These are the Bigtime Hackers

/in /by

Hackers with big skills and a big ego will be drawn to Facebook and Twitter as their targets. But they’ll also target dozens of other companies, reports an article on arstechnica.com.

11DOne group in particular stands out as the attackers, using zero-day exploits. They are known as Wild Neutron and Morpho, says the article, and have been active possibly since 2011, burrowing their way into various businesses: healthcare, pharmaceutical, technology.

It’s been speculated that the hackers want the inside information of these companies for financial gain. They’ve been at it for three or four years; we can assume they’ve been successful.

Researchers believe that these hackers have begun using a valid digital certificate that is issued to Acer Incorporated to bypass code-signing requirements that are built into modern operating systems, explains the arstechnica.com report.

Experts also have identified use of some kind of “unknown Flash Player exploit,” meaning that the hackers are using possibly a third zero-day exploit.

The report goes on to explain that recently, Reuters reported on a hacking group that allegedly busted into corporate e-mail accounts to get their hands on sensitive information for financial gain.

You’re probably wondering how these big companies could be so vulnerable, or how it is that hackers can figure out a password and username. Well, it doesn’t really work that way. A company may use passwords that, according to a password analyzer, would take nine million years to crack.

So hackers rely on the gullibility and security un-awareness of employees to bust in. They can send employees an e-mail, disguised to look like it’s from a company executive or CEO, that tricks the employee into either revealing passwords and usernames, or clicking on a malicious link that downloads a virus, giving the hacker access to the company system’s stored data. It’s like removing a dozen locks from the steel chamber door to let in the big bad wolf.

The security firms interviewed estimate that a minimum of 49 companies have been attacked by the hacking ring’s surveillance malware. The cybercriminals have, in at least one instance, got into a company’s physical security information management system.

The arstechnica.com article notes that this consists of swipe card access, HVAC, CCTV and other building security. This would allow the hackers to surveil employees, visually following them around.

This hacking group is smart. They don’t reuse e-mail addresses; they pay hosting services with bitcoins; they use multi-staged control/command networks that have encrypted virtual machines to foil forensics detectives. The only good news is that the group’s well-documented code suggests it’s a small band of hackers, not some giant one.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Idiot Burglar takes Selfie

/in , , /by

About 7 a.m. on a Saturday a burglar entered a home through an unlocked side door (how anyone can sleep overnight while a door stays unlocked is a whole new article).

3BThe dumb criminal saw an iPhone and unknowingly triggered a video selfie—showing him standing in the living room during this recent L.A. crime—while three residents were fast asleep including two teen girls. (Again, why didn’t the adult of the home, a woman, lock all the doors…)

A similar scene played out in the UK when a woman tried to unlock a hot iPhone. It had an app called iGotYa. This application automatically sends a photo to the owner.

Another case has the owner of a phone receiving an e-mail of a photo of a man who tried to access the phone with a wrong PIN.

These “got ya” moments can happen to an innocent finder of a lost phone.

There’s yet another case of a man who apparently stole a phone on the beach while its lax female owner went skinny dipping. This occurred in Dubai, and the thief was not able to figure out how to switch off the auto-photo upload tool. As a result, a video ensued called “Life of a stranger who stole my iPhone.”

There are easier ways to locate a lost phone than a “got ya” type app, though this application might one day come in handy for the woman whose unlocked door let in the burglar—who is still at large and nameless.

Android

  • Google has a “Find My Phone” tool. Just type this into the Google search engine and take it from there.
  • There are many paid and free apps that provide numerous commands for remote control such as wiping data, locking the phone, setting off an alarm and resetting the passcode.

Apple

  • Apple has “Find my iPhone”.
  • The lost phone is tracked.
  • Users can remotely wipe it.
  • Just locking it (without wiping it) can still leave messages viewable to anyone who comes upon the phone.

A “kill switch” would allow the phone’s owner to remotely wipe all data and render the phone unusable. In California a new law was passed mandating that, starting this past July, all mobiles sold in the state must have a kill switch.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Phishing Scams: Don’t Click that Link!

/in , , /by

You’re sitting on your front porch. You see a stranger walking towards your property. You have no idea whom he is. But he’s nicely dressed. He asks to come inside your house and look through your bank account records, view your checkbook routing number and account number, and jot down the 16-digit numbers of your credit cards. Hey, he also wants to write down all your passwords.

