75 Million Unique Malware Samples By 2012

Imagine your body being targeted by 75 million viruses. That is exactly what’s happening to your digital devices. Laptops, desktops, netbooks, notebooks, Macs, iPads, iPhones, BlackBerrys, Androids, and Symbian mobile phones are all being targeted. The most recent threats report from McAfee Labs reveals a grim outlook and a variety of threats.

Mobile: Android has become the most popular platform for new malware, and this past quarter, was targeted exclusively by all new forms of mobile malware. The Symbian OS (for Nokia handsets) remains the platform with the all-time greatest number of viruses, but Android is clearly today’s main target.

Malware: Rootkits, or stealth malware, are one of the nastiest threats we face. They are designed to evade detection, and thus are able to lurk on a system for prolonged periods. Fake AV, also known as fake alert or rogue security software, has bounced back strongly from previous quarters, while AutoRun and password-stealing Trojans remain at relatively constant levels. Mac malware continues to show a bit of growth as well.

Spam: Although spam volume has decreased significantly, McAfee Labs has observed major developments in targeted spam, or what’s often called “spear phishing.” Much like malware, total numbers are dropping but the severity of the threat and sophistication of the technique remain high.

Social engineering: Subject lines used for social engineering spam messages vary depending on geography and language. Bait can include holidays or sporting events, and often differs by month or season. Attackers have shown remarkable insight into what works for specific people at specific times.

Spam botnets: New spam botnet infections continued steadily from February through August of 2011, but dropped somewhat in September.

Bad URLs: Website URLs, domains, subdomains, and particular IP addresses can be “bad” or malicious, either because they are used to host malware, phishing websites, or potentially unwanted programs.

Phishing websites: McAfee identified approximately 2,700 phishing URLs per day during the second quarter of 2011, a slight decrease from the same period in 2010, when they counted 2900 per day.

Robert Siciliano personal and home security specialist to Home Security Source discussing identity theft on YouTube.

How to encrypt your email with PGP

Pretty Good Privacy (PGP) “is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, E-mails, files, directories and whole disk partitions to increase the security of e-mail communications.”

Say you have a manufacturing plant in China that makes a one of a kind widget and you have a U.S patent that you don’t want other companies stealing. Every so often you must send an email back and forth to your man of the ground in Beijing to update the specs and ways in which that product is to be created.  You know that if your emails are intercepted that it’s just a matter of time before a cheap knockoff comes on the market and kills your business. So, you better learn how to encrypt email.

This is where PGP email encryption comes in.

#1 There are PGP key generators online and others available in purchased or open source software. To create a PGP key you will plug in your email address and provide a password. Your security vendor can point you in a direction. Or go here to generate a PGP key.

#2 PGP keys are public and private. Your public key is posted to your website or contained in your email. People use this key to send you encrypted emails. The private key is kept private. My public key looks like this:

—–BEGIN PGP PUBLIC KEY BLOCK—–

mI0ETt1GvAEEAInk6+FnNbDug/VTJTqladmbymCx3Oh3LT/YQpB1/j8PavNAAhtr

nC5dwhludRTE2bAG28ZcPkK5j8aRZTYTmSpCjUOfwNRaIott0L4SKSgLbkUWDfim

pbEOTLN9eTmStNispjWVdmP099t5SJqsGvkPBhCxLHOCxxPae0037Lb1ABEBAAG0

FnJvYmVydEByb2JlcnRzaWNpbGlhbm+InAQQAQIABgUCTt1GvAAKCRDVXcwnBdX+

k3poA/93D0usqCSemcf0jE8BMUlqIHxdblH7eH4IXngjV+bgfZxeX6pK6BuxMghN

6NaX8VqOHV574MctAnxVkGqqjJH4jALQn+ExoG9YFh004UK46pa4BCoh+xkD72zu

dGm3I3xVjj7g3e7XJ0R7aVDStK1s+7izd00PzbJP9xDI9MqJUA==

=22J2

—–END PGP PUBLIC KEY BLOCK—–

 

#3 When receiving an encrypted email you plug in your private key that looks a lot like a public key and include the password.

Find here a cool free online tool that generates PGP keys for fun and lets you see how PGP email encryption is done.

Caution: I’m not sure of what’s going on in the background of this site so I can’t recommend using this key generator for ongoing secure use.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussingADT Pulse on Fox News. Disclosures

 

Is Email Encryption Right for Your Business?

