Hacking Cars Getting Easier and More Dangerous

If your car is in any way connected to the Internet, it can get hacked into. You know it’s only a matter of time before hackers begin infiltrating motor vehicles in droves, being that vehicles are plagued with hundreds to thousands of security vulnerabilities.

11DThis hack is more serious than you think. Drivers and passengers should be aware that “flawed” and compromised vehicles can suddenly be overtaken remotely, forced into shutting down the engine in the middle of a highway or drive the car into other cars.  And it’s not just cars, but 18-wheelers and busloads of people.

In fact, white-hat hackers (the good guys) have even demonstrated that a bad hacker could take control of a motor vehicle, ranging from annoying pranks such as turning on the windshield wipers and radio, to potentially lethal actions like stopping the engine.

Hackers could demand ransom from governments in bitcoins for the return of the vehicles’ control to their drivers. Or, as the Assistant Attorney General for National Safety has indicated, “connected cars are the new battlefield”. Connected cars could be used by terrorist organizations to create havoc on mass scale.  The possibilities are limited by the imagination.

This concern has motivated the FBI, Department of Transportation and the National Traffic Safety Administration to issue a public safety alert, warning consumers to keep their service schedule in order to enable to upgrade cars’ software with remedies to those security vulnerabilities.

Solutions are available and in the works.

  • If your car has any web connecting abilities, do your research for year/make/model. Searched “hacked” along with the cars particulars.
  • Manufacturers that have discovered security vulnerabilities (often because a researcher makes it public) have offered subsequent patches in response. These notices may come in the mail or through a dealership.
  • It’s important to check with your cars manufactures website to determine if a vulnerability exists.
  • A connected vehicle has ECUs: electronic control units. An article in Fortune says Karamba Security’s “Carwall” can detect and thwart cyber attacks. Carwall is like a firewall for your vehicle ECU. It detects anything that’s not permitted to load or run on ECUs.

When the ECU software is being built, security software can be seamlessly embedded, becoming part of the entire process. No change of code, no developers’ know-how, no false positives and no hacks. Problem solved.

Anonymous Begins a 30 Day Assault Against Central Banks

“Anonymous” is an activist hacking group that has recently boasted that it will engage in 30 days of cyber assaults against “all central banks,” reports an article on cnbc.com.

2DAnd their bite is as big as their bark, as this announcement came soon after several major banks around the world were struck—and Anonymous proudly claimed credit. The banks that were apparently breached by Anonymous include:

  • Bangladesh Central Bank
  • National Bank of Greece
  • Qatar National Bank

Anonymous put up their plans on a YouTube video: a “30-day campaign against central banks around the world.” The hacking group calls their endeavor Operation Icarus, bragging about how they crumbled the Bank of Greece with a denial of service attack.

Anonymous has stated that it will target the following financial institutions:

  • Visa
  • MasterCard
  • Bank for International Settlements
  • London Stock Exchange
  • And of course, “all central banks” and “every major banking system”

Anonymous has a real gripe against banks, because they further state, “We will not let the banks win,” continues the report at cnbc.com. The hacking group wants everyone to know that their operation will be “one of the most massive attacks” ever committed in Anonymous’s history.

The article adds that another media outlet, Gulf News, reports that the hackers who infiltrated Qatar National Bank attacked yet another bank and intend on making the stolen data public for this second attack—very soon. It’s possible that this leaked data will be used for ransom.

For you, every day bank customer, don’t worry about any of this, BUT, always pay close attention to bank activity and make sure all transactions have been authorized by you. Sign up for alerts and notifications via text and email so you see every transaction in real-time.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

How the FBI hacks You

In a recent Wired.com expose’, they expose how the FBI has been secretly hacking civilian computers for about 20 years, but thanks to Rule 41, their ability to hack has been expanded.

11DNevertheless, effective record keeping for these hacking incidents doesn’t exist. For instance, search warrants that permit hacking are issued using elusive language, and this makes it difficult to keep track of when the feds hack.

Also, it’s not required for the FBI to submit any reports to Congress that track the FBI’s court-sanctioned hacking incidents—which the FBI would rather term “remote access searches.”

So how do we know this then? Because every so often, bits of information are revealed in news stories and court cases.

Carnivore

  • Carnivore, a traffic sniffer, is the FBI’s first known remote access tool that Internet Service Providers allowed to get installed on network backbones in 1998.
  • This plan got out in 2000 when EarthLink wouldn’t let the FBI install Carnivore on its network.
  • A court case followed, and the name “Carnivore” certainly didn’t help the feds’ case.
  • Come 2005, Carnivore was replaced with commercial filters.

The FBI had an issue with encrypted data that it was taking. Thanks to the advent of keyloggers, this problem was solved, as the keylogger records keystrokes, capturing them before the encryption software does its job.

