Zeus Malware Gang take-down

/in /by

Zeus is no longer a god of malware; he’s been taken down by law enforcement agencies spanning six European nations. Five people were recently arrested—believed to have infected tens of thousands of computers across the globe. There have been 60 total arrests pertaining to this cybergang.

They also used malware called SpyEye, and that, along with Zeus, stole money from major banks. This was a clever operation that included ever-changing Trojans, and mule networks.

Another malware that was asphyxiated was the BeeBone botnet, which had taken over 12,000 computers across the world.

We can thank the Joint Investigation Team for these successes. And they don’t stop there. The JIT put a stop to the Ramnit botnet, responsible for infecting 3.2 million computers globally.

The JIT is comprised of judicial authorities and investigators from six European nations. The cybergang is believed to have its origins in Ukraine. This crime ring was sophisticated, repeatedly outsmarting banks’ revisions of their security measures. Each crook in this ring had specially assigned duties and caused total mayhem to their victims. They even sold their hacking expertise and recruited more thieves. This was one hefty cybergang.

The six nations that are members of JIT are the UK, Norway, Netherlands, Belgium, Finland and Austria. The investigation began in 2013 and had a most thrilling ending. And it wasn’t easy. Here’s some of what was involved in this investigation:

  • Analysis of terabytes of data (one terabyte = one million million bytes)
  • Forensic analysis of devices
  • Analysis of the thousands of files in the Europol Malware Analysis System
  • Operational meetings and international conference calls

But the game isn’t over; there are still more cybergang members out there, and JIT will surely hunt them down by analyzing the mountainous load of data that was collected from this investigation. The funding comes from Europol and Eurojust. In fact, Eurojust has provided legal advice and was part of the composition of the JIT Agreement.

Other countries were instrumental in achieving this capture: Latvia, Estonia, Moldova, Poland, Germany, Ukraine and the U.S.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Tell your Grams about these Scams

/in /by

Do we really get wiser with old age, or just more vulnerable to all the scammers out there? Here are the top scams directed towards senior citizens.
9D
IRS
The phone rings; it’s from the IRS, claiming you owe money.

  • Caller ID says IRS (spoof technology).
  • Caller says if you don’t pay within 24 hours, you’re going to jail.
  • Caller wants your bank account information and routing number, or wants you to wire what you owe.
  • Or, caller says IRS owes you, but to get the refund, you must pay a processing fee within 24 hours.
  • The IRS never calls people for back taxes; it sends a certified letter.
  • Refunds are sent via snail mail without the IRS ever notifying you.

Reverse Mortgages

  • There’s no monthly payment, but whatever balance and interest has accumulated by the time the borrower sells, it must be paid back. If the borrower dies before this, family members must pay it.
  • Misleading ads make it seem this loan is affiliated with the government.
  • You CAN lose your home.
  • If you run out of equity before you sell or die, you’ll need to repay the loan. If you can’t, it’s foreclosure time.

Sob Story

  • The caller identifies self as a grandchild, great niece, etc.
  • Or, the caller says he’s your grandchild’s doctor, lawyer, etc.
  • The caller is in trouble and wants you to wire them money ASAP.
  • They may know details of the person they’re impersonating and you as well, because they’ve visited that person’s Facebook page—and yours.
  • If you ask if you can call back, the caller won’t accept this.
  • Asking additional questions about the “accident” or “burglary” won’t get you answers.

Obituaries and Funeral Homes

  • The caller says that the deceased owes a debt.
  • Or, the caller says he provides funeral services.
  • The victim is a spouse usually.
  • A funeral home that you’re already working with may also try to scam you by talking you into the most expensive casket, memorial plaques, etc.

Phony Pharma

  • Caller or e-mail sender claims to be from the government or authorized by such, to fill your drug prescription at a cheap price.
  • You must act now because the great deal is for a limited time.
  • If you DO receive something, it’s probably vitamins in a prescription bottle.
  • The crook may know details about you from reading your Facebook page.
  • A similar scam exists for Medicare.

Solutions

  • Use a mobile phone as much as possible; scammers usually call landline numbers.
  • Never answer the phone if the number is unfamiliar or says IRS.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

UL to launch Cybersecurity Cert

/in /by

UL in this case stands for Underwriters Laboratories. An article on darkreading.com notes that a UL official, Maarten Bron, says that they are taking part in the U.S. government’s plan to promote security certification standards.

1WThe U.S. government is interested in developing a UL-type program directed at computers and smartphones. This initiative will encourage the private sector and the government to create the standards.

So that’s what we have thus far; this initiative is in its early childhood stage, so there isn’t much more information about it that’s available to the media. UL is looking forward to sharing involvement with the White House’s initiative to unite the private and public sectors to combat cybercrime.

In the meantime, UL is fine-tuning its own test and certification program for Internet of Things products.

The darkreading.com article quotes Bron as follows: “We are prepared to release a test and certification program for this,” that will be fueled by users’ concerns and needs.

Historically, UL has been involved with the testing and certifying of appliances for their electrical safety. About four years ago, UL developed a cybersecurity division. In the darkreading.com article, Bron points out that the security of electronic payments is of particular concern, “namely certification of chip and PIN technologies.”

The transition from magnetic stripe credit cards (which are so easy to fraudulently use) to chip and PIN technology for the cards is underway.

UL has come up with some testing tools that cross-validate the settings from bank card chips against Visa best practices, says Bron. But that’s all just one slice of the cybersecurity pie.

Another big slice is health, and yet another big chunk relates to industrial control systems. UL wants to be on top of holes or vulnerabilities.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

Teen pleads to SWATTING

/in , /by

Just what kind of punishment should a 17-year-old get for making fraudulent 911 calls (a crime known as swatting)?

11DThis happens more than you think. What’s outright astounding is how these teens could think they won’t be discovered. Have they been living in a cave all their lives, using a torch for light?

A 17-year-old boy in Ottawa, Canada, has made several fake 911 calls, including several in the U.S.

  • Told dispatcher his mother was lying in a pool of blood; pretended to follow the CPR instructions.
  • Pretended to be holding people hostage, demanding $100,000.
  • Threatened to blow up a school.
  • Arrested in May 2014, he faces 34 charges.
  • Evidence includes recordings of the phony calls found on the boy’s computer, plus Skype and Twitter logs.
  • So based on the evidence, it’s clear that this boy knows something about modern technology. Wow, he must be as dense as a box of bricks to think he couldn’t be traced.

Maybe if kids, perhaps starting in adolescence, were taught in school how easy it is for authorities to track down a swatter, there’d be a lot fewer swatters. Certainly there would be; it’s not a “maybe.”

It’s the parents’ job to raise good kids, but we know this happens only some of the time. The kid may still be a rotten apple (thanks to a dysfunctional home life), but at least if he’s educated in how simple it is for detectives to trace fraudulent 911 calls, there at least wouldn’t be all of these fake 911 calls that tie up staff while other people really need their help.

And while we’re on the topic of swatting, is there a name for the authentic 911 calls—but that deal with absurd complaints? People will call 911 to report lightning—simply in the sky. Other examples:

  • Caller couldn’t figure out how to exit a locked car.
  • Caller complained her husband was viewing porn.
  • Complaints about inadequate restaurant service.
  • Caller complained her boyfriend wouldn’t warm her cold feet.
  • Caller (drunk) complained a bouncer wouldn’t let him into a night club.

I say no jail time for these morons. Instead, make ‘em stand all day at a busy intersection wearing a sign that says, “I’m a stupo. Called 911 because (fill in the blank).

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

The Growing Demand for Cybersecurity Professionals

/in , /by

Cybersecurity professionals are always in demand[i]. Threats to intellectual property and sensitive data constantly evolve with technology, which means a security professional’s job is never done. There’s always another security problem to solve.

Consider the recent proliferation of cyber attacks: it’s become easier and easier for a small group of people to compromise vast networks of corporate and government information. Worse still, cyber criminals are getting better at covering their tracks.

Experts believe the global shortage of top-flight cybersecurity professionals exceeds one million–our federal government is currently seeking more than 10,000 candidates. The trend will continue in the near future as more and more features of day-to-day living are converted to digital.

As the private sector feels the crush of data breaches, the increasing sophistication of attacks fuels demand to counter or prevent them. Unfortunately, cybersecurity is rarely considered a “glamor job.” Ask a hundred eight-year-olds what they want to be when they grow up and few (if any) will answer “cybersecurity specialist.”

But that’s all the more reason to consider a career in this booming field! Governments and private organizations of all kinds are desperately seeking skilled candidates to protect their data and critical infrastructures from cyber criminals. The shortage of cybersecurity talent is not simply a lucrative opportunity for IT experts–it’s a matter of national security in defense of privacy, property and fair commerce.

Simply stated: there have never been better opportunities for advancement in the cybersecurity profession.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.

[i]  http://www.bls.gov/opub/btn/volume-2/careers-in-growing-field-of-information-technology-services.htm

How to stop Browser Tracking

/in , /by

Maybe you don’t mind the ads for that bicycle rack following you around in cyberspace after you visited a site for all things bike, but browser trackers (“cookies”) also create a profile of you that gets sold to other advertisers and third parties.

2PAre you doomed to be stalked forever by bike ads? This is caused by third-party cookies. You can use third party software such as CCleaner, which can identify third-party cookies and clean out the cookies in your hard drive. It’s the third-party cookies that are the enemy. The first-party cookies come from the site you visit so that your subsequent visits to that site are easier.

After you rid the third-party cookies, you’ll have to alter your browser settings.

Google Chrome

  • In the upper right corner click the little lined box.
  • Select Settings, click Show advanced settings.
  • At Privacy click Content Settings.
  • Under Cookies check “Block third-party cookies and site data.” Hit Done.

Internet Explorer

  • In the top right corner, click on the gear.
  • Select Internet Options.
  • At the Privacy tab click Advanced.
  • Check “Override automatic cookie handling.”
  • Set the Third-party Cookies to Block. Hit Okay.

Firefox

  • Click the lined icon in the upper right corner.
  • Click Options or Preferences for PC or Mac, respectively.
  • At Privacy, under History, change “Firefox will” to “Use custom settings for history.”
  • Change “Accept third-party cookies” to Never.

Safari

  • Safari automatically has third-party cookies turned off, but to be sure:
  • Go to Privacy and select the option that blocks third-party cookies.

Additional Ways to Stop Cookies from Tracking You

Here are things you can do, courtesy of an article on the Electronic Frontier Foundation site. These steps should take you about 10 minutes to complete.

You need not worry that these tactics will negatively impact the ease at which you navigate the vast majority of websites. For websites that get testy about these changes, you can temporarily use a private browsing mode that has disabled settings.

  • Install AdBlock Plus. After installation, change filter preference so you can add EasyPrivacy. You’ll need to visit AdBlock Plus’s website.
  • Change Cookie Settings. Go into Chrome’s settings under Settings, then Show Advanced Settings. Under Privacy click on Content Settings. Hit “Keep local data only until I quit my browser / for current session.” Check “Block third-party cookies and site data.” This will force cookies to expire after you exit the browser and prevent third-party cookies from activating.
  • Install the extension “HTTPS Everywhere.” This will prevent websites from snooping in on you and will help shield you from third parties.

Turn off referers. Install an extension called Referer Control. Scroll down, locate “default referer for all other sites” and hit Block.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Street Fights can result in Death

/in , /by

People who don’t believe they have been brainwashed by the film industry, which repeatedly shows men in a brawl who are still standing after each have received a dozen punches to the head and face.

