Seven Smartcard Keys To The Internet

There has been a bit of buzz lately regarding an Internet “kill switch” and a handful of trusted individuals given the responsibility of rebooting the Internet, should it go down from cyber attack or be shut down for whatever reason.

The operation is born of the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN was formed in 1998. It is a not-for-profit public benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable, and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.

ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its role coordinating the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet.

Popsci reports that “part of ICANN’s security scheme is the Domain Name System Security (DNSSEC), a security protocol that ensures Web sites are registered and “signed” (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate site). Most major servers are a part of DNSSEC, as it’s known, and during a major international attack, the system might sever connections between important servers to contain the damage.”

The lucky seven holders of the smartcard keys are from all over the world. Each key holds an encrypted number that is one part of the DNSSEC root key. By themselves the parts are useless, but combined they have the ability to restart the Internet. The process of rebooting the web requires five of the seven key holders to be in the United States together with their keys. That’s a pretty lofty responsibility for anyone. You can learn more about the card process in this video.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses the possibility of an Internet crash on Fox Boston. (Disclosures)


Child Identity Theft

Child identity theft is a growing problem. The Federal Trade Commission estimates that there are 500,000 new victims every year. The culprits are often parents or others who have direct access to the child’s Social Security number. (In my own experience, I’ve had to give out my children’s Social Security numbers to hospitals, insurers, and schools more times than I can count.) When irresponsible parents apply for credit in their children’s names due to existing financial hardships, the soiling of their credit begins.

Jason Truxel was denied a mortgage because of bad credit. He had no idea that his credit scores were low, so he pulled his credit reports. He discovered a tremendous amount of debt, and accounts he had never opened. One such account showed that a credit card had been opened in his name when he was 13 years old. Jason found out the hard way that he was a victim of child identity theft. When Jason was a child, his father was convicted of credit card fraud.

You may be saying, “Of course I would never steal my own child’s identity,” but sometimes the custodial parent discovers that his or her ex committed identity theft when notices from bill collectors begin to arrive.

If you ever determine that your child’s identity has been stolen, you should immediately file a report with a local police department. A police report is often the first step to have the unauthorized accounts removed from the child’s credit report.

Creditors often fail to verify the applicant’s age and simply accept a credit application at face value. Children rarely discover that they are victims of identity theft until they are adults, when they are denied a student loan or even a job, if their potential employer runs a credit check and deems the applicant irresponsible based on poor credit history.

Some would say, “Protect your child’s Social Security number,” which is okay advice, but not practical and not really possible. The best solution is to invest in identity theft protection.

To ensure peace of mind and protect your child’s most valuable asset, his or her identity, subscribe to an identity protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss child identity theft on NBC Boston. (Disclosures)

Stealing Secrets: Telling Lies Over the Phone

In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon) I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. At the recent Defcon event, social engineers proved that it doesn’t take much more than asking to get the necessary information that may lead to penetrating a person’s computer.

Social engineering is a fancier, more technical form of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network.

Social engineering is all based on telling a lie and getting others to tell the truth in response. Thousands of years of civilized conditioning and cultural teaching to help and trust one another has made people just a little too eager to help.

Participants in the contest successfully got employees from some Fortune 500 companies to provide full profiles of the inner workings on network PCs and software that could easily be used to launch an attack. Some revealed what operating system they had, the version of their service pack, antivirus software, browser, email, which model their laptops were, the virtual private network software the company used, and even what garbage collector hauled the company’s trash.

In some cases, the tricksters even got the Fortune 500 employees to visit certain websites while on the phone. Sometimes the simple act of visiting a website can install a malicious program on your PC if it’s not properly protected. Based on the answers the employees provide, the social engineer can guide the person to whichever website would infect their computer.

