I was never too comfortable having my credit card information stored by small and medium businesses.
Here is why: I thought to myself, what kind of information security measures and procedures would a small flower shop take to protect my information? Where are they storing my credit card info? How long do they store it for? Yes there is PIPEDA here in Ontario, but what if they are out of the country or in another province. How do I know they follow the guidelines? I don’t see anything on the website. These are questions I would probably never get the answers to – but I need to order flowers right?
A flower shop’s specialty is flowers, not IT right? The McAfee and GeoTrust badges they show on their website aren’t any comfort to me either. Reason being is it doesn’t speak to the human equation when it comes to information security. An employee can easily copy my number down over the phone or an employee could unwittingly download a piece of malware and their computer could become a mecca for credit card info to whomever controls that piece of malware.
Another situation I wasn’t too comfortable with was when I realized a popular bike rental service here in Toronto was storing my credit card info – I was allowed to log in to their website and edit my information. I can’t leave it blank, but luckily I could fill in random numbers.
In the case where you can’t fill in random numbers and are forced to enter a valid credit card, I recommend getting one of those pay per use credit cards and charge it up with $5. This way, if the online retailer were to be compromised, your credit can’t be affected because the hackers would have the wrong info and a credit card that’s not really tied to your name.
Small and medium businesses are low hanging fruit for anyone in a criminal enterprise. The majority of small and medium businesses don’t have to worry about state sponsored attacks because they have nothing to gain from them, unless its a small boutique shop offering designs in nuclear reactors. Small and medium businesses would have access to credit card and bank account information, which is what would attract many criminal enterprises.
I just read about the ‘Apple Battery Hack‘ where by specially crafted code could brick an Apple laptop battery.
Luckily the author who discovered the hack provided Apple with the information so they can fix it. Hopefully soon.
Imagine if hackers created a virus that took advantage of the bug and infected your laptop, threatened you to pay a ransom or else they render your laptop inoperable? You are probably saying to yourself, ‘Apple doesn’t get viruses’, which is completely false. Just look at what happened with ‘Mac Defender‘. Websites were created in order to trick people to download and install the software, because the software looked legitimate. Lo and behold it was a virus. Hats off to those of you who can’t be tricked, but there were many who were duped.
As of July 28, 2011 an Apple laptop batteries costs $129 USD. How many times are you willing to replace the battery before you give in to the hackers demands?
I’m not saying it’s the end of the world either and freak out. Nothing can be done until Apple releases a fix. Until then, you need to stay vigilant and be aware of what you install on your computer. Someone else would have to discover how the vulnerability works and then create a conceivable way of delivering it and infecting a user with it. By then, Apple will have likely released a fix for it. It’s up to you apply the fix.
The moral of the story is, keep your operating system software up to date. Be it MAC or Windows. As the article pointed out other laptops weren’t tested, and they could conceivably be affected by the same type of issue.
A securityphile reader recently submitted a question regarding LinkedIn and I thought I would share it with the rest of the readers:
“I’d created a Linkedin profile a year ago, but now I feel that the information on that site is just *too* much. Do you agree? I’m in the process of deleting every detail that I wrote about myself on that site… and just wanted to know your thoughts on the uses/potential for misuses of that site.”
Our anonymous reader agreed to let me post the question and response so that other readers can benefit from she learned.
My recommendation is to limit the amount of information you place on LinkedIn. By default, LinkedIn makes your profile available to search engines like Google, Bing, Yahoo. You can turn this feature off.
I would only enter the name of your employer and your position, nothing more into LinkedIn. No details about accomplishments, projects etc (you could be breaking confidentiality clauses you might not be aware of either you or your employer are liable for).
The more information you provide, the easier it is someone can build a profile of you. Since it’s the Internet, you have no control who can view your information. It’s easy to create a fake profile on any social networking site, people can use that fake profile to monitor you.
If someone is legitimately interested in contacting you regarding your experience, they can contact you further (make that known on LinkedIn).
Potential misuses could lead to identity theft, fraud or plain theft.
Depending on your employer and your position, you could be targeted by hackers (who may be employed by hostile governments etc.) who try to make you install software on your computer at work. If someone can see who you use to work with in the past, they could potentially pose as that person therefore gaining your trust.
