Why you should change your Verizon PIN right now – The Washington Post

Although Verizon said that the PINs alone can’t help access online accounts, Hemu Nigam, a cybersecurity analyst at SSP Blue, said he would still advise customers to change their PINs because they could give people access to other accounts they use. “The unfortunate part is if you use that PIN, you’re probably using a similar PIN for other situations, so once I have that I can test that PIN on other things,” he said. “Verizon’s relationship with the customer is not at risk, but the customer is now at risk

Source: Why you should change your Verizon PIN right now – The Washington Post

10 Ways Hollywood Can Thwart The Next Orange Is The New Black Cyber-Theft | Deadline

10 Ways Hollywood Can Thwart The Next ‘Orange Is The New Black’ Cyber-Theft, by Hemu Nigam, guest column

Bottom Line – Vendors are the last place the Hollywood big guns might think hackers will target, but that is exactly what makes them so much more at risk.

Source: 10 Ways Hollywood Thwart The Next Orange Is The New Black Cyber-Theft | Deadline

Avoiding the Cyber Crime Holiday

PricewaterhouseCoopers just released a report finding that cyber crime against businesses has soared in 2011.  While Cyber Monday might be over, the online shopping discounts will continue to get better and better as Christmas approaches.  In essence, the holiday ad bombardment won’t stop until the New Year bells have tolled.

The press gives a great deal of attention to consumer protection over the holidays.  I even wrote an article for ABC News on this just this week.  And for good reason.  This year 40% of consumers will have their information misused.

But given the just as staggering figures for online crimes against businesses, what are these companies supposed to do? Are there good practices that businesses should adhere to this holiday season? The short answer is yes.

For any business, consumers are your most important asset.  If your customers don’t trust you, you won’t be in business long. Just as a manufacturer takes steps to ensure that the products it makes are safe for consumers, businesses that engage in online sales must give cyber security the same level of importance.  Hackers will check how easy it is to break into a site, so put up the online security locks and force them to go elsewhere.  Note that the bigger you are, the more of a target you become.  Hackers love to make headlines, so be at the ready if you are a popular site.

And follow these security tips to get started on the right path to putting your consumer first:

Cyber security basics: Make sure your system is secure by encrypting usernames, passwords, and valuable personal information that belongs to your consumer.  Also, break up personal information; for example, store usernames separately from full names and addresses.

“Red Team” your site – bring in a team of white hat hackers (a service SSP Blue provides, for example) to do a security assessment – they can find security holes and help you fix them before the bad guys exploit them.

“Red Team” your site again – anytime you change anything on the site – add a feature, for example – make sure it goes through the Red Team process again before going live.  A new feature can sometimes break something else.

Teach secure coding – the best engineers still need training on how to write ‘secure code’.  If you outsource your engineering, demand the outsourced company do the same.

Insert ‘Teachable Moments’ throughout your site – teach your users how to be cautious online and how to navigate safely – so they make it part of their daily routine and trust you more in the process.

Staying alert, engaged, and secure this holiday season isn’t just for consumers.  Businesses need to be on guard as much as consumers do.

A few cyber security steps can make the difference between a prosperous holiday season and a lousy lonely one.

Don’t Remind Me Later

Imagine a bunch of scammers and hackers sitting around in a dark room together. They’ve just created brand new viruses that will invade your life by invading your computer to steal your banking information, take all your passwords, send threatening emails to all your friends, make all your personal photos public, and… And, they’ve devised a simple and yet genius way to get it into your laptop or smartphone that’s always connected to the Internet using some of the hundreds of software pieces that run on your computer.

Amazingly, software providers have also just figured out a way to block these viruses. But the only way this will work is if you update your laptop or smartphone with the latest security updates they have just sent you. And out of sheer courtesy, they are asking you if you want to update now or “Remind Me Later.”

What are you going to do? What do you do nearly every time you see that nice “Remind Me Later” button looking so sweetly at you while you’re busy updating your Facebook or sending an IM or working on a work email? We all do it. We all tell our friends who are trying to protect us to come back another time. You’re OK leaving all the doors and windows wide open for the bad guys to break into your life. You’re OK with giving your life away to some stranger in a dark room on the other side of the world.

This scenario might sound dramatic, but it’s really not. The “Remind Me Later” button is not your friend. In fact, it is probably the most dangerous ‘button’ you can push.

Let’s put this in perspective. If robbers had figured out how to turn off your home alarms or break into your house, would you fix it right away or put a note in your calendar to “Remind Me Later?” Similarly, we don’t ask someone to remind us to lock our car later if we know we have left it unlocked. The same is true for every security measure we take in our real lives.

And yet, we hit that “Remind Me Later” button as quickly as we can, like we’re playing whack-a-mole at an arcade.

Some people complain that security updates take too long, are too cumbersome, and bog down their computers. That was true…about 10 years ago. With today’s high speed systems, security updates can run quietly in the background. Kind of like the locksmith who can do his thing, while you’re busy doing yours in the house.

Hackers are literally creating and launching new viruses every day. That means that these invaluable updates are needed frequently. Every time a software provider figures out a way to block the bad guys, they send out an update. They have effectively put a new lock in an existing door, ensuring the safety of your personal life.

So, next time the dialogue box appears asking if you want to run a security update now, just remember the “Remind Me Later” button is not your friend.

When Hackers Attack, Earthquakes Follow

Hackers of the world have gone wild, infiltrating a variety of sites such as those of the CIA, PBS, and just the other day, NBC.  Supposedly “secure” servers of companies as notable as JP Morgan Chase and Sony have been hacked to get credit card or customer information.

In fact, hacking has had such a substantial effect on the business world that Rupert Murdoch was recently forced to close an English tabloid as a result of the paper’s hacking of celebrity phones. Stories of massive and embarrassing hackings are popping up everywhere letting us know that these hackers mean business.

And if you’re a business, being ready means more than having an IT emergency response plan.  In today’s hacker environment, a company’s response plan must be holistic in nature, agile in execution, and grounded in reality.  The right response must include technical, legal, educational, and public affairs components.  Each area has a significant role to play and one that if executed incorrectly can make the difference between disaster and recovery.  And we’re talking just security.  The problems compound when you throw in safety and privacy as well since the three are interconnected and not mutually exclusive.

Having been at the forefront of safety, security, and privacy (SSP) crises many times over in my previous roles in corporate America, and now as the founder of an online security consulting company, I can tell you that many company executives often think of the public relations (PR) aspect of responding to a hacker crisis as ‘fluff’ or coming from the ‘group that spins’.

In fact, PR is at the epicenter of this type of crisis and how it is handled can make the difference between minor aftershocks or more devastating quakes.

The right PR team will have to navigate with agility, acumen, and diplomacy while still grounded in relevant experience with safety, security, and privacy.  The challenges presented are far ranging and come in multiple forms.  Questions abound such as:

- Who should be the spokesperson?

- What is better, a reactive or a proactive media strategy?

- When should the affected consumers be informed?

- Where is the place to release information?

- How should employees be informed about what is happening?

- When should a safety, security, and privacy crisis plan be implemented?

- Who makes the final call on what goes out?

Given the sudden onslaught of hackers, traditional PR firms are facing quite the challenge in helping clients respond.  The problem – many of these firms aren’t yet equipped or experienced to handle the unique challenges SSP PR brings even if they have handled other types of crisis in the past.

If your company is at risk of falling victim to an SSP PR nightmare, begin internal discussions ASAP to see if you are equipped to handle such an event holistically.

The more you read about the pain and suffering other companies have gone through, the more daunting the problem may appear.  But, it is one that can be overcome with the right kind of planning, team, and program in place.  Having worked closely with several clients to put in place SSP PR strategic plans, we have seen the positives that come from doing it right the first time.

If there is one thing to keep in mind it is this – hackers don’t follow traditional fault lines.  At any time, you can be the flashing red dot marking the epicenter of a major SSP earthquake.

Taking a Moment to Pause With Phone Hacking Scandal

For companies that can be broken if their security breaks (anything from email providers, to cell phone providers), headlines like “Phone Hacking Scandal” should garner special attention. The latest “phone hacking” scandal involving allegations that reporters at News of the World listened to or tampered with voicemails of, potentially, over 10,000 victims, has left many in shock and wonderment. But, as with any crisis, we can use this as an opportunity to take a moment to pause and consider what we can learn from it.

The word “hack” implies that a highly technical break-in to a security system occurred, as in the case of the recent CIA breach. What appears to have happened in the phone hacking scandal is really not a ‘hack’ at all carried out by highly technical criminals.

Reporters, allegedly, used some pretty simple tactics, exploiting voicemail procedures by using them in the way they were supposed to be used. When a customer purchases a new cell phone, a default password is set up for accessing voicemail. Often, it’s a simple 4-digit number such as “1111” or “0000” or the last 4 digits of the customer’s cell number. Unfortunately, most people don’t personalize these passwords once they have the phone. Hence, a stranger can call a cell phone and when the subject doesn’t answer, they can simply put in the standard password for the carrier and gain immediate access to voicemails. Here is some more info on just how all this can happen.

Unfortunately, this isn’t the only way people can get into voicemails. Social engineering, a term now used to denote unethical or illegal practices involving impersonation and manipulation, is a very effective means by which people can gain access to voicemails or information. So instead of hacking into a secure system, the bad guy can simply call the cell carrier’s support center, impersonate an actual cell phone customer, and obtain the password for the voicemail. The customer never knows this happened.

And herein lies an opportunity for cell carriers to pause and consider what types of security mechanisms are in place to thwart the social engineer. For example, consider providing any customer who calls a temporary one-time use password that forces a password change once it is used. Then text and email the customer to inform them of what just occurred, in case it was a social engineer who got through all the mechanisms already in place. Also, consider whether two-part security, security that involves what a customer knows and what a customer has, can work for you. With two-part security, a customer would need to provide info to the customer service rep to recover/replace a forgotten password, and then would have to have the cell phone in hand where the reset info is sent. A social engineer who succeeds in one part ends up getting only half the info needed to succeed. Finally, consider whether the default passwords freeze if they are not changed within a certain period of time from purchase.
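The carrier-side controls in this paragraph modelled as a small voicemail PIN policy, added here as an illustration and not any carrier's code: detection of carrier-default PINs (including the last four digits of the number), a freeze on a default PIN left unchanged past a grace period, a one-time PIN that a support rep can only send to the handset and that forces a change, and a notification to the owner on every reset. The 30-day grace period and the default PIN list are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import secrets

CARRIER_DEFAULTS = {"1111", "0000", "1234"}   # constructed sample defaults
DEFAULT_GRACE = timedelta(days=30)            # assumption: default must change within 30 days


def is_default_pin(pin: str, phone_number: str) -> bool:
    """A PIN is 'default' if it is a carrier default or the number's last four digits."""
    digits = "".join(ch for ch in phone_number if ch.isdigit())
    return pin in CARRIER_DEFAULTS or (len(digits) >= 4 and pin == digits[-4:])


@dataclass
class VoicemailAccount:
    phone_number: str
    pin: str
    activated_at: datetime
    pin_is_default: bool = True
    temp_pin: Optional[str] = None          # one-time PIN issued by support
    reset_pending: bool = False             # temp PIN consumed, new PIN not yet chosen
    handset_messages: List[str] = field(default_factory=list)  # stands in for SMS/email

    def is_frozen(self, now: datetime) -> bool:
        """Default PINs stop working once the grace period has run out."""
        return self.pin_is_default and now - self.activated_at > DEFAULT_GRACE

    def support_reset(self, now: datetime) -> str:
        """A support rep can only trigger a reset. The one-time PIN goes to the
        handset (the 'what you have' part), never to the caller, and the owner is told."""
        self.temp_pin = f"{secrets.randbelow(10 ** 6):06d}"
        self.handset_messages.append(
            f"{now.isoformat()} PIN reset requested via support; one-time PIN {self.temp_pin}")
        return "one-time PIN sent to handset"

    def login(self, pin: str, now: datetime) -> str:
        if self.temp_pin is not None:                    # reset in flight: only the temp PIN works
            if secrets.compare_digest(pin, self.temp_pin):
                self.temp_pin, self.reset_pending = None, True   # single use
                return "must-change"
            return "denied"                              # old PIN is dead once a reset was requested
        if self.reset_pending:
            return "denied"                              # hung up mid-reset: must call support again
        if self.is_frozen(now):
            return "frozen"
        return "ok" if secrets.compare_digest(pin, self.pin) else "denied"

    def set_pin(self, new_pin: str, now: datetime, current_pin: Optional[str] = None) -> bool:
        """Allowed right after a one-time PIN was used, or with the current PIN on an
        unfrozen account. Defaults and reuse of the old PIN are rejected."""
        authorised = self.reset_pending or (
            current_pin is not None and self.login(current_pin, now) in ("ok", "must-change"))
        if not authorised or not (new_pin.isdigit() and len(new_pin) >= 4):
            return False
        if is_default_pin(new_pin, self.phone_number) or new_pin == self.pin:
            return False
        self.pin, self.pin_is_default, self.reset_pending = new_pin, False, False
        return True
```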

Each company will have to weigh everything from customer experience to ease of use to adoption rates when determining what type of security works best for their user base. Note that many carriers have been working towards these goals and should be commended for their work.

The ability to convert challenges to opportunities can be a major asset for a forward thinking, security conscious company. So, take heed of the latest events in the news and pause to reflect on what more can be done to protect the most valuable asset any company has – the trust of its customers.

Hackers Unite

The thieves who made off with more than $2.5M from Citibank and caused the bank to issue 100,000 replacement bank cards have highlighted an alarming trend. Hackers are evolving. And, they are organizing and uniting. They even have a Twitter account. Before the advent of the Internet, we called these hackers “robbers” or “criminals” or the “mafia.” However, now that the Internet has provided a way to enter the front door through the digital underground, hacking has evolved into a disastrous enterprise.

I’m seeing the evolution of four kinds of hackers emerging into cohesive groups that we need to pay close attention to.

Mobsters: The hackers who attacked Citibank are probably “mobster” hackers. Mobsters are hackers who are connected to large-scale criminal enterprises bringing new meaning to the phrase “organized crime.” In some cases, crime families are hiring hacking groups to procure log-in information for one site knowing that many consumers today are using the same log-in for their financial sites as well. Citibank seems like a perfect example of this kind of activity.

Taunters: Taunting hackers are just thumbing their noses at anyone who dares to believe they have good online security systems in place. These kinds of hackers are breaking security settings, stealing email addresses, and bypassing firewalls just to show that it can be done, usually to the great embarrassment of the company being preyed upon. The hackers who keep breaching Sony’s systems and the CIA website are most likely taunters.

Activists: Activist hackers seem to have taken a nod from Taunters. While the act of hacking remains criminal, hackers who are breaching security to support a social cause aren’t in it for the money. The hijacking of the PBS website to protest the Frontline story on Wikileaks is a prime example, as are the attacks on Visa, MasterCard, PayPal, and Sarah Palin. These are more like sit-ins, road blocks, and Greenpeace protests.

Anarchists: The fourth and final kind of hackers are those who are working to dismantle governments, disrupt the lives of entire populations, or shut down some branch of government. Anarchist hackers may be engaged in what some might call terrorist activities and others might call citizen uproars or even revolutions. (On a side note, when sponsored by nation-states against enemies, they fall under counter-intelligence activities as well. See unleashing worms).

Whenever those destined to engage in criminal activity of any kind begin to unite and organize, good citizens must pay serious attention. Metamorphosis is a dynamic process, and the hacking evolution is no different. As certain groups gain strength and numbers, allegiances will shift and factions will break.

And as they declare war on each other, the good citizens of the world, like you and me, can find ourselves in a heap of collateral damage.

Every Step You Take, I’ll Be Tracking You

Lately, it seems like we hear a story every week about a new security breach concerning our personal information.  Just a few weeks ago, Epsilon was hacked and millions of email addresses were stolen. A few weeks later, Sony announced that their worldwide gaming network too was hacked.  And now, companies like Apple and Google are being scrutinized for their questionable iPhone and Android tracking processes.

In a paper recently released on O’Reilly Radar, researchers revealed that they had uncovered a hidden file in iPhones and iPads that regularly records the location of the user. To make matters worse, the file in which all this is stored is unencrypted; that means that anyone with access to a user’s iPhone or iPad could unveil the user’s entire history of where they had been (or at least where their device had been).  On top of that, the information collected is also transferred to your computer anytime you sync your device. Even if a customer buys a new device and syncs the new device with the original computer, all the location data will end up on the new device.

So the question is – what tracking is necessary for the device to function? For instance, in order for your phone to find reception it must be able to locate cell towers as you travel.  In order for an iPhone to locate a new wireless network, it also needs to use GPS in order to see where the networks are. Why though is Apple storing this information? The extent to which Apple has gone appears to be extreme.

If you’re thinking that this shouldn’t be acceptable, you’re not alone.  Some rather high profile voices have contributed to the debate.  Senator Franken of Minnesota published an open letter to Steve Jobs chastising Apple for tracking and storing this information.  The head of the Electronic Privacy Information Clearinghouse is also questioning whether Apple violated its own terms of service agreement which ensures that customer information will be guarded appropriately.  A group of people in Florida have even gone so far as to file class action lawsuits against the company.

The immediate and strong outpouring of global concern about this invasion of privacy prompted a few short responses from Apple at the outset, and then one big answer to the issue – a software update. This most recent update to the operating system will turn off tracking and disallow storage of information after one week.  Don’t worry, your iPhone and iPad will still transmit location information that is necessary for device functioning, but all the other information will be erased. This information will no longer be stored on your computer when you sync your device. As for the Android, a spokesperson from Google has said that “any location data that is sent back to Google location servers is anonymized and is not tied or traceable to a specific user.”

Since these announcements, initial panic has decreased, but we continue to be reminded that our privacy must always be guarded vigilantly. And best of all, companies like Apple and Google are listening to your voice by not tracking your whereabouts.