Russian Organized Crime: Krem D’la Krem of Hackers

The Russians have definitely come…in the world of cybercrime. A Russian ring of hackers has amassed 1.2 billion stolen passwords and usernames involving 400,000 websites. The criminals have also garnered 542 million e-mail addresses.

11DAnd these Russians didn’t discriminate: Any website they could bust into, they did, ranging from big U.S. companies to little websites—anything. Most of these sites remain vulnerable.

Apparently, the thieves are not working for Russia’s government (which rarely goes after hackers anyways), nor have they sold the stolen information…yet. They’ve been paid by third-party entities who want to send out spam.

This gang of thieves operates like a business, with some doing the programming and others doing the stealing. The crooks use botnets to scope a site’s weaknesses, then plow in there.

This massive breach has called attention to the reliance that businesses have on usernames and passwords; this will need to be changed.

Tips for Preventing Getting Hacked

  • Say NO to clicking on links inside e-mails, even if the apparent (note “apparent”) recipient is your bank or a friend.
  • URL security. Trust only sites whose URL starts with a padlock icon and “https.” An “http” won’t cut it.
  • Two-step verification. If your financial institution offers this, then activate it. Call the bank if its website doesn’t have this information.
  • Online banking. If possible, conduct this on a separate computer just for this purpose.
  • Change the router’s default password; otherwise it will be easy for hackers to do their job.
  • Wired ethernet link. This is better than a powerline or Wi-Fi for protection. To carry out an ethernet attack, the thief would probably have to break into a home and set up a device, whereas Wi-Fi data can be snatched out of the air, and powerline data can leak into next-door.
  • Encryption. If you must use Wi-Fi or powerline networks, encryption will scramble data, but a hacker can crack into Wi’Fi’s WEP.
  • Say no to third-party Wi-Fi hotspots.
  • Security updates. Keeping up to date will guard against hackers who use a keylogger to figure out your keystroke pattern—which can tell him your passwords.
  • Hotshot Shield; This service protects you from fraudulent activity when you’re working online in an unprotected network (wired or wireless), such as at airports, hotels or coffee houses.
  • Get identity theft protection. Generally your identity is protected from new account fraud. Many of the services monitor your data on the dark web.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

10 Ways you may get Hacked this Summer

Can you name 10 ways you can get hacked this summer? I can.

Hotel Hacking

4DThose hotel electronic card locks for doors aren’t as secure as you think. A criminal attaches a little electronic gizmo beneath the lock, and presto, he’s in your room. You can’t stop this, but you can make the burglary worthless by not leaving valuables in your room. Always have your door locked overnight.

Car Hacking

Forget the bent coat hanger trick — that’s for rookies. But even a dimwitted thief could hack into your car this summer. For only $5, the thief buys a “black box,” a key fob spoofer, that electronically forces car doors open. Short of disabling your keyless entry, what you can do is park your car in lighted areas and keep valuable out of it. Or have your mechanic install a kill switch.

Credit Card Skimming

Criminals set up those card readers at stores with devices that will steal your card information. If you can’t pay with cash, use a credit card since there’s a delay in payment, whereas a debit card takes money from your account at the point of purchase. Keep a close eye on your credit card statements and bank account.

Hacking a Charging Phone

Avoid charging up your phone at a public kiosk. It doesn’t take a mental giant to install malware into these kiosk plugs. Once your phone gets plugged in, it’ll get infected. Use only your plug or wall outlets.

Finders Keepers Finders Weepers

If you happen to find a CD-ROM or thumb drive lying around in public, leave it be, even if it’s labeled “Hot Summer Babes at the Seashore.” You can bet that a crook left it there on purpose and wants you to plug it into your computer. You’ll end up installing malware that will allow the thief to remotely control your computer.

Phishing for Victims

You get an e-mail with a striking message in the subject line such as “Pics of you drunk at my party!” A percentage of people for whom these messages apply to will open the e-mail and take the bait: a link to click to see the photos. The link is malware and will infect your computer.

