How to Protect Your Privacy From “Leaky” Apps

Back in 2010, The Wall Street Journal was already warning us about app developers’ lack of transparency with regard to their intentions.

“An examination of 101 popular smartphone “apps”—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent age, gender and other personal details to outsiders. The findings reveal the intrusive effort by online-tracking companies to gather personal data about people in order to flesh out detailed dossiers on them.”

And since then, our level of engagement with mobile apps has only increased (with over 10 billion apps downloaded), while there has not been a lot of movement to prevent applications from accessing your data.

So what to do? Privacy concerns are justified, but there is a limit to how this information can be utilized. If you feel the urge to free yourself from data tracking, you could delete and avoid apps, or you could provide false information, but that could violate terms of service and might not be effective, anyway.

When downloading an application, make an effort to consider what you are giving up and what you are getting in return, and to consciously decide whether that particular tradeoff is worthwhile.

You can also use mobile security software like McAfee Mobile Security that scans your installed apps to determine the level of access being granted to each of them. This feature then alerts you to apps that may be quietly siphoning data and enjoying unnecessarily extensive control of your device’s functionality, and then you can decide if you want to keep the app or delete it.

With better insight, you can take more of your mobile security and privacy into your own hands.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

What Are the Latest Identity Theft Statistics?

The 2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier, released by Javelin Strategy & Research, reports that in 2011 identity fraud increased by 13 percent. More than 11.6 million adults became a victim of identity fraud in the United States, while the dollar amount stolen held steady.

Approximately 1.4 million more adults were victimized by identity fraud in 2011, compared to 2010. Countering this rise is the successful effort to combat identity fraud coupled with greater consumer awareness of the issue. While the number of fraud incidents increased, the total amount lost remained steady.

One of the key factors potentially contributing to the increase in incidents was the significant rise in data breaches. The survey found 15 percent of Americans, or about 36 million people, were notified of a data breach in 2011. Consumers receiving a data breach notification were 9.5 times more likely to become a victim of identity fraud.

According to the survey, the three most common items exposed during a data breach are:

— Credit card number

— Debit card number

— Social Security number


Here are some eye-opening statistics:

• 500 million—the number of consumers from 2005 to 2009 whose personal and financial data has been exposed as a result of corporate data breaches—events the victims cannot control despite taking personal safety measures

• 400%—victims who found out about their identity theft more than six months after it happened incurred costs four times higher than the average

• 165 hours—the average amount of time victims spent repairing the damage done by creation of new fraudulent accounts

• 58 hours—the average amount of time victims spent repairing the damage done to existing accounts

• 43%—the percentage of identity theft occurring from stolen wallets, check-books, credit cards, billing statements, or other physical documents

• 1 in 4—number of American adults who have been notified by a business or checkbooks, credit cards, billing statements, or other physical documents

• Once every three seconds—how often an identity is stolen

The most efficient way to protect your identity is to use an identity theft protection service and get a credit freeze.

Robert Siciliano personal and home security specialist to Home Security Source and author of 99 Things You Wish You Knew Before Your Identity Was Stolen. Disclosures.

Computer Failure – Top Warning Signs Your PC is dying

Computers are like humans in that in some ways they can tell you when they are sick or they don’t feel good. But computers are also like pets who may not be able to speak, but if you are paying attention, they begin to behave in ways that alert you to problems. There are numerous built-in warning signs that alert you to their failings. As business PCs age, they start to express themselves in ways that tell you they are approaching the end of their life and it’s time to check your back-up strategies.

The following computer failures indicate your computer may be close to death:

A blue screen is often a sign of a driver conflict or hardware issue. When your formerly fully functional PC displays a blue screen informing you that a serious error has occurred, it could mean total failure, or require a simple reboot.

Lengthy start up or shut down times may mean that your computer is overwhelmed by too much software, or particular programs are not shutting down properly. Or it could mean that motherboards or hard drives are not long for this world.

If you hear strange noises, like beeping, whirring, or grinding, during startup or when computing, this may be a sign of hardware failure.

Error messages, as pop-ups or in the Device Manager, pointing out hardware or software failures or conflicts.

Computer data logging is the process of recording events, with an automated computer program, in a certain scope in order to provide an audit trail that can be used to understand the activity of the system and to diagnose problems.

Logs are essential to understand the activities of complex systems particularly in the case of applications with little user interaction (such as server applications).

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Protect Yourself from Vishing

“Vishing” occurs when criminals cold-call victims and attempt to persuade them to divulge personal information over the phone. These scammers are generally after credit card numbers and personal identifying information, which can then be used to commit financial theft. Vishing can occur either on your landline phone or via your mobile phone.

The term is a combination of “voice,” and “phishing,” which is, of course, the use of spoofed emails to trick targets into clicking malicious links. Rather than email, vishing generally relies on automated phone calls that instruct targets to provide account numbers. Techniques scammers use to get your phone numbers include:

Wardialing: This is when a visher uses an automated system to target specific area codes with a phone call involving local or regional banks or credit unions. When someone answers the phone a generic or targeted recording begins, requesting that the listener enter a bank account, credit, or debit card number and PIN.

VoIP: Voice over Internet Protocol is an Internet-based phone system that can facilitate vishing by allowing multiple technologies to work in tandem. Vishers are known to use VoIP to make calls, as well as to exploit databases connected to VoIP systems.

Caller ID Spoofing: This is the practice of causing the telephone network to display a false number on the recipient’s caller ID. A number of companies provide tools that facilitate caller ID spoofing. VoIP has known flaws that allow for caller ID spoofing. These tools are typically used to populate the caller ID with a specific bank or credit union, or just with the words “Bank” or “Credit Union.”

Social Engineering: Social engineering is a fancier, more technical form of lying. Social engineering (or social penetration) techniques are used to bypass sophisticated security hardware and software. The automated recordings used by vishers tend to be relatively professional and convincing.

Dumpster Diving: One time-tested “hack” is simply digging through a bank’s dumpster and salvaging any lists of client phone numbers. Once a visher has the list, he can program the numbers into his system for a more targeted attack.

To protect yourself from these scams you should:

Educate yourself – Knowledge is the key to defending yourself from vishing. The more you understand it, the better off you’ll be, so read up on vishing incidents, and if your bank provides information about vishing online or in the mail, sit up and pay attention. As this crime becomes more sophisticated, you’ll want to stay up to date.

If you receive a phone call from a person or a recording requesting personal information, hang up. If the call purports to be coming from a trusted organization, call that entity directly to confirm their request.

Don’t trust caller ID, which can be tampered with and offers a false sense of security.

Call your bank and report any fraud attempts immediately. The sooner you do, the more quickly the scam will be squashed.

Document the call, noting what was said, what information was requested, and, if possible, the phone number or area code of the caller, and report this to your bank.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

9 Warning Signs Your Identity Has Been Stolen

The Federal Trade Commission (FTC) provides the following list of warning signs that your identity may have been stolen:

  1. Accounts you didn’t open and debts on your accounts that you can’t explain
  2. Fraudulent or inaccurate information on your credit reports, including accounts and personal information, such as your Social Security Number, address, name or initials, or employer
  3. Failing to receive bills or other mail (this could indicate that an identity thief has taken over your account and changed your billing address—follow up with creditors if your bills don’t arrive on time)
  4. Receiving credit cards that you didn’t apply for
  5. Being denied credit or being offered less favorable credit terms, like a high interest rate, for no apparent reason
  6. Getting calls or letters from debt collectors or businesses about merchandise or services you didn’t buy.
  7. You may find out when bill collection agencies contact you for overdue debts you never incurred.
  8. You may find out when you apply for a mortgage or car loan and learn that problems with your credit history are holding up the loan.
  9. You may find out when you get something in the mail about an apartment you never rented, a house you never bought, or a job you never held.

The most efficient way to protect your identity is to use an identity theft protection service and get a credit freeze.

Robert Siciliano personal and home security specialist to Home Security Source and author of 99 Things You Wish You Knew Before Your Identity Was Stolen. Disclosures.

P2P Security Concerns for Small Business

Peer to peer file sharing is a great technology used to share data over peer networks.  It’s also great software to get hacked. This is the same P2P software that allows users to download pirated music, movies and software.

In my own P2P security research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for an entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

Installing P2P software allows anyone, including criminal hackers, to access your client’s data. This can result in business security breaches, credit card fraud and identity theft. This is the easiest form of hacking. There have been numerous reports of government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.

#1 Have P2P security policies in place that do not allow the installation of P2P software on your workplace computers or employee laptops.

#2 A quick look at the “All Programs Menu” will show nearly every program on your computers. If you find an unfamiliar program, do an online search to see what it is you’ve found.

#3 Set administrative privileges to prevent the installation of new software without your knowledge.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

5 Lessons Learned from RSA

A couple of weeks ago, the RSA Security conference took place in San Francisco, CA. The increasing sophistication of hackers and visibility of data breaches (including one on the conference’s namesake company last year) make this an exciting time to be in the security business. While this show is for corporate IT and security professionals, there are some things that consumers can take away from all of this.

Social networking sites are prime targets for cybercriminals: Hackers are aware of the large numbers of people using sites like Facebook, Twitter and YouTube, and are using this to their advantage by putting offers out there to try and get you to click on malicious links. Security companies are using social media to get the word out on protection and to help educate consumers – take the time to read their advice. McAfee pulls together lots of great content and advice and has over 575k on Facebook.

Hackers are targeting intellectual property: For a decade now, credit card numbers, Social Security numbers and everything needed to take over accounts or open new ones have been a target. Criminals still want all that, and they also want proprietary data that will help their nation or company get an edge.

Advanced Persistent Threats (APTs) will be a bigger topic: You’ve heard the term “it’s not a matter of IF, but WHEN” and this applies to APTs. APTs are ongoing threats where the intent is to persistently and effectively target a specific entity, and they can take criminals days to decades to achieve their goal.

Multiple layers of protection: For the enterprise, this is protection at all points, but this also applies to consumers. It used to be that all you needed was a firewall, then you needed antivirus, now you need anti-spam, anti-phishing, anti-spyware and, for heaven’s sake, make sure your wireless is protected too. This is just the beginning! Expect more layers to come.

Protect the data and the device: It used to be all you had to be concerned about was protecting your PC. Now you have to be equally proactive in protecting your Mac, tablet and mobile phone. You still need antivirus and all the different layers of protection mentioned in the point above, but you also need to be aware of what stuff you have on all your devices that can expose your personal information and identity.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

QR Codes Could Deliver Malware

You’ve seen barcodes all your life. So you know what they look like: rectangular “boxes” composed of a series of vertical lines. When a cashier scans a barcode, you hear a familiar beep and you are charged for that item.

A QR code looks different and offers more functionality. QR stands for “quick response.” Smartphones can download QR readers that use the phone’s built-in camera to read these codes. When the QR code reader application is open and the camera detects a QR code, the application beeps and asks you what you want to do next.

Today we see QR codes appearing in magazine advertisements and articles, on signs and billboards; anywhere a mobile marketer wants to allow information to be captured, whether in print or in public spaces, and facilitate digital interaction. Pretty much anyone can create a QR code.

Unfortunately, that’s where the cybercriminals come in. While QR codes make it easy to connect with legitimate online properties, they also make it easy for hackers to distribute malware.

QR code infections are relatively new. A QR scam works because, as with a shortened URL, the link destination is obscured by the link itself. Once scanned, a QR code may link to a malicious website or download an unwanted application or mobile virus.

Here are some ways to protect yourself from falling victim to malicious QR codes:

Be suspicious of QR codes that offer no context explaining them. Malicious codes often appear with little or no text.

If you arrive on a website via a QR code, never provide your personal or login information since it could be a phishing attempt.

Use a QR reader that offers you a preview of the URL that you have scanned so that you can see if it looks suspicious before you go there.

Use complete mobile device security software, like McAfee® Mobile Security, which includes anti-virus, anti-theft and web and app protection and can warn you of dangerous websites embedded in QR codes.
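One way a QR reader could build the URL preview recommended above, shown as an added example (it is not code from the original post or from any reader product). The function name, flag names and shortener list are assumptions made for illustration, and the sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of link-shortener hosts (assumption; not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}

# Hypothetical flag names with the explanation a reader app could show.
EXPLAIN = {
    "not-web": "not an http(s) link (plain text, phone number, app link)",
    "unparseable": "looks like a link but cannot be parsed",
    "no-https": "plain http: no encryption between you and the site",
    "userinfo": "text before '@' is not the site; the real host follows it",
    "ip-host": "destination is a raw IP address, not a named site",
    "shortener": "shortened link: the final destination is still hidden",
    "punycode": "internationalized name that may imitate another domain",
    "odd-port": "non-standard port for this scheme",
}
DEFAULT_PORT = {"http": 80, "https": 443}


def preview_qr_payload(payload):
    """Return (host, display, flags) for text decoded from a QR code.

    Only the string is inspected; nothing is fetched or opened.
    """
    text = payload.strip()
    try:
        parts = urlsplit(text)
        host, port = parts.hostname, parts.port  # port may raise ValueError
    except ValueError:
        return None, text, ["unparseable"]
    scheme = parts.scheme
    if scheme not in DEFAULT_PORT or not host:
        return None, text, ["not-web"]

    flags = []
    if scheme == "http":
        flags.append("no-https")
    if parts.username is not None:
        flags.append("userinfo")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-host")
    except ValueError:
        pass  # a named host, which is the normal case
    if host in SHORTENERS:
        flags.append("shortener")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode")
    if port is not None and port != DEFAULT_PORT[scheme]:
        flags.append("odd-port")

    # Lead with the real host so it cannot hide inside a long URL.
    display = f"{host}  [{scheme}://{host}{parts.path or '/'}]"
    return host, display, flags


if __name__ == "__main__":
    # Constructed payloads, as a QR reader would see them after decoding.
    for sample in (
        "https://www.example.com/menu",
        "http://bit.ly/abc123",
        "https://www.mybank.example@203.0.113.7/login",
        "tel:+15555550100",
    ):
        host, display, flags = preview_qr_payload(sample)
        print(display)
        for flag in flags:
            print("    !", EXPLAIN[flag])
```

A flagged link is not proof of malice; the flags only tell the user what the code itself hides, so the decision to open it is an informed one.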

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Small Business Tax Scams

The Internal Revenue Service issued its annual “Dirty Dozen” ranking of tax scams, reminding taxpayers to use caution during tax season to protect themselves against a wide range of schemes. These aren’t necessarily always perpetrated by an outsider trying to scam the business or individual; sometimes they are inside jobs that put the company in hot water.

Hiding Income Offshore

Over the years, numerous individuals have been identified as evading U.S. taxes by hiding income in offshore banks, brokerage accounts or nominee entities, using debit cards, credit cards or wire transfers to access the funds. Others have employed foreign trusts, employee-leasing schemes, private annuities or insurance plans for the same purpose.

“Free Money” from the IRS & Tax Scams Involving Social Security

Flyers and advertisements for free money from the IRS, suggesting that the taxpayer can file a tax return with little or no documentation, have been appearing in community churches around the country. These tax fraud schemes are also often spread by word of mouth as unsuspecting and well-intentioned people tell their friends and relatives.

False/Inflated Income and Expenses

Including income that was never earned, either as wages or as self-employment income in order to maximize refundable credits, is another popular tax scam. Claiming income you did not earn or expenses you did not pay in order to secure larger refundable credits such as the Earned Income Tax Credit could have serious repercussions.  This could result in repaying the erroneous refunds, including interest and penalties, and in some cases, even prosecution.

False Form 1099 Tax Refund Claims

In this ongoing tax scam, the perpetrator files a fake information return, such as a Form 1099 Original Issue Discount (OID), to justify a false refund claim on a corresponding tax return. In some cases, individuals have made refund claims based on the bogus theory that the federal government maintains secret accounts for U.S. citizens and that taxpayers can gain access to the accounts by issuing 1099-OID forms to the IRS.

Frivolous Tax Arguments

Promoters of frivolous tax fraud schemes encourage taxpayers to make unreasonable and outlandish claims to avoid paying the taxes they owe. The IRS has a list of frivolous tax arguments that taxpayers should avoid. These arguments are false and have been thrown out of court. While taxpayers have the right to contest their tax liabilities in court, no one has the right to disobey the law.

Abuse of Charitable Organizations and Tax Deductions

IRS examiners continue to uncover the intentional tax deduction abuse of 501(c)(3) organizations, including arrangements that improperly shield income or assets from taxation and attempts by donors to maintain control over donated assets or the income from donated property. The IRS is investigating tax fraud schemes that involve the donation of non-cash assets – including situations in which several organizations claim the full value of the same non-cash contribution.

Disguised Corporate Ownership

Third parties are improperly used to request employer identification numbers and form corporations that obscure the true ownership of the business.

Misuse of Trusts

For years, unscrupulous promoters have urged taxpayers to transfer assets into trusts. While there are legitimate uses of trusts in tax and estate planning, some highly questionable transactions promise reduction of income subject to tax, deductions for personal expenses and reduced estate or gift taxes.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Protect Your Small Businesses with Secure Flash Drives

USB flash drives are handy little devices that can cause big security headaches. Even with robust data security policies, USB drives often fall through the cracks (and out of pockets). These flash drives are often used by employees for both personal and business use, which could potentially spread a virus from a home PC to the corporate network.

Additionally, lost USB drives among other devices with storage can cause even bigger headaches resulting in data breaches. A survey by a U.K.-based company found that last year, 4,500 USB flash drives were forgotten in the pockets of clothes left at the dry cleaners and thousands more handheld devices were left in the back seats of taxis.

Computerworld reports that a 2007 survey by Ponemon of 893 individuals who work in corporate IT showed that USB memory sticks are often used to copy confidential or sensitive business information and transfer the data to another computer that is not part of the company’s network or enterprise system. The survey showed 51% of respondents said they use USB sticks to store sensitive data, 57% believe others within their organization routinely do it and 87% said their company has policies against it.

Flash drives can be a security mess. Organizations need to have business security policies in place requiring secure flash drives and never plugging a found stray cat into the network either.

Ensure all data stored on a secure flash drive is encrypted. TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures