Tag Archives: Tony Anscombe

Fake IRS claims: What happens when data falls into the wrong hands

Over the past 18 months we have witnessed monumental data breaches affecting tens of millions of users. As consumers, though, do we worry about what happens to our leaked data? Are attackers aggregating it with other sources? Are they applying for credit in my name or even using medical services?

We should be concerned, and the latest disclosure from the I.R.S. demonstrates what can be done when attackers gain access to our valuable personal information. Using Social Security numbers, dates of birth, home addresses and other personal information, cyber criminals have accessed over 100,000 past tax returns.

Once they have the past return, they can file a new return with new data including the refund destination account. As a result, the IRS issued $50 million in refunds before detecting the intrusion method.

Fraudulent tax claims are nothing new to the I.R.S. In 2013 the agency paid out a massive $5.8 billion in falsely claimed refunds. IRS spokesperson, John Koskinen, said “These are extremely sophisticated criminals with access to a tremendous amount of data.”

Cyber criminals have amassed a huge amount of data through the many data breaches but also through our own propensity to share our data without due consideration. The IRS has successfully put a stop to this particular form of attack, but with so much data available, it’s only a matter of time before the bad guys work out another way to make fraudulent use of it.

 

What can you do to protect against identity theft?

Avoid Cold Calls: If you don’t know the person calling then do not hand over payment or personal details. If in doubt, hang up and call the organization directly to establish you are talking to legitimate operators.

Set privacy settings: Lock down access to your personal data on social media sites; these are commonly used by cybercriminals to socially engineer passwords. Try AVG PrivacyFix, it’s a great tool that will assist you with this.

Destroy documents: Make sure you shred documents before disposing of them as they can contain a lot of personal information.

Check statements and correspondence: Receipts for transactions that you don’t recognize could show up in your mail.

Use strong passwords and two factor authentication: See my previous blog post on this, complex passwords can be remembered simply!

Check that sites are secure: When you are sending personal data online, check that the site is secure. There should be a padlock in the address or status bar, or the address should have ‘https’ at the start. The ‘s’ stands for secure.

Updated security software: Always have updated antivirus software as it will block access to many phishing sites that will ask you for your personal data.

 

If you believe that you have been affected by a data breach, be sure to take out any identity protection service offered to you as compensation. These services scour the Internet looking for your data being misused or sold.

 

You can follow me on twitter @tonyatavg

Title image courtesy of dineshdsouza

Has a plane been hacked mid-flight?

The FBI is investigating Chris Roberts, a security researcher, who claims to have taken control of an aircraft in midflight and made it drift sideways by controlling one of the engines. All this from a passenger seat and a connection through the entertainment system located under a seat.

Chris Roberts, who has demonstrated hacking many devices at Black Hat conferences, denies the claim and has tweeted

 

According to a recently published article on APTN, a Canadian news outlet, the FBI has interviewed Roberts a number of times. According to the article Roberts claimed he took control of an aircraft

Just one month ago, a GAO report warned of a vulnerability on aircraft where they claim that the avionics could be accessed through the entertainment system as they are connected through a common infrastructure. The GAO report was widely disputed by many industry experts as I detailed in a previous blog post.

This second incident has made me revisit the topic and makes me question whether or not I will be safe on my next flight. Once again, my conclusion is that I am. Here’s why:

  • The original conclusion that the two networks are not connected was based on expert commentary from Dr. Phil Polstra, a qualified pilot and professor of digital forensics at Bloomsburg University.
  • There is speculation that newer aircraft, specifically the Boeing 787 Dreamliner, may have a single onboard network, but experts say that even on these aircraft the flow of data is one way, from the cockpit to the passenger network, and that no traffic can flow in the opposite direction. This has been a speculative issue for the last 7 years; see this Fox News story.
  • The aircraft that Roberts reportedly hacked was ‘older’ and had the standard of separate networks for Avionics and Entertainment, which would imply that the hack may not have happened at all and may have just been a bit of bragging.
  • Since this story took to the mainstream press last month, I am certain that manufacturers of aircraft have tested and re-tested the security of the avionics systems and, if necessary, made the required changes. In fact, Roberts may have made the systems even more secure with just the rumor of a hack.
  • Lastly, aircraft are fitted with the ability for the pilot to take manual control and fly by wire; this is done through a disconnect switch in the cockpit. In the remote possibility that someone did manage to mess with the avionics, I would trust one of the pilots to take control.

 

While there may be doubt, speculation and differing views, there are many other systems that could potentially be hacked to disrupt a flight, such as air traffic control systems or satellite positioning systems. These could be attacked from the ground and not require a hacker to be on board. It seems far more likely to me that these would be the target of a person with malicious intent.

Will I be boarding an aircraft soon? Yes, next week. If the person sitting next to me gets out a screwdriver and starts taking his seat apart to access network cables, I will call the crew over and ask them to inform the pilot. I trust you will do the same.

Man so enraged he shoots his computer!

Last week a man in Colorado sparked police action for shooting his computer eight times after becoming frustrated with it malfunctioning. He was detained for discharging a firearm in the city.

“He was having technology problems, so he took it to the back alley and destroyed it” a police spokesman said.

The article in The Gazette amusingly says that “he got tired of fighting with his computer for the last several months”.

I wonder how many of us would like to seek revenge on our computer or device by taking it outside and destroying it. I recently could have done this to my home printer that for some weird reason would no longer connect as a Google Cloud Printer.

The good news is that keeping your computer running quickly and smoothly is not a difficult task. I’ve outlined five tips below that should help keep you from losing your temper with your device!

  1. Run a full system scan to ensure your machine is clean; simple instructions for this are here.
  2. Ensure that you have up-to-date Anti-Virus software. Not only does it need to be installed, it also needs to be active and updated. You can download AVG Free Anti-Virus from our website.
  3. Test the configuration of your security software to ensure it is performing the way you expect it to. A simple way to do this is to run the Security Features Check on the AMTSO website.
  4. Once you’re confident the machine is ‘clean’, download and install a performance-enhancing product. There are many on the market and you need to make sure that you choose one that is not snake oil; you can easily check this through third-party awards and reviews. I, of course, recommend AVG PC TuneUp; you can download a trial version here and also check out the independent reviews listed there.
  5. Once downloaded and installed, there are some automated tasks that you will be prompted to do; I would recommend supplementing these with the following

 

Hopefully the above will keep you from resorting to taking up arms and destroying your machine. I do understand the frustration though and I am sure shooting the PC felt good at the time.

 


You can now download your Google Search history

When it comes to significant historic events, we can all remember where we were when we first heard the news. I can remember where I was on 9/11 and when man landed on the moon but can you remember what you searched for on the 29 November 2012?

Chances are you can’t, but it’s now possible to find out.

Search engines like Google can collect vast amounts of data about us that can be used to build a profile of our interests, hopes, fears and activities. Imagine everything you searched for being stored and later analyzed.

College years, holidays, medical conditions, online dating, buying a car, having children or just my news preferences are all there in the keywords that I use when searching for content.

Is there any need for either you or anyone else to have this personal view into your life?

Two years ago, I switched off storage of Google search history with no noticeable effect on my ability to find things. On the other hand, I am sure it’s inconvenienced a couple of companies that would love to target me for advertising.

Google recently announced the ability to download your entire search history, which if you have a Google account is collected by default. This is a little known feature that comes with a forewarning about the sensitive nature of the data.

Data Warning

 

If the data is so sensitive then why was there no warning that someone was collecting it to start with? Maybe it should be an optional feature that I could choose to switch on?

I recommend that you make a conscious decision on whether someone needs to be collecting this or whether you feel that you may need this for some reason in the future (if you can think of one please let me know).

Changing the history storage options is in your Google account settings in the ‘Account Tools’.

Account Tools

 

Selecting Account history then opens a screen that allows you to control not only search history but also voice searches, YouTube videos searched for or watched and even the location data that you may be storing. While on this page, be sure to review what history you are willing to share and make the appropriate selections as necessary. As you can see, I have selected to switch off all collection of my history.

Web history

 

Then there is the management of all the historic data, it might be amusing to go back and look at what you were browsing for before you remove it. This might just highlight to you the need to manage what is collected!

Account history

 


Can a plane be hacked and controlled through inflight Wi-Fi?

A number of leading publications jumped on the report and within hours, it had become a viral sensation.

Like most, when I first saw the article I had a brief moment of serious concern, especially as I travel frequently on business. On reflection, I decided to investigate further, as there is extensive regulation and compliance in the aircraft industry.

We have seen many industries struggle with security as more services move to digital and connect to the Internet of Things. One example is the medical industry where devices handle sensitive data. This article in The Atlantic gives a great summary of the points.

So based on what we’ve seen in other industries, would a vulnerability on an aircraft seem farfetched? Probably not.

However, as I mentioned, aviation is a highly regulated industry with security standards and safety at its core. It would therefore surprise me if someone left the backdoor open and the aircraft’s avionics were accessible through the Wi-Fi.

The following diagram is probably what made this report go viral.

Plane Wi-Fi

 

The government report and its diagram may be highlighting an area of concern but according to Dr Phil Polstra, as stated in a Forbes article ‘The GAO report was put together by people who didn’t understand how modern aircraft actually work’.

Based on Dr Polstra’s comments and his credibility as an expert in this area, I think we can rest assured that the frightening nature of the article that went viral is a false alarm. The real risk here is someone publishing a report when they may not have fully understood the subject matter.

I will be getting on a plane soon and will not be concerned that the person in the seat next to me might be hacking the flight system. However, if they could adjust the temperature and lighting around my seat, that would be useful.


Title image courtesy of ArsTechnica

Is our data ready for the wearable health revolution?

This week MEF issued a report on the use of wearable devices in the health sector, both relating to personal consumption and also when recommended or used by health professionals.

According to the report, “the global health and fitness app market is currently worth $4 billion, and is predicted to be worth $26 billion by 2017”. This means that we’re going to hear a lot more about health wearables in the future.

The biggest selling point for wearables is their convenience. They can passively track our activity, pulse and other vital data points that allow us to make health and lifestyle decisions.

Imagine a future where a patient that needs frequent monitoring for diagnosis can go about their daily routine while a wearable tracks and transmits their data back to the doctor for analysis.

This remote diagnosis is potentially an incredibly simple way to provide doctors with the information they need without waiting time, travel time and consultation time.

There have been some very interesting developments in this area over the past year as well, from Google researching contact lenses that measure blood sugar to the use of wearable camera technology in surgery so that a remote surgeon can assist.

MEF’s report also showed that the adoption of wearable technology in health is lower in Western countries and some of the lowest is seen in Germany and France.

I believe that patients in these countries are more aware of data security and privacy risks having seen many data breach stories in the news over the last few years.

Trust and data security are fundamental to the success of mHealth. Wearables are blurring the lines between recreational and medical data.

By law, medical data needs to be encrypted and authenticated (HIPAA in the USA, for example), but recreational data as captured by most wearable devices does not.

Moreover, manufacturers of wearable fitness trackers and other activity monitors are not operating in a regulated market and companies could be using this data in ways that we neither agree with nor understand (even though it may be in their policy documents).

If commercial companies are to hold data that we really only expect medical companies to hold then maybe the regulations should apply to them as well.

While it may be boring, I would recommend reading the privacy policy and terms of use of anything collecting what is very personal and sensitive data and making a choice on whether you want to share this data.

Is Hotel Wi-Fi Safe?

Recently, a new authentication vulnerability was identified in the firmware of routers that are used in hotels around the world.

This means that new files can be written to the routers and then potentially all connected machines (meaning hotel guests) could become infected.

Public Wi-Fi is not a new risk as these networks are unencrypted and send all your data in clear text, unless of course the web site you are visiting offers encryption.

Why does it matter that your data is unencrypted? Imagine all your regular post arriving at home written on postcards so that anyone in the delivery chain could read them. It would be a huge invasion of your privacy and unacceptable.

The risk is similar, but you just can’t see that it was all sent for others to read, should they be so inclined.

Stay safe while using public Wi-Fi

  • When using public Wi-Fi in cafés, airports, hotels or even when visiting a place of work that has guest Wi-Fi, you should always be cautious about which services you use while connected.
  • Where possible, use a virtual private network (VPN). This will encrypt the data being sent over the public Wi-Fi network that you are connected to or, put another way, it will put your mail back in envelopes.
  • Many scammers set up fake Wi-Fi networks to conduct what is known as a man-in-the-middle attack. If you are in a hotel or airport, make sure you are using the legitimate free Wi-Fi service.

For more tips on keeping your data safe while using public Wi-Fi, check out the infographic below.

WiFi

A lesson in online identity

This week I noticed two news stories that brought this advice to mind.

The first involves the popular dating app Tinder, where a developer exposed a serious security flaw to trick men into flirting with each other, thinking they were talking to a woman.

I am sure you can imagine the type of messages that went back and forth and the anger when men realized that they were talking to other men looking for women.

The developer claims that he created the hack to highlight the harassment that women often face on dating apps.

The second story is rather amusing but also very serious: a convicted fraudster escaped from prison by tricking prison officers with a fake bail email.

Using a mobile phone, Neil Moore created an email account belonging to a fake domain closely resembling the court service’s official address. He then emailed the prison’s custody inbox with instructions for his release.

Authorities only noticed Moore was missing three days later when lawyers turned up to interview him. Fortunately, he later turned himself in and was charged with “escape from lawful custody”; the judge described the behavior as ‘ingenious’ criminality.

There’s a chance that you’ll think these stories are quite amusing, which of course they are, but both have different but serious consequences.

When we communicate with others online it’s important that we validate them in the same way we would in real life. We scrutinize people’s behavior and appearance to make an informed decision on trustworthiness and character.

You of course can’t look someone in the eye on the Internet, so it’s doubly important to scrutinize their credentials (email addresses, user names etc) and their behavior (what they are asking of you and what they claim).

Perhaps that’s a lesson that the folks at Her Majesty’s Prison Service could do with learning.
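The credential check described above can be partly automated for an inbox that should only take instructions from known senders. The following is an added example, not code from the original post: the allow-listed domain `courts.example.gov`, the substitution table and the distance threshold are assumptions chosen for illustration, and the sample headers are constructed.

```python
from email.utils import parseaddr

# Hypothetical allow-list; a real one would hold the organisation's own domains.
TRUSTED_DOMAINS = {"courts.example.gov"}

# Characters commonly swapped so a domain looks right at a glance (assumed table).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "-": "", ".": ""})


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which visually similar spellings collide."""
    s = domain.lower().rstrip(".")
    s = s.replace("rn", "m").replace("vv", "w")
    return s.translate(_CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'invalid' for a From header."""
    _, address = parseaddr(from_header)
    local, at, domain = address.rpartition("@")
    if not (local and at and domain):
        return "invalid"
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    candidate = skeleton(domain)
    for good in trusted:
        reference = skeleton(good)
        # Near-identical spelling, or the trusted name embedded in a longer domain.
        if reference in candidate or edit_distance(candidate, reference) <= max_distance:
            return "lookalike"
    return "unrelated"


# Constructed sample headers, not taken from any real message.
SAMPLE_HEADERS = [
    "Custody Desk <release@courts.example.gov>",
    "Custody Desk <release@courts-example-gov.com>",
    "clerk@c0urts.exarnple.gov",
    "news@weather.example.org",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):10} {header}")
```

A `trusted` result only means the From header names an allow-listed domain; whether the message really came from that domain is what SPF, DKIM and DMARC checks establish.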


Can These Glasses Protect Your Identity?

What are invisibility glasses?

Developed by AVG Innovation Labs, the glasses help protect your visual identity in the digital age.

Through a mixture of technology and specialist materials, privacy wearables such as invisibility glasses can make it difficult for cameras or other facial recognition technologies to get a clear view of your identity.

For more information on AVG’s Invisibility Glasses check out this blog post.

How safe are one-time passwords?

Most people have dozens of passwords, for dozens of online accounts. At times it can be tricky to remember them all, as best practice says they should all be slightly different.

If you’re one of these many people, Yahoo’s recent announcement may get you excited. Earlier in March, Yahoo revealed an innovative idea that would mean we never have to remember a password again.

The concept is very simple. Once you select one-time passwords in your account settings, the next time you log in Yahoo will send a password to your phone via SMS that you can use to log in.

While this seems very convenient, is it secure?

Generally speaking, there are three types of authentication in use today:

  • Option A: ID and Password
  • Option B: ID, Password, Verification Code (using SMS)
  • Option C: Two Factor authentication using ID, Password and another device providing a unique password

The Yahoo solution seems to be halfway between the least secure, Option A, and Option B.

Sending a password on demand to a device is a step in the right direction, but there may be other security risks involved when transmitting data over SMS and to a potentially unprotected device.

The phone may not have a passcode and could be infected with malware that reads the SMS. This could mean the email account and all the data inside gets compromised.

If you do want to enable one-time passwords, I would recommend you have both of these: a passcode and AVG AntiVirus for Android on the phone to keep yourself protected.

 

What would I do differently?

Using the mobile device to add another layer of security is a smart idea as most people have one. Most of us also use apps regularly and if you’re a Yahoo user then you probably have the Yahoo app.

I would change the delivery method of the password from SMS and instead deliver it, in an encrypted format, via their own app.

On top of this, the Yahoo app with one-time passwords enabled should require the device to have PIN security.

This would mean that an attacker would need the ID, the phone and the PIN in order to access the account. The app could even go further and check for the presence of an Anti-Virus product to ensure that it’s being scanned regularly.

It could be that there are currently technical limitations with one-time passwords, and that in the future we’ll see a much more secure and comprehensive process.

My top advice right now though is if you’re going to use this service then be sure to have a security app and a PIN on your phone so you can help ensure that the password is being sent to a secure device.
