Security Increases After Grad Student Attack Off Campus

Robert Siciliano Identity Theft Expert

I see headlines like this every day. “Security increases” because we wait until something bad happens until we do something about it. How about we increase security right now because there is a small chance something bad can happen? Like the Boy Scouts, “Be Prepared.

Some time ago a home invasion in Connecticut took the lives of a mother and her two daughters while the Doctor father was tied up in the basement. Bad things happened to the women and the home was eventually set ablaze. This is the single worst home invasion I’ve ever seen. The case is in the courts now. This is a perfect example of what “Predators” are.

There always has been, is, and always will be predators stalking their prey. Unfortunately, this is the natural order of life. Predators are a part of many of life’s species. Growing up my dad sat me in front of the TV and made me watch documentaries on animal behavior.

“In the animal world”, he pointed out, and then he specifically pointed towards the lion and said “there are predators and their natural prey”. The lion hunts and stalks other animals and kills, then eats them. He explained that it’s normal for the lion to kill, its OK, it might not be nice of the lion, but that’s just the way it is.

He went on to say that in the human world, it’s the exact same thing. That there are human beings that act exactly as the lion, and its normal. Its not OK, its not nice, but that’s just the way it is. Lots to digest when you are 12. The fact is dad was right.

Some may know the story of the “Frog and the Scorpion.” Scorpion asks a frog to take him across the river on his back. Frogs like, no way dude you’ll kill me. Scorpion says “hey man, I won’t kill you, if I did I’d drown too” Frogs like, “OK man, sounds reasonable, lets do it”. Frog gets halfway across the river and the scorpion stings him! Surprised, the frog asks why, because now they will both drown, scorpions says, “Stupid frog, I’m a scorpion, its what we do. Predators are predators by nature.

There are over 500,000 registered sex offenders in the US. There are thousands more that aren’t registered and many more that simply haven’t been caught.

It’s unfortunate they can’t just be kept in jail. But this is the land of the free and the brave and we have rights. Even the child molesters have rights.

So here’s the deal. If you live in a house (which most of us do), chances are there are sex offenders near where you live and work. Its not enough to know that there are bad guys out there looking for their next victims. It’s important to do something about it. Take a self defense class, bone up on your eye gouging, and teach those you love how to protect themselves. Remember, once a scorpion, always a scorpion.

Robert Siciliano personal security expert to Home Security Source discussing Predators on the Gayle King Show

Biometrics: To Be or Not to Be?

New Hampshire, USA. “Live Free or Die,” baby. The official state motto emblazoned on every NH license plate has always intrigued. The thought of someone from NH might bring to mind revolutionaries or America militia sympathizers. New Hampshire has come a long way since its motto was created in 1945 and is not much different than most states today.

I live in Boston, one click south of Newy, and all those NH people work in Boston. I see them every day driving their fancy new fanlge auto-mo-biles with their fancy stereo phonic systems. Pleeeze. If any state should adopt the “Live Free or Die” motto it’s Montana, USA. I’ve been to MT bunches of times. They sell guns and beer and fishing rods and meat at gas stations.  NH ain’t gut nuthin’ on MT.  Plus MT had Evel Knievel and he lived in Butte. Now that’s a” Live Free or Die” town.

But it comes as no surprise that Newy is back to its shenanigans again and acting out of concerns for residents’ privacy. The New Hampshire Legislature is considering a bill that would ban the use of biometrics data in identification cards. “Acting out” being the operative term. Or are they rightfully concerned?

As noted in SC, “The bill would prohibit biometrics data, including fingerprints, retinal scans and DNA, from being used in state or privately issued ID cards, except for employee ID cards. In addition, it would ban the use of ID devices or systems that require the collection or retention of an individual’s biometric data. Under the bill, biometric data would also include palm prints, facial feature patterns, handwritten signature characteristics, voice data, iris recognition, keystroke dynamics and hand characteristics.”

That doesn’t leave much left. Why don’t they just ban them-thar fo-toe-grafs too? Come on NH, the world has evolved beyond cow tipping and flaming bags of poop on your neighbor’s door step.

In response, the Security Industry Association stated “SIA firmly believes that the broad restrictions proposed by [the bill]… reflects a significant misunderstanding of the security features and privacy safeguards of this widely-adopted technology,”

I’d say that’s more than a misunderstanding. Some believe biometrics to be the “Mark of the Beast”.

“Some have suggested biometrics, themograms, or bodily ID systems, such as iris scans, fingerprints, voice patterns, facial features, etc. as the mark of the beast. Biometrics ID could not be the mark of the beast because the mark of the beast is something you “receive“. An iris scan, voice scans, fingerprints, biometrics are NOT something you receive. It’s simply part of a person’s bodily features. In this case, every one would “have” the “mark”.”

