Dumb Criminals – The Best Way to Get Caught? Call 911!

In Daytona Beach, Florida, the dumb criminal capital of America, two Florida teenagers are facing charges after breaking into cars. Apparently one teen’s phone was programmed to call 911 and the phone was smarter than the teens and called (maybe accidentally) 911 to inform law enforcement of the crimes taking place.

Dispatchers from the police department listened in as the duo discussed the cars they were breaking into and the stuff that was worth taking. Seems some info was given that directed law enforcement to the parking lot of a local nightclub where the teens were apprehended. Karma man karma.

Meanwhile, another Cro-Magnon Mickey-the-dunce in Utah stole 2 phones from a convenience store. In the process he left a piece of paper with an address he was going to. So now cops had a lead. But it gets better. The store clerk reported the theft and gave a description of the man to police.

Moments later, as Mickey was driving and looking for the address, he pulled over to ask a cop for directions. Immediately the cop recognized the address and the dunce’s description and arrested him. Karma man karma.

And in an amazing criminal history that spans 55 years, an 80-year-old woman, known as the “Beverly Hills Burglar,” gets three years for breaking into a medical building. Her rap sheet was well known in Beverly Hills as she’s been to the clink in the past. She was quoted saying, “I’m 80 years old. I don’t think I’ll ever come back – except I’m going to die and be in the morgue.”

That’s amazing and sad all at the same time.

Lock up. Don’t be victimized. And don’t be dumb.

Home Safety Tips:

1. Install outdoor lighting on timers and motion sensors.

2. Make sure your home has a “lived in” look.

3. Use indoor timers for lights, TVs and automatic shades.

4. Install security cameras that can be remotely monitored.

5. Install a home alarm system monitored by an alarm company and the police.

Robert Siciliano personal security expert to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover.

Is That Portable Device a Data Hazard?

Robert Siciliano Identity Theft Expert

A survey of London and New York City taxi companies last year revealed that more than 12,500 devices, such as laptops, iPods and memory sticks, are forgotten in taxis every six months. These are portable devices that may hold troves of sensitive data.

According to recent reports, the theft of identity data, including names, addresses and Social Security numbers, on 3.3 million people with student loans was the largest-ever breach of such information and could affect as many as 5% of all federal student-loan borrowers. A company spokesperson said the stolen information was on a portable media device. “It was simple, old-fashioned theft, it was not a hacker incident.” Lovely. That’s just ducky spokesboy.

The survey further reached out to 500 dry cleaners who said they found numerous USB sticks during the course of a year. Multiplying that by the number of dry cleaners they got a figure of approximately 9000 USBs lost and found annually.

Computerworld reports a 2007 survey by Ponemon of 893 individuals who work in corporate IT showed that: USB memory sticks are often used to copy confidential or sensitive business information and transfer the data to another computer that is not part of the company’s network or enterprise system. The survey showed 51% of respondents said they use USB sticks to store sensitive data, 57% believe others within their organization routinely do it and 87% said their company has policies against it.

It’s not just lost portable devices that are an issue. Found ones can be scary too.

Dark Reading reports an oldie but goodie from Steve Stasiukonis, a social engineering master, who says those thumb drives can turn external threats into internal ones in two easy steps.

When hired to penetrate a network, he says, “We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems.”

I did a program recently for a client where I presented in front of other security professionals. I had my laptop set up on the stage with my presentation loaded. The client was introducing me and asked if he could load a quick file onto my laptop to assist in his opening remarks. I inserted the drive for him and my anti-virus went NUTS! Seems his flash drive had a nice little virus on it. His boss, standing right next to him, said, “That’s why we are phasing out non-military grade security enabled flash drives as soon as we get back.”

I checked out BlockMaster SafeStick® 4.0 – a fast and user-friendly secure USB flash drive, which streamlines military-grade security and meets those standards to protect your data. The SafeStick hardware controller encrypts all data using 256-bit AES encryption in CBC mode. Encryption keys are generated on board at user setup, and all communications are encrypted. SafeStick is protected against autorun malware, and onboard active anti-malware is available. Once unlocked, SafeStick is as simple to use as a standard USB flash drive.

The one I got just plugs in, initializes, then launches a program requiring the user to set up a password. From that point on any time the user has to access the data, a password needs to be entered.

Flash drives can be a security mess. Organizations need to have policies in place requiring secure flash drives and never plugging a stray cat into the network.

Disclosures: I have no financial ties to BlockMaster. I just like this thing.

Robert Siciliano Identity Theft Expert discussing good ole fashion identity theft on Good Morning America.

Beware of Door to Door Conmen

There are a bazillion scammers using a bazillion ruses to get your money. The lowest of the low are the ones who scam the elderly. These same conmen often do it door to door and can be very dangerous.

