UPS Hacked!


“It was the best of times, it was the worst of times.”


This famous quote from Charles Dickens’ classic novel, A Tale of Two Cities, gives insight into how two forces, like good and evil, are equal rivals contending for survival. The same goes for the world of cyber security. We have a world of information, convenience, and entertainment at our fingertips, and yet, in that world, there are dangers and possibilities to have valuable information stolen.


In Alex Rogers’ article, “UPS: We’ve Been Hacked,” Rogers reports on the newest breach at UPS. “The United Parcel Service announced Wednesday that customers’ credit and debit card information at 51 franchises in 24 states may have been compromised.” Rogers continues, “The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26.” Even though the breach was wide-ranging, UPS assured customers that on August 11 the threat was resolved.


UPS issued a public statement, “The customer information that may have been exposed includes names, postal addresses, email addresses and payment card information. Not all of this information may have been exposed for each customer. Based on the current assessment, The UPS Store has no evidence of fraud arising from this incident.” UPS went on to say that it is safe to shop at all of the UPS branches.


As fiction continually tells us in prose and verse, good and evil will always be at odds with each other, just as Dickens foreshadows in A Tale of Two Cities. So what can we do about it? Well, our job is twofold. We need to be sure to follow the Password Best Practices (PBP) and petition the applications and companies that we use on a daily basis to start supporting Two-factor.


Password Best Practices


Password Best Practice (PBP) is the easiest way to accomplish login security to your applications and portals to access private information. PBP gives practical advice on how to strengthen your password, how often to change your password, what not to do with your password, and much more. By enforcing and educating users on PBP, you are on your way to achieving stronger passwords and making logins more secure. PennState has done a great job outlining the Password Best Practices on their site. The article is a great resource and reminder of what we should be doing with our passwords.


What You Can Do About Two-factor Authentication


You may ask yourself what you can do to ensure that private and personal information is protected with two-factor. There are two things that one can do. First, if you have the sway and influence, there are identity management providers that provide usable two-factor, protecting against network attacks. Secondly, if you are only a user and have no influence in the IT Department, there is a great site that contains a Two-factor Authentication list. From this list you can send a direct request to those that are not currently supporting Two-factor Authentication. The list is a great way to see if your favorite applications and websites are doing their part in protecting your personal information from network attacks worldwide.


Even though we seem to be living in a constant state of “the best of times, it was the worst of times,” we can do our best to fight against the evil of stolen identities by educating ourselves on Password Best Practices and petitioning companies to support Two-factor Authentication.

The IT Professional vs. The Deadly Data Breach



The Deadly Data Breach

We know it well, the Deadly Data Breach! So many people have felt the effects of a data breach, and so many companies are scrambling to protect the personal information they have on file. I am sure data breaches are on the minds of every IT professional that has kept up with the most recent breaches. No one goes unscathed by The Deadly Breach: P.F. Changs, Goodwill, Home Depot, and numerous schools.

Home Depot’s recent data breach reaches all the way back to April first of this year. According to Steven Weisman’s blog article, “Important Home Depot Update,” Weisman reports that “along with the credit card numbers and debit card numbers, the hackers also are selling the state and zip code for the particular cards.  This enables the hackers to defeat some fraud detection programs that pick up charges made from areas far from the home of the card holder.” This covers the fraud up and keeps agencies from discovering a security breach sooner. The Deadly Data Breaches just keep getting more deadly!


The Cost of The Deadly Data Breach

The cost of the deadly data breach doesn’t stop at the yearly budget meeting. There are many different costs when a breach strikes: the cost of private information, the cost of an organization’s reputation, and the actual monetary cost. Target’s data breach has cost them $148 million so far, and since Home Depot has more stores than Target, it will most likely exceed that number. At this moment in time, I do not envy IT Professionals and truly feel for them; thankfully, there are some great resources for IT Professionals. For example, Liisa Thomas’s book, Thomas on Data Breach: A Practical Guide to Handling Data Breach Notifications Worldwide, is a great resource for the IT Professional contending with The Deadly Data Breach.


