Malicious insider attacks to rise. McAfee has a warning

Robert Siciliano Identity Theft Expert www.IDTheftSecurity.com

The world’s biggest software maker has warned companies to expect an increase in “insider” security attacks by disgruntled, laid-off workers.

With millions losing their jobs, there are plenty of opportunities for insiders to plug in an iPod, thumb drive or other external storage device and walk out with client data or other proprietary information.
It's been said before: company networks are like candy bars, hard on the outside and soft and chewy on the inside. Insiders who fear an inevitable layoff begin to look for ways to profit from what is immediately within their grasp.

Stealing office supplies only takes them so far. But hundreds, even millions, of records or company secrets are worth something to someone, and those on the inside usually know what it's worth and to whom.

Verizon's breach data attributes up to 18% of all breaches to insiders. McAfee separately puts the global cost of data loss and fraud at around a trillion dollars.
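One way to catch the thumb-drive scenario above on a Linux workstation, as an added example that is not part of the original post and is not McAfee's or anyone else's tooling: parse the kernel's USB messages out of syslog, tie each "USB Mass Storage device detected" line back to the vendor and product IDs the kernel logged for the same port a moment earlier, and alert on anything that is not a company-issued drive. The log lines, hostnames and the approved-device list are constructed for the demonstration.

```python
"""Spot removable-storage attach events in Linux kernel syslog output.

Added example, not code from the original post or from any vendor. The log lines,
hostnames and the allow-list of company-issued drives are constructed.
"""
import re
from collections import defaultdict

# Assumption: (idVendor, idProduct) pairs of drives the company actually issues,
# e.g. hardware-encrypted units. Any other mass-storage device is worth a look.
APPROVED_DEVICES = {("0951", "1666")}

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[ *[\d.]+\] )?(?P<msg>.*)$")
NEW_DEV_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
ATTR_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)$")
STORAGE_RE = re.compile(
    r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def detect_removable_media(log_text):
    """One alert dict per mass-storage device, carrying the attributes the kernel
    logged for the same (host, port) just before the storage driver claimed it."""
    devices = defaultdict(dict)   # (host, port) -> attributes seen so far
    alerts = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue              # not a kernel line
        host, ts, msg = m["host"], m["ts"], m["msg"]
        if new := NEW_DEV_RE.match(msg):
            devices[(host, new["port"])].update(vid=new["vid"], pid=new["pid"])
        elif attr := ATTR_RE.match(msg):
            devices[(host, attr["port"])][attr["key"].lower()] = attr["val"]
        elif stor := STORAGE_RE.match(msg):
            dev = dict(devices.get((host, stor["port"]), {}),
                       host=host, port=stor["port"], time=ts)
            dev["approved"] = (dev.get("vid"), dev.get("pid")) in APPROVED_DEVICES
            alerts.append(dev)
    return alerts


def unapproved(alerts):
    """The subset an analyst should actually chase."""
    return [a for a in alerts if not a["approved"]]


# Constructed kernel log: a keyboard (no storage class, must not alert),
# a consumer thumb drive (alert), and an approved company drive (recorded, not chased).
SAMPLE_LOG = """\
Feb 11 14:01:02 ws-17 kernel: [ 8790.101] usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Feb 11 14:01:02 ws-17 kernel: [ 8790.102] usb 1-3: Product: USB Keyboard
Feb 11 14:02:17 ws-17 kernel: [ 8812.113] usb 1-2: new high-speed USB device number 5 using xhci_hcd
Feb 11 14:02:17 ws-17 kernel: [ 8812.271] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Feb 11 14:02:17 ws-17 kernel: [ 8812.272] usb 1-2: Product: Cruzer Blade
Feb 11 14:02:17 ws-17 kernel: [ 8812.272] usb 1-2: Manufacturer: SanDisk
Feb 11 14:02:17 ws-17 kernel: [ 8812.280] usb-storage 1-2:1.0: USB Mass Storage device detected
Feb 11 14:02:18 ws-17 kernel: [ 8813.300] sd 4:0:0:0: [sdb] Attached SCSI removable disk
Feb 11 15:30:44 ws-22 kernel: [  120.004] usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.00
Feb 11 15:30:44 ws-22 kernel: [  120.005] usb 2-1: Product: DataTraveler 3.0
Feb 11 15:30:44 ws-22 kernel: [  120.010] usb-storage 2-1:1.0: USB Mass Storage device detected
"""

if __name__ == "__main__":
    for a in unapproved(detect_removable_media(SAMPLE_LOG)):
        print(f"{a['time']} {a['host']} port {a['port']}: {a.get('manufacturer', '?')} "
              f"{a.get('product', '?')} (id {a['vid']}:{a['pid']}) mass storage attached")
```

Point it at /var/log/kern.log or the output of journalctl -k and forward the unapproved list to whoever watches for data leaving the building. The same signal exists on Windows: with Audit PNP Activity enabled, Security event 6416 records every newly recognized external device, and the same approved-ID comparison applies.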

Maggie Shiels, technology reporter for BBC News, does a great job here.

Robert Siciliano is an Identity Theft Expert and CEO of IDTheftSecurity.com. He is a business builder, strategic marketer, security analyst, published author and television news correspondent. Delivers presentations on identity theft protection and personal security. Works with Fortune 1000, IT and startups. Launching, branding, messaging, representation, M&A facilitator, SEO and media. Current private equity projects include dynamic biometrics, credit card platform multi-factor authentication, security investigations and telemarketing fraud mitigation. Connect with him on LinkedIn.

Robert on Fox discussing ID Theft

Data scams have kicked into high gear, Mr. Ming Yang Has 31,000 Viruses

Robert Siciliano Identity Theft Speaker 2/11/09

“I am Mr. Ming Yang, I have an obscured business suggestion for you. Your services will be paid for. Contact mr_mingyang_desk45@hotmail.com”

Mr. Yang sent me an email just now. He wants… my services…? Or something. He's not my type. My type doesn't have a filthy virus. Plus, he is a dude.

Care for a dalliance? He’s all yours.

Great article here: Data scams have kicked into high gear as markets tumble

As the markets tank, criminals are releasing a barrage of scams: email scams of every kind, infected peripherals, drive-by downloads and more. In September 2008 a record 31,000 new pieces of malware were being released daily. That's EVERY DAY! Criminal hackers are taking full advantage of the down economy and of the panic and confusion of the millions of people whose lifetime investments are tanking and of others who've lost their jobs.

Organized criminals, in the form of webmobs, are well funded and out for blood. They breach your home PC when your kid installs a malicious program to play a game, and they go after mom-and-pop small businesses all the way up to major enterprise networks.

Five years ago criminal hackers would compromise your machine and wreak havoc: delete your files, crash your machine. Not any more. They want your machine running smoothly and efficiently, because a working machine is worth more to them than a broken one.

Your computer is an asset to organized criminals. They harness its computing power as part of a “botnet,” a robot network of compromised computers, sitting in homes and offices and connected to the internet. Every machine in a botnet has something in common: malware that installs a remote-control component, and a person or group of crackers who issue commands to it. They use your PC to do the dirty work: sending out more spam, bogus offers and phishing emails.

Your PC may also be used as a server hosting spoofed websites designed to extract data from the not-so-savvy who land on them and become victims.

Many of today's problems stem from vulnerabilities in the applications we use every day. In criminal hacker forums, malware is bought and sold that rides inside a web-based banner advertisement, often one built on Adobe Flash Player. The ad doesn't have to be clicked: in many cases simply loading the page that carries it is enough for the exploit to drop code onto your PC, and you become a zombie in someone's botnet.

Running anti-virus, keeping your operating system's critical security patches current, using a firewall, updating your applications and not being stupid will prevent most attacks.

Here is an appearance on Fox News discussing an attack on peripherals.


Identity Theft Rising; Hits Record 10M Americans in 2008

Robert Siciliano Identity Theft Speaker 2/9/09

The number of fraud victims rose in 2008, but the average loss per theft fell, according to a recent study (article here). It should come as no surprise that identity theft incidents are climbing. Over the past year we have seen hundreds of data breaches, with millions upon millions of records ripped out of networks from small businesses to large enterprises. Many of the companies breached were simply irresponsible with the information they were entrusted with. Others had been found compliant under various standards and were breached anyway.

Still, the bleeding continues, and as I have said numerous times, it will continue to get worse, not better, and change won't take place until consumer credit is frozen across the board and citizens are properly identified.

A “fullz” is an underground term for a bundle of personal information obtained by a “carder” or criminal hacker: name, address, Social Security number (the de facto US primary identifier) and, in some cases, account and credit card numbers. Fullz are traded online, often in IRC channels, by criminal hackers who act as information brokers. They used to sell for a few hundred dollars per record; now they go for as little as 20 dollars. Why? Supply. There are millions of records for sale, and it would take identity thieves multiple lifetimes to work through all of that information and turn it into cash.

In 2008 the number of victims rose 22% to a record 9.9 million, from 8.1 million a year earlier, with about one in 23 U.S. adults becoming a victim. The global economy contributes to the problem: desperate people resort to desperate acts. “Familiar” fraud is when family, friends or coworkers steal the identities of those closest to them. A father and son who share the same name are a perfect example: the son can easily adopt his father's Social Security number and open accounts under his dad's name, and what makes it so easy is that the son already carries ID bearing the name they share.

The study also shows that losses to victims have dropped. Don't get too excited; it's not what I would consider significant. It is enough, though, to suggest that consumers are recognizing a compromise of their identity more quickly, which means a bit of due diligence on the consumer's part. Good for them. However, most are still ripe for the picking because they don't take many active steps to lock down their information. That's where tools such as a fraud alert come in: it's free, but you have to renew it every 90 days, or pay a company to do it for you on an ongoing, hands-off basis. Another option is a credit freeze, which locks down your credit file and prevents anyone, even you, from opening new credit until it is thawed.

The study further shows that people who made more than $75,000 were more likely to be fraud victims, and that the fraud rate was highest among people 35 to 44 years old, which makes sense: for most people, these are prime earning years.

It is important to point out that the study was commissioned by two companies that benefit from the results. That said, I still believe the results. I say this because I'm in the same space, and I receive calls and emails daily from victims. These are people who have been caned and waterboarded by identity thieves. Their lives have been abruptly invaded, and they face an ongoing barrage of bill collectors, and even law enforcement, pursuing them for the crimes of an impostor.

Here is an appearance on Fox News discussing the same.


Identity Theft Expert; “Robby, Do I have a Paypal Account?” Back to Basics

Identity Theft Speaker Robert Siciliano www.IDTheftSecurity.com

Me Mum calls me last night. She asks, “Robby, do I have a PayPal account?” (Yes, my mom calls me Robby.) I say, “Why do you ask?” She says, “PayPal sent me an email and I need to update my account.”

She's 60. Been online for 5 years. Knows about as much as most “baby boomers” know about the Internet. And she's the mom of a dude that's been on CNN, MSNBC, FOX News and a bazillion publications on information security and identity theft prevention.

She does not have stupid written on her forehead. She's just as naive, kind and cordial as most of her peers. She reached out to me because a piece of the advice I give to millions of others rubbed off on her.

I'm telling you, call your mother right now and tell her not to respond to any emails, phone calls or snail mail from anyone but her closest friends. I'm receiving more emails from victims and seeing more news of people getting scammed than at any time in my adult life. It will get worse, it won't get better, and somebody you love will get scammed if you don't inform them of what's up.

Many agree. Another blogger added a very pertinent comment to a recent post:
“With the Russian economy evaporating we can only expect a resurgence in scams coming from there, and in fact everywhere. With the public image of banks never worse and religious leaders announcing fatwas encouraging the cyber-attack of western commerce, I expect 2009 will see new records for fraud exploits. Perhaps not in value, because of diminished wealth of the victims, but certainly in the number of attacks.”

Yup. Cold War 2.0

It's tax time for scammers in the USA, and I'm getting a flood of emails from scammers posing as the IRS. They are taking a low-tech tack: they include Word docs that the victim fills out and faxes back. I sacrificed my security and went against my own rule and opened the attachments in the last one. I scanned them first, and so far I think I'm good. And please don't send me comments telling me I have stupid written….

The attachments and note came equipped with a real fax number carrying a New York City area code (646). Can't blame the Nigerians or Russians for this one. Unless, of course, they live in NY ;)~

Make sure Mum has McAfee or another no-brainer anti-virus product on her PC, automatically updating, with every phishing filter turned on.

See below.

DOC 1

Sir/Madam,

Our records indicate that you are a non-resident alien. As a result, you are exempted from United States of America Tax reporting and withholdings, on interest paid you on your account and other financial dealing to protect your exemption from tax on your account and other financial benefit in rectifying your exemption status.

Therefore, you are to authenticate the following by completing form W-4100B2, and return to us as soon as possible through the fax number: +1-646- 519-7245.

If you are a USA Citizen and resident, please complete form W-4100B2 and fax it to us, please indicate “USA Citizen/Resident” on the form and return it to us.

When completing form W-4100B2, please follow the steps below

1. We need you to provide your permanent address if different from the current mailing address on your Form W-4100B2 , you must indicate if a non-USA resident, your country of origin to support your non-resident status (if your bank account or other financial dealing has a USA address for mailing purpose).

2. If any joint account holder are now USA residents or Citizen, or in any way subject to USA tax reporting laws, Please check the box in this section.

3. Please complete 1 through 19 and have all account holders, sign and date the form separately and fax it to the above-mentioned number.

Please, complete Form W-4100B2 ‘attached” and return to us within 1 (one) week from the receipt of this letter by faxing it, to enable us update your records immediately if your account or any other financial benefits are not rectified in a timely manner, it will be subject to USA tax reporting and back up withholding (if back up withholding applies, we are required to withhold 30% of the interest paid to you).

We appreciate your cooperation in helping us protect your exempt status and also update our records.

Sincerely,

Laura Stevens
IRS .Public Relations.

_____________________________________________________________________
DOC2

FORM W-4100B2 (US Tax Recertification)
Request for Recertification of Foreign Status
W-4100B2 Certificate of Foreign Status of Beneficial Owner
(Substitute form) For United States Tax Withholding
Part I Identification of Beneficial Owner
(JAN-APRIL. 2009)
1. Name of individual or organization that is the beneficial owner
2. Sex: □ male □ female
3. Type of beneficial owner □ Individual □ Corporation □ Complex Trust
□ Simple Trust □ Grantor Trust □ Central Bank of issue
□ Government □ International organization
□ Tax-exempt organization □ Private foundation
4. Date of Birth
5(a). Nationality: 5(b). Place of Birth:
6(a). Country of permanent Residence 6(b). Passport No.
7. Mother’s Maiden Name:
8(a). Spouse Name: 8(b). Spouse date of Birth:
9.Permanent resident address (street, apt, or suite no, or rural route).
Do not use a P.O.box or In-care of address
City or town, state or province, include postal code where appropriate
10. Mailing address (if different from above)
City or town, state or province, include postal code where appropriate
11. Social Security Number □SSN or ITIN □EIN
12. Profession: 13.Day time phone/ fax Number
14.(a) Bank Name(s):
15. Account number(s):
16. Branch Address:
17. Date Account(s) was opened:
18. How often do you come to USA and when did you arrive last?
19. ATTACH PHOTOCOPY OF PASSPORT OR US DRIVERS LICENCE FOR PROPER IDENTIFICATION
Part II Certification of Beneficiary Owner
Under penalties of perjury, I decided that I have examined the information on this form to the best of my knowledge and believe it is true, correct and complete.
I furthermore certify under penalties of perjury that:
. I am the beneficial owner (or am authorized to sign for the beneficial owner) of all the income to which this form relate.
. The beneficial owner is not a U.S person.
. The income to which this form relates is not effectively connected with the conduct of a trade or business in the United States or is effectively connected but
subject to tax under an income tax treaty, and
. For broker transaction or barter exchanges, the beneficial owner is an exempt foreign person as defined in the instructions.
Furthermore, I authorized this form to be provided to any withholding agent that has control, receipt or custody of the income of which I am the beneficial owner or withholding agent that can disburse or make payments of the income of which I am the beneficial owner.
The Internal Revenue Service does not require your consent to any provisions of this document other than the Certifications required to establishing your status as a non-U.S person and, if applicable, obtain a reduced rate of withholding.

Sign Here ____________________________________________________________
(Signer #1) signature of beneficial owner or individual authorized to sign for beneficial owner Date

Sign Here ____________________________________________________________
(Signer #2) signature of beneficial owner or individual authorized to sign for beneficial owner Date SEND FAX TO: +1-646- 519-7245

Here's a video of fraud around Tax Day:
http://www.youtube.com/watch?v=wSyPQnXNido

Identity Theft Expert; “Phexting” is the new phish “I ain’t got stupid written on my forehead”

Identity Theft Speaker Robert Siciliano www.IDTheftSecurity.com. Article here: Text Message Scam

Interviewed for this article, the victim states, “I ain't got stupid written on my forehead.” I'm sure she is a lovely woman who is smarter than her quote suggests. She received a scam text and didn't get taken.

Most of us are somewhat aware of text messaging scams. I've never received one. But I'm seeing a flood of local news reports on the issue, and I've yet to see a national story on what I predict will become as bad as email phishing.

The problem stems from criminal hackers who use software to generate cell phone numbers: start with an area code, plug in the prefixes assigned to a given cell carrier, then enumerate the last four digits. That yields every possible number in the block, and the texts go out in bulk.

Search for “mass SMS software” and you will find lots of vendors providing free or low-cost programs for sending bulk texts.

Sexting is when teens send sex pics to one another. Robert Siciliano (me) says “Phexting” is the new phish.

What's happening is that browsers and email clients are doing a better job of protecting the naive, so phexting has become the path of least resistance to the victim.

Most web-based email providers do a pretty good job of recognizing that an email is a phish: they send it straight to spam, or display a red warning banner across the top of the message in the preview pane.

Up-to-date browsers have phishing filters that recognize a spoofed website. The feature works, as long as you don't turn it off.
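What those filters actually look for can be shown in a few dozen lines. The scorer below is an added example, not code from this post, from PayPal, from the IRS or from any mail provider or browser vendor. It runs the same checks over a message in the style of Mum's “update your account” PayPal email, a fax-back letter in the style of the “W-4100B2” IRS scam quoted above, an SMS in the phexting style, and a legitimate notice. The brand table, the thresholds and all four messages are constructed.

```python
"""Heuristic phishing scorer for e-mail bodies, fax-back letters and SMS text.

Added example, not code from the original posts, from PayPal, from the IRS or from
any mail provider's filter. The brand table, thresholds and every sample message
below are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a two-entry brand table stands in for the allow-lists real filters keep.
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "irs": {"irs.gov"}}
# Data no bank or tax authority asks you to type into a form, mail back or fax.
SENSITIVE_FIELDS = [r"social security number", r"\bssn\b", r"mother'?s maiden name",
                    r"passport", r"account number", r"date of birth", r"\bpin\b", r"password"]
URGENCY = [r"within (?:\d+|one) ?(?:\(\w+\) )?(?:hour|day|week)", r"as soon as possible",
           r"update your account", r"will be suspended", r"verify your"]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """'paypal.com.account-verify.example' -> 'account-verify.example'. Assumption: two
    labels suffice for the demo; production code must consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(url_or_text):
    """Hostname of a URL; bare 'www.example.com' text is accepted too."""
    s = url_or_text.strip()
    return urlparse(s if "://" in s else "http://" + s).hostname or ""


def score_message(sender, body_html=None, body_text=""):
    """Return (score, flags). Each heuristic adds at most one flag; treat 2+ as phishing."""
    text = body_text
    if body_html:
        parser = LinkExtractor()
        parser.feed(body_html)
        links = parser.links
        text += " " + re.sub(r"<[^>]+>", " ", body_html)
    else:  # SMS or plain text: a URL is its own visible label
        links = [(u, u) for u in URL_RE.findall(text)]
    lowered = text.lower()
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", lowered)]
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    flags = set()
    sender_dom = re.search(r"@([\w.-]+)", sender or "")
    if brands and sender_dom and registered_domain(sender_dom[1]) not in allowed:
        flags.add("sender_domain_mismatch")        # talks about PayPal, sent from elsewhere
    for shown, href in links:
        real = registered_domain(host_of(href))
        if LOOKS_LIKE_URL.match(shown) and registered_domain(host_of(shown)) != real:
            flags.add("link_text_mismatch")        # displays paypal.com, points elsewhere
        if brands and real not in allowed:
            flags.add("link_domain_mismatch")      # also catches paypal.com.evil.example
    if sum(bool(re.search(f, lowered)) for f in SENSITIVE_FIELDS) >= 2:
        flags.add("requests_sensitive_data")
    if re.search(r"\bfax\b", lowered) and re.search(r"\b(?:form|attached)\b", lowered):
        flags.add("fax_back_form")                 # the low-tech Word-document variant
    if any(re.search(u, lowered) for u in URGENCY):
        flags.add("urgency")
    return len(flags), sorted(flags)


# Constructed samples: three scams in the styles discussed above, one legitimate notice.
SAMPLES = {
    "paypal_phish": dict(
        sender="service@paypal-secure-update.example",
        body_html='<p>Your PayPal account information is out of date. Please update your '
                  'account within 24 hours or it will be suspended: <a href="http://paypal.com'
                  '.account-verify.example/login">http://www.paypal.com/</a></p>'),
    "irs_fax_back": dict(
        sender="Laura Stevens <public.relations@irs-records.example>",
        body_text="Notice from the IRS: our records indicate you are a non-resident alien. "
                  "Complete the attached form W-4100B2 (date of birth, passport, mother's maiden "
                  "name, Social Security Number, bank account number) and return it to us "
                  "through the fax number within 1 (one) week."),
    "smish": dict(sender=None, body_text="PayPal: your account has been limited. Verify your "
                                          "details within 24 hours at http://pp-verify.example/secure"),
    "legit": dict(sender="service@paypal.com",
                  body_html='<p>A new device signed in to your PayPal account. <a href='
                            '"https://www.paypal.com/signin">Log in</a> to review your activity.</p>'),
}


def classify_samples():
    """name -> (score, flags) for every constructed sample."""
    return {name: score_message(**msg) for name, msg in SAMPLES.items()}
```

The legitimate notice scores zero; each scam trips several independent heuristics, which is the point: a filter that keys on one signal (a brand name, an urgent tone, a link) is easy to evade, while a scam that asks for a Social Security number and a mother's maiden name over fax has nowhere to hide. The link check compares registered domains rather than raw strings, so “paypal.com.account-verify.example” is recognized as not belonging to PayPal.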

While all these tools are helpful, nothing fixes the problem better than simple common sense. I ain't got stupid written on my forehead either. But too many people do, and snake oil salesmen can smell them from 10,000 miles away.

Here's a video on phishing:

Identity Theft Expert; Are You Addicted to Information Insecurity?

Identity Theft Speaker Robert Siciliano www.IDTheftSecurity.com. Article here: Are You Addicted to Information Insecurity?

Ben Rothke writes a great article that ties addiction to information insecurity, that's IN-security. Face it, you may be an addict. You might have an addiction to something like sugar, nicotine, alcohol, sex, gambling, emotional dependence on another person, or even carbohydrates. Try not eating a baked flour-based food for a few days and you'll go through withdrawal. Ben states, and we all know, that addictive activities produce beta-endorphins in the brain, which give the person a feeling of being high. In this piece that high is connected to being lazy and taking the easy road. I think he makes the correlation.

At times we do take “pleasure” in inaction. We get a moment of “high,” a sense of “relief,” and that is the beta-endorphins in the brain giving you a high five for inaction. But like any addiction, it will eventually hurt you one way or another.

We have been addicted to inaction. And we are fat and lazy and losing to the criminal hackers.

I often encounter people who just can't seem to get anything done. They are addicted to inaction, and I see it in their personalities in other areas of their lives. Organizations have a responsibility not to promote a culture of inaction addicts. They must address security purely and organically, with no additives or chemicals. They must systematically address each aspect of insecurity and execute strategic processes to avoid getting hit.

Consider criminal hackers disciplined, lean, mean fighting machines with no addictions (humor me), and that's what we are up against.

Here is another example of a long list of data breaches

Identity Theft Speaker Robert Siciliano on CNN 2/5/09 “Facebook Scams”

Robert Siciliano, Identity Theft Protection Expert, www.IDTheftSecurity.com, is on CNN at 7:24am and 8:44am EST (always subject to change). Updates all day on CNN.com, Headline News, CNN International and maybe 360.

Personal Security and Identity Theft Expert on E! THS Investigates: Dating Nightmares

Robert Siciliano www.IDTheftSecurity.com is featured on E! THS Investigates: Dating Nightmares (link).

True Hollywood Stories Investigates probes the dark side of dating in all its forms – the cyber hook-ups, sexual secrets, swindling suitors, psychopathic Prince Charmings, and deranged stalkers.

Thursday, Feb 5 5:00 pm eastern

Robert's Internet Movie Database resume here and here.

Identity Theft Expert; Are Legitimate Sites the Next Malware Threat?

Identity Theft Speaker Robert Siciliano www.IDTheftSecurity.com. Excellent article here: Are Legitimate Sites the Next Malware Threat?

Lax attention to critical security patches continues to give criminal hackers the path of least resistance inside the walls of SMBs and large enterprise networks. Most of us know the fundamentals: not opening attachments, updating anti-virus, securing wireless connections, avoiding P2P downloads and not spending time in the bowels of the web.

Where many fail is in routinely updating what is outdated or flawed. Further, during development more attention is often paid to functionality and to building out an application than to its security. The consequences often include a data breach and becoming part of a botnet.
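Routinely updating what is outdated starts with knowing what is outdated, and version strings are easy to compare wrongly (as text, “9.0.124” sorts after “10.0.22”). The audit below is an added example, not code from the article or from any vendor: it parses version strings into numeric tuples, pads short ones so “2.1” equals “2.1.0”, and reports both the hosts below a minimum patch level and the components that have no minimum defined at all, since those are the ones nobody ever gets around to updating. The component names, the inventory and the minimum versions are constructed; in practice the minimums come from the vendors' security advisories.

```python
"""Flag installed components that sit below a required patch level.

Added example, not code from the original article or from any vendor. Component
names, the inventory and the minimum versions are constructed.
"""
import re

VERSION_RE = re.compile(r"^v?(\d+(?:[._]\d+)*)")


def parse_version(text):
    """'10.0.12.36' -> (10, 0, 12, 36); '1.6.0_12' -> (1, 6, 0, 12); 'v2.1-beta' -> (2, 1).
    Tuples compare numerically, so '1.10' ranks above '1.9', which a string compare gets wrong."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in re.split(r"[._]", m.group(1)))


def is_outdated(installed, minimum):
    """True when installed < minimum. Shorter tuples are zero-padded so
    '2.1' and '2.1.0' describe the same release."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit(inventory, minimums):
    """inventory: iterable of (host, component, version); minimums: component -> version.
    Returns (outdated, unknown): rows that need patching, and rows with no policy entry."""
    outdated, unknown = [], []
    for host, component, version in inventory:
        if component not in minimums:
            unknown.append((host, component, version))
        elif is_outdated(version, minimums[component]):
            outdated.append((host, component, version, minimums[component]))
    return outdated, unknown


# Constructed policy and inventory (hypothetical component names and versions).
REQUIRED_MINIMUM = {"flash_player": "10.0.22", "pdf_reader": "9.1",
                    "java_runtime": "1.6.0_12", "web_browser": "3.0.6"}
INVENTORY = [
    ("ws-01", "flash_player", "10.0.22.87"),   # at or above minimum
    ("ws-01", "pdf_reader", "9.1.0"),          # equal after padding: fine
    ("ws-02", "flash_player", "9.0.124"),      # a string compare would call this newer than 10.x
    ("ws-02", "java_runtime", "1.6.0_07"),     # underscore build number below _12
    ("ws-03", "web_browser", "3.0.10"),        # 3.0.10 > 3.0.6 numerically, not lexically
    ("ws-03", "media_player", "11.0"),         # no policy entry at all
]

if __name__ == "__main__":
    old, unk = audit(INVENTORY, REQUIRED_MINIMUM)
    for host, comp, have, need in old:
        print(f"{host}: {comp} {have} is below required {need}")
    for host, comp, have in unk:
        print(f"{host}: {comp} {have} has no minimum defined")
```

Feed it the output of whatever inventories your fleet (a software-metering agent, package-manager listings, a browser plugin census) and treat the “unknown” list as seriously as the “outdated” one: a component with no owner and no policy is exactly the kind of plugin a compromised legitimate site will exploit.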

Here is a Fox News video depicting a retailer that was “compliant” but still had 300 machines infected.

Identity Theft Expert; Data breaches continue to get more costly for businesses

Identity Theft Speaker Robert Siciliano www.IDTheftSecurity.com. Article here: Data breaches continue to get more costly for businesses

Ponemon Institute LLC is all the buzz this week after publishing a study showing that the cost of a data breach has risen significantly. The study points to companies being hesitant to invest in security for numerous reasons, all of which come down to the cost of the investments.

Any company not making the necessary investments in security will eventually be outed by the criminal hacker. It's not a matter of if, but when.

Study after study points toward organized webmobs attacking every aspect of information security, from application development to the Wild Wild Web.

Here is a clip from a Fox News piece about a Google bug hack.