Why is Child Pornography on Your PC?

Robert Siciliano Identity Theft Expert

Anti-virus protection, critical security patches and a secure wireless connection have always been essential processes on my networks. My main concern has always been to protect my bank account by keeping the bad guy out.

In my presentations, I’ve always stressed the importance of making sure your wireless connection is secured, to prevent skeevy sex offender neighbors or wackos parked in front of your business from surfing for child porn and downloading it to your PC.

Once a predator uses your Internet connection to go into the bowels of the web, your Internet Protocol address, which is connected to your ISP billing address, is now considered one that is owned by a criminal. If law enforcement happens to be chatting with that person, who’s using your Internet connection to trade lurid child porn, then someone may eventually knock on your door at 3 AM with a battering ram. And in another freakish and relatively new twist, hackers can use a virus to crack your network and gain remote control access, and then store child porn on your hard drive.

An AP investigation found plenty of people who have been victimized in this way. Maybe their PCs were being used as a virtual server, or maybe they were being framed by someone with a vendetta against them, but either way, they had child pornography planted on their computers. Once that porn is discovered by a friend, family member, or computer technician, the victim is arrested.

This is the kind of “breach” that can cost you thousands in legal fees, your marriage, relationships, your job, and your standing in society. In one case, a virus changed the default home page on a man’s PC, and his seven year old daughter discovered it. The guy was arrested and eventually lost custody of his daughter. And you think you’ve got problems.

When you click a link in an email or a pop up advertisement in your browser, you may inadvertently download one of these viruses, which can then visit child pornography websites and download files onto your hard drive.

It is also important to point out that most criminal investigators will say that “a virus put the child porn on my PC” is a bunch of hooey and a common defense used by the presumed innocent until proven guilty. Simply don’t give anyone a chance to doubt by doing the following:

  • Don’t be a scumbag child pornographer. Where there’s smoke there’s usually fire.
  • Make sure your anti-virus is up to date and set to run automatically.
  • Update your web browser to the latest version. An out of date web browser is often riddled with holes worms can crawl through.
  • Update your operating system’s critical security patches automatically.
  • Lock down your wireless internet connection with the WPA security protocol.
  • Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU. “Disclosures”

Robert Siciliano Identity Theft Speaker discussing viruses on Fox News

Smarten Up. Increase Your Information Security Vocabulary

Robert Siciliano Identity Theft Expert

Years ago (like 20) a friend was graduating from college and moving away and a bunch of friends were throwing a party for this person. Collectively they asked me if I’d write a small speech as a version of “This is your life”. Stymied as to why they would ask me to do it I asked “Why me?” My girlfriend at the time said, and I quote “Because you gut good words”. Serious. And my writing and speaking began. Inspiration comes in many forms.

People who generally have too much time on their hands read my posts. Or they simply enjoy my train wreck world view. Anyway there are some fantastic resources that I draw from that help me to break down the complicated issues revolving around how to keep the bad guy from draining your bank account. The following make me look good. (not to insult the following)

READ/CONSUME/RSS:

Finextra Blogs. A vibrant community of finance, IT and security professionals from almost every corner of the planet. A melting pot of diversity that provides a world view on numerous issues. Just don’t piss off Paul.

The Register. A UK based digital diary of all things tech. John Leyden and Dan Goodin are Register rockstars.

Dark Reading. Isn’t as dark as it sounds. They hit on every possible security issue and are well researched. Kelly Jackson Higgins (is tireless) and John Sawyer & Graham Cluley provide great information. Tim Wilson is a must must must read.

COMPUTERWORLD Provides the most detailed exhaustive data of any source. Articles are deep and informative and keep you tuned to industry players too. Jaikumar Vijayan and Robert McMillan wear me out.

Wired.com Has anything and everything wires or wireless. Kim Zetter, David Kravets seem to have the inside scoop on everything. Kevin Poulsen Sr Editor used to run from the law with Kevin Mitnick and now bitch slaps anyone who says stupid stuff.

StorefrontBackTalk.com, run by Evan Schuman, is a smart e-commerce/retail/PCI publication.

DataLossDB is run by the Open Security Foundation, an ornery bunch that keeps tabs on insecurity. Provides accurate statistics to CSOs and CTOs to assist them in decision making. They and their merry band of volunteers are watching you.