Recognize that while you are generally not being swindled by those who call you, there is a chance that you may be. This means having systems in place regarding what can be said to whom, when, and why. Training on social engineering and how to prevent it is a must for any company and frankly for any individual who doesn’t want to fall victim to a conman.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston. Disclosures

High School Football Team Player Burglars

I was 17 once. I hung around with good kids, not so good kids and very bad kids. Teens heavily influence one another in ways that can have a direct impact on their futures. When you are young and new to the world, you are seeking out how things are supposed to be. Your gauge is guided by what your parents have become, but kids don’t often think their parents are smart enough to make the right decisions. So even if the kids’ parents are great, the kid may rebel and do stupid things.

At a young age, a kid who seems to his peers to have his act together may become a leader. That kid may be a great influencer but may not have his act together at all. He may be a leader, but a blind one. As the saying goes, the blind leading the blind.

In California “police have arrested High school football players in connection with a string of street robberies that targeted teenage boys over the past two weeks. The teenagers were wanted in connection with a string of five robberies that began June 30. After police alerted the community via e-mail and local media, someone called and offered a tip that led police to the suspect’s home. Police said the teens in custody told them that the victims were targeted because they were walking alone and distracted, either by listening to music or talking on their cell phones. In each of the reported cases, a vehicle appeared to canvass a street for an unsuspecting teen. One occupant would get out and walk ahead of the victim. He would then turn around and punch or grab the victim and steal his electronics, usually an iPod, cell phone or both, while shouting threats.”

When I was a kid, I saw this. Teens I ran with thought behavior like this was “cool”. Fortunately for me, I didn’t see the fun in that kind of behavior. I think I got lucky. Today, many of those kids I ran with are messed up, dead or in jail. When young and impressionable, even a good kid can go bad when with the wrong crowd. And for the rest of his life he will pay the penalty. My parents were great. As good a parent as you may be, your kid can get caught up in something like this. Have you talked to your kid today?

Robert Siciliano personal security expert to Home Security Source discussing Home Security on NBC Boston. Disclosures.

Banks Need You to Partner in Security

Sticking your cash in a mattress has never been a good idea. That’s why we have banks. Banks have safes, insurance, and other systems in place to ensure that multiple layers of security protect your money.

In the past decade, however, as much as 80% of all banking has taken place online, compared to the hundreds of years of traditional banking. Clearly, this is all about convenience. And it has become apparent that these conveniences of technology have outpaced consumers’ security intelligence. It is possible to secure systems in a way that will defeat most online criminal activity, but that level of security comes with inconveniences that the consumer may not be equipped to handle.

According to American Bankers Association VP of risk-management policy Doug Johnson, “The banking industry wants consumers to monitor their online accounts for unauthorized transactions on a continuous, almost daily, basis. That’s because PCs and smartphones have become the online bank branch for a lot of individuals. The customer needs to really recognize that security is most effective when they work in partnership with their financial institution.”

When banks began building out their infrastructure to allow for online banking, they didn’t anticipate the thousands of ways in which the bad guy would scheme to separate banks and their clients from their cash. There are tens of thousands of viruses created every year to overtake users’ PCs and con customers into entering their credentials in spoofed pages.

While banks are fighting their own battles, working with the security industry to create new technologies to combat fraud and account takeover, it is imperative that the banks’ customers adhere to the fundamentals.

  • Set your computer’s operating system to automatically update critical security patches.
  • Make sure your firewall is turned on and protecting two-way traffic.
  • Always run antivirus software, and set it to update virus definitions automatically.
  • Run a protected wireless network.
  • Never click links within the body of an email. Instead, go to your favorites menu or type familiar addresses into the address bar.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses online banking security on CBS Boston. (Disclosures)

Cameron Diaz Named Most Dangerous Celebrity in Cyberspace

Cameron Diaz has replaced Jessica Biel as the most dangerous celebrity to search for on the Web, according to security company McAfee, Inc. (NYSE: MFE). For the fourth year in a row, McAfee researched popular culture’s most famous people to reveal the riskiest celebrity athletes, musicians, politicians, comedians and Hollywood stars on the Web.

The McAfee Most Dangerous Celebrities™ study found movie stars and models top the “most dangerous” list this year while politicians like Barack Obama and Sarah Palin are among the safest.