The Privacy Rights Clearing house currently tallies 542,608,451 records breached in the past 5 years. Unsecure email certainly contributes to the problem. Small business email (or any email) starts off on a secure or unsecure wired or wireless network then travels over numerous networks through secure or unsecure email servers often vulnerable to people who are in control of those servers.

There is also plenty of hacking and cracking tools bad guys (and good guys) use to sniff out that data in plain text.

With criminal hackers, government funded hackers and the various other snoops, email encryption today is essential.

In a recent study by Ponemon Institute, the latest U.S. Cost of a Data Breach report, which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.

If your business operates under some form of regulation whether it is finance, healthcare, or any other regulation where fines are imposed in the event of a data breach, then email security should be a fundamental layer of your company’s information security protection plan.  Plain and simple if you are concerned about compliance with regulations like HIPAA and the HITECH Act and the numerous state data breach notification laws look to email encryption.

At its basic level PGP encryption is one way to provide email encryption. More on that in the next post.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussingADT Pulse on Fox News. Disclosures

Data Privacy Day 2012

Lately, it seems that barely a day goes by when we don’t learn about a major Internet presence taking steps to further erode users’ privacy. The companies with access to our data are tracking us in ways that make Big Brother look like a sweet little baby sister.

Typically when we hear an outcry about privacy violations, these perceived violations involve some apparently omnipotent corporation recording the websites we visit, the applications we download, the social networks we join, the mobile phones we carry, the text messages we send and receive, the places we go, the people we’re with, the things we like and dislike, and so on.

How do they do this? By offering us free stuff to consume online and infrastructure for the online communities that tie us together. We gobble up their technologies, download their programs, use their services, and mindlessly click “I Agree” to terms and conditions we haven’t bothered to read.

What’s the point of all this? Sales, marketers, advertisers, other businesses benefit from knowing every last detail about you—the “33 bits of information” necessary to pin down your identity—in order to deliver precisely targeted advertisements to your digital device of choice, whether that’s a computer, tablet, or smartphone.

Should we care? What is the potential danger? “Back in the day,” examples might include telemarketers abusing your phone number by calling incessantly, or direct marketers filling your mailbox with junk mail.

Today, it’s spammers sending unwanted emails, or the same advertisement from the same company popping up again and again on every single website you visit. The concern is that this could go from annoying to frightening.

Privacy advocates are working to prevent the worst and most extreme outcomes of personal data collection. They know that without checks and balances, without consumers knowing their rights and actively protecting their own privacy and personal data, that data could be used unethically.

Privacy is your right. But realize that in our wired, interconnected world, privacy only really consists of what you say and do within your own home, legally, with the shades pulled down, between you and your loved ones, that is not communicated, recorded, broadcast, or reproduced on the Internet or any public forum in any way. Beyond that, especially when taking advantage of various online resources, be sure that you know what it is you’re agreeing to and take precautions to protect yourself.

Saturday, January 28th is Data Privacy Day which promotes awareness about the many ways personal information is collected, stored, used, and shared, and education about privacy practices that will enable individuals to protect their personal information.  This is a good time to check your privacy settings on social networking and other sites you use, ensure you have a strong password and be aware of where and with whom you are sharing your personal data with.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

How To Steal A Car: Hack It!

No more jimmying doors with a Slim Jim, bricks through windows, extracting lock cylinders with a dent puller, or hot-wiring ignitions. Automobiles today are being built to include wireless capabilities that allow for remote unlock, remote start, and of course, there’s global positioning systems (GPS) and services like OnStar and ATX, which offer “telematics,” or information and communications technology. While these services appear relatively secure, researchers in controlled environments are searching for vulnerabilities.

OnStar offers “RemoteLink,” an application for the iPhone or Android, which allows Cadillac, Chevrolet, Buick, or GMC owners to view real-time data including fuel range, gallons of gas remaining, lifetime miles per gallon (MPG), lifetime mileage, remaining oil life, tire pressure, and account information. Chevrolet Volt owners can view their car’s electric range, electric miles, MPG, and the battery’s state of charge. Users can also use the application to remotely perform certain commands, such as unlocking doors.

While all this new technology provides us with convenience and useful information, it may also leave use open to risk. Researchers in San Francisco have been able to access a car’s central computer processor through an Internet-connected car alarm, and in Seattle, researchers “blacked out the make and model of a car that offered multiple pathways for hackers a thousand miles away to send out GPS coordinates, open the doors, and have a colleague drive away without a key in the ignition.” And a New Jersey man has developed an iPhone app that lets him unlock cars and start engines by voice.

