25 Best Privacy Apps

Looking for the best apps to protect yourself and your family on your mobile devices? Check out this list, which brings you the best in anti-spyware, anti-virus, phone trackers, data lockdown, and more.

Educate

  1. Clueful – Applications aren’t often clear about what information they are accessing, nor how they intend to use and distribute it once obtained. Clueful helps illuminate this process by running audits on all your existing applications and providing you with clear-cut, no-nonsense reports on what applications are leaking about you. It gives you a quick look at your app’s security with a score, and alerts you promptly when an app is abusing privacy standards. For a subscription fee, you can upgrade the service to include a constant monitor that will lock, locate, and wipe your phone in the event it gets stolen. Also available for iOS. Price: Free.
  2. Protect My Privacy – This application is being developed by UC San Diego as a way of helping them examine privacy on mobile devices. To that end, they collect anonymous data transmitted securely over SSL. Users can choose to not provide data to the study. For users with cracked iPhones, any application attempting to access your data must first get approval. A message pops up informing users of what data the app is attempting to access, and allows you to fake credentials in some cases, deny access, or allow it. Some data is scrambled to provide an additional layer of protection. Only available for iOS. Price: Free.

Eraser

  1. History Eraser – This simple application makes it easy to wipe sensitive information from your phone, including browser history, call logs, text messages, market searches, clipboard data, and more. Useful for those interested in protecting privacy, but also for those who want to free up storage on their phone. One quick tap will clear your data. Also available for Chrome. Price: Free.
  2. Last Pass – This application has demonstrated its effectiveness for browsers, and its mobile version is equally powerful. It automatically fills in forms for every saved site, generates strong passwords, and allows users to add and alter notes and sites easily. Audio and images can be attached to secure notes as well. Also available for iOS, Windows 8, Mac, Linux, BlackBerry, and most other mobile OS. Price: Free 14-day trial, $1 per month afterwards.
  3. Delete Me – While not quite a mobile application, this exceptional service can completely remove your sensitive and personal data from the hands of data brokers online, ensuring that private photographs and personal data stay secured. Price: $129 annually for one person, $229 for two people annually.

Photo courtesy of Flickr user Robbert van der Steeg

AntiVirus

  1. McAfee WaveSecure – Recognized in 2010 for excellence by CNET, The NY Times, PC World, Lifehacker, and others, WaveSecure offers a solid mobile security package for a good price. It includes lock and wipe features that give you control over a lost or stolen phone, and backup and restore that lets you store important data in the cloud, even after the phone has gone missing, and recover it when necessary from a web-based application. Locate and track features help you pinpoint the lost phone on a map, set it screaming to make it easy to snag, and track calls being made on the phone. Also available for BlackBerry, Symbian OS, Windows Phone, iOS, and Java. Price: 7-day free trial, after which it costs $19.99 annually.
  2. Lookout Security & Antivirus – This application gained recognition as a PC Mag Editor’s Choice, from TechCrunch as one of the top 10 best free apps, and PCWorld ranked it 5 out of 5 stars. It offers excellent antivirus and malware protection for apps, email attachments, and files. It scans for dangers and alerts users to potential hazards, blocks websites that could potentially be harmful, and offers a Privacy Advisor to alert users to what information their apps are attempting to access. It also features a web-based phone finder that utilizes Google Maps to pinpoint your lost phone, lets you make your phone scream to identify it, snaps photos of users who attempt to access it while lost, and even remotely locks or wipes your phone. Users also can back up vital phone data and restore it in the event of a wipe. Also available for iOS. Price: A free two-week trial, after which users can continue using a pared-down version for as long as they like. Premium has a monthly fee.
  3. Webroot Security & Antivirus – Webroot was recognized as one of the best free Android apps of 2011 by PCWorld, recognized for its unique features by PC Magazine, as one of the best security applications by Tech of Web, and Uberphones said it was ‘a must for Android users.’ It features a powerful antivirus that automatically scans and blocks malware, viruses, spyware, and Trojans and alerts users to settings that put the device at risk. It offers remote access to lock, wipe, scream, or locate your phone when it is lost or stolen. Premier grants the use of App Inspector, which alerts users to apps that access private info, drain money, track location, or drain the battery. It helps maximize battery usage and network access. The program itself is lightweight and not a drain on battery life. Available for iOS and Android devices. Price: $19.99 per device per year.
  4. NQ Mobile Security & Antivirus – This app offers a powerful antivirus that scans and protects users from all the typical threats, as well as keeping users up to date with security databases. It protects while web browsing against phishing, fraud, and other dangers. A real-time app scanner alerts users to potential problems, and it includes anti-eavesdropping protection designed to detect spyware programs installed on the phone. It features a remote phone locator and offers backup of sensitive data as well as a call and SMS blocker to protect against harassing calls and messages. A system optimizer keeps your device operating smoothly. Only available for Android devices. Price: Free trial for blah weeks, $19.99 per device, per year afterwards for access to Premium features.
  5. Norton Mobile Security Lite – As with its competitors, Norton Mobile Security offers a powerful antivirus that keeps users safe when browsing the web, accepting files, or downloading apps. It also offers remote wipe, tracking, and locking capability and SD card scanning. It continuously scans and alerts users to potentially dangerous apps. Also available for iOS. Price: Free pared-down version; Premium access costs $29.99 for one year on one device (currently on sale for $17.99).


Photo courtesy of Flickr user briggz5d

  6. Avast! – This top-rated security app offers both anti-virus and anti-theft capabilities to ensure your phone is well protected against most eventualities. The software developer has been around for 20 years and the app has been recognized for its excellence by PCAdvisor, Droid-Life, AndroidPolice, AndroidAuthority, and Android and Me. Lost your phone? Use a web-based interface to control your phone remotely, locate it on a map, and lock the device till you can snag it. You can even activate a siren and wipe its memory. Only available for Android devices. Price: Free.
  7. Kaspersky – A fairly straightforward anti-virus and security application that offers its users a powerful defense against viruses, Trojans, malware, and spyware, which runs over-the-air to keep the program lightweight. It offers GPS location services to locate the phone if it goes missing or is stolen, and remote access to lock and wipe your phone, take a ‘Mugshot’ of anyone who uses it, and remotely activate an alarm. Users can filter incoming calls and text messages to screen unwanted contacts. In addition, users can conceal calls, contacts, and other data from casual snoopers. Available for Android only. Price: One-year subscription costs $14.95.
  8. F-Secure – A European-based application that protects mobile devices with a combination of antivirus, anti-theft, and screening tools. Users can filter out adult and other unsuitable content from web content and applications, block unwanted calls and text messages, lock and wipe the device remotely, and locate it remotely. Available for Android and Symbian. Price: 14,95€ for a one-year subscription with a free 30-day trial.
  9. Virus Barrier – This Gizmodo app of the day offers iOS users a solid and intuitive antivirus to protect them against intrusions from files, web browsing, and applications. It automatically updates to keep on top of new threats, repairs infected files, and keeps logs of scans, detected threats, and repairs. Only available for iOS. Price: $0.99

App & Data Lockers

Photo courtesy of Flickr user flakeparadigm

  1. Smart AppLock – Smart Lock is a lightweight application designed to give you greater control over privacy on your mobile device. Set a list of protected applications, then create a lock pattern or password, and your friends and family can no longer access apps you don’t want them in, including SMS, mail, photos, and contacts. Only available for Android devices. Price: Free.
  2. Gallery Lock – Named app of the year by Times Magazine, this handy application makes it easy to keep your private photos away from the eyes of phone snoops. The intuitive program makes it easy to create your own folders and conceal your photos and videos in a beautiful and feature-rich application. It has the capacity to run in stealth mode to keep others from being aware of your hidden images. Use a PIN pattern to access your data. Only available on Android. Price: Lite version is free, Premium unlocks additional features.
  3. App Defender – This straightforward app prevents access to applications. Users can set a unique password for each individual app. After three failed attempts to access an application, it displays the number of failed attempts to alert the owner to the access attempts. Only available for Android. Price: Free trial, after which it costs $3.13.
  4. Picture Safe – This application offers advanced protection for your mobile device’s private information. It allows you to create custom folders to organize your data how you wish, decoy icons and screenshots to fool snoopers, a fake calculator entry screen with 8-digit PINs for highly secure access, dual passwords to allow access to ‘safe’ and protected photos, and much more. Hide everything from phone records, photos, and web access. Only available for iOS, including iPhone, iPod Touch, and iPod. iOS 5.0 or later editions, optimized for iPhone 5. Price: $1.99 (currently on sale for $0.99).
  5. Snap Secure – This application offers a range of unique and helpful features designed to make your mobile device a powerful security tool. It features real-time tracking of members that can be viewed on a map from a related mobile device or the web, helpful for keeping track of children or partners. Have teenagers? The motion-activated driver safety feature stops users from texting, calling, or web surfing while on the road. Footprints allows you to track the movement of the device using GPS, giving a clear picture of the movement history for any attached device. It also allows you to create safety zones and sends alerts when a device moves out of that defined territory. Finally, if a user finds themselves in dire circumstances, it offers a panic button that promptly calls 911 or alerts an emergency contact with location information via email, phone, or text. Available for Android, iOS, Windows, or Blackberry. Price: Free basic account, after which it costs $499 a month for a single user and $9.99 a month for a family plan.


Other Nifty Apps

Photo courtesy of Flickr user geoffeg

  1. Gibberbot – Recognized by PC Mag as one of the 100 best Android Apps of 2013, this application allows you to securely chat with friends across a range of platforms in one streamlined place, with powerful off-the-record encryption. No ads, easy to use, and available in many languages. Plus the chat program has fun built-in features like custom icons and wallpapers. Also available for iOS, Mac, Linux, and PC. Price: Free.
  2. Anti-Spy Mobile – Homebrewed spies are being blessed with a wide variety of tools to dig into your private and personal information. One growing method is to conceal an application on your mobile device to intercept communication, application use, and web browsing habits. Stop that in its tracks with this application, which scans for and automatically removes any of these applications. Also available for iOS. Price: This version is completely free; a premium version offers a few additional features.

Locate Lost Phones

Photo courtesy of Flickr user gorbould

  1. SeekDroid: Find My Phone – While many of the antivirus programs offer a basic phone finder program, this one goes above and beyond. In addition to remote location, locking, and wiping, it allows users to create GPS breadcrumbs to track the movement of the lost or stolen phone, access recent calls, retrieve important data, and remotely wipe SD cards. The program itself can be hidden from display and made impossible to remove. It has almost no battery drain. Only available for Android devices. Price: $4.99
  2. Plan B – Many of these applications are focused on preventing loss and damage to your phone. Plan B is for folks who were not quite as proactive. If your phone gets lost or stolen, Plan B helps you locate it after the fact. You can install it remotely and it will start utilizing cell towers and your phone’s GPS to track its location every ten minutes. Users will get an email or text message with the current location of the phone each time it is located. Once the phone is recovered, you can revert back to the preferred ‘plan A’ and download any of the other excellent security apps that include tracking and other security features. Only available for Android devices. Price: $1.99
  3. iHound Software – Utilizing GPS, Wifi, 3G, or Edge signals built into your mobile device, iHound tracks its location every 10 minutes and reports it to a web application. Users can remotely lock and wipe their phone and directly instant message their phone to communicate with anyone who picks it up. Further, users can set it up to automatically alert opted-in programs like Facebook, Foursquare, and Twitter to keep friends up to date on their location. Also available for Android and iOS. Price: They offer a free 7-day trial, after which the program costs $3.99 for an annual subscription.
  4. GadgetTrak – This iOS-focused app will help you keep your phone secure in the unfortunate event it gets lost or stolen. It uses a combination of GPS and WiFi alongside cell tower triangulation to keep accurate tracking of the phone’s location. Each time the phone is tracked, it will send users a detailed account of its location. Automatic camera captures will let you know who has the phone. Once the tracking has been activated, no software settings can be modified, and all collected data is sent through a secure SSL connection. Only available for iOS. Price: $3.99


Solitary Confinement in the United States is Worse than Iran [INFOGRAPHIC]


PRISM: Everything you need to know [Infographic]


Working with People: An Introduction to Social Engineering

Humans are inherently social creatures who have developed a world strongly based on interacting with others. Just as in the world of information technology, human social protocols are a complex series of rules and guidelines for how people behave when interacting with each other, and just like any other system, there are methods to use and abuse them once you understand the rules that govern them. Social engineering is a broad subject, but in this article we will focus mostly on social engineering as it is used to gain access to social groups and sensitive information.

Social Engineer is one of the few blogs dedicated to the topic.

Photo by OUTography.com


What Is Social Engineering?

Social engineering is using the common tendencies of how people interact with others in order to gain information or a benefit of some kind. Effectively, social engineering can be referred to as the hacking of people. Before the Internet age, social engineering would more likely have been referred to as conning, but the scope of social engineering’s applications goes beyond tricking people out of money. It is about causing people to act according to your wishes. Getting someone to say yes to a date is social engineering. So is getting your company a contract from a tough client. With regard to information security, social engineering is getting people to give up protected information.

A social engineering definition can be found here.


How Effective Is Social Engineering?


Even companies that place a high focus on securing their information networks can prove extremely vulnerable to social engineering attacks. DefCon, one of the largest hacking conferences in the world, routinely features a social engineering competition that has demonstrated over and over again that simple tactics can be used to get enough information to potentially do harm to a company. Position in the company also seems to have almost no effect on how susceptible a person is to social engineering; a big wig is just as likely to give up information as a cashier, but the big wig also usually has access to more pertinent info.

Social engineering is gaining attention for its insidious effectiveness, and is starting to get recognized in the media and the corporate world. Check out these news articles for an idea of how it is being perceived:

Smooth-Talking Hackers Test Hi-Tech Titan’s Skills – A look at DefCon hacking competitions, utilizing social engineering within legal boundaries to ferret out intelligence designed to weaken a company’s security.

Social engineering to blame in Syrian Electronic Army hijack of the Onion – The targets of these sorts of attacks aren’t always the ones you might expect; The Onion was a recent victim of a phishing scheme.

Facebook Social Engineering Attack Strikes NATO – Often, the targets are important, such as this attack against NATO. Every organization contains a human element, the target of savvy social engineers.

How a lying ‘social engineer’ hacked Wal-Mart – Many people are naturally biased to trust based on a set of subtle criteria: a tone of voice, a style of dress, even word choices can lead people to give credence to otherwise nonsensical ideas or situations, like this Wal-Mart store manager being duped into giving away company data in exchange for a non-existent contract possibility.


General Tips for Social Engineering

These are common guidelines and methods used by social engineers before and during any assignment on which they are working. These focus more on the preparation and mindset of the social engineer than the actual attack methods that are used.

Do Your Research

Take a look at this seminar on social engineering strategies.

Information is everywhere. If there is a topic you want to know about, you usually only need to glance at the Internet. Reading the news and press releases from a company can give you a firm background history from which to work. A social media site may give you insights into the temperament of a person or give you an idea of the social scene in which they operate. If you are trying to infiltrate a group or become closer to a person with any notable focus, then the Internet can be used to familiarize yourself with the topic.

Hackers may go above and beyond in this regard. If they manage to gain access to someone’s email account or messaging service, there may be records of conversations that can be used to mimic the person in electronic communications or learn about key topics that anyone on the inside should know about.

Look the Part

Photo by Viktor1558

Imagine for a moment that you are watching a movie set in modern times and focused on the happenings in a government or business office. If there were someone dressed in jeans and a hoodie in the middle of a meeting of executives or elected officials, you would likely immediately feel the character was out of place or at least question why they were there. The same holds true whenever you want to interface with another social group, whether it is a company or a club.

Also worth noting is that looking professional – wearing a nicely tailored and well-kept business suit – can generate an obscene level of trust in your social interactions. The suit conveys a lot of subtle messages: this person is a successful member of society, they likely have money, and you can trust them a bit more than the average person. You may not gain complete trust and unlimited access, but the difference between the trust levels shown to someone in a suit and someone in casual clothing is palpable.

Learn to Read People

This article gives you a glimpse into the advancement of research into the integration of robotics and emotions.

If computers are getting to the point that they can recognize and react to the emotional displays of people, then there is no reason that a person should not be able to do the same task better. Taking the time to read up on facial expression theory and other psychological articles can help point you in the right direction, but the only way to really learn is to go out and talk with people. Doing this with new people consistently will also give you practice in learning how to pick up the subtleties in a new person’s expression and tone.

Back Up Your Backup Plans

Just having an idea of how to work a plan does not mean you should ignore contingency plans. Even if a failure in one portion of a plan leaves no option but breaking off the attempt, you should be prepared for the possibility and have a clear idea of how you will break it off. This is not going to eliminate having to think on your feet, but having a guideline for your actions can mean the difference between a smooth response and something haphazard that sends the wrong signal.

Strength in Numbers

Unlike the world of open conflict, more numbers on the side of the target can be a firm advantage. Working your way into a small firm can be a dogged task, but it can be easy to turn into “just another suit” at larger offices. It is almost always easier to work your way into social situations when the target has a larger number of people involved.

Take the Time to Do It Right

If you were to take movies and shows as fact, you would think social engineers waltz into a business with a suit and savvy and somehow manage to make their way into the confidence of the boss or gain access to sensitive areas within a few minutes. A real social engineering effort may take weeks or months to accomplish properly.


The Social Engineer’s Toolkit

Photo by _sarchi

A number of techniques have become common practice for social engineers. The list here is not exhaustive, and the variations on these techniques make covering them all a task better suited to a textbook.

Phishing, Vishing, and SMiShing

This rainbow of techniques typically refers to scenarios where the attacker poses, via electronic communications, as a person or service the target already knows. One of the most common phishing emails is one that mimics the company’s style and email address while telling the target that their account has been locked out due to potentially malicious activity. A link is supplied to the target to reset their password. The site looks like the company’s down to the smallest detail, but the reset instead sends the target’s old and new passwords to the phisher.

The delineation between the terms is based on the attack vector. Phishing is done through the computer, vishing is done through the phone, and SMiShing is done through text messaging.

Pretexting

Pretexting is the art of constructing a scenario in which the target is more inclined to go along with the wishes of the attacker. The most common example of this in action might be taken from the ways people try to convince traffic cops to not give them tickets: “My friend is in the hospital”, “My wife is delivering our baby”, or “I’m on my way to stop the love of my life from getting on a plane and never coming back.” In the movie Live Free or Die Hard, a character uses the pretext of his grandfather in the hospital to get an OnStar agent to activate a car he wants to steal.

There is always a host of information about any company that is not considered protected, but social engineers can piece these bits together to create the façade that they are a member of the company or an associate. For example, instead of just sending an email to the tech support desk for a password reset, a social engineer might send it directly to one of the IT staff members with a message stating that a vital report on that computer is wanted immediately by a big name at the company, and they need their password reset right away.

Sex Appeal

When dealing with a pretty face, a person can become distracted and lose focus on the things that matter. Not every social engineer will be a model, but you can expect the ones that have been favored with good looks and charm to use the advantage.

Tech Support

Most people simply have no idea what is going on with their computers beyond interfacing with the applications they use to work. Computers also have an unfortunate tendency to break down due to misuse or just over time. In larger companies, it may not be uncommon for the IT department to be behind on fixing all the computer issues that are active. By masquerading as tech support, savvy social engineers can troubleshoot for the employee while also placing themselves in a trusted position to ask for personal information like passwords.

The Indirect Approach

Coming up to a person directly and asking them about secure, private topics may immediately trigger warning signals. If the social engineer instead approaches a person via a secondary topic and befriends them, then later probing for the information has a higher chance of success due to the longer time for which trust has developed. As an example, if the target is an avid golfer, then a social engineer might find a way to arrange for them to end up playing together. This would let the engineer strike up a conversation naturally due to the common event.


Spy Versus Spy: Counteracting Social Engineering

Photo by tr.robinson

It is nigh on impossible to stamp out the threat that social engineering represents, even when utilizing proper security methods at a business or simply trying to avoid falling victim to it yourself. Much of the research and the supported methods for handling the threat of social engineering come down to educating people on its dangers, developing security policies based on what needs to be protected, installing Data Leak Prevention (DLP) software, and doing penetration testing to get a real idea of the level of security in place.

Enforce Strict Information Release Policies

Both in your personal life and in the business world, sensitive information should be treated with respect and controlled properly. That does not mean you have to give someone trouble every time they ask for personal information, but taking the time to double-check that the person is who they say they are, and that you are comfortable handing over the information, lets you do so with a high degree of confidence.

Education

To use an analogy, the human minds that reside within a social group can be thought of as computers on that social network. Where you would patch a computer, you would educate a mind. The ways in which you can be educated are numerous: you could have an article on social engineering (like this one) made mandatory reading, make social engineering news part of your company newsletter, or hold a class every couple of months. At the very least, people should be aware of the information policy on which you decide. The patch may not take on every person, but you should at least try.

Data Leak Prevention Software

An up-and-coming type of software is joining the ranks of applications like antivirus and firewalls on the list of things any network trying to be secure should have: Data Leak Prevention (DLP) tools. The software can monitor data in storage, in use, or going over the network, and it can perform tasks like preventing the data from being sent or triggering an alert if something is sent. This is limited to helping prevent social engineering mishaps on computer networks, but social engineers are likely to use a combination of methods to try to gain access to the most valuable information.

Penetration Testing

Just like your hardware and software, your people can benefit from penetration testing in order to ascertain their awareness of social engineering as a threat and the information security policies that protect from it. This usually requires the aid of an outside entity to get a proper simulation of an attack from someone currently outside the company.

Social Engineering Fundamentals: Part II: Combat Strategies – An article on preventative measures against social engineering from Symantec, a notable information security software company.


How Can You Use Social Engineering in Your Everyday Life?

You may not want to con someone out of their account passwords or savings fund, but that does not mean that the methods of social engineering cannot find their place in your life. They can even be used effectively for altruistic purposes. For example, making new friends can benefit from a knowledge of social engineering.

Social engineering as a way to gain access to secure information is a threat of which everyone should be aware. Like almost any form of science or technology, it can be used for good and for evil. Taking the time to learn social engineering methods is the best way to use them to your benefit and know how to defend against them. Unless you move to a deserted island with no technology, you are going to be subject to the designs of social engineering, so you may as well stay informed on the subject.

8 Potentially Life-Threatening Situations in Everyday Life

The Internet provides endless convenience. You can find pretty much anything you could need with just a few clicks of a button. Whether it is a pair of shoes, groceries, furniture, a personal assistant, a copy of episode 67 of the 1980s hit show Three’s Company, a job, a nanny, a date — you name it, it’s all there. It’s so simple to find what you need that many people go to the Internet before going anywhere else. And where do they do their research before making a big purchase or hiring decision? The Internet.

According to a December 2012 Pew study, 81% of American adults use the Internet, and of those in 2010 and 2011:

  • 78% looked for information online about a service or product they were thinking of buying.
  • 71% bought a product.
  • 56% looked online for information about a job.
  • 53% used online classified ads or sites like Craigslist.

Prior to the World Wide Web, when someone needed a product or service, they likely turned to friends, family, and colleagues for referrals. This way, there was a direct human connection to that person, increasing trustworthiness. But today, none of us really know who’s on the other side of that computer screen. It’s easier to lie when you’re not looking someone in the face. It’s even easier for a criminal to lie.

There’s a ton of horror stories out there about hiring nannies and employees, answering Craigslist ads, and online dating. Although they’re frightening, when you think about it, these horror stories make up a very small percentage of the transactions that occur on the Internet every single day. We don’t ask that you quit taking advantage of the convenience offered by today’s technology; we just ask that you’re careful and consider doing a little research about a person or seller before risking your life and wallet.

8 Potentially Life-Threatening Situations in Everyday Life – An infographic by the team at BackgroundChecks.org


The Top 40(+) Private Eye Blogs

A great number of excellent PI and related blogs have fallen in the last few years, but there are still quite a few worth perusing. They are pretty evenly divided between a focus on other PIs and educating potential clientele. Most of the quality PI blogs come from professional investigative firms, but some are from individual PIs. This list also includes interesting criminal justice blogs from the perspective of police investigators, as well as detective and murder mystery oriented writing blogs, since they often pull heavily from real investigation and often contain interesting or useful information.

Photo by It'sGreg

Professional PIs

  1. G.E. Investigations – This Arizona-based private investigation firm runs a blog that responds to news related to the industry and posts about wanted criminals and persons of interest, investigative tactics, announcements, hacking, and more. The blog is easy to navigate and well organized. Must Read: West Virginia Private Investigator Arrested for Illegal Wiretapping!
  2. The Marriage Detective – A newly utilized blog for a professional detective agency, this blog focuses on partner investigations and the topics they post about reflect information that would be useful to a potential client. They offer national reference servicing and are sales oriented, but there is some good information in the posts. Must Read: 5 Myths About Private Investigators – What They Cannot Legally Do
  3. Diligentia Group Blog – This professional agency provides some excellent advice in this well designed blog, both for other private investigators and for potential customers considering hiring one. Frequently updated and easy to navigate. Must Read: 101 Things a Private Investigator Can Do
  4. AFX Search Blog – This Florida-based investigative firm provides regular blog posts of use to both potential clientele and other investigators, ranging from different research strategies to legal issues and more. Must Read: Asset Recovery – Dangers of delaying civil action until criminal cases are completed
  5. ICORP Investigations Blog – A newer blog run by a Florida-based investigative firm, they have started off strong with quality articles on investigative methods and responses to relevant news. Must Read: Is Someone Recording This? It’s Harder to Find Out
  6. Orange County Private Investigator Blog – Full of useful information for people interested in doing their own investigation, including product reviews, practical skills, information about PI services, and general information. Must Read: Social Media: Your Private Life Made Public!
  7. JFA Brisbane Blog – Updates, advice, and stories from the trenches, this blog is written from the perspective of an Aussie licensed private detective firm. A great resource for the prospective client or wanna-be investigator alike. Must Read: So You Think You Might Like To Be A Private Investigator?
  8. Jan B. Tucker: The Detective Diary – Long-lived and frequently updated, The Detective’s Diary has been recognized for its quality before. Jan Tucker focuses on more than just PI topics; he’s also a progressive political activist and keeps tabs on topics important to his local area and on national issues. You may even find a review of local venues or notices of interesting events tucked away here and there. Must Read: The Small Freaky World of White Collar Crime
  9. Private Eye Confidential – This California-based investigator keeps us updated on local news, personal stories, and fascinating history related to his area alongside practical tips for other investigators. Must Read: My First Domestic Success
  10. Handcuffed to the Ocean – Repeatedly noted as one of the best PI blogs around, this blog is a fantastic combination of well-told stories from real investigations and beautiful introductions to the beaches and dive sites the author has explored. Must Read: Spearman’s Barge
  11. Mass Private I – This blog’s focus is on issues of criminal justice and civil rights, and it takes a watchdog stance on state and federal government stepping over the boundaries of ethics and the spirit of the law in their own investigations. Must Read: NYPD’s rationale for stop & frisk quotas: some of their police officers are lazy.

Photo from Conner395

The Criminal Justice World

  1. Criminal Justice USA – This site enlightens its readers on a wide array of criminal justice topics with playful design and accessible writing. It regularly features infographics meant to quickly provide statistics in an easy-to-comprehend manner. Must Read: A Timeline of Police in the U.S.
  2. Tickle The Wire – This blog keeps its readers updated on the news and issues relating to federal law enforcement. Updated frequently and featuring a number of experienced columnists, it is a worthy addition to anyone who wants to get a feel for the national crime beat. Must Read: Column: The Justice Department’s Seizing of Associated Press Phone Records is Disgusting!
  3. Murder by Gaslight – A fascinating look into the crime of 19th Century America. It includes profiles, histories, stories, photographs, and resources for researchers. A great read for those who are interested in the history of investigation, crime writers, or historical crime aficionados. Must Read: The Legend of Lavinia Fisher
  4. Crime Magazine – All the stories about crime, historical and modern, that you could wish to read. Organized by type of crime, regularly updated, and very much worth reading. Helpful for investigators in studying case files to gain a greater understanding of how criminals operate. Useful for crime writers for inspiring the imagination. Must Read: Nixon, Sinatra and the Mafia
  5. Crime Library – This regularly updated blog shares interesting crime stories from all around the world, including the notorious and the mundane, with insight into the criminal mind. An excellent resource for investigators learning more about criminal methodology or fictional crime writers looking for new ideas. Must Read: The Definitive Rodney Alcala
  6. The True Crime Report – Keeping readers up to date on the latest unsolved crimes, homicides, sex crimes, missing persons, and my personal favorite category – douchebags. Regularly updated with quick and dirty updates on real crime, with links back to the original sources. Must Read: Carmen Wysong, Girl Scout Troop Leader, Steals Thousands in Cookie Money
  7. The Crime Scene – Updates on crime from the southwest Missouri region. Murders, missing persons, and your typical medley of hooligans and mischief. Regularly updated with fairly detailed accounts of each crime and links to further information on each case. Must Read: Oklahoma Cold Case Heats Up With Discovery of Three Sets of Human Remains
  8. My Life of Crime – Despite a rather busy format, this blog does an excellent job of keeping its readers up to date on criminal investigations, upcoming executions and trials, and notable sentencing. It features monthly themes and historical tidbits as well. Regularly updated with lots of linked resources relating to each crime. Not much in the way of personal perspective on each case, but lots of data. Must Read: Deadly Wives: Nancy Mancuso Gelber, true crime writer, tried to hire a hitman to kill her husband
  9. The Thin Blue Line – A UK-based blog focused on issues relating to crime and criminal justice matters in the region. Regularly updated, well written and researched, with excellent analysis from professionals with experience in the field. Must Read: Contempt of Cops – The Thing End of the Wedge
  10. Constable Chaos – This UK policeman’s blog contains both criminal justice insights and some playful letting off of steam from a man behind that thin blue line. A recent post includes a picture and lyrics to a lively tune about policemen rounding up drunks on a Friday night. Another details the unexpected rescue of a Norwegian Blue parrot. Must Read: #GangnamPoliceman
  11. The Thinking Policeman – Opinion and updates about criminal justice matters and behind the scenes accounts from his peers still on the job are frequently seen on this retired UK police inspector’s blog. Issues are primarily relevant to his side of the pond. Must Read: Gadget Lives On – The iPhone Resolution
  12. Tales of a Public Defender Investigator – This blog is a fascinating look at investigative work done on the part of a public defender. Lots of useful tidbits in here, plus legal updates and events relevant to the industry. The color scheme leaves something to be desired, however. Must Read: GANGS 101
  13. LAPD Blog – Any investigator in the LA area might want to keep up with the goings-on in the LAPD. This blog keeps readers informed about recent criminal cases, recruitment information, legal changes, and more. Must Read: Suspects Attempt to Lure Young Girls into Cars
  14. Bounty Hunter Discussion – All sorts of information useful for bounty hunters or private investigators found here, including product reviews and updates, news, tips and tactics, and practical business matters. Must Read: Judge in Favor of Private Bail

Photo by mark Coggins

Great Detective Story Blogs

  1. Guns, Gams, and Gumshoes – This blog exists in a strange balance point between the writing world and the world of the working PI. It includes resources and information handy for PIs and for writers chronicling the adventures of literary private dicks. Must Read: Staying Legal in a Shady Business: When PIs Are Asked to Break the Law
  2. L.A. Noir – An enjoyable read, this blog is a combination of personal stories from a crime writer’s perspective and interesting tidbits from real-life crime stories in the LA area. Must Read: The Dead Lady in the Water Tank Story Just Got Weirder
  3. Detectives Beyond Borders – Reviews of great literature, news about upcoming noir events, behind-the-scenes news about the writers in the genre, and more. Frequently updated, well written, and easy on the eyes. Must Read: “Ah refuse tae be victimized”: William McIlvanney and Glasgow patter


International Private Investigators

  1. Crown Intelligence PI & Intelligence Services Blog – This is a company blog, so it is primarily focused on articles geared for potential customers. It discusses various tactics used by private investigators, how to pick a PI suitable to your needs, the role of investigators, and news related to the industry. Written in an accessible style with an easy to navigate format. Must Read: Things to Consider Before Hiring a Private Investigator
  2. PI Telegraph – This e-zine based out of the UK targets investigative professionals who are interested in free resources, relevant news, product reviews, and other tidbits that can help hone skills. The design is elegant and the site is well organized, making it easy to locate topics of interest. Must Read: How Much Should I Charge? Pricing For Profit
  3. Keynorth Blog – A professionally oriented blog from Canada reporting on changes to laws, professional development, and information that can be applied in the field. Must Read: Primer on the Federal Administration Act, Asset Recovery, Reporting and Deterrence
  4. Bali Eye Private Investigation – This blog provides useful information on how to protect oneself and avoid scams as a potential client, and offers advice and tactics to other investigators. Based in Indonesia, it provides a unique perspective on private investigations in other parts of the world. Must Read: Dating Cons Games in Indonesia

E-zines, News, and Community Blogs for PIs

  1. PIbuzz.com – This hub of information is made for and by private investigators. It features news important to the industry, product reviews, tips and tricks, and useful research links. The design is pretty clean and the site is easy to navigate and offers a newsletter. Must Read: Dynamic Internet Searching with Google Products
  2. PI Stories – Covering a wide range of stories of interest to the PI industry, including personal perspectives, responses to news, case studies, examinations of technology, and more. Long running and easy to navigate. Must Read: Parents Find Out About Their Daughter’s Death Through Facebook
  3. Fraud Magazine – Technological updates, headline responses, regular columns, professional development tips, product and book reviews, and much more are featured in this bimonthly magazine focused on white-collar crime and fraud examination techniques. Their articles are focused on providing actionable, practical information. Must Read: Cyber-attack vector? Who, me?
  4. The Background Investigator – This is essentially an aggregator of news relating to information gathering. It covers popular stories and national and international news. The news is primarily focused on background screening but covers related topics as well. Must Read: Washington State Courts Office Suffers Data Breach


Advice, Tactics, and Resource Oriented Blogs

  1. PI Advice – A comprehensive blog designed to aid new and veteran PIs interested in honing their craft. The blog features a minimalist style and includes podcasts, apps, and an online store with tools for investigators. The posts range from advice to real-life stories to product reviews and more. Must Read: #58: Investigation Stories – The Lessons I Learned with a Bit of Luck – Part 1
  2. The Confidential Resource – As the title suggests, the focus of this blog is on providing useful sources and methodology for investigators and researchers. It is well designed with a clean and modern look, easy to navigate, and searchable. Must Read: The Cost of Investigative Internet Research
  3. BPI Security Blog – This blog is full of excellent advice from the field, practical skills development, and great information about the business of running an investigative services firm from the perspective of a successful firm. Must Read: Slight of Hand(lers)
  4. Title Search Blog – This blog is focused on real-estate oriented investigative work and news. It includes up to date legal information, news reports related to the industry, practical advice, and even videos with step-by-step instructions. Must Read: Case Law on Invalid Mortgages

Small Business Owner’s Guide to PCI Compliance

Information theft and the damage it can cause to consumers and businesses have been featured extensively in the news for most of the past decade as we move to an almost entirely online way of doing business. The use of the Internet for business has changed the landscape of the commercial world for the better, but it does provide an avenue of attack that allows malicious entities to acquire sensitive data without ever setting foot inside an office. For this reason, the PCI DSS was created.

Chances are high that, as a modern business owner, you at least have a passing knowledge of the need for PCI compliance. For those less technologically savvy or who do not have the time to read through extensive regulations, this need can seem like an unnecessary burden, both to your budget and your time. To help you at least become more familiar with the PCI DSS, this guide will give a high level overview of the purpose and requirements of the regulations and provide advice and resources for becoming PCI compliant.

Photo by eliazar

What Is the PCI DSS?

PCI stands for “Payment Card Industry,” and the appended DSS often seen accompanying it stands for “Data Security Standard.” The PCI DSS was created by the PCI Security Standards Council, which consists of the five largest credit card companies: MasterCard, Visa, JCB, American Express, and Discover. Its intent was to establish a system for protecting payment card data, which can easily be used for malicious purposes once it is in the hands of unauthorized persons. It details the baseline security procedures that companies who interact with payment card information should follow, provides information so that companies can do so, and establishes penalties for noncompliance.

To Whom Do PCI Regulations Apply?

The PCI security guidelines apply to anyone who stores, processes, or transmits consumer payment card data. It does not matter if you run a restaurant, work from home, or have a small chain of stores. If you directly interact with payment card data in any fashion, even by just processing one payment, you are almost assuredly under the purview of PCI DSS. Even if you utilize a payment gateway or merchant account service, your business is responsible for adhering to the regulations as long as it interacts with the payment data in any fashion.

Steps to Adhering to PCI Guidelines

This is a general, step-by-step guide to becoming compliant with the PCI DSS. The PCI regulations themselves outline this process, though the sections are broken down a bit further. These steps do not address every action you need to take through the process. For the exact details on how to follow these steps, consult the PCI DSS version 2.0, available on the PCI security standards site. This especially applies to the more technical sections of firewall and encryption usage.

Photo by: Aman Deshmukh

Step 1: Install a secure firewall and establish good system passwords.

Firewalls are used to monitor and manage the network traffic running through a system. There are a number of free software firewalls available online, but a high quality, commercial firewall is typically going to be more secure. You can also opt for a hardware firewall for increased security.

Password policy is a simple security procedure that many people regularly fail at. A complex password system may be inconvenient, but when people use generic passwords such as “firstnamelastnamenumber,” “password1,” “qwerty,” or “abc123,” it becomes easier for rudimentary cracking programs to bypass this first level of defense, and an account could even be accessed by an unauthorized user without the use of such a program. Passwords should be case sensitive and use a mixture of upper case letters, lower case letters, and numbers. They should also avoid common dictionary words and should not be recycled.

Step 2: Protect consumer data with encryption.

Data encryption renders a file virtually unreadable without the proper decryption key. Encryption technology has evolved to the point where, even if a hacker somehow accesses the encrypted data, decrypting it is still a difficult task. The method is not foolproof, and there are certain pieces of information you cannot store at all, even if you encrypt them.

Step 3: Consistently run and update anti-virus and anti-malware software.

Viruses and malware can find their way onto a computer through a number of seemingly harmless methods, such as installing a new program or browsing a website. Once compromised, an infected system may be more easily subjected to hacker attacks, or the activity on that system, including network traffic that contains payment data, can be monitored remotely. The capabilities of these malicious programs are extensive, making the use of software to detect and remove them essential for information security.

Step 4: Maintain proper access control over sensitive systems.

The most direct way to keep unauthorized personnel away from sensitive information is to limit who can access it, both electronically and physically. The more people who can access the data through normal operations, the greater the risk of a security breach. Payment data access should be restricted to specific user accounts based on need, and you should not use any group or public access accounts on sensitive systems. Physical access to the data should be limited as well, and the data should be situated in a secure and monitored area. Additional levels of access control, such as managing user accounts, password cycling, secondary login verification methods like biometric data or access cards, and lockouts on repeated login attempts, are also required.

Photo by: JermJus

Step 5: Monitor and test network security regularly

Keeping track of the systems which interact with sensitive data can be useful in detecting intrusion attempts or discovering the source of a data breach. All activities should ideally be monitored, but the PCI DSS specifically calls for keeping logs of access attempts, creation of system-level objects, the activities of root and administrator accounts, and any access to payment card data, along with audit trails that record the time, outcome, origin, type, and affected components of each event.

Once all the security measures are in place, the PCI DSS necessitates a variety of regular testing procedures. Quarterly procedures include penetration testing performed by an Approved Scanning Vendor (ASV), scanning for unauthorized access points, and vulnerability scans. Extensive penetration testing is required at least once per year, and additional testing should be performed after any significant changes to your systems.

Step 6: Establish an information security policy

This is one of the more detailed and overarching requirements of the DSS. Put simply, it requires that your business has established operating procedures relating to information security. Obviously, part one of this policy is to ensure that your systems remain PCI DSS compliant. Other considerations include maintaining a list of approved electronic devices for your systems, with clear information as to whom and for what purpose each device is intended. The responsibilities of “information security manager” should be assigned to an individual or group, which can be an outside security provider. These responsibilities include account management, educating personnel on information security procedures, and monitoring the company’s networks. Security procedures should be discussed with any third-party vendors the company uses, and a formal, written agreement should be composed. The plan should also specify when testing procedures should take place, and the plan itself should be subject to testing and scrutiny.

Also, bear in mind that the individual payment card companies may place extra requirements onto merchants. For example, this is a list of Visa’s requirements. While not too far off from the main PCI DSS, it is important to be aware of these requirements to avoid issues.

Penalties for Failure to Comply

While the PCI regulations are not enforced by law, the major credit card companies and banks levy fines that are tiered to the volume of transactions a company processes. The exact amount of the penalty also varies case by case, but fines can range from $5,000 to $500,000. They may also continue on a monthly basis if non-compliance is not rectified.

Help for Becoming PCI Compliant

While the overall concept of becoming PCI compliant is fairly straightforward, the intricacies of actually adhering to all the various guidelines and regulations can be difficult for small business owners to handle, and they can often eat up the limited time of a small company’s few employees. Enlisting the help of companies certified to validate and assist with PCI compliance is recommended by the PCI regulatory body and is required in some cases, such as the regular testing by an ASV mandated in the regulations. QSAs (Qualified Security Assessors) can be used to verify that you are adhering to the PCI DSS.

Aside from the companies directly related to PCI compliance, the help of a Managed Security Service Provider (MSSP) is good practice for enhancing your general security and thus helping your systems comply with PCI guidelines. These organizations are experienced in setting up information security functions for businesses and individuals, and using them is often less expensive for small businesses that cannot afford to bring on several IT staff members just to handle information security. Many MSSPs can also function as QSAs, but it is better practice to use different companies for these services, even if it is not required to do so.

A report detailing some of the best MSSPs based on various criteria can be found here, and the lists of PCI Security Standards Council approved QSAs and ASVs are located in the resource section at the bottom of this guide.

You can also engage in further reading with tools like this free PCI for Dummies ebook, courtesy of Qualys.

Photo by: kchbrown

Is PCI Compliance Enough?

PCI represents a baseline level of security that should be adhered to by companies that handle sensitive data. While it may seem to be an unnecessary burden, information security breaches have been responsible for trillions of dollars lost through fraud and secondary expenses. Even if your business does not handle high volumes of transactions from a number of different customers, neglecting to properly secure your information systems can result in data breaches that put you and your customers at risk and do extensive monetary damage. It is in your best interest to take information security extremely seriously and even go beyond the security standards set by the PCI DSS.

Helpful Resources

PCI Security Standards – The main PCI DSS site. It contains the regulations, supplemental information, links to certified assistant companies, and more.

Approved Scanning Vendors – The official list of ASVs certified by the PCI regulatory body.

QSA List – A searchable database of QSAs certified by the PCI regulatory body.

PCI Compliance Guide – A helpful reference for PCI compliance questions and information.

Emerging Managed Security Service Providers, Q1 2013 – A detailed analysis provided by Forrester of the most promising MSSPs.

Becoming ‘PCI Compliant’ If You Accept Credit Cards – A checklist of tasks for becoming PCI compliant from the BBB.

The 20 Worst Data Breaches

The information technology age has brought with it a new opportunity for the criminally minded. Unfortunately, our government agencies and corporations have not always been as guarded as they could be against those determined to gain access to the vital data they store. Through a combination of hacking and social engineering techniques, digital thieves have made off with identity information, hampered affairs of state, and even stolen millions of dollars. Here are 20 of some of the most damaging, notorious, or notable data breaches presented in chronological order.

  1. Card Systems – 2005

CardSystems is a third-party processor of credit card information based in Tucson, AZ. In June of 2010, a hacker slipped a data-mining bug into their system through security holes and stole data over time from roughly 40 million cards. This data breach happened in large part because the company was storing cardholders’ account numbers and security codes, in direct violation of MasterCard rules, which allowed the hacker to collect them. The information gathered was suitable only for stealing money from cardholders’ accounts, not for stealing identities. At the time, it was the largest data breach to date.

Photo by molotalk (http://www.flickr.com/photos/molotalk/)

  2. US Veterans Affairs Laptop Heist – 2006

In 2006, burglars broke into the home of a VA employee who had taken his agency laptop home, in violation of that agency’s regulations. Fortunately, the thieves responsible for stealing the laptop in question had no idea what they had gotten their hands on and deleted all the relevant information. When FBI agents recovered the laptop, they found it had been cleared and reformatted for quick resale, thus protecting the millions of veterans whose information had been stored on it. The data in question included Social Security numbers, names, addresses, and birthdays for millions of veterans, current service members, reservists, and their spouses. It represented the largest data breach from a government agency in US history, and it raised a lot of questions about how we enforce and protect the highly sensitive data government employees have access to.

Photo by nist6ss

  3. TJX Companies Inc – 2007

TJX Companies is a large retailer that includes a number of retail chains like HomeGoods, Marshalls, T.J. Maxx, and others. Over the course of several years, predominantly in 2003 and 2006, an unknown number of hackers stole millions of transaction records. Of note, it took TJX over two months after the data breach was discovered to talk about the true size and scope of what occurred with the media, and it delayed discussing its awareness of the breach with affected banks and customers even longer. In the end, 45.6 million card numbers were stolen and data from over 450,000 merchandise return receipts was also taken. This represented another major wake-up call for the industry. It took TJX seven months after the theft to recognize it, and retracing the hackers’ steps proved challenging since much of the trail was lost in normal data purges.

Photo by Infusionsoft

  4. TD AmeriTrade – 2007

Once again, a company with a major data leak chose to withhold this information from its customers for half a year before disclosing it. In this case, AmeriTrade was made aware at least as early as October of 2006, when customers began to complain of stock-related spam emails. That led to a lawsuit in May of 2007, when two of its customers sued the company for the breach. Each client had an email address used exclusively with TD AmeriTrade, and when those inboxes began to fill up with unwanted ads, they immediately knew where the leak had come from. The problem was even noted on BoingBoing in June of that same year, when it featured a review of AmeriTrade which noted similar email spam to a dedicated address. Despite this, the company kept the information close to the chest until September, when a court order would have forced it to step forward anyway. The lawsuit suggested that the data breach could have potentially leaked sensitive customer data like Social Security numbers and other information that could be used in identity theft. There was also a concern that the company might attempt to destroy information that would reveal its negligence. The company then requested a two-week break from court proceedings, was granted it, and used that time frame to ‘discover’ the breach and notify the press and its clients. It became very clear that the company chose to respond not out of a sense of responsibility to its clientele, but purely because it had been caught and could no longer contain the story.

Photo by Pat Hawks

  5. Certegy – 2007

This case was pretty much a cut-and-dried case of more traditional data theft: a disgruntled employee sold information to a data broker. The details that make this case worth examining are how the company initially presented the scope of the problem and how it recovered. The company claimed after it happened that only 2.3 million records were stolen and that the public should not be concerned, because these records were all going to ‘legitimate marketing firms.’ A few months later it was revealed through a filing with the Securities and Exchange Commission that the true number of stolen records was in the range of 8.5 million. Of those records, roughly 5.7 million included checking account records, and 1.5 million included credit card records that could be used for identity theft and fraud. In the end, through a settlement with the Florida Attorney General, consumers were granted a two-year period to report and receive reimbursement for expenses related to theft from the incident, and they were given credit monitoring at the company’s expense. Further, the company restructured how it handled information security, doing a comprehensive review of internal and external risk, implementing a range of safeguards, and scheduling regular tests and monitoring programs to detect weaknesses and catch issues before they became problems.

Photo by MedillNSZ

  1. Monster – 2007

Monster had a recurring problem with data breaches between 2007 and 2009. Three separate times it suffered breaches in which millions of customers' personal data was stolen or its job listings were laced with malware. Affected users also received targeted phishing emails encouraging them to download malicious software or tempting them into jobs as money mules for online criminal organizations. One of the Trojans the attackers left behind encrypted files on the victim's computer and dropped a text file demanding payment to recover the data. Each attack came from hackers abusing weaknesses in Monster's information security. Each time, Monster delayed telling its users about the breach after becoming aware of it. Each time, Monster swore to do better. Unfortunately, as Monster learned, big talk does not deter hackers. Real improvements to the infrastructure have to be made, not just discussed.

Photo by ppmotskula

  1. Bank of New York Mellon – 2008

Another case of traditional theft leading to a massive data leak: Bank of New York Mellon discovered a missing box of backup tapes in February 2008 and again in April 2008. In each case the tapes were in the hands of a third-party vendor, in transit from one location to another, when they went missing. Surprisingly, the tapes, which held sensitive customer information, were not encrypted at all. On top of that, the bank did not inform potentially affected customers for three months. The breach was initially believed to affect over 4 million individuals and to include names, addresses, and Social Security numbers. Later that year the bank notified 12.5 million customers that their data had been lost. All affected customers were offered two years of free credit monitoring and identity theft insurance worth up to $25,000.

Photo by brewbooks

  1. CheckFree – 2008

At the time of the attack, CheckFree was the largest e-bill payment system on the internet, controlling between 70 and 80% of the US online bill pay market, which made it a prime target. For several hours, attackers redirected visitors from the legitimate login page to a server in Ukraine that tried to install software designed to steal customers' passwords. CheckFree had more than 24 million users at the time, so the attack had the potential to be devastatingly effective. The attack did not exploit a flaw in CheckFree's own infrastructure: the attackers held valid credentials for the account that controlled CheckFree's domain name (DNS) records, suggesting they had either phished them from a CheckFree employee or harvested them with password-stealing malware. The same Ukrainian server was used to target at least 71 other domains at the same time. CheckFree noticed and responded promptly, reversing the redirect the same day. It then informed its customer base, told users how to check for malware infection, and arranged for every affected customer to receive a free copy of McAfee VirusScan Plus.

Photo by IntelFreePress

  1. Hotmail – 2009

In another phishing scam, about 10,000 Hotmail users had their passwords stolen. Much like the CheckFree incident, users were redirected to a site resembling the Windows Live Hotmail login screen. Those who were fooled into entering their username and password later found that information posted on Pastebin.com, a site originally designed to let web developers share snippets of code. The same site also carried a list of over 30,000 Gmail, Yahoo! Mail, AOL, Comcast, and Earthlink email accounts and passwords. Microsoft responded quickly on learning of the breach, emailing affected customers to warn them and forcing password resets on all affected accounts. As with CheckFree, this was not a failure of Hotmail's own data security but a successful phishing campaign.

Photo by soupstance

  1. Heartland Payment Systems – 2009

Thought to be the largest data breach of a payment processor, the 2008 attack on Heartland Payment Systems exposed roughly 130 million card numbers and raised questions about the effectiveness of the PCI standards of the time. CEO Robert Carr insisted that Heartland had been in full compliance with PCI standards and certified as such. The PCI Security Standards Council contested his claim, pointing out that the breach resulted from an SQL injection vulnerability in one of Heartland's web applications. Even so, the company had been certified as fully compliant, which led many to conclude that companies should go beyond the baseline requirements of PCI to protect customer data, particularly by tracking their security posture over time, since errors creep into systems and attackers gain more sophisticated tools. Heartland went on to develop E3, an end-to-end encryption service that protects card data from the point of sale all the way through authorization and approval. The PCI Council also began looking at technologies such as card tokenization to improve its own standards. The overall result was more focus on a layered approach to information security. In the end, Heartland paid more than $110 million to Visa, MasterCard, American Express, and other card companies to settle claims related to the breach, customers were notified and offered credit monitoring, and companies got a sobering reminder of the state of their data security.
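
The flaw the PCI Council pointed to, SQL injection, is worth seeing side by side with its fix. The following is an added illustration, not Heartland's code or data: a constructed in-memory SQLite table and two lookup functions, one that splices the caller's input into the query text and one that binds it through a placeholder. The table, merchant names and API keys are made up for the demo.

```python
import sqlite3

# Constructed in-memory table standing in for a processor's merchant store.
# Nothing here reflects Heartland's real schema, data or code.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO merchants (name, api_key) VALUES (?, ?)",
        [("Corner Deli", "key-deli-0001"), ("Gas N Go", "key-gas-0002")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string formatting: whatever the caller typed is
    spliced into the SQL text, so quotes and keywords change the query."""
    sql = f"SELECT name, api_key FROM merchants WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Binds the value through a placeholder: the SQL text is fixed, and the
    driver hands the input to the engine as data, never as syntax."""
    return conn.execute(
        "SELECT name, api_key FROM merchants WHERE name = ?", (name,)
    ).fetchall()


# Two classic payloads.  The first turns the WHERE clause into a tautology;
# the second appends a UNION so every row comes back regardless of the name.
# The trailing "--" comments out the closing quote the template would add.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT name, api_key FROM merchants --"


def demo() -> dict:
    """Row counts for an honest lookup and for each payload, per function."""
    conn = build_db()
    return {
        "honest_vuln": len(lookup_vulnerable(conn, "Corner Deli")),
        "honest_param": len(lookup_parameterized(conn, "Corner Deli")),
        "tautology_vuln": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "tautology_param": len(lookup_parameterized(conn, TAUTOLOGY)),
        "union_vuln": len(lookup_vulnerable(conn, UNION_DUMP)),
        "union_param": len(lookup_parameterized(conn, UNION_DUMP)),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key:16s} rows returned: {rows}")
```

The honest lookup returns one row either way; both payloads return the whole table from the vulnerable function and nothing from the parameterized one, because the bound value is compared literally against the name column. A compliance checklist does not catch the difference between these two functions; code review and input handling do.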

Photo by NickGreywfu

  1. US Department of Veteran’s Affairs – 2009

Once again, the VA put data on roughly 76 million veterans at risk through employee negligence. This time the breach started with a failed hard drive in a database RAID array. Employees sent the disk to a contractor for repair without wiping the data on it, which was not encrypted. When the contractor could not repair it, the disk was recycled, leaving the data accessible to whoever claimed it next.

Photo by Jemimus

  1. Hannaford Bros. Chain – 2009

Much like Heartland, the Hannaford Bros. supermarket chain appeared to be meeting PCI compliance standards when it was hit with a massive data breach. Despite that compliance, a sophisticated attack exposed over 4 million credit and debit card numbers to identity theft and resulted in almost two thousand cases of fraud. Later that year, Albert "Segvec" Gonzalez was indicted by a federal grand jury in New Jersey, along with two co-conspirators, on charges of hacking into Hannaford Bros., Heartland Payment Systems, 7-Eleven, T.J. Maxx, and other unnamed national retailers. Gonzalez and his small team were accused of stealing over 130 million credit and debit card numbers, the biggest fraud case of its kind up to that point. He was eventually sentenced to 20 years in federal prison.

Photo by Andres Rueda

  1. VeriSign – 2010

The VeriSign attack was notable both for the severity of the complications such a breach could have caused and for the astounding lack of communication inside the company. The security team discovered the breach in 2010, but it was not reported to management at all until September 2011. An SEC filing made the breach public and forced the company to acknowledge it, though initially upper management seemed to know little about the incident beyond what the filing contained. At the time of the attack, VeriSign was one of the largest providers of SSL certificates, which browsers use to verify the identity of secure sites such as financial sites and communication portals. VeriSign also held sensitive customer information, and the registry service it ran for creating website addresses was another potential target. The big fear was that the certificate system had been compromised; that would have let attackers forge certificates (something that had already happened elsewhere) and trick users into believing a phishing site was completely legitimate. Stewart Baker, former assistant secretary of the Department of Homeland Security, responded to the news by saying, "Oh my God. That could allow people to imitate almost any company on the Net."

Photo by Travis Goodspeed

  1. Gawker Media – 2010

Gawker Media's security breach was a lesson in humility, the internet's version of being publicly tarred and feathered. A feud between the message board 4chan and Gawker (publisher of Kotaku, Gizmodo, Jezebel, Jalopnik, Lifehacker, Deadspin, Fleshbot, and io9) developed after the publisher trashed 4chan's antics. Denial-of-service attacks by 4chan members swiftly followed. Shortly after that, a group loosely affiliated with 4chan and calling itself Gnosis began to infiltrate Gawker's content management system, internal communications, and user databases. There they sat for some time, during which Gawker's founder was notified that his account was logged into the internal system when he was not. He ordered the account shut off but did not bother to change his password; it later turned out, in a stunning display of carelessness, that he used the same password for everything. After poking around internally for a while, Gnosis went public. They posted a snarky message via Gawker's Twitter account suggesting that user accounts might be compromised. When a Gawker employee assured people that their information was safe, Gnosis responded by posting a meme and a message on Gawker's own site pointing people to a Pirate Bay torrent containing a massive data dump: internal conversations, usernames and passwords for a number of employees and many site commenters, FTP credentials, and the source code of the content management system (letting anyone dig through it for weaknesses). The dump also revealed that Gawker's servers were three years behind on security patches, that user passwords were protected with an outdated DES-based hashing scheme that truncates passwords to eight characters, and that there was no password policy at all; nearly 2,000 Gawker users had 'password' as their password. Gawker's response was incredibly poor.
Not only did Nick Denton, the founder, fail to respond sensibly when first made aware of the problem; the company then refused to admit there was a problem because the passwords were 'encrypted,' and waited over a day before notifying users of the breach. When it did notify users, it did so with a message on its site rather than by email, ensuring that many users would never learn there was an issue.
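
The two password failures in the Gawker dump, a weak hashing scheme and no policy against passwords like 'password', are separate problems, and the following added example (not Gawker's code; the accounts and wordlist are constructed) shows why. Gawker's real scheme was DES-based crypt; as a stand-in, the weak side here is an unsalted single-pass SHA-1, which shares the property that matters: one precomputed table cracks every account at once. The hardened side uses a per-user random salt and PBKDF2-HMAC-SHA256. A counter records how many hash evaluations each cracking attempt costs.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed accounts for the demo (not real Gawker data).  Two of the three
# use wordlist passwords, as roughly 2,000 Gawker commenters did with "password".
USERS = {"alice": "password", "bob": "letmein", "carol": "correct-horse-battery-9"}
# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein"]
ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware allows

HASH_CALLS = {"weak": 0, "strong": 0}  # hash evaluations spent per scheme


def weak_hash(password: str) -> str:
    """Unsalted single-pass digest: a stand-in for the legacy scheme.  Every
    user with the same password gets the same hash, so one table cracks all."""
    HASH_CALLS["weak"] += 1
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256), stored as
    salt$digest so verification can recover the salt."""
    salt = salt if salt is not None else os.urandom(16)
    HASH_CALLS["strong"] += 1
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$")
    candidate = strong_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)  # constant-time compare


def crack_weak(stored: Dict[str, str]) -> Dict[str, str]:
    """One digest per wordlist entry, looked up against every account at once."""
    table = {weak_hash(word): word for word in WORDLIST}
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_strong(stored: Dict[str, str]) -> Dict[str, str]:
    """With salts, the attacker must rerun the slow KDF per (user, word) pair."""
    found = {}
    for user, h in stored.items():
        for word in WORDLIST:
            if verify_strong(word, h):
                found[user] = word
                break
    return found


def password_allowed(password: str) -> bool:
    """Minimal policy: a length floor and rejection of common words."""
    return len(password) >= 12 and password.lower() not in WORDLIST


def demo() -> dict:
    weak_db = {u: weak_hash(p) for u, p in USERS.items()}
    strong_db = {u: strong_hash(p) for u, p in USERS.items()}
    HASH_CALLS["weak"] = HASH_CALLS["strong"] = 0  # count only the attack
    return {
        "weak_cracked": crack_weak(weak_db),
        "strong_cracked": crack_strong(strong_db),
        "weak_hash_calls": HASH_CALLS["weak"],
        "strong_kdf_calls": HASH_CALLS["strong"],
        "policy": {u: password_allowed(p) for u, p in USERS.items()},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both schemes give up alice and bob, because no amount of hashing rescues a password that is on the attacker's wordlist; that is what the policy check is for. The difference is cost: the weak store falls to four fast digests covering every user, while the salted store needs a separate slow KDF run for every user and candidate, and the count grows with the size of the user base.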

Image by iPott

  1. ESTsoft – 2011

ESTsoft is a general-purpose software company based in South Korea. In 2011 it was the target of a devastating attack that touched most of South Korea's population. Attackers gained access to one of ESTsoft's update servers and planted malware that rode along with its ALZip compression application; the poisoned update infected 62 computers at SK Communications that ran the ESTsoft program. From those machines the attackers stole complete customer databases, including addresses, contact information, passwords, and gender, for roughly 35 million people in a nation of 49 million. ESTsoft apologized; NHN, operator of Korea's primary web portal, ordered its employees to delete ESTsoft programs; and lawsuits were filed. The company never disclosed the financial cost of the breach.

Image by Free Grunge Textures

  1. Epsilon – 2011

In one of the largest data breaches of its kind, Epsilon was hacked in March 2011. Epsilon handles over 40 billion emails a year and serves more than 2,200 clients around the world. The information stored was mainly names and email addresses, including those of customers who had opted out of marketing mailers, which exposed all of them to phishing attempts. For some customers, loyalty-program balances were also accessed, giving thieves an edge in crafting believable scam emails. Among the many companies that sent warnings to their customers were major retailers, financial companies, cellular phone carriers, and banks. Roughly 3% of Epsilon's clients were affected. The Secret Service investigated the breach, which was estimated to cost Epsilon up to $225 million in damages.

Photo by Aaron Anderer

  1. RSA Security – 2011

SecurID tokens, the hardware side of a two-factor authentication system meant to add a layer of security beyond the password, were compromised in March 2011 when RSA Security was hacked. Initially, RSA claimed the intrusion would not allow any "direct attack" on the tokens. A few months later, the defense contractor Lockheed Martin fended off an intrusion in which the tokens offered no protection at all. In June RSA released a statement acknowledging the failure. Its chairman, Art Coviello, said the reason it took three months to disclose the full scope of the breach was to protect other customers from attacks like the one on Lockheed Martin; Northrop Grumman and L-3 Communications were reported to have faced similar attacks. The delay led many to question the reliability of RSA's system and to worry that withholding the information had put customers at risk. Some chose to switch to a new token vendor, but most stayed with RSA because switching cost far more time and money than simply accepting the replacement tokens RSA provided. In a rather brazen gesture, RSA also encouraged its customers to add more layers of RSA products for redundancy. One product fails, so we'll swap it out and sell you two more.
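
Why did the tokens offer Lockheed Martin "no protection at all", and why were replacement tokens the only real remedy? The point is that a one-time-password token is only as secret as its seed: whoever holds the seed can compute every code the token will ever display. The following is an added illustration and not RSA's code or algorithm. SecurID uses a proprietary time-based scheme; as a stand-in this uses counter-based HOTP from RFC 4226, which has published test vectors, so the codes below can be checked. The server class, serial number and replacement seed are assumptions for the demo.

```python
import hashlib
import hmac
import struct
from typing import Dict


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced to the requested number of digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenServer:
    """The authentication server's side: one seed and one counter per token
    serial.  This seed store is exactly what is at stake when a vendor's seed
    database is stolen; an attacker holding it can run hotp() just like us."""

    def __init__(self, seeds: Dict[str, bytes], window: int = 5) -> None:
        self.seeds = dict(seeds)
        self.counters = {serial: 0 for serial in seeds}
        self.window = window

    def verify(self, serial: str, code: str) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        start = self.counters[serial]
        # The look-ahead window absorbs codes the user generated but never sent.
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(seed, c), code):
                self.counters[serial] = c + 1  # never accept a code twice
                return True
        return False

    def reseed(self, serial: str, new_seed: bytes) -> None:
        """The only remedy once a seed is known to an attacker: replace it.
        Adding more factors on top of a burned seed does not help."""
        self.seeds[serial] = new_seed
        self.counters[serial] = 0


# RFC 4226 Appendix D test seed, used here so the codes are checkable.
RFC_SEED = b"12345678901234567890"


if __name__ == "__main__":
    server = TokenServer({"SN-0001": RFC_SEED})
    print("user's code accepted:   ", server.verify("SN-0001", hotp(RFC_SEED, 0)))
    print("same code replayed:     ", server.verify("SN-0001", hotp(RFC_SEED, 0)))
    # The attacker never touched the token; they only have the stolen seed.
    print("attacker with seed:     ", server.verify("SN-0001", hotp(RFC_SEED, 1)))
    server.reseed("SN-0001", b"replacement-seed-0001")  # new token issued
    print("attacker after reseed:  ", server.verify("SN-0001", hotp(RFC_SEED, 2)))
```

The server cannot distinguish the legitimate token from an attacker holding its seed: both produce the same sequence. Replay protection and the look-ahead window defend against other things, not against seed theft. Once the seed is replaced, codes derived from the stolen one stop working, which is the actual fix RSA shipped as replacement tokens.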


Photo by purpleslog

  1. PlayStation Network – 2011

Some 77 million user accounts on Sony's PlayStation Network were compromised after a large-scale intrusion into Sony's database. It took the company seven days to tell customers that data had been stolen in the breach behind its massive shutdown. Names, email addresses, passwords, security questions, birth dates, and postal addresses were accessed, and Sony warned customers that credit and debit card information might also have been taken, though no cases of identity theft or fraud were reported as a result. The company was fined £250,000 (approximately $400,000 USD) by the Information Commissioner's Office, the UK's data protection regulator, which cited clear negligence on Sony's part as the reason for the fine.

Photo by cjschris

  1. Bitcoinica – 2012

Bitcoin offered the internet a new form of currency. Its nature makes it an irresistible target for hackers, because a key feature is that peer-to-peer transactions are permanent. That protects merchants from chargebacks, but it also means a successful theft cannot be reversed: once a hacker holds the private keys, whatever they move is theirs to keep. Bitcoin has seen a lot of growth in recent years, becoming a haven for criminal activity and a sort of virtual stock market at the same time. It has also seen a rash of attacks on trading platforms such as Bitcoinica, which lost $87,000 worth of currency in an attack on its production servers, and BitFloor, the largest Bitcoin exchange in the US, which lost $250,000 after an attacker reached an unencrypted backup of its wallet keys. Mt. Gox, Instawallet, and other Bitcoin businesses have also suffered successful thefts. These thefts considerably increased the risk of investing in Bitcoin, stalling what had been a dramatic rise in value during 2012.

Photo by zcopley

  1. Global Payments – 2012

With a price tag of $92.7 million in damages, investigation costs, lost business, and remediation expenses, the Global Payments data breach put more than 7 million card numbers at risk. The stolen data included full Track 1 and Track 2 data, which is all a thief needs to counterfeit new cards. Union Savings Bank was one of a number of financial institutions hit by exactly that tactic. In March 2012, thieves began buying small-denomination Safeway-branded prepaid debit cards, encoding stolen Union Savings Bank debit card accounts onto the magnetic stripes of those cards, using them to buy high-value prepaid cards, and then spending the money on big-ticket electronics and other goods at other retailers. USB alone suffered roughly $85,000 in expenses related to the theft. Some, like Fulton Bank of New Jersey, were hit harder, seeing roughly a thousand compromised accounts every week. Visa and MasterCard promptly revoked Global Payments' certification. Javelin estimated that $707 million in fraudulent charges would be run on the 1.5 million cards known to be compromised, with an end cost to consumers of roughly $152 million.
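
To see why full Track 1 and Track 2 data is enough to clone a card, it helps to parse it. The following is an added example, not Global Payments' code: a parser for the two magnetic-stripe track layouts (ISO/IEC 7813), the Luhn check that any PAN must pass, and the retention step PCI DSS requires of a merchant after authorization. The sample tracks use the well-known Visa test number 4111 1111 1111 1111 and a made-up cardholder; the field names and helper functions are this example's own.

```python
from typing import Dict

# Constructed sample stripes (test PAN, fictional cardholder, expiry 12/25,
# service code 101, arbitrary discretionary data).
TRACK1 = "%B4111111111111111^DOE/JOHN^25121011234567890?"
TRACK2 = ";4111111111111111=25121011234567890?"


def luhn_ok(pan: str) -> bool:
    """Luhn check: from the right, double every second digit, subtract 9 from
    any result over 9, and the total must be a multiple of ten."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _split_expiry_block(rest: str) -> Dict[str, str]:
    # YYMM (4) + service code (3) + issuer discretionary data.
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry or service code missing")
    return {"expiry": rest[:4], "service_code": rest[4:7], "discretionary": rest[7:]}


def parse_track2(raw: str) -> Dict[str, str]:
    """Track 2: ';' PAN '=' YYMM service-code discretionary '?'"""
    if not (raw.startswith(";") and raw.endswith("?")):
        raise ValueError("missing Track 2 sentinels")
    pan, sep, rest = raw[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed PAN field")
    return {"pan": pan, **_split_expiry_block(rest)}


def parse_track1(raw: str) -> Dict[str, str]:
    """Track 1: '%' format-code PAN '^' name '^' YYMM service-code discretionary '?'"""
    if not (raw.startswith("%") and raw.endswith("?")):
        raise ValueError("missing Track 1 sentinels")
    body = raw[1:-1]
    fmt, fields = body[0], body[1:].split("^")
    if fmt != "B" or len(fields) != 3:
        raise ValueError("unsupported Track 1 layout")
    pan, name, rest = fields
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed PAN field")
    return {"format": fmt, "pan": pan, "name": name, **_split_expiry_block(rest)}


def expiry_valid(yymm: str, year: int, month: int) -> bool:
    """True if the YYMM expiry is on or after the given year and month."""
    yy, mm = int(yymm[:2]), int(yymm[2:])
    return 1 <= mm <= 12 and (2000 + yy, mm) >= (year, month)


def counterfeit_ready(track: Dict[str, str], year: int, month: int) -> bool:
    """Everything a stripe clone needs is present and usable: a Luhn-valid
    PAN, an unexpired date, and a service code.  If this is True for stolen
    track data, a thief can encode it onto any blank card, which is exactly
    what happened with the Safeway prepaid cards."""
    return (luhn_ok(track["pan"])
            and expiry_valid(track["expiry"], year, month)
            and len(track["service_code"]) == 3)


def retain_after_auth(track: Dict[str, str]) -> Dict[str, str]:
    """PCI DSS forbids storing full track data after authorization.  Keep
    only a masked PAN (first six, last four) and the expiry for reconciliation."""
    pan = track["pan"]
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return {"pan_masked": masked, "expiry": track["expiry"]}


if __name__ == "__main__":
    t2 = parse_track2(TRACK2)
    print("Track 2:", t2)
    print("Track 1:", parse_track1(TRACK1))
    print("clone-ready in 2024-06:", counterfeit_ready(t2, 2024, 6))
    print("what may be stored:", retain_after_auth(t2))
```

Nothing in Track 2 is secret once the stripe has been read: PAN, expiry and service code are all there in the clear, so a processor that lets full track data leave its systems has handed out finished cards. The masked record at the end is the only form of that data a merchant should still hold after the authorization response.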