Wi-Fi Sharing

Using a public computer is always risky, as anyone can monitor your online actions. Hackers can even “make” your device go to malicious websites that will infect your device. Stay away from public Wi-Fi or use a VPN (virtual private network) like Hotspot Shield. A VPN will protect you summertime and all time at public WiFis.

Photo Geotagging

Every time you take a picture and post online, your location will be up for grabs in cyberspace, unless you’ve disabled your device’s geotagging.

Social Media

Beware of clickjacking and XSS. Clickjackers place a phony screen over an obscured malicious link, luring you to click. The hidden link then is triggered and gives the hacker your contacts, taking you to a malicious site. XSS puts a malicious script right in your browser that will install malware. So be judicious about clicking on popular videos and whatnot.

Airplane WiFi Hacking

Connect while 35,000 feet high and you can be revealing all sorts of private goodies. Airplanes lack online security. The aforementioned VPN is your best bet when connecting to airplane WiFi

Start your summer off securely by avoiding becoming a victim of hackers.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

How To Stop Criminal Hackers In Their Tracks

Do you offer free WiFi? Put these three safeguards in place to protect your customers and your business.

3DOn a recent trip from Boston to New York on an Acela Express train, I was writing blogs and doing some research using Amtrak’s free wireless Internet. “Free” usually translates to “unsecured,” which means a criminal hacker with the right hardware and software could have sniffed out my wireless communications and grabbed my data. That same hacker, depending on my device’s firewall, setup and sharing settings, might also have been able to access my drive and files and even plant a virus on my device.

But I wasn’t worried because I use a virtual private network software that allows me to surf on an unsecured connection.

Amtrak also knows its free wireless is risky for its users, so before you can use it, you have to agree to the terms and conditions of the Wi-Fi’s use that indemnify Amtrak.

Protecting Your Business

Free wireless is everywhere, because Wi-Fi brings in customers and is a great tool to help create customer loyalty as well. Numerous merchants, including hotels, coffee joints, fast food places and numerous others with a storefront, offer free Wi-Fi to attract people and increase sales.

But it has its downsides, too. If you’re offering it in your place of business, you need to understand that your access point can be used for criminal activity—and to hack your own business, too.

So what are criminals looking for? Criminals connect to free Wi-Fi for:

  • Pirating music, movies and software via P2P programs. This criminal activity costs the recording and motion picture industries billions of dollars every year. The Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) are cracking down on any IP address associated with illegal downloading and will come after your business too.
  • Child pornography. Law enforcement spends lots of time in chatrooms posing as vulnerable kids, chatting it up with pedophiles who buy sell and trade in child pornography. If your IP address is used for this purpose, you will get a knock on the door with a battering ram.
  • Criminal hacking. Bad-guy hackers look for vulnerabilities in others’ devices when using free Wi-Fi networks. They steal keystrokes, usernames, passwords and account info, and install spyware and viruses.

You’re not powerless against these hackers. These three safeguards are the first hurdles you can put in place to secure your company’s Wi-Fi:

1. Use a web proxy/filter. IT security vendors sell software that filters out or blocks known websites and prevents the sharing of P2P files. For more details on what kind of information can be accessed, search “internet access control software” to find a suitable vendor.

2. Add an agreeable use policy. There are numerous phrases a small business can incorporate into an agreeable guest use policy. You may want to include such language as “User agrees not to …”

  • Willfully, without authorization, gain access to any computer, software, program, documentation or property contained in any computer or network, including obtaining the password(s) of other persons. Intercepting or attempting to intercept or otherwise monitor any communications not explicitly intended for him or her without authorization is prohibited.
  • Make, distribute and/or use unauthorized duplicates of copyrighted material, including software applications, proprietary data and information technology resources. This includes the sharing of entertainment (e.g., music, movies, video games) files in violation of copyright law.

You may want to search for and read other business’s agreeable use policies in order to help you compose your own. And be sure to have your lawyer or legal department review it before you begin having customers agree to it.

