Hackers Play “Social Engineering Capture The Flag” At Defcon

Social engineering is a fancier, more technical form of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network. Smart organizations train their employees to identify and resist the more common attempts to trick them into letting down their guard. Criminal hackers use social engineering as a very effective tool and as part of their strategy when gathering information to piece together the parts of their scams. They often target company executives via phone and email. Once they have extracted some data from the top, accessing networks or whatever end game they had in mind is much easier.

Social engineering has always been a “person to person” confidence crime. Once the con man gains the mark’s trust, the victim begins to provide all kinds of information, or to fork over cash and credit. Trust seems to be an inherent trait we all have from birth. I suppose we would need to be able to trust one another in order to survive as an interdependent communal species, otherwise fear would prevent us from relying on others to nurture us until we are tossed out of the nest.

Defcon is a conference for hackers of all breeds. There are good guys, bad guys, and those who are somewhere in between, plus law enforcement and government agents. All kinds of inventive people with an intuition for technology descend on Las Vegas to learn, explore, and hack. InfoWorld reports, “This year’s Defcon gathering in Las Vegas will feature a contest in which participants will compete to gather nuggets of information from unsuspecting target companies — over the telephone instead of the Internet.”

Defcon is known for its antics but it’s also an event where hackers of all flavors improve their skills. The game they are playing this year is a social engineering fun-o-rama called Social Engineering CTF, referencing the game “Capture the Flag.” “This contest will borrow elements from the convention’s traditional computer-based CTF tournaments, but with a few variations. Prior to the conference, participants will receive an email with the name and URL of a target company. Participants will be permitted to gather preliminary information about the company using Google searches and other passive techniques. Contestants are banned from contacting their target directly via email or phone, and they get points for information gathered. Competitors then use that data during the actual tournament to fuel their social engineering attack. They have twenty minutes to call unsuspecting employees at their target companies and obtain specific bits of (nonsensitive) information about the business for additional points. Participants aren’t allowed to make the target company feel at risk by pretending to represent a law enforcement agency.”

Recognize that online predators use these tactics to get what they want. They consider you, the innocent computer user, their natural prey.

So always question authority, or the appearance of authority. Don’t automatically trust or give the benefit of the doubt. When you are contacted via phone or email, or approached in person, proceed with caution. Always be suspicious of external or internal communications, and consider that you could be the target of a phishing scam. Never click on links in the body of an email, and if an email prompts you to divulge a username and password, pick up the phone to verify the legitimacy of the request. The best defense is effective policies coupled with ongoing awareness training.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Keeping Kids Safe Online

It is no surprise that cybercriminals are taking advantage of the Internet and the people who use it. The Internet is like a bad neighborhood with bad guys around every corner. Any parent with an ounce of sensibility should recognize that when your child is on the wild wild web, they are at the same risk as they would be walking through the red light district in any big city.

I’m not saying this because I want to instill fear and panic. I’m bringing this up because sex offenders, pedophiles, criminal hackers and identity thieves treat the online world as if it were the physical world, and use the anonymity of the web and the ease of approach to seduce your children into doing things they wouldn’t normally do.

The Secret Online Lives of Teens, a survey conducted by McAfee, reveals that tweens and teens are relatively clueless about online privacy. The study sheds light on this generation’s tendency to use the Internet in ways that translate to danger in the real world.

There always has been, is, and always will be a predatory element out there. Generally, most people don’t want to think about that or even admit that it’s true. Instead of acknowledging the risks, most people completely discount this reality, telling themselves, “It can’t happen to me or my kids.”

The good news is you can do something about it. As soon as a family member becomes active online, it’s time to educate them—no matter what age they are—about cyber safety.

  • Set up the computer in a high-traffic family area and limit the number of hours your children spend on it.
  • Be sure you have computer security software with parental controls.
  • Decide exactly what is okay and what is not okay with regard to the kinds of web sites that are appropriate to visit.
  • Use only appropriate monitored chat rooms.
  • Never log in with user names that reveal true identity or that are provocative.
  • Never reveal your passwords.
  • Never reveal phone numbers or addresses.
  • Never post information that reveals your identity.
  • Never post inappropriate photos or ones that may reveal your identity (for example: city or school names on shirts).
  • Never share any information with strangers met online.
  • Never meet face-to-face with strangers met online.
  • Never open attachments from strangers.

Once you have established the rules, make a poster listing them, and put it next to the computer.

Robert Siciliano personal security expert to ADT Home Security Source discussing Home Security and Identity Theft on TBS Movie and a Makeover. Disclosures.

Police Arrest Six People in Ritzy Robbery Ring

Burglars broke into more than 50 homes in the high end areas of Miami and Palm Beach. Most of the victims were out to dinner and some were victims of home invasions.

The perps may have had a network in place of valets, waiters/waitresses or others who had an idea of who the victims were, their addresses and what their schedules were. Most importantly, someone on the inside of this network would inform the thieves when the victims would be gone from the home.

The thieves would enter the homes through locked or unlocked sliding doors generally in the back of the home. Their targets included high end jewelry, watches, gold and diamonds. Losses could be as high as 2 million dollars.

Getting the stolen jewelry back is often next to impossible. Jewelry is the quickest and easiest to fence.

“Police have dubbed the six people arrested for their participation in a burglary ring spanning three counties as the “Dinner Crew Set.”  Home surveillance video captured one of the thieves in action — a masked man with a two way radio.”

It’s obvious that most of these homes did not have home alarms or home security cameras. Many of these burglaries could have been prevented with simple investments that equate to a dollar a day for your family home security.

It’s amazing to me how people go out and spend all this money on expensive items but don’t lock them in a safe or protect them with a home security system.

Robert Siciliano personal security expert to ADT Home Security Source discussing Home Invasions on Montel. Disclosures.

As Crime Witness, Security Camera Can Speak Volumes

Back when dinosaurs roamed the planet, law enforcement had to look for witnesses and bystanders, and get on their hands and knees to look for the slightest hair or clue that would help them crack the case. They still do all that stuff today, but one of the first things they look for is security cameras in the vicinity of the crime scene that will tell them the rest of the story.

In Philadelphia, homicide detectives investigated the case of a woman who went missing and was eventually found murdered. After the discovery, law enforcement began retracing her steps, and detectives started looking for cameras along her route of travel.

“In the days after [the murder], residents provided police with a list of cameras at local businesses and apartment buildings. Soon, detectives were working around the clock, viewing hundreds of hours of footage taken by dozens of cameras.”

Cameras caught the suspect on his bicycle in the area of the murder. One video showed the suspect biking past the victim, making a U-turn on his bike and beginning to follow her.

“One recording provided a clear view of the suspect’s face. The day after it was released to the public, police got a tip that led to him.”

Joran van der Sloot, the main suspect in the Natalee Holloway murder, confessed to the slaying of a 21-year-old woman in a Lima hotel room. Hotel video caught him checking into the hotel, walking into the hotel room with the victim and walking out alone. She was discovered a day later. Video certainly helped make his confession possible. Too bad they didn’t have video cameras on the beaches in Aruba. The Peru victim may still be alive.

Cameras are everywhere. Some people call this an invasion of privacy. I say the more cameras the better. We are on camera at most retail stores, banks, ATMs, busy intersections, highways, downtown areas and in neighborhoods. We are a video-camera-soaked society and it’s a good thing. It keeps the honest people honest and the bad guys in check or in jail.

Set up security cameras to monitor the perimeter of your home. Security cameras can send off an alarm triggering additional lighting, sirens and alerting the home owner to a potential breach via text and telephone calls. I can immediately see my cameras via my iPhone. Cameras inside the house are necessary as well. Wire your home to show all doors and living spaces to ensure home security. Once you take the leap you wonder how you lived without it.

Robert Siciliano personal security expert to ADT Home Security Source discussing Home Security on NBC Boston. Disclosures.

“Wireless Security” is an Oxymoron, But There is Hope

WiFi is everywhere. Whether you travel for business or simply need Internet access while out and about, your options are plentiful. You can sign on at airports, hotels, coffee shops, fast food restaurants, and now, airplanes. What are your risk factors when accessing wireless? There are plenty. WiFi wasn’t born to be secure. It was born to be convenient. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks.

Anyone using an open unsecured network risks exposing their data. There are many ways to see who’s connected on a wireless connection, and to gain access to their information. As more sensitive data has been wirelessly transmitted over the years, the need for security has evolved. Today, with criminal hackers as sophisticated as they ever have been, wireless communications are at an even higher risk.

When setting up a wireless router, there are two different security protocol options. WiFi Protected Access (WPA and WPA2) is a certification program that was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP). WEP was introduced in 1997 and is the original version of wireless network security.

There are a few things you should do to protect yourself while using wireless.

Be smart about what kind of data you transmit on a public wireless connection. Only transmit critical data from secure sites, ones where “HTTPS” appears in the address bar. These sites have additional encryption built in.

Don’t store critical data on a device used outside the secure network. I have a laptop and an iPhone. If they are hacked, there’s no data on either device that would compromise my identity or financial security.

If you have file sharing set up on a home network, when venturing to wireless hot spots you need to manually turn it off on your laptop.

Turn off WiFi and Bluetooth on your laptop or cell phone when you’re not using them. An unattended device emitting wireless signals is very appealing to a criminal hacker.

Beware of free WiFi connections. Anywhere you see a broadcast for “Free WiFi,” consider it a red flag. It’s likely that free WiFi is being used as bait.

Beware of evil twins. Anyone can set up a router to say “T-Mobile,” “ATT Wireless” or “Wayport.” These connections can appear legitimate but are actually traps set to snare anyone who connects.

Keep your antivirus software and operating system updated. Make sure your antivirus software is automatically updated and your operating system’s critical security patches are up to date.
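To make the tips about open networks, WEP and evil twins concrete, here is a small check added as an illustration (it is not from the original post). It runs over a constructed list of scan results and a hypothetical allowlist of networks you already trust; the record layout, the `KNOWN` table and the finding names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed scan results, not captured from a real network. Each record holds
# what a Wi-Fi scan normally shows: the network name (SSID), the access point's
# hardware address (BSSID) and the advertised security mode.
SCAN = [
    {"ssid": "HomeNet",   "bssid": "02:00:00:AA:00:01", "security": "WPA2"},
    {"ssid": "Wayport",   "bssid": "02:00:00:cc:00:01", "security": "WPA2"},
    {"ssid": "Wayport",   "bssid": "02:00:00:dd:00:09", "security": "open"},
    {"ssid": "OldRouter", "bssid": "02:00:00:ee:00:01", "security": "WEP"},
    {"ssid": "Free WiFi", "bssid": "02:00:00:ff:00:01", "security": "OPEN"},
]

# Hypothetical allowlist: networks used before and the access points they were
# seen on. A real one would be built from your own saved connections.
KNOWN = {
    "HomeNet": {"02:00:00:aa:00:01"},
    "Wayport": {"02:00:00:cc:00:01"},
}

REASONS = {
    "weak-security": "open or WEP network: assume anyone in range can read the traffic",
    "mixed-security": "same name advertised with different security modes: possible evil twin",
    "unknown-bssid": "trusted name on an access point not seen before: verify before joining",
}

WEAK_MODES = {"OPEN", "WEP"}


def audit(scan, known):
    """Return {bssid: [finding, ...]} for every access point worth a second look."""
    # Normalise case so "open"/"OPEN" and mixed-case MAC addresses compare equal.
    aps = [
        {
            "ssid": ap["ssid"],
            "bssid": ap["bssid"].lower(),
            "security": ap["security"].upper(),
        }
        for ap in scan
    ]

    # Collect every security mode seen per network name. Several access points
    # sharing one name is normal for hotspots; the same name offered both
    # encrypted and unencrypted is not.
    modes = defaultdict(set)
    for ap in aps:
        modes[ap["ssid"]].add(ap["security"])

    findings = {}
    for ap in aps:
        notes = []
        if ap["security"] in WEAK_MODES:
            notes.append("weak-security")
        if len(modes[ap["ssid"]]) > 1:
            notes.append("mixed-security")
        trusted = known.get(ap["ssid"])
        if trusted is not None and ap["bssid"] not in trusted:
            notes.append("unknown-bssid")
        if notes:
            findings[ap["bssid"]] = notes
    return findings


def report(scan, known):
    """Format the findings as readable lines, one per flagged access point."""
    names = {ap["bssid"].lower(): ap["ssid"] for ap in scan}
    lines = []
    for bssid, notes in audit(scan, known).items():
        for note in notes:
            lines.append(f"{names[bssid]} ({bssid}): {REASONS[note]}")
    return lines


if __name__ == "__main__":
    # A clean result is not proof of safety: names and hardware addresses can
    # both be copied, so HTTPS and the other tips above still apply.
    print("\n".join(report(SCAN, KNOWN)))
```
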

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses hackers hacking wireless networks on Fox Boston. (Disclosures)

Thieves Hit Real Estate Open Houses

Here’s a strange proposition: place an ad in the local paper requesting that complete strangers come to your home and look inside your kitchen, bathroom, your kids’ room and your bedroom. In the ad, tell them how nice the house is and that you want them to see it from 2-4 on Sunday afternoon.

Then, to make it even more interesting, have another stranger (or someone you only have a brief relationship with) show them around the house. Meanwhile you go out, run some errands or have lunch.

Keep the block of knives on the counter and leave everything pretty much where you normally would and when you get home maybe it will still be there. Sound like a sound plan? It’s one that thousands of people execute hundreds and thousands of times a year.

Open houses are (in my mind) a weird process that is otherwise a good way to bring attention to the sale of a home. If the homeowner is smart, they will hire a professional real estate agent to facilitate the process. However, the homeowner often puts too much faith in the real estate professional to protect their belongings. This is a big mistake and a false sense of security.

No offense to the real estate professionals, but many of them don’t really understand what they should and shouldn’t do in regards to “securing” your stuff.

I present about 50 programs a year to real estate agents on this topic. I always ask “what would you do if you saw someone steal something?” Inevitably I get responses where agents would say “I’d tell them to put it back!” Alrighty then. While this is the “right thing to do” it’s not the right thing for the agent to do. Because now the thief has to decide how bad they want the stuff and they now have to determine what it’s going to take to keep it. Giving a thief an ultimatum may result in violence.

The Aldergrove Star reports “These crimes are committed by thieves posing as potential homebuyers attending open houses or walking through homes for sale with a realtor. The thieves will distract the realtor, perhaps asking for a tape measure, and while the realtor facilitates the request, property is pocketed. Property targeted during these thefts includes laptops, jewelry, designer purses, small electronics, and other miscellaneous items.”

Real estate agents should not consider themselves in any way “security guards”. The home owner in no way should consider agents responsible for protecting their stuff. If you are a homeowner or a real estate agent, have a discussion that includes the following tips:

  • Hide or remove your valuables and medications.  If it can be easily stolen and has resale street value, then remove it.
  • Request your real estate agent bring additional agents. There is always strength in numbers.
  • Protect yourself from identity theft. Remove or lock up bills, credit card receipts and bank statements.
  • If anyone ever steals something and you see them, run out of that home as fast as possible. If a person is crazy enough to steal from an open house, then they are crazy enough to commit violence.  There is nothing of monetary value on the planet that I would fight for.
  • Put signage out saying “Property Under Video Surveillance.”
  • Always check the security status of home security systems, doors and windows before and after a showing. Make sure they are all locked and the hinges are still in the doors.


Study Shows Tweens and Teens are Clueless About Privacy

The Secret Online Lives of Teens, a survey conducted by McAfee, reveals that tweens and teens are relatively clueless about online privacy. The study sheds light on this generation’s tendency to use the Internet in ways that translate to danger in the real world.

The fundamental problem is their belief that privacy is unimportant or irrelevant, which stems from their lack of understanding of what privacy actually entails. Most alarming is the extent to which they are willing to share certain types of information online, information which is often visible to complete strangers. In doing so, they make themselves easy targets for data mining by adults whose reasons are not always well intended.

While most adults are not predators or pedophiles, there are certainly many of them out there who prey upon the young and naïve.  Statistics show there are as many as half a million registered sex offenders in the U.S. alone. And many more simply haven’t been caught yet.

There always has been, is, and always will be a predatory element out there. Generally, most people don’t want to think about that or even admit that it’s true. Instead of acknowledging the risks, most people completely discount this reality, telling themselves, “It can’t happen to me or my kids.”

The Last Watchdog sums up the study as follows:

“McAfee commissioned Harris Interactive to query 955 American teens, including 593 aged 13-15 and 362 aged 16-17. Survey responses were weighted for age, gender, ethnicity and other variables. The McAfee/Harris poll found:

  • 69 percent of teens divulged their physical location
  • 28 percent chatted with strangers

Of those teens who chatted with strangers, defined as people whom they did not know in the offline world:

  • 43 percent shared their first name
  • 24 percent shared their email address
  • 18 percent post photos of themselves
  • 12 percent post their cell phone number

What’s more, girls make themselves targets more often than boys: 32% of the girl respondents indicated they chat with strangers online vs. 24% of boy respondents.”

It’s not just tweens who don’t understand that they’re living in a fishbowl. Young adults and parents are equally clueless. Channel 4 News in Jacksonville exposed a Florida mother who took a picture of her 11-month-old son with his mouth over a pot bong and posted it on Facebook. The mom’s behavior was obviously reckless, but what she and many don’t understand is that anything digital is repeatable.

Many now blame social networks for the erosion of whatever privacy we once had. Social networking sites aren’t inherently bad, but they are self-serving entities, promoting transparency that ultimately leads to marketing and advertising dollars. For them it’s all about profit, and it’s to their advantage to gather as much information about you as possible, which allows them to fine-tune their offerings to advertisers.

My belief that people need to “live consciously,” making informed decisions about and ultimately taking responsibility for themselves, makes it difficult for me to blame anyone but users themselves for their lack of security. But I know the reality is that people are easily led, easily bamboozled, and they need to be told what to do and what not to do.

Studies like this bring much needed attention to these issues, hopefully raising awareness for teens and their parents. As a parent, I am as laser focused on the media my children consume, in all its forms, as I am on any food they eat. No responsible parent would allow their child to eat spoiled food, because they understand why it’s bad, but those same parents may allow their children to roam freely online without supervision. This is mainly because the parents don’t understand the risks.

When a quarter to a third of teens are revealing all their information to total strangers, it should give society pause. Understand that as this trend continues, more and more kids will be blindsided when they are solicited by adults who, with an additional twenty or more years of life experience, know how to con a kid.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)

Companies Combine Efforts to Secure Data on USBs

Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., the independent world leader in memory products, today announced that it will partner with security company BlockMaster and provide greater availability of centrally managed USB drives, which makes it easier to protect information on-the-move.

BlockMaster® is well known for its USB security solutions, including the centralized USB management software, SafeConsole®, which offers organizations the ability to remotely manage USB drives by resetting passwords, configuring password policy and activating audit for compliance procedures. With this partnership, Kingston will be offering its customers a centrally manageable version of its DataTraveler Vault – Privacy Edition utilizing BlockMaster’s technology to provide complete control over USB drives.

A survey of London and New York City taxi companies last year revealed that more than 12,500 devices, such as laptops, iPods and memory sticks, are forgotten in taxis every six months. These are portable devices that may hold troves of sensitive data.

Computerworld reports that a 2007 survey by Ponemon of 893 individuals who work in corporate IT showed that USB memory sticks are often used to copy confidential or sensitive business information and transfer the data to another computer that is not part of the company’s network or enterprise system. The survey showed 51% of respondents said they use USB sticks to store sensitive data, 57% believe others within their organization routinely do it and 87% said their company has policies against it.

I checked out BlockMaster SafeStick® 4.0 – a fast and user-friendly secure USB flash drive, which streamlines military-grade security and meets those standards to protect your data. The SafeStick hardware controller encrypts all data using 256-bit AES encryption in CBC mode. Encryption keys are generated on board at user setup, and all communications are encrypted. SafeStick is protected against autorun malware, and onboard active anti-malware is available. Once unlocked, SafeStick is as simple to use as a standard USB flash drive.

Flash drives can be a security mess. Organizations need to have policies in place that require secure flash drives and forbid plugging a stray cat into the network.

Disclosures: I have no financial ties to BlockMaster. I just like this thing.

Robert Siciliano Identity Theft Expert discussing good ole fashion identity theft on Good Morning America.

Safety Tips: Home Burglary Prevention

My AC is on, that means it’s summer time. It also means that occasionally the windows may be open, and because we are in the yard the doors sometimes are unlocked. As a result we are slightly more vulnerable to the bad guy. But this doesn’t mean that your guard should be down.

The FBI reports that more burglaries occur during the summer months than any other time of year and that every home is a potential target. According to U.S. Department of Justice statistics, an American home is broken into about every 15 seconds. The best defense against burglary is prevention. With planning you can help make your home unappealing to burglars.

Patrick Fiel, public safety advisor of ADT Security Services said, “There are a few simple, yet important, steps homeowners can take to make their homes less of a target.” To help homeowners secure their homes this summer, Fiel and ADT recommend the following home burglary prevention tips:

· Secure your garage. Garages can provide intruders with easy access to your home. If you have an automatic garage door opener, make sure you protect the remote control and never leave it visible in your car. Also, be sure to lock the door that leads from your garage to your home. Many people do not lock this door, creating a weak point in their home security.

· Equip your home with strong doors and locks. Exterior doors should be made of steel, other metals or solid wood, which are able to withstand more of an impact than hollow-core doors. Deadbolt locks offer the best protection from picking and prying. Always make sure to lock your doors and windows when you leave home.

· Never hide keys around the exterior of your home. Thieves look in mailboxes, under doormats and above doorways for keys. Do not make it easy for them to get into your home. If you will be out of town on vacation, leave emergency house keys with a trusted friend or neighbor.

· Consider a monitored burglar alarm system. A recent Rutgers University study found that alarm systems are an effective deterrent, making a home less attractive to intruders. Make sure your burglar alarm system includes a loud inside alarm, detectors at all exterior doors and motion sensors. It’s also important to have monitored protection which links your home to a monitoring center where trained professionals can quickly notify first responders. Most insurance companies also offer a discount of up to 20 percent off homeowner’s policies for monitored alarm systems.

· Never let burglars know you are away from home. As you plan for vacation, you may be tempted to post updates on social networking sites, including specific dates and times of your vacation. But criminals have been known to troll these sites for vacant homes and unsuspecting victims. Always keep your vacation plans as private as possible and have a trusted friend or family member collect your mail and check in on your home while you and your family are away.

Fiel said, “As summer starts to heat up, we hope these tips will help you prevent home burglary and protect your possessions before, during and after your vacation.”

Mr. Fiel certainly knows his business. It’s your business to take responsibility for yourself and your family and make sure your home is safe and secure. It’s not enough to use the old adage “why do I care if my stuff is stolen, insurance will pay for it,” because insurance doesn’t reimburse you for the hollow, empty feeling of being violated. Many people who are burglarized never want to set foot in their homes again.

Furthermore, in the heat of the summer many burglaries can turn into home invasions if the burglar didn’t know you were home. That’s when things can get violent.

Know your options. Don’t sit back and say “It can’t happen to me.” Sit back and say “An American home is broken into about every 15 seconds; mine won’t be one of them.” Enjoy the summer months, relax, have fun and be safe.


My Mexican Travel Security Ordeal

Mexico has made the news over and over due to its “Narco Wars.” Tens of thousands have been murdered and kidnapped in many of the border towns all the way down to Acapulco. So where do I vacation? Mexico. It’s an easy trip, it’s economically smart, it’s usually warm and sunny, the food’s good, the people are great, and there’s always a good story to tell. I do my homework and understand where the risks are and aren’t.

I don’t stay in the border towns. That’s where a lot of the bad stuff is happening. Border towns are mostly landlocked, so no ocean, and there isn’t much as far as vacationing goes. We like the beaches and prefer southern resort towns that cater to making me happy.

In my last Mexican adventure we were picked up at the airport by a car service recommended by the hotel. I usually get in the front seat so I can see where we are going and I like to have a little control. I put my laptop and backpack up front with me, but then the wife asked me to come to the back seat, which I did. But there was no room for the bags, so they stayed up front. The van was clean, and the ride was the typical white knuckler: “hold on for dear life, the driver is a nut, and when was the last time this thing had its brakes checked?”

When we got to the resort we were swarmed with hotel help/bellmen pulling our bags out of the van. As I was counting bags and counting kids and on my way back to the van to get my 2 other bags, the van drove away. My laptop and backpack were still in the front seat. ON THE FRONT SEAT. There is no way the driver didn’t see the laptop on the front seat. I frantically went to the bellman to call the security dude at the entrance to the property to stop the van. Ten minutes went by and they said he must have gone another way because he never went back through security.

I got the car service on the phone to call the driver and they said he wasn’t answering his phone. Of course he wasn’t answering his phone, he was selling my laptop. 20 minutes went by and I feared he’d got this thing hocked. Then another driver from the same company pulled into the resort’s entrance and I flagged him down. I told him to call the driver and tell him I left 2 bags in the van. He called, the driver picked up the phone. Nailed. He answered for his buddy but not his boss.

He showed up 20 minutes later. When he pulled up he was dismissive and rude. He knew he was “caught” but didn’t even offer a response. My laptop was now on the front floor of the van, the bag had been gone through and the backpack was in the back seat of the van. He obviously tossed it there.

I never told resort security, the bellman or the car service over the phone that “my bags” that were in the van consisted of a laptop. But when resort security and the bellman saw me pull the laptop out, they all nodded their heads, shaking them, and proceeded to understand why he drove off.

Moral of the story: if you don’t want it stolen, don’t leave it out of your sight. Because any opportunity to distract you and take your stuff, the bad guy will.