As with most technological advances, functionality and form come well before security. But now that researchers have demonstrated the frightening vulnerabilities inherent in cars’ computers, automobile manufacturers are working with companies like McAfee to develop firewalls that will protect the latest high-tech vehicles from hackers and thieves.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

Phishing Scammers Target Macs

On Christmas Day, 2011, Apple product users were targeted by a major phishing attack. The Mac Security Blog reported, “A vast phishing attack has broken out, beginning on or around Christmas day, with emails being sent with the subject ‘Apple update your Billing Information.’ These well-crafted emails could fool many new Apple users, especially those who may have found an iPhone, iPod or iMac under their Christmas tree, and set up accounts with the iTunes Store or the Mac App Store for the first time. The messages claim to come from appleidATidDOTappleDOTcom.”

As in most phishing emails, the template and body of the message mimicked Apple’s logo, design, colors, and font. When users clicked links within the email, they were directed to a spoofed website that also had the same Apple feel. Once users entered their personal information, they might be thanked for “updating” their account, or simply wind up in the Internet abyss.

One way to determine whether an email is legitimate is to hover your curser over any links and look at the text displayed. If a link isn’t something like http://store.apple.com or https://appleid.apple.com, it’s a fake.  To learn more about how to recognize a phishing attempt, watch this video from McAfee.

While I’m on the subject, however, I may as well mention that I don’t recommend clicking any links within emails, regardless of what the domain says. The safest way to determine whether your account needs updating is to log into your Apple account directly, at https://appleid.apple.com. If there is a problem, you will be notified via internal messages within your account. If not, assume the email is a phish and delete!

And remember, just because you are using a Mac, it does not mean that you are safe from web threats, so make sure you stay educated on the latest threats, use comprehensive security software and be wary of things that sound too good to be true.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

5 Digital New Year’s Resolutions For Parents

McAfee recently distributed a press release and the line that caught my eye was, “Now is the time for parents to model good behavior and etiquette.”  it This wasn’t something you’d normally expect to see from a major security company, so intrigued, I read on.

Instruction in etiquette and good behavior is something we could all probably use a little more of. And when I read McAfee’s “5 New Year’s Resolutions,” I realized that even though I have young children, I ought to brush up on some digital etiquette myself. It’s not too late to do your resolutions or start news ones or just brush up on your online safety.

McAfee suggests that parents begin the New Year with resolutions that address their own behavior, so they can model best practices for kids and teens:

When I’m with my children, I pledge not to spend more than 10% of the time on my phone or computer.
Adults spend about 3.5 hours day perusing the Internet or staring at their cell phone each day, according to estimates from eMarketer. This year, make a promise to give your full attention to your children, and develop a plan to limit your use of electronic devices.

I will not communicate with my children via text when they are in the house.
One downside of technology is that fewer people actually speak to one another. A Kaiser study found that children in grades 7-12 spend an average of 1.5 hours a day sending or receiving texts.

I will not give my child access to an Internet browser on a smartphone or tablet that is not safe for them to use.
It’s important for parents to shield children from cyber-danger by filtering explicit content on smartphones and tablets via applications such as McAfee Family Protection or McAfee Safe Eyessoftware. This software can prevent children from establishing or accessing social networking accounts, limit Internet use, and block inappropriate websites or messenger chats.

I will be prepared to have a “texting intervention” if my teen’s thumbs begin to look like tiny body-builders.
Texting may be a quick and easy way to interact with others, but the impersonal nature of the communication and frequency of use can cause problems.

I will have “the talk” with my kids, to discuss what they are doing and with whom they are connecting online.
Children often lack an understanding of online dangers, or they may lack the maturity to make appropriate decisions.

By modeling good behavior and ensuring that children’s experiences on Internet-connected devices is a safe and healthy one, parents can ensure a 2012 that is free of digital drama.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

Beat the January Blues by Updating and Upgrading Your Digital Technology

A new year is always a welcome opportunity to start fresh, clean up, clean out, update, and upgrade. I’ve always believed that if you aren’t moving forward, you’re moving backward. Staying still in one spot really means that the people and the world around you are passing you by.

This philosophy also relates to the management of your digital life. Old technology isn’t necessarily outdated, but it may need updating, while obsolete technology certainly needs upgrading.

Old PCs: Thanks to “the cloud,” even an old Windows XP machine can have a new lease on life. Reinstalling the operating system and using it for cloud-based applications like mail and Google docs can allow a relic to function better than its old self ever did.

