Is your child a victim of identity theft?

By Maria Varmazis

The Equifax breach was well over half a year ago now, but I’ve had a nagging worry all the while since then: Was my child’s data affected in that breach, and how could I possibly find out for sure?

After the Equifax breach, a number of people who had never even heard of the credit monitoring bureau (including people living outside of the U.S.) found out their personal data had been compromised – an unpleasant discovery, to say the least. Something that was and still is quite unclear after the breach is if any data belonging to children had been leaked.

The official line from Equifax or any other credit bureau is that children should never be affected by a data breach like this, as children are not supposed to have any kind of credit until they become legal adults, which in the U.S. is at 18 years of age. However, some parents checked the Equifax breach website to see if their child’s data was leaked, and alarmingly many people got a notice that their child’s social security number “may” have been involved – with no easy way to investigate further.

That operative word, “may,” is unnerving – this is not an issue you want to let sit and fester with unknown status, as child identities are a very tempting blank slate for criminals to misuse. Most people won’t even think of their child’s credit until the child becomes an adult. However, finding out someone has already established your child’s credit for them is a nightmare to try and clean up after years of damage already done – you can’t just scrap the old credit profile and/or social security number and get a new one.

The reason for the ambiguity from Equifax’s point of view is that in most cases there should be no child credit report or any record of the child at all in the hands of a credit bureau in the first place (though some parents add their teenager as an authorized user to a credit card the parent owns, which does result in the teenager having a legitimate credit report). So if a credit bureau has a credit report for your child and that data has been breached, unfortunately, you now have two problems.

Finding out if someone has your child’s data takes a little investigation work, but it is absolutely doable. Someone who has unauthorized access to a social security number won’t just sit on it, they’ll use it – to rack up bills, take out loans – and that will leave a paper trail. For an adult, you want to scour your paper trail/credit report for signs of foul play; however, in the case of a child, the complete absence of a paper trail is a good sign.

Read more at https://nakedsecurity.sophos.com/2018/02/21/is-your-child-a-victim-of-identity-theft/

Flight simulator comes bundled with password stealing stowaway

By John E Dunn

How far should a software company be able to go to protect its products from piracy?

Not, one would assume, as far as deploying a Chrome password capture tool in its downloads. Yet this was the extraordinary accusation levelled at Flight Sim Labs (FSLabs) last weekend by a perplexed Reddit user.

The company makes flight simulation mods, one of which – an Airbus A320X add-on for Lockheed Martin’s pro-level Prepar3D – was setting off antivirus security software during installation.

As the user suspected – subsequently confirmed by pen-testing company Fidus Information Security –  the offending file, test.exe, was an executable for something called SecurityXploded. Explains Fidus:

The command line-based tool allows users to extract saved usernames and passwords from the Google Chrome browser and have them displayed in a readable format.

Under pressure, FSLabs quickly owned up to what it was doing and, moreover, why it was doing it.

According to founder and CEO, Lefteris Kalamaras, the tool captured passwords but not indiscriminately (FSLabs’ emphasis):

There are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products.

The tool only activated if the user had installed the software using a pirated serial number believed to be circulating on the internet.

That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product.

It was so narrowly targeted, in fact, that the whole scheme was intended to gather evidence against a single individual believed to be circulating license keys for FSLabs’ software.

Read more at https://nakedsecurity.sophos.com/2018/02/21/flight-simulator-comes-bundled-with-password-stealing-stowaway/

Artificial intelligence reads privacy policies so you don’t have to

By Lisa Vaas

We can think of privacy policies as fortresses made out of thick bricks of gobbledygook: impenetrable, sprawling documents that do little beyond legally protect companies.

Nobody reads them. Or, to be more precise, 98% of people don’t read them, according to one study, which led to 98% of volunteers signing away their firstborns and agreeing to have all their personal data handed over to the National Security Agency (NSA), in exchange for signing up to a fictional new social networking site.

And here’s the thing: if you’re one of the ~everybody~ who doesn’t read privacy policies, don’t feel bad: it’s not your fault. Online privacy policies are so cumbersome that it would take the average person about 250 working hours – about 30 full working days – to actually read all the privacy policies of the websites they visit in a year, according to one analysis.

So how do we keep from signing away our unsuspecting tots? Machine learning to the rescue!

A new project launched earlier this month – an artificial intelligence (AI) tool called Polisis – suggests that visualizing the policies would make them easier to understand. The tool uses machine learning to analyze online privacy policies and then creates colorful flow charts that trace what types of information sites collect, what they intend to do with it, and whatever options users have about it.

Read more at https://nakedsecurity.sophos.com/2018/02/21/artificial-intelligence-reads-privacy-policies-so-you-dont-have-to/