Protect your Tax Filings and Bank Accounts

April 13, 2011

Money is on everyone’s mind as taxes are calculated and finances sorted, so take a few simple steps to ensure that your tax filings and bank accounts are well protected. In addition, parents can learn about cyberbullying and how they can help protect kids.

Parents

Discuss bullying with your kids to assist them in possibly helping themselves or others who are being bullied. (In the United States, for example, cyberbullying affects about a third of youth online.)

Key concepts to discuss are:

  • It is always wrong to bully. No matter what someone has done, they do not deserve to be bullied.
  • The only person at fault for bullying is the bully. It is NEVER the victim’s fault.
  • If you cannot stop the bullying right away, get help. People who get help are showing themselves and others that they deserve to be treated better.
  • Work with your child’s school if the bully is a schoolmate. Students can report bullying to school officials and teachers to get help.
  • Is your child a bully? Data show that kids who bully are more likely to be arrested for crimes, become abusers as adults, and are at an increased risk of suicide.

Tip: Learn more about how to protect kids from cyberbullying and what to do if they are bullied online.

 

Everyone

Tax time brings a resurgence in scams. You may see scams offering “tax consulting,” links to websites offering “new deductions,” tools that will “calculate your taxes,” or requests from the “IRS” for your bank routing information. Don’t fall victim to these.

Tip: Review the 14 Steps to Avoiding Scams to learn the warning signs, and read 6 Steps to Staying Safer this Tax Season.

How secure is your online banking experience? Ask yourself three questions:

  • Is my computer as secure as possible? You must have up-to-date security software, which includes antivirus and antispyware protection. Not sure? Secure your computers with anti-virus, anti-spyware, and tools. Keep them current and use them unfailingly, as automatically as locking your door when you leave the house. A computer that does not have security software installed and up-to-date will become infected with malicious software in an average of four minutes. That malicious software will steal your information and put you at risk for crimes. If the cost of security software is prohibitive, there are several excellent free services to choose from. Learn more about free choices in Are You a Malware Magnet? 4 simple steps can make all the difference.
  • Is my connection as secure as possible? Follow the tips below to help keep cybercriminals from breaking into your computer (especially through your wireless network and router).
    • Make sure the firewall is on.
    • If you use a wireless network, you will probably need to turn on encryption because most routers are shipped with it off.
    • Secure your wireless network at home by changing the router’s default network name and password. Find out how from the company that provides your router.
    • Avoid paying bills, banking, shopping, or doing other sensitive business on a public computer, or on any device (such as a laptop or cell phone) over a public wireless network, even a network “borrowed” from a neighbor. The security is unreliable.
  • Am I using strong passwords? See Safe passwords don’t have to be hard to create; just hard to guess if you aren’t sure. (One thing to keep in mind about your passwords: no financial institution or the IRS will send you an email message asking for your PIN or password. Ever!)

Small Businesses Don’t Think They are Cybercrime Targets – That Puts YOU at Risk

December 2, 2010

85% of small business owners believe their companies are less of a target for cybercrime than large companies, according to a new survey released by the National Cyber Security Alliance (NCSA) and Visa, Inc.

Because of this perceived sense of lower risk, nearly 50% of all small business owners believe the high cost in time and money to fully secure their business is not justified by the threat.

This misplaced view of risk means that though 65% of small businesses store customer data, including 43% that store financial records and 33% that store credit card information:

 

  • 47% of small business owners have provided no network or mobile device security training whatsoever in the past year (75% have provided less than 3 hours of training for employees)
  • Only 36% have run a criminal background check on employees that handle payment data.
  • Only 43% have a plan in place to respond to the loss of customer data, such as credit or debit card information or personal identifying data.
  • Only 41% have a corporate policy preventing employees from connecting company devices to unsecured wireless networks.
  • Only 36% of small businesses say they are compliant with the Payment Card Industry Data Security Standard – in spite of the fact that compliance is required of all businesses that accept payment cards.
  • Only 21% say the payment application they use has been validated against the Payment Card Industry Data Security Standard.

What this means to you

Cybercriminals look for the easiest targets, and that is no longer the big companies with millions of records, as these companies have had to step up their security measures. According to security experts and law enforcement groups, the new targets that hackers and cyber criminals are homing in on are small businesses. The report notes that just last month, Ukraine authorities arrested five individuals who allegedly stole $70 million from U.S. bank accounts in an elaborate scheme targeted at U.S. small and medium-sized businesses.

“The greatest threat to a company’s cybersecurity is complacency,” said Michael Kaiser, executive director of the NCSA.  “We encourage small business owners to take the necessary precautions to protect their customers, employees and their businesses.”

Your safety and privacy are directly impacted by the security measures – or lack of security measures – taken by the companies with whom you do business.  If these companies fail to have up-to-date security and privacy measures in place it only takes moments for all their consumers – you – to be placed in harm’s way and in many instances you won’t even be notified of the breach.

As you go about your interactions with companies and services of any size, ask or look to find a notice of what security measures are in place, what precautions they’ve taken to screen their employees, and the steps they take to protect your privacy.

In today’s world, you simply can’t assume your information is being treated with the care it is due.

Linda


‘Tis the Season – 10 Steps to Safer Holiday Shopping Online

November 6, 2010

In this tough economy, online bargain hunting is fast becoming a national sport. But getting a great deal online involves more than just getting the lowest price.

You want to be sure that products arrive on time, that quality is what you expected, that items include a proper warranty, and that there is a way for you to return products or get support with any questions or issues you have.

Apply these 10 Tips for Safer Shopping to improve your shopping experience:

  1. Secure your computing environment. If your computer isn’t protected from viruses and other malware, your financial information and passwords will be stolen as you make purchases (as will everything else you store on your computer or do online). This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, there are several free services. Use a secure connection – make sure your computer’s firewall is on. If you use a wireless network it needs to be encrypted so someone who is lurking outside the house can’t collect your information.
  2. Trust is Key. Know the Merchant – or Their Reputation
    1. If you already know the retail chain, shopping their online store is very safe. If there’s a problem you can always walk into the local store for help.
    2. If you know others who have had consistently positive experiences with the online store, you can be reassured of the site’s quality.
    3. If you don’t know the store, it may still be the best bet; you just need to take a few more precautions. Conduct your own background check by looking at sites dedicated to reviewing e-stores (for example, Epinions, BizRate, Better Business Bureau). Another Web site to consider is The National Fraud Information Center, which watches out for shady Internet dealings and offers consumer tips on its Web site. If the store isn’t listed as a legitimate site by one of these sources, move on.
  3. Check to see if the merchant offers coupons or discount codes. You can save a significant amount on your purchases by applying a coupon or discount code to your order, and a few simple steps will keep you safe when doing so. Click here to learn how.
  4. Is the Offer ‘Too-Good-to-be-True’? Avoid buying from any e-store that promises too much at too low a price. If the price is low, you have to consider whether the merchant came by the items legally, whether you will ever receive the items, whether the items will work, if you will be able to return damaged goods, or if the merchant is also generating revenue by selling your financial information. Disreputable stores frequently run an absurdly low price offer and then, claiming the item is out of stock, try to sell you something else; this is a classic “bait and switch” technique.
  5. Giving a Gift Card? Be wary of Bankruptcies – this warning is particularly important this year as many stores are struggling or already know they’ll be shutting their doors. Make sure gift cards will be redeemable if the store is facing bankruptcy.
  6. Does the Merchant Collect More Information than is Necessary to Complete the Sale? You will need to provide some method of payment, address, and telephone number. If a merchant requests your bank account information, social security information, or driver’s license number, NEVER provide it. Some reputable companies ask additional questions about your interests. These should always be optional and you should be cautious about providing responses. Remember, your information is a commodity and you should feel you are getting appropriate value – and control – before providing your information. Does the merchant resell, rent, or share your information? Check the site’s privacy policy to understand how exposed your information may become. Many stores clearly state that they do not share, sell or rent consumers’ information – others say they own your info and can use it (or abuse it) however they choose. Stick to the companies that respect your privacy.
  7. Need a Password? – Make it Unique. Many sites ask you to create a password when you’re making a purchase. Use a strong password on any site you provide financial information, and remember, passwords don’t have to be hard to remember, just hard to guess. Click here to learn how.
  8. Make Sure the Site is Secure – Before Entering Any Personal or Credit Card Info
    1. Look to see if the web address on the page begins with “https:”, not “http:”. You should also see a small padlock symbol at the bottom of your screen.
    2. Never pay through email. Security protections do not work in e-mail applications, so only make payment online through a secure site.
  9. Use Your Credit Card – not a Debit Card, Check, Cashiers Check, Wire Transfer, Money order – or use a well-respected payment service like PayPal.
    1. Credit card purchases limit your liability to no more than $50 of unauthorized charges if your financial information is stolen, and the money in your bank account is untouched. Most debit cards do not offer this protection – and even when they do, you’re the one out of funds in the meantime.
    2. Consider creating a dedicated e-mail account for online shopping and transactions, and using one credit card exclusively for online purchasing and transactions. If that card gets compromised, you can quickly shut it down.
  10. Review the company’s shipping methods. Always check a merchant’s shipping rates; some hide exorbitant shipping fees that can turn a bargain into a burden. Look to see if they provide tracking and insurance. Understand what carriers they use, and be particularly wary if the item won’t be shipped within 10 days.

Let the online shopping begin…

Linda


Google’s WiFi Data Collection Larger than Previously Known

November 1, 2010

Google violated Canadian law when it collected personal information from unsecured WiFi networks while photographing buildings and homes as part of its Street View mapping service.  “Our investigation shows that Google did capture personal information — and, in some cases, highly sensitive personal information such as complete e-mails. This incident was a serious violation of Canadians’ privacy rights” said Canadian Privacy Commissioner Jennifer Stoddart in comments last week.

This story began to unfold last May when Google admitted they had “collected only fragments of payload data” from unencrypted wireless networks. That news prompted a flurry of inquiries from privacy officials across the globe, and external regulators have inspected the data as part of their investigations, at which point whole e-mails, URLs, and passwords were discovered.

According to Alan Eustace, senior vice president of engineering and research at Google, while most of the data collection was “fragmentary, in some instances entire e-mails and URLs were captured, as well as passwords,” adding the company is “mortified” by what happened and wants “to delete this data as soon as possible.”

Commissioner Stoddart asked Google to do four things before she would consider the matter closed: instigate a governance model to ensure that privacy is protected when new products are launched; enhance privacy compliance training among all employees; designate an individual responsible for privacy issues; and delete the Canadian data.

In response to concern, Eustace announced that Google has put several changes in place since discovering the problem.

  1. They have appointed Alma Whitten to serve as Google’s director of privacy across privacy and engineering. “Her focus will be to ensure that we build effective privacy controls into our products and internal practices. Alma is an internationally recognized expert in the computer science field of privacy and security. She has been our engineering lead on privacy for the last two years, and we will significantly increase the number of engineers and product managers working with her in this new role.”
  2. Second, Google will enhance its core privacy training for engineers and other groups, like product management and their legal department, “with a particular focus on the responsible collection, use and handling of data.” Starting in December, all employees will also be required to undertake a new information security awareness program, which will include clear guidance on both security and privacy.
  3. Finally, Google said it will improve its existing review system. Going forward, “every engineering project leader will be required to maintain a privacy design document for each initiative they are working on” that will detail how user information is handled, and this document will be reviewed regularly by managers and an independent audit team.

“We believe these changes will significantly improve our internal practices, and we look forward to seeing the innovative new security and privacy features that Alma and her team develop,” Eustace concluded.

The furor is directed at an add-on project being run by Google Street View cars. In addition to taking photos for the Street View project – which itself has come under heavy international criticism for violating consumers’ privacy – the cars were collecting information on wireless networks, including their MAC addresses, to use in building a database of them in the future.

According to Google, an engineer’s experimental code was inadvertently included in the software used to gather the data. “He [the engineer] thought it might be useful to Google in the future and that this type of collection would be appropriate.” That resulted in the gathering of “payload data” from personal unsecured wireless networks that included complete e-mails, e-mail addresses, user names and passwords, names and residential telephone numbers and addresses, health details, and other personal information.

Excerpts from the Commissioner’s Report: (Underlines added)

The engineer involved included lines to the code that allowed for the collection of payload data. He thought it might be useful to Google in the future and that this type of collection would be appropriate.

This code was later used by Google when it decided to launch a particular location-based service. The service relies on a variety of signals (such as GPS, the location of cell towers and the location of WiFi access points) to provide the user with a location. Google installed antennas and appropriate software (including Kismet, an open-source application) on its Google Street View cars in order to collect publicly broadcast WiFi radio signals within the range of the cars while they travelled through an area. These signals are then processed to identify the WiFi networks (using their MAC address) and to map their approximate location (using the GPS co-ordinates of the car when the signal was received). This information on the identity of WiFi networks and their approximate location then populates the Google location-based services database.

Google’s future plans for its location-based services

Google still intends to offer location-based services, but does not intend to resume collection of WiFi data through its Street View cars. Collection is discontinued and Google has no plans to resume it.

Google does not intend to contract out to a third party the collection of WiFi data.

Google intends to rely on its users’ handsets to collect the information on the location of WiFi networks that it needs for its location-based services database.  The improvements in smart-phone technology in the past few years have allowed Google to obtain the data it needs for this purpose from the handsets themselves.

Although it has no tracking tool to keep records of a customer’s locations (and does not intend to create one), Google acknowledges that it does need to examine the potential privacy concerns of this method of collection.

Stoddart gave Google until Feb. 1, 2011 to comply with those requirements, but resolving Canada’s concerns may just be the tip of the iceberg. Investigations are still underway by privacy commissioners worldwide, and Spain’s Data Protection Agency has just announced plans to fine Google between $84,000 and $840,000 per offense due to the Wi-Fi data Google collected with its Street View cars. In the U.S. there are at least 3 lawsuits seeking class action status for the stealth collection of personal information from home networks.

Why this matters to you

If you have – or had – a wireless network that was not password protected, information from your computer(s) may have been collected.  Google has committed to destroying all the information, but it’s a serious breach of your privacy that information was collected without your knowledge or permission in the first place.

You may also feel that the collection and public display of images of your home is a breach of your privacy. If you want these removed see my blog How to Remove Images of Your Home from Google’s Street View. NOTE: you will have to check back periodically to be sure that any images you requested be deleted remain deleted, as I have found these can reappear.

You should also be concerned about Google’s future plans to collect information about WiFi networks from your Smartphone(s). How this is done is going to be critical to your safety and privacy. In the report Google acknowledges that it does need to examine the potential privacy concerns of this method of collection.  It remains to be seen what the outcome of that examination will entail, and whether they inform users in advance and allow you to opt out if this is not something you want collected from your phone.

Linda


Consumers Doubt Private Enterprise Can Reduce Cyber Crime

October 8, 2010

Almost 40% of business professionals polled by Deloitte during a recent cyber crime prevention webcast were “not confident” that private enterprises have sufficient controls in place to minimize the occurrence of cyber crime.

In fact, the poll showed a fairly even split among respondents regarding their belief that their organization was likely to experience an electronic security breach in the next 12 months. According to the results, 41.7% believed it was “likely” or “extremely likely” that an electronic security breach would occur in this time frame, while 38.4% indicated it was “unlikely” or “extremely unlikely.”

“Based on the results of this poll, it appears that many organizations are leaving themselves vulnerable to cyber crime because there might be a false sense of security, or perhaps even complacency,” said John Kula, director in the forensic & dispute services practice of Deloitte Financial Advisory Services LLP. “Many organizations are failing to recognize the prevalence of cyber crimes in their IT environments and consequently could be misallocating limited resources to lesser threats.”

As sobering as these views are, they appear to be quite accurate.

In a study by Verizon and the Secret Service released in August, investigative experts found, as they did in the company’s prior data breach reports, that most breaches were avoidable if security basics had been followed. Only 4% of breaches assessed required difficult and expensive protective measures.

The 2010 report concluded that being prepared remains the best defense against security breaches. For the most part, organizations still remain sluggish in detecting and responding to incidents. Most breaches (60 percent) continue to be discovered by external parties and then only after a considerable amount of time. And while most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes.

“Cyber crime innovation and techniques have outpaced traditional security models. That’s what makes it so important to gather intelligence data internally and externally to understand the threats, and then to act on that intelligence”, said John Clark, partner in the security & privacy services practice of Deloitte & Touche LLP. “If companies don’t have the tools in place to be informed and to prevent breaches, it could lead to significant risks, potentially leading to financial losses, regulatory issues, and a loss of client and public confidence.”

Where legislation can help

Consumers have little influence on whether companies step up to basic security precautions, so in spite of my reluctance to suggest legislative solutions, this may be one area that could benefit by new regulations. These regulations need to hold companies clearly accountable to better protect the consumers they serve by strengthening their technical security, implementing training and procedures to reduce the risk of breaches, effectively testing their systems for potential risks in an ongoing manner, and swiftly reporting breaches that do occur. Legislation could also provide a watchdog service that identified for consumers how various companies and services ranked to facilitate informed consumer decision making.

As consumers, we need to remove our business – and our information – from sites with poor safety, privacy and security track records and shift to companies that maintain appropriate security hygiene.

Cyber Security isn’t just a Corporate issue

Every consumer has a role to play in their own cyber security, and in the cyber security of the larger internet ecosystem. Every time a user fails to install adequate security software, or fails to update that software, they invite criminals to use their machine. They may use your computer to harm you, and/or they may use your computer as part of a botnet to spam others, spread malware, crash servers through denial of service attacks, or steal your contacts lists to help socially engineer scams against others.

To do your part as a digital citizen, it is essential that you ensure your computers and internet connections are secure with proactive protection software that automatically updates; that you use strong, unique passwords and you keep them private; and that you learn to avoid socially engineered exploits. It also means that every family member and/or anyone else who uses your computer(s) follow the same security rigor.

  1. Secure your computer. If your computer isn’t protected from Trojans, viruses and other malware your financial information and passwords and identity will be stolen. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, there are several free services.
  2. Secure your Internet connection – make sure your computer’s firewall is on. If you use a wireless network it needs to be encrypted so someone who is lurking outside the house can’t collect your information. If you need a free firewall, click here.
  3. Use strong passwords. A weak password is all it takes for someone to steal it. If you use the same password on multiple sites (or everywhere) you are asking for real trouble. Passwords do not have to be hard to remember, just hard to guess.
  4. When searching, do NOT assume sponsored sites are safe. Because I use McAfee Site Advisor (it’s free), I see a warning notifying me of the risk. Without a tool like this, you have no way of judging if the site is legitimate or going to give you malware, spam, etc… Other companies offer similar services; pick one and use it!
  5. Trust is Key. Know the Site. Know the User. Know the Company. Misplaced trust will land you in a world of trouble.
    1. You can no longer assume that links within trusted sites are safe. IBM’s research highlights the increase in malicious content placed on trusted sites.
    2. Be cautious and stay in the driver’s seat. Instead of clicking on a link, copy the URL into a search engine query and look at the results. Does the site have a positive safety rating? Don’t be pulled by links that may or may not take you where you want to go. This is particularly true with ‘shortened’ or ‘mini’ links used on sites like Twitter. If you do not have 100% confidence that the link is going to take you to a legitimate site, look up the material yourself.

There is a battle being waged for control online. Criminals want the status quo; we need to drive for change.

Linda


One in Five Americans Think Internet Less Safe than A Year Ago

October 6, 2010

Just 5.1% feel the Internet is safer today than it was a year ago. 68% feel it’s about the same, while 21.2% think it’s less safe. Half of Americans say they are most concerned about identity theft of all the possible things that could happen to them online, according to the newly released 2010 Online Safety Study by the National Cyber Security Alliance and Symantec.

Computers lack security protections

The study also found that only 24% of Americans feel very safe and 61% feel somewhat safe that their home computers are protected. Unfortunately, while Americans may feel protected on their home computers, they are experiencing a false sense of security.

Comprehensive protection means you have antivirus, firewall, antispyware, spam filter, anti-phishing, and identity protection tools in place and up-to-date.

In a consistently concerning trend, 58% of study respondents said they had a complete security software suite – but when their computers were actually scanned for security software, only 37% were fully protected.

This means 63% of home computers are unprotected, or under-protected, from malware, and these computers are unquestionably infected with malware.

In response to the survey question, Do you believe your computer is currently infected with a malicious program? 85% said no. That’s a lot of naïveté about what’s really going on with their computer and information.

The table to the right shows just how much information these unprotected users have already had compromised – and yet they wonder how their identity is stolen and their personal information exposed.

Half of Americans now have two-to-three computers at home, with 74% owning a laptop or netbook according to the study findings.  All told, 31% said their laptop or netbook is their primary computer.  Nearly 17% of respondents can connect to the Internet via their TV, and 24% connect via a gaming device.

Unprotected WiFi Use

This increased number of internet access points exposes new security, safety and privacy risks. Wireless networks have reached high levels of adoption, with 70% of respondents saying they have a wireless router at home, but 43% admitted they have logged onto a wireless network without entering a password – a number that increases to 66% for 18 to 29 year olds. (See my blogs Starbucks Launches Digital Network – 6 Steps to Safer WiFi Use, Like Lambs to the Slaughter? Firesheep Lets Anyone be a WiFi Hacker and Google’s WiFi Data Collection Larger than Previously Known for more information about the risks with unprotected wireless networks.)

“Computer users can run into online threats regardless of where they might be connected and what device they’re using,” said Marian Merritt, Norton Internet Safety Advocate.  “However, on a Wi-Fi network, there are other risks consumers can run into, like ‘evil twin’ networks that trick people into connecting to unknown networks, giving cybercriminals access to their computer and its contents.  Consumers should ensure they’re connecting to a legitimate network, using the access keys or portal given to them by the Wi-Fi provider.”

Mobile Use

Particularly sobering are the study’s mobile use findings, which show that users aren’t taking steps to protect themselves or their data. Only 22.2% back up personal data stored on their phones despite using them to keep private information such as personal contacts, calendars and e-mail.

Surprisingly, more than 64% said they always or sometimes read an application developer’s privacy policy before downloading an app on their phones. Yet, only 5.7% believe they store passwords or account numbers in their apps.

Driving home the message that you must protect your internet connected devices

Unlike your toaster, the internet is not a plug-it-in-and-go experience.

  • It requires installing, or turning on, security software on your devices – and then setting the software to auto-update so it keeps your safety level current.
  • It requires creating strong passwords to log-in to the computer.
  • It requires ensuring any WiFi connection is password protected.
  • It requires changing passwords periodically.
  • It requires getting educated on how to avoid scams, spam, and protect your privacy.

It also requires that you step up to your civic duty of protecting others. An infected device is the digital equivalent of Typhoid Mary – you may not intend to send infected documents, or be part of a botnet spewing spam and scams, contributing to denial of service attacks, or spreading viruses, but if you haven’t taken security precautions to keep your devices clean, you are part of the problem.

The full study can be found here.

Linda


New Proposals for Defending the Internet

October 5, 2010

Countries, companies and consumers struggle to understand and manage the myriad of cyber threats that have been launched against us for the last twenty years. Unfortunately, we’re largely on the losing side of this struggle as determined criminals focus their full efforts on finding new methods to attack internet systems, services, and the individuals who use them.

Today, Scott Charney, Corporate Vice President, Trustworthy Computing, at Microsoft posted a blog titled The Need for Global Collective Defense on the Internet with his thoughts and links to white papers he’s written on the subject.

Written in layman’s terms, his thoughtful approach is a short but important read for everyone who wants to understand the issues, complexities, and potential approaches to reducing cyber threats.

Excerpts from Scott Charney’s blog post:

“….Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to deterring such attacks in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns.

Notwithstanding this emerging discussion, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat and that, from a policy and tactical perspective, there is considerable paralysis…

…one possible approach to addressing botnets and other malware impacting consumer machines… involves implementing a global collective defense of Internet health much like what we see in place today in the world of public health. I outline my vision in a new position paper Microsoft is publishing today titled “Collective Defense: Applying Public Health Models to the Internet.”

…Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.  In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others.  Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk.  To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources.

Cyber security policy and corresponding legislation is being actively discussed in many nations around the world and there is a huge opportunity to promote this Internet health model.  As part of this discussion, it is important to focus on building a socially acceptable model. While the security benefits may be clear, it is important to achieve those benefits in a way that does not erode privacy or otherwise raise concern.

Within the current legal and political landscape, and with the current state-of-the-art in technology, there are collective defense actions we can take now and we should commit to continued cooperation, collaboration and investment to fully leverage current tools and technology.  With examples like France’s Signal Spam or Japan’s Cyber Clean Center as models, industry and governments need to build upon the successes to more systematically help improve and maintain the health of Internet connected systems and to disrupt cybercrime and other threats to individuals and society.

For its part, Microsoft looks forward to continuing to provide and promote research and development that will make system scanning and cleanup more cost effective, along with looking to solve current technical barriers. We will also advocate for legislation and policies worldwide that help advance the model, but does so in a way that advances principles supporting user control and privacy.”

The internet is too valuable a resource to allow crooks or creeps to exploit. It powers our countries, our commerce, and our communications. Supporting thoughtful efforts to increase security and safety while ensuring privacy is critical to our future, but something harder for individuals to do.

What you can do right now

In spite of serious security threats, the answer isn’t to unplug your computer and head for the hills. Instead, take a few precautions to protect yourself, your friends and family, and the nation’s infrastructure.

Make sure that your computers and internet connections are secured with proactive protection software that updates automatically, that you use strong, unique passwords and keep them private, and that you learn to avoid socially engineered exploits. Every family member and anyone else who uses your computer(s) needs to follow the same security rigor.

  1. Secure your computer. If your computer isn’t protected from Trojans, viruses, bots, and other malware, your financial information, passwords, and identity will be stolen, harming you and potentially spreading the malware to others. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, use one of the excellent free services.
  2. Secure your Internet connection – make sure your computer’s firewall is on. If you use a wireless network it needs to be encrypted so someone who is lurking outside the house can’t collect your information. If you need a free firewall, click here.
  3. Use strong passwords. A weak password is all it takes for someone to steal your information. If you use the same password on multiple sites (or everywhere) you are asking for real trouble. Safe passwords don’t have to be hard to create; just hard to guess.
  4. When searching, do NOT assume sponsored sites are safe. Because I use McAfee Site Advisor (it’s free), I see a warning notifying me of the risk. Without a tool like this, you have no way of judging if the site is legitimate or going to give you malware, spam, etc. Other companies offer similar services; pick one and use it!
  5. Trust is Key. Know the Site. Know the User. Know the Company. Misplaced trust will land you in a world of trouble.
    1. You can no longer assume that links within trusted sites are safe. IBM’s research highlights the increase in malicious content placed on trusted sites.
    2. Be cautious and stay in the driver’s seat. Instead of clicking on a link, copy the URL into a search engine query and look at the results. Does the site have a positive safety rating? Don’t be pulled by links that may or may not take you where you want to go. This is particularly true with ‘shortened’ or ‘mini’ links used on sites like Twitter. If you do not have 100% confidence that the link is going to take you to a legitimate site, look up the material yourself. Learn how to Mitigate Risks When Using Shortened URL’s.

Linda


Malware-Riddled Flash drive Created “Worst” U.S. Military Breach

September 3, 2010

A malware-laden flash drive inserted in a laptop at a U.S. military base in the Middle East in 2008 led to the “most significant breach of” the nation’s military computers ever, says William J. Lynn III, deputy secretary of defense in a newly released essay titled “Defending a New Domain: The Pentagon’s Cyberstrategy,” for the September/October issue of Foreign Affairs magazine. (you must register to read full article)

The article says the flash drive is believed to have been inserted by a “foreign intelligence agency” and the malware infiltrated the U.S. Central Command network and spread undetected on classified and unclassified systems creating a “digital beachhead, from which data could be transferred to servers under foreign control”. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” writes Lynn.

This incident is reportedly the most significant breach of U.S. military computers to date, and served as a wake-up call. In response, the Pentagon launched Operation Buckshot Yankee, marking a turning point in U.S. cyberdefense strategy.

In the article, Lynn estimates that over 100 foreign intelligence agencies are working to hack into U.S. networks and that some countries already have the ability to disrupt our communications, saying “Hackers and foreign governments are increasingly able to launch sophisticated intrusions into the networks that control critical civilian infrastructure. Computer-induced failures of U.S. power grids, transportation networks, or financial systems could cause massive physical damage and economic disruption.”

The scope of intrusions by hostile organizations and countries is staggering. Over the last ten years, the sophistication and frequency of probes into U.S. military networks have increased exponentially. U.S. military and civilian networks are scanned millions of times a day, and Lynn says files including weapons blueprints, operations plans, and surveillance data have been stolen.

Lynn highlights the threat of counterfeit computer hardware, which has been found in systems purchased by the Department of Defense, and of hardware and software that has been tampered with en route to the U.S.

“The risk of compromise in the manufacturing process is very real and is perhaps the least understood cyber threat. Tampering is almost impossible to detect and even harder to eradicate. Rogue code, including so-called logic bombs, which cause sudden malfunctions, can be inserted into software as it is being developed. As for hardware, remotely operated ‘kill switches’ and hidden ‘backdoors’ can be written into the computer chips used by the military, allowing outside actors to manipulate the systems from afar,” says Lynn.

“Cyberattacks offer a means for potential adversaries to overcome overwhelming U.S. advantages in conventional military power and to do so in ways that are instantaneous and exceedingly hard to trace. Such attacks may not cause the mass casualties of a nuclear strike, but they could paralyze U.S. society all the same,” he wrote. “In the long run, hackers’ systematic penetration of U.S. universities and businesses could rob the United States of its intellectual property and competitive edge in the global economy.”

What this means to you, and your role in protecting the country’s infrastructure

Every computer connected to the internet has the potential to impact the safety of the broader ‘net. In spite of the serious threats, the answer isn’t to unplug your computer and head for the hills. Instead, it is essential that you make sure your computers and internet connections are secured with proactive protection software that updates automatically, that you use strong, unique passwords and keep them private, and that you learn to avoid socially engineered exploits. It also means that every family member and anyone else who uses your computer(s) needs to follow the same security rigor.

  1. Secure your computer. If your computer isn’t protected from Trojans, viruses, bots, and other malware, your financial information, passwords, and identity will be stolen, harming you and potentially spreading the malware to others. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, use one of the excellent free services.
  2. Secure your Internet connection – make sure your computer’s firewall is on. If you use a wireless network it needs to be encrypted so someone who is lurking outside the house can’t collect your information. If you need a free firewall, click here.
  3. Use strong passwords. A weak password is all it takes for someone to steal your information. If you use the same password on multiple sites (or everywhere) you are asking for real trouble. Safe passwords don’t have to be hard to create; just hard to guess.
  4. When searching, do NOT assume sponsored sites are safe. Because I use McAfee Site Advisor (it’s free), I see a warning notifying me of the risk. Without a tool like this, you have no way of judging if the site is legitimate or going to give you malware, spam, etc. Other companies offer similar services; pick one and use it!
  5. Trust is Key. Know the Site. Know the User. Know the Company. Misplaced trust will land you in a world of trouble.
    1. You can no longer assume that links within trusted sites are safe. IBM’s research highlights the increase in malicious content placed on trusted sites.
    2. Be cautious and stay in the driver’s seat. Instead of clicking on a link, copy the URL into a search engine query and look at the results. Does the site have a positive safety rating? Don’t be pulled by links that may or may not take you where you want to go. This is particularly true with ‘shortened’ or ‘mini’ links used on sites like Twitter. If you do not have 100% confidence that the link is going to take you to a legitimate site, look up the material yourself. Learn how to Mitigate Risks When Using Shortened URL’s.

Linda


6 Steps to Staying Safer this Tax Season

April 3, 2010

Whether you file your taxes online or use a tax program on your computer, cybercrooks are hoping you’ll make a security or safety mistake this tax season. And they are poised to take full advantage of it if you do. Last year online scams cost Americans $559.7 million, according to the FBI’s 2009 Annual Report on Internet Crime, more than double the amount scammed in 2008.  Following a few basic precautions will significantly increase your safety.

6 Steps to Staying Safer this Tax Season:

  1. Secure your computer – if your computer is infected with malware, criminals will be stealing every piece of information you put on it.  Computer security is vital every day of the year, but especially critical before entering your most sensitive financial information.
    1. You must have anti-virus and anti-spyware software installed and up-to-date. If your computer isn’t protected from Trojans, viruses and other malware, your financial information, passwords and identity will be stolen. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, use a free service.
    2. Secure your internet connection – Make sure your computer’s firewall is on. If you use a wireless network it needs to be encrypted so someone who is lurking outside the house can’t collect your information. If you need a free firewall, click here. Never use a public WiFi service for any type of financial transaction or other type of sensitive information transfer.
    3. Use added protection on sensitive financial information with passwords, or store it on a flash drive, CD or external hard drive. For added protection all year, keep your finances inaccessible to anyone who uses (or hacks into) your computer. You can do this by password protecting individual files or folders on your computer, or choose to keep this information on a flash drive or CD that you keep in your safe or other secure location.
  2. Drive, don’t be pulled to tax websites – Chances are, the internet holds the answers to your tax questions. But safely searching for tax forms, advice on deductibles, tax preparers, etc. requires that you don’t get fooled into landing on malicious sites.  Trust is Key. Know the Site. Know the User. Know the Company.
    1. Navigate to the websites yourself by conducting your own search. Always use a tool that helps you see the safety rating of the search results. There are many website safety rating services, and both Firefox and IE offer tools as well.
    2. Or, type in the URL of a trusted site. Just be careful that you don’t mistype the URL; criminals are quick to buy URLs that are just a common typo away from the legitimate sites, and can make their fake sites appear legit.
    3. Never allow yourself to be pulled to a site by using a link sent in email, or found on someone’s blog, or by clicking on an advertisement. The website you land on may look just like the real site (just as the ad may have looked like a legitimate ad) but it may be a well crafted fake.
  3. Don’t fall for email, web, or social networking scams – tax time brings tax scams. The scams may tout tax rebates, offer great deals on tax preparation, or offer a free tax calculator tool, etc. If you did not solicit the information, it’s a scam.
    1. If the email claims to be from the IRS, it’s a scam – the IRS will not contact you via email.
    2. If the email appears to be from your employer, bank, broker, etc. claiming there is an issue with what they reported for you and you need to verify some information – it’s a scam.
    3. If you feel any temptation whatsoever to believe an online notice, check it out BEFORE responding. Use a site like Snopes and type in the email’s subject to see if the scam has been reported. If it comes from a company, find the company’s contact information yourself and call. Do NOT use information contained in the email to check it out; if it’s a scam, the information will be part of the scam.
  4. Never send sensitive information in email unless that sensitive information is in a password protected attachment (Word document, Excel file, etc). Basic email is not secure; it can be trapped and read by criminals. There are some email services that encrypt email; you will know if you have one of these.
    1. Do not include the attachment’s password in the email – call and share the password over the phone.
  5. Use strong passwords – A weak password is all it takes for someone to steal your information. “Password” or “123456” are not secure options, and neither are names, birthdates, words found in dictionaries, etc. If you use the same password on multiple sites (or everywhere) you are asking for real trouble. Learn how to make strong passwords that aren’t hard to remember, just hard to guess.
  6. Use a reputable tax preparer that follows strict data security guidelines. Even when you’ve secured information on your computer, information can ‘leak’ from whomever you share your information with.
    1. If you are using a new tax preparer, check them out with the Better Business Bureau or get references and check them carefully.
    2. Ask about the data security precautions the tax preparer uses to protect your information – if their computers aren’t secure, your information isn’t either.
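
The mistyped-URL risk in step 2 can be checked mechanically. The sketch below is an added example, not part of the original post: it compares a link's hostname against a short list of sites you trust and flags names that are a typo or two away, or that use a trusted name as a prefix of another domain. The trusted list and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the sites you actually mean to visit.
TRUSTED = ("irs.gov", "mybank.example")

def hostname_of(url):
    """Lower-cased hostname of a URL or bare address, without a leading 'www.'."""
    if "://" not in url:
        url = "//" + url              # lets urlsplit parse "mybank.example/login"
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:                # malformed address, e.g. a broken IPv6 literal
        return ""
    return host[4:] if host.startswith("www.") else host

def typo_distance(a, b):
    """Edits needed to turn a into b: insert, delete, substitute, or swap
    two adjacent characters (optimal string alignment distance)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # adjacent swap, e.g. "na" for "an"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(url, trusted=TRUSTED, max_typos=2):
    """Return (verdict, trusted_site) where verdict is 'trusted', 'lookalike',
    'unknown' or 'invalid'. 'unknown' is not a safety rating."""
    host = hostname_of(url)
    if not host:
        return ("invalid", None)
    for site in trusted:
        if host == site or host.endswith("." + site):
            return ("trusted", site)
    for site in trusted:
        # A trusted name used as the front of someone else's domain.
        if host.startswith(site + "."):
            return ("lookalike", site)
    closest = min(trusted, key=lambda site: typo_distance(host, site))
    if typo_distance(host, closest) <= max_typos:
        return ("lookalike", closest)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links.
    for link in ("https://www.irs.gov/forms",
                 "http://mybnak.example/login",
                 "https://mybank.example.refunds.test/",
                 "https://tax-forms.test/"):
        print(link, "->", classify(link))
```

A "lookalike" verdict means stop and navigate to the real site yourself; short names such as irs.gov will produce some false alarms at a distance of two, which is the safer direction to err in.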

Of all the things you need to worry about during tax preparation, don’t let financial safety be one of them. Your actions today can significantly decrease your chances of becoming one of the 300,000 or more victims expected to contact the Internet Crime Complaint Center this year.

Linda


Other Safety Resources

November 4, 2009

BlogSafety.com

This Web site features an interactive forum where parents, teens, and others can ask and answer each other’s questions about safe blogging. The forum is staffed by experts who make sure that all questions are answered with accurate up-to-date information. You’ll also find articles and tips on the subject.

Cyberbully.org

Cyberbullying is sending or posting harmful or cruel text or images using the Internet and cell phones, computers, and other such devices. This site offers guidance to parents and teachers on how to watch for and prevent cyberbullying.

Families Online Magazine

This online magazine offers expert parenting advice about children from infancy to teens by doctors, teachers, psychologists, nutritionists, and child safety and child development specialists.

The Internet Protectors

The Internet Protectors is a new Web site that allows people to connect on vital issues of online security with an emphasis on technology tools. The site offers video tutorials that help you set up and use security tools, as well as discussion forums on a variety of Internet-safety related topics.

KIDPOWER

This Web site gives straightforward advice and tools that give relevant practical solutions to real problems. It’s an excellent resource that provides books, workshops, training, and educational materials to teach people of all ages and abilities to use their power to stay safe, act wisely, and believe in themselves.

Online Shopping Rights

Online shopping is not only convenient, but is often the best way to get the best price. Get savvy about getting safe bargains with the comprehensive information at Online Shopping Rights. It covers everything from how to protect your personal information and use your credit card when you shop online to how to secure your wireless network and steer clear of spyware.

Parenting With Dignity

This site offers parenting books and videos as well as a program that provides a proven framework for raising kids in a time when external pressures have never been greater.

SafetyClicks

SafetyClicks.com is AOL’s new Internet Safety site for families and includes articles, blogs, videos. The site is designed to help educate parents about how to best protect kids and teens in a Web 2.0 world.