Tag Archives: passwords

Breach Brief – Macy’s, Adidas

Macy’s department stores has reported a data breach of customer data. The breach affects Macy’s online customers and exposed names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. Macy’s pointed out that it does not store credit verification values (CVV) or Social Security numbers in its online customer profiles. Macy’s has reported the data breach and exposed card numbers to payment processors Visa, MasterCard, American Express and Discover. Macy’s has not said how many customers are impacted.

According to Macy’s, the breach took place between April 26 and June 12. The company reported that an “unauthorized third party” had obtained usernames and passwords and was able to log into the online profiles of shoppers at Macy’s and its subsidiary Bloomingdale’s. It is not known how the hackers got the information. Macy’s reported the breach in a letter to the New Hampshire Attorney General’s Office on July 2nd.

Macy’s has frozen any customer profiles with suspicious activity until the customers change their passwords.

“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” the company said in a statement. “Macy’s, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”


Adidas

Adidas, maker of sportswear and equipment, issued a warning to online shoppers in the U.S. that their personal information may have been compromised as a result of a suspected data breach. Adidas first became aware of the incident on June 26, and analysts are saying that potentially millions of customers could be affected.

A preliminary investigation revealed that the hacker may have stolen customers’ contact information, usernames and encrypted passwords. Adidas does not believe any credit card or health and fitness information was compromised.

A statement on Adidas’ website read: “According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.” The company is in the process of notifying affected customers.

Breach Brief – SunTrust Bank

SunTrust Bank has reported a data breach that may have compromised the personal information of up to 1.5 million customers. According to reports the bank believes a former employee may have stolen customer information to give to a criminal third party.

SunTrust first became aware of improper access to customer records in February. An internal investigation implicated the ex-employee for the alleged theft. According to the Wall Street Journal the employee tried to print the records and share them with a “criminal third party.”

According to SunTrust the names, addresses, phone numbers and account balances of 1.5 million customers were breached. However the bank does not believe that Social Security numbers, account numbers, passwords, and driver’s license information were accessed. SunTrust also stated that there’s no indication that fraudulent activity has occurred with the affected accounts.

The bank has begun the process of contacting customers whose info may have been compromised. SunTrust is also planning to provide free identity protection to all its customers whether they have been impacted by the breach or not.

SunTrust customers can go to this website to see if they are affected by the breach.

The incident is under investigation and the bank continues to work closely with law enforcement and outside experts.

ALERT! – Spectre and Meltdown Security Flaw – ALERT!

Regardless of what computer you own, Apple or Windows, Spectre and Meltdown security flaws affect you. Security researchers recently revealed the details of these two microprocessor security flaws. Chips made by Intel, Advanced Micro Devices (AMD) and others are in billions of devices making them sitting ducks for hackers.

Devices with these chips include phones, tablets, PCs, and computer servers. Exploiting the vulnerability opens the door for hackers to steal personal data, passwords, cryptographic keys, and other supposedly inaccessible information from device owners. While the average consumer should exercise caution the impact on business could be devastating. 

The Meltdown flaw only runs on Intel chips while the Spectre flaw can affect devices with virtually any modern processor.

Computer microprocessors handle data like passwords or encryption keys. Normally these are kept from other apps. But both Intel and AMD pride themselves on the speed of their chips. To achieve that speed the chips use what’s known as “speculative execution” to try to guess answers that may be needed if a chain of calculations came out a certain way. Since the delay in calculations can be predictable, researchers found that a rogue app could guess where confidential data was located in a chip’s memory and steal it.

Regardless of your web browser, Google Chrome, Apple Safari, or any version of the Windows family, they all use JavaScript code. Hackers could introduce a data-stealing JavaScript program and post it on any chosen web site. Your browser app would automatically run the rogue code like it was an ordinary part of the site’s features, resulting in your data becoming vulnerable or stolen. As you can see, this is an extremely grave threat to business computing.

Although this vulnerability is now known, there is no evidence anyone has used it…yet. And that is where the danger lies. The danger of these flaws is so great that tech companies swung into action quickly to fix the problem. Perhaps too quickly.

