Majority of Executives believe Attackers will overcome Corporate Defenses

Many technology executives don’t have a favorable outlook on their ability to sideswipe cybercriminals, according to research conducted by McKinsey and World Economic Forum.

2DThe research also shows that both big and small businesses lack the ability to make sturdy decisions, and struggle to quantify the effect of risk and resolution plans. As the report authors state, “Much of the damage results from an inadequate response to a breach rather than the breach itself”.

These results come from interviews with more than 200 business leaders such as chief information officers, policy makers, regulators, law enforcement officials and technology vendors spanning the Americas, Europe, Asia, Africa and the Middle East.

Cybercrimes are extremely costly and the cost can hit the trillions of dollars mark.

Several concerning trends regarding how decision makers in the business world perceive cyber risks, attacks and their fallouts were apparent in the research findings:

  • Over 50 percent of all respondents, and 70 percent of financial institution executives, think that cybersecurity is a big risk. Some executives believe that threats from employees equal those from external sources.
  • A majority of executives envision that cyber criminals will continue being a step ahead of corporate defenses. 60 percent believe that the gap between cyber crooks and corporate defense will increase, with, of course, the crooks in the lead.
  • The leaking of proprietary knowledge is a big concern for companies selling products to consumers and businesses.
  • Service companies, though, are more worried about the leaking of their customers’ private information and of disruptions in service.
  • Large organizations, says ongoing McKinsey research, reported cross-sector gaps in risk-management competency.
  • Some companies spend a lot but don’t have much sophistication in risk-management capabilities, while other companies spend little but are relatively good at making risk-management decisions. Even large companies can stand to improve their risk management capabilities substantially.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Russian Organized Crime: Krem D’la Krem of Hackers

The Russians have definitely come…in the world of cybercrime. A Russian ring of hackers has amassed 1.2 billion stolen passwords and usernames involving 400,000 websites. The criminals have also garnered 542 million e-mail addresses.

11DAnd these Russians didn’t discriminate: Any website they could bust into, they did, ranging from big U.S. companies to little websites—anything. Most of these sites remain vulnerable.

Apparently, the thieves are not working for Russia’s government (which rarely goes after hackers anyways), nor have they sold the stolen information…yet. They’ve been paid by third-party entities who want to send out spam.

This gang of thieves operates like a business, with some doing the programming and others doing the stealing. The crooks use botnets to scope a site’s weaknesses, then plow in there.

This massive breach has called attention to the reliance that businesses have on usernames and passwords; this will need to be changed.

Tips for Preventing Getting Hacked

  • Say NO to clicking on links inside e-mails, even if the apparent (note “apparent”) recipient is your bank or a friend.
  • URL security. Trust only sites whose URL starts with a padlock icon and “https.” An “http” won’t cut it.
  • Two-step verification. If your financial institution offers this, then activate it. Call the bank if its website doesn’t have this information.
  • Online banking. If possible, conduct this on a separate computer just for this purpose.
  • Change the router’s default password; otherwise it will be easy for hackers to do their job.
  • Wired ethernet link. This is better than a powerline or Wi-Fi for protection. To carry out an ethernet attack, the thief would probably have to break into a home and set up a device, whereas Wi-Fi data can be snatched out of the air, and powerline data can leak into next-door.
  • Encryption. If you must use Wi-Fi or powerline networks, encryption will scramble data, but a hacker can crack into Wi’Fi’s WEP.
  • Say no to third-party Wi-Fi hotspots.
  • Security updates. Keeping up to date will guard against hackers who use a keylogger to figure out your keystroke pattern—which can tell him your passwords.
  • Hotshot Shield; This service protects you from fraudulent activity when you’re working online in an unprotected network (wired or wireless), such as at airports, hotels or coffee houses.
  • Get identity theft protection. Generally your identity is protected from new account fraud. Many of the services monitor your data on the dark web.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

How Law Enforcement Detects Breaches Before Victims

Law enforcement agencies detect data breaches before businesses do because the former seeks evidence of the cyber crime, reports a networkworld.com article.

1GUnlike law enforcement agencies, businesses don’t go undercover in hacker forums. Nor do they get court permission to bust into enclaves of cyber thieves. Businesses don’t have moles. It continues: Law enforcement agencies interview imprisoned cyber crooks. The FBI does a lot of undercover work.

Law enforcement may then approach a company and say, “You’re being victimized; we have the evidence.” But often, the company may be skeptical of such a claim. Admittance means facing government response and upset customers

The law is always buffing up on its skills at fighting cybercrime to keep up with its evolution, such as a drastic decrease in solitary criminals and an increase in complex crime rings. These rings have all sorts of technical tricks up their sleeves, including hosting their own servers and changing up their communication methods to vex law enforcement. It doesn’t help that some foreign countries don’t place an emphasis on fighting cybercrime.

