Thursday, March 24, 2016

The Easiest Way To Avoid Being Hacked

For decades we have been told by security professionals that the best way to avoid being hacked is to be careful when opening e-mail attachments, to install anti-virus software, and to use a firewall. That has been the security mantra since the 1990s. If you'll notice, we are not in the 1990s anymore. Hackers have had over 20 years to poke holes in those defenses, and have largely been successful. It is time for a new approach.

At a recent security conference, Avecto, a security product manufacturer, presented an analysis of Microsoft Security Bulletins from 2015, focusing only on the security vulnerabilities labeled "Critical". What they discovered is that 85% of the vulnerabilities exploited to hack a computer can be mitigated by removing administrator privileges from the current user. In other words, if you use a "standard" user account as opposed to an "administrator" user account, malware could be stopped from being installed on your computer 85% of the time. What is the difference between "standard" and "administrator" user accounts? A "standard" user account cannot install software or make configuration changes to your computer. Only an "administrator" account can do that.

When you create your user account in Windows, you have a choice whether to create a "standard" or "administrator" user. You can also change the account type by going to Control Panel > User Accounts > Change Your Account Type. There has to be at least one "administrator" user on a computer. That means you will need to create two user accounts: one "standard" and one "administrator". You use the "standard" one for your everyday activities and the "administrator" account just for making changes or installing software.

So, why don't most people use standard user accounts? The answer is convenience. They want the immediate gratification of installing software or making changes on the fly. Most users are not aware that Microsoft has already made it more convenient to use a standard user account. Since Windows 7, you can operate in your standard user account and install software by right-clicking on the installation file and selecting "Run as Administrator" from the menu. You will then be prompted to enter your administrator username and password. That means you can stay logged in to your standard user account, but invoke the administrator account when you need to without logging off and switching accounts.
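The same two-account setup, scripted, as an added example that is not part of the original post: it reports whether the account you are working in holds administrator rights, lists the local administrators, and creates a separate standard account for everyday use. It assumes Windows 10 or later with the built-in LocalAccounts cmdlets, is run once from an elevated prompt, and the account name "DailyUser" is a placeholder.

```powershell
# Added example, not code from the original post. Run once from an elevated
# (administrator) PowerShell on Windows 10 or later.

# Does the current session carry administrator rights? Note: for an administrator
# account running WITHOUT elevation (UAC filtered token) this reports False,
# so the group listing below is the more reliable check.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Current user: $($identity.Name)  Elevated: $elevated"

# Which local accounts can install software and change configuration?
Write-Host "Members of the local Administrators group:"
Get-LocalGroupMember -Group "Administrators" | Select-Object Name, PrincipalSource

# Create a standard account for everyday work. New-LocalUser does not put the
# account into Administrators; membership in "Users" is all a standard account needs.
$standardName = "DailyUser"   # placeholder name, choose your own
if (-not (Get-LocalUser -Name $standardName -ErrorAction SilentlyContinue)) {
    $password = Read-Host "Password for $standardName" -AsSecureString
    New-LocalUser -Name $standardName -Password $password -FullName "Everyday standard account" | Out-Null
    Add-LocalGroupMember -Group "Users" -Member $standardName
}

# Confirm the new account is NOT an administrator before you start using it.
$admins = (Get-LocalGroupMember -Group "Administrators").Name
if ($admins -notcontains "$env:COMPUTERNAME\$standardName") {
    Write-Host "$standardName is a standard user; log in with it for everyday work."
} else {
    Write-Warning "$standardName is in Administrators; remove it before using it daily."
}

# From the standard account, this is the scripted equivalent of right-click >
# "Run as Administrator": UAC prompts for an administrator's credentials and the
# rest of your session stays unprivileged. (Path is a placeholder.)
# Start-Process -FilePath "C:\path\to\installer.exe" -Verb RunAs
```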

Working in a standard user account is essential for keeping the hackers from invading your computer. Consider these other findings:

● Of the 251 vulnerabilities in 2015 with a Critical rating, 85% were concluded to be mitigated by removing administrator rights
● 86% of Critical vulnerabilities affecting Windows can be mitigated by removing administrator rights
● 99.5% of all vulnerabilities in Internet Explorer can be mitigated by removing administrator rights
● 82% of vulnerabilities affecting Microsoft Office can be mitigated by removing administrator rights
● 85% of Remote Code Execution vulnerabilities can be mitigated by removing administrator rights
● 82% of Critical vulnerabilities affecting Windows 10 can be mitigated by removing administrator rights
● 63% of all Microsoft vulnerabilities reported in 2015 can be mitigated by removing administrator rights

Saturday, January 30, 2016

Best Privacy Policy Statement Ever

Being a privacy advocate, I am one of the few people who actually read the privacy policy of a website. Most privacy policies are so convoluted with legalese that the average person can't make any sense of them. I was pleasantly surprised when I came across a privacy policy statement that was simple, easy to understand, and clearly states the privacy protection principles of the business. The privacy policy statement below belongs to www.gongs-unlimited.com. (Why I was looking for a gong is a whole other story, which may be an entertaining story, yet irrelevant to discussing privacy policies. So, I will do the reader a favor and not digress.) Like all good privacy policies, this one states what information the company collects and whether they share that information with a third party. What makes this one stand apart is the personable language that plainly states why they believe in protecting their clients' privacy. Admittedly, I also like the emphatic and irreverent tone spiced with just the right amount of humor. Read it below for yourself....

THE GONGS UNLIMITED PRIVACY POLICY

Everyone at Gongs Unlimited treasures their privacy and we trust that our customers treasure their privacy as well.  If you are anything like the 15 year old daughter of the Head Mallethead here, you really really treasure your privacy.  Because we are just a retail store. You come in and buy a gong. That's all we want to know.

We will never give your email address or any other information you used to purchase a gong to any third party. And not any fourth or fifth parties either.  Screw them! If you wanted Spam, you'd go to Hawaii and order some with eggs!

If you bought a gong at a local mall, you wouldn’t expect to be hounded by salespeople from other stores chasing you to your car, calling you and yelling into your phone, or filling your mailbox with garbage. We believe that you shouldn’t have to experience that in your computer when you buy a Gong either.



Friday, October 16, 2015

Data Breach: Vacaville Housing Authority

When and Who
Organization Name: Vacaville Housing Authority (VHS)
Date(s) of Breach (if known): Monday, August 24, 2015
Date(s) of Discovery of Breach: Tuesday, August 25, 2015

What Happened
This data breach is an example of how one innocent mistake can expose personal identifying information. A VHS employee accidentally sent an email with a file attachment that included Social Security Number information to the wrong recipient. Fortunately, when the recipient viewed the email she notified VHS and deleted it from her inbox. As required, VHS reported the incident to the local police, the California Attorney General's Office and HUD. The local police confirmed that the recipient deleted the email.

One lesson that can be drawn from this incident is to carefully review who you are sending an email to in order to avoid this kind of mistake. After all, not all recipients may be as conscientious as the recipient in this data breach. In all fairness, mistakes do happen, and it is better to have a process in place that takes potential mistakes into account. For example, using file encryption that requires the recipient to enter a password to view the file could have prevented this incident.

What Kind of Data Was Breached
Social Security Numbers

Who Is Affected
The number of those affected was not mentioned in the organization's breach notification to those affected.


Monday, May 11, 2015

More People Believe Privacy Has Been Lost


A recent CBS News/New York Times Poll indicated that most Americans believe that the right to privacy in general has been compromised. 52% think the right to privacy is under serious threat, and another 30% think it has already been lost. Only 16% think it is still safe.

According to a Pew Research poll, 91% of adults think that consumers have lost control over how their personal information is used by companies. Given the perception of lost privacy, the majority of Americans express negative views about companies collecting personal information about individuals, including what they buy, their credit histories, and income information. When presented with the reasons for or against such practices, only 13% think it is mostly good because it allows companies to better serve their customers and process financial transactions quickly, whereas 83% say that it is mostly a bad thing because it makes it easier for the information to be shared inappropriately.


Americans clearly think the government ought to be doing more to protect their information: 68% think the federal government is not doing enough to regulate the personal information that can be collected about people, 14% think it is doing enough, and 11% think it ought to be doing less. Even so, the political gridlock in Washington DC makes the passage of stronger privacy legislation a remote possibility any time soon.

A Pew Research poll indicated that 61% say they "would like to do more" to protect their privacy. Given the dearth of online privacy options and software, many are left without information about the choices available to protect their privacy. A recent survey conducted by GlobalWebIndex showed that only 28% of the online population is using tools to disguise their identity or location. Clearly, there is a gap between the desire to protect privacy and knowledge of how to do so.

Tuesday, April 14, 2015

How Fast Can a Hacker Snag Your Data?

You have one minute and 22 seconds to stop all communications between your computer and the Internet once you open that malicious attachment in your email. Otherwise, attackers will start exfiltrating the data from your computer. This is according to an annual report conducted by Verizon that analyzed data involving nearly 80,000 breaches contributed by 70 different organizations, including law enforcement agencies as well as government and industry computer incident response teams worldwide.

Everyone thinks that they will never be fooled into opening that suspicious attachment. We feel confident that we can spot those emails from Nigeria offering to transfer millions to our bank account. Sorry to burst your bubble of email bliss. Verizon noted that 23 percent of recipients open nefarious messages containing malicious attachments or links. Even so, simply opening an email won't necessarily install malware on your computer. Even more dangerous are the 11 percent of recipients who go so far as to click on malicious attachments. Attackers have become experts at creating convincing emails that appear to be from a trusted source. There are malicious emails concocted for mass distribution and those that are cleverly targeted and thereby appear trustworthy. In security professional terminology the difference is between "phishing" emails and "spear-phishing" emails.

"Spear-phishing is a more targeted form of phishing", according to Kim Zetter in her article "Hacker Lexicon: What Are Phishing and Spear Phishing?" published in Wired Magazine. "Whereas ordinary phishing involves malicious emails sent to any random email account, spear-phishing emails are designed to appear to come from someone the recipient knows and trusts—such as a colleague, business manager or human resources department—and can include a subject line or content that is specifically tailored to the victim’s known interests or industry. For really valuable victims, attackers may study their FaceBook, LinkedIn and other social networking accounts to gain intelligence about a victim and choose the names of trusted people in their circle to impersonate or a topic of interest to lure the victim and gain their trust."

And it's not just email we need to worry about. The same techniques can be used by hackers on social media sites like Facebook, Instagram, Snapchat, and so forth. The attacker just needs you to open a file, photo, music recording, or video. If you have a one in ten chance of being fooled into opening a malicious file and your anti-virus only has a 55% chance of detecting the malware, eventually some hacker is going to gain access to your computer. Clearly, the security methods and tactics that worked in the past are simply not as effective today. It's time for products to be redesigned with added security, and we need to move away from putting all our digital goodies in one basket.


Friday, March 6, 2015

The TV That Observes You

Imagine that you can talk to your TV and it responds to your commands. The technology has finally arrived at a store near you. Samsung's SmartTV uses voice recognition technology to enable voice commands. No more hand remote! Amazing!

Not so amazing is the caveat that comes with the technology. It is better described as disturbing. Buried in Samsung's privacy policy is a disclosure that reads, "if your spoken words include personal or other sensitive information, that information will be captured and transmitted to a third party." Notice the phrasing is NOT "could be" or "accidentally". Rather, it clearly states "will be captured and transmitted".

Just when you finished covering your webcam to protect your privacy from hackers accessing your laptop camera, now you need to deal with your TV snooping on you as well. At least someone has to hack into your laptop. Not so with the Samsung SmartTV. The spyware is already embedded and will be capturing and transmitting your spoken words to a "third party".

Expect more of the same to come with the "Internet of Things".

Tuesday, March 3, 2015

Ten Essential Smartphone Security Practices

Be Smart with Securing Your Smartphone

Today, there are more mobile phones than there are laptop and desktop computers. Our smartphone is like a mini-computer. We don't just make phone calls anymore. We surf the internet, check our email, send text messages, take pictures, make videos, check Facebook, and much more. This treasure trove of personal as well as business information is a lucrative temptation for a cyber criminal or data broker. If you don't want to have your emails, Facebook postings, text messages, and the like pilfered for someone else's profit or potentially used in an exploitative way, then you need to start being smart when it comes to securing your mobile phone. Below are ten essential security practices you should follow.

Smartphone Security and Privacy Tips
  1. Use a password on your phone to prevent unauthorized access.
  2. Configure your smartphone to auto-lock when not in use. Your password won't provide protection unless your device is locked.
  3. Turn off Wi-Fi and Bluetooth when not in use. Alternatively, place your device in "Airplane" mode. These radios are essentially open connections to your phone, so if you don't need to use them, turn them off.
  4. Turn off auto-connect to Wi-Fi networks. There are a lot of unsecured Wi-Fi networks out there, and your phone can automatically connect to any Wi-Fi network that is in range. Only connect to trusted networks.
  5. Download apps from only trusted sources such as the Apple Store or Google Play store.
  6. Check app permissions individually to be aware of what data apps are accessing on your phone.
  7. Perform regular software updates on all apps and your phone's OS. This patches security vulnerabilities (aka backdoors) that can give hackers access to your phone.
  8. Do regular backups of your phone. This will prove helpful in the event that your device gets lost or stolen.
  9. If your device happens to get lost or stolen, make sure you have software that allows you to remotely lock, and if necessary, wipe the data from your phone.
  10. Install mobile security software on your phone as an extra layer of security.