Wednesday, 7 May 2014

Privacy Awareness Week Day 3: What you can do to protect your privacy when using mobile phones

We have to remember that mobiles aren't just phones anymore! They store a significant amount of personal data to make life easier for us, but we must make sure they don't become an easy target for thieves or hackers.
So…what can we do to protect our personal information on our ‘smart’ phones?

1 - Familiarise yourself with the settings of your phone, understand the key features and enable the security features, including setting a password or PIN and, where the phone offers it, device encryption and remote wipe, so that no one else can access your information if your phone is lost or stolen.

2 - Turn off the Bluetooth function when not in use so that your device is only discoverable when you specifically need other people or devices to see it.  This makes it much harder for an attacker nearby to find and connect to your phone, since they would need to already know its Bluetooth address.

3 - When connecting to the internet, try to use an encrypted network that requires a password (WPA2 rather than the broken WEP standard or an open hotspot).  On a public hotspot, assume anyone nearby can see unencrypted traffic.

4 - Check for updates regularly and install them as soon as they become available, as they often contain important security fixes for both the operating system and your apps.

5 – Keep your phone safe and on your person at all times.

6 – Back up your data regularly.

According to the OAIC 62% of Australians have chosen to not use a mobile app due to privacy concerns.

What can we do to ensure we are kept safe when downloading and using apps?

1 – Download apps only from the official app store for your phone or from reputable developers, not from links in emails or unknown websites.
2 – Follow the set-up properly and consider whether an app really needs access to your contacts list, location or messages.  If in doubt, don’t use it!


Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Act
Privacy Awareness Week Day 2: Protect your privacy online

Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com

Tuesday, 6 May 2014

Privacy Awareness Week Day 2: Protect your privacy online


According to the OAIC 74% of Australians are more concerned about their online privacy than they were five years ago. So what can you do about it?

How often do you check your privacy settings?
Social media sites frequently update their settings, and this may happen without your knowledge.  These changes may include changes to the look and feel of the website, how it interacts with you, or how it manages your privacy and security settings, sometimes resetting choices you made earlier.  So it is important to periodically check your own settings and ensure that only those you wish to see your information can.

Do you have to provide everything to everyone online?
For example, consider whether you are happy for personal information such as your birth date to be made publicly available.  When signing up for websites or newsletters, do they really need your real birth date, or can you give a different one? Remember who you are protecting.

Releasing your personal information is your choice!

8 simple steps for staying safe online
  1. When asked for personal information, ask what it will be used for.
  2. You don’t need to share everything about yourself on Social Media.
  3. Think about the information you want to share.
  4. Before you hand over your email address, read the website’s privacy policy and find out how the address you provide will be used.
  5. Check for encryption and use secure payment methods when shopping online. Look for https: connections (and the padlock in the browser) when transferring confidential information; banks use these, for example, when you log in.  This shows that your connection to the website is encrypted so others on the network cannot read it, but it does not by itself prove that the website is trustworthy, so still check that the address is the one you expect.
  6. Tick the ‘opt out’ box on forms if you don’t want to receive marketing communications.
  7. Set strong passwords, especially for important online accounts such as banking, and never reuse the same password across accounts: if one site is breached, every account sharing that password is exposed.
  8. Know your privacy rights: visit www.oaic.gov.au

You can find more information on your privacy rights and Privacy Awareness Week from the OAIC website
Or for more hints and tips go to www.staysmartonline.gov.au

Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Act

Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com

Monday, 5 May 2014

Privacy Awareness Week, Day 1: What is privacy and changes to the Act


This week (5th - 10th May) is Privacy Awareness Week (PAW), and CQR has partnered with the Office of the Australian Information Commissioner (OAIC) to help promote privacy awareness amongst the community.

So what is Privacy?
Privacy is about the protection of an individual’s personal information.  We are all responsible for protecting our own identity and that of others.  Think about it: we expose our own personal information on a daily basis.  When we use social media, contact our utility companies and shop online, we hand over a large amount of our own personal data.  You may assume that the person or website you are sharing your information with will take care of it, keep it secure and not share it with anyone else.
This is true to a degree, and most companies will have a privacy policy in place to demonstrate a level of commitment to protecting your personal information, but a policy is not a foolproof solution.

The person who is actually responsible for your personal data at the end of the day is you!  What is the best way to safeguard yourself and look after your own identity?  Have you ever taken the time to think about it?

To help you understand, Australia has an independent Government agency responsible for the privacy functions conferred by the Privacy Act 1988 (Privacy Act), called the Office of the Australian Information Commissioner (OAIC).  The OAIC provides advice and guidance to the public, businesses and Government agencies on how they are to handle personal information. 

The changes to the Privacy Act that commenced on 12 March 2014 brought a heightened awareness of the message that we should be protecting our own privacy, and together with PAW, CQR has put together a program of blogs covering:
-          How you can protect your privacy online;
-          What you can do to protect your privacy when using mobile apps;
-          Business obligations to privacy; and
-          How to manage breaches to personal information.

We hope that you will keep a keen eye out for the blogs, get engaged in the conversation and, most importantly, retweet the messages to colleagues, family and friends to share the importance of privacy.


You can find more information on your privacy rights and Privacy Awareness Week from the OAIC website

Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com

Thursday, 17 April 2014

CQR is now an approved member of CREST Australia

Within the information security world the word Risk is key. Understanding and managing risk can make the greatest of difference to an organisation.

CQR is proud of the fact that it practises what it preaches: its own risks are checked, managed and improved at every opportunity. To reinforce the work it does and the value and expertise it offers, CQR has now officially become a member of CREST Australia.

CREST is the Council of Registered Ethical Security Testers. To become one of its CREST Approved companies, each applicant is subjected to an audit; CQR is happy to have passed this process and is now on the list of CREST Approved companies.

To complete the process, three of CQR’s best security specialists have passed CREST’s demanding CRT (CREST Registered Tester) examination and have become certified information security testers. The CRT exam is based on the applicant’s practical skills and experience, so there is no way to prepare for it except to rely on your own knowledge. One of CQR’s specialists achieved the highest score that has ever been seen in the exam, and CQR is very proud of all of its specialists who took part and passed.

All those who pass the examination must be employed by a CREST approved company to be part of CREST Australia.

Achieving approval from CREST shows that CQR and its security specialists work to the highest of standards and are dedicated to providing the very best service to their clients.

Sarah Taylor
www.cqr.com

Monday, 14 April 2014

The Heartbleed Bug, gone in a heartbeat.

There is a hole in the heart of Internet security which has the potential to expose countless encrypted transactions.  It’s been named the Heartbleed Bug (CVE-2014-0160).  The bug was accidentally introduced into OpenSSL in late 2011 and shipped in the OpenSSL 1.0.1 release in March 2012.  OpenSSL is an open source library that many software developers use to implement SSL/TLS encryption to provide security and privacy for communications over the Internet.

So how does it work?
When you connect to a secure Internet site to access your email, social media account, or Internet banking, your computer and the server can exchange small ‘heartbeat’ messages.  A heartbeat is a keep-alive: one side sends a small payload together with a number saying how long that payload is, and the other side echoes the payload straight back to show the connection is still alive.  It has nothing to do with whether you are logged in to an account; it is part of the TLS protocol itself (the Heartbeat Extension, RFC 6520), and it keeps idle connections open without having to renegotiate encryption.

The heartbeat is a very small message, but a vulnerable OpenSSL server trusts the length stated in the request instead of the length of the data it actually received.  An attacker can send a one-byte payload while claiming it is up to 64 KB long, and the server will copy that many bytes out of its own memory into the reply.  Whatever happens to sit next to the request in the server’s memory comes back with it, and this may include usernames and passwords, session cookies or keys, or even the web server’s private key.
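The over-read described above, shown as an added example that is not code from the original post or from OpenSSL: a simplified heartbeat handler in C that trusts the claimed payload length the way OpenSSL 1.0.1 through 1.0.1f did, beside a handler that carries the bounds check the fix introduced. The ‘process memory’, the two-byte payload, the 40-byte claimed length and the mock session cookie sitting next to the request are all constructed for the demonstration; the real bug read from the heap and the claimed length could be up to 64 KB, but the shape of the mistake and of the check is the same.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS Heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define MEM_SIZE       128

typedef size_t (*hb_handler_t)(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap);

/* Constructed "process memory" (not a real capture): a heartbeat request whose
 * header claims a 40-byte payload but which actually carries 2 bytes, followed
 * by a mock session cookie placed where an adjacent allocation would sit.
 * Everything stays inside one array, so the over-read is observable without
 * undefined behaviour. Returns the number of bytes the peer really sent. */
static size_t build_memory(unsigned char *mem)
{
    static const char mock_secret[] = "SESSION=deadbeefcafe; user=alice";
    const unsigned char payload[] = { 'h', 'i' };
    const unsigned int claimed = 40;                         /* the lie */
    size_t rec_len = HB_HEADER_LEN + sizeof payload + HB_MIN_PADDING;

    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed >> 8);
    mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(mem + HB_HEADER_LEN, payload, sizeof payload);    /* padding stays zero */
    memcpy(mem + rec_len, mock_secret, sizeof mock_secret);  /* "adjacent" secret */
    return rec_len;
}

/* Vulnerable handler: the trusted length comes from the attacker-controlled
 * header, and rec_len (what actually arrived) is never consulted. */
static size_t hb_process_vulnerable(const unsigned char *rec, size_t rec_len,
                                    unsigned char *out, size_t out_cap)
{
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    (void)rec_len;                                  /* BUG: actual size ignored */
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);  /* over-read */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Patched handler: the claimed length must fit inside the bytes actually
 * received, otherwise the request is silently discarded (as the fix does). */
static size_t hb_process_fixed(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap)
{
    unsigned int payload;
    size_t resp_len;
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                                   /* too short to be valid */
    payload = ((unsigned int)rec[1] << 8) | rec[2];
    resp_len = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    if (resp_len > rec_len || resp_len > out_cap)
        return 0;                                   /* claimed length does not fit */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Feed the dishonest request to a handler: 1 if the reply contains the
 * adjacent cookie, 0 if it does not (or the request was dropped). */
static int leaks_secret(hb_handler_t handler)
{
    unsigned char mem[MEM_SIZE], resp[MEM_SIZE];
    const char *needle = "SESSION=";
    size_t nl = strlen(needle), n, i;
    size_t rec_len = build_memory(mem);

    n = handler(mem, rec_len, resp, sizeof resp);
    for (i = 0; n >= nl && i + nl <= n; i++)
        if (memcmp(resp + i, needle, nl) == 0)
            return 1;
    return 0;
}

/* Sanity check: an honest 2-byte heartbeat must still be answered by both
 * handlers. Returns the reply length (3 + 2 + 16 = 21 bytes). */
static size_t honest_response_len(hb_handler_t handler)
{
    unsigned char rec[HB_HEADER_LEN + 2 + HB_MIN_PADDING] = { HB_REQUEST, 0, 2, 'h', 'i' };
    unsigned char resp[MEM_SIZE];
    return handler(rec, sizeof rec, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaks adjacent secret: %s\n",
           leaks_secret(hb_process_vulnerable) ? "yes" : "no");
    printf("patched handler leaks adjacent secret:    %s\n",
           leaks_secret(hb_process_fixed) ? "yes" : "no");
    printf("honest heartbeat reply length (patched):  %lu\n",
           (unsigned long)honest_response_len(hb_process_fixed));
    return 0;
}
```

Compile with `cc -std=c99 heartbeat_demo.c` (the filename is an assumption) and run it: the vulnerable handler answers the dishonest request with the neighbouring cookie in its reply, while the patched handler drops the request, and both still answer an honest heartbeat. The point to take away is the shape of the check: a length supplied by the peer has to be validated against the number of bytes that actually arrived before it is used for a copy.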

So am I affected and what should I do?
This is a hard question to answer.  Only OpenSSL 1.0.1 through 1.0.1f contain the bug; sites running an older branch such as 0.9.8 or 1.0.0, or a different TLS library entirely, are not affected.  Even where a site was vulnerable, an attacker would generally have needed to be using the bug while your credentials or session were sitting in the server’s memory to grab them, although a stolen server private key can also expose traffic recorded at other times where the site does not use forward-secret cipher suites.  The best we can say is that it is possible that you have been directly or indirectly affected.  Unfortunately exploitation leaves no trace in normal server logs, so neither you nor the site can easily tell whether it has been used.

The best thing for us all to do is change our passwords once our provider tells us the site has been fixed (changing them while the site is still vulnerable just hands the attacker the new password as well).  It might even be a good idea to change all those old passwords that you’ve been using for years, just in case.  Here are some tips for creating a secure password:
- Be a minimum of 8 characters long; longer is better
- Use upper and lower case letters
- Substitute numbers or symbols for letters
- Do not use simple personal information (e.g. birthdays, kids’ names, pet names)
- If you keep a written copy of your passwords, store it in an encrypted password manager, not on a note in your wallet
- An easy thing to remember is a phrase: try abbreviating the phrase and using the first letter of each word as your password. Adding numbers can make this harder to guess

The OpenSSL team have released a fix (OpenSSL 1.0.1g) and it is being rolled out across the Internet to correct the bug.  Patching alone is not enough for an affected site: because the private key may already have been read, the site also needs to generate new keys, reissue its certificate and revoke the old one, and expire existing sessions before asking users to change passwords.

How can I find out if a website is affected?
A useful tool to check a website’s TLS configuration, including whether it is still vulnerable to Heartbleed, is https://www.ssllabs.com/ssltest/

I would like more information on Heartbleed and its effects.
Here are some places to look for more information.

Providing detailed information on Heartbleed and a detailed Q&A
The Heartbleed Hit List: The Passwords You Need to Change Right Now
How Heartbleed Works: The Code Behind the Internet's Security Nightmare

Sarah Taylor
www.cqr.com

Friday, 4 April 2014

The XPocalypse is nigh!

Next week, on 8-Apr-2014, the mainline support for Windows XP ends.  If you believe the media, the Internet is headed for a disaster of biblical proportions.  Real wrath-of-God-type stuff.  Fire and brimstone coming from the sky!  Rivers and seas boiling!  Forty years of darkness!  Earthquakes!  Volcanoes!  Human sacrifice, dogs and cats living together, mass hysteria!

Perhaps the late great Harold Ramis had it right in Ghostbusters, but I think that XP will go into the night, not with a bang but with a whimper.

Let's fire our proton pack at each of the arguments, and see what ends up in the trap.

1.  XP will be vulnerable forever.
Absolutely true.  There will be no more security patches ever.  But most businesses that have managed the transition to Windows 7 still don't patch effectively, which means that most of those installations are vulnerable right now.  If you upgrade but don't keep up with patches, you might as well not bother.

2.  XP is everywhere.
No, it really isn't.  The current market share of XP is just under 30%.  While this is still much higher than we would like a week away from the end of support, it is low enough that herd immunity will probably protect the laggards for some time.

3.  Alright then, XP is everywhere in critical systems.
Yes and no.  It is true that most of the ATMs on the planet run XP, but the vast majority don't run the same XP Professional image that you might have once had on your desktop.  What they run is either Windows XP Embedded Service Pack 3, which is supported until 12-Jan-2016, or Windows Embedded Standard 2009, which is supported until 9-Apr-2019.  So the banks have plenty of time to address the issue.

4.  Ok then, XP is in medical systems, if they don't upgrade people will die.
In some of them it definitely is, and it's the desktop version.  You can probably even find Windows 98 running some systems in hospitals.  However, almost all of these systems are not networked, so the attack surface is very small.  They also tend to be locked inside the machine, so accidental access is unlikely.

5.  But my Mum has XP!
And finally we get to the crux of the problem.  There really is a lot of legacy XP out there in systems that we've given to our families.  Nothing says "I love you" like buying them a new tablet and sending the old XP machine to recycling.

I really don't think there is any need to cross the streams right now, but it still might be a good idea to keep an eye out for the Stay-Puft Marshmallow Man.  After all, we get to choose the form of the Destructor!
 
Phil Kernick
@philkernick

Tuesday, 1 April 2014

3 new certified QSAs reporting for duty.

In March, three of our Australia-based employees became certified as Qualified Security Assessors (QSAs), which doubles the number of QSAs working for CQR across Australia and New Zealand.

CQR has been a QSA company for a number of years and prides itself on having QSA resources available in each of its Australian offices.

Being certified as a QSA means that the PCI Security Standards Council has assessed each candidate as meeting the requirements to perform a PCI data security assessment and to validate a client’s adherence to the PCI DSS.

Why comply to PCI DSS?

For merchants and service providers responsible for the safe handling of cardholder information, the PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.

Undertaking PCI DSS compliance can seem like a lot of effort, especially for smaller organisations, but the benefits outweigh those doubts. In an environment where data is valuable, showing compliance with PCI DSS lets customers know that you have met a recognised baseline for protecting their payment card information and that they can trust you with it. That trust allows your customers to be comfortable doing business with you, and confident customers are more likely to become repeat customers or recommend you to others.

For other organisations doing business with you, it shows that you are conscious of security and active in looking after your data and that of others. Compliance is an everyday process, and ensuring that you stay up to date and keep meeting the standard’s requirements between assessments is just as important as the assessment itself. Being compliant can also help with other regulations that apply to you.

Being compliant not only gives your customers and business partners confidence and peace of mind, but it also helps your company to avoid the negative effects of compromised data, including loss of sales and relationships, insurance claims, cancelled accounts, and payment card brand and government fines. None of these is something any organisation wishes to encounter, which shows that a robust PCI DSS programme can benefit every organisation that deals with cardholder information.

CQR has proven success in supporting businesses through the stages of their PCI journey, and having additional PCI QSAs ensures that the extra skills are available to achieve this.

Contact CQR today to see how we can help you achieve compliance.

Sarah Taylor
www.cqr.com