I spend a great deal of time monitoring the ebbs and flows of security events that go on in the wild. The recent spike in global activities makes it a great time to cover some of the recent security threats or issues you may run into.
The 3 most common events I am currently seeing:
- Global hacks that expose large numbers of users' data
- Ransom mail (emails)
- Official-looking phishing emails
Global Hacks That Expose a Large Number of Users' Data
Data breaches in 2015 have been some of the largest to date. These attacks have focused on banks, health care companies, security companies, and even a company that makes an application to protect your passwords.
What's typically been taken?
- First name/last name
- Credit card data
- Password data (hashed at best; in the worst cases stored in a form that can be recovered to the original password)
- Personal data (phone numbers, where you live, etc.)
Some of this year's breaches have impacted as many as 150 million users. As the list above shows, that is enough information to build a whole new you.
These events will keep happening, and more often. What matters is knowing how best to protect yourself.
Use a unique password for each website you visit.
While a complex password is useful, some of the best expert advice these days is to use longer passwords. Taking a line from a favorite song and stringing the words together produces a long password that is hard to crack, and adding a number and a special character makes it harder still. Bear in mind that well-known lyrics appear in cracking dictionaries, so the characters you add, and using the phrase on only one site, are what keep it from being guessed.
You might take a line from Lionel Richie's "Lady": Lady, I'm your knight in shining armor and I love you.
It could be turned into the password: Imyourknightinshiningarmorandiloveyou9$
Yes, it's long and you may not enjoy typing it. (Note: there are programs, called password managers, that remember your passwords and fill them into sites, but recall that one of the companies hacked this year was exactly that kind of company.)
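To make the length argument concrete, here is an added example (not from the original article) that derives a password from a lyric line the way described above and estimates the search space an attacker faces under two models: trying every string over the same character classes, and trying every line of a lyric corpus with a short suffix. The 10-million-line corpus size and the rate of 10^12 guesses per second are assumptions chosen for illustration.

```python
import math
import re

# Brute-force model: an attacker tries every string over the character classes
# actually present.  33 is the count of printable ASCII punctuation characters.
CLASSES = (
    (26, str.islower),
    (26, str.isupper),
    (10, str.isdigit),
    (33, lambda c: c.isprintable() and not c.isalnum() and not c.isspace()),
)


def passphrase_from_lyric(line: str, suffix: str = "") -> str:
    """Build a passphrase the way the article does: drop spaces and punctuation,
    lowercase the words, capitalise the first letter, append a number/symbol suffix."""
    body = re.sub(r"[^A-Za-z0-9]", "", line).lower()
    if body:
        body = body[0].upper() + body[1:]
    return body + suffix


def brute_force_bits(password: str) -> float:
    """Size in bits of the space an exhaustive character-level search must cover."""
    alphabet = sum(size for size, test in CLASSES if any(test(c) for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def lyric_dictionary_bits(corpus_lines: int, suffix_len: int, suffix_alphabet: int = 43) -> float:
    """Size of the space if the attacker instead tries every line of a lyric corpus
    with every short suffix (10 digits + 33 symbols = 43).  The corpus size is an
    assumption supplied by the caller, not a measured figure."""
    return math.log2(corpus_lines) + suffix_len * math.log2(suffix_alphabet)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time needed to try every candidate in a space of 2**bits guesses."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = passphrase_from_lyric("I'm your knight in shining armor and I love you.", "9$")
    rate = 1e12  # assumed offline guessing rate against a fast, unsalted hash
    print(pw, len(pw), "chars")
    print("short complex password  : %.0f bits" % brute_force_bits("Kn1ght!9"))
    b = brute_force_bits(pw)
    print("lyric passphrase, brute : %.0f bits, %.3g years" % (b, years_to_exhaust(b, rate)))
    d = lyric_dictionary_bits(10_000_000, 2)  # assumed 10 million-line lyric corpus
    print("lyric passphrase, dict  : %.0f bits, %.3g years" % (d, years_to_exhaust(d, rate)))
```

The two numbers for the same passphrase show why the suffix and the choice of a less famous line matter: against character-level brute force the phrase is far out of reach, but a corpus of known lyrics plus a two-character suffix is a space of only around 34 bits, which a fast offline attack covers in well under a second.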
Credit Monitoring Services
Many times when there is a breach like the one at TJ Maxx, the company will provide you with one year of free credit monitoring. Recent FBI reports have noted that data from a breach is often held for up to five years before it is sold or used, so that one year of credit monitoring may do nothing for you.
You can get one free credit report from each of the three major credit bureaus (TransUnion, Equifax, and Experian) once every 12 months from annualcreditreport.com. However, this site does not provide credit scores (specifically, FICO® Scores).
Experts suggest checking your credit every three months, and prefer that you also set alerts for any new credit line opened in your name. A number of nationwide credit monitoring services can do this for you, normally for 12.99 to 29.95 a month. Many offer a free first month, and if you call to cancel, many will offer a reduced monthly fee if you agree to stay a member or mention a competitor with a lower price.
Some companies to consider:
Defining a credit monitoring service is straightforward: these programs keep a watchful eye over your credit report for you. Pinning down the benefits is more complicated. Some can only alert you to potential fraud in your name, while others help you resolve the problems that follow identity theft, should it happen.
- Personal Identity Monitoring
o A good identity monitoring company should watch thousands of legal and non-legal sources for your identity, in addition to watching your credit reports.
- Address Monitoring
o Watching those same sources, they look for documents and information about your home, such as public legal filings.
- Lost Wallet Protection
o If you carry a number of cards and memberships, losing your wallet means contacting many places to report them missing or stolen. Some services let you pre-register all of your cards and help with cancelling them; others use your credit reports to populate the information needed to report the cards missing. It can turn an all-night task into a ten-minute one.
- 3 Credit Scores* with (at least) quarterly updates; my preference is monthly
o This is the primary source for finding out what is going on with your credit health, so the more often it's checked, the better.
- Identity Theft Insurance
o If your identity is stolen, there are costs such as lawyers, document requests, court filings and other events that come out of your pocket. Most companies offer between $25K and $1M of "insurance" to help you through this process. Recent reports posted online suggest recovery takes on the order of 500 hours and $3,000, but I consider that far less than what could be required. I would suggest getting at least $50K of coverage (check what the company offers as part of its basic package).
Ransom Mail (Emails)
Recently a company that promoted cheating on your significant other was hacked, and nearly 50 million unique users were identified. Emails are now being sent to people (many of whom were never on that site or have never heard of it) claiming they were found there and that all their friends and family will be told about their misdeeds.
The senders claim they will tell all your friends and family via Facebook unless you send 1 Bitcoin (an electronic currency used on the internet; it is pseudonymous rather than untraceable, since every transaction is recorded on a public ledger, but the person behind an address is hard to identify; its current value is around 231 USD per coin).
What they are really counting on is that someone, guilty or not, decides it is easier to pay than to risk the reputational hit.
How widespread is this and other forms of ransom mail? I operate 10 email accounts that are not connected to a real user (known as honeypot mail accounts), a real Facebook identity, and a number of different mail hosts (Gmail, Comcast, Yahoo, etc.). Across these various accounts I have seen it occur on all but one, and in many cases seen it occur between 2 and 5 times in a single day.
What should you do if this happens to you? In most cases, ignore them. They are simply spamming millions of people hoping a few will decide to send the money.
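The kind of filter I would put in front of a honeypot mailbox to count these, as an added example that is not part of the original article: it looks for threat wording plus a Bitcoin address, and checks the address's Base58Check checksum so a mistyped or made-up address is reported separately from one that could actually be paid. The three sample messages, the honeypot account names, the threat phrases and the two-phrase threshold are all constructed for the example; the checksum test covers only legacy base58 addresses (those starting with 1 or 3).

```python
import email
import hashlib
import re
from collections import Counter

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][" + B58 + r"]{25,34}\b")
# Wording typical of extortion mail; two or more hits counts as a threat (assumed threshold).
THREAT_PHRASES = ("friends and family", "facebook", "leaked", "expose", "hours")

# Constructed samples: two ransom mails (one with a checksum-valid address, one with a
# mistyped one) and one harmless notice, sent to two hypothetical honeypot accounts.
SAMPLE_MAILS = [
    """From: nobody@example.net
To: honeypot1@example.com
Subject: We know what you did

Your name was found in the leaked database. Send 1 BTC to
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours or your friends and family
will be told on Facebook.
""",
    """From: nobody@example.org
To: honeypot2@example.com
Subject: Last warning

Pay 1 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb in 24 hours or we expose you
to your friends and family.
""",
    """From: news@example.com
To: honeypot1@example.com
Subject: Branch hours

Our branch hours change next month. No action is needed.
""",
]


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check test for legacy (1.../3...) addresses: decode to 25 bytes and
    confirm the last 4 equal the first 4 bytes of SHA256(SHA256(first 21))."""
    if not 26 <= len(addr) <= 35:
        return False
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw  # each leading '1' is a zero byte
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


def classify(raw: str) -> dict:
    """Label one message by threat wording and by whether it names a payable address."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    threats = [p for p in THREAT_PHRASES if p in text]
    addresses = ADDR_RE.findall(body)
    valid = [a for a in addresses if is_valid_btc_address(a)]
    if len(threats) >= 2 and valid:
        verdict = "extortion"
    elif len(threats) >= 2 and addresses:
        verdict = "extortion-suspect"  # threat wording, but the address fails its checksum
    elif len(threats) >= 2:
        verdict = "threat-no-payment"
    else:
        verdict = "clean"
    return {"account": msg.get("To", ""), "verdict": verdict, "addresses": addresses, "threats": threats}


def triage(raws):
    return [classify(r) for r in raws]


def count_by_account(results):
    """Per-account tally of ransom mail, the measurement the article describes."""
    return Counter(r["account"] for r in results if r["verdict"].startswith("extortion"))


if __name__ == "__main__":
    results = triage(SAMPLE_MAILS)
    for r in results:
        print(r["account"], r["verdict"], r["addresses"])
    print(count_by_account(results))
```

The checksum matters for the tally: a campaign whose address fails Base58Check cannot be paid at all, which is a useful signal that the sender never intended to look at a ledger and is simply spraying. Run over a real honeypot mailbox, the per-account counter is what produces the "all but one account, 2 to 5 a day" kind of figure.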
In the State of Illinois, you can also report these issues (should you be concerned about them, or should they escalate) to:
Office of the Attorney General
Hon. Lisa Madigan
Another useful resource would be:
Official Looking Phishing Emails
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using fake bait in an attempt to catch a victim.
Recently there have been large volumes of emails purporting to come from banks, the IRS, Homeland Security and other organizations, describing problems with your account, personal data or tax returns. They normally want you to go to a website and enter your personal information, or ask for data about you that seems harmless (often so they can come back later and ask for more detailed data).
In almost all cases, organizations like these would contact you by mail or certified mail to let you know that information is needed. If you are still concerned, do not use the phone number or email address provided in the email; instead go to the agency's own website, look up a number there, and call to verify the email. The same applies to links: type the organization's address yourself rather than following a link in the message.
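As an added example (not from the original article), here is a check for the tell-tale signs described above: a Reply-To domain that differs from the From domain, links whose visible text names one site while the href goes to another, and links that leave the sender's domain. The two sample messages are constructed for the example; the registrable-domain helper is deliberately naive (last two labels) and would need a public-suffix list for real use.

```python
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: claims to be from the IRS, but replies and the main link go elsewhere.
SAMPLE_PHISH = """From: IRS Refunds <refunds@irs.gov>
Reply-To: irs.refunds@mail.example.net
To: victim@example.com
Subject: Action required: your tax refund
Content-Type: text/html

<html><body>
<p>We could not process your refund. Verify your identity within 24 hours at
<a href="http://irs-gov.example.net/verify">https://www.irs.gov/refund</a>.</p>
<p>Questions? See <a href="https://www.irs.gov/help">help</a>.</p>
</body></html>
"""

# Constructed sample of a legitimate notice: every link stays on the sender's domain.
SAMPLE_LEGIT = """From: Alerts <alerts@bank.example>
To: customer@example.com
Subject: Your statement is ready
Content-Type: text/html

<html><body><p>Sign in at <a href="https://www.bank.example/login">www.bank.example</a>.</p></body></html>
"""

LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (enough for the samples)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def host_of(url: str) -> str:
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def addr_domain(header) -> str:
    addr = email.utils.parseaddr(header or "")[1]
    return registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def html_body(msg) -> str:
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "ignore")
    return ""


def analyze_phish(raw: str):
    """Return a list of (finding, detail) tuples; an empty list means no red flags."""
    msg = email.message_from_string(raw)
    findings = []
    sender = addr_domain(msg.get("From"))
    reply_to = addr_domain(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        findings.append(("reply-to-mismatch", f"From {sender} but replies go to {reply_to}"))
    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        target = registrable(host_of(href))
        if LOOKS_LIKE_URL.match(text) and registrable(host_of(text)) != target:
            findings.append(("display-href-mismatch", f"shows {text} but goes to {href}"))
        if sender and target != sender:
            findings.append(("link-outside-sender-domain", href))
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_phish(sample) or "no findings")
```

The display/href mismatch is the one a reader can also check by hand, by hovering over the link before clicking; the Reply-To check catches the common case where the From header is forged to the real organization but the attacker still needs replies to reach a mailbox they control.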
Michael S. Wherry, CISSP, MCSE, TOGAF 8/9, DCT, MCNE
Director of Compliance, 1to1 Card