Archive for September, 2009

Medical Students Leak Patient Information on the Internet

Wednesday, September 30th, 2009

There are many types of information that people don’t want to share with the world but someone’s personal medical history is probably at the top of that list.  The reasons we visit the doctor’s office can vary from mundane to downright embarrassing (or even scary), so it’s no surprise that many patients really depend on the rules surrounding confidentiality to protect this very private information.

Unfortunately, medical students may not realize the importance of patient privacy, which is evidenced by the fact that we’ve started seeing disclosures more and more through the use of social networking tools and modern technology.  For example, one surgeon found the fact that his patient had the words “hot rod” tattooed on his genitals so funny that he took a picture and shared it with his colleagues. 

As CNN reports, 60% of medical schools “have had students post inappropriate or unprofessional information on the Web.”  While most of this information pertained to their own behavior, 13% of them shared content that violated patient privacy.  Incredibly, there were even instances when some students were so descriptive that their patients were identifiable. 

Incredibly, only 38% of the affected schools had policies in effect to deal with inappropriate sharing on the internet but, at least, 11% of the remaining schools were working on creating guidelines. 

This illustrates the fact that many professions have not had to deal with internet security issues on this level but, while some are trying to actively address the issues, the public is at risk in the meantime. 

Organizations Fail to Mitigate Security Risks

Tuesday, September 29th, 2009

The SANS Institute has just released the results of a comprehensive study on the topic of cyber security risks. The study is based upon prevention systems in 6,000 organizations and vulnerability data from 9 million systems. The study indicates that there are two major risks out there to organizations, both of which could be mitigated.

Cyber attacks are a growing issue for organizations of all sorts, with new and sophisticated attacks being created every day. Though organizations may have difficulty keeping up with the threat landscape, this study found that organizations are not doing what they could to mitigate the two largest risk areas. Specifically, client-side software is remaining unpatched and websites are not being scanned for common flaws that criminals use to exploit visitors to those sites.

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.

The ultimate goal of attackers is to steal information and to install “back doors” so that the attacker can return to further exploit organizational systems. The study found that major organizations take at least twice as long to patch client-side vulnerabilities as they do to patch operating system vulnerabilities. Addressing this single issue could drastically reduce your risk of being exploited. What this also means is that the question of Mac vs PC is not going to be your solution to mitigating risk, as these risks come from cross-platform applications and from the Internet.

The report, which is available here, targets major organizations who want to ensure their defenses are up to date. The report shows some interesting patterns to data and includes a tutorial on how some of the most damaging attacks actually work. You may find it handy to print this report off to study the graphs in detail.

5 Facebook Scams to Avoid

Friday, September 25th, 2009

We’ve been talking a lot lately about Facebook, particularly as Facebook aims to improve its security and privacy measures. A new article from Switched has laid out 5 common Facebook social engineering scams and how to avoid them. It’s a great primer on how to avoid being duped by any scam.

Aside from never clicking on suspicious or shortened links from friends (unless you expand them first), the article outlines these 5 common scams and how to avoid them:

  1. 419 Scams - if you receive any message from a friend claiming to be desperate for cash, your friend’s account may have been hijacked. Always talk to your friend by some non-web-based means first to confirm whether they really are in need!
  2. Hidden Fee Apps – You should never have to submit your cell phone number or other personal information in order to unlock features or receive quiz results from any application.
  3. Fake Login Pages - they may look real, but if you get an email asking you to log into Facebook, make sure you’re actually at Facebook, not following some link (particularly if the link leads to anywhere other than Facebook.com).
  4. Malware Links - If you receive messages from friends with links, beware. There is a chance that account has been hijacked and you’re being sent to malicious sites that could then steal any personal info on your computer.
  5. Facebook Apps that are Malware – Yes, even the applications themselves can be dangerous! Some may even mimic valid applications, sending you realistic messages such as a notification that someone has left a message on your wall. Like with #3, their goal is to get you to a fake login page. So, look for anything weird in these emails (odd icons, poor grammar, invalid links).

There are many websites featuring this list. For more comprehensive details about these scams and how to avoid them, you can check out PC World. Another variant of the same theme can be found at CSO Online, which also includes tips to avoid Twitter scams.