With this kind of resistance to security, it’s amazing we get anything done. Biometrics is not an invasion of privacy. I also doubt the devil plays any role in them either. They are a tool to identify. Could they be abused? Yes. Should we be concerned? Of course. Should we ban them? Of course not.

In other parts of the world effective identification is actually embraced. Privacy concerns seem to take a back seat to security interests.

Effective use of biometric data could have prevented the apparent theft of Anglo-Israelis’ identities, MK Meir Sheetrit (Kadima), the architect of the country’s Biometric ID Law, and a former minister of intelligence services, told The Jerusalem Post” This statement is in reference to a mess of a story regarding an assassination and the use of fake passports. The Register states that “all passports now issued contain ‘biometric’ details “which are unique to you – like your fingerprint, the iris of your eye, and your facial features”. In addition, “the chip inside the passport contains information about the holder’s face – such as the distances between eyes, nose, mouth and ears” which “can then be used to identify the passport-holder”.

And they were tampered with, which means a failure of epic proportions. So, is NH right?

Meanwhile, CNN reports “in the name of improved security a hacker showed how a biometric passport issued in the name of long-dead rock ‘n’ roll king Elvis Presley could be cleared through an automated passport scanning system being tested at an international airport. Using a doctored passport at a self-serve passport machine, the hacker was cleared for travel after just a few seconds and a picture of the King himself appeared on the monitor’s display.”

Some stuff to chew on. Identity Proofing is the “ultimate” solution. Identity proofing simply means proving that individuals are who they say they are. Identity proofing often begins with personal questions, like the name of a first grade teacher or the make and model of a first vehicle that only the actual person would be able to answer. Of course, this technique is not foolproof, and now that personal information is so readily available over the Internet, knowledge-based authentication is probably on its way to extinction. The next step is documentation, such as a copy of a utility bill or a mortgage statement. These types of identifying documents can be scavenged from the trash, but they are more effective proof when combined with personal questions. Biometric features, such as fingerprints or iris scans, can help further authenticate an individual’s identity.

Authentication is the ability to verify the identity of an individual based on their unique characteristics. This is known as a positive ID and is only possible by using a biometric. A biometric can be either static (anatomical, physiological) or dynamic (behavioral). Examples of each are: Static – iris, fingerprint, facial, DNA. Dynamic – signature gesture, voice, keyboard and perhaps gait. Also referred to as something you are.

Verification is used when the identity of a person cannot be definitely established. Technologies used provide real time assessment of the validity of an asserted identity. We don’t know who the individual is but we try to get as close as we can to verify their asserted identity. Included in this class are out of wallet questions, PINS, passwords, tokens, cards, IP addresses, behavioral based trend data, credit cards, etc. These usually fall into the realm of something you have or something you know.

Allz I know is we guts to do something to fix this thing.

Protect your financial identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Please Hack Me. My Password is 123456

Robert Siciliano Identity Theft Expert


Is this you? Are you a hackers delight? Are you a lazy lima bean begging to be hacked? Recently, there were 32 million passwords stolen last month from a social media site. Upon observation, researchers determined 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

In another breach thousands of email addresses and their passwords were phished by identity thieves and posted in an online forum. Researchers parsed the hacked passwords and broke them down into categories based on their level of security. For example some of the passwords were very weak “111111” “123456” “1234567” “12345678” “123456789” made the top list. Many of the stolen passwords were people’s first names which of course could be kids, spouses, etc. Obviously, anyone who uses an insecure password like this is more likely to get hacked due to their laziness and less than sophisticated approach to security. 60% of the passwords contained either all numbers or all lowercase letters.

Beefing up passwords using a password manager is much easier. Combine uppercase and lowercase letters, as well as numbers and characters. Don’t use consecutive letters or numbers, and never use names of pets, family members, or close friends. Instead use the first letters of phrases: Full moons on Saturday bring out whackos @12am!: is FmoSbow@12am! That’s a strong password that no sane person will enter manually. But a password manager makes it possible.

I’ve tried every possible password manager on the planet. There is only one that I have found to be incredibly efficient and secure. Roboform. This thing works great. I have it on 5 PCs and the iPhone and they all sync automatically.

Robert Siciliano personal security expert to Home Security Source discussing Hacked email on Fox News

Assassin or Identity Theft Victims?

It made a little buzz in the States, but over in  Dubai, as more details become available about the assassination of senior Hamas terrorist Mahmoud al-Mabhouh in Dubai, it is becoming apparent to some (depending on which side of the wall you live on) that the assassins stole the identities of several Israelis carrying foreign passports.

