Information Security

4 seniors: Protecting yourself from identity theft

OKLAHOMA CITY – The government is in the process of removing social security numbers from Medicare cards, but with 58 million beneficiaries, it can be a huge task.
The Centers for Medicare and Medicaid Services will start sending the new cards next year, but it will take until December of 2019 for all cards to be replaced.
Officials say scam artists are already hard at work.
Some Medicare recipients report getting calls from scamsters who tell them that they must pay for the new card.
They then ask for their checking account and Medicare card numbers.
Until you receive a new card, the Privacy Rights Clearinghouse recommends that you carry your Medicare card only when you visit a health care provider for the first time.
Otherwise, make a photocopy of your card and cut it down to wallet size.
Then take a black marker and cover the last four digits of your SSN and carry that instead in case of an emergency.
You can also check your Medicare claims online or by calling 800-633-4227.

Dangerous teddy bears? FBI issues privacy warning for high-tech ‘smart’ toys

TAMPA, Fla. – That high-tech teddy bear talking to your kids?
You will want to keep a close eye on the cuddly critter.
FBI agents are warning parents to make sure internet-connected toys are safe and secure – and do not lead to child identity fraud or exploitation.
Parents should do their research on toys that access Wifi or Bluetooth, especially when they put a child’s image and information into cyberspace.
“Before we put anything in her room and access it through the Cloud and WiFi, we do research on the product to make sure they have the right security in place,” says Amber Bahlke.
Amber’s young daughter Amber has a few smart toys in her room, including a CloudPets teddy that lets her “talk” to her grandfather one thousand miles away.
Earlier this year, CloudPets customers in Australia were hacked by cyber criminals who held account information and voice messages for ransom.
The FBI also recommends you:
- Know all of the toy’s features; for instance, whether it has hidden GPS or location services
- Make sure toys run on updated software; older versions are targets for security breaches
- Read all disclosures about the toy, to eliminate surprises
- Turn the toy OFF when you or your child is done playing with it; that way all microphones/cameras are shut down
For the full FBI warning, visit: www.ic3.gov/media/2017/170717.aspx.

Lawmakers Hold Hearing On Bathroom Privacy Bills Friday

AUSTIN (CBSDFW.COM) – Hundreds of people are expected to testify Friday morning at the Texas Capitol during a hearing about two newly proposed bathroom privacy bills.
“I’m angry about the legislation.” On Thursday, he packed his bags for the drive down to Austin.
“I’m happy to go down to testify for my basic human rights, but I don’t think I should have to do that in the first place.” If SB 3 or SB 91 is approved, people would have to use the multi-occupancy bathrooms and locker rooms in local government buildings and public schools that match their birth gender.
Cathie Adams, a grandmother and national board member of the conservative group, Eagle Forum praises the legislation.
“The grassroots are very enlivened and want this bill finished, passed.”
Adams and other supporters say this isn’t about transgender people, but about keeping sexual predators out of women’s and girls’ bathrooms and locker-rooms.
“If a pervert were to go into a restroom, it wouldn’t matter about gender identity. People would be able to tell that there’s a difference between trans people and perverts.”
Adams disagrees, “There are others who are dressing as transgender, even if they’re not, and they are predators, and so this is just part of a law that has got to distinguish right from wrong.”
Other proposed bathroom privacy bills, HB 46 and HB 50, proposed by Rep. Ron Simmons, R-Carrollton, would also negate all local ordinances and written school district policies relating to multi-occupancy bathrooms and locker rooms.
A similar bill has been filed in the Senate, SB 23, but a hearing isn’t scheduled on this legislation.
Adams though says, “I think the schools are trying to push the envelope.”
Pettigrew says he’s been allowed to use the men’s room at his Garland high school without hearing any complaints.
Straus, moderate Republicans and Democrats say they don’t like the bathroom privacy bills because they’ll hurt Texas’ reputation as a pro-business state that welcomes everyone.

How to write an information security architect job description

Any good job description will spell out the role’s duties and priorities.
The job description might also provide the role’s requirements, which could include certifications, skills, experience and education.
The duties include:
- Design, build and implement enterprise-class security systems for a production environment
- Align standards, frameworks and security with overall business and technology strategy
- Identify and communicate current and emerging security threats
- Design security architecture elements to mitigate threats as they emerge
- Create solutions that balance business requirements with information and cyber security requirements
- Identify security design gaps in existing and proposed architectures and recommend changes or enhancements
- Use current programming languages and technologies to write code, complete programming and perform testing and debugging of applications
- Train users in implementation or conversion of systems

Skills and competencies
This section outlines the technical and general skills required, as well as any certificates or degrees that a company might expect an information security architect to have.
Key technical skills include five or more years’ experience in:
- Security architecture, demonstrating solutions delivery, principles and emerging technologies
- Designing and implementing security solutions. This includes continuous monitoring and making improvements to those solutions, working with an information security team.
“Typically at least CISSP is required,” he says, “but if your background clearly shows a significant amount of experience in building security solutions – as mine did – you may be able to make a compelling case with experience and education alone.”

Industry-specific requirements
Certain industries might have unique requirements that need to be addressed in the information security architect job description.
That is especially true in healthcare, which requires in-depth knowledge of Electronic Health Records (EHR) systems and protecting patient information in compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Axel Wirth, healthcare solutions architect at Symantec, says the “complexity of the ecosystem” means a security architect needs a very broad range of skills.
He says in healthcare, the mission is important as well.

On voter privacy, we’ve taken one step forward and two steps back

The recent controversy over a White House commission request for voter data shows many state officials support protecting the privacy of this information.
However, too many states also favor new ways to violate the privacy of supporters of charities, advocacy groups, and trade associations by requiring these groups to reveal information about the names, home addresses, employers, and donation amounts of their members.
These officials support individual privacy in the act of voting, just not when citizens come together to speak about voting.
The information requested?
Just the names, home addresses, birthdates, political party affiliations, and voting history of Americans since 2006.
So far, two lawsuits have been filed, and the Electronic Privacy Information Center requested that a U.S. district judge block the commission’s request.
In New Mexico, Secretary of State Toulouse Oliver has proposed a new rule invading the privacy of supporters of groups, including charities.
She wants to publicly reveal the names and home addresses of supporters of such groups for merely mentioning candidates or even publishing nonpartisan information.
Further, this right does not go away the moment we step out of the voting booth.
Americans should not fear associating with groups of like-minded citizens to voice their opinions.

Cybercriminals can take a class on stealing credit cards

Security firm Digital Shadows discovered the cybercrime class taught by five instructors and sold on a deep web forum.
The class was revealed in research published Wednesday investigating credit card fraud and a criminal activity called “carding,” or stealing and using payment card data.
Digital Shadows estimates $24 billion will be lost to credit card fraud next year.
Criminals can also take emails and passwords leaked from other data breaches, and test them on banking websites.
According to Digital Shadows, the course recommends visiting one of six different sites to get credit card data.
On two of those forums, more than 1.2 million card numbers were advertised for sale — nearly half of them in the U.S.
CNN Tech is not publishing the names of the sites on the deep web where criminals can buy credit cards.
Barbosa helped prosecute Roman Valerevich Seleznev, one of the world’s most notorious carders.
Seleznev stole millions of credit card numbers and sold them to other criminals.
Seleznev trained fraudsters on how to use stolen credit cards to increase demand for the product he stole.
His training, though more rudimentary than the lectures discovered by Digital Shadows, helped boost his own business.

CSO mobile phone plan ‘surveillance at its worst’ – privacy expert

Former Ontario privacy commissioner would not want her data accessed this way.
A project by the Central Statistics Office proposing to track tourists and Irish residents travelling abroad using mobile phone roaming data has been described as “surveillance at its worst” by a world-renowned privacy expert.
The CSO has been in a stand-off with the Data Protection Commissioner for almost nine years on the legality of the proposal, but said last week it had found an “innovative technical solution” to anonymise the phone records.
The commissioner’s office has described the project as “disproportionate” and “extraordinary”.
“They don’t seem to realise that both direct and indirect identifiers may be used to track the activities of individuals, in this case via their cell phones, which can then be linked to personal identifiers, creating a detailed picture of one’s activities and whereabouts,” Dr Cavoukian told The Irish Times by email.
“Privacy is all about control: personal control over the uses of one’s data, and I certainly wouldn’t want my cell phone accessed in this manner if I was visiting Ireland.
“None of this is free for the telcos, who are all operating in financially constrained markets.
So either the State pays for it and indemnifies the telco or the customer pays for it,” Mr O’Brien said.
Confidentiality of communications was a fundamental element of EU law, he added.
“There’s nothing inherently wrong with doing any of this stuff if it’s done the right way, but this is not the right way.

5 lessons small business should learn from recent cyber attacks

1. Attacks are random and unpredictable
Cyber-attacks cannot really be predicted, unless we are talking about very specific targets which constantly come under fire.
When attacks are this random, they should always be expected.
If you are a small business, you also have the responsibility of protecting your users.
Perhaps the most common mistake by small businesses in regards to cyber security is that they assume they will not be attacked.
In fact, plenty of hackers specifically target small businesses exactly because they are small.
Of course, all of these can be expensive processes, so you will need to balance your budget against potential threats.
Some of the computers infected with WannaCry were still running Windows XP, for example, despite the fact that extended support for the OS ended more than three years ago.
Even those who were running newer operating systems such as Windows 7 had neglected security for one reason or the other, resulting in unpatched systems which were obviously vulnerable to the cyber-attack.
In fact, you may even be held responsible if information is leaked.

Hole in the Cloud Service Bucket: Dow Jones Data Exposed

But many organizations inadvertently misconfigure their buckets to allow “public” or semi-public access, which can result in data being exposed.
On Sunday, Dow Jones said that about 2.2 million customers’ details were exposed due to an Amazon S3 bucket misconfiguration. “We were made aware that certain Dow Jones/WSJ subscriber and Risk & Compliance content was over-exposed on Amazon Cloud (not the open internet),” a Dow Jones spokeswoman tells Information Security Media Group.
Amazon says that by default, however, data stored using AWS is only accessible to the account holder.
Verizon, Others Also Cite User Error
Vickery continues to discover firms that have failed to lock down their buckets by using tools developed by UpGuard that are designed to guess internet addresses of exposed data.
Last week, Verizon blamed user error for a misconfiguration problem that resulted in a public-facing bucket exposing data for between 6 million and 14 million Verizon customers.
In April, discount brokerage firm Scottrade blamed the AWS S3 bucket exposure of 20,000 customers’ details on user error.
In a statement, Scottrade said that one of its third-party vendors, Genpact, “uploaded a data set to one of its cloud servers that did not have all security protocols in place,” thus leaving it exposed.
Long-Standing Problem
Back in 2013, researchers at security firm Rapid7 reviewed 12,328 Amazon S3 buckets and found that 1,951 of them – 15 percent – were publicly accessible.
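The misconfiguration the article describes is a bucket policy or ACL that grants access to everyone rather than to the account holder. The Python below is an added example, not code from the article, from Dow Jones or from UpGuard: it audits a bucket policy and a bucket ACL (in the JSON shapes the S3 API returns for get_bucket_policy and get_bucket_acl) for public grants, with a weak configuration beside a corrected one. The bucket names, the policies, the ACLs and the account id are constructed sample data.

```python
import json

# Canned-group URIs that make an ACL grant public. AllUsers is anyone on the
# internet; AuthenticatedUsers is anyone with any AWS account, which is
# effectively public as well.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def principal_is_public(principal):
    """True when a policy statement's Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return (Sid, has_condition) for every Allow statement that grants to everyone.

    A Condition block can narrow such a statement (for example to one VPC
    endpoint), so the flag tells the reviewer to read the condition by hand.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
            findings.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return findings


def public_acl_grants(acl):
    """Return (permission, group URI) for each ACL grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grant["Permission"], grantee["URI"]))
    return found


def audit_bucket(name, policy, acl):
    """Combine both checks into one report; 'public' is the headline answer."""
    stmts = public_policy_statements(policy)
    grants = public_acl_grants(acl)
    return {
        "bucket": name,
        "public_policy_statements": stmts,
        "public_acl_grants": grants,
        "public": bool(stmts or grants),
    }


# --- constructed sample data; no real bucket, policy or account is referenced ---
# Weak: the policy lets any principal read objects and the ACL grants READ to AllUsers.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-weak-bucket/*"}]
}""")
WEAK_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Corrected: the policy names one role in a placeholder account and the ACL
# grants nothing beyond the owner, which is the S3 default the article cites.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "ReportReaderOnly", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReportReader"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-fixed-bucket/*"}]
}""")
FIXED_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for name, policy, acl in (("example-weak-bucket", WEAK_POLICY, WEAK_ACL),
                              ("example-fixed-bucket", FIXED_POLICY, FIXED_ACL)):
        print(json.dumps(audit_bucket(name, policy, acl), indent=2))
```

The script reports the weak bucket as public on both the policy and the ACL and the corrected bucket as private. On a live account the same functions can be fed the output of the S3 get_bucket_policy and get_bucket_acl calls; the account-level S3 Block Public Access setting is the complementary guard that prevents such grants from taking effect in the first place.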

Bank Heists Possible Due To Flawed Code

The most common vulnerabilities relate to flaws in mechanisms for identification, authentication, and authorization of users with two in three remote banking applications vulnerable to brute force attacks.
Applications developed by third party vendors had on average twice as many vulnerabilities as applications developed in-house.
33% of online banking applications had vulnerabilities that made it possible to steal money, and in 27% of applications, an attacker could access sensitive client information.
Mobile banking applications also have issues: in one in three apps, an attacker could intercept or brute force user credentials.
Two thirds of the vulnerabilities found within automated banking systems were critical, some even allowing administrative server access.
With this level of access, an attacker could conduct fraudulent transactions yet remain unnoticed.
The possibilities for such fraudulent transactions are practically limitless: attackers could create new accounts, change their balance, or create counterfeit payment transfers to other institutions.
Vulnerabilities in source code can be avoided at the development stage.
Positive Technologies is a leading provider of vulnerability assessment, compliance management and threat analysis solutions to more than 1,000 global enterprise clients.
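The credential brute forcing the study reports succeeds when a login endpoint accepts unlimited guesses and compares passwords in a way that leaks timing. The Python below is an added example, not code from Positive Technologies or from any banking application: a server-side login handler that hashes passwords with PBKDF2, compares digests in constant time, counts failures per account over a sliding window and locks the account once a threshold is reached. The in-memory user store, the thresholds and the injected clock are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_FAILURES = 5            # failures tolerated inside the window before lockout
WINDOW_SECONDS = 15 * 60    # sliding window over which failures are counted
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked afterwards
PBKDF2_ROUNDS = 100_000     # constructed value; tune to the deployment's CPU budget


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginThrottle:
    """Per-account failure counting with lockout; 'now' is injected for testability."""

    def __init__(self, users):
        self._users = users                    # {username: (salt, digest)} constructed store
        self._failures = defaultdict(deque)    # username -> timestamps of recent failures
        self._locked_until = {}                # username -> time the lockout ends
        # A dummy credential so an unknown username costs the same hashing work as a
        # known one, which stops username enumeration through response timing.
        self._dummy = hash_password("dummy-credential")

    def _prune(self, user, now):
        queue = self._failures[user]
        while queue and now - queue[0] > WINDOW_SECONDS:
            queue.popleft()

    def attempt_login(self, user, password, now):
        """Return 'ok', 'invalid' or 'locked'. The client never learns which part failed."""
        if self._locked_until.get(user, 0) > now:
            return "locked"
        salt, digest = self._users.get(user, self._dummy)
        _, candidate = hash_password(password, salt)
        # compare_digest runs in time independent of where the digests differ.
        if user in self._users and hmac.compare_digest(candidate, digest):
            self._failures[user].clear()
            return "ok"
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user].clear()
            return "locked"
        return "invalid"


if __name__ == "__main__":
    # Constructed demo: one account, five wrong guesses, then the lockout expires.
    throttle = LoginThrottle({"alice": hash_password("correct horse battery staple")})
    for t in range(5):
        print(t, throttle.attempt_login("alice", "guess%d" % t, now=t))
    print("after lockout:", throttle.attempt_login("alice", "correct horse battery staple",
                                                   now=5 + LOCKOUT_SECONDS))
```

Locking on the account alone lets an attacker who knows a username lock its owner out, so a production deployment pairs this with a per-source rate limit and alerting on lockout spikes, which is also the detection signal for a distributed guessing campaign.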