Identity Theft Speaker; April Fools' Day is Conficker Worm Day

Robert Siciliano Identity Theft Expert

Criminal hackers have created a virus that has slipped into millions of PCs and is set to strike on April Fools' Day. This is no joke.

So far this year it is estimated that somewhere between 3 and 12 million computers have been compromised by the “Conficker” worm, also known as “Downup,” “Downadup” and “Kido,” possibly the largest known global botnet.

Microsoft and others are in a 24/7/365 battle with the makers of Conficker to see who ends up at the finish line first.

None of the PCs infected with Conficker are displaying any of the characteristics generally exhibited by the recent spate of viruses, such as offering a remote control component or being used to host spoofed websites and other malicious, fraud-related activity. At least not yet.

If Conficker reaches its full potential, it will result in data breaches, credit card fraud and numerous forms of identity theft.

It is widely believed that Conficker is waiting for its next set of updates on April 1st to unleash the endgame its writers had in mind.

The sense among security professionals is that Conficker will unleash an uncontrollable fury not yet seen or experienced by the security community.

Conficker replicates like viruses of old and infects PCs that are unpatched and outdated. The virus scans the Internet, seeking out and infecting unpatched computers. Conficker was built with encryption pirated from an MIT researcher and has the ability to circumvent anti-virus programs.

This level of technology has the ability to slip into external hard drives, thumb drives and any memory-based peripheral. When that same peripheral is plugged into another PC, that PC is also infected.

Many PCs in Asia have rogue versions of Windows, and are largely unpatched due to Microsoft not allowing updates.

Update your Microsoft Windows ASAP. Make sure you have up-to-date Internet security software, such as McAfee. Stay away from rogue websites and be careful what you click.

As stated in a previous post, Microsoft offered a global bounty for the arrest and prosecution of whoever created and released the Conficker virus.

Even with the security community vigorously trying to defend PCs globally, in early March millions of Conficker-infected PCs were upgraded into a peer-to-peer network, which makes the botnet even more dangerous by giving each infected PC commanding authority over the others. This means that every PC has the capability of running every other PC on the botnet.

The anticipation among researchers leading up to April 1st is much like that which was felt prior to midnight on December 31st, 1999. The Y2K “bug” was considered a ticking time bomb for all major computer applications.

Much has been done to avert a Conficker disaster, but nobody knows for sure what will happen. April 1st is a day of foolery, but this year it may also be a major breakthrough for hackers, good or bad, to see who is top dog.

See Robert Siciliano, identity theft speaker, discussing viruses in peripherals here.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Identity Theft Expert; Scareware Scares You Into Paying

Robert Siciliano Identity Theft Expert

If one could have a favorite scam, for me it would be “scareware.” My reasoning for this is that it’s one of the few scams that actually gets through to me. My defenses are pretty good, but I still see scareware. They’ve even taken my blog posts and used my name to launch scareware in Google News Alerts. I got some criminal hacker’s attention and he created scareware in honor of lil’ ole me!

Web pages may be infected or built to distribute scareware. The goal is to trick you into clicking on links. After landing on a page, pop-ups bombard you and warn that your PC is infected with an Ebola-like virus and that your PC will die a horrible death with fluids running from all ports if you don’t fix it immediately for $49.95.

Shutting off this pop-up is often difficult and any buttons you press within this pop-up could mean downloading the exact virus they warned you of. BRILLIANT!

Criminals are even using Google Ads, and have posted ads on well known sites such as E-Harmony and Major League Baseball.

I’m online all day, every day and do a ton of research, which means I click lots of links, and see scareware often. If I wasn’t aware of IT security and what this ruse was about, I’d have been bilked of $49.95 long ago. Many people take the bait, more than you can imagine.

Studies show that organized criminals are earning $10,000.00 a day from scareware! That’s approximately 200 people a day getting nabbed. Some “distributors” have been estimated to make as much as $5 million a year.

What makes the scam so believable is there is actual follow through of the purchasing of software that is supposed to protect you. There is a shopping cart, an order form, credit card processing and a download, just like any online software purchase.

The software is sometimes known as “AntiVirus2009,” “WinFixer,” “WinAntivirus,” “DriveCleaner,” “WinAntispyware,” “AntivirusXP” and “XP Antivirus 2008.” These are actually viruses or spyware that infect your PC, or just junk software that does nothing of value.

A report by the Anti-Phishing Working Group, released in March 2009, found 9,287 bogus anti-malware programs in circulation in December 2008 – a rise of 225% since January 2008. That’s simply because the scam works so well.

Teams of criminal hackers each have their own tasks and responsibilities. Team 1 creates pages loaded with scareware and works those pages into the search engines, while others infect legitimate websites. Team 2 creates the junky or spyware-ridden software you are scared into buying. Team 3 creates the infrastructure to process your credit card.

Protect yourself. Invest in anti-virus software, such as McAfee. Make sure your browser has a pop-up blocker turned on, to avoid having to be “scared.” If you get a pop-up, you can close it by clicking the red X in the upper right corner; just don’t click on anything in the body of the pop-up. To be safe, however, I suggest shutting down your entire browser.

Make sure your PC is updated with critical security patches and most of all, be smart.

See Robert Siciliano, identity theft speaker, discuss ransomware, a form of scareware, here.


Identity Theft Prevention is a People Problem

Robert Siciliano Identity Theft Expert

Every week we learn of a new hack, another breach, credit cards stolen and another identity theft victim.

Many have blamed the bad guy or criminal hackers for all the problems we have in the security world. And while the bad guy is certainly a problem, he is only a small part of it.

The people responsible for their own physical or computer security, or for the security of others, are often the guilty ones.

You wonder why your credit card company sent you a new card? Because some baboon didn’t do his job and you were compromised.

Chances are we could look at 7 out of 10 data breaches and point to someone who didn’t properly flip a switch or lock a door.

In recent studies polling companies with 1000 or more employees, when asked to define the most important measures for protecting confidential data, nearly half of all respondents said, “communicating and training users on confidential data security policies.”

And when asked to rate their organization’s performance with regard to “communicating and training users on confidential data security policies,” more than one-fourth of security professionals gave their organization a rating of either “fair” or “poor.”

24% of North Americans rated their organization “poor,” while 38% of Europeans did. I suspect the North Americans are just lying and are just as lax. I read the papers and see the data. Pleeeeze. I have my eye on you Focker.

Security is not entirely an IT problem. There are many “to-dos” and policies in place regarding physical security that must be observed, and if followed properly they would prevent many of the breaches we see.

One plain and simple example is dumpster diving. How prevalent are shredders? I’ve gone through 4. Besides the copy machine or your desk/laptop, a shredder should be the most used home/office appliance.

Here is an infuriating video of a dumpster diver, also a security professional, who spent 3 minutes in the dumpster of a local bank. He found a laptop, wire transfers and Social Security Numbers. That’s not an IT problem. That’s a stupid-lazy-people problem.

How is anyone supposed to feel secure and protect their identity when others are responsible for our security? The fact remains we are an open sore and idiots keep pouring salt in the wounds.

Robert Siciliano Identity Theft Speaker discussing Idiots who didn’t secure a wireless connection and exposed 45 million credit cards Here


Identity Theft Expert; Cybersquatting Leads to Fraud

Robert Siciliano Identity Theft Expert

Ever click on a link from an email or while surfing and something just wasn’t right? The domain name in the address bar looked like a letter or two off? A misspelling? Maybe it had a number tossed in there for good measure? This is either cybersquatting or typosquatting, and it’s a problem.

Cybersquatting is the act of procuring someone else’s trademarked brand name online as a dot com or any other US-based extension.

Cybersquatters squat for many reasons, including impersonating for fun, hoping to resell the domain, using the domain to advertise competitors’ wares, stalking, harassment or outright fraud.

Grabbing someone’s given name is also a form of cybersquatting, and it is happening on social networks and on Twitter. Twitter is affected by Twittersquatting, where people’s names and an estimated top 100 brands have been hijacked.

There are also bunches of Kevin Mitnicks (the hacker) on Facebook, which even prevented the gent from accessing his own Facebook account. Facebook fixed the problem after Mitnick rightfully bitched and CNET made a call. Then Facebook listened. Facebook said, “We are very aggressive in fostering and enforcing our real name culture and sometimes we make mistakes. But it’s rare, and it’s been fixed.”

Cybersquatting is also done maliciously for fraud. Identity thieves will jack a domain similar to that of a bank and create a spoofed site for phishing. Often, if the domain isn’t available, the next best thing is typosquatting. Annualcreditreport.com was a victim of that. More than 200 domains were snapped up right after the site launched.
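The lookalike domains described above (a letter or two off, a digit tossed in, the brand name on another extension or buried in a longer name) are something a brand owner or a corporate defender can watch for in DNS or proxy logs. The following is an added example, not code from the original post: a small Python checker that compares observed hostnames against a constructed watch list of protected brand domains. The brand list, the confusable-character table and the sample hostnames are all constructed for illustration, and the checker assumes simple single-label extensions such as .com.

```python
"""Flag typosquat and cybersquat lookalikes of protected brand domains.

Added example, not code from the original post. The brand list, the
confusable table and the observed hostnames are constructed for illustration.
"""

# Constructed watch list: the brand domains a defender wants to protect.
PROTECTED = ["annualcreditreport.com", "examplebank.com"]

# Substitutions typosquatters commonly use: digits or letter pairs that
# resemble another letter. Applied to the observed label before comparing.
# (Assumes the protected labels themselves contain none of these sequences.)
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(domain):
    """Lower-case, strip a trailing dot and a leading 'www.'."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def split_domain(domain):
    """Return (second-level label, extension). Assumes single-label TLDs like .com."""
    parts = normalize(domain).split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def fold_confusables(label):
    """Replace look-alike characters so 'annua1credit' compares as 'annualcredit'."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: an insert, delete, substitution or
    swap of two adjacent characters each costs 1."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(observed, protected=PROTECTED):
    """Return (brand, reason) when `observed` looks like a squat on a protected
    domain, or None when it is the brand itself or unrelated to any brand."""
    obs = normalize(observed)
    if obs in (normalize(p) for p in protected):
        return None
    o_label, _ = split_domain(obs)
    for brand in protected:
        b_label, _ = split_domain(brand)
        if o_label == b_label:
            return brand, "brand name on a different extension"
        if fold_confusables(o_label) == b_label:
            return brand, "digit or look-alike character substitution"
        if edit_distance(o_label, b_label) == 1:
            return brand, "one character off (typo)"
        if b_label in o_label:
            return brand, "brand name embedded in a longer name"
    return None


def scan(hostnames, protected=PROTECTED):
    """Run classify() over hostnames pulled from, say, an outbound proxy log."""
    hits = []
    for host in hostnames:
        verdict = classify(host, protected)
        if verdict:
            hits.append((normalize(host), verdict[0], verdict[1]))
    return hits


# Constructed sample: hostnames as they might appear in an outbound proxy log.
SAMPLE_HOSTS = [
    "www.annualcreditreport.com",   # the real site: not flagged
    "annualcreditreprot.com",       # two letters transposed
    "annua1creditreport.com",       # digit 1 in place of the letter l
    "examplebank-login.com",        # brand name plus an extra token
    "examplebank.net",              # right name, wrong extension
    "unrelated.org",                # nothing to do with either brand
]

if __name__ == "__main__":
    for host, brand, reason in scan(SAMPLE_HOSTS):
        print(f"{host:28} -> lookalike of {brand}: {reason}")
```

Run as a script it prints four hits and stays quiet about the genuine site and the unrelated name. The substitution check runs before the edit-distance check so that a digit swap is reported as such rather than as a generic one-character typo; in practice the watch list would be the organization’s own domains and the hostnames would come from DNS or proxy logs rather than the constructed list here.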

This is just one more reason to protect yourself from identity theft.

Back in the day, I was accused of cybersquatting! Here. I wasn’t, I swear! Back in the early 90’s, with my IBM PS1 Consultant 3.1 Microsoft operating system and a rockin’ 150MB hard drive, I bought me up some domains as well. Some that I sold, others I regrettably gave up and one that will haunt me till the day I die.

I owned LEDZEPPELIN.com for about 5-6 years. Led Zeppelin then and now is my band, and as a fan I bought the domain as a keepsake. I would get emails from people globally like “I am Paulo from Brazil, I love the Led Zep!”

Then when Clinton passed a law later making cybersquatting illegal, I knew it was a matter of time. I had it for 5 years before anyone from the band’s team of lawyers approached me on it. And when they did I didn’t know how to handle it. And my lawyer at the time even less so. Ultimately I gave it up without a fight on my part, but I’m sure the band’s lawyers billed them for the 1 inch thick book of a lawsuit I was served with. Sorry dudes. My bad.

In this case the lawyers saw an opportunity to build a case against me, a fan that would have been happy with a stupid guitar pick from Jimmy. Instead I sat in silence for a year while they built a huge case as to why they should own the domain. When served, I freaked and called them yelling to take it, I never wanted that.

One of few regrets. But I have a nice 1 inch thick book about me and the band and why I’m an idiot.

Anyways, back to cybersquatting. A recent report from the NY Times, sourcing MarkMonitor, a domain name seller and company that protects brand names from misuse, tracked an 18 percent rise in the incidence of cybersquatting.

Which means that as a brand or individual (or band, eesh) you should get your name on social network sites and as a domain name NOW. Then get your kids’ names as well.

Because they may be Zeppelin famous and have to fight a twit like me.

Robert Siciliano Identity Theft Speaker discussing DNS issues Here


Mom Was Wrong. Strangers Good. People We Know Bad.

Robert Siciliano Identity Theft Speaker

An axiom in business is that we buy from and do business with those whom we know, like and trust. In the 21st century we have seen CEOs, investment bankers, politicians and those in the highest positions of trust completely screw everyone who put them on their pedestal.

Madoff pleaded guilty to orchestrating a 65 billion dollar Ponzi scheme, and 3 rows of investors in attendance at his trial clapped, applauded and sang. These are people that bestowed an incredible amount of money on a man who is probably a psychopath.

What does this say about us as a species that trusts so much?

Charles Ponzi began his scheme 100 years ago and was caught 10 years later. The SEC stepped in and stopped him. The SEC didn’t stop Madoff. They allowed him to prosper, until his operation imploded.

Growing up, most of us were schooled on “Stranger Danger” because our parents were also told not to talk to strangers. Strangers are “strange,” therefore dangerous. At least that seemed to be the theory. Unfortunately I’ve seen all too often that people we know are sometimes the baddest apples in the bunch. Kids’ coaches, swim teachers, clergy, etc.

In a Wall Street Journal article, Bruce Schneier makes the point that people are overall good and generally honest. So approaching a stranger probably wouldn’t mean imminent danger. Basically true.

On the other hand if someone pursues or approaches you, they are essentially paying unwanted attention to you, or distracting you from the truth. Maybe getting ready to take advantage of you in some devious way.

We see this all the time when law enforcement sets up a 14 year old female named Dixey14 in a chatroom and she (or he) is quickly approached by 50 men with webcams snapping pictures of themselves. So in this sense talking to strangers is bad. Video Here

Nigerian identity theft 419 scams are based on one single principle to be successful: get to know your mark, get them to like you and they will trust you. Done. They start off a stranger, then become their victim’s knight in shining armor coming to the emotional (and financial) rescue. Scambaiter video Here

I’ve talked over and over about insiders at a company maliciously hacking away at the network and stealing data. They aren’t strangers, they are the funny drunk dudes at the Christmas party.

You want to prevent being scammed? Prevent Data theft? Prevent identity theft? Prevent being hacked?

Do not exclusively rely on any one system to protect you. Don’t expect the government and their bazillion bureaucratic agencies to protect you. Don’t think law enforcement or any other authoritative agency will be there when a predator strikes.

All existing systems work often, and fail as much.

Security is about layers. The more layers of protection you have in place, the more difficult you make it for the bad guy to get access. Redundancy, and predictive, proactive thinking.

Someone pour me a scotch. Single malt.


Robert Siciliano Identity Theft Expert Discussing Bernie Madoff Con Man Here

Recession Turns IT Workers Into Hackers

Robert Siciliano Identity Theft Expert

What a nasty headline for an article.

On ABCnews.com the journalist roasts IT professionals on a spit. And the comments were all inspiring.

As the recession rears its ugly head, disgruntled ex-employees are in the best position to drop a bomb in the company’s network or suck all the data out with a few terabyte drives.

A recent study by McAfee and Purdue University put the tally of fraud, data loss and damage done at 1 trillion dollars. A thousand billion sounds like a lot of money.

To paraphrase some of the comments:

No matter how you look at it, when heads start to roll, most people that are about to be let go feel unjustly treated and express hostility towards the employer (often, rightly so). These are the same people who were loyal company employees for years. Unfortunately, these are no win-win situations when it comes to the downsizing and companies should take proper actions to address it.

Your system admin is the gate keeper. Anyone who has access to sensitive data can potentially abuse the privilege. The loan officer, the loan processor, the secretary, the human resources gal two cubes down the hall, the cleaning people that take out our trash at night… Without proper controls in place anybody can be the bad guy. On the other hand, with adequate management these issues can be avoided, even when it comes to IT employees.

Manage your end points, your USB devices, your computer ports, your printers… Segregate your system administration roles. Tools are there. And who is going to implement them? Your IT guy. (thank you Sashimi11)

With the incredible amount of layoffs occurring, companies are bound to layoff an employee who will exact some revenge. Some say “Companies whose knee-jerk response is to cut costs by canning employees deserve some wrath”. But, in the end, the wrath doesn’t get you your job back. (thank you Patches777)

Most are working individuals, doing what they do best. All the while staying under the radar, and afraid, just like everyone else, of the threat of layoffs. The latter doesn’t mean an internal switch is flipped and they bug out and start stealing trade secrets. (thank you kyleratliff)

On another note, as budgets are cut and IT pros are let go, the show must go on.

Bill Lynch of RazorThreat said to me, “We are encountering lots of very frustrated CIOs who are caught on the horns of a dilemma…their IT budgets and headcount are being slashed but their CEOs are simultaneously demanding that they reassure them and the Board of Directors that they are not vulnerable to the same kinds of cyber attacks that have plagued some big firms lately.

They know they cannot afford to buy complex, expensive and difficult to deploy new security software and the people to manage them and yet they have to stand before the Board and profess that their networks are secure”.

The fact is, data breaches will continue and IT will often be to blame. There is a light at the end of the tunnel. There are numerous technologies that won’t break the bank and will keep the BOD happy. Companies have to consider numerous threats of theft and mayhem. Review security policies and who has access to what and why. In the end make sure employees are let go with dignity and respect.

Robert Siciliano Identity Theft Speaker discussing Credit Card Fraud Here

Twitter Is a Security Mess

Robert Siciliano Identity Theft Speaker Expert

Mischievous hack attacks on Twitter are increasing and it seems there is no end in sight. While Twitter’s developers are working to make it more secure, the open nature of the application fuels mischievous and even criminal hacking.

Twitter is microblogging. In 140 characters or less you tell your followers what you are doing or point them towards something that may enhance their lives. Most Tweeple are twits and say nothing of value. Their tweets are mundane and serve no benefit to anyone.

If you don’t use Twitter, that’s OK. But there is a chance you eventually will. Many thought they’d never use Facebook, but millions do. Microblogging is a weird phenomenon that makes sense to many, and not at all to most.

Users can get tweets via email, on their phone or via SMS texts. People have sent tweets while giving birth, in the crowd watching the Obama inauguration, celebrating New Year’s, and during just about anything else you can think of.

I’m on Twitter. I spend my energies informing my readers about security. The most effective tweets have a pithy title related to an article, blog post or TV appearance. All security related.

Since Twitter’s inception, hundreds of 3rd party applications have been built around Twitter. Apps that enhance, manage or are just for fun. Much of Twitter’s technology is an open book, which has allowed hackers both good and bad to build these apps, and of course wreak havoc.

One such hack is using a Twitter account’s mobile phone number to spoof messages to the user’s followers.

Other Twitter hacks have included full account takeover, where messages were sent to all followers of Obama, Britney Spears, Fox and a CNN anchor.

Recent studies also show that Twittersquatting, where brand names are hijacked, is also a problem on Twitter.

So if you decide to use Twitter, know that it’s not very secure, and be cautious about plugging your mobile number into the system.

Robert Siciliano Identity theft Speaker Expert discussing Scams Cons and Schemes Here