Social Network is Accused of Identity Theft

/0 Comments/in , , , , , , , , , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

The state of New York, Office of the Attorney General plans to sue the social-networking site Tagged.com for allegedly using deceptive e-mails in order to gain new users.

It is alleged that the social-networking service stole the identities of more than 60 million Internet users by sending e-mails to people saying that members of the site had tagged them in photos but the photos did not exist and that Tagged raided their private accounts.

The e-mails that people received appeared to come from their friends via the website as an offer to look at the friends pictures and join in. It is believed that Tagged, would then illegally get access to those new users’ e-mail address books and send out more messages without those users’ knowledge. Tagged will be sued for deceptive e-mail marketing practices and invasion of privacy, the office said.

In a statement by their CEO he said “Simply put, it was too easy for people to quickly go through the registration process and unintentionally invited all their contacts.”

I received the same emails from friends, people who were “duped”. I spoke to those people and understand it to be true that, it was too easy for people to quickly go through the registration process and unintentionally invited all their contacts.

I don’t believe identities were stolen at any level and that anyone using terms such as “stolen Identity” or “identity theft” are grossly mistaken, but “email harvesting” and a degree of spam and questionable marketing may have occurred.

Here is exactly what happened. A person receives an email saying their friend wants to show them a picture. They have to visit the site, sign in, and register to view it. In that process they are asked for their user name and password from their web based email account to invite more friends to their new account. Many people have done this in Twitter, LinkedIn and Facebook. The lie told is there is no picture to be seen. That’s deceptive marketing, not identity theft.

Criminal hackers have been using the same ruse to get people to log in to a spoofed Facebook account for the past year. Once logged in the user is requested to download a file to watch a video. This download has a virus that allows a full takeover of their account. It almost looks like Tagged took a page out of the criminal hackers book using the same ruse, but without the virus or the spoofed site.

The fact is whenever you register for a social networking site you are asked to plug in your credentials and invite your address book. Doing this is not a bad thing, unless the company you are trusting is a bad corporate citizen. That said; don’t provide any website your log in credentials to your web based email account if you don’t believe them to be 100% legit. Further, when you have web based cloud accounts that contain email and also have proprietary documents or files within that account NEVER GIVE THAT DATA TO ANY COMPANY.

All that said, regardless, you should still protect yourself from real identity theft.

Here is how;
1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.
2. Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing social network is accused of identity theft.

Sarah Palin Victim of Social Media Identity Theft, LaRussa Drops Suit

/1 Comment/in , , , , , , , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

Since the beginning of the presidential campaign, Sarah Palin has used Twitter and Facebook to communicate with the public. Impostors have taken every opportunity to jack her persona, even hacking into her personal email account.

Now, hackers and impostors are chiming in on Sarah Palin’s resignation. The Twitter profile for ExGovSarahPalin snags and reuses graphics, photos and tweets from Sarah Palin’s “Verified” Twitter acount, AKGovSarahPalin. This fake Palin account is still live as of this writing. In one tweet, a Palin impersonator invited followers to her home for a barbecue. Her security staff was reading these tweets and quickly dispatched security personnel to her home to intercept unwanted visitors.

Twitter has a “parody impersonation policy” that permits impersonation, as long as the parody is clear to readers. It’s puzzling to me that they would allow this, particularly in the case of the fake Sarah Palin account, which is plastered with Governor’s likeness.

Social media is not prepared for this type of use. And Twitter should rethink its policies.

Meanwhile, USA Today reports that St. Louis Cardinals manager Tony LaRussa, who has also fallen victim to social media identity theft and has sued Twitter, claiming damage resulting from “cybersquatting” and misappropriation of his name, has now dropped his lawsuit. One report mentions an out of court settlement that compensates LaRussa for his legal fees and includes a donation to his favorite charity. Twitter co-founder Biz Stone blogged a denial of such a settlement.

Financial identity theft is impossible to prevent 100% of the time, and so is social media identity theft. However, there are ways to lock down your name and protect yourself, or at least to mitigate the potential damage to your name and reputation.

