Pokemon Privacy: Catching Them All, Safely

By | July 18th, 2016|Industry News, Malware and Scams, Online Safety|

On July 6, Niantic launched Pokemon Go — a free, augmented reality game for iOS and Android devices. The world went wild. Pokemon Go grabbed 26 million users in the U.S. alone, surpassing both Google Maps and Twitter in daily active users.

It’s been hard to escape the colorful news over the past week. Articles continue to surface on where to find the best Pokemon, how to catch them, and (most importantly) how to stay safe while doing so. In addition to warning users to be aware of their physical surroundings, many headlines warn of the cybersecurity risks involved with the game.

Full Google Account Access
One of the main concerns was Pokemon Go’s access to iOS users’ full Google Accounts. Although the app was vague on what this entailed, many privacy experts and users were concerned the game could access everything from Gmail to Google Drive.

Niantic was quick to respond to the alarm, claiming this was an error. “Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected,” Niantic said in a joint statement with The Pokemon Company.

The statement also clarified that no additional information has been received or accessed within Google. Instead of potentially accessing your entire Google footprint, the app can now only access your Google user ID and email address.

Take Action: iOS players should take care to update the app from the App Store and re-login to accept this updated privacy policy.

Malware Threats
Pokemon Go is only currently available in the United States, Australia, New Zealand, and United Kingdom, though it will soon be available in Italy, Spain and Portugal. While other regions wait for their chance to build their Pokedexes, many over-eager gamers are downloading versions from third-party sites.

“When it comes to malware, you really don’t want to catch ’em all,” Tim Erlin, Director, Security and IT Risk Strategist at Tripwire told InformationSecurityBuzz.com. “Cybercriminals are after any angle that helps them gain a foothold on your devices. A popular app that’s not available in some places is a near-perfect target for crafting a malware delivery strategy. … Installing software from third-party markets and unknown sources increases your risk of malware. Period.”

The security firm Proofpoint claims to have found a third-party version of the game which included a RAT, or remote access tool, called Droidjack. While Proofpoint has not observed the malicious tool “in the wild,” Droidjack has the potential to give a cybercriminal full control over a victim’s phone.

Take Action: If Pokemon Go is not currently available in your area, be patient. Do not risk infecting your phone and devices with malware. Android users should also take care to download the app from App Store.

Watch Where You Work
The cybersecurity risks around Pokemon Go give employers a great opportunity to create a conversation around BYOD security (and time management) in the workplace. Companies and employees should be aware that a device infected with malware could affect the entire network’s security.

Take Action: Brush up on our best practices for protecting your business.

Create a Conversation with Kids
While apps – and Pokemon – are meant for fun, it’s important to examine the privacy policies of all your apps to ensure you are not over-sharing data. This can help lead into a conversation with your family, and especially your kids, about privacy and security.

Discuss what types of information should be kept private, both online and in person. Discuss concerns over connecting devices to public Wi-Fi, and how to recognize a scam. Creating a conversation now can lead to better cybersecurity habits later.

Take Action: We discuss more tips for talking to your kids about privacy.

Are you playing Pokemon Go? Let us know your experience with the app and how you’re protecting your information. Join in the conversation on Facebook, Twitter or LinkedIn!

Cybersecurity in 2016: Reflections on the First Half of 2016

By | June 30th, 2016|Data Breaches, Industry News|

With July just around the corner, it’s hard to believe we’re already halfway through 2016. Throughout the last six months we’ve seen some major cyber security incidents make headlines. According to the Identity Theft Resource Center, since January 1, 2016, there have been a staggering 500 breaches, with over 12.8 million records exposed. The breaches span the verticals of financial services, business, education, government/military, and government/healthcare. If things continue tracking this way, we may very well surpass last year’s total of 780 breaches.

The heaviest hit sector this year was the business sector, coming in at 46.5% of all breaches. Some of the bigger breaches in this category were caused by phishing attacks. In one case, a scammer impersonated the company’s chief executive officer and asked for employee payroll information. The email was not recognized as a scam and as a result, personal information about some current and former employees was disclosed.

This underscores something we have stressed time and time again on this blog: the importance of education at the business and consumer levels. While cyber criminals continue to develop new skills, we’re seeing the same techniques being used in attacks. According to Gartner’s recently-released security predictions, “through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”

The good news about this is that protecting our identities is largely in our hands. By creating long, strong and unique passwords across accounts, being careful about what and where we click, keeping an eye on any suspicious activity, and enlisting the help of a third-party monitoring service, we can stay one step ahead of cyber criminals.

When it comes to reversing the trend of growing breaches, we all play a role. How are you committing to safe cyber practices for the rest of 2016? Share with us on Facebook, Twitter and LinkedIn.

National Internet Safety Month: Creating a Conversation at Home

By | June 17th, 2016|Industry News, Online Safety|

June is National Internet Safety Month, which began in 2005 in order to raise awareness around the need for online safety, especially among children and teens. In honor of Internet Safety Month, this week we’re diving into how to start a conversation with your family around Internet security.

Late last year, it was reported that teens spend nearly nine hours every day in front of some form of media channel. Pew Research Center also recently found that, “… aided by the convenience and constant access provided by mobile devices, especially smartphones, 92% of teens report going online daily — including 24% who say they go online ‘almost constantly.’”

With so much time spent online it’s clear that, perhaps more than ever before, parents need to start a conversation around Internet security with their children.

What dangers may be associated with so much time spent online? One that may not be immediately obvious is the growing trend of child identity theft. As adults, we know using the Internet comes with certain risks, but parents often do not realize that their children face these same risks while online. This is especially troubling considering young people are already much more vulnerable to identity theft: children are 35 times more likely to have their identities stolen than adults. In our 2013 survey on the subject, CSID found that 52 percent of parents are not taking measures to prevent the misuse of their child’s online information.

These statistics underscore the importance of starting a conversation with your children about online risk. Here are some pointers to get started:

  • Talk to your child about privacy: Teach your child what types of information should be kept private, and talk to them about the importance of guarding this information, both online and in person. Remind them that they should check their social media privacy settings every few months to make sure their information stays private.
  • Teach your child to recognize scams: Fraudsters can send texts or emails that look like they’re from a familiar source –tricks which young people are especially prone to falling for. Tell your kids not to click on links or respond to messages that ask for personal information.
  • Educate your child around password best practices: Encourage kids to create long, strong and unique passwords, especially for their social media accounts. Strong passwords should be a cryptic combination of upper and lowercase letters, numbers and special characters.
  • Ask about your child’s gadgets: Have your child show you their gadgets – gaming console, cell phone, computer, tablet – and familiarize yourself with them. Use this time to recognize the unique risks, and opportunities to bolster security, on each device.

Have more online privacy tips to share? Join the conversation over on Facebook, Twitter and LinkedIn, and check out our blog post “5 pieces of information kids should not share online” for more child identity theft protection tips.

Passwords Going the Way of the Dinosaur?

By | June 3rd, 2016|Industry News, Online Safety|

We have discussed passwords many times on this blog and how poor password habits, such as easy-to-guess logins and reusing passwords across multiple accounts, can easily lead to identity theft and fraud. Password management can be difficult – we get it – and so does Google.

At this year’s Google I/O conference, the company announced Trust API, a new feature that will be available to Android developers by the end of the year that uses a combination of biometrics to create a “Trust Score.” The API uses biometrics such as your location, typing cadence, and facial recognition to determine if you are who you really say you are. If the Trust Score is over a certain number, the device will automatically log you in – no password or pin needed. If the Trust Score falls below a certain threshold, a password and two-factor authentication may be required.
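To make the threshold logic concrete, here is an added Python sketch of a risk-based sign-in decision of the kind described above. It is not Google’s code: the Trust API’s real signals, weights and thresholds have not been published, so the weights, the two thresholds, the middle “password only” tier and the rule that a missing signal counts as zero are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed weights and thresholds (assumptions, not Google's formula).
WEIGHTS = {"location": 0.3, "typing_cadence": 0.3, "face": 0.4}
AUTO_LOGIN_THRESHOLD = 0.8   # at or above: signed in with no password or PIN
STEP_UP_THRESHOLD = 0.5      # below: password plus a second factor


@dataclass
class Signals:
    """Per-sign-in biometric evidence, each normalised to 0..1.

    None means the signal could not be collected (sensor off, no history);
    the scorer treats it as 0 so that missing evidence never raises trust.
    """
    location_match: Optional[float]   # how well the location matches history
    cadence_match: Optional[float]    # similarity of typing rhythm to profile
    face_match: Optional[float]       # face recognition confidence


def _value(x: Optional[float]) -> float:
    return 0.0 if x is None else max(0.0, min(1.0, x))


def trust_score(s: Signals) -> float:
    """Weighted combination of the signals, clamped to [0, 1]."""
    score = (WEIGHTS["location"] * _value(s.location_match)
             + WEIGHTS["typing_cadence"] * _value(s.cadence_match)
             + WEIGHTS["face"] * _value(s.face_match))
    return max(0.0, min(1.0, score))


def decide(s: Signals) -> str:
    """Map a trust score to the authentication the device should demand."""
    score = trust_score(s)
    if score >= AUTO_LOGIN_THRESHOLD:
        return "auto_login"
    if score >= STEP_UP_THRESHOLD:
        return "password"
    return "password_and_2fa"


if __name__ == "__main__":
    # Constructed sign-in attempts: familiar device, partial match, unknown.
    for s in (Signals(1.0, 1.0, 1.0), Signals(0.9, 0.5, 0.6), Signals(0.2, 0.3, None)):
        print(round(trust_score(s), 2), decide(s))
```

The point a practitioner should take from the sketch is the failure mode: every signal that is unavailable or spoofable has to push the score down, never up, otherwise an attacker who can simply disable a sensor gets an easier login than the legitimate user.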

Consumers often use easy-to-guess passwords and reuse them across multiple sites because they simply don’t want to remember multiple passwords. The same goes for two-factor authentication. Most consumers don’t turn on two-factor authentication because they want to access sites quickly, without the added step of entering a pin or answering a question. People want ease of use. We explored the issue in a 2012 survey that found that 61 percent of respondents reused passwords across multiple sites and 44 percent changed their passwords once a year or less. Despite the many high profile breaches over the past four years, it doesn’t seem like password habits have improved. Identity and access management firm, Gigya, conducted a similar survey last month and found that 56 percent of respondents used passwords such as names and birthdates, and only 16 percent created a unique password for each of their online accounts.

But are consumers ready to embrace biometrics such as location tracking and typing cadence? We’ll have to wait and see. The fact remains that our current password system has a lot of flaws and it is going to take a combination of consumer education and new technologies to reduce the impact of stolen and hacked passwords on consumers and businesses.

What are your thoughts on Google’s Trust API? Share with us on our social – on Facebook, Twitter and LinkedIn.

March Madness Madder Than Ever

By | April 14th, 2016|Industry News|

It’s no wonder they call it March Madness: this year’s NCAA tournament was particularly exciting between the upsets in the first two rounds and a National Championship that ended on a buzzer beater. If you followed along on the CBS Sports app, you’ll want to take note of the below.

According to mobile data management and security firm Wandera, the CBS Sports app and mobile website had a data leak during the NCAA Tournament, which may have compromised user data, including user names, birthdays, email addresses, account passwords and ZIP codes. Social Security and credit card numbers were not compromised.

Wandera says the site and app weren’t properly encrypted, and that they made the discovery unintentionally, while doing research on sports applications before March Madness began. With encryption top of mind for consumers, especially in the wake of the Apple and FBI battle, instances like these show that mobile apps and sites may still be vulnerable, whether or not they are encrypted.

To be clear, Wandera is not purporting an actual breach occurred, just that the data was not properly encrypted. CBS Sports has denied a data breach happened at all, and claims to rigorously monitor and test its platforms for potential issues.

Hackers are particularly attracted to large events like March Madness, as the surrounding excitement results in an uptick of traffic to sites or mobile apps. CBS Sports and Turner Sports provided exclusive coverage of the national championship game, and said the final match-up amassed 2.5 billion minutes of consumption across digital and TV platforms. Especially during these highly trafficked times, companies must be diligent in ensuring their content is secure.

Consumers can protect themselves as well—anyone using the CBS Sports app should start by immediately changing their password. It’s good practice to make a habit of regular password updates after any major event, like increased traffic, that might affect an app or site, making it a more desirable target for cyber criminals. If you reused the same username and password combination for another account, it’s in your best interest to change that password too.

It’s also good practice to keep your device software up-to-date. Check for updates frequently so that your device always has the latest security patches in place. The next time you see an update notification, click yes or make it easy on yourself and set your system to automatically update.

While your bracket might reveal poor choices, don’t make the same mistakes with your personal information. These simple, yet vital practices, like changing your password and saying yes to software updates, can help safeguard your personal information.

All Eyes on Encryption: WhatsApp Takes a Stand

By | April 11th, 2016|Industry News|

In the wake of the San Bernardino tragedy back in February, the FBI asked Apple to build a new, custom version of its iOS to help unlock one of the shooters’ phones. Apple very publicly declined, issuing an open letter to its customers that quickly sparked a massive national debate around consumer privacy and international security.

It seems that since that time, we’ve seen a heightened awareness around encryption. The most recent example is last week’s major news that WhatsApp, the online instant messaging service owned by Facebook with more than one billion global users, rolled out end-to-end encryption for all of its users.

What exactly does this mean? According to a blog post written by WhatsApp CEO Jan Koum, this latest software update has ensured that every conversation on the messaging service – whether private or a group chat – will have full, end-to-end encryption, meaning that only the recipient is able to see the message. “No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us,” said Koum.

While many privacy advocates have hailed this move from WhatsApp as a hallmark victory, others have expressed concern.

The FBI’s top attorney, General Counsel James Baker, spoke out during an event hosted by the International Association of Privacy Professionals (IAPP): “If the public does nothing, encryption like that will continue to roll out,” he said. “It has public safety costs. Folks have to understand that, and figure out how they are going to deal with that. Do they want the public to bear those costs? Do they want the victims of terrorism to bear those costs?”

Other opponents of encryption include Senators Dianne Feinstein of California and Richard Burr of North Carolina, who made headlines last Friday for introducing a bill intended to “tackle the rising use of strong encryption technology that cannot be decrypted by anyone without the correct key – including law enforcement and the companies responsible for creating it.”

Regardless of where you stand in the consumer privacy versus national security debate, one thing is certain: we’ll continue to see moves from the public and private sector in the next few months shaking up headlines. What do you think about end-to-end encryption? Weigh in with us on Facebook, Twitter and LinkedIn.

Cybersecurity Took Center Stage at SXSW 2016

By | March 24th, 2016|Industry News|

We’re just about a quarter of the way through 2016, and we’ve already seen some cybersecurity trends taking shape. We presented at South by Southwest Interactive earlier this month, participating in and engaging with some of the biggest technology conversations from around the world. If you missed any of our panels, be sure to check out our recent recap.

While we were excited to present, we were just as excited to attend some of the other sessions diving into the latest in this space at SXSW. The conference further stressed what we already know: There are plenty of things to keep an eye out for as we continue into 2016 and beyond.

The Balance of National Security and Consumer Privacy
Apple made headlines earlier this year in the wake of the San Bernardino tragedy, declining to build a new, custom version of its iOS to help unlock one of the shooters’ phones. This triggered a debate on consumer privacy in the name of national security, and during his SXSW Interactive keynote speech, President Barack Obama addressed the fine line between the two.

He wasn’t the only one. Passcode participated in a number of panels on the subject. In fact, cryptologist Matt Blaze suggested it’s a lot more complex than just security versus privacy. Encryption simply isn’t widespread enough – and isn’t 100 percent foolproof – to ensure complete consumer privacy. “We are in what can only be described charitably as a cybersecurity crisis,” Blaze said, stating that his field still has a long way to go.

Defining a Company’s Role in Society
While most tech enthusiasts applauded Apple for their steadfast stance, not everyone felt they were completely innocent. Stewart Baker, former general counsel for the National Security Agency, believes Apple “isn’t being socially responsible” on the subject of encryption. He went so far as to suggest that if a company is profiting from the privacy benefits it offers, then it should have to take on a portion of the costs in fighting crimes.

“How about letting victims of crimes that have not been solved because of encryption sue Apple for damages?” Baker said.

Blaze added that weakening encryption systems will actually hurt the government’s ability to pursue criminals. “It’s a fundamental problem of computing,” he said. “If those systems aren’t as strong, they’re easier to infiltrate.”

Companies nowhere near the size of Apple can still create a better security culture. “You can’t iterate the trust your users have in you,” said Heather West, senior policy manager at Mozilla during a SXSW talk. In essence, consumers are happy to give up more data if they feel secure in your presence, but if that trust ever disappears, it’s nearly impossible to get it back.

Staying Secure Among Robots and the Internet of Things
Writer Kevin Kelly spoke at a panel about the trends in software, robotics and data. While there’s certainly some concern in the general public about robots taking over, Kelly urged us to focus on using robotics for good, as in the case of self-driving cars whose only knowledge is how to get passengers to their destinations safe and sound.

With wearables and the IoT continuing to expand, we’re seeing progress in a number of fields that can enhance our quality of life: IEEE Spectrum has done research into brain prosthetics to help restore memory, and graphene wristbands that not only monitor blood sugar levels, but also correct them.

At one panel, Intel’s vice president of law and policy Ruby Zefo said she recently was notified that her home’s temperature could be adjusted based on who was currently inside of it. The technology would determine the home’s occupants via location services in their mobile devices. Sure, it’s convenient, and could even save money by turning off the heat and air conditioning when no one was home. But Zefo opted not to give up that personal data, and suggested everyone at least consider what information they provide. “You’ve got to be a wise consumer,” she said. “If you have zero privacy, you should get over it, because you did it to yourself.”

SXSW was full of great conversations, and it’s interesting to see where things are headed in the coming months and years. We’ll be weighing in on these trends and more this year, so be sure to follow us on Facebook, Twitter and LinkedIn.

Snapchat’s Phishing Attack: A Reminder That Security Starts with Employee Education

By | March 2nd, 2016|Business Security, Industry News, Malware and Scams|

Snapchat, the popular ephemeral messaging application, just announced a phishing attack that has compromised the identities of a number of its current and former employees.

According to a blog post from the company, Snapchat’s payroll department was targeted by an isolated phishing scam, where a scammer impersonated the company’s chief executive officer and asked for employee payroll information. The email was not recognized as a scam and as a result, personal information about some current and former employees was disclosed.

Snapchat has not revealed the specific information that was released, but because it is sensitive payroll information, it could likely include everything from salary data and Social Security numbers, to bank details and addresses.

The frequency of phishing attacks continues to rise, and even unsophisticated hackers now have access to the tools needed to orchestrate an attack. According to a report from PhishLabs, “basic, even free, phishing kits now contain a variety of clever functions, as well as obfuscation and anti-analysis techniques.” While more sophisticated attackers are selling phishing kits for anywhere between $1 and $50, others are making them freely available.

In 2015, the FBI coined the term “business email compromise” to describe the growing category of phishing attacks targeting American companies. As of August 2015, the Bureau estimated that “since 2013, the total dollar losses to American companies exceeded $740 million, while only hitting around 7,000 targets. When international victims are added in, the losses total $1.2 billion.”

As with the case of Snapchat, attackers frequently impersonate executives from the company in order to hack in to company networks. These attacks are often difficult to detect. It’s essential that companies invest time in educating their employees on safe email practices, including:

  • Using strong, unique passwords and enabling two-factor authentication whenever possible
  • Keeping all systems up-to-date with the latest security patches and updates
  • Avoiding sharing sensitive information over email, or utilizing code words to verify that the person requesting the information is indeed that person and not an attacker
  • Not clicking on any suspicious links
  • Deploying SPAM filters
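Several of the practices above can be backed by a mail filter that flags the pattern in the Snapchat case: an executive’s display name on a message whose sending or reply domain is outside the company, combined with a request for payroll data. The Python below is an added example, not Snapchat’s or any vendor’s filter; the company domain, executive names, keyword list and sample messages are all constructed for illustration.

```python
import re
from email.utils import parseaddr
from typing import List

# Constructed organisation data (assumption): legitimate mail domains and
# the executives whose names are most likely to be impersonated.
COMPANY_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}

# Phrases typical of payroll and finance requests; illustrative, not exhaustive.
SENSITIVE_REQUEST = re.compile(
    r"\b(w-?2s?|payroll|wire transfer|bank details|ssn|social security)\b", re.I)


def _domain(address: str) -> str:
    """Lower-cased domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(from_header: str, reply_to: str, subject: str, body: str) -> List[str]:
    """Return the reasons a message looks like executive impersonation.

    An empty list means no check fired; the caller decides whether one reason
    is enough to quarantine or only to add a warning banner for the reader.
    """
    reasons: List[str] = []
    display_name, _ = parseaddr(from_header)
    name_key = " ".join(display_name.lower().split())
    from_domain = _domain(from_header)

    # 1. An executive's name in the display name, but sent from outside the
    #    company: the classic free-webmail CEO spoof.
    if name_key in EXECUTIVES and from_domain not in COMPANY_DOMAINS:
        reasons.append(
            f"display name matches {EXECUTIVES[name_key]} but sender domain is '{from_domain}'")

    # 2. Replies redirected to an outside mailbox, which keeps the conversation
    #    away from the real executive even when From: looks right.
    if reply_to and _domain(reply_to) not in COMPANY_DOMAINS:
        reasons.append(f"Reply-To points outside the company ('{_domain(reply_to)}')")

    # 3. The message asks for exactly the data these scams are after.
    if SENSITIVE_REQUEST.search(subject + " " + body):
        reasons.append("requests payroll or financial data")

    return reasons


# Constructed sample messages (not real mail): from, reply-to, subject, body.
SAMPLES = {
    "legitimate": ("Jane Doe <jane.doe@example-corp.com>", "",
                   "Board lunch", "Can we move the lunch to Thursday?"),
    "webmail_spoof": ("Jane Doe <ceo.janedoe@webmail.example>", "",
                      "Urgent: W-2s", "Send me all employee W-2 forms today, I am in a meeting."),
    "reply_to_hijack": ("Jane Doe <jane.doe@example-corp.com>", "jane@mail-relay.example",
                        "Payroll report", "Please reply with the payroll spreadsheet."),
}

if __name__ == "__main__":
    for label, fields in SAMPLES.items():
        print(label, "->", assess_message(*fields) or ["no findings"])
```

None of these checks replaces the “code word” or call-back verification the list recommends; a compromised internal mailbox passes all three, so the filter is a way to catch the cheap attempts and give humans a banner, not a substitute for out-of-band confirmation before payroll data leaves the building.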

How are you keeping your company safe from phishing attacks? We’d love to hear from you–connect with us on Facebook, Twitter or LinkedIn.

What we can learn from Apple’s open letter to its customers

By | February 19th, 2016|Industry News|

In the wake of the San Bernardino tragedy, the Federal Bureau of Investigation (FBI) seized an iPhone that was used by one of the shooters. Recently, the FBI obtained a court order from a California district court, requesting Apple’s assistance in cracking the phone’s passcode. This has sparked an interesting debate around encryption, the outcome of which will ultimately have an impact on us all.

The FBI is asking Apple to build a new, custom version of its iOS to help unlock the phone. While later versions of the iPhone have a special security protection that cannot be manipulated by customizing the iOS, an iPhone 5c—and all models prior—can be. If Apple were to move forward with creating the software, the FBI could bypass the security measures that protect the passcode, including the erasure of the key that decrypts data after 10 incorrect passcode guesses and the timed delay after incorrect guesses.
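The two protections the FBI wants disabled, the timed delay after wrong guesses and the key erasure after ten failures, are easier to reason about in code. The following Python model is added here for illustration and is not Apple’s implementation; the delay schedule, the PBKDF2 parameters and the names PasscodeGuard and attempt are assumptions. What the model does show is why the custom firmware matters: with the counter and delays intact, a wrong passcode can be tried at most nine times before the data becomes unrecoverable.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILURES = 10          # from the post: key erased after 10 incorrect guesses
# Seconds of lockout imposed after the Nth failure (index = failure count).
# Constructed schedule for illustration; Apple's real timings are not on the page.
DELAY_SCHEDULE = [0, 0, 0, 0, 0, 60, 300, 900, 3600, 3600]
PBKDF2_ROUNDS = 50_000     # assumption; makes each guess cost real CPU time


@dataclass
class PasscodeGuard:
    """Models a device that protects a data-decryption key behind a short passcode."""
    passcode: str                      # consumed in __post_init__, then cleared
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    data_key: Optional[bytes] = field(default_factory=lambda: os.urandom(32))
    failures: int = 0
    lock_until: float = 0.0            # seconds; attempts before this are refused
    _verifier: bytes = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self._verifier = self._derive(self.passcode)
        self.passcode = ""             # keep only the derived verifier, never the clear passcode

    def _derive(self, candidate: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, PBKDF2_ROUNDS)

    def attempt(self, guess: str, now: float) -> str:
        """Try one passcode at time `now`; returns unlocked, wrong, locked or wiped."""
        if self.data_key is None:
            return "wiped"                     # key is gone; nothing left to unlock
        if now < self.lock_until:
            return "locked"                    # timed delay still running
        if hmac.compare_digest(self._derive(guess), self._verifier):
            self.failures = 0                  # a correct passcode resets the counter
            return "unlocked"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.data_key = None               # erase the key: data is now unrecoverable
            return "wiped"
        self.lock_until = now + DELAY_SCHEDULE[self.failures]
        return "wrong"


if __name__ == "__main__":
    # Constructed walk-through: repeated wrong guesses until the key is erased.
    guard, clock = PasscodeGuard("1234"), 0.0
    for n in range(1, MAX_FAILURES + 1):
        print(n, guard.attempt("0000", now=clock), "next allowed at", guard.lock_until)
        clock = guard.lock_until + 1
```

Removing either protection from the firmware is the “master key” Apple’s letter refers to: with the counter gone the guess budget is unlimited, and with the delay gone each of those guesses costs only the PBKDF2 time.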

In response, Apple has written an open letter opposing the court order, saying it’s a threat to data security for all of its users, not just for this phone in particular. The company equates what they’re being asked to do with creating “a master key, capable of opening hundreds of millions of locks.” Once the information on how to bypass security controls is known, a hacker that obtains that knowledge can combat encryption. This “backdoor” could be dangerous if it falls into the wrong hands.

There is a legal precedent for all of this: the All Writs Act of 1789, which allows courts established by Congress to “issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law,” so long as it’s not an “undue burden.”

Of course, this raises an interesting question. Is asking Apple to essentially create malware that could harm its older devices an “undue burden”? Think of all the things you use technology for: shopping, banking, travel, staying in touch with friends and family. It’s an incredible convenience, and while there are inevitable risks, is this asking too much of Apple? One of their top priorities is ensuring their customers are treated fairly and their data is kept secure. On the surface, what the FBI is requesting makes sense–for Apple to help crack the phone of a terrorist. But if this request is granted, it creates a precedent for similar requests in the future, requests that could have an impact not just on older iPhones, but on Android devices, computers, and pretty much any piece of technology.

This discussion is a reminder of how important cybersecurity awareness is, and why we should all be taking action to keep our personal information secure. Even simple steps, like enabling biometric authentication whenever possible, utilizing unique passwords for online accounts, and monitoring personal information, banking or credit card accounts for any potential fraudulent activity, will go a long way in keeping data secure. Consumers need to do everything they can to be aware of emerging cybersecurity threats, as poor cybersecurity practices in one situation can impact everyone. By arming themselves with awareness around the risks that are out there, consumers will be better prepared for inevitable threats on the horizon.

In the meantime, we’ll be keeping a close eye on developments around this news. Do you have an opinion? We’d love to hear from you–connect with us on Facebook, Twitter or LinkedIn.

The Worst Passwords of 2015

By | January 22nd, 2016|Business Security, Industry News|

In our line of defense against hackers, our passwords may be the first – or last – hurdle between malicious cybercriminals and our most sensitive information. Unique, complex logins should be used to protect our emails, social networks, bank accounts, shopping transactions and more. It is important to take great care crafting these passwords; however, the majority of Americans do not.

Each January, password management firm SplashData compiles and shares a list of the worst logins from the year prior. In 2015, the firm examined more than two million passwords that were leaked and breached.

Holding fast at first and second place are “123456” and “password,” respectively. Both passwords have topped SplashData’s list for the past five years. In addition to thoughtless, keyboard-lazy passwords (like “111111” and “qwerty”), sports and pop culture references were also overused. “Football” was number seven on SplashData’s list, with “baseball” close behind at number 10. The Force also had a hand in some of the worst passwords of 2015, driving “princess,” “solo,” and “starwars” up the Top 25 list.

“As we see on the list, using common sports and pop culture terms is also a bad idea,” said Morgan Slain, CEO of SplashData. “We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.”

If your password(s) appear on this list, make a resolution to change them right now.

For the strongest passwords:

  • Make sure your combinations are at least 12 characters long, and are a cryptic combination of letters and numbers.
  • Take care to avoid your name, birthday, or pet’s name.
  • Create a unique password for each site.
  • Change your passwords a few times a year, and especially after being notified after a breach.
  • Implement two-factor authentication for sites whenever possible.
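A password policy check that enforces the bullets above and rejects the SplashData entries named in this post, added here as an example (it is not SplashData’s tool or CSID’s own code); the function names, the personal-detail matching and the fingerprint vault used for the reuse test are assumptions.

```python
import hashlib
import re
from typing import Dict, List, Sequence

# The SplashData 2015 entries named in this post, as a deny-list excerpt
# (a real deployment would load the full published list or a larger corpus).
WORST_2015 = {"123456", "password", "111111", "qwerty", "football",
              "baseball", "princess", "solo", "starwars"}
MIN_LENGTH = 12  # the post's recommendation


def check_password(pw: str, personal: Sequence[str] = ()) -> List[str]:
    """Return the policy rules a candidate password breaks (empty = acceptable).

    `personal` holds the details the post says to avoid: your name, birthday,
    pet's name. Each is also matched with non-digits stripped, so the birthday
    '1990-04-12' still catches '19900412' buried inside a password.
    """
    problems: List[str] = []
    low = pw.lower()

    if low in WORST_2015:
        problems.append("appears on the 2015 worst-passwords list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("needs both letters and digits")

    for item in personal:
        variants = {item.lower(), re.sub(r"\D", "", item)}
        for v in variants:
            if len(v) >= 3 and v in low:
                problems.append(f"contains personal detail '{item}'")
                break
    return problems


def _fingerprint(pw: str) -> str:
    """Hash used only to compare passwords for reuse without storing them in clear.

    Assumption for the example: a fixed prefix is acceptable because the
    fingerprints never leave the local vault; a real password manager keeps
    its own encrypted store and would not need this at all.
    """
    return hashlib.sha256(b"vault-reuse-check:" + pw.encode()).hexdigest()


def find_reuse(pw: str, vault: Dict[str, str]) -> List[str]:
    """Sites in `vault` (site -> fingerprint) that already use this exact password."""
    fp = _fingerprint(pw)
    return sorted(site for site, stored in vault.items() if stored == fp)


# Constructed vault of fingerprints for the "unique password per site" check.
VAULT = {
    "email": _fingerprint("Correct-Horse-7-Battery"),
    "bank": _fingerprint("Rx9!tulip-Marble-41"),
}

if __name__ == "__main__":
    for candidate in ("starwars", "alice2024rocks", "Correct-Horse-7-Battery"):
        print(candidate, check_password(candidate, personal=("Alice", "1990-04-12")),
              "reused on:", find_reuse(candidate, VAULT))
```

The deny-list check is the cheap part and the one most worth automating: every password on SplashData’s list is guessed in the first few seconds of any credential-stuffing run, so no length or character rule compensates for being on it.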

Did your password make the “worst” list? Will you change it? We’d love to hear what you think. Weigh in with us on Facebook, Twitter or LinkedIn.
