Infrastructures under attack

It’s been stated more than once that WWIII will most likely be cyber-based, such as dismantling a country’s entire infrastructure via cyber weapons. And don’t think for a moment this doesn’t mean murdering people.

4DA report at bits.blogs.nytimes.com notes that foreign hackers have cracked into the U.S. Department of Energy’s networks 150 times; they’ve stolen blueprints and source code to our power grid as well. Some say they have the capability to shut down the U.S.

The bits.blogs.nytimes.com article goes on to say that cyber warfare could result in death by the masses, e.g., water supply contamination of major cities, crashing airplanes by hacking into air traffic control systems, and derailing passenger trains. So it’s no longer who has the most nuclear missiles.

The list of successful hacks is endless, including that of a thousand energy companies in North America and Europe and numerous gas pipeline companies. The U.S.’s biggest threats come from Russia and China.

So why haven’t they shut down our grid and blown up furnaces at hundreds of energy companies? Maybe because they don’t have the ability just yet or maybe because they don’t want to awaken a sleeping giant. To put it less ominously, they don’t want to rock the boat of diplomatic and business relations with the U.S.

Well then, what about other nations who hate the U.S. so much that there’s no boat to be rocked in the first place? The skills to pull off a power grid deactivation or air traffic control infiltration by enemies such as Iran or Islamic militants are several years off.

On the other hand, such enemies don’t have much to lose by attacking, and this is worrisome. It is these groups we must worry about. They’re behind alright, but they’re trying hard to catch up to Russia and China. For now, we can breathe easy, but there’s enough going on to get the attention of Homeland Security and other government entities.

Recent attacks show that these bad guys in foreign lands are getting better at causing mayhem. At the same time, the U.S.’s cyber security isn’t anything to brag about, being that very recently, some white hat hackers had tested out the defenses of the Snohomish County Public Utility District in Washington State. They infiltrated it within 22 minutes.

Another weak point in our defenses is the component of pinning down the source of major hacking incidents. So if WWIII becomes real, the U.S. won’t necessarily know where the attack came from.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

How to avoid Online Fundraising Scams

You’ve probably heard of the gofundme.com site, where all sorts of stories are posted of people seeking donations. Some are tragic, others are trite. You may be touched by a particular story, perhaps one in which an entire family is killed in a house fire.

9DYou click the “Donate Now” button and donate $50. So just how do you know that family who died in the fire really existed?

Gofundme.com and similar sites are loaded with “campaigns,” just tons of them. Think of the logistics involved if these sites hired people to verify every campaign. This would require enormous amounts of time and a lot of people and expense.

People don’t think. They just assume every campaign is for real. Do you realize how easy it is to start a campaign? Gofundme.com, for instance, only requires that you have a Facebook account with a valid-looking profile picture of the campaign starter, and at least 10 Facebook friends (last I checked, anyways).

  • Who at Gofundme.com and similar sites verifies that the profile picture is that of the campaign starter?
  • Who at these sites verifies that the “friends” are legitimate, vs. all phony accounts or “friends” purchased from seedy overseas companies that create fake profiles?
  • Even if the avatar and friends are for real, how do these crowdfunding sites confirm the authenticity of the campaigns?

It’s all based on the honor system. You take their word for it, though some campaigns are high profile cases. People have given money to fake campaigns. How can you prevent getting conned?

  • Check the news to see if the campaign story really happened. But a house fire in a small town doesn’t always hit the Internet. Nor is it newsworthy that some housewife is trying to raise money to buy her disabled son a set of golf clubs. So stay with campaign stories that you know have occurred.
  • But again, a scammer could take a real story, pretend to know a victim and scam donators. So see if there’s a legitimate pathway to donate to the real people involved in the story, such as through their local police department.
  • Stick to reputable charity sites. Offline, never give money solicited over the phone.
  • Be leery of charity solicitations for very high profile cases, as these attract scammers.
  • If donations are solicited by snail mail, check the Better Business Bureau. Any scammer could create a legitimate sounding name: “American Association for Autistic Children.”

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

LinkedIn targeted by Scammers

LinkedIn is a free service that allows professional people to network with each other. Often, a LinkedIn member will receive an e-mail from another LinkedIn member “inviting” them to join their network. Sometimes, the inviter is someone the recipient doesn’t know, but the recipient will link up anyways. And that’s the problem.

14DA report at www.secureworks.com says that Dell SecureWorks Counter Threat Unit™ (CTU) researchers discovered 25 phony LinkedIn profiles.