As we spend more time online, meeting people, posting photos and offering glimpses into our personal lives, here are some action steps to keep Social Media Identity Theft at bay:

1. Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday.
2. Set up a free Google Alerts for your name and get an email every time your name pops up online. Go to iSearch.com by Intelius and search your name and any variations of your name in what would be a screen name.
3. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google Alerts does of fetching your name on the web.
4. Consider dropping a few bucks on Knowem.com and other sites like them. These online portals go out and register your name at what they consider the top social media sites. Their top is a great start. The user experience is relatively painless. There is still labor involved in setting things up with some of them. And no matter what you do, you will still find it difficult to complete the registration with all the sites. Some of the social media sites just aren’t agreeable. This can save you lots of time, but is only one part of solving the social media identity theft problem.
5. Start doing things online to boost your online reputation. Blogging is best. You want Google to bring your given name to the top of search in its best light, so when anyone is searching for you they see good things. This is a combination of online reputation management and search engine optimization for your brand: YOU.
6. If you ever stumble upon someone using your likeness in the social media, be very persistent in contacting the site’s administrators. They too have reputations to manage and if they see someone using your photo or likeness they would be smart to delete the stolen profile.
7. Despite all the work you may do to protect yourself, you still need the Intelius Identity Protect service I’m working with and recommend coupled with Internet security software.

Robert Siciliano, identity theft speaker, discusses scams.

TJX Identity Theft Costs Another 10 million, Protect Yourself from WarDriving

/0 Comments/in , , , , , , , , , , , , , , , , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

Most people are familiar with the TJX data breach, in which 45 million credit card numbers were stolen. TJX recently agreed to pay $9.75 million to 41 states to settle an investigation of the massive data breach. According to some reports, TJX has spent up to $256 million attempting to fix the problem that led to the breach.

It’s been said repeatedly that the criminal hackers responsible for the breach were sitting in a car outside a store when they stumbled across a vulnerable, unprotected wireless network using a laptop, a telescope antenna, and an 802.11 wireless LAN adapter. This process is called “Wardriving.”

WiFi is everywhere. Whether you travel for business or simply need Internet access while out and about, your options are plentiful. You can sign on at airports, hotels, coffee shops, fast food restaurants, and now, airplanes. What are your risk factors when accessing wireless? There are plenty. WiFi wasn’t born to be secure. It was born to be convenient. As more sensitive data has been wirelessly transmitted over the years, the need for security has evolved. Today, with criminal hackers as sophisticated as they ever have been, wireless communications are at an even higher risk.

When setting up a wireless router, there are two different security techniques you can use. WiFi Protected Access is a certification program that was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy. Wired Equivalent Privacy was introduced in 1997 and is the original form of wireless network security. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks.

It’s one thing to access your own wireless connection from your home or office. It entirely another story when accessing someone else’s unprotected network. Setting up a secure WiFi connection will protect the data on your network, for the most part, but if you’re on someone else’s network, secured or unsecured, your data is at risk. Anyone using an open network risks exposing their data. There are many ways to see who’s connected on a wireless connection, and gain access to their data.

There are a few things you should do to protect yourself while using wireless. Be smart about what kind of data you transmit on a public wireless connection. There’s no need to make critical transactions while sipping that macchiato.

Don’t store critical data on a device used outside the secure network. I have a laptop and an iPhone. If they are hacked, there’s nothing on either device that would compromise me.

Install Hotspot Shield. A free ad supported program, Hotspot Shield protects your entire web surfing session by securing your connection, whether you’re at home or in public, using wired or wireless Internet. Hotspot Shield does this by ensuring that all web transactions are secured through HTTPS. They also offer an iPhone application. There are fee based programs, including Publicvpn.com and HotSpotVPN, which can create a secure “tunnel” between a computer and the site’s server.

Turn off WiFi and blue tooth on your laptop or cell phone when you’re not using them. An unattended device emitting wireless signals is very appealing to a criminal hacker.

Beware of free WiFi connections. Anywhere you see a broadcast for “Free WiFi,” consider it a red flag. It’s likely that free WiFi is meant to act as bait.

Beware of evil twins. These are connections that appear legitimate but are actually traps set to snare anyone who connects.

Keep your antivirus and operating system updated. Make sure your anti-virus is automatically updated and your operating systems critical security patches are up to date.

Invest in Intelius Identity Protect. Because when all else fails you’ll have someone watching your back. Includes a Free Credit Report, SSN monitoring, Credit & Debit Card monitoring, Bank Account monitoring, Email fraud alerts, Public Records Monitoring, Customizable “Watch List”, $25,000 in ID theft insurance, Junk Mail OptOut and Credit Card Offer OptOut.