What Can Anyone Do?

There are many things that both the IT Professionals and the end users may do to proactively protect themselves from having their identity stolen. In reference to the Home Depot breach, Weisman gives practical tips on protecting yourself from identity theft. Weisman’s blog Scamicide is a great resource on daily technical news and practical tips to protect against hacktivists.


  • Password Best Practices: These are a great place for the IT Professional to start in their fight against the Deadly Data Breach. Password Best Practices are common sense protocols for passwords and a great place to start creating a healthy password environment for your organization. PennState has a great article on Password Best Practices that I found very helpful.


  • Speak Up: For the end user, there is a great website that was featured in the NYTimes that has a list of applications supporting two-factor authentication. The end user is also able to send a request to their favorite website/application requesting that they support two-factor.



We are in an age where logins are a part of life and the gateway to private and confidential data. As the tsunami of data breaches continues to destroy and damage the cyber world, it is time to look towards stronger authentication to reduce the impact on organizations worldwide.

You Have a Case of Identity Theft!

Identity Theft

It’s the hot topic in the news, blogs, books, and more: identity theft and security! We are all susceptible to identity theft, from the individual user to the largest corporation.


Author Steve Weisman has been speaking on Identity Security for years, including in his blog Scamicide and in his books The Truth About Avoiding Scams and Identity Theft Alert: 10 Rules You Must Follow. The most recent breach, at Community Health Systems, is one that Weisman covers in his blog entry Community Health Systems and the Chinese hacker. By now we all know the characters in the story: hackers want sensitive data, companies have budgets and time constraints, and users want usability. In his blog post, “Community Health Systems Data Breach Update”, Weisman wisely states, “It has been said that the price of liberty is eternal vigilance and that is also important in maintaining your own personal security.  People who did not change their passwords following the Heartbleed security flaw first being uncovered should take this as a wake up call to do so now.” I concur!


Weisman goes on to give some great examples on how to protect credit and to watch for fraud. But we all know that that is not where the story ends. Weisman states the grim truth that “it is not unusual for hackings and data breaches to remain undiscovered for significant periods of time.  This data breach may be the first major data breach connected to Community Health Systems, but it is most likely not going to be the last.” Sadly, he is most likely correct.


Organizations and companies need to transition to stronger authentication; one way they can do this is with a usable authentication solution. Why usable? Well, let’s not forget one of the main characters in this story, the user. Users want usability when it comes to identity security and logging into their accounts, and there are many solutions that are rising to the occasion to provide both security and usability to organizations. PortalGuard is one solution that brings usable Two-factor Authentication to the table with printable OTPs, SMS, and PassiveKey.


So there is no doubt that security needs to be increased and usability cannot be forgotten, but what can you do as an individual to increase authentication security within the organizations that you use on a daily basis? Well, I am glad you asked. I just happen to have the perfect site, one that was promoted in Ron Lieber’s article A Two-step Plan to Stop Hackers. The site allows you to send a tweet requesting that organizations and apps that are housing your personal information support two-factor. (you may now cheer and applaud) Find out if your favorite app is using Two-factor or take it into your own hands to tell them to support Two-factor.


Weisman ends his blog post reminding us that “you are only as safe as the places that hold your personal information and some of them have poor security.” How true that is, and how slow many are at implementing the necessary steps to secure our personal and private data. In conclusion, you really have two choices as a user:


  • Cut out all technology from your life and keep your savings under your mattress.


  • Make smart identity choices and request that those that are housing your personal information implement a usable, two-factor solution.

More Compromised Students and Faculty


Recently, there was yet another security breach at a college campus. This time the victim was Butler University, where a hacker accessed over 160,000 records for current and past students and faculty. The information stolen was the typical pertinent information that is stolen in this type of breach: names, Social Security numbers, dates of birth, and bank account information.

The announcement of this breach stems from an identity theft investigation by California law enforcement. The perpetrator who was caught possessed a flash drive that contained all of the data stolen from Butler University. Through the work of a third-party investigator, it was uncovered that the information was stolen by remote hackers who accessed the University’s network between November 2013 and May 2014.

