Latest Russian Cyber Attack on White House a Boon for CISA

The Russians have come…again—in the form of hackers. Not long ago Russian cyber criminals busted into the U.S.’s State Department system and mangled it for months.

This time, they got into a computer system at the White House. Luckily, this system did not hold any classified information, but nevertheless, the hackers got ahold of President Obama’s private itinerary. So it just goes to show you just what hackers a world away can do.

This isn’t the first time that the White House has been hacked into. Remember the attacks that were allegedly committed by the Chinese? These, too, did not involve sensitive information, but the scary thing is that these cyber invasions show how easy it is for other countries to bang into the computer systems of the No. 1 superpower.

So President Obama’s personal schedule got hacked, and in the past, some White House employee e-mails got hacked. What next—top secret plans involving weaponry?

What the Russians may do next is of grave concern to the FBI. Perhaps the Russians are just teasing us with this latest break-in, and the next hacking incident will really rattle things.

Ironically, Obama had recently signed an executive order in the name of stomping down on cyber crime. Well, someone didn’t stomp hard enough, and the Russians, Chinese and everyone else know it.

Obama’s efforts involve CISA, the Cybersecurity Information Sharing Act. The Act would mandate that there’d be greater communication between the government, businesses and the private sector relating to possible cyber threats.

CISA is not well-received by everyone because it involves what some believe to be a compromise in privacy. This latest attack on the White House, say CISA critics, might encourage lawmakers to hastily pass the Act without first building into it some features that would protect the privacy of the private sector.

The chief concern, or at least one of the leading ones, of CISA opponents or skeptics is that of the government gaining access to Joe’s or Jane’s personal information. And why would the government want to get our private information? For surveillance purposes—that harken back to the efforts to increase cyber protection and prevent more hacking episodes.

The bottom line is that this latest attack by the Russians will surely add a few more logs to the fire in that lawmakers will feel more pressure than ever to strongly consider passing CISA.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. Disclosures.

How Hackers are Hacking Smarthomes

“My house was hacked!” Had you said this 25 years ago, people would have thought a burglar vandalized it with an axe. Say it today and nearly everybody will know what you mean: A thief or prankster “broke” in to your house via its connected-to-the-Internet gadgets.

If something’s connected, like your refrigerator, the possibility of hacking exists. All of these smarthome gadgets make it to market without a lot of attention on security, leaving them with “back doors” through which hackers could enter. This creates a larger “surface area” for potential cyber invasions.

In January 2014, connected refrigerators were actually sending out spam e-mails. So don’t think that all of this is just hyped up anxiety. And unless you’ve been living in a cave, you’ve already heard about the man who hacked into a baby monitor and yelled obscenities through it. A hacker could infiltrate through any vulnerable device in your house and use it as a launching pad to get into your e-mail account and redirect your web traffic to them.

Though nothing is ever 100 percent secure, the issue boils down to how important it is for you to control your home’s thermostat or coffee pot while you’re away, which means adding one more “smart” thing to your house, increasing its surface area of potential attack.

Smart gadgets are especially vulnerable to attack because they may not be replaced for many years, such as a smart washing machine. This means the appliance or device needs to have a long-term ability to receive security updates.

To combat security threats, makers of smart gadgets and appliances need to have security in mind from the beginning of manufacturing. They need to set up a monitoring system for these products for as long as they are in use, so that the smart washer is just as protected in its 15th year of use by the homeowner as it is in its first year.

Though the smart coffee pot may come across as a status symbol of a tech-savvy person with money to burn, some smart devices can save money such as a system that monitors water usage and can even identify which pipe has a leak.

The homeowner has to do a risk/benefit analysis and just perhaps forego the coffee pot and the smart egg container that tells you when you’re down to your last few eggs. To check if your kids are sleeping you may just have to do it the old-fashioned way: walking to their bedroom and peeking in.

When making an investment in smarthome devices, make sure to check out the reviews and do your research to see if anyone has experienced security issues. And make sure to update any software or firmware over the lifespan of the device.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Home Automation in your Security System

Having a house run like the Jetsons’ is becoming increasingly possible: It’s called home automation. If you’re not familiar with the futuristic cartoon family, the Jetsons, just about everything in their house was automated. Today, we can have the following:

  • Sensors that make noise when a door or window opens are nothing new, but real-time video surveillance of a home’s interior and exterior, viewed remotely through a smartphone thousands of miles away, is relatively new technology.
  • Controlling the temperature inside the house from anywhere outside using a phone. The smartphone connects with the thermostat’s sensors that detect radio frequency signals.
  • Odorless but deadly, carbon monoxide gas will be detected by a detector—and this has been around for a long time, but what’s relatively new is that the detection will trigger ventilation: a head start for the home’s occupants to scramble outside. Sensors can also alert to possible gas leaks.
  • Recently in the news was the seven children who died in a Brooklyn, NY house fire started by a hot plate. Apparently the house had one smoke detector—in the basement—that nobody on the second floor heard when it went off while they were sleeping. The kids would have likely survived had there been multiple fire detectors to alert the residents.
  • Furthermore, smoke alarms detect smoke before the fire begins and can simultaneously notify a central control center that then contacts the fire department. Seconds count.

Home automation may seem like something that only the rich can afford, but the makers of these systems want to score a big profit, so they develop systems to fit different budgets. Reputable home security companies can offer different packages and give price estimates.

Realize that there exist security scams, including the one in which an employee comes to your house unannounced, wearing a jumpsuit with the name of your security company on it, claiming that your system needs servicing. What he really wants to do is scope your house for vulnerabilities and also find out when you might not be home in the near future—so he could rob the place.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

How to recognize Online Risks

Would you give up your bank account and credit card numbers to a stranger on the street after he approaches and asks for them? Of course not. But that’s essentially what people do when they’re tricked by online crooksters into revealing sensitive personal information, including their Social Security numbers.

One of the most common ways this is done is through phishing.

  • The phishing attack is when the thief sends out thousands of the same e-mail. If enough people receive the message, sooner or later someone will take the bait.
  • The bait may be a notice you’ve won a prize; a warning that your bank account has been compromised or that you owe back taxes; an alert that something went wrong with your UPS delivery; or something about your medical insurance.
  • These subject lines are designed to get you to open the e-mail and then follow its instructions to remedy the problem—instructions to the tune of typing out your personal information including passwords.
  • Sometimes the fraudster has already gained information from a victim and will use that to make the victim think that the phishing e-mail is legitimate.
  • These e-mails contain links; never click on them. They’re designed to entice people into giving up personal information, or, the site they take you to will download a virus to your computer.
  • Sometimes the e-mail will contain an attachment. Opening it can download a virus.
  • What if the e-mail appears to be legitimate, complete with company logo, colors, design and details about you? Contact the company first, by phone, to see if they sent out such an e-mail. Don’t click any link to get on the company’s site; instead, go there by typing the address into the URL field.
  • You may have heard that hovering over the link will show its true destination, but this isn’t always the case.
  • Remind yourself that you are not special: Why would YOU inherit money from some strange prince in a foreign country?

Passwords

  • Passwords should never contain words or names that can be found in a dictionary. I know you so desperately want to include the name of your favorite football team in it, but don’t. Such passwords are easier for hackers to crack.
  • Never use keyboard sequences; again, a hacker’s tool can find these.
  • Make a password almost impossible to crack by making it at least 12 characters, a mix of upper and lower case letters, and include numbers and other symbols.
  • Use a different password for every account.

Anti-malware Software

  • You should have a complete system that’s regularly updated.
  • Have a firewall too.

Virtual Private Network

  • Download Hotspot Shield to encrypt your data on public WiFi hotspots.
  • Shield your IP address from webtracking companies who desire your information to sell you stuff or from search engines who hand that data over to the government.

Secure Sites

  • Whenever possible, visit only sites that have https rather than http, because the “s” means it’s a secure site.

A padlock icon before the https means the site is secure.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Company proves why you shouldn’t post Kids’ Pics online

What if you knew there existed a possibility that some company, without your knowledge, grabbed a photo of your child and put it on their product and then put their product online for sale?

Koppie Koppie sells coffee mugs with photos of kids on them—and YOUR child could be one. Though this begs the question, who on earth would want a coffee mug with a photo of a stranger’s child on it, there’s actually a market for this.

Koppie Koppie has taken photos of kids from Flickr. Koppie Koppie is actually more of a social experiment, says the duo who run the site at koppie-koppie.biz. The pair claim that the drive was to raise awareness of privacy issues, yet at the same time, insist that they haven’t done anything wrong because they haven’t violated Flickr’s rules.

The images that Koppie’s founders use come with the Creative Commons licensing rights: Commercial re-use is not restricted.

Though what Koppie Koppie has done is actually legal, it still counts as a violation of the rights of the parents of those kids.

Writers use these photos for their articles, for instance, an article about parent-child relationships, but with professional child models, the parents of the young models know this. So is taking the use of the photos up a notch (or two or three?) by putting them on mugs as a display crossing the line, or is it to create awareness that maybe you shouldn’t be posting pictures of your children online?

These guys found a loophole and slithered through it, since the privacy policies of social media fall short with explaining the context of how images can be shared online. But they make a good point.

Going further down the continuum, we may have a company sooner or later selling T-shirts with YOUR child’s face on them—without your knowledge.

Koppie Koppie says it will take down a mug of your child within two weeks of your complaint. But think of how many parents will never read this article and know what Koppie Koppie has been up to or anyone else for that matter.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

1 Billion Records hacked

Billions and billions—it’s only a matter of time before this becomes the number of hacking incidents in a single year, because just in 2014, over one billion records were hacked out of 1,500 different hacking incidents, says a recent report.

Some other findings from the report:

  • A little over half the breaches involved credit card numbers, Social Security numbers and other personal information.
  • Most hacking incidents occurred in the U.S.
  • 55 percent of the incidents involved retailers, primarily affecting point of sale systems that lack encryption technology.
  • The private sector, combined with the government, took up 17 percent of the hits.

The government has had it; the White House plans on devoting an office entirely to figuring out how to stay ahead of cyber crime. Let’s hope that the White House really dissects cyber attack technology.

What can consumers, the private sector, retailers, banks and the governments do to make it difficult for hackers to cause mayhem?

  • Go through all of their passwords and replace the weak ones with strong ones. A weak password is less than eight characters (some experts advise that it be at least 12), contains actual words or names, contains keyboard sequences and has limited character variety.

    Keep in mind that an eight-character password such as $39#ikPw is strong and superior to the 12-character 123qwertyTom. But maximize the strength by making the password at least 12 characters and a jumble of character gibberish. A password manager can do this all for you.

  • Install antivirus software. This means antivirus, anti-spyware, anti-phishing and a firewall. Then make sure they are always updated. This software should also be installed on your smartphone and tablet.
  • If you’re still using Windows XP because you don’t want to part from your comfort zone, get out of it immediately, because it won’t be so comfy when your system gets dismantled by a hacker. Windows XP is no longer subject to security patches and updates by Microsoft. You need a version, such as MS Win 7, that receives regular updates.
  • Your router has a password that’s been set by the manufacturer. Hackers know these passwords. Therefore, you should change it. Next, turn your WPA or WPA2 encryption on. If you don’t know how to do these things, contact the router’s manufacturer or google it. And unless you have encryption while using public Wi-Fi, consider yourself a lone zebra wandering around in the African savanna where prides of hungry lions are watching you. Get a VPN. Google it.
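
The weak-password criteria in the list above (length, actual words or names, keyboard sequences, character variety), applied as a small checker; this is an added example, not part of the original article. The wordlist is a constructed sample, and the three-character run length and the three-of-four character-class threshold are assumptions.

```python
# Added example: audits a password against the weak-password criteria above.

# Constructed sample wordlist (assumption); a real audit would load a full
# dictionary plus lists of common names and team names.
SAMPLE_WORDS = {"tom", "password", "dragon", "patriots", "summer", "welcome"}

# Keyboard rows and simple runs. Any 3-character slice of these, read
# forwards or backwards, is treated as a keyboard sequence.
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz")

MIN_LENGTH = 8            # shorter than this is weak
RECOMMENDED_LENGTH = 12   # the length some experts advise
MIN_RUN = 3               # assumption: shortest run that counts as a sequence
MIN_CLASSES = 3           # assumption: fewer classes means "limited variety"


def keyboard_sequences(password):
    """Return the sorted keyboard-run slices found in the password."""
    lowered = password.lower()
    hits = set()
    for run in KEYBOARD_RUNS:
        for direction in (run, run[::-1]):
            for i in range(len(direction) - MIN_RUN + 1):
                chunk = direction[i:i + MIN_RUN]
                if chunk in lowered:
                    hits.add(chunk)
    return sorted(hits)


def dictionary_words(password, words=SAMPLE_WORDS):
    """Return wordlist entries (3+ letters) embedded in the password."""
    lowered = password.lower()
    return sorted(w for w in words if len(w) >= 3 and w in lowered)


def character_classes(password):
    """Return which of lower/upper/digit/symbol appear in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def audit(password):
    """Return finding codes in a fixed order; an empty list means no findings."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    elif len(password) < RECOMMENDED_LENGTH:
        findings.append("below_recommended_length")
    if dictionary_words(password):
        findings.append("dictionary_word")
    if keyboard_sequences(password):
        findings.append("keyboard_sequence")
    if len(character_classes(password)) < MIN_CLASSES:
        findings.append("limited_variety")
    return findings


if __name__ == "__main__":
    # The first two passwords are the ones quoted in the article.
    for pw in ("$39#ikPw", "123qwertyTom", "qwerty"):
        print(f"{pw!r}: {audit(pw) or ['no findings']}")
```

The 12-character example trips the word and sequence checks while the eight-character one only falls short on length, which is the comparison the article draws.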

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. Disclosures.

Strengthen Your Digital Defenses with the 5 Habits of Practically Unhackable People

At the start of the year, we all made our resolutions for 2015. Now it’s March—how are you doing on your resolutions? If you’ve already broken a few, no worries; New Year’s doesn’t have the monopoly on making goals to better yourself. This is especially true with digital safety. At a time when there are so many security breaches, it’s important to commit to strengthening your digital defenses year-round.

When making goals, it’s important to emulate people who have already mastered what you’re trying to learn. So in this case, what do super secure people do to stay safe online? Intel Security has the answer—here are the 5 habits of practically unhackable people:

  1. Think before they click. We click hundreds of times a day, but do we really pay attention to what we click on? According to the Cyber Security Intelligence Index, 95% of hacks in 2013 were the result of users clicking on a bad link. Avoid unnecessary digital drama, check the URL before you click and don’t click on links from people you don’t know.
  2. Use HTTPS where it matters. Make sure that sites use “https” rather than “http” if you’re entering any personal information on the site. What’s the difference? The extra “S” means that the site is encrypted to protect your information. This is critical when you are entering usernames and passwords or financial information.
  3. Manage passwords. Practically unhackable people use long, strong passwords that are a combination of upper and lower case letters, numbers, and symbols. Yet, unhackable people don’t always memorize their passwords; instead, they use a password manager. A password manager remembers your passwords and enters them for you. Convenient, right? Check out True Key™ by Intel Security, the password manager that uses biometrics to unlock your digital life. With True Key, you are the password.
  4. Use 2-factor authentication (2FA) all day, every day. When it comes to authentication, two is always better than one. 2FA adds another layer of security to your accounts to protect it from the bad guys so if you have the option to use 2FA, choose it. In fact Intel Security True Key uses multiple factors of authentication.
  5. Know when to VPN. A VPN, or virtual private network, encrypts your information, which is especially important when using public Wi-Fi. Practically unhackable people know that they don’t always need a VPN, but know when to use one.

To learn more about the 5 habits of practically unhackable people, go here. Like what you see? Share the five habits on Twitter for a chance to win one of five prize packs including a $100 gift card to Cotopaxi or Hotels.com.*

You don’t need to wait for another New Year to resolve to become a digital safety rock star – start today!

*Sweepstakes is valid in the U.S. only and ends May 16, 2015. For more information see the terms and conditions at intel.com/5habits.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Watch Out for Tax Scams!

Spring is here (at least in some parts of the world in the northern hemisphere)! The bees are buzzing, the flowers are blooming, and the accountants are working late because for those in the U.S., it’s tax season! Scammers love tax season—there is a lot of money moving around as people pay taxes and receive tax refunds. And they have developed many ways to take advantage of that and steal your hard-earned money.

The Internal Revenue Service (IRS) maintains a list of the scams that it calls the Dirty Dozen and has published it again for 2015. It’s a good idea for all of us to familiarize ourselves with these. Here are the top three.

  • Phone scams. Your phone rings—it’s the IRS stating that you owe money and you must pay it NOW! It can be disconcerting but, never fear, this is a scam. Keep in mind that if you do owe the IRS, they will first contact you via snail mail before calling. This is the number one scam that criminals are using during tax season so don’t answer your phone (just kidding…just be aware of this).
  • Phishing. Hackers imitate the IRS and send an email that asks you to update your e-file immediately. The link then directs you to a bogus website. If you enter your information, the hacker collects any information you enter on the site. Remember, the IRS generally does not send emails, text messages or social media posts to request personal or financial information. If you receive any unsolicited communication that appears to be from the IRS, report it to phishing@irs.gov.
  • Identity Theft. If a cybercriminal gets access to your Social Security number (SSN), they can pose as you and file a tax return under your name, but have the refund sent to them. When you file your tax return, you’ll get a notice from the IRS stating that more than one tax return was filed for you. If you think you are a victim of identity theft or have been in the past, make sure to contact the IRS as they can issue you an identity theft PIN that will be used in addition to your SSN. Make sure to protect your SSN and do not share it unless absolutely necessary.

Stolen tax returns and tax scams have been growing consistently, leaving many identity theft victims struggling to recoup their lost refunds and identities. To help you, here are some tips to protect yourself this tax season.

  • Protect your data. Store sensitive documents in a fire-proof safe. If you plan to receive documents with sensitive information like your financial information in the mail, make sure you have a mail box with a lock.
  • Shred non-essential paperwork. Check with your accountant to determine what you need and what you don’t. Use a cross-cut shredder to destroy unneeded documents.
  • File early. The earlier you file, the more quickly you thwart any criminal’s attempt to file on your behalf and collect your refund.
  • Be cautious when clicking. Don’t click on any links or email attachments from emails that appear to be from the IRS. Be suspicious of strange emails and websites; instead of clicking on links, navigate to IRS.gov in your browser directly.
  • Protect your devices. Install comprehensive software like McAfee LiveSafe™ service that protects all your PCs, Macs, smartphones and tablets and make sure to keep it updated.

Here’s a great video from the IRS about tax scams and additional information on how to report IRS phishing scams.

Hope you have a safe tax season!

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

What is a Potentially Unwanted Program (PUP)?

Whether you’re an animal person or not, you have to admit that puppies are pretty darn cute. So cute that there are YouTube Channels, Facebook accounts, and Buzzfeed newsletters devoted to the subject. Unfortunately, there’s a not so cute PUP out in the world, and it wants access to your device. What I’m talking about is a potentially unwanted program (PUP). What is an unwanted program? It’s software or an app that you don’t explicitly want on your device. PUPs usually are bundled with freeware and often install without your permission.

Note: PUPs are not malware. The main difference is that you give consent to download the PUP, even though you might not know about it if you don’t read the agreements or installation process thoroughly.

So if PUPs aren’t malware, why are they bad? Some PUPs contain spyware including keyloggers, dialers, and other software to gather your information which could lead to identity theft. Others may display annoying advertisements on your device. Even if the PUP doesn’t have any malicious content, too many PUPs can slow down your device by taking up space on your device and can weaken your device’s security, making you vulnerable to malware.

Companies or hackers use several techniques to get you to download PUPs. One technique is offering multiple installation options. Although the standard or default options may be highly recommended by the company or hacker, it is usually the custom or advanced option that is PUP-free. Another trick is automatically including PUPs in the installation. You have to uncheck the boxes to opt-out of the PUP. Sometimes they will gray the opt-out option so it looks like you can’t get out of downloading a PUP. Other companies will sneak clauses about PUPs into the end user license agreement. This means when you click to agree with their user terms, you also agree to download PUPs.

Here are some tips on how to make sure you don’t get a PUP.

  • Be picky. Hesitate before downloading any freeware. Do you really need that Guardian of the Galaxy wallpaper for your laptop? Be vigilant and only download from trusted sites.
  • Customize. When downloading a program, it may be tempting to use the standard or default installation, but this version usually includes downloading programs you don’t need. Choose the custom installation.
  • Opt out. Instead of asking you to opt in to PUPs, companies will automatically include the PUPs in the installation; it’s up to you to say no. For example, a freeware program might recommend that you install a free browser add-on, and below this statement will be a box that is checked that indicates you want to install the add-on. If you don’t uncheck the box, you can potentially download a PUP you may know very little about.
  • Read the fine print. Read the End User License Agreement before you accept it. There may be a clause about PUPs.
  • Have comprehensive security software. Install security software that works for all of your devices, like McAfee LiveSafe™ service. McAfee LiveSafe can detect PUPs and remove them from your device.

Remember it’s much more fun to snuggle with furry pups rather than the computer code kind.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Don’t be scammed into paying Back Taxes

It’s easy to scam someone who did something wrong by telling them they need to fix their mistake. This is why thousands of people get scammed into paying back taxes to the IRS—the IRS has nothing to do with these scams, of course, but the predators prey on people’s fear of Uncle Sam. It all begins with the fraudster making a phone call, pretending to be an IRS employee.

They have other tricks up their sleeve too, such as making the caller ID show a number that appears to be coming from the IRS and identifying themselves with phony IRS badge numbers. They’ll even leave urgent messages if they get voicemail.

Preying on emotions, the crook gets vulnerable people to give up private information right then and there—enough information for the crook to commit some kind of identity theft crime. When many people hear “IRS,” they get scared. Scammers have ripped off millions of dollars as a result.

The IRS won’t give you a phone call if you’re delinquent in your tax payment. They’ll snail mail you an official notice instead. In fact, the IRS, despite its negative stereotype, won’t use scare tactics or threatening verbiage. Anyone on the phone who does this is pond scum; hang up immediately.

The IRS also won’t ever just up and e-mail you about back taxes. If you see “IRS” in a subject line, do not open it. Instead, forward it to phishing@irs.gov and delete it.

If you want to have a little fun with these thieves, then if you ever get a call from someone claiming to be from the IRS, nonchalantly tell them that you yourself work for the IRS. See what happens.

A woman in Denver, Rachel Fitzsimmons, received calls from the “IRS” telling her they were filing a lawsuit against her. The message was a robotic-sounding female voice that left a call-back number. At first she was unnerved, but then after doing some research, recognized this as a scam. She called back the number, let the man talk a little with the threat, then told him she worked for the IRS (she doesn’t). He immediately hung up. Busted!

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.