Every Step You Take, I’ll Be Tracking You

Lately, it seems like we hear a story every week about a new security breach concerning our personal information.  Just a few weeks ago, Epsilon was hacked and millions of email addresses were stolen. A few weeks later, Sony announced that their worldwide gaming network too was hacked.  And now, companies like Apple and Google are being scrutinized for their questionable iPhone and Android tracking processes.

In a paper recently released on Radar O’Reilly, researchers revealed that they had uncovered a hidden file in iPhones and iPads that regularly records the location of the user. To make matters worse, the file in which all this is stored is unencrypted; that means that anyone with access to a user’s iPhone or iPad could unveil the user’s entire history of where they had been (or at least their device had been).  On top of that, the information collected is also transferred to your computer anytime you sync your device. Even if a customer buys a new device and syncs the new device with the original computer, all the location data will end up on the new device.

So the question is – what tracking is necessary for the device to function? For instance, in order for your phone to find reception it must be able to locate cell towers as you travel.  In order for an iPhone to locate a new wireless network, it also needs to use GPS in order to see where the networks are. Why, though, is Apple storing this information? The extent to which Apple has gone appears to be extreme.

If you’re thinking that this shouldn’t be acceptable, you’re not alone.  Some rather high profile voices have contributed to the debate.  Senator Franken of Minnesota published an open letter to Steve Jobs chastising Apple for tracking and storing this information.  The head of the Electronic Privacy Information Clearinghouse is also questioning whether Apple violated its own terms of service agreement which ensures that customer information will be guarded appropriately.  A group of people in Florida have even gone so far as to file class action lawsuits against the company.

The immediate and strong outpouring of global concern about this invasion of privacy prompted a few short responses from Apple at the outset, and then one big answer to the issue – a software update. This most recent update to the operating system will turn off tracking and disallow storage of information after one week.  Don’t worry, your iPhone and iPad will still transmit location information that is necessary for device functioning, but all the other information will be erased. This information will no longer be stored on your computer when you sync your device. As for the Android, a spokesperson from Google has said that “any location data that is sent back to Google location servers is anonymized and is not tied or traceable to a specific user.”

Since these announcements, the initial panic has decreased, but we continue to be reminded that our privacy must always be guarded vigilantly. And best of all, companies like Apple and Google are listening to your voice by not tracking your whereabouts.

The Amazing Race: Confucius Meets Twitter

The Amazing Race came back with yet another exciting season premiere this weekend.  From the start we saw a lack of preparation by ‘the showgirls’ that almost landed them a trophy for the shortest-lived contestants on The Amazing Race.  It all started when Kaylani didn’t secure her passport, dropping it at a gas station less than an hour after the race began.  Luckily, a passerby Tweeted that he had found a passport belonging to an Amazing Race contestant and was convinced by his followers to hand deliver it to LAX.  Strangely, this was a harbinger of the upcoming challenge in which contestants played a game of ‘telephone’ at the Taipei Confucius Temple where they had to listen to a recorded saying by Confucius and then repeat it precisely for their next clue.

Confucius said, “In all things success depends on previous preparation.  And without such previous preparation, there is sure to be failure.”

Even though Confucius spoke nearly 2,500 years ago, his words are as applicable in this digital century as they were when he first spoke them.

In this week’s episode, we saw firsthand what can happen if a team fails to prepare.  But for the kindness of strangers connected to Twitter, Kaylani and Lisa would have been sure to fail.  And therein lie the amazing facets we find in the season premiere of The Amazing Race.  Every aspect of our life is interconnected through and into the digital world.  Every step we take online has some type of impact on our footprints in the real world.  With each step we must ask ourselves, “Are we preparing for future success when acting in the present moment?”

When you post a photo on Facebook, can it affect how a future employer perceives you, resulting in a lost job opportunity?  When you get a security update, do you hit Remind Me Later, leaving all your personal bank information at the mercy of a hacker?  When you sign into Facebook, Twitter, or Gmail, do you use the same password, setting yourself up for a major phishing attack?  When you register for a new site, do you skip the privacy set-up process, letting others you would never share with see all your personal thoughts?  When you store your private photos, do you put them in a folder clearly marked private, making them highly visible and desirable for others to open?

Every act we take online impacts our safety, security, and privacy.   Take a moment to consider how your actions today will impact your future success.  This was true when Confucius lived in a world without an Internet just as much as it is true today in a world that can’t survive without an Internet.

For more information about online safety, check back here every week or visit my website.

Don’t Remind Me Later

Imagine a bunch of scammers and hackers sitting around in a dark room together. They’ve just created brand new viruses that will invade your life by invading your computer to steal your banking information, take all your passwords, send threatening emails to all your friends, make all your personal photos public, and… And they’ve devised a simple and yet genius way to get them into your laptop or smartphone that’s always connected to the Internet, using some of the hundreds of software pieces that run on your computer.

Amazingly, software providers have also just figured out a way to block these viruses. But the only way this will work is if you update your laptop or smartphone with the latest security updates they have just sent you. And out of sheer courtesy, they are asking you if you want to update now or “Remind Me Later.”

What are you going to do? What do you do nearly every time you see that nice “Remind Me Later” button looking so sweetly at you while you’re busy updating your Facebook or sending an IM or working on a work email? We all do it. We all tell our friends who are trying to protect us to come back another time. You’re OK leaving all the doors and windows wide open for the bad guys to break into your life. You’re OK with giving your life away to some stranger in a dark room on the other side of the world.

This scenario might sound dramatic, but it’s really not. The “Remind Me Later” button is not your friend. In fact, it is probably the most dangerous ‘button’ you can push.

Let’s put this in perspective. If robbers had figured out how to turn off your home alarms or break into your house, would you fix it right away or put a note in your calendar to “Remind Me Later?” Similarly, we don’t ask someone to remind us to lock our car later if we know we have left it unlocked. The same is true for every security measure we take in our real lives.

And yet, we hit that “Remind Me Later” button as quickly as we can, like we’re playing whack-a-mole at an arcade.

Some people complain that security updates take too long, are too cumbersome, and bog down their computers. That was true…about 10 years ago. With today’s high speed systems, security updates can run quietly in the background. Kind of like the locksmith who can do his thing, while you’re busy doing yours in the house.

Hackers are literally creating and launching new viruses every day. That means that these invaluable updates are needed frequently. Every time a software provider figures out a way to block the bad guys, they send out an update. They have effectively put a new lock in an existing door, ensuring the safety of your personal life.

So, next time the dialogue box appears asking if you want to run a security update now, just remember the “Remind Me Later” button is not your friend.

When Hackers Attack, Earthquakes Follow

Hackers of the world have gone wild, infiltrating a variety of sites such as those of the CIA, PBS, and just the other day, NBC.  Supposedly “secure” servers of companies as notable as JP Morgan Chase and Sony have been hacked to get credit card or customer information.

In fact, hacking has had such a substantial effect on the business world that Rupert Murdoch was recently forced to close an English tabloid as a result of the paper’s hacking of celebrity phones. Stories of massive and embarrassing hackings are popping up everywhere letting us know that these hackers mean business.

And if you’re a business, being ready means more than having an IT emergency response plan.  In today’s hacker environment, a company’s response plan must be holistic in nature, agile in execution, and grounded in reality.  The right response must include technical, legal, educational, and public affairs components.  Each area has a significant role to play and one that if executed incorrectly can make the difference between disaster and recovery.  And we’re talking just security.  The problems compound when you throw in safety and privacy as well since the three are interconnected and not mutually exclusive.

Having been at the forefront of safety, security, and privacy (SSP) crises many times over in my previous roles in corporate America, and now as the founder of an online security consulting company, I can tell you that many company executives often think of the public relations (PR) aspect of responding to a hacker crisis as ‘fluff’ or coming from the ‘group that spins’.

In fact, PR is at the epicenter of this type of crisis and how it is handled can make the difference between minor aftershocks or more devastating quakes.

The right PR team will have to navigate with agility, acumen, and diplomacy while still grounded in relevant experience with safety, security, and privacy.  The challenges presented are far ranging and come in multiple forms.  Questions abound such as:

- Who should be the spokesperson?
- What is better, a reactive or proactive media strategy?
- When should the affected consumers be informed?
- Where is the place to release information?
- How should employees be informed about what is happening?
- When should a safety, security, and privacy crisis plan be implemented?
- Who makes the final call on what goes out?

Given the sudden onslaught of hackers, traditional PR firms are facing quite the challenge in helping clients respond.  The problem – many of these firms aren’t yet equipped or experienced to handle the unique challenges SSP PR brings, even if they have handled other types of crises in the past.

If your company is at risk of falling victim to an SSP PR nightmare, begin internal discussions ASAP to see if you are equipped to handle such an event holistically.

The more you read about the pain and suffering other companies have gone through, the more daunting the problem may appear.  But, it is one that can be overcome with the right kind of planning, team, and program in place.  Having worked closely with several clients to put in place SSP PR strategic plans, we have seen the positives that come from doing it right the first time.

If there is one thing to keep in mind it is this – hackers don’t follow traditional fault lines.  At any time, you can be the flashing red dot marking the epicenter of a major SSP earthquake.

Protecting Your Memories by Protecting Your Devices

Losing certain objects is like losing certain parts of our personal lives.   We can set stuff down and forget to pick it up, or get our entire bag stolen at a coffee shop or airport.  It seems like we had it one second and the next it’s gone.  Whether it happens through villainy or absentmindedness, one lost bag and we’re out a phone, a laptop, an iPad, a camera…and that’s just the beginning.

We store far more information in things like our phones and laptops than we think we do.  Whether we lose these mobile devices at a football game or have them stolen from a table at a coffee shop, we can also lose vast amounts of personal information stored inside them.

Here are some ideas on how to prevent loss and how to get your device back.

LAPTOPS AND TABLETS:

The amount of information stored on our laptops can be staggering.  Losing one can mean the loss of thousands of photos, documents, songs, and invaluable memories.

Some ways to prevent theft:

  • Grab a lock:  Laptop locks prevent theft by literally locking the laptop down and are available for almost all laptops.  Tech companies are also coming out with locks for tablets such as this one for an iPad.
  • Don’t leave a computer or tablet anywhere, even to get up to use the restroom quickly at a local coffee shop or library.
  • Don’t leave your computer or tablet in a visible place in your car, backpack, or handbag.

What to do if it is stolen:

  • Applications like MobileMe and LocateMyLaptop.com can provide information about the exact location of your laptop if it is stolen.
  • Remote deletion: Intel Anti-Theft Technology is software that disables a laptop if stolen so information cannot be accessed.  Once recovered, the laptop can be enabled again.

CELL PHONES:

For most of us, our cell phones are like a lifeline.  Losing a phone isn’t just losing a device.  Often, it means that entire stores of contacts, texts, and photos will be lost with the phone.

Some ways to prevent theft:

  • Don’t loan your phone to strangers, or even friends. No one watches out for your devices like you do.
  • Have a phone case that you always use so you’re less likely to set it down absent-mindedly.
  • Password protect your phone so a thief won’t want it.

What to do if it is stolen:

  • Applications like iTag for Android (MobileMe for Mac) allow users to disable a phone if stolen so information cannot be accessed.
  • MobileMe also has a “Find My Phone” area and can be accessed from any computer.
  • If you installed any add-ons or apps that allow a stolen or misplaced phone to be found, check them.
  • Call the police (and area pawnshops) with the IMEI, SIM or MEID number (identifying number for your phone, like a VIN number for your car) so the phone can be returned to you if found, sold, or nabbed in an arrest.
  • If your service provider offers this feature, log in to their website and immediately limit the calls and texts allowed.

CAMERAS:

Our digital cameras can store thousands of photos of life’s most precious memories.  Losing a camera is like losing an invaluable part of your special moments.

Some ways to prevent theft:

  • Consider keeping your camera tied around your wrist.
  • Do not ask a stranger to take a picture of you or your group, especially in high tourist areas where thieves lurk.
  • Never leave your camera alone in a public place.

What to do if it is stolen:

  • StolenCameraFinder.com, GadgetTrak.com/camerasearch:  sites that help people reclaim a lost or stolen camera by scouring Internet photo sites for photos posted by stolen cameras, using serial numbers embedded in photos to locate the thief and camera.
  • While traveling, keep identifying information like the serial number in a location away from the camera and notify authorities with those numbers.

SOME GENERAL TIPS:

  • Password-protect your devices by changing factory default passwords to something stronger and more secure.
  • Password-protect sensitive information and valuable applications.
  • Turn off “auto-fill” on your browsers so that people can’t immediately find information.
  • Have a secured password program that stores passwords for software and websites instead of keeping them in a Word or text file.
  • Put name and email address (even carefully etching it) on the bottom of your device.
  • Backup to the cloud: online storage sites like Mozy.com allow for information to be backed up in a virtual space and downloaded back to a new device if yours is stolen or lost.
  • Backup to hard drive: regularly back up all information, photos, music, docs, etc. on a computer by using programs like Time Machine that back up to a separate hard drive.
  • Take a picture of yourself holding a sign with your email address so someone can let you know if they find a lost camera.
  • Download pictures onto an external device often so a stolen camera doesn’t mean a stolen memory.

So the next time you put your bag down, just remember your life could be walking away from you unless you’ve secured it.

Nightmare Renters from Airbnb

Until recently, the name Airbnb was not something tossed around in the average news cycle or dinner party.  However, since a story recently broke about malicious use of rented property and Airbnb’s apparent woeful management of the crisis, the name is everywhere…and not in a good way.

Airbnb describes itself as a company engaged in “unlocking unique spaces worldwide.”  Through its web portal, the company allows people the world over to exchange housing, essentially turning private residences into mini-hotels, renting out their homes and finding residences for short-term rental.  The service has proved useful for thousands of successful exchanges but truly atrocious stories are emerging about how this can go wrong.

Here’s the short version of what happened.  A host (EJ) rented her home to people who contacted her via Airbnb. When she returned, there seemed to be no end to the damage she encountered.  There were holes in doors and walls, items from shoes to an iPod were stolen, and her whole home was covered in powdered bleach.  They even, allegedly, stole her identity.  Soon after, another victim came forward and told his story of horror.  While these stories are truly awful, they should serve as a strong reminder for companies and users. (Note that the CEO of Airbnb provided this response to these stories.)

Online, we can get lulled into a false sense of security.  We start to think that, because someone signed into a site or set up an account, they must be honest and reputable.  This is why it’s critical to always exercise extreme caution when engaging in person with someone you have only met online.  In the real world, we would never hand over the keys to our house without some serious ID and references and assurances.  The same should be true online.

Here are just a few other ways to help you keep yourself and your home safe and secure if you’re using rental sites like Airbnb:

  • Secure people:  Look for ways that security initiatives have been engaged on the site. Does the site offer background checks for renters, in the same way that SitterCity offers them for caregivers? Does the site separate out those who have been vetted from those who have not?
  • Assurances:  Look for ways the site plans to handle ‘security breaches.’    Does the site have a process for compensation in the event of damage?  Does the site offer or suggest short-term insurance options to cover loss?
  • Organization history:  Tech start-ups can have a brilliant idea, but don’t always build in crisis response mechanisms to help a customer.    Does the site you’re considering have clearly delineated departments for helping users? Is there a helpdesk that responds to your inquiry? Does the site provide an emergency contact number that is available 24/7?
  • Check networks:  It is ideal if you know the person you are renting to and great if you have mutual contacts who can be references.   Since this may not always be possible, does the site provide other mechanisms to allow community vetting?

Like so many other online services, rental sites can offer us convenience and help.  As consumers, we must ask the right questions so that sites also proactively embrace safety and security.

Taking a Moment to Pause With Phone Hacking Scandal

For companies that can be broken if their security breaks (anything from email providers, to cell phone providers), headlines like “Phone Hacking Scandal” should garner special attention. The latest “phone hacking” scandal involving allegations that reporters at News of the World listened to or tampered with voicemails of, potentially, over 10,000 victims, has left many in shock and wonderment. But, as with any crisis, we can use this as an opportunity to take a moment to pause and consider what we can learn from it.

The word “hack” implies that a highly technical break-in into a security system occurred, as in the case of the recent CIA breach. What appears to have happened in the phone hacking scandal is really not a ‘hack’ at all carried out by highly technical criminals.

Reporters, allegedly, used some pretty simple tactics, exploiting voicemail procedures by using them in the way they were supposed to be used. When a customer purchases a new cell phone, a default password is set up for accessing voicemail. Often, it’s a simple 4-digit number such as “1111” or “0000” or the last 4 digits of the customer’s cell number. Unfortunately, most people don’t personalize these passwords once they have the phone. Hence, a stranger can call a cell phone and when the subject doesn’t answer, they can simply put in the standard password for the carrier and gain immediate access to voicemails. Here is some more info on just how all this can happen.

Unfortunately, this isn’t the only way people can get into voicemails. Social engineering, a term now used to denote unethical or illegal practices involving impersonation and manipulation, is a very effective means by which people can gain access to voicemails or information. So instead of hacking into a secure system, the bad guy can simply call the cell carrier’s support center, impersonate an actual cell phone customer, and obtain the password for the voicemail. The customer never knows this happened.

And herein lies an opportunity for cell carriers to pause and consider what types of security mechanisms are in place to thwart the social engineer. For example, consider providing any customer who calls a temporary one-time use password that forces a password change once it is used. Then text and email the customer to inform them of what just occurred in case it was a social engineer who got through all the mechanisms already in place. Also, consider whether two-part security, security that involves what a customer knows and what a customer has, can work for you. With two-part security, a customer would need to provide info to the customer service rep to recover/replace a forgotten password, and then would have to have the cell phone in hand where the reset info is sent. A social engineer who succeeds in one part ends up getting only half the info needed to succeed. Finally, consider whether the default passwords freeze if they are not changed within a certain period of time from purchase.
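To make those suggestions concrete, here is a small carrier-side sketch of a voicemail PIN policy. It is an example added to this post, not any carrier's real code: the `Mailbox` class, the 14-day freeze, the 15-minute one-time PIN and the phone number are all assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

FREEZE_AFTER = timedelta(days=14)     # assumed grace period for a factory PIN
TEMP_PIN_TTL = timedelta(minutes=15)  # assumed lifetime of a one-time PIN


def is_default_pin(pin: str, number: str) -> bool:
    """True for the defaults named in the post: 0000, 1111, last 4 digits."""
    return pin in {"0000", "1111"} or pin == number[-4:]


def _hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Mailbox:
    number: str
    purchased: datetime
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pin_hash: bytes = b""
    on_default: bool = True
    temp_hash: Optional[bytes] = None
    temp_expires: Optional[datetime] = None
    authed: bool = False
    outbox: list = field(default_factory=list)  # stands in for SMS and e-mail

    def __post_init__(self):
        # In this sketch the phone ships with its last four digits as the PIN.
        self.pin_hash = _hash(self.number[-4:], self.salt)

    def _check(self, pin: str, stored: bytes) -> bool:
        return hmac.compare_digest(_hash(pin, self.salt), stored)

    def remote_login(self, pin: str, now: datetime) -> str:
        """Return 'ok', 'change_required', 'frozen' or 'denied'."""
        self.authed = False
        if self.temp_hash is not None and self._check(pin, self.temp_hash):
            fresh = now <= self.temp_expires
            self.temp_hash = None          # one-time: burned on first use
            self.authed = fresh
            return "change_required" if fresh else "denied"
        if self.on_default and now - self.purchased > FREEZE_AFTER:
            return "frozen"                # unchanged factory PIN has expired
        if self._check(pin, self.pin_hash):
            self.authed = True
            return "ok"
        return "denied"

    def set_pin(self, new_pin: str) -> bool:
        """Only after a successful login; factory-style PINs are refused."""
        if not self.authed or not (new_pin.isdigit() and len(new_pin) >= 4):
            return False
        if is_default_pin(new_pin, self.number):
            return False
        self.pin_hash = _hash(new_pin, self.salt)
        self.on_default, self.authed = False, False
        self.outbox.append(("sms+email", "Your voicemail PIN was changed."))
        return True

    def support_reset(self, knows_answers: bool, now: datetime) -> bool:
        """Help-desk reset. The caller is never told the PIN: it goes only to
        the handset (something the customer has)."""
        if not knows_answers:              # something the customer knows
            self.outbox.append(("sms+email", "A voicemail PIN reset was refused."))
            return False
        temp = f"{secrets.randbelow(10**6):06d}"
        self.temp_hash = _hash(temp, self.salt)
        self.temp_expires = now + TEMP_PIN_TTL
        self.outbox.append(("sms", f"One-time voicemail PIN: {temp}"))
        self.outbox.append(("email", "A voicemail PIN reset was requested."))
        return True


def demo() -> list:
    """Constructed walk-through on a made-up number."""
    t0 = datetime(2011, 7, 1)
    box = Mailbox("15555550142", purchased=t0)
    out = [box.remote_login("0142", t0 + timedelta(days=1)),    # inside grace
           box.remote_login("0142", t0 + timedelta(days=30))]   # frozen
    box.support_reset(True, t0 + timedelta(days=30))
    temp = box.outbox[-2][1].split()[-1]   # what arrives on the handset
    out.append(box.remote_login(temp, t0 + timedelta(days=30, minutes=5)))
    out.append(box.set_pin("8391"))
    out.append(box.remote_login(temp, t0 + timedelta(days=30, minutes=6)))
    return out


if __name__ == "__main__":
    print(demo())
```

Someone who talks their way past the help desk gets nothing from the call itself: the one-time PIN lands on the real customer's phone along with a notice that a reset was requested.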

Each company will have to weigh everything from customer experience to ease of use to adoption rates when determining what type of security works best for their user base. Note that many carriers have been working towards these goals and should be commended for their work.

The ability to convert challenges to opportunities can be a major asset for a forward-thinking, security-conscious company. So, take heed of the latest events in the news and pause to reflect on what more can be done to protect the most valuable asset any company has – the trust of its customers.

Summer’s Coming – Be More Than Just a Parent

Though the weather in certain parts of the country doesn’t indicate it, summer really is right around the corner. If you’re like most parents, you have already planned various activities and camps to keep your kids busy this summer. Many from tots to teens will be heading to camp, some will be joining sports leagues and others will be hanging around the house playing video games. Regardless of the summer activity, there will be more down time to consider, time that many kids will spend online, time that they don’t usually have during the normal school year.  Because of this increased free time, kids will be spending more time on their cell phones and other devices.

So, what do you need to do to protect your kids this summer?  The following suggestions are key to helping you to make this a fun and safe summer for your kids.

•    Screen new connections: As your kids meet new people at camp, they will be adding new friends to their networks– calling, texting, and social networking with new people. Talk to your kids about appropriate friend choices and appropriate conversation topics.

•    Set rules: It is a good idea to let your kids know what rules are going to be in place when summer starts. Consider printing out a set of rules that includes the amount of time they are allowed to spend on the Internet each day and a list of acceptable websites they can visit. This will allow you to monitor when your child is online and what websites they visit.

•    Discuss appropriate relationships: As kids head to camp, they’re going to be meeting new adults.  Counselors at camp and sports coaches can be a fun and meaningful part of a child’s experience, but boundaries should be set. After camp is over, kids probably should not communicate with their adult counselors online or via phone.  If a counselor has meaningful information to share with your child, make it clear that that information should go through you first.

•    Withhold necessary information: It is great fun for kids to share travel plans with their friends; however, too much information can be harmful to your child, and, potentially, your whole family.  Kids should not list specific vacation plans online as it signals to everyone in their network that your house will be empty.  And, as always, when children keep their location and plans private, it makes it more difficult for people with predatory motives to find them.  If you must know where your kid is, and are not sure he/she will check in often enough with you, there are software choices for monitoring your child’s smartphone.  Check out Mobile Watchdog for more information.

•    Befriend the Internet: Helping our kids achieve a healthy relationship with technology, namely, the Internet, can do a great deal of good.  Many of us have found that, regardless of the topic, scare tactics don’t work.  We never want our children to become afraid of the Internet.  It is a fabulous resource when used wisely. Showing our children that we trust them to make smart Internet choices helps them to make smart decisions.

•    Lead by example: Make responsible choices with your Internet and handheld devices. And, let your children see you take time away from your phone or tablet or computer to spend time with them. In short, be more than just a parent – be an engaged parent.  Your kids deserve it.

Check back next week for part 2 in my summer blog series. How should parents identify and respond when camp counselors and coaches use the power of social media and other devices to groom a child after camp is over? Stay tuned for next week…

Hackers Unite

The thieves who made off with more than $2.5M from Citibank and caused the bank to issue 100,000 replacement bank cards have highlighted an alarming trend. Hackers are evolving. And, they are organizing and uniting. They even have a Twitter account. Before the advent of the Internet, we called these hackers “robbers” or “criminals” or the “mafia.” However, now that the Internet has provided a way to enter the front door through the digital underground, hacking has evolved into a disastrous enterprise.

I’m seeing the evolution of four kinds of hackers emerging into cohesive groups that we need to pay close attention to.

Mobsters: The hackers who attacked Citibank are probably “mobster” hackers. Mobsters are hackers who are connected to large-scale criminal enterprises bringing new meaning to the phrase “organized crime.” In some cases, crime families are hiring hacking groups to procure log-in information for one site knowing that many consumers today are using the same log-in for their financial sites as well. Citibank seems like a perfect example of this kind of activity.

Taunters: Taunting hackers are just thumbing their noses at anyone who dares to believe they have good online security systems in place. These kinds of hackers are breaking security settings, stealing email addresses, and bypassing firewalls just to show that it can be done, usually to the great embarrassment of the company being preyed upon. The hackers who keep breaching Sony’s systems and the CIA website are most likely taunters.

Activists: Activist hackers seem to have taken a nod from Taunters. While the act of hacking remains criminal, hackers who are breaching security to support a social cause aren’t in it for the money. The hijacking of the PBS website to protest the Frontline story on Wikileaks is a prime example as are the attacks on Visa, MasterCard, PayPal, and Sarah Palin. These are more like sit-ins, road blocks, and Greenpeace protests.

Anarchists: The fourth and final kind of hackers are those who are working to dismantle governments, disrupt the lives of entire populations, or shut down some branch of government. Anarchist hackers may be engaged in what some might call terrorist activities and others might call citizen uproars or even revolutions. (On a side note, when sponsored by nation-states against enemies, they fall under counter-intelligence activities as well. See unleashing worms).

Whenever those destined to engage in criminal activity of any kind begin to unite and organize, good citizens must pay serious attention. Metamorphosis is a dynamic process, and the hacking evolution is no different. As certain groups gain strength and numbers, allegiances will shift and factions will break.

And as they declare war on each other, the good citizens of the world, like you and me, can find ourselves in a heap of collateral damage.