Why Won’t Adobe Flash Die?

Adobe just released another large Flash update that includes 19 patches.  One of the patches is for a zero day vulnerability that Adobe says is being exploited in the wild.  This brings the patch total for 2015 to a little over 300.

I made a decision a couple of months ago to disable Flash in Chrome and Firefox, the two browsers that I use, just to see what the impact would be.

First, I like the way Firefox handles it better than Chrome.  Firefox gives you three options – enable, disable or ask me.  Chrome does not have the last one, so if you disable Flash and you go to a web site that needs it, your experience is that the page seems to hang.  Not very friendly.  In Firefox, you get a prompt asking whether you want to activate it and, if you do, whether to activate it just once or always.  I really like the friendliness of this approach.

In reality, very few sites have stopped working.  What I really miss is those ads with dancing bears.  NOT!  Those don’t appear.

So my suggestion is to install the update, but set it to not run automatically.

Oh, wait, I forgot.  If you are one of the 12 people who still use Internet Explorer, it appears that you are out of luck.  I’d change browsers.  From Windows 8 on, Microsoft has integrated Flash into IE so there is no way to disable it.  It will get updated by way of Windows Update, so at least that is good, but there is no way to protect yourself from zero day attacks.  Just one more reason not to use Internet Explorer.

So, the Flash saga continues.  Until a large percentage of the user base disables Flash, advertisers (and the malware inside the advertising) will continue to use Flash to attempt to infect your computer.  Join the revolution and disable Flash.

To disable Flash in Firefox, open Firefox, type about:addons and select Ask To Activate next to Shockwave Flash.

To disable Flash in Chrome, open Chrome, type chrome://plugins and uncheck the Flash plugin.

To see what version of Flash you have installed, go to http://www.Adobe.com/software/Flash/About .

Information for this post came from KrebsOnSecurity.

Healthcare Ranked #1 – Most Records Breached

This is the time of year for lists.  In this case, the healthcare industry is probably not happy about coming in #1.  IBM has named 2015 as The Year Of The Healthcare Breach, with 34 percent of all records breached being healthcare related.

In just the first half of the year, over 100 million healthcare related records were compromised.

The cyber security universe has focused a lot of its energy on fixing credit card related fraud.  While this is good, it is only solving a very small part of the problem.

An indication of this is that the price of credit card data on the dark web is down dramatically.  Part of this is due to the fact that the credit card industry has improved its ability to detect fraudulent use, but part of it is also due to the fact that there are so many stolen card numbers on the market that there are not enough crooks to use them.

So what is an enterprising information thief to do?

Healthcare records can sell for 50 TIMES what a credit card record sells for on the black market.  Partly this is due to the fact that the insurance industry, both private and government, has not done a great job at cracking down on fraudulent use of healthcare information, but part of it is due to the fact that you cannot change your healthcare information if it gets compromised the way you can change your credit card number.  As a result, the useful life of fraudulently used healthcare information is measured in years, unlike credit cards, where it is measured in days and weeks.

So now we know that healthcare breaches are bigger than credit card breaches, but what is bigger than healthcare breaches?

In my opinion, it is the theft of intellectual property.  This includes employees who leave a company and take customer files, proposals, and other IP as well as people who steal it for financial benefit.

Only occasionally do we get a glimpse of the size of this business, and that is usually by accident.  For example, last month when the attackers who stole customer information from J.P. Morgan Chase were indicted, we got a peek.  Remember, there was no bank account or credit card data in that theft.  Still, according to the U.S. Attorney, the attackers made hundreds of millions of dollars.  They did this by trading on inside information – theft of intellectual property.

And, for the most part, there is no law that requires that the theft of intellectual property be disclosed.  That assumes the company even knows that it has been stolen.  After all, there is no credit card company or insurance company looking for the use of stolen intellectual property.  And the company still has its data.

Personally, I think that theft of intellectual property dwarfs all other forms of data theft.  And we are not spending a lot of effort stopping it.  China and other countries are masters of it.  By stealing, for example, the plans for the F-35 Joint Strike Fighter, China saved tens of billions of dollars.  First, they don’t need to spend the R&D dollars to develop, for example, new engines – they just copy what we did and second, they don’t need to buy those engines from us – costing us billions in business.  And, they take our technology and sell engines built with it to other countries, reducing the market for our engines – costing us even more money.

This is just a very obvious and large scale example, but on a much smaller scale, if a competitor learns your business methods, they don’t have to develop them themselves and will compete with you using your own processes and technology.  Or try to steal your customers away from you.  You get the idea.

So while healthcare is #1,  there is a hidden #1 that we are not even talking about.

Just sayin’.

Information for this post came from HITECHanswers and BreakingDefense.

Your Voter Information Available Online

Databreaches and other sites are reporting that a database of 191 million voters is available publicly online.  As of this morning, after a week of trying to track down the owner of the database, the owner is still a mystery.  191 million is likely the number of registered voters in the United States.

Depending on the state, voter information may be unrestricted (such as Colorado) or confidential (such as California), free or very expensive to buy.

So what is in this database?

Besides your first and last name, it includes your home and mailing addresses, date of birth, gender, ethnicity, party affiliation, the date you registered to vote, your email address if you provided one, your state voter ID, whether you are a permanent absentee voter, whether you are on the do not call list, whether you voted in each primary and general election since 2000, and other information.

Political campaigns are big data wonderlands.  Some of the lists include whether you are a gun owner or pro- or anti-abortion, whether you are likely to vote a straight party ticket or not, or stuff like that.

During campaign season, when you get a phone call asking you about your thoughts, the reason is so that they can fill in the blank fields in their database and sell it to campaigns.

Technically, this is not a breach – at least for residents of some states.  For other states it might be.  The companies that sell this data are probably not thrilled that anyone who can find it can download it for free.  One firm charges $270,000 for a single copy of the database.  If it is free, it could, kind of, cut into their revenue stream.

Obviously for some people, having their home address, phone number and other information publicly available – like police officers, attorneys, public defenders and activists – could put their lives in danger.

However, that genie is out of the bottle now.  If you are in the group for whom this is a life safety issue, you should be on alert, because at this point we have no idea how long the data has been exposed, who has downloaded it or how it has been shared.

I guess it is good news that the database does not include social security numbers, driver’s license numbers or credit card information, but that doesn’t make me sleep a whole lot easier.

However, until Congress decides to do something about it, for the most part you have no control over this.  An individual state legislature – as California has done – can set rules on the use of this data.  The California AG, the NY FBI office and the Internet Crime Complaint Center have all been notified.  It is just not clear if this is a crime.

As of right now, the database is apparently offline.  Too little, too late.

A complete list of fields is available here.

Information for this post came from Chris Vickery, who discovered this glitch and Databreaches.

Merry Christmas – Is Your Child A Victim of Identity Fraud?

Now that Christmas has come and gone and your kids are actively playing with their new goodies, have you considered protecting their identities from fraud?

Two recent breaches bring the subject to the forefront.  VTech Holdings, the Hong Kong based toy maker, offers an app store called Learning Lodge and a messaging system called Kid Connect.  In November, after a journalist told them they had been hacked, they said that information on almost 5 million adults and 200,000 kids had been taken.  A few days later they revised that to 6.4 million kids.

This month, the toy maker Sanrio, who makes the Hello Kitty line of toys, among others, was hacked and exposed information on over 3 million customers.

In both cases the data was not encrypted, although since we don’t have details of the attacks, we do not know if encryption would have helped.  In the Sanrio case, users’ passwords were not encrypted – and that, we know, is a problem.
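To make the Sanrio point concrete, here is an added illustration (not code from VTech, Sanrio or the original post) of the difference between storing a password as-is and storing it as a salted, slow hash; the user record is constructed for the example.  Note that the hardened form is hashing, not encryption: nothing in the database can be turned back into the password, which is the property you want when the database is the thing that leaks.

```python
import hashlib
import hmac
import os

# Constructed sample credential; not data from either breach.
SAMPLE_PASSWORD = "hello-kitty-2015"


def store_plaintext(password: str) -> dict:
    """The failure mode in the Sanrio case: the password is kept as typed,
    so a database dump hands every credential straight to the attacker."""
    return {"password": password}


def store_hashed(password: str, iterations: int = 200_000) -> dict:
    """Hardened form: per-user random salt plus a deliberately slow,
    one-way key derivation (PBKDF2-HMAC-SHA256 from the standard library).
    The salt makes identical passwords hash differently and defeats
    precomputed tables; the iteration count slows offline guessing."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_hashed(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # compare_digest avoids leaking a timing signal on mismatch.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def leaked_password_is_readable(record: dict) -> bool:
    """What a dump reveals: True if the stored field is the password itself."""
    return "password" in record


if __name__ == "__main__":
    weak = store_plaintext(SAMPLE_PASSWORD)
    strong = store_hashed(SAMPLE_PASSWORD)
    print("plaintext record readable:", leaked_password_is_readable(weak))
    print("hashed record readable:   ", leaked_password_is_readable(strong))
    print("correct password verifies:", verify_hashed(strong, SAMPLE_PASSWORD))
    print("wrong password verifies:  ", verify_hashed(strong, "hello-kitty-2016"))
```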

So why are kids especially vulnerable?  Because attackers know that parents do not look for identity fraud for their kids.  If someone assumes your kid’s identity, it is likely that you will not discover it.  In theory, an attacker cannot open a credit card in your kid’s name if your kid is under 18.  In theory.  There are plenty of other kinds of fraud to consider.

In fact, according to the Tech Times article:

If an adult looking into getting a “free ride” for a few days, months or, worse, years, is able to obtain that clean slate and claim it as theirs, they can start using your child’s information to mask their own identities. They wouldn’t have much of a problem with getting caught too soon unless the parent decides to check up on their child’s record and discovers the anomalous activity.
The affected child could wake up many years later as an adult prepared to lead a responsible life only to find out they already have a bad credit score and incurred a huge debt.

For parents, this means monitoring what your kids are doing online, checking their credit reports and generally being observant.

Just in case you think I am a member of the tin foil hat crowd, I am.  By the way, MIT did some research and discovered that for certain radio wave frequencies, tin foil hats actually increase the amount of radio waves absorbed, but I digress.  A quick Google search shows that even the Federal Trade Commission has a page on child identity theft (see here).

So while your kids play with their new toys, now is the time to start training them about identity theft.

Information for this post came from Techtimes and CNBC.

The Weakest Link

The Nasdaq posted an article on their web site from Dow Jones that talks about the big banks’ fight against hackers and malware.  While the article quotes the Association of Corporate Counsel statistic that 30% of data breaches are due to employee error, I think that number is significantly understated.

While this article is about banks, it is equally applicable to every other business.

Here are some tidbits about what the big banks are doing and you might consider:

  • J.P. Morgan Chase sends out fake phishing emails to its employees periodically.  A few weeks after they were hit with an insider breach that compromised more than 75 million records, they sent out a test phish.  20% of their employees fell for the email.  Chase is not disclosing what they are doing about it.  They did announce that they will be spending about $500 million on cybersecurity this year.
  • Chase is now PROHIBITING employees from using their work emails for personal use such as registering on shopping sites or social media.  This is a big turnaround from just a few years ago when those policies were relaxed.  Of course, at most companies, if I know your name, I can figure out your email because email addresses are standardized.  If I work for Chase, I can’t have my email address be BigRedTruck@Chase.com .  The only time there is any question about what my email would be at most companies is if there are two people with exactly the same name.  If companies used accounts like mt473251@myco.com and kept their directories as private as possible, they would at least make phishers work a little harder.
  • Bank of America’s CEO Brian Moynihan said that their cybersecurity budget is effectively unlimited and they are increasing their focus on employees.  He said that they are hard on their employees – they even discourage out of office notices on email and voicemail so that hackers cannot easily tell if an account is not being monitored at the moment.  This is a tradeoff with customer service, but you can get around that by having a coworker check your voicemail using a temporary password and check your email by delegating access (WITHOUT sharing your domain password) so they can see your mailbox.
  • Wells Fargo CEO John Stumpf said that they are spending an “ocean” of money and it is the only expense where he asks if they are spending enough.  They declined to put a number to it, however.
  • As is well documented, LinkedIn is a great tool for hackers and is often one of the first sites I check when I am “checking out” a company.  Attackers get names, companies, job titles, job descriptions, software experience, etc.  Companies are trying to figure out what the balance should be between security and personal rights.  Social media (particularly Facebook) is also a great place to go to find out who is out of town, where they are going and sometimes even how long they will be gone.  This is very helpful to someone who wants to break into their house or steal their mail.  In fact, some insurance companies have started to deny coverage based on social media posts.  My recommendation is not to post anything until after you are back from a trip.
  • TD Bank is also sending out fake phishing emails to employees.  If they click on the link, they get a video explaining what they did wrong.  The videos get a workout!
  • Even small banks are working on improving personnel awareness.  Pinnacle Financial Partners sends out phishing emails to its employees every quarter and, even though employees know this, a small percentage still click on the links.

As I said earlier, this advice applies to any business.  Those that handle money, of course, should already be sensitive, but companies that have intellectual property (which would be almost any business) should also be nervous.  Intellectual property includes customer lists, contracts, proposals, technology and many other things that would be useful to a competitor or adversary.  The hackers that stole 75+ million records from Chase did it to facilitate insider trading and made several hundred million dollars before they got caught.  Whether Chase got any of that money back is unknown, but I doubt it.  It is unlikely that the money is in any country friendly to the U.S.  Even if they spend a few years in jail, it will be comforting to know that when they get out and go to, for example, the Caymans, they will be able to live out the rest of their lives in luxury.

Just food for thought.


A link to the article is available at the Nasdaq web site.

Lifelock Settles With FTC

Last month I wrote that Lifelock had set aside $120 million to deal with its fight with the FTC (see post).  I assumed this would be a Wyndham-like fight that would go on for years.  Apparently I was wrong.

Last week Lifelock settled with the FTC and deposited $100 million with the court that is overseeing the case.  The reason this is being managed by a court is that the FTC took Lifelock to court for failing to live up to the terms of the 2010 settlement between the FTC and Lifelock.  In 2010, the FTC said that, among other things, Lifelock was misrepresenting what it could really do and was not managing the security of its customers’ information.

It is no secret that I am not a big fan of Lifelock.  I think they significantly overstate what they can actually do.  For the basic $120 a year membership, what they effectively do is look at your credit report and if they find something new, they call you or send you an email.  It is not clear that this is worth $120 a year.  Recently, I opened a new credit account and a competitor to Lifelock who was monitoring my credit at the time as a result of the Home Depot breach called me with an alert about this new account – 90 days after I opened it.  This is because it takes that long for this stuff to get reported to a credit bureau – if it even does get reported at all.

If you are willing to pay Lifelock $300 a year or more, they do additional things.  This requires that you give Lifelock access to your bank accounts, credit accounts, retirement accounts, etc.  Once you do that, they do the same thing for those accounts as they do for your credit report – compare them against their standards and if anything stands out, they generate an alert.

Recently, JP Morgan Chase posted an alert on their home page that said that if you give someone else access to your accounts (as you would have to do with Lifelock), Chase reserves the right to deny any claims that you make for losses.  What they would do in reality is not clear, but that certainly makes me nervous.

With the premium versions of Lifelock, you are trusting them with a lot of information.  If they don’t keep it safe, you have a real problem.

Going back to the FTC settlement, of the $100 million, $68 million is set aside to pay redress to class members who were damaged.  None of that $68 million can be used for lawyers’ fees or administrative expenses.  This is very different from normal class action cases, where attorneys will take anywhere from a third to a half of the money.  In this case, the FTC gets at least $32 million (which is actually a third) to continue its efforts to protect consumers.  In general, that is probably better than giving that same one-third to lawyers.

By the way, this is the largest monetary settlement that the FTC has ever made.

So what did the FTC claim Lifelock did or did not do?

  • That Lifelock failed to establish and maintain a comprehensive information security program to protect your information.
  • That Lifelock claimed that they protected your information with the same high level safeguards that banks do.  Chase, for example, is spending $500 million a year to protect our information.  Is that how much Lifelock is spending?  I *think* what Lifelock meant by that statement is that they use SSL (https://) on their web site.  That is quite different from what they said.
  • That Lifelock falsely advertised that they would send an alert as soon as it received any information that the consumer may be a victim of identity theft.  I gather that the FTC thinks that even that was delayed.
  • Finally, the FTC claimed that Lifelock failed to follow the court’s record keeping order from the 2010 settlement.

$100 million is a lot of money and Lifelock, unlike Wyndham, did not fight it very much.  They must have thought that they did not have much of a case.  Even if they just fought it enough to reduce the penalty from $100 million to $50 million, that, it seems, would have been worthwhile.  It would seem that Lifelock didn’t think they could make enough of a case to pull even that off.

So, for those of you who are Lifelock customers, consider what you are paying and what you are getting.

Information for this post came from the FTC.