Cellular Base Station Range Extenders Vulnerable to Attack

Low-powered cellular base stations are often found in residential homes and small businesses where mobile coverage is scant. The device, which is also known as a femtocell, connects to DSL or cable connections and extends cellular coverage to a functional level where cell towers simply don’t reach. Some cellular base stations can accommodate up to 16 devices indoors or outdoors. The benefits of deploying a cellular base station include better voice quality and stronger wireless internet connections over 3G or 4G.

A few of the mobile carriers offering cellular base stations include Vodafone, SFR, AT&T, Sprint Nextel, Verizon and Mobile TeleSystems. The devices cost under a few hundred dollars and offer a significant improvement in areas with poor wireless connections.

While all this is good and dandy, researchers discovered a flaw in the firmware of a top mobile carrier that may affect up to 30 other cell network devices.

The Register reports, “Security researchers have demonstrated a flaw in femtocells that allows them to be used for eavesdropping on cellphone, email and internet traffic. The researchers bought a femtocell for $250, and used open-source software to test out the bugging attack. They also managed to boost the range of the femtocell to enable a much wider radius of data-slurping beyond the advertised 40-meter radius. Since the firmware of femtocells is seldom updated, an attacker could eavesdrop for some time before being detected.”

Once notified of the firmware flaw, carriers are supposed to communicate with base station clients with a firmware update and instructions on how to install it. However, just like a consumer’s PC not being properly updated with antivirus or operating system-critical security patches, it is doubtful many of the devices have been updated.

If you have a cellular base station deployed in your home or office, it is advised that you contact your carrier and/or search out your cellular base station’s model number to see if there is a patch—and install it. Otherwise, anyone connecting to a cellular base station should employ virtual private network software such as Hotspot Shield VPN to encrypt wireless communications.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247.

10 Years: National Cyber Security Awareness Month 2013

Today marks the beginning of National Cyber Security Awareness Month (NCSAM). This year we celebrate the 10th anniversary of NCSAM. Since its inception a decade ago under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance, NCSAM has been a collaborative effort between government and industry to ensure every American has the resources they need to stay safe and more secure online.

NCSAM is the one month a year that everyone is proactively reminded that online security is everyone’s responsibility. Taking personal responsibility for life begins with you and taking personal responsibility for your security is no different. All of us need to take assertive action if we don’t want to end up in the dark because some criminal hacker decides to attack our critical infrastructure. Everyone has a role in securing their part of cyberspace, including the devices and networks they use. Individual actions have a collective impact and when we use the Internet safely, we make it more secure for everyone.

If each of us does our part—implementing stronger security practices, raising community awareness, educating young people, training employees—together we will be a digital society that is safer, more resistant to attacks and more resilient if one occurs. This means taking charge of our own security by investing time and resources to protect our devices and educating ourselves on online safety practices and the scams that hackers use.

Here are some basic steps you can take to do your part in this shared responsibility.

  • Update your security: Use up-to-date comprehensive security software and use the latest versions of your Web browser and operating system.
  • Update your privacy: When available, make sure to set your privacy and security settings to private or friends only on social media to reduce broad information sharing.
  • Password security: Make passwords long, strong and unique. Use upper and lowercase letters, numbers and symbols to create a more secure password and don’t use the same password for all your sites.
  • Protect mobiles too: All devices that connect to the Internet are vulnerable. Along with your PC, make sure to protect your Macs, smartphones, tablets and other Internet-enabled devices.
  • Exercise caution when using Wi-Fi: Wi-Fi hotspots are risky. Save your banking and shopping online for when you are using a secure connection.

To help celebrate and promote online safety, there are many events taking place during NCSAM that McAfee is participating in:

Tweet chat on October 10th at 12pm PT/3pm ET with the National Cyber Security Alliance, Visa, Department of Homeland Security, FTC, Paypal and AT&T on protecting your personal information and keeping your devices safe no matter how you’re accessing the Internet, especially via mobile. Use the hashtag #ChatSTC to join the conversation!

Intel and McAfee, along with the National Cyber Security Alliance, are making it easy for users to participate in NCSAM with Digital Lifehacks. These lifehacks provide simple tips to stay safe online and encourage sharing of this content by offering prizes like an Ultrabook™ and McAfee LiveSafe™. Learn more at www.mcafee.com/lifehacks. You can also join in the conversation on Twitter and online by using the hashtag #HackYourLife.

Remember, we all need to be vigilant about our own security—during NCSAM and all year long. Stay safe online!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Mirror Mirror Online, Who Is the Most Dangerous Celebrity of Them All?

We all do it. We probably all just don’t admit it. Well I admit it—I’ve searched for that elusive picture of Kimye’s baby North (who I thought would be called Kadence, but I’m not in the know, which is why I’m on the search engines constantly). But what most of us don’t realize is that searching for celebrities and other hot topics in the news could put us and our computers, smartphones and tablets at risk.

Cybercriminals know that search engines (like Google, Yahoo! and Bing) can also be used for criminal means. They know that if they use breaking news, celebrity gossip, or must-have free content, they are more likely to lure you into clicking on phony pages that are designed to steal your money and personal information.

Today, McAfee released research that found Lily Collins, star of The Mortal Instruments: City of Bones, has replaced Emma Watson as the 2013 Most Dangerous Celebrity™. McAfee found that searching for the latest Lily Collins pictures and downloads yields more than a 14.5% chance of landing on a website that has tested positive for online threats, such as spyware, adware, spam, phishing, viruses and other malware.

This actress and natural beauty can give you much more than you bargained for, so be careful what you ask that mirror on the wall. She first gained attention as Sandra Bullock’s (who’s #3 on the list) daughter in The Blind Side and has been gaining momentum with films such as Mirror Mirror and the Mortal Instruments series. She’s also daughter of renowned singer and songwriter, Phil Collins, and has been in showbiz for almost 20 years. With notoriety like she has, the bad guys are bound to pay attention.

The study uses McAfee® SiteAdvisor® site ratings, which indicate which sites are risky when attached to celebrity names on the Web and calculate an overall risk percentage. The study also found that, for a second year in a row, women are more dangerous than men, with Mad Men star Jon Hamm being the only male to crack the top ten.

So while it’s probably not feasible for us to stop searching on the latest hot topics and celebrity gossip, we can make sure we are safe while doing so. Here are some tips for you to stay safe online:

  • Be suspicious — If a search turns up a link to free content or too-good-to-be-true offers
  • Be extra cautious when searching on hot topics — Cybercriminals set up fake and malicious sites that dominate these time-sensitive search results
  • Check the Web address — Look for misspellings or other clues that the link might be directed to a phony website
  • Protect yourself — Use comprehensive security on all your PCs, Macs, smartphones and tablets, like McAfee LiveSafe™ service, which comes with a safe search tool that protects you from going to risky websites.

To learn more about Most Dangerous Celebrities™, click here or read the press release.

Follow @McAfeeConsumer for live online safety updates and tips and use hashtag #RiskyCeleb to discuss the Most Dangerous Celebrities of 2013 or like McAfee on Facebook.

Identity Thieves Go After the Deceased

There are a reported 2.5 million cases of identity theft among the deceased every year. Theft of deceased people’s identity happens partly because of the availability of public records coupled with the time it takes for credit bureaus, the Social Security Administration, financial institutions and others to process a deceased person’s Social Security number (SSN) in their systems and close all current and future lines of credit.

Many states’ vital statistics registries include Social Security numbers in their records and on their certified death certificates. Because these records are public, anyone can obtain a death certificate with a Social Security number. Criminals also seek out a recently deceased person’s information upon learning of his or her death via hospitals, funeral homes and obituaries. In some cases, the thief may have direct access to the person’s information from the inside, and in other cases the scammer contacts a relative posing as any of the above or a government agency.

The three credit bureaus maintain a list of the deceased based on data from the Social Security Administration’s Death Master File Index. Sometimes it takes months for bureaus to update their databases with the Social Security Administration’s Death Master File Index.

Relatives who learn of identity theft are not responsible for any fraud that occurs. However, they may find themselves spending lots of time explaining away the fact that the person is deceased—and death doesn’t always stop collection agencies from trying to get a loved one’s money, either.

Here’s how to keep that information from falling through the cracks.

  • Report the death yourself by calling the Social Security Administration at 1-800-772-1213.
  • Contact the credit bureaus directly to report a death and request the information to be recorded immediately.
  • Right now, before anyone perishes, get the person a credit freeze. Upon death (as in life), the person’s Social Security number will be useless to the thief.
  • Invest in identity theft protection. This is a layer of security that monitors one’s information, including Social Security number, in the wild. Have it activated for six months to a year after death.
  • The Identity Theft Resource Center suggests, “Immediately notify credit card companies, banks, stockbrokers, loan/lien holders and mortgage companies of the death. The executor or surviving spouse will need to discuss all outstanding debts. If you close the account, ask them to list it as: ‘Closed. Account holder is deceased.’ If there is a surviving spouse or other joint account holder, make sure to notify the company the account needs to be listed in that surviving person’s name alone. They may require a copy of the death certificate to do this, as well as permission from the survivor.”

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

5 Ways to Limit Mobile WiFi Risks

WiFi is everywhere, and some connections are more secure than others. There are five ways to ensure more secure use of a mobile WiFi connection:

Turn off WiFi. The most secure WiFi is one that is turned off. Disabling the WiFi signal on your device prevents anyone from seeing your device. If WiFi is turned off, your device will use your carrier’s more secure 3G/4G network for transferring data and will likely count against your data plan.

Forget networks. Auto-connecting to networks isn’t just a pain due to some networks not having internet access, which then disrupts whatever you are doing; auto-connecting is also a security issue. “Forgetting” or un-checking “auto connect” prevents your mobile from randomly connecting to just any available WiFi.

Never pirate WiFi. If you connect to a homeowner’s or small business’ random WiFi network without permission, that is illegal—and the WiFi may even be set up specifically to skim your data as it passes through the network.

Use a VPN. A virtual private network (VPN) uses encryption to protect your data from unauthorized access. You will need to connect to a server or use a service. A VPN server may be available through your workplace, or you can install one at home. A quick search in your mobile application store will result in numerous free and paid VPN client apps. Hotspot Shield VPN is free and fast and supported with advertising. The paid version is under 30 bucks without ads and is even faster. Refer to your device manufacturer or network administrator for more information.

Only use https. “HTTPS,” or hypertext transfer protocol (HTTP) with secure sockets layer (SSL, hence the S after “HTTP”), is a more secure option set up by a website owner who knows security is essential. Look for “https://” in the address bar to signify you are on a secure page. Even on an open, unsecured wireless connection, HTTPS is more secure than HTTP.


It’s Even Easier Now For Regular Folks To Conduct Cybercrime

Here’s a late night infomercial for you: How’s that burger flipping going? That cubicle working out? Anyway, I’m sure your boss is such a nice guy. Guess what! If you’re interested in a career in criminal hacking, you don’t even need a computer! This (scary) special, one-time offer comes to you right now from the Internet! Get your credit card ready!

Yes people, this is no joke. Everything you, ‘the average person,’ need to conduct cybercrime can now be purchased online—for example, you can get access to your spouse’s, neighbor’s or boss’s emails, conduct research, create malware, execute an attack—all of it! Today’s cybercriminals don’t need great technical expertise, or even need to own a computer. Everything can be available for a price.

I often hear people say, “If criminals just used their skills for good, think of how much money they could make and how much better the world would be.” The sad fact is that the bad guys can make in one day what the good guys make in a year.

In a new report called “Cybercrime Exposed,” Raj Samani, vice president and CTO of McAfee, exposes the shift that has taken place with cybercrime easily getting in the hands of everyday people. Here’s a quick snapshot of the report:

The growth of the cybercrime “as-a-service” business model allows cybercriminals to execute attacks at considerably less expense and with more easily accessible tools than ever before.

From renting services to buying email lists for a small sum, the types of exploits that are now available with a click of the button are shocking.

The four categories of cybercrime as a service are:

Research-as-a-Service—One of the primary items research is used for is discovering and identifying vulnerabilities in software or operating systems. The sale of this information can be used for bad or good, so this is why this is considered a gray market. It becomes a cybercrime when these vulnerabilities are sold on the black market so cybercriminals can use the “holes” to exploit users.

Crimeware-as-a-Service—This is what you’d expect to find for sale in the black market. It involves the sale of online tools, or development of tools that can be used by the bad guys to carry out a cybercrime attack. It also includes the sale of hardware that may be used for financial fraud (for example, credit card skimming) or equipment used to hack into systems.

Cybercrime Infrastructure-as-a-Service—Once the toolset has been developed, cybercriminals are faced with the challenge of delivering their exploits to their intended victims. An example of this service is the rental of a network of computers controlled by a hacker (known as a botnet) to carry out a denial-of-service (DoS) attack. What is DoS? That’s where the criminal floods a target website with large amounts of traffic so users can’t access the site.

Hacking-as-a-Service—Getting a hold of the individual components* of an attack remains one option; but there are services that allow a criminal to outsource everything about the attack.

This path requires minimal technical expertise, although it is likely to cost more than acquiring individual components and is often used by criminals wanting to obtain information such as bank credentials, credit card data, and login details to particular websites.

While the news is grim, the solutions are not. Here’s what you can do to protect yourself from the bad guys (or your neighbor):

  • For starters, use comprehensive security on all your Internet connected devices, like McAfee® LiveSafe, that includes antivirus, anti-phishing, anti-spyware and anti-spam, and a firewall
  • Keep your browser and your devices’ operating systems updated to make sure you receive critical security patches
  • Beware of any emails that might contain infected links
  • Secure your wireless connection by using encryption

And if you do decide to go into the business of being a criminal, make sure you have money in reserves for a lawyer because law enforcement and companies like McAfee are relentless in the pursuit of criminal groups or networks who steal your money, your information, or your identity and of those who engage in online abuse of children.

*Each cybercrime attack consists of a variety of components, such as getting a hold of usernames, email addresses, passwords, sending a phishing email, finding the mobile number, determining someone’s Operating System identification, etc.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices on YouTube. (Disclosures)

What’s the Point of $1 Million in Insurance for Identity Theft?

Honesty is the best policy, right? I’ve spent my life being honest, and do you know what the most important lesson I’ve learned is? The truth hurts. And when you (meaning me too) say it like it is, someone somewhere isn’t going to like it. So I’m being honest here: The $1 million identity theft insurance policy that identity theft protection services offer is baloney.

OK, I have no friends now…at least among those who provide identity theft insurance. I still like you, though.

Here’s some perspective: I just looked at my automobile insurance policy. It provides $300,000 if I drive over someone, mangle the person and leave him or her a paraplegic. But identity theft insurance provides more than three times that? Why? Why would they offer $1 million in insurance? Seems out of whack.

When identity theft protection was born, the one company that was first to market offered the $1 million insurance guarantee as an incentive (think creative marketing) to buy its service. It worked—lots of people bought. Bravo! However, the way the company marketed the $1 million insurance guarantee made it sound like you’d actually get a million dollars if your identity got stolen. I think someone got in trouble for that, and I think the government told the company the language had to be toned down.

So from that point on, all the other new kids on the block had to offer the same million-dollar guarantee in order to keep up with the Joneses. At one point, one of the identity theft protection startups even sent out a press release offering a $2 million guarantee. Which to me was comical, because it was obvious what the startup was doing…and it was, frankly, sad.

Now I’m not saying the $1 million insurance guarantee is useless, because it does provide value. Certainly there are costs associated with the cleanup and restoration of a stolen identity, and the way the services now read in the fine print is that they will spend up to a million dollars to fix your problem, which essentially is a good thing. In some cases the costs might revolve around lost wages, criminal prosecutions, lawyers (and you know how expensive they are…I do), etc. But how much might it cost to fix a stolen identity? Maybe five, 10, 15 grand? Maybe 50k? The court cases you see on TV that involve someone shooting and killing someone might cost the defendants a half million dollars. So…a million? It’s marketing.

So don’t base your choice of identity theft protection on the $1 million insurance guarantee. Base it on all the ways in which they seek out your data in the wild and what they’ll do to make sure you are made whole in the event of a breach.

So it’s official: I have no friends left. I really need to start lying more. Sorry, guys.


Danger: Wireless Toilets Next on Hackers’ List

Just about anything wireless is hackable today. Everything—from PCs to mobiles to tablets to home automation devices to pacemakers to insulin dispensers and even cars—is hackable.

And now “smart” toilets.

CNET reports, “[Smart] toilets can be controlled using an Android app, but the Bluetooth PIN is hard-coded to ‘0000.’ Just knowing that code number means the awesome power of the Satis (toilet) could fall into evil hands. All a hacker would have to do is download the My Satis app, get in range, pair it to the toilet using the code and flush away.”

Scary!

As we rely more and more on wireless communication, it is important to keep your wireless devices secure from hackers bent on flushing your data out. (That was bad.) Anyway…

  • Be smart about what kind of data you transmit on a public wireless connection. Limit your transmission of critical data and use secure sites, ones where “HTTPS” appears in the address bar. These sites have additional encryption built in.
  • Don’t store critical data on a device used outside the secure network. I have a laptop and an iPhone. If they are hacked, there’s no data on either device that would compromise my identity or financial security.
  • Turn off WiFi and Bluetooth on your mobile when you’re not using them. An unattended device emitting wireless signals is very appealing to a criminal hacker.
  • Beware of free WiFi connections. Anywhere you see a broadcast for “Free WiFi,” consider it a red flag. It’s likely that free WiFi is being used as bait.
  • Beware of evil twins. Anyone can set up a router to say “T-Mobile,” “AT&T Wireless” or “Wayport.” These connections may appear legitimate but are often traps set to ensnare anyone who connects to them.
  • Keep your mobile security software and operating system updated. Make sure your security software is automatically updated and your operating system’s critical security patches are up to date.


Workplace Violence Red Flags, Prediction and Prevention

Every school shooting, workplace shooting and even the Navy Yard shooting could have been prevented if we crowdsourced our security. The fact is that when someone’s about to “go postal,” that person tells the world in many obvious ways. Organizations that do nothing and say it can’t happen to them are next in line when it comes to being unprepared.

In the workplace violence prevention program, you will learn the red flags that at-risk students and employees exhibit and know how to best educate and inform front-line employees, managers and supervisors. When you recognize what methods to use, you will create an observant and security-conscious company culture.

You Learn How To:

  • Identify resources to reduce workplace risks.
  • Conduct an overview of workplace hazards.
  • Develop a policy plan to reflect company culture.
  • Screen potential employees.
  • Decipher the best high and low-tech options.
  • Secure the worksite premises.
  • Incorporate non-violent means of de-escalating violence.
  • Respond to crises, including rape and domestic violence.
  • Identify the signals and characteristics of potential offenders.
  • Intervene to assist overly stressed employees.

Top 11 Workplace Violence Red Flags by Robert Siciliano ©

Studies of workplace violence have built enough data to psychologically profile someone who is most likely to commit a potential act of violence. Any one or combination of the following traits should be reason for concern.

  1. Unreasonable: They constantly make slighting references to others. They are never happy with what is going on. They are consistently unreasonable.
  2. Controlling: They consider themselves as being superior. They feel a need to constantly force their opinion on others. They have a compulsive need to control others.
  3. Paranoid: They think other employees are out to get them. They think there is a conspiracy to all functions of society. They are essentially paranoid.
  4. Power Freaks: They may own firearms and have interests in military, law enforcement or underground military groups.
  5. Irresponsible: They don’t take responsibility for any of their behaviors, faults or mistakes; it is always someone else’s fault.
  6. Litigious: They may take legal action against the company, constantly filing one grievance after another. They blow everything out of proportion.
  7. Angry: They have many hate and anger issues on and off the job, whether it is with co-workers, family, friends, or the government.
  8. Violent: They applaud certain violent acts portrayed in the media such as racial incidents, domestic violence, shooting sprees, executions, etc. They may have had trouble with the law, even just a minor incident.
  9. Vindictive: They make statements like “he will get his” or “what comes around goes around” or “one of these days I’ll have my say.”
  10. Odd: They very well can be good at what they do, paying attention to the details, but lack people skills. Their presence makes others feel uneasy.
  11. Unhealthy: They might be experiencing sleep disorders, fatigue, sudden weight loss or gain, or other health related problems. They might be addicted to alcohol, prescription or street drugs.

Sometimes a combination of these traits including job loss is enough to lead to workplace violence. Further studies show that in addition to these traits, in days or weeks prior to a violent act, certain significant emotional events will push the employee over the edge.

Cybercriminals Camping Out on Hotel WiFi Using Evil Twins

When traveling on business or for pleasure, seeking out a reliable WiFi connection is usually a priority for most travelers. While mobile 3G/4G connections satisfy some, the speed of WiFi for laptops or uploading/downloading larger files doesn’t compare.

NBC news reports, “More and more hotels are stepping up and offering guests free WiFi, but security experts say some thieves are using the popular service to steal guests’ sensitive information, and they’re doing it by tricking people into using a fake free WiFi connection.

“A cyber thief creates a dummy WiFi connection using a mobile hot spot, and will give it a generic name to resemble a hotel’s actual WiFi connection, such as ‘Free Hotel WiFi.’ If a guest connects [his or her] laptop to the dummy WiFi, the thief gains access to all of the guest’s browsing activity, and will often times use a key-logger program to capture username and password information.”

This is called an evil twin: Anyone can set up a router to say “T-Mobile,” “AT&T Wireless” or “Wayport.” These connections may appear legitimate but are often traps set to ensnare anyone who connects to them.

Wireless users who connect to an evil twin risk their data being scraped by a criminal who captures all of their unencrypted communications that are going through his wireless router. Each and every wireless data packet is sniffed and captured by a software program that will later piece together all the information in order to steal identities. Unsecured, unprotected and unencrypted communications over an evil twin on any publicly connected WiFi (such as at a coffee shop, airport or hotel) are vulnerable to sniffers.
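The evil-twin pattern described above (a look-alike network name served by someone else's router) can be checked for in a WiFi scan. The following is an added example, not part of the original post: the network names, BSSIDs, scan rows and the idea of a pre-recorded baseline of trusted access points are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed baseline (assumption): access points the user or an
# administrator recorded earlier for networks they trust.
KNOWN_NETWORKS = {
    "GrandHotel-Guest": {
        "bssids": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
        "security": "WPA2",
    },
}

# Constructed scan results (assumption): what a WiFi survey might return.
SAMPLE_SCAN = [
    {"ssid": "GrandHotel-Guest", "bssid": "02:00:00:aa:00:01", "security": "WPA2"},
    {"ssid": "GrandHotel-Guest", "bssid": "02:00:00:EE:99:10", "security": "OPEN"},
    {"ssid": "Grand Hotel Guest", "bssid": "02:00:00:ee:99:11", "security": "OPEN"},
    {"ssid": "CoffeeShop", "bssid": "02:00:00:bb:00:07", "security": "WPA2"},
]


def normalize(ssid):
    """Reduce an SSID to lowercase letters and digits so that
    'Grand Hotel Guest' and 'GrandHotel-Guest' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def find_evil_twin_candidates(scan, known):
    """Return scan entries that imitate a trusted network.

    A trusted SSID served from an unrecorded BSSID, or with different
    security than the baseline, is flagged. So is an SSID that only
    matches a trusted name after normalization (a look-alike).
    """
    known_by_norm = {normalize(name): name for name in known}
    findings = []
    for ap in scan:
        ssid = ap["ssid"]
        bssid = ap["bssid"].lower()
        reasons = []
        if ssid in known:
            profile = known[ssid]
            if bssid not in profile["bssids"]:
                reasons.append("unknown BSSID for trusted SSID")
            if ap["security"] != profile["security"]:
                reasons.append(
                    "security %s differs from baseline %s"
                    % (ap["security"], profile["security"])
                )
        elif normalize(ssid) in known_by_norm:
            reasons.append(
                "look-alike of trusted SSID %r" % known_by_norm[normalize(ssid)]
            )
        if reasons:
            findings.append({"ssid": ssid, "bssid": bssid, "reasons": reasons})
    return findings


def mixed_security_ssids(scan):
    """Baseline-free check: SSIDs advertised with more than one
    security mode at once, e.g. both WPA2 and OPEN."""
    modes = defaultdict(set)
    for ap in scan:
        modes[ap["ssid"]].add(ap["security"])
    return sorted(ssid for ssid, seen in modes.items() if len(seen) > 1)


if __name__ == "__main__":
    for finding in find_evil_twin_candidates(SAMPLE_SCAN, KNOWN_NETWORKS):
        print(finding["ssid"], finding["bssid"], "; ".join(finding["reasons"]))
    print("Mixed security:", mixed_security_ssids(SAMPLE_SCAN))
```

A clean result is not proof of safety: a BSSID can be copied along with the name, so encrypting traffic with a VPN or HTTPS still matters on any shared network.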

On wireless connections that aren’t properly secured, your best line of defense is to use virtual private network software that protects your identity by ensuring that all web transactions (shopping, filling out forms, downloads) are secured through HTTPS. Hotspot Shield VPN is free and available for PC, Mac, iPhone and Android.
