Equifax offering free Freezes until Nov 21st – Because they have to

Equifax (photo by Mike Stewart/AP c/o Nymag.com: http://nymag.com/selectall/2017/09/equifax-hack-143-million-us-customers-credit-data-leaked.html)

According to the New York Times, Equifax reluctantly decided to make freezes free for a little while in light of their colossal blunder. It remains to be seen if they will also be issuing new PINs to those of us who already had a freeze in place. I reached out to a staff lawyer for Consumers Union to ask if they had any plans to do so, but she didn't know (and didn't have any way to find out, since the credit report companies avoid contact as much as possible).

I'll be looking for more details and try to get an answer, but until then I'll assume Equifax has no plans to take responsibility for their error.

Update: According to the New York Times, Equifax is claiming that no PINs for current freezes were lost.

Equifax Loses Data on 143 Million customers, unlikely to offer help to victims

Equifax (photo by Mike Stewart/AP c/o Nymag.com: http://nymag.com/selectall/2017/09/equifax-hack-143-million-us-customers-credit-data-leaked.html)

Oh look! Yet another data breach. This time it affects the credit reporting company Equifax, one of the three businesses most directly responsible for ID theft woes. Most companies don't offer any information or help to get your credit reports frozen (the only actual solution for ID theft), and I don't expect Equifax to be any different.

Equifax has a sordid past with multiple class action lawsuits and various other kinds of misconduct that had to be addressed by the Federal Trade Commission. Chances are they'll use this opportunity to offer free credit monitoring to appear to help while really just trying to avoid lawsuits, and I guarantee they won't talk about credit freezes at all. Don't let them snow you; freeze your credit reports now!


Man Hunts and Beats Teen for Mocking Him Online

For anyone who's participated in forums, online games, or any other system where you can communicate with random strangers, you've probably encountered people who make you angry. Some are just people you legitimately don't get along with, and some are "trolls": people who toy with others for their own amusement.

What makes people trolls is generally the anonymous nature of the Internet. Sadly, this is often a perceived anonymity only. Just yesterday, I found a post I didn't agree with and wanted to comment on it. Since the author had locked comments, I did a little web research and found her real name, school, e-mail address, and other sites she posted to. I was only looking for some means to contact her, but the information was fully filled out on these sites with no protection at all.

Imagine her shock to find out how easily she was found (and to be honest she called me quite a few names at first though we did have a good conversation after that).

Sadly, most people don't realize how difficult it is to be truly anonymous. In many cases the only thing keeping you safe is that you've never given anyone enough reason to look you up. And now we get to the real story.

Online games can be tense and frustrating. For example, the first time I played an online competitive game, I was completely crushed in seconds and insulted repeatedly for my efforts. I chose to stick with offline gaming but others weather the storm and build their skills to the point they can keep up and even be good enough to win.

However, there are just going to be times that someone is better than you. That's frustrating enough, but when they're rude and insulting, it can be maddening. And for context, understand that the people who are the rudest are often younger males who believe they don't have to "pull any punches" since they don't have to face the consequences of their actions (an idea that was excellently portrayed in Disney's Pinocchio).

My point is, this kid was being an ass with abandon. What was his opponent going to do? Hunt him down and hurt him? Turns out the answer was yes.

And believe it or not, there's a lot of support for the attacker online. The sad fact is that there are still consequences for what we do, even if we're online. Similar to the advice every parent must give their children about how posts last forever, we must also teach our kids not to draw undue aggression. After all, how do you know whether the person you're "teabagging" has the ability and desire to come after you in person?


Citibank Unable to Afford Secure Web Design

Really Citibank?

When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:

http://www.citibank.com/account.asp?were=dumbbell&we=shouldhaveknownbetter

One of the values in the "lots of other junk" area told Citibank whose account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade, apparently large (and rich) companies can somehow still manage to forget the basics.
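As an added illustration (constructed for this post, not Citi's code): the lookup pattern described above, where the account id in the URL is trusted outright, beside a version that checks the logged-in session actually owns the requested account, plus a small log check that flags a session walking through many ids. Account data, session names and log lines are all made up.

```python
# Added illustration, not Citi's code: accounts, sessions and logs are constructed.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250.00},
    1002: {"owner": "bob", "balance": 9000.00},
}

class Forbidden(Exception):
    pass

def vulnerable_account_page(session_user, query):
    """The bug described above: the account id in the URL is trusted outright,
    so any logged-in user who edits the number sees someone else's account."""
    return ACCOUNTS[int(query["acct"])]

def hardened_account_page(session_user, query):
    """Same lookup, but the URL id is only a hint; the server checks that the
    account belongs to the user the login step placed in the session."""
    try:
        acct_id = int(query["acct"])
    except (KeyError, ValueError):
        raise Forbidden("account not found") from None
    acct = ACCOUNTS.get(acct_id)
    if acct is None or acct["owner"] != session_user:
        # Same response for "no such id" and "not yours", so the URL cannot be
        # used to discover which account numbers exist.
        raise Forbidden("account not found")
    return acct

def is_blocked(session_user, query):
    """True when the hardened handler refuses the request."""
    try:
        hardened_account_page(session_user, query)
    except Forbidden:
        return True
    return False

# Constructed access-log lines: which session asked for which account id.
SAMPLE_LOG = ["sess=abc acct=1001", "sess=abc acct=1001",  # alice, own account only
              "sess=xyz acct=1002", "sess=xyz acct=1003", "sess=xyz acct=1004"]

def sessions_walking_ids(log_lines, threshold=3):
    """Detection side: one session requesting `threshold` or more distinct ids
    is walking the number space rather than viewing its own account."""
    seen = {}
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        seen.setdefault(fields["sess"], set()).add(fields["acct"])
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)
```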

Source


UK Immigration Officer Put Wife on No-Fly List

This is awesome terrible. Apparently a UK immigration officer added his wife to the no-fly list while she was out of the country, effectively stranding her.

Based on the lack of details and the fact that she could have just taken a ferry instead of an airplane, this story doesn't really seem that likely, but it's making the rounds, and the most important issue here is the possibility of a single government official, working alone, abusing the system. As long as important security databases are poorly controlled, these kinds of abuses are possible.

Speaking of, I found a supposed copy of the no fly list online. Check it out!


Yahoo Accounts Are Easy to Hijack

There have been some high profile hacks of Sarah Palin and Grady Sizemore, but the issue here is less about Yahoo security and more about what you do with it.

Just make a Privacy Alias and use it for places that want your personal information, but don't really need it. Of course, if you use an encrypted file to store passwords, you don't have to make an alias at all. You can just store completely new made up challenge answers for each site.


Hijack A Facebook Account in One Click

Ok so maybe not ONE click. But someone has put together a simple tool that you can use to take over the active sessions of anyone within wireless range of you. Hang out at the Starbucks free wi-fi and you'll be able to control the Facebook or other accounts of people nearby. It's an attack that was always simple to do for those who know how, but now any idiot can do it with a simple new interface.

Hopefully with their newest black eye (it never ends for Facebook does it?) they'll patch up this glaring hole.

By the way, they mention a few protections from this at the bottom of the article, but here's one more.


TSA Pilot Refuses Naked Scanner – TSA Response

Maybe you haven't heard of this yet, but a pilot working for ExpressJet refused to use the new nudie scanners installed at his airport. They offered to pat him down instead, but according to him:

"Pat down is misleading," Roberts explained. "They concentrate on the area between the upper thighs and torso, and they're not just patting people's arms and legs, they're grabbing and groping and prodding pretty aggressively."

I've written about this previously, as it's been reported that refusing the scanner will get you a "super-sized" pat-down almost like a punishment, and this experience seems to confirm that.

Peter Pietra, the head of privacy for the TSA is a reasonable guy who I met at a conference once. I asked him about this issue and he stated that the procedures seemed to work as intended. People have the right to opt out, but must be patted down in the process. I asked him about the "aggressive pat-down" and he said this:

There is no retaliatory pat-down for people who decline AIT. There used to be several types of pat-downs, but there are now only two (standard, and resolution). People who decline AIT or metal detector, for that matter, get the standard pat-down, but our standard pat-down changed about a month ago …. There was a flurry of media attention about a month ago on it, and some complaints following the news articles, but not a lot. My rough recollection is a dozen or fewer complaints specific to the new pat-down.

Along with my previous talks with him, this is the second time he's assured me that there is no special treatment of people who refuse the scan. While I'm positive there are people who abuse their authority or make things tougher for people who they think make things tough for them (asserting rights which also makes their job harder), here's the thing:

There are two pat-downs, and while I don't know what warrants the second, you should only get the first by refusing to be scanned. Therefore, if your pat-down is more extensive than what you see old people with heart devices getting, it's time to complain and complain loudly (which is what I believe this pilot has done, and good for him). Peter says he thinks there's no problem because he hasn't received many complaints. If you think you've been a victim of retaliation or excessive probing, make sure he hears about it.

Make sure your voice is heard. You can connect with his office here: TSAPrivacy@dhs.gov

Support for the Pilot

There's been a lot of support for him in the airline industry (among workers, not officially). Here are some of the industry forums where they're talking about him:

Jetcareers
Expressjetpilots
Flyertalk

UPDATE 2010/11/07

I recently went through the airport and also refused the scanner. I was patted down, but the TSA employee was very clear and professional. At no point did I feel uncomfortable.

It's a big deal if someone overdoes it and they should be called out, but it really wasn't a problem for me.

However, I was once told that signs would be prominently posted showing people they could opt out of the scan, but I found none anywhere.


DC Online Voting Halted Due to Hackers

From the Washington Post:

Last week, the D.C. Board of Elections and Ethics opened a new Internet-based voting system for a weeklong test period, inviting computer experts from all corners to prod its vulnerabilities in the spirit of "give it your best shot." Well, the hackers gave it their best shot — and midday Friday, the trial period was suspended, with the board citing "usability issues brought to our attention."

Here's one of those issues: After casting a vote, according to test observers, the Web site played "Hail to the Victors" — the University of Michigan fight song.

Whoah! E-voting not secure? Where have we heard that before!? And the best part is that it doesn't even take the vile hacker underground to do it. It's the college researchers each time.

No knock against college researchers, but for e-voting to work, it should take a vast conspiracy spanning several continents and special agents who jump from helicopters in the night to break into buildings through air ducts, not some mostly-sober frat boy. They obviously have no idea what they're doing and should stop. Now.

About the only ray of light in this whole story is that they were smart enough to challenge the public to hack them thus making their failure obvious (and therefore correctable).

E-voting will come eventually, but not now and probably not for a long time. Wait… Scratch that. It WILL come, but it won't be ready, it won't be secure, and we'll all suffer for it (like we did the last time).


Firewall Flowchart

I always recommend having a Software Firewall on your computer, but the one catch is that you have to know what to do when you get an alert. It's not very hard once you've seen it once or twice, but to help you walk through it, I've made this firewall flowchart:

Click on the image for a larger view

Just start at the green oval and answer the yes/no questions to trace your way through.