New PCs: I have a Windows 7 desktop that drags a bit, does weird things, and makes the occasional funny noise. It’s about two years old and still in relatively good shape, despite the random glitches. It’s just a matter of time, however, until it degrades to a point where it either stops working or becomes too frustrating for me to deal with. So, while that one is still functioning, I bought another desktop for about $500 that’s better, faster, and has more of everything I want in a work machine. I’ll load the new computer up with all my software and when it’s 100% ready, I’ll make the switch. Meanwhile, the old computer will still work well as a media center.

Old mobiles: If you are still using a feature phone, that’s fine. For many people, all a phone needs to do is be a phone. But make sure to at least consult the manufacturer’s website, because their may be upgrades to your phone’s operating system that can improve its functionality or security.

New mobiles: The technology in smartphones today is just astounding. Whether you use an iPhone, Android, or even a BlackBerry, having the world at your fingertips makes getting things done far more efficient. Besides the obvious benefits of communications, multimedia, and online shopping, a smartphone is a great way to save money. Just the other day, I went to a store to make a purchase and was floored by the cost of an item that I usually buy every two or three years. I immediately went online via my smartphone and found what I was looking for, for 90% less than what I had almost paid. Frankly, I don’t know how brick-and-mortars survive when consumers have this kind of access to price comparisons.

Modem: Your ISP-issued modem starts dying right out of the box. It’s just a matter of time until it starts acting up. If you’ve had it for over a year, take it to your local service center and get a new one.

Router: If you are on a wireless G and all your devices can talk to N, upgrade to N. This process is not for the faint of heart. Depending on the sophistication of your network, this could be a bear. However, by taking screenshots of all your settings and starting fresh, you will have a better Internet experience. If you are happy with the current brand you have, simply upgrade to the newest model for a smoother transition.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Cross-Device Security Means “All Access”

You may have a laptop, desktop, netbook, notebook, Ultrabook, tablet, Mac, or mobile phone. You might be single, married, or have ten kids. Either way, you probably have at least one, if not six or more, devices requiring comprehensive security. My family of four has 12 devices, all of which I do my best to lock down like the digital equivalent of Fort Knox.

In order to manage multiple devices “cross-platform,” wherein one device may run Mac OS X while another runs Windows, while your phone is completely different, you need a security solution that is comprehensive, affordable, and straightforward.

PC Magazine selected McAfee All Access for its Editors’ Choice Award, scoring the product with 4.5 stars out of 5 and praising the thoroughness of the protection offered, for any and all devices an individual or a household might own.

McAfee All Access Wins Editors’ Choice Award

In contrast to traditional consumer security products that only offer per-device subscriptions, McAfee All Access is the first solution that uniquely protects all of the PCs, Macs, smartphones, and tablets owned by an individual or household. By providing consumers with a simple, cost-effective means to holistically safeguard all of their devices, McAfee All Access also represents a fundamental shift in the way consumers think about security.

McAfee All Access users can download, activate and manage essential protections from a central console, enabling them to safeguard personal data, defend against malware, and protect kids as they browse online by allowing parents to filter inappropriate content, including YouTube videos and explicit music lyrics, and monitor the use of social media.

Learn more about McAfee All Access.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

 

FBI Needs Your Help to Take Down Cyber Fraud

Public–private partnership (PPP) describes a government service or private business venture which is funded and operated through a partnership of government and one or more private sector companies.

Here’s an example of “public-private partnerships”: Six Estonian nationals have been arrested and charged with running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry. Users of infected machines were unaware that their computers had been compromised—or that the malicious software rendered their machines vulnerable to a host of other computer viruses.

Beginning in 2007, the cyber fraud ring used a class of malware called DNSChanger to infect approximately 4 million computers in more than 100 countries. There were about 500,000 infections in the U.S., including computers belonging to individuals, businesses, and government agencies such as NASA.

The FBI further states “A complex international investigation such as Operation Ghost Click could only have been successful through the strong working relationships between law enforcement, private industry, and our international partners.”

The private partnerships refer to corporations just like yours who may have been affected by a virus or play a role in information security that help track down the bad guys.  “PPP involves a contract between a public sector authority and a private party, in which the private party provides a public service or project and assumes substantial financial, technical and operational risk in the project.” 

As President John F Kennedy once said “Ask not what your country can do for you – ask what you can do for your country”.  Today that may mean taking down international cyber criminals.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussingADT Pulse on Fox News. Disclosures