Robert Siciliano identity theft speaker discussing criminal wireless hack

Social Media Identity Theft Hits MLB Coach On Twitter

/0 Comments/in , , , , , , , , , , , , , /by

Identity Theft Expert Robert Siciliano

The scourge of identity theft knows no boundaries. It can happen to anyone: rich, poor, good credit, bad credit. Victims include children, the elderly, celebrities and politicians, even the dead. Identity theft may include new account fraud, account takeover, criminal identity theft, business identity theft and medical identity theft. Most of these result in financial loss.

One form of identity theft that is particularly damaging to the victim’s reputation is social media identity theft. Social media identity thieves have various motivations. The most damaging type of social media identity theft occurs when someone poses as you in order to disrupt your life. This disruption can take on many forms. They may harass and stalk you or your contacts, or they may steal your online identity for financial gain.

In the case of St. Louis Cardinals manager Tony La Russa, someone created a Twitter account in his name. La Russa is suing Twitter, claiming the impostor Twitter page damaged his reputation and caused emotional distress. The lawsuit includes a screen shot of three tweets. One, posted on April 19, read, “Lost 2 out of 3, but we made it out of Chicago without one drunk driving incident or dead pitcher.” Apparently, La Russa has had a drunk driving arrest and two Cardinals pitchers have died since 2002. One pitcher died of a heart attack, the other in a drunk driving accident.

There is no limit to the damage someone can do by using your name and picture in order to impersonate you online. In Milwaukee, Wisconsin, an 18 year old student was accused of posing as a girl on Facebook, tricking at least 31 male classmates into sending him naked photos of themselves, and then blackmailing some of these young men for sex acts.

Social media websites were created with the intention of bringing people together in a positive way, but we are beginning to see these sites being used in very sinister ways. The root of the problem is the fact that social media sites are all based on the honor system, with the assumption that people are honestly setting up accounts in their own names. There are few checks and balances in the world of social media, which means that you need to adopt a strategy from yet another form of predator to protect yourself.

There are hundreds or even thousands of social media sites, including Facebook, MySpace, Twitter and YouTube. Even your local newspaper’s website has a place for user comments, and most people would prefer to register their own names before someone else has done so on their behalf.

I have obtained over 200 user names pertaining to my given name in order to mitigate social media identity theft. This may sound obsessive, but the two examples given above are all the proof anyone needs to clamp down on social media. I’m on everything from Affluence.org to Zooomr.com. Some I use, others just have my profile and a link back to my website. I should also mention that there are some hazards involved in such a mission. You may experience a spike in spam, as I did, so I suggest creating an alternate email address. Furthermore, some websites make you join various groups that you don’t have much control over. I’m now a member of some masochistic fetish group of the opposite sex. Not exactly what I signed up for. So be careful.

The goal is to obtain your real first and last name without periods, underscores, hyphens, abbreviations or extra numbers or letters.

These tips bear repeating:

  1. Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday.
  2. Set up a free Google Alerts for your name and get an email every time your name pops up online.
  3. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google Alerts does of fetching your name on the web.
  4. Consider dropping $65 on Knowem.com. This is an online portal that goes out and registers your name at what they consider the top 120 social media sites. Their top 120 is debatable, but a great start. The user experience with Knowem is relatively painless. There is still labor involved in setting things up and with some of the 120. And no matter what you do, you will still find it difficult to complete the registration with all 120 sites. Some of the social media sites just aren’t agreeable. This can save you lots of time, but is only one part of solving the social media identity theft problem.
  5. Start doing things online to boost your online reputation. Blogging is best. You want Google to bring your given name to the top of search in its best light, so when anyone is searching for you they see good things. This is a combination of online reputation management and search engine optimization for your brand: YOU.
  6. If you ever stumble upon someone using your likeness in the social media, be very persistent in contacting the site’s administrators. They too have reputations to manage and if they see someone using your photo or likeness they would be smart to delete the stolen profile.
  7. Or do nothing and don’t worry about it. But when some other John Doe does something stupid or uses your name in a disparaging way or for identity theft, and people assume that it’s you, remember that I told you so.
  8. Despite all the work you may do to protect yourself, you still need identity theft protection and Internet security software.

Robert Siciliano, identity theft speaker, discusses social media privacy.

mCrime; Hacking Mobile Phones for Identity Theft

/0 Comments/in , , , , , , , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

History indicates that we are at the forefront of an era in which criminal hackers develop tools and techniques to steal your money using your own cell phone.

