Posts Tagged ‘Twitter’


Twitter present and future

Posted by: Rachel James | June 29th, 2009

As the main “Twit” on our account, it is my pleasure to announce that after four weeks for the corporate Twitter account, we now have over 500 followers. We have connected with many more in the twitterverse. It has been truly educational to see the conversations and discussions happening amongst privacy and security professionals and interested parties. Valuable commentary and opinions on everything from REAL ID to HITECH to PCI DSS, and of course data breaches. The insights we have gained have been incredibly valuable, and we thank everyone deeply for their participation.

I want to thank all the people who are following us, and those who we have interacted with in the twitterverse. You all have been very patient while we figure out the proper netiquette in this space. If we have forgotten to thank you for retweets or follows, I apologize and assure you that it was not done purposefully. We deeply value the insights that are coming from Twitter, and we will continue to foster that community. I want to encourage everyone to send us questions, blog requests or suggestions to @idexperts

In the future, we are planning some exciting things for Twitter. You can look forward to exclusive white paper releases, open job positions and promotional offers coming to our tweet stream. Our international community is growing, so I will attempt to flex some language skills and occasionally tweet in German, Spanish, Dutch, French and more. Additionally, as matters in the privacy and security sector arise, we will be creating polls and surveys to try to capture valuable input from our followers as well as providing research and statistical resources as we make them available.

I want to encourage those who may have specific questions that cannot be asked in 140 characters or less to contact us directly at twitter@idexpertscorp.com. We welcome your input and support, and look forward to building a community of understanding.


Twitter Weekly Updates for 2009-05-29

Posted by: Rachel James | May 29th, 2009


Protect You and Your Company from Typo-squatting

Posted by: Rachel James | May 22nd, 2009

The newest phishing attack to hit Twitter yesterday was a type of cyberscam called typo-squatting. This falls under a more generic term, cybersquatting. This attack took advantage of the similarities between a double v (tvvitter) and a w (twitter) to scam you into revealing your login information. Other typo-squatting simply takes advantage of the pay-per-click system to rake in money that should be coming to your organization. According to a recent independent report, cybersquatting increased by 248% in the past year.

Fairwinds Partners, an internet strategy consulting firm, estimates that a company such as Myspace, which has 5.94% of its traffic being diverted to its top ten typo pages, stands to “lose the marketing equivalent of between $400,000 and $700,000 each month”. Although the Anticybersquatting Consumer Protection Act (ACPA) was intended to protect against these scams, they are still common enough to present a real danger to customers and companies.

There are several ways that users can try to protect themselves against typo-squatting. Microsoft has suggested settings to enhance your browser. They have even developed a download called Typo-Patrol. More simply, you can avoid clicking on links to navigate to websites and carefully type each web address you visit. For organizations, there are several companies that will help you prosecute typo-squatters and monitor for cybersquatting. You may also use the Uniform Domain-Name Dispute-Resolution Policy website to lodge a dispute. You may also wish to visit the Coalition Against Domain Name Abuse for more resources.
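One way an organization could monitor for the lookalike names described above, shown as an added example that is not part of the original post: it folds confusable character sequences such as "vv" for "w" and then measures edit distance against the protected name. The `.example` domains, the confusable pairs beyond "vv"/"w", and the two-label registrable-domain rule are assumptions made for illustration.

```python
# Added example (not from the original post): classify observed domains
# against a protected brand label. All domains below are constructed samples.

BRAND = "twitter"
OWNED = {"twitter.example"}  # assumption: the organization's own registrable domains

# Lookalike sequences folded to the character they imitate. "vv" -> "w" is the
# pair from the post; the others are common substitutions added as assumptions.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]


def skeleton(label):
    """Fold visually confusable sequences so lookalikes compare equal."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain, brand=BRAND, owned=OWNED):
    """Return 'owned', 'same-label', 'homoglyph', 'typo' or 'unrelated'."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "unrelated"
    # Simplification: treat the last two labels as the registrable domain.
    # Multi-part suffixes (e.g. co.uk) need a public-suffix list instead.
    registrable, label = ".".join(labels[-2:]), labels[-2]
    if registrable in owned:
        return "owned"
    if label == brand:
        return "same-label"      # brand name under a suffix we do not own
    if skeleton(label) == skeleton(brand):
        return "homoglyph"       # e.g. "vv" standing in for "w"
    if osa_distance(skeleton(label), skeleton(brand)) <= 1:
        return "typo"            # one slip away from the brand
    return "unrelated"


def flag_lookalikes(domains):
    """Map each suspicious domain to the reason it was flagged."""
    verdicts = {d: classify(d) for d in domains}
    return {d: v for d, v in verdicts.items() if v not in ("owned", "unrelated")}


if __name__ == "__main__":
    observed = [  # constructed, e.g. hosts pulled from proxy or mail logs
        "login.twitter.example", "tvvitter.example", "twiter.example",
        "twtiter.example", "weather.example",
    ]
    for name, reason in flag_lookalikes(observed).items():
        print(f"{name}: {reason}")
```

Feeding it hostnames seen in proxy, DNS or mail logs gives a short review list; flagged names still need a human check before any dispute is lodged.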

Job Hunting and Identity Theft – Dangers of Social Networking

Posted by: Rachel James | May 21st, 2009

Today I was asked several times about social networking and job hunting. The question on everyone’s lips is, “What do I have to watch out for?”

Computerworld reports that one in five companies search social networking sites during the hiring process, although many experts believe that number is much higher. You may think that you’re immune because you don’t have any MySpace, Twitter or Facebook accounts- but read on and you will find that is far from the truth.

  • Do a search on yourself. Try Google and Pipl. Search for the same items that appear on your resume and application- name, addresses, phone numbers, user names, email accounts and professional groups are all gateways to finding your profile
  • Be aware of professional name squatting and company squatting. There are those who scoop up usernames and create profiles using professional information belonging to you. You can usually get access to these profiles, but at a cost. You do not have to buy the impostor login from the squatter, but be aware that if you found it while searching for information about you, your employer will see it too. There are plenty of online reputation management companies that will help you change the order of appearance of your legitimate profiles in search rankings, and even some that will help you reserve your name and user profile on multiple social networking sites for a small fee. Others still will help you create positive chatter to help drown out any negative or misleading pages.
  • Even if you delete the profile, page or photos they may not be gone. Internet archives are still searchable. Photos can be especially difficult to delete entirely.
  • Who you keep company with says a lot about you. Your profile might be clean and professional, but if your buddy has pictures of the two of you on your last pub crawl, it can damage your chances of landing the job. Use the privacy settings on your profiles wisely!
  • Many people who are transitioning between being laid off and job searching may be angry about the economy and the way they were shown the door. Keep a lid on negative comments about your former employer, just as you would during an interview.
  • Be careful of professional identity thieves. I don’t mean people who steal identities for a living, I mean people who troll profiles like LinkedIn to create fake resumes to get hired at companies using real information from other people. The more personal information available on your profiles and resumes the easier it will be for a person to commit identity theft, professional identity theft or gain access to your online profiles by correctly guessing your secret questions. Consider removing details like the names of companies, schools and organizations as well as dates and addresses. Change your profiles slightly to use generic terms such as “Privacy officer for major health organization in Silicon Valley” instead.
  • Social networking has become a popular way to search for jobs as well. There are classifieds on MySpace, and the ever popular Craigslist- but these are often full of scammers lurking in wait. Offers that sound too good to be true probably are. Stay away from offers that involve wiring money, processing money orders or otherwise acting as a “broker” for transferring funds. Check the company out using Better Business Bureau, your local police, or other methods before providing any personal information such as date of birth, social security number or showing up for an interview
  • If you are offering your services, be careful of people who may be looking for an excuse to come to your home to “case” it for a robbery later. Also watch out for offers to pay you more than what you asked.  You may cash the check, but once the bank processes the phony funds, you will be left holding the bag. Be careful in responding to emails about your job posting as they may be from bots used by spammers or scammers trying to verify that there is a person on the other end of the email.

Bottom line: beware of what you post, delete does not always mean gone forever, use your privacy settings, and be aware of intentional and unintentional impostors. The last is a warning for both employers and employees. This is why it is so important to know what comes up out there under your name and details- if there is a person sharing your name, area, and has a similar address you may want to directly address that issue in a cover letter or interview. Don’t worry about bringing it up- It shows that you care about your reputation, and that you’re tech savvy.

Online Impersonation and Identity Theft

Posted by: Rachel James | May 20th, 2009

Lately, I have gotten many emails and phone calls about online impersonations. Everything from MySpace, Twitter and Facebook accounts to email addresses and craigslist postings. This is also sometimes called profile jacking or twitterjacking. Enough real information is being used that someone searching by things like name, address, phone number or username might mistake the impostor for the real deal. People who regularly “google” themselves may be surprised to find new pages and emails associated to their details. Sometimes this impersonation can flood you with phone calls and junk mail, or at worst turn into a kind of cyberstalking.

While annoying and occasionally frightening, online impersonation is not identity theft unless personal information not otherwise available to the public is used. Since you are not required to provide a social security number, date of birth, or other private information for verification for email addresses or online profiles, opening up an account using another person’s name is incredibly easy- but not identity theft.  While many of the activities may fall under stalking laws in your state, many times these are activities outside the law’s ability to change with new technology.

However, all is not lost! Almost all internet companies have a Terms of Service (TOS) agreement, and most of them include online impersonation for the purpose of harassment or fraud as a violation of the agreement. You can contact their abuse desk, usually found at abuse@domain.com, and point out the abuse of their TOS by the impostor. This is particularly useful if the impostor is spamming people with messages, as you can also email spam@domain.com to report it at the same time. They may or may not choose to shut down the impostor. Remember that parody and fair use rules typically apply to most companies, especially in social networking- so you may not always get a result. Additionally, a good rule of thumb is that you will get better service and swifter action on violations of TOS from services you pay for. Free email accounts and free profiles, blogs and networking typically deliver slower results, if they choose to take action at all.

If there is use of your company’s logo or other copyrighted material, you can send them a DMCA take-down notice to their registered agent. The use of copyrighted material or violations of Terms of Service are often the only leverage that a person can use to get an impostor shut down.

The ease and convenience of the internet will always struggle for balance with privacy, security and individual rights. Not only should we be aware of people potentially impersonating us, but we should be aware of how easy it can be to be fooled into believing an impostor. Often impostors will take real blog posts and real tweets to add to their own profiles to try to confuse search engines and potential followers or friends. Some become followers or friends of the real person, just to gain access to more information to imitate. The internet can be a wonderful sandbox, just be careful of the person standing behind you with a shovel.

Follow us on Twitter

Posted by: Rachel James | May 19th, 2009

Are you tweeting? Do you belong to the Twitterverse? Now, so do we!

Want to follow us and watch us grow? Or, you can send us a question or topic you would like addressed to us @idexperts

Our Twitter will automatically notify our followers of new blog posts, news and activity here at ID Experts. From the latest news on data breaches, to our efforts in Washington, Twitter will help us reach more people in more places while reaching out to the privacy and security community at large. As a recognized leader in data breach prevention, detection, & remediation, Twitter is part of our greater effort to bring cooperation and understanding to the data breach and identity theft sector while focusing on our vision to create a world where personal information remains private.

…Teach a man to be phished, and he’ll be hungry for a lifetime

Posted by: Rachel James | May 4th, 2009

You’re in the scene- you’ve got the Facebook, MySpace, LinkedIn and Twitter accounts active and updated. You juggle to remember which friend requests have been added where, and then you suddenly decide to sign up for another social media site such as Yelp, Plaxo, Ning, FriendFeed, Orkut, or iLike. What a pain to add all those friends all over again! Then you see an advertisement for a wonderful service provided by the company- all you have to do is provide your email username and password, and all your friends will be automatically added to your social network. Sounds great, right?

Wrong. This leaves the door wide open for numerous types of fraud. Most people do not take the security precaution of creating different user names and passwords for the sites they visit. They may be handing over their address books, and financial and email accounts. You must also consider that a large database of user names and passwords is VERY attractive to potential hackers and identity thieves, and is much more likely to be targeted than individual accounts.

As reported on TechRadar, Twitter’s API lead Alex Payne said “We’ve always advised users to only give their passwords to websites they feel they can trust. Any website runs the risk of compromise, so giving out your credentials is always a gamble. There’s little risk in using a desktop Twitter client, but we’ve cautioned users against handing out their passwords to web-based services that are higher-value targets to attackers.”

Even if you trust the service not to delve into your personal information, you are providing a third party website with security information, a habit that identity theft and security professionals have been trying to break for years. As handing out your security information from one site to another site becomes commonplace, it will become easier to convince users to continue the practice. As Jeremy Keith, technical director of user experience consultancy Clearleft points out, “…it teaches people how to be phished.”

There is always a security trade-off for convenience. Before you click on that free download, try the new service, or ask a computer to remember your password, ask yourself- Is this worth it? Is the increased risk of attack and theft worth the convenience I am trading it for? Remember to use different usernames and passwords for your accounts, so that any single compromise does not result in total loss of your personal and financial information. Never provide account information on a third party site, and be cautious of any requests for password or account information by email, website or phone.

Twitter Hacked for the Second time this Year

Posted by: Rachel James | May 1st, 2009

PC World reports that on Wednesday, an anonymous hacker going by the name of Hacker Croll posted 13 screenshots to a French online discussion forum, apparently captured while logged into the Twitter account of Jason Goldman, a director of product management with Twitter. This hack was confirmed Thursday by Twitter CEO Biz Stone. The initial investigation revealed that at least 10 accounts were viewed during this hack, possibly compromising phone numbers, email addresses and more.

How was this hack possible? Well, if I haven’t emphasized enough the need to change your security questions, this should hammer it home. The hacker was able to gain access through the administrator’s Yahoo! account by guessing at his security questions. Once in his Yahoo! mail account, all he had to do was request his password to be emailed to the account. Security questions are the prompts you receive when you click the “I forgot my password” button. They have been the focus of many attacks and breaches, since many times they are easily guessed answers or publicly available information (such as the high school you went to, the town you grew up in, and so forth).

This is the second time someone has hacked into the support staff at Twitter, the first was in January. During the attack in January, it was reported that the password was a word found in the dictionary with no special characters or numbers. A password that would be easily guessed: happiness. Highlighting the problem with third parties who handle your information carelessly. You may take all the precautions to protect your information, but it only takes one mistake by someone else at a company to expose your information.

While some of the recent security problems that Twitter has experienced are related to technology attacks, such as worms and viruses- this highlights the ongoing problem of social engineering attacks. Knowledge is power, and most people would be surprised to find out what information is available to the public. Further, most people are unaware of the amount of information that they place on their profiles that can be used to conduct these kinds of attacks. Limiting the amount of personal information available by using the privacy settings is important. It is equally important to change the answers to your security questions- make sure the answers are ones you would remember, but no one else who knew the “right” answer could get it. When asked about your pet’s name, pick your best friend’s middle name. When asked about the town you grew up in, answer with the last four digits of your phone number- whatever it takes to make it more difficult to obtain access to your accounts.

Who needs enemies when you have MySpace friends?

Posted by: Rachel James | January 8th, 2009

By Rachel James

A new scam method, described in an IT World article called “Why you can’t trust ‘friends’ on Facebook”, is another example of the risks that social networking exposes us to:

 

Step 1: Request to be “friends” with a dozen strangers on MySpace . Let’s say half of them accept. Collect a list of all their friends.

Step 2: Go to Facebook and search for those six people. Let’s say you find four of them also on Facebook. Request to be their friends on Facebook. All accept because you’re already an established friend.

Step 3: Now compare the MySpace friends against the Facebook friends. Generate a list of people that are on MySpace but are not on Facebook. Grab the photos and profile data on those people from MySpace and use it to create false but convincing profiles on Facebook. Send “friend” requests to your victims on Facebook.

As a bonus, others who are friends of both your victims and your fake self will contact you to be friends and, of course, you’ll accept. In fact, Facebook itself will suggest you as a friend to those people.

(Think about the trust factor here. For these secondary victims, they not only feel they know you, but actually request “friend” status. They sought you out.)

Step 4: Now, you’re in business. You can ask things of these people that only friends dare ask.

“Let’s meet for drinks — bring your new car!”

“I’m in Nigeria on vacation, got robbed and need $500 to get home!”

Safe Social Networking

Posted by: Rachel James | December 19th, 2008

by Rachel James, Intake Specialist

 

A recent study found that nearly 50 percent of Facebook users put enough info — things like birth date, hometown, family information and more — to aid ID thieves.

Social networking is everywhere. There are literally millions of members who are sharing details about their lives, their jobs and their personal information. With that many users to choose from, social networking sites are ripe for harvest in the hands of a clever identity thief.

One of the most innocent-looking attacks is to start a “survey” that asks all about your favorite things in order to give you some label regarding your personality type, or even what cartoon character you resemble most. The instructions typically require you to post your results and then forward it amongst your friends. Among these questions are popular security questions for accounts such as “What is your favorite pastime?”, “What town did you grow up in?”, “What is your favorite movie?”

In fact, these questions- which are often the key to gaining access to your accounts in the event you forget your password- are often built into the social networking site’s profile to help better match people to you with similar interests. Most people do not consider the risk that answering these questions poses, because they have probably long forgotten which security questions they placed for their email or bank accounts.

These questions are just the tip of the iceberg. People using Twitter have updated their location as “on vacation” only to come back to a home that has been ransacked and robbed. A recent study in the UK by the Information Commissioners Office showed that 2/3 of social networking users post their date of birth, ¼ post their job title and 1/10 post their home address.

So what are the biggest vulnerabilities?

·        95% of Facebook users run at least one application on their profile. These applications, despite being available for download directly from a social networking site, are by and large not reviewed by staff at the company and often contain viruses or other malicious code

·        Use your privacy settings and only allow people to view your posts if you trust them and have met them in real life to verify that account is actually owned by them. If you get a friend request you think you recognize, call that person to verify it was really them

·        Don’t post your full name

·        Don’t post your address, phone number or where you work

·        Don’t post your salary range

·        Don’t use status or location updates

·        Don’t post the town you grew up in, or the schools that you went to

·        Emails or posts that request too much information should be considered suspicious and probably ignored. The person forwarding it to you might not even be aware that they might be aiding an identity thief.

·        Be careful of the pictures that you post of yourself, family, friends and activities. These pictures could be used to gain valuable information, or altered in a manner against your will. Fake IDs, stalking, or damage to reputation could occur.

·        Remember that even if you delete the post later, it is still “out there”. Other users may have a copy of the information still on their computers, and it may have been picked up by the various internet archives. Treat everything you post on the internet as though you can never take it back.

·        Now with more social networking sites employing classifieds sections, you must be wary of job offers or other scams in advertising. Remember that if it sounds too good to be true, it probably is.

·        Be sure your security software such as your firewall, anti-virus, spyware protection and internet browser are up to date and running. Updates often include security patches to address known vulnerabilities, so it is important to update as often as possible.

·        Use complex passwords, vary them and change them often. The password to your email, social networking sites, or blog should NEVER be the same as the passwords for your financial or personal information

·        When setting up accounts, do not ever use the “real” answer to a question. When asked for your favorite movie, respond with a password like 00Bond7 to make it easy to remember but hard to guess

·        Speak with children about the dangers of revealing personal information