Deidre Frith

Want to remove yourself from Google Results? Here's How...

In 2022, Google expanded the ways you can submit removal requests for search results containing personal info. Prior to this change, you had to meet a very high bar to get results with sensitive data wiped. Finding personal details in a Google search, like a home address or phone number, can be scary, but you can take action to protect your privacy.

You can soon set up alerts for whenever your home address, phone number, or email address appears in Search.

There’s no guarantee that unwanted search results will disappear completely, but as a result of your request, the web page could be removed from searches on Google.

There are services, like DeleteMe, that can help you make yourself disappear digitally. More information on using DeleteMe can be found here.

Under the new Google policy expansion, you can now request removal of other types of information like phone number, email address, or physical address. It also allows for the removal of additional information that may pose a risk for identity theft. Think confidential log-in credentials that may appear in search results.

REQUEST REMOVAL FROM GOOGLE HERE

Google requests your full name, country of residence, and email. You are only permitted to submit takedown requests for results pertaining to yourself or someone you officially represent. You can submit up to 1,000 links at once. Google asks for the URL of the offending content or image, and the company wants you to share the search results where it shows up. It’s not clear how long it will take to review your case, but Google will let you know when it has decided to take action—or do nothing at all. The company promises to include brief explanations with any rejections and allows repeat submissions.

Reference: Rogers, Reece. “How to Remove Your Personal Info from Google’s Search Results.” Wired.com, APR 29, 2023, https://www.wired.com/story/remove-personal-info-from-google-search-results/

Todd Swartzman

BARRACUDA SECURITY GATEWAY ALERT

Do you have Barracuda Email Security Gateway Devices in use to filter your inbound emails for spam, phishing, and malware? Continue reading for an urgent security notice.

Urgent Information for Barracuda Email Security Gateway Users

Barracuda is urging replacement of these devices as their recently discovered vulnerabilities cannot be fixed with patches or upgrades. Contact Barracuda support or whoever manages your Barracuda Email Security Gateway to correct this very serious vulnerability.

As always, keeping things up to date and properly configured continues to be good advice, but in this particular case, that isn’t going to be enough.

(A Barracuda Email Security Gateway is a physical device that sits on your network in front of your email system.)

MORE DETAILED INFORMATION IS PROVIDED BY KREBS ON SECURITY IN THIS ARTICLE.

I.T., Blog Todd Swartzman

AI & ChatGPT Threats and the arrival of Fleeceware

Scammers are in rare form these days, especially with the arrival of mass news coverage of AI and ChatGPT. In today's blog, Todd answers questions about new scams and the biggest threats with AI and ChatGPT. Todd also addresses the question of using AI or ChatGPT for business purposes.

What are the biggest threats to each of us right now?

Scammers are using AI and ChatGPT as a tool to create even cheekier scams than normal!

THE ARRIVAL OF FLEECEWARE

One of the more irreverent scams is called Fleeceware, a type of mobile application (or website) that comes with excessive subscription fees you may quickly forget you’re paying. The ones oriented around these AI apps have catchy names like Genie – AI Chatbot. It can also be a website that looks like a legitimate site or uses a similar name to a trusted site to give a false sense of legitimacy.

The goal of these apps or websites is to get you to sign up for a weekly or monthly subscription for something you’ll quickly find out is pretty useless.

HOW WELL DOES THE SCAM WORK?

Sophos reports that the people who publish the Genie AI Chatbot app (still available in the Apple App Store, by the way) are raking in $1 million a month in subscription fees for something that is better, and free, if you go to the source: https://openai.com/blog/chatgpt

IS THERE AN OFFICIAL OPEN AI IPHONE OR ANDROID APP FOR CHATGPT?

There is only one official app released as an iPhone app for ChatGPT and there is not one for Android, yet.

If you search the app store for ChatGPT, you’ll see dozens (maybe hundreds) of apps, but only one is the official OpenAI ChatGPT app. There isn’t an official app for Android yet, but there are more than a few pretenders available.

Download the only official app OpenAI has published, for the iPhone, here: https://apps.apple.com/us/app/openai-chatgpt/id6448311069

SHOULD I BE SUSPICIOUS OF EMAILS RELATED TO CHATGPT?

The scams wouldn’t be complete without using the headlines to send phishing emails. The current hearings in Congress are news, and news means new subject lines for phishing emails.

There are new domain names popping up related to ChatGPT, many of which are common misspellings of legitimate domain names. BE EXTRA SUSPICIOUS of any email or text messages you receive with subjects or links related to ChatGPT. If you intend to use ChatGPT, be sure to access the service through the official OpenAI site, https://openai.com/blog/chatgpt

SHOULD I USE CHATGPT FOR BUSINESS?

For businesses, these tools bring the added risk of your employees inputting sensitive information into them. Your best protection is to have a policy around the use of these AI tools, similar to what you probably already have for social media usage.

If you have a legitimate business use for these AI tools, great – review their privacy policies and terms of use. You’ll have better privacy and control over your data usage if you pay for a subscription vs. using free ones.

Be sure to know how the service will use any data you give it before committing.

Deidre Frith

How can I tell if my social security number was stolen and what can I do about it?

Our CISO, Todd Swartzman, was presenting Steps a Business Can Take to Reduce their Cybersecurity Risks and a question came up. How can I tell if my social security number was stolen and what can I do about it? Todd decided to do some research on the question and here is what he found.

BY TODD SWARTZMAN
Chief Information Security Officer

I was presenting this week on Steps a Business can Take to Reduce their Cybersecurity Risks and a question came up that I didn’t have a good answer for: How can I tell if my social security number was stolen and what can I do about it?

I thought about the question later that evening and decided to do some research the next morning. Here is what I learned:

“HOW CAN I TELL IF MY SOCIAL SECURITY NUMBER HAS BEEN STOLEN?”

It seems that monitoring your credit reports and/or signing up for ID theft protection are the only options currently available. There isn’t a way to tell before a notification happens, so the following are ways to monitor your identity proactively:

  • IDENTITY THEFT PROTECTION SERVICES
    These services can help prevent identity misuse or alert you that someone is trying to use your identity. Unfortunately, they require the bad actors to try and do something with your information before you know whether you have been breached. If your information is exposed in a data breach and you’re offered ID theft protection for free, take advantage; it can’t hurt and might help.

  • CHECK YOUR CREDIT REPORT
    Since any use of your information to try and secure new credit will show up, it’s good to check your credit on an ongoing basis. You can get a free credit report from all three credit reporting bureaus from this website: https://www.annualcreditreport.com/ or call 1-877-322-8228. This is the only authorized website to get the free annual credit reports that you are entitled to by law. (As you might imagine, scam sites abound offering “free” credit reports that are not legitimate.)

  • REVIEW YOUR SOCIAL SECURITY STATEMENT
    If you don’t have an account, now would be an excellent time to set one up so that YOU control that and not some future identity thief.

PROACTIVE STEPS TO PROTECT YOURSELF:

  • Minimize who you provide your Social Security Number to in the first place!
    Many organizations ask for your social when they just don’t need it. Your doctor’s office and public and private schools are good examples of places that don’t need your SSN to provide services. They can ask, and you can say “no thank you.” So far, no one bats an eye when I refuse to provide them this information that they have no legitimate use for (and, let’s be honest here, many places aren’t good at protecting this very sensitive information).

  • If you suspect that any identity theft has occurred:

    • Contact local law enforcement (a necessary step) to obtain a police report.

    • Contact the FTC (Federal Trade Commission) at 1-877-438-4338, online at https://www.ftc.gov, or at their identity theft reporting site: https://www.identitytheft.gov/#/

    • IC3.gov is another place you can report the problem; the FBI monitors this one.

ADDITIONAL RESOURCES

Tips - https://www.identitytheft.gov/#/Info-Lost-or-Stolen (you can open up each relevant section for some excellent advice based upon your situation)

Deidre Frith

How to Protect your SaaS Based Applications

Top recommendations by RealTime CISO to better prevent future attacks on Microsoft Office 365 by hackers, aka bad guys.

NEW ADVICE FROM REALTIME CYBERSECURITY

One of our vendors has released a security trends report using the monitoring data of SaaS (Software as a Service) application usage across ~7500 Small Businesses (SMBs) who use their cloud security service. About 70% of the businesses monitored use Microsoft 365. These insights are the summation of the data collected from monitoring almost 1 million accounts across ~7500 small businesses whose SaaS environments were monitored from Jan 1, 2022 – Dec 31, 2022:

  • 7500 Small Businesses’ SaaS environments monitored

  • 980,000 end user accounts

  • 1 Billion events logged

  • 701,000,000 of these events came from Microsoft Office 365

Where ARE the attacks originating?

Most of the attempts come from outside of the United States. More than 53% of attempted unauthorized logons originated from just these five countries: China, Vietnam, India, Brazil, and South Korea. Interestingly, Russia isn’t in this top five this year, most likely due to cyber-attacks from Russia focusing on Ukraine in 2022. Have you ever heard of a Brute Force Attack? This is a common tactic where bad actors will target known cloud-based accounts and try multiple credentials (usually derived from data thefts) in hopes that one works. 

Just this week, this service alerted me that my own account was being subjected to a brute force attack! The system alerted me to the event, it blocked the attackers from further attempts, and the alerts showed me they were unsuccessful. Whew! 

What this event also showed me is that there was something we could do better to prevent this specific attack vector in the future, which will help us all be more protected in the future.

Top recommendations on how to protect your SaaS based applications

…and really almost all of this applies to any technology environment.

  1. Enable and enforce Multi Factor Authentication.

  2. Monitor all of your SaaS applications for unusual or unauthorized activity.

  3. Enforce proper configuration of your SaaS applications and monitor for changes.

  4. Monitor unauthorized file sharing activity.

  5. Delete unnecessary guest accounts on a regular basis.


-by Todd Swartzman, RealTime CISO
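
The brute force pattern described above (many failed logons against one account in a short time, often from several sources) is the kind of activity recommendation 2 asks you to monitor for. The following is an added example, not part of the original post and not the vendor's service: the log layout, account names, threshold, and time window are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events: time, account, source IP, country, result.
# The field layout is an assumption, not any vendor's real log format.
SAMPLE_EVENTS = """\
2022-11-03T02:14:05 alice@example.com 203.0.113.10 VN FAIL
2022-11-03T02:14:09 alice@example.com 203.0.113.11 VN FAIL
2022-11-03T02:14:15 alice@example.com 198.51.100.7 CN FAIL
2022-11-03T02:14:21 alice@example.com 198.51.100.8 BR FAIL
2022-11-03T02:14:30 alice@example.com 203.0.113.12 IN FAIL
2022-11-03T08:01:12 bob@example.com 192.0.2.44 US FAIL
2022-11-03T08:01:40 bob@example.com 192.0.2.44 US OK
2022-11-03T09:30:00 carol@example.com 203.0.113.50 KR FAIL
2022-11-03T09:30:04 carol@example.com 203.0.113.51 KR FAIL
2022-11-03T09:30:09 carol@example.com 203.0.113.52 KR FAIL
2022-11-03T09:30:13 carol@example.com 203.0.113.53 KR FAIL
2022-11-03T09:30:18 carol@example.com 203.0.113.54 KR FAIL
2022-11-03T09:30:25 carol@example.com 203.0.113.55 KR OK
"""

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {account: alert} for accounts with >= threshold failures in window."""
    recent = defaultdict(deque)  # account -> failed attempts still inside the window
    alerts = {}
    for line in log_text.splitlines():
        ts, account, ip, country, result = line.split()
        when = datetime.fromisoformat(ts)
        fails = recent[account]
        # Drop failures that have aged out of the sliding window.
        while fails and when - fails[0][0] > window:
            fails.popleft()
        if result == "FAIL":
            fails.append((when, ip, country))
            if len(fails) >= threshold:
                alert = alerts.setdefault(account, {"compromised": False})
                alert.update(
                    failures=len(fails),
                    source_ips=len({f[1] for f in fails}),
                    countries=sorted({f[2] for f in fails}),
                )
        elif account in alerts and fails:
            # A success right after a burst of failures needs urgent review.
            alerts[account]["compromised"] = True
    return alerts

if __name__ == "__main__":
    for account, alert in detect_bruteforce(SAMPLE_EVENTS).items():
        print(account, alert)
```

A single mistyped password followed by a successful logon (bob in the sample) stays below the threshold and raises no alert, while a successful logon directly after a burst of failures (carol) is marked for urgent review.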