Fifteen years ago, cell phones were so bulky and cumbersome, they had to be carried in bags or briefcases. Then they became chunky, heavy bricks. Calls dropped every other minute. Clearly, cell phones have evolved since then. Today’s cell phone is a lot more than a phone. It’s a computer, one that rivals many desktops and laptops being manufactured today. A cell phone can pretty much do everything a PC can do, including online shopping, banking, and merchant credit card processing.

The personal computer started out slow and stodgy, and was mainly used for things like word processing and solitaire. Today, PCs are fast, multimedia machines, capable of performing amazing tasks.

There are consequences to the rapid evolution of these technologies.

A decade ago, during the slow, dial up era, hackers (and, in the beginning, phreakers) hacked for fun and fame. Many wreaked havoc, causing problems that crippled major networks. And they did it without today’s sophisticated technology.

Meanwhile, the dot-com boom and bust occurred. Then, as e-commerce picked up speed, high speed and broadband connections made it easier to shop and bank online, quickly and efficiently. Around 2003, social networking was born, in the form of online dating services and Friendster. PCs became integral to our fiscal and social lives. We funneled all our personal and financial information onto our computers, and spent more and more of our time on the Internet. And the speed of technology began to drastically outpace the speed of security. Seeing an opportunity, hackers began hacking for profit, rather than fun and fame.

Now, iPhones and other smart phones have become revolutionary computers themselves. For the next generation, the phone is replacing the PC. AT&T recently announced that they’ll be upping the speed of the latest version of their 3G network, doubling download speeds. It has been reported that the next iPhone will have 32 gigabytes. That’s more hard drive than my three year old laptop.

So naturally, criminal hackers are considering the possibilities offered by cell phones today, just as they were looking at computers five years ago.

Two things have changed the game: the speed and advancement of technology and spyware. Spyware was created as a legitimate technology for PCs. Spyware tracks and records social network activities, online searches, chats, instant messages, emails sent and received, websites visited, keystrokes typed and programs launched. It can be the equivalent of digital surveillance, revealing every stroke of the user’s mouse and keyboard. Parents can use spyware to monitor their young children’s surfing habits and employers can make sure their employees are working, as opposed to surfing for porn all day.

Criminal hackers created a cocktail of viruses and spyware, which allows for the infection and duplication of a virus that gives the criminal total, remote access to the user’s data. This same technology is being introduced to cell phones as “snoopware.” Legitimate uses for snoopware on phones do exist: silently recording caller information, seeing GPS positions, monitoring kids’ and employees’ mobile web and text messaging activities. Criminal hackers have taken the snoopware and spyware technology even further. Major technology companies agree that almost any cell phone can be hacked into and remotely controlled. Malicious software can be sent to the intended victim disguised as a picture or audio clip, and when the victim clicks on it, malware is installed.

One virus, called “Red Browser,” was created specifically to infect mobile phones using Java. It can be installed directly on a phone, should physical access be obtained, or this malicious software can be disguised as a harmless download. Bluetooth infared is also a point of vulnerability. Once installed, the Red Browser virus allows the hacker to remotely control the phone and its features, such as the camera and microphone.

While this may sound improbable, I’ve consulted and appeared on television (Tyra Banks and Fox) with an entire family that seems to have been victimized by every aspect of snoopware. The Kuykendalls, of Tacoma, Washington, found that several of their phones had been hijacked in order to spy on them. They say the hacker was able to turn a compromised phone on and off, use the phone’s camera to take pictures, and use the speakerphone as a bug. Ever since the program featuring the Kuykendalls’ story aired and continues to repeat, I’ve received dozens of emails from people around the world who have experienced the same thing. Many of these people seem totally overwhelmed by what has happened to them, and some are beginning to suffer financial losses.

If history is any indication of the future, mobile phones, just like computers, will soon be regularly hacked for financial gain. Prepare for mCrime in the form of credit card fraud, identity theft and data breaches.

Some Internet security software providers are beginning to offer software specifically for mobile phones. In the meantime, identity theft protection services are one line of defense against the latest cybercrime techniques.

Robert Siciliano, identity theft speaker, discusses hacked cell phones.