3. Implement a secure Wi-Fi. Wi-Fi that requires users to log in with a username and password to charge even a dollar will then have their credit card number on file. This would mostly eliminate any anonymity, thus preventing numerous e-crimes.

Don’t think for a second something bad can’t happen to your business. Performing due diligence, knowing your options and implementing these barriers will keep both you and your customers from legal troubles and from getting hacked.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

11 Ways to prevent your Email from getting hacked

#1. Whenever possible, configure your Internet connection to always use HTTPS. This is the “https” that appears before the “www” in a Web address, and the https is preceded by a padlock icon.

3DFor Gmail, this works by clicking Settings in the top right; select the General tab, then hit Always use HTTPS, then save this setting. This option is not available for those who access email via Hotmail.

#2. Do not open unfamiliar emails. If you open one you think is from someone you know but realize it’s not, delete immediately. Do not click any links in the message or send the sender personal or banking information. Once you open that link, your computer could become infected by a phishing scam and your information stolen.

#3. Install anti-virus, anti-spyware and firewall on your computer and keep them updated. Automated updates are the ideal choice.

#4. Do not log into your accounts from an untrusted computer (e.g., at the coffee house, library), or one that you don’t maintain (e.g., friends’ and family’s). Even if you trust your friends and family, their computer could be infected from spyware.

#5. Make sure your passwords, plus security questions and answers are strong. Every six months, change your passwords. Never use the same password for different accounts. A strong password has upper and lower case letters plus numbers and punctuation, forming a non-English word.

For questions and answers, they don’t have to be true; false information cannot be researched or discovered on your Facebook page, such as the name of “your first pet” when you never had a pet: “Fuzzie-Glow” – who’s ever going to figure that out?

#6. Find out just how secure your passwords are. Some setups indicate strength with a rating of “weak” to “strong.” Always choose “strong.” If there’s no rating, go to How Secure Is My Password to see how fast your account can be hacked.

On the “How Secure” site, don’t type in your actual password if you’re skittish about doing that (even though the site is secure and will never release it anywhere), but type in something similar. So if your password is “catlover,” type in “horselover” and see what happens.

#7. Your password should not be on the list of the most popular passwords. Here is the full list. If yours is there, change it immediately, even if you must give up an easy-to-type sequence.

#8. Enable 2-step verification if you use Google for any activity. The 2-step adds additional security to a Google account. After entering your username and password, you’ll then enter in a code that Google sends out via voicemail or text when you sign in. This will make it harder for someone to guess a password.

#9. Use a password manager. This service eliminates the need to type in a password at log-in; log in with one click. A master password eliminates having to remember all your different passwords.

#10. You may think your password is unique because it’s a jumble of characters, but it may not be very strong simply because it’s not long enough. The longer that uniqueness, the more uncrackable the password will be.
#11 Use a virtual private network software to encrypt any wireless communications. A virtual private network (VPN) is a network set up to communicate privately over a public network. For example: You occasionally want to or need to work from home and your employer knows that if you do, the data that travels between your PC and an office PC needs to be protected.

Another example is when you use public WiFi, knowing your wireless data can be sniffed out by criminals. Using a VPN solves that problem.

Hotspot Shield VPN service is a great option that protects your entire web surfing session, securing your connection on both your home internet network and public internet networks (both wired and wireless). 

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Hectic Holidays Heavenly for Hackers

Ahhh, it’s that time of the year again: the hustle and bustle of the holiday season—parties, gift giving, travels and get togethers with friends and family. But it also brings up the question of how and when are you going to have time to shop and get everything done in time?—let alone fight those crowds at the mall for that elusive parking space.

online-shopping
With online shopping, not only can you shop any time of day (or night if you’re like me and a night owl), from the comfort of your couch or recliner and can easily compare prices without walking up and down the mall or driving all over town. You can even get things online that you simply just can’t buy locally. But while online shopping provides you with a high level of convenience, it also provides cybercriminals with opportunities to steal your money and information through various online scams.

