Exposed File From Ancestry's RootsWeb.com Contains Data on 300,000 Users

A file containing hundreds of thousands of RootsWeb users' email, login information, and passwords was found externally exposed, genealogy site says.

Ancestry's RootsWeb.com server, which hosts a free genealogical community site, exposed a file containing emails, login information, and passwords of 300,000 users, Ancestry stated in a blog post over the weekend.

An outside researcher informed the company of the exposed file on Dec. 20, according to Ancestry. And while the 300,000 accounts were affiliated with RootsWeb.com's surname list service, which it retired earlier this year, 55,000 of the user names belonged to both the free RootsWeb.com site and Ancestry.com, which charges for some of its genealogical services.

The company noted that 7,000 of the emails and log-in credentials belonged to active Ancestry.com users.

RootsWeb does not host sensitive information like credit card and social security numbers, the company stated, further noting it has "no reason to believe that any Ancestry systems were compromised."

The company is currently in the process of notifying all affected customers and is working with law enforcement on the matter. Ancestry.com subscribers who had their information exposed will need a new password to unlock their account, according to the company. Additionally, RootsWeb.com has been taken temporarily offline to enhance its infrastructure, the company notes.

Although the company is seeking to retain all the data on RootsWeb.com, it notes it may not be able to preserve all the user-supplied information that is hosted on the free community site. However, RootsWeb's email lists will not be affected by the temporary shutdown of the site, according to a report in the Legal Genealogist.


How to Stop Email Spam

Unwanted commercial email – also known as "spam" – can be annoying. Worse, it can include bogus offers that could cost you time and money. Take steps to limit the amount of spam you get, and treat spam offers the same way you would treat an uninvited telemarketing sales call. Don't believe promises from strangers.

How Can I Reduce the Amount of Spam I Get?

Use an Email Filter

Check your email account to see if it provides a tool to filter out potential spam or to channel spam into a bulk email folder. You might want to consider these options when you're choosing which Internet Service Provider (ISP) or email service to use.

Use the iPhone Unsubscribe Button in the Apple Mail App

Apple’s Mail app now has algorithms built into it capable of detecting if an email is part of a mailing list or not. It may not pick up on every single email that is a part of a mailing list, but most legitimate mailing lists should be recognized, such as a coupon mailing.

When you tap on the unsubscribe button, what you’re actually doing is allowing the Mail app to send an email on your behalf from your email address to the specified mailing list’s unsubscribe email. This lets the mailing list service know you want to be removed and you should stop receiving emails from the mailing list service once they receive your request.

Limit Your Exposure

You might decide to use two email addresses — one for personal messages and one for shopping, newsletters, chat rooms, coupons and other services. You also might consider using a disposable email address service that forwards messages to your permanent account. If one of the disposable addresses begins to receive spam, you can shut it off without affecting your permanent address.

Also, try not to display your email address in public. That includes on blog posts, in chat rooms, on social networking sites, or in online membership directories. Spammers use the web to harvest email addresses.

Check Privacy Policies and Uncheck Boxes

Check the privacy policy before you submit your email address to a website. See if it allows the company to sell your email to others. You might decide not to submit your email address to websites that won't protect it.

When submitting your email address to a website, look for pre-checked boxes that sign you up for email updates from the company and its partners. Some websites allow you to opt out of receiving these mass emails.

Choose a Unique Email Address

Your choice of email addresses may affect the amount of spam you receive. Spammers send out millions of messages to probable name combinations at large ISPs and email services, hoping to find a valid address. Thus, a common name such as jdoe may get more spam than a more unique name like j26d0e34. Of course, there is a downside - it's harder to remember an unusual email address.

How Can I Help Reduce Spam for Everyone?

Hackers and spammers troll the internet looking for computers that aren’t protected by up-to-date security software. When they find unprotected computers, they try to install hidden software – called malware – that allows them to control the computers remotely.

Many thousands of these computers linked together make up a “botnet,” a network used by spammers to send millions of emails at once. Millions of home computers are part of botnets. In fact, most spam is sent this way.

Don’t Let Spammers Use Your Computer

You can help reduce the chances that your computer will become part of a botnet:

  • Use good computer security practices and disconnect from the internet when you're away from your computer. Hackers can’t get to your computer when it’s not connected to the internet.
  • Be cautious about opening any attachments or downloading files from emails you receive. Don't open an email attachment — even if it looks like it's from a friend or coworker — unless you are expecting it or you know what it is. If you send an email with an attached file, include a message explaining what it is.
  • Download free software only from sites you know and trust. It can be appealing to download free software – like games, file-sharing programs, and customized toolbars. But remember that free software programs may contain malware.

Detect and Get Rid of Malware

It can be difficult to tell if a spammer has installed malware on your computer, but there are some warning signs:

  • Your friends may tell you about weird email messages they’ve received from you.
  • Your computer may operate more slowly or sluggishly.
  • You may find email messages in your sent folder that you didn't send.

If your computer has been hacked or infected by a virus, disconnect from the internet right away. Then take steps to remove malware.

Report Spam

Forward unwanted or deceptive messages to:

  • the Federal Trade Commission at spam@uce.gov. Be sure to include the complete spam email.
  • your email provider. At the top of the message, state that you're complaining about being spammed. Some email services have buttons that allow you to mark messages as junk mail or report them as spam.
  • the sender's email provider, if you can tell who it is. Most web mail providers and ISPs want to cut off spammers who abuse their system. Again, make sure to include the entire spam email and say that you're complaining about spam.

If you try to unsubscribe from an email list and your request is not honored, file a complaint with the FTC.

How to Set Up and Use Your Amazon Echo Dot

Your new Echo Dot is a gateway to a world of smart home automation and fun with your virtual assistant. While Amazon offers several Echo devices, the Dot is a great choice due to its low price tag and slim profile. If you’re stuck during the setup of your Echo Dot or need help figuring out the basics, you’ve come to the right place. In this guide, you’ll find everything you need to know to get started with your Echo Dot and utilize its power. We’ll cover some common problem areas too. Let’s get started.

Echo Dot Unboxing and First Time Setup

First things first, you’ll need to open the box that your Echo Dot arrived in. Inside, you’ll find a few items:

  • The Echo Dot unit — we’ll refer to it as the Echo or Dot from here on out.
  • A standard microUSB cable for powering the unit.
  • A power adapter to plug into the wall.
  • Quick Start Guide with the basic setup instructions that we’ll cover in a moment.
  • Things to Try card with some sample Alexa commands.

Start by plugging the microUSB cable into the back of your Dot. Then plug the standard USB end into the adapter, then into a wall plug. Ideally, you want to place your Dot in a central location in a room so it can hear you from anywhere. Its microphones are solid, so you shouldn’t have to play around with it too much.

Your Echo will start up and show a blue light. Give it a few minutes to run through its initialization process. When you see an orange ring of light, Alexa will tell you that you’re ready to get online.


Grab the Alexa App

Since the Echo Dot doesn’t have a screen, you’ll continue the setup on your phone. Install the Alexa app for your device from the appropriate app store.

Open the Alexa app, and sign into your Amazon account (or create an account if you don’t have one already). If you already use the Amazon app on your phone, it might pick up your account automatically.


Once you’re signed in and accept the terms of use, you’ll see a list of Echo devices. You’re setting up an Echo Dot, so select that option. Confirm your language option, then hit the Connect to Wi-Fi button. Since you plugged in your device earlier, the light ring will already be orange as it advises. Press the Continue button.


Your phone will then attempt to connect to your Echo Dot automatically. If this doesn’t work, the app will ask you to press and hold the Dot’s action button (the one with a bump) for a few seconds. Once it finds the device, tap the Continue button again.

Now you need to add the Echo to your WiFi network. Tap the name of your network here, then enter the password. A moment after you press Connect, your Echo will go online.


The final step is deciding how you want to hear your Echo. You have three options: Bluetooth, Audio Cable, and No speakers. The Dot allows you to connect your device to a speaker using Bluetooth or an audio cable for better audio. If you don’t want to use either of these, the last option will play all audio through the Dot’s basic speakers.


Select No speakers for now and we’ll discuss the other options later.

After this, you’ve completed the setup! The app will offer to show you a quick video on using Alexa, and throw a couple of sample commands at you.

Important Echo Dot Functions

You can start asking Alexa questions as soon as you complete the setup. But to get the full experience, you should know about some of the other functions of your Dot.

Echo Dot Buttons and Lights

We haven’t discussed the buttons on your Echo Dot unit yet. Take a look at the top, and you’ll see a few:


  • The Plus and Minus buttons control the volume. When you tap one, you’ll notice the white light ring around your Echo grows or shrinks to display the current volume. You can also say Alexa, volume five to set a volume level — any number between 1 and 10 inclusive will work.
  • Tap the Microphone Off button to disable your Echo’s microphones. The device will light up red to let you know it’s disabled and won’t respond to the wake word. Press it again to enable the microphones.
  • The button with a dot is the Action Button. Tap it to wake up your Echo just like saying the wake word. Pressing this button also ends a ringing timer or alarm.

Note that if you have a first generation Echo Dot, you control the volume by twisting the outside ring. The earlier model doesn’t have volume buttons.

Your Echo Dot will often light up with different colors and patterns to communicate with you. Keep an eye out for these common ones:

  • Solid blue with spinning cyan lights: The device is starting up. If you see this regularly, you may be accidentally unplugging your device.
  • Solid blue with a cyan sliver: The Echo is processing what you said.
  • Solid red: You’ve disabled the microphone using the button.
  • Waves of violet: The device encountered an error when setting up WiFi. See the troubleshooting section below if you’re getting this often.
  • Flash of purple light: When you see this after Alexa processes a request, it means your device is in Do Not Disturb mode.
  • Pulsing yellow light: You have a message. Say Alexa, play my messages to hear it.
  • Pulsing green light: You’ve received a call or message. See below for more info on Alexa calling.
  • All lights off: Your Echo is in standby and listening for your requests.

How to Keep Your Personal Information Secure

Protecting your personal information can help reduce your risk of identity theft. There are four main ways to do it: know who you share information with; store and dispose of your personal information securely, especially your Social Security number; ask questions before deciding to share your personal information; and maintain appropriate security on your computers and other electronic devices.

Keeping Your Personal Information Secure Offline

Lock your financial documents and records in a safe place at home, and lock your wallet or purse in a safe place at work. Keep your information secure from roommates or workers who come into your home.

Limit what you carry. When you go out, take only the identification, credit, and debit cards you need. Leave your Social Security card at home. Make a copy of your Medicare card and black out all but the last four digits on the copy. Carry the copy with you — unless you are going to use your card at the doctor’s office.

Before you share information at your workplace, a business, your child's school, or a doctor's office, ask why they need it, how they will safeguard it, and the consequences of not sharing.

Shred receipts, credit offers, credit applications, insurance forms, physician statements, checks, bank statements, expired charge cards, and similar documents when you don’t need them any longer.

Destroy the labels on prescription bottles before you throw them out. Don’t share your health plan information with anyone who offers free health services or products.

Take outgoing mail to post office collection boxes or the post office. Promptly remove mail that arrives in your mailbox. If you won’t be home for several days, request a vacation hold on your mail.

When you order new checks, don’t have them mailed to your home, unless you have a secure mailbox with a lock.

Consider opting out of prescreened offers of credit and insurance by mail. You can opt out for 5 years or permanently. To opt out, call 1-888-567-8688 or go to optoutprescreen.com. The 3 nationwide credit reporting companies operate the phone number and website. Prescreened offers can provide many benefits. If you opt out, you may miss out on some offers of credit.

Keeping Your Personal Information Secure Online

Know who you share your information with. Store and dispose of your personal information securely.

Be Alert to Impersonators

Make sure you know who is getting your personal or financial information. Don’t give out personal information on the phone, through the mail or over the Internet unless you’ve initiated the contact or know who you’re dealing with. If a company that claims to have an account with you sends email asking for personal information, don’t click on links in the email. Instead, type the company name into your web browser, go to their site, and contact them through customer service. Or, call the customer service number listed on your account statement. Ask whether the company really sent a request.

Safely Dispose of Personal Information

Before you dispose of a computer, get rid of all the personal information it stores. Use a wipe utility program to overwrite the entire hard drive.

Before you dispose of a mobile device, check your owner’s manual, the service provider’s website, or the device manufacturer’s website for information on how to delete information permanently, and how to save or transfer information to a new device. Remove the memory or subscriber identity module (SIM) card from a mobile device. Remove the phone book, lists of calls made and received, voicemails, messages sent and received, organizer folders, web search history, and photos.

Encrypt Your Data

Keep your browser secure. To guard your online transactions, use encryption software that scrambles information you send over the internet. A “lock” icon on the status bar of your internet browser means your information will be safe when it’s transmitted. Look for the lock before you send personal or financial information online.

Keep Passwords Private

Use strong passwords with your laptop, credit, bank, and other accounts. Be creative: think of a special phrase and use the first letter of each word as your password. Substitute numbers for some words or letters. For example, “I want to see the Pacific Ocean” could become 1W2CtPo.

Don’t Overshare on Social Networking Sites

If you post too much information about yourself, an identity thief can find information about your life, use it to answer ‘challenge’ questions on your accounts, and get access to your money and personal information. Consider limiting access to your networking page to a small group of people. Never post your full name, Social Security number, address, phone number, or account numbers in publicly accessible sites.

Securing Your Social Security Number

Keep a close hold on your Social Security number and ask questions before deciding to share it. Ask if you can use a different kind of identification. If someone asks you to share your SSN or your child’s, ask:

  • why they need it
  • how it will be used
  • how they will protect it
  • what happens if you don’t share the number

The decision to share is yours. A business may not provide you with a service or benefit if you don’t provide your number. Sometimes you will have to share your number. Your employer and financial institutions need your SSN for wage and tax reporting purposes. A business may ask for your SSN so they can check your credit when you apply for a loan, rent an apartment, or sign up for utility service.

Keeping Your Devices Secure

Use Security Software

Install anti-virus software, anti-spyware software, and a firewall. Set your preference to update these protections often. Protect against intrusions and infections that can compromise your computer files or passwords by installing security patches for your operating system and other software programs.

Avoid Phishing Emails

Don’t open files, click on links, or download programs sent by strangers. Opening a file from someone you don’t know could expose your system to a computer virus or spyware that captures your passwords or other information you type.

Be Wise About Wi-Fi

Before you send personal information over your laptop or smartphone on a public wireless network in a coffee shop, library, airport, hotel, or other public place, see if your information will be protected. If you use an encrypted website, it protects only the information you send to and from that site. If you use a secure wireless network, all the information you send on that network is protected.

Lock Up Your Laptop

Keep financial information on your laptop only when necessary. Don’t use an automatic login feature that saves your user name and password, and always log off when you’re finished. That way, if your laptop is stolen, it will be harder for a thief to get at your personal information.

Read Privacy Policies

Yes, they can be long and complex, but they tell you how the site maintains accuracy, access, security, and control of the personal information it collects; how it uses the information, and whether it provides information to third parties. If you don’t see or understand a site’s privacy policy, consider doing business elsewhere.

8 in 10 Doctors Have Experienced a Cyber Attack in Practice

Physicians, overwhelmingly, are finding themselves the target of cyberattacks that disrupt their practices and put patient safety at risk.

A staggering 83 percent of physicians told AMA researchers that their practices have experienced a cyberattack of some type. The 1,300 physicians surveyed also said not enough cybersecurity support is coming from the government that will hold them accountable for a patient information breach. These and other findings are contained in a first-of-its-kind survey from the AMA and management consulting firm Accenture. The data (infographic) provide new depth—and an often overlooked physician voice—to the discussion on how best to protect patients in a complex health care system that is increasingly connected and vulnerable to cybercriminal exploitation.

