Social Media Security: Using Facebook to Steal Company Data

Robert Siciliano Identity Theft Expert

There is a reason why computer users are called “users.” Like crack addicts who are drug users, more is never enough. And when under the influence, people do stupid things. I find myself scanning the Dell catalog like it’s the latest (or any) Victoria’s Secret catalog. I’m amazed at how many people I know are online all day long and digitally stoned. The bad guy knows you are obsessed and uses this against you. He sees that you are comfortably numb here. He understands that in the virtual world you’re delirious and more apt to respond to his message and then enter your credentials.

Meanwhile, Facebook’s security and privacy practices are being challenged from all sides. And during the brouhaha, one of Facebook’s investors fell for a Facebook phishing scam.

Steve Stasiukonis, vice president and founder of Secure Network Technologies Inc., who writes for Dark Reading, tested a client’s network using a bogus identity: he joined the company’s Facebook site and started mining the names and email addresses of individuals who identified themselves as employees.

As he collected a database of names for the phishing phase of a penetration test, he registered a domain name similar to that of his client and dressed it up as a human resources or benefits portal. When he emailed the employees as “human resources,” they were directed to a Web page such as https://www.xyzcompany-benefits.com.

He has been able to accumulate significant numbers of email addresses for phishing targets from Facebook and other social networking sites. When he launched his company’s Facebook spear-phishing attack, he got an average response rate of 45 to 50 percent. So nearly half of the employees responded to an email with the logins and passwords they use on their employer’s network.
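One defensive check that follows from this, written here as an added example rather than anything from the post or from Secure Network Technologies: a Python filter that pulls every link out of an inbound e-mail and flags hosts that are not the company’s own domain but embed its brand name, as xyzcompany-benefits.com does, or sit within two typos of it. The company domain xyzcompany.com, the sample message and every host in it are constructed for the demonstration.

```python
# Added example (not from the original post): flag links whose host merely
# resembles the company's real domain, as a fake HR/benefits portal would.
# COMPANY_DOMAIN, SAMPLE_EMAIL and every host in it are constructed.
import re
from typing import List, Tuple
from urllib.parse import urlparse

COMPANY_DOMAIN = "xyzcompany.com"   # constructed: the only domain HR mail should link to
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed inbound message mixing a real portal link with two lookalikes.
SAMPLE_EMAIL = """From: Human Resources <hr@xyzcompany.com>
Please confirm your 2010 benefits at https://www.xyzcompany-benefits.com/login
The real portal is https://benefits.xyzcompany.com/ and the newsletter is
at https://www.example.org/news - also see http://xyzcompnay.com/hr
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo-squats such as xyzcompnay.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """'allowed' for the company domain or its subdomains, 'lookalike' when any
    label of a foreign host contains or nearly matches the brand name, else 'external'."""
    host = host.lower()
    if host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN):
        return "allowed"
    brand = COMPANY_DOMAIN.split(".")[0]            # "xyzcompany"
    for label in host.split("."):
        if brand in label or levenshtein(label, brand) <= 2:
            return "lookalike"
    return "external"


def flag_links(body: str) -> List[Tuple[str, str]]:
    """Return (url, verdict) for every URL found in the message body."""
    return [(url, classify_host(urlparse(url).hostname or ""))
            for url in URL_RE.findall(body)]


if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_EMAIL):
        print(f"{verdict:9} {url}")
```

The point of the subdomain test is that a real benefits portal lives under the company’s registered domain, so anything that merely contains the brand name in a label the company does not own is the lookalike case; a mail gateway would quarantine or rewrite those links rather than rely on the employee noticing the hyphen.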

Steve says:

— Officially sponsor the social networking site and assign an administrator who is responsible for permitting employees to join. This will help control somebody infiltrating the site for devious purposes.

— Establish a social networking policy. If your employees are participating in social networking sites (company sponsored or not) make sure company policies dictate what is and is not permissible. For example, divulging your corporate email account on social networking sites should not be permitted.

— Last but not least, if employees feel the need to gather and converse about their day-to-day work, personal lives, and hobbies, consider a corporate intranet. Maybe someday social networking vendors will launch a product that will provide the same features and benefits, but with the security tools needed to keep employees and company secrets safe. But in the meantime, it’s up to you.

Sober up and protect your identity.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Facebook Hackers on CNN

Dumb Criminals – The Best Way to Get Caught? Call 911!

In Daytona Beach, Florida, the dumb criminal capital of America, two Florida teenagers are facing charges after breaking into cars. Apparently one teen’s phone was programmed to call 911 and the phone was smarter than the teens and called (maybe accidentally) 911 to inform law enforcement of the crimes taking place.

Dispatchers at the police department listened in as the duo discussed the cars they were breaking into and the stuff that was worth taking. Seems some info was given that directed law enforcement to the parking lot of a local nightclub, where the teens were apprehended. Karma, man, karma.

Meanwhile, another Cro-Magnon Mickey-the-dunce in Utah stole two phones from a convenience store. In the process he left behind a piece of paper with an address he was going to. So now cops had a lead. But it gets better. The store clerk reported the theft and gave a description of the man to police.

Moments later, as Mickey was driving around looking for the address, he pulled over to ask a cop for directions. Immediately the cop recognized the address and the dunce’s description and arrested him. Karma, man, karma.

And in an amazing criminal history that spans 55 years, an 80-year-old woman known as the “Beverly Hills Burglar” gets three years for breaking into a medical building. Her rap sheet was well known in Beverly Hills, as she’s been to the clink before. She was quoted saying, “I’m 80 years old. I don’t think I’ll ever come back – except I’m going to die and be in the morgue.”

That’s amazing and sad all at the same time.

Lock up. Don’t be victimized. And don’t be dumb.

Home Safety Tips:

1. Install outdoor lighting on timers and motion sensors.

2. Make sure your home has a “lived in” look.

3. Use indoor timers for lights, TVs and automatic shades.

4. Install security cameras that can be remotely monitored.

5. Install a home alarm system monitored by an alarm company and the police.

Robert Siciliano personal security expert to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover.

Is That Portable Device a Data Hazard?

Robert Siciliano Identity Theft Expert

A survey of London and New York City taxi companies last year revealed that more than 12,500 devices, such as laptops, iPods and memory sticks, are forgotten in taxis every six months. These are portable devices that may hold troves of sensitive data.

The recent theft of identity data, including names, addresses and Social Security numbers, on 3.3 million people with student loans was the largest-ever breach of such information and could affect as many as 5% of all federal student-loan borrowers. A company spokesperson said the stolen information was on a portable media device: “It was simple, old-fashioned theft, it was not a hacker incident.” Lovely. That’s just ducky, spokesboy.

The survey also reached out to 500 dry cleaners, who said they found numerous USB sticks over the course of a year. Multiplying that by the number of dry cleaners, the researchers arrived at a figure of approximately 9,000 USB sticks lost and found annually.

Computerworld reports that a 2007 Ponemon survey of 893 people who work in corporate IT showed that USB memory sticks are often used to copy confidential or sensitive business information and transfer the data to another computer that is not part of the company’s network or enterprise system. In the survey, 51% of respondents said they use USB sticks to store sensitive data, 57% believe others within their organization routinely do so, and 87% said their company has policies against it.

It’s not just lost portable devices that are an issue. Found ones can be scary too.

Dark Reading reports an oldie but goodie from Steve Stasiukonis, a social engineering master, who says those thumb drives can turn external threats into internal ones in two easy steps.

When hired to penetrate a network he says “We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems.”

I did a program recently for a client where I presented in front of other security professionals. I had my laptop set up on the stage with my presentation loaded. The client was introducing me and asked if he could load a quick file onto my laptop to assist in his opening remarks. I inserted the drive for him and my anti-virus went NUTS! Seems his flash drive had a nice little virus on it. His boss, standing right next to him said “that’s why we are phasing out non-military grade security enabled flash drives as soon as we get back.”

I checked out BlockMaster SafeStick® 4.0 – a fast and user-friendly secure USB flash drive, which streamlines military-grade security and meets those standards to protect your data. The SafeStick hardware controller encrypts all data using AES256-bit encryption in CBC-mode. Encryption keys are generated on board at user setup, and all communications are encrypted. SafeStick is protected against autorun malware, and onboard active anti-malware is available. Once unlocked, SafeStick is as simple to use as a standard USB flash drive.

The one I got just plugs in, initializes, then launches a program requiring the user to set up a password. From that point on any time the user has to access the data, a password needs to be entered.

Flash drives can be a security mess. Organizations need policies in place that require secure flash drives and forbid plugging a stray cat into the network.
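The autorun angle deserves a concrete check. What follows is an added example, not code from the post or from BlockMaster or Secure Network Technologies: a Python triage script that looks at the root of a mounted drive for an autorun.inf and reports every directive that would launch a program when the drive is inserted. The sample autorun.inf it writes into a temporary directory is constructed.

```python
# Added example (not from the original post): triage a removable drive's root for an
# autorun.inf that launches a program. SAMPLE_AUTORUN below is constructed.
import os
import tempfile
from typing import Dict, List

LAUNCH_KEYS = {"open", "shellexecute"}   # directives that run a program on insertion

# Constructed file mimicking a giveaway thumb drive: the icon and label look
# harmless while three separate directives hand execution to setup.exe.
SAMPLE_AUTORUN = """[AutoRun]
; constructed sample, not a real drive
open=setup.exe
icon=setup.exe,0
label=Vendor Photos
shell\\open\\command=setup.exe
shell=open
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Collect key=value directives from the [autorun] section, keys lower-cased.
    Hostile files pad the section with junk and odd casing, so the parser is
    deliberately lenient rather than relying on configparser's strict grammar."""
    directives: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")           # tolerate a UTF-8 BOM
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def assess_autorun(text: str) -> List[str]:
    """One finding per directive that runs code or re-wires the double-click verb."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append(f"{key} launches {value}")
        elif key == "shell":
            findings.append(f"default shell verb overridden: {value}")
    return findings


def scan_drive_root(path: str) -> List[str]:
    """FAT/NTFS are case-insensitive, so match autorun.inf in any casing."""
    for name in os.listdir(path):
        if name.lower() == "autorun.inf":
            with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
                return assess_autorun(fh.read())
    return []


def demo_scan() -> List[str]:
    """Write the constructed autorun.inf into a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN)
        return scan_drive_root(root)


if __name__ == "__main__":
    for finding in demo_scan():
        print("autorun:", finding)
```

An empty result means only that there is no autorun hook, not that the drive is clean; the rest of its contents still need scanning, and the control the paragraph above asks for is a policy that keeps unknown media off managed machines in the first place, with AutoRun disabled as the backstop.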

Disclosures: I have no financial ties to BlockMaster. I just like this thing.

Robert Siciliano Identity Theft Expert discussing good ole fashion identity theft on Good Morning America.

Beware of Door to Door Conmen

There are a bazillion scammers using a bazillion ruses to get your money. The lowest of the low are the ones who scam the elderly. These same conmen often do it door to door and can be very dangerous.

Con men posing as city employees seem to be the most effective scam. In one incident two men posed as city workers who were trimming trees in a neighborhood. One man would knock on the door and schmooze the resident into letting him into the home. He would then coax the person into the back of the home while his partner snuck in the front door.

Once the second man was in he’d rob the person. Often they’d head straight for the bedroom and grab jewelry boxes and look for wallets and pocketbooks.

In another scam a man would go door to door and offer his labor for gardening and yard work for the elderly. He would do the job he was hired to do at the agreed fee. But when the job was over he would demand a significant amount of money that hadn’t been discussed, escalating the situation to yelling and threats.

He was so bold he would drive the person to an ATM to get the money.

In both of these situations the homeowners were lucky the situations didn’t escalate to physical violence. It’s unfortunate that the elderly are preyed upon in this way. If you have an elderly parent or neighbor, keep a close eye on them and watch out for them. Unfortunately, with some people you can tell them to be careful and not to open the door to strangers until you are blue in the face, and they may not listen.

If you have an elderly person you care for and they live away from you I’d recommend installing a video security system in their home. Today’s surveillance systems can be remotely monitored from any PC in the world. I’m able to monitor mine from my iPhone. You can set an alarm on individual cameras to alert you to activity.

Consider a home alarm system too. Make it real easy for them to activate and deactivate using a remote control. Have the alarm company call them first, the police second and you third when an alarm goes off.

Robert Siciliano personal security expert to Home Security Source discussing Home Invasions on Montel Williams.

Report 1.8 Billion Cyber Attacks Per Month

You read that right. While the US government sits high on its perch, snipers are taking aim 60 million times a day. The Senate Security Operations Center alone receives 13.9 million of those attempts per day.

The US National Security Agency is probably the most sophisticated group of security hackers in the world. Many will argue this point. The fact is, without NSA, US STRATCOM, which directs the operation and defense of the military’s Global Information Grid, and US CERT, attacks on our critical infrastructures would be successful. We’d be living in the dark, telephones wouldn’t work, food wouldn’t be delivered to your supermarket and your toilet wouldn’t flush.

“Like in the rest of the world, the attacks are increasingly targeted and use application flaws, including Office and Acrobat. In the last five months of 2009, 87 Senate offices, 13 Senate committees and seven other offices were attacked by spear-phishing attacks, which appeared as e-mail messages to staffers, urging them to open infected attachments or click on bad links. No matter how good their defenses are, nothing’s 100% effective. Some attacks get through.”

Adobe Reader and Acrobat are cross-platform applications that open and edit the Portable Document Format (PDF), which is ubiquitous on most PCs. Criminal hackers discovered a flaw that allows hostile code to be injected into unprotected systems. Studies show that in the last quarter of 2009 as many as 80% of all web-based attacks were directed at PDFs.

Adobe Flash, which has become standard on most PCs that play multimedia, is also vulnerable software. The Register reports that Adobe advises users to upgrade to Acrobat version 9.3.1 and Reader version 9.3.1, as explained in a bulletin here.

Run Windows Update, Install Anti-Virus, Install Spyware Removal Software, Run Firefox, Secure Your Wireless, Install a Firewall, Use Strong Passwords.

Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in anti-virus and keep it auto-updated, and check out my spyware killer IDTheftSecurity HERE.

With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Identity Theft Ring Busted on MSNBC

Cell Phone Spying Nightmare: ‘You’re Never the Same’

Robert Siciliano Identity Theft Expert

Technology makes it easier to connect with the people in your life, but it can also enable others to connect to you without your knowledge.

The engine behind this is RATs, AKA “Remote Access Trojans.” RATs can capture every keystroke typed, take a snapshot of