The evidence that the law presents to the business when that time comes is rock solid, though again, the company may lack aggression in its immediate response. The company’s legal counsel is commonly the first person to get the forensics report. Upper management usually gets involved before the IT department does. This is all part of keeping legal control over potentially harmful situation.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Bankers on the Front lines of Cyber Defense

There was once a time when the only threat to a bank’s security was when that innocent-looking man hands a note to the bank teller that makes her face go ashen. And the only security, save for video surveillance, was the armed guards and the silent alarm that the teller triggers.

2DNowadays, terms like firewalls, encryption, anti-virus and cloud providers are just as important to a bank’s security as are the armed guards, huge windows, security cameras and steel vaults. No longer is the masked robber who says “Hand over the money” a bank’s biggest threat. ATM skimming, where nobody is ever shot at, is at the top of the list.

The Three Directions of Banking Security

  • Analyzing big data and assessing potential threats
  • Banks joining forces by sharing information relevant to protection against cybercrime
  • Focusing more on fast recovery and less on prevention of crime

That last point is because breaches are always going to occur no matter how thick the security is, and there’s a lot of room to improve in terms of recovery speed. So it makes sense that this shift in attention is developing at an increasing rate.

A New Breed of Locks

Banks require many layers of protection, and this includes keycards, which allow select employees through specific doors at specific times. Just stick the card in a slot and the door opens (a common device also used in hotels).

Keycards are also used by extraneous service people. A lost card can be immediately turned off, and cheaply replaced, whereas traditional locks would cost a bundle.

Customized badges are another way that financial institutions have improved security measures, replacing keys and keycards. Employees can be “add onto” a badge, and a lost and found badge can be deactivated and activated, respectively.

Anti-Skimming Devices

Anti-skimming devices can significantly reduce this crime, when a thief puts a phony reader over an ATM device to capture a customer’s card data. The volume of skimming crimes is enormous, yet many ATMs still have no anti-skimming protection.

Cloud Storage for Data

More and more financial organizations are relying upon cloud computing, though this technology also brings with it some concerns, since the cloud involves a third-party provider—which can turn bank data over to the government without the bank’s permission.

A way around this is for the bank to encrypt data prior to placing it in a cloud, and to keep encrypting it even when at rest, and retain the encryption keys.

Biometrics

Fingerprint swiping to withdraw money is one of the latest security tactics: multispectral imaging (MSI). Who can possibly “skim” that? This is biometric technology and is already in thousands of ATMs. This “inner fingerprint” is immune to breakdown from grime, wear or moisture, making it very tamper resistant.

Look for even more progress in the multilayered security of financial institutions in the years to come—technologies that right now we can’t even comprehend.

For more information about this shifting industry, visit:

securitymagazine.com/articles/print/85356-banking-battlegrounds-cyber-and-physical-security-risks-today

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Study Shows Businesses not prepared for Attacks

Amazing: With the proliferation of cyber attacks globally, most businesses are ill-prepared to deal with this, says research from the Economist Intelligence Unit and Arbor Networks.

1DPerhaps businesses have an “It won’t happen to us” mindset, even though hackers steal the most sensitive data, force the company to make enormous payments to fix the situation, and crush its customers’ trust, in turn damaging future profits. It’s a pebble-thrown-into-a-pond effect: Those ripples just keep going out and out.

Haven’t companies learned from that giant retailer breach in December of 2013? That big retailer was left toppled. Companies don’t realize that if they nickel-and-dime security, they’ll get what they pay for.

The research turned up the following after surveying 360 senior business leaders in organizations nationwide and in Europe and Asia-Pacific:

  • 77 percent experienced a security breach within the past two years.
  • 38 percent lack a response plan for a cyber attack.
  • 17 percent believe they’re “fully prepared” for a cyber attack.
  • Many of the survey participants reported that they relied upon IT departments to deal with the issue of cyber threats. However, companies that indeed suffered a data breach within the past two years were actually twice as likely to have relied upon a third-party IT team.
  • 41 percent of business decision makers believe that a more solid understanding of risks and potential threats would assist them in being better prepared, but, oddly, only one-third of businesses share concerning situations with other businesses for the sake of spreading best practices and information.
  • 57 percent do not report incidents on a voluntary basis if they’re not legally required to do this.

Interestingly, while 41 percent of business decision makers believe that a more solid understanding of potential threats would increase preparedness, only one-third of businesses are willing to share information with other businesses about incidents concerning data security.

The big message regarding cyber attacks on businesses all over the world: It’s not “if,” it’s WHEN.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

What is a Man-in-the-Middle Attack?