Apparently, the purported identity theft stems the accessibility of passport data from Israelis who hold dual citizenship from Israel, Britain, Australia and other countries. “Six more Britons had their passports cloned by the killers of a senior Hamas official, “ Dubai police said yesterday as they revealed a total of 15 new suspects in the assassination. One of the victims/accused assassin stated “I was in total shock. I don’t know what’s happening – I don’t know how they got to me or my information. I haven’t left the country in about two years, and I’ve never been to Dubai. I don’t know who was behind this. It’s just scary, because powerful forces are involved in this.”

The Dubai police went ahead and released information on 26 suspects in the assassination. The pictures of the suspects were also released. One of the accused, after his mother saw him on the news stated, “Even my mother asked if I’d been abroad.”

Freaky Stuff.

I was interviewed in a yet to be released AP story from Jerusalem about how something like this can happen. It seems simple to me. If in fact the accused are what I would label as criminal identity theft victims, then we are all susceptible to this type of crime. I’ve always believed this to be the scariest of all identity theft and if the above story concludes as factual, then it’s a perfect example.

In the USA, we have as many as 200 forms of ID circulating including passports from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. These are paper and plastic documents that can be recreated with a PC, scanner, printer and laminator. We use numerical identifiers that aren’t physically associated with us. Pictures are attached to some documents that may not look like us. Especially if there are eye glasses involved, beards, hair coloring or hair removal, weight gain or loss. Some identification documents are absent of a photo.  This is not effective authentication. World wide, the system isn’t much more secure.

This is criminal identity theft waiting to happen.

At least protect your financial identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker video hacking P2P getting lots of fun data.

Thieves Stealing Your GPS Can Track You Back Home

Robert Siciliano Identity Theft Expert


GPS is the single greatest invention since the wheel. Well, it is for me. Admittedly, I’m not a great driver. I don’t pay attention as much as I should. I day dream and I miss exits. I’m safe, but I just don’t like to drive. GPS gets me there.

I’ve messed with all kinds of GPS devices to get me from A to B. I’ve used iPhone Apps, Google Maps and the GPS that came built into me vehicles dashboard. My dashboard GPS is frustrating and less than user friendly. So I went out and picked up one of the name brand portable models. I LOVE IT!

Out of the box, it brought me through a set up wizard. The set up wizard prompted me to plug in my home address into a field appropriately called “Home.” This thing is so user friendly it allows you to press this one button from wherever you are at the time and it gets you home!

What a fantastic feature; for a car thief or a burglar!. As soon as I saw this feature I was like, ahhhh NO! I’m not plugging my home address in this thing. If my vehicle was ever stolen, the thief would know where I lived and have the remote control to my garage too! And if you ever valet a car at a restaurant or function, the valet has a buddy who then goes to your home and burgles it! With your keys! So I plugged “Home” as the address where city hall is. Plus I never give my house keys to a valet.

Some of you reading this might be saying “The thief still has your address on your vehicle registration” Ahhhh, NO! Not mine. First, you’re supposed to carry your registration in your wallet and not leave it in the car. I learned this after the cop who I reported my stolen car told me this 20 years ago.  And my registration is listed as a PO Box. I use a PO Box as a corresponding address for almost every transaction that allows it. I have a barrier between my home life and every thing else.

Remember, you have to think like a burglar to prevent a burglary.

Robert Siciliano personal security expert to Home Security Source discussing Tracking on the Tyra Banks Show

When FTC Sends a Warning, Data Theft Has Jumped the Shark

When Fonzie jumped the shark on his HOG, that spelt the end of Happy Days.

The FTC sending a warning to 100 companies and agencies that their employees are leaking client  and sensitive data on the web via Peer to Peer file sharing (P2P) is the single most pathetic and embarrassing communication to come across the desk of an IT professional. It’s over, Johnny IT’S OVER!

The FTC certainly has their hands full with the mess of information security that we call identity theft. I’ve met some from the FTC. These are smart people who are doing the best they can with what they have to work with. But government is usually the last to be on top of what is new and ahead of what is next. Especially, with technology issues. Generally, they are reactive and fix it after it’s broke. They step in when there is a problem and work to fix it so it’s not a problem in the future.

How is it that after hundreds of data breaches and numerous articles that all point to leaks via P2P; there are still companies who allow the installation of technology that opens a big hole in your network, big enough for a car bomb?

As Byron Acohido eloquently stated The Federal Trade Commission today finally voiced concern about the long-known problem of data leaking into criminal hands via LimeWire, BearShare, Kazaa and dozens of other  peer-to-peer (P2P)  file sharing networks.” The operative word here being “FINALLY!” Why are we having this conversation?

For the under a rock crowed, P2P has been around since before the days of Napster. Peer to peer file sharing is a great technology used to share data over peer networks. It’s also great software to get hacked.

Last year the House Committee on Oversight and Government Reform responded to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords. This is the same P2P software that allows users to download pirated music, movies and software.

An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software. In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and frankly, the most fun kind of hacking. I’ve seen reports of numerous government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.