Data Breaches; LexisNexis – FAA Hacked, Botnets Grow, Hackers Hold Data Ransom

/1 Comment/in , , , , , , , , , , , , , , /by

Identity Theft Expert

What a week. Just when it starts to get boring, criminal hackers put on a spectacular show.

Criminal hackers continue to step up to the plate. Security professionals are fighting, and sometimes losing, the battle. Here’s one week’s worth of hacks:

Lexis Nexis, which owns ChoicePoint, an information broker I recently blogged about that was hacked in 2005, was just hacked again this week. On Friday, LexisNexis Group notified more than 32,000 people that their information may have been stolen and used in a credit card scam that involved stealing names, birth dates and Social Security numbers to set up fake credit card accounts. The cybercriminals broke into USPS mailboxes of businesses that contained LexisNexis database information, according to a breach notification letter sent by LexisNexis to its customers. The U.S. Postal Inspection Service is investigating the matter. (Check your credit reports and examine        your credit card statements carefully!)

CNET reports that hackers broke into FAA air traffic control systems, too. The hackers compromised an FAA public-facing computer and used it to gain access to personally identifiable information, such as Social Security numbers, for 48,000 current and former FAA employees. In a House Oversight and Government Reform Subcommittee testimony, it was stated, “FAA computer systems were hacked and, as the FAA increases its dependence on modern IP-based networks, the risk of the intentional disruption of commercial air traffic has increased.”

Computerworld reports that a hacker has threatened to expose health data and is demanding $10 million. Good for him, bad for the Virginia Department of Health Professions. The alleged ransom note posted on the Virginia DHP Prescription Monitoring Program site claimed that the hacker had backed up and encrypted  more than 8 million patient records and 35 million prescriptions and then deleted the original data. “Unfortunately for Virginia, their backups seem to have gone missing, too. Uh oh,” posted the hacker. Holding data hostage is nothing new, but it is      becoming increasingly common.

The Register reports that bot-herders have taken control of 12 million new IP addresses in the first quarter of 2009, a 50% increase since the last quarter of 2008, according to an Internet security report from McAfee. The infamous Conficker superworm has occupied all the headlines, and makes a big contribution to the overall figure of compromised Windows PCs, but other strains of malware collectively make a big contribution to this number. McAfee’s Threat Report notes that the US is home to 18% of botnet-infected computers.

While you can’t do much about others being irresponsible with your data, you can protect your identity, to a degree. Consider investing in identity theft protection and always keep your Internet security software updated.

Robert Siciliano, identity theft speaker, discusses Ransomware.

P2P on Your PC Equals Identity Theft

/2 Comments/in , , , , , , , , , /by

Robert Siciliano Identity Theft Speaker

Peer to peer file sharing is a great technology used to share data over peer networks.  It’s also great software to get hacked.

The House Committee on Oversight and Government Reform is responding to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords. This is the same P2P software that allows users to download pirated music, movies and software.

What’s interesting is that they didn’t already realize this was going on. Most of the committee members probably have kids, and their own home PCs probably have P2P software installed.

An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software. In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and, frankly, the most fun kind of hacking. I’ve seen reports of numerous government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.

The House Committee on Oversight and Government Reform sent letters to the Attorney General and FTC Chairman, asking what the Department of Justice is doing to prevent the illegal use of P2P. Which is kind of ridiculous, because it’s not illegal to use P2P programs. Even if it were made illegal, P2P file sharing is a wild animal that can’t be tamed.

The letter also asks what the government is doing to protect its citizens. Okay. I’ve sat with both the FTC and the DoJ. These are not dumb people. I‘ve been very impressed by how smart they are. They know what they are doing and they see the major issues we face. But they are not in a position to prevent an Internet user from installing a free, widely accessible software, and subsequently being stupid when setting it up and unintentionally sharing their C-drive with the world. No government intervention can prevent this. The House Committee on Oversight and Government Reform should focus more on educating the public about the use of P2P file sharing.

Politicians are most likely being lobbied and funded by the recording and motion picture industries to put pressure on the providers of such software. Letters and government noise will not do anything to stop file sharing. While there have been plenty of witch hunts leading to prosecutorial victories, the public will always be vulnerable. It is up to us, as individuals, to protect ourselves.

  • Don’t install P2P software on your computer.
  • If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
  • Set administrative privileges to prevent the installation of new software without your knowledge.
  • If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.

Robert Siciliano Identity Theft Speaker video hacking P2P getting lots of fun data.