When will all of this craziness stop and people take security seriously?

I find it interesting that there is not more of an outcry from the general public to make sure that organizations are protecting their information. It used to be that colleges and universities were less likely to get attacked, since students typically do not have any credit in general. However, this year we have seen breaches at two other colleges in the spring and at a high school earlier this summer.

There are schools, like Dalton State College and Clermont Northeastern School District, that have taken a serious look at this problem and addressed it by partnering with PortalGuard to deploy a two-factor authentication solution. By adding a two-factor authentication solution to their environment, they are able to ensure that the end-user is who they claim to be and not an imposter or hacker. This type of authentication can also deter man-in-the-middle attacks.


Violated Database: Montana Department of Public Health and Human Services


Your car has been broken into, yet nothing was stolen. Nothing was stolen, so no big deal, right? WRONG! You would still feel violated, creeped out, and concerned about it happening again. The Montana Health Department has experienced a similar data breach.


On May 15th, Montana’s Department of Public Health and Human Services (DPHHS) officials noticed out-of-the-ordinary activity. After further investigation, DPHHS confirmed that a server had been breached by hackers, and according to Alison Diana’s article Montana Health Department Hacked, “1.3 million people of the incident” are being notified of the breach and assured that their information will be protected. Diana continues by stating, “there is no evidence this information was used inappropriately – or even accessed.”


At the moment, DPHHS is ensuring that a stronger security solution will be put in place to prevent such attacks from happening again, and extra measures are being taken to ensure that all citizen information is not compromised. There is a help line that DPHHS has on their website with information for potentially affected patients.


Diana continues in her article on the increase in attacks on healthcare databases, “many healthcare breaches have historically resulted from employee carelessness or error, hackers are increasingly attracted to this industry’s rich stash of personal data — including Social Security numbers, credit card information, and addresses — and personal health information.” With all this private information being housed within a healthcare database, it is imperative that a stronger authentication solution be put in place, along with educating employees on Password Best Practices (PBP). Many IT professionals are turning to PortalGuard for Healthcare for stronger security and increased usability for their corporation.

Young Hacker Infiltrates High School Database


We live in a world with multiple cyber threats, many coming from alias names from countries we have never been to. Within the United States, we have our fair share of hackers that cause major problems and confiscate sensitive data. It is sad and eye-opening when it happens at the high school level.


Recently, a 16-year-old boy gained access to a school database that held personal information like grades and attendance. By gaining access to this database, the student was able to change multiple attendance records and grades.


According to Ashley Carmen’s SC Magazine article, “Orange Public School district staff and authorities believe the student accessed the computer system through a teacher’s login credentials . . ., however, they aren’t sure of how he obtained access to the teacher’s password.” With the privacy and safety of students being top priority over the last decade or so, it is surprising that many K-12 schools have not deployed a second factor for account logins for both students and faculty.


With this account hacking comes “multiple counts of second-degree computer theft for unlawfully accessing and altering data and one count of hindering apprehension,” according to Carmen. This case is going to be handled in Family Court.


As K-12 schools begin to invest in identity solutions, many are turning to PortalGuard for education, giving them stronger security and increased usability.

Press Release: Get the Level of Identity Management Your Campus NEEDS for Office 365



BEDFORD, NH– (Marketwire – June 25, 2014) – Today, PistolStar, Inc. announced the integration of its PortalGuard product with Office 365. This integration will give administrators the power to choose the level of convenience and security they desire for their students and faculty while accessing Office 365, including:


-Self Service Password Reset (SSPR)

-Single Sign-on (SSO)

-Two-factor Authentication


With PortalGuard integrated with Office 365, schools now get the level of identity management they need. Gregg Browinski, CTO of PistolStar, Inc. comments on the level of identity management and security with PortalGuard. “Using Office 365 guarantees 99.9% uptime for your campus email infrastructure, but this benefit is moot if students forget their passwords and can’t login. Federating Office 365 with a local ADFS instance can allow SSO but this just pushes a ‘forgotten password’ scenario further back to the desktop login and still lacks stronger two-factor authentication or self-service password reset options.” Browinski continues, “Swapping PortalGuard in place of ADFS in this architecture can provide standards-based web SSO and highly flexible SSPR from a single, tightly integrated, brandable, login interface.”