Sometimes it takes five full minutes to just daze a man, after he’s been hit in the face over and over, and struck in the back with a chair so hard the chair breaks. Men get slammed, even tossed, into walls, into cars, but bounce right back with their dukes up.

An article on gawker.com points out that just one punch could be lethal. And that hitting your head on the ground can be fatal. Bare hands can be deadly. The article also explains that because of this, you should do whatever it takes to stop the attacker—knowing that it might kill him—but at the same time, you shouldn’t deliberately try to kill him.

If your only way out is the nearby 2 x 4, and he’s a bull, then whack him. But geez, no need to impale him with the nearby pitchfork when instead you can just swing the other end into his knees.

How can one punch or a hard fall to concrete kill? The force could jar the brain, tearing a blood vessel, causing rapid bleeding—an acute subdural hematoma or subarachnoid hemorrhage. These don’t exist in Hollywood scripts.

Street Fight Smarts

  • Consider pepper spray, but your brain is your best defense weapon.
  • Park only in well-lit areas and never next to a van.
  • Avoid walking in the dark when possible.
  • If someone demands your car, money or jewelry, give it up.
  • Micro-seconds count. You can always say, “I’m sorry for permanently damaging your eye,” later at the courthouse.
  • Don’t scratch or slap; punch with a closed fist.
  • Gouge at the eyes.
  • Go for the nose.
  • Slam fists into the sides of the neck.
  • Kick at the knees.
  • Ram a hand up between his legs—you know what the destination is.

If he’s “dragging” you to his car, drop to the ground and wrap your arms around his leg to become dead weight. If you think he’ll hit your head at that point, then make a break for it, because at that point, he doesn’t have his arms around you.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Self-Defense and Sexual Assault Prevention

/in /by

If you reach your hand to a strange dog loose on the street to pet it on top of the head, and it mauls your hand, whose fault is this? One camp would put most of the blame on the dog owner. But most people would blame the victim.

1SDBut everyone with half an ounce of sense would agree on one thing: Whose fault it is has NOTHING to do with the importance of doing whatever it takes to prevent a dog attack.

This same principle applies to sexual assault against women. An article on vice.com says that feminist Julie Lalonde isn’t too comfortable with the idea of pushing self-defense lessons on women to help prevent rape. Lalonde believes that promoting self-defense skills encourages the idea that rape is a woman’s fault.

The vice.com article quotes her talking of how society is constructed such that”…if a woman is sexually assaulted and she hasn’t taken a self-defense class, then it was her fault because she could have prevented her rape and didn’t.”

This mindset is one sandwich and the entire blanket short of a picnic. Again, fault has nothing to do with taking whatever measures are necessary to protect oneself! If it can be accomplished with self-defense lessons, then go for it!

Here’s a question for Lalonde and likeminded folks: Which is easier, teaching a woman self-defense or eliminating the urge to rape in a sociopath? Perhaps Lalonde can explain what sort of tactics have been proven to kill a sociopath’s or psychopath’s desire to violate a woman? Last time I checked, none exist (don’t say “chopping it off”; I’m talking about realistically, in our society).

What’s realistic and ethical is self-defense lessons. A study headed by Charlene Senn compared women (900 total) who were assigned self-defense training (which included psychological aspects such as assessing a situation) to women who were given only brochures on sexual crimes.

Rape was reduced among the first group of women (self defense) 5.2 percent, vs. the brochure group (9.8 percent), 12 months out from the study’s interventions.

Do not people such as Lalonde realize how easy it is to disable a man? Has she never seen a man become immobilized with pain upon accidentally hitting his knee into the edge of a cocktail table?

Or perhaps she’s seen too many movies and TV shows in which a man is shown being slammed over the head with a two-by-four, then taking half a dozen punches by another man, kicked in the ribs, knocked off a ledge and falling 10 feet, and despite all that, he ends up beating the tar out of his attacker. In real life, one good sock to the temple will knock a man’s lights out.