The Scarfo Case

  • In 1999 a government keystroke logger targeted Nicodemo Salvatore Scarfo, Jr., a mob boss who used encryption.
  • The remotely installed keylogger had not yet been developed at this time, so the FBI had to break into Scarfo’s office to install the keylogger on his computer, then break in again to retrieve it.
  • Scarfo argued that the FBI should have had a wiretap order, not just a search warrant, to do this.
  • The government, though, replied that the keylogger technology was classified.

Magic Lantern

  • The Scarfo case inspired the FBI to design custom hacking tools: enter Magic Lantern, a remotely installable keylogger that arrived in 2001.
  • This keylogger also could track browsing history, passwords and usernames.
  • It’s not known when the first time was that Magic Lantern was used.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

10 Ways to Protect your WordPress Site or Blog from Hackers

As much as you try, the unfortunate truth is that hackers are going to try to attack and access your WordPress website or blog, whether you like it or not. So, it is up to you to make sure you make the hacker’s job as difficult as possible. Here are some tips:

2D1. Use Plugins

One way to make your WordPress account less appealing is to use security plugins. These vary in quality, and you might have to purchase some of them, too. Just make sure to do some research before buying them, and when you do, only buy them from a trusted marketplace.

2. Choose The Right Password and Change It Often

When choosing a password for your account, make sure it is a minimum of 8 characters, and mix it up with letters, numbers and symbols. Also, change your password about every 2-3 months.

3. Change Your Defaults

Also, make sure that you are changing the default user name and password that you are given for your hosting account.  It’s best, in fact, if you change any detail that you are allowed to change, simply because you don’t know how secure your host’s servers are.

4. Only Choose Secure Hosting

Use a secure hosting company. There is no better tip that that. If you go with a free package, understand that you will get what you pay for.

5. Install All Updates

Make sure you are installing any updates you get from WordPress. These often contain security features that can protect you.

6. Consider Hosting Company Security Options

Many good hosting companies offer security options for their clients, and if you have this option, do it. Just make sure you are not paying too much, and look for coupon codes, if possible.

7. Delete What You Are Not Using

If you have unused images or plugins in your account, delete them. They waste space and can put your account and site at risk.

8. Back Up Everything

Your best defense against hackers is to make sure you are backing up everything, and do it often. You can delete any old backups to save space.

9. Watch the Powers You Give Contributors

Though it might be tempting to allow authorized contributors to post their own blogs and articles, don’t give them any more access to your site than you have to.

10. Use Security suites

There are a variety of web based security products designed to proactively monitor your site and block unauthorized activity. Check out Cloudbric. This all-inclusive solution helps in preventing web attacks including DDoS, while also providing SSL and CDN services.

Robert Siciliano is a personal privacy, security and identity theft expert to Cloudbric discussing identity theft prevention. Disclosures.

Ransomware Hackers provide Customer Service Dept. to Victims

Yes, believe it or not, ransomware has become such a booming business for thieves, that these cyber thugs even provide bona fide customer service departments to guide their victims!

4DWhen ransomware infects your computer, it holds your files hostage; you can’t access them—until you pay the hacker (usually in bitcoins). Once paid, the crook will give you a decryption “key.” Sometimes the fee will go up if you don’t pay by a deadline. Fees may a few to hundred to several hundred dollars to way more for big businesses.

Thieves typically include instructions on how to pay up, and they mean business, sometimes being “nice” enough to offer alternatives to the tedious bitcoin process. They may even free one file at no cost just to show you they’re true to their word.

As the ransomware business flourished, particularly Cryptolocker and CryptoWall, hackers began adding support pages on their sites to victims.

An article at businessinsider.com mentions that one victim was able to negotiate a cheaper ransom payment.

Why would thieves support victims?

  • It raises the percentages of payments made; the easier the process, the more likely the victim will pay. The businessinsider.com article quotes one ransomware developer as stating, “I tried to be as [much of] a gentleman thief as my position allowed me to be.”
  • It makes sense: If victims are clueless about obtaining bitcoins and are seeking answers, why wouldn’t the crook provide help?

Perhaps the most compelling reason why bad hackers would want to help their victims is to get the word out that if victims pay the ransom, they WILL get their decryption key to unlock their encrypted files.

This reputation puts the idea into the heads of victims to “trust” the cyberthief. Otherwise, if ransomware developers don’t give the key to paying victims, then word will spread that it’s useless to pay the ransom. This is not good for the profit-seeking hacker.

These crooks want everyone to know that payment begets the key. What better way to establish this reliability than to provide “customer” support on websites and also via call centers where victims can talk to live people?

Apparently, at least one ransomware developer has a call center where victims can phone in and get guidance on how to get back their files.