Cybercriminals often use the names of popular celebrities to lure people to sites that are actually laden with malicious software. Anyone looking for the latest videos or pictures could end up with a malware-ridden computer instead of just trendy content.

“This year, the search results for celebrities are safer than they’ve been in previous years, but there are still dangers when searching online,” said Dave Marcus, security researcher for McAfee Labs.

“Through consumer education and tools, such as McAfee® SiteAdvisor® site ratings, consumers are getting smarter about searching online, yet cybercriminals are getting sneakier in their techniques. Now they’re hiding malicious content in ‘tiny’ places like shortened URLs that can spread virally in social networking sites and Twitter, instead of on websites and downloads.”

Cameron Diaz Searches Yield Ten Percent Chance of Landing on a Malicious Site

McAfee research found that searching for the latest Cameron Diaz pictures and downloads yields a ten percent chance of landing on a website that’s tested positive for online threats, such as spyware, adware, spam, phishing, viruses and other malware.

Fans searching for “Cameron Diaz” or “Cameron Diaz and downloads,” “Cameron Diaz and screen savers,” “Cameron Diaz and wallpaper,” “Cameron Diaz and photos” and “Cameron Diaz and videos” are at risk of running into online threats designed to steal personal information. Clicking on these risky sites and downloading files like photos, videos or screensavers exposes surfers or consumers to the risk of downloading the viruses and malware.

The study uses SiteAdvisor site ratings, which indicate which sites are risky when searching for celebrity names on the Web, and calculates an overall risk percentage. The top 10 celebrities from this year’s study with the highest percentages of risk are:

Position Celebrity
1. Cameron Diaz – Searching for Diaz results in a one in ten chance of landing on a risky site. She has most recently been in the spotlight with blockbuster movies, “Knight and Day” and “Shrek Forever After.” When “Cameron Diaz and screensavers” was searched, 19 percent of the sites were identified as containing malicious downloads.

2. Julia Roberts – Academy Award-winning actress Julia Roberts is one of America’s sweethearts, and will soon be in the spotlight with her upcoming release of “Eat, Pray, Love.” The overall risk of searching for Roberts is nine percent, yet searching for “Julia Roberts and downloads” results in a 20 percent chance of downloading a photo, wallpaper or other file laden with malware.

3. Jessica Biel – Last year’s Most Dangerous Celebrity fell two spots with searches resulting in fewer risky sites this year. Biel continues to be in the spotlight with her on-again, off-again relationship with Justin Timberlake, and appeared in “The A-Team” in June 2010. While her overall search risk is nine percent, searching for “Jessica Biel and screensavers” results in a 17 percent chance of landing on a risky site.

4. Gisele Bündchen – The world’s highest-paid supermodel moved up two spots since last year. Searching for “Gisele Bündchen and screensavers” can prove risky; 15 percent of the search results for this beauty can put spyware, malware or viruses on your computer.

5. Brad Pitt – Pitt is often in the spotlight with news of his movies and his personal life. It’s no wonder why this leading man has been in the top ten for the past three years. He moved up in rank five spots this year. Downloading photos, screensavers, or other files of Brad can potentially put adware or spyware in your computer.

6. Adriana Lima – Searching for downloads of this Brazilian beauty can direct users to red-ranked sites. Lima is best known for being a Victoria’s Secret Angel since 2000.

7. Jennifer Love Hewitt, Nicole Kidman – Searching for these Hollywood starlets resulted in an equal number of risky download websites.

8. Tom Cruise – With recent buzz around his MTV Awards performance as well as his movie, “Knight and Day,” Cruise rises to the top ten.

9. Heidi Klum, Penelope Cruz – Both of these ladies are consistently in the spotlight, and share the #9 spot. Cybercriminals use their names to lure people to risky sites. Klum hosts “Project Runway” and Cruz has been in the spotlight recently for her role in the “Sex and the City 2” movie and is expected to be in the fourth film of the “Pirates of the Caribbean” series.

