Pelland Blog

Another Step to Protect Your Privacy

September 3rd, 2021

You might be surprised to learn how much of your personal information is readily available online, easily accessed by just about anybody, and being packaged and sold at a profit by over 100 data brokers, so-called public records providers. There are over a billion searchable public records today, and both federal and state legislation passed over the last 50 years ensures the public’s right to access. It all started with the Freedom of Information Act, signed into law in 1966 and in effect since 1967, guaranteeing that anyone can submit a public records request to any federal agency, and that agency (with few exceptions) is mandated to provide the information in a timely manner. This federal legislation was followed by similar “sunshine laws” that were passed in all 50 states, providing access to state and local public records. The public has a right to know what is going on behind closed doors with its elected officials and government agencies, but it is the access to public information regarding specific people – routinely exploited by profit-seekers who sell compiled data to marketers and others who have no business accessing your personal information – that is troublesome.

If you do a search on Google for your name, city, and state, you are likely to be shocked to see how much personal information (some of it highly inaccurate) is available with just one click, where public records are consolidated with information that you may have voluntarily provided on platforms such as Facebook and LinkedIn. You will probably find your full name and address, former addresses, family members (including births, deaths, marriages and divorces), phone numbers, email addresses, year of birth, estimated annual income and net worth, real estate and property records, property taxes, professional licenses, voter registrations, campaign contributions, court records, arrest records, prison records, sex offender registrations, bankruptcy records, educational level, general credit status, liens, and corporation and LLC records. Is that enough? About the only records that are generally off-limits are your tax returns, school transcripts, library records, health records, and juvenile court records.

How Public Records Providers Operate

If you go to one of these public records providers’ websites, you will first be asked to enter the first and last name of the person for whom you are searching, along with his or her city and state. You will then be presented with a list of results that likely include that person, along with links for “more information” or a “full report”. You will then wait several minutes while the report is supposedly being generated, teased with the categories of information that are being compiled, and presented with one or more payment or subscription options. If you are like me, you realize that public information must remain accessible, but you would like to see your personal information removed from websites that are packaging that information for profit and selling it to anybody willing to pay their fee.

If you live in California, you are in luck because the California Consumer Privacy Act (CCPA) protects the rights of California residents regarding their personal information, including the right to easily request access to or deletion of their personal information, as well as the right to demand that businesses stop selling that personal information. Whether you live in California or elsewhere, you basically need to go to the website of each public records provider and click on the link (usually at the bottom of the page) that says “Do Not Sell My Personal Information”. You will then be directed through a multi-step process that will include email or text authentication in order to be removed from that one seller’s database. (If you live in California, there will be a secondary link that will streamline the process.) Of course, there are businesses that are willing to capitalize on anything, and there are companies online that will do the work for you for a substantial fee. Two of those are DeleteMe (https://joindeleteme.com/) and OneRep (https://onerep.com/), which will provide that service for one person for one year at prices of $129.00 and $99.00 respectively.

Presuming that you would like to avoid that kind of fee and are willing to go through the process of removing your personal data from these websites yourself, here is a list of some of the major culprits, along with their removal URLs. Be aware that removals are rarely permanent: these brokers periodically re-ingest public records, so expect to repeat the process every few months, and keep a record of when and where you submitted each request:

  1. Instant Checkmate. https://www.instantcheckmate.com/opt-out/
  2. SpyFly. https://www.spyfly.com/help-center/remove-my-public-record
  3. TruthFinder. https://www.truthfinder.com/opt-out/
  4. BeenVerified. https://www.beenverified.com/app/optout/search
  5. CheckPeople. https://checkpeople.com/do-not-sell-info
  6. PeopleFinders. https://www.peoplefinders.com/manage
  7. US Search. https://www.ussearch.com/opt-out/submit/
  8. ID True. https://www.idtrue.com/optout/
  9. Spokeo. https://www.spokeo.com/optout
  10. Intelius. https://www.intelius.com/opt-out/
  11. Radaris. https://radaris.com/control/

Several additional websites do not maintain their own databases, basically repackaging the information from larger data brokers and earning a commission on sales. In those instances, getting removed from the source of the data will remove you from more than one site. Examples are the PeopleLooker, PeekYou, and PeopleSmart websites that run off the BeenVerified database, and InstantPeopleFinder that runs off the Intelius database. Then there are other companies – such as FreeBackgroundCheck.org (with a bald eagle in its logo and which at $19.95 per month is anything but free) – that seem to spit in the eyes of privacy rights. According to the FAQ page of their website: “As a courtesy (sic) we can ‘opt out’ your specific information. Contact customer support and request the procedure instructions to be removed from the database. Each individual that wishes to be opted out of must be accompanied by proof of identity and address. We will only be processing opt out requests we receive by fax or mail and no request will be processed without complete information. Requests for opt out will not be processed over the phone or via email.”

You probably already knew that we are living in a world where personal privacy rights are continually swept under the carpet, and where there are countless companies and individuals that are willing to compromise those rights through the use of dubious profit-based services. Although you may very well feel like David vs. Goliath, you can at least attempt to fight back!

This post was written by Peter Pelland

You Think It Can’t Happen to You?

July 4th, 2021

If you are aware of ongoing news events, you know about the recent online cyberattacks at big companies like Colonial Pipeline and JBS. In both instances, ransomware was involved. Colonial Pipeline reportedly paid $4.4 million in ransom, after shutting down the delivery supply of gasoline, diesel, heating oil and jet fuel across much of the eastern United States, causing a spike in prices that you have paid at the pump. In the case of JBS, the meat processing network across the United States, Canada and Australia has been affected, with the impacts being felt by consumers at grocery stores and supermarkets. It has not yet been disclosed at the time of this writing what ransom, if any, was paid by JBS, but it joins a wave of ransomware attacks against businesses and organizations since the start of the year that includes Molson Coors, E & J Gallo Wines, Kia Motors USA, and the District of Columbia Police Department. Most victims prefer to keep their companies’ identities anonymous for obvious reasons.

Lest you think that these attacks only target big businesses and our national infrastructure, think again. Also recently, a ransomware attack targeted the Steamship Authority, the Massachusetts transportation entity that runs the primary transportation network that connects Woods Hole on Cape Cod with the islands of Martha’s Vineyard and Nantucket, disabling its reservation system. You may be seeing a connection there that suggests that the tourism industry is more vulnerable than you may have imagined.

According to Cybercrime Magazine, a business will be hit by a ransomware attack every 11 seconds in 2021. The primary points of entry are vulnerable software (generally the result of a failure to apply security patches, or the installation of apps that are either insecure or intentionally contain malware) and email phishing. According to Fortinet, 1 in 3,000 emails sent to businesses that pass typical security filtering contain malware, including ransomware. The average downtime for a business that has been attacked is 19 days, and the average ransom paid is nearly $250,000.00. An attack on a small business would bring a smaller demand, but could you afford to pay $25,000.00, or to be unable to access your reservation system for days on end? A large percentage of these ransoms are covered by cybersecurity insurance, for businesses that carry that coverage. The ransoms are almost always demanded in cryptocurrency, which makes the perpetrators hard to identify, though not untraceable: Bitcoin payments are recorded on a public ledger, and in June 2021 the U.S. Department of Justice announced that it had recovered a large part of the ransom paid by Colonial Pipeline.

Although it is true that the reports that we see covered by the national news media involve larger organizations where the impacts are more broadly disruptive, smaller businesses are generally far more vulnerable and even more likely to be targeted. The recent surge in employees working from home, where security standards are usually less stringent, has also contributed to the proliferation of attacks. The smaller your company, and the more personally associated you are with that business, the easier a target you are. Since the start of this year, data scraped from more than 500 million Facebook accounts, and from hundreds of millions of LinkedIn profiles, has been posted for sale or given away on criminal forums; if you are one of the hundreds of millions of people with an account on either platform, assume that your name, address, email address, phone number and more are now in circulation. There is a direct connection between these data dumps and the phishing emails and scam phone calls that you receive.

One common point of entry in recent weeks has been email that allegedly comes from your email service provider, claiming that your email account has been put on hold pending some sort of “verification”. While writing this, one of my clients forwarded me one such email that she had just received. The “verification” link was a cryptic 200-character URL based in India. How many people, through either carelessness, naivety, or a sense of panic over the thought of losing their email access, will click on those links?

Email service providers are getting far more vigilant about trying to stop malicious emails before they reach your inbox, but it is a frustratingly endless task. Users get upset if legitimate emails they either send or receive are falsely flagged. One of the large email service providers that my company uses for many of our clients’ email accounts found itself blacklisted by Microsoft about a month ago, after a single user had sent out an email with malicious content. As a result, thousands of subsequent legitimate messages were not reaching their intended recipients with either Outlook or Hotmail email addresses. Then yesterday, an email account for one of our clients was automatically disabled after she had sent out an email to a couple of hundred seasonal campers with a Microsoft Word document attached, a risky violation of typical email terms and conditions. She was unaware that Word documents are frequently used to harbor malware and that this would trigger a red flag.
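The two ways a Word attachment most often carries malware are an embedded VBA macro project and an external “attached template” that Word fetches from a remote server when the file is opened. Both leave a structural trace inside the .docx/.docm package (which is a zip file), so a mail gateway or a cautious recipient can spot them without opening the document. The following is an added example, not code from the original post or from any email provider mentioned in it; the sample packages it builds are constructed, minimal stand-ins rather than real documents, and the relationship URI it checks is the standard Office Open XML one.

```python
"""Inspect an Office Open XML (.docx/.docm) package for the two most common
malware carriers: an embedded VBA macro project and an external attached
template. Added example; not code from the original post."""
import io
import re
import zipfile
from typing import List, Optional

# Standard OOXML relationship type that Word uses for an attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def inspect_office_package(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not an OOXML package (not a zip file)"]
    names = zf.namelist()

    # 1. A VBA project storage anywhere in the package means macros are present.
    for name in names:
        if name.lower().endswith("vbaproject.bin"):
            findings.append(f"embedded VBA macro project: {name}")

    # 2. An attached template with TargetMode="External" is fetched over the
    #    network at open time (remote template injection).
    rels_name = "word/_rels/settings.xml.rels"
    if rels_name in names:
        rels = zf.read(rels_name).decode("utf-8", "replace")
        for match in re.finditer(r"<Relationship\b[^>]*>", rels):
            tag = match.group(0)
            if ATTACHED_TEMPLATE in tag and 'TargetMode="External"' in tag:
                target = re.search(r'Target="([^"]*)"', tag)
                findings.append("external attached template: "
                                + (target.group(1) if target else "?"))
    return findings


def build_sample(macro: bool = False, remote_template: Optional[str] = None) -> bytes:
    """Construct a minimal package in memory (constructed test data, not a
    real Word document; only the parts the inspector looks at are present)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Only the OLE compound-file magic bytes; enough for the name check.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
        if remote_template:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships><Relationship Id="rId1" '
                f'Type="{ATTACHED_TEMPLATE}" Target="{remote_template}" '
                'TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [("clean", build_sample()),
                          ("macro", build_sample(macro=True)),
                          ("remote", build_sample(remote_template="http://example.com/t.dotm"))]:
        print(label, inspect_office_package(sample) or "no findings")
```

The check is purely structural: it says that a document can run code or reach out to the network, not that it is malicious, and some businesses do legitimately exchange macro-enabled files. The practical rule for a small business is the one mail providers apply: treat any attachment that triggers either finding as untrusted unless the sender and the purpose are both expected.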

In other instances, we have clients who ask us to set up email accounts for every new employee, typically designating a weak password to be used. We reluctantly follow instructions, but include a link to Security.org’s HowSecureIsMyPassword.net website, which can show that the designated password could be cracked by any computer in a day or less.

When it comes to employee email accounts, the questions you should ask yourself are:

  1. Does this employee actually need his own email account?
  2. Are you prepared to pay the costs and disruption to your business if your network is breached as the result of using a weak password?
  3. Are you prepared to pay a ransom because a minimum wage employee with little or no training in cybersecurity standards clicks on a malicious link?
  4. Do you give every employee a key to your front door and access to your cash register?

Ignoring these concerns comes at your own peril. Would you leave your car unlocked on a city street, maybe with the windows open, and maybe even with the keys left on the seat? If your car were stolen, you would only have yourself to blame; however, if the car was then used to intentionally drive into a crowd of people, you would be guilty of criminal negligence. Another example would be somebody working the night shift at a convenience store, having a handgun for security and leaving it on the counter. That would be an invitation for an armed robbery and potential injuries or deaths.

If you would never think of doing anything as careless as either of those two examples, why would you use a weak password, or use the same password for multiple purposes? Using the same password to access more than one email account or online application is like leaving those keys on the seat of your unlocked automobile, except that the key ring includes the keys to every other vehicle that you own, the front door to your office, and the front door to your home. You think it can’t happen to you? Think again!

This post was written by Peter Pelland

It’s Okay to Be Antisocial

March 11th, 2021

Let me be the first to admit that I am guilty. It was not that long ago that I was presenting seminars and writing how social media advertising – Facebook, in particular – was the greatest new development since the Internet itself. As recently as four years ago, I was offering suggestions on how to beat Facebook at its own game, using guerilla marketing techniques on the platform. Sure, we all recognized that the intrusions into our personal privacy were a bit creepy, but the ability to reach targeted marketing prospects seemed to be worth the compromise. After all, when I was a child watching television in the 1950’s, Captain Kangaroo would seamlessly segue from visiting with Bunny Rabbit and Mr. Moose to selling Kellogg’s Rice Krispies and Schwinn Bicycles, and what was wrong with that? Actually, there was plenty wrong with it, prior to a Federal Trade Commission (FTC) ruling in 1969 that prohibited children’s show hosts from directly promoting commercial products.

In the beginning, Facebook (whose direct predecessor was a site called Facemash) seemed to represent little more than an awkward attempt by nerdy Harvard undergrads with a lack of actual social skills to meet young women at neighboring colleges. When you think about it, even that original concept (an extension of the sexist freshman photo books that had been sold on college campuses for decades) violated the personal privacy of the young women whose photos were being used. From that start, it did not take long for Facebook to reinvent itself into a money making machine that would be built upon ever-increasing exploitations of personal privacy.

On a personal level, I stopped using Facebook in its entirety in early September of 2020. I actually experienced what I would describe as a 7 to 10 day period of withdrawal, missing the ability to stay in daily touch with countless friends both old and new, but my sense of newly discovered freedom afterward was absolutely refreshing. Over the course of the 10 years or so when I remained active on the platform, I would often joke about how Facebook would “coincidentally” show me advertising that was related to one of my recent posts or comments. When I, along with millions of other people, started using ad blockers, Facebook started showing paid posts in lieu of paid advertising. These paid posts represent advertising content that is being disguised as editorial comment, even when that advertising is originating with foreign governments or other unscrupulous characters. The only way this can happen is by Facebook’s algorithms monitoring every word that you type, just as craftily as the National Security Agency (NSA) monitors the telephone conversations of known terrorists.

What made me see the light was when I realized that Facebook’s business model was designed to amass huge profits by intentionally sowing discord among its subscribers. Regardless of where a person falls within an increasingly polarized political spectrum, Facebook will show that person paid content that pours fuel on the fire while demonizing those with opposing viewpoints. By being fed a one-sided diet that is often based upon disinformation, subscribers’ opinions and beliefs are reinforced in a manner that continually enhances the polarization. It should not require an insurrectionist attack upon the U.S. Capitol for reasonable people to understand that this represents a rapidly accelerating downward spiral.

Let us be clear that Facebook advertising is not a bargain. In the early days, businesses would pay to advertise on the platform in order to get users to “like” their page and then see their posts. Soon afterward, advertisers needed to pay Facebook so that even people who had already “liked” their page could actually see their posts. Think about it. This means that you are paying Facebook so you can reach your existing customers. Why would anybody pay to do that when there are countless alternate means of reaching your existing customer base at a far lesser cost? In the campground industry, some of the same people who willingly pour money into Facebook advertising question the rationale for offering Good Sam and similar discounts that they feel cut into thin profit margins. I would rather offer a customer incentive than to take that same money and pour it into Facebook’s coffers.

Yes, Facebook and the other social media may be capable of sending you customers, but at what price and in what environment? If a drug dealer approached you and said, “Yes, my main business is selling heroin, but I can also send you customers”, would you do business with that person? I doubt that many of us would enter into that sort of deal with the devil.

The Federal Trade Commission (yes, the same people who ruled that Captain Kangaroo should not be hawking breakfast cereal) is currently proposing the breakup of Facebook, a process that is long overdue. Facebook has steadily grown – with the acquisition of Instagram, WhatsApp and related platforms – and a breakup of its monopoly would be the first such action since the breakup of AT&T four decades ago. Many of my peers in the advertising industry will disagree with me, and I welcome that debate. I remember the days when tobacco products were extensively advertised on television, a practice that contributed to countless deaths. Today, I believe that many other types of advertising should be banned because they either mislead consumers or actually prey upon vulnerable segments of our population, typically the elderly. These include the advertising of prescription pharmaceuticals, advertising by class-action attorneys (think “mesothelioma”), advertising directed at children (think about Saturday mornings), and advertising directed at senior citizens (think about Medicare supplements and the aforementioned pharmaceuticals). In the meantime, it is your decision as a small business owner to decide whether or not to continue financing a business model that you may agree is inherently wrong.

This post was written by Peter Pelland

Beware the “Sextortion” Scam: A New Form of Cybercrime Making the Rounds

October 28th, 2018

Most people realize that the ultimate in cyberwarfare would be for one country to take down the power grid, telecommunications network, financial industry, or military and defense networks of a hostile country. There is no doubt that the United States, Russia, China and other countries maintain this capability but wisely withhold use of this “nuclear option” in cyberwarfare, although there have been instances where the waters have clearly been tested. As has been recently demonstrated, cyberwarfare tends to take a much more subtle and individualized approach, exploiting weaknesses in things like social networks and ballot tabulations. The same sort of approach, where individuals are targeted, is generally practiced in cybercrime, the aggressive bully that is the awkward little stepbrother of cyberwarfare.

Cybercrime takes a variety of forms but generally targets either individuals or individual companies. Small businesses, where there is often only a subtle distinction between a business and its owners, can be particularly vulnerable. In most instances, the criminal activity exploits weaknesses in the security practices of the target. These weaknesses include the failure to apply software patches and updates, insecure office practices, and the use of weak, old, or reused passwords. The results include the easy entry of computer viruses and malware that can turn a computer into a bot on a criminal network or install ransomware that will hold a computer and its files hostage. The same weaknesses lead to the proliferation of phishing attempts and other email and telephone scams where the senders or callers impersonate trusted companies in an attempt to obtain passwords, sensitive information like social security numbers, your credit card numbers, or remote access to your computer.

One of the latest trends in cybercrime exploits a combination of known hacks and personal fears and anxieties. As most of us know, a number of major websites have been hacked in recent years, some instances more widely publicized than others. The ultimate victims are the individuals whose personal data has been breached and compromised. The term “pwned” originated in early online gaming as a typographical error in the word “owned”. If you have been “pwned”, it means that your personal information is now “owned” by others. To see if your personal data has been “pwned”, visit the “Have I Been Pwned?” website (https://haveibeenpwned.com/) and enter your email address. At the time of this writing, its database lists 296 breached websites with over 5 billion accounts compromised. Some of the sites listed include Adobe, Ancestry, Avast, Comcast, Dropbox, Exactis, Experian, Forbes, Kickstarter, LinkedIn, MySpace, River City Media, Snapchat, Ticketfly, tumblr, and Yahoo. You have probably used at least one of these, so it is very likely that some of your personal information is already in circulation. In my own instance, my email address has been compromised in 10 of these major hacks, most recently the Exactis hack in June 2018. That recent hack disclosed credit status information, dates of birth, email addresses, income levels, marital statuses, names, phone numbers, physical addresses, and much more from 340 million personal data records.

Stolen passwords are then readily exchanged, sold, or even made freely available on a number of forums and so-called “pastes”, utilized by cybercriminals who are well aware of the human tendency to reuse usernames (many simply the users’ email addresses themselves) and passwords across a variety of websites; this is the basis of “credential stuffing”, where a list of leaked email and password pairs is simply replayed against other sites. Security breaches like the LinkedIn and Dropbox hacks go back to 2012, and Yahoo’s to 2013. Although savvy Internet users will have changed their passwords on those sites long since then, if those same passwords were used on other websites, the vulnerability remains. More recent hacks expose passwords that are currently in use. The lesson is less about changing passwords on a fixed schedule (NIST’s 2017 guidance in SP 800-63B actually advises against forced periodic rotation, because it pushes people toward predictable variations of the same password) than about using a different password for every site, and replacing any password the moment the site that holds it reports a breach.
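The same “Have I Been Pwned?” service also lets you test whether a specific password appears in the leaked lists, without ever sending the password itself: the client hashes it with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix in that range, and does the comparison locally (the “k-anonymity” model). The following is an added example, not code from the original post or from the service; the live endpoint URL and the “Add-Padding” header are the service’s real ones, but the range response used here is constructed so that the example runs offline (the suffix for “password” is its real SHA-1 suffix; the counts and neighbouring suffixes are made up).

```python
"""Pwned Passwords k-anonymity check. Added example; not code from the post.
The live endpoint is https://api.pwnedpasswords.com/range/<5-hex-prefix>;
a fetch function is injected so the demonstration runs offline."""
import hashlib
from typing import Callable, Dict, Tuple


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Only the 5-character prefix ever leaves the machine."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the service returns CRLF-separated text).
    With Add-Padding, fake entries with a count of 0 are mixed in so that
    response size does not reveal which range was requested."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch: Callable[[str], str]) -> int:
    """Return how many times the password was seen in breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the service (test data, not a real response).
_FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"   # "password"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
             "003D68EB55068C33ACE09247EE4C639306B:0\r\n",        # padding entry
}


def fake_fetch(prefix: str) -> str:
    # Unknown prefixes get a range that contains no matching suffix.
    return _FAKE_RANGES.get(prefix, "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n")


def live_fetch(prefix: str) -> str:
    """Network lookup against the real service (not used offline)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "kittenfaucetmaplemagnet"):
        print(candidate, "->", pwned_count(candidate, fake_fetch), "breach hits")
```

Swap `fake_fetch` for `live_fetch` to query the real service. A non-zero count is a hard stop: that password is in the attackers’ dictionaries regardless of how long a strength meter says it would take to brute-force.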

With this combined background information in mind, you will understand how I felt both alarmed and violated when I received an email one evening back in July that made it past the Gmail spam filter. The subject line included a username and password combination that I frequently used 10 or 15 years ago, indicating that somebody had gained access to my personal information, even though it no longer represented valid credentials. The email had successfully caught my attention and, at first glance, seemed like there could be cause for concern. It went on to allege that a visit to pornographic websites led to the installation of remote access and keyboard logging software on my computer that gave the hacker complete access to my email and social media address lists, as well as my computer’s microphone and camera. Cutting to the chase, the sender was threatening to send a compiled split-screen video of the sites I had visited, along with my “interactions” with those sites, to my friends and family members as allegedly compiled from access to my computer. The only way to prevent this from happening was to pay $3,200.00 in Bitcoin (a cryptocurrency that is popular with online thieves) using a key that was provided.

The facts that I do not spend my time visiting pornographic websites, do not have either a camera or microphone installed on my computer, would immediately know if somebody had remote access to my computer, my passwords are highly secure, and Trend Micro Maximum Security software shows that my computer is free of any malware, spyware or viruses, still left me feeling personally violated. The following morning, I spoke with an agent at the Federal Bureau of Investigation’s Boston field office who told me that this extortion scam had been circulating quite widely throughout the month of July 2018. (In fact, I found a variation in my spam folder a couple of days later, with this second thief only seeking $250.00 in Bitcoin.) The agent also told me that there were people who reported receiving variations that were sent through the mail. I also have friends and clients who told me that they have received the same sort of email during the same time period and as recently as last week. I went on to file an online complaint with the FBI’s Internet Crime Complaint Center, commonly referred to as the IC3. There is also a page on the Krebs on Security website that outlines the “Sextortion” scam and currently includes nearly 1,000 comments from people like me who have received the emails and are trying to warn others against falling victim.

The lessons to be learned are to:

  • Be aware that your personal information has been stolen, probably on multiple occasions.
  • Expect that your personal information can be used in extortion attempts.
  • Minimize vulnerabilities on your computer and run up-to-date security software.
  • Never trust any email that sets a deadline or seeks payment in cryptocurrency.
  • Never make an extortion or ransom payment.
  • Notify legal authorities if you are a victim.

It is challenging enough running a small business these days. Nobody needs to waste time, worries, or money with the perpetrators of online scams, who are going to continue to evolve into using more creative and credible formats.

This post was written by Peter Pelland

Securing Your Digital Identity

June 25th, 2018

In recent months, I have been taking the 10 Steps for Securing Your Digital Identity seminar – that I first presented at the National ARVC Outdoor Hospitality Conference & Expo in Raleigh in 2017 – on the road, with presentations before several state association meetings. The information in the seminar, drawing parallels between the 2017 Equifax security breach and the risks that face small businesses like yours and mine, seems to continually grow timelier with each presentation.

Equifax has admitted that more data was compromised than was originally disclosed, the Internal Revenue Service (which cancelled a no-bid contract with Equifax) urged taxpayers to file their returns as early as possible in 2018 because a stolen identity can lead to a stolen tax refund, and Facebook admitted that it profited from personal data that was exploited by Cambridge Analytica for nefarious marketing purposes. That latter instance forced Facebook CEO Mark Zuckerberg to uncomfortably don a suit and tie, and led to the May 1, 2018 announcement by Cambridge Analytica that it was shutting its doors and initiating bankruptcy filings in both the United Kingdom and the United States.

Some people have suggested disconnecting from the Internet and deleting their social media accounts. The former suggestion is highly impractical in today’s interconnected world, and the latter suggestion – perhaps laudable – is unnecessary if some common sense precautions are exercised. Let me share just two of the highlights from my seminar that will help you to secure your digital identity.

Passwords

There is no easier way to ensure that your identity will be compromised than by using weak passwords, the same password for more than one account, or a password that you have not changed since the sun started rising in the East. A weak password is like the old skeleton keys that could open every door in the neighborhood when I was a child. If you think that your password is secure, you can quickly test its strength online at https://howsecureismypassword.net/. You do not want a password that can be cracked in seconds, minutes, days, weeks, months or even years, but a password that would require millions, billions or trillions of years to crack. Bear in mind that such a meter only estimates how long a brute-force search of every character combination would take; a password that already appears in a breach list, or a dictionary word with predictable substitutions, will fall in seconds regardless of what the meter reports. I recommend tools that generate secure random passwords, such as the one at https://passwordsgenerator.net/ (or, better still, the generator built into a password safe, so the password never passes through a web page), where secure passwords typically consist of a minimum of 16 characters that mix upper and lower case letters, numbers, and special characters.

Another option is to use four totally random and unrelated words in succession, such as kitten, faucet, maple, and magnet: kittenfaucetmaplemagnet. According to the online test, that example would take 277 trillion years to crack. That figure assumes an attacker guessing letter by letter; an attacker who knows that the password is built from dictionary words and guesses whole words at a time faces a far smaller search space, so the words must be genuinely random, and a fifth or sixth word adds a worthwhile margin. The only problem is that most of us find it difficult to think in such a random manner, which is exactly why the words should come from dice or a generator rather than from your own head. Done that way, the result is a highly secure password that is still relatively easy to enter into a keypad. The most common complaint even then is that secure passwords are difficult to remember.
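The arithmetic behind “years to crack” is simple enough to check yourself, and it shows why the two attacker models above give such different answers for the same passphrase. The following is an added example, not code from the original post or from either website named above: it generates passphrases and random passwords with a cryptographic random source, computes their entropy in bits, and converts that to an expected cracking time at an assumed guess rate. The 16-word list is a constructed stand-in (a real Diceware-style list has 7776 words, which is the size used for the wordlist-attack figure), and the 10 billion guesses per second rate is an assumption, not a measurement.

```python
"""Passphrase and password generation with the entropy arithmetic behind
'years to crack'. Added example; not code from the original post."""
import math
import secrets
import string

# Constructed mini word list for the demonstration only; a real Diceware-style
# list (e.g. the EFF large list) has 7776 words, giving log2(7776) ~ 12.9 bits
# per word. Entropy per pick is log2(number of equally likely choices).
WORDS = ["kitten", "faucet", "maple", "magnet", "river", "copper", "lantern",
         "orbit", "velvet", "saddle", "pepper", "canyon", "marble", "tulip",
         "anchor", "button"]
DICEWARE_SIZE = 7776
SYMBOLS = string.ascii_letters + string.digits + string.punctuation   # 94 characters


def generate_passphrase(wordlist, words: int = 4, sep: str = "") -> str:
    """Pick words with secrets.choice (a CSPRNG), never from memory."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def generate_password(length: int = 16, alphabet: str = SYMBOLS) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent picks from `choices` options."""
    return length * math.log2(choices)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    seconds = (2.0 ** bits) / 2.0 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_attacks(rate: float = 1e10) -> dict:
    """The post's example 'kittenfaucetmaplemagnet' under two attacker models,
    plus a 16-character random password for comparison (assumed guess rate)."""
    example = "kittenfaucetmaplemagnet"
    brute = entropy_bits(26, len(example))       # letter by letter, lowercase only
    wordlist = entropy_bits(DICEWARE_SIZE, 4)    # attacker guesses whole words
    return {
        "brute_force_bits": brute,
        "brute_force_years": years_to_crack(brute, rate),
        "wordlist_bits": wordlist,
        "wordlist_years": years_to_crack(wordlist, rate),
        "random16_bits": entropy_bits(len(SYMBOLS), 16),
        "random16_years": years_to_crack(entropy_bits(len(SYMBOLS), 16), rate),
    }


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(WORDS, 4, " "))
    print("password:  ", generate_password())
    for key, value in compare_attacks().items():
        print(f"{key:>18}: {value:,.3f}")
```

Against a letter-by-letter search the 23-letter passphrase is around 108 bits and effectively uncrackable, which is where the meter’s “trillions of years” comes from; against an attacker guessing four words from a 7776-word list it is only about 52 bits, which at the assumed rate falls in days. That gap is the reason to use five or six words and to pick them at random, and it is why a 16-character random password from the full 94-character set (about 105 bits) remains the stronger choice wherever it does not need to be typed.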

The solution is to use one of several available password safes, including LastPass, Dashlane, and Keeper. These all work with Windows, Mac, iOS, and Android operating systems, have plugins for popular browsers, include two-factor authentication, offer fingerprint login on mobile devices, and have free versions which are usually all that you need. You only need to remember one highly secure master password. Even if that master password were somehow guessed or stolen, two-factor authentication still stands between an attacker and a login to your account; it does not, however, protect an encrypted copy of the vault that has already been taken from a device or from the vendor’s servers, which is why the master password itself must remain strong. If somebody attempts to log into my own password safe (which has happened more than a dozen times from hackers around the globe), they would have to know my master password (good luck!), then – because they would be logging in from an unrecognized device or IP address – they would also need to steal my phone AND know how to unlock that device in order to enter the two-factor authentication.

Software Updates

The massive Equifax security breach was the result of the company’s failure to install a patch for the widely used Apache Struts open-source web framework in a timely manner. The Apache Software Foundation publicly disclosed and patched the vulnerability (CVE-2017-5638, a remote code execution flaw in Struts’ file-upload handling) on March 7, 2017, issuing a subsequent patch three days later. Equifax failed to apply those urgent security patches for at least two months, resulting in a hack that compromised the personal data of roughly 147 million consumers, a majority of American adults, including at least 209,000 credit card numbers. Offering free identity theft protection and credit card monitoring service is a poor substitute for basic responsibility. In the fallout, Equifax’s CEO was forced to resign, its stock value plummeted by over 30% almost overnight (only recovering half of that loss at the time of this writing), it lost that multi-million dollar no-bid contract to provide taxpayer identity services for the IRS, and the company’s name is now almost always followed by the words “security breach.”

What are the lessons to be learned by your small business? First and foremost, it is critical to run the latest operating system and updates on all of your computers and mobile devices. If you are running a Windows computer, this means running the latest version of the Windows 10 operating system. Microsoft’s support for Windows Vista ended on April 10, 2012; support for Windows 7 ended on January 13, 2015; and support for Windows 8/8.1 ended on January 9, 2018. If you are running any of those operating systems, your computer and the files that it contains are at high risk. It is also important to be running the latest version of Internet browsers, such as Chrome, Firefox, Edge, and Safari; plug-in software such as Adobe Reader, Adobe Flash Player, and Java; and a reliable anti-virus software suite from companies like Avast, Trend Micro, Webroot, or Bitdefender.

Hack attacks are continuous and ongoing, seeking out vulnerable passwords and vulnerabilities in software. Without taking basic precautions, you could become the next victim of identity theft, be subjected to ransomware demands, have your credit card information stolen, or compromise the personal information of every one of your customers. The resulting impact could be devastating for your business. The days are long past when any business, large or small, could afford to take anything less than a vigilant stance when it comes to securing its digital identity.

This post was written by Peter Pelland

Keep Your Passwords Secure

November 26th, 2017

If you attended my “10 Steps for Securing Your Digital Identity” seminar at the 2017 Outdoor Hospitality Conference & Expo, you learned that my lead segment involved the importance of keeping your passwords secure. Passwords have been around since ancient times, when the first sentry asked “Who goes there?”, becoming essential for admission to a speakeasy during Prohibition, and playing a vital role in military security during World War II.

When I was growing up in the 1960s, the doors to our house had old mortise locks and keys that gave our family a sense of security. I recall that the logic when the doors were locked at night was to keep the key turned 90 degrees in the keyhole on the inside of the lock, under the presumption that this would prevent a thief from inserting a key into the outside of the lock and gaining entry. Of course, if somebody got locked inside, we knew that it would only take a couple of minutes to jimmy the key out of the lock. When we were away from home, the key came with us, leaving the lock even more vulnerable.

If a key got lost or broken, we simply walked to the neighborhood hardware store (yes, they existed back then!) and bought a skeleton key for 50¢ that would probably open every lock in our house, including the outside entry doors, as well as the locks on most every other house in the neighborhood. It is no wonder that we relied on neighbors to keep an eye on our houses back then. Sadly, many people today do not even know the names of their neighbors.

Nowadays, passwords are almost exclusively associated with computers and Internet security, and a lame password is essentially the equivalent of a skeleton key. Like those families sleeping soundly behind the security of a mortise lock, a majority of computer users think that their passwords are securely protecting their accounts from getting hacked.

Before I go any further, I would like you to test one of your passwords. Go to this URL and enter your password: https://howsecureismypassword.net/. As an example, I just tested “JBDayton62”, which is exactly the type of password that many people use, so falsely confident in its security that they use it on every account that requires a password. According to the test, a computer could crack this 10-digit password in only 8 months; however, anybody who researched the Internet and social media and already knew that John Brown was born in Dayton, Ohio in 1962 could crack this password in no time flat. If a password is convenient to remember, it is easy to crack!

What Constitutes a Secure Password?

Quite simply, for a password to be secure it should consist of a minimum of 16 characters; never contain a word or a combination of words found in the dictionary; never contain the names of family members, friends, pets, sports teams, and the like; and be made up of a random combination of uppercase letters, lowercase letters, numbers, and special characters. You can also often use spaces in passwords, although it is unfortunate that many websites still prevent users from choosing truly secure passwords, by precluding the use of special characters, for example.

The next rule is to always use a unique password for each and every site, and then to change each password on a routine and frequent basis. Apply even stricter standards for sites that provide access to highly secure information, such as your online banking or the IRS’s Electronic Federal Tax Payment System (EFTPS) website. The time to change your old, reused, vulnerable, weak, or compromised passwords is now, not next week or “when you get around to it.”

Before you naively presume that nobody is out there trying to crack your password, consider the fact that password cracking software is readily available online for use by hackers (and occasionally by companies that are on the lookout for weak passwords being used by employees). Those programs include L0phtCrack, Cain, and John the Ripper … all designed to crack passwords (and sometimes credit card numbers) using brute force, dictionary attacks, rainbow tables, and other means.

How to Create a Secure Password

Never trust yourself to generate your own secure password. Our brains are simply not programmed to think randomly, and any password that makes sense to you is easy to crack. Some people even think that including a foreign-language word in their password will make it secure, perhaps presuming that hackers only reference English language dictionaries (even though English may be far from their native languages). My recommendation is to use a secure online password generator such as the Secure Password Generator: https://passwordsgenerator.net/

The Secure Password Generator will allow you to choose any length of characters (from 6 to 2,048) and choose the types of characters that will be allowed (or excluded, if a site does not permit certain characters), then generate it on your own computer.

How to Store Your Passwords

Once you generate a highly secure password, keeping it written down on a sheet of paper or in a Word document on your computer is like leaving the keys for Fort Knox at a lost and found counter. You need a way to store and access your passwords safely, relatively easily, and securely. I recommend the use of a password safe. Three of the best are LastPass, Dashlane, and Keeper.

LastPass – https://www.lastpass.com/
Dashlane – https://www.dashlane.com/
Keeper – https://keepersecurity.com/

All three work with Windows, Mac, iOS, and Android operating systems; have plugins for popular browsers; include two-factor authentication; include form-filling; offer fingerprint login on mobile devices; and have free versions.

The idea with a password safe is that you have only one highly secure master password to remember. Thanks to geolocation, if you log in to your account from an unfamiliar IP address, the two-factor authentication will kick in, requiring you to confirm your identity before being allowed access. In my own instance, 12 attempts to log in to my account over the last 6 months have been thwarted – 3 from Vietnam, 2 from China, 2 from Brazil, and one each from Argentina, Georgia, Ukraine, The Philippines, and the United States (North Carolina). Do not think for a moment that there are not people out there actively trying to hack into your accounts. They are out there and they are everywhere.

Access to our personal data is far too important to be left to chance, and I am hoping that this article might help to open the eyes of a few disbelievers. People who are ahead of the curve when it comes to planning are already taking measures to ensure the longevity of access to their data, even as new biometric methods such as fingerprint and iris recognition are coming into play. According to a survey taken by the University of London and cited in Wikipedia, one in ten people are now including password access or recovery information in their wills. My best advice is to think toward the future, but to start changing your way of thinking today.

This post was written by Peter Pelland

The Equifax Security Breach: Your Response

October 22nd, 2017

Update, July 29, 2019: The following post was written about the Equifax security breach when it first came to light back in October of 2017. The wheels of justice often turn very slowly; however, in an agreement reached on July 22, 2019, Equifax has agreed to a $700 million settlement that includes $425 million that has been set aside as compensation for the 150 million people affected. You were probably one of the 150 million, now entitled to compensation. If you are unsure whether or not your data was compromised, click here to determine your eligibility to participate in the settlement:
https://eligibility.equifaxbreachsettlement.com/en/eligibility

Presuming that you were affected, it will take all of 5 minutes of your time to submit a claim for a minimum $125.00 settlement payment following this link:
https://www.equifaxbreachsettlement.com/file-a-claim

Every so often, a truly important news story breaks into the public consciousness through an information overload that seems more and more obsessed with partisan issues, celebrity news coverage, and YouTube videos gone viral. One of these recent stories involved the unfolding cybersecurity breach at Equifax, one of the three American companies that compile the personal information that determines your credit-worthiness, your ability to obtain a loan, and the interest rate that you will pay for that privilege.

Of course, a legitimate question could be asked regarding what gives Equifax, Transunion and Experian the right to gather hyper-sensitive personal and financial information on every American citizen alive today. We have certainly come a long way from the idealized days of George Bailey and the Bedford Falls Building and Loan, when financial decisions were local and finalized with a handshake. In our modern times, it would seem that the minimum responsibility on the part of credit reporting agencies would be to maintain iron-clad security standards to prevent our personal information from falling into the hands of malevolent third parties.

In the recent Equifax incident, the personal security information of 143,000,000 Americans was compromised. According to the Federal Reserve Bank, there are only about 125,000,000 households in the United States. Without question, you were personally impacted. Essentially, the names, addresses, dates of birth, social security numbers and more for virtually every adult citizen in the United States were compromised. In addition, investigations have disclosed that credit card numbers of 209,000 individuals were hacked, along with personal identification numbers (PINs) for another 182,000 consumers.

According to testimony prepared for a House Energy and Commerce Committee hearing, Equifax CEO Richard Smith admitted that the breach was the result of a failure to apply a software update, despite warnings from the Department of Homeland Security, followed a day later by a warning from the company’s own security team. The company’s policy was to apply such patches within 48 hours, but this failed to happen. The patch was designed to repair the vulnerability in the open source Apache Struts software that the company was using in one of its systems. Even following the company’s internal software policies, hackers would have had three days to exploit that vulnerability – a virtual lifetime in the world of hackers. The Apache Software Foundation had issued a patch for the flaw in March, two months before hackers began accessing sensitive information on Equifax’s servers on May 13. Clearly, Equifax had no excuse for its failure to have taken immediate corrective measures.

This all occurred two years after a similar, but smaller, security breach occurred at Experian, compromising “only” 15,000,000 Americans. What did the credit reporting industry learn over that time? Apparently how to wait months before reporting the incident, while providing an opportunity for three top Equifax executives to unload $1.8 million worth of company stock, after the breach was discovered but prior to its announcement. It also forced Smith to resign, albeit with an over $90 million golden parachute, according to Fortune Magazine.

The impacts of the Equifax security breach upon individuals have been well-documented, including advisories to subscribe to free credit monitoring services, change all of your passwords to unique strings of characters that are more difficult to crack, to pay to freeze reports on your credit (only unfreezing the reports in specific instances, such as when applying for a loan), and to join into one or more of the class action lawsuits against the company. As a small business owner, on the other hand, what measures should you take to ensure that you are safeguarding the information of your customers to the best of your ability? There is no question that international cybercriminals tend to pursue the larger and more lucrative targets; however, every business that conducts business online (not necessarily through its website, but through any Internet-based transactional application) is vulnerable and bears a responsibility for protecting its customers.

The Federal Trade Commission offers a series of five areas of recommendation for how businesses should handle their customers’ personal information.

  • The first is an assessment of how your company handles personal information that is gathered from a variety of sources, including credit reports, employment applications, and customer-provided data. How is it delivered to your business, how broadly is it accessed within your company, and how and where is it stored? A particular area of concern is the processing of credit cards. Above all else, cybercriminals are looking for credit card information, social security numbers, and banking information. There is no reason for most businesses to maintain records of that information in any form.
  • Stop gathering information that you do not need. With the exception of very specific matters including employee tax accounting, there is no reason to ever ask for anybody’s social security number. Do not maintain records of credit card numbers. Those should only be gathered through a secure point of sale terminal or via a secure online payment gateway, where you do not actually see the number, its expiration date, or the security code. Never ask people to provide that information via email, and discourage the common practice of taking that information over the phone. “We’ve always done things this way” is no longer an excuse.
  • Keep all physical and electronic records secure. Paper records and backup files should be stored in locked rooms or file cabinets, with limited employee access to a limited number of keys. Electronic files should be encrypted and password-protected. Individual computers should be password protected, put into password-protected sleep or screen saver mode when left unattended, and shut down at the end of each business day. Scan the computers on your network for vulnerable open network services. For example, if a computer is not intended to be used for the sending or receipt of email, the ports for those services should be closed on that computer. Every computer should also be running real-time anti-malware and anti-virus software that includes scans of incoming email messages for malicious content that might be disguised as routine file attachments. Never allow an employee who is untrained in basic security precautions to access and open email messages.
    A highly secure password is almost worthless if an employee is allowed to write it down on a Post-It Note, typically attached to his computer monitor. Educate employees (and yourself!) on the importance of password security, use a “password safe” application with a highly secure master password, and lock out users after a limited number of incorrect login attempts on any computer and any online application. Laptops and mobile devices are particularly vulnerable due to their portable nature. They should never be left where they would be even momentarily visible to thieves, and their access to secure information should be carefully limited. Using unsecured Wi-Fi access at airports and other public places is an extremely risky practice.
  • Always maintain proper disposal practices. We have all heard the old adage about one man’s trash being another person’s treasure. That was never as true as it is today. Paper records and disposable electronic media containing sensitive data should never go into the trash. These need to be run through cross-cut shredders or incinerated. When disposing of old computers and storage devices, all data must first be removed with a data wiping utility. Simply deleting files leaves them recoverable by a thief. Did you realize that your office copier or fax machine contains a hard drive that stores its data? That data probably includes copies of your tax returns, and that data also needs to be wiped prior to the disposal of any such device.
  • Finally, maintain a response plan in the event of a security breach. If a computer is compromised, immediately disconnect it from Internet access, remove it from your network, and then shut it down. Bring in an expert to identify and correct the vulnerability and assess any threats to personal information. If there have been compromises, immediately notify your customers and anyone else who may have been impacted by the breach of security. Do not repeat the Equifax mistake of hiding disclosure for months.

This is a brief summary of what occurred in the recent Equifax security breach, how you should react to that breach, and some of the measures that you should implement to tighten the security standards at your own business. If you would like to learn more, be sure to attend the “10 Steps for Securing Your Digital Identity” seminar that I will be presenting at the Outdoor Hospitality Conference & Expo, in Raleigh, on November 8, 2017.

This post was written by Peter Pelland

It’s Never Too Late to Start Guarding Your Privacy

May 10th, 2017

I logged onto Facebook this morning, and I was immediately presented with a sponsored display ad hawking a t-shirt design that read, “Never underestimate an Old Man who listens to Neil Young and was born in September.” If I were naïve, I would see that ad and think, “Wow! This is my perfect t-shirt”, then order one. In the short time in which this ad has been displayed, it has been “liked” by 480 people, shared by 182 people (multiplying its reach at no charge to the advertiser), and has received 61 comments. Every one of those comments is from a man who confirms that he was born in September (usually adding a year from the 1950s or 1960s) and wants one of the shirts.

[Image: Man-NeilYoung-September-FacebookAd]

Is the fact that I was shown this advertising a coincidence? No way! It is custom-tailored to my identity. If I went to the order page and modified the URL, I could display any of a number of t-shirt designs based upon:

  • The name of the performer.
  • The birth month.
  • Whether I was a man or a woman.

Here is an example:

[Image: Woman-Bob-Dylan-August-FacebookAd]

To make the ad even more effective, the ordering page includes a countdown clock to create a false sense of urgency:

[Image: Ordering-Urgency-FacebookAd]

Depending upon how you view it, being presented these ads is either a brilliant use of Facebook’s marketing potential or an egregious violation of the personal privacy of Facebook users. In this case, I was being shown advertising that was based upon the disclosure of my gender, age, month of birth, and taste in music … all information that I had either voluntarily or unwittingly published on Facebook for either my friends or the world to see.

Yesterday, I was presented with another variation of the ad, based upon the fact that I drive a Jaguar … another fact that I had disclosed on Facebook. Now, I can also order a coffee mug! I am sure that I could modify the URL on the ordering page to change the design to show the name and logo of just about any car company. (On a side note, I have to wonder if these performers and companies are being paid royalties by the t-shirt company for use of their trademarks.)

[Image: Man-Jaguar-September-FacebookAd]

You may think that this is all innocent, fun, and the price we pay for the otherwise free use of social media apps like Facebook, but there is more involved. I don’t know how many times I have seen friends on Facebook post a complete set of answers to 50 personal questions such as the name of their elementary school, their first phone number, name of their eldest sibling, and so forth. Whenever I see this being treated as a harmless and fun exercise, I cannot help but ask myself, “Are you insane?” If any of these questions and answers seem familiar, it is because they are among the same ones that are used as security tests on your online banking or an e-commerce site when you reset a password. Yes, the name of your first pet can lead to the theft of your identity!

You may have seen the recent news about the “Google Docs” phishing scam that proliferated in e-mails on May 4, 2017, said to be the most effective e-mail worm since the “I Love You” virus that caused havoc back in 2000. The scam was effective because it looked legitimate (it is so easy to copy the appearance of a legitimate website!), came from somebody you knew (rather than some random name chosen by a hacker in Belarus), and was spread through the type of shared online document that we have come to accept as routine. Even cautious recipients who would never open an e-mail attachment from a stranger thought that it was safe to download the same sort of document that appeared to have been shared via a cloud service by a known sender. All of these scams, whether relatively harmless or downright nefarious, play upon the human willingness to trust those with access to our personal information.

At the moment, leading into Mother’s Day 2017, there are several gift card scams that are proliferating on Facebook almost faster than they can be identified and taken down. One purports to offer a $50.00 coupon for use at Lowe’s home improvement stores in exchange for taking a short survey, in which you will be disclosing a wealth of personal information. Another purports to offer a $75.00 coupon to Bed Bath & Beyond, the same sort of scam that attempts to gather your personal information for exploitation later.

As I have said in the title of this article, it is never too late to start guarding your privacy. In fact, today is the best day to begin!

This post was written by Peter Pelland

Passwords: First Line of Defense against Identity Theft

February 14th, 2017

Passwords have come a long way since the days of Prohibition, when a knock on the door of a speakeasy required the necessary password for entry and the consumption of illegal liquor. Today, we use passwords and personal identification numbers for just about everything online, in an effort to protect the privacy of our personal information.

Identity theft has grown rampant, proliferating at a time when almost every personal or business transaction passes through one or more computer networks. According to the Federal Trade Commission’s latest annual report (covering the 2015 calendar year, with the 2016 report due out in February 2017), there were 480,000 identity theft complaints filed during that time period. Of these, 45% involved tax- or wage-related fraud, 16% involved credit card fraud, 10% involved phone or utilities fraud, 6% involved bank fraud, and 4% involved loan fraud.

One recent report surmised that 15 million Americans have become the victims of identity theft in 2016. That means that 7% of all adults have been victimized in this year alone, with an approximate per-instance loss of $3,500.00. On average, these people spend an additional $500.00 and 30 hours of time trying to recover their identities and make their private information less vulnerable.

Start with Your E-Mail Passwords

My company provides e-mail hosting services through Google and Rackspace for our website hosting clients, and it is rare for a few days to pass without being contacted by a client who has purchased a new computer or mobile device but has misplaced an e-mail account password. For obvious reasons, we do not store those passwords, and we strongly advise our clients to keep records of their passwords in a secure location. Our only option is to assist with changing the lost password, which will then require that passwords be updated on any other actively used devices.

When setting up those e-mail accounts (or updating a password), clients are often annoyed that we will not agree to use a weak password like 123456, abc123, password, passw0rd, qwerty, steelers, yankees, football, baseball, camaro or firebird. (Yes, those are actual passwords that consistently show up on compiled lists of weak passwords.) In fact, Google’s Gmail will not allow an admin to use a password that is made up of fewer than 8 characters (although there are no further password security requirements beyond this minimum length).

Some people make an attempt at generating a secure password that they can still remember. For example, they might concoct “AIwfCim2ft” from “All I want for Christmas is my 2 front teeth.” The rule of thumb is to use something that is both easy to remember and difficult to guess. This is definitely a step in the right direction, but something totally random that also uses special characters and spaces would be even better, although far less memorable.

Secure passwords will provide a layer of protection against some bad character obtaining your password and hacking into one of your accounts, but they are of far less value in protecting your identity should your account be one of thousands (or millions) compromised in a major data breach.

Hacks Happen

You do not need to be Sony Pictures getting under the skin of Kim Jong Un. Big companies are routinely targeted by hackers from around the globe, putting the security of their subscribers at risk when a breach occurs. In general, big businesses take extraordinary measures to attempt to maintain the utmost security standards, but it is an ongoing game of cat and mouse. For example, Facebook alone has paid out over $5 million to date in its not-highly-publicized Bug Bounty program, where it pays independent “white hat” hackers to identify and repair security vulnerabilities.

That is an example of what one big online business is doing; however, your own personal security is to a great degree your own responsibility. You will want to check, and often tighten, the loose default security settings that come with a new computer or mobile device, or with an upgrade of one of those to a new operating system. Keep in mind that settings that benefit convenience and ease of use are very often directly at odds with the safeguarding of your personal security.

There are many ways that passwords can be hacked online. The most common technique is the use of dictionary attacks, where commonly used words are highly vulnerable and easily uncovered. Another technique consists of using the brute force of computing power and sophisticated software to run through every possible combination of characters. The more bits of entropy a password has (which grow with the number of characters and with how random they are), the longer it will take to hack that password. Complex character combinations and the use of encryption slow down, but will not prevent, the disclosure of a password to a determined intruder.

There are actually times when a company or individual needs to recover a lost password, and there are other instances where law enforcement needs to crack a password in order to uncover criminal activity. We are all familiar with the FBI vs. Apple Computer encryption debate, involving a cell phone owned by one of the shooters in the December 2015 San Bernardino, California terrorist attack. Whether used for good or bad, there are dozens of free, open-source brute force hacking tools that can be easily found and downloaded online. Their existence and ease of access should provide a wake-up call to any computer or mobile device user.

Just in case you think that one of your own passwords is “secure enough”, enter it into this online tool for what will probably be a rude awakening:
https://howsecureismypassword.net/

[Image: HowSecureIsMyPassword screenshot]

Minimum Standards

The minimum standards for password security that are generally considered acceptable today involve the use of at least 12 (preferably 16) entirely random characters (a mix of upper and lower case letters, numbers, spaces and special characters), never including a dictionary word or a repeated sequence, and with no password used in more than one application.

An online tool that will assist you in generating secure random passwords is the aptly-named Secure Password Generator. Using this tool, I just generated a random 16-character password that I then entered into the secure password test site (shown above). According to that site, the password that I entered would take 41 trillion years to crack. Give it a try:
http://passwordsgenerator.net/
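As an added example (not code from the post, from the Secure Password Generator, or from the test site), the following script generates a password that meets the minimum standards above using the operating system's cryptographic random source, and works out the entropy of the post's three example passwords under the attack that actually fits each one: the brute-force view that online strength testers report, and the dictionary or personal-pattern view that the earlier posts warn about. The keyspace sizes for the structured guesses, the 7,776-word list size and the guessing rate are this example's assumptions, not figures from the page.

```python
import math
import secrets
import string

# Character classes from the "Minimum Standards" paragraph.  A space is
# allowed in the alphabet but not required, since many sites reject it.
REQUIRED_CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed offline guessing rate against a fast hash; illustrative only.
ASSUMED_GUESSES_PER_SECOND = 1e10


def generate_password(length=16, exclude=(), allow_space=True):
    """Draw a password with the OS CSPRNG (secrets), never random.*.

    `exclude` names classes a site forbids, e.g. exclude=("special",) for a
    site that rejects symbols.  The loop re-draws until every remaining
    required class is present, so the mix-of-classes rule always holds.
    """
    required = [c for n, c in REQUIRED_CLASSES.items() if n not in exclude]
    if not required:
        raise ValueError("at least one character class must remain")
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(required) + (" " if allow_space else "")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in required):
            return candidate


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years to try every candidate at the given rate; on average the hit
    comes at half this, and online logins are rate-limited far below it."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare_examples():
    """Entropy of the post's example passwords under the model that applies.

    The structured-guess keyspaces are this example's assumptions.
    """
    return {
        # "JBDayton62" brute-forced over letters and digits looks like ~59 bits...
        "JBDayton62 (brute force, 62-char alphabet)": entropy_bits(10, 62),
        # ...but as initials + city + 2-digit year it comes from a small
        # structured space: 26*26 initials, ~30,000 place names (assumed),
        # 100 two-digit years.  Someone who already knows the facts about
        # John Brown needs only a handful of guesses.
        "JBDayton62 (initials+city+year pattern)":
            math.log2(26 * 26 * 30_000 * 100),
        # Four words from a 7,776-word list (Diceware size): the dictionary
        # attack sees 4 draws, while a brute-force tester sees 23 letters.
        "kittenfaucetmaplemagnet (brute force, 26 letters)": entropy_bits(23, 26),
        "kittenfaucetmaplemagnet (4 words from 7,776-word list)":
            entropy_bits(4, 7776),
        # 16 random characters over the 94 printable ASCII characters.
        "random 16 chars (94-char alphabet)": entropy_bits(16, 94),
    }


if __name__ == "__main__":
    print("example:", generate_password())
    print("no symbols/spaces:", generate_password(exclude=("special",), allow_space=False))
    for label, bits in compare_examples().items():
        print(f"{label}: {bits:6.1f} bits, "
              f"{years_to_exhaust(bits):.3g} years at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

The four-word passphrase still rates well, but its real strength is the roughly 52 bits of the word-list model, not the 108 bits a brute-force tester reports; the 41 trillion years quoted for the online test likewise depends entirely on that site's assumed guessing rate.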

Storing Passwords

The best advice for keeping track of your cryptic passwords is to always maintain a written paper record in a very secure location. To simplify your life, you can also use one of several password managers that will allow you to encrypt and store all of your passwords in one secure location. You will only have to remember one password to access your files. (If you have been following along and learning from what I have written, that password will meet the standards that I have outlined above.)

The following are some of the best free password managers. They all work across multiple devices. Compare their features and choose one:

LastPass
Dashlane
KeePass

Bear in mind that even these password managers are vulnerable to hackers; however, in one documented security breach, only users with weak passwords were impacted. We are over a month into a New Year. Resolve to at least take a step in a positive direction when it comes to your online security.

This post was written by Peter Pelland

Nothing Wrong with Accepting Helpful Advice

June 11th, 2016

I think that many of us have become jaded to the thought that somebody might simply be willing to offer helpful advice. We have encountered too many phone calls from telemarketing scam artists, often alleging that they are calling from either Microsoft or Google, when they are really only trying to get their hands on our credit card numbers. It seems unlikely that anyone might be willing to offer assistance without some sort of strings attached. Well, that might not always be the case.

During the course of my work, I frequently encounter websites that are infected with malware or a virus, have forms or other content that are not functioning properly, or are entirely disabled. There are even instances when search results on Google will warn users either that “This site may harm your computer” or “This site may be hacked.”

I encounter these sites most frequently when checking for potential outgoing links – typically area attractions or local tourism districts – to be added to my clients’ websites. I also frequently encounter these warnings attached to do-it-yourself websites, where the webmasters have no knowledge or understanding of server security issues. Google provides several useful resources that will guide webmasters through the recovery process in these instances, but a quick glance will immediately suggest that anyone other than an experienced server administrator will be way out of his league and will be quickly sinking in quicksand.
https://www.google.com/webmasters/hacked/
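One way to automate the outbound-link vetting described above, as an added example that is not code from this blog: it parses a page for links to other hosts and checks them against the Google Safe Browsing Lookup API v4, the service that backs warnings like the ones quoted above. The request and response field names follow Google's public v4 documentation; the API key, the client id string and the sample inputs are assumptions.

```python
# Added example, not the blog's code: vet a page's outbound links with the Google
# Safe Browsing Lookup API v4 (field names per its public docs; API key assumed).
import json
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LinkCollector(HTMLParser):
    """Collect absolute http(s) targets of <a href> tags on one page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links = base_url, []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        url = urljoin(self.base_url, href) if href else ""
        if urlparse(url).scheme in ("http", "https"):  # drops mailto:, javascript:
            self.links.append(url)

def outbound_links(html, base_url):
    """Links that leave the site, i.e. whose host differs from base_url's host."""
    parser = LinkCollector(base_url)
    parser.feed(html)
    own = urlparse(base_url).netloc.lower()
    return sorted({u for u in parser.links if urlparse(u).netloc.lower() != own})

def build_lookup_request(urls):
    """JSON body for threatMatches:find, shaped as the v4 API documents it."""
    return {"client": {"clientId": "link-vetter-example", "clientVersion": "0.1"},
            "threatInfo": {"threatTypes": ["MALWARE", "SOCIAL_ENGINEERING",
                                           "UNWANTED_SOFTWARE"],
                           "platformTypes": ["ANY_PLATFORM"],
                           "threatEntryTypes": ["URL"],
                           "threatEntries": [{"url": u} for u in urls]}}

def flagged_urls(response):
    """Map each flagged URL to its threat types; an empty body means no matches."""
    flagged = {}
    for match in response.get("matches", []):
        flagged.setdefault(match["threat"]["url"], set()).add(match["threatType"])
    return flagged

def lookup(urls, api_key):
    """Network call: POST the URLs to the Lookup API and parse the reply."""
    body = json.dumps(build_lookup_request(urls)).encode()
    req = urllib.request.Request(
        f"https://safebrowsing.googleapis.com/v4/threatMatches:find?key={api_key}",
        data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return flagged_urls(json.load(resp))
```

Only `lookup()` touches the network; `outbound_links()`, `build_lookup_request()` and `flagged_urls()` can be exercised offline on a saved page and a saved API reply.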

Malicious content on websites goes hand-in-hand with browser security vulnerabilities, making it all the more important for computer users to install the latest browser security updates. Between January 26 and April 26, 2016, the Mozilla Foundation reported 48 security vulnerabilities affecting its Firefox browser – including 15 critical vulnerabilities – that have been patched by security updates … but only if users install those updates. Critical vulnerabilities are defined as vulnerabilities that “can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.” As you can probably deduce, some threats are specific to users of certain browsers, especially outdated versions of those browsers. Sound scary? Absolutely!
https://www.mozilla.org/en-US/security/advisories/

[Image: WebsiteWarnings]

The accompanying graphic shows a collage of just a few of the screen shots of warnings that have been displayed on my computer when clicking through to hacked websites. I have blurred out the website URLs in order to avoid embarrassing the site owners.

I have often called the businesses or associations that own such infected websites, feeling a social responsibility to inform them of the problems and explaining that they could be infecting significant numbers of visitors to their sites. In almost every instance, I encounter denial at the other end of the phone, am told that “nobody else has mentioned a problem”, or get brushed off with “we will tell our webmaster” before they hang up the phone. Never once has anybody thanked me for calling a problem to their attention.

If somebody calls you to report a problem with your website, take a moment to listen. Be cautious, if not suspicious, since most of those unsolicited calls are scams; however, at least do yourself the favor of soliciting a second opinion from somebody knowledgeable who you know you can trust.

This post was written by Peter Pelland
