Don’ts and Do’s when using Public Wi-Fi

Curl up in a chair at your favorite coffee house, the aroma of premium coffee filling the air, take a few sips of your 700-calorie latte, and then enter cyberspace. Little do you know that you could have a stalker. Or two. Or 3,000. Because public Wi-Fi is there for the picking for hackers. Online transmissions can be intercepted. The credit card number that you enter onto that retailer’s site can be “seen.”

Don’t Do These at a Public Wi-Fi Site

  • Never leave your spot without your device on you—not even for a moment. You may come back and still see your computer where you left it…but a thief may have installed a keylogger into it to capture your keystrokes.
  • Do not e-mail messages of a sensitive or serious nature.
  • When your computer begins seeking out a network to connect to…do not let it just drift to the first one it wants; see if you can choose one.
  • Don’t leave file sharing turned on.
  • If you’re not using your wireless card, then do not leave it on.
  • Don’t do banking or any other sensitive activities.
  • Don’t position your device so that someone nearby can see the screen.

Yes, Do These when at a Public Wi-Fi Spot

  • Look around before you settle into a nice spot.
  • Sit somewhere so that your back is facing a wall.
  • Assume all Wi-Fi links are suspicious—kind of like assuming all drivers are drunk whenever you go out driving. A wireless link may have been set up by a hacker.
  • See if you can confirm that a given Wi-Fi link is legitimate.
  • If a connection name is similar to the venue’s, don’t assume it’s the genuine one; it may just mean the hacker was clever. Inquire of the manager of the coffee shop, hotel, etc., for information about their Wi-Fi access point.
  • You should consider using your cell phone for sensitive activities such as online shopping.
  • But cell phone or not, see if you can avoid visiting sites that can make it easier for hackers to nab your data—sites such as banking, social media and any site where your credit card information is stored.
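The two “Do” items about confirming that a Wi-Fi link is legitimate and treating similar-looking names with suspicion can be turned into a simple check. The following Python script is an added example, not part of the original article; the venue, SSIDs and BSSIDs are constructed, and the check generalizes the advice to duplicated names, near-misspellings and unencrypted networks.

```python
"""Flag lookalike or duplicated networks in a Wi-Fi scan.

Added example for the "confirm the Wi-Fi link is legitimate" advice; it is
not from the original article.  Venue, SSIDs and BSSIDs are constructed.
"""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str       # advertised network name
    bssid: str      # access point hardware (MAC) address
    security: str   # "open", "wpa2", "wpa3", ...


def normalize(ssid: str) -> str:
    """Collapse case, spaces and punctuation so 'Cafe_Free' == 'cafe free'."""
    return re.sub(r"[\s_\-.]+", "", ssid.casefold())


def similarity(a: str, b: str) -> float:
    """Name similarity in 0.0..1.0 after normalization."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def assess(scan: list[Network], confirmed: Network,
           threshold: float = 0.8) -> dict[str, list[str]]:
    """Compare every scanned network with the one the venue staff confirmed.

    Returns {"ssid (bssid)": [reasons]} for networks worth avoiding or asking
    about; networks unrelated to the venue's name are not listed.  A venue
    with several access points legitimately shows the same SSID under several
    BSSIDs, so "different access point" means "ask staff", not "proven hostile".
    """
    findings: dict[str, list[str]] = {}
    for net in scan:
        reasons: list[str] = []
        if net.bssid.casefold() == confirmed.bssid.casefold():
            if net.ssid != confirmed.ssid:
                reasons.append("confirmed access point is advertising a different name")
        elif net.ssid == confirmed.ssid:
            reasons.append("same name as the confirmed network, different access point")
        elif similarity(net.ssid, confirmed.ssid) >= threshold:
            reasons.append("name closely resembles the confirmed network")
        if reasons and net.security == "open":
            reasons.append("no encryption: anyone in range can read the traffic")
        if reasons:
            findings[f"{net.ssid} ({net.bssid})"] = reasons
    return findings


# Constructed scan results standing in for what the OS shows at a coffee shop.
CONFIRMED = Network("CoffeeHouse Guest", "aa:bb:cc:00:00:01", "wpa2")
SCAN = [
    CONFIRMED,
    Network("CoffeeHouse_Guest", "de:ad:be:ef:00:01", "open"),   # lookalike
    Network("CoffeHouse Guest", "de:ad:be:ef:00:02", "open"),    # typo of the name
    Network("CoffeeHouse Guest", "aa:bb:cc:00:00:02", "wpa2"),   # second AP, or not?
    Network("xfinitywifi", "11:22:33:44:55:66", "open"),         # unrelated
]

if __name__ == "__main__":
    for name, reasons in assess(SCAN, CONFIRMED).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```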

Use a VPN. This stands for virtual private network. What a VPN does is create an impervious tunnel through which your data travels. Hackers cannot penetrate this tunnel, nor can they “see” through it. Your data is safe. The tunnel encrypts all of your banking and other sensitive transactions, as well as sensitive e-mail communications, plus downloads, you name it. With a virtual private network, you will not have to worry about a thief or snoop intercepting your transmissions.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Very Bad People for hire online

The Deep Web is not a nice place. Here, people can hire assassins, take ransomware payments, purchase U.S. citizenship without revealing their identity, among other things, says an article on darkreading.com.

This information comes from Trend Micro, which used a tool called the “Deep Web analyzer,” something of a web crawler, that collected URLs linked to TOR- and I2P-hidden sites, domains with nonstandard TLDs and Freenet resource identifiers, says darkreading.com.

The Deep Web is that portion of cyberspace that’s not indexed by the search engines. The Dark Web is part of the bigger Deep Web, accessible only via special tools.

A Dark Web user could literally hire a rapist or assassin. In fact, assassins even advertise, such as the group C’thulhu. Pay them their fee and they’ll maim, cripple, bomb and kill for you.

$3,000 will get you a “simple beating” to a “low-rank” target. $300,000 pays for the killing of a high-ranking political figure, staged to look like an accident.

Users can also hire (and do so much more commonly than the above) cybercriminals and child exploitation services.

The article points to additional research on the Deep Web showing that cybercrooks use anonymization tools in creative ways. In fact, they are using TOR to host their command-and-control infrastructure. TorrentLocker is a type of malware, and it uses TOR to accept Bitcoin payments and host payment sites.

In other words, cybercriminals are using the Deep Web/Dark Web more and more commonly these days. TOR is being used by cybercriminals to receive payments for their hacking services.

But that’s not the biggest problem of the deep, dark Web, is it? As mentioned, it can be used to hire someone to murder. Just what will all of this eventually evolve into in the next 10 years?

Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Meet the FBI’s most wanted Hackers

Want to earn up to $4.2 million? Then find the hackers on the FBI’s most wanted list. Or at least give the FBI information leading to their arrest and/or conviction. These snakes have stolen hundreds of millions of dollars. Here is the list from the hackernews.com:

Evgeniy Mikhailovich Bogachev (reward: $3 million)

  • Ironically, one of his aliases is one of the most common (and thus easily cracked) passwords: lucky12345.
  • He’s the brains behind the GameOver Zeus botnet and CryptoLocker Ransomware.
  • Over a million computers were infected with this malware, causing nearly $100 million in losses.

Nicolae Popescu (reward: $1 million)

  • From Romania, Popescu tricked Americans with fraudulent auction posts on various websites.
  • AutoTrader.com, Cars.com and eBay were some of these sites.
  • He was selling cars that didn’t exist. (Please, people, never, ever send money for something as grand as a car unless you have proof it exists—which includes actually test driving it!)
  • Hundreds of people sent money without ever seeing more than an ad for the cars. If you think that’s bad, it gets worse: Some of the victims handed over their money for private planes and yachts! Nearly 800 people didn’t have on their thinking caps, but this doesn’t make Popescu’s deed any less obscene.

Alexsey Belan (reward: $100,000)

  • Belan breached the cybersecurity systems of three big U.S.-based e-commerce sites.
  • He then tried to sell all of these stolen databases, which included passwords.

Peteris Sahurovs (reward: $50,000)

  • His crime involved creating and selling malware by putting ads up on various websites.
  • These advertisements forced users to buy the phony antivirus software that the ads pitched.
  • If the user declined the purchase, their desktop would be bombarded with phony security alerts and pop-ups.
  • This crook from Latvia collected over $2 million with the scheme.

Shailesh Kumar Jain (reward: $50,000)

  • Despite the name, Jain is a U.S. citizen.
  • He scored $100 million in less than two years.
  • He should have quit while he was ahead (maybe after the first $10 mil?), but he just couldn’t earn enough, so he kept hacking away at unsuspecting Internet users.

With fraudulent e-mails and pop-up ads, he tricked users into thinking their computers were infected with malware, and then sold them his fake antivirus software packages for $30 to $70. Do the math: Can you imagine how many people got rooked?

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Want Mobile Privacy? Read

If you don’t want your smartphone to know more about you than you do, here are top choices, as detailed on gizmodo.com:

BlackPhone 2

  • The Blackphone 2 will black out the federal government from spying on you.
  • Has a five inch handset with full HD screen (with Gorilla Glass 3 that prevents shoulder surfing).
  • 3 GB of RAM
  • Silent Circle’s PrivateOS 1.1 provides a “Spaces” UI: Data will be encrypted and compartmentalized.
  • The “Spaces” allow you to set up distinct spaces for different types of data, including a Silent Space that’s akin to Chrome’s incognito mode.
  • The Silent Suite allows you to keep various kinds of communications encrypted.
  • Also provides a Silent Store for apps.

Nokia 3310

  • This outdated “dumb phone” might still be available out there, somewhere.
  • The dumb phone is not capable of transmitting data through cyberspace. Thus, you don’t ever have to worry about being “followed,” “tracked” or hacked into.
  • If you’re comfortable not being connected to the Internet of Things, this phone is for you—if you can find one.

Payphones

  • If you want to pretty much guarantee that you’ll be untraceable, then use payphones.
  • Locate the payphones in your town and anywhere you normally travel, so that when it’s time to make a call, you won’t be spending time hunting for the phone.
  • Always have change on you, too.
  • To be even more non-traceable, always have in your car a thin pair of gloves to prevent your fingerprints from being on the phone.

Honorable Mention: Apple iPhone/Microsoft Lumia 930/Google Nexus 5

  • Apple, Microsoft and Google are no crazier about government surveillance programs than you are.
  • Nevertheless, their phones gather data—but at least it goes to the maker of these devices rather than to the government.
  • The manufacturers analyze the data in the name of giving the user a better experience with the product.

Let’s also throw in the landline. Your calls can be traced, but at least data about you like your shopping preferences, health, income, marital status, etc., won’t go leaking out anywhere.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

What’s the difference between VPNs and Proxies and which Option is more secure?

If you are overseas somewhere and want to access your Facebook page…don’t be surprised if you can’t do this. In fact, you won’t even be able to get onto the Facebook site (or YouTube, for that matter), depending on what country that you are visiting. This is because some countries limit website access for their citizens.

You can get around this with a VPN (virtual private network) or proxy server. However, they are not one and the same. Let’s look at the features of each.

VPN

  • A VPN does the so-called scrambling or encryption of data so that hackers can’t tell what you are doing. To put this another way, a VPN provides a “tunnel” through which your data goes. This tunnel cannot be penetrated. Your transmissions are hidden, unable to be viewed.
  • This protected data includes e-mail communications, login information, instant messages, which sites you visit, downloads and more.
  • A VPN is private communication over a public network and can be used on all types of devices.
  • A VPN will alter your IP address, making it seem that you are using your computer somewhere other than the country that prohibits access to Facebook. You can navigate Facebook with ease while visiting that country.

Proxy Server

  • This makes the user anonymous. The proxy server does the job of anonymizing. The server of the site you want to visit receives requests from this anonymous server. As a result, even if you are in that country that bans Facebook access, it will have no idea where you are located. Hence, you can get on Facebook.
  • Your data, transmissions, etc., however, are not hidden by any tunnel or scrambled (encrypted).
  • Therefore, with the proxy server, even though you can spend hours on Facebook or YouTube in that foreign country…any transmissions or activities you conduct can be intercepted by a hacker if you are using public Wi-Fi.

Now if you have a VPN with the proxy server, this solves that problem. Nobody will be able to snoop or steal data like your credit card information when you shop online.

However, there is no point in having both, when one can do the entire job: the virtual private network. Think of a VPN as having a built-in proxy server.
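As an added illustration (not from the original articles) of the difference drawn above, and of the Wi-Fi article’s VPN advice, this Python model shows what a Wi-Fi eavesdropper and the destination site each see when the same shopping request goes through a plain proxy and through a VPN. The addresses, the request and the toy tunnel cipher are constructed stand-ins for a real proxy, VPN protocol and site.

```python
"""What a Wi-Fi eavesdropper and the destination site see: proxy vs. VPN.

Added illustration; not from the original articles.  Addresses and the
request are constructed.  The tunnel cipher is a toy SHA-256 keystream XOR
standing in for a real VPN protocol: it only shows that the payload on the
Wi-Fi leg is opaque.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass

CLIENT_IP = "203.0.113.7"    # constructed: laptop on the coffee-shop Wi-Fi
PROXY_IP = "198.51.100.20"   # constructed: plain (non-encrypting) proxy abroad
VPN_IP = "198.51.100.99"     # constructed: VPN server abroad
SITE_IP = "192.0.2.10"       # constructed: the site that is blocked in-country

# Constructed checkout request carrying a well-known test card number.
REQUEST = (b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
           b"card=4111111111111111&cvv=123")
SECRETS = [b"4111111111111111", b"shop.example"]
TUNNEL_KEY = b"demo-key-shared-with-vpn-server"   # constructed


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (demo only): XOR with a SHA-256 counter keystream."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


toy_decrypt = toy_encrypt   # XOR keystream: the same operation both ways


def via_proxy(request: bytes) -> tuple[Packet, Packet]:
    """(packet crossing the Wi-Fi, packet the proxy forwards to the site)."""
    on_wifi = Packet(CLIENT_IP, PROXY_IP, request)   # plaintext in the air
    to_site = Packet(PROXY_IP, SITE_IP, request)     # site sees the proxy's IP
    return on_wifi, to_site


def via_vpn(request: bytes, key: bytes = TUNNEL_KEY) -> tuple[Packet, Packet]:
    """Same two hops, but the Wi-Fi leg travels inside the encrypted tunnel."""
    on_wifi = Packet(CLIENT_IP, VPN_IP, toy_encrypt(key, request))
    to_site = Packet(VPN_IP, SITE_IP, toy_decrypt(key, on_wifi.payload))
    return on_wifi, to_site


def eavesdropper_sees(pkt: Packet, secrets: list[bytes] = SECRETS) -> dict:
    """What someone sniffing the public Wi-Fi can read off one packet."""
    return {"client_ip": pkt.src, "next_hop": pkt.dst,
            "readable": [s.decode() for s in secrets if s in pkt.payload]}


def compare(request: bytes = REQUEST) -> dict[str, dict]:
    """Both setups, seen from the Wi-Fi and from the destination site."""
    out = {}
    for name, (wifi, site) in (("proxy", via_proxy(request)),
                               ("vpn", via_vpn(request))):
        out[name] = {"wifi_eavesdropper": eavesdropper_sees(wifi),
                     "site_sees_source_ip": site.src,
                     "site_gets_request_intact": site.payload == request}
    return out
```

In both setups the proxy or VPN server itself still handles the full request, so the operator of that server is the party you are trusting with it.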

Hotspot Shield is a VPN that encrypts all of your online activities in that non-penetrable tunnel, while at the same time making it impossible for your location to be identified. You are essentially anonymous. Hotspot Shield works for both wireless and wired connections.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Zeus Malware Gang take-down

Zeus is no longer a god of malware; he’s been taken down by law enforcement agencies spanning six European nations. Five people were recently arrested—believed to have infected tens of thousands of computers across the globe. There have been 60 total arrests pertaining to this cybergang.

They also used malware called SpyEye, and that, along with Zeus, stole money from major banks. This was a clever operation that included ever-changing Trojans, and mule networks.

Another malware that was asphyxiated was the BeeBone botnet, which had taken over 12,000 computers across the world.

We can thank the Joint Investigation Team for these successes. And they don’t stop there. The JIT put a stop to the Ramnit botnet, responsible for infecting 3.2 million computers globally.

The JIT is comprised of judicial authorities and investigators from six European nations. The cybergang is believed to have its origins in Ukraine. This crime ring was sophisticated, repeatedly outsmarting banks’ revisions of their security measures. Each crook in this ring had specially assigned duties and caused total mayhem to their victims. They even sold their hacking expertise and recruited more thieves. This was one hefty cybergang.

The six nations that are members of JIT are the UK, Norway, Netherlands, Belgium, Finland and Austria. The investigation began in 2013 and had a most thrilling ending. And it wasn’t easy. Here’s some of what was involved in this investigation:

  • Analysis of terabytes of data (one terabyte = one million million bytes)
  • Forensic analysis of devices
  • Analysis of the thousands of files in the Europol Malware Analysis System
  • Operational meetings and international conference calls

But the game isn’t over; there are still more cybergang members out there, and JIT will surely hunt them down by analyzing the mountainous load of data that was collected from this investigation. The funding comes from Europol and Eurojust. In fact, Eurojust has provided legal advice and helped draw up the JIT Agreement.

Other countries were instrumental in achieving this capture: Latvia, Estonia, Moldova, Poland, Germany, Ukraine and the U.S.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Tell your Grams about these Scams

Do we really get wiser with old age, or just more vulnerable to all the scammers out there? Here are the top scams directed towards senior citizens.

IRS

The phone rings; it’s from the IRS, claiming you owe money.

  • Caller ID says IRS (spoof technology).
  • Caller says if you don’t pay within 24 hours, you’re going to jail.
  • Caller wants your bank account information and routing number, or wants you to wire what you owe.
  • Or, caller says IRS owes you, but to get the refund, you must pay a processing fee within 24 hours.
  • The IRS never calls people for back taxes; it sends a certified letter.
  • Refunds are sent via snail mail without the IRS ever notifying you.

Reverse Mortgages

  • There’s no monthly payment, but whatever balance and interest have accumulated by the time the borrower sells must be paid back. If the borrower dies before this, family members must pay it.
  • Misleading ads make it seem this loan is affiliated with the government.
  • You CAN lose your home.
  • If you run out of equity before you sell or die, you’ll need to repay the loan. If you can’t, it’s foreclosure time.

Sob Story

  • The caller identifies self as a grandchild, great niece, etc.
  • Or, the caller says he’s your grandchild’s doctor, lawyer, etc.
  • The caller is in trouble and wants you to wire them money ASAP.
  • They may know details of the person they’re impersonating and you as well, because they’ve visited that person’s Facebook page—and yours.
  • If you ask if you can call back, the caller won’t accept this.
  • Asking additional questions about the “accident” or “burglary” won’t get you answers.

Obituaries and Funeral Homes

  • The caller says that the deceased owes a debt.
  • Or, the caller says he provides funeral services.
  • The victim is usually a spouse.
  • A funeral home that you’re already working with may also try to scam you by talking you into the most expensive casket, memorial plaques, etc.

Phony Pharma

  • Caller or e-mail sender claims to be from the government or authorized by such, to fill your drug prescription at a cheap price.
  • You must act now because the great deal is for a limited time.
  • If you DO receive something, it’s probably vitamins in a prescription bottle.
  • The crook may know details about you from reading your Facebook page.
  • A similar scam exists for Medicare.

Solutions

  • Use a mobile phone as much as possible; scammers usually call landline numbers.
  • Never answer the phone if the number is unfamiliar or says IRS.

Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

UL to launch Cybersecurity Cert

UL in this case stands for Underwriters Laboratories. An article on darkreading.com notes that a UL official, Maarten Bron, says that they are taking part in the U.S. government’s plan to promote security certification standards.

The U.S. government is interested in developing a UL-type program directed at computers and smartphones. This initiative will encourage the private sector and the government to create the standards.

So that’s what we have thus far; this initiative is in its early childhood stage, so there isn’t much more information about it that’s available to the media. UL is looking forward to sharing involvement with the White House’s initiative to unite the private and public sectors to combat cybercrime.

In the meantime, UL is fine-tuning its own test and certification program for Internet of Things products.

The darkreading.com article quotes Bron as follows: “We are prepared to release a test and certification program for this,” that will be fueled by users’ concerns and needs.

Historically, UL has been involved with the testing and certifying of appliances for their electrical safety. About four years ago, UL developed a cybersecurity division. In the darkreading.com article, Bron points out that the security of electronic payments is of particular concern, “namely certification of chip and PIN technologies.”

The transition from magnetic stripe credit cards (which are so easy to fraudulently use) to chip and PIN technology for the cards is underway.

UL has come up with some testing tools that cross-validate the settings from bank card chips against Visa best practices, says Bron. But that’s all just one slice of the cybersecurity pie.

Another big slice is health, and yet another big chunk relates to industrial control systems. UL wants to be on top of holes or vulnerabilities.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Teen pleads to SWATTING

Just what kind of punishment should a 17-year-old get for making fraudulent 911 calls (a crime known as swatting)?

This happens more than you think. What’s outright astounding is how these teens could think they won’t be discovered. Have they been living in a cave all their lives, using a torch for light?

A 17-year-old boy in Ottawa, Canada, made several fake 911 calls, including several in the U.S.

  • Told dispatcher his mother was lying in a pool of blood; pretended to follow the CPR instructions.
  • Pretended to be holding people hostage, demanding $100,000.
  • Threatened to blow up a school.
  • Arrested in May 2014, he faces 34 charges.
  • Evidence includes recordings of the phony calls found on the boy’s computer, plus Skype and Twitter logs.
  • So based on the evidence, it’s clear that this boy knows something about modern technology. Wow, he must be as dense as a box of bricks to think he couldn’t be traced.

Maybe if kids, perhaps starting in adolescence, were taught in school how easy it is for authorities to track down a swatter, there’d be a lot fewer swatters. Certainly there would be; it’s not a “maybe.”

It’s the parents’ job to raise good kids, but we know this happens only some of the time. The kid may still be a rotten apple (thanks to a dysfunctional home life), but if he’s at least educated in how simple it is for detectives to trace fraudulent 911 calls, there wouldn’t be all of these fake 911 calls that tie up staff while other people really need their help.

And while we’re on the topic of swatting, is there a name for the authentic 911 calls—but that deal with absurd complaints? People will call 911 to report lightning—simply in the sky. Other examples:

  • Caller couldn’t figure out how to exit a locked car.
  • Caller complained her husband was viewing porn.
  • Complaints about inadequate restaurant service.
  • Caller complained her boyfriend wouldn’t warm her cold feet.
  • Caller (drunk) complained a bouncer wouldn’t let him into a night club.

I say no jail time for these morons. Instead, make ’em stand all day at a busy intersection wearing a sign that says, “I’m a stupo. Called 911 because (fill in the blank).”

Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

The Growing Demand for Cybersecurity Professionals

Cybersecurity professionals are always in demand[i]. Threats to intellectual property and sensitive data constantly evolve with technology, which means a security professional’s job is never done. There’s always another security problem to solve.

Consider the recent proliferation of cyber attacks: it’s become easier and easier for a small group of people to compromise vast networks of corporate and government information. Worse still, cyber criminals are getting better at covering their tracks.

Experts believe the global shortage of top-flight cybersecurity professionals exceeds one million; our federal government is currently seeking more than 10,000 candidates. The trend will continue in the near future as more and more features of day-to-day living are converted to digital.

As the private sector feels the crush of data breaches, the increasing sophistication of attacks fuels demand to counter or prevent them. Unfortunately, cybersecurity is rarely considered a “glamor job.” Ask a hundred eight-year-olds what they want to be when they grow up and few (if any) will answer “cybersecurity specialist.”

But that’s all the more reason to consider a career in this booming field! Governments and private organizations of all kinds are desperately seeking skilled candidates to protect their data and critical infrastructures from cyber criminals. The shortage of cybersecurity talent is not simply a lucrative opportunity for IT experts; it’s a matter of national security in defense of privacy, property and fair commerce.

Simply stated: there have never been better opportunities for advancement in the cybersecurity profession.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.

[i] http://www.bls.gov/opub/btn/volume-2/careers-in-growing-field-of-information-technology-services.htm