McAfee Reports Most Malware Ever in Early 2011

Malware refers to malicious software, which includes computer viruses and rootkits. McAfee recently released the McAfee Threats Report: First Quarter 2011. With six million unique samples of recorded malware, the first quarter of 2011 was the most active in malware history.

In February alone, approximately 2.75 million new malware samples were recorded.  Fake antivirus software had an active quarter as well, reaching its highest levels in more than a year, with 350,000 unique samples recorded in March.

Mobile malware is the new frontier of cybercrime.

Malware no longer affects just PCs. As Android devices have grown in popularity, the platform has solidified its position as the second most popular environment for mobile malware, behind Symbian OS, during the first three months of the year.

Cybercriminals often disguise malicious content by using popular “lures” to trick unsuspecting users. Spam promoting real or phony products was the most popular lure in most global regions. In Russia and South Korea, drug spam was the most popular, and in Australia and China, fake delivery status notifications were the spam of choice. So far this year, we’ve also seen a new trend of “banker” Trojans, malware that steal passwords and other data, using UPS, FedEx, USPS and the IRS as lures in their spam campaigns.

McAfee Labs saw significant spikes in malicious web content corresponding with major news events, such as the Japanese earthquake and tsunami, and major sporting events, with an average of 8,600 new bad sites per day. In the same vein, within the top 100 results of each of the daily top search terms, nearly 50% led to malicious sites, and on average contained more than two malicious links.

Protect yourself from these and other threats.

McAfee Wave locates, locks, or wipes your phone, and even restores your data when you trade it in for a new one. If necessary, you’ll be able to lock down your service remotely or wipe out important stored data to protect your privacy. You can back up your data directly or use the web to so remotely. You can access your data online from anywhere, or locate your missing phone and plot its location on a map. If it’s lost or stolen, SIM cards and phone calls can help get it back for you.

Invest in an identity protection service. There are times when you cannot withhold your Social Security number, but an identity protection service can monitor your personal and financial data. McAfee Identity Protection provides alerts if your information is misused, credit monitoring and unlimited credit checks, and if necessary, identity fraud resolution. (For more information, visit CounterIdentityTheft.com.)

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss mobile phone spyware on Good Morning America. (Disclosures)

 

Security Cameras Catch Intruder

Video is a great thief repellant. It is one layer of security that must be incorporated into every home security system. However there is no such thing as 100% security. And while video often catches a thief in the act, it can’t actually catch a thief. That’s what police are for.

In Des Moines Iowa, which I’ve been to a few times and is a very cool place, lots of Bald Eagles, a bar owner was awoken to a phone call from ADT Security calling to tell him the alarm in his bar was going off. At the same time the police were summoned.

Meanwhile the bar owner logged into his security systems internet enabled cameras and saw the legs of a man dangling from the ceiling through ceiling tiles! The criminal apparently cut a hole in the roof! Then he saw the man jump to the floor with a crowbar and immediately head towards his target: a ticket machine full of cash.

Obviously the thief knew what he was after. After about 3 minutes he ran out when the police arrived and narrowly escaped.

Now the police have video footage of the thief to use to hopefully catch him.

Security is about layers of protection. The protection in this case at least minimized the damage by sending off a piercing alarm reducing the damage the criminal would do if he stayed longer and then the cameras will help identify the thief. Fortunately the bar owner has insurance (which is another layer of protection) that will ultimately pay for the loss and damage.

Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse on Fox News. Disclosures

What The FFIEC Is Doing to Protect You and Your Bank

FFIEC is the Federal Financial Institutions Examination Council which is a government body empowered to prescribe uniform principles, standards and report forms for the federal examination of financial institutions by and for numerous other government, public, private and financial entities.

If there is a “good” place for your tax dollars to head, it’s to the FFIEC. And very recently the FFIEC has issued updated guidelines for financial institutions in regards to their cyber security and new threats your bank needs to counter.

Over the past decade as we have all (mostly) have banked and bought stuff online, criminals have formed organized web mobs to sniff out transactions and take over existing accounts and in some cases open up new accounts.

The FFIEC has certainly pointed this out and at the same time has made additional security recommendations since the last time they did in 2005 based on new kinds of criminal hacking and new technologies to combat it.

Hacking in its many forms involves compromising a system from numerous vantage points. A network can be hacked from the inside by an employee or former employee with credentialed access or from the outside by seeking vulnerabilities in a networks technology. But more often hacking takes place when an account holders access such as username and passwords are compromised.