It’s all about risk and the likelihood that that situation happens. If you are an administrative assistant to a high level executive in the auto industry or Canadian government, you could be a target. Those industries contain secrets and intellectual property that other countries may find very valuable. If you were the financial controller of a small business, you might be targeted because you have online access to your business’s bank accounts. If you are a receptionist at a high school, its unlikely a hostile government would try to hack you, but maybe one of the students might target you.
Threats to personal safety
If you have run away from an abusive husband and he has hired a private investigator to find you, one of the places he might look is LinkedIn. LinkedIn gives away information about location and name of employer. Your information may be unnecessarily exposed.
If someone was trying to steal your identity, they could call up one of your previous employers and pretend to be a new employer doing a background reference check. Depending on the person that is asked, they may unknowingly give up personal information about you. While you might not share such information, you can’t vouch for what another would do in the situation.
My guest post about “Sharing Too Much Online” is up on With Love… I was honoured that Marta asked me to write this piece for her readers. I thought it was a great opportunity to cross over into the world of fashion blogs and hopefully share my knowledge about online safety with the fashion community. I was glad to see from the comments, quite a few people enjoyed the article and found the information valuable.
If you are interested in having me write a guest post for your blog, please don’t hesitate to let me know.
WordPress.com was hacked, it was announced yesterday. They are still conducting an investigation as to the extent of the hack and what data may have been compromised.
They recommend some preliminary measures to take like changing passwords, don’t re-use passwords on different sites and use a password manager.
All of which are good, necessary measures to protect yourself.
This is what I recommend you should do to protect yourself:
1. Change your username and/or email address in addition to changing your password
2. Generate new API keys for Webmaster Tools if you use them.
3. Check your settings to see if there is data you don’t recognize (like links to malicious ads)
4. Be aware of suspicious emails or SMS sent to you in the next few months, especially those asking you to reset passwords. Your phone numbers and e-mail addresses may have been exposed, .
5. If you use the hosted version of WordPress and you use the Jetpack feature you should reset your password as it requires you to create an account on WordPress.com
WordPress.com has calmed a lot of customers down by being transparent about the initial incident in their blog post. Hopefully they continue their communication after they’ve conducted their investigation.
Take note that having on a blog on WordPress.com is different than having your WordPress blog hosted on Go Daddy, Dream Host, Media Temple etc. etc. Read more about the differences between WordPress.com and WordPress.org.
I would check back on the WordPress.com blog and look for any updates.
The comment section also provides good insight as to the customer sentiment and additional details provided by WordPress.
It’s happened to many of us: Our computer no longer functions and it’s beyond our ability to fix it. But we won’t know what needs to be fixed until a computer repair technician takes a look at it.
Before you bring your computer into a repair shop, you need to be aware of the risks to your data stored on your computer:
When you are granting someone access to repair your computer, you are granting them full access to the information that’s stored on it. That means access to passwords, email, pictures, financial records and whatever else you save on your computer that you consider to be private and confidential.
This isn’t a theoretical case of a ‘what if situation’. This happens more often than we realize. A lawsuit was filed against Geek Squad claiming employees comb through personal files and sometimes COPY lewd or other content over to their own personal hard drives. Then there is the case of a Hong Kong movie star who brought in his computer for repair, only to have pictures of him and other Hong Kong actresses leaked to the Internet.
In order for any of this to be effective, you need to be doing items 2 to 5 before a problem with your computer arises.
Here are 5 things you can do to protect your privacy or at least be aware of before you send in your computer to repair:
- What is the policy if your confidential information is exposed as a result of brining the computer
- Will the store take all the necessary steps to make sure your privacy is maintained
2. Remove all of your private information off your computer before bringing it in for repair.
- This includes financial statements, receipts, browser settings, cached passwords, email, pictures, etc.
3. Store your private information on an external drive instead of the main hard drive.
4. Back up your data frequently.
- Always remember to frequently back up your data. If you have to bring your computer in for repair and you haven’t backed up your information, it might be too late.
5. Use encryption software to protect your personal information.
- Encryption software exists that allows you to encrypt portions of your hard drive to prevent unauthorized access to your personal information.
If you can’t trust the computer repair shop, then I recommend this as a final alternative:
Remove your hard drive before bringing it in for repair.
If your problem is not software related you should remove your hard drive. Computer repair shops should have spare hard drives in stock to test with. If your computer won’t turn on, it’s likely the problem isn’t related to the hard drive anyways.
