Researchers say your Mobile Carrier’s Network isn’t all that Secure

Gee, even the tools that update your smartphone’s operating system over the air have holes that hackers can slip into.

It’s estimated that as many as two billion handsets are vulnerable, and in some instances, security patches haven’t even been released.

The Open Mobile Alliance Device Management (OMA-DM) protocol is used by around a hundred smartphone companies to release software updates and conduct network administration. And that, researchers say, is where the problem lies.

A hacker must know the handset’s distinct international mobile station equipment identity (IMEI) number, plus a secret token, to take remote control. It’s not difficult to obtain the IMEI number or the secret token of the company, thanks to lax networks and vulnerable operating system versions.

Researchers discovered they could easily upload code to a phone after following a WAP message from a base station, then proceed like a hacker would.

Another experiment showed that a fake femtocell could be used to get into BlackBerry, Android and some iOS devices by using weak security protocols. Participants turned off their smartphones and set the femtocell to its lowest power setting. The researchers still managed to pick up over 70 handsets.

They found that Android was the most vulnerable, along with BlackBerry. iOS was tougher to crack, but some devices that were run by Sprint were vulnerable.

Another flaw was that devices could be tricked into checking in with their OMA-DM servers, and the connections used HTTP instead of HTTPS.

The researchers reported that most of the manufacturers and carriers had fixed the OMA-DM systems—most, not all.

What are the network threats?

Hackers practically have the cyberworld at their fingertips, able to attack in so many ways, using so many methods, from apps to users, users to users, and various machines to machines. Hackers don’t just want to access data; they want to manipulate it.

4G refers to fourth generation network, succeeding 3G to offer the fastest speed for wireless activity. The protocol for 4G, however, is flawed, allowing for weakening of the protection for phones and their networks.

The hacker would go right for mobile networks to get simpler, wider entry points. Networks for mobile devices, thus, need to be toughened up. If a smartphone is infected, it will be able to target and scan other smartphones within its proximity (since 4G is IP based), all while the carrier has no clue.

The hacker could infiltrate a desired network, access the 4G network, then have a nice, easy launching pad for the crime.

If a hacker uses weak wireless APN connections for his activities, this forces the smartphones in use to rely upon an ongoing network connection. This will make batteries wear out faster. Furthermore, jammed-up signals may lead to denial of service.

One way to protect wireless networks is by using Hotspot Shield to override any insecurities of open free WiFi and to help protect from some of 4G’s failings.

With the fast speed that stands to come with 4G are also weak security levels and lame network structures. Users will not appreciate this price, and mobile operators will need to step quite a bit up on security tactics for keeping hackers out.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

4 Identity Protection Habits Every College Student Should Have

For some of us, fall is about to begin and the graduates of the class of 2014 are heading off to colleges across the country. It’s an exciting time—there’s a reason so many people call college the best four years of their lives. You learn so much about the world and yourself. You make lifelong friends. You are an adult without the full responsibility of being an adult.

It’s pretty easy to believe that because you are young and not in the “real world” yet that you are immune to identity theft or credit card fraud. But crime isn’t so choosy about age. College students are actually a prime target for identity thieves because of naiveté. According to University of Colorado—Boulder, only 21% of college students are concerned about identity theft. And lack of concern leads to lack of managing financial and personal data making college students vulnerable to identity theft.

Luckily, managing your identity doesn’t have to be hard. Whether you’re an incoming freshman or a graduate student, here are four simple habits to help you protect your identity.

