NEW YORK (MainStreet) – The past year has seen some of the world’s largest companies fall victim to data thieves, with firms from Sony to Zappos to Valve sheepishly informing their tens of millions of customers that their personal data may have been compromised due to data breaches. Still, it was a bit jarring to see a similar announcement last week from Symantec, one of the world’s largest computer security firms.
The source code of Symantec’s flagship security products – including Norton Antivirus and pcAnywhere software – was stolen back in 2006. In a release Tuesday, Symantec confirmed that users of pcAnywhere should disable the software until the company has a chance to release an update. The other security products involved in the theft are updated more frequently than pcAnywhere, and Symantec has not advised against using updated versions of those products.
“With this incident pcAnywhere customers have increased risk,” reads the announcement. “Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits.”
The ones protecting you from being hacked are getting hacked themselves, an unsettling idea that underlines an even more significant point: If even a company dedicated to computer security can have its own security compromised, then virtually every business, large or small, is vulnerable to an attack. While companies can implement sophisticated systems and strong data security practices, a determined hacker can still gain entrance by seeking out a weak link – and often that means tricking the all-too-human employees into giving them access.
“Any security system is based on people, and people are getting hacked,” says Claus Villumsen, chief technology officer for Bullguard, which makes security software. “If you’re conning people into giving you an access code, no security system can prevent that.”
With people at the root of new online security problems, it’s nearly inevitable that a company with which you do business is capable of being hacked. And as we’ve seen in the Sony, Zappos and Symantec breaches, that means that your own personal data could be compromised as a result.
“Many of the cyber security experts agree that the bad guys do have a lot of data,” says Mustaque Ahamad, director of the Georgia Institute of Technology’s Information Security Center. “But for them to actually profit from that is a little harder than stealing it.”
In other words, while there’s a decent chance that some of your personal data is already in the hands of some unsavory character – perhaps your email and home address were stolen during the Zappos breach, or maybe you had some information leak during the attack on Sony’s PlayStation Network – that information is insufficient on its own to do you any real financial damage. And it’s up to you to keep it that way.
Obviously, if you’ve been informed of a specific leak you may need to take immediate action. When email addresses and passwords were stolen from Zappos earlier this month, the company advised customers to change the password on any site where they used the same email and password combination.
But even if you haven’t been alerted about a specific incident that may affect you, you should still operate under the assumption that someone has at least some of your personal data, and there are certain best practices you should follow to make sure that hackers can’t build on that info to make the jump from data theft to financial and identity theft.
Be vigilant with email. A hacker with your email address can always try what’s known as phishing: Sending you an email in the hopes of deceiving you into downloading malware, giving up valuable personal information or visiting a malicious site. Usually these emails are easy to spot.
But a hacker who has your email address, name, mailing address and other personally identifying information can craft a much more convincing scam, a practice known as spear-phishing. That’s been the concern in the various data breaches we’ve seen during the past year, some of which even involved the leak of the last four digits of customers’ credit cards. While those numbers are useless on their own, sending someone an email containing that sort of intimate information lends the scammer an air of credibility and greatly increases his or her chances of success.
Stu Sjouwerman of network security firm KnowBe4 specializes in this kind of email attack, and he says it’s good to get in the habit of classifying emails by level of risk. The lowest level of risk is emails from people close to you, such as your friends and family. The second tier is acquaintances and companies with whom you do business; these should be treated with a bit more scrutiny, as a phishing email can be made to appear as if it’s coming from a company (which is why many companies will specifically tell their customers that they’ll never ask for account passwords).
“You can craft scarily real spear-phishing attacks that seem to come from a known vendor,” Sjouwerman explains. “You could spoof the CEO of Zappos.”
The third tier is emails from people and organizations you don’t know, sending emails you never asked for. These should make “all the red flags go up,” says Sjouwerman, who notes that you shouldn’t click on, reply to or follow any links from such emails.
Be smart about passwords and security software. We’ve previously explored a number of programs that allow you to manage your passwords so you don’t have to remember login information for dozens of accounts. Using such a program removes the temptation to repeat passwords, which can backfire if a password from one account is stolen. And just as importantly, they’re usually capable of automatically generating tough-to-crack passwords for your accounts, which can thwart someone determined to get into an account of value. Such complex alphanumeric passwords are particularly important for financial accounts and merchant accounts with saved credit card information.
Purchasing security software and making sure you have firewalls in place are likewise important. Experts recommend enabling the firewall on your computer and using a wireless router, which should have an extra layer of firewall that keeps out intruders.
So which security software should you choose? The Symantec brief is a good reminder that it may actually be better to choose software from a smaller company, which won’t be as much of a target for hackers.
“The risk of using a large, well-known company’s antivirus is that they’re an obvious target, so hackers go after them first,” says Sjouwerman, whose company doesn’t produce consumer security products. “Use a smaller one that is just as good, you run a lesser risk of being breached.”
Don’t forget your phone. People use their smartphones to send emails, conduct online banking and make purchases. So why does no one bother with smartphone security?
While iPhone users generally don’t have to worry about malware, there is an increasing amount of malware targeting Android phones, in large part because the people writing the malware tend to live in countries where Android has a large market share, like Russia and China. And even iPhone users aren’t completely immune from security concerns: Aside from the obvious potential that your phone will be stolen, there are also security risks associated with jailbreaking your phone or neglecting to download important security updates.
“We’ve been preaching and shouting about security, and people are catching on, but nobody has migrated the mindset from PC to mobile,” says Villumsen. “People are so very on-the-go and want to go fast, and they don’t want to read about security measures. I kind of have the feeling that we’re going in the wrong direction.”
If you use your smartphone for any sensitive business or financial transactions, you owe it to yourself to get security software and take steps to protect against theft of your phone.
Don’t get complacent. Every time a high-profile company like Sony or Symantec gets hacked, it raises awareness of the precarious state of data security. But as such breaches become more commonplace, there’s a concern that consumers will simply start to tune out the news.
“About 32,000 people die in traffic accidents in the U.S. every year, and it’s no longer something that people read about in the paper every day – you get accident fatigue,” says Sjouwerman. “If you allow yourself to get into a ‘hacker fatigue’ mindset, you open yourself up even more to your personal info being misused. The sane and rational reaction to all these stories is ‘Well, I need to get more secure and protect my data better.’”
The safe assumption is that your personal data has already been leaked, and possibly traded on the black market to spammers or worse. The proper response to this knowledge is not to throw up your hands in resignation, but rather to do everything you can to make sure their attempts to exploit this information are in vain.
Matt Brownell is a staff reporter for MainStreet. You can reach him by email at firstname.lastname@example.org, or follow him on Twitter @Brownellorama.