USAToday Michelle Kessler is all technology and Byron Acohido and Jon Swartz are very respected journalists who come up with the best insider stories on the planet, and have never ever called me.

The Washington Post Security Fix by Brian Krebs. Nobody has more crack heads, meth addicts and criminal hackers begging to tell their stories to a well known journalist. At least that’s my impression. You can’t not learn from this guy.

Information-Security-Resources.com, a new addition to my feeds, is edited by Anthony M. Freed and has contributions by Richard Stiennon and Danny Lieberman, who often draw colorful commentary.

Nextadvisor.com/blog/ a consumer based easily digestible take on what’s new and current in consumer security issues and product comparison. Kent and Caitlin keep tabs on all things “need to know”.

IAPP Daily Dashboard Mike Spinney, Senior Privacy Analyst, CIPP is a senior privacy analyst with the Ponemon Institute. Dude just rocks.

CNET Elinor Mills does the best job of breaking down complex issues into bite size chunks.

Increasing your information security vocabulary helps keep you and your business secure, like eating good food and exercising helps keep you healthy. So get smart. Up your IT/infosec intelligence. Read these sources and follow these journalists. They all gut good words.

  • And do yourself a favor: Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.

Robert Siciliano Identity Theft Speaker discussing all kinds of security stuff on TBS Movie and a Makeover

Insider Identity Theft Can Be Most Damaging

Robert Siciliano Identity Theft Expert

Earlier this week, an IT employee was indicted for stealing the identities of 150 of his coworkers at Bank of New York Mellon, to the tune of 1.1 million bucks. He bilked almost $140,000 a year over an eight year period by compromising the online bank accounts of numerous employees and wiring money to fraudulent accounts outside the bank.

This is a classic case of the fox watching the hen house. This guy was an insider terrorist, looking his colleagues straight in the eye and lying to them. I rank him with pedophiles and serial killers.

As much as 70% of all identity theft is committed by someone with inside access to organizations such as corporations, banks, or government agencies, or by someone who has an existing relationship with the victim. People with access to sensitive personal data are most likely to commit identity theft. For many, it’s just too easy not to.

An identity thief begins by acquiring a target’s personal identifying information: name, Social Security number, birth date and address, account information etc. If the thief has regular access to a database, this data is right there for the taking. Many credit applications and online accounts request current and previous addresses. So the thief fills out the victim’s current address as “previous” and plugs in a new address, usually a P.O. box or the thief’s own address, where the new credit card or statement will be sent. I’m amazed that a lender or credit card company can be careless enough to send a new credit card to a relatively anonymous P.O. box. The lender just checks the victim’s credit and, since everything matches, no red flags pop up. The card is issued, the account is opened and the fun begins.

In the Bank of New York Mellon case, investigators found dozens of bank and credit statements in the names of the victims at the thief’s home address.

Think for a moment about your house or apartment, and how you might break in if you lost your keys. If a burglar knew what you know about where you hide and store your stuff, how much damage could he do? Insiders pose the same problem. They know the ins and outs of all systems in place, and can wreak havoc on your operation as long as they are employed, and sometimes even after they are let go.

The problems begin when we are forced to trust people with complete access in order to allow them to perform their required duties. Ultimately, this is a people problem and needs to be addressed as such.

It is human nature to trust each other. We are raised to be civil towards one another and to respect those in authoritative positions. It takes a significant amount of trust in your fellow human beings to drive down the street while cars are heading toward you, separated only by a thin painted line. Without trust, we couldn’t get out of bed in the morning.

To protect your business and your data, limit sources as much as possible. Minimize the personnel with access to essential systems. Supervise the supervisors. Even your good apples can eventually go bad, so limit access, even for those who are in a trusted position. And require checks and balances, with multiple layers of authorization. If one person is always watching over another person’s shoulder, bad apples can’t hide or execute scams. Perform due diligence. In the information age, our lives are an open book. Background checks from information brokers are crucial. Failing to do background checks increases your liability. Someone who has been previously convicted of a crime just might do it again. And if a breach of trust does occur, prosecute the guilty. Make an example that others won’t forget. Public hangings are a strong deterrent.

Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.