Using PortalGuard’s SSPR, students and faculty are given the power to reset their passwords from the web or desktop, reducing help desk calls and increasing ROI. SSO streamlines the login and reduces the barriers to access; with just a single login, the students and faculty gain access to all of their authorized applications, including: Blackboard, Moodle, Canvas, Banner, Google Apps, and Office 365.


PortalGuard provides you with the level of identity management your campus needs. Click here to learn more about PortalGuard®’s seamless integration for Office 365 and other education applications or visit our Education Page here.

From Hacktivist to Cybersleuth

Hacker Gone Hero


It’s just like something out of the movies: criminal mastermind gets caught, turns from his wicked ways, and eventually unveils a piece of the criminal mastermind world to help out the good guys. There is something intriguing in being able to see into the criminal mind and get a behind-the-scenes look at the secret life of these hacktivists. In the hacktivists’ world, there is a network of secret groups and ominous aliases that threaten to breach and expose a multitude of private and personal data.


In August 2011, Hector Xavier Monsegur, also known by his hacker alias “Sabu,” pled guilty to numerous charges relating to multiple hacktivist actions. Monsegur then proceeded to help reveal the true identities behind the aliases responsible for stolen identities and jeopardized corporations. According to The Daily Dot article LulzSec hacker-informant ‘Sabu’ set free, “After agreeing to help the FBI ‘immediately’ after they busted him in his home on June 7, 2011, according to court documents, he proved extremely helpful to their investigations.” With Monsegur turned cybersleuth, FBI officials were able to prevent many major cyber attacks from taking place.


Monsegur is also the foster parent of two kids, and this factor was what drove Monsegur’s quick decision to plead guilty and cooperate fully with the FBI. According to USAToday, his attorneys stated “It was not a difficult choice for him. [. . .] his family came first.” Monsegur and his family are currently being relocated for safety purposes.

Press Release: Strengthening Web Authentication, Without Overcorrecting


BEDFORD, NH–(Marketwired – Jun 3, 2014) – Today, PistolStar, Inc. announced immediate availability of PortalGuard’s newest solution, PassiveKey. PortalGuard’s PassiveKey is a customer driven response to deliver the latest in innovative identity solutions. PassiveKey transparently enables two-factor authentication while allowing the user to login with the familiar username/password approach. This simultaneously strengthens authentication and eliminates the need for end-user training.

“Many think the correlation between strong security and identity logins is an unavoidable inconvenience to the end user. With PassiveKey, you can strengthen identity logins without ever impacting the end user,” says Thomas Hoey, founder and CEO of PistolStar, Inc. “Increasing security can be accomplished with many different second factor methods, but most stifle usability, negatively impacting the end user,” Hoey says. “Answering the need for both security and usability, PassiveKey cuts through all the hassle of second factors without ever compromising strong identity security.”




With PassiveKey enrolled on a user’s device, the user logs into the protected account like they normally would with their password while PassiveKey transparently generates and transmits a one-time token which is validated by the PortalGuard server based on a shared secret between the two. “It is clear that it is no longer enough to protect private information with just a password,” Hoey continues. “Authenticating the user today must be more than just a user’s password, but the login process must be as easy as using just a password.” Revolutionizing logins, PassiveKey is restoring the balance between security and usability.

For more details or a free demo of PassiveKey, visit the product page here.

To see our PassiveKey video click here.

About PistolStar, Inc.
PistolStar, Inc. was founded in 1999 and is located in Bedford, NH and provides multiple services through PortalGuard. PortalGuard is Your Ideal Identity Solutions Experience, providing dedicated services, innovative solutions, and proven value. For more information, visit our website.