  • Don’t install P2P software on your computer.
  • If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
  • Set administrative privileges to prevent the installation of new software without your knowledge.
  • If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker video hacking P2P getting lots of fun data.

Social Media Messages Telling Too Much?

Robert Siciliano Identity Theft Expert

By now you’ve heard about a Web site called PleaseRobMe.com. This site is re-posting people’s messages, and uses a location-sharing technology to post where you are when you’re not at home. The sites motivation is to teach people they are putting themselves at risk.

I’m not a fan. There are better ways to teach and raise awareness.

I had a chance to appear on the CBS Early Show to discuss this site and its impact on personal security. Prior to doing the show I Tweeted, as I always do, to make my contacts aware of the show. What did I Tweet?

I’m on the CBS Early Show at 7:40am discussing PleaseRobMe.com politely suggesting violence. My home is alarmed & my German Shep will bite you!” I figured it was appropriate due to the nature of the segment I was about to do.

Robbery is “Larceny using threats or violence”. Or as PleaseRobMe may say, please take from me and hurt me in the process. This isn’t tongue and cheek, it borders on “inciting violence.”  And that day may come.

For years I’ve been barking about personal security as it relates to social media and the risks involved. I’ve written numerous times about how social media requires a risk vs. reward assessment.  Plain and simple, putting all your life’s details in one place makes it easy for the bad guy to gather intelligence about you.

While I believe the site has the right intentions to bring awareness to the issue, and they’ve certainly made an impact, the site is irresponsible and unethical. It’s entirely inappropriate for them to shine a big bright light on people and say “Please Rob Me”. Because some whacko just may do it. Then what?  Do the sites operators then say “I told you so” If they have a lawyer, he’s probably getting ready to buy a new home from all the money they will have to pay him.

Ending up featured on this site is the new “Scarlet Letter” of stupidity. Please, don’t be stupid.

Robert Siciliano personal security expert to Home Security Source discussing sharing too much in social media on the CBS Early Show

RATs Are Committing Identity Theft Via Webcams

A webcam is certainly one way the bad guy can get intelligence about you. They can use it to spy on you. They can listen into everything you say all day. They know when you are home or not, whether or not you have an alarm, they watch you. But in my opinion, the real issue here isn’t the webcam, but the technology that allows for full remote control access to your network.

If you are a cave dwelling uni-bomber you may have missed the story about the family who is already involved in numerous civil judgments (litigious bugs me) suing their sons school for spying on him with the school issued laptop. Apparently, it’s not OK to spy on students who are issued a school laptop.

The school apparently installed laptop tracking software that is designed to find a stolen laptop. Laptop tracking is often IP and GPS based that provides location based detection when plugged into the Net. The trick to this particular laptop tracker was a peeping Tom technology called a RAT. AKA “Remote Access Trojans.”

RAT’s can capture every keystroke typed, take a snapshot of your screen and even take rolling video of your screen via a webcam. But what’s most damaging is full access to your files and if you use a password manager they have access to that as well.

RAT’s covertly monitor a PC generally without the user’s knowledge. RAT’s are a criminal hackers dream and are the key ingredient in spyware. Common RAT’s are the LANRev Trojan and “Backdoor Orifice”. This RAT allowed the school district full remote access to the student’s laptop, and at his home and in his bedroom.  Creepola!.

Now the FBI is in the fray. According to the original complaint, the student was accused by his school’s assistant principal of “improper behavior in his home” and shown a photograph taken by his laptop as evidence. That kind of backdoor slap in the face for bad behavior certainly raises an eyebrow. For every action there is a reaction as they say.

Installing RAT’s can be done by full onsite access to the machine or opening an infected attachment, clicking links in a popup, installing a permissioned toolbar or any other software you think is clean. More ways include picking up a thumb-drive you find on the street or in a parking lot then plugging it in, and even buying off the shelf peripherals like a digital picture frame or extra hard drive that’s infected from the factory. The bad guys can also trick a person when playing a game as seen here in this YouTube video.

There are plenty of remote access programs that use legitimate back door technology that we consume every day. Examples include LogMeIn and GoToMyPC remote access. Your desktop has “remote desktop” which acts in a similar way. There are a dozen iPhone Apps that do the exact same thing.

Considerations:

An unprotected PC is the path of least resistance.  Use anti-virus and anti-spyware. Run it automatically and often.

A PC not fully controlled by you is vulnerable. Use administrative access to lock down a PC preventing installation of anything.

Many people leave their PC on all day long. Consider shutting it down when not in use.

Unplug your webcam if you are freaked out by it. If it’s built into your laptop cover it up with tape. You may also be able to disable it on start-up and uninstall it and remove the drivers that make it work.

And invest in identity theft protection.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Webcam Spying on The CW New York