If you do find yourself a victim of a scam on Facebook, it’s best to alert Facebook administrators with all of the details of the scam.

Watch this webinar on IT Asset Lifecycle management

Thursday, September 24th, 2009

Absolute Software and IAITAM co-hosted a webinar entitled “Compliance, Identification and Life-Cycle Management in a Mobile Environment.”

The webinar was co-hosted by Geoff Glave, Product Manager at Absolute Software and by Lynne Weiss, VP of Sales & Marketing at International Association of Information Technology Asset Managers (IAITAM).

Topics covered in this webinar include information on how to:

  • Reduce the time and cost of gathering physical asset inventory
  • Gain control of the inventory and better control over lease maintenance costs
  • Increase accountability to ensure compliance
  • Enhance the performance of assets and their life cycle management
  • Reduce risk through standardization, proper documentation and loss detection
  • Accurately track and manage computers on or off the network
  • Leverage the benefits of SaaS

Watch for the webinar

The Dangers of Scareware

Thursday, September 24th, 2009

Almost every internet user has encountered “scareware,” those fake anti-virus warnings that pop up with the intent of scaring people into believing that their computer is at risk of being infected or compromised in some way.

Often, users are offered some sort of program (for a fee, of course) that will protect their computer from threats.  As if shelling out good money for these scams isn’t bad enough, it’s worsened by the fact that many of these products actually prevent real antivirus programs from operating properly.  In fact, some even block users from being able to access websites and tools that could help them remove the bad program.

Since there are legitimate online virus scanners on the internet, how is it possible to distinguish them from the fake ones?

Typically, you won’t come across a real virus scanner accidentally since they usually require people to agree to a variety of terms and conditions before they are given access to the tool.  Also, if you are a Mac user, a major clue might be that the scanner includes a “My Computer” window or some other pop up that is specific to Windows (for some reason, these scams tend to target PCs more often than Macs). 

There are a number of great resources for more information. 

  • Mark Hyslop wrote a more in-depth article about scareware
  • ZDnet offers a great guide to scareware protection

Here is a list of some legitimate online scanners:

Happy Absolute Customer Shares Peru Recovery

Wednesday, September 23rd, 2009

The following recovery story was sent in by two happy Computrace LoJack for Laptops customers:

Dear Computrace LoJack for Laptops,
 
We recently completed six months of South American adventures and travels, researching the Inkan civilization based in the ancient city of Cusco, Peru. During our travels, our laptop was stolen while we were eating lunch at a busy cafe near Cusco’s Plaza de Armas, a popular tourist destination en route to Machu Picchu. 

We would never have seen our laptop again were it not for the advanced tracking capabilities of Computrace LoJack for Laptops – which we purchased as a safeguard while traveling overseas – and the close coordination of Absolute with the Policia National del Peru. 

Shortly after the robbery, our laptop began emitting its signal to Absolute from Lima, Peru’s capital city.  The Cusco Policia transferred our case to the Lima Policia.  Upon the Lima Policia learning about the case, Absolute quickly provided the computer’s IP address, and through satellite technology, pinpointed the exact building it was located in. 

We conferred with the Lima Policia late in the afternoon.  We checked in with them late the next morning and to our amazement, they were pleased to report they had caught the thieves and found our laptop along with another stolen computer.  I am writing this from our recovered laptop.  

Needless to say, I am most impressed with the capabilities of Computrace, which tracked the movement of the thieves and enabled the Lima Policia to catch them red handed. We highly recommend this product.
 
I would especially like to thank the Absolute Recovery Team for their professionalism, quick responsiveness and ability to maneuver through the culture of an overseas country to retrieve our laptop.  Our sincere appreciation to the Recovery Team for your successful efforts on our behalf. 

Were it not for Computrace LoJack for Laptops, we would have never seen our laptop again.
 
Best regards,
 
Craig and Sharon Spry
Inka Travelers Company

Be Prepared, Not Lucky

Wednesday, September 23rd, 2009

Earlier this month, PC World posted a true story about a man who was able to recover his stolen laptops using a free remote-access service, LogMeIn.