10. Anna Paquin – This “True Blood” star is as dangerous on the Web as she is on the screen. Searching for screensavers of Paquin can lead you to downloads filled with malware.

“Cybercriminals follow the same hot topics as consumers, and create traps based on the latest trends,” continued Marcus. “Whether you’re surfing the Web from your computer or your phone or clicking on links in Twitter about your favorite celeb, you should surf safely, and make sure you’re using the latest security software.”

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss celebrity identity theft on CNBC. (Disclosures)

Telemarketing Scams Target the Elderly

We hear it over and over how the elderly are often targeted by scammers. Elderly are simply “elders” and no smarter or dumber than anyone else. If anything, they are wiser. However, as we age we often get feeble, weaker in the mind. That slightly weaker state of mind is when the scammer strikes. You one day may be part of a telemarketing scam.

The psychology behind the success of these scams might have to do with the nature of the scam. Often they put a degree of pressure on the victim in regards to losing something or gaining something, but inevitably, it’s the pressure put on them that makes the victim act. Often the plan to scam money will involve something the victim is aware of, but doesn’t have a good understanding of. The scammer often does their best to speak in a way that is basic, but at the same time slightly over the head of the victim. They lead the victim down a rabbit hole that they can’t pull themselves out of.

In Ohio and all over the country, tried and true lottery scams are emptying bank accounts. In one scam a man loses $500,000 and in another $250,000.

U.S. postal inspectors say they’re seeing fresh reports about these old-fashioned scams: Senior citizens from Cleveland, Youngstown, Toledo, Mansfield and Madison have recently reported losing hundreds of thousands of dollars apiece. The newest phone scams follow an old-fashioned formula: Scammers promise huge lottery winnings and then string victims along by inventing some problem — taxes, a customs problem, and a legal fee — that requires victims to send a sizable chunk of cash to free up their winnings. The recent victims are elderly and, for the most part, widowed, childless or estranged from family. They may have medical or other issues that cloud their judgment.”

Once the bad-guy locks in on them, they won’t let go until the bank account is beyond empty. Victims have been known to pull all the equity out of their houses as well.

In our day to day affairs with life so hectic and busy, it’s easy to forget those in our lives who are older and who may not be an immediate family member. These are people who the scammers often prey upon.

Who in your life could use some checking in on?

Robert Siciliano personal security expert to Home Security Source discussing scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures.

Researcher Proves Your Friend Isn’t Your Friend

I’ve said numerous times that there’s too much trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. Apparently, they see no reason to distrust. Generally, your “friends” are people who you “know, like and trust.” In this world, your guard is as down as it will ever be. You can be in the safety of your own home or office, hanging with people from all over the world, in big cities and little towns, and never feel that you have to watch your back.

Computerworld reports, “Hundreds of people in the information security, military and intelligence fields recently found themselves with egg on their faces after sharing personal information with a fictitious Navy cyberthreat analyst named ‘Robin Sage,’ whose profile on prominent social networking sites was created by a security researcher to illustrate the risks of social networking.”

Apparently, one of the easiest ways to gain acceptance as a trusted colleague is to be an attractive woman. I recently wrote about “Sandra Appiah,” a curvy lady who sent me a friend request. She had already friended two of my buddies, who accepted because they already had two friends in common. She had posted questionable photos of herself. Red flag? But my buds didn’t seem to see it the way I did.

The security researcher set up profiles on Facebook, LinkedIn and Twitter. “Then he established connections with some 300 men and women from the U.S. military, intelligence agencies, information security companies and government contractors.”

Steve Stasiukonis, another ethical hacker, took it to the next level. He used a similar technique and, with permission, infiltrated a company’s network to test their security. By creating a group on Facebook, he was able to access employees’ profiles.

He set up his own employee persona with a fake company badge, business cards, a shirt embroidered with the company logo, and a laptop. “Upon entering the building, he was immediately greeted by reception. Then displayed fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within seconds, he was provided a place to sit, connection to the Internet, and a 24×7 card access key to the building.”

