Archive for the ‘Identity theft’ Category

Medical records thefts

Posted: May 6, 2013 by IntentionalPrivacy in Identity theft, Vulnerabilities
Tags: , ,

What is “medical record theft” and why would someone want to steal your medical information? Simple.

The hospital or clinic a person goes to most likely keeps their records on a computerized system called an “electronic medical record” or EMR. What is a thief looking for? Your medical record contains information like your insurance company information, other identity information, financial information, and drug information. The thieves use this information to steal medical services, obtain prescriptions, and maybe even identity and financial information to use in identity theft.

And what if the hospital or clinic shares information with another business partner, such as a consulting doctor?

Recent health care breaches:

  • 780,000 medical records stolen from the Utah Department of Health on April 9, 2012. The article stated that the cyber-hackers were operating out of Eastern Europe.

What can you do if your records are stolen? Here’s what the FTC recommends: http://ftc.consumerdev.org/bcp/edu/microsites/whocares/medicalidt.shtm

The FTC is holding hearings on Medical ID theft.

References: SC magazine http://www.scmagazine.com/id-thieves-find-gold-in-medical-data/article/236302/

Flash!

Posted: February 8, 2013 by IntentionalPrivacy in Browser Vulnerabilities, Identity theft, Vulnerabilities
Tags: , , , , ,

Ok, now Adobe has released a security update for Flash, which applies to Flash versions for Windows, Macintosh, Linux, and Android operating systems, as well as Google Chrome and Internet Explorer browsers.

  • The version you should be running for Windows and Mac is Adobe Flash Player 11.5.502.149.
  • Linux users should update to Adobe Flash Player 11.2.202.262.
  • If you’re using Google Chrome as your browser, it should automatically update to the latest Chrome version. Chrome’s latest version runs Adobe Flash Player 11.5.31.139 for Windows, Macintosh and Linux.
  • If you’re using Internet Explorer 10 on Windows 8, it will automatically update to the latest version of Internet Explorer, which includes the latest version of Adobe Flash Player, 11.3.379.14 for Windows.
  • Android 4.x devices should be running Adobe Flash Player 11.1.115.37.
  • Android 3.x devices should be running Adobe Flash Player 11.1.111.32.

How to keep up with all these security updates? You have several choices.

  • Sign up for US-CERT email bulletins and follow the instructions.
  • Run Secunia PSI and set it to check for updates weekly.
  • Set Adobe and Java to send you updates automatically. Java will ask you questions; make sure you check for any obnoxious add-ons before you click ok.

In the Adobe security bulletin about this Flash vulnerability that you can read at http://www.adobe.com/support/security/bulletins/apsb13-04.html, Adobe recommends that you verify the version of Flash running on your device.

  • To verify the version of Adobe Flash Player installed on your system, access the About Adobe Flash at http://www.adobe.com/software/flash/about/, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
  • To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

New vulnerabiltity discovered in Universal Plug and Play (UPnP)

Posted: February 8, 2013 by IntentionalPrivacy in Identity theft, Privacy, Vulnerabilities
Tags: , , , , , , ,

What is Universal Plug and Play? It is a protocol that allows network devices to talk to each other and it often runs on devices unless it is turned off. I have listed a few examples of devices that might have it enabled, which include such devices as home routers, printers, smart TVs, IP cameras, and home automation systems, but there could be many other types of devices that could have it turned on.

The first thing to check is your home router. How do you find out if your router is vulnerable? Rapid7 is a security research firm that has a free website-based tool that will check your router, available here http://upnp-check.rapid7.com/. Click the button “Scan My Router.” You do not have to install any software. It should take about 30 seconds to run.

If you want to check more than your router, there is a program on that page that you can download and run.

There is also a link to a page listing answers to frequently asked questions as well as a link to a more in-depth, technical explanation if  you’re interested.

A good reason to stop using Internet Explorer …

Posted: January 22, 2013 by IntentionalPrivacy in Browser Vulnerabilities, Identity theft, Privacy, Uncategorized
Tags: , , , ,

A new vulnerability reported at bugtraq on December 11, 2012, has just come to my notice.  The compromise occurs if you visit a website displaying an ad containing the exploit, even so-called safe sites like YouTube or the New York Times. If you have any version of Internet Explorer open on a compromised website–even if the page is minimized or you’re not on the page–your mouse cursor movements can be tracked.

