How to pwn Anyone

Define Pwn: Pwn is a slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival. And when it’s done by hacking email, the person is effectively pwned. No matter how “private” you are on the Internet, no matter how infrequently you post on your Facebook page—even if you don’t have a Facebook account—your life can be hacked into as long as you own just one password—and the ability to be tricked.

Such was the case of Patsy Walsh, reports an article at bits.blogs.nytimes.com. She gave a few white hat hackers permission to try to hack into her life, and they accomplished this in under two hours, without even entering her house. She figured it would be next to impossible because she had no smart gadgets in the home and rarely posted on her Facebook page.

The “ethical” hackers, part of a security start-up, quickly found Walsh’s Facebook page (which presumably contained personal information such as her town, since there are many “Patsy Walsh” accounts).

The scarcely posted-to account, however, revealed that she had liked a particular webpage. Based on that information, the hackers phished her and she took the bait, giving up a password, which happened to be for many of her accounts.

The good guy hackers were then invited into her home, where they easily obtained her garage door opener code with a brute-force attack, but even scarier, cracked into her DirecTV service because it didn’t have a password. Such a breach means that the hacker could control the TV remotely: running a porn movie while the homeowner’s grandmother is visiting.

They also found Walsh’s passwords tacked onto her computer’s router. The exposed passwords allowed them to get into Walsh’s and her daughter’s e-mail accounts. From that point they got ahold of Walsh’s Social Security number, PayPal account, insurance information and power of attorney form.

She was probably thinking, “Well of course! They’re professional hackers and I let them inside!” But the hackers also discovered that there were about 20 malicious programs running on her computer. Their recommendations to Walsh:

  • New garage door opener
  • Password for DirecTV
  • Password manager to create unique passwords for all of her accounts
  • Security software always kept updated
  • Two-step authentication when offered
  • A nice lecture on phishing attacks

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

What’s in a Bugout Bag

There’s a name for the survival sack that you take with you outdoors in the event of survival emergency: bugout bag.

Let’s start with the key components to net a three-day survival:

  • Water: one liter per person per day
  • Food: “energy bars” or backpack meals
  • Small pot or large cup (though if you have only energy bars plus iodine tablets, you won’t need to boil water for food or purification).
  • Clothes: sturdy footwear, long pants, two pairs non-cotton socks, two shirts, rainwear hooded jacket and rainwear pants, long underwear, wide-brimmed hat
  • Tarp or tent plus a ground tarp; sleeping bag
  • First aid kit (not necessarily a prepackaged one from the store; it may be better to build one; you’ll know exactly what’s in there, like tweezers to remove ticks).
  • Poncho
  • Fire starters
  • Survival knife (find the one that suits you best)
  • Small mirror (in case something gets in your eye, but also to reflect the sun to get the attention of rescue aircraft)
  • Two flashlights and backup batteries
  • Weapon (the knife may suffice, but you probably won’t be too confident with only a knife to fend off a bear, so better have pepper spray on hand). If you are a gun person, please be properly trained.
  • Baby wipes. Hygiene is as important as nutrition.
  • Sunglasses and sunscreen (imagine the sunburn three days out in the sun, even during winter; snow reflects sun from a clear sky like mad).
  • GPS or some kind of beacon to help find you if you get lost.
  • Paracord. Google it.

There are so many more things that can be added to the bug-out bag, but remember, this list refers to three days’ worth of survival. Obviously, if you want to pack the bag for seven days, you’d want to include more things. These additional items may be anything from a map and compass to a snake-bite kit.

Small plastic bags and long shoelaces are also invaluable, as they can be used to trap water moisture from non-poisonous vegetation branches and condense it over several hours, filling the bag with enough to drink from.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Phishing works and here’s why

A phishing e-mail is sent by a cyberthief to trick its recipient into revealing sensitive information so that the crook could steal money from the recipient or gain access to a business’s classified information. One way to lure an employee is for the crook to make the e-mail appear like it was sent by the company’s CEO. Often, phishing e-mails have urgent subject lines like “Your Chase Bank Balance Is Negative.”
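The two tricks described above, a CEO’s name on an outside address and a pressure-laden subject line, are also the cheapest things to check automatically. The script below is an added example written for this page, not code from the post or from any product it mentions; it scores raw e-mail messages against four heuristics (executive display-name impersonation, a lookalike sender domain, a diverted Reply-To, and urgent subject wording). The company domain, executive directory and the three sample messages are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed environment (constructed for this example, not from the post):
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # display name -> real address
URGENT_WORDS = ("urgent", "immediately", "negative", "suspended",
                "action required", "wire", "overdue")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return a list of phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", "")).lower()
    sender_domain = _domain(addr)
    findings = []

    # 1. Display-name impersonation: a known executive's name on a foreign address.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display-name impersonation: '{name}' sent from <{addr}>")

    # 2. Lookalike domain: the company's name embedded in a domain we don't own.
    brand = COMPANY_DOMAIN.split(".")[0]
    if sender_domain != COMPANY_DOMAIN and brand in sender_domain:
        findings.append(f"lookalike sender domain: {sender_domain}")

    # 3. Replies diverted to a different domain than the visible sender.
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(f"reply-to diverted to <{reply_to}>")

    # 4. Pressure language in the subject line.
    hits = [w for w in URGENT_WORDS if w in subject]
    if hits:
        findings.append(f"urgent subject wording: {hits}")

    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "ceo_spoof": (
        "From: Jane Doe <jane.doe@example-mail.com>\n"
        "To: bob@example.com\n"
        "Subject: URGENT wire transfer needed before 5pm\n\n"
        "Bob, handle this immediately and don't call me, I'm in a meeting.\n"
    ),
    "bank_scare": (
        "From: Bank Alerts <alerts@chase-bank-notice.test>\n"
        "Reply-To: recover@free-mailbox.test\n"
        "To: bob@example.com\n"
        "Subject: Your Chase Bank Balance Is Negative\n\n"
        "Click the link to resolve.\n"
    ),
    "legit": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "To: bob@example.com\n"
        "Subject: Q4 planning notes\n\n"
        "Agenda attached, see you Thursday.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", score_message(raw) or "no indicators")
```

Treat the output as a score that routes a message to review or feeds a training conversation, not as a block rule: legitimate mail is sometimes urgent, and a real mail gateway would combine these heuristics with SPF, DKIM and DMARC results rather than trusting the visible From header alone.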

In its 2015 Data Breach Report, Verizon reported that 23 percent of employees open their phishing e-mails. Eleven percent go further by clicking on something they shouldn’t.

Why do so many employees (and mainstream users) fail to recognize a phishing e-mail? Strong security awareness training at companies is lacking. Perhaps the company simply tosses a few hardcopy instructions to employees. Sitting them in front of videos isn’t enough, either.

Security awareness training needs to also include staged phishing attacks to see which employees grab the bait and why they did so. With a simulated phishing attack approach, employees will have a much better chance of retaining anything they’ve learned. It’s like teaching a kid to hit a home run; they won’t learn much if all they do is read instructions and watch videos. They need to swing at balls coming at them.

The return on investment from staged phishing attacks will more than offset the cost of this extra training. Living the experience has proven to be a far more effective teacher than merely reading about it or listening to a lecture. As straightforward as this sounds, this approach is not the rule in companies; it’s the exception.

Even rarer is when phishing simulation is ongoing rather than just an annual or semiannual course. But just because it’s rare doesn’t mean it isn’t effective. Companies tend to cut corners any way they can, and forgoing the phishing simulations is often at the top of the list of investments to nickel-and-dime.

If you want to see how gullible your employees (or family and friends) are to phishing e-mails, which again, are geared towards tricking the recipients to click on a malicious link or attachment, pay a visit to Phish.io.

Here you can register, and this free service will send phishing e-mails to your specified recipients. However, these are harmless tests and will not lead to anything negative—other than to reveal who can be duped.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Is that Viral Story real?

The Internet has almost as many videos as there are stars in the heavens. And you know that some have to be hoaxes. Sometimes it’s obvious, while other times it’s easy to be fooled. For example, the hoax of the “angel” intercepting a truck just about to run over a bicyclist is obviously fake. Isn’t it?

But what about the video of the man cut in half by a bus while riding a bicycle, lying on the ground, staring at his intestines, talking for a full five minutes, while his pelvis and legs lie catty-corner to him? That video looks eerily real.

And so did the enormously viral one of the Syrian refugees holding the ISIS flags and assaulting German police officers.

There are free, non-techy ways to check if a video or image is a fake, from an article at gizmodo.com:

“Reverse Image”

Simply right-click an image, and a selection box will appear. Click “Search Google for this image.” Different sources for the same image will appear, but this won’t necessarily rule out a hoax.

For example, multiple links to the man cut in half appear, and the dates of postings differ, but there’s no way to rule out a hoax based on just this information.

However, suppose there’s a photo of a female ghost crashing a funeral photo. A reverse image search shows that ghost’s face as identical to the image of a mommy blogger on her blog; it’s safe to assume the ghost image is a hoax (aren’t they all?).

YouTube DataViewer

Go to YouTube DataViewer. Plug in the suspect video’s URL. Any associated thumbnail image plus upload time will be extracted. You now can find the earliest upload and see if anything is suspicious. Alongside that you can do a reverse image on the thumbnails and see what you get.

FotoForensics

FotoForensics can detect photoshopping or digital manipulation. If you want to pursue a video, you’ll need to plug in the URL of a still shot, like the ones you see after a video has ended that clutter up the video space. FotoForensics uses a tool called ELA, and you’ll have to do some reading on it before understanding how it works.

WolframAlpha

WolframAlpha can look at weather conditions at a certain time and location, such as “weather in Davie, Florida at (time) and (date).” So if the weather in a suspect image with a date and location doesn’t match what Wolfram turns up, consider it a fake.

Jeffrey’s Exif Viewer

Images taken with smartphones and digital cameras contain a block of metadata called EXIF, including the date, time and location of the shoot. See if the date, time and location don’t jibe with what the suspect image conveys. Jeffrey’s Exif Viewer is one such EXIF reader.
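To show what an EXIF reader such as the one mentioned above is actually pulling out of a file, here is an added example written for this page (not code from the post or from Jeffrey’s Exif Viewer). It builds a small constructed TIFF/EXIF blob with a DateTime tag and a GPS sub-IFD, parses it back with the real TIFF tag and type numbers, and compares the recovered date and coordinates against what a post claims. The tolerance value and the “Boston photo claimed to be Paris” scenario are assumptions of the example.

```python
import struct
from datetime import date, datetime

# Tag and type numbers are the real TIFF/EXIF specification values.
TAG_DATETIME = 0x0132                 # IFD0: "YYYY:MM:DD HH:MM:SS"
TAG_GPS_IFD = 0x8825                  # IFD0: offset of the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
TYPE_SIZE = {TYPE_ASCII: 1, TYPE_LONG: 4, TYPE_RATIONAL: 8}


def _ifd(entries, data_start):
    """Serialize (tag, type, payload) entries into one little-endian IFD.
    Payloads over 4 bytes are stored out of line starting at data_start."""
    ifd, blob = struct.pack("<H", len(entries)), b""
    for tag, typ, payload in entries:
        count = len(payload) // TYPE_SIZE[typ]
        if len(payload) <= 4:
            value = payload.ljust(4, b"\0")
        else:
            value = struct.pack("<I", data_start + len(blob))
            blob += payload
        ifd += struct.pack("<HHI", tag, typ, count) + value
    return ifd + struct.pack("<I", 0), blob   # trailing 0 = no next IFD


def build_sample_exif(date_str, lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test data: a TIFF blob with IFD0 (DateTime, GPS pointer)
    and a GPS IFD. In a JPEG this sits in the APP1 segment after 'Exif\\0\\0'."""
    rational = lambda dms: b"".join(struct.pack("<II", v, 1) for v in dms)
    header = b"II*\0" + struct.pack("<I", 8)          # little-endian, IFD0 at 8
    date_payload = date_str.encode() + b"\0"
    ifd0_data_start = 8 + 2 + 12 * 2 + 4               # header + IFD0 size
    gps_offset = ifd0_data_start + len(date_payload)
    ifd0, ifd0_blob = _ifd([(TAG_DATETIME, TYPE_ASCII, date_payload),
                            (TAG_GPS_IFD, TYPE_LONG, struct.pack("<I", gps_offset))],
                           ifd0_data_start)
    gps_entries = [(GPS_LAT_REF, TYPE_ASCII, lat_ref.encode() + b"\0"),
                   (GPS_LAT, TYPE_RATIONAL, rational(lat_dms)),
                   (GPS_LON_REF, TYPE_ASCII, lon_ref.encode() + b"\0"),
                   (GPS_LON, TYPE_RATIONAL, rational(lon_dms))]
    gps, gps_blob = _ifd(gps_entries, gps_offset + 2 + 12 * len(gps_entries) + 4)
    return header + ifd0 + ifd0_blob + gps + gps_blob


def parse_tiff(blob):
    """Read IFD0 and the GPS IFD of a TIFF/EXIF blob into {tag: value} dicts."""
    bo = "<" if blob[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack(bo + "HI", blob[2:8])
    if magic != 42:
        raise ValueError("not a TIFF header")

    def read_ifd(off):
        tags = {}
        (n,) = struct.unpack(bo + "H", blob[off:off + 2])
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(bo + "HHI", blob[e:e + 8])
            if typ not in TYPE_SIZE:          # skip types this reader ignores
                continue
            size = TYPE_SIZE[typ] * count
            pos = e + 8 if size <= 4 else struct.unpack(bo + "I", blob[e + 8:e + 12])[0]
            raw = blob[pos:pos + size]
            if typ == TYPE_ASCII:
                tags[tag] = raw.rstrip(b"\0").decode("ascii")
            elif typ == TYPE_LONG:
                tags[tag] = struct.unpack(bo + "%dI" % count, raw)
            else:                              # RATIONAL: numerator/denominator pairs
                n_d = struct.unpack(bo + "%dI" % (2 * count), raw)
                tags[tag] = tuple(n_d[j] / n_d[j + 1] for j in range(0, 2 * count, 2))
        return tags

    ifd0 = read_ifd(ifd0_off)
    gps = read_ifd(ifd0[TAG_GPS_IFD][0]) if TAG_GPS_IFD in ifd0 else {}
    return {"ifd0": ifd0, "gps": gps}


def extract_when_where(blob):
    """Return (datetime, latitude, longitude) with signed decimal degrees."""
    meta = parse_tiff(blob)
    when = datetime.strptime(meta["ifd0"][TAG_DATETIME], "%Y:%m:%d %H:%M:%S")
    g = meta["gps"]

    def decimal(dms, ref):
        d, m, s = dms
        value = d + m / 60 + s / 3600
        return -value if ref in ("S", "W") else value

    return when, decimal(g[GPS_LAT], g[GPS_LAT_REF]), decimal(g[GPS_LON], g[GPS_LON_REF])


def check_claim(blob, claimed_date, claimed_lat, claimed_lon, tolerance_deg=0.5):
    """Compare EXIF date and GPS fix with the date ('YYYY-MM-DD') and place a post claims."""
    when, lat, lon = extract_when_where(blob)
    findings = []
    if when.date() != date.fromisoformat(claimed_date):
        findings.append(f"date mismatch: EXIF {when.date()} vs claimed {claimed_date}")
    if abs(lat - claimed_lat) > tolerance_deg or abs(lon - claimed_lon) > tolerance_deg:
        findings.append(f"location mismatch: EXIF ({lat:.4f}, {lon:.4f}) vs claimed ({claimed_lat}, {claimed_lon})")
    return findings


# Constructed sample: shot in Boston (42°21'30"N 71°03'30"W) on 2015-11-20.
SAMPLE = build_sample_exif("2015:11:20 14:32:10", (42, 21, 30), "N", (71, 3, 30), "W")

if __name__ == "__main__":
    print(check_claim(SAMPLE, "2015-11-20", 42.36, -71.06))   # []
    print(check_claim(SAMPLE, "2015-12-25", 48.86, 2.29))     # Paris claim: two findings
```

A mismatch is a strong signal; a match is not proof, because EXIF is plain metadata that any editor can rewrite, and most social networks strip it on upload, so a missing block tells you nothing by itself.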

Google Street View, Google Earth and Wikimapia are tools for mapping out the truth, such as matching up landmarks and landscapes.

So, did your ex really take a trip to Paris, as she stands there with the Eiffel Tower behind her? And is her new beau for real, or was he “shopped” in off of a male fitness model site?


Nine ways to shop safely on Cyber Monday

With Cyber Monday, you don’t have to camp outside in the cold overnight so you can be the first person busting through the doors like on Black Friday. But you still may get trampled to a pulp by cyber scammers waiting for their prey.

How can you avoid these predators?

  • You know that old mantra: If it’s too good to be true, it probably is. Be highly suspicious of outrageously great deals, and also assume that e-mails that link to unbelievable savings are scams. You may think it won’t hurt to just “check it out,” but consider the possibility that simply clicking on the link will download a virus to your computer.
  • Back up your data. Shopping online means it’s inevitable that you’ll stumble upon an infected website designed to inject malicious code into your computer or phone. “Ransomware” will hold your data hostage. Backing up your data in the cloud to Carbonite protects you from having to pay the “ransom.”
  • Say “No” to debit cards. At least if you purchase with a credit card, and the sale turns out to be fraudulent, the credit card company will likely reimburse you. Try getting your money back from a scam with a debit card purchase. Good luck.
  • If you’re leery about using a credit card online, see if the issuer offers a one-time use credit card. If someone steals this one-time number, it’s worthless for a second purchase.
  • Make sure you understand the online merchant’s shipping options.
  • When buying online, read up on the retailer’s privacy policy.
  • When completing the purchase, if the merchant wants you to fill in information that makes you think, “Now why do they need to know that?” this is a red flag. See if you can purchase the item from a reputable merchant.
  • Never shop online using public Wi-Fi such as at a hotel, coffee house or airport.

If the retailer’s URL begins with “https” and has a padlock symbol before that, this means the site uses encryption (the connection is secure). If it doesn’t, don’t buy from that merchant if the product is something you can buy from a secure site. Of course, I don’t expect, for instance, Veronikka’s Death by Chocolate Homemade Cookies to have an encrypted site, but if you’re looking for more common merchandise, go with the big-name retailers.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.

How to store Water for Survival

What do you really know about water storage? Below you’ll find information that you probably never even thought of before, or information that contradicts what you’ve always believed to be correct.

Storage barrels. These can remain on cellar or basement cement that’s not heated. Cooler cement will not transfer toxins into the barrels. However, garage cement will get heated by the driveway, so in that case, place barrels on floor boards. In addition, some of your water should be stored in portable bottles for easier handling.

Reusing bottles. Filling old juice and soda bottles with water is fine as long as the plastic is rated “PET” or “PETE.” Don’t use milk jugs. If you’re still concerned about leached plastic chemicals, treat the water at the time of consumption, not before you store it.

Boiling (212 degrees). A full boil is not necessary to kill bacteria; heating at 160 degrees for 30 minutes, or 185 degrees for three minutes, will burn less fuel than boiling for the popular 10 minutes.

Pool water. The FDA says pool water is safe to drink up to 4 PPM of chlorine.

Nearby river. Make sure you have iodine tablets ready. Keep in mind during a water shortage, the river will be bedlam, what with everyone else going for it.

Amount stored. Don’t just store a month’s worth. A disaster could cause a year-long or even several-year water shortage.

How much water does one person need? One gallon a day. But this includes for hygiene and cooking, and unforeseen medical needs.

Food vs. water. Though food has calories and water has zero, water is much more important to the body. A few days without any water and you’ll be dragging yourself on the ground, whereas a few days without food, but with plenty of water, and you’ll still be in good shape. And sports drinks and soda do not replace water.

Taste. Stored water will taste bad because it’s been without oxygen. Before drinking, pour it back and forth between two glasses to replenish oxygen.


Introducing the very first Biometric Password Lockdown App

This application for your mobile device will change things in a huge way:

  • Locks down smartphones with a finger-based biometric password
  • Multi-factor authentication all-in-one
  • It’s called BioTect-ID

And why should you consider the world’s first biometric password for your mobile device? Because most smartphone security devices have been cracked by cyber thieves.

Layers of protecting your online accounts have historically involved the password, a PIN, security questions or combinations of these, which isn’t that secure. However, getting into your devices requires even less: a single password, connecting dots with your finger or nothing at all. Some devices can be accessed with stronger security using your fingerprint or in some cases a combination of biometrics like face scan, voice or fingerprints.

Now you may be convinced that a physical biometric, such as your fingerprint, palm pattern or face scan, is so unique that it’s impossible to hack, but guess what: These are all hackable. In fact, a cyber crook could steal, for instance, your face or fingerprint image—for all time—and then what? You’re out of luck.

So why have that possibility looming over you? Why not eliminate it with the BioTect-ID app? You have only one voice, one fingerprint, one palm, etc., but drawing a handwritten password means you can change the gesture biometric or the “drawing” of the password any time—because this is a behavior, not a static physical characteristic. Nobody can steal your gesture, not even your identical twin.

BioTect-ID is also very privacy-conscious because there is nothing invasive about recording a gesture.

The choice of which biometric to use becomes a very important consideration. The Internet of Things (IoT) will see our devices increase in value as they control our home access, record our health scores and process/retain many other aspects of our personal lives. The use of biometrics will increase dramatically to protect our privacy and security. But you want to choose carefully. Remember, your unchanging physical body information will be hugely attractive to thieves who can steal your identity or use it for other purposes. But you can’t steal the BioTect-ID information.

Here’s how the BioTect-ID multi-factor authentication works.

  • With your mouse or finger, create a four-character password.
  • BioTect-ID “learns” your unique finger/hand movements as you do this.
  • To access your mobile phone, you “draw” your password into the BioTect-ID application.
  • If you are the registered owner, you get access — with bad guys out of luck.

BioTect-ID even solves the big problem of physical data being irreplaceable because it is a gesture biometric also known as a “dynamic” biometric, rather than something like a fingerprint or facial recognition.

This is such exciting news from Biometric Signature ID that we just have to run through it again:

  • The first biometric app that does not require invasive information about a body part like your eyes.
  • The only privacy-conscious biometric security app in existence.
  • Passwords cannot be stolen, not even borrowed, and of course, can’t be lost.
  • Just draw your password with your finger, stylus or mouse, and this gesture will be captured.
  • Only this gesture will unlock (and lock) your smartphone, and it takes only seconds.
  • Easily reset your password at will.
  • The strongest identity authentication on the planet.

Don’t wait to get this kind of protection, because biometrics is increasingly becoming a part of modern day life.

The final frontier of privacy is your body, and by continuing to rely upon body-part biometrics, you keep that door open enough for a hacker to copy and, essentially, retain a part of your body. There goes your privacy, to say the least.

The gesture-based, multi-factor authentication is poised to change the future of cyber protection. But not before this technology gets adequate awareness and support. We need to get this groundbreaking technology out there into the minds of Internet users.

Here is how you’ll benefit with the BioTect-ID:

  • Peace of mind, knowing that even the most brilliant hacker will never be able to duplicate or steal your gesture.
  • Elimination of having to keep body-part details in files
  • Keeping your privacy and security safe from being exposed against your control
  • Being the first to benefit from this cutting-edge security technology

You can actually receive early edition copies of the app for reduced prices and get insider information if you become a backer on Kickstarter for a couple of bucks. Go to www.biosig-id.com to do this.

What are Bug Bounties?

A bug bounty refers to the reward a bad-guy hacker gets upon discovering a vulnerability, weakness or flaw in a company’s system.

This is akin to giving a reward to a burglar for pointing out weaknesses in your home’s security.

But who better to ask than a burglar, right? Same with a company’s computer systems: The best expert may be the black hat or, better, the white hat hacker.

An article at bits.blogs.nytimes.com says that Facebook, Google, Microsoft, Dropbox, PayPal and Yahoo are on the roster of companies that are offering hackers bounties for finding “bugs” in their systems.

A “zero day bug” refers to an undiscovered flaw or security hole. Cybercriminals want to know what these zero day bugs are, to exploit for eventual hacking attempts. There is a bustling black market for these non-identified bugs.

Compounding the issue is that it is becoming easier for Joe Hacker to acquire the skills to infiltrate—skills that common hackers never would have had just a few years ago, and especially a decade ago. So you can see how important it is for businesses to hire the best at finding these bugs and rewarding them handsomely.

So yes, hackers are being paid to report bugs. The bits.blogs.nytimes.com article says that Facebook and Microsoft even sponsor an Internet Bug Bounty program. Such a program should have been started long ago, but it took some overlooked bugs to motivate these technology companies to offer the bounties.

Heartbleed is an example. Remember that? It was a programming code mistake that affected certain SSL certificates—which help protect users on a secure website. As a result, over a dozen major tech companies began an initiative to, as the bits.blogs.nytimes.com article says, “pay for security audits in widely used open-source software.”

So as clever as bug bounties sound, they shouldn’t be regarded as the be-all, end-all solution. How about an incentive to get developers to implement secure, mistake-free coding practices? Well, companies are trying. And they keep trying. But with humans behind the technology, there will always be mistakes.


17 ways to prevent identity theft when traveling

There should be more TV commercials for preventing identity theft—it’s nearly epidemic. But also epidemic is the lack of identity security that people have when traveling. Here are some ways to avoid having your identity stolen while traveling:

  • Prior to leaving for your trip, clean out your purse and wallet. Figure out what you really need for the trip, then bring only those items.
  • Contact the post office to put your mail on vacation hold.
  • Get a home-screen-locking password for your smartphone.
  • Equip your computer devices with encryption software.
  • Your smartphone should have lock/locate/wipe software.
  • Bring your driver’s license with you even if you don’t plan on driving anywhere, for ID; don’t rely on your passport alone. The driver’s license and international ID should have online backups made.
  • When using public Wi-Fi (even in your hometown), use only WEP, WPA and WPA2 networks, and visit only the sites that have the padlock symbol and “https” before their URLs. That’s how you know they are secure.
  • Arrange to have enough cash with you to make the majority (if not all) of your travel purchases. Avoid using a debit card because if it gets compromised, you won’t be able to get reimbursed.
  • Back up your data prior to leaving and every day when away. Prior to your trip and during, make sure to have local and cloud backup set up on your devices. Cloud backup such as Carbonite will update your data based on custom settings as frequently as you require.
  • Even if you have encryption software, avoid financial transactions when using the hotel’s computer. The person using it after you could be a skilled cyber thief, or the person before you could have plugged a keylogger into the computer.
  • Avoid isolated ATM kiosks. Use those only inside a bank. Shield your fingers when using the keypad. Promptly destroy the receipts.
  • Never give private information over the phone to hotel staff. The “staff” could be a thief posing as an employee. When personal information is involved, always deal face to face at the front desk.
  • Any documents or paperwork with private information should be locked inside your hotel room’s safe at all times unless in use.
  • Give your phone number out only to service personnel who absolutely need it.
  • Have your credit put on freeze status (unless you plan on applying for a loan very soon).
  • Get ID theft protection.
  • Review your credit card statements monthly and look for unexpected charges.


Why you want a Copy of your Medical Records

After receiving medical treatment, many people never look over the paperwork (save for bill total) and just shove it into some folder in a file cabinet. But medical identity theft is very much out there; know the signs:

  • You’re denied coverage because you allegedly have a condition you were never diagnosed with.
  • A collection agency is hounding you about unpaid medical bills you never had.
  • Your credit report shows medical collection notices.
  • The bill is for treatment you didn’t receive.
  • Your health care provider says you’ve reached your coverage limit.

Thieves steal identities to use the victim’s medical coverage, and this could prove life threatening to the victim depending on the victim’s health status. This is why you should keep records for all medical visits and treatments. Read everything carefully as though you’re searching for mistakes or mismatched information. Keep records of all associated phone calls and e-mails.

But remember this: You always have a right to all of your records, so don’t let any resistance from the carrier make you give up.

  • If you run into problems getting any records, learn about your state’s health privacy laws.
  • Obtaining copies may require a fee.
  • Request a copy of “accounting of disclosures.” This tells who has ever received copies of your medical records, and when and why.
  • Look for mistakes and request corrections from the provider via certified mail.
  • If someone has stolen your medical identity, the provider may not want to turn over the records to you. Check the provider’s Notice of Privacy Practices and appeal to the contact person listed there.
  • With all that said, you should get the records within 30 days. If not, report this to the U.S. Department of Health and Human Services Office for Civil Rights.

Medical identity theft can result in you not receiving coverage for major treatment. Here are tips from vitals.lifehacker.com for prevention of this crime:

  • Never reveal your Medicare number to anybody in public, even if it’s a person inside a medical clinic lobby approaching you and offering a free service for Medicare users.
  • Never give your Medicare number over the phone. No exceptions, even if the caller is claiming to be from Medicare.
  • Check all medical bills for any odd charges, duplicate charges or errors.
  • If a charge appears unauthorized, promptly report it to the provider. If that doesn’t help, escalate it to Medicare if you’re on Medicare.
  • Contact the Federal Trade Commission if you suspect medical identity theft.
