In recognition of Data Privacy Day, “10 Don’ts” foreword author Tom Jelneck appeared on Fox35’s “Good Day Orlando” program about ways to keep your data safe from hackers and other thieves. You can watch the video via the link below — we are especially grateful to Tom for plugging the book on live TV!!
Direct Link: http://www.fox35orlando.com/good-day/83032189-video
The audio from the October 14 meeting of the Senior Statesmen of Virginia, focusing on Internet Security, is now available through the Charlottesville Podcast Network. 10 Don’ts author Eric Rzeszut was one of two featured speakers.
Senior Statesmen of Virginia: Internet Security
As we point out in the very first chapter of 10 Don’ts, “Don’t Get Phished,” criminals are getting more sophisticated when they craft phishing scams. They’ll use real terminology, correct English, and proper company/organizational logos to increase the number of people fooled by these malicious emails.
Today, Virginia’s Attorney General Mark Herring (@AGMarkHerring) released a warning about a phishing scam being perpetrated via email, phone, and even social media:
Attorney General Mark R. Herring today warned Virginians to be vigilant for a major, ongoing “phishing” scam involving emails, phone calls, and social media messages purporting to be from the Attorney General and his office. The emails claim to be a “Final Legal Notification” from Attorney General Herring or his staff regarding debt owed to “Cash Advance, Inc,” or some variation thereof, or claim that an “arrest warrant” has been taken out on the recipient. The emails demand payment from the recipient to resolve the issues. In some cases, recipients may receive follow-up phone calls from the scammers perpetuating the fraud. The Attorney General’s Office does not operate in such a manner and the recipient should not respond to the emails or phone calls.
Full story: NBC 29
The records of as many as 80 million customers of Anthem Health Insurance were breached last week. Hackers may have obtained names, addresses, birthdates, medical histories, and other personal data of Anthem subscribers (or former subscribers), and are using this data in phishing attempts to further violate subscribers’ privacy.
So, if you’re one of the affected people, what should you do? ZDNet writer Violet Blue has put together a list of seven helpful steps to take to protect your data. Many of these precautions (such as two-factor authentication, password managers, etc.) are good ideas for everyone — not just Anthem victims — and we recommend many of these in 10 Don’ts on Your Digital Devices.
Full story: ZDNet
“Phishers and phone fraudsters are capitalizing on public concern over a massive data breach announced this week at health insurance provider Anthem in a bid to steal financial and personal data from consumers.
The flood of phishing scams was unleashed just hours after Anthem announced publicly that a “very sophisticated cyberattack” on its systems had compromised the Social Security information and other personal details on some 80 million Americans.”
Full story: Krebs on Security
“Anthem, the US’ second-largest health insurer, announced today that it was the victim of a cyber-attack last week, in which its database of about 80 million records — including names, birthdays and social security numbers — was compromised.
Anthem reports that other personal member data like addresses, phone numbers, email addresses and employment information was also stolen. However, the company says that it has no evidence to show that credit card numbers, medical history, diagnosis or treatment data were exposed.”
Too early to know the source of this hack, of course. But as we point out in 10 Don’ts, many of these attacks are made possible by human error: someone being phished or otherwise socially engineered out of a password, someone storing private data in a public location, someone performing sensitive tasks over an open wireless connection, etc.
Full story: The Next Web
In the first chapter of 10 Don’ts, we discuss the dangers of “phishing.” We look specifically at “spear-phishing,” where attackers target an organization or a specific group of people. This allows them to customize the emails to appear legitimate to the person or group, and increases the odds that the malicious links will be clicked and/or sensitive information provided.
In the past year, a group of hackers has focused specifically on university employees, attempting to gain access to their financial information:
According to a public advisory issued by the Research and Education Networking Information Sharing and Analysis Center on Wednesday, universities and colleges have been “targeted by spearphishing campaigns designed to steal user credentials for many years.” The stolen credentials are used for many reasons, including “sending spam from compromised e-mail accounts, optimizing search engine results for black market pharmaceutical web pages, gaining access to university-licensed resources, and hosting malware.”
For the past year, though, the focus of these campaigns has been on gaining access to employees’ direct deposit information to reroute their checks. More often than not, victims are both faculty and administrators from university medical and dental programs.
The attack begins with a phishing email where recipients are fooled into clicking on a link inside an email that is disguised as an official email from their institution. These emails tend to have subject lines like “Your Salary Review Documents,” “Important Salary Notification,” “Your Salary Confirmation,” “connection from unexpected IP” or “RE: Mailbox has exceeded its storage limit.”
Full story: In the Capital
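The advisory quoted above gives a mail administrator something concrete to work with: the lure subjects cluster around salary/HR notices and mailbox-quota warnings, and the links point to look-alike sites outside the institution. The script below is an added example (not code from the 10 Don’ts authors or from REN-ISAC) of a simple triage heuristic that scores an inbound message on those three signals. The institution domain `example-university.edu`, the sample messages, the score weights and the quarantine threshold are all constructed for the example.

```python
"""Triage heuristic for the university payroll spear-phishing pattern.

Added example (not the book's or REN-ISAC's code). Scores a message on:
  * subject matching the lure themes listed in the advisory,
  * sender address outside the institution,
  * links pointing to hosts outside the institution.
Institution domain, messages and thresholds are constructed sample values.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

INSTITUTION_DOMAIN = "example-university.edu"   # constructed institution domain

# Lure themes drawn from the advisory's subject-line list, matched
# case-insensitively: salary notices, mailbox storage warnings, IP alerts.
LURE_PATTERNS = [
    re.compile(r"\bsalary\b", re.I),
    re.compile(r"\bmailbox\b.*\b(storage|quota|limit)\b", re.I),
    re.compile(r"\bunexpected ip\b", re.I),
]

URL_RE = re.compile(r'https?://[^\s<>"]+')


@dataclass
class Message:
    sender: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def _sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _is_institution_host(host: str) -> bool:
    host = host.lower()
    return host == INSTITUTION_DOMAIN or host.endswith("." + INSTITUTION_DOMAIN)


def _link_hosts(text: str) -> list:
    return [urlparse(u).hostname or "" for u in URL_RE.findall(text)]


def triage(msg: Message) -> Verdict:
    """Return a score and the reasons behind it; higher means more suspicious."""
    v = Verdict()
    if any(p.search(msg.subject) for p in LURE_PATTERNS):
        v.score += 2
        v.reasons.append("subject matches a payroll/mailbox lure theme")
    if not _is_institution_host(_sender_domain(msg.sender)):
        v.score += 1
        v.reasons.append("sender address is outside the institution")
    external = sorted({h for h in _link_hosts(msg.body) if not _is_institution_host(h)})
    if external:
        v.score += 2
        v.reasons.append("links to external host(s): " + ", ".join(external))
    return v


def should_quarantine(msg: Message, threshold: int = 3) -> bool:
    return triage(msg).score >= threshold


# Constructed sample messages; the .example hosts are placeholders.
SAMPLE_MESSAGES = [
    Message("payroll@hr-portal-login.example", "Your Salary Review Documents",
            "Please review your documents at http://hr-portal-login.example/docs"),
    Message("hr@example-university.edu", "Holiday schedule",
            "The schedule is posted at https://hr.example-university.edu/calendar"),
    Message("it-support@mail-quota.example", "RE: Mailbox has exceeded its storage limit",
            "Free up space now: http://mail-quota.example/fix"),
    # Legitimate payroll notice: lure-like subject, but sender and link are internal.
    Message("payroll@example-university.edu", "Important Salary Notification",
            "Details at https://payroll.example-university.edu/notice"),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = triage(m)
        print(f"{'QUARANTINE' if should_quarantine(m) else 'deliver   '} "
              f"score={v.score} subject={m.subject!r} reasons={v.reasons}")
```

The fourth sample is the important one: a genuine payroll notice uses the same subject wording the scammers copy, so subject matching alone cannot decide; it scores 2 here and is delivered, while the two look-alike messages score 5. Note that the sender-domain signal is only meaningful on mail that has already passed SPF/DKIM alignment checks, since the From header itself is trivially forged; in practice this heuristic belongs behind those checks, not in place of them.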
“Underground cybercrime shops that sell credit and debit card accounts stolen from retailers are slashing prices and promoting their own Black Friday and Cyber Monday sales as fraudsters gear up for the busy holiday shopping season.”
Full story: Krebs on Security