To defend against all of these hacks the FFIEC recommends to financial institutions what’s called a “layered approach” of anti-fraud tools and techniques to combat crime. Meaning it’s not simply a matter of applying a firewall and having anti-virus to protect the network, but going much deeper in protecting many interaction points within the banking site (not just login) and using a variety of proven fraud prevention solutions.

That includes sophisticated methods of identifying devices and knowing their reputation (past and current behavior and other devices they are associated with) the moment they touch the banking website. The FFIEC has recognized complex device identification strategies as a viable solution that’s already proven strong at very large financial institutions. ReputationManager360 by iovation leads the charge with device reputation encompassing identification and builds on device recognition with real-time risk assessment, uniquely leveraging both the attributes and the behavior of the device.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Talk To Your Kids about Teen Dating Violence

Teen dating violence is a difficult and touchy subject. But approaching the issue, or not, can mean the difference between life and death. Some studies show as many as 1 in 3 teens are affected.

Both young men and women are capable of acting out in abusive ways, and parents need to be aware of any signs of trouble.

Teen angst can be a low level annoyance or escalate to dangerous uncontrollable anger. I was a teen once and can attest to both ends of the spectrum. Ultimately teen domestic violence is about one person controlling another person when the controller has no control over themselves.

Abusers speak out of both sides are their mouths. They brilliantly abuse their partner while demonstrating an outwardly clean cut genial appearance.

Parents must observe their child as either a potential abuser or the abused. They must realize their kid is capable of being a perp or a victim. To ignore the signs of abuse is to enable it.

Look for red flags. Parents know if their teens have dominant or submissive personalities. Any exaggeration of the latter or obvious shift in demeanor is a red flag.

Signals of a controlling relationship range from the obvious signals exhibited by a person’s overbearing body language to the not so obvious manipulative text messages. Look for signs of fear in your child such as behaving oddly (which can mean a thousand things) or verbal or physical abuse. If your child begins to change their daily routine to accommodate their partner that may mean they are being manipulated. If they exhibit signs or speak of being responsible for the feelings of their partner that’s a big red flag.

Nobody is ultimately responsible for another’s feelings, but parents are ultimately responsible for observing their teens and educating them on what’s appropriate and inappropriate then intervening when behaviors tip in a destructive direction.

For more information go to CDC.gov.

Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse™ on Fox News Live. Disclosures

Social Networking Security Awareness

One in five online consumers has been a victim of cybercrime in the past two years. Social networking is a direct link to the problem. While social networks allow you to keep in touch with family and friends, there are issues to be concerned about.

Most concerns revolve around online reputation management, identity theft, or physical security issues. Social networking creates a risk of posting content that will be damaging to yourself, your profile being hacked or your credentials being compromised, or inviting burglars to your home by publicizing your whereabouts.

Facebook faces a security challenge that few companies, or even governments, have ever faced: protecting more than 500 million users of a service that is under constant attack. I’m a huge proponent of “personal responsibility,” and that means that you are ultimately responsible for protecting yourself.

Keep your guard up. Cybercriminals target Facebook frequently. Every time you click on a link, you should be aware of the risks.

Be careful about making personal information public. Sharing your mother’s name, your pet’s name, or your boyfriend’s name, for example, provides criminals with clues to guess your passwords.

Technology can help make social networking more secure. The most common threats to Facebook users are links to spam and malware sent from compromised accounts. Consumers must be sure to have an active security software subscription, and not to let it lapse.

Get a complimentary antivirus software subscription from McAfee. Simply “like” McAfee’s Facebook page, go to “McAfee 4 Free,” and choose your country from the dropdown menu to download a six-month subscription to McAfee’s AntiVirus Plus software. The software protects users’ PCs from online threats, viruses, spyware, other malware, and includes the award-winning SiteAdvisor website rating technology. After the six-month McAfee AntiVirus Plus subscription period, Facebook users may be eligible for special discount subscription pricing.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss hackers hacking social media on Fox Boston. (Disclosures)

Your “Status” is Important to Others

People have always paid attention to your status. Now they do it on social media. Status is your “standing” in society. It could mean whether you are married, employed, rich, poor, saving the world, up to no good, home or not.

Status in terms of home security begins with your whereabouts.

By now we should all know posting your whereabouts (or where you aren’t) can be an invitation for criminals to break into your home while you are gone. It’s simply not a good idea to post you are not home and your house is vacant. On the other hand it is a great idea to have home security cameras and an alarm system.