13DYou say, “Sure! Come on in!”

Is this something you’d be crazy enough to do? Of course not!

But it’s possible that you’ve already done it! That’s right: You’ve freely given out usernames, passwords and other information in response to an e-mail asking for this information.

A common scam is for a crook to send out thousands of “phishing” e-mails. These are designed to look like the sender is your bank, UPS, Microsoft, PayPal, Facebook, etc.

The message lures the recipient into clicking a link that either leads to a page where they then are tricked into entering sensitive information or that link is infected and downloads malware to the users’ device.

The cybercriminal then has enough of your information to raid your PayPal or bank account and open up a new line of credit—in your name.

The message typically says that the account holder’s account is about to be suspended or deactivated due to (fill in the blank; crooks name a variety of reasons), and that to avoid this, the account holder must immediately re-enter login information or something like that.

Sometimes a phishing e-mail is an announcement that the recipient has won a big prize and must fill out a form to collect it. Look for emails from FedEx or UPS requiring you to click a link. This link may be infected.

Aside from the ridiculousness of some subject lines (e.g., “You’ve Won!” or “Urgent: Your Account Is in Danger of Being Deactivated”), many phishing e-mails look legitimate.

If you receive an e-mail from a company that services you in any way, simply phone them before you click on any link. If you click any of the links you could end up with malware.

Watch this video to learn about how to avoid phishing:

https://youtu.be/c-6nD3JnZ24

Save yourself the time and just call the company. But you don’t even have to do that. Just ignore these e-mails; delete them. Nobody ever got in trouble for doing this. If a legitimate company wants your attention, you’ll most likely receive the message via snail mail, though they may also call.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Getting attacked by a Police Dog

/in /by

Have you ever seen men getting “attacked” by a police or military dog as part of the dog’s training? The men (I’ve never seen a woman, but I’d like to think there are some strong, feisty women who suit up for this role) wear either just a big padded thing on one of their arms, or they’re engulfed entirely in a padded suit.

The dog lunges for the padded arm, and the “victim” can’t do squat while this occurs.

So from the man’s point of view, what is this all like? According to an article on indefinitelywild.gizmodo.com, a 125-pound Military Working Dog named Fritz “attacked” the author who was wearing a “heavily padded safety suit” that included a “rubber prosthetic arm.”

He was instructed to hold out his arm while Fritz sat obediently. The dog was given orders by a handler to clamp onto the author’s arm. The 150-pound author had no control over his body being thrashed about. The goal is to prevent the dog from biting up and down the arm, which the author was not able to do.

The dog instantly released his “victim” upon hearing commands. The author was then told to “say something mean to the dog and then run away” to “provoke him.” So the author said “Profane-you Fritz!” and bolted.

Fritz bolted after him “at full speed, in anger.” Now let me interject here. I question that the dog was angry. A human might be if you said something mean, but not a dog. I’m no dog expert, although Ive had 2 German Shepherds in the past 2 years, but it’s fair to suppose that the combination of tone in the author’s voice, and his sudden sprinting away, kicked up Fritz’s instinct to charge after prey. This is why dogs run after a tossed ball.

The author was brought to the ground in an instant. Fritz remained clamped onto him as the handlers escorted him and the dog towards some spectators. Fritz was rewarded with just a pat on the head (but hey, maybe to a dog, that’s serious stuff).

I’ve always wondered what this is like from the dog’s point of view. If the dog was truly in attack, shred-him-up mode, wouldn’t he go for the face instead of clinging on to just a padded arm that tastes like rubber and not live flesh? When people are attacked by dogs while jogging, walking or inside their homes, almost always, they receive injuries (sometimes very serious) to the face and scalp, even neck. Such dogs will also often tear out chunks of the victim’s legs.

But police or military dogs in training always go after that big rubber arm—and stay with it. To a degree, the dogs think it’s just a game, especially since sometimes, the “victim” is the dog’s own handler—who in the next scene is lovingly interacting with the animal.

Anyway, most dogs are a great layer for home protection no matter their size or abilities. Clearly some dogs aren’t, but, if it is remotely territorial it can act as an additional set of eyes and ears. And if the dog barks upon hearing an intruder, it can act as a layer added to an alarm system.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

The Impact of Ransomware on Small Businesses

/in , /by

What’s going on this September? National Preparedness Month. This will be the time to increase your awareness of the safety of your business, family, pets and community. During disasters, communication is key. National Preparedness Month concludes on September 30 with the National PrepareAthon! Day.

celebrateIt would be like a science fiction movie: You go to pull up the file detailing the records of your last quarter’s profit and loss statement, and instead you get a flashing notice: “Your computer has been compromised! To see your file, you must pay money!”

This is called ransomware: a type of malware sent by criminal hackers. Welcome to the world of cybercrime. In fact, ransomware can prevent you from doing anything on your computer.

Where does this ransomware come from? Have you clicked a link inside an e-mail lately? Maybe the e-mail’s subject line really grabbed your attention, something like: “Your FedEx shipment has been delayed” or “Your Account Needs Updating.”

Maybe you opened an attachment that you weren’t expecting. Maybe you were lured to a website (“Dash Cam Records Cyclist Cut in Half by Car”) that downloaded the virus. Other common ways crooks trick you into downloading ransomware include:

  • Hackers impersonate law enforcement; claim you downloaded illegal material; demand a fine for your “violation.”
  • You receive a message that your Windows installation requires activation because it’s counterfeit.
  • Or, the message says your security software isn’t working.

What should you do?

  • Never pay the ransom, even if you’re rich. Paying up doesn’t guarantee you’ll regain access. Are you kidding?
  • Double check that all of the newly encrypted (and utterly useless) files are backed up, wipe your disk drive and restore the data.
  • Wait a minute—your files weren’t backed up?

An ounce of prevention is worth a pound of hacking.

  • Don’t open links or attachments you’re not expecting! This includes from senders you know or companies you patronize.
  • Install an extension on your browser that detects malicious websites.
  • Use a firewall and security software and keep it updated.
  • Regularly back up data, every day ideally.

Needless to say, ransomware attacks occur to businesses. Small companies are particularly vulnerable because they lack the funds to implement strong security. Attacks on businesses usually originate overseas and are more sophisticated than attacks on the common Internet user at home or at the coffee house.

And just like the common user, the business should never pay the ransom, because this will only prolong the situation.

  • Make the criminal think you’re going to pay. Tell them you need time to prepare the fee.
  • Build your defense by gathering all the correspondence.
  • Present this to your webhosting provider, not the police.
  • The webhoster will get to work on this.
  • If the loss is extensive, present the correspondence to the FBI.
  • If the attack is in virus form, you’re finished.

The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained in how “phishing” e-mails work and other tricks that cyber thieves use. To learn more about preparing your small business against viruses like ransomware, download Carbonite’s e-book, “5 Things Small Businesses Need to Know about Disaster Recovery.”

#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders. Disclosures

Don’t’s and Do’s when using Public Wi-Fi

/in /by

Curl up in a chair at your favorite coffee house, the aroma of premium coffee filling the air, take a few sips of your 700 calorie latte, and then enter cyberspace. Little do you know that you could have a stalker. Or two. Or 3,000. Because public Wi-Fi is there for the picking for hackers. Online transmissions can be intercepted. The credit card number that you enter onto that retailer’s site can be “seen.”

3WDon’t Do These at a Public Wi-Fi Site

  • Never leave your spot without your device on you—not even for a moment. You may come back and still see your computer where you left it…but a thief may have installed a keylogger into it to capture your keystrokes.
  • Do not e-mail messages of a sensitive or serious nature.
  • When your computer begins seeking out a network to connect to…do not let it just drift to the first one it wants; see if you can choose one.
  • Don’t leave on your file sharing.
  • If you’re not using your wireless card, then do not leave it on.
  • Don’t do banking or any other sensitive activities.
  • Don’t position your device so that someone nearby can see the screen.

Yes, Do These when at a Public Wi-Fi Spot

  • Look around before you settle into a nice spot.
  • Sit somewhere so that your back is facing a wall.
  • Assume all Wi-Fi links are suspicious—kind of like assuming all drivers are drunk whenever you go out driving. A wireless link may have been set up by a hacker.
  • See if you can confirm that a given Wi-Fi link is legitimate.
  • Assume that if the connection name is similar to the Wi-Fi spot, that this could mean that the hacker was clever. Inquire of the manager of the coffee shop, hotel, etc., for information about their Wi-Fi access point.
  • You should consider using your cell phone for sensitive activities such as online shopping.
  • But cell phone or not, see if you could avoid visiting sites that can make it easier for hackers to nab your data—sites such as banking, social media and any site where your credit card information is stored.

