Just about every kind of healthcare-related entity—hospitals, rehab centers, pharma companies, insurance carriers and more—has been and continues to be compromised by cyber criminals.
This isn’t just a leak of patients’ personal health information; the institutions’ billing systems and intellectual property also end up in the hands of crooks.
Once the hackers are in, they’re in a position to launch more attacks on other networks and commit billions of dollars worth of fraudulent transactions.
Here are some bitter pills to swallow:
- Compromised devices include radiology imaging software, Web cameras, firewalls and mail servers.
- Quite a few compromises occur due to simple issues like failing to change default credentials on firewalls.
- Tens of thousands of malicious events can occur within a healthcare IT environment during the time that intelligence is gathered.
- Not only can cyber criminals get ahold of patient addresses, SSNs and medical condition data, but they can manipulate medical equipment.
- Healthcare providers accounted for 72 percent of malicious traffic according to the SANS-Norse Healthcare Cyberthreat Report. In addition, healthcare business associates: 9.0 percent; health plans: 6.1 percent; pharmaceutical: 2.9 percent; healthcare clearinghouses: 0.5 percent; miscellaneous healthcare related entities: 8.5 percent.
This all means that patients bear a heavy financial burden, because healthcare costs rise in response. For instance, the cost related to compromised medical insurance records and files in 2013 was $12 billion. That cost trickles down to patients.
Many healthcare related organizations cannot adequately protect sensitive data; the cyber attacks are like a relentless virus, overtaking its host.
Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.
Filed Under: health records data
How does a funeral scam work in the first place? This is something that I, as a security analyst, teach to the consumer public. First of all, the fake funeral scam starts off with an e-mail. The fraudulent e-mails come disguised as a notification for a funeral.
The subject line of an e-mail will say “funeral notification.” The message can be from anywhere, though it’s made to look like it’s from a Texas funeral home. You’re invited to a “celebration of our friends’ life service.” It’s a real-looking e-mail. It even uses the funeral home’s actual logo.
Of course, typical of scam e-mails, you’re urged to click a link inside the message, to view “more detailed information” about the ceremony. But clicking on the link will take you to a foreign domain, where malware awaits – to be downloaded to your computer. The crooks will then have access to your personal data.
How to Avoid the Funeral and Other E-mail Scams
- Just because a real business’s logo appears in an e-mail message doesn’t mean that the message is authentic and not fraudulent. A scammer can even make the sender’s address appear authentic.
- Before clicking on a link inside a message (and you shouldn’t, anyways), hover over the link to see what the source is.
- But why hover when you’re smart enough NEVER to click on a link inside an e-mail message in the first place?
- A message from a company that has poor spelling and grammar is highly suspicious.
- Messages calling for immediate action are usually scams.
- Don’t click pop-ups that seem to originate from your computer, even if they warn your computer has been infected.
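As an added illustration of the “hover over the link to see what the source is” advice above (this is example code, not code from the original post), here is a small Python checker that pulls every link out of an HTML e-mail body and reports links whose real target is not under the domain the message claims to come from, or whose visible text shows one domain while the link actually goes to another. The sample message and every domain in it are constructed for the example and use reserved example/invalid names; they are not real senders or sites.

```python
"""Flag links in an HTML e-mail whose real destination does not match what the message claims."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# Something that looks like a host name inside the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def _under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    domain = (domain or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body, claimed_domain):
    """Return [(text, href, [reasons])] for links that merit a closer look.

    Check 1: the real target host must be under claimed_domain (the
    organisation the e-mail says it is from).  Check 2: if the visible text
    itself displays a domain, it must be the domain the link really goes to.
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        host = urlsplit(href).hostname
        reasons = []
        if not _under(host, claimed_domain):
            reasons.append(f"target host {host!r} is not under {claimed_domain!r}")
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and not (_under(host, shown.group(1)) or _under(shown.group(1), host)):
            reasons.append(f"text shows {shown.group(1)!r} but link goes to {host!r}")
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample message modelled on the funeral-notification lure.
# All names are reserved example/invalid domains, not real senders or sites.
SAMPLE_EMAIL = """
<html><body>
<img src="https://www.funeralhome.example/logo.png" alt="logo">
<p>You are invited to a celebration of our friend's life service.</p>
<p><a href="http://cdn-notices.invalid/notice.exe">Click here for more detailed information</a></p>
<p><a href="https://www.funeralhome.example/directions">Directions to the service</a></p>
<p>Or visit <a href="http://cdn-notices.invalid/">www.funeralhome.example</a></p>
</body></html>
"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL, "funeralhome.example"):
        print(f"SUSPICIOUS: '{text}' -> {href}")
        for reason in reasons:
            print(f"    {reason}")
```

Run against the sample, the “more detailed information” link is flagged because it leaves the claimed domain, and the last link is flagged twice: once for the foreign host and once because its visible text spells out the funeral home’s domain while the href points elsewhere. A link that really stays on the claimed domain produces no finding. The claimed domain is whatever the message purports to be from; the check is only as good as that assumption, which is why the advice above still ends with “don’t click.”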
You now know how to stay ahead of crooks trying to rip you off with the funeral scam e-mail.
Filed Under: scams
You may think you’ve guarded your company, but are your social media outlets unprotected? Look at these 15 potential weaknesses in your defense.
Well, I can top that, because there are at least 15 social network mishaps that can haunt a business owner. Here’s a closer look at 15 types of trouble you can encounter on Facebook, Twitter and other popular social media platforms. Once you’re aware of all these potential dangers, you should take the necessary steps to prevent them from damaging your company.
1. Posting about illegal or questionable activities. Can you think of an illegal activity your employees might engage in that could get your company into trouble if they posted it on Facebook? How about underage drinking? If you employ teens under the age of 18 and any of them posted a photo of themselves drinking at your place of business, you could be in trouble with the law. And even if all your employees are adults, they can still post something unflattering (though not illegal) that could smear your reputation.
2. Account hijacking. Remember when the Dow dropped 150 points last April after someone hacked the Associated Press’ Twitter account and sent out a tweet that fraudulently claimed the White House had been attacked and President Obama had been injured? Don’t shrug it off—account hijacking can happen closer to home. Fraudsters may send your employees Twitter messages on their workplace computers that are designed to fool the recipients into thinking they’re receiving authentic messages when, in fact, the fraudster’s motive is to get money or sensitive data.
3. Bullying on Facebook. Bullying doesn’t just happen among kids; workplace bullying also exists, and what better place than on social media? Sometimes employees who manage a company’s social media get frustrated with the public’s comments and fight back with below-the-belt comments.
4. Online reputation management. Make sure you and your employees never post anything on Facebook that you wouldn’t show your grandmother or wouldn’t want going viral and damaging your brand.
5. Social media identity theft. Ever considered the possibility that someone could take your business’s name and use it for nefarious purposes? Someone could crack your password, take over an account and cause a trail of destruction. Or they could create a new account using your business’s name and post all sorts of alarming, but false, things about your company. Make sure your business name is protected by constantly navigating the Web, seeking out spoofed sites and your likeness or logo.
6. Financial identity theft. Does your company’s Facebook page include personal information about employees, such as the names of their pets or children? What about their birthdays? Hackers can take this information and use it to crack passwords to online business accounts. Be sure to use privacy settings, and make sure your company’s Facebook page isn’t full of personal details.
7. Burglaries. Never post information about vacation or travel dates on your social pages. Do you want the whole world (which includes crafty burglars) to know when you’ll be away?
8. Geo-stalking. Don’t use location-based GPS technology unless you absolutely need to (for instance, if you and your employees are on a “team building” trek in the wilderness and get lost). While search-and-rescue teams need to find you, stalkers who want your identity do not.
9. Corporate spying. Yes, it’s possible: A crook could pose as one of your employees, set up a Facebook group and invite all your employees to join. This enables the bad guy to gather sensitive data from your business and use it against you.
10. Harassment. Someone who’s disgruntled could stalk your brand and make false accusations. They could set up blogs and social sites, post videos and continually tweet their angry thoughts.
11. Government spying. It’s 10 p.m.: Do you know who it is you just friended on your Facebook page? The Associated Press says, “U.S. law enforcement agents are following the rest of the Internet world into popular social networking services, going undercover with false online profiles to communicate with suspects. Just don’t be a ‘suspect.’”
12. Sex offenders. Sex offenders have been known to pose as someone other than themselves—younger, a different sex, etc.—so they can gain the trust of their victims. You might connect with them online as a business only to discover down the road that they’re a predator.
13. Scams. A bad guy could set up a phony Facebook page and then create phony contests to slurp sensitive customer data such as names, addresses, emails, phones, account numbers and credit card numbers.
14. Legal liabilities. Privacy settings on Facebook can hide posts, but that doesn’t matter to a judge in New York who recently ruled that items posted on Facebook (as well as other social networking sites) can be used as evidence in court—even if the posts were concealed by the privacy settings.
15. Zero privacy. And speaking of privacy, don’t assume you actually have any, because thieves have already figured out how to yank data from the innards of Facebook that’s supposedly just for you and your closest colleagues to see. So be very careful what you put up on Facebook, privacy settings or not.
Robert Siciliano is the author of four books, including The 99 Things You Wish You Knew Before Your Identity Was Stolen. He is also a corporate media consultant and speaker on personal security and identity theft. Find out more at www.RobertSiciliano.com.
Filed Under: social media privacy
Data brokers have lots of personal information about you; here’s what you can do about that.
The entity that gets the data, the broker, is called a consumer data company. They snatch huge amounts of data from individuals all over the planet and sell it. And who wants your personal information? Your information is of significant value to marketers, companies doing background checks and in some cases, your government.
They want to know what you like to buy, what you’re most likely to buy, if you want to lose weight, build muscle, what kind of cars you like, where you vacation, what you eat, where you shop for clothes, what kind of disease you have, whether or not you’ve been assaulted or if you have committed a crime…all so they can get a solid picture of who you are.
You now know about data brokers: a whole new industry that reflects our evolving technology. Lawmakers have taken notice of this flourishing industry, trying to get companies to give some control to consumers over what becomes of their data.
At least one data broker makes it possible for you to see how much data is out there about you and to possibly edit and update it. But that’s not enough.
Just how much do data broker companies even know about people?
They build you up from the inside out, starting with skeletal information (name, address, age, race) and padding the meat on from there: education level, medical conditions, income, life events (buying a home, getting divorced), driving record, lawsuits against you, credit scores and more. One credit reporting agency even sells lists of the names of people expecting babies and who has newborns. They even sell lists of people who make charitable donations and read romance novels. Data brokers can even get ahold of your income information.
This doesn’t mean that any one data broker knows everything about you. It’s just that a heck of a lot of personal information about you is potentially scattered all over the place. Data brokering is legal: a multi-billion dollar industry involving trillions of transactions every day. But this doesn’t mean the consumer is without rights or power. You can, indeed, do some reclaiming of your name from the data brokering industry.
How do you get control and manage your name?
- Sit and wait: As mentioned, lawmakers are putting the heat on data companies to make it possible for consumers to have some control over all of this. The FTC recommended in a 2012 report that the data mining industry establish a website that reveals names of U.S. data brokers plus other relevant information.
- Go to StopDatamine.me: Data brokers have not responded, so someone else did: a site that tells consumers who the data brokers are and their opt-out links.
- Browse “Incognito”: With Google’s Chrome browser you can open a “New Incognito Window”; once it’s open, you’ve gone incognito. Pages you view in incognito tabs won’t stick around in your browser’s history, cookie store, or search history after you’ve closed all of your incognito tabs. Any files you download or bookmarks you create will be kept.
- However, you aren’t invisible. Going incognito doesn’t hide your browsing from your employer, your internet service provider, or the websites you visit.
- Use a VPN: For the ultimate in masking your webcrumbs, use Hotspot Shield VPN, which acts as a proxy, covers up your IP address and protects your devices and data from Wi-Fi hackers at the same time.
- Plugins: The Chrome and Firefox browsers offer a plethora of add-ons to mask your browser. DoNotTrackMe is a good one.
- Behave: Yes, just be good, don’t commit any crimes, because you can’t erase bad behavior from government records.
Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.
Filed Under: Data Security
Police in San Jose, California believe that viewing home security footage will help them solve crimes. The proposal for homeowners to voluntarily register their security cameras for a new police department database is the creation of councilman Sam Liccardo. The idea is to view the footage promptly after a crime.
Liccardo revealed the proposal following a rash of arsons. Property owners willingly gave their home security videos to the police to help identify the arsonist, who has burned down a dozen buildings.
The new database would be managed by pre-existing city technology employees, making the cost nominal.
Homeowners would simply sign up for the database. Police could then remotely gain access into the cameras’ feeds. However, older models would need to be turned in for their tapes.
The issue of privacy concerns has been raised, even though the plan would be based on voluntary actions—which actually doesn’t make sense, since nobody would be forced or even pressured to give up their home footage.
Retired judge LaDoris Cordell says that the database plan is simply an extension of the evolution of surveillance technology, rather than an intrusion of privacy, a way for residents to be abreast of the happenings in their neighborhood.
San Jose wouldn’t be the first to launch such an initiative. Nearly 600 businesses and residents in Philadelphia have signed up with a similar program, which has led to 200 arrests based on video footage.
Liccardo will be facing a “Big Brother” obstacle as he attempts to get his plan approved, but says that the police will not be sitting around watching live feeds for kicks.
There have been no adverse responses to a similar program with the Los Gatos/Monte Sereno police department, in which 30 property owners have signed up.
Filed Under: home security
Finally, retailers and banks have agreed to work together to fight data breach incidents, foregoing the finger-pointing of who’s responsible for prevention and recovery.
This means both entities will work to improve technology that will protect consumers. Historically, the squabbling consisted of retailers accusing banks of being lethargic at adopting updated, more secure debit card technology; and banks insisting that retailers soak up more of the costs for card replacement following breaches.
However, despite the move forward of joining forces, banks and retailers will surely continue having differences. For example, the cost of getting replacement cards is “not something that the two industries are likely to agree upon,” said Tim Pawlenty to Reuters; he’s chief executive of the Financial Services Roundtable.
So how did both parties decide to join forces? Pawlenty was contacted by Sandy Kennedy, the head of the retail leaders group.
This partnership will develop improved communication so that retailers can have a formal program regarding cyber threats. “We both viewed this as an opportunity to collaborate rather than to wage a public battle,” says Brian Dodge of the retail leaders group.
In addition to card related breaches, the partnership will focus also on smartphone security. Use of mobiles to make payments has stunted progress between retailers and banks.
In fact, MasterCard Inc. and Visa Inc. have named a 2015 deadline to implement “chip and PIN” cards to replace the magnetic stripe cards that are so vulnerable to hacking.
Unfortunately, this switch is pricey, and both retailers and banks are not willing to be the first to take that dive off the high board. Especially since more and more people are using mobiles to make payments.
However, security for mobile users could reinforce the retail-bank partnership, says David Robertson, publisher of The Nilson Report. “We need to make sure that mobile becomes a secure way of doing business,” he says.
Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.
Filed Under: Financial
This week (April 15) marks one year since the rampage in Boston.
This Monday April 21st I am running my 3rd Boston Marathon with 38,000 other people and I’m doing it in the spirit of Gratitude and Grace for Boston Children’s Hospital charity.
Many of you have already very generously donated which makes you fabulous!! Last year we raised almost 9k for sick kids. In 3 years we have raised over 20k and I’m hoping with this post we can get to 25K, so please…donate!
DONATE HERE http://ow.ly/rCSvD
FOLLOW THE RACE:
For those interested in following my race progress you can get text/email messages sent automatically regarding my progress. Go to http://www.baa.org/races/boston-marathon/participant-information/att-athlete-alert.aspx and learn how to sign up for alerts. You will need to enter my Bib# below.
My Bib# 32732
Be forewarned, I’ve had a tough training season with multiple painful physical therapy appointments and many cortisone shots. This will be a slow run/walk race to get to the finish line safely. Expect a 5.5 hr journey.
Last year I got stopped at the 26 mile mark within yards of the bombings. My wife and kids were at the finish line, saw more than they should, while waiting for me. My experience wasn’t as harrowing as others, but it wasn’t a good one either. I spent that evening and the next 3 weeks doing media, communicating my perspective of the event. Click or copy/paste my account here: http://robertsiciliano.com/blog/2013/04/19/2013-boston-marathon-my-best-worst-day-ever/
GRATITUDE AND GRACE:
Gratitude and Grace: “The greatest gifts are those that can never be reciprocated, like the gift of health that the doctor makes to a poor patient, demanding nothing in return, or like the gift of life and nurture that a mother makes to her child, or like the gift of his own life that a soldier makes when he dies in battle for his country.
Philosopher Roger Scruton in The American Spectator defined Gratitude and Grace. One sentence in particular “Everyone who has suffered some major calamity, be it illness, loss, or some sudden reversal of fortune, feels, on pulling through, a great surge of gratitude.” means a lot this year.
When I give something I am present in the gift: it comes from me and is a symbol and an out-growth of the free self that is the moral heart of me. The gift comes wrapped in affection, an out-going of me to you that is created by the very act of giving. Even if the gift belongs to a context of ritual and reciprocity, it is something more than a bargain or a contractual exchange. It is I, going out to you.
The proper response to a gift, even a gift of charity, is gratitude. People who feel gratitude also wish to express it. The easiest way is to give in one’s turn. By giving you pass on and amplify the goodwill that you received.”
American Spectator. Read more here: http://spectator.org/articles/39831/gratitude-and-grace
“Life is not without struggle. It is in that struggle that we see the truth in life. For me, through struggle and truth, I learned gratitude. It is with that, I give back. Today my life is an exercise of gratitude and grace and my life’s efforts are my gift to our world.” Robert Siciliano
Donate to Boston Children’s Hospital here: http://ow.ly/rCSvD
Filed Under: Marathon
A data breach law (or several) is around the corner. And the time is right, what with the scads of data breaches involving major retailers lately. Details of customers’ addresses, phone numbers, credit cards and other sensitive information have ended up in the hands of hackers. We’re talking many tens of millions of affected consumers.
Despite this mushrooming problem, no consensus has yet arrived regarding just what role the government should assume to protect people’s data. But a common thread to the many ideas is customer notification once a data breach occurs. Though 46 states do have notification laws, retailers gripe that complying with them eats up precious time that would be better spent fighting data infiltrations and repairing the fallout.
“We’ve long said that action is needed and hopefully we can see passage of data breach notification legislation this year,” says Brian Dodge, a senior vice president at the Retail Industry Leaders Association.
Recently the Data Security Act was introduced. It would require companies and banks to have privacy protections and investigate breaches, plus alert customers about big risks of theft or fraud. Banks have complained about the costs of responding to data breaches and have insisted that retailers do more to address the fallout. The DSA could take some of this burden off banks.
“We think it’s important that essentially everybody up their game,” says Kenneth Clayton, an executive VP and chief counsel at the American Bankers Association. This needs to occur whether through law or industry action, Clayton adds.
The FTC may even get involved. But how much should the government get involved? “The idea that the government would do a better job than private industry is a horrible idea,” says John Kindervag, a principal analyst at Forrester Research, an advisory firm.
However, a 2014 priority for the FTC is to protect sensitive health and financial information. “The FTC has long been concerned that this type of sensitive data warrants special protections,” says Jessica Rich, head of the FTC’s consumer protection bureau. She adds that the FTC strongly supports the possibility of new laws that would protect consumers.
Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.
Filed Under: Data Security
One man’s trash is another man’s new identity? Yes, because that “junk mail” you toss in the garbage contains valuable data about yourself. A crook bent on identity theft can potentially have a field day with your discarded pre-approved credit card applications, bank statements, etc. Using a paper shredder before throwing out letters and documents such as these will help protect you and your family.
You should take this same vigilant approach when recycling your devices, whether that be your computer, external hard drive, mobile phone or tablet. This ensures that no matter where your recycled device ends up, you can feel secure knowing it contains zero data about you—and a factory reset will not necessarily achieve this.
Here’s how to “clean” the data on your mobile device:
- Do a factory reset. Every mobile phone contains software to do this.
- To reset Android: Menu > Settings > Privacy > Factory Data Reset.
- To reset Blackberry: Options > Security Options > General Settings > Menu > Wipe Handheld.
- To reset iPhone: Settings > General > Reset > Reset All Settings.
- For other phones, you can find out how to reset by doing an online search using the appropriate keywords, including the model number.
- Get rid of data that is on external media, like SIM or SD cards. Your best bet is to cut them in half.
- You can use a mobile security product, like McAfee® Mobile Security, to wipe your mobile clean of all its apps and data.
How to “clean” the data on your computer:
Before you get rid of your computer, you must make sure that it’s impossible to recover the data on the hard drive. Simply putting things in the trash can and deleting them is not enough. If someone is skilled enough, they can almost always retrieve data left over on a hard drive. It’s your choice how tough you make it for your computer’s new owner to do that, so don’t rely on those steps.
Use a utility designed for wiping or erasing. This tool will overwrite everything with binary 1’s and 0’s. In fact, these tools meet government security standards and will overwrite each sector in your hard drive multiple times. McAfee Shredder, which is included with the McAfee LiveSafe™ service, is one of these tools. It will permanently wipe everything off your PC to protect your privacy.
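To make concrete what a wiping utility does at the file level, here is an added Python example; it is not McAfee’s tool or any code from this post. It overwrites a file in place with several full passes (all-ones, random, then zeros), forces each pass out to the disk, verifies that the final pass landed, and only then deletes the file. The sample file and its contents are constructed for the example. One caveat a practitioner should keep in mind: on SSDs, flash cards and copy-on-write or journaling filesystems, old copies of the data can survive in-place overwriting, which is why a whole-device secure erase, or full-disk encryption followed by destroying the key, is the safer route when recycling a drive.

```python
"""Overwrite a file in place with several passes, verify, then delete it.

Added example of the overwrite-then-verify technique a file shredder uses.
It operates on a single file; a real wiping utility works on the whole drive.
"""
import os
import tempfile

# Passes written over the file, in order. None means random bytes.
# The last pass is all zeros so the verification step is deterministic.
PATTERNS = (b"\xff", None, b"\x00")


def overwrite_and_delete(path, chunk_size=64 * 1024):
    """Overwrite `path` with each pattern in PATTERNS, verify, then remove it.

    Returns (size_in_bytes, passes_completed).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:          # r+b: rewrite in place, no truncation
        for pattern in PATTERNS:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())         # push this pass to the device, not just the page cache
        # Verify the final (all-zero) pass actually reached the file.
        f.seek(0)
        for chunk in iter(lambda: f.read(chunk_size), b""):
            if chunk.count(0) != len(chunk):
                raise RuntimeError("verification failed: final pass is not all zeros")
    os.remove(path)
    return size, len(PATTERNS)


def demo():
    """Create a constructed sample file, shred it, and report the result."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"ACCOUNT 1234-5678 PIN 0000\n" * 1000)   # constructed, secret-looking content
        path = tmp.name
    size, passes = overwrite_and_delete(path)
    return size, passes, os.path.exists(path)


if __name__ == "__main__":
    size, passes, still_there = demo()
    print(f"overwrote {size} bytes in {passes} passes; file still exists: {still_there}")
```

The `r+b` open mode matters: opening with `w` would truncate the file and the filesystem might hand back different blocks, leaving the original ones untouched. The `fsync` after every pass is what turns a write into the page cache into a write to the device. Even with both, the caveat above stands for flash media and copy-on-write filesystems.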
This Earth Day, join the movement and demonstrate support for environmental protection. Just make sure to protect yourself first!
Filed Under: mobile phone security
Organized crime rings are using brains, not brawn, to target small businesses and steal critical data. Protect your business by putting these 11 security measures into place.
Organized crime has always been known to be all about muscle … but even the bad guys have evolved. Seems organized crime syndicates have discovered that more money can be made in less time with less hassle simply by employing brains over brawn.
As technology and technology skills have evolved, it’s become painfully easy to employ hackers to break into small businesses’ networks and seek out sensitive data and personal information.
Meet the members of your friendly neighborhood crime ring:
Programmers: skilled technicians who write and code viruses that target a business’s network PCs.
Carders: specialists in distributing and selling stolen card data and sometimes transferring data onto blank “white cards” then embossing them with foil in order to create exact clones.
Hackers: black-hat intruders who look for and exploit vulnerabilities in networks.
Social engineers: scammers who may work with psychologists who dream up the different scams and then con victims via phone, phishing or in person.
Rogue systems providers: unethical businesses that provide servers for criminals.
Money mules: often drug addicts or naïve Americans who buy items at retailers with stolen credit cards. Some mules ship products, and others launder money. Mules may be from a foreign crime syndicate’s nation and travel to the U.S. to gain employment within an organization and open bank accounts to store money until transfer.
Bosses: in charge of the entire operation. Bosses delegate, hire talent and make all the money.
Why Target Small Businesses?
Organized criminal hackers all over the world use sophisticated hacking tools to penetrate databases that house a small business’s client data. In general, they’re seeking:
- Social Security numbers
- Credit card numbers
- Bank account information
- Home and business addresses
- Birth dates
- Email addresses
Why do they do it? Simple—their primary motivation is to get paid. They accomplish this by opening new lines of credit or taking over existing accounts. Transactions include making charges to credit cards, initiating electronic fund transfers or using email addresses for large phishing or spear phishing campaigns.
How Hackers Hack
Hackers are the bad guys who use penetration-testing tools—both legal and illegal—that are available commercially or only available on the black market. Their tools come in different forms of hardware and software that seek out vulnerabilities within a small business’s network.
Vulnerabilities may be physical, as in facilities vulnerable to intrusion, or may be people who are vulnerable to social engineering. Virtual vulnerabilities exist in a business’s Internet connection (whether wired or wireless), an outdated browser or an outdated operating system—any of which may be vulnerable if they don’t have updated security patches. Vulnerabilities can also be exposed via social engineering: A criminal simply gets on the phone, sends an email or shows up in person and cons a target using any of a variety of methods.
Protecting Your Data
There are plenty of ways to get taken. But there are also plenty of ways not to. The fundamentals of protecting your business’s data include:
- Maintaining updated operating systems, including critical security patches
- Installing and running antivirus, antispyware and antiphishing software and a firewall
- Keeping browsers updated with the latest version
- Updating all system software, including Java and Adobe
- Locking down wireless Internet with encryption
- Setting up administrative rights and restricting software, such as peer-to-peer file sharing, from being installed without rights
- Utilizing filtering that controls who has access to what kind of data
- Utilizing Internet filters to block access to restricted sites that may allow employees or hackers to upload data to Cloud-based storage
- Possibly disabling or removing USB ports to prevent the downloading of malicious data
- Incorporating strict password policies
- Encrypting files, folders and entire drives
These 11 steps are a good start. However, standard security measures are never enough. Depending on the size, scope, type of data requiring protection, compliance and regulatory environment, possible insider threats, and what “bring your own device” policies may be in place, risks and threats must be defined and prioritized. This often requires consulting a professional.
There are two considerations small businesses must take into account that go beyond a low-budget, “do it yourself” mentality:
1. Data loss prevention and risk assessment software. This type of software monitors an entire network’s activities and behaviors to seek out events that might lead to a breach and then stop them before data loss.
2. Penetration testers. These are white-hat hackers who use similar tools as black hats to seek out vulnerabilities and exploit those vulnerabilities as far as they’re allowed by the client. They might use automated tools to seek technology vulnerabilities, or employ virtual or physical social engineering. For instance, some penetration testers will test the physical security of a building during or after hours. Penetration testing involves real-world attacks that have been proven to work elsewhere, along with seeking out flaws in a business’s networks.
The worst thing any small business can do is nothing. Failure to test your networks and put layers of security in place will inevitably result in a breach. Forewarned is forearmed.
Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.
Filed Under: Data Security