Furthermore, if you travel, contrary to what some might suggest, I’ve never thought it was a good idea to place your status on a “stop mail” list at the post office.  It’s the same thing with stopping delivery of your newspaper. Once you are on that list, it is known you are away. The best case scenario for both issues is to have a trusted friend, family member or neighbor grab your mail and newspaper for you. Never list your vacation plans on social media. The last thing you need to be doing on Facebook is telling the world you are 2000 miles away.

In Houston, two dumb criminals, one a teller at a bank that was just robbed and her boyfriend posted their status as “IM RICH” and “WIPE MY TEETH WITH HUNDREDS”  were arrested shortly after someone notified police on their status.

People are definitely paying attention to your status, so secure your social media.

Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse on Fox News Live. Disclosures

This Doesn’t Happen In Small Towns

If you have children you know what worry is. If you have a daughter you worry times ten. I have 2 daughters and I worry times 10,000. Worrying is unproductive however, but taking action can and putting your worry to work can create positive results.

In a small Massachusetts town a recently graduated and talented 18 year old woman got off work and went to the beach to meet an 18 year old man she was in some type of relationship with.

She was supposed to check in with her dad early evening and never did. Her father got worried and called all her fiends then the police. The next day a bicyclist found her body in a wooded area in the small town.

The 18 year old man was arrested in the same day as the suspect in her murder. Her dad was quoted saying “When we fall in love, we allow ourselves to become vulnerable and we lose perspective.” That’s an amazingly poignant and correct observation coming from a man who just lost his daughter and only child

The Boston Globe reported one of the residents stated “People who are not from a small town don’t understand. We are all so tight here. . . . Stuff like this doesn’t happen here.’’

Stuff like this happens in small towns. It happens everywhere. Predators are people not “right in the head” and they are part of every town.

Reporting this isn’t fun.  Reading is less so. Worrying is futile. But taking action and learning self defense, teaching your kids at an early age how to protect themselves is fundamental to living.

Robert Siciliano personal and home security specialist to Home Security Source discussing self defense on Fox Boston. Disclosures.

15 Tips To Better Password Security

Protect your information by creating a secure password that makes sense to you, but not to others.

Most people don’t realize there are a number of common techniques used to crack passwords and plenty more ways we make our accounts vulnerable due to simple and widely used passwords.

How to get hacked

Dictionary attacks: Avoid consecutive keyboard combinations— such as qwerty or asdfg. Don’t use dictionary words, slang terms, common misspellings, or words spelled backward. These cracks rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like John the Ripper or similar programs.

Cracking security questions: Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research. When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked.

Simple passwords: Don’t use personal information such as your name, age, birth date, child’s name, pet’s name, or favorite color/song, etc. When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “princess,” “qwerty,” and “abc123.”

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.

How to make them secure

  1. Make sure you use different passwords for each of your accounts.
  2. Be sure no one watches when you enter your password.
  3. Always log off if you leave your device and anyone is around—it only takes a moment for someone to steal or change the password.
  4. Use comprehensive security software and keep it up to date to avoid keyloggers (keystroke loggers) and other malware.
  5. Avoid entering passwords on computers you don’t control (like computers at an Internet café or library)—they may have malware that steals your passwords.
  6. Avoid entering passwords when using unsecured Wi-Fi connections (like at the airport or coffee shop)—hackers can intercept your passwords and data over this unsecured connection.
  7. Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.
  8. Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least one year.
  9. Do use at least eight characters of lowercase and uppercase letters, numbers, and symbols in your password. Remember, the more the merrier.

10. Strong passwords are easy to remember but hard to guess. Iam:)2b29! — This has 10 characters and says “I am happy to be 29!” I wish.

11. Use the keyboard as a palette to create shapes. %tgbHU8*- Follow that on the keyboard. It’s a V. The letter V starting with any of the top keys. To change these periodically, you can slide them across the keyboard. Use W if you are feeling all crazy.

12. Have fun with known short codes or sentences or phrases. 2B-or-Not_2b? —This one says “To be or not to be?”

13. It’s okay to write down your passwords, just keep them away from your computer and mixed in with other numbers and letters so it’s not apparent that it’s a password.

14. You can also write a “tip sheet” which will give you a clue to remember your password, but doesn’t actually contain your password on it. For example, in the example above, your “tip sheet” might read “To be, or not to be?”