With this particular phony network (called TG-2889), most of the intended victims live in the Middle East. The profiles are convincing, including some having over 500 connections.

Signs of Fraudulence

  • Profile photos appear on other, unrelated sites.
  • Duplicate summary profiles, some duplicated from other sites.
  • “Supporter persona” profiles use same basic template and have other similarities.

Using phony profiles, the scammers aim to lure legitimate LinkedIn users into giving up personal information that the “threat actors” can then use either against them (like getting into their bank account) or scamming their associated company out of money.

Or, as evidenced by that one-fourth of the targets work in telecommunications, the scammers may be planning on stealing data from telecommunications companies.

TG-2889 is doing a pretty good job of maintaining the fake profiles, as they regularly make revisions, continues the secureworks.com report. This suggests that a new campaign is planned, perhaps one targeting the aerospace industry, since at least one fake profile mentions Northrup Grumman.

It’s also likely that some TG-2889 profiles have not been identified, and let’s also assume that LinkedIn is tainted with even more bogus profiles from other threat actors.

For Legitimate LinkedIn Users

  • If you suspect a profile is fake, cyber-run for the hills.
  • Link up with profiles of only people you know.
  • Be leery of interacting with members you don’t know even if they appear to be part of the network of someone you do know.
  • If you get a job offer through LinkedIn, don’t respond via that conduit. Instead contact directly the employer for verification.
  • For employers: Have you instructed your employees in proper use of the LinkedIn system? Are you sure they are not abusing it (either intentionally or non-intentionally), which could put your company at risk?

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Burglars Use Social to target Victims

So you think it’s really a far-out left-field idea: a burglar studying Facebook and other social media to select homes to rob. Well think again.

14DA survey, conducted by home security expert Friedland, found:

  • 78 percent of burglars use social media to select targets.
  • 74 percent touted the virtues of Google Street View.
  • 54 percent pointed out how risky it is for social media users to reveal their whereabouts and status.
  • 80 percent said a home alarm system would scare them away.

So with everyone and his brother on social media, why wouldn’t burglars also jump on this bandwagon?

Why Burglars Love Social Media

  • People share every detail of their vacation—while on vacation. If there’s a photo of you sipping a margarita in Cancun, a burglar knows he has plenty of time to break into your house. Can’t you wait till you’re home to post all the photos?
  • Apps may have location-sharing features. Find out if yours do and review the privacy features. Did you know that these features can synchronize with other social media and reveal your whereabouts to strangers?
  • Do you know just who can see what you post on Facebook? Check the privacy settings and make sure you understand just who can see your posts.
  • Applications on your phone may be using your GPS without your knowledge. If you have an Android, go to Settings, then Location Services, then turn off the GPS. For the iPhone go to Settings, Privacy, Location Services and System Services. Turn on Status Bar to see which apps know your every move. For the Windows phone go to Settings, then Location.
  • Did you know that a photo is worth a thousand words when posted online? Words that burglars love, too. Crooks could extract “EXIF” data from photos that reveal where and when they were taken—including your home address. Though Facebook strips out this data, many sites don’t. EXIF data can be removed.
  • In theory, a burglar can do a reverse image search and learn too much about you. He may do a search on one of your images to learn everywhere else it appears in cyberspace, leading to your social media accounts and hence, username/s. If your username is your actual name, and it’s not too common like Patricia Adams, and your social media accounts reveal your city, he can find your address via a people-search directory.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

1 in 4 Female Undergrads sexually assaulted

One in four (25 percent) of college women reported they received unsolicited sexual contact while in college, says the recent Association of American Universities Campus Climate Survey of 150,000 students.

1SDHow can on-campus safety be heightened?

  • Students should have a hardcopy and smartphone-stored list of contact information for all kinds of help. The school’s emergency and security numbers should be on speed dial.
  • Memorize key numbers in case your phone is stolen or the juice dries up.
  • Ditch the headphones when walking outside.
  • See if the campus has a security escort service.
  • Take self defense classes often. Many college campuses have martial arts clubs; join and learn.
  • Don’t always walk the same paths to and from classes so that predators don’t learn your patterns.
  • Review the privacy settings of all your social media accounts, as some accounts have geolocation features that can reveal your location via photos.
  • Keep your windows locked! Always keep the door locked as much as possible and always overnight.

What about social settings?

  • Out late at a bar? Never leave alone; always have someone with you. And make sure you know precisely how to get to your next destination.
  • Never get drunk. Yep, I’m serious. Though many victims are sober at the time of assault, getting drunk can open many opportunities for being victimized, such as being unaware that someone just slipped the “date rape” drug in your fifth drink.
  • In fact, never let your drink out of sight. If you don’t want to take it with you to the restroom, then either finish it or trash it first.
  • Never accept a drink that you didn’t see poured, and never accept an opened can of soda.
  • If you feel it’s time to leave, it probably is. You don’t owe any explanations. In fact, if you say, “I have to go,” pushy people will ask why and urge you to stay. So instead, silently and nonchalantly make your exit. If someone nabs you along the way, tell them you need to 1) get some air outside, 2) make a phone call or answer a text, 3) get something from your car.
  • If it’s more obvious you’re leaving for the night (e.g., putting on coat and boots), say you 1) just received an urgent text, 2) have an early exam tomorrow, 3) look ‘em hard in the eye and say, “I’m leaving. DEAL.” Then leave.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Think Your Door can’t get Kicked in, Think Again

Part of my role as security guy is to keep tabs on the crime climate around the globe. Recently I kept seeing article after article about burglaries with one common theme: “door kicked in”. Don’t believe me? See below. But before you do, probably all of these could have been prevented with Door Reinforcement Technology.

2B9/17/15 Alabama; Front door kicked in at Cahaba Road residence:
The call came in around 2:47 a.m., and officers found an unknown suspect kicked in the front door of a residence to gain entry.

9/21/15 Illinois; Bloomington Police investigating home invasion:
According to Sarah Mayer with BPD, officers were called Saturday to a home that had the door kicked in. Officers say that the resident of the home told them a young black male entered her bedroom and pointed a handgun at her, telling her to lay face down.

9/22/15 Michigan; Couple uses ‘special skills’ to help solve their own burglary:
Sergio and Maura Rodriguez returned to their Southside home on July 17 to find their front door kicked in. Burglars had stolen the couple’s television and Maura’s purse containing her Lone Star and debit cards.

9/23/15 Alabama; Law enforcement blotter:
Caller checking on location for owner, door kicked in, Ashby 2 men with 31 previous arrests nabbed in Hoover break-in 9/21/15 The break-in happened about 3:15 p.m. Thursday in the 5000 block of Tree Crossings Parkway at Ridge Crossings Apartments, said Capt. Gregg Rector. The resident arrived home to find his door kicked in. When he went inside, he interrupted two burglars.

9/24/15 Alaska; Man admits to trying to steal Toyo stove, charged with first-degree burglary:
The homeowner called troopers about 11 a.m. and said he arrived home to find his door kicked in and a man trying to steal his Toyo.

9/24/15  South Carolina; Police Blotter for Sept. 24: A 58-year-old Aiken woman reported Monday that it looked as if a nearby vacant house on Springfield Church Road was burglarized. Deputies found the back door kicked in and several appliances missing from inside.

9/25/15 Georgia; Police Blotter Residential Burglary:
800 block of Loridans Drive—A front door was kicked in and a patio door was tampered with. An Apple MacBook Pro, a black Kindle Fire, Skull Candy headphones, a Wells Fargo checkbook, a PlayStation 4 with controllers, a Burberry watch, a JOS A Bank watch, a white laundry basket, an Xbox with controllers and four games, four watches, an Amazon Fire HD7 and 500 Pesos were taken.

And

100 block of 26th Street—The top of a condo’s door lock was punctured and the door was kicked in. A MacBook Pro laptop, an Apple iPad, jewelry, iPhone 3GS, Apple iPad, Social Security card and personal papers were taken.

And

900 block of Cardova Drive—A homeowner received a text about his alarm sounding but refused police because he didn’t want to be fined. A neighbor discovered the front door kicked in and a TV from the living room was in the driveway. No other items were taken.

And

1800 block of Wellbourne Drive—A 60-inch Sony TV a WII controller, a diamond ring, an Apple MacBook Air, an Apple Thunder Bolt display, a MacBook Pro, two Apple keyboards and wireless mice, a Canon camera, a Sony video camera and a external hard drive were taken when a house’s front door was kicked in.

Now don’t think for one second, “Well I don’t live in Alabama or wherever, so I’m OK”. Wrongo bongo. Go to GoogleNews , type your Town and or state and “Door kicked In” and you will be amazed at how many results come up. Doors, without reinforcement technology are useless. Install high-grade door reinforcement technology. Door Devil, is the door jamb reinforcement I use.

Robert Siciliano is a home and personal security expert to DoorDevil.com discussing Anti-Kick door reinforcement on YouTube. Disclosures.