Prevent ransomware by keeping your devices update with the latest OS, antivirus, updated browser, and back up your data both locally and in the cloud.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Hacker for hire a rising Trend

Hackers and wannabe hackers can easily purchase cheap tools of the trade online. The security firm Dell SecureWorks Inc. confirms this in their latest report and adds that underground markets for hackers, including those from Russia, is thriving.

11DThe “Dark Web” is the go-to place for hackers looking for guidance and tools like malware. Yes, you can buy malware. If you don’t want to be the hacker, you can hire a hacker.

There’s any number of reasons why a non-techy person would want to hire a hacker. Maybe that person wants to make money and thus hires a hacker to create a phishing campaign that generates lots of credit card numbers and other personal data for the hacker’s client to then open credit lines in victims’ names.

Maybe another client wants revenge on an ex-lover, their current boss or neighbor; they hire a hacker to crack into the target’s Facebook account, and then the client is able to log in, impersonate the victim and post comments and images that will make the victim look frightfully bad.

Dell SecureWorks Inc., also found:

  • For $129 a hacker will steal e-mails from personal Yahoo or Gmail accounts.
  • For business accounts, however, hackers want $500 per e-mail.
  • Wannabe hackers can buy phishing tutorials as well as other tutorials for $20 to $40.
  • Gee, for just $5 to $10, you can buy a Trojan virus that you can infiltrate someone’s computer with and control it—even if you’re a thousand miles away.

So booming is the hacker for hire and hacker-in-training industry, that these cybercriminals even offer customer service. Makes you wonder why hackers are selling their knowledge, tools and providing customer service, if they can make so much more money just hacking.

Well, maybe deep down inside, these crooks have a kind heart and want to help out people, even if it means helping them commit crimes. Another explanation is ego; they’re so good at what they do that they want to share their knowledge, albeit for a fee.

What else is for sale on the Dark Web? Stolen hotel points and frequent flyer accounts. Buyers can use these to get gift cards on legitimate sites, says the report from Dell SecureWorks Inc.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Beware of Amazon’s scary Customer Service Hack

Do you shop at Amazon.com? Are you aware they have a back door through which hackers can slip in?

11DLet’s look at Eric’s experience with hackers and Amazon, as he recounts at medium.com/@espringe.

He received an e-mail from Amazon and contacted them to see what it was about. Amazon informed him that he had had a text-chat and sent him the transcript—which he had never been part of.

Eric explains that the hacker gave Eric’s whois.com data to Amazon. However, the whois.com data was partially false because Eric wanted to remain private.

So Eric’s “fake” whois.com information wasn’t 100 percent in left field; some of it was true enough for the customer service hack to occur, because in exchange for the “fake” information, Amazon supplied Eric’s real address and phone number to the hacker.

The hacker got Eric’s bank to get him a new copy of his credit card. Amazon’s customer service had been duped.

Eric informed Amazon Retail to flag his account as being at “extremely high risk” of getting socially engineered. Amazon assured him that a “specialist” would be in contact (who never was).

Over the next few months, Eric assumed the problem disintegrated; he gave Amazon a new credit card and new address. Then he got another strange e-mail.

He told Amazon that someone was impersonating him, and Amazon told him to change his password. He insisted they keep his account secure. He was told the “specialist” would contact him (who never did). This time, Eric deleted his address from Amazon.

Eric became fed up because the hacker then contacted Amazon by phone and apparently got the last digits of his credit card. He decided to close his Amazon account, unable to trust the giant online retailer.

  • Frequently log into your account to check on orders. See if there are transactions you are unaware of. Look for “ship to” addresses you didn’t authorize.
  • Amazon’s customer support reps should be able to see the IP address of the user who’s connecting. They should be on alert for anything suspicious, such as whether or not the IP address is the one that the user normally connects with.
  • Users should create aliases with their e-mail services, to throw off hacking attempts. In other words, having the same email address for all your online accounts will make it easy for them to be compromised.
  • If you own domain names, check out the “whois” info associated with the account. It may be worth making it private.

Be very careful when sharing information about yourself. Do not assume that just because a company is a mega giant (like Amazon), it will keep your account protected from the bad guys.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Hackers don’t play well with Kids’ Toys

No company is immune from hackers—even a toy company. Hong Kong based VTech got hit by a hacker recently. This company makes techy educational toys for kids, and its database got breached.

11DCustomers go to the Learning Lodge store and download content to their children’s VTech devices. The devices for downloading to are a tablet, watch and action camera.

But recently, this gateway store was attacked.

Some customers’ private information—now in the hands of the hacker—may put them at risk for being victims of identity theft or even a crime against their children. The customer database is comprised of people from many countries including the U.S., UK, Canada, China, Latin America, France and Australia.

