Friday, October 16, 2015

Data Breach: Vacaville Housing Authority

When and Who
Organization Name: Vacaville Housing Authority (VHS)
Date(s) of Breach (if known): Monday, August 24, 2015
Date(s) of Discovery of Breach: Tuesday, August 25, 2015

What Happened
This data breach is an example of how one innocent mistake can expose personally identifying information. A VHS employee accidentally sent an email, with an attachment that included Social Security Number information, to the wrong recipient. Fortunately, when the recipient viewed the email she notified VHS and deleted it from her inbox. As required, VHS reported the incident to the local police, the California Attorney General's Office and HUD. The local police confirmed that the recipient had deleted the email.

One lesson that can be drawn from this incident is to carefully review who you are sending an email to before you send it, in order to avoid this kind of mistake. After all, not all recipients may be as conscientious as the one in this breach. In all fairness, mistakes do happen, and it is better to have a process in place that accounts for them. For example, encrypting the file so that the recipient must enter a password to view it could have prevented this incident.
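One way to build the "process that accounts for mistakes" described above is an outbound check that runs before a message leaves the mail system: scan attachments for Social Security Number patterns and hold any message that would carry them to a recipient outside the organization's own domains. The following is an added example written for this post, not VHS's actual process or software; the domain names, the sample roster and the check_outbound function are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Matches 123-45-6789 style numbers. An area number of 000, 666 or 900-999,
# a group of 00 or a serial of 0000 is never assigned, so those are rejected
# up front to cut down on false positives from phone numbers and part numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed placeholder domains: mail to these is considered internal.
TRUSTED_DOMAINS = {"vha.example", "hud.example"}


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    attachments: dict  # filename -> text content of the attachment


def find_ssns(text):
    """Return every SSN-like token found in the text."""
    return SSN_RE.findall(text)


def external_recipients(recipients):
    """Return the recipients whose domain is not in the trusted set."""
    external = []
    for address in recipients:
        domain = address.rsplit("@", 1)[-1].lower()
        if domain not in TRUSTED_DOMAINS:
            external.append(address)
    return external


def check_outbound(msg):
    """Decide whether a message may be sent.

    Returns (allowed, findings, external) where findings maps each attachment
    name to the number of SSN-like tokens it contains and external lists the
    recipients outside the trusted domains. The message is held only when
    both conditions are true: sensitive data is present AND it would leave
    the trusted domains. Internal mail still gets the findings reported so
    the sender can review them.
    """
    findings = {}
    for name, content in msg.attachments.items():
        hits = find_ssns(content)
        if hits:
            findings[name] = len(hits)
    external = external_recipients(msg.recipients)
    allowed = not (findings and external)
    return allowed, findings, external


# Constructed sample attachment: two valid-looking SSNs, one impossible SSN
# (area 000) and a phone number that must not be counted.
SAMPLE_ROSTER = (
    "tenant,ssn,phone\n"
    "A. Tenant,123-45-6789,(707) 555-1234\n"
    "B. Tenant,234-56-7890,(707) 555-5678\n"
    "C. Tenant,000-12-3456,(707) 555-9012\n"
)

MISDIRECTED = OutboundMessage(
    sender="clerk@vha.example",
    recipients=["j.smith@mail.example"],      # typo'd external recipient
    attachments={"tenant_roster.csv": SAMPLE_ROSTER},
)

INTERNAL = OutboundMessage(
    sender="clerk@vha.example",
    recipients=["supervisor@vha.example"],
    attachments={"tenant_roster.csv": SAMPLE_ROSTER},
)

if __name__ == "__main__":
    for label, message in (("misdirected", MISDIRECTED), ("internal", INTERNAL)):
        allowed, findings, external = check_outbound(message)
        print(label, "allowed" if allowed else "HELD", findings, external)
```

The regular expression is deliberately conservative: it catches the dashed format used in most spreadsheets but will miss undashed nine-digit numbers, so in practice this check complements, rather than replaces, encrypting the attachment and confirming the recipient before sending.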

What Kind of Data Was Breached 
Social Security Numbers

Who Is Affected
The number of people affected was not mentioned in the organization's breach notification to those affected.

Monday, May 11, 2015

More People Believe Privacy Has Been Lost

A recent CBS News/New York Times Poll indicated that most Americans believe that the right to privacy in general has been compromised. 52% think the right to privacy is under serious threat, and another 30% think it has already been lost. Only 16% think it is still safe.

According to a Pew Research poll, 91% of adults think that consumers have lost control over their personal information used by companies.  Given the perception of lost privacy, the majority of Americans express negative views about companies collecting personal information about individuals, including what they buy, their credit histories, and income information. When presented with the reasons for or against such practices, only 13% think it is mostly good because it allows companies to better serve their customers and process financial transactions quickly, whereas 83% say that it is mostly a bad thing because it makes it easier for the information to be shared inappropriately. 

Americans clearly think the government ought to be doing more to protect their information; 68% think the federal government is not doing enough to regulate the personal information that can be collected about people. 14% think it is doing enough, and 11% think it ought to be doing less. Even so, the political gridlock in Washington DC makes the passage of stronger privacy legislation a remote possibility any time soon. 

A Pew Research poll indicated that 61% say they "would like to do more" to protect their privacy. Given the dearth of online privacy options and software, many are left without information about how to protect it. A recent survey conducted by GlobalWebIndex showed that only 28% of the online population were using tools to disguise their identity or location. Clearly, there is a gap between the desire to protect privacy and the knowledge of how to do so.

Tuesday, April 14, 2015

How Fast Can a Hacker Snag Your Data?

You have one minute and 22 seconds to cut off all communication between your computer and the Internet once you open that malicious email attachment. Otherwise, attackers will start exfiltrating data from your computer. This is according to an annual report by Verizon that analysed data on nearly 80,000 breaches contributed by 70 different organizations, including law enforcement agencies as well as government and industry computer incident response teams worldwide.

Everyone thinks that they will never be fooled into opening that suspicious attachment. We feel confident that we can spot those emails from Nigeria offering to transfer millions to our bank account. Sorry to burst your bubble of email bliss. Verizon noted that 23 percent of recipients open nefarious messages containing malicious attachments or links. Even so, simply opening an email won't necessarily install malware on your computer. Even more dangerous are the 11 percent of recipients who go so far as to click on malicious attachments. Attackers have become experts at creating convincing emails that appear to be from a trusted source. There are malicious emails concocted for mass distribution and those that are cleverly targeted and thereby appear trustworthy. In security professional terminology the difference is between "phishing" emails and "spear-phishing" emails.

"Spear-phishing is a more targeted form of phishing", according to Kim Zetter in her article "Hacker Lexicon: What Are Phishing and Spear Phishing?" published in Wired Magazine. "Whereas ordinary phishing involves malicious emails sent to any random email account, spear-phishing emails are designed to appear to come from someone the recipient knows and trusts—such as a colleague, business manager or human resources department—and can include a subject line or content that is specifically tailored to the victim's known interests or industry. For really valuable victims, attackers may study their Facebook, LinkedIn and other social networking accounts to gain intelligence about a victim and choose the names of trusted people in their circle to impersonate or a topic of interest to lure the victim and gain their trust."

And it's not just email we need to worry about. Attackers can use the same techniques on social media sites like Facebook, Instagram, Snapchat, and so forth. The attacker just needs you to open a file, photo, audio recording, or video. If you have a one in ten chance of being fooled into opening a malicious file and your antivirus has only a 55% chance of detecting the malware, eventually some hacker is going to gain access to your computer. Clearly, the security methods and tactics that worked in the past are simply not as effective today. It's time for products to be redesigned with added security, and we need to move away from putting all our digital goodies in one basket.
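The spear-phishing traits quoted above (a display name borrowed from a known colleague, a sending domain that merely resembles the real one, replies steered to a different mailbox) are all visible in the message headers, which makes them a good target for an automated triage check on the receiving side. The following is an added example written for this post, not code from Wired or Verizon; the address book, the internal domain and the sample message are constructed, and the look-alike test is a simple prefix heuristic rather than a full typosquat detector.

```python
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed address book: display names the recipient knows, with the
# address each contact is expected to send from.
KNOWN_CONTACTS = {
    "Maria Lopez": "maria.lopez@vha.example",
    "HR Department": "hr@vha.example",
}
INTERNAL_DOMAINS = {"vha.example"}  # constructed placeholder


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_alike(domain):
    """True when the first label of the domain starts with an internal
    domain's first label but the domain itself is not internal, e.g.
    vha-payroll.example against vha.example. Deliberately crude."""
    if not domain or domain in INTERNAL_DOMAINS:
        return False
    first = domain.split(".")[0]
    for internal in INTERNAL_DOMAINS:
        label = internal.split(".")[0]
        if first != label and first.startswith(label):
            return True
    return False


def sender_findings(raw_message):
    """Return a list of header-based warning strings for a raw RFC 822
    message; an empty list means none of the checks fired."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    findings = []

    # 1. Display name matches a known contact but the address does not.
    expected = KNOWN_CONTACTS.get(name)
    if expected and expected.lower() != addr.lower():
        findings.append("display name impersonates known contact")

    # 2. Sending domain resembles, but is not, an internal domain.
    if looks_alike(from_domain):
        findings.append("look-alike domain")

    # 3. Replies are redirected to a different domain than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to domain differs from sender domain")

    return findings


# Constructed sample messages, not real captures.
SUSPICIOUS_MSG = """From: "Maria Lopez" <maria.lopez@vha-payroll.example>
Reply-To: accounts@mailbox.example
To: clerk@vha.example
Subject: Updated tenant roster - please review
Content-Type: text/plain

Please open the attached roster before the HUD deadline.
"""

CLEAN_MSG = """From: "Maria Lopez" <maria.lopez@vha.example>
To: clerk@vha.example
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free at noon?
"""

if __name__ == "__main__":
    print("suspicious:", sender_findings(SUSPICIOUS_MSG))
    print("clean:", sender_findings(CLEAN_MSG))
```

A mail gateway would typically turn these findings into a warning banner or a quarantine rather than an outright block, since a legitimate contractor or a colleague writing from a personal account can trip the same checks; the value is in surfacing the mismatch to the person about to click.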

Friday, March 6, 2015

The TV That Observes You

Imagine that you can talk to your TV and it responds to your commands. The technology has finally arrived at a store near you. Samsung's SmartTV uses voice recognition technology to enable voice commands. No more hand remote! Amazing!

Not so amazing is the caveat that comes with the technology. It is better described as disturbing. Buried in Samsung's privacy policy is a disclosure that reads, "if your spoken words include personal or other sensitive information, that information will be captured and transmitted to a third party." Notice the phrasing is NOT "could be" or "accidentally". Rather, it clearly states "will be captured and transmitted".

Just when you finished covering your webcam to protect your privacy from hackers accessing your laptop camera, now you need to deal with your TV snooping on you as well. At least someone has to hack into your laptop. Not so with the Samsung SmartTV. The spyware is already embedded and will be capturing and transmitting your spoken words to a "third party".

Expect more of the same to come with the "Internet of Things".

Tuesday, March 3, 2015

Ten Essential Smartphone Security Practices

Be Smart with Securing Your Smartphone

Today there are more mobile phones than laptop and desktop computers. Our smartphone is like a mini-computer. We don't just make phone calls anymore. We surf the internet, check our email, send text messages, take pictures, make videos, check Facebook, and much more. This treasure trove of personal as well as business information is a lucrative temptation for a cyber criminal or data broker. If you don't want your emails, Facebook postings, text messages, and the like pilfered for someone else's profit or potentially used in an exploitive way, then you need to start being smart when it comes to securing your mobile phone. Below are ten essential security practices you should follow.

Smartphone Security and Privacy Tips
  1. Use a password on your phone to prevent unauthorized access.
  2. Configure your smartphone to auto-lock when not in use.  Your password won't provide protection unless your device is locked.
  3. Turn off Wi-Fi and Bluetooth when not in use. Alternatively, place your device in "Airplane" mode. These radios are essentially open connections to your phone, so if you don't need to use them, turn them off.
  4. Turn off auto-connect to Wi-Fi networks. There are a lot of unsecured Wi-Fi networks out there, and your phone can automatically connect to any Wi-Fi network that is in range. Only connect to trusted networks.
  5. Download apps from only trusted sources such as the Apple Store or Google Play store.
  6. Check app permissions individually to be aware of what data apps are accessing on your phone.
  7. Perform regular software updates on all apps and your phone’s OS. This patches possible security vulnerabilities (aka backdoors) that can give hackers access to your phone.
  8. Do regular backups of your phone. This will prove helpful in the event that your device gets lost or stolen.
  9. If your device happens to get lost or stolen, make sure you have software that allows you to remotely lock, and if necessary, wipe the data from your phone.
  10. Install mobile security software on your phone as an extra layer of security.

Thursday, February 26, 2015

Why Net Neutrality is a Victory for Small Businesses

As a small business owner you are now free to set up an outrageously successful website without having to cough up extra money to your Internet Service Provider for a "service" that would add no value to yours.

Net Neutrality is the concept of keeping the Internet a level playing field, with no "fast lane" or "slow lane" treatment for some kinds of traffic. Large Internet Service Providers (ISPs) wanted to insert a "middle-man" service that would stand between the consumer and a cloud provider such as Netflix. Currently, a user visits a website of their choice with no such middle-man obstruction. Large ISPs wanted another way to make money by charging a toll for website access. There was no functional reason for this toll; the Internet is working just fine. Stopping short of censorship, an ISP could make access to a website so slow that users would go elsewhere. Eventually, the website host would have to pony up the extra money.

It was no surprise that there was widespread support for Net Neutrality: 99 percent of the 1.1 million comments on "Net Neutrality" submitted to the Federal Communications Commission were in favor of it, according to analysis by the Sunlight Foundation.

Steve Wozniak, co-founder of Apple Inc., explains why he favored Net Neutrality and why he thinks it is a victory for consumers. 

Tuesday, February 17, 2015

Antivirus Is Dead, What Do I Do Now?

Brian Dye, senior vice-president for information security at Symantec, has declared antivirus "dead". With a detection rate of only 45%, you can't rely on antivirus to protect your computer from malware infections. Now what?
Being careful with opening email attachments and what websites you visit is important but doesn’t mean you will never be fooled. If you have ever watched a magician perform a trick and couldn’t figure out immediately how that trick was performed, then you are capable of being fooled. Experienced cyber criminals are experts at scamming and the art of illusion. Besides, most people use Facebook and other social media sites which have become a popular attack approach. Cyber criminals have enjoyed a 70% success rate with malware spread through social media.
If you assume your computer will crash or suddenly experience performance issues, and that is how you will know you've been hacked, think again. Cyber criminals will NOT crash your computer. That would defeat their purpose. Their aim is to infiltrate your computer to pilfer data. After they're done, they will use your computer to cover their tracks so their attacks on other computers will appear to originate from your computer. Besides, even if your computer's performance takes a dive, how are you going to remove the infection if the antivirus or similar detection tool can't find its source?
Obviously, a new approach to computer protection is required. The first would be an operating environment that is impervious to infections. One approach would be to change your operating system to Linux. Millions of malware variants designed for Windows are roaming around on the Internet. There are fewer designed for the Mac, though that number is still close to one million. Linux, on the other hand, has had fewer than 100 pieces of malware designed to attack it. Part of the reason is Linux's smaller user base and its numerous different versions. Linux has had a reputation for being difficult to learn and use. However, there is a new version designed for Windows users called Zorin. Even so, you may still find learning a new operating system too much of a challenge.
A technology known as virtualization may provide a promising approach. It isolates an application from the rest of the operating system; it can also isolate an entire operating system environment. The benefit is that whatever happens in that isolated environment stays in that environment and won't affect the rest of your computer. An example of software that uses application virtualization is Sandboxie. If you open your browser (Internet Explorer, Firefox, Chrome, etc.) within Sandboxie and go to a website that has malware, the malware will be isolated in the Sandboxie environment and will not infect your computer. Sandboxie can be configured to erase all activity in a session so that you start with a clean slate each time you open a program. That means any malware will not only be isolated but will be erased at the end of the session. This technology is still relatively new and needs some work in the area of usability for the average user, but power users should have no problem installing and using it.
I will have more suggestions in future blogs, so stay tuned.
Check out…

Friday, January 2, 2015

If Antivirus Is Dead, How Do I Know If I've Been Hacked

Antivirus "is dead", declared Brian Dye, senior vice-president of information security at Symantec. Industry experts agree that antivirus protection is only 45% effective in detecting malware. If you have been relying on antivirus protection as your only approach to protecting your computer from intruders, then you might sleep less comfortably at night.
So, if you go to a website, open an email attachment, or download a file where there is malware present, there is a 55% chance your computer will become infected without you knowing about it. If you can’t rely on antivirus protection to detect an infection, how will you know if you’ve been hacked?
Chances are you won't know you've been hacked. Most people assume that their computer will crash or will suddenly experience performance issues. That assumption is a myth. Cyber criminals will NOT crash your computer. That would defeat their purpose. Their aim is to infiltrate your computer to pilfer data. After they're done, they will use your computer to cover their tracks so their attacks on other computers will appear to originate from your computer. They may also add your computer to their network of infected computers. That network is referred to as a "botnet" and your computer is referred to as a "zombie". With a network of hundreds of thousands or even millions of computers, hackers have the power to launch attacks on networks and websites that can render them inoperable. There is absolutely ZERO benefit to the cyber criminal in crashing your computer.
If you think that being careful with opening email attachments and what websites you visit will protect you, think again. Most people use Facebook and other social media sites. According to industry experts the use of social media to spread malware has become ubiquitous. Cyber criminals have enjoyed a 70% success rate with malware spread through social media.
What can you do besides throw your arms in the air in frustration, yelling "why little ol' me!", or resign yourself to constant surveillance and tell yourself "I have nothing to hide" in order to feel less uncomfortable? Obviously, a new approach to securing your computer is sorely needed. There are solutions that I will cover in future blogs. So, stay tuned.

Symantec Exec Declares Antivirus is Dead

Antivirus detects only 45% of all attacks which renders the widely used protection ineffective according to industry experts. Brian Dye, senior vice-president for information security at Symantec, has declared antivirus as “dead”. This comes from a company that has been a leading innovator of antivirus products since the 1980s.
Cyber criminals and hackers have simply outsmarted the developers at antivirus companies. At first the industry approach was detect and then protect. That method worked when the amount of malware and viruses being produced was relatively low. Once the amount of malware created per year reached millions of variants, the "detect and protect" approach became impractical. At that time a quasi-artificial intelligence called "heuristic detection" was developed. Heuristics worked for the 1990s and early 2000s. But the bad guys found a way to bypass heuristic detection. Hackers now use a method called "crypting" that renders malware undetectable to antivirus software and malware tools.
Brian Krebs, a computer security reporter, describes this "crypting" method: "Put simply, a crypting service takes the bad guy's piece of malware and scans it against all of the available antivirus tools on the market today – to see how many of them detect the code as malicious. The service then runs some custom encryption routines to obfuscate the malware so that it hardly resembles the piece of code that was detected as bad by most of the tools out there. And, it repeats this scanning and crypting process in an iterative fashion until the malware is found to be completely undetectable by all of the antivirus tools on the market."
The cyber criminals and hackers call this kind of malware "fully undetectable" or "FUD" for short. This is the reason antivirus is now only 45% effective. So, if you have been depending on antivirus as your sole means of protecting your computers, you are in for a rude awakening. And if you have felt safe because your computer hasn't crashed, you are in for an even bigger rude awakening. Professional cyber criminals and hackers will NOT crash your computer. That would defeat their purpose of pilfering your data and using your computer to cover their tracks when attacking other computers. There is absolutely NO benefit to the cyber criminal in crashing your computer. They may encrypt your data and blackmail you into paying a ransom to get it back, but they won't crash your computer.
In future blogs I will discuss alternatives to antivirus protection that are more effective. Stay tuned.