20 Home Security Tips

Angee, the new Kickstarter campaign that raised over $250,000 already, will revolutionize home security in more ways than one. Meanwhile, get going on these 20 home security tips: ANG3

  • Keep all doors and windows locked at all times. Yes, on hot summer days it’s tempting to keep windows open, but at least be very discriminate about this.
  • Keep the garage door closed at all times, even on hot days. But if you’re positive that leaving it slightly open cools the rest of the house, limit this to about four inches.
  • Reinforce doors with door jamb reinforcements.
  • All doors should have high grade deadbolts.
  • All first-story and basement windows should have Charlie bars, rods or gadgets that prevent horizontally-sliding windows from being slid open.
  • The address numbers for your house should be big and easy for first responders to see.
  • Though you may not care what your grass looks like when not cut, burglars do. That’s because a lawn that looks like it hasn’t been cared for in a while makes burglars think nobody’s been home for weeks…
  • And speaking of which, burglars also notice if paper delivery has been accumulating, or the house is always dark in the evenings. If you’re away a lot or don’t use much lighting when you’re home, use automatic lighting devices.
  • Never put a note on any door outside that says you’ll “be back in a few.”
  • Before you go out on errands, put the phone’s ringer on mute so that burglars don’t hear unanswered rings.
  • Before dusk approaches, close curtains and blinds. A favorite way burglars case houses is to look inside when it’s dark.
  • Never smoke when drowsy and always rinse butts before tossing them.
  • Never hide spare keys near your front door; a burglar will find them. Give to a trusted neighbour or other adult.
  • Put valuables in a safe—preferably a big one (small safes are often stolen without being picked open on the spot).
  • Doors should have peepholes. Never open the door if you can’t tell who’s there and are not expecting anyone.
  • Have a smoke alarm on each floor.
  • Devise a fire escape plan and then regularly drill the family in it.
  • Always turn off hot things like curling irons when you’re not using them.
  • Never leave anything burning while you’re outside the house.
  • Flammable items should be kept away from the house. This includes dried up leaves and brush.

Robert Siciliano, personal and home security specialist to Angee. Learn more about Angee in this Video. Support Angee on Kickstarter. See Disclosures.

Fake IDs are everywhere

Okay, so you’re 18 or 19 and in college, and are stressed because you have to be 21 in order to gain entry to a night club or bar where you’d like to drink up a storm and mingle with a “more mature” crowd. Or really, you just want to meet someone.

8DLife sure is tough, isn’t it? You have to wait till you’re 21, but by then…you may be graduated from college (and a lot more mature, and thus, getting plastered would no longer have appeal). What a bummer, dude! The time to have fun is when you’re young and irresponsible!

Many U.S. college kids circumvent this age restriction with the fake ID. And over the years, it’s gotten easier to get the fake ID, thanks to the Internet. In fact, the Internet is replete with sellers of fake IDs to anonymous customers.

An article at businessinsider.com describes how the “subreddit” vendor site even provides threads where visitors could get information on how to use this site, which is encrypted (not surprising).

Nevertheless, college kids can still get fake IDs the old-fashioned way: by asking around. It won’t be long before they have contact information and simple instructions regarding payment and sending the supplier a photo.

Beware of the Consequences of Getting Caught with a Fake ID

  • Come on, is it really worth it? Do you know any grad students who go through their days haunted with agony because they never had a fake ID as undergrads?
  • Depending on what state you’re residing in if you get busted, you can get put in jail.
  • Some states yield only the misdemeanor charge, while other states will get you a felony charge.
  • Using an older person’s ID (e.g., Big Sis who looks like you) will not only mean trouble for you, but for Big Sis, too.
  • Don’t think for a second that getting caught means a little time facing a crabby judge and then going home like nothing ever happened.
  • Sending all your data to a criminal who makes fake IDs can facilitate your own identity stolen. There is no honor among thieves.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Surveillance Video captures Home Invasion

A man was assaulted by three or four men when he arrived home, through his garage door at 5:40 a.m. It’s very apparent that the attackers knew he’d be arriving home at around this time and decided to wait for him, says a report at ksla.com.

2BThis recent home invasion occurred in the Dogwood South subdivision in Louisiana. Though video surveillance recorded the crime, it’s not clear who the assailants are, as they were masked. Detectives are working hard at getting some leads.

The man, along with his wife, were bound with duct-tape. The man suffered minor injuries. The couple’s two young children were not harmed. The assailants made off with money and jewelry.

Needless to say, neighbors are unraveled, and the victims do not want to appear on camera for a news interview. The presence of police that lingered around the victims’ house went anything but unnoticed, so a post went up on the sheriff’s department Facebook page.