Con men posing as city employees seem to be the most effective scam. In one incident 2 men posed as city workers who were trimming trees in a neighborhood. One man would knock on the door and schmooze the resident into allowing him into the home. He would then coax the person into the back area of the home while his partner would sneak in the front door.

Once the second man was in he’d rob the person. Often they’d head straight for the bedroom and grab jewelry boxes and look for wallets and pocketbooks.

In another scam a man would go door to door and offer his labor for gardening and yard work for the elderly. He would do the job he was hired to do at an agreed fee. But when the job was over he would request a significant amount of money that wasn’t previously discussed. In this case he would escalate the situation to yelling and threats.

He was so bold he would drive the person to an ATM machine to get the money.

In both of these situations the homeowners were lucky the situations didn’t escalate to physical violence. It’s unfortunate that the elderly are preyed upon in this way. If you have an elderly parent or neighbor, keep a close eye on them and watch out for them. Unfortunately with some people you can tell them to be careful and not open the door to strangers until you are blue in the face and they may not listen.

If you have an elderly person you care for and they live away from you I’d recommend installing a video security system in their home. Today’s surveillance systems can be remotely monitored from any PC in the world. I’m able to monitor mine from my iPhone. You can set an alarm on individual cameras to alert you to activity.

Consider a home alarm system too. Make it real easy for them to activate and deactivate using a remote control. Have the alarm company call them first, the police second and you third when an alarm goes off.

Robert Siciliano personal security expert to Home Security Source discussing Home Invasions on Montel Williams.

Is Your Facebook Friend a Fed, or Sex Offender?

When you think about it, Facebook is weird. Where else in the world do you call people who you don’t know your friends? I probably have about 10-15 friends. Most are acquaintances and the other 400 are total strangers.

There’s a lot of excessive trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. They have no reason to distrust. People who are your “Friends” are generally those who you “know, like and trust.” In this world, your guard is as down as it will ever be. You are in the safety of your own home or office hanging with people all over the world in big cities and little towns and never have to watch your back.

Reports of sex offenders on social media abound. Do you know who your child is befriending?

Many of the “strangers” came into my life as a result of what I do, and I appreciate and accept them for connecting. But I know plenty of other people who don’t write or do media and might be in college, and have 2000 friends! And they know 5 of them! Social media is weird.

Employers, potential employers and others will often friend someone for the sole purpose of getting a solid profile of that person to determine if they want to hire them. Now the AP reports, “U.S. law enforcement agents are following the rest of the Internet world into popular social-networking services, going undercover with false online profiles to communicate with suspects and gather private information, according to an internal Justice Department document that offers a tantalizing glimpse of issues related to privacy and crime-fighting.”

I don’t think there is anything wrong with this; it’s a good thing actually. There is a question of legality and whether or not government agents can pose as someone else and lie, which often violates the terms and conditions of the sites themselves.

But the fact remains, there are bad people out there and they need looking after. And if it means an FBI agent posing as someone to catch the bad guy, I’m all for it. So next time you get a friend request from a stranger, they might be someone checking up on you. Guilty conscience? Hope not.

Robert Siciliano personal security expert to Home Security Source discussing social media security on Fox Boston.

New Facebook Phish Steals Passwords

I got an email from a colleague today: Subject: “My Facebook account got hacked.”

I wonder if you could give me some guidance here –

I received the following email from Facebook:

——————————————————————–

From: Facebook [XXXXXX@facebook.com]

Sent: Wednesday, March 17, 2010 5:58 AM

To: XXXXXXXXXXX

Subject: Security Warning From Facebook

Dear XXXXXXXXXX,

We have detected suspicious activity on your Facebook account and have temporarily suspended your account as a security precaution.

You can regain control of your account by logging into Facebook and following the on-screen instructions.

Please be sure to visit the Facebook Help Center (http://www.facebook.com/help/) for further information regarding these security issues and let us know if you need assistance.

Thanks,

Facebook Security Team

————————————————————————-

Reuters reports that hackers have long targeted Facebook users, sending them tainted messages via the social networking company’s own internal email system. With this new attack, they are using regular Internet email to spread their malicious software.

McAfee estimates that hackers sent out tens of millions of spam messages across Europe, the United States and Asia since the campaign began on Tuesday.

Dave Marcus, McAfee’s director of malware research and communications, said that he expects the hackers will succeed in infecting millions of computers.

“With Facebook as your lure, you potentially have 400 million people that can click on the attachment. If you get 10 percent success, that’s 40 million,” he said.

McAfee says:

Tip 1: Do not open the attachment. Promptly delete the Facebook scam email.

Tip 2: Consumers can protect their computer from this type of cybercrime by installing a complete security software suite that includes anti-virus, anti-spyware, and firewall protection.

Tip 3: Consumers should make sure they are running the most up-to-date security software and their subscription is active.

Tip 4: If consumers are unsure if their security software vendor has an update for this type of malware, McAfee recommends that they check for and install any available updates, then immediately run a full scan.

Robert Siciliano personal security expert to Home Security Source discussing Facebook hacking on CNN.

 

Why Debit Cards Are a Nightmare

Robert Siciliano Identity Theft Expert

Not all plastic cards are created equal. The major difference between credit and debit is in the protections (or lack of protections) that come along with the fine print. A debit card is connected directly to a person’s bank account and when compromised can devastate your bank balance.

I know too many people who’ve fallen victim to some type of debit card fraud, whether through skimming or unauthorized purchases, and never recouped their losses. Sometimes the banks just won’t budge. They tend not to believe a person whose PIN and card number were leaked.

Creditcards.com reports that the Federal Reserve’s Regulation E (commonly dubbed Reg E) covers debit card transfers. It sets a consumer’s liability for fraudulent purchases at $50, provided they notify the bank within two days of discovering that their card or card number has been stolen. TWO DAYS. That’s it! After that, the maximum liability jumps to $500. Some banks will extend the grace period up to a year, but good luck getting your money back.

Federal laws limit cardholder liability to $50 in the case of credit card fraud, as long as the cardholder disputes the charge within 60 days. And if a victim doesn’t discover or report the fraud until after 60 days have passed, the liability could be the entire card balance, for a debit or credit card. Once your debit card is compromised, you might not find out until a check bounces or the card is declined. And once you do recover the funds, the thief can just start all over again, unless you cancel the account altogether.

Don’t use a debit card. Use credit cards, pay attention to your statements every month and dispute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Debit Card Fraud on CNBC

If You Care About Privacy Don’t Do These 8 Things

I don’t care as much about privacy as some people do. My concern is personal security. If I was concerned about people knowing “me” stuff then you wouldn’t be reading this because I’d live in a cave in Wyoming with no Internet and I’d blow glass all day. But personal security is something I deeply care about. The following are privacy issues, with a little personal security in there too.

Don’t throw away anything that can be used against you. For privacy and security reasons consider how someone could use something in your trash against you. I never toss anything with a name or account number on it and I’m careful not to toss DNA-related stuff either. And I know people are saying that’s crazy. If it can be planted at a crime scene it’s flushed.

Don’t publish your phone number. Many data aggregators use phone company records to index you. Without a published phone number they have a harder time indexing your name associated with an address. My home phone number is under a pseudonym and it’s also under a business name.

Don’t allow your name to be searchable on Facebook or be on Facebook at all. I broke that rule. When logged into Facebook go HERE to change it.

Don’t broadcast your location. Location-based services (LBS) are information and entertainment services, accessible with mobile devices through the mobile network and utilizing the ability to make use of the geographical position of the mobile device. Twitter, Facebook and others are getting in the game with LBS. Carnegie Mellon University compiled more than 80 location services that don’t have privacy policies or collect and save all data for an indefinite amount of time. I see this more as a personal security issue.

Don’t post videos on YouTube that reveal your personal life. I have a business YouTube page and a personal one. The iPhone has a direct connection to YouTube and it’s a blast taking video and quickly uploading. However, my personal page is under another name and all the videos are private. The only way to see them is to login.

Don’t forget to read privacy policies. I don’t like reading privacy policies because they are long winded and confusing. But not knowing what companies may do with your data is not good.

Don’t use your real name as a username. I broke this rule a few hundred times. It’s a privacy issue when you don’t shield your name. It’s a personal security issue not to grab your name, allowing someone else to get it and use it against you. Get all of them at Knowem.com.

Don’t put your name on your mailbox or on a plaque on your home. All the postal carrier needs is a street number. There’s no reason to plaster your last name on your home either. I see this more as a personal security issue. But there are certainly privacy concerns here too.

Robert Siciliano personal security expert to Home Security Source discussing Location Services on The CBS Early Show.

If You Want To Be an Identity Thief, Go To Jail

Robert Siciliano Identity Theft Expert

Willie Sutton, a famous thief, when asked why he robbed banks, was quoted saying, “Because that’s where the money is.” Where’s the money today? Identity Theft! What’s a great way to commit identity theft? Go to jail. Prisons in eight states let convicts work in jobs that give them access to Social Security numbers and other personal information for the public, despite years of warnings that the practice should end, a federal audit finds.

In a related story all sex offenders convicted of pedophilia will be made swimming coaches at summer camps.

“Although we recognize there may be benefits in allowing prisoners to work while incarcerated, we question whether prisoners have a need to know other individuals’ Social Security numbers,” the audit says. “Allowing prisoners access to Social Security numbers increases the risk that individuals may improperly obtain and misuse (the data).”

States where prisoners have direct access to Social Security numbers: Alabama, Arkansas, Kansas, Nebraska, Oklahoma, South Dakota, Tennessee and West Virginia.

“In Kansas, where five prisons allow inmates to hold jobs processing data with personal identifying information, a prisoner was found last year to have stolen names, birth dates, and Social Security numbers while in a job making digital images of public records, the audit says. The data was found in a routine search of inmates when their shift is over.”

What we’ve got here is a failure to communicate. Some men you just can’t reach. And I’m not talking about the prisoners. Any government agency head that sees fit to put a felon in charge of personal identifying information that can lead to identity theft needs to be put on a chain gang himself. With incompetence like this it’s no wonder 10-12 million people are victims of identity theft every year.


Robert Siciliano Identity Theft Speaker discussing Social Security numbers on Fox News.

10 Wicked Inexpensive Ways to Secure Your Home

1. Call the cops. Most communities have programs in place where a law enforcement officer will inspect a personal home or apartment and make recommendations based on existing vulnerabilities. Generally they will make those recommendations within your budget upon request.

2. Install signage. I bought 2 “Beware of Dog” neon signs for $1.98 this week. One for the front door and one for the back door. The same hardware store had “This House is Alarmed” signs for short money.

3. Go to the pet store. Dogs are a great form of home security. A few things I can do without include all the barking, tumbleweeds of fur, financial expense of shots and all the dog doo. Save a few bucks and buy the biggest dog food bowl possible. Get 2, one for the front porch and one for the back. Write “Killer” in permanent marker on it. This gives the impression you have a big dog. You can even buy a barking dog alarm.

4. Get your neighbors to guard your home. Why pay for security guards or lame remote security monitoring when you can have your neighbor Ed keep a keen eye on your property? Start a neighborhood watch program and design it so everyone has a monthly responsibility to work the neighborhood.

5. Make your home seem occupied 24/7/365. When you are away put the stereo or TV on loud enough to hear from the immediate exterior. Buy inexpensive timers and plug all your lamps in.

6. Install motion sensors that make a burglar think they are being watched.

7. Use your existing door locks and LOCK THEM! Or buy better ones and install them yourself. Beef up the strike plate, which is the metal plate where the bolt enters the jamb. Install 3-inch screws deep into the jamb.

8. For short money you can buy a “security bar” that wedges up under your door knob and is also alarmed.

9. Secure your windows so they don’t raise more than 6-10 inches. Install small angle brackets that prevent the windows from going any higher.

10. Get a home alarm system for less than 100 bucks; then a dollar a day. A home alarm is the best protection while you are home and away.

Robert Siciliano personal security expert to Home Security Source discussing Home Security on NBC Boston.

Top 10 Cities for Cyber Crime

Robert Siciliano Identity Theft Expert

I love that dirty water, oh Boston you’re my home. Boston Legal, “Cheers,” Boston Bruins, Red Sox, Celtics, Chowda, Lobsta, Pahkin the Cah in Havad Yahd and home to the second worst ranking of cyber crime in America. Lovely! Seems whatever advice I give in Boston media, means squat. After all, I am a Proper Bostonian. Boston missed first place by a lousy 11 points. I blame the college kids. Boston has the highest concentration of college students on the planet. It’s their fault. Seattle took first place. What’s your excuse Seattle? Microsoft?

1. Seattle

2. Boston

3. Washington, D.C.

4. San Francisco

5. Raleigh, N.C.

6. Atlanta

7. Minneapolis

8. Denver

9. Austin, Texas

10. Portland, Ore.

Cities with high concentrations of “spam zombies” placed the highest. Becoming a zombie and part of a botnet happens to PCs that aren’t properly secured, coupled with user behavior that invites attacks.

If you are surfing porn all day or gaming on distant websites in foreign countries then you are at a higher risk. Downloading files from P2P sites or seeking software cracks or pirated content is also risky. Remember frat boy, there is no honor among thieves.

The Boston Business Journal stated another factor is the Hub’s many unsecured WiFi hotspots — 53.6 per 100,000 residents — where cyber criminals may lurk, trolling for unwitting users. While high-profile or widespread computer attacks are relatively rare, small-scale attacks like these threaten even savvy computer users, the report noted.

Hey Top 10, pay attention:

Computers that are old and have outdated, unsupported operating systems like Windows 95/98/2000 are extremely vulnerable.

Systems using older outdated browsers such as IE 5, 6 or older versions of Firefox are the path of least resistance.

Update your operating system to XP SP3 or Windows 7. Make sure to have automatic updates for anti-virus. Don’t engage in risky web-based behaviors.


Robert Siciliano Identity Theft Speaker discussing ATM Skimming on Fox Boston.