$575 Million Equifax Settlement Illustrates Business Security Basics

We recommend and help implement security for every one of Computing Center's clients. While totally baffling given what Equifax's business is, they apparently didn't do many of the basics. It's a bit of a long read, but there are many lessons to be learned here. No time to wade through the entire article? Check out the last section: what you and every business should be doing is listed there.

Patch your software. Segment your network. Monitor for intruders. According to tech experts, those are security basics for businesses of any size. But when you’re industry giant Equifax – a company in possession of staggering amounts of highly confidential information about more than 200 million Americans – it’s almost unthinkable not to implement those fundamental protections. An FTC, CFPB, and State AG settlement of at least $575 million illustrates the injury to consumers when companies ignore reasonably foreseeable (and preventable) threats to sensitive data. Read on for security tips for your business and what consumers can do to get compensation for their losses and sign up for free credit monitoring.

The Equifax data breach has been in the headlines, but what happened behind the scenes? According to the complaint, in March 2017, US-CERT – Homeland Security’s cyber experts – alerted Equifax and other companies about a critical security vulnerability in open-source software used to build Java web applications. The alert warned anyone using a vulnerable version of the software to update it immediately to a free patched version. It didn’t take long before the press reported that hackers had already started to exploit the vulnerability.


Safeguarding Network & Customer Credentials

This story is a bit long and kind of dense, but definitely worth the time to read. Years in the making, this FTC case shows how much damage a "bad actor" can cause to public-facing networks.

Suppose a lunch companion says, “I think there’s something wrong with this tuna salad.” To determine if the problem is tuna not to their taste vs. tuna gone bad, would you scarf it down? Probably not. Now remove tuna salad from the example and substitute a web browser extension. (Stay with us here.) Let’s say you’ve been warned that an unknown extension could be used for fraud. Should you download it and let it marinate in your company’s network? The FTC says that’s what the owner of ClixSense.com did, and it’s just one example of conduct challenged as deceptive or unfair.


Tax Related Identity Theft

April 15 has come and gone, but that doesn't mean the scammers have moved on. 

Tax-related identity theft is prominent on the IRS’s 2019 Dirty Dozen list of Tax Scams. Tax-related identity theft is not limited to stealing personal information of individuals. Because of successful efforts to crack down on such identity theft, thieves have shifted their focus to businesses. They create and use, or attempt to use, the identifying information of businesses to obtain tax benefits. For example, as the IRS has noted, cybercriminals that obtain a business’s tax identification number may file a return claiming a tax refund because of a fuel credit or a research credit used as a Social Security tax offset.


Scammers & Notre Dame Donations

by Rosario Méndez

Following last week’s devastating fire that destroyed much of the famous and historically important Cathedral of Notre Dame in Paris, fundraising efforts have begun. Many generous people may decide to donate money toward rebuilding efforts – and scammers know that. They’re ready to take donations, too, so here are some things to consider before you give to an organization or a crowdfunding project:

  1. Research the organization first. Search online for the name of the organization plus the word “complaint” or “scam.” Read what others say about the organization. These organizations can also help your research.


Recent Local Spearphishing Attacks

Over the past week, Cornell and other companies and organizations have been hit with several spearphishing attacks. As you might expect, Cornell is a constant target for nefarious attacks (as are most large institutions); however, this one has hit a large number of "Cornell.edu" email accounts. And over the last 24 hours, we've been made aware of several other attacks as well.

What makes this attack particularly challenging is that the Sender and Subject appear to be legitimate.

However, once the email is opened the content reads something like: 

READ THIS MESSAGE (in a clickable banner)

05:59:47 (Cornell)
Re: "Subject"
Watch before: Thursday

If you click the banner, you are taken to a page with a legitimate company logo. The one we looked at (safely) displayed the Xerox logo with fields requesting our Xerox Login Name and Password.

IF YOU OPEN THIS EMAIL, DO NOT CLICK ON THE BANNER AND ABSOLUTELY DO NOT FILL IN ANY LOGIN OR PASSWORD INFORMATION!

