Archive for May, 2009


Twitter Weekly Updates for 2009-05-29

Posted by: Rachel James | May 29th, 2009

Powered by Twitter Tools.

Applications for Employment: What You Should Disclose and When

Posted by: rebeccaseaman | May 22nd, 2009

By Rebecca Seaman

In this tough economy, many of us are actively searching for employment. In most cases, quite a bit of personal information is required to get hired. The question is when and under what circumstances should you disclose this personal information?

If you are just placing an initial application, the potential employer needs to know your name, relevant work history, and little else. They do not (in most cases; specialized or Federal positions may be an exception) need or require your Social Security number, driver's license number, maiden name, etc. In fact, I personally will not even provide detailed address information on my resume or initial applications. I simply provide City, State and Zip Code. This information is private and should not be required to secure an interview.

When will you need to provide more detailed personal information such as your Social Security number? My advice is only after you’ve had an interview and the employer has expressed an interest in bringing you aboard contingent on a background check. If your potential employer is not requesting a background check, then I suggest you only provide sensitive information once an offer has been extended and you are filling out tax documents.

Please be sure to safeguard your personal information, even when job hunting. I have personally seen initial applications asking for sensitive information, but it is never a required field by law. Remember, what you transmit over the internet has the potential to become exposed. If you have any doubts at all, please research the company with the Better Business Bureau or your state AG before giving any organization your Social Security number.

Protect You and Your Company from Typo-squatting

Posted by: Rachel James | May 22nd, 2009

The newest phishing attack to hit Twitter yesterday was a type of cyberscam called typo-squatting. This falls under a more generic term, cybersquatting. This attack took advantage of the similarities between a double v (tvvitter) and a w (twitter) to scam you into revealing your login information. Other typo-squatting simply takes advantage of the pay-per-click system to rake in money that should be coming to your organization. According to a recent independent report, cybersquatting increased by 248% in the past year.

Fairwinds Partners, an internet strategy consulting firm, estimates that a company such as Myspace, which has 5.94% of its traffic being diverted to its top ten typo pages, stands to “lose the marketing equivalent of between $400,000 and $700,000 each month”. Although the Anticybersquatting Consumer Protection Act (ACPA) was intended to protect against these scams, they are still common enough to present a real danger to customers and companies.

There are several ways that users can try to protect themselves against typo-squatting. Microsoft has suggested settings to enhance your browser. They have even developed a download called Typo-Patrol. More simply, you can avoid clicking on links to navigate to websites and carefully type each web address you visit. As an organization, there are several companies that will help you prosecute typo-squatters and monitor for cybersquatting. You may also use the Uniform Domain-Name Dispute-Resolution Policy website to lodge a dispute. You may also wish to visit the Coalition Against Domain Name Abuse for more resources.
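A sketch of the kind of monitoring an organization can run for the lookalike names described above (an added example, not from the original post or from any product it names): it flags hostnames whose registered label folds to a protected brand after visual-confusable substitution (vv to w) or is a single typing slip away. The confusables table, function names and sample hostnames are constructed assumptions, and treating the second-to-last label as the registered name is a simplification that ignores multi-part suffixes.

```python
# Flag lookalike (typo-squatted) hostnames for a set of protected brand domains.
# Small, constructed table of visual confusables (assumption, extend as needed).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]
MIN_TYPO_LEN = 5  # one-edit matching on short labels produces too many false hits


def skeleton(label):
    """Fold visually confusable sequences to the letter they imitate."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def split_host(host):
    """Return (registered label, registered domain); assumes a one-label TLD."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2], ".".join(labels[-2:])


def classify(host, brands):
    """Return (brand, reason) for a lookalike host, or None if it looks unrelated."""
    label, registrable = split_host(host)
    brand_hosts = [split_host(b) for b in brands]
    if any(registrable == reg for _, reg in brand_hosts):
        return None  # the brand itself or one of its own subdomains
    for brand_label, reg in brand_hosts:
        if label != brand_label and skeleton(label) == skeleton(brand_label):
            return (reg, "homoglyph")
        if len(brand_label) >= MIN_TYPO_LEN and osa_distance(label, brand_label) == 1:
            return (reg, "typo")
    return None


def scan(hosts, brands):
    """Map each flagged host to the brand it imitates and why."""
    hits = {}
    for host in hosts:
        verdict = classify(host, brands)
        if verdict:
            hits[host] = verdict
    return hits


BRANDS = ["twitter.com", "myspace.com"]
# Constructed sample, e.g. hostnames pulled from proxy logs or a new-registration feed.
SAMPLE_HOSTS = ["twitter.com", "www.twitter.com", "tvvitter.com",
                "login.tvvitter.com", "twiter.com", "mysapce.com", "example.org"]

if __name__ == "__main__":
    for host, (brand, reason) in scan(SAMPLE_HOSTS, BRANDS).items():
        print(f"{host:22} imitates {brand} ({reason})")
```

Hits are leads for review, not verdicts: a one-edit match can be an unrelated legitimate site, so check registration and content before filing a dispute.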

Job Hunting and Identity Theft – Dangers of Social Networking

Posted by: Rachel James | May 21st, 2009

Today I was asked several times about social networking and job hunting. The question on everyone’s lips is, “What do I have to watch out for?”

Computerworld reports that one in five companies search social networking sites during the hiring process, although many experts believe that number is much higher. You may think that you’re immune because you don’t have any MySpace, Twitter or Facebook accounts- but read on and you will find that is far from the truth.

  • Do a search on yourself. Try Google and Pipl. Search for the same items that appear on your resume and application- name, addresses, phone numbers, user names, email accounts and professional groups are all gateways to finding your profile.
  • Be aware of professional name squatting and company squatting. There are those who scoop up usernames and create profiles using professional information belonging to you. You can usually get access to these profiles, but at a cost. You do not have to buy the impostor login from the squatter, but be aware that if you found it while searching for information about you, your employer will see it too. There are plenty of online reputation management companies that will help you change the order of appearance of your legitimate profiles in search rankings, and even some that will help you reserve your name and user profile on multiple social networking sites for a small fee. Others still will help you create positive chatter to help drown out any negative or misleading pages.
  • Even if you delete the profile, page or photos they may not be gone. Internet archives are still searchable. Photos can be especially difficult to delete entirely.
  • Who you keep company with says a lot about you. Your profile might be clean and professional, but if your buddy has pictures of the two of you on your last pub crawl, it can damage your chances of landing the job. Use the privacy settings on your profiles wisely!
  • Many people who are transitioning between being laid off and job searching may be angry about the economy and the way they were shown the door. Keep a lid on negative comments about your former employer, just as you would during an interview.
  • Be careful of professional identity thieves. I don’t mean people who steal identities for a living, I mean people who troll profiles like LinkedIn to create fake resumes to get hired at companies using real information from other people. The more personal information available on your profiles and resumes, the easier it will be for a person to commit identity theft or professional identity theft, or to gain access to your online profiles by correctly guessing your secret questions. Consider removing details like the names of companies, schools and organizations as well as dates and addresses. Change your profiles slightly to use generic terms such as “Privacy officer for major health organization in Silicon Valley” instead.
  • Social networking has become a popular way to search for jobs as well. There are classifieds on MySpace, and the ever popular Craigslist- but these are often full of scammers lurking in wait. Offers that sound too good to be true probably are. Stay away from offers that involve wiring money, processing money orders or otherwise acting as a “broker” for transferring funds. Check the company out using the Better Business Bureau, your local police, or other methods before providing any personal information such as date of birth or social security number, or showing up for an interview.
  • If you are offering your services, be careful of people who may be looking for an excuse to come to your home to “case” it for a robbery later. Also watch out for offers to pay you more than what you asked. You may cash the check, but once the bank processes the phony funds, you will be left holding the bag. Be careful in responding to emails about your job posting as they may be from bots used by spammers or scammers trying to verify that there is a person on the other end of the email.

Bottom line: beware of what you post, delete does not always mean gone forever, use your privacy settings, and be aware of intentional and unintentional impostors. The last is a warning for both employers and employees. This is why it is so important to know what comes up out there under your name and details- if there is a person who shares your name and area and has a similar address, you may want to directly address that issue in a cover letter or interview. Don’t worry about bringing it up- it shows that you care about your reputation, and that you’re tech savvy.

Online Impersonation and Identity Theft

Posted by: Rachel James | May 20th, 2009

Lately, I have gotten many emails and phone calls about online impersonations: everything from MySpace, Twitter and Facebook accounts to email addresses and Craigslist postings. This is also sometimes called profile jacking or twitterjacking. Enough real information is being used that someone searching by things like name, address, phone number or username might mistake the impostor for the real deal. People who regularly “google” themselves may be surprised to find new pages and emails associated with their details. Sometimes this impersonation can flood you with phone calls and junk mail, or at worst turn into a kind of cyberstalking.

While annoying and occasionally frightening, online impersonation is not identity theft unless personal information not otherwise available to the public is used. Since you are not required to provide a social security number, date of birth, or other private information for verification for email addresses or online profiles, opening up an account using another person’s name is incredibly easy- but not identity theft. While many of the activities may fall under stalking laws in your state, many times these are activities outside the law’s ability to change with new technology.

However, all is not lost! Almost all internet companies have a Terms of Service (TOS) agreement, and most of them include online impersonation for the purpose of harassment or fraud as a violation of the agreement. You can contact their abuse desk, usually found at abuse@domain.com, and point out the abuse of their TOS by the impostor. This is particularly useful if the impostor is spamming people with messages, as you can also email spam@domain.com to report it at the same time. They may or may not choose to shut down the impostor. Remember that parody and fair use rules typically apply to most companies, especially in social networking- so you may not always get a result. Additionally, a good rule of thumb is that you will get better service and swifter action on violations of TOS from services you pay for. Free email accounts and free profiles, blogs and networking typically deliver slower results, if they choose to take action at all.

If there is use of your company’s logo or other copyrighted material, you can send a DMCA take-down notice to their registered agent. The use of copyrighted material or violations of Terms of Service are often the only leverage that a person can use to get an impostor shut down.

The ease and convenience of the internet will always struggle for balance with privacy, security and individual rights. Not only should we be aware of people potentially impersonating us, but we should be aware of how easy it can be to be fooled into believing an impostor. Often impostors will take real blog posts and real tweets to add to their own profiles to try to confuse search engines and potential followers or friends. Some become followers or friends of the real person, just to gain access to more information to imitate. The internet can be a wonderful sandbox, just be careful of the person standing behind you with a shovel.

Follow us on Twitter

Posted by: Rachel James | May 19th, 2009

Are you tweeting? Do you belong to the Twitterverse? Now, so do we!

Want to follow us and watch us grow? Or, you can send us a question or topic you would like addressed to us @idexperts.

Our Twitter will automatically notify our followers of new blog posts, news and activity here at ID Experts. From the latest news on data breaches, to our efforts in Washington, Twitter will help us reach more people in more places while reaching out to the privacy and security community at large. As a recognized leader in data breach prevention, detection, & remediation, Twitter is part of our greater effort to bring cooperation and understanding to the data breach and identity theft sector while focusing on our vision to create a world where personal information remains private.

Your Not-So-Secret Questions

Posted by: Rachel James | May 19th, 2009

Technology Review, published by MIT, has an article that is highlighting a personal crusade of mine. Your secret questions are not all that secret! I’ve said many times that most security questions are answered truthfully, and most of those are easily obtained or guessed. What town you grew up in, what high school you attended, what your pet’s name is are all probably either in public record or on your own profile page somewhere. Several chain-letter-type surveys that ask you to answer your teacher’s name and the street you grew up on in order to provide you with a “Rock Star” name are often a clever scam to get people to reveal the answers to these questions. From there, they only have to click on the “I forgot my password” link on email or websites to gain access to your accounts, profiles, identity and contact list. They may start contacting users in your address book, trying to scam money or personal information- creating a nightmare of fraudulent activity and impersonations to try to resolve.

Sarah Palin’s hacker gained access to her account in this way. As a public figure, much was on Wikipedia and other websites about her life which together provided the answers to her security questions. The lesson to learn here is that our LinkedIn profiles, business contacts and networking efforts may appear enticing to an identity thief. Researchers from Microsoft and Carnegie Mellon University show that the secret questions are typically insecure. “In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study’s participants could guess the correct answers to the participant’s secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.”

More alarming:

The least-secure questions are simple ones whose answers can be guessed with no existing knowledge of the subject, the researchers say. For example, the answers to the questions “What is your favorite town?” and “What is your favorite sports team?” were relatively easy for participants to guess. All told, 30 percent and 57 percent of the correct answers, respectively, appeared in the top-five list of guesses.

But answers that require only a little personal knowledge to guess should also be considered unsafe, the researchers warn. Of people that participants would not trust with their password, 45 percent could still answer a question about where they were born, and 40 percent could correctly give their pet’s name, the researchers found.

Remember, the easier it is for you to remember- the easier you make it for others to guess. The most secure method would be to create your own password for each security question, with special characters and numbers. However, realistically, most people will have to sacrifice a little security for convenience. I have always recommended coming up with your own secret question plan. When asked about your pet, give your best friend’s middle name. When asked about the town you grew up in, always answer with your shoe size and so on. This should cut down on the likelihood of a successful attack.

Travel Registration

Posted by: Rachel James | May 18th, 2009

Did you know that you can register your plans to travel abroad with the Bureau of Consular Affairs to assist you in the event of an emergency or crime?

Travel registration is a free service provided by the U.S. Government to U.S. citizens who are traveling to, or living in, a foreign country. Registration allows you to record information about your upcoming trip abroad that the Department of State can use to assist you in case of an emergency. Americans residing abroad can also get routine information from the nearest U.S. embassy or consulate.

This can be very helpful if your wallet is stolen or you are mugged abroad and need help contacting the appropriate agencies and companies stateside. Remember that traveling puts you at greater risk of identity theft. Unfamiliar people and places and the widespread use of your information for hotels and other purchases can not only lead to identity theft- but make it more difficult to recover from when you return. Look up information about the country you are visiting at the Department of State’s website and make sure you are aware of any warnings or advisories there may be about identity theft and fraud in the country you are visiting.

Car Warranty Phone Calls

Posted by: Rachel James | May 18th, 2009

Rebecca got the call, I got the call- almost everyone I know got the call. It starts with “Our records indicate that the factory warranty on your vehicle has expired or may be expiring soon….” Others reported auto dialers contacting them about lowering interest rates, or other services.

The third or fourth time Rebecca got the call she asked me if she should hang on the line to try to talk to them, or press 0 for an operator. I explained that until more is known about the phone call, pressing any options or speaking to a representative may make the situation worse. According to the National Consumers League’s National Fraud Information Center, by responding to this obvious scam phone call by pressing a number, you are letting the dialer know that there is a live person on the other end of that phone. You could even be providing the proper tones or voice commands for them to record and use later for fraudulent authorizations. Diligently, we hung up every time.

Likely, we got caught up in a telemarketing call that has the Better Business Bureau and Federal Trade Commission flooded with complaints. Recently, it grabbed the attention of a politician in D.C. The New York Times reports, “Mr [Charles E]. Schumer, Democrat of New York, was in a meeting on Capitol Hill last week when he picked up his cellphone, triggering a phony, prerecorded sales pitch, ostensibly for an extended vehicle warranty. Irate, Mr. Schumer became one of an estimated 30,000 Americans to make complaints about the robocalls with consumer protection authorities. He held a press conference to rail against the ‘robo-dialed harassment.’”

The Better Business Bureau offers the following advice when dealing with these companies:

  • Never give personal information, including Social Security, bank or credit card numbers, over the phone to an unknown telemarketer.
  • Read your manufacturer’s warranty and contact your dealer or manufacturer to ensure that you are not purchasing duplicate coverage.
  • Consumers can place their phone numbers on the Federal Do Not Call List by visiting www.donotcall.gov. If a consumer is already on the list but continues to receive telemarketing calls, he or she can use the same Web site to report incidents to the Federal Trade Commission.
  • To find trustworthy auto warranty companies, consumers can check out BBB Reliability Reports online and free of charge at www.bbb.org.

For more information or to schedule an interview with a BBB spokesperson, contact Alison Southwick at 703-247-9376.

Social Networking in the Office-Are You Putting Your Organization at Risk?

Posted by: rebeccaseaman | May 15th, 2009

By Rebecca Seaman

With the rise (and benefits!) of professional Social Networking, hackers are increasingly turning their energies away from ‘old school’ methods of inflicting harm on organizations (such as email containing viruses and Trojans) and focusing more on Social Networking vulnerabilities.

According to a recent report conducted by the Secure Enterprise 2.0 Forum, hackers have increasingly used programs like MySpace, Facebook and Twitter to perpetuate malware and this trend is expected to increase as more and more organizations incorporate Social Networking into their standard practices.

In an article titled Fail 2.0: Further Musings on Attacking Social Networks, Shawn Moyer writes “Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there’s a lot of return-on-investment in going after them.”

So how can you protect yourself and your organization? My best advice would be to remember that while you are on the web at work, you are wholly responsible for protecting the information you transmit. Don’t rely solely on your organization’s malware and virus filters to catch any potentially harmful software- it’s up to you to be diligent as well. And just as you wouldn’t broadcast sensitive data in a chat room, think twice about what you say on Twitter, Facebook and the like (check out Rachel’s blogs on the ownership terms and conditions of some of these sites).

Of course, the end result of these types of hacks can be extremely harmful both to your company and your career- you don’t want to be responsible for exposing trade secrets or sensitive data inadvertently. According to the report, nearly 30 percent of the attacks did lead to the exposure of sensitive information. Additionally, around 13 percent resulted in actual monetary loss, while more than 10 percent installed malware on computers or their corresponding networks.