Hackers Hacked Away in Las Vegas

For the uninitiated, per Wikipedia: “DEF CON (also written as DEFCON or Defcon) is one of the world’s largest annual hacker conventions, held every year in Las Vegas, Nevada. The first DEF CON took place in June 1993.

Many of the attendees at DEFCON include computer security professionals, journalists, lawyers, federal government employees, crackers, cyber-criminals, security researchers, and hackers with a general interest in computer code, computer architecture, phone phreaking, hardware modification, and anything else that can be ‘hacked’.”

This year’s DEFCON expected 10,000 registrants. That’s a lot of hackers! One interesting tidbit about DEFCON is that you can’t pre-register (as in, give them your credit card ahead of time to book your spot), because DEFCON only accepts cash. And for good reason! What most people don’t realize is that not all hackers are bad. Certainly “crackers and cyber criminals” are bad, but many hackers are full-time security professionals who work around the clock to create the security software that protects us.

If you have someone local who does computer security, or, as it’s known in the industry, “penetration testing,” they will lock down your network and protect you from the “crackers and cyber criminals.”

Meanwhile, if you are a do-it-yourselfer:

  1. Lock down your wireless internet with WPA security. Check your owner’s manual.
  2. Install antivirus and set it to update your virus definitions automatically.
  3. Install spyware removal, or make sure your antivirus is a “Total Protection” product.
  4. Make sure your firewall is turned on.
  5. Set your PC to automatically install the critical security patches for your operating system.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.


Tracking Lost or Stolen Devices

Lost your iPad? Someone steal your iPhone? Can’t find your laptop? Misplaced your Android phone? You can call your phone and hope it rings, but maybe it’s on vibrate, or miles away. If your car gets broken into and your laptop goes missing, what do you do?

There are plenty of software programs that can track your device, using location data such as GPS and IP addresses to pinpoint it on a Google map. Some services can even activate the laptop’s webcam to take snapshots of a thief!

Prey Project works on MacBooks, Windows, and Android to keep track of your phone or laptop at all times and to help you find it if it ever gets lost or stolen. It’s lightweight, open source software, and free for anyone to use.

Find My iPhone is a free application that can be enabled on your iPhone or iPad. You’ll need a MobileMe or iCloud account to sign in from your iPhone, iPad, or any computer, to display your device’s approximate location on a fullscreen map. Find My iPhone also allows you to send a message to whoever may have found the phone, and if you’re near your phone but can’t find it, Find My iPhone can override your vibrate setting and emit an alarm. In a worst-case scenario, this application can remotely wipe your phone’s data to help prevent identity theft.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking hotels on CNBC. Disclosures

Barefoot Bandit Gets a Movie Deal

Colton Harris Moore was busted for committing over 100 burglaries in the Pacific Northwest. He stole cars, speedboats and airplanes (at least 3). He is known as the “Barefoot Burglar” because he kicked off his shoes running from the police through the woods.

He was a “door knob jiggler”. Most of the homes didn’t have home security systems installed.

You may recall the Barefoot Bandit was arrested in the Bahamas after a boat chase that came to a halt when cops shot out the boat’s motor. This 19-year-old had never taken a flying lesson, but he stole a plane in Indiana and crashed it off Abaco Island, and he was hunted from then on.

This young adult achieved celebrity-like status with over 20,000 Facebook fans. However, Harris-Moore isn’t one to be celebrated. He stole as much from the average hard worker as he did from the dot-com rich. And he admits it:

“I did things that were not only a violation of law, but also of trust, I can’t undo what I did. I can only try to make things better.” This was via a written statement provided by his lawyers.

He just signed a movie deal with 20th Century Fox worth $1.3 million. However, he won’t earn any money from this, as all the funds will go to restitution.

  1. Lock your doors and windows
  2. Install a monitored alarm system. Consider ADT Pulse.
  3. Give your home that lived-in look
  4. Leave the TV on LOUD while you are gone
  5. Install timers on your lights both indoor and outdoor
  6. Close the shades to prevent peeping inside
  7. Use defensive signage

Robert Siciliano, personal and home security specialist to Home Security Source, discussing burglar-proofing your home on Fox Boston.

How Phishing is Like a Home Invasion

Phishing, of course, is when you receive a fraud-based email designed to trick you into clicking links and entering your personal information. In some cases, clicking those links downloads a virus. The sender’s intention is to bypass your computer’s security.

Phishing is becoming more sophisticated because phish emails are disguised to look like legitimate communications, often from trusted employees on the inside or from companies you do business with.

The criminals behind these emails are doing their research on company websites finding key individuals to model and following up their research on Facebook and LinkedIn to make their phish emails more personal.

And while criminals are still targeting “whales” or CEOs of major corporations and their officers, they are using similar attacks on consumers, as well.

Home invaders are using similar tactics to stalk their prey. You receive a knock on the door, and the minute you open it, like clicking a link, you’re vulnerable. Their intention is to bypass your home security alarm by getting you to open the door.

Home invaders use some ruse like they are from the gas company or making a delivery or some may lie that their car broke down. All of these methods prey upon your trusting of another person or business that you may have a relationship with.

Home invaders do their research. They watch you on social media, they look up basic information and they often target the head of the household.

Protecting yourself from phishing or home invasions comes down to one fundamental principle: don’t automatically trust or believe that whoever is contacting you, in any form, has good intentions. We trust by nature, and that’s great, but not allowing yourself to question others’ intentions sets you up to fail.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing ADT Pulse on Fox News Live. Disclosures

North Korea Hacks Online Games to Fund Terrorism?

The Guardian reports, “South Korean police recently arrested five people who allegedly collaborated with North Korean hackers to steal millions of dollars in points from online gaming sites. Members of the gang, which included North Korea’s technological elite, worked in China and shared profits after they sold programs that allowed users to rack up points without actual play.”

Scammers resell stolen points to gamers, who use the points to play more games or to purchase equipment or accessories for their avatars. According to Seoul police, the cybercriminals behind this particular scheme made $6 million in less than two years. 55% of that went to the team of hackers, while some went to Kim Jong-il’s multibillion-dollar slush fund, which American and South Korean officials say is at least partially used to fund a nuclear weapons program.

South Korean officials blame the North Korean government’s Computer Center, an IT research venture, for orchestrating the fraud.

Many of the world’s largest gaming publishers and digital goods providers rely on iovation’s ReputationManager 360 to detect fraud upfront through its extensive, globally-shared database of 700 million devices seen connecting to online businesses and the 6 million fraud events already associated with many of these devices.

iovation has already flagged more than 13 million activities within gaming sites for gaming publishers to either reject as completely fraudulent, or to send for manual review as high-risk activity was detected in real time. This has saved gaming publishers millions of dollars in fraud losses by not only stopping a fraudulent activity (such as a cyber criminal setting up a new account in the game, or a purchase from the in-game store using stolen credentials), but it connects cyber criminals working together so that the publisher can identify entire fraud rings and shut them down at once.

Gaming operators can customize business rules around geolocation, velocity, and negative device histories (including gold farming, code hacking, virtual asset theft, and policy violations) to identify nefarious account activity or fraudulent use of stolen accounts. More than 2,000 fraud-fighting professionals contribute to iovation’s global database every single day, continuously strengthening the system while maintaining a safe and inviting environment for their players.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

Security is a Journey, Not a Destination

The title of this post is a security industry axiom. In other words, we can strive for security, and by making this effort we put ourselves on a path to security. But while we may achieve a relative degree of security, we can never be 100% secure. Even Fort Knox is vulnerable.

We can, however, apply strategies that significantly reduce our risk level. One of the best techniques is “layering.” Layers of security make a criminal’s job more difficult by addressing all of the vulnerabilities in your home or office.

A bank, for example, has multiple layers of security. First, consider the perimeter of the building, which is often designed to include large windows, so that passersby or law enforcement can easily see any problems occurring inside. The bank’s doors have locks. Of course, there is an alarm system, which includes panic buttons, glass-break detectors, and motion sensors. These are all layers, as are security cameras, bulletproof glass, and armed guards. Ideally, tellers and management should have robbery response training. Many banks use dye packs or even GPS to track stolen cash.

Each of these layers is designed to make it harder for a robber to do his job.

All banks have safes, because banks know that a well-constructed safe is the ultimate layer of security. A safe not only makes it extremely difficult for a bank robber to steal the bank’s money, it also protects the cash in the event of a fire.

Consider a layered approach to your home or small business security plan, one that includes a SentrySafe, the last line of defense in your protection strategy.

Robert Siciliano is a Personal and Home Security Expert for SentrySafe discussing Home Security on NBC Boston. Disclosures.

Snow Shovel Bandit Busted

I know the last four letter word you want to hear is SNOW. But everyone needs to know the Snow Shovel Bandit has been sentenced to 6 years in prison!!

This guy generally broke into homes without home security alarms occupied by single women.

For a small time crook, this guy had a pretty solid and innovative business plan. The 51 year old basically undercut all the 9-12 year olds in the neighborhood that generally shovel snow for all the local single ladies.

He would approach the homeowners and undercharge them to shovel driveways, then ask for a few more bucks for spreading rock salt. His scheme was to gain their trust while he was casing their homes.

So basically these women were paying this guy to shovel snow and case, and then burglarize their homes.

Sometimes moments after they left he’d kick in a door and rob the place, other times he’d do it at night when they were home!

Police checked with the local pawn shops for items that were stolen and were able to track him down.

This is a guy with a long criminal record with extensive burglary convictions. Obviously if he keeps getting caught he’s not that good at it. But achieving “Snow Shovel Bandit” status is quite an accomplishment. Take THAT Billy The Kid!

So I guess Rule #1 is if the person knocking on your door to shovel your driveway was born before 1990, I’d be suspicious. Accuse me of profiling; I’m just making a point.

Further, don’t open the door to strangers! Especially 51 year olds with shovels!

Install a home security system and keep it armed around the clock.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing ADT Pulse on Fox News. Disclosures

Insider Identity Theft Still a Problem

More than ten years ago, when I began speaking to organizations about personal security and identity theft, headlines often read “Utility Worker Steals Identities” or “Human Resource Officers Steal Identities” and even “Police Officer Steals Identities.” Back then the primary concern was insider identity theft, perpetrated by those who had direct access to victims’ data.

Ecommerce grew up, and more people started banking and shopping online. Black Friday turned into Cyber Monday, and companies like eBay and Amazon have made it easier than ever to find and inexpensively ship anything you might need. This has created many new opportunities for criminal hackers, and the result has been lots and lots of data breaches.

Headlines have shifted to “Bank Loses 1.2 Million Records to Hackers” or “Hackers Steal Over 100 Million Credit Card Numbers.” The stereotypical bad guy has become a mysterious criminal hacker, slipping into our PCs or our banks in the dead of night.

But just last month, a nurse was accused of stealing Social Security numbers and other sensitive information from patient files at several hospitals in Denver, Colorado. Prosecutors say the defendant opened credit cards in patients’ names and made purchases.

My point is that even today, the Human Resources director at some company may have a new boyfriend who happens to have a drug problem, and who needs her to steal your identity so that he can get a fix. The fundamental issue of identity theft hasn’t changed, and the people doing it are the same. Frequently, they are those on the inside, with direct access to your data.

It is important to observe basic security precautions to protect your identity. But when you provide information to businesses, its safety is beyond your control.

Consumers should consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection includes all these features as well as live help from fraud resolution agents if your identity is ever compromised. For more tips on protecting yourself, please visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss another data breach on Fox News. (Disclosures)

Bad News For Banks: Courts Side With Customers

Who is responsible for financial losses due to fraud? The bank, or the customers whose accounts have been drained?

One Michigan judge recently decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses. A copy of the bench decision is available from Pierce Atwood LLP, and the firm also outlines significant highlights and observations regarding this case.

Clearly, the bank’s client, Experi-Metal, made some serious errors, but in the end, the bank paid the price. The court’s decision acknowledges that a vice president of Experi-Metal made the initial mistake of clicking on a link within a phishing email, which appeared to have been sent by Comerica but was in fact sent by a scammer. He then responded to a request for his Comerica account data, despite Comerica’s regular warnings about phishing scams and advice to never provide account information in response to an email. In doing so, the customer offered the scammer immediate online access to his company’s Comerica bank accounts. Naturally, the scammer began transferring money out of the accounts.

I’ll spare you the legalese and get to the nitty-gritty.

“The Court considered several factors as relevant to whether Comerica acted in good faith, including:

  • The volume and frequency of the payment orders and the book transfers that enabled the fraudster to fund those orders;
  • The $5 million overdraft created by those book transfers in what is regularly a zero balance account;
  • Experi-Metal’s limited prior wire activity;
  • The destinations (Russia and Estonia) and beneficiaries of the funds; and
  • Comerica’s knowledge of prior and current phishing attempts.

It was the Court’s inclination to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Furthermore, the Court found that Comerica ‘fails to present evidence from which this Court could find otherwise.’”

This case means that Comerica and, by extension, all banks, must adhere more closely to the FFIEC’s recently released supplement to its earlier guidance on authentication in an Internet banking environment, by adding multiple layers of security.

In this case, the computer or other device the scammer used to access Comerica’s website could surely have been traced overseas and flagged for: hiding behind a proxy, device anomalies such as a time zone and browser language mismatch, past history of online scams and identity theft, and the list goes on.

Financial institutions could protect users and themselves by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, called ReputationManager 360, and is used by leading financial institutions to help mitigate these types of risk in their online channel.
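As an added illustration (not code from the original post, Comerica, or iovation), the following rule-based scorer turns the Court’s factors listed above (order volume against the customer’s baseline, an overdraft on a normally zero-balance account, limited prior wire activity, high-risk destinations, known phishing activity) and the device anomalies just mentioned (proxy use, time zone versus browser language mismatch) into a hold/review/approve decision for a wire order. The field names, point values, thresholds and sample records are all constructed assumptions.

```python
from dataclasses import dataclass

# Destinations named in the decision; the set itself is a constructed assumption.
HIGH_RISK_COUNTRIES = {"RU", "EE"}


@dataclass
class Customer:
    prior_wires_per_month: float    # historical wire baseline (constructed field)
    normally_zero_balance: bool     # account regularly carries a zero balance
    phishing_campaign_active: bool  # bank knows of current phishing against customers


@dataclass
class Device:
    behind_proxy: bool
    time_zone_country: str   # country implied by the device time zone (simplified)
    browser_language: str    # e.g. "en-US"; its region tag is compared with the time zone


@dataclass
class WireOrder:
    amount: float
    destination_country: str
    orders_today: int         # payment orders from this account today, this one included
    overdraft_created: float  # overdraft caused by the book transfers funding the orders


def score_order(order, customer, device):
    """Evaluate each red flag; return (total score, list of reasons that fired)."""
    region = device.browser_language.split("-")[-1].upper()
    rules = [
        (order.orders_today > max(3, 5 * customer.prior_wires_per_month), 3,
         "order volume far above the customer's baseline"),
        (customer.normally_zero_balance and order.overdraft_created > 0, 3,
         f"overdraft of {order.overdraft_created:,.0f} on a zero-balance account"),
        (customer.prior_wires_per_month < 1 and order.amount >= 10_000, 2,
         "large wire from a customer with little prior wire activity"),
        (order.destination_country in HIGH_RISK_COUNTRIES, 2,
         f"destination {order.destination_country} is high-risk"),
        (customer.phishing_campaign_active, 1, "bank is aware of current phishing attempts"),
        (device.behind_proxy, 1, "device is connecting through a proxy"),
        (region != device.time_zone_country, 1,
         f"browser region {region} does not match time zone country {device.time_zone_country}"),
    ]
    hits = [(points, why) for fired, points, why in rules if fired]
    return sum(p for p, _ in hits), [why for _, why in hits]


def decide(order, customer, device):
    """Map the score to an action; the thresholds are constructed assumptions."""
    score, reasons = score_order(order, customer, device)
    action = "hold" if score >= 6 else "review" if score >= 3 else "approve"
    return action, score, reasons


if __name__ == "__main__":
    # Constructed scenario modelled on the case: a burst of wires funded by a $5M overdraft
    cust = Customer(prior_wires_per_month=0.2, normally_zero_balance=True, phishing_campaign_active=True)
    dev = Device(behind_proxy=True, time_zone_country="RU", browser_language="en-US")
    order = WireOrder(amount=50_000, destination_country="RU", orders_today=50, overdraft_created=5_000_000)
    print(decide(order, cust, dev))
```

In practice each rule would be backed by real device-reputation and account-history data; the point here is that every factor the Court weighed is a machine-checkable signal available to the bank before the wire leaves.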

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)


Back Up Google And Facebook Data

We are increasingly reliant on online calendars and address books, but when you store everything in the cloud, there is the possibility that your essential data could evaporate.

Some insist that you have nothing to worry about but what if you got hacked and all your data was deleted? What if you temporarily lost Internet access, but you need your contacts or calendars?

Backing up any type of vital data is always a smart decision. Here are a few simple and inexpensive tools to back up data you’ve stored in the cloud:

MyCube Vault, for Mac or Windows, is a free utility that backs up your Facebook data, Google Contacts, and Picasa photos and albums at regular intervals. You choose how frequently and where your data should be saved. Once you have installed the app and authorized it to access each of the services you want to back up, the process is painless and automatic. If you’re concerned about downtime or wary of keeping your data in the cloud, MyCube Vault is worth a look.

Backupify, for Google Apps, keeps independent backups of all your Google Apps data, where it can’t be stolen, corrupted or deleted, even by your own domain users. You can search, download, and restore your Google Apps data any time. Backupify offers a free trial.

In addition to using a cloud-based backup storage service, you should also back up this data locally on an external drive.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking hotels on CNBC. Disclosures