recognize, please file a dispute with the credit bureau (TransUnion, Equifax, Experian) who generated the report and contact that bureau for more information.
  • Consumers may also place a fraud alert on their credit file, which tells creditors to double-check whenever someone applies for credit in your name. For example, when a credit card issuer receives an application for a new card, a fraud alert tells the company to contact you and make sure you’re really the one who submitted the application. You can place a fraud alert with each credit agency by following the links below:

Finally, Anthem has stated that they will be notifying affected customers and providing credit monitoring and identity protection services free of charge. Eligible individuals should definitely take advantage of this offering so that they can be closely aware of important changes to their personal records.

As always, let us know what you think on Twitter, Facebook or LinkedIn.