What Makes My Passwords Vulnerable?

There is no such thing as a truly secure password. There are only more secure or less secure passwords. Passwords are currently the most convenient and effective way to control access to your accounts.

Most people aren’t aware of the numerous common techniques for cracking passwords:

Dictionary attacks: Free tools make password cracking almost effortless. A dictionary attack feeds a list of common words, and simple variations of them (capitalized, reversed, with digits appended), into a login form or, far faster, against a leaked list of password hashes. So don’t use dictionary words, slang terms, common misspellings, or words spelled backward, and avoid consecutive keyboard combinations such as qwerty or asdfg.

Cracking security questions: When you click the “Forgot Password” link within a webmail service or other website, you’re asked to answer a question or series of questions to verify your identity. Many people use names of spouses, kids, other relatives, or pets in security questions or as passwords themselves. These types of answers can be deduced with a little research, and can often be found on your social media profile. Don’t use traceable personal information in your security questions or passwords. Better still, treat a security question like a second password: give a random answer and keep it in your password manager.

Simple passwords: When 32 million passwords were exposed in a breach last year, almost 1% of victims were using 123456. The next most popular password was 12345. Other common choices are 111111, princess, qwerty, and abc123. Avoid these types of passwords, which are easily guessed.
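To make the dictionary-attack and simple-password points concrete, here is a small offline cracker, added as an example for this page (it is not the author’s or McAfee’s code). The wordlist, the common-password list and the five “leaked” SHA-1 hashes are constructed for the demo; real attackers use lists with tens of millions of entries and tools that apply thousands of mangling rules. Unsalted SHA-1 is used because that is what many breached sites of this era stored; a site should instead use a salted, slow hash such as bcrypt, which removes the one-hash-per-guess shortcut that `crack` relies on.

```python
import hashlib
import itertools

# Constructed sample wordlist and common-password list. Real crackers use lists
# with tens of millions of entries built from previous breaches.
WORDLIST = ["password", "princess", "dragon", "letmein", "monkey", "sunshine"]
COMMON = ["123456", "12345", "111111", "qwerty", "abc123"]
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def keyboard_sequences(min_len=4):
    """Every run of min_len or more adjacent keys on one row: qwer, qwerty, asdfg, ..."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row)):
            for j in range(i + min_len, len(row) + 1):
                yield row[i:j]


def mangle(word):
    """A handful of the rewrite rules crackers apply to every dictionary word."""
    yield word
    yield word.capitalize()
    yield word[::-1]                                      # spelled backward
    yield word.translate(str.maketrans("aeio", "@310"))   # common substitutions
    for suffix in ("1", "123", "!", "2012"):
        yield word + suffix


def candidates():
    """Cheapest guesses first: common passwords, keyboard runs, then mangled words."""
    seen = set()
    for pw in itertools.chain(COMMON, keyboard_sequences(),
                              itertools.chain.from_iterable(map(mangle, WORDLIST))):
        if pw not in seen:
            seen.add(pw)
            yield pw


def sha1_hex(password):
    """Unsalted SHA-1, as stored by many breached sites of the time (do not copy this)."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack(target_hashes):
    """Offline attack on unsalted hashes: hash each guess once and look it up
    against every target at the same time. Returns {hash: plaintext}."""
    wanted = set(target_hashes)
    found = {}
    for guess in candidates():
        h = sha1_hex(guess)
        if h in wanted:
            found[h] = guess
            if len(found) == len(wanted):
                break
    return found


def demo():
    """Constructed 'leaked' hash set: four weak choices and one long passphrase."""
    leaked = [sha1_hex(p) for p in ("123456", "qwerty", "drowssap",
                                    "pr1nc3ss", "correct horse battery staple")]
    return crack(leaked)
```

Run `demo()`: four of the five hashes fall within a few hundred guesses (123456 and qwerty from the common lists, drowssap from the reversal rule, pr1nc3ss from the substitution rule), and the long passphrase is the one that survives.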

Reuse of passwords across multiple sites: When one data breach compromises passwords, the same login information is routinely replayed against other sites (credential stuffing) to break into users’ other accounts. Two recent breaches revealed a password reuse rate of 31 percent among victims. Reusing a password across email, banking, and social media accounts can turn one breach into identity theft.

Social engineering: Social engineering is the act of manipulating others into performing certain actions or divulging confidential information, and can be used as an alternative to traditional hacking. It is routinely employed to trick targets into disclosing passwords.

One day we may develop a truly secure replacement for the password, perhaps a cross-pollination of access control tools such as biometrics, dynamic biometrics, image-based access, and multi-factor authentication. In the meantime, protect your information by creating a secure password that makes sense to you, but not to others.

Use different passwords for each of your accounts; a password manager makes this practical.

Be sure no one watches as you enter your password.

Always log off if there are other people in the vicinity of your laptop or other device. It only takes a moment for someone to steal or change your password.

Use comprehensive security software and keep it up to date to avoid keystroke loggers and other malware.

Avoid entering passwords on computers you don’t control, such as at an Internet café or library. These computers may have malware that steals passwords.

Avoid entering passwords when using unsecured Wi-Fi connections, such as at an airport or in a coffee shop. Anyone on the same network can intercept whatever is sent in the clear over that connection. A site that submits the login over HTTPS protects the password in transit; the danger is sites that still send it unencrypted (no https:// and padlock on the login page).

Robert Siciliano is an Online Security Expert to McAfee. See him discussing identity theft on YouTube.(Disclosures)

City Bank Account Hacked for 400K

KOMO reports: “The city of Burlington (Washington) is warning its employees to check their bank accounts after finding out funds have been stolen. They believe computer hackers got access to the city bank account, which is used as a direct deposit to pay workers. It is unknown how much money was taken, but more than $400,000 has been transferred to several accounts over the past two days.” “Any time that more than $400,000 actually moves out of a city of Burlington account, there can’t possibly be a joke involved,” said town administrator Bryan Harrison. “It actually is very chilling.”

Chilling indeed. Hacks like this usually start with malware on a machine that has access to the bank account. In a typical scenario the machine is not up to date with antivirus and patches, and the banking Trojan either gives the criminal remote control of the device or sits inside the browser as a “man in the browser”, altering or injecting transfers while the victim sees what looks like a normal banking session.

RSA reports that, in one of the most interesting cases of organized cybercrime this year, a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date.

RSA further reports that American banks are the major target. “Another attractive element for the attackers appears to be the slim deployment of two-factor authentication (2FA) for private banking consumers in the US, unlike many European banks that generally require all consumers to use 2FA for wire transfers.”

Multi-factor authentication requires a username and password (“something you know”) plus “something you have”, such as a token or phone separate from the PC. But even that isn’t enough on its own: a one-time code proves the login is genuine, yet a Trojan on the PC can still hijack the authenticated session or change the transaction after the code has been entered.

The Federal Financial Institutions Examination Council (FFIEC) states: “Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security, as described herein.”

Enhanced device identification is also essential. The FFIEC suggests complex device identification: recognising the customer’s device from many attributes together (browser, operating system, screen, time zone, plug-ins and so on) rather than from a single cookie that malware or a fraudster can copy or clear. Complex device identification is more sophisticated than previous techniques, but it only answers “is this the same device?”. Going one step further and incorporating device reputation management also answers “has this device, or a device linked to it, been involved in fraud before?”.
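Here, as an added example (not iovation’s product code or the FFIEC’s guidance), is a toy version of the two layers: a fingerprint built from several device attributes, and a reputation store that links devices through the accounts they share and denies a transaction when the device, or a device linked to it, has a confirmed fraud event. The attribute names, account IDs, thresholds and decision labels are all assumptions made for the demo.

```python
import hashlib
import json


def device_fingerprint(attrs):
    """Complex device identification: many stable attributes hashed together,
    rather than a single cookie the fraudster can clear. Attribute names are
    illustrative only."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


class DeviceReputation:
    """Toy reputation store: per-device event history plus device<->account links."""

    def __init__(self):
        self.events = {}      # fingerprint -> list of event names
        self.by_account = {}  # account -> set of fingerprints that used it
        self.by_device = {}   # fingerprint -> set of accounts it touched

    def record(self, fp, account, event):
        self.events.setdefault(fp, []).append(event)
        self.by_account.setdefault(account, set()).add(fp)
        self.by_device.setdefault(fp, set()).add(account)

    def linked_devices(self, fp):
        """Devices one hop away: they used an account this device also used."""
        linked = set()
        for acct in self.by_device.get(fp, ()):
            linked |= self.by_account.get(acct, set())
        linked.discard(fp)
        return linked

    def assess(self, fp, max_accounts=3):
        """Return ('deny'|'step_up'|'allow', reasons). 'step_up' means ask for
        another factor or route to review, not an outright rejection."""
        reasons = []
        if "fraud" in self.events.get(fp, []):
            reasons.append("device has confirmed fraud history")
        if any("fraud" in self.events.get(o, []) for o in self.linked_devices(fp)):
            reasons.append("device shares an account with a fraudulent device")
        if reasons:
            return "deny", reasons
        if fp not in self.events:
            return "step_up", ["first time this device has been seen"]
        if len(self.by_device.get(fp, ())) > max_accounts:
            return "step_up", ["device has touched an unusual number of accounts"]
        return "allow", []


def demo():
    """Constructed history: one device later confirmed fraudulent, one device that
    shared a victim account with it, one clean device and one never seen before."""
    rep = DeviceReputation()
    bad = device_fingerprint({"ua": "Mozilla/5.0 (Windows NT 6.1)", "screen": "1024x768",
                              "tz_offset": -480, "lang": "en-US", "plugins": 14})
    rep.record(bad, "acct-1001", "wire_transfer")
    rep.record(bad, "acct-1001", "fraud")          # later confirmed by the bank
    mule = device_fingerprint({"ua": "Mozilla/5.0 (Macintosh)", "screen": "1440x900",
                               "tz_offset": -480, "lang": "en-US", "plugins": 9})
    rep.record(mule, "acct-1001", "login")         # same victim account, new device
    rep.record(mule, "acct-2002", "login")
    clean = device_fingerprint({"ua": "Mozilla/5.0 (X11; Linux)", "screen": "1920x1080",
                                "tz_offset": 60, "lang": "de-DE", "plugins": 3})
    rep.record(clean, "acct-3003", "login")
    unseen = device_fingerprint({"ua": "Mozilla/5.0 (iPhone)", "screen": "640x960",
                                 "tz_offset": -300, "lang": "en-US", "plugins": 0})
    return {name: rep.assess(fp)[0] for name, fp in
            (("bad", bad), ("mule", mule), ("clean", clean), ("unseen", unseen))}
```

The link step is the part a plain fingerprint check cannot do: the second device has no fraud of its own, but it logged into the account the fraudulent device drained, so it is denied too. A first-time device is not denied, only stepped up, which is the layered response the FFIEC quote above asks for.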

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Internet Safety Is Not A Technology Problem, It Is A Parenting Problem

A recent story about a teen romance gone wrong reportedly started on Xbox. Now their parents and police say the four Iowa teens have run away from their homes. Two teenage girls from Shellsburg and two teenage boys from Atlantic went missing in what police think may have been a plotted escape.

One of the boy’s mothers said, “I don’t let him have a Facebook account because I don’t want him meeting people online.” She added, “I didn’t realize they could do so much on Xbox.”

Parents need to understand the technology that their kids are using, not just let them blindly do whatever they want. Yes, this takes time. And, yes, this is more trouble than my parents had to deal with. But this is the era we live in.

A study recently conducted by McAfee and MSI Research called “The Digital Divide” revealed that instant access to information and digital devices is affecting our teens more than many of us parents realize. Some of the findings include:

Meeting strangers – 12% of 13-17 year olds met, in the real world, a stranger they had first communicated with online.

Physical safety – 7% feared for their safety because of something that happened online, and 5% reported getting into a physical fight because of a problem that started online.

Criminal record – 15% said they have hacked someone’s social networking account and 31% have pirated music and movies.

Innocence – 46% of teens report accidentally accessing pornography online and 32% reported accessing pornography intentionally.

And what about the parents? The study showed:

1 in 3 believes their teen to be much more tech-savvy than they are, leaving them feeling helpless to keep up with their teen’s online behaviors.

22% of parents do not believe their kids can get into trouble online.

Less than 1 in 10 parents are aware their teens are hacking accounts or downloading pirated content.

78% of parents are not worried about their kids cheating at school.

Only 12% of parents thought their children accessed pornography online.

How can this be prevented?

Parents, you must stay in the know. Since your teens have grown up in an online world, they may be more online savvy than their parents, but you can’t give up. You must challenge yourselves to become familiar with the complexities of the teen online universe and stay educated on the various devices your teens are using to go online.

What are the conversations that parents should be having with their teens?

As a parent of two young girls, I proactively participate in their online activities and talk to them about the “rules of the road” for the Internet. Talk with your kids about the risks and rewards of the online world, and be specific about threats that exist. Stay involved in their online activities by asking them to show you things they enjoy online and sites they visit.

Stay involved in your teens’ social networking activities by joining the sites and connecting to them. Talk with them about strangers, new friends and suspicious messages.

Ask them what sites they use to communicate with others. There are many lesser-known networks used by teens to communicate with one another, such as Skout, MeetMe, Tagged, Tumblr and many more.

Consider using tools to help keep your kids safe online and support family Internet rules. While Anti-virus software protects against security threats, parental control software such as McAfee Safe Eyes gives parents tools to protect their kids from inappropriate contact and stay informed about their online behavior.

How can parents become more tech savvy?

Get device savvy: Whether you’re using a laptop, desktop, Mac, tablet, mobile, wired Internet, wireless, or software, learn it. No excuses. No more, “My kids know more than I do,” or, “All I know how to do is push that button-thingy.” Take the time to learn enough about your devices to wear them out or outgrow them.

Get social: One of the best ways to get savvy is to get social. By using your devices to communicate with the people in your life, you inevitably learn the hardware and software. Keep in mind that “getting social” doesn’t entail exposing all your deepest, darkest secrets, or even telling the world you just ate a tuna sandwich. Proceed with caution here.

Manage your/their online reputation: Whether you are socially active or not, whether you have a website or not, there are plenty of websites that know who you are, that are either discussing you or listing your information in some fashion. Google yourself and your kids to see what’s being said. Developing your online persona through social media and blogging will help you establish and maintain a strong online presence.

Get secure: There are more ways to scam people online than ever before. Your security intelligence is constantly being challenged, and your hardware and software are constant targets. Invest in antivirus, anti-spyware, anti-phishing, and firewalls. Getting security-savvy is a great way to start a new year.

I’m hoping that this report and new case open other parents’ eyes so they’ll become more involved in educating their teens with advice and tools.

For more information, please visit:

Full report: http://www.mcafee.com/us/resources/misc/digital-divide-study.pdf

Press release: http://www.mcafee.com/us/about/news/2012/q2/20120625-01.aspx

Identity Theft Crime Ring Leader Gets 25 Years

The leader of a crime ring was sentenced to 25 years in state prison for stealing thousands of personal identities and counterfeiting credit cards to buy high-end goods to be resold on eBay and Craigslist. Christopher John Aragon, 52, of Capistrano Beach, pleaded guilty on March 26, 2012, to 50 felony counts including 33 counts of unauthorized use of personal identifying information, 13 counts of grand theft, two counts of counterfeiting access cards, and one count each of conspiracy to commit a crime and the sale or transport of a controlled substance. He also admitted to two sentencing enhancements for property damage over $1 million and aggravated white collar crime over $500,000.

Dude was a prolific identity thief.

Between March 29, 2004, and April 15, 2007, Christopher Aragon led a crime ring which included his wife Clara Aragon and six co-defendants. Co-defendant Shitrit was a hacker who obtained the victims’ credit card numbers used to encode the forged cards. Christopher Aragon and his co-defendants used credit profiles and personal identifying information of victims to make fraudulent California driver’s licenses, credit cards, and gift cards. The defendants encoded the magnetic stripes of the credit and gift cards with stolen account information, and used the cards to purchase high-end merchandise, including designer handbags, jewelry, clothing, and electronics.

At Shitrit’s Aliso Viejo apartment, investigators found a forgery lab for encoding credit cards that was still being set up, along with credit card writers and thumb drives holding thousands of hacked and stolen credit card numbers.

In a similar bust, Kirkland Washington police detectives received a great deal of assistance from Portland-based iovation. iovation’s ReputationManager 360 service was used to track down the fraudulent credit applications at various retail chains, which originated from a group of computers that iovation linked together within their vast network of more than 950 million unique devices. In addition to nabbing the thief, they were able to help identify other victims within the state who were not yet aware they had been impacted.

Protect yourself:

Get a credit freeze

Monitor your credit card statements

Get a locking mailbox

Check your credit report at least once a year.

Robert Siciliano, personal security and identity theft expert contributor to iovation.

Actress Sofia Vergara’s Personal Photos Hacked or Stolen Via Mobile

In my line of work I get emails such as this one: “Hi Robert, I’m not sure if you saw what had happened on my Facebook page last night, but someone stole my cell phone while I was at a concert, and posted all of my naked pictures off of my phone and posted them to my wall. They were up there for hours.”

Apparently if you are under the age of 40 this is commonplace. After 40, not so much.

My response: “Horrible lesson learned. And, ahm, maybe no naked pics on your phone? Jeesh. Digital is forever.”

Her response: “That’s what everyone keeps telling me, I should’ve deleted them. Just never thought someone would do that. They could’ve just taken the phone, they didn’t have to embarrass me like that.”

The problem is “they” don’t just look to embarrass someone, they try to sell them, and in some cases extort the victim. We must remember some people aren’t looking to play nice.

The NY Post reports: “‘Personal’ photos of stunning actress Sofia Vergara have been put up for sale after being allegedly stolen from her fiancé Nick Loeb’s BlackBerry. The sexy pictures, which we’re told are personal in nature but are not nude images, were somehow hacked or stolen from Loeb’s phone before the couple got engaged in July.”

In both of these situations simply locking the device with a passcode would have kept the thief out of the photos; if the phone also encrypts its storage, the pictures stay unreadable even if the handset is taken apart.

Have you ever thought about what would happen if you lost your mobile phone? For a lot of us it would be a nightmare if it were lost, stolen or hacked, especially since an untold number of people use their mobiles like a bedroom accessory.

But despite the fact that half of us would rather lose our wallet than our mobile phone, only 4% of us have taken steps to protect our mobile device with security software.

We don’t realize that our photos, emails, text messages and our apps can be an open door for thieves into our personal information, privacy and financial accounts.

Mobile devices are on the move, meaning they can more easily be lost or stolen and their screens and keyboards are easier targets for “over the shoulder” browsing. Below are some tips to protect you and your device.

Never leave your phone unattended in a public place

Put a password on your mobile

Set your phone to auto-lock after a certain period of time

When doing online banking and shopping, always log out and don’t select the “remember me” function

Use mobile device protection that provides anti-theft

Mobile device protection can back up and restore the information on your phone, as well as remotely locate it and wipe its data if it is lost or stolen. It also offers virus, web and app protection.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video.Disclosures.

Hackers: The Good, The Bad and The Money

The term “hacker” was made popular by Steven Levy in his book “Hackers: Heroes of the Computer Revolution”, published in 1984, about the brilliant and eccentric nerds of the late 1950s through the early ’80s who took risks, bent the rules, and pushed the world in a radical new direction.

In the past decade there have been hundreds of data breaches resulting in millions of compromised records. The motivation behind most of these hacks? Identity theft, and the fraud it enables. Meanwhile dozens of new laws and government interventions to protect citizen data have emerged.

Black Hat (bad), White Hat (good) or Grey Hat (good by day bad by night), over the past decade the media has given the term “hacker” a negative connotation. Or is it hackers that gave the term a negative connotation?

Either way, whenever I’m talking bad guy hacker I’m careful to precede the word hacker with “criminal” so I don’t piss off anyone who considers themselves a good guy hacker.

Thomas Edison, Benjamin Franklin and Alexander Graham Bell were all hackers. Good ones too.

Today we are faced with a real issue of hackers attacking our financial systems, critical infrastructure and even our own PCs. And now that we use our mobile phones for commerce, hackers are going after them too.

John Haney, Sales Executive at iovation stated “With more people than ever conducting banking activities from mobile devices, being able to proactively detect risk and suspicious activity in real-time is essential to protecting financial institutions and their customers. Although mobile banking is a powerful tool, it can also be used as a weapon for cybercrime and we want financial institutions to be prepared to fight mobile fraud. This is especially poignant given the FFIEC guidelines that established expectations for companies to adopt a layered approach to prevent cyber-attacks.”

Through its ReputationManager 360 service, iovation tracks the reputations of everything from desktops to laptops, mobile phones to tablets, and gaming consoles to smart TVs. By utilizing iovation’s device reputation intelligence.

Meanwhile, as a consumer, you are directly responsible for the security of your own network and devices.

Install and update antivirus, antispyware, antiphishing and a firewall on your devices.

Apply your operating system’s critical security patches.

Encrypt your home/office Wi-Fi connection (use WPA2; WEP is broken and can be cracked in minutes).

Beware of phishing, vishing and internet scams.

Robert Siciliano, personal security and identity theft expert contributor to iovation.

The Seedy Side of Web Searches

Ever seek out information online and end up somewhere you never meant to go? I’m not talking about some website that didn’t have what you were looking for, I’m talking about a website that you REALLY didn’t want to go to or would never go to. This is the dark side of the Net.

Think of it like this: when you drive, you might take a wrong turn, and that wrong turn may land you in a bad neighborhood. What’s scary about the dark side of the Web is that you didn’t end up on that website because you took a wrong turn; you were most likely redirected there by cybercriminals.

There are 131 billion web searches conducted worldwide every month. Search engines consider numerous factors when you enter terms into a search query to determine what results to send back to you, including the popularity of the search, the number of times a page contains what you are searching on, what the search engine knows about you (like your device type and location), and the reputation of the links. Marketing teams work these same factors to make sure their content is what you see when you type words into your browser’s search box.

But this same process is also used by criminals who are looking to infect your device, and steal your personal information and finances. Criminals know that popular topics are ones that receive a lot of search queries and they use these topics to set up fake sites that are meant to cause you or your device harm.

Currently, there are more than 700,000 websites serving up malicious software and every minute a new phishing site is detected. In order to help you navigate the dark side of the Web and search safely, you should:

Be suspicious: Any links to free stuff or too good to be true offers are suspect.

Be cautious: Searches on hot topics, popular photos or videos are big targets for cybercriminals.

Check the URL: Typosquatting (look-alike domains built from common misspellings of a real one, such as a dropped, doubled or transposed letter, or the brand name used as a subdomain of something else) or even expired domains that someone else has re-registered can direct you to the dark side of the Net.

Protect yourself: Use tools that offer secure Internet surfing. Make sure you use up-to-date comprehensive security software with a safe search plug-in on all your devices and that you are using the latest version of the operating system and browser on your device.
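As an added example of the “check the URL” advice (it is not the safe-search plug-in’s logic or any product’s code), the following generates the look-alike domains a typosquatter registers and classifies a URL against a trusted list. The trusted list, the partial keyboard-neighbour map and the sample URLs are constructed for the demo, and `registrable` is a deliberate simplification; real code uses the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample allow-list; a real deployment uses the brands it protects.
TRUSTED = ["paypal.com", "mcafee.com", "facebook.com"]

# Partial QWERTY neighbour map (constructed) for adjacent-key substitutions.
ADJACENT = {"a": "qsz", "c": "xv", "e": "wrd", "f": "dg", "i": "uok",
            "l": "kop", "m": "n", "o": "ipl", "p": "ol", "y": "tu"}


def typo_variants(domain):
    """Look-alike domains a typosquatter would register for `domain`."""
    name, tld = domain.rsplit(".", 1)
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])                         # omission:      payal
        names.add(name[:i] + ch + name[i:])                        # repetition:    paaypal
        if i + 1 < len(name):
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition: papyal
        for k in ADJACENT.get(ch, ""):
            names.add(name[:i] + k + name[i + 1:])                 # adjacent key:  oaypal
    for a, b in (("l", "1"), ("o", "0"), ("i", "l"), ("rn", "m"), ("m", "rn")):
        if a in name:
            names.add(name.replace(a, b))                          # homoglyph:     paypa1
    names.discard(name)
    variants = {n + "." + tld for n in names}
    variants |= {name + "." + t for t in ("net", "org", "co", "cm")}  # wrong TLD: paypal.cm
    return variants


def registrable(host):
    """Crude registrable domain: the last two labels. Real code uses the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url, trusted=TRUSTED):
    """'trusted', 'typosquat of X', 'lookalike of X' (brand used as a subdomain), or 'unknown'.
    'unknown' means not on the list, not that the site is safe."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable(host)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        if reg in typo_variants(t):
            return "typosquat of " + t
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "lookalike of " + t
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "http://paypa1.com/login",
              "http://papyal.com/", "http://paypal.com.secure-login.net/", "https://example.org/"):
        print(u, "->", classify_url(u))
```

The subdomain check catches the trick that an edit-distance test misses: paypal.com.secure-login.net is zero letters away from the brand, but the registrable domain is secure-login.net, which belongs to whoever set the trap.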

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Bieber Fever Results In Fraudulent Ticket Sales

Bieber Fever is a sickness that has recently become more common, where a kid is extremely obsessed with Justin Bieber and everything related to him. The act, or disease, is most commonly found in girls, but occasionally in a guy or two.

Example: Girl: “Dude omgomgomgomgomg i loooooove Justin Bieber he doesn’t know it yet but I’m gonna marry him!” If you are 12, you probably caught it. If you have a 12 year old then you may have unfortunately got the bug from your kid. There is no known cure for this.

The fever sometimes makes people do crazy things, like buying Bieber tickets off Craigslist. Dallas News reports: “Many go through different venues to try to find the best tickets and this can end up costing a lot more than they bargained for. According to the report several people have allegedly been scammed by the same man. Concert tickets like the ones for Bieber’s concert are the specialty of scammers due to the high demand for these. It is always advised to buy concert tickets from an authorized seller or venue.”

Avoid scalpers, period. Unless you know them personally, just buy tickets at the venue’s window. When purchasing tickets online, stick to legitimate websites. An online search will probably turn up plenty of options, but only buy from familiar, trusted brokers.

Scam artists often take advantage of online ticket companies by buying up blocks of tickets with stolen credit cards, either to counterfeit or simply to overcharge the public.

Fortunately, some ticket brokers have deployed device reputation, which allows them to uncover computers or other devices responsible for fraudulent activity or exhibiting suspicious behavior at the point of sale, and deny transactions from those devices. This kind of visibility gives ticketing businesses a powerful advantage. More than ever, they can identify the scam artists and where they’re coming from.

Robert Siciliano, personal security and identity theft expert contributor to iovation.

FBI: Focusing on Hackers and Intrusions

Your tax dollars are being put to work in ways to secure your bank accounts and our critical infrastructure. But there’s still more work to do.

The FBI reports that early last year hackers were discovered embedding malicious software in two million computers, opening a virtual door for criminals to rifle through users’ valuable personal and financial information. Last fall, an overseas crime ring was shut down after infecting four million computers, including half a million in the U.S. In recent months, some of the biggest companies and organizations in the U.S. have been working overtime to fend off continuous intrusion attacks aimed at their networks.

To that end, the FBI over the past year has put in place an initiative to uncover and investigate web-based intrusion attacks and develop a cadre of specially trained computer scientists able to extract hackers’ digital signatures from mountains of malicious code. Agents are cultivating cyber-oriented relationships with the technical leads at financial, business, transportation, and other critical infrastructures on their beats.

Richard McFeely, executive assistant director of the Bureau’s Criminal, Cyber, Response, and Services Branch, was quoted as saying: “It’s important that everybody understands that if you have a computer that is outward-facing—that it’s connected to the web—that your computer is at some point going to be under attack. You need to be aware of the threat and you need to take it seriously.”

When he says “you” he means banks, retailers, and just about everyone involved in eCommerce or anyone with a connection to the internet.

Smart businesses engaged in eCommerce are helping to stem the tide of cybercrime by incorporating device reputation into their transactions. iovation, headquartered in Portland, Oregon, has pioneered the use of device reputation to stop online fraud and abuse. Its software-as-a-service, used by online businesses, assesses the risk of Internet transactions all over the world and recognizes when a device such as a PC, tablet or smartphone has a history of fraudulent behavior. This helps organizations make educated decisions about whether they want to do business with the person using the device.

Robert Siciliano, personal security and identity theft expert contributor to iovation.