Home Invasion results in Child Casualties

Two young girls died after a man broke into their second-story Cleveland apartment and set it afire. This was after the man forced the 55-year-old babysitter (the children’s aunt) into a bathroom, where she remained—until she began smelling smoke. Then she fled outside and later reported that the man had started the fire.

Ironically, in the week prior, the victims’ mother had been robbed at gunpoint. The man who broke in and the man who robbed the mother are still at large, and police aren’t sure whether they are the same man.

Could this home invasion have been prevented? Possibly. Here are tips that will go a long way in preventing someone from breaking or forcing their way into your home:

  • Never speak to a stranger when all that separates you from that person is a screen door. Even worse is talking to a stranger when no screen is between the two of you. If possible, speak to them only through a locked door.
  • Instruct your children, or any kids in your house, never to respond to a doorbell ringing or knocking at any doors of the house. This includes even if you’re expecting someone, including pizza delivery. This also includes if you happen to be momentarily indisposed.
  • Get a burglar alarm system and keep it on, always. This means you’ll need to remember to turn it off when opening the door (or window). Kids in the house will also need to learn to turn it off or ask you to turn it off when they want to go out.
  • If you think that the previous suggestion is too difficult to manage, it’s important to realize that not all burglars (or rapists) knock or ring bells. Some will break in and you won’t know it till they’re inside your home pointing a gun at you.
  • A 24-hour camera surveillance system should be installed. The sight of a camera or the warning sign from the system’s company can be a strong deterrent to a break-in. Cameras should be aimed at all doors and entry points.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Mobile Phone Hacking: proactive and reactive Responses

Mallorie’s Android phone was acting odd, like it was possessed. The thing had a mind of its own, sending garbled texts and gambling. Ghost? Or hacked?

Mallorie locked down the phone when it was charging so it wouldn’t purchase poker chips. One day she forgot to lock it and it went on a shopping binge. Packages began appearing at her doorstep.

Obviously, someone had access to her credit card. But how? And what could poor Mallorie do to disable this thief?

Millions of mobile devices get infected. But police officers won’t bother with this. Mallorie cancelled her credit card and deleted the “possessed” apps. Then she crossed her fingers.

How do mobile phones get attacked?

A study showed that 86 percent of Android malware employs “repackaging.” Here’s how it’s done:

  • Download an application
  • Decompile it.
  • Add malware.
  • Recompile the app.
  • Submit it back into public circulation—after changing its name.
  • Someone else downloads this changed-name application, and the malicious payload infects their device.
  • A repackaging variation, “updating,” involves adding code that will tag on a malicious payload at a later date.
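
A defender-side check for the repackaging steps listed above, added here as an example and not taken from the study or the original post: a repackaged app keeps most of the original’s files but cannot be signed with the original developer’s key, so high content overlap combined with a different signing certificate is the tell. The APK contents, the 0.5 threshold and the certificate digests are constructed placeholders, and the signer digest is assumed to be obtained separately (for example from `apksigner verify --print-certs`).

```python
import hashlib
import io
import zipfile


def content_hashes(apk_bytes):
    """SHA-256 of every file in the archive except META-INF/ (signature data)."""
    hashes = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.upper().startswith("META-INF/"):
                continue
            hashes.add(hashlib.sha256(zf.read(info)).hexdigest())
    return hashes


def compare(reference, candidate, threshold=0.5):
    """Compare a candidate APK with a known-good reference.

    Both arguments are dicts with 'apk' (raw bytes) and 'signer' (digest of
    the signing certificate, supplied by the caller). The threshold is an
    assumed value for this example, not a published figure.
    """
    ref = content_hashes(reference["apk"])
    cand = content_hashes(candidate["apk"])
    union = ref | cand
    # Jaccard similarity: shared files / all distinct files in either app.
    similarity = len(ref & cand) / len(union) if union else 0.0
    if candidate["signer"] == reference["signer"]:
        verdict = "same-signer"        # e.g. a genuine update
    elif similarity >= threshold:
        verdict = "likely-repackaged"  # mostly the same files, different key
    else:
        verdict = "unrelated"
    return {"similarity": round(similarity, 2), "verdict": verdict}


def _make_apk(entries):
    """Build a constructed APK (a ZIP archive) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: resources that survive a decompile/recompile cycle.
_SHARED = {
    "resources.arsc": b"string table",
    "res/layout/main.xml": b"<layout/>",
    "res/drawable/icon.png": b"icon bytes",
    "res/drawable/table.png": b"table bytes",
    "assets/cards.dat": b"card data",
    "lib/armeabi-v7a/libengine.so": b"native engine",
}
ORIGINAL = {
    "signer": "publisher-cert-digest-placeholder",
    "apk": _make_apk({**_SHARED, "AndroidManifest.xml": b"label=Card Night",
                      "classes.dex": b"original code",
                      "META-INF/CERT.RSA": b"publisher signature block"}),
}
CANDIDATES = {
    # Renamed copy: new label, modified code, re-signed with another key.
    "renamed_copy": {
        "signer": "other-cert-digest-placeholder",
        "apk": _make_apk({**_SHARED, "AndroidManifest.xml": b"label=Lucky Cards",
                          "classes.dex": b"original code plus added code",
                          "META-INF/CERT.RSA": b"other signature block"}),
    },
    # Genuine update: code changed, but signed with the publisher's key.
    "update": {
        "signer": "publisher-cert-digest-placeholder",
        "apk": _make_apk({**_SHARED, "AndroidManifest.xml": b"label=Card Night v2",
                          "classes.dex": b"original code v2",
                          "META-INF/CERT.RSA": b"publisher signature block v2"}),
    },
    # A different app altogether.
    "flashlight": {
        "signer": "third-cert-digest-placeholder",
        "apk": _make_apk({"AndroidManifest.xml": b"label=Flashlight",
                          "classes.dex": b"flashlight code",
                          "res/drawable/icon.png": b"torch icon"}),
    },
}


def demo():
    return {name: compare(ORIGINAL, c) for name, c in CANDIDATES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
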


How can you tell your mobile has been infected?

  • It begins behaving oddly. Something is off—sometimes slightly, sometimes blatantly, such as the device sending your address book to a foreign IP address. Connect your mobile to a Wi-Fi network and see where it sends information.
  • Unfamiliar charges on the bill. Malware on a phone will produce unauthorized charges. The device is hooked to an accounting mechanism, making it a snap for thieves to send premium SMS text messages or make in-app purchases—which cost you money.

How can you protect your mobile?

  • Keep its software up to date: easy to do on iOS but difficult on Android.
  • Some phones cannot be updated; these phones have OS vulnerabilities within them, making them open to attack. Users end up downloading malware which uses this OS vulnerability to infect the device.

Android vs. iOS for security

  • iOS beats Android for security against malware.
  • Apple placed restrictions on application functionality (e.g., premium SMS messages can’t be sent), which is why Android isn’t as secure against malware as is iOS.
  • Another reason: Android’s app review process is not top-notch at screening out bad applications (but it’s improving).
  • Both Android and iOS allow your personal data to leak out to ad networks. This isn’t considered malicious since a user may wish this to occur.

Scope of Problem

  • The verdict isn’t quite out on this.
  • Some say the problem is limited just to third-party app sellers and this can be avoided by going to iOS’s or Google Play’s app store.
  • Others believe everybody has a compromised application on their mobile.
  • More research is warranted to define scope of problem.

Who should protect the user?

  • The app maker? The carrier? Or the operating system provider?
  • Nobody has taken this responsibility currently. It’s kind of like a “that’s not my problem you downloaded a malicious app that we didn’t write,” or, “You wanted it; I only delivered it—not my problem.”
  • The buck is passed because user protection is expensive.

Solutions?

  • It would be great if the app store could provide very in-depth screening for all the types of malicious actions that apps can perform.
  • The caveat: This isn’t in the platform provider’s best interest because they want their store to carry a lot of applications.
  • Stores want more and more apps, and better ones, and don’t want anything to slow that process down.
  • Data can be secured when you communicate via a wireless network with a VPN like Hotspot Shield VPN. All web transactions can be secured via https.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

IT Guys get duped by Pretty Girl on Social Media

Defenses of a U.S. government agency were duped by an experimental scam created by security experts.

The “scam” involved Emily Williams, a fictitious attractive woman with a credible online identity (including a real photo used with a real woman’s permission), posing as a new hire at the targeted agency.

Within 15 hours, the fake Emily had 55 LinkedIn connections and 60 on Facebook, with the targeted agency’s employees and contractors. Job offers came, along with offers from men at the agency to assist her with her new job.

Around Christmastime the security experts placed a link on Emily’s social media profiles linking to a Christmas card site they created.

Visits to this site led to a chain of events culminating in the security team stealing highly sensitive information from the agency. Partner companies with the agency were also compromised.

The experimenters got what they sought within one week. The penetration scam was then done on credit card companies, banks and healthcare organizations with very similar results.

An authentic attacker could have easily compromised any of the partner companies, then attacked the agency through them, making the assault more difficult to detect.

Recap: The scam began from the ground up, inflating Emily’s social network till it enabled the attack team to suck in security personnel and executives. Most of the people who assisted Emily were men. A similar experiment using a fake male profile had no success.

Preventing getting suckered into Social Media Scams

  • For agencies and other organizations, social engineering awareness training is crucial, and must be done constantly, not just annually, as is typical.
  • Suspicious behavior should always be questioned.
  • Suspicious behavior should be reported to the human relations department instead of shared on social networks.
  • Work devices should not be used for personal activities.
  • Access to various types of data should be protected with separate and strong passwords.
  • The network should be segmented to guard against scammers infiltrating a network segment simply because an employee with access to another segment was compromised.
  • Learn from this. Reverse engineer this same scenario in your own life or organization to see how this might happen to you.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

Next Steps in Wearable Tech

Tech devices are rapidly evolving from those you carry around with you in a pocket to those you wear on an arm, and they seem to be getting smaller and smaller. We have the laptop as the progenitor, culminating in the smartphone and tablet.

And beyond: Google Glass, a computer you wear, freeing your hands, that can connect to the Internet via voice commands. The “smartwatch” is now in the works. Plus, there are little fitness gadgets you can wear that record vital data including number of steps taken in a day.

Inspiration for an Invention

Isabel Hoffman’s daughter, 14, became very sick after moving to America from Europe. Doctors couldn’t diagnose her.

Hoffman, an entrepreneur, then took her daughter to Dr. Neil Nathan, who diagnosed the teen with toxicity to the mold Aspergillus penicillium. A house mold test confirmed this. The Hoffmans moved, and the girl was put on a gluten free diet, since the toxicity causes gluten intolerance, and her health was restored.

Hoffman wondered how many other people suffer with unexplained ailments. So she, with a partner who’s a mathematician, created a handheld device: TellSpec.

Point it at or hold near an object, including food, and it transmits ingredient information to its smartphone app and displays the data.

Have celiac disease? Scan foods with TellSpec to see if they have gluten. Allergic to soy or simply want to avoid it? Hover the device, which is smaller than a mobile, near the food to get your readout on your smartphone.

TellSpec also supplies information about potential health issues with the ingredient. Sounds like “Star Trek,” but this device will be on the market August 2014.

How Wearable Technology will save Lives

  • Can identify substances in foods that can literally kill a person with an allergy, such as peanuts, or harm a person, such as gluten.
  • Can identify sugar content: valuable for diabetics.
  • Can identify toxins in water and walls.
  • Current wearable devices can track blood pressure, heart rate and other vitals: data that not only is helpful to fitness conscious people, but those with medical conditions.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247.

Corporate BYOD puts Client Data at risk

When employees improperly use mobiles, they put their companies at risk for data breaches. This includes leaving lots of sensitive data on the devices—which can pave the way to leakage of data, plus other issues.

Mobile device use in workplaces is increasing—and so are its associated security risks. Current security measures are lagging behind the increased rate of mobile device use in the corporate realm.

One study showed not only that a lot of company information was left on handsets, but that personal information was left on them as well, putting employees at risk for personal compromises.

This small study demonstrates a clear need for improved guidelines and policies governing smartphone use and security of the devices. This becomes even more relevant as businesses turn more to cloud storage for data.

The use of non-approved software-as-a-service (SaaS) apps by employees is widespread, according to a McAfee study. These apps are not approved by the company’s IT department. Employees can easily bypass the IT department by using the cloud. The study showed:

  • Over 80 percent of survey participants reported using unauthorized SaaS apps.
  • About 35 percent of SaaS apps used on the job are not approved.
  • About 15 percent of users have had a security problem using SaaS.

Employees may not realize that their chosen SaaS apps are poorly safeguarded. Such employees aren’t malicious; they’re just trying to be more efficient. Businesses need to find the right balance of protecting themselves yet allowing employees to use apps for increased productivity.

An ideal situation would be to monitor SaaS apps and apply policies that do not inhibit employees’ ability to be productive.

A recent Forbes article got my attention, and the author’s solutions make good business sense.

Six Solutions

1) XenMobile. This allows IT to secure and manage smartphones, data and apps, and establish policies based on smartphone ownership, location or status. Users can then more easily access the web, e-mail, corporate apps and documents with a single click on a mobile.

2) Airwatch. This mobile device system provides management of apps, content and e-mail, to oppose inadvertent mismanagement of smartphones by employees (e.g., storing documents in vulnerable locations).

Just enter username and password; Airwatch will wirelessly and automatically configure all the settings, apps, security policies and more based on the worker’s role in the company.

3) Mobile Iron. This system manages and secures apps, devices and content, ideal for businesses that support the BYOD program. Personal content can be separated from corporate content, protecting the employee’s private data.

4) Good Dynamics secure mobility platform. This is a BYOD program that keeps employees productive while zeroing in on security. Personal data is partitioned off from business data to protect programs like e-mail.

5) Samsung Knox. This system is for Android devices, managing with a multi-tiered security approach. One’s network will be protected from malware, hacking, viruses and non-approved access.

6) Protect your BYOD on wireless networks. Use VPN if you’re on a portable wireless device. Hotspot Shield VPN is free, though its paid version is more expanded and faster. First launch Hotspot before you use your PC laptop, iPad or iPhone to connect to free public Wi-Fi services like at the airport or at a coffee shop or hotel.

Your entire web surfing session will then be protected. All of your connections will be secured. This will eliminate some of the aggravation for your company’s IT department.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

10 Tips to Keep Your Data Private Online

The Internet has become an essential tool for most of us and a part of our everyday lives. We rely on it to send/receive emails, post/share photos and messages on social networking sites, shop for clothes, search for information, etc. But how do all these online activities affect your privacy?

Your online privacy depends on your ability to control both the amount of personal information that you provide and who has access to that information. Unfortunately, some of us are too casual and careless with how we manage our personal information and activities online. This leaves us vulnerable to identity theft and invasion of our privacy, both from legitimate and illegitimate sources.

That’s because your personal information, including your email address, phone number and Social Security number and other personally identifiable information, is worth a lot of money. The bad guys will use it to steal from you and businesses want to know as much about you as possible so they can sell you more products and services or serve you ads that are highly relevant to your demographics and preferences.

So take these simple steps to protect your valuable personal information:

  1. Be careful what you share and post online. Remember, don’t post or share anything that you wouldn’t want shared publicly, even if you think you’re just sending it to one person.
  2. Don’t freely give out personal information online any more than you would to a stranger on the street. Keep personal information (such as your hometown, birth date with year and phone number) off social networks.
  3. Don’t send any sensitive information when connecting over public Wi-Fi (e.g. don’t do banking or shop online).
  4. Use private browsing mode on your Internet browser or at least turn off your browser cookies.
  5. Never reply to spam or unknown messages, whether by email, text, IM or social networking posts from people you don’t know—especially if it’s for an offer that sounds too good to be true.
  6. Only friend or connect with people online you know in real life.
  7. Make sure when you’re providing any personal information online that the site uses encryption (look for https:// in the URL) and check to see how they are using your personal data in their privacy policy.
  8. Be aware of location services with your smartphone or tablet. Turn off the GPS on your mobile device’s camera and only allow
  9. Routinely update your social media privacy settings to ensure your profile is appropriately protected and also make sure to change your passwords on your accounts at least 3x a year.
  10. Make sure all your devices are protected with comprehensive security, like McAfee LiveSafe™ service that provides not only antivirus, anti-spyware, anti-phishing, anti-spam and a firewall, but also protects your data and identity on your PCs, Macs, smartphones and tablets.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Teens trash Million Dollar Mansion

If your home is full of valuables, why not add one more valuable: a home security system?

A mansion in La Habra Heights (California) was ransacked by 16 teenagers; they made off like bandits with over $1 million worth of property. It all began when some local teens noticed that the mansion was vacant (the homeowner was out of town). They announced a backyard party via Twitter.

The $7 million house was burglarized during the party. The teens made a party of the robbery, going as far as tweeting images of theft in progress.

Thank goodness 16 of these male and female crooks were taken into custody. Some of the stolen items have been recovered, including a stuffed snow leopard valued at $250,000, a suit of armor, statues, electronics and scuba gear. Looks like this glorious mansion did not have a security system, or if it did, it was not left on before the homeowner went out of town.

Had this home had a comprehensive security system (or at least any pre-existing one turned on), the teenagers would not have been able to gain entry without setting off ear-piercing alarms and activating a response from the local police department. The police would have been there within minutes.

In fact, a complete security system would have made it impossible for the kids to even remain outdoors and party. A complete security setup should include a deterrent to even walking onto the property, let alone hanging out on it.

However, the most elaborate security system won’t make your home look occupied. Adjuncts to an electronic security system can include:

  • A small device that generates flickering light, simulating a TV set on. Place these in several rooms whose windows are easily seen, and cruising teens or older thugs will think someone’s home.
  • Devices that turn lights on and off at timed intervals.
  • Leaving a TV or sound system on loud.
  • Having a trusted adult keep an eye on the house.
  • Hiring a trusted house sitter, preferably one with a dog that will bark when someone approaches the house.
  • The security company’s logo should be in plain sight on main doors and on all ground level windows. The company’s sign should also be staked into the ground at several points where a burglar is likely to traverse.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

McAfee Labs 2014 Predictions

As we wind down the year, it’s a time to reflect, but also to look forward. Some of us may be thinking about resolutions and what we need to do in the upcoming year—exercise more, eat better, have better work/life balance, etc. Others of us will be thinking about how we’re going to ring in the New Year.

This time of year the McAfee Labs™ team is busy looking at what the new threats are going to be and what new trends they expect to see. Today they released their 2014 Threat Predictions, and here’s what they believe will be in store for us:

Mobile Malware

While this is not new, this category of malware is growing like wildfire and McAfee Labs sees no slowdown in 2014. And besides continued growth in this category (mostly on the Android platform), they believe that some types of mobile attacks will become prevalent.

One of these growing attacks is ransomware targeting mobile devices. Once the cybercriminal has control of your device, they will hold your data “hostage” until you pay money (whether that’s conventional or virtual, like Bitcoin) to the perpetrator. But as with traditional ransomware, there’s no guarantee that you really will get your data back.

Other mobile tactics that will increase include exploiting the use of the Near Field Communications (NFC) feature (this lets consumers simply “tap and pay,” or make purchases using close-range wireless communications), now on many Android devices, to corrupt valid apps and steal data without being detected.

Virtual Currencies

While the growth of Bitcoin and other virtual currencies is helping promote economic activity, it also provides cybercriminals using ransomware attacks with a perfect system to collect money from their victims. Historically, payments made from ransomware have been subject to law enforcement actions via the payment processors, but since virtual currency is unregulated and anonymous, it is much easier for the hackers to get away with their attacks.

Attacks via Social Networking Sites

We’ve already seen the use of social networks to spread malware and phishing attacks. With the large number of users on Facebook, Twitter, Instagram and the like, the use of these sites to deliver attacks will continue to grow.

In 2014, McAfee Labs also expects to see attacks that leverage specific features of these social networking sites, like Facebook’s open graph. These features will be exploited to find out more information about your friends, location or personal info and then be used for phishing or real-world crimes.

The other form of social attacks in 2014 will be what McAfee Labs calls “false flag” attacks. These attacks trick consumers by using an “urgent” request to reset one’s password. If you fall for this, your username and password will be stolen, paving the way for collection of your personal information and friend information by the hacker.

Here are some security resolutions to help you stay safe online in 2014:

  • Strengthen your passwords: If you’re still using easy to remember passwords that include your home address and pet’s name, it’s time to get serious about creating strong passwords that are at least eight characters long, and a combination of numbers, letters and symbols. Don’t include any personal information that can be guessed by hackers.
  • Don’t open or click on suspicious emails, text or links: By simply opening an email with a piece of ransomware within it you could be leaving your devices vulnerable to hijacking.
  • Be aware when downloading apps: Since apps are the main way mobile malware is spread today, make sure to do your research before downloading any app and only download from reputable app stores.
  • Limit your use of NFC, Wi-Fi and Bluetooth: If your phone has NFC capabilities, you may be unaware of default settings. Turning this feature off, as well as turning off Bluetooth and Wi-Fi connections, will not only help you save battery life on your devices, but prevent attacks from hackers looking to exploit your wireless connections.
  • Check your bank statements and mobile charges regularly: This way, you can discover and report any suspicious charges.
  • Install comprehensive security on all your devices: With the growing amount of threats that we’re seeing, you want to make sure that all your devices (not just your PC) are protected. Consider installing security software such as McAfee LiveSafe™ service that protects your data, identity and all your devices (PCs, Macs, smartphones and tablets).

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Online Shopping Warnings and Advice

Shopping online can be just as dangerous to your security as leaving your car unlocked in the mall parking lot.

Consumer Reports notes the following:

Don’t judge a website by its cover. A malicious website can look legitimate, even though it aims to nab your personal data, even identity, or sell counterfeit products.

Others aim to lure you in “with low prices they honor only if you buy extra items, or quietly adding unexpected charges based on fine-print disclosures they know you won’t read.”

  • Look up any unfamiliar online store on bbb.org (Better Business Bureau). Check the rating, any adverse reviews and confirm its address. Search it out with keywords like “complaints.”
  • Carefully read the seller’s fine print.
  • Don’t use a debit card; use a credit card, so that the dispute process is easier.

Defective products. Read the fine print; it may say that all goods “are sold as is.” This means you won’t have the right to receive a replacement for bad merchandise.

You may be able to get a refund within 30 days of purchase, but beyond that, many sites say you must deal directly with the product’s manufacturer (you’ll need to pay for return shipping). Another problem is when the website is not an authorized dealer for the product you bought.

  • Make sure the site is an authorized dealer. Contact the manufacturer if necessary. Read the terms and conditions.
  • Be suspicious of sites that you know or believe will send you tons of spam after your purchase.
  • Understand the site’s privacy policy before giving personal data. “Many retailers let you elect to receive offers or have your info shared.” Others will automatically spam you or share your information unless you uncheck the pre-checked option boxes. “And limit the info you provide to what’s critical for completing the purchase.”

Infected computer, or your payments are disrupted.

  • Never give out credit card information unless the Internet connection is secured.
  • Don’t peruse the Web unless the computer (or smartphone) is protected.
  • Make sure the retailer’s URL begins with a “https” (the “s” is necessary) preceded by a padlock icon.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247.

Protecting Yourself from Debit Card Fraud

A thief got ahold of a woman’s debit card information and raided her bank account. This true story is described in a recent St. Louis Post-Dispatch article.

Thieves can wire money over the Internet and get the cash by showing a false ID, says the article. This kind of fraud is more common than people think. In the woman’s case, Visa detected the theft quickly and she got her money back. Many victims, though, learn they were robbed only after a check bounces.

You can’t 100 percent prevent card fraud because thieves hack into computers at banks and retailers to get card information. A clerk, even, can run your card through electronic skimmers to duplicate it. Skimmers are then swiped through ATM machines or gas pumps, ripping you off. However, there are ways you can reduce the fraud.

Don’t be phishing bait. An e-mail comes to you claiming you must make a payment and includes a link where to do this. These scam e-mails make gullible people think they’re from banks, retailers, even what seems like the IRS. The link to a phony website entices victims into typing in their bank account or credit card numbers: a done deal for the thieves.

Review bank and credit card statements promptly. Reporting something suspicious within two days means minimal liability with bank accounts. Wait too long and you may never recover your loss.

Never lose sight of your debit card. Always watch clerks swipe it. Don’t hand it to anyone else at the store.

Consider ditching the debit/credit card. Use an ATM card and a separate credit card rather than the combo.

Never give your card to anyone. This means a caregiver, nanny, dog sitter, relative—you never know what they may do.

Never give your card or account information to someone who phones you.

Never leave your checkbook around where someone can get at it. The St. Louis Post-Dispatch article reports the case of a man whose girlfriend’s heroin-addict son found his checkbook and wrote checks totaling $40,000 before he realized he’d been robbed.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.