  • Check your credit card reports monthly. Many people believe that thieves will drain their accounts. Although that certainly does happen, in many cases, thieves will only take out small increments of money over time to avoid getting caught. By checking your credit card and bank statements monthly you can catch any suspicious charges and immediately alert your bank or credit card company.
  • Regularly change your passwords. Yes, it’s much easier to have one password for all of your accounts, but if hackers discover your password, they have easy access to all of your accounts. Diversify your passwords and make it a habit to change your passwords every other month. To make this simple, you can use a password manager, like McAfee SafeKey, which comes with McAfee LiveSafe™ service. And to learn more about creating strong passwords, go to www.passwordday.org.
  • Cover the PIN pad when entering your PIN. Your PIN is the gateway to your bank account and thieves want it. This habit can protect you from skimming and video devices at automated teller machines (ATMs) or gas stations.
  • Think twice before giving out your personal information. Hint: Your fraternity or sorority does not need your identification or Social Security number. If you are shopping online, make sure the website is secure and not a fake before entering your credit card information.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Botnets Here, Botnets There, Botnets EVERYWHERE

What are these “botnets” you keep hearing about? Botnets (think roBOT + NETwork—gets you “BOTNET”) are a network of secretly compromised, run-of-the-mill home and office computers that have malicious software—controlled by a solitary hacker or cybercrime ring.

Hackers use botnets to execute a variety of cybercrimes like page rank sabotage, mass spamming, bitcoin mining, and more. The FBI says there are 18 botnet infections every second worldwide and these infiltrations pose one of the gravest online threats ever. That figure means over 500 million computers a year are infected.

Needless to say, these attacks can occur without the user knowing it. Botnets will swipe the user’s personal and financial data and can result in stolen credit cards, website crashes and even record your keystroke habits.

The FBI is trying fervently to crumble the botnet empire, as this costs billions of dollars in fallout. And botnetting is on the rise. Hackers aren’t just going after Joe Schmo’s credit cards, but top government secrets and technology.

This situation is compounded by another facet of the U.S. government using botnets to build up its power. Think NSA, with its pervasive surveillance program. NSA is assuming control over botnet-infected devices, using these for their own purposes.

NSA, in fact, has a legion of “sleeper cells,” according to the document that was leaked by Edward Snowden. These are remote-controlled computers infested with malware, and as of 2012, were on 50,000 networks.

So we have our government fighting to dismantle botnets, yet simultaneously, building up their arsenal with…botnets. So how on earth will this problem ever be mitigated?

It starts with you.

  • Pay attention if you notice that your Internet connection is unusually slow or you can’t access certain sites (and that your Internet connection is not down)
  • Make sure you have comprehensive Antivirus security installed on all your devices.
  • Be careful when giving out your email address, clicking on links and opening attachments, especially if they are from people you don’t know
  • Stay educated on the latest tactics that hackers and scammers use so that you’re aware of tricks they use
  • Keep the critical security patches for your devices’ operating systems updated.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

The Sweet Sixteen Rule

Your child is turning 16! As a parent in the US, your mind is occupied with planning the big sweet 16 party and preparing for a new driver on the road (and the crazy high insurance that goes with it). During this exciting time, there’s something else you should be thinking about—your child’s credit score.

Child identity theft is more common than we want to think it is. According to a study by Identity Theft Assistance, 1 in every 40 households with minor children has been affected by child identity theft. Thieves love this kind of identity theft because 1) it gives them a clean slate because kids don’t have a credit history, and 2) it usually takes years before the crime is discovered—and it’s a lot of time to do some extensive damage. Many kids who have had their identities stolen don’t find out until they are adults trying to buy a car, apply for a college loan, or rent a place and they are denied due to low credit scores. At that point, it could take years to undo the damage and build a respectable credit score. No parent wants that for their child!

So when your child turns the big 16, start a new tradition and check to see if your child has a credit report. If your child does have a report, check to make sure there are not any mistakes on it and also check into why he or she would have a credit report (since most wouldn’t). You’ll not only save your child tons of headaches later on, but you’ll have a head start on clearing this up before it becomes a big mess.

But the best way to fix child identity theft is to prevent it in the first place. Here are a few tips to protect your child’s identity.