There’s a reason why most people feel uncomfortable about the idea of someone eavesdropping on them—the eavesdropper could possibly overhear sensitive or private information. This is exactly the risk that computer users face with a common threat called a “Man-in-the-Middle” (MITM) attack, where an attacker uses technological tools, such as malware, to intercept the information you send to a website, or even via your email.

11DJust imagine you are entering login and financial details on an online banking site, and because the attacker is eavesdropping, they can gain access to your information and use it to access your account, or even steal your identity.

There are a variety of ways that attackers can insert themselves in the middle of your online communications. One common form of this attack involves cybercriminals distributing malware that gives them access to a user’s web browser and the information being sent to various websites.

Another type of MITM attack involves a device that most of us have in our homes today: a wireless router. The attacker could exploit vulnerabilities in the router’s security setup to intercept information being sent through it, or they could set up a malicious router in a public place, such as a café or hotel.

Either way, MITM attacks pose a serious threat to your online security because they give the attacker the ability to receive and request personal information posing as a trusted party (such as a website that you regularly use).

Here are some tips to protect you from a Man-in-the-Middle attack, and improve your overall online security:

  • Ensure the websites you use offer strong encryption, which scrambles your messages while in transit to prevent eavesdropping. Look for “httpS:” at the beginning of the web address instead of just “http:” which indicates that the site is using encryption.
  • Change the default password on your home Wi-Fi connection so it’s harder for someone to access.
  • Don’t access personal information when using public Wi-Fi networks, which may, or may not, be secure.
  • Be wary of any request for your personal information, even if it’s coming from a trusted party.
  • Protect all of your computers and mobile devices with comprehensive security software, like McAfee LiveSafe™ service to protect you from malware and other Internet threats.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

What is a Backdoor Threat?

Did you accidentally leave the back door open? This thought can be scary because you know that leaving the back door open at home could allow someone to enter your home and take your personal belongings.

6DThe same is true for a backdoor in the computer world. It is a vulnerability that gives an attacker unauthorized access to a system by bypassing normal security mechanisms. This threat works in the background, hiding itself from the user, and it’s very difficult to detect and remove.

Cybercriminals commonly use malware to install backdoors, giving them remote administrative access to a system. Once an attacker has access to a system through a backdoor, they can potentially modify files, steal personal information, install unwanted software, and even take control of the entire computer.

These kinds of attacks represent a serious risk to users of both computers and mobile devices since an attacker can potentially gain access to your personal files, as well as sensitive financial and identity information.

Say, for instance, an attacker uses a backdoor to install keylogging software on your computer, allowing them to see everything that you type, including passwords. And once this information is in the hands of the cybercriminals, your accounts could be compromised, opening the door to identity theft.

Here are a few tips to protect you from back door threats:

  • Use comprehensive security software on your computers and mobile devices, like McAfee LiveSafe™ service, to protect you from malware.
  • Never click on an email attachment or a link sent from people you don’t know and watch what you download from the web.
  • Be careful about which sites you visit, since less secure sites could contain a so-called “drive-by download”  which is able to install malware on your computer simply by visiting a compromised web page. You can check the safety of a website before you visit it by using our free McAfee® SiteAdvisor® tool, which tells you if a site is safe or not right in your search window.
  • Only install programs that you really need, minimizing your exposure to potential vulnerabilities.

Make sure you don’t leave any back doors open. Stay safe online!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

What is Social Engineering?

No, it’s not some new engineering field to develop social media sites. Social engineering has been around as long as the con artist has been around. The terms stems from the social science world where social engineering is deemed as an act of psychological manipulation.

social_engineeringIn our tech-laden world of today, social engineering still involves deceit but it’s used to deceive you into giving up personal or sensitive information for the bad guys’ financial gain. Social engineering can take many forms from an email, phone call, social networking site, text messages, etc., but they all have the same intent—to get you to part with valuable information.

Any one of us can be a target. And social engineering continues to be a tool that cybercriminals use because it works. They play on our emotions and our innate sense to want to trust others and be helpful. The also rely on the fact that many of us are not aware of the value of the information we possess and are careless about protecting it.

For instance, after major natural disasters or major news topics, like a hurricane or earthquake, cybercriminals sent out scores of bogus emails, calling for sympathy and donations for the victims, just so they could line their pockets.

In addition to sympathy, the bad guys also barter in fear, curiosity and greed. From emails offering fake lottery winnings (greed), to dangerous download sites advertising a preview of the latest Lady Gaga song (curiosity), to devious popup messages that warn you that your computer is at risk (fear), today’s cybercriminals are masters at manipulating our emotions.

And because their tricks often look legitimate, it can be hard for you to identify them. You could wind up accidentally infecting your machine, or sharing personal and financial information, potentially leading to monetary loss and even identity theft.

How can you protect yourself?