Microsoft’s position as stated in this article http://www.securityweek.com/microsoft-ie-mouse-tracking-exploit-poses-little-risk is that this vulnerability would be very difficult to exploit.

There is a demo of this issue in Internet Explorer at http://iedataleak.spider.io/demo. All I could see displayed was when the CTRL, SHIFT, or ALT keys were pressed; no other keys displayed. I could, however, tell when the browser window was dragged to my other screen. Note: Spider.io has a demo game set up. In order to play the game, they want you to log in with your Twitter account. I do not recommend signing into any site with credentials from Facebook, Twitter, LinkedIn, or any other social media site.

As stated in the article, the demo does not work if the URL is entered into a Firefox web browser.

My suggestion is to only use Internet Explorer if necessary, and to close any browser–IE, Firefox, Chrome, whatever–when you are done using it, especially if it has ads on it.

Don’t let Java run rampant in your browser!

Posted: January 14, 2013 by IntentionalPrivacy in Browser Vulnerabilities, Identity theft, Privacy, Uncategorized
Tags: , , , , ,

Oracle, maker of Java, does not have a good track record for fixing holes in Java. A new Java security hole that apparently targets Java 7 (however, some researchers think it also apparently targets  some versions of Java 6) was discovered recently. What options do you have for fixing the problem?

  1. The safest thing to do is to uninstall Java from your computer. If that’s too extreme, then uninstall Java plugins. KrebsOnSecurity has an article listing how to disable Java in Firefox, Internet Explorer, and Google Chrome, which you can access here https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
  2. If you need to use Java for some sites, then the safest thing to do is to use two browsers and disable the Java plugin for the browser you use most often. For example, disable Java in Firefox and use Internet Explorer for the sites that absolutely must use Java. If you decide on this solution, make sure you keep Java up to date.
  3. Another viable option is to use Firefox with the NoScript plugin, available at http://noscript.net/getit. NoScript allows you to choose when to allow JavaScript to run. NoScript can also block Flash Player, which is another problematic plugin.
  4. If you have a PC, make sure you run Secunia’s Personal Software Inspector available here http://secunia.com/products/consumer/psi/ at least weekly to keep up with any updates available for all of your programs.

This vulnerability affects Macs as well as PCs. Only visiting “safe” sites will not help you avoid this issue.

Oracle released an update to fix this issue last night.

Don’t wait! Save your computer, save your information.

FTC Cellphone PROTECT Initiative

Posted: November 2, 2012 by IntentionalPrivacy in Cell phone, Identity theft
Tags: , ,

The FTC’s new program to help combat cellphone theft started on November 1, 2012. The major carriers–AT&T, Sprint, T-Mobile, and Verizon–have launched databases for stolen smart phones, so when a cellphone user reports that their cellphone has been stolen, that device will not be able to be used again. http://www.fcc.gov/document/announcement-new-initiatives-combat-smartphone-and-data-theft

The FTC advises cellphone users to lock their phones with a passcode to protect any information on their phone, use software to help locate lost devices and either install a remote-wipe application or enable the feature to remotely wipe a stolen device.

If your cellphone has been provided by your employer, look to them for guidance first.

For more information on how to better protect your cellphone, your provider should provide more information. Search their website using keywords such as “lock,” “locate device,” and “remote wipe.”

Here are a couple articles on what to do:

http://www.pcmag.com/article2/0,2817,2352755,00.asp

http://forums.att.com/t5/Apple-Community-Discussion/How-to-SECURE-YOUR-new-iPhone-4S-PLEASE-TAKE-THE-TIME-TO-READ-IT/td-p/3210869

I use Prey at https://preyproject.com/ to track my Mac and Windows laptops. Prey will also work for iOS, Linux, Ubuntu, and Android. While I don’t currently use a smart phone, when I had an Android (company supplied), I tried the Remote Wipe feature provided by our IT department and it worked perfectly. I also used the free version of Lookout for Android.

Barnes and Noble credit and debit card thefts

Posted: October 24, 2012 by IntentionalPrivacy in Identity theft
Tags: , ,

Thieves hacked into Barnes and Noble credit card swipe machines to steal credit and debit card data. According to http://abcnews.go.com/WNT/video/barnes-noble-customer-credit-card-info-stolen-17557470 B&N has removed all swipe machines from their stores nationwide.

This is not the first time such a theft has occurred. Last year, Michaels crafts stores were hit by a similar scam.

The FBI is investigating.

Newer Entries