And invest in Intelius identity theft protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”

Robert Siciliano identity theft speaker discussing identity theft on Fox News

Congress Breached via P2P Filesharing…AGAIN!

Robert Siciliano Identity Theft Expert

Congress is still considering the Informed P2P User Act, a law that would supposedly make it safer to use peer-to-peer file sharing software, an effort that is similar to banning mosquitoes from sucking blood. It just isn’t happening. The only foolproof way to prevent accidental data leaks via file sharing programs is for IT administrators to lock down networks and prevent the installation of rogue software.

Congress suffered another embarrassing P2P breach last week, after a confidential memo regarding an ethics investigation into the conduct of thirty House members was leaked, thanks to file sharing software installed by a junior staff member. This follows similar leaks that occurred earlier this year, which revealed sensitive details regarding the security of the First Family. House leaders have ordered an “immediate and comprehensive assessment” of congressional cybersecurity policies. Rep. Zoe Lofgren, chairman of the ethics committee, pointed out that “individual error and sloppiness is always the Trojan horse of cybersecurity.”

Peer-to-peer file sharing allows users to access each other’s computers in order to share music, movies, software, and other files. Unfortunately, many people don’t set up their P2P programs correctly, and they unintentionally end up sharing their most important and sensitive files, including bank records, tax files, health records, and passwords. (This is the same P2P software that allows users to download pirated music, movies and software.) This can result in data breaches, credit card fraud and identity theft. I’ve seen numerous reports of government agencies, drug companies, mortgage brokers, and others discovering P2P software on their networks after sensitive data was leaked.

Savvy users lock down their file sharing software to prevent others from tooling around with their settings. If your IT abilities are scant, you should take the following precautions:

  • Don’t install P2P software on your computer.
  • If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is.
  • Set administrative privileges to prevent the installation of new software without your knowledge.
  • If you must use P2P software, be sure that you don’t share your entire hard drive. When you install and configure the software, don’t let the P2P program select data for you.
  • Make sure your PC has recently updated Internet security software. P2P networks are riddled with viruses.
  • Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.

Robert Siciliano, identity theft speaker, discusses P2P hacks on Fox Boston.

10 Ways to Prevent Social Media Scams

Robert Siciliano Identity Theft Expert

For the past year, I’ve been screaming about the trouble with social media as it relates to identity theft, brand hijacking, privacy issues, and the opportunity social media creates for criminals to “friend” their potential victims in order to create a false sense of trust and use that against their victims in phishing or other scams. I predicted long ago that the problem will get a lot worse before it gets better and there’s no question about it, criminal hackers have taken hold and are in full force.

We hear about a new Twitter phishing scam almost daily, whether it’s via direct messaging or a shortened URL. My spam folder is filled with emails from Facebook phishers, requesting new login credentials, or a “friend” who’s sending me a video that’s actually a virus.

Not too long ago, it was big news when someone had their Facebook account jacked by someone who impersonated the victim, claiming to have lost their wallet in the UK and begging for a money wire. Lately, I see another story about another victim every week.

Last time I checked, Facebook had more than 400 million users and Twitter has more than 50 million. These numbers jump exponentially every month, and old and new users are still being victimized.

James Carnall, manager of the cyberintelligence division at security monitoring firm Cyveillance, says, “Social media cybersquatting is where domain name cybersquatting was ten years ago”.

Scammers aren’t just stealing identities and spreading malware. They are brand jacking in ways that are hurting companies’ bottom lines. While many may not have sympathy for the bottom lines of billion dollar corporations, this hurts the little guy, too. Knock off software, hardware, merchandise, and movies ultimately cost legitimate taxpayers jobs and hurt the economy when the money is heading to criminal hackers elsewhere in the world. Liz Miller, vice president of the Chief Marketing Officer Council, says, “Counterfeiting operations are highly organized, are very global and are picking up steam because of the economy.”

MarkMonitor, a company that tracks online threats for its clients, determined that phishing attacks on social networking sites increased by 164% over the past year. And in a CMO Council survey of 4,500 senior marketing executives, nearly 20% of the respondents said they had been affected by online scams and phishing schemes that had hijacked brand names. These statistics undeniably point to organized crime syndicates.

Protect yourself from social media identity theft.

