State sponsored Attacks big Problem

The U.S. Office of Personnel Management, an identity database, was attacked by hackers rather recently, and they hit the jackpot: More than 21 million federal workers are at risk of identity theft for perhaps the rest of their lives, reports an article on forbes.com.

The hackers from overseas now have security clearance documents for these employees that contain some very sensitive personal information. And nobody can take these documents away from the hackers.

That’s the problem with these centralized identity databases. It’s like all the loot is in one location, so that when the thieves strike, they get it all. And as the forbes.com article points out, not too many governments care to invest the money and energy in optimizing the security of these huge central databases. And it’s not just the U.S. with this problem. Other countries have also had either cyber attacks or big issues with their national ID systems.

On the security evolution clock of 24 hours, cybersecurity comes in during the last few seconds. Governments for eons have been very staunch about issuing security in the physical form, such as constructing walls and other barricades near borders.

But protecting a computer database from harm? It’s just not as prioritized as it should be. The forbes.com article notes that the cybersecurity of a country’s citizens makes up the whole of the nation’s security.

Seems like things will be getting way more out of hand before things start getting under control, if ever. In line with this trend is that hackers have, in their possession for all time, fingerprint data of more than one million U.S. security clearance holders.

Governments need to start focusing on protecting the cyber safety of all the millions and millions of ants that make up its nation, or else one day, the empire just might crumble.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Twitter ups its Security Game

Twitter recently announced its new tool to help with management and monitoring of its users’ accounts: the Twitter data dashboard.

An article on lifehacker.com details what this new tool will offer. For instance, you will not need to use your real name on Twitter—and I have to admit, this is an odd way to promote the tool, because I’m sure that scads of Twitter users haven’t been using their real name for years. It’s not as though Twitter can tell that “Emily White” is really Sashea Fiopwieei.

Anyways, users will be happy that their privacy settings will let them control whether or not their tweets are kept public. You will be able to enable login verification to increase your account’s security.

The Twitter data dashboard can be accessed from the settings menu that users can find on twitter.com. It shows the user’s account activation details and recent login history. It also reveals any devices that have accessed the account.

This setup allows the user to review account activity in an expedient way and make sure that everything looks right.

Now suppose you notice login activity from an unfamiliar app. You can go to your settings and look for the apps tab and revoke the application’s access to your account.

The lifehacker.com article also points out that if you notice logins from unfamiliar locations, you can immediately change your password.

You also have the option for setting up login verification to add an extra layer of security to your account. Twitter’s new dashboard will let you manage your Twitter archive and control your address book contacts, among other items that you will have more jurisdiction over.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Mother Nature can ruin your business: Get ready for natural disasters now

September is almost over. This means National Preparedness Month is nearing its end. Nevertheless, you must be prepared all year long to stay safe. National Preparedness Month culminates September 30th with National PrepareAthon Day.

In the boxing ring, if you focus on the knockout punches too much, the quick sharp jabs are what may bring you down. This is how some businesses approach their security. They put too much emphasis on preventing that mountainous data breach, while smaller everyday threats sneak by.

Those smaller threats may be difficult to get at, and they can knock you out for good. A company may have all eyes on that Russian hacking ring, a fire or hurricane. But threats come in all flavors.

A business just can’t use all its artillery against the “big” threats, because this will create non-flexible tactics that unravel in the face of an unexpected threat.

Unless company leaders are psychic, they can’t anticipate every possible threat. But being narrowly focused is no good, either. Here are some tips on how to widen that focus and plan for disaster:

  • Certainly, gear up for the “big” threats like natural disasters and brick-and-mortar crimes. This includes having insurance plans, conducting evacuation training, and implementing additional protection like smoke detectors and fire extinguishers.
  • Create a list of as many possible threats you can think of. If you can conceive it, it probably can happen.
  • Come up with a backup location should your primary office location be rendered inoperable.
  • Create a core response team for any kind of disasters, and see to it that the members are easy to reach. Have a secondary team in place in case anyone in the primary core can’t function.
  • Establish post-disaster communication plans for employees, customers/clients and vendors. Have a list of backup vendors.
  • Create security plans that are flexible rather than rigid, and make sure they are regularly updated.
  • Back up all data. Have an onsite data backup as well as cloud backup.
  • Replace computers every 2-3 years. But don’t wait that long if the following symptoms of a croaking computer occur: odd noises during boot-up; things taking way too long; a blue screen.

The preparation and prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained on proactive security and tricks that cyber thieves use. To learn more about preparing your small business for disasters, download Carbonite’s e-book, “Five Things Small Businesses Need to Know about Disaster Recovery.”

#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders. Disclosures.

7 Ways to protect Yourself Online

The biggest mistake that you can make to threaten your online safety is to treat the online world differently—as far as your private information—than you would treat the physical world. In other words, if someone walked up to you and said, “Hi, can you please provide me with your name, address, birth date, home phone, cell phone, email, usernames, passwords, all your friends’ names and all their contact info?” would you? I think not.

What sane person would pass out cards with their Social Security number, birth date, full name, home address and bank account information to every stranger they walk past on the street? But essentially, that’s what many people do online.

Here are seven risky online behaviors:

  • Posting photos. As innocent as this sounds, photos of children have been known to get stolen and posted on child porn sites. Right click, save image as, then save to desktop; that’s all it takes. Does this mean never post photos of your kids? No. But save the picture of your naked two-year-old girl in the bathtub for your desktop. And don’t post vacation photos until after you return home.
  • Another thing about photos: Don’t post pictures of yourself engaging in activities that could come back to haunt you in some way. For example, you post a picture of yourself smoking while at a picnic. You apply for new health insurance and say you’re a nonsmoker. The insurance company might decide to view your social media pictures to catch you in the act.
  • Sounds innocent: You let your kids use your computer. But even if there are parental controls in place, your kids can still unknowingly let in a virus. Then you sit down to do some online banking…and the hacker whose virus is in your computer will then have your login credentials and bank account numbers, plus everything else. Ideally, you use a designated computer only for conducting sensitive online transactions.
  • A hacker sends (via bot) out 10,000 e-mails that are made to look like they’re from UPS. Out of 10,000 random recipients, chances are that a good number of them are waiting any day for a UPS shipment. This could be you. Will you open the e-mail and click on the link inside it? If you do, you’ll likely download a virus. This is a phishing scam. Contact the company by phone to verify the e-mail’s legitimacy. Better yet, just never click on the doggone links.
  • Do you know your apps? They most certainly know you—way too much, too. Applications for your phone can do the following: read your phone’s ID, continuously track your location, run your other applications, know your SIM card number and know your account number. Before downloading an app, find out what it can find out about you.
  • Don’t take silly online quizzes. Whoever’s behind them might just want to get as much information on you as possible with the idea of committing identity theft. Got some extra time? Read a book or do a crossword puzzle.
  • Never conduct business transactions using free Wi-Fi unless you have a virtual private network. Otherwise, anyone can cyber-see what you’re doing.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

A new kind of home security. Smart, voice controlled and autonomous

One of the reasons you—and many others—don’t have your alarm on during the day is because you know you’ll keep forgetting to turn it off every time you want to step into the garage or go outside. So you just keep it off. And that’s not smart because many home invasions and burglaries occur during daylight hours.

Typically, home security systems require you to push buttons.

  • What if you panic and forget the code?
  • What if you accidentally disable it?
  • What if your naughty visiting nephew messes with it?

It’s high time for the kind of home security system you’ve seen on ‘The Jetsons’—one that’s activated automatically when you leave your home.

Enter Angee—an up-and-coming company devoted to a smart, voice-controlled home security system.

What can Angee’s system do for you?

  • Say so long to those unsightly wall keypads where you might accidentally hit the wrong button.
  • Kiss goodbye to having to remember numerical codes, worrying if your elderly parent will remember it and worrying if a burglar could crack it.
  • By detecting the Bluetooth signal from your phone, Angee will automatically arm when you leave, and disarm when you arrive home.
  • As a backup method of identification should you lose your phone, or the battery run out, you can use voice recognition to disarm Angee. This can also be used for two-step authentication if you want to be extra secure.
  • Enjoying your private moments? Don’t want Angee to observe? Just say “Turn away.” You can even set Angee to automatically activate privacy mode when specific people are present at home.

Video Surveillance

  • Instead of cameras trained on one spot, Angee’s surveillance will respond to motion and rotate to face it. This allows Angee to capture events, wherever the action is. This way, an intruder will not be able to avoid camera range.

Angee Knows You’re Coming

  • When Angee is paired up with your smartphone, it will perform commands once you get near enough to your house after being out. So if you want the alarm to be disarmed as you approach your front door, Angee will do this—because it will detect when your mobile device is within a certain range.

There is a working prototype and the team behind it is on Kickstarter right now asking for your support to start serial production and make the future of smart home security reality: http://meetangee.com/get/08a33a.

Robert Siciliano is a personal and home security specialist to Angee. Learn more about Angee in this video. See Disclosures.

Finding out which Employees keep clicking on Phishing E-mails

You have the best IT security, but dang it…the bad guys keep getting in. This means someone inside your house keeps opening the back door and letting the thieves slip inside. You have to find out who this enabler in your company is, and it may be more than one.

They don’t know they’re letting in the crooks, because the crooks are disguising themselves as someone from your company or a vendor or some other reputable entity.

After figuring out who these welcome-mat throwers are, you then have to continuously keep them trained to recognize the thieves.

So how do you locate these gullible employees? The following might come to mind:

  • Create a make-believe malicious website. Then create an e-mail campaign—toss out the net and see how many phish you can catch. You must make the message seem like it’s coming from you, or the CEO, or IT director, a customer, a vendor, the company credit union, what-have-you.
  • You’ll need to know how to use a mail server to spoof the sender address so that it appears it really did come from you, the CEO, IT director, etc.
  • This giant undertaking will take away good time from you and will be a hassle, and that’s if you already have the knowledge to construct this project.
  • But if you hire an extraneous security expert or phish-finder specialist to create, execute and track the campaign, you’ll be paying big bucks, and remember, the campaign is not a one-time venture like, for example, the yearly sexual harassment training. It needs to be ongoing.
  • What leads to a data breach is that one doggone click. Thus, your “find out who the enabler is” should center on that one single click.
  • This means you don’t have to create a fake website and all that other stuff.
  • Send out some make-believe phishing e-mails to get an idea of who’s click-prone.
  • Set these people aside and vigorously train them in the art of social engineering. Don’t just lecture what it is and the different types. Actually have each employee come up with five ways they themselves would use social engineering if they had to play hacker for a day.
  • Once or twice a month, send them staged phishing e-mails and see who bites.
  • But let your employees know that they will receive these random phishing tests. This will keep them on their toes, especially if they know that there will be consequences for making that single click. Maybe the single click could lead them to a page that says in huge red letters, “BUSTED!”
  • This approach will make employees slow down and be less reflexive when it comes to clicking a link inside an e-mail.
  • Of course, you can always institute a new policy: Never click on any links in any e-mails no matter whom the sender is. This will eliminate the need for employees to analyze an e-mail or go “Hmmmm, should I or shouldn’t I?” The no-click rule will encourage employees to immediately delete the e-mail.
  • But you should still send them the mock phishing e-mails anyways to see who disregards this rule. Then give them consequences.
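The “send staged e-mails and see who bites” step above needs a way to attribute each click to an employee without putting names in the link. The following is an added example, not code from the original post: it assumes each staged e-mail carries a per-employee random token in the landing-page link (a hypothetical `/landing?t=<token>` path on an internal training server) and that the server writes ordinary access-log lines. The employee list and log lines are constructed sample data.

```python
"""Scoring a staged phishing-awareness test: who clicked, and who keeps clicking."""
import re
import secrets
from collections import Counter


def make_campaign(employees):
    """Return {token: employee}.

    One random, unguessable token per recipient lets a click be attributed
    from the web server log without exposing names or e-mail addresses in
    the URL.  Keep this mapping on the training server only.
    """
    return {secrets.token_urlsafe(12): employee for employee in employees}


# Matches the hypothetical landing-page request written to the access log.
LANDING_RE = re.compile(r'GET /landing\?t=([A-Za-z0-9_-]+)')


def clickers(log_lines, campaign):
    """Employees whose token shows up in a landing-page hit.

    Unknown or malformed tokens (scanners, typos, hits from an old campaign)
    are ignored rather than attributed to anyone.
    """
    seen = set()
    for line in log_lines:
        match = LANDING_RE.search(line)
        if match and match.group(1) in campaign:
            seen.add(campaign[match.group(1)])
    return seen


def click_prone(rounds, threshold=2):
    """Given per-round clicker sets, return employees who clicked in at least
    `threshold` rounds: the people to pull aside for extra training."""
    counts = Counter()
    for round_clickers in rounds:
        counts.update(round_clickers)
    return {employee for employee, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    staff = ["alice", "bob", "carol"]
    campaign = make_campaign(staff)
    by_name = {v: k for k, v in campaign.items()}
    # Constructed access-log lines: alice and bob clicked; one stray bad token.
    sample_log = [
        f'10.0.0.5 - - [01/Sep/2015:09:14:02] "GET /landing?t={by_name["alice"]} HTTP/1.1" 200',
        f'10.0.0.9 - - [01/Sep/2015:09:20:47] "GET /landing?t={by_name["bob"]} HTTP/1.1" 200',
        '10.0.0.7 - - [01/Sep/2015:09:21:10] "GET /landing?t=notarealtoken HTTP/1.1" 200',
    ]
    this_round = clickers(sample_log, campaign)
    print("clicked this round:", sorted(this_round))
    print("repeat clickers:", sorted(click_prone([this_round, {"alice"}])))
```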

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Seniors big Target for Romance Scams

Janet N. Cook, 76, was duped by a dashing younger man. A report at nytimes.com explains that in July 2011 she connected with Kelvin Wells via a dating site.

Next thing, this seemingly-together man was in trouble and needed lots of money. Cook got burned; she sent the crook nearly $300,000 (amazing; just try to get a friend to give you $100).

The FBI’s Internet Crime Complaint Center warns:

  • If that wonderful man (or woman) sounds too good to be true and speaks poetically, e.g., “We were meant to be together,” run for the hills.
  • If they claim they love you, can’t live without you, etc., come on, this should turn you OFF, not ON.
  • Be suspicious of those claiming they’re originally from the U.S. but are now overseas or are entrenched in some heavy business or family situation.
  • Be leery of those insisting, very early on, that all communications be done via e-mail, phone or instant message (to avoid detection by the dating site).
  • If they claim they need you to send money for their travel expenses to meet you, make like an airplane and drop the bomb on them.
  • Older women are typical targets due to their accumulated wealth.

It’s a numbers game for these smooth-talking scammers. They keep hunting ‘til they find that lonely, vulnerable victim, usually a woman living by herself who becomes enthralled at all the gushy e-mails and phone calls from Mr. Dashing. He may have told his sob story to 500 women just to land one victim, but for $300,000, it’s time well spent.

According to the IC3, about 6,000 people reported such scams between July 1 and December 31 of 2014.

Is this $300,000 an anomaly? The nytimes.com article tells of a woman in Pensacola, Florida who gave her swindler $292,000.

Victims aren’t necessarily uneducated. The article cites Louise B. Brown, a nurse from Vermont, who’d been scammed. Brown, 68, met Thomas on Match.com. He was about to leave for Malaysia (typical story; originally from the U.S. but currently living in or about to travel to a foreign land—HUGE red flag!). She sent Thomas $60,000 and ate up her savings. These guys must be good; where do they find such vulnerable victims?

Really, the rule is simple: If the guy asks you for money, drop him. End of story. But by the time these clever crooks tell you they’ve been robbed by bandits in a remote Southeast Asian village, the victim is already under his spell—but there were warning signs before even that happened (see above bullet list).

It took only three weeks for Betty L. Davies of Georgia to fall under the spell of Donald Leo Moore. Davies, 62, gave him a whopping amount of money after he claimed he’d been robbed while in Malaysia. Then his chemical engineering project ran into trouble and she gave him $20,000. He then needed $30,000 thanks to Singaporean officials. Total money lost: nearly $300,000.

“Script” of the Scammer

  • Build victim’s trust
  • Create sense of urgency

If Mr. Dashing has any of the aforementioned traits, immediately report him to law enforcement, even if you know the truth: That your lent money is gone forever.

Prevent Getting Scammed

  • I’m going to play psychologist here and ask you why you’d want to get involved with a man who travels. Think of all the hardships this would bring to a relationship. One of the common denominators in scammers is that they claim they’re overseas or will soon be going there.
  • Psychologist again: Lower your standards. MUST he have a glamorous job like international relations, foreign road construction or cruise ship engineering? MUST he type and speak like a poet? Swindlers will present themselves as very accomplished and above the common man.
  • MUST you equate constant attention from Mr. Dashing with compatibility and honesty? Cook was hooked by Kelvin’s constant attention.
  • MUST you travel to the Bahamas and Bermuda to be happy? Brown’s scammer promised her trips there.
  • Right-click on the man’s profile image to see where else online it shows up.
  • If his verbiage sounds canned, paste it into the search engine to see if it appears on romance scam sites.
  • Immediately alert the dating site when a suitor asks for money.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Using a knife for survival

An article at indefinitelywild.gizmodo.com informs on how to use a knife safely and efficiently for survival.

Safety

  • For outdoors, carry a fixed-blade knife, as this is less likely to break.
  • The knife should always stay in its sheath. Otherwise, you could stumble and fall into it, slicing and dicing an organ.
  • Practice drawing the knife so that you don’t accidentally grab the sheath or somehow get cut. You may need to draw it at a second’s notice.
  • The draw should have two steps. First, take the handle with your forehand to loosen the blade in the sheath; push against the sheath with your thumb. Next, wrap thumb around handle and slowly withdraw the knife away from your body.
  • Always use slow movements with a knife.
  • When giving a knife to someone, use a forehand grip; rotate knife between forefinger and thumb. The handle should face the recipient, edge of knife pointed up. Do not release the knife until the recipient has a secure hold.
  • A sharper blade is safer because it requires less force, so always keep it sharpened.

Gripping a Knife

  • For most tasks, use a forehand grip: Knife is inside your fist, its edge facing your first finger.
  • This is why before you buy a knife, first make sure you can completely close a fist around the handle. Huge handles are no good.
  • A reverse grip is preferable when cutting cords of any type. The knife edge points towards the thumb. And pull with your shoulder or torso rather than arm to avoid an over-pull.
  • Chest lever grip. Hold blade with edge pointed in reverse direction to the forehand grip, pointed up towards knuckles.

Knife Uses

  • Chopping wood. Place knife with forehand grip against the wood. Use a wooden object shaped like a baton to “hammer” the blade through the wood.
  • Splitting wood. Place knife’s blade, using forehand grip, over the wood. Use the baton to drive it through in the direction of the grain.
  • Slicing. You’ve certainly already done this many times at home: slicing celery, carrots, lettuce, bread, apples (if you’re a man you should know how to do these things!). The key in survival or outdoor slicing is to slice with a forehand grip against a surface that mimics a cutting board at home.
  • Power cutting. Use the chest lever grip while securely holding the object you want to cut. Draw the blade through it hard, using your back muscles.
  • Controlled cutting. The chest lever grip is also used, but you work your way around the object being cut.
  • Drilling. Place tip of knife onto the object (knife is vertical) and begin twisting right and left. Don’t be too forceful or your hand might slip down the knife.

With any use or grip of a knife, always make sure—before you begin the task—that no body part is in the path of the knife if the knife were to slip.

Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Ins and Outs of Call Center Security

Companies that want to employ at-home workers for their call centers to save money and reduce the hassles of office space have to look at security considerations. In addition to thorough vetting of the agents and their equipment, organizations also need to ensure that the security is top-notch. A cloud-based contact center combats these issues. Here are some considerations:

  • Will it anger customers to have an agent who can’t speak clear English? Not only does poor speech of the employee drive some customers away, it also concerns customers who are accessing their data overseas.

When choosing an outsourcer, organizations look for important factors including: (1) agent language capabilities, (2) security capabilities, and (3) financial stability of the outsourcer. – Study conducted by Ovum

  • There comes a point where businesses need to put customer comfort first, especially when it comes to security, such as in the case of healthcare and financial concerns—more complex issues. “Homeshoring” eliminates the awkwardness that sometimes arises when someone is trying to bushwhack through the broken English of the customer support. Though homeshoring will cost companies more, this will be offset by lower turnover rates, small learning curve and a higher rate of first-call resolution.
  • Telecommuters (agents) should be screened vigorously, including (as a minimum) a background check for Social Security Number, criminal history and citizenship.
  • Then, a contract should be drawn up that should include an agreement to customer confidentiality as well as learning specifications.
  • A system should allow the customer to enter, via phone keypad, sensitive information such as credit card number—but without the agent seeing this entry.
  • Sessions between agents and customers can be infringed upon by hackers who want to gain access or snoop, creating a need for an end-to-end security system.
  • Zero-day attacks, which give hackers access, are a big threat. To prevent this, companies must have regularly updated and patched-up systems.
  • A firewall is a must, for server protection and back-end systems.
  • Also a must is two-factor authentication. This superb verification method includes the factor of device location and other identifiers. An agent must have a way of receiving a one-time code sent by the company to gain access to a critical system. A hacker, for instance, won’t be in possession of an agent’s cell phone to receive the texted code.
  • In tandem with two-factor authentication, the cloud service should require a very uncrackable password so that only at-home agents can gain access. A strong password is at least eight characters (preferably 12) and contains caps and lower case letters, plus numbers and other characters like #, $ and @.
  • Cloud services should be 100 percent PCI Level 1 compliant. To enhance security, have a minimum of two PCI-compliant data centers.
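The two items above on one-time codes and password strength describe what the agent sees; the server side has to enforce the rest (codes expire, work once, and survive only a few guesses). The following is an added example, not code from Arise or the original post: it assumes the code is delivered out of band (for example by text to the agent’s registered phone) by a mailer/SMS gateway that is not shown, and it checks passwords against exactly the policy stated above. The agent name and clock are constructed for the example.

```python
"""Server-side handling of texted one-time codes, plus the stated password policy."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a texted code is good for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses burn the code
MIN_LENGTH, PREFERRED_LENGTH = 8, 12
SPECIAL_CHARS = set("#$@!%^&*()-_=+[]{};:,.?/")


class OneTimeCodes:
    """Issues and verifies short numeric codes for a second login factor.

    Only a hash of the code is stored, so a copy of this table does not
    let anyone log in.  A code is single-use, time-limited and guess-limited.
    """

    def __init__(self, clock=time.time):
        self._pending = {}    # agent -> [digest, expires_at, attempts_left]
        self._clock = clock   # injectable for testing

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, agent):
        """Create a fresh 6-digit code for `agent` and return it for delivery.

        Delivery (SMS/voice to the phone on file) happens elsewhere; a new
        issue replaces any code still pending for the same agent.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[agent] = [self._digest(code), self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, agent, code):
        """True only for the current, unexpired code; consumes it on success."""
        entry = self._pending.get(agent)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[agent]
            return False
        # compare_digest avoids leaking how many characters matched via timing.
        if hmac.compare_digest(digest, self._digest(code)):
            del self._pending[agent]          # single use
            return True
        entry[2] -= 1                         # burn one attempt
        if entry[2] <= 0:
            del self._pending[agent]
        return False


def password_issues(password):
    """Return the list of policy failures (empty list means the password passes):
    at least 8 characters, with upper case, lower case, a digit and a special."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        issues.append("no upper case letter")
    if not any(c.islower() for c in password):
        issues.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        issues.append("no special character such as #, $ or @")
    return issues


def meets_preferred_length(password):
    """The policy's 'preferably 12' recommendation, reported separately."""
    return len(password) >= PREFERRED_LENGTH


if __name__ == "__main__":
    codes = OneTimeCodes()
    sent = codes.issue("agent-42")          # constructed agent id
    print("verify wrong code:", codes.verify("agent-42", "000000" if sent != "000000" else "111111"))
    print("verify right code:", codes.verify("agent-42", sent))
    print("replay same code:", codes.verify("agent-42", sent))
    print("password issues:", password_issues("password"))
```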

Offshoring and outsourcing for call center agents places an even higher demand for security—which is already greatly needed by virtue of the at-home, virtual workplace. When choosing an outsourcing solution consider all of the above. Ask lots of questions and get quality references.

Robert Siciliano is a personal privacy, security and identity theft expert to Arise discussing identity theft prevention. Disclosures.

Cheating Website hacked hard

Bad guys hacked bad guys. Hmmm, whose side should we take?

Ashleymadison.com got hacked. This site helps and suggests married people cheat. The hack threatens millions of users, potentially revealing their credit card information, addresses, real names, pictures and content of their chat logs.

This dating site has 37 million users and is owned by Avid Life Media. Their other sites, Established Men and Cougar Life, were also hacked.

The hackers responsible call themselves The Impact Team. They object strongly to Ashleymadison.com and had threatened to release all the hacked data unless the site closed down.

The Impact Team is especially unnerved over the site’s Full Delete service that supposedly wipes clean a customer’s profile and everything associated for $19. The Impact Team alleges that Ashleymadison.com took the money but did not delete, retaining clients’ credit card information, names and addresses.

The site denies the claims and is offering the deletion service for free. It’s also fighting to get the millions of personal data pieces removed from cyber space. If it’s already been exposed… too late.

Sounds like some spouses are going to get the frying pan for sure.

The Hacking Team might sell all this personal data for a lot of dough, but that’s a rumor. Either way, the customers are surely shaking in their boots.

A similar thing happened with another site called Adult Friend Finder. Recently, the sex life of its nearly four million users was revealed—purchased underground for $16,800.

What do these recent hacking incidents teach us? Not to cheat? Well, maybe, but more so that you risk a lot by putting your identity and other sensitive information online. Online services cannot guarantee protection from hackers. Maybe Ashleymadison.com’s customers should have used a virtual credit card number, but that wouldn’t have kept other sensitive information concealed.

Had this site used encryption, the hackers would have seen nothing but a bunch of garbled characters: zero value. But most sites don’t use encryption. And when they do, it’s often crackable.

Some sites, like Ashley Madison, have a privacy flaw: If someone knows your e-mail, they can find out if you’re registered with the site because its password reset requires only the e-mail.
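The privacy flaw just described is account enumeration: the password-reset response itself tells an outsider whether an address is registered. The following is an added example, not code from Ashley Madison or the original post, showing the leaky reset handler beside a uniform one and a check a developer can run to catch the difference; the user table and `send_reset_mail` stand-in are constructed for the example.

```python
"""Password reset: leaky vs. uniform responses (account enumeration)."""
import secrets

# Constructed sample data standing in for the site's user table.
USERS = {"alice@example.com": {"name": "Alice"}}

# Stand-in for the site's mailer: messages are collected here instead of sent.
OUTBOX = []


def send_reset_mail(email, token):
    OUTBOX.append((email, token))


def reset_leaky(email):
    """The flawed pattern: the reply differs for registered and unknown addresses,
    so anyone who knows an e-mail address can learn whether it has an account."""
    if email not in USERS:
        return "No account found for that e-mail address."
    send_reset_mail(email, secrets.token_urlsafe(16))
    return "A reset link has been sent to your e-mail address."


def reset_uniform(email):
    """Hardened pattern: the same reply whether or not the address is registered.
    Mail is still sent only for real accounts, so only the mailbox owner learns
    anything.  In production, queue the mail so response time does not differ either."""
    if email in USERS:
        send_reset_mail(email, secrets.token_urlsafe(16))
    return "If that address is registered, a reset link has been sent."


def distinct_responses(handler, emails):
    """How many different replies `handler` gives across `emails`.
    A value above 1 means the endpoint distinguishes known from unknown accounts."""
    return len({handler(e) for e in emails})


if __name__ == "__main__":
    probe = ["alice@example.com", "nobody@example.com"]
    print("leaky handler distinct replies:  ", distinct_responses(reset_leaky, probe))
    print("uniform handler distinct replies:", distinct_responses(reset_uniform, probe))
    print("mails queued for real accounts only:", OUTBOX)
```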

If you don’t want anyone to know you have an account with a site, then create an e-mail just for that site. But that’s only one small thing you can do. Your private information may still get hacked into and revealed to the world.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.