“The important role of information sharing within clinical care makes health care a uniquely attractive target for cyber criminals through computer viruses and phishing scams that, if successful, can threaten care delivery and patient safety,” said AMA President David O. Barbe, MD, MHA. “New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentiality and integrity of health care data.”

A June 2017 report by the congressionally mandated Health Care Industry Cybersecurity Task Force found “health care cybersecurity is a key public health concern that needs immediate and aggressive attention,” and that, “most importantly, cybersecurity attacks disrupt patient care.” The 88-page document underscores the risk to medical care delivered in smaller settings, which are especially vulnerable to attacks by cybercriminals.

Most of the AMA survey respondents report being either very or extremely concerned about future attacks aimed at their practices. All practice settings are at risk, but attacks are twice as likely at medium- and large-size practices. Malware—the broad term for a wide range of malicious software—is a top concern, as are breaches involving the theft of electronic patient health information.

Nearly three-fourths—74 percent—of the respondent physicians said that interruption or inconvenience to the running of their practices is their greatest concern. In the context of medical care, that business disruption can very quickly become a patient safety concern. Phishing attacks also are among the top threats cited by physicians. The technique involves the use of often very sophisticated sham emails to entice recipients to reveal sensitive information—such as passwords—or trigger malware, including ransomware that blocks access to patient records and other vital practice information until an untraceable online payment is made.

Other cybercriminals just want to steal patient information outright. Medical files are highly valued in the world of financial fraud because of the depth of information they contain, far more exploitable than just a credit card number hacked from a retail site. But, increasingly, the concern is that patient information will be used in a wide variety of health care fraud. Fake claims to defraud payers also place false diagnosis and treatment information into the medical record of the legitimate patient whose data were hijacked. It is not only patient files that are at risk. Another serious concern, still mostly on the horizon, is the hacking through online connectivity and malware of medical devices—the FDA recently recalled nearly a half-million pacemakers because of that vulnerability—critical to patient care.

Still, there is no turning back on the positive uses of the technology and the AMA survey reports that 85 percent of the respondents believe it is important to have the ability to share patient electronic information. But they are critical of the public policy implementation that, after they were encouraged to go online, frustrates them when it comes to meeting the accountability standards Washington has set.

Cybersecurity's big practice costs

Meaningful use incentives—now part of Medicare’s Merit-based Incentive Payment System—put many physician practices on the road to online connectivity. The privacy enforcement standards under Health Insurance Portability and Accountability Act (HIPAA) set substantial penalties for violations. However, the complexity of HIPAA compliance has left physicians in a quandary—how to comply with elaborate requirements, explained in dense legalese, when the application of the law is in the real-life world of patient care.

The vast majority of physicians—87 percent—believe their practices are HIPAA compliant, but 83 percent believe HIPAA compliance is “insufficient.” They want to understand where their practice is at greatest risk so that attention and investment can be directed there. Many physicians say they want tips for good cyber hygiene, simpler legal language on HIPAA requirements, how-to advice on conducting cybersecurity risk assessments, and information on what to consider before hiring a consultant to help with HIPAA compliance.

Meanwhile, practices are running up six-figure annual cybersecurity bills. The amounts can be $250,000 per year for a nine-physician practice, or as much as $400,000 annually for a regional medical center with 50-plus physicians. To make the most effective use of the spending, it is important to establish a cybersecurity risk-management program. The AMA has partnered with health care cybersecurity alliance HITRUST to help small- and mid-sized practices with dependable information and strategies, in a series of workshops in eight cities throughout the country, including Pittsburgh, Chicago, Cleveland and Dallas. See the complete list of upcoming dates and locations.

Physicians can get a quick start on understanding the issues with the AMA’s one-hour cybersecurity webinar Jan. 24, 2018. Online attendees will be informed on what the AMA is doing about awareness and understanding on the issue, and how physicians can advocate to protect their patients and gain insights into the shared responsibility for securing electronic patient information.