Beware of Facebook Dangers

Robert Siciliano Identity Theft Expert

Danger!! How’s that for a blog title that screams fear, uncertainty and doubt!? Fact is, Facebook boasts 400 million users, in so many ways seems out of the control of its founder, and is looking dangerous. This is a company that has grown faster than fast and has a (very intelligent) 20-something CEO just out of puberty calling the shots. It seems the amount they (his board? CIO?) let him run at the mouth that privacy is no big deal shows an immature lack of control over this operation. Any company that wields this much power needs to be checked and balanced.

Their growing pains are publicly played out in numerous lawsuits and visceral rants by every possible pundit (like me) and privacy professional on the block.

Sure, when you are that big there will always be someone who wants to take you down. But every week there is a new story about a security breach or a privacy violation. That tells me it’s more than growing pains or jealousy. There are serious management problems there, resulting in reputation issues for the company and, for the user, security issues.

DANGER, DANGER!

The third-party applications in the form of games and quizzes are sharing data that’s not meant to be shared. While the user may agree to the terms of service, they aren’t reading the fine print. Is it really in Facebook’s interest to allow this?

Seems like every 2 weeks they change whatever privacy settings there are and the public gets more pissed off with each change. Why doesn’t someone inside this company have a clue what the public wants? What’s more obvious is they don’t care!

Criminals and scammers set up fake profiles of companies and individuals all day every day. These social media identity theft profiles are designed to get people to provide data for free gift cards or other offers that ultimately allow for financial fraud to occur. Is there no way they can more effectively police this?

Recently, the chat feature was made public. For a period of time users’ chats were available for anyone to see. They had to shut it down to calm the mess. How the heck does that happen? Don’t they have redundancy built in to prevent this?

Ads appearing on Facebook are sanctioned in some way by Facebook and some are malicious. When clicked they can infect your PC. You would think that a private company worth billions would have systems in place to prevent its users from getting hacked via ads placed on their own servers?

So now that I’m done throwing up, protect your identity. Because when it gets hacked on Facebook, don’t say I didn’t warn you.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Facebook Hackers on CNN.

Watching Out For Criminal Hacks

Robert Siciliano Identity Theft Expert

We use the web to search out tons of information, to shop online and to connect with friends and family. And in the process criminals are trying to whack us over the head and steal from us. And they’ve become very proficient at their craft, while most computer users know as much about protecting themselves today as they did 15 years ago. Which equates to not so much.

Back in the day, a person only had to know not to open a file in an attachment from someone they didn’t know. Maybe even not opening one from someone they knew and making a phone call first. Today there are more ways than ever that your PC can be hijacked.

Today you can simply visit a website thinking you are safe, but the bad guy was there before you and injected code on the site, and now it infects your outdated browser. That’s a “drive-by” and it’s very common today. Here is a list of likely attacks occurring every day.

Fundamentals:

Update your browser. Internet Explorer and Firefox are the most exploited browsers. Whenever there is an update to these browsers, take advantage of it. Keep the default settings and don’t go to the bowels of the web where a virus is most likely to be. Consider the Google Chrome browser as it’s currently less of a target.

Update your operating system. No matter what brand of computer you are on you have to update the critical security patches for your Windows operating system. Microsoft will no longer support Windows XP after 2014, so start thinking about upgrading to Windows 7 (which is pretty sweet). Go to Windows Update. Why anyone would keep XP running unless they had to is a mystery to me. It’s a dog who has been kicked too many times.

Update Adobe Reader and Flash. Adobe PDFs and Flash Player are ubiquitous on almost every PC. Which makes them a prime target for criminals. To update Reader go to Help then Check for Updates. To update Flash go here.

Don’t be suckered into scareware. A popup launches and it looks like a window on your PC. Next thing a scan begins. The scan tells you that a virus has infected your PC. And for $49.95 you can download software that magically appears just in time to save the day. Studies show that organized criminals are earning $10,000.00 a day from scareware. That’s approximately 200 people a day getting nabbed. Some “distributors” have been estimated to make as much as $5 million a year. Just shut down your browser and do a scan with your existing anti-virus. Then update your browser because it’s probably outdated, which is why you saw scareware in the first place.

Beware of social media scams. Numerous Twitter (and Facebook) accounts including those of President Obama, Britney Spears, Fox News and others were taken over and used to make fun of, ridicule, harass or commit fraud. Often these hacks may occur via phishing email. Worms infiltrating Twitter with requests to click on links would infect users’ accounts and begin to multiply the message. Then your followers and their followers would get it, causing more grief than anything else.

Invest in social media protection @ Knowem.com


Robert Siciliano identity theft speaker discussing social media identity theft on CNN

Facebook’s New (and only) Security Feature

Identity Theft Expert Robert Siciliano

So maybe you used a public PC to log into your Facebook account and you hit a button that saved your login credentials. Or maybe you received an email from what you thought was Facebook and you plugged in your username and password and got phished. Now someone other than you has your account information and they are logging in to torture you or steal from your friends.

Wouldn’t it be nice to have a degree of control over that?

Facebook just introduced a security setting that sends you an email telling you someone has just logged into your account.

The feature doesn’t protect you from being stupid and giving your credentials away, but it does give you an opportunity to log into your account and change the password and thereby block the bad guy from getting back in. But the bad guy can change your login information too. All they have to do is change your email address. Once they do, they receive an email at the new address and hit a confirm link. At the same time you will also get an email to the original login email giving you the opportunity to dispute the new account number. So if this ever happens, act quickly.

To set up and enable notifications

1. Go to “Account” in the upper right-hand corner.

2. In the drop-down menu, go to “Account Settings”.

3. In the main menu, go to “Account Security”.

4. Click “Yes” next to “Would you like to receive notifications from new devices”.

5. The same can be done with text messages if you have your mobile plugged into Facebook. But don’t have your mobile displayed on your page publicly.

6. Log out, then log back in, and it will ask you to identify the computer.

I did this on 2 PCs and a phone. It didn’t ask me to identify the phone, but it did send me an email:

Your Facebook account was accessed using Facebook (Today at 8:36am).

If this happened without your permission, please change your password immediately.

If this was an authorized login, please ignore this email.

To change your password:

1. Log in to your Facebook account.
2. Click the Account tab at the top of the screen and select “Account Settings” from the drop-down menu.
3. Scroll to the Password section of the Account Settings page.
4. Click the “change” link on the right and follow the instructions.

Thanks,
The Facebook Team

Hey Facebook, after 400 million users you are just getting around to this? It’s a start.
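The notification logic described in this post, sketched server-side as an added example (not Facebook's code and not from the original post). The `Account` and `Outbox` classes, the device cookie, the addresses and the rule that a dispute cancels a pending email change are all assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    known_devices: set = field(default_factory=set)  # SHA-256 of device cookies
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


class Outbox:
    """Stands in for a mail/SMS sender; records (recipient, subject)."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject):
        self.sent.append((to, subject))


def login(account, device_cookie, outbox):
    """Run after the password check passes. Returns True for a new device."""
    fp = hashlib.sha256(device_cookie.encode()).hexdigest()
    if fp in account.known_devices:
        return False
    # Alert first, then remember the device, so a failure never hides a login.
    outbox.send(account.email, "Your account was accessed from a new device")
    account.known_devices.add(fp)
    return True


def request_email_change(account, new_email, outbox):
    """Confirm link goes to the new address, dispute notice to the old one."""
    token = secrets.token_urlsafe(16)
    account.pending_email, account.pending_token = new_email, token
    outbox.send(new_email, "Confirm your new login email")
    outbox.send(account.email, "Login email change requested: dispute if not you")
    return token


def confirm_email_change(account, token):
    """Apply the change only for the exact token mailed to the new address."""
    if not account.pending_token or not secrets.compare_digest(
            token.encode(), account.pending_token.encode()):
        return False
    account.email = account.pending_email
    account.pending_email = account.pending_token = None
    return True


def dispute_email_change(account):
    """Owner acted on the dispute notice: cancel the pending change (assumed rule)."""
    cancelled = account.pending_token is not None
    account.pending_email = account.pending_token = None
    return cancelled


def demo():
    """Constructed walk-through: owner's PC, then a login with stolen credentials."""
    box = Outbox()
    acct = Account(email="owner@example.com")
    login(acct, "cookie-owner-pc", box)    # first sight of the owner's PC: alert
    login(acct, "cookie-owner-pc", box)    # recognised device: no alert
    login(acct, "cookie-unknown", box)     # stolen credentials: alert to owner
    token = request_email_change(acct, "other@example.net", box)
    disputed = dispute_email_change(acct)  # owner acts before the confirm click
    confirmed = confirm_email_change(acct, token)
    return box.sent, disputed, confirmed, acct.email
```

If the change is confirmed before the owner disputes it, every later new-device alert goes to the new address, which is why the dispute notice has to be acted on quickly.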


Robert Siciliano Identity Theft Speaker discussing Facebook Hackers on CNN.

Criminal Hackers Had Their Best Year

Identity Theft Expert Robert Siciliano

The FBI reported that last year, organized criminals made double what was reported in 2008. Phishing emails containing the name and logo of the FBI were one of the top money makers for scam artists.

Successful scams included auction scams where products were bought and paid for but the product was not delivered. Advance fee scams also topped the list.

Scammers will say and do anything to get a person to part with their money.

Never automatically trust over the phone or via the internet. Unless the business is one that is well established online, don’t ever send money that you can’t get back. Never send money in response to an email or a phone call or even a classified ad. Money orders and wiring money have less security than a credit card does.

Anytime the transaction involves wiring money, that’s a dead giveaway. In any virtual transaction, I’d suggest using a credit card, but not without first checking the legitimacy of the business or the individual. A quick scan online of a company, individual, or even the nature of a transaction can often provide enough information to make an informed decision.

Scareware was also a big player. Studies show that organized criminals are earning $10,000.00 a day from scareware. That’s approximately 200 people a day getting nabbed. Some “distributors” have been estimated to make as much as $5 million a year.

What makes the scam so believable is there is actual follow through of the purchasing of software that is supposed to protect you. There is a shopping cart, an order form, credit card processing and a download, just like any online software purchase.

The software is sometimes known as “AntiVirus2009,” “WinFixer,” “WinAntivirus,” “DriveCleaner,” “WinAntispyware,” “AntivirusXP” and “XP Antivirus 2008.” These are actually viruses or spyware that infect your PC, or just junk software that does nothing of value.


Robert Siciliano Identity Theft Speaker discussing Ransomware on Fox Boston.

Top 10 Jobs For Criminal Hackers

Identity Theft Expert Robert Siciliano

So you wanna go to the dark side? You’ve been hearing all about this hacking thing and you’d like to impress your girlfriend and show her how you can hack into corporate databases eh? Well, first if you are nodding your head, you’re an idiot. Second, chances are better than ever that you’ll get caught. Law enforcement is actually getting pretty good at finding the bad guy. In the meantime, the FBI posted the top jobs in computer crime and the bad guys are hiring.

They need:

1. Programmers: They are the dudes that write the actual viruses that end up on your PC because you were surfing porn or downloading pirated software off of torrents.

2. Carders: the most visible of criminals who distribute and sell stolen data to whoever is willing to take it and burn it onto a white card or make purchases over the internet.

3. IT Dudes: these are like any computer professionals who maintain all the hardware to keep the operation running as it should.

4. Criminal Hackers: these are the tech-savvy penetration testers who aren’t legitimate pen testers but black hat hackers. They look for vulnerabilities in networks and plant code to exploit the users.

5. Social Engineers: these are the scammers and liars that think up all the different scams and communicate with people via phishing emails.

6. Hosted Systems Providers: are often unethical businesses that provide servers for the bad guy to do his dirty work.

7. Cashiers: provide bank accounts where criminals can hide money.

8. Money Mules: these may be unsuspecting Americans who act as shipping managers and do the dirty work for the bad guy and open bank accounts too. Sometimes the mule may be foreign and travel to the US specifically to open bank accounts.

9. Tellers: Help transfer and launder money through digital currencies such as e-gold.

10. Bosses: These are the Mafia Dons. They run the show, bring together talent, manage, delegate, tell people what to do and maybe cut a head or two off.

If this whole writing, speaking and consulting thing doesn’t pan out I know who is hiring.


Robert Siciliano Identity Theft Speaker discussing hackers on Fox News.

Why Everyone Should Learn to Be A Hacker

I know enough about hacking to make all of my software un-usable, mess up my operating system, and crash my PC. I also know enough about hacking to re-install my operating system, re-install all my software and get my PC running fresh and relatively secure. I’m no criminal hacker. And I am not suggesting that. Nor can I program; I don’t know code but I do know enough to hack in a way that keeps me running, and again, secure.

Hacker isn’t a bad word and hacking isn’t a bad thing to do. It’s something that if everyone who plugs into a PC every day did, they’d be a heck of a lot more versed in the functionality and security of a computer.

The beauty of becoming a “do it yourself” (DIY) hacker is you don’t need to pay a dude to come to your home or office to fix your computer when it’s not working. Three hundred and twenty five years ago I used to pay someone to fix me. Now I can do most of it myself, and when I don’t know how to do it I look it up on Google. Chances are if you have had this problem, then thousands of others have too. There are a bazillion forums that you can go to and solve annoyances and real technology issues.

Once you start asking questions you begin to find people who know the answers. Next thing you know you are the person with the answers. Along the way you connect with people that are smarter than you are who actually do know code and how to really hack a system. Then keep this stable of experts on your contact list so when you are in a pinch, you reach out. But do your best to figure it out on your own first so you aren’t constantly bugging them. You’d be amazed at how capable you are once you invest the necessary time to learn this stuff.

Another great way to learn how to be a DIY hacker is through tech support of your new PC. Most computers come with a one year guarantee that includes phone support. Now many people complain about lousy support, but the hundred or so hours I’ve spent over the years with these people from all over the world has definitely upped my hack-abilities. Even when the tech support guy is wrong, you learn something.

Recently I got rid of all my old 5-6-8 year old PCs and upgraded all but one to Windows 7 boxes and couldn’t be happier. In the process, I had to go through a litany of changes that were always frustrating, but made me a better, smarter, faster DIY hacker. I’ve spent about 20 hours with tech support on the phone getting everything to work like it should and now I know how to do it myself when things go wrong.

“Why I want my daughter to be a hacker” is the title of a post that’s been making waves in the blogosphere. It doesn’t exactly make my point, but worth a read.


Robert Siciliano Identity Theft Speaker discussing the identity theft on CNBC.

Personal Knowledge or “Qualifying Questions” as Authenticators

How many times have you forgotten a password? Fortunately the website you were on only needed your username or an email address and they would respond with a few questions for you to answer. Once you responded with what was in the system, you then reset your password and you’re in. Easy peasy.

What’s your favorite food? Where did you honeymoon? Your first pet’s name? Name of your first car? The name of your elementary school? Your father’s middle name? All these questions are meant to replace that used-to-be-secret-obscure word that only you and your parents would know the answer to: your mother’s maiden name.

Then came Ancestry.com, Genealogy.com, Google and, for crying out loud, Facebook. Now much of this information is available by doing a quick search online via public records, or it’s easy to guess if the “hacker” is an acquaintance.

I’m a member of an organization in which I have been granted access to a bank account we have. But I haven’t accessed the account in months. Since the last time I logged in, the bank instituted a qualifying question as another layer of protection. Instead of calling the other person who was also managing the account, I simply guessed the answer. “Where did you go to high school?” I didn’t know where this person went to high school but I knew where his mother lived. I entered the name of the town and BOOM, I was in.

It shouldn’t be that easy.
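One way a site could catch this weakness when a user sets up a qualifying question, as an added example that is not from the original post: refuse answers that share a significant word with facts already discoverable about the user. The function names, the stopword list and the profile below are constructed for illustration.

```python
import re
import unicodedata

# Words too common in answers to count as a match on their own.
STOPWORDS = {"high", "school", "street", "saint", "city", "the", "and"}


def normalize(text):
    """Lower-case, strip accents and punctuation, and split into words."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9 ]+", "", ascii_text.lower()).split()


def derivable_from(answer, public_facts):
    """Return [(fact_label, shared_word), ...] for every public fact that
    shares a significant word with the proposed answer."""
    answer_words = set(normalize(answer)) - STOPWORDS
    findings = []
    for label, value in public_facts.items():
        fact_words = set(normalize(value)) - STOPWORDS
        for word in sorted(answer_words & fact_words):
            findings.append((label, word))
    return findings


def accept_security_answer(answer, public_facts):
    """Enrollment gate: reject answers a search or an acquaintance could rebuild."""
    findings = derivable_from(answer, public_facts)
    return len(findings) == 0, findings


# Constructed profile: what public records and social pages might reveal.
PUBLIC_FACTS = {
    "public records: mother's town": "Maplewood",
    "social profile: hometown": "Maplewood, NJ",
    "genealogy site: mother's maiden name": "Hartwell",
    "social profile: pet photo caption": "Biscuit the beagle",
}


def demo():
    """The post's case (a town name) next to an answer treated like a password."""
    return {
        "Maplewood": accept_security_answer("Maplewood", PUBLIC_FACTS),
        "Maplewood High School": accept_security_answer("Maplewood High School", PUBLIC_FACTS),
        "biscuit!": accept_security_answer("biscuit!", PUBLIC_FACTS),
        "tq7-vexing-lantern-42": accept_security_answer("tq7-vexing-lantern-42", PUBLIC_FACTS),
    }
```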

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing hacked email on Fox News.

A Great Way to Ruin an Online Reputation

I’m all about transparency. But that’s just me. Not everyone is so forthright. Most people prefer to fly a click or more below the radar and never have a light shine on them. I prefer to make sure what’s being said, is said by me and not some troll. My brother used to say “the worst thing that can happen to a person is to end up on one of those stupid talk shows.” Then I proceeded to do every talk show including Howard Stern. But that’s just me.

My only regret was doing the Maury Povich show. That guy just played me and took advantage of me and used me as a pawn on his show. He would ask the audience leading questions adverse to my sound advice and continually allow the stupidest person in the room to answer. Controversy is fine, but bad, potentially deadly advice isn’t.

My point in all this? Things are heading in a direction that if you aren’t transparent, if you aren’t doing things to boost your credibility, if you aren’t “open” and someone decides to use the internet to slam you, then they automatically have the upper-hand. Today a person has less control over what is said about them than ever.

Unvarnished is a new website in beta; you need to be invited. Users connect with Facebook. PC World seems to allude to anonymous posting on Unvarnished that can only happen if someone fakes a Facebook profile. Anything in the form of anonymous posting doesn’t benefit the common good.

For example, when I read the comments in newspapers or blogs, I often see people throwing up all over everyone and saying the meanest, rudest and most hateful things. These cowards can easily do this anonymously. But none of them have the nerve to assign their actual name to it.

PC World reports Unvarnished functions like other social networking sites–especially the popular professional social networking site, LinkedIn. Users can create a profile with their resume and work information, and request reviews from their professional colleagues. The difference, of course, is that users can also “create” a profile for non-Unvarnished users–if you, say, want to leave a review of that shoddy intern from two summers ago and he/she doesn’t have a profile–no worries, you can still leave the review. Shoddy intern can then claim said profile later, if he/she so desires.

The best way to gain more control over this kind of site is to set up your own profile. It’s a start. Then build positive commentary. Another tool for managing your online reputation is to go to Knowem.com, grab up all the social media sites and get your name.

And protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Facebook Hackers on CNN.

9-Year-Old Kid Hacks School’s Computers

Hacking has gone from “phreaking” (hacking phone systems) to “cracking” (breaking into networks for fun and fame), and over the past 5 years criminal hackers from all over the world are targeting huge databases full of credit card numbers. But hacking is also becoming part of popular culture. The “script kiddie” from back in the day is the 9-year-old today who is just very intelligent, anxious and doesn’t know anything other than technology.

Police say a nine year old boy hacked the county school system to change teachers’ and staff members’ passwords, change or delete course content, and change course enrollment. “The boy did not intend to do any serious damage, and didn’t, so the police withdrew and are allowing the school district to handle the half-grown hacker.”

“He’s a very intelligent 9-year-old,” said the police, “with no criminal intent.” Someone give that boy a lollipop.

Meanwhile, a study in New York City indicates that one out of 6 city teens has tried hacking. Roughly 39 percent of the New York City teens said they think hacking is “cool,” and about 16 percent admitted to trying it. Seven percent reported they hacked for money, and 6 percent said they viewed it as a viable career.

I know some are going to look at this study and slam me for even acknowledging it. However, in my own informal poll I’m seeing the same thing. Heck, I have a 4-year-old that’s in the process of hacking my network. “Da-da, did you install spyware on my laptop?” “Yes, but that’s beside the point!”

Most kids know more about technology than their parents, which makes a ripe situation for the kid heading down a rabbit hole and the parents unable to pull him out. How can mom or dad prevent the kid from doing something bad if they don’t understand it themselves? The solution? Up your technology and security vocabulary. And install spyware on your kid’s PC, you might learn something.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing criminal hackers on Fox News.

Google Hack Whacks Passwords

Code-named Gaia after the Greek goddess of Earth, a Google single sign-on password system was hacked in December.

The NY Times reports “the intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.”

Google is a significant part of many individuals’ and businesses’ online activities. Millions rely on Google every day to be fast, functional and, most important, secure. A breach such as this may erode the confidence of Google users, but many of them have all their eggs in one basket.

The hack occurred when a Google employee in China received an instant message over Microsoft’s IM program and clicked an infected link. Once the Google employee’s computers were hijacked, the criminal hackers obtained access to his files and credentials. This gave the bad guys access to Google.

Google has since added layers of encryption and beefed up security for its data centers and end users.

However, now is a good time to go through all your passwords and change them up.

I’ve said this multiple times. DON’T CLICK LINKS IN EMAILS AND INSTANT MESSAGES. These links are merely conveniences. All you have to do is either go to whatever the link may be in your favorites menu or search out the site online. Spend the extra 30 seconds to leapfrog the links and go there manually.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing a Google hack on Shepard Smith with Fox News.