Use a VPN. This stands for virtual private network. What a VPN does is create an impervious tunnel through which your data travels. Hackers cannot penetrate this tunnel, nor can they “see” through it. Your data is safe. The tunnel encrypts all of your banking and other sensitive transactions, as well as sensitive e-mail communications, plus downloads, you name it. With a virtual private network, you will not have to worry about a thief or snoop intercepting your transmissions.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Very Bad People for hire online

/in , , /by

The Deep Web is not a nice place. Here, people can hire assassins, take ransomware payments, purchase U.S. citizenship without revealing their identity, among other things, says an article on darkreading.com.

6DThis information comes from Trend Micro, which used a tool called the “Deep Web analyzer,” something of a web crawler, that collected URLS that were linked to TOR- and I2P-hidden sites, domains with nonstandard TLDs and Freenet resource identifiers, says darkreading.com.

The Deep Web is that portion of cyberspace that’s not indexed by the search engines. The Dark Web is part of the bigger Deep Web, accessible only via special tools.

A Dark Web user could literally hire a rapist or assassin. In fact, assassins even advertise, such as the group C’thulhu. Pay them their fee and they’ll maim, cripple, bomb and kill for you.

$3,000 will get you a “simple beating” to a “low-rank” target. $300,000 pays for the killing of a high-ranking political figure, staged to look like an accident.

Users can also hire (and do so much more commonly than the above) cybercriminals and child exploitation services.

The article points to additional research of the Deep Web, that cybercrooks use anonymization tools in creative ways. In fact, they are using TOR for the hosting of their command-and-control infrastructure. TorrentLocker is a type of malware, and it uses TOR to accept Bitcoin payments and host payment sites.

In other words, cybercriminals are using the Deep Web/Dark Web more and more commonly these days. TOR is being used for cybercriminals to receive payments for their hacking services.

But that’s not the biggest problem of the deep, dark Web, is it? As mentioned, it can be used to hire someone to murder. Just what will all of this eventually evolve into in the next 10 years?

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Meet the FBI’s most wanted Hackers

/in /by

Want to earn up to $4.2 million? Then find the hackers on the FBI’s most wanted list. Or at least give the FBI information leading to their arrest and/or conviction. These snakes have stolen hundreds of millions of dollars. Here is the list from the hackernews.com:

Evgeniy Mikhailovich Bogachev (reward: $3 million)

  • Ironically, one of his aliases is one of the most common (and thus easily cracked) passwords: lucky12345.
  • He’s the brains behind the GameOver Zeus botnet and CryptoLocker Ransomware.
  • Over a million computers were infected with this malware, causing nearly $100 million in losses.

Nicolae Popescu (reward: $1 million)

  • From Romania, Popescu tricked Americans with fraudulent auction posts on various websites.
  • AutoTrader.com, Cars.com and eBay were some of these sites.
  • He was selling cars that didn’t exist. (Please, people, never, ever send money for something as grand as a car unless you have proof it exists—which includes actually test driving it!)
  • Hundreds of people sent money without ever seeing more than an ad for the cars. If you think that’s bad, it gets worse: Some of the victims handed over their money for private planes and yachts! Nearly 800 people didn’t have on their thinking caps, but this doesn’t make Popescu’s deed any less obscene.

Alexsey Belan (reward: $100,000)

  • Belan breached the cybersecurity systems of three big U.S. based e-commerce sites.
  • He then tried to sell all of these stolen databases, which included passwords.

Peteris Sahurovs (reward: $50,000)

  • His crime involved creating and selling malware by putting ads up on various websites.
  • These advertisements forced users to buy the phony antivirus software that the ads pitched.
  • If the user declined the purchase, their desktop would be bombarded with phony security alerts and pop-ups.
  • This crook from Latvia collected over $2 million with the scheme.

Shailesh Kumar Jain (reward: $50,000)

  • Despite the name, Jain is a U.S. citizen.
  • He scored $100 million in less than two years.
  • He should have quit while he was ahead (maybe after the first $10 mil?), but he just couldn’t earn enough, so he kept hacking away at unsuspecting Internet users.