Government Agencies Engaging in Criminal Hacking Techniques

/4 Comments/in , , , , , , , , , , /by

Identity Theft Expert Robert Siciliano

This article may be a little political. However bad guys are trying to win a cyberwar against us and it’s important to understand what’s being done to protect us.

The US National Security Agency is probably the most sophisticated group of security hackers in the world. Many will argue this point. The fact is, without NSA, US STRATCOM, which directs the operation and defense of the military’s Global Information Grid, and US CERT, attacks on our critical infrastructures would be successful. We’d be living in the dark, telephones wouldn’t work, food wouldn’t be delivered to your supermarket and your toilet wouldn’t flush. These are not the same bumbling government employees you see on C-SPAN.

The Obama administration is in the process of completing aninternal cyber-security review,  announcing plans for cyber-security initiatives and determining who’s going to lead the charge.

The New York Times reports that the NSA wants the job and of course, this is raising hackles amongst privacy advocates and civil libertarians who fear that the spy agency already has too much power. I’m all for checks and balances. However, in order to detect threats against our nation and other global computer infrastructures from criminal hackers and terrorists, those in charge of cyber-security must have full and unlimited access to networks. There is certainly a legitimate concern here that any government agency with too much power can overstep citizens’ rights. However, coming from a security perspective, there are some very bad guys out there who would like nothing more for you to be dead.

Here’s a glowing example of how this power is used for good. Wired.com’s Kevin Poulsen (who should be required reading) reports on an FBI-developed super spyware program called “computer and Internet protocol address verifier,” or CIPAV, which has been used to investigate extortion plots, terrorist threats and hacker attacks in cases stretching back to before the dotcom bust. This is James Bond, Hollywood blockbuster technology that makes for a gripping storyline. The CIPAV’s capabilities indicate that it gathers and reports a computer’s IP address, MAC address, open ports, a list of running program, the operating system type, version and serial number, preferred Internet browser and version, the computer’s registered owner and registered company name, the current logged-in user name and the last-visited URL. That’s the equivalent of a crime scene investigator having fresh samples of blood for the victim and perpetrator, and 360 degree crystal clear video of the crime committed.

The FBI sneaks the CIPAV onto a target’s machine like any criminal hacker would, using known web browser vulnerabilities. They use the same type of hacker psychology phishers use, tricking their target into clicking a link, downloading and installing the spyware. They function like any illegal hacker would, except legally. In one case, they hacked a mark’s MySpace page and posted a link in the subject’s private chat room, getting him to click it. In another case, the FBI was trying to track a sexual predator that had been threatening the life of a teenage girl who he’d met for sex. The man’s IP addresses were anonymous from all over the world, which made it impossible to track him down. Getting the target to install the CIPAV made it possible to find this animal. Numerous other cases are cited in the Wired.com article, including an undercover agent working a case described as a “weapon of mass destruction” (bomb & anthrax) threat, who communicated with a suspect via Hotmail, and sought approval from Washington to use a CIPAV to locate the subject’s computer.

So while Big Brother may yield some scary power, criminals and terrorists are a tad scarier. I’ve always viewed the term “Big Brother” as someone who watches over and protects you. Just my take.

As always, invest in identity theft protection and Internet security solutions to keep the bad guys and the spyware out.

Robert Siciliano, identity theft speaker, discusses spyware.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Scamming the scammers

/0 Comments/in , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

Scammers and even pedophiles are getting hacked by vengeful insidious opportunists.

Who doesn’t love vigilante justice? Some readers may remember Charles Bronson, an American actor who starred in the popular series Death Wish. Bronson played Paul Kersey, a man whose wife is murdered and whose daughter raped. In response, Kersey becomes a crime-fighting vigilante. This was a highly controversial role, as his executions were cheered by crime-weary audiences.

There is a certain amount of satisfaction when the victim becomes victor, exacting justice, and the predator that violates the law is sufficiently punished by the vigilante. Anyone who has ever entertained vengeance fantasies can relate. Of course, one doesn’t need to have been victimized in order to seek justice. Security guard David Dunn, played by Bruce Willis in the movie Unbreakable, avenges a crime committed against someone else.

The Internet has spawned a new breed of opportunist predator. The anonymity of the web, coupled with the inherent naïveté of many computer users, along with development of new technology at a speed that outpaces the learning curve of most users, make confidence crimes easier than ever.