That’s why as Black Friday and Cyber Monday (which has become one of the biggest online shopping days of the year) approaches, you need to make sure you’re being smart when shopping online. Besides making yourself familiar with the 12 Scams of the Holidays, here’s some tips to stay safe online:

Be wary of deals. Like Mom said, “if it’s too good to be true, it probably is”. Any offer you see online that has an unbelievable price shouldn’t be believable. I saw a 25-foot camper on Craigslist for 10% of the list price, and it was within 10 miles of me. My endorphins rushed and I was filled with excitement—I wanted it! Then I found out it needed to be shipped from Chicago (I live in Boston) and I calmed down. But I can see how when a person’s endorphins peak, hasty decisions can ensue.

Use credit cards and not debit cards. If the site turns out to be fraudulent, your credit card company will usually reimburse you for the purchase; and in the case of credit card fraud, the law should protect you. Some credit card companies even offer extended warranties on purchases. With debit cards, it can be more difficult to get your money back and you don’t want your account to be drained while you’re sorting things out with your bank. Even better is a one-time-use credit card, which includes a randomly generated number that can only be used for a single transaction. While this may be an extra step in your shopping process, it can go a long way to protecting yourself online and it’s a good way to #HackYourLife.

shopping-deels

Beware of fake websites. When searching for a product online, you are likely to end up clicking on something within the first few pages of your search results. Cybercriminals often setup up fakes sites that look real at URLs that are common misspellings or typos of well-known shopping sites (also known as typosquatting).Instead of typing in the URL of your favorite site, make sure you have a safe search plug-in installed on your browser, like McAfee® SiteAdvisor®, and search for that site. SiteAdvisor will then give you color-coded safety ratings in your browser search results and give you a warning before going to sites that are known to be malicious.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Danger: Wireless Toilets Next on Hackers’ List

Just about anything wireless is hackable today. Everything—from PCs to mobiles to tablets to home automation devices to pacemakers to insulin dispensers and even cars—are hackable.

And now “smart” toilets.

CNET reports, “[Smart] toilets can be controlled using an Android app, but the Bluetooth PIN is hard-coded to ‘0000.’ Just knowing that code number means the awesome power of the Satis (toilet) could fall into evil hands. All a hacker would have to do is download the My Satis app, get in range, pair it to the toilet using the code and flush away.”

Scary!

As we rely more and more on wireless communication, it is important to keep your wireless devices secure from hackers bent on flushing your data out. (That was bad.) Anyway…

  • Be smart about what kind of data you transmit on a public wireless connection. Limit your transmission of critical data and use secure sites, ones where “HTTPS” appears in the address bar. These sites have additional encryption built in.
  • Don’t store critical data on a device used outside the secure network. I have a laptop and an iPhone. If they are hacked, there’s no data on either device that would compromise my identity or financial security.
  • Turn off WiFi and Bluetooth on your mobile when you’re not using them. An unattended device emitting wireless signals is very appealing to a criminal hacker.
  • Beware of free WiFi connections. Anywhere you see a broadcast for “Free WiFi,” consider it a red flag. It’s likely that free WiFi is being used as bait.
  • Beware of evil twins. Anyone can set up a router to say “T-Mobile” “AT&T Wireless” or “Wayport.” These connections may appear legitimate but are often traps set to ensnare anyone who connects to it.
  • Keep your mobile security software and operating system updated. Make sure your security software is automatically updated and your operating system’s critical security patches are up to date.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.

Digital Photos Held for Sextortion

This is a little over the top and if this story was happening to one person I may not even dare to discuss. But it seems to be happening to hundreds, maybe thousands and possibly tens of thousands. And the fact that kids today are posting anything and everything, it needs to be discussed.

Right now hundreds of cyber threat victims are coming forward, arrests are being made and court dates are set because criminal hackers in the form of weird men are breaking into women’s email programs and social networking sites and scanning their media for photos that show them as they were in their birthday suit.

The depraved men are then contacting these women alerting them to their dirty deeds and giving them an opportunity to save face before the photos are posted to Facebook by paying them off in money or more photos!

This is serious stuff, now while you may not participate in stupid activity like this someone you know and care for may. The Register reports One victim, who was 17 at the time, testified that she was so humiliated that she quit her summer job and dropped out of advanced college classes. Another victim attempted suicide.

The hacks occur when:

Users have simple and easy to guess passwords and their accounts are infiltrated

Malicious software is installed on the users PCs in a number of ways

The computer has Peer to Peer (P2P) file sharing programs that allow anyone to scan the computers hard drive.

Here’s the bottom line: If you don’t want the world to ever see it, then do not do it. Because if an ex-boyfriend, ex-husband, ex-girlfriend or ex-wife has an axe to grind it may go live. Worse, a devious criminal hacker may get it and “sextort” you. Otherwise you’re next consideration (if you just need to be a shutterbug) is to put all digital media on hard drives that are not connected to the internet.

Otherwise protect yourself with anti-virus, don’t install or remove P2P file sharing software and create passwords that are difficult to crack that have numbers and letters.

Robert Siciliano personal security expert to Home Security Source discussing hacked email passwords on Fox News. Disclosures.

mCrime Higher on Hackers’ Radar

This year’s Defcon convention of hackers in August brought to light a fact that many in the security industry have known: mobile phones are becoming a bigger target for criminals.

Recent news of applications on the iPhone and Android that are vulnerable to attack and possibly designed to send your data offshore have reinforced the security concerns for mobiles.

It is inevitable that over the next few years as millions of smartphones replace handhelds and billions of applications are downloaded, risks of mobile crime (mCrime) will rise. As we speak, the large antivirus companies are snapping up smaller mobile phone security companies in anticipation of a deluge of mobile attacks.

Right now, however, the path of least resistance continues to be the data-rich computer that sits in your home or office, or maybe your mortgage broker’s office. Unprotected PCs with outdated operating systems, unsecured wireless connections, antivirus software that hasn’t been updated, and reckless user behavior will continue to provide a goldmine for criminals.

The problems with computer security will continue as Microsoft abandons XP users and stops offering security updates. But as more and more users shed Windows XP and upgrade to Windows 7 and beyond, mobiles will become attractive targets.

In the meantime, protect your mobile phone.

The Blackberry is the most “natively” secure. It’s been vetted by corporations the world over to protect company data. Enable your password. Under “General Settings,” set your password to “On” and select a secure password. You may also want to limit the number of password attempts. Encrypt your data. Under “Content Protection,” enable encryption. Then, under “Strength,” select either “stronger” or “strongest.” When visiting password-protected Internet sites, do not save your passwords to the browser. Anyone who finds your phone and manages to unlock it will then have access to all of your account data and, ultimately, your identity.

The key to being a “safe” iPhone owner is to add apps that help secure your information. Enable the passcode lock and auto-lock. Go into your phone’s “General Settings” and set the four-digit passcode to something that you will remember but is not overtly significant to you. That means no birth dates, anniversary dates, children’s ages, etc. Then go back into “General Settings” and set the auto-lock. And turn your Bluetooth off when you aren’t using it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. (Disclosures

Stealing Secrets: Telling Lies Over the Phone

In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon) I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. At the recent Defcon event, social engineers proved that it doesn’t take much more than asking to get the necessary information that may lead to penetrating a person’s computer.

Social engineering is a fancier, more technical form of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network.

Social engineering is all based on telling a lie and getting others to tell the truth in response. Thousands of years of civilized conditioning and cultural teaching to help and trust one another has made people just a little too eager to help.

Participants in the contest successfully got employees from some Fortune 500 companies to provide full profiles of the inner workings on network PCs and software that could easily be used to launch an attack. Some revealed what operating system they had, the version of their service pack, antivirus software, browser, email, which model their laptops were, the virtual private network software the company used, and even what garbage collector hauled the company’s trash.