According to various news sources, the Microsoft patch to fix the flaw has been damaging some devices. In some instances the computers are suffering performance problems while others have been bricked. A bricked computer is frozen and unusable. The problem has become so bad that Microsoft has halted issuing the patch for both Spectre and Meltdown for AMD-equipped computers and devices.

Intel’s CEO Brian Krzanich addressed the Meltdown and Spectre issue as the keynote speaker at the Consumer Electronics Show in Las Vegas. “I want to thank the industry for coming together to address the recent security research findings reported as Meltdown and Spectre,” said Krzanich. He called the response to the issues a “collaboration among so many companies.” Krzanich promised that “for our processors and products introduced in the past five years, Intel expects to issue updates for more than 90 percent within a week, and the remaining by the end of January.”

Browser makers have swung into action to combat the flaw. Users of Google Chrome should turn on a feature called “site isolation.” The feature prevents malicious JavaScript from accessing sensitive data. Google will soon release an update to Chrome’s JavaScript feature that will improve protection against Spectre attacks; however, browser performance may suffer.

Microsoft has already issued a Windows security update for its Internet Explorer and Edge browser apps labeled “KB4056890” to protect against Spectre. According to Microsoft the update will change the browser’s features to protect confidential information in a device’s CPU. But make sure you check if your device has an AMD chip before using this patch.

Firefox maker Mozilla said its newest apps changed several features to make Spectre attacks more difficult. Released on January 4th, Firefox version 57.0.4 includes the new protections. Mozilla said in a blog post that it is studying additional ways to strengthen security against the attacks. “In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers. This project requires time to understand, implement and test.”

Apple is planning to release an update to Safari in “coming days” to protect against Spectre. Early tests of the Apple updates showed a minimal impact on browser performance. For additional information on Apple products click here.


National Cyber Security Awareness Month – Mobile Security and Accounts

Mobile security for your smartphone or tablet is not rocket science. You can take simple steps to secure your devices and online accounts that protect you from being an easy target. Let’s start with your passwords.

Passwords

You need to change them and do so on a regular basis. Please don’t be lazy about this simple task. Anyone who knows anything about you can probably guess your password. Especially if you do something stupid like use your dog’s name, the street you live on, your favorite shoe designer or sports team. People do these things and, to make it worse, they keep the same password for years. Or, dumber still, they use this same password on all their online accounts. So anyone who guesses it can then take over your life. How do hackers know you well enough to guess your passwords? Facebook! Never, ever, use the same password for multiple online accounts!

Change your passwords at least every six months. Use a lot of numbers and special characters and mix them up good. Your password should look something like this “L*gg46&#wEvF?.” Ugly huh? And hard to remember too. Well, try a password manager. They are easy to use and free. Check The Best Free Password Managers of 2017 from PC Magazine.com.

Device safety

Do you know what your device is doing? It does all kinds of things when you are using it, and when you’re not. Practicing good cyber security means understanding what your device is doing and how to spot trouble and stop it. Take the time to learn all about your mobile device.

Make sure you update your phone’s operating system and apps regularly. Companies are always finding flaws and security issues and they issue updates and patches when they do.

Online accounts

Consider this: any account you have online can be monitored to see what recent activity has occurred. OK, so who does not have a Facebook or social media account of some kind? To see what’s happening with your Facebook account click here. Facebook offers all its users a page that will tell them if someone has been accessing their accounts. If you have a Twitter account click here, for Google click here. These links will take you to the pages you need to monitor your account activity. Do yourself a favor and bookmark them for future use. It doesn’t take long to check these sites for unusual activity. And check them regularly.

You will also find ways to block any unauthorized activity on your accounts. Some apps and services allow you to set up alerts that come to you via a text message or email when something funny is happening to your accounts. They will also alert you when you log in from a new device or from a different location.

Check your apps

Another thing you need to do is check the app permissions on your phone or tablet. Apps communicate with their maker regularly. Most of the time it’s things like performance reports if the app crashes or updates. But trust me, it is communicating. You need to understand what your phone is doing and what permissions it has to access your data. Apps can do things like monitor your position using GPS, copy your text messages, access your contacts and spy on you using the on-board camera. Most people don’t realize how much data their phone and the associated apps give away. Don’t just click on the “accept” link when an app asks for permission to access your phone’s features. Investigate and ask yourself, why?