Self-defense doesn’t just involve punches and kicks, but depending on the style, focuses on using the laws of physics to put an attacker in a joint lock.

Predators look for prey. High quality self-defense schools teach women NOT to behave like prey, but to behave defensively when needed.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

When a Company Gets Sold, So Does Your Data

/in , /by

When you subscribe to an online service, be careful of how much information you give out about yourself.

1PMost businesses in their terms and conditions, say they “respect your privacy.” But what if these companies go under or are sold? An article from the online New York Times explores this concept. Today’s market-data-hungry-businesses can gather lots of data about subscribers. This data can be transferred to third parties in the event the company is sold or goes belly up.

The New York Times recently analyzed the top 100 U.S. websites, and the revelation is that it’s par for the course for companies to state that subscribers’ data could be transferred as part of a sales or bankruptcy transaction. Companies like this include Google, Facebook, LinkedIn, Amazon and Apple.

On one hand, such companies assure consumers that privacy is important. Next second they’re telling you your data will get into third-party hands if they sell out or fizzle out.

A real-life example is the True.com Texas dating site that attempted to sell its customer database to another dating site. However, True.com’s privacy policy assured members that their personal details would never be sold without their permission. Texas law stopped the attempt.

The Times article points out that at least 17 of the top 100 said they’d notify customers of a data transfer, while only a handful promised an opt-out choice.

This isn’t as benign as some might think. For example, WhatsApp was sold to Facebook. A user of both services ultimately complained that Facebook, without his consent, accessed his WhatsApp contact list, even though his Facebook account was set to prevent people outside his network from obtaining his phone number.

Another example is Toysmart.com. When it went bankrupt, it tried to sell customer data, which included birthdates and names of children. The company’s privacy policy, however, promised users that this information would never be shared.

To avoid fracases, companies are now jumping on the bandwagon of stating they have the right to share customer/subscriber data with third parties per business transactions.

Don’t be surprised if you read something like: “We value your privacy,” and in another section of the privacy policy, “Upon sale of our company, your personal information may be sold.”

 

Even Hackers get hacked

/in /by

Burglars get burgled, muggers get mugged, and hackers get hacked. This includes a sophisticated ring of hackers: Hacking Team, hailing from Italy, specializing in selling hacking software to major governments.

10DAn article on wired.com describes how a “400 gigabyte trove” went online by anonymous hackers who gutted the Hacking Team, including source code. Even their Twitter feed was hacked, and the secret hackers tweeted HT’s cracked files.

One of the exposed files apparently was a list of HT’s customer information, spanning the Middle East, Africa and the U.S.

Hacking Team must really be the Humiliated Team now, because they refused to respond to WIRED’s request for a comment. However, one of HT’s workers tweeted that their mystery hackers were spreading lies. His tweet was then hacked.

Sudan was one of the customers, and this shows that Hacking Team believed it could sell hacking software to any government, as Sudan is noted for its ultra-high restrictions to access.

Can the selling of hacking software be equated to the sales of weapons of mass destruction? More likely this is so than not. There is an arms control pact, the Wassenaar Agreement, designed to control the sales internationally of hacking tools.

Criticisms of the Wassenaar Agreement come from hackers (not necessarily only the bad ones) because the Agreement limits security research.

Eric King, from Privacy International, points out that the Agreement is required. Wired.com quotes him: “Some form of regulation is needed to prevent these companies from selling to human rights abusers.”

The Hacking Team organization, despite what it insists, should not be considered a “good guy.” For example, Citizen Lab uncovered that customers, including the United Arab Emirates and Sudan, used tools from Hacking Team to spy on a political dissident—who just happened subsequently get beaten up.

Eric King says, as quoted in wired.com, that Hacking Team “has continuously thrown mud, obfuscated, tried to confuse the truth.” The hacking of Hacking Team will help reveal the truth behind their “deviousness and duplicity in responding to what are legitimate criticisms,” says King.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.