  • Never respond to a message from someone you don’t know and never click on a link in an unsolicited message, including instant messages, and any time the phone rings and they are requesting personal information consider it a scam.
  • Be suspicious of any offer that seems too good to be true, such as the lure of receiving thousands of dollars just for doing a wire transfer for someone else.
  • If you are unsure whether a request is legitimate, check for telltale signs that it could be a fake, such as typos and incorrect grammar. If you are still unsure, contact the company or organization directly. Financial institutions, and most sites, don’t send emails or text messages asking for your user name and password information.
  • When using social networking sites, don’t accept friend requests from people you don’t know, and limit the amount of personal information you post to your profile.
  • Consider using a safe browsing tool such as McAfee® SiteAdvisor® software, which tells you whether a website is safe right in your search results, helping you navigate away from phony sites.
  • Make sure your all your devices are protected with comprehensive security, like McAfee LiveSafe™ service that protects all your PCs, Macs, smartphones and tablets.

So remember to ask yourself if this is really legit, the next time you get a message that plays on your emotions. Stay safe online!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Stolen Identities are cheap on the Darknet

What a steal: You can purchase a U.S. stolen identity for $25, and an overseas one for $40. Cybercrime is booming. Cybercriminals are competing even against each other. Data theft is becoming increasingly easier, with more and more people gaining entry into this realm. It’s no longer for the elite.

11DHiring someone to perform a cybercrime doesn’t take technical knowledge; only the ability to pay. Even a computer isn’t necessary, and the crime can be outsourced.

The underground of cyberspace is known as the Darknet. Illegal activities of the Darknet are mighty cheap these days.

  • Under $300: credentials for a bank account that has a balance of $70,000-$150,000.
  • $400-$600 a month: Hire a crook to fire a denial-of-service attack on your online competitor to knock it offline. This service can also go for $2 to $5 per hour. Prices are actually quite varied, but the range goes well into the cheap end.
  • $40 bought a personal identity (U.S. stolen ID as of 2011), and $60 bought a stolen overseas ID (as of 2011). Currently, these IDs cost 33 to 37 percent less.

Other Crime Fees

  • $100 to $300: hack a website
  • $25 to $100: A hacker will steal all the data they can on a person or business by using social engineering or Trojan infiltration.
  • $20: a thousand bots; and $250 will get you 15,000.
  • $4 to $8: one stolen U.S. credit card account including CVV number ($18 for European accounts)

What does all this mean to you? It means your identity is at risk.

  • Update your PC with the most current antivirus, antispyware, antiphishing and a firewall.
  • Update your devices critical security patches.
  • Require password access for all your devices and use strong passwords for your accounts.
  • Invest in identity protection because even if you secure your data, a major retailer or bank can be breached putting your data at risk.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Socint: disseminating cybercrime through social intelligence

People talk—A LOT. They can’t stop talking. Talking, getting something off your mind and out there feels good. Talking takes the pressure off one’s mind; our mouths are like relief valves for our heads. The problem has always been that people blurt out whatever is on their mind and say things that often get them in trouble. And yes, I’ve done it too.

But now people now post their thoughts online, which in many cases is even worse because it’s not one on one; it’s to the world. We’ve seen numerous kids, teachers, employees, officials, politicians, celebrities, and folks from just about every walk of life say or post something that has resulted in backlash and sometimes arrest.

The arrest part is very interesting. Law enforcement and government are paying close attention to social media and what is being said. A man in Toronto posts on Twitter he’s looking for a drug dealer, provides a location for where he is, and says, “I need a spliff”—slang for marijuana—and the Toronto police respond, “Awesome, can we come too?”

But it goes much deeper than that. NextGov.com reports, “Criminals, organized crime syndicates, gangs and terrorists also use social media. They post information and share photos and videos, and terrorist groups use the tools to recruit new members, disseminate propaganda and solicit funds.”

It seems the next stage to investigate and prevent crime is through social intelligence combined with social analytics, hence “Socint”. Continues NextGov.com: “Officials can use this type of social media-driven intelligence to gain insight, investigate, construct countermeasures and refocus resources.”

So what do YOU do? If you are doing anything illegal, stop…or just keep doing what you are doing and let’s just hope you get caught. For the rest of us who want a little more privacy or don’t want to get in trouble because we say stupid stuff, pay attention:

  • Know that everyone’s watching: What you say or post lasts forever, and it can and will bite you.
  • Lock down privacy settings: Each social site has its own privacy settings. They change often and they require your attention at least semiannually.
  • Update security settings: Criminals are creating viruses in record numbers for computers, mobiles and tablets. It is essential to updates your operating system’s critical security patches and antivirus, antispyware and antiphishing.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures For Roberts FREE ebook text- SECURE Your@emailaddress –