What I find most disturbing are parents with young families who allow their children full, unsupervised Internet access. Fox News reports that in the past 5 years, federal agents have set up honeypots of agents posing as minors to attract pedophiles and have caught upwards of 11,000 in their nets. If they caught 11,000, there must be multitudes that haven’t been caught. What most people don’t realize is that there are over a half million registered sex offenders in the United States, and over 100,000 more sex predators unaccounted for.

“Don’t talk to strangers” used to be the extent of our personal security training. Now, a stranger can be in your 12-year-old daughter’s bedroom at 2 am, chatting on his or her webcam, or even under the covers on the iPhone that he bought her in order to evade her parents’ grasp.

Now, a new form of vigilante justice is occurring: scammers are illegally scamming, blackmailing and extorting other scammers.

The FBI recently caught up with one couple who has been posing as minors, engaging sexual predators in explicit online conversations and then adding a twist. This tech savvy couple are also hackers who engage in black-hat activities. As the predators attempted to gain the trust of the supposed “minors,” the couple was actually gaining access to the predators’ computers, sending numerous files that, when opened, launched an executable and granted full and unauthorized access to the kiddy-fiddlers’ computer systems. After gaining access to the predators’ computers, the couple learned their names, addresses, family members’ contact information, places of employment, and the user names and passwords for all of their financial accounts. Once armed with this type of data, the fun began. The couple would access the pedophiles’ bank, eBay and Paypal accounts. They would also blackmail their victims, threatening to expose their deviant behaviors to anyone who would listen if they didn’t cough up some cash. In one instance, after financial demands were made and not met, the couple accessed the user name and password of a New York teacher who didn’t comply and posted the explicit chats to the teacher’s school’s intranet.

In another example, 3 men apprehended in Kentucky set up a fake child pornography website, then extorted money out of their customers. When arrested, the men confessed to the crime but claimed that they were doing it to punish child pornographers.

Call this blackmail, call it extortion, or call it vigilante justice. You decide.

Robert Siciliano, personal security and identity theft speaker discusses online predators.

Protect your identity and your child’s identity. Install McAfee security software on your PC to prevent predators from intruding. And install child monitoring software to watch your kids online.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

WWW. Weird Wild Web Goes Nutty

/0 Comments/in , , , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

Every day new reports of another flaw and another breach. Today we learn attacks rise 33 percent. I’m not surprised.

Credit card details of 19,000 Brits have been found on a cached Google page, where they had been accidentally published by fraudsters. Silly criminal hackers need to tighten up their data security controls and not publish sensitive data like that!

Reuters reports – Fraud on the Internet reported to U.S. authorities increased by 33 percent last year, rising for the first time in three years, and is surging this year as the recession deepens, federal authorities said.

Internet fraud losses reported in the United States reached a record high $264.6 million in 2008, according to a report released on Monday from the Internet Fraud Complaint Center, run by the FBI and the National White Collar Crime Center.

CNBC reports Online scams originating from across the globe—mostly from the United States, Canada, Britain, Nigeria and China—are gathering steam this year with a nearly 50 percent increase in complaints reported to U.S. authorities in March alone.

About 74 percent of the scams were through e-mail messages last year, especially spam, while about 29 percent used websites. But criminals were increasingly tapping new technologies such as social networking sites and instant messenger services.

The report highlights one new ‘significant’ identity-theft scam involving e-mail messages that give the appearance of originating from the FBI but seek bank account information to help in investigations of money being transferred to Nigeria.

Recipients of the e-mails are told they could be richly rewarded by cooperating. Duh.

Criminal hackers are going hog wild.

Invest in identity theft protection and secure your PC with anti-virus protection such as McAfee

Meanwhile two scumbag criminal hackers are arrested while spying on children between the ages of 14 and 17 using the child’s personal Web cam. The degenerates worked together to extort money from teenagers in exchange for stolen images.

They allegedly gained access to computers using a variety of e-mail addresses and screen names.

Conficker is spawning new hacks such as Scareware as Scammers are taking advantage of the huge interest in the impending “activation” of the Conficker superworm by poisoning search engine results.

Washington Post reports experts have discovered a security hole in the computer code that powers the Conficker worm, an aggressive contagion that has spread to more than 12 million Microsoft Windows systems worldwide.

Stay tuned…

Robert Siciliano Identity Theft Speaker discusses credit card scams here

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.