In some cases, the tricksters even got the Fortune 500 employees to visit certain websites while on the phone. Sometimes the simple act of visiting a website can install a malicious program on your PC if it’s not properly protected. Based on the answers provided by the employees, the social engineer can guide the person to whatever website that would infect their computer based on the answers provided.

Recognize that while you are generally not being swindled by those who call you, there is a chance that you may be. This means having systems in place regarding what can be said to whom, when, and why. Training on social engineering and how to prevent it is a must for any company and frankly for any individual who doesn’t want to fall victim to a conman.

Robert Siciliano, personal security expert contributor  to Just Ask Gemalto, discusses credit card fraud on NBC Boston. Disclosures

Study Shows Tweens and Teens are Clueless About Privacy

The Secret Online Lives of Teens, a survey conducted by McAfee, reveals that tweens and teens are relatively clueless about online privacy. The study sheds light on this generation’s tendency to use the Internet in ways that translate to danger in the real world.

The fundamental problem is their belief that privacy is unimportant or irrelevant, which stems from their lack of understanding of what privacy actually entails. Most alarming is the extent to which they are willing to share certain types of information online, information which is often visible to complete strangers. In doing so, they make themselves easy targets for data mining by adults whose reasons are not always well intended.

While most adults are not predators or pedophiles, there are certainly many of them out there who prey upon the young and naïve.  Statistics show there are as many as half a million registered sex offenders in the U.S. alone. And many more simply haven’t been caught yet.

There always has, is, and will be a predatory element out there. Generally, most people don’t want to think about that or even admit that it’s true. Instead of acknowledging the risks, most people completely discount this reality, telling themselves, “It can’t happen to me or my kids.”

The Last Watchdog sums up the study as follows:

“McAfee commissioned Harris Interactive to query 955 American teens, including 593 aged 13-15 and 362 aged 16-17. Survey responses were weighted for age, gender, ethnicity and other variables. The McAfee/Harris poll found:

  • 69 percent of teens divulged their physical location
  • 28 percent chatted with strangers

Of those teens who chatted with strangers, defined as people whom they did not know in the offline world:

  • 43 percent shared their first name
  • 24 percent shared their email address
  • 18 percent post photos of themselves
  • 12 percent post their cell phone number

What’s more, girls make themselves targets more often than boys: 32% of the girl respondents indicated they chat with strangers online vs. 24% of boy respondents.”

It’s not just tweens who don’t understand that they’re living in a fishbowl. Young adults and parents are equally clueless. Channel 4 News in Jacksonville exposed a Florida mother who took a picture of her 11-month-old son with his mouth over a pot bong and posted it on Facebook. The mom’s behavior was obviously reckless, but what she and many don’t understand is that anything digital is repeatable.

Many now blame social networks for the erosion of whatever privacy we once had. Social networking sites aren’t inherently bad, but they are self serving entities, promoting transparency that ultimately leads to marketing and advertising dollars. For them it’s all about profit, and it’s to their advantage to gather as much information about you as possible, which allows them to fine-tune their offerings to advertisers.

My belief that people need to “live consciously,” making informed decisions about and ultimately taking responsibility for themselves, makes it difficult for me to blame anyone but users themselves for their lack of security. But I know the reality is that people are easily led, easily bamboozled, and they need to be told what to do and what not to do.

Studies like this bring much needed attention to these issues, hopefully raising awareness for teens and their parents. As a parent, I am as laser focused on the media my children consume, in all its forms, as I am on any food they eat. No responsible parent would allow their child to eat spoiled food, because they understand why it’s bad, but those same parents may allow their children to roam freely online without supervision. This is mainly because the parents don’t understand the risks.

When a quarter to a third of teens are revealing all their information to total strangers, it should give society pause. Understand that as this trend continues, more and more kids will be blindsided when they are solicited by adults who, with an additional twenty or more years of live experience, know how to con a kid.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)