SPOTLIGHT ON SECURITY

New Year’s Resolutions: Be More Secure in 2014

If you’re inclined to make resolutions this time of year and you’re concerned about your online and offline security, here are some suggestions that can keep you safer in the days ahead.

At the top of the list: You should vow to change the passwords to your important accounts on a frequent basis.

“To ensure your personal information online is secure, it’s a good practice to regularly change your password,” JD Sherry, vice president of technology and solutions at Trend Micro, told TechNewsWorld. “With cyberattacks becoming more prevalent, hackers can more easily gain your password and the information within your personal emails, messages and social media.”

Using the same password for many websites is also something you should vow to avoid in 2014. If you don’t resolve to do that, there’s always the chance that someone will do it for you, as Facebook did when the Adobe breach showed that some users had the same password on both services.

“You can’t always count on someone like Facebook doing it for you,” Chet Wisniewski, a security advisor for Sophos, told TechNewsWorld. “You have to assume that any place you’ve used it will lose it, as so many places did in 2013. It’s on you, as an individual, to make sure that password isn’t the one key that unlocks your entire kingdom.”

Manage All Those Passwords

If you do vow not to reuse passwords, you may want to embrace another resolution: to use a password manager.

“Password management is a big deal,” identity theft expert Robert Siciliano told TechNewsWorld. “I have over 700 passwords. I couldn’t remember 20 passwords, never mind 700-plus.”

In addition to making it easier to kick the reusing password habit, password managers have other benefits.

“It allows me to manage my passwords across devices, across operating systems and across browsers,” Siciliano said, “so no matter what I’m using, my passwords are in sync in the cloud.”

Be Cloud Skeptical

Here’s a resolution worth considering in the wake of the Target department store breach: “Never use a debit card that is tied to your bank account for anything other than ATM withdrawals,” David Britton, vice president of industry solutions at 41st Parameter, told TechNewsWorld.

Some banks will cover any money lost due to debit card fraud. However, unlike with a credit card — where spending can’t exceed a limit set by the card issuer — a card thief may be able to spend more than you have in your debit card account.

“If the fraudster’s charges exceed the balance of the account, there may be overdraft fees that may not be covered,” Britton explained.

As in recent years, you’ll be hearing lots about the cloud and security there. You might want to vow to take a down-to-earth view of the nimbus in your dealings with it.

“Remember, the cloud is just someone else’s computer — not a magical place where no bad things can happen,” security analyst Graham Cluley told TechNewsWorld.

NSA Targets Error Messages

The exploits of an elite group in the NSA called the “Office of Tailored Access Operations,” or TAO, last week were detailed in a lengthy report in Der Spiegel.

One of the favorite pastimes of this group of code warriors reportedly was intercepting error messages sent to Microsoft by legions of computers running Windows.

It was a “neat way” to gain “passive access,” according to a purloined presentation from the NSA cited in the Der Spiegel report.

What makes the error reports, dubbed “Dr. Watson,” so vulnerable to snoops is that they’re transmitted in plain text across the Internet, explained Alex Watson, a director of security research at Websense (no connection to the “Dr. Watson” code-name).

Those reports contain valuable information to anyone planning an attack on a network or computer. They include application names, versions, crash locations, operating systems, computer makes and models, unique identifiers and BIOS information.

What’s more, a program crash isn’t the only thing generating error reports.

“Every time you plug in a USB device, very detailed information about that device will be sent to Microsoft,” Watson told TechNewsWorld.

After studying a number of those reports, Websense came to a disconcerting conclusion.

“We found that with the frequency that these reports happen, it’s entirely possible for anyone with access to these unencrypted logs to quickly profile and identify vulnerabilities and build a blueprint for a network they wanted to attack,” Watson said.

That was illustrated in the Der Spiegel report, which “showed that some nation-states are using these reports to craft highly specific, low-chance-of-detection attacks against a targeted network,” he added.
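The defensive counterpart to the Websense finding is to know which of your own machines are shipping crash reports in the clear before anyone else does. The script below is an added example, not code from the article or from Websense: it scans web-proxy log lines in a constructed format and flags every request to a Windows Error Reporting endpoint that travels over plain HTTP rather than HTTPS, then totals the cleartext bytes per client. The endpoint list (watson.microsoft.com and a subdomain form) and the log layout are assumptions for the demo and should be tuned to your proxy; the host check requires a dot boundary so that a lookalike such as notwatson.microsoft.com is not counted.

```python
"""Flag Windows Error Reporting (WER) uploads that leave the network unencrypted.

Illustrative example, not from the article. Log format and WER host names are
assumptions; adjust both to the proxy you actually run.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed WER collection endpoints (placeholder list; tune per environment).
WER_HOSTS = ("watson.microsoft.com", "watson.telemetry.microsoft.com")

# Constructed proxy log layout: <timestamp> <client_ip> <method> <url> <status> <bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)
URL_RE = re.compile(r"^(?P<scheme>[a-z]+)://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$")


@dataclass
class Finding:
    ts: str
    client: str
    method: str
    host: str
    path: str
    bytes_sent: int


def is_wer_host(host: str) -> bool:
    """True for an assumed WER endpoint or one of its subdomains.

    The suffix test insists on a dot boundary, so notwatson.microsoft.com
    does not match while dw.watson.microsoft.com does.
    """
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in WER_HOSTS)


def parse_line(line: str):
    """Split one proxy log line into its fields; None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return {
        "ts": m["ts"], "client": m["client"], "method": m["method"],
        "scheme": u["scheme"].lower(), "host": u["host"],
        "path": u["path"] or "/", "bytes": int(m["bytes"]),
    }


def find_cleartext_wer(lines):
    """Return a Finding for every plain-HTTP request to a WER host.

    HTTPS uploads and unrelated hosts are ignored; malformed lines are skipped.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["scheme"] == "http" and is_wer_host(rec["host"]):
            findings.append(Finding(rec["ts"], rec["client"], rec["method"],
                                    rec["host"], rec["path"], rec["bytes"]))
    return findings


def clients_by_volume(findings):
    """Cleartext WER bytes per client, most talkative first."""
    totals = Counter()
    for f in findings:
        totals[f.client] += f.bytes_sent
    return totals.most_common()


# Constructed sample log: two cleartext uploads from one host, one TLS upload,
# one unrelated site, one lookalike host, one subdomain upload, one junk line.
SAMPLE_LOG = """\
2014-01-03T09:12:01Z 10.0.0.12 POST http://watson.microsoft.com/StageOne/explorer_exe/6_1_7601/report 200 2310
2014-01-03T09:12:04Z 10.0.0.12 POST http://watson.microsoft.com/dw/StageTwo 200 48211
2014-01-03T09:13:10Z 10.0.0.15 GET https://watson.microsoft.com/StageOne/usb/device 200 512
2014-01-03T09:14:00Z 10.0.0.20 GET http://www.example.com/index.html 200 1024
2014-01-03T09:15:30Z 10.0.0.31 POST http://notwatson.microsoft.com/upload 200 700
2014-01-03T09:16:45Z 10.0.0.31 POST http://dw.watson.microsoft.com:80/StageTwo 200 9001
malformed line that the parser skips
"""

if __name__ == "__main__":
    hits = find_cleartext_wer(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.ts} {f.client} -> {f.host}{f.path} ({f.bytes_sent} bytes, cleartext)")
    print("per-client cleartext WER bytes:", clients_by_volume(hits))
```

Run against the sample, it reports three cleartext submissions (two from 10.0.0.12, one from 10.0.0.31 via a subdomain) and nothing for the TLS upload or the lookalike host. Once the chatty clients are known, the remedy sits on the endpoint rather than in the proxy: the Windows Error Reporting Group Policy can disable reporting outright or stop the additional-data stage, which is where most of the machine fingerprint described above is carried.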

Breach Diary

  • Dec. 29. Spanish police arrest eight people they say helped a global ring that pilfered millions of dollars from two banks through ATM withdrawals. Taken into custody were six Romanians and two Moroccans who allegedly made 446 fraudulent withdrawals in Spain totaling US$392,000 in 2013 and $93,697 in 2012.
  • Dec. 30. German news magazine Der Spiegel reports NSA was targeting Apple iPhones in 2008 with a project called “DROPOUTJEEP.” When planted on an iPhone, the NSA malware would take almost total control of the smartphone, including retrieving text messages and voicemail and remotely turning on its microphone and camera.
  • Dec. 30. Barry University in Florida announces it has begun notifying an unspecified number of patients of its Foot and Ankle Institute that their records may have been compromised by a school laptop infected by malware in May 2013.
  • Dec. 31. “Lightcontact” publishes to the Web a database containing some 4.6 million user names and phone numbers snatched from mobile photo-sharing service Snapchat.
  • Jan. 1. Skype posts tweet saying its social media properties were targeted by the Syrian Electronic Army, a pro-Syrian government hacker group, but that no user information was compromised.
  • Jan. 2. Riverside Regional Medical Center reveals 919 patients had their medical records inappropriately accessed by an employee who had been with the provider for 13 years. Affected patients have been offered one year of credit monitoring services for free.
  • Jan. 2. Beasley, Allen, Crow, Methvin, Portis & Miles of Montgomery, Ala., files class action against Target for November data breach that compromised payment card information of some 40 million customers. Lawsuit seeks compensation for financial losses from defrauded deposits of financial institution members and customers and costs associated with closing accounts, reissuing new checks, debit cards and credit cards as a result of the breach.
  • Jan. 2. Piper Jaffray & Co forecasts year-over-year holiday sales for Target stores will rise 1.5 percent despite data breach during the period affecting 40 million of its customers.
  • Jan. 2. Snapchat announces it will be releasing new version of its app that allows users to opt out of its Find Friends feature. That feature earlier in the week was exploited by hackers to compromise some 4.6 million accounts on the photo-sharing service.
  • Jan. 2. American Civil Liberties Union files notice that it will appeal decision of federal appeals court that dismissed its case challenging the NSA’s authority to collect the phone records of U.S. citizens in bulk.
  • Jan. 3. OpenSSL Project confirms weak passwords, not a hypervisor exploit, enabled hackers to deface its website on Dec. 29.

Upcoming Security Events

  • Jan. 19-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Oct. 21-Dec. 1, $575; After Dec. 1, $725.
  • Jan. 27-29. CyberTech 2014. The Israel Trade Fairs & Convention Center, Tel Aviv. Registration: Until Jan. 1, $350; Jan. 2-26, $450; on-site, $550.
  • Feb. 6, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Feb. 9-13. Kaspersky Security Analyst Summit. Hard Rock Hotel and Casino Punta Cana, Dominican Republic.
  • Feb. 17-20, 2014. 30th General Meeting of Messaging, Malware and Mobile Anti-Abuse Working Group. Westin Market Street, San Francisco. Members only.
  • Feb. 25, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • March 20-21, 2014. Suits and Spooks Singapore. Mandarin Oriental, 5 Raffles Ave., Marina Square, Singapore, and ITU-IMPACT Headquarters and Global Response Center, Cyberjaya, Malaysia. Registration: Singapore and Malaysia, by Jan. 19, $415; after Jan. 19, $575. Singapore only, by Jan. 19, $275; after Jan. 19, $395.
  • March 25, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • March 25-28, 2014. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
  • April 8, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • April 11-12, 2014. Women in Cybersecurity Conference. Nashville, Tenn.
  • April 29, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • May 20, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 3, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 24, 2014. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

1 Comment

  • Americans Right to Privacy DOES NOT collect your personal information. Did you know that Google, Yahoo, Hotmail, AOL and other service providers are scanning, analyzing and categorizing your emails every day? As a result, these numerous providers are pleased to give you a "free" email service because they generate large revenues for themselves through the selling of your personal information to third parties!

    Our email service is 100% privacy guaranteed. Privacy is not only a human right but also required to survive in a competitive business environment. We are very serious about protecting your electronic communications and due to the strict restrictions of the U.S. Patriot Act for law abiding citizens, we cannot align ourselves with servers located in the United States. Therefore, our servers are located in Switzerland where strong data privacy laws do not abide by the U.S. Patriot Act.
