Information Security Bulletin Issue #2013-06
Raising awareness of information security related issues and concerns.

Evernote, Facebook, Rent-to-Own Computers (March 2013)

Evernote

What happened: Hackers stole usernames, associated email addresses and encrypted passwords for nearly 50 million Evernote users. The passwords were hashed and salted, which will help mitigate the damage. Evernote has attempted to notify users and is enforcing password changes. Read more about the breach at http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/

Recommended Action: If you have an Evernote account, go to https://www.evernote.com/Login.action and change your password. If you used the same password on other sites, be sure to change those passwords as well. There are reports that those who are not using the most recent versions of the software are experiencing issues when changing passwords, so be sure to apply the updates.

Facebook

What happened: The new Graph Search has brought a host of issues for Facebook users. Potentially embarrassing uses for the new Graph Search, using information people posted, can be found here: http://nakedsecurity.sophos.com/2013/01/28/privacyfacebook-graph-search/

For approximately 9 months, Facebook has had an API bug that was leaking users’ phone numbers to application developers. At this time, there appears to be no way to know if your phone number was shared inappropriately. To read more about the bug, see https://developers.facebook.com/bugs/298946933534016.

Recommended Action: If you have a Facebook account, be very careful to consider the long-range impact of information you provide via Facebook and stay abreast of all their privacy changes. As a Facebook user, you are responsible for what you share on the social network.

Rent-to-Own Computers

What happened: The software, PC Rental Agent by DesignerWare, was reportedly installed to shut down the computer if the renters fall behind on payments.
One of the seven rent-to-own companies identified by the FTC, Aaron’s Rentals, had local franchisees. The US Federal Trade Commission (FTC) found that the software’s “Detective Mode” also logged keystrokes, captured screenshots and used the computer’s webcam to take photographs inside people’s homes. This software tracked the movement of individuals via WiFi hotspots. Fake program registration screens were used that tricked consumers into providing their personal contact information. In one or more cases, a manager used the software even after the computer was paid off. At least one class action suit has been filed.

To read more:
http://www.ftc.gov/opa/2012/09/designware.shtm
http://www.nbcnews.com/technology/technolog/185-000-spyware-emails-were-sent-aarons-computers-1C8595813

Recommended Action: If your home computer was purchased through a rent-to-own lease, or if you purchased it from someone who bought it from one of these companies, check for the software. If you paid off the company where you leased the computer, remove the software for your and your family’s protection. Be careful to remove all of it (hire a professional if you are unsure). If you are still paying off the contract and the machine has this software, be very careful when and how you use the computer, especially when accessing bank accounts and any password-protected site or when the webcam could capture uncomfortable images.

Information Security Team:
Cheryl Bowman, Information Security Risk Advisor, 831-6574, cbowman@epcc.edu
Richard Becker, Chief Information Security Officer, 831-6411, rbecker3@epcc.edu

The El Paso County Community College District does not discriminate on the basis of race, color, national origin, religion, gender, age, disability, veteran status, sexual orientation, or gender identity.