About a month ago, I was contacted by Marta who runs the fabulous fashion blog ‘With Love‘, and she asked me to do a blog post for her about online safety and women. I thought it was a great topic and readily agreed. I have my own blog called ‘Securityphile‘ where I talk about everything and anything related to online privacy, safety and identity.
When it comes to online safety, the most important thing to remember is protecting your personal information. Without any information available about you online, your safety is pretty much guaranteed right? Unfortunately that isn’t a reasonable solution. It’s a rather extreme and narrow view of trying to stay safe, especially in 2011. What needs to happen is there needs to be balance. Today, a lot of our daily activities revolve around the Internet, and it has become the norm. Friends, family, co-workers are all sharing photos, shopping for clothes, listening to music, paying bills, handing in school assignments, talking to friends, etc. etc. – all on the Internet. In order to do any of that, we are required to give up information about ourselves in order to use the services. Typically an email address and a password are required so you can identify yourself. If you are shopping, credit card information and an address are also required so that you can pay for and receive your purchases. That is it. Any other information requested is usually optional.
However, things start to get complicated when you start using sites like Facebook, Twitter , Foursquare, Youtube, or any other social networking related sites. In order to get any reasonable use out of them, you need to participate, but instead of paying for a product or service, you engage and socially interact with others. You end up providing content (which is really just personal information about yourself), and it usually comes in the form of text, images, video or location, all of it delivered to a combination of friends, family, co-workers, acquaintances or strangers. Your friends and family may get to know you better, but so do strangers and acquaintances. Is that something you are comfortable with? If you aren’t comfortable, one way you can control this is by enabling the privacy settings, this way, you know who and who isn’t seeing what you post. In Facebook, the settings are quite granular, but for Twitter, its an all or nothing privacy setting. The feature ‘block this person’ is helpful too! Whatever you use, I highly recommend using privacy settings to control who can see your personal information.
The deal is, the more information you give up, the more people get to know you. This can be a good and bad thing. While it can be good for family and friends, it’s usually a bad idea when it comes to strangers and acquaintances. Then again, I bet there are certain friends or family members that you wouldn’t want to share everything with either am I correct? Strangers will know what you look like, but you don’t know what they look like. You don’t know what their intentions are and you have no way of judging their character. You dont know if they’ve been previously convicted of a crime or are mentally unstable. I would say for the most part, people are generally nice, which is why we tend to let our guard down and trust people. But it also makes it quite difficult to pick out the scary people. It’s tough to judge people sometimes, and people change too. The trick is to find a balance where you can share enough information that lets you participate effectively, yet you don’t end up giving up too much that people can figure out what your daily routine is.
I came up with a list of things to avoid when engaging in an online public discussion:
- Your age
- Your birth year
- Marital status
- Where you work/go to school
- People you live with or if you live alone
- Expensive items like cameras or computer equipment, jewelry
- Your location, past, present and future (including vacations)
- Your home address and the area you live in
- Your main method of transportation (car or public transit)
- Names of Family members and their relation to you
While the individual pieces of information above may mean nothing on their own, when you combine them with other pieces of information taken from Twitter, Facebook or Foursquare, it can give anyone a deeper insight about yourself, knowledge that you normally might not divulge. When sharing information online, I recommend being vague when it comes to personal information. If you want to share personal info with people, use a non-public channel like email or instant messaging. This way, you control who you are sharing it with.
Its not just your physical safety that you have to worry about. You need to protect your identity online as well. If someone gains access to your personal accounts like email, Facebook or online banking account, they may blackmail you, steal financial information from you or from your place of work. They may choose to take over your accounts and impersonate you. I’ve seen it happen to many friends on Twitter and Facebook. Have you?
How to Protect Yourself
Test yourself by checking your Gmail or Facebook to see if your account has been accessed by someone else. I have seen friends on Twitter talk about how they discover their Facebook accounts are being accessed – from a different state or province. Checking Gmail and Facebook can tell you if your safety/identity has already been compromised. If it has change your password immediately! If you have your own domain name, make sure you have chosen the privacy option for your WHOIS record. Doing a WHOIS look up will tell you if you are unnecessarily exposing your home address, when you should be keeping it private.
