Cybersecurity News

Hackers and identity thieves are increasingly focused on mobile computing. With so many smartphones and tablets now in use, mobile is increasingly becoming how consumers use the web.

Criminals also like the fact that many mobile devices have little or no security protection – not on the device itself and not on the data that is stored in the cloud.

Mobile data can be stored both places and security experts say both need strong protection. Chris Rancourt, an editor at NextAdvisor.com, says consumers who use an online backup service to store and share their data in the cloud need to be especially careful.

“When you put your information on the cloud, you get this extra level of security with their encryption,” Rancourt said. “Most services now use encryption but some are stronger than others.”

Increasingly popular

Cloud storage and backup services have become increasingly popular. They store data off-site, protecting it from a catastrophic computer crash or other physical damage. They also make it accessible from other computers in other locations.

“Pretty much any information you can upload to the cloud – pictures, documents, videos. And all that information can be encrypted and stored safely inside your cloud or online back-up service,” Rancourt said. “The backup services that we use provide coverage for Apple, Android – pretty much the whole spectrum.”

Rancourt suggests picking a backup service with very robust encryption. One service that falls into that category, he says, is SpiderOak. There is one security feature, in particular, that he likes.

'Zero-knowledge' security

“They have this policy where no one in their company will know your password,” he said. “If you lose your password they can't go in and retrieve it for you. It's really up to you, which makes the security a lot stronger, but at the same time you have to be responsible for your own stuff.”

Absent-minded consumers can run the risk of losing everything if they forget or lose their password. Writing it down in several secure places, however, might be all the insurance policy you need.

Sugarsync is another secure backup service. With Sugarsync, you can safely store important files and then sync them across an unlimited number of computers. If the data is updated on one computer, it's also updated on the rest.

Mozy is a low-cost cloud storage service. The company's backup plans start with one computer per subscription, but it can sync up with other computers that aren't part of the plan.

First line of defense

The best feature of these companies' backup services may be the sophisticated encryption. Rancourt says it provides a great first line of defense.

“For companies like SpyderOak you actually have to have an encryption key in order to decode the information and read it as something legible,” he said. “Most services have something like that as well.”

But hackers are resourceful individuals. Suppose they get access to your cloud and your encrypted information by stealing or finding your lost device. It might look like gibberish at first, but given a few hours, it's just possible some hackers might be able to crack the encryption. That's why you need a second level of defense – remote wipe.

If your device is lost or stolen, remote wipe will still give you access to all your files and documents from another computer but allow you to block access on the missing device. You can even delete files.

“Let's say you keep all your bank information on your cloud,” Rancourt said. “Someone can actually hack in there and steal your identity.”

It should go without saying that you should have robust security features on your hardware as well. Getting a strong mobile security package for your smartphone or tablet will reduce the risks from lost or stolen devices.  

News that over 1,000 accounts at online ticket-seller StubHub have been hacked should serve to remind you of this important online safety rule: don't use the same password across multiple accounts.

The Associated Press first reported on Tuesday that “cyber thieves” managed to fraudulently access more than 1,000 StubHub accounts, and buy themselves tickets in the legitimate accountholders' names.

As hacks go, a mere thousand compromised accounts in a company as large as StubHub sounds like pretty small potatoes. Why was the damage so limited?

According to StubHub spokesman Glenn Lehrman, the thieves never broke into the StubHub customer database. Instead, they got customers' login and password information from other sources, either hacking into different retail databases or even putting keylogging software or other forms of malware on user's computer.

The thieves presumably know how commonplace is it for people to use the same passwords (and sometimes even login names) across multiple accounts, so if thieves have, for example, the password you use for your email, bank account, favorite web-discussion forum or any other password-protected thing you do, they'll also try plugging that password into your other accounts on the off-chance it will work. Where over 1,000 StubHub customers are concerned, it did.

If you get an email from LinkedIn saying you need to reset your password, it's real. The social networking site has reported a data breach in which an undisclosed number of passwords were compromised.

"Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," Vincente Silveira, a LinkedIn director, wrote on the company's blog. "These members will also receive an email from LinkedIn with instructions on how to reset their passwords."

Silveira stresses there will not be any links contained in the email that informs you that you must reset your password. However, once you follow the initial step request password assistance, then you will receive an email from LinkedIn with a password reset link.

Regardless of whether you receive an email, it would be prudent to immediately change the password on your LinkedIn account.

"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," Silveira wrote.

A ConsumerAffairs sentiment analysis of about 2.5 million comments posted to social media finds that the news knocking LinkedIn from an overall approval rating of close to 80% to a 24% negative rating.

 While the hack attack wasn't the only negative to emerge in the analysis, it was by far the largest, as shown in this chart:

How it happened

Silveira did not say how the data breach occurred, only that an investigation was underway. Chester Wisniewski, Senior Security Advisor at Sophos Canada, wrote in his blog that it is imperative that LinkedIn also determine whether email addresses, often a user name, were also compromised. LinkedIn has more than 161 million members who use the site to expand their business and professional contacts.

About 6.5 million passwords have been posted online and the company says some of them do appear to be LinkedIn passwords.  Others appear to be passwords for eHarmoney accounts, security experts say. 

EHarmoney said a "small fraction" of its member passwords had been compromised and that it is investigating. Meanwhile, it said affected passwords have been reset.