Mobile Phone Security Under Attack

As mobile Internet usage continues its rapid growth, cyber criminals are expected to pay more attention to this sector. Mobile device platforms compete for content creators’ latest innovations, which often require more and more device access. As applications and other content are more widely distributed, security breaches will be inevitable.

The speed of technological advancement and the demand for new products and services make mobile phones particularly vulnerable. In some countries, almost all banking takes place with the use of phones.

Spyware, which was created as a legitimate technology for PCs, further complicates matters. Spyware can track and record social networking activities, online searches, chats, instant messages, emails, keystrokes, websites visited, and programs launched. It can be the equivalent of digital surveillance, revealing every stroke of the user’s mouse and keyboard. When a PC or phone becomes infected with spyware, all the data on that PC or phone is immediately compromised.

Mobile phone spyware is relatively new, and is quickly grabbing headlines. As PCs shrink to the size of a smartphone, spyware continues to evolve. This software records nearly everything a person does on a phone. Some spyware programs can record everything in a video file that can then be accessed remotely.

Spyware can be installed on your cell phone remotely or directly. To protect your phone, never click on links in texts or emails, since these links may actually point toward malicious downloads. Keep your phone with you, don’t let it out of your sight, and don’t share it with others. Make sure your phone requires a password, as this makes it more difficult to install spyware.

If your phone is behaving oddly or you have some other reason to suspect that it contains spyware, reinstall the phone’s operating system. Consult your user manual or call your carrier’s customer service for step-by-step help with this process.

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss mobile phone spyware on Good Morning America. (Disclosures)

5 Sneaky Credit Card Scams

#1 Phone Fraud. The phone rings, and a scammer poses as your bank’s fraud department. They may have your entire card number, stolen from another source. They ask about a charge made and you deny the charge, but in order for the charge to be removed, they say they need the 3- or 4-digit CVV number off the front or back of the card. In a variation, they may have only the last 4 digits, found on a receipt or statement you threw away. They can also use the same ruse to get the full 16 digits from you.

#2 Clever Clerk. You hand your card to a sales clerk, waiter or waitress who has a card-reading wedge device. The device may be wrapped around a band on their ankle. They bend over and make it look like they are fixing a sock. Once they swipe the card through, they can make charges on your card.

#3 The Loop. You’re at an ATM that isn’t cooperating. Some nice guy injects himself into the scene to help you. During the process he watches you enter your PIN. After another attempt the ATM eats your card. After you leave all upset, he pulls the card from the ATM’s card slot using a loop of VHS tape he jammed inside the machine.

#4 Risky Retailer. When searching for something on the web you come across a website with a great deal. In the process of ordering they inform you a discount is available along with a free trial of another product. Thinking you just made out on the deal you take the bait. Next thing you know your card is charged every month and the company makes it very difficult to cancel the charges.

#5 Cell Snap. While buying something at a store you swipe your card through the point of sale terminal. If you are using a debit card you also need to punch your PIN into the keypad. The guy one or two people behind you filmed the entire transaction including your PIN on his mobile phone.

Robert Siciliano personal security expert to Home Security Source discussing Home Invasions on Montel Williams. Disclosures

Just One Day in the Boston Globe

Sometimes all you can do is shake your head and wonder how we have managed to get this far as a species. Scanning today’s paper I couldn’t help but notice the total mayhem that makes up one day of news. I bring this to your attention not to sensationalize or provide the “bad news” but to make you grateful for what you have and hopefully motivate you to go out and do something positive to help your community. It also might make you think twice about your personal safety.

October 6th 2010:

Hundreds mourn victim of Mattapan shootings

Simba Martin’s family huddled around his shiny, pewter-colored casket yesterday morning, their cries of grief filling the small red-brick church on Highland Street. Near the altar, a female relative shouted “why’’ repeatedly as she slumped in the embrace of a family member.

Death of Vt. woman is called a homicide

WATERBURY, Vt. — A body found in the woods Sunday by two bird hunters has been identified as that of a missing 78-year-old woman, and police called it a homicide yesterday.

Judge sets rules for N.H. slaying trial

CONCORD, N.H. — Three men who have acknowledged their roles in a deadly home invasion in which a woman and her daughter were stabbed and slashed dozens of times will be allowed to testify about the plot leading up to it, a judge says.

Onetime serial arson suspect accused of setting office on fire

PLYMOUTH — A Brockton man who decades ago was a prime suspect in the torching of dozens of churches, VFW posts, and other buildings in the area south of Boston was accused yesterday of setting fire to a federal probation office Monday night.

Man allegedly stole more items from grandmother after theft

A Braintree grandmother’s house was robbed Monday afternoon, and police said that as they arrived to investigate, the victim’s grandson stole more items and tried to have a friend pawn them while blaming it on the original burglar.

1 student robbed, 1 nearly abducted

One Bay State College student was robbed and another was the victim of an attempted abduction in two separate incidents yesterday afternoon, police said. Boston police spokesman David Estrada said that at about 2:30 p.m. an 18-year-old student was walking out of a Subway restaurant on St. James Street when he was robbed by a man armed with a knife.

Man ordered held in statutory rape case

A 31-year-old Tewksbury man accused of raping a 14-year-old girl in August after sending her sexually charged text messages for a month pleaded not guilty yesterday, officials said.

Man sentenced for trying to lure teen

A Dorchester man already convicted of sex offenses against children was sentenced to up to five years in state prison and 10 years’ probation Monday for attempting to lure a 13-year-old girl who was on her way to school in 2009.

Man convicted of killing three in 2007 Conn. home invasion

NEW HAVEN — A paroled burglar was convicted yesterday of killing a woman and her two daughters in a 2007 home invasion in an affluent Connecticut town and now could be sentenced to death.

Wow. Nuts! It can be a mad, mad, mad world sometimes. But being kind to someone takes less effort than being evil. Choose wisely. And please, think about home security and what systems need to be in place to protect your family.

Robert Siciliano personal security expert to Home Security Source discussing Home Invasions on Montel Williams. Disclosures

Seminar to Feature ISECOM’s OSSTMM v3

Pete Herzog, Founder of ISECOM, will be discussing the revised Open Source Security Testing Methodology Manual (OSSTMM v3) and how it applies to web application security today (10-13-2010) in Raleigh, NC.

Pete rarely gets to the US, so this is a unique opportunity for security professionals to have an open discussion with him about trust-based security models and how to apply sound logic to securing and testing web applications.

“About 5 years ago, while searching for any existing methodologies, I stumbled across ISECOM and the Open Source Security Testing Methodology Manual. It changed the way my company and I engaged with clients at every angle,” Michael Menefee of WireHead Security recently wrote.

“As a security consultant, I’ve always looked for ways to increase consistency, efficiency and value when conducting security analysis on a client’s network or business,” Menefee stated. “This would, of course, require both a data collection methodology as well as a reporting methodology in order to work properly.”

The OSSTMM is a peer-reviewed methodology for performing security tests and metrics, and the test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

On the origins of the OSSTMM, Pete Herzog wrote that, “in the research for factual security metrics, factual trust metrics and reliable, repeatable ways for verifying security, including concretely defining security, we found that the practice of guessing forecasting risk was not only non-factual but also backwards. Risk stuck us into a never-ending game of cat and mouse with the threats.”

“Beginning with version 3, the OSSTMM is no longer just about security testing. The break-throughs we’ve had in security had us re-visit how we work with security. This includes risk assessments.”

Christoph Baumgartner, CEO of OneConsult GmbH in Switzerland – whose firm has been using the OSSTMM methodology since its inception – recently commented on the value proposition the methodology standard offers, stating that, “the most important aspect is that we have an easier time keeping our clients. Most of the companies and organizations which order security audits on a regular basis are fairly well organized and have a strong interest in gaining and keeping an adequate level of security.”

“Having the attack surface metrics, the ravs, means that they can watch trends and keep a close eye on how changes in operations affect their security directly. I can definitely confirm that many of our clients who have to change the supplier for security policy reasons expect their future suppliers to apply the OSSTMM.”

OSSTMM was developed by the Institute for Security and Open Methodologies (ISECOM), a non-profit collaborative community established in January 2001.

ISECOM is dedicated to providing practical security awareness, research, certification and project support services for non-partisan and vendor-neutral projects to assure their training programs, standards, and best practices are truly neutral of national or commercial influence.

Be On The Pulse of Your Home Security

Being on top of what is new and ahead of what is next in technology has always been my thing. I had a beeper the size of a pack of cigarettes and a mobile phone bigger than a shoe box.  I’m somewhat of a gadget geek. I like new and shiny. However, when it comes to all these new technologies I am far from a first adopter.

First adopters are the ones who camp out overnight, wait in line and generally spend lots of money on something not ready for prime time. Sometimes there are flaws with new technologies that need to be worked out before you should get involved in them. My suggestion is to always let others make the mistakes and learn from them, and then you benefit from what they went through.

When it comes to home security and home automation, there have been many innovations in these technologies; most of the mistakes have been made, and lots of them have gone the way of the wooden nickel. ADT has taken its time, carefully orchestrated the best of the best technology, combined home security and home automation, and created ADT Pulse. This is a “ready for prime time” technology that has learned from everyone else’s mistakes.

ADT Pulse is a new interactive smart home solution that goes beyond traditional home security to provide a new level of control, accessibility and connection with the home.

Connectivity and interactivity are driving the way people live and manage their homes.  ADT Pulse provides customers with anywhere, anytime access to their home via smart phones or personal computers, including an iPhone application to:

  • Arm and disarm their home security system.
  • Get notified of alarms and selected events via email and text messages as well as video clips.
  • View their home through cameras and watch secure real-time video or stored video clips of events from monitored areas of the home.
  • Access lights and appliances or set schedules to automate them.

All of these options have been around for years, but nobody has gotten them right until now. If you travel for business, have a vacation home, go away for the weekend or simply want to check in while you are at school or work, this technology is for you.

Robert Siciliano personal security expert to Home Security Source discussing Home Security on NBC Boston. Disclosures.

Five Ways Identities Are Stolen Online

Cybercrime has become a trillion dollar issue. In a recent survey, hundreds of companies around the world estimated that they had lost a combined $4.6 billion in intellectual property as a result of data breaches, and spent approximately $600 million repairing the damage. Based on these numbers, McAfee projects that companies lost more than a trillion dollars in the last year.

There are several motives for this type of theft, but the most prevalent is to steal identities. Your identity is your most valuable asset, but most consumers lack the time, knowledge, and resources to protect their identities. Five of the most common ways identities are stolen online are through phishing scams, P2P file sharing, social networking, malicious websites, and malicious attachments.

Phishing: Phishing scams still work. Despite consumer and employee awareness, a carefully crafted email that appears to have been sent by a fellow employee or trusted entity is probably the most effective spear phish. “Whaling,” or targeting a CEO or other high-level executive with a phishing email, can be even more successful. As they say, the bigger they are, the harder they fall. Never click links in emails, even if they appear to come from a bank or other trustworthy source. Instead, type the address in manually or use a bookmark.

P2P File Sharing: Peer-to-peer file sharing is a fantastic way to leak company and client data to the world. Obama’s helicopter plans, security details, and notes on Congressional depositions have all been leaked on government-controlled computers via P2P. You should set administrative privileges to prevent the installation of P2P software.

Social Networking: One of the easiest ways into a company’s networks is through social media. Social networking websites have grown too big, too fast, and can’t keep up with security. Criminals know exactly how to take advantage of this, so create policies and procedures that outline appropriate use, and beware of social networking scams.

Malicious Websites: Websites designed to attack your computer and infect it with viruses number in the millions. Hacked websites, along with out-of-date operating systems and vulnerable browsers, put your identity at risk. Use antivirus software to protect your PC and your data.

Malicious Attachments: PDFs used to be safe, but Adobe is in the same boat today that Microsoft found itself in years ago: hack central. Adobe’s software or files are used on almost every PC and across all operating systems, and criminal hackers love it. Every browser requires software to view PDFs, and many websites either link to PDFs or incorporate Adobe Flash to play video or for aesthetic reasons. According to an estimate from McAfee, in the first quarter of this year, 28% of all exploit-carrying malware leveraged an Adobe Reader vulnerability.

Identity theft can happen to anyone. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first, providing live access to fraud resolution agents who work with victims to help restore identities. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss P2P file sharing on Fox News. (Disclosures)

7 Ways to Combat Scareware

You may have seen this before. It goes like this: a pop-up appears, and it looks like a window on your PC. Next thing, a scan begins. It often grabs a screenshot of your “My Computer” window, mimicking your PC’s characteristics and then tricking you into clicking on links. The scan tells you that a virus has infected your PC. And for $49.95 you can download software that magically appears just in time to save the day.

From that point on, if you don’t download and install the software, your computer goes kooky and pop-ups will invade you like bedbugs in New York City.

Web pages may be infected or built to distribute scareware. The goal is to trick you into clicking on links and downloading their crappy software.

Information Week reports those behind a new fake antivirus software have added a new social engineering element — live support agents who will try to convince potential victims that their PCs are infected and that payment is the cure.

The rogue software comes equipped with a customer support link leading to a live session with the bad guy. Real scammers on the other end of the chat can offer live remote access support: the victim is instructed by support to click a link that initiates remote access to their PC. Once connected remotely, the scammer can potentially retrieve documents to steal your identity.

Another new twist on the scam involves a pop-up in the form of a browser window with a warning that looks like what your browser may present to you when you visit a page that might have an expired security certificate, a malware warning or be a potential phishing site. The page is usually red with a warning: “Visiting This Site May Harm Your Computer.” It then provides you with a link, button or pop-up that gives you the option of downloading security software or updating your browser’s security.

The software is sometimes known as “AntiVirus2010,” “WinFixer,” “WinAntivirus,” “DriveCleaner,” “WinAntispyware,” “AntivirusXP” and “XP Antivirus 2010” or something like “Security Toolkit”. These are actually viruses or spyware that infect your PC, or just junk software that does nothing of value.

What makes the scam so believable is there is actual follow through of the purchasing of software that is supposed to protect you. There is a shopping cart, an order form, credit card processing and a download, just like any online software purchase.

Protect yourself:

#1 Use the most updated browser. Whether Internet Explorer 8, Chrome or Firefox, download the latest and greatest. At least download whatever security updates there are for your existing browser.

#2 Usually by default, a pop-up blocker is turned on in new browsers. Keep it on. No pop-ups, no scareware.

#3 If you are using another browser and a pop-up pops up, shut down your browser. If the pop-up won’t let you shut it down, do a Ctrl-Alt-Delete and shut down the browser that way.

#4 Never click links in pop-ups.  If the pop-ups are out of your control, do a hard shutdown before you start clicking links.

#5 Persistence counts. Shutting off this pop-up is often difficult and any buttons you press within this pop-up could mean downloading the exact virus they warned you of.

#6 Employ the most recent versions of anti-virus and keep it set to automatically update your virus definitions.

#7 Never click on links in the body of a “WARNING” webpage that is suggesting to download updates for your browser or suggesting to download security software. Just hit the little red X in the upper right corner.

Robert Siciliano personal security expert to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.

Typosquatting for Fun and Profit

Typosquatting, which is also known as URL hijacking, is a form of cybersquatting that targets Internet users who accidentally type a website address into their web browser incorrectly. When users make a typographical error while entering the website address, they may be led to an alternative website owned by a cybersquatter or criminal hacker.

Typosquatters often create spoofed sites that may have the look and feel of the intended site. Operations like these may actually sell products and services that are in direct competition with the site you wanted to go to, or they may be a front to steal your credentials, including credit cards or Social Security numbers. Examples from Veralab include a missing letter, such as “leson vs. lesson”; extra double characters, such as “yahhoo vs. yahoo”; wrong character sequences, such as “IMB vs. IBM”; or a wrong key pressed, such as “fesex vs. fedex.”

In some cases the typosquatters employ phishing to get you to visit the site. Phishing of course is the criminally fraudulent process of attempting to acquire sensitive information such as user names, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Typosquatting and phishing go hand in hand.

SC Magazine reports “in most cybersquatting cases, the web address can be similar in appearance to the actual corporate site, but will instead contain pay-per-click advertisements, according to a 2007 McAfee report, which studied 1.9 million typographical variations of 2,771 of the most trafficked websites.”

Last year scammers created a website imitating Twitter.com called tvvitter. That’s t-v-v-itter, cute huh? They sent phishing emails to millions of users, many of whom clicked on the link contained within the emails, which sent them to the phishing site, where they entered their user names and passwords in order to log in.
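The typo classes listed above (missing letter, doubled character, swapped characters, wrong key) and the tvvitter-style substitution can be checked mechanically when reviewing proxy or DNS logs. The following is an added example, not part of the original article; the function names, the `.example` hostnames and the extra `rn`/`m` pair are assumptions, and taking the label just left of the TLD is a simplification.

```python
# Added example: classify lookalike hostnames against a watchlist of brand names.
# Hostnames below are constructed; the brand names are the ones used in the article.

ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Multi-character visual stand-ins. "vv" is the tvvitter case from the article;
# "rn" for "m" is an assumed extra entry.
LOOKALIKES = {"vv": "w", "rn": "m"}


def _adjacent_keys():
    """Map each letter to its physical neighbours on a staggered QWERTY layout."""
    adj = {}
    for r, row in enumerate(ROWS):
        for c, key in enumerate(row):
            near = set()
            # Same row: left/right. Row above: c and c+1. Row below: c-1 and c.
            for dr, cols in ((0, (c - 1, c + 1)), (-1, (c, c + 1)), (1, (c - 1, c))):
                if 0 <= r + dr < len(ROWS):
                    other = ROWS[r + dr]
                    near.update(other[k] for k in cols if 0 <= k < len(other))
            adj[key] = near
    return adj


ADJ = _adjacent_keys()


def classify_typo(observed, legit):
    """Return the typo class that turns `legit` into `observed`, or None."""
    observed, legit = observed.lower(), legit.lower()
    if observed == legit:
        return None
    # Visual lookalike: undoing the substitution everywhere yields the real name.
    for fake, real in LOOKALIKES.items():
        if fake in observed and observed.replace(fake, real) == legit:
            return "visual lookalike"
    if len(observed) == len(legit) - 1:
        if any(legit[:i] + legit[i + 1:] == observed for i in range(len(legit))):
            return "missing character"
    if len(observed) == len(legit) + 1:
        for i in range(1, len(observed)):
            repeated = observed[i] == observed[i - 1]
            if repeated and observed[:i] + observed[i + 1:] == legit:
                return "doubled character"
    if len(observed) == len(legit):
        diff = [i for i in range(len(legit)) if observed[i] != legit[i]]
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and observed[diff[0]] == legit[diff[1]]
                and observed[diff[1]] == legit[diff[0]]):
            return "transposed characters"
        if len(diff) == 1 and observed[diff[0]] in ADJ.get(legit[diff[0]], ()):
            return "adjacent key"
    return None


def flag_lookalikes(hostnames, brands):
    """Return (hostname, brand, typo class) for every hostname that is one typo
    away from a watched brand. Exact matches are not flagged."""
    hits = []
    for host in hostnames:
        labels = host.lower().rstrip(".").split(".")
        # Simplification: compare the label just left of the TLD.
        name = labels[-2] if len(labels) >= 2 else labels[0]
        for brand in brands:
            kind = classify_typo(name, brand)
            if kind:
                hits.append((host, brand, kind))
    return hits


BRANDS = ["lesson", "yahoo", "ibm", "fedex", "twitter"]
# Constructed sample of hostnames as they might appear in a proxy or DNS log.
SAMPLE_HOSTS = ["www.leson.example", "yahhoo.example", "imb.example",
                "fesex.example", "tvvitter.example",
                "www.fedex.example", "weather.example"]

if __name__ == "__main__":
    for host, brand, kind in flag_lookalikes(SAMPLE_HOSTS, BRANDS):
        print(f"{host:22} looks like {brand:8} ({kind})")
```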

When doing a search online look carefully at any links you click.

When typing in a browser, before hitting “enter” look at the address bar to confirm you spelled it properly.

Do business with e-tailers you are familiar with and carefully spell their domain.

Set up your favorites menu with your most visited sites.

So heads up, be careful out there and don’t get hooked.

Robert Siciliano personal security expert to Home Security Source discussing burglar proofing your home on Fox Boston. Disclosures.

Half Billion Records Breached in 5 Years

In the late 90s and early 2000s, hacking had evolved from “phreaking” (hacking phone systems) to “cracking” (breaking into networks). At the time, hackers hacked for fun, for the challenge, and for fame and popularity within the hacking community. But soon enough, the public began spending more time online, shopping, banking, and managing personal affairs. Hackers are no longer wreaking havoc for its own sake, deleting files, or tormenting IT administrators. Now, they’re stealing proprietary data. Instead of fun and fame, today’s hackers are motivated by illegal financial gain.

Over the past five years, criminal hackers from all over the world have been targeting huge databases of Social Security and credit card numbers. The endgame for criminal hackers is identity theft. Once they obtain stolen data, their objective is to turn it into cash as quickly as possible. This either entails selling the data to identity thieves on black market forums, or using the information to create new accounts or to take over existing credit card accounts.

According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years. The Chronology of Data Breaches lists specific examples of incidents in which personal data is compromised, lost, or stolen: “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

So when a so-called “identity theft expert” claims that you can protect yourself from identity theft for free, simply by shredding documents, not giving out your Social Security number, locking your mailbox, and monitoring your online accounts, that person does not have the full picture. You should take all these precautions. But when almost everyone’s personal information has been stolen or compromised once or twice, as a result of breaches that are entirely out of our control, it’s clear that you simply can’t protect yourself on your own. This is why identity theft protection is a must.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss an identity theft pandemic on CNBC. (Disclosures)

5 Ways to Prevent Check Fraud Scams

Check fraud is a billion dollar problem. Check fraud victims include banks, businesses and consumers. Our current system for cashing checks is somewhat flawed. Checks can be cashed and merchandise can be purchased even when there is no money in the checking account.

There are 5 main forms of check fraud to watch out for:

Forged signatures are the easiest form of check fraud. These are legitimate checks with a forged signature. This can occur when a checkbook is lost or stolen, or when a home or business is burglarized. An individual who is invited into your home or business can rip a single check from your checkbook and pay themselves as much as they like. Banks don’t often verify signatures until a problem arises that requires them to assign liability.

Forged endorsements generally occur when someone steals a check written to someone else, forges an endorsement and cashes or deposits it.

Counterfeit checks can be created by anyone with a desktop scanner and printer. They simply create a check and make it out to themselves.

Check kiting or check floating usually involves two bank accounts, where money is transferred back and forth, so that they appear to contain a balance which can then be withdrawn. A check is deposited in one account, then cash is withdrawn despite the lack of sufficient funds to cover the check.

Check washing involves altering a legitimate check, changing the name of the payee and often increasing the amount. This is the sneakiest form of check fraud. When checks or tax-related documents are stolen, either from the mail or by other means, the ink can be erased using common household chemicals such as nail polish remover. This allows the thieves to endorse checks to themselves.

Uni-ball pens contain specially formulated gel ink that is absorbed into the paper’s fibers and can never be washed out. The pen costs two bucks and is available at any office supply store.

Consider a locked mailbox so nobody can access your bank statements.

Use online banking and discontinue paper statements.

Never toss old checks in the rubbish; always shred them.

Have checks delivered to the bank for pickup, as opposed to your home.

Guard your checks in your home or office; lock them up.

Go over your bank statements carefully.

Robert Siciliano personal security expert to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.