  1. Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday. You can do this manually or by using a very cost effective service called Knowem.com.
  2. Register all your officers, company names and branded products on every social media site you can find to prevent Twitter squatting and cybersquatting.
  3. Get free alerts. Set up Google alerts for your name and get an email every time your name pops up online. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google does of fetching your name on the web.
  4. Implement policies. Social media is a great platform for connecting with existing and potential clients. However, without some type of policy in place that regulates employee access and guidelines for appropriate behavior, social media may eventually be completely banned from every corporate network. Teach effective use by providing training on proper use and especially what not to do.
  5. Encourage URL decoding. Before clicking on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.
  6. Limit social networks. In my own research, I’ve found 300-400 operable social networks serving numerous uses from music to movies, from friending to fornicating. Some are more or less appropriate and others even less secure. Knowem has a mind blowing list of 4600 as of this writing.
  7. Train IT personnel. Effective policies begin from the top down. Those responsible for managing technology need to be fully up to speed.
  8. Maintain updated security. Whether hardware or software, anti-virus or critical security patches, make sure you are up to date.
  9. Lock down settings. Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.
  10. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”

Robert Siciliano Identity Theft Speaker with ID Analytics discussing Social Media Identity Theft on Fox Boston

Once a Predator Always a Predator

Robert Siciliano Personal Security Expert

A necessary diversion from my daily IT security/Identity theft rants.

So what happens when a convicted rapist lures a 21-year-old woman to his bedroom in 1989, then spends 15 years in jail and then gets a free pass in 2005? He does it again. Why? Because that’s normal. It’s not OK, but it’s normal. It’s his nature. A psychologist said to me years ago, “You would be amazed at how many levels of normal there are”.

Officers went to this 50-year-old guy’s home to arrest him for assault and rape and emanating from his home was a bad smell. The smell turned out to be 6 dead women. The decomposed bodies were discovered buried in the basement all the way up to the 3rd floor. The coroner estimates some could be 3-4 years old, which would coincide with his release from prison.

A 43 year old female neighbor has been missing for 6 months. Neighbors are concerned she is one of the 6.

As a convicted sex offender, he was required to report regularly to the sheriff’s office, which said he had complied. This is an obvious false sense of security that all municipalities employ. The system certainly has its flaws. People lose faith in the system and don’t trust their officials to effectively do their jobs.

Law enforcement officers sometimes bear the brunt of the blame, but often undeservingly. They are on the front lines and have the miserable task of dealing with the absolute lowest life forms on the planet.  The cop catches the bad guy then he gets off because of some technicality. Judges often make errors but ultimately have a responsibility to work within the law.  While common sense would say the guy should be castrated, we can’t do that in a civilized society.

This predator did his time. 15 years is no small stint. But his first victim is still and will always be a victim. She got life. Hopefully she healed to a degree that she could live a balanced life. The rest of his victims got a death sentence.

The question always arises as to whether or not a sex offender can be rehabilitated. I’m sure there is a handful of level ones and level 2s that can be. But once a predator always a predator. It’s their nature. It’s their normal.

With 500,000 registered sex offenders in the US and thousands more unaccounted for and even more who’ve never been caught, know that this can happen to you or your daughter. Know how to fight. Know how to defend yourself from a predator. Understand all the vulnerable points of the human body and what parts of your body can be used as weapons.  Go for the eyes, nose, throat, groin, instep of foot. Know how to fight from the ground, if attacked from behind, or when a distraction is used in front.

Determine if you want to carry a weapon, but know your brain is your best defense weapon. Carry a weapon if you are properly trained and not a day before. Years ago my childhood hero was this Chicago cop named JJ Bittenbinder. He would say “If all else fails, let them kiss you, then bite down on their lips until your teeth meet.”

Nice.

There are a bunch of free sites you can go to that will let you know the current living situations and general whereabouts for registered sex offenders in your town. Take advantage of every opportunity you can to learn where the bad guy is. Intelius offers “Neighborhood Check” which is a service that keeps you alert to new sex offenders moving in and their addresses. Complacency can result in bad things happening. Be vigilant, alert, and aware and know your options.

Robert Siciliano “Disclosures” Personal Security Expert discussing how to survive an attack on Fox Boston