More Important steps you should take to protect yourself online:
- Always use a different password for different accounts
- Change all of your passwords. Every 4 months
- Back up your data, documents, pictures, music on your computer and smart phone
- When using public, free wifi connections, use it only to browse for public information. Dont use it to check email, access Facebook, online banking,
- Same goes for public computers that are shared, you dont know what previous users have done to the computer
- Answers to secret questions shouldn’t be information you can figure out from Facebook or Twitter. This was how Sarah Palin’s email got hacked. (Its not a good idea to use the secret question ‘what is your mothers maiden name‘ when she is a friend on Facebook.)
- Google yourself and create alerts whenever your name appears online
- Keep your operating system updated, even if its MAC OS X
- Use anti virus
I also spoke to some female friends to get their perspectives about online security and to understand how they protect themselves. All of them have a presence online, typically its a combination of a blog, Facebook, Twitter, Youtube etc. etc., all of which they incorporate into their regular, daily lives. I was quite surprised to hear they haven’t had any major issues with being harassed, stalked or had their identities stolen. When I delved further into the issue, it turns out everyone already practiced some form of safety routine. I was quite impressed by their knowledge and the various methods they used to protect their privacy. They use updated anti virus, update their operating systems on a regular basis, change their passwords or keep them in a safe location. Almost everyone I spoke to have set up separate email addresses, one for strangers and acquaintances and the other is for family and friends. Most importantly, they censor themselves and are careful about the content they post online. I am proud of my friends!
At the end of the day, it’s really up to you to decide what to share and what not to share and to whom. Its the type of information and the amount that you share online that affects your safety. Always think about what you are about to say online, you might forget what you said 2 years ago, but the Internet won’t. Always keep in mind that the information you post online can be interpreted differently by different people. Being online can make you closer to friends and family and when used properly, it can keep strangers and acquaintances at an arms length.
I recently saw a post on Twitter where someone extolled their love for the password manager software they use. They also mentioned the information that was stored in it, the type of information that is the secret sauce to a person’s identity: user names, passwords and banking information.
While I think the use of password management software isn’t entirely a bad idea (as long as you have other defenses in place), I do believe it’s a bad idea announcing WHAT YOU USE to store the recipe for your secret sauce, particularly when it’s on a social networking website, for everyone to see. That’s akin to announcing to the whole world the name and model number of the safe I use at home, what’s stored inside and where it is. But I’m still using a safe, so I’m secure right? No!
Posting critical information like that to a social networking website will make you a likelier target for hackers. It will be easy for them to build a profile of people based on their blog, Twitter and Facebook accounts, then plan a social engineering attack. The attack may come in the form of gaining your trust, then sending you a malicious file for you to execute. A general search of 1Password or Keepass on Twitter, will show you lots of users who are using the software.
While the secret sauce maybe encrypted, if a computer is infected with a trojan horse that has key logging features, the encryption no longer protects you and it becomes a moot point. If you don’t keep your operating system up to date, use anti-virus and a firewall that just makes you even more susceptible to your secret sauce being revealed.
The other question to ask yourself is, where do you store this information? Is that encrypted file on a laptop or desktop? What if the laptop is lost or stolen? Hopefully there is a back up. And a back up of that back up.
Rule of thumb: The more information you reveal about your computer’s defenses, the more vulnerable you become.
What concerns me, is how easily this lack of knowledge is spread via Twitter, and it will give people who aren’t as technically savvy, the wrong idea. I can guarante a lot of people will try out the password manager but forget to do everything else, like update their browser, anti-virus, operating system and install a firewall. If that’s the case, they will have all their eggs in one basket, and be ripe for the picking.
I’m not really big a fan of Facebook. The public display of their eroding privacy policies have left me with a bad taste that only enforces my general mistrust of corporations.
Since many people either don’t feel that way or are just completely unaware of what is happening with Facebook, I still feel the need to discuss security or privacy issues that affect it.
Within Facebook, there is a new option for you to enable ‘Account Security’. I recommend that you enable it immediately if you use Facebook. The feature allows you to be notified when your account is accessed from a computer that has not been registered. While its not a bulletproof measure, its a step in the right direction.
You will need to log in and log out of Facebook after you enable the feature so that you can register your device, be it smart phone, laptop, etc. When you access ‘Account Security’ you will see a list of registered computers.
It’s likely this feature came about after a Facebook board member fell victim to a phishing attempt.
Take note that, if your email account uses the same password as your Facebook account, then the hacker accessing your account can delete the email out of your inbox before it gets to you. Another good reason to use different passwords.