The story was this: David Krop left 2 laptops in his SUV in a parking garage while he attended a meeting. The computers were stolen and they weren’t even password protected. However, David had a trial access of LogMeIn installed, which allowed him to remotely access his laptop. He was able to use this service to see that his stolen laptop was being used by its alleged thief. By spying on this person, and collecting all his personal information as he browsed the internet (including his face via a video chat), Krop was able to supply information to the police. The police were then able to recover the laptop.

Now, this sounds like a good deal, right? However, it’s a pretty atypical situation to be in, and does not guarantee laptop recovery. The scenario depended on many factors, including:

  • That the unauthorized user did not dismiss the tracking icon that appeared when his laptop activity was being watched
  • That the unauthorized user would reveal a wide variety of detailed personal information while using the laptop (phone number, email address, face)
  • That the unauthorized user wouldn’t wipe all the existing software off the computer

As you can see, using LogMeIn or other free laptop tracking or remote access services is not the same thing as using a dedicated laptop tracking & recovery program and service such as Computrace or LoJack for Laptops from Absolute Software. Only Absolute has a dedicated Theft Recovery Team to work with police to recover your computer. Our software does not require you to sit around waiting for the alleged thief to supply detailed information about him/herself – all investigations and tracking are done on your behalf.  And you don’t have to hope to talk a police officer into taking on your case – we have existing relationships with local police around the world. Also, most PCs now have our software at the BIOS level, protecting it from being wiped if software is deleted. So even if a crafty thief tries to remove the software, the BIOS firmware will make sure it’s installed.

David Krop has learned his lesson about leaving his laptop in his car. And he now uses remote tracking software. If you aren’t yet set up to track your laptop, check out our theft recovery products here.

LoJack Launches Student Laptop Security Site

Tuesday, September 22nd, 2009

It’s September and, with so many students returning to school, this is a great time to check out LoJack for Laptops’ Student Laptop Security site.

There is a wealth of information to be found from laptop basics to helpful resources. 

Some great featured content include:

For regular updates, you can also follow them on Twitter @lojackforlaptop (corporate customers can also follow updates on Twitter @absolutecorp).

The 5 Truths of Enterprise Data Protection

Sunday, September 20th, 2009

PGP has released a new business guide entitled “Five Truths About Enterprise Data Protection” which talks about how to secure all your data devices – your laptops, USB drives, remote logins, phones and more. The five “truths” are basic statements about data and business, skewed towards the security offerings at PGP, including:

  1. Business data is everywhere – and it’s on the move
  2. Exposed data carries high costs & consequences
  3. Only encryption can secure all your data, wherever it is
  4. An enterprise-wide data encryption strategy reduces the risk of data breaches
  5. Enterprise data protection liberates your business

As we’ve said before, encryption is only one piece of the data security puzzle and is not the only solution to all your security needs. For example, Absolute Software’s Computrace Complete can provide additional security in the form of IT Asset Management & Data & Device Security, such as tracking and remotely wiping missing devices. A comprehensive security policy will do a risk assessment and decide on which security tools are important to your corporate needs.

My favorite section in the brochure deals with the 5th Truth, and how a comprehensive security system will enable a business to protect all its data, all the time, wherever it is stored and however it travels. You can get the guide here.

In-Flight Laptop Tips

Saturday, September 19th, 2009

We talk a lot about travel and laptop security here on the blog, but one thing we’ve never discussed is safe in-flight laptop practices. And by “safe” I refer to not just data security, but to keeping your laptop from being damaged in any way during flight.

Mary Jo Manzanares, a flight attendant and travel writer, has put together a list of in-flight laptop precautions that will make you think twice about when – and how – you use your laptop on the airplane. The tips include:

  • Don’t store your laptop in an overhead bin if it’s in a soft case
  • Don’t angle your laptop into the aisle
  • Close and put away your laptop during service periods, so there’s no risk of a beverage tipping onto it (yours or anyone else’s)
  • Keep your laptop within your own seat space
  • If you leave your seat, close your laptop and put it away or leave it on the seat, not the tray

Other blog posts on travel & laptop security you may wish to read include:
