Leaked employee passwords open up Fortune 500 companies to hackers


It’s one thing when your iCloud account with personal photos gets hacked. It’s another when your Fortune 500 company has a data breach because your office credentials were leaked online.

At 221 of the Fortune 500 companies, Fortune magazine’s list of the top 500 U.S. public corporations ranked by gross revenue, employees’ credentials are posted publicly online for hackers to steal and reuse in cyberattacks, according to new research from the web intelligence firm Recorded Future.

Corporations, especially highly sensitive targets like Fortune 500 companies, spend a great deal on securing their networks against hackers, but that could be for naught if an employee carelessly uses his office credentials to sign up for, say, a gaming forum.

The sensitive information can be found on forums and text repositories like Pastebin, which are fertile ground for username and password dumps. Researchers at Recorded Future scoured approximately 600,000 websites for credentials posted between Jan. 1 and Oct. 8, 2014. During their analysis, they found at least one username/password combination at 44% of the Fortune 500 companies, leaving those companies vulnerable to hackers who could use the data to break into networks or mount phishing and social engineering attacks, Recorded Future CEO and cofounder Christopher Ahlberg told Mashable.

These credential dumps are outside the companies’ control, Ahlberg said. The data likely come from third party sites — not from breaches of companies’ servers — where an employee used a corporate email to sign up for something. In the past few years, for example, hackers have breached websites and services like Adobe and Forbes.

One caveat is that there is no way to know whether the password used on a third-party site matches the password the employee uses on his corporate account. In other words, Fortune 500 employees’ information may be posted online — but that doesn’t necessarily mean the information will lead to a successful compromise.

“It’s a coin flip whether or not these credentials taken from third party sites are valid,” Scott Donnelly, the lead researcher on the report, told Mashable. “But when there’s 10 or 20 from a particular company, then odds are you’ve got one that’s valid.”

Below, the breakdown of the 221 companies listed in the report:

[Chart: breakdown of the 221 companies listed in the report]

But having an employee’s username and password isn’t necessarily enough — hackers need to know where to use them. In some cases, Recorded Future also found that the webmail login pages of some utility companies are easily searchable on Google, which makes those companies even more vulnerable if an employee’s credentials are compromised.

The report doesn’t name names — either of companies or individuals — and Recorded Future has not notified any of the companies yet, according to Ahlberg and Donnelly. The goal of their research, they said, is to show that big companies are not immune to huge password leaks.

We’ve seen evidence of that lately.

Two weeks ago, a hacker claimed to have dumped 7 million Dropbox usernames and credentials. In a separate instance in early September, 5 million usernames and passwords appeared on a Russian forum (that information likely came from various earlier hacks, though). And in August, a security firm claimed to have found 1.2 billion credentials stolen by Russian hackers, though the firm’s report has been contested.

The issue with these dumps, even when they don’t involve services like Gmail or Dropbox, is the same: the danger of password reuse. If you always reuse the same password, a hacker doesn’t need to breach Google to obtain your Gmail password; instead, he can get it from your Fantasy Football forum. That’s why Facebook announced last week that it has been actively scouring sites that host dumped credentials to notify users if their password had been compromised.
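The two defensive checks the article describes, counting how many leaked entries name a watched corporate domain (the Recorded Future metric and the "10 or 20" heuristic) and testing whether a leaked third-party password matches a user's corporate password so that user can be notified, as an added example that is not code from the article, Recorded Future or Facebook; the dump text, the watched domain and the PBKDF2 store standing in for a corporate directory are all constructed assumptions.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# Constructed sample of a public credential dump in the email:password shape
# that paste sites often carry. Every address and password below is made up.
SAMPLE_DUMP = """\
-- dump 2014-10-08 --
alice@example-corp.com:Summer2014!
bob@example-corp.com:bobby123
carol@other-company.example:hunter2
dave@example-corp.com:Summer2014!
eve@hobby-forum.example:letmein
a line that is not a credential at all
"""

# Corporate domains this defender is responsible for (assumed value).
WATCHED_DOMAINS = {"example-corp.com"}

CRED_RE = re.compile(r"^([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,}):(\S+)$")


def parse_dump(text):
    """Yield (local_part, domain, password) for every line shaped like email:password."""
    for line in text.splitlines():
        m = CRED_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2).lower(), m.group(3)


def count_by_domain(text, watched=WATCHED_DOMAINS):
    """Exposure metric: how many leaked entries name each watched domain."""
    counts = Counter()
    for _, domain, _ in parse_dump(text):
        if domain in watched:
            counts[domain] += 1
    return counts


def domains_over_threshold(counts, threshold=10):
    """Donnelly's heuristic: with 10 or 20 entries for one company, one is probably valid."""
    return {d for d, c in counts.items() if c >= threshold}


# Stand-in for the corporate directory's password store: salted PBKDF2 hashes.
# Production systems should use bcrypt, scrypt or Argon2; PBKDF2 keeps this dependency-free.
def make_record(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def matches(record, candidate):
    salt, digest = record
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(digest, probe)


def users_to_notify(text, directory, watched=WATCHED_DOMAINS):
    """Which of our users reused their corporate password on the leaked site?
    This is the notification check the article attributes to Facebook, with the
    mechanism assumed here. directory maps 'user@domain' -> (salt, digest)."""
    hits = set()
    for local, domain, pw in parse_dump(text):
        addr = f"{local}@{domain}"
        rec = directory.get(addr) if domain in watched else None
        if rec and matches(rec, pw):
            hits.add(addr)
    return hits


if __name__ == "__main__":
    counts = count_by_domain(SAMPLE_DUMP)
    print("leaked entries per watched domain:", dict(counts))
    print("domains over threshold (>=2 for the demo):", domains_over_threshold(counts, 2))
```

Only a password-hash comparison happens on the defender's side; the leaked plaintext is never stored, and a match should trigger a forced reset rather than be logged.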

Ahlberg and Donnelly warn that even more companies have probably been compromised, but those employees’ credentials have not been posted publicly.

“We have a pretty good coverage of the underbelly of the web, but these are just the public posts,” Donnelly said. “We’re highlighting how easy it is for somebody to just open the door and exploit a company because the information is sitting out there. But most certainly, there’s information that’s yet to be published.”


SurveilStar is employee monitoring and parental control software that helps monitor computer activities and protect data security. It can also block file uploading and sharing to prevent data leakage. Features include:

  • View Real-time Screen Snapshot
  • Monitor Skype or Other Chat/IM Activity
  • Record Emails
  • Track web browsing history
  • Block access to any website
  • Remote PC Maintenance
  • Program Activity

If you would like to record and control all of your children’s or employees’ activities on a work PC, SurveilStar Monitoring would be your best choice.

A 30-day free trial of this professional computer monitoring and tracking software is available. Feel free to download it and check what your employees and children have done on the PC.

Download

 

Reference: http://mashable.com/

Healthcare finance tips for safeguarding against cyberattacks

Premera hack puts renewed focus on securing sensitive healthcare info.

As Tuesday’s news about the Premera Blue Cross hack shows, healthcare organizations are vulnerable to cyberattacks, and the fix can be costly.

“The average Fortune 500 company budgets $44 million a year for security, including networking and all other aspects,” said Larry Ponemon, chairman of the Ponemon Institute, a research center focused on data security. “(Most) hospitals have less than a million to budget on cyber security.”

Already, at least two class action lawsuits have been brought against insurer Anthem, which saw a major data breach in January affect 80 million people. There’s also the cost to the health plan’s reputation and the logistics of notifying 80 million customers, Ponemon said. It’s still unknown what will come after 11 million people’s information was accessed in the Premera hack.

Until Anthem’s hack in January, high profile security breaches focused on large retailers such as Target and Home Depot.

This doesn’t mean healthcare organizations have been sitting on their hands believing it can’t happen to them, Ponemon said. A survey of 91 healthcare organizations in 2013 showed that 90 percent experienced at least one data breach that year.

“Even if a hospital is reasonably secure, it may not be enough in this world,” he said.

Medical records are extremely valuable on the black market, Ponemon said. They contain Social Security numbers, health ID numbers, addresses and possibly credit or debit card information – everything needed to create a fake identity.

“Basically it’s a rich data source for bad guys,” he said, such as terrorists seeking travel credentials.

The hackers may wait months and years before exploiting the data, he said.

“This is where we see the most serious ID theft crimes,” he said. “A lot of the 80 million will become identity theft victims.”

Ponemon was in the intelligence field for 45 years prior to founding the Ponemon Institute 14 years ago.

HITRUST, the Health Information Trust Alliance, works with healthcare organizations to improve their data security. It has partnered with the U.S. Department of Health and Human Services to conduct monthly briefings on cyber threats relevant to the healthcare industry, and to share best practices for defense and response.

HITRUST offers healthcare organizations a cyber threat alerting system of threats targeted at the industry. The C3 Alert is coordinated with the Healthcare and Public Health Sector and Government Coordinating Councils, according to HITRUST chief executive and founder Daniel Nutkis.

What hospitals can do:

  • As most security breaches are due to human error, maintain a good data structure to prevent data leakage, Ponemon said.
  • Encrypt data. The Wall Street Journal reported Anthem did not encrypt the personal data of its customers.
  • Ban the use of personal devices for storing patient information. Some doctors routinely send clinical records through personal e-mail, their own smartphones or tablets.
  • Rent a network intelligence system instead of buying one, Ponemon advises. It’s secure.
  • Collaborate with partners on exchanging information during and after a cyberattack, according to the National Institute of Standards and Technology’s 2014 “Draft Guide to Cyber Threat Information Sharing.” While this may seem counter-intuitive, providers need to learn the types of systems and information being targeted and the techniques used to gain access.
  • Use standard data formats to facilitate interoperability and fast information exchanges, the NIST recommends.


Reference: http://www.healthcarefinancenews.com/

Computer Email Monitoring

  • Do you want to regulate the use of email to send commercial messages in your corporation?
  • Do you want to restrict senders by allowing employees to send email only from a specific mailbox and prohibiting the use of any other mailbox?

As the importance of electronic mail has grown both for internal communications with co-workers and for external communications with customers, suppliers and business partners, so has the need to ensure that your email servers are working properly. Monitoring and maintaining the health of your email servers has become vital in your business’ communication and even in its very existence.

SurveilStar Email Monitoring is the all-in-one network monitoring solution, which covers the complete range of monitoring needs from availability monitoring to bandwidth and usage monitoring, as well as application, instant message and email monitoring.

  • Record incoming and outgoing SMTP/POP3 emails and Exchange emails
  • Record outgoing webmails and Lotus Notes emails
  • Record all contents of outgoing and incoming attachments
  • Record email subjects, senders, recipients, time, size, etc.

If you need to stop one or more spammers, block certain email addresses, restrict employees to sending email only to permitted addresses, prohibit sending attachments or limit email size, you can set an Email policy to achieve these goals easily. Setting up a proper email policy for your business situation is a breeze.

  • Block specified sender accounts
  • Block specified recipients
  • Block specified outgoing email domains
  • Block users from sending emails with any attachments
  • Block emails with specific subjects
  • Block users from sending files with specific file names
  • Block users from sending emails over a size limit
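The rule types listed above, implemented as a small outgoing-mail policy evaluator. This is an added example and not SurveilStar’s own code; the policy values, addresses and messages are constructed, and a real deployment would run such checks at the mail gateway rather than on the client.

```python
import fnmatch
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy mirroring the rule types listed above (all values made up).
POLICY = {
    "blocked_senders": {"temp-account@example-corp.com"},
    "blocked_recipients": {"rival@competitor.example"},
    "blocked_domains": {"freemail.example"},
    "block_all_attachments": False,
    "blocked_subjects": {"confidential", "salary"},
    "blocked_filenames": {"*.xlsx", "customer_list*"},
    "max_size_bytes": 5 * 1024 * 1024,
}


def addresses(msg, header):
    """All addresses in a header, lower-cased (display names stripped)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]


def evaluate(msg, policy=POLICY):
    """Return the list of policy rules an outgoing message violates (empty = allowed)."""
    violations = []
    senders = addresses(msg, "From")
    rcpts = addresses(msg, "To") + addresses(msg, "Cc") + addresses(msg, "Bcc")
    if any(s in policy["blocked_senders"] for s in senders):
        violations.append("blocked sender")
    if any(r in policy["blocked_recipients"] for r in rcpts):
        violations.append("blocked recipient")
    if any(r.rsplit("@", 1)[-1] in policy["blocked_domains"] for r in rcpts):
        violations.append("blocked outgoing domain")
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in policy["blocked_subjects"]):
        violations.append("blocked subject")
    names = [part.get_filename() for part in msg.iter_attachments()]
    if names and policy["block_all_attachments"]:
        violations.append("attachments not allowed")
    for name in names:
        if name and any(fnmatch.fnmatch(name.lower(), pat) for pat in policy["blocked_filenames"]):
            violations.append(f"blocked attachment name: {name}")
    if len(msg.as_bytes()) > policy["max_size_bytes"]:
        violations.append("message exceeds size limit")
    return violations


def build_message(sender, to, subject, body, attachment=None):
    """Helper to construct a test message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    risky = build_message("temp-account@example-corp.com", "someone@freemail.example",
                          "Confidential: customer list", "see attached",
                          ("customer_list_q3.xlsx", b"constructed bytes"))
    print(evaluate(risky))
```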

How to Monitor Emails?

1. Download and install SurveilStar on your PC and on the PCs you would like to monitor.

2. Log in to the SurveilStar Console and select the target computer (or group) whose email activity you want to monitor. Navigate to Monitoring > Email.


Big bill revealed for Saanich spying software

The installation and use of employee monitoring software at Saanich municipal hall could cost the municipality at least $30,000 in 2015, thanks to licensing and maintenance agreements that were confirmed before B.C.’s privacy commissioner launched an investigation into the District’s practices earlier this year.

Emails released Monday through a freedom of information request show Saanich’s Information Technology department underwent training on Nov. 24, 2014 and installed Spector 360 – which is capable of capturing keystrokes as well as continuous screen images of employee activity – on an unknown number of computers at a cost of $1,992.

Two invoices dated Jan. 14, 2015 reveal Saanich was given the option of paying another $29,250 for further licencing and one year of maintenance, or $43,992 for licencing and three years of maintenance by SpectorSoft Corporation, which sells Spector 360. The software had been monitoring activity on several municipal computers until Jan. 20, when the B.C. Privacy Commissioner Elizabeth Denham launched an investigation into its use.

The FOI response also reveals Laura Ciarniello, Saanich’s director of corporate services, sent an email on Dec. 2 to IT manager Forrest Kvemshagen approving the software installation. Mayor Richard Atwell and council were sworn in on Dec. 1.

“I approve of this program and the machines that it has been installed on,” Ciarniello wrote in the email to Kvemshagen. “I have spoken with the Directors and Paul about this and I left it with (former CAO) Paul (Murray) to discuss with [redacted] and [redacted] or not.”

Murray was on vacation leave on Dec. 2 and left the municipality on Dec. 16 with a $468,000 payout. Ciarniello was on vacation Monday and was unavailable for comment.

Mayor Richard Atwell went public about his concerns over the “spyware” on Jan. 12 and said Spector 360 had been installed on his computer and several other computers without his knowledge or consent.

Atwell told the News on Monday that he will wait for the privacy commissioner’s report before commenting on the FOI revelations.

“I will be more than happy to comment when the OIPC releases its findings,” Atwell said.

Interim CAO Andy Laidlaw said the District provided all necessary information to Denham on its use of Spector 360 and will wait to respond to the recommendations in her report.



Reference: http://www.saanichnews.com/

Some Thoughts on Employee Appreciation Day, including a Potential Wage and Hour Pitfall

“And you’re wondering . . . am I appreciated . . . I’m not really appreciated, should I play like I’m appreciated, but I’m not that appreciated . . . but I think my employer might appreciate me . . . but do I want to be appreciated . . . but now my employer doesn’t really appreciate me . . . and then all of the sudden I’m getting, I’m starting to be appreciated.” Jeremy Grey, Workplace Crashers (2005)

Okay, so I retooled that quote and the movie title slightly, but it still makes me laugh and certainly works as a nicer teaser to a post on Employee Appreciation Day, which is celebrating its 20th anniversary tomorrow, Friday, March 6.

Employers Should Appreciate Employee Appreciation

Started in 1995, Employee Appreciation Day encourages employers to focus on the contributions of their staff members.  And a recent White Paper entitled Employee Performance: What Causes Great Work? concludes that a little employee recognition goes a long way.  According to research conducted by the Cicero Group (and commissioned by the O.C. Tanner Institute), effective employee recognition may be the leading reason that employees perform at their highest level.

The Cicero Group administered an online survey to employees between the ages of 25 and 65 working in the US at companies with more than 1,000 employees across all industries.  980 employees responded to the survey and provided various answers to the open-ended question of “What is the most important thing that your manager or company currently does (or could do) that would cause you to produce Great Work?”  Of the nine types of answers provided in response, a clear majority of the respondents (37%) said “recognize me.”  “Lead by example” came in second at 22% followed by 7 other answers that ranged from 2% to 9% of the responses.  The rest of the research Cicero conducted supported this initial finding and allowed it to conclude that “[i]f you want employees that produce and innovate more, invest in recognition.”

I can’t say I was entirely surprised by this conclusion given my own experiences with recognition behavior in my workplace, but it was nice to see my experiences match the statistical evidence.

Employee Appreciation Bonuses and Overtime Pay

There are all sorts of things employers do to recognize their employees, whether they do it this Friday or throughout the year.  From verbally praising their employees’ efforts, to having an employee of the month program, to handing out gift cards, to having late arrival or early dismissal, to buying employees lunch or hosting a happy hour, to handing out bonuses.  Let’s focus on that last one – bonuses – for a second.  As always, any employer action – no matter how well-intentioned – can have legal pitfalls, and in this case, the potential pitfall relates to an overtime violation.

When calculating overtime pay, some employers think that they should simply use the employee’s hourly rate when determining overtime.  For example, if the employee worked 45 hours and is paid $10.00 per hour, the employer may simply multiply $10.00 by 45 hours for $450 in straight time wages, and then to calculate overtime, it would multiply the $10.00 hourly rate by ½ by 5 hours of overtime for a total of $25.00 in overtime pay for a total wage payment of $475.00.  In many cases that is how it’s done.  But not always.

The Fair Labor Standards Act and its interpreting regulations do not refer to the employee’s “hourly rate” when discussing how to calculate overtime; instead, they refer to the employee’s “regular rate”.  Believe it or not, many employers have never heard of this term before.

So what does the Act and its interpreting regulations mean by “regular rate”?  Although the “regular rate” is ultimately converted into an hourly rate, it includes “all remuneration for employment paid to, or on behalf of, the employee,” and therefore, it includes forms of compensation other than the employee’s hourly rate when calculating overtime pay due.  The interpreting regulations define the types of compensation that employers should include and should not include when determining the employee’s regular rate.  Among those payments that employers may exclude from the regular rate are payments for gifts and other payments in the nature of gifts on special occasions.

The regulations say that a bonus qualifying as a gift or payment in the nature of a gift should merely be a reward for service, and it will not qualify “[i]f it is measured by hours worked, production, or efficiency,” because in that case, it is considered “a payment geared towards wages and hours during the bonus period and must be included in the regular rate.”  Further, if the bonus payment “is so substantial that it can be assumed that employees consider it a part of the wages for which they work,” it will not qualify either.  At the same time, however, it does not matter if the employer pays the bonus with regularity (i.e. on every Employee Appreciation Day or Christmas, etc.) so that employees are led to expect it – that is, once again, as long as it is not tied to hours worked, production or efficiency.

Thus, if not devised properly, employers may have to include Employee Appreciation Bonuses as compensation when determining the regular rate, which means higher overtime costs.  Let’s revisit our earlier example where the employee worked 45 hours at $10.00 per hour.  Say the employee worked those 45 hours in the week in which Employee Appreciation Day fell and that traditionally, as a recognition reward, the employer paid its employees a $10 appreciation bonus for each hour they worked during that week.  This employer would now have to recalculate the regular rate because the bonus is tied to hours worked rather than presented merely as a service award on a special occasion.  The employee would have compensation totaling $900.00 (45 hours x $10.00 per hour = $450.00 weekly wage + 45 hours x $10.00 bonus = $450.00 bonus).  The $900.00 in compensation is then divided by 45 hours worked for a regular rate of $20.00 – a full $10.00 increase in the regular rate over the first example.  And to calculate the total wages due, you would multiply 45 hours by $20.00 ( = $900.00) and the 5 hours of overtime by $10.00 (or ½ the $20.00 regular rate x 5 OT hours, which equals $50.00 in overtime) for total wages due that week of $950.

Had the employer in our example not tied the Employee Appreciation Day bonus to hours worked and merely paid the employee a special one-time $450 service bonus, then the employer could have excluded the bonus amount when determining the regular rate.  The wages would have equaled $925 ($450 in straight time wages + $25 in overtime wages (5 OT hours x ½ x $10 regular rate) + $450 bonus), which amounts to a $25 difference.

A Conclusion You Can Appreciate

This is all a long-winded and technical way of saying that whenever you pay a bonus to your employees – whether it’s on this Friday or at any other time, you should be careful.  It is vitally important that you first determine whether the bonus amount should be included or excluded from the regular rate calculation, either as a gift or payment made in the nature of a gift on a special occasion (or also as a discretionary bonus – a type of bonus that we did not cover in this post, but which is subject to a similar analysis).  The failure to address this issue properly can lead to costly wage and hour class action overtime claims, which, ironically, no employer appreciates.



Reference: http://www.employmentmattersblog.com