  • Keep your child’s information in a private, safe place. Don’t carry your child’s Social Security card or identity card around with you and make sure their birth certificate is in a safe place, like a locked file cabinet, safe or safety deposit box.
  • Only give out your child’s personal info when necessary. Be particular who you share your child’s Social Security number or identification number with, and when in doubt, leave it blank. The little league coordinator does NOT need to have this information, and even places that you may think may need it like your doctor’s office, you should check to be sure. Remember, once the information leaves your hands, it is out of your control.
  • Shred any sensitive documents before discarding. Rule of thumb: if it has an identification number  or any personal information on it, shred it.
  • Be alert to robberies and security breaches. If your home has been broken into, make sure all documents are accounted for.
  • Be careful what you and your child share online. Make sure to teach your child the “rules of the road” for online safety and why sharing personal information online can be risky.
  • Invest in security software. Use software like McAfee’s LiveSafe™ service to protect your data and identity as well as your child’s on all your computers, smartphones and tablets.

For more information on protecting your identity, make sure to like McAfee’s Facebook page or follow us on Twitter.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Child’s Honesty nabs Robbers

A four-year-old girl witnessed two young men break into her home to commit a robbery. You’d think this would cause some kind of post-traumatic stress disorder, or at least at a minimum, nightmares.

But it looks like instead, Abby Dean of Washington, WI, will have dreams of flying around with a cape and rescuing people. That’s because her accurate description led to a confession by the thieves.

She was with her 17-year-old babysitter when it happened. The men told the girls to leave so that they could steal valuables. And they took off with computer devices and a small amount of cash.

The teenager told police that the burglars were black, and that one resembled the next-door neighbor. The cops took the neighbor away for questioning.

But Abby insisted that the crooks were white. Soon, the babysitter’s story wasn’t adding up very well. Eventually, the teen confessed that the robbers were her teen boyfriend and his buddy. The trio had plotted the crime. The stolen goods were returned. Abby stated, “They got it back because of me being the superhero.”

How do you prevent a crime like this?

  • You can’t beat security cameras. A surveillance system can alert a homeowner with a text or phone call, plus set off additional lighting or loud noises—not to mention provide a visual of the intruder.
  • Don’t worry about cost. The system will add value to your house. Furthermore, your homeowner’s insurance might give a discount if you have a solid security system.
  • Some surveillance systems allow the homeowner to watch what’s going on in real time; Dropcam is such a system.
  • The mere sight of a camera is a proven deterrent to burglaries and home invasions.

But suppose someone breaks in while you’re home and doesn’t care that cameras are on him. This is video evidence that will be extremely valuable in court.

Robert Siciliano, personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston. Disclosures.

How to Secure Your iCloud

By now you’ve heard that Jennifer Lawrence’s (and other celebs’) cellphone nude pictures were leaked out, but how in the heck did the hacker pull this off? Tech experts believe it was through the “Find My iPhone” app.

Someone anonymously posted nude photos of Jennifer Lawrence and Kate Upton to the 4Chan site, and the stars confirmed the photos were of them.

It’s possible that the hacker/s discovered a vulnerability in the Find My iPhone service. This app helps people locate missing phones via the cloud. Hackers use a “brute force” program to hack accounts. These programs make repeated guesses at random passwords for a particular username until a hit is made.

So it’s possible hackers used “iBrute” to get celebs’ passwords, and hence, the photos in their iCloud accounts.

This is only a theory, as most hacking occurs in a more straightforward manner such as:

  • a person receiving a phishing email and responding with their password
  • someone’s personal computer gets hacked and spyware is installed
  • a laptop with all kinds of data is stolen
  • the wrong person finding a lost cellphone.

Also, evidence suggests that some of the leaked photos came from devices (like Android) that won’t back up to the iCloud.

Apple is investigating the leaks, and apparently put out a security upgrade Sept. 1, to prevent a brute force service from getting passwords via Find My iPhone.

You yourself are at risk of this breach if brute force indeed was used, as long as the problem hasn’t been fixed. If someone has your username, this tactic can be used.