The hacker anonymously contacted the company to reveal what was stolen: customers’ names, their kids’ names and birthdates, passwords, e-mail addresses, IP addresses, home addresses and even their secret question. And we all know that hackers have been known to find the answer to a secret question by perusing the potential victim’s Facebook posts!

At least credit card information wasn’t leaked.

But imagine how unnerving it is to know that someone out there has your mailing address, IP address, children’s names and birthdates. Oh, and it doesn’t stop there. The hacker revealed that photos of kids were also leaked.

Customers were notified and since, VTech has made changes to the attacked website in the name of preventing another breach, though it’s not publically known what those changes were.

Many toys and gadgets for kids are connected to the Internet. But don’t let fear of data breaches stop you from buying educational devices for your kids. Today’s connected toys offer a whole new educational experience.

  • Google the gadget to see if it was ever hacked or has “vulnerabilities.”
  • Immediately scan the product once purchased.
  • The toy should be connected only to a secure Wi-Fi network.
  • Keep its software and firmware updated regularly.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

What are Bug Bounties?

A bug bounty refers to the reward a bad-guy hacker gets upon discovering a vulnerability, weakness or flaw in a company’s system.

6DThis is akin to giving a reward to a burglar for pointing out weaknesses in your home’s security.

But whom better to ask than a burglar, right? Same with a company’s computer systems: The best expert may be the black hat or better, white hat hacker.

An article at bits.blogs.nytimes.com says that Facebook, Google, Microsoft, Dropbox, PayPal and Yahoo are on the roster of companies that are offering hackers bounties for finding “bugs” in their systems.

A “zero day bug” refers to an undiscovered flaw or security hole. Cybercriminals want to know what these zero day bugs are, to exploit for eventual hacking attempts. There is a bustling black market for these non-identified bugs.

Compounding the issue is that it is becoming easier for Joe Hacker to acquire the skills to infiltrate—skills that common hackers never would have had just a few years ago, and especially a decade ago. So you can see how important it is for businesses to hire the best at finding these bugs and rewarding them handsomely.

So yes, hackers are being paid to report bugs. The bits.blogs.nytimes.com article says that Facebook and Microsoft even sponsor an Internet Bug Bounty program. Such a program should have been started long ago, but it took some overlooked bugs to motivate these technology companies to offer the bounties.

Heartbleed is an example. Remember that? It was a programming code mistake that affected certain SSL certificates—which help protect users on a secure website. As a result, over a dozen major tech companies began an initiative to, as the bits.blogs.nytimes.com article says, “pay for security audits in widely used open-source software.”

So as clever as bug bounties sound, it shouldn’t be regarded as the be-all end-all solution. How about an incentive to get developers to implement secure, mistake-free coding practices? Well, companies are trying. And they keep trying. But with humans behind the technology, there will always be mistakes.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

What is a Hacker?

You probably think you know what a “hacker” is, but the images portrayed in the media can be misleading. You may be thinking of a geeky-looking guy who causes peoples’ computers to get infected with viruses or cracks passwords to raid the accounts of big business. This is one kind of hacker, but in a broader sense a hacker is a person (male or female) who uses their programming skills and technical knowledge to create and modify computer software and hardware by finding their weaknesses and exploiting them.

11DHackers can be motivated by a number of reasons, both positive and negative. For instance, criminal hackers can create malware to commit crimes, such as stealing information and money, while other hackers are benevolent. They may work for big companies or the government in the name of protecting them from bad hackers.

It helps to be familiar with these general categories of hackers:

Black hat hackers

This is a hacker who gains unauthorized access into a computer system or network with malicious intent. They may use computers to attack systems for profit, for fun, for political motivations, or as part of a social cause. Such penetration often involves modification and/or destruction of data, as well as distribution of computer viruses, Internet worms, and spam.

White hat hackers

Also known as “ethical hackers,” white hat hackers are computer security experts who specialize in penetration testing and other testing methodologies to ensure that a company’s information systems are secure. These security experts may utilize a variety of methods to carry out their tests, including social engineering tactics, use of hacking tools, and attempts to evade security to gain entry into secured areas.

Gray hat hackers

These are skilled hackers who sometimes act legally, sometimes in good will and sometimes not. They are a hybrid between white and black hat hackers. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits.

In addition to these definitions, the term “hacker” is currently used to refer to any individual who deliberately tries to compromise a computer system—regardless of objective.

It may also simply refer to someone who likes to tinker around with the innards of computer systems, and it may also mean a really smart person who can solve any computer problem.

So, while you may have generally thought of hackers as criminals, the term actually describes a range of people with different technical skills and motives. That’s why it would be more helpful if we used the term with descriptors, such as “white hat hacker” or “criminal hacker,” so we have a better idea to whom we are referring.

After all, hackers shouldn’t have a bad reputation overall. They are usually very talented people and we need more of the good variety: white hats.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.