Rumors had developed that there were more home invasions in Dogwood South, but the Facebook page straightened this out by reporting “This simply isn’t true.”In fact, it’s been a very long time since the last home invasion in this area.

Residents should not equate the vehicle burglaries in the area with the crime of home invasion.

The Facebook post is asking that people call in tips to 318-965-2203.

I guess the good news is that, unlike some home invaders, these crumbs spared their victims’ lives. But now the victims probably keep wondering if the assailants, who were armed, will return.

Could home invaders be waiting for you? You just never know. Certainly, the victim in this story never thought something like this could happen as he arrived home.

  • Have pepper spray in your home and car, ready to pull out.
  • Look carefully around before you exit your car in the dark.
  • Have the pepper spray in your hand.
  • Close the garage immediately; don’t let it linger open.
  • Make sure no obscuring shrubbery is growing near any entrances to your house or near any windows.
  • Before entering your car, even if it’s been in the garage, look in the back seat. You just never know if a dangerous person could have somehow gotten in and is waiting for you.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

5 In-Demand Cybersecurity Specialties

There are numerous subspecialties within the booming cybersecurity field[i]. Here are some of the most in-demand professions:

Cybersecurity Engineer: This is the all-around, jack-of-all-trades, go-to guy or gal of cybersecurity. For all intents and purposes, a cybersecurity engineer is a hacker – but a good one. Using their advanced knowledge of malware, viruses, theft, DDoS attacks and other digital threats, cybersecurity engineers defend organizations against crime online. Personality traits required for this role include being flexible, nimble and a do-it-yourselfer. Candidates also must have:

  • A good background in penetration testing.
  • Experience with additional online security measures.
  • On-the-job experience, which is an absolute must for this position.

Malware Analyst: If you choose to specialize, working as a malware analyst is like being an oncologist fighting cancer. There’s research, removal or treatment, and it’s up to you to decide how to apply your training.

With millions of types of malware on PCs, Macs and even mobile devices there’s a significant shortage of experts in this highly in-demand field. Responsibilities include:

  • Identifying and fighting viruses, worms and Trojan attacks.
  • Educating companies about malicious software.
  • Analyzing malware inside and out.
  • Developing tactics to help prevent future attacks.

Application Security Administrator: Back in the days of desktop computing, the only means of compromising data were to insert a contaminated floppy disk into a PC or open an infected email attachment. We’ll call this the “anti-virus era.”

Next came the “network security era.” The need for cybersecurity evolved with the Internet as more companies developed internal and external networks.

Information security has evolved yet again. Today, we live in the “application security era.” The demand for application security administrators is nearly limitless. The job includes:

  • Performing application security reviews, looking for potential weaknesses.
  • Writing testing code for applications.
  • Ensuring a company’s applications comply with the minimum standards for security.
  • Ensuring that any applications that the company uses conform to the minimum standards for privacy.

Chief Information Security Officer (CISO): CISO is the top position managers in the field of cybersecurity work toward achieving. Prospective candidates should take a multifaceted approach to cyber education with courses in business fundamentals. Responsibilities might include:

  • Monitoring the efficacy of security operations.
  • Preparing a company to fight cyber attacks.
  • Designing strategies to oppose imminent threats as well as threats in their early stages.
  • Looking for cyber intrusions.
  • Analyzing the company for possible holes in its network.
  • Managing other security personnel.

Security Consultant: It’s tough to land a 9-5 job as a security consultant, but this is one of the most gratifying positions one can pursue when engaged in the diverse and rapidly changing world of cybersecurity.

Consultants come in two flavors: they have a knack for solving problems in a particular niche, or they have accumulated knowledge of multiple systems over the course of their career. Security consultants are expected to:

  • Work with companies to come up with security tactics that align with the company’s particular needs.
  • Possess knowledge about security standards, systems, etc.
  • Have superb communication and management skills, as the security consultant will need to interface with management and know the company’s corporate policies.
  • Test security measures that they’ve recommended.

When choosing a specialty keep a few things in mind. Try to choose one that can compliment another in the event you decide to make a change. Research how much training and education in time and money might be needed. Are there certifications that need to be re-qualified for and how often? Consider the dynamics of the specialty such as will you be working with individuals, teams, or by yourself. Will there be travel involved? Does it require overtime or is it a straight 40 hour a week job?

No matter what you choose, follow your heart.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.

[i]  http://www.bls.gov/opub/btn/volume-2/careers-in-growing-field-of-information-technology-services.htm