Spy on your Kids yes or no
/in privacy /by Robert Siciliano
It’s one thing to bust into your kid’s diary and read it, but if your kids want the privilege of engaging in the cyber world, they need to understand that parents are justified in “spying” on them. Or are they? It depends on whom you ask and how far they go in “spying” on their kids.
Frankly, it’s not spying at all, and both kids and parents should get over it. It’s called parenting. My kids are still young, but as they get older there will be hardly a thing they do online that I won’t be aware of. The internet isn’t a right; it’s a privilege for someone under age. No 13- or even 17-year-old of mine will be on it without being supervised. Same goes for passwords. I’ll have access to all of them. This may be far-reaching to some, akin to the ancient form of spying: listening in on the extension phone to a conversation between your kid and his buddy. But really, it’s simply being a parent.
Spying can also be a life saver. Kids are being bullied today like never before. And as a result, they are hurting themselves. And then there are all the illegal things they may be doing. These same acts can get them killed. In this case, knowledge is definitely power to keep your kids safe.
Parents believe, and they are right, that spying is “an invasion of privacy and a violation of trust.” If you get caught, your relationship could be sabotaged; this is true. So spy openly and honestly. Tell them. Show them. Remind them. If kids know you are watching, they are often less likely to do things they aren’t supposed to.
The element of surprise, however, may be a factor. It makes a world of difference if, from an early age, the parent establishes with their children that there will be “spying,” versus never discussing this concept with the kids, and then one day you get busted.
Don’t use the word “spy,” either. Instead say “monitor” and let your kids know
How do you balance protecting your kids and maintaining trust? Team up with your kids. Make family agreements and contracts that show transparency. This will go far in keeping a close eye on their safety and security.
Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.
Survival is about being Persistent
/in home security tips /by Robert Siciliano
“Survivor.” What comes to mind when you see or hear this word? A victim of a disease or of a perverted crime? A TV show? We’re all survivors in that every day, we do something to stay alive—life-saving things we don’t even think about as life-saving, such as eating healthy and exercising. People die every day from killing themselves with food.
Survival also may conjure up true spectacular stories of survival, like the man who cut off his arm to free himself from a boulder because he was starving to death, and the man who ate a caterpillar and lotion from a bottle because he was starving to death after getting lost in the wilderness (both men fully recovered, though one has an artificial arm).
Sometimes we get a chance to survive, like being lost in the wilderness or adrift at sea in a raft. Sometimes that chance is shorter, like being in a house that catches fire.
And sometimes you don’t get a chance to employ tactics, like the guy who’s hit in the head from behind (or even from the front), falls to the cement and the pavement shatters his skull, causing a fatal acute subdural hematoma. Of course, that’s a better way to go, perhaps, than experiencing the terrifying six minutes it takes for an airplane to take a nose dive from 35,000 feet.
You can’t do much when you’re sitting in that plane or your leg’s in that wood chipper that’s rapidly pulling you in and nobody could hear you screaming. Ouch!
However, many people die because they simply didn’t have their wits. They had the time to survive, but made the wrong choices. Sometimes, survival begins with a choice. Do you want to get into that stranger’s car just because your legs are a little tired? Will walking kill you? Probably not. But the stranger who’s offering a perfectly able-bodied, young woman a ride in perfect weather likely has something sinister up his sleeve.
So many people worry about survival in terms of things that they’re very unlikely to ever die from, such as a terrorist attack. Don’t forget that the No. 1 killers are heart disease and cancer. And believe it or not, medical errors rank right up there in the top five too.
Perhaps the greatest weapon for survival, however, is the mind. Are you a screamer or a fighter? Panic disables, but anger enables! I’m reminded of a woman who was assaulted by a tall teen boy. After struggling, she eventually got him on the ground, pinning his arms over his head and sitting on him till police arrived. She states in an article at torontosun.com: “When I get angry, I have a lot of strength. The secret to getting through something like this is, ‘Don’t panic, but think through what you’re going to do now.’ ” Love her!
Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.
Researcher says HTTPS can track You
/in Identity Theft /by Robert Siciliano
Perhaps you’ve read that “HTTPS” at the start of a website address means that the site is secure, encrypted. However, a feature of HTTPS can track you, says an article at theregister.co.uk.
HTTP is not secure. HSTS (HTTP Strict Transport Security) redirects users from HTTP to HTTPS, as a Register article quoting Carnegie Mellon University explains. The HSTS authors decided that redirecting on every single visit was a bit much, so they came up with a feature that lets browsers remember the HSTS policy of sites they have visited. I know, a LOT OF INFORMATION.
The Register article goes on to explain that this feature is a “super cookie.” If you use a redirected site, an HSTS “pin” is set. It’s unique to you and the site you visit. Sam Greenhalgh says, as quoted in the article, “Once the number is stored it could be read by other sites in the future. Reading the number just requires testing if requests for the same web addresses are redirected or not.”
The browsing modes of incognito or private have no effect, continues the article. IE doesn’t support HSTS, but Chrome, Firefox and Opera browsers permit HSTS flags to be cleared.
Safari is a different story, says Greenhalgh. The article quotes him: “When using Safari on an Apple device there appears to be no way that HSTS flags can be cleared by the user. HSTS flags are even synced with the iCloud service so they will be restored if the device is wiped. In this case the device can effectively be ‘branded’ with an indelible tracking value that you have no way of removing.”
Think of all of this as a kind of fingerprinting of the user: you. A crook who runs a malicious site is capable of exploiting this feature. However, Google has reported to Greenhalgh that it’s “not practical” to “defeat such fingerprinting.” It’s not practical getting hacked either.
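How the pattern of HSTS pins becomes an identifier, and why the option to clear HSTS flags matters, as an added simulation. This is not code from the article or from Greenhalgh’s demonstration: the eight `b0..b7.tracker.example` subdomains, the eight-bit id and the in-memory store are assumptions, and nothing here touches the network.

```python
"""Model of the HSTS 'super cookie' described above and of the clearing mitigation.

Added example, not code from the article or from Sam Greenhalgh's research. It
simulates a browser's HSTS store in memory and a hypothetical tracking site that
controls eight subdomains (b0..b7.tracker.example); nothing touches the network.
"""
import time


def parse_max_age(header_value):
    """Return the max-age (seconds) from a Strict-Transport-Security header value."""
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return None


class HstsStore:
    """Simplified browser HSTS cache: host -> time at which the pin expires."""

    def __init__(self):
        self.pins = {}

    def remember(self, host, max_age):
        self.pins[host] = time.time() + max_age

    def upgrades(self, host):
        """True if the browser would go straight to https:// for this host."""
        expiry = self.pins.get(host)
        return expiry is not None and expiry > time.time()

    def clear(self):
        """What 'clearing HSTS flags' in Chrome, Firefox or Opera amounts to."""
        self.pins.clear()


# Hypothetical subdomains, one per bit of the tracking number.
TRACKER_HOSTS = [f"b{i}.tracker.example" for i in range(8)]


def tracker_response(host, user_id):
    """Hypothetical tracker backend: answers with an HSTS header only on the
    subdomains whose bit in user_id is 1, so the pattern of pins encodes the id."""
    bit = TRACKER_HOSTS.index(host)
    if (user_id >> bit) & 1:
        return "max-age=31536000"
    return None


def first_visit(store, user_id):
    """On the first HTTPS visit the page loads every subdomain once; the
    browser stores a pin for each one that answered with an HSTS header."""
    for host in TRACKER_HOSTS:
        header = tracker_response(host, user_id)
        if header is not None:
            store.remember(host, parse_max_age(header))


def read_id(store):
    """On a later visit, any page can recover the number by requesting
    http://host/ on each subdomain and seeing which requests get upgraded."""
    return sum(1 << i for i, host in enumerate(TRACKER_HOSTS) if store.upgrades(host))


if __name__ == "__main__":
    store = HstsStore()
    first_visit(store, 178)
    print("recovered id:", read_id(store))            # 178 survives across sessions
    store.clear()
    print("after clearing HSTS flags:", read_id(store))  # 0: the identifier is gone
```

The point of the simulation is the last two lines: the identifier is not a cookie, so cookie controls do not touch it, but emptying the HSTS store (the option the article says Chrome, Firefox and Opera offer and Safari does not) removes it completely.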
Protect your privacy:
- Don’t send any sensitive information when connecting over public Wi-Fi (e.g. don’t do banking or shop online)
- Use private browsing mode on your Internet browser or at least turn off your browser cookies.
- Never reply to spam or unknown messages, whether by email, text, IM or social networking posts from people you don’t know—especially if it’s for an offer that sounds too good to be true.
- Only friend or connect with people online you know in real life.
- Make sure when you’re providing any personal information online that the site uses encryption (look for https:// in the URL) and check to see how they are using your personal data in their privacy policy.
- Be aware of location services with your smartphone or tablet. Turn off the GPS on your mobile device’s camera and only allow
Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.
What is ATM Skimming?
/in ATM scams, ATM Skimmer /by Robert Siciliano
Ever hear of a crime called skimming? It may not be as dramatic a crime as assault or a Ponzi scheme, but it can cause you significant problems, as your savings account can be wiped out in a flash.
Picture a scrawny nerd tampering with an automated teller machine (ATM)—the machine you use with your debit card to get cash. The thief places a device over the slot through which you slide your debit card. You have no idea it’s there. You swipe your card, and the device “skims” or reads your card’s information. In the middle of the night, the thief creeps back, removes the skimming device, downloads your data, burns it to a blank ATM card, makes a fat withdrawal and goes home with the loot. Or they could download your information from the skimmer and then use your information to make online purchases or access your account. Either way, they could clean you out before you wake up next morning!
Now, to be successful, the criminal not only needs a skimming device, they also need to attach a tiny wireless camera to capture your PIN. These cameras are usually concealed in the lighting fixture above the keypad, in a brochure near the machine, or attached directly to the ATM.
To protect yourself from being skimmed, and generally staying safe when using your debit or credit cards, follow these tips:
- Scrutinize the ATM. This means every ATM, even ones from your bank. You also want to check any card sliders, like the ones at gas stations, etc., especially if you’re using your debit card. If the scanner does not match the color and style of the machine, it might be a skimmer. You should also “shake” the card scanner to see if it feels like there’s something attached to the card reader on the ATM.
- Cover the keypad when entering your PIN. In order to access your bank accounts, thieves need to have your card number and your PIN. By covering the keypad, you prevent cameras and onlookers from seeing your PIN.
- Check your bank and credit card statements often. If someone does get your information, you have 60 days to report any fraudulent charges to your credit card company in order not to be charged. For a debit card, you only have about 2 days to report any suspicious activity.
- Be choosy. Don’t use general ATMs at bars or restaurants. These are not usually monitored and therefore, can be easily tampered with by anyone.
Stay safe from skimming!
Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.
Don’t Believe These 6 Mobile Security Myths
/in mobile phone security /by Robert Siciliano
Smartphones are picking up popularity. You can now access email, social media, and other things from a device that fits in your pocket (most of the time). And, although we hear about breaches and security flaws in the news, it seems like a lot of us don’t think it applies to our mobile device. Here are some of the most common mobile security myths.
- “Antivirus protection isn’t worth it for a smartphone.” Just because this device fits in the palm of your hand doesn’t mean it’s not worthy of as much protection as your computer. It should have comprehensive security that includes antivirus, anti-malware and anti-spyware. Think of how often and indiscriminately you use that little thing, even while you’re in between bench press sets or stuck in line somewhere. The more you use it, the more important protecting the information on it becomes.
- “If I lose my phone I’ll just call it to find it.” A better way to locate it is to use an app with global positioning system (GPS), like McAfee® Mobile Security. With GPS, you can see the location of your device on a map, much easier than trying to hear your ringtone.
- “Smartphones don’t get phishing scams.” Actually, phishing scams can occur via text (also known as SMiShing) and social media apps. Plus, the mobile device’s smaller screen makes it harder to detect suspicious links.
- “Apps for my phone are safe if they’re from trusted brands.” Fraudsters can easily make a malicious app look safe, and such an app can even find its way into a reputable app store. McAfee Labs™ found that over 80% of Android apps track you and collect your personal information. Apps are also the main way that malware can be downloaded to your smartphone or tablet.
- “As long as my phone has PIN protection, it’s fine to have apps automatically log into my accounts.” A PIN is incomplete protection because hackers may guess the PIN code or use software to nail the four-digit sequence. You’d be surprised how many people’s PINs are 1234 or 2222. Even if you have a longer PIN or passcode on your device, it’s good practice to not have your apps automatically log you in, even though this may be convenient. You don’t want something to be able to easily access your bank accounts or post random messages on your social accounts.
- “SMS adds protection.” The short message service does not provide protection or monitoring of any kind. This means that text messaging is not secure and, in fact, it’s often subject to spam.
Keep your mobile device safe with McAfee® Mobile Security, available on both Android and Apple devices. The Android version includes antivirus and anti-malware software, an app manager, anti-theft features, and web protection. The Apple version includes Secure Vault to protect your pictures and videos from prying eyes.
Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.
Can Hackers Use FraudFox VM to Defeat Your Fraud Prevention?
/in fraud, fraud alert, fraud prevention /by Robert Siciliano
In the last few days, a number of tech magazines like Computerworld and PC Advisor have reported that FraudFox VM poses a threat to the security of online businesses—especially banks and payment services.
FraudFox VM is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware’s Workstation for Windows or VMware Fusion on OSX. It’s for sale on Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or about $390.
FraudFox VM was created to defeat device recognition, or fingerprinting, which is used in fraud prevention to assess the risk of a device connecting to a business. Web browsers are used to collect data like operating system version, time zone and IP address. Each of these characteristics can be used to assess risk and uncover possible fraud.
So how worried should your business—and customers—be about this new software? I sat down with Scott Waddell the Chief Technology Officer of iovation, the fraud prevention experts, to find out what the reality is behind the media headlines.
- How reliant are banks and financial institutions on this kind of technology to stop fraudulent transactions these days? Is fingerprinting used more for mobile than on desktop?
Banks leverage device reputation solutions with great success in both fraud mitigation and risk-based authentication strategies. Of course, good security is all about layered defenses, so smart banks use these tools as part of a defense-in-depth strategy to avoid over-reliance on any one security technology. Device recognition is used on all Internet connected devices these days, mobile and desktop alike. Mobile transactions are the fastest growing segment being protected with these tools, but the majority still originate from desktop operating systems.
- Do you think this would be an effective method for cybercriminals to get around those defenses?
FraudFox VM may be interesting for its purpose-built virtual machine packaging, but there’s really nothing new in the approach. Tools have been available to fraudsters for years to facilitate changing device parameters, manipulating JavaScript, blocking data collection, obscuring IP address and location, and so on. Many of these capabilities have even migrated into easy-to-use settings in the major web browsers to make testing easier for web developers. Device reputation solutions have evolved along with such tools and continue to provide great uplift in fraud catch in spite of them. From the reported attributes that FraudFox can change, it would be unable to evade native recognition tools (those embedded in native desktop apps) and it would stumble over transactional similarity scoring on the web that considers more device attributes along with tagged recognition. So the tendency at financial institutions would be to trigger step-up authentication to one-time passwords through out-of-band channels (SMS, mobile app, voice) that FraudFox could not intercept.
- Is it possible to fake browser fingerprints manually or using other tools? Does this thing look like a good consolidation of other tools that people might use to defeat fingerprinting?
As previously mentioned, there are other tools and techniques fraudsters use to evade recognition or to try to mimic the devices of their victims. These often stand out from actual browsers in ways that defeat their intended purpose. A couple years ago, the Gozi Prinimalka trojan attempted to duplicate device attributes of compromised systems much as FraudFox VM aims to do. However, its limitations made it ineffective against modern device reputation offerings that evaluate risk and reputation through multiple strategies including link analysis, profiling techniques, velocity rules, proxy and Tor unmasking, device attribute anomalies, and more. FraudFox VM seems to be relatively limited in its capabilities considering the variety of techniques sophisticated fraud mitigation tools bring to bear.
- Any other thoughts?
It’s certainly interesting to see tools like this for sale on Evolution, which appears to be catering to fraudsters and identity thieves. All the more reason for online businesses to take advantage of collaborative technologies that bring the power of community to the fight against the increasingly organized economy of cybercrime.
Fraudsters will always look for new ways to commit cybercrimes. However, a strategic, multi-layered approach to fraud prevention is the best defense.
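The two defensive mechanisms the interview names, similarity scoring over several device attributes and a velocity rule, both ending in step-up to an out-of-band one-time password, as an added toy example. This is not iovation’s code or scoring: the attribute names, the weights, the 0.7 threshold, the three-accounts-per-device limit and the sample devices are all assumptions chosen for illustration.

```python
"""Toy device-reputation check: similarity scoring plus a velocity rule, with
step-up to an out-of-band one-time password when either trips.

Added example, not iovation's product or algorithm. Attribute names, weights,
the 0.7 threshold and the three-accounts-per-device limit are assumptions.
"""
from collections import defaultdict

# Weights sum to 1.0: a full match scores 1.0, a device with only the OS
# changed scores 0.75, a device altered on several attributes scores low.
WEIGHTS = {"os": 0.25, "browser": 0.20, "time_zone": 0.20,
           "ip_prefix": 0.15, "screen": 0.10, "language": 0.10}


def normalize(raw):
    """Keep only the scored attributes; reduce the IP to its first three octets
    so a new address on the same network still counts as a partial match."""
    attrs = {k: raw.get(k) for k in WEIGHTS if k != "ip_prefix"}
    attrs["ip_prefix"] = ".".join(raw.get("ip", "").split(".")[:3])
    return attrs


def similarity(known, seen):
    """Weighted share of attributes that match exactly, 0.0..1.0."""
    return round(sum(w for k, w in WEIGHTS.items() if known.get(k) == seen.get(k)), 2)


class RiskEngine:
    def __init__(self, threshold=0.7, max_accounts_per_device=3):
        self.threshold = threshold
        self.max_accounts = max_accounts_per_device
        self.known = defaultdict(list)            # account -> enrolled devices
        self.device_accounts = defaultdict(set)   # device key -> accounts seen on it

    def evaluate(self, account, raw):
        """Return ("allow", why) or ("step_up", why) for one login attempt."""
        seen = normalize(raw)
        key = tuple(sorted(seen.items()))
        self.device_accounts[key].add(account)
        # Velocity rule: one device logging into many accounts is a fraud
        # signal no matter how well its attributes match.
        if len(self.device_accounts[key]) > self.max_accounts:
            return "step_up", "velocity: device tied to %d accounts" % len(self.device_accounts[key])
        best = max((similarity(d, seen) for d in self.known[account]), default=0.0)
        if best >= self.threshold:
            return "allow", "similarity %.2f" % best
        return "step_up", "similarity %.2f below %.2f" % (best, self.threshold)

    def enroll(self, account, raw):
        """Call after the user passes the out-of-band one-time password."""
        self.known[account].append(normalize(raw))


# Constructed sample attributes (RFC 5737 documentation addresses).
KNOWN_DEVICE = {"os": "Windows 7", "browser": "Firefox 35", "time_zone": "America/New_York",
                "ip": "203.0.113.10", "screen": "1920x1080", "language": "en-US"}
ALTERED_DEVICE = dict(KNOWN_DEVICE, os="Windows 8.1", time_zone="Europe/Berlin", ip="198.51.100.7")


if __name__ == "__main__":
    engine = RiskEngine()
    print(engine.evaluate("alice", KNOWN_DEVICE))     # step_up: nothing enrolled yet
    engine.enroll("alice", KNOWN_DEVICE)
    print(engine.evaluate("alice", KNOWN_DEVICE))     # allow, similarity 1.00
    print(engine.evaluate("alice", ALTERED_DEVICE))   # step_up, similarity 0.40
```

Changing three attributes at once drops the score well under the threshold, which is the “stumble over transactional similarity scoring” effect Waddell describes; a single attribute change (an OS upgrade) still passes, so legitimate users are not challenged on every update.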
If You use these Passwords, You will get hacked
/in passwords /by Robert Siciliano
Have you heard of iDict? It’s a tool that hackers can use to get passwords via what’s called brute force attacks. It’s designed to crack into iCloud’s passwords, and supposedly it can circumvent Apple’s anti-brute force attack security.
But iDict doesn’t have as big a bite as you might think. iDict is no match for a long, strong password. But if you have a password that’s commonly used (yes, hundreds of people may have your exact password; you’re not as original as you think), then it will be a field day for iDict.
Some examples of passwords that iDict will easily snatch are:
password1, p@ssw0rd, passw0rd, pa55word—let me stop here for a moment. What goes on in the heads of people who use a variation of the word “password” as a password? I’m sure that “pa$$word” is on this list too.
And here are more: Princess1, Michael1, Jessica1, Michelle1 (do you see a pattern here?) and also John3:16, abc123ABC and 12qw!@QW. Another recently popular password is Blink182, named after a band.
Change your password immediately if it’s on this list or any larger list you may come upon. And don’t change it to “passwerdd” or “Metallica1” or a common name with a number after it. Come on, put a little passion into creating a password. Be creative. Make up a name and include different symbols.
For additional security, use two-factor authentication when possible for your accounts.
Though iCloud has had some patch-up work since the breach involving naked photos of celebrities (Don’t want your nude pictures leaking out? Don’t put ’em in cyberspace!), iCloud still has vulnerabilities.
And hackers know that and will use iDict. If your password isn’t on the top 500 list from github.com, but you wonder if it’s strong enough, change it. If it has a keyboard sequence or word that can be found in a dictionary, change it. If it’s all letters, change it. If it’s all numbers, change it.
Make it loooooong. Make it unintelligible. Dazzle it up with various symbols like $, @, % and &. Make it take two million years for a hacker’s automated password cracking tools to stumble upon it.
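The rules in this post, turned into a reusable check a reader can run against a candidate password, as an added example that is not code from the article. The common-password set is a small constructed list seeded with the examples above (a real check would load the full top-500 list the post refers to), the dictionary is a tiny constructed stand-in for a real word list, and the cracking rate used for the time estimate is an assumption.

```python
"""Checks that turn the password advice above into a reusable test.

Added example, not code from the article. COMMON_PASSWORDS is a small
constructed set seeded with the post's examples; DICTIONARY is a tiny
constructed stand-in for a real word list; GUESSES_PER_SECOND is assumed.
"""
import string

COMMON_PASSWORDS = {
    "password1", "p@ssw0rd", "passw0rd", "pa55word", "pa$$word", "princess1",
    "michael1", "jessica1", "michelle1", "john3:16", "abc123abc", "12qw!@qw",
    "blink182", "passwerdd", "metallica1",
}
DICTIONARY = {"password", "princess", "michael", "jessica", "michelle",
              "metallica", "dragon", "monkey", "letmein"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate for the estimate


def has_keyboard_sequence(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            segment = row[i:i + run]
            if segment in low or segment[::-1] in low:
                return True
    return False


def has_dictionary_word(pw, min_len=4):
    """Strip digits and symbols first so 'Michael1' still matches 'michael'."""
    letters = "".join(c for c in pw.lower() if c.isalpha())
    return any(word in letters for word in DICTIONARY if len(word) >= min_len)


def weakness_reasons(pw):
    """Every rule from the post that the password trips; an empty list means it passed."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if has_keyboard_sequence(pw):
        reasons.append("contains a keyboard sequence")
    if has_dictionary_word(pw):
        reasons.append("contains a dictionary word")
    if pw.isalpha():
        reasons.append("all letters")
    if pw.isdigit():
        reasons.append("all numbers")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


def guesses_needed(pw):
    """Worst-case guesses for a random password built from the character classes used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size ** len(pw)


def years_to_crack(pw):
    """Years for an attacker at GUESSES_PER_SECOND to exhaust the space; a list hit is instant."""
    return guesses_needed(pw) / GUESSES_PER_SECOND / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("password1", "Metallica1", "qwerty123456", "Vx7#kPq2!mZr9$Lw"):
        print(candidate, weakness_reasons(candidate) or "ok", "%.3g years" % years_to_crack(candidate))
```

Note that the time estimate only means something once the list and dictionary checks pass: a password on a common list falls to a dictionary attack in seconds regardless of the character classes it uses, which is the point the post makes about iDict.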
Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.
Feds warn of more Online Predators
/in online predators /by Robert Siciliano
What goes on in the home life of a 14-year-old girl such that she feels there’s nothing better to do than send nude photos of herself to a man whom she’s been corresponding with online? Though this goes well beyond the parents not bothering to find out what their kids do online, another huge issue is the proliferation of online predators.
And for parents who DO care enough to monitor their kids’ cyber activities, here’s some unsettling news: A 2013 survey called Digital Deception: Exploring the Online Disconnect between Parents and Kids revealed that 69 percent of the young respondents reported they knew how to conceal their online activities from their parents. The study also showed that 80 percent of the parent-respondents said they wouldn’t even know how to figure out what their kids’ online activities were. Conclusion: Parents are clueless.
This makes it easier for predators to find victims. There’s the case of a girl who, at age 13, sent an image of herself to a 26-year-old man who for the next five years cyber-harassed her, demanding more images. The girl was driven to two suicide attempts and finally alerted authorities, who found him.
Another predator, who turned out to be a 50-year-old man, tricked a 15-year-old into sending him photos. They do this by sending photos of cute younger boys around the same age as their female victims. Parents need to have an ongoing dialog with their kids that this is going on every day somewhere and “it can happen to you too.”
These acts can often be prevented, which once again brings to mind what kind of parenting or lack of parenting is going on. Though parents can’t monitor their kids’ activities every second, something has to be said about why a young person’s life would be so empty that they end up sending out nude photos of themselves—even if the victim thinks the recipient is the same age!
What Parents Should Do
- Educate kids about online predators
- Educate yourself about online predators
- Warn kids about never sending images into cyber space
- Make sure kids understand that they will never be shamed for reporting a perilous situation
- Tell kids that no matter how aggressive or threatening a cyber predator seems to be, they ultimately don’t have that much power; they’re ground meat once the authorities find them.
- The less time kids spend tinkering around on the Internet, the less likely they’ll meet up with a predator. Get your kids involved in confidence-building activities that develop independent thinking skills and assertiveness.
Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.
Fingerprint hacked by a Photo
/in biometric /by Robert Siciliano
You can’t change your fingerprint like you can change your password. But why would you want to change your fingerprint? The thought might cross your mind if your fingerprint gets stolen.
How the heck can this happen? Ask Starbug. He’s a hacker who demonstrated just how this could happen at an annual meeting of hackers called the Chaos Communication Congress, says an article at thegardian.com. His “victim” was defense minister Ursula von der Leyen.
Starbug (real name Jan Krissler) used VeriFinger, a commercial software package, with several photos of von der Leyen’s hands taken at close range. One of the photos he took himself; another was from a publication.
And this gets more fun, total and complete James Bond stuff: The conference showed that “corneal keylogging” can happen. Reflections in the user’s eyes occur as they type. Photos of these reflections can be analyzed to figure out what they typed. This is another lovely gateway to getting passwords.
But back to the fingerprint thing. In 2013, says The Guardian article, Starbug took a fingertip smudge from a smartphone, and using a few clever techniques, printed an imposter finger. He used the fake thumb to get into the phone. This shows it’s possible to crack into a mobile device with a stolen fingerprint—obtained without even having to be near the victim.
Biometrics is a groundbreaking advance in security, and it was just a matter of time before hackers would figure out a way to weaken it. All is not lost. Hacks like this aren’t easy to accomplish, and there’s always multi-factor authentication available as another layer of protection.
Biometrics can certainly be a replacement for passwords, but again should include a second factor of authentication. Passwords are secrets, stored inside people’s heads (ideally, rather than written on hardcopy that someone could get ahold of), but biometric features, such as fingerprints, photos and voice IDs, are out there for all to perceive. Though it’s hard to imagine how a hacker could figure out a way to fool voice recognition software, don’t count this out.
Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.