SMOKINCHOICES (and other musings)

December 22, 2010

Increase safety w/username and PW

(This is such worthwhile information and needed by all of us, if we wish to stay whole. I was fortunate when a credit card clued me in immediately when I was invaded only recently. We can never be too careful. The advice here is good. Jan)

Data breaches highlight password negligence


CHICAGO — Customer information collected by three companies, including such household names as McDonald’s Corp. and Walgreen Co., has been compromised in recent days.

The incidents highlight the issue of how vulnerable that information is, especially when consumers, overwhelmed with the number of online logins they need, use “dumb” passwords for their accounts, experts say.

Recent breaches contained such information as names and e-mail addresses. They did not involve crucial personal information, such as Social Security, bank account and credit-card numbers, the companies said.

In Walgreen’s case, medical prescription information was not stolen, the company said.

Last week, McDonald’s notified some customers that information they provided on the fast-food company’s website or in promotions “was improperly accessed by an unauthorized third party.” Information might have included name, mobile phone number, postal address and e-mail address. McDonald’s said it hired Arc Worldwide to coordinate its e-mail promotions. Arc, the marketing services arm of Chicago-based Leo Burnett, then hired another company to manage the e-mail list. It was that company, which Arc and McDonald’s would not name, that sustained the breach.

Gawker Media, operator of numerous websites, said its registered users’ usernames and passwords were hacked on the weekend of Dec. 11. Though passwords were encrypted, they’re still vulnerable and should be changed, the company said. The danger comes if people used the same logins for a Gawker site as they do for all their accounts, including financial accounts. Gawker operates the websites Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9 and Fleshbot. The Gawker breach led to spam postings using some victims’ Twitter accounts.

Walgreen on Friday said customers subscribing to the drugstore chain’s e-mail distribution list should be on the lookout for spam directing them to another site and then asking for personal data. That was because of “unauthorized access” to its e-mail list. Only e-mail addresses were compromised, not names, said a Walgreen spokesman, who declined to provide further details of the breach.

“The McDonald’s, Walgreens and Gawker incidents should be a wake-up call for everyone,” said Rob Fitzgerald, president of the Lorenzi Group, a digital forensics company.

Andrew Storms, director of security operations for nCircle, a network security and compliance auditing firm, said data breaches are on the rise. “Unfortunately, consumers don’t pay much attention to breach disclosures, even for large brands, because there are so many of them,” he said.

In fact, 63 percent of organizations reported experiencing at least one security incident or breach during the past 12 months, according to the Global Information Security Trends study by the nonprofit trade group Computing Technology Industry Association.

“More troubling is the feeling that the severity level of breaches has increased over the last several years,” said Steven Ostrowski, spokesman for the association. “Attacks that in the past may have been done for sport or notoriety are now being done more frequently with criminal intent or financial gain in mind.”

For consumers, one danger of stolen names and e-mail addresses is “phishing.” Thieves can create and send e-mails that look like they are from legitimate businesses, such as a bank, and contain your name, trying to trick you into divulging more personal information, which can be used for more-serious frauds.

Ultimately, the biggest problem is that people are too trusting and offer too much personal information, said Mike Meikle, chief executive of the Hawkthorne Group, a security consulting firm. “The weakest link is the person using the device or piece of software,” he said. “It’s just about having a healthy skepticism. It’s kind of a sad situation, but you have to kind of give everyone the eye. It’s just the way it is.”

And so many people use the same or similar usernames and passwords for all their accounts that they’re easy to hack, said Graham Cluley, senior technology consultant for information security firm Sophos and operator of the Naked Security blog.

“People choose dumb passwords, like ‘password’ or ‘letmein’ or the brand of monitor they’re looking at,” Cluley said. Instead, they should use a random password for each site, rather than words in the dictionary that are easily hacked.

Because it’s unwieldy to manage those, consumers should use password storage software. There are many examples, but free programs include LastPass and KeePass, he said.

“People really should be using those,” Cluley said. “And these organizations have to start learning their lessons as well. … It’s alarming that these organizations aren’t encrypting the data.”

Password tips

• Create safe passwords. Use strong passwords that aren’t real words. You might use a mnemonic device taking the first letter of a favorite phrase, lyric or poem, said Graham Cluley, senior technology consultant for information security firm Sophos. A Civil War buff might use the Gettysburg Address, “Four score and seven years ago our fathers brought forth,” which becomes 4sa7yaofb4th.

• Use password keepers. Generate random passwords with software that remembers them for you. Read the privacy policies of any password software you use.

Source: Chicago Tribune

• Don’t use an obvious pattern to your passwords. For example, if your Yahoo account password is “Yahoo,” and your Google account password is “Google,” then it follows that your Walgreens password might be “Walgreens,” said Andrew Storms, director of security operations for nCircle, a network security and compliance auditing firm.

• Don’t divulge your passwords. E-mails appearing to be from companies requesting your password are probably fraudulent.
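The three password rules above (no dictionary words, no site-name pattern, random per-site passwords from a keeper) as a small added Python checker and generator; this is example code written for this page, not anything from the Tribune or the firms quoted. The weak-word list, the 12-character minimum and the number-word substitution table (which reproduces the article’s Gettysburg example) are assumptions made for the example.

```python
import secrets
import string

# Constructed list of the weak choices named in the article; a real checker
# would use a full dictionary or breached-password list instead.
WEAK_WORDS = {"password", "letmein", "yahoo", "google", "walgreens"}
MIN_LENGTH = 12  # assumed minimum; the article gives no number
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

# Assumed mapping used by the article's mnemonic trick: number words become
# digits and "forth" becomes "4th", so the Gettysburg line gives 4sa7yaofb4th.
SUBSTITUTIONS = {"one": "1", "two": "2", "four": "4", "seven": "7",
                 "for": "4", "to": "2", "forth": "4th"}


def mnemonic(phrase: str) -> str:
    """First letter of each word of a phrase, with digit substitutions."""
    out = []
    for word in phrase.lower().split():
        word = word.strip(",.;:!?\"'")
        if word:
            out.append(SUBSTITUTIONS.get(word, word[0]))
    return "".join(out)


def weakness_reasons(password: str, site: str) -> list[str]:
    """Return the article's rules a password breaks; empty list means it passes."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in WEAK_WORDS:
        reasons.append("dictionary or well-known weak word")
    # The Yahoo/Google/Walgreens pattern: the site name is (in) the password.
    if site.lower() in lowered:
        reasons.append("contains the site name")
    return reasons


def generate_password(length: int = 16) -> str:
    """Random per-site password from the OS CSPRNG, as a password keeper would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(mnemonic("Four score and seven years ago our fathers brought forth"))
    print(weakness_reasons("Walgreens", "walgreens"))
    print(generate_password())
```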