15. Check your password strength. If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

 

How to Reset Your Gmail Password After Being Hacked

I finally got one of those “I’m stuck in London” emails. My friend Kate’s Gmail account was hacked, and everyone on her contact list received an email from a hacker posing as Kate:

“Hi, Apologies, but I made a quick trip, to London,United Kingdom and got mugged, my bag, stolen from me with my passport and credit cards in it. The embassy is willing to help by authorizing me to fly without on a temporary identification, instead of a passport, I just have to pay for a ticket and settle Hotel bills. Unfortunately,I can’t have access to funds without my credit card, I’ve made contact with my bank but they need more time to come up with a new one. I was thinking of asking you to lend me some quick funds that Ican give back as soon as I get in. I really need to be on the next available flight back home. Get back to me so I can send you details on how to get money to me. You canreach me via email  or hotel’s desk phone, +44208359**** waiting for your response. Kate”

The hacker also created a replica of her Gmail address using Yahoo’s webmail service, and set Kate’s Gmail account to automatically forward all messages to the Yahoo address.

As soon as I received this email, I called Kate and left her a message letting her know she’d been hacked, and asked her to call me with an alternative email address.

Then I responded to the hacker:

“Kate I will help you. Where do I send money? Robert”

The hacker wrote back:

“Robert, Thanks for responding, I need about $2000, can you make a western union transfer to me? I will pay back once am home, let me know what you can do ASAP thanks.

See details needed for western union
Receiver: Kate [redacted]
City: London
United Kingdom

What you need to do, is take cash or a debit card to a western union agent location and request to make transfer to me in United Kingdom. You can get the address of a nearby WU agent from this website

You will email me the mtcn number for the transfer so I can receive the money here, I have an embassy issued identification, which I will use to get the money from WU Thanks Kate”

I wrote:

“Send me a picture. I want to see your pretty face! What did you see in your travels? Did you talk to Mum this week?”

The hacker responded:

“Did you send the money yet?”

I wrote:

“You didnt answer me.”

At this point, the hacker figured out what I was doing, and blew me off:

“Don’t bother, I no longer need your help”

It’s hard to scambait these guys because they’re much more aware of how scambaiting works. Plus, I’m not that good at it.

The hacker and I then got into an unproductive series of email exchanges calling each other nasty words.

When the real Kate called me back, I sent her this Google Help link explaining how to reset your password if you’ve been hacked. Google also offers help accessing a Gmail or Google Apps account that has been taken over by a hacker.

If you haven’t already created a secondary email address that can be used to recover an inaccessible Gmail account, do that now. (This feature isn’t currently available for Google Apps.)

Once Kate went through this process, she regained control of her account within minutes. But the criminal had deleted every single email, leaving her with nothing. He’s probably going through those messages now, searching for any useful personal information.

Kate then sent me an email, thanking me, and I noticed that the Yahoo email address was still being copied, meaning that the hacker was still seeing every email sent to Kate’s Gmail account. If you’ve been hacked, check your Gmail settings to make sure your messages aren’t being forwarded automatically.

With more than 11 million victims just last year identity theft is a serious concern.  McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft on YouTube. (Disclosures)

 

Spear Phishing Leaves a Bloody Wound

Once criminal hackers get a person’s username and email address, they can begin to launch a targeted spear phish scam. Scammers copy the design of each breached entities outgoing email campaign and blast the breached list with “account update” or other ruses.

Gaming site Sega Pass was hacked. On the Sega Pass website it states, “we had identified that unauthorized entry was gained to our Sega Pass database.” Numerous outlets report hackers stole Sega Pass members’ email addresses, dates of birth, and encrypted passwords.

The recent Epsilon data breach resulted in a similar loss of data. Epsilon is a marketing company that sends over 40 billion emails a year, and keeps millions of consumer email addresses on file. When hackers breached Epsilon’s database, the email subscriber lists for over 100 major companies were compromised.

Consumers received breach notifications from financial institutions including Citigroup, Capital One, and JPMorgan Chase, and from hotels such as the Marriot and the Hilton.

All of these organizations customers are eternally susceptible to spear phish scams.

The Wall Street Journal reports that GlaxoSmithKline sent email notifications to consumers who had registered with any of GlaxoSmithKline’s websites for prescription or nonprescription drugs and products, warning that consumers’ names and email addresses had been hacked, and that the stolen data may have included the specific product websites where consumers registered.

GlaxoSmithKline provides medications that help victims of HIV and mental health disorders. The possibility of the stolen data being used to target the ill with spear phishing attacks is a major concern.

These kinds of breaches will have long-lasting effects on the public.

Never disclose personal information or login credentials in response to an unsolicited email. Never click links in an unsolicited email. Instead, use your bookmarks menu or type the address into your browser’s address bar. If your email address has been compromised, consider switching to a new address. Create new, unique passwords, without repeating the same password for multiple accounts.

With more than 11 million victims just last year identity theft is a serious concern.  McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)