If you want 100 percent protection, stay off the Internet. (Yeah, right.)

Bullet proof your passwords

  • Each site/account should have a different password, no matter how many.
  • Passwords should have at least eight characters and be a mix of upper and lower case letters, numbers and symbols that can’t be found in a dictionary.
  • Use a password program such as secure password software.
  • Make sure that any password software you use can be applied on all devices.
  • A password manager will store tons of crazy and long passwords and uses a master password.
  • Consider a second layer of protection such as Yubikey. Plug your flashdrive in; touch the button and it generates a one-time password for the day. Or enter a static password that’s stored on the second slot.
  • Have a printout of the Yubikey password in case the Yubikey gets lost or stolen.
  • An alternative to a password software program, though not as secure, is to keep passwords in an encrypted Excel, Word or PDF file. Give the file a name that would be of no interest to a hacker.
  • The “key” method. Begin with a key of 5-6 characters (a capital letter, number and symbols). For example, “apple” can be @pp1E.
  • Next add the year (2014) minus 5 at the end: @pp1E9.
  • Every new year, change the password; next year it would be @pp1E10. To make this process even more secure, change the password more frequently, even every month. To make this less daunting, use a key again, like the first two letters of every new month can be inserted somewhere, so for March, it would be @pp1E9MA.
  • To create additional passwords based on this plan, add two letters to the end that pertain to the site or account. For instance, @pp1E9fb is the Facebook password.
  • Passwords become vulnerable when the internet is accessed over Wi-Fis (home, office, coffee shop, hotel, airport). Unsecured, unprotected and unencrypted connections can enable thieves to steal your personal information including usernames and passwords.

Use two-step verification.

Apple’s iCloud asks users two personal questions before allowing access. And let’s face it: We’re all wondering what Jennifer Lawrence was thinking when she decided it was a smart idea to put her nude photos into cyberspace.

Passwords seem to be the common thread in data breaches. But passwords aren’t too valuable to a hacker if they come with two-factor authentication. This is when the user must enter a unique code that only they know, and this code changes with every log-in. This would make it nearly impossible for a hacker to get in.

Go to appleid.apple.com and you’ll see a blue box on the right: “Manage Your Apple ID.” Click this, then log in with your Apple ID. To the left is a link: “Passwords and Security.” Click that. Two security questions will come up; answer them so that a new section, “Manage Your Security Settings,” comes up. Click the “Get Started” link below it. Enter your phone number and you’ll receive a code via text. If your phone isn’t available, you can set up a recovery key, which is a unique password.

All that being said, two-factor will not protect your phone’s data. Apple is lax in making this happen. What Apple’s two-factor does is protect you when you:

  • Sign in to My Apple ID to manage your account
  • Make an iTunes, App Store, or iBooks Store purchase from a new device
  • Get Apple ID related support from Apple

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

Credit Card Fraud booming

Online credit card fraud is flourishing, according to the U.S. Retail Fraud Survey 2014. One of the reasons is because online sales are ever on the increase, currently accounting for 6 percent of total sales, says the report, the most extensive of its kind. The projection is that within three years, retailers will be getting 15 percent of their sales online.

The survey was carried out between April and May of 2014, and dealt with primary research into the processes, systems and strategies that were used by 100 of the U.S.’s leading retailers, representing 126,000 stores in the U.S.

The loss prevention manager or director for each retailer went through a detailed interview. Also interviewed was the e-commerce manager or director (if the loss prevention leader wasn’t available) regarding their prevention tactics for online fraud.

The survey has a few changes this year. Only the retailers who participated can see the detailed results. Plus, the report has an anonymous portion to help with quality and availability of the most critical data. These tweaks will assist retailers with their war against fraud.

Online fraud is higher on everyone’s radar due to so many high profile hacks. In fact, the study indicates that spending on online fraud prevention has gone up by 50 percent. Though this is good news, it hardly crushes the reality that credit card fraud continues to demonize retailers, requiring detection, prevention and management.

