Tech Tuesday: Online Security Begins with You

We have barely begun 2016, and already a potential data breach has surfaced. This time the target is Time Warner Cable, and even the company is not sure whether any data has been compromised.

Time Warner Cable (TWC) reported that email and password details were “likely gathered” either through “malware downloaded during phishing attacks” or indirectly through “data breaches of other companies” storing customer data. However, as there is no definitive indication that any systems were breached, it is impossible to determine how the personal information of possibly 320,000 TWC customers was obtained, if at all.

Sounds confusing? Well, yes, it is.

Setting aside the ambiguity of the story TWC gave Reuters, it is particularly unsettling to read how this data may have been obtained: through “malware downloaded during phishing attacks” or indirectly through “data breaches of other companies” storing customer data. “Phishing” was considered a new term back in 2007 or 2008, but in 2016, nearly a decade later, a company like TWC should be familiar with phishing, how it works, and what to look for in a suspicious email. As for the claim of data breaches at other companies, vendors have a responsibility to know the security measures of the third parties that hold their customers’ data. We trust businesses with our data. Without that trust, transactions cannot happen; and while corporations appear constantly concerned with the “bottom line” and cut corners where they can to maximize profits, security is something neither corporation nor clientele can afford to skimp on. You get what you pay for, and security, if anything, should be a priority item.

The lesson we as individuals can take away from this corporate kerfuffle is that we all need to remain vigilant about protecting our personal information. Identity protection begins with us. While hackers are growing more sophisticated in their social engineering and phishing methods, we can do far more to protect ourselves.

From Above the Law, a blog covering the realities and business side of the legal profession, comes a rather disturbing story of a phone call made by a professional who should know something about the importance of sensitive data. On the Acela train between D.C. and New York, the managing partner of a prominent law firm called an up-and-coming lawyer to present them with a potential job offer. The terms of the offer were as follows:

  • Base compensation: $300K in the first year.
  • Additional compensation: $50K upon bringing in $1MM; 15 percent of anything over $1MM.
  • Equity: Possible equity in the partnership after one year.

This partner then proceeded to call his firm’s Human Resources department to provide the candidate’s full name and home address.

All this had been clearly overheard by the Above the Law tipster, along with a full-to-capacity Acela express train.

That was five years ago, as the date on the article shows, which might prompt you to say, “We’ve come a long way since 2011.”

Have we?


Take a look at these passwords, which SplashData compiled just last year from passwords exposed in data leaks:


  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. 123456789
  7. 1234
  8. baseball
  9. dragon
  10. football
  11. 1234567
  12. monkey
  13. letmein
  14. abc123
  15. 111111
  16. mustang
  17. access
  18. shadow
  19. master
  20. michael
  21. superman
  22. 696969
  23. 123123
  24. batman
  25. trustno1

This list was compiled in 2015 and ranks the passwords by their popularity in 2014; we are still waiting for SplashData to report the preferred passwords for last year. Perhaps we have learned a few things since then, but there are some things we as consumers and users of modern conveniences can do better:

  • Limit the amount of information shared on social networks. Use common sense. Think about what information you want to share and who you are sharing it with, and always assume that people outside your trusted circle will see it too. Then decide whether you want to post it.
  • Avoid private discussions in public places. Again, there is no “private” in public places. Voices carry, and when you share personal data during a phone call, your voice carries a lot more than just words.
  • Avoid sharing sensitive data on public Wi-Fi networks. Many free networks remain unsecured, giving hackers easy access to your computer for data mining. Online exposure is not the only vulnerability, though. Keep in mind that people can inadvertently listen in on a phone call or watch your laptop screen from a distance.
  • Tell your friends and business associates what is and isn’t permissible to share in public. While you can do a lot to protect yourself online and in the real world, you should also let your friends, family, and co-workers know what you deem “private.” If they don’t know, what they perceive as a harmless photo on Facebook or a detail shared over the phone could cross a boundary or two.
  • Know how to recognize a phishing scam, especially on social media. If an email is not personalized to you (legitimate emails from Amazon, Chase Bank, and PayPal address you by name, not as “Customer” as many spoof mails do), if it is personalized but does not come from the right return address (for example, I received a personalized mail from Amazon, but the return address was from a domain that is not Amazon’s), or if it just doesn’t look right, it is SPAM. Avoid online quizzes, especially on Facebook: “What Is Your Most Used Word” or “What Star Wars Character Are You?” quizzes ask for authorization to mine your accounts, a treasure trove for hackers.
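The two phishing checks described in the last bullet, a generic greeting and a sender domain that does not belong to the brand the message claims to be from, can be automated over raw email headers. This is an added example, not code from the original post; the brand-to-domain table and the two sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: which sender domains each brand legitimately uses.
# A real deployment would maintain this list from the brands' own published senders.
EXPECTED_DOMAINS = {
    "amazon": {"amazon.com"},
    "chase": {"chase.com"},
    "paypal": {"paypal.com"},
}

# "Dear Customer", "Hello user", "Hi valued customer" at the start of a line.
GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|user|member|valued customer)\b", re.I | re.M
)

def sender_domain(msg):
    """Domain part of the actual From address (not the display name)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def claimed_brand(msg):
    """Brand named in the display name or subject, if any."""
    display, _ = parseaddr(msg.get("From", ""))
    text = (display + " " + msg.get("Subject", "")).lower()
    return next((b for b in EXPECTED_DOMAINS if b in text), None)

def phishing_indicators(raw):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    brand, domain = claimed_brand(msg), sender_domain(msg)
    # Exact match or a subdomain of an expected domain; "amazon.com.evil.test" does not pass.
    if brand and not any(domain == d or domain.endswith("." + d) for d in EXPECTED_DOMAINS[brand]):
        findings.append(f"claims to be {brand} but From domain is {domain!r}")
    body = msg.get_body(preferencelist=("plain",))
    if GENERIC_GREETING.search(body.get_content() if body else ""):
        findings.append("generic greeting instead of the recipient's name")
    return findings

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: "Amazon Support" <alerts@amazon-account-verify.example>
Subject: Your Amazon order

Dear Customer,
Please confirm your account details.
"""
SAMPLE_LEGIT = """From: "Amazon.com" <no-reply@amazon.com>
Subject: Your Amazon order

Hello Jane,
Your order has shipped.
"""
```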

While we have come a long way over the years in protecting sensitive data from hackers, this does not mean we should become lax in our vigilance. Corporations are still learning that, and we should demand more from them in security as well as more from ourselves. A little common sense and a moment spent considering how much you are sharing with the public can go a long way toward protecting yourself, your privacy, and your identity.

Stratford University, in association with Key Cybersecurity, is offering CISSP, CISA and CEH training and certification courses at many of its Northern Virginia campuses. We will be providing students hands-on experience with state-of-the-art security solutions such as HeurekaCyber’s Cyber Armor. Join us at http://www.stratford.edu/cyber in becoming the first line of defense in cybersecurity.