With fraudulent e-mails and pop-up ads, he tricked users into thinking their computers were infected with malware, and then sold them his fake antivirus software packages for $30 to $70. Do the math: Can you imagine how many people got rooked?

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Want Mobile Privacy? Read

/in /by

If you don’t want your smartphone to know more about you than you do, here are top choices, as detailed on gizmodo.com:

2PBlackPhone 2

  • The Blackphone 2 will black out the federal government from spying on you.
  • Has a five inch handset with full HD screen (with Gorilla Glass 3 that prevents shoulder surfing).
  • 3 GB or RAM
  • Its Silent Circle’s PrivateOS 1.1 provides a “Spaces” UI: Data will be encrypted and compartmentalized.
  • The “Spaces” allow you to set up distinct spaces for different types of data, including a Silent Space that’s akin to Chrome’s incognito mode.
  • The Silent Suite allows you to keep various kinds of communications encrypted.
  • Also provides a Silent Store for apps.

Nokia 3310

  • This outdated “dumb phone” might still be available out there, somewhere.
  • The dumb phone is not capable of transmitting data through cyberspace. Thus, you don’t ever have to worry about being “followed,” “tracked” or hacked into.
  • If you’re comfortable not being connected to the Internet of Things, this phone is for you—if you can find one.

Payphones

  • If you want to pretty much guarantee that you’ll be untraceable, then use payphones.
  • Locate the payphones in your town and anywhere you normally travel, so that when it’s time to make a call, you won’t be spending time hunting for the phone.
  • Always have change on you, too.
  • To be even more non-traceable, always have in your car a thin pair of gloves to prevent your fingerprints from being on the phone.

Honorable Mention: Apple iPhone/Microsoft Lumia 930/Google Nexus 5

  • Apple, Microsoft and Google are no more crazier about government surveillance programs than you are.
  • Nevertheless, their phones gather data—but at least it goes to the maker of these devices rather than to the government.
  • The manufacturers analyze the data in the name of giving the user a better experience with the product.

Let’s also throw in the landline. Your calls can be traced, but at least data about you like your shopping preferences, health, income, marital status, etc., won’t go leaking out anywhere.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

What’s the difference between VPNs and Proxies and which Option is more secure?

/in , /by

If you are overseas somewhere and want to access your Facebook page…don’t be surprised if you can’t do this. In fact, you won’t even be able to get onto the Facebook site (or YouTube, for that matter), depending on what country that you are visiting. This is because some countries limit website access for their citizens.

4WYou can get around this with a VPN (virtual private network) or proxy server. However, they are not one and the same. Let’s look at the features of each.

VPN

  • A VPN does the so-called scrambling or encryption of data so that hackers can’t tell what you are doing. To put this another way, a VPN provides a “tunnel” through which your data goes. This tunnel cannot be penetrated. Your transmissions are hidden, unable to be viewed.
  • This protected data includes e-mail communications, login information, instant messages, which sites you visit, downloads and more.
  • A VPN is private communication over a public network and can be used on all types of devices.
  • A VPN will alter your IP address, making it seem that you are using your computer somewhere other than the country that prohibits access to Facebook. You can navigate Facebook with ease while visiting that country.

Proxy Server

  • This makes the user anonymous. The proxy server does the job of anonymizing. The server of the site you want to visit receives requests from this anonymous server. As a result, even if you are in that country that bans Facebook access, it will have no idea where you are located. Hence, you can get on Facebook.
  • Your data, transmissions, etc., however, are not hidden by any tunnel or scrambled (encrypted).
  • Therefore, with the proxy server, even though you can spend hours on Facebook or YouTube in that foreign country…any transmissions or activities you conduct can be intercepted by a hacker if you are using public Wi-Fi.

Now if you have a VPN with the proxy server, this solves that problem. Nobody will be able to snoop or steal data like your credit card information when you shop online.

However, there is no point in having both, when one can do the entire job: the virtual private network. Think of a VPN as having a built-in proxy server.

Hotshot Shield is a VPN that encrypts all of your online activities in that non-penetrable tunnel, while at the same time making it impossible for your location to be identified. You are essentially anonymous. Hotshot Shield works for both wireless and wired connections.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.