Social media can be and is being used as a smokescreen. The idea behind social media is that we are social creatures that thrive in community and want to connect. The problem is that this ideal is based on the mindset that we are all sheep and there are no wolves.

When mama told you to not talk to strangers, there was wisdom in that advice. When you friend people who you don’t know, you are friending a stranger and going against mom’s advice.

Robert Siciliano, personal security and identity theft expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)

Spies Among Us

The term “spy” conjures ideas about “foreign operatives,” “moles” and James Bond. You might envision forged IDs, fake passports and fraudulently issued government sponsored papers. When spies were recently exposed and caught in the United States, it was kind of surreal for me, since some of them lived right here in Boston.

Back in the day, spies used advanced covert technology, which was always a hidden or shrunken version of something more common and accessible. Today, the same technology exists, and it’s cheap and mostly manufactured in China. Lighters, pens, just about any small, seemingly benign object you can think of can contain a video or audio recording device. Tiny flash or thumb drives are capable of storing gigabytes of data.

The eleven Russian spies who were recently nabbed used a lot of the same equipment that you and I use today, including laptops, flash memory cards, and cell phones, but with a twist. One of the spies would set up a laptop in a coffee shop on a regular basis, and the FBI noticed that on Wednesdays, a van driven by an official would go by. The FBI determined that when the van passed the coffee shop, there was a direct exchange of data via their wireless laptops. The discovery was made using commercially available WiFi sniffing technology. Apparently, the data was transferred in this way to avoid detection over the Internet.

The phones the spies used were prepaid mobile phones with no contract, which are often paid for with cash so the user can avoid detection. After a few uses they toss the phone and get a new number to avoid detection.

And the availability of fake identification makes it so easy to pose as someone else. Do an online search for “fake ids” and you’ll be amazed to discover how easy it can be to obtain an ID or passport. Or how easy it can be for someone else to obtain an ID that would allow him or her to pose as you. Some websites peddle poor quality cards, others offer excellent quality, and many websites are simply scams.

The fact is, most of our existing identification systems are insufficiently secure, and our identifying documents are easily copied. Anyone with a computer, scanner, and printer can recreate an ID. Outdated systems exacerbate the problem by making it too easy to obtain a real ID at the DMV, with either legitimate or falsified information.

In the end, the spies were caught with a combination of high tech surveillance and gumshoe police work. The Boston Globe reports that in 2005, FBI agents found a password written on a piece of paper while searching the home of one of the spies. This allowed agents to decode more than a hundred messages between the spies and their government.

Unless we effectively identify who is who, using secure documentation, it’s spy business as usual.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses Spies using fraudulent passports on Fox News. Disclosures

Condo, Apartment Neighborhood Watch Safety Is Key to Peace of Mind

In New Jersey, a condo board president was instrumental in launching a neighbor watch program which has received the attention of city officials.

The condo association has taken the extra step of installing home security cameras too. The local police approved of the idea of using camera security and agree that every layer of protection is a good one.

A neighborhood block watch, which residents can initiate through local police, bands together an educated public to work with police on safe neighborhoods. But it is just one of many ways an apartment or condo resident can help to improve security. Other protections run the gamut from doormen to alarms and surveillance cameras.”

A home surveillance system is effective in 2 ways. The best way is for it to be monitored by a human who can call the authorities if they detect something suspicious. The second best way is to incorporate a digital video recorder that records around the clock. Each method should include software that detects motion and sends an alert. This alert can trigger a human to interact with a non-monitored system and allow for a call to the authorities when necessary. The recording by itself is a reactive way to catch the bad guy or to at least keep tabs on what goes on around the property.

Recently my own home security system caught an altercation between two neighbors. One neighbor was clearly the aggressor which helped the other neighbor build a case against him.

Sometimes you never know what those cameras will pick up. My neighbor who was assaulted is now making his own investment in home security cameras. Sometimes adverse situations can help people learn to proactively move forward.

Robert Siciliano personal security expert to Home Security Source discussing burglar proofing your home on Fox Boston. Disclosures.