Protect your data:

  • Maintaining updated operating systems, including critical security patches
  • Installing and running antivirus, antispyware and antiphishing software and a firewall
  • Keeping browsers updated with the latest version
  • Updating all system software, including Java and Adobe
  • Locking down wireless Internet with encryption
  • Setting up administrative rights and restricting software, such as peer-to-peer file sharing, from being installed without rights
  • Utilizing filtering that controls who has access to what kind of data
  • Utilizing Internet filters to block access to restricted sites that may allow employees or hackers to upload data to Cloud-based storage
  • Possibly disabling or removing USB ports to prevent the downloading of malicious data
  • Incorporating strict password policies
  • Encrypting files, folders and entire drives

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Burglars steal Computers, Jewelry and Puppy!

If ever there were a heartless robber, it’s the one (or two/three?) who stole a little dog named Pepper, a schnauzer-poodle mix, as part of their burglary in New Jersey.

Barbara August, the homeowner, said, “I’m devastated—I keep thinking I’m seeing her.” She wonders why the burglars didn’t just put Pepper in her crate and then do the ransacking. August also explained that the burglars got in through a back door that was not locked due to a defect.

But this story has a happy ending: A few days later August and her husband were reunited with their “schnoodle.”

Here’s how to prevent home thefts:

  1. Keep your home’s exterior well-lit, and use timers on indoor lights so nobody thinks the house is vacant.
  2. Have an alarm system, one that sets off a sound (when you’re home) and a shrieking alarm (when you’re not) whenever a door or window is opened.
  3. Lock your doors and windows! If something’s broken, waste no time getting it fixed. Hollywood likes to perpetuate the idea that burglars typically use elaborate tricks to get into a home or simply whack a window with a sledgehammer to get in. But the reality is that many just traipse right through an unlocked door or crawl through an open or unlocked window.
  4. As for burglars who get past a locked door, a solid core door will be very difficult to bust through. Use heavy deadbolts—ones that go deep into the jamb that have 3-4 inch screws. A sliding glass door can be guarded with a wooden dowel that prevents it from being opened from outside.
  5. Wooden dowels should be installed on top of windows as well. Windows should have films over the glass that prevent breaking. Top everything off with a glass-break sensor anyway.
  6. Get an alarm system AND security cameras. Today’s surveillance cameras are more affordable and easier to install than ever.
  7. Get to work now on your security system; don’t wait till you’re victimized.

Robert Siciliano, personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston. Disclosures.

SEC comes down on Breached Companies

If you’re wondering if businesses that have been targets of cybercrime have been properly handling the fallout, you have company: The U.S. Securities and Exchange Commission.

The SEC is investigating this very issue. Key questions include:

  • Did the businesses adequately protect data?
  • Were investors properly notified about the breach’s impact?

One of the companies being investigated is Target Corp.

The SEC, historically, has concentrated on giving guidance to companies regarding disclosure of data-breach risks, and the SEC has traditionally also assisted with ensuring that financial companies were well-equipped against hackers.

But the SEC doesn’t like when there seems to be incomplete disclosures of the data breaches or some kind of perceived misleading information.

For example, Target didn’t disclose its breach until the day after it was first reported—by renowned security blogger Brian Krebs.

Just how much should companies say about breaches? This is being debated among regulators, corporate attorneys and activist investors.

Nevertheless, public companies owe it to investors to inform them of material compromises that could affect the investors’ decisions to sell or buy shares. A material attack, says the SEC, includes one that makes a company greatly boost what it spends on defenses, and one in which intellectual property is stolen.

Businesses in general would rather keep silent about breaches to avoid negative fallout. At the same time, it’s not easy to come up with evidence that a business should have disclosed more about a data breach than it actually did. A stolen trade secret, even, won’t necessarily be harmful to a big company’s growth or profits. The interpretation here varies almost as much as the different kinds of cyber attacks do.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.