Apps from third party vendors are a good source of trouble. Games, shopping apps, email apps, any app can be malicious. Hackers count on you not looking at the app too closely, especially the part about permissions to access things like your email, camera or GPS. Think it can’t happen to you? Think again!

You should also be aware of a new threat that is hitting mobile devices; it is known as ad and click fraud. It is a direct result of clicking on a link in an email or text message. Clicking on mysterious links is a good way to introduce malware into your device.

Free Wi-Fi

Set up your phone to ask permission to join open wi-fi networks like you find at Starbucks. These open networks, or free wi-fi, are havens for hackers. When you are traveling make sure you know what the hotel or airport wi-fi name is. A new tactic for hackers is to set up their own wi-fi networks close to or inside the hotel. They give their wi-fi a name similar to that of the hotel’s. If you are not paying attention you might get on a hacker’s wi-fi. Hackers can see everything you do if you are on their phony network and that could be big trouble. Learn to use a VPN or tether your device to your smartphone for secure Internet access. Better yet, get your own wi-fi hotspot. Many of the major cellphone service providers offer them.

Now you know.


National Cyber Security Awareness Month

October is National Cyber Security Awareness Month (NCSAM). In recognition the African-American Cyber Report will be participating with the Department of Homeland Security to promote awareness of cyber security issues and personal safety online.

Each week the AACR will publish articles that promote cyber security at home, at work and for your children. The AACR is dedicated to bringing the message of cyber security to African-Americans who use the Internet in their daily life. We are focused on protecting you, your home and your children from cyber fraud, hacking, viruses, malware, personal data theft and other cyber threats. 

African-Americans are full participants in the technology revolution from smartphones, to mobile banking to e-commerce to social media. As such we must become more aware of what is happening in cyberspace. We need to understand the dangers and the opportunities that the Internet presents. 

As part of NCSAM the Dept. of Homeland Security is offering all Americans the Stop.Think.Connect. Toolkit. The Toolkit is a series of information pamphlets designed to educate various audiences on cyber security awareness and online safety. The targeted audiences include:

  • Students K-8, 9-12, and Undergraduate
  • Parents and Educators
  • Young Professionals
  • Older Americans
  • Government
  • Industry
  • Small Business
  • Law Enforcement

The educational material covers 22 topic areas that include social media awareness, mobile banking, and educating children about going online. 

We invite you to join us as we focus on the safety and security of all people but especially our brothers and sisters who use the greatest communication technology ever invented, the Internet.

ALERT!-Google Docs Phishing Attack-ALERT!

Right now millions of email users are getting a seemingly innocent email asking them to view a Google Docs file. DO NOT CLICK ON IT! DELETE IMMEDIATELY!

The email takes the user to an excellent replica of the Google Docs page you would normally see. The hackers are so clever they have copied the newest version of the page. To make matters worse, the URL or web address is very close to the real Google Docs web address. The email itself will look as if it came from a legitimate email address and even uses a .gov email address.

The email does not deliver any malware that we know of. But it does steal user names and passwords.

In a statement a Google PR representative said: “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

Google sent out another statement, this time directly from Google, that read: “We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”

If you have received the suspect email there are a few things you can do.

  1. Do not click on it even if it comes from someone you know. Always be suspicious of links and attachments you are not expecting or do not know where they come from. Anytime you get an email containing a link or attachments, contact the sender and ask what it is. They may not know their email is being used to send out spam or malware.
  2. Use multi-factor authentication. Many websites offer multi-factor authentication. It is simply an extra step to protect you on the web. The system often works by sending a second code via a text message to your smartphone. This is great when you are using a computer you don’t normally use and can prevent hackers from accessing your accounts or stealing passwords.
  3. If you have already clicked on the suspect email or are not sure then you can cancel third party access by visiting this Google site. Also change your Google passwords.
  4. Finally report the incident by clicking the downward arrow at the top right of your inbox and selecting “Report Phishing.”

Remember, try to avoid catching “click around fever.” This is the compulsion to click on links or attachments in your email or visit websites just out of curiosity. Many malware infections and viruses can be had by what’s commonly known as a drive-by download. This means the instant you click on the wrong thing or visit the wrong website you’re infected.

Tax Season 2017 – Fighting Identity Theft

There are two seasons that cyber criminals celebrate: Christmas and tax season. African-Americans should understand that protecting themselves during this time is especially critical. A 2011 Federal Trade Commission national fraud survey revealed that African-Americans were almost twice as likely to be victims of fraud as whites. African-Americans were victimized 17.3 percent of the time compared to 9 percent for whites. For Hispanics 13.4 percent reported being fraud victims. To top off these disturbing numbers is the fact that blacks and minorities often don’t report fraud because of embarrassment.

Tax season used to be a multi-billion dollar hunting season for identity thieves. But the hunting may not be so good this year. Because of IRS work, identity theft has plummeted by 46 percent. 376,000 fewer taxpayers had their identities stolen by criminals.

In the past two years the IRS, working with major tax preparers, started sharing information to improve taxpayer security. Congress has also given the IRS more tools to prevent criminals from getting fraudulent tax refunds. This allowed the IRS to identify and block over 1 million phony tax refunds last year.

Federal authorities crushed a massive identity theft ring in Alabama and Georgia in 2015. Those thieves collected $10 million in fraudulent refunds. Cyber criminals are merciless. This scam even targeted veterans of the Afghanistan war being treated at Fort Benning’s hospital.

Last year another ring in the District of Columbia was taken down as they tried to steal more than $20 million in fraudulent tax refunds. The victims included people in assisted living facilities, drug addicts and prison inmates.

Technology deployed at the IRS in recent years identifies potential fake tax returns. Now the IRS can flag dramatic differences in a taxpayer’s return from year to year for additional screening.

The earned income tax credit is a big target for identity thieves. The IRS was holding refunds until Feb. 15 for families claiming this credit. These credits provide payments to people who don’t make enough money to owe any federal income taxes. This makes them attractive to identity thieves.

Protect your personal information during tax season by following these steps.

  • File early, even if you owe. Filing your return early prevents anyone who has stolen your information from filing a fraudulent return. The IRS will only accept the first return even if the thief has your Social Security number.
  • Encrypt your data. Encrypted data is secure even if your laptop is stolen. There is plenty of free encryption software available. PC Magazine recently published The Best Encryption Software of 2017. And using it is not that hard. If you can create a password you can encrypt your data.
  • Buy a decent shredder. Destroy any document with any personal information, especially your Social Security number. Any small bit of information helps a cyber thief and they are not above going through your trash can. These thieves have been known to drive through neighborhoods picking up trash! Any personal papers that have your bank account or investment account information should be shredded before disposal.
  • Use strong passwords. Learn to construct powerful passwords that are easy to remember. And change them often.
  • Keep your computer software up to date. Use a good anti-virus/anti-malware. Some cyber thieves can install spyware on an unprotected computer and steal your information.
  • Be aware of phishing attacks. Phishing is when you receive an email or call asking for information using very sneaky questions. This is a form of social engineering. Don’t respond or click on email attachments or links. Anybody calling claiming to be from your bank or the IRS should be hung up on and reported. Banks and the IRS don’t call asking for information. These callers can be insistent and even threatening. Just hang up and investigate on your own by calling the IRS or your bank. DON’T GIVE ANY INFORMATION OVER THE PHONE! And remember, if anyone calls asking for money you should be the one asking the questions.
  • The IRS does not ask for money NOW! They don’t ask for money to be transferred via a payment card. They don’t ask for credit card or debit card information. They are not coming to your house to arrest you. If someone threatens you with anything like this they are thieves. If you get a suspicious email or phone call, do not respond. Immediately call the IRS Identity Protection Specialized Unit (IPSU) at 1-800-908-4490.
  • Is someone else preparing your taxes? Here’s what you need to be asking:
    • How will my data be stored?
    • Will it be encrypted?
    • What computer security software is used?
    • Who has access?
    • Have those with access been properly screened?
  • Do not transmit tax returns or sensitive personal data on public WiFi. That means Starbucks or the public library. This is prime hunting ground for cyber thieves. These hackers wait and watch WiFi traffic for an unprotected computer. They can intercept and record your online activity, stealing your information or even hijacking your computer.
  • Check your credit report at least annually. You can get all three free credit reports from AnnualCreditReport.com. Remember this is the only credit report website authorized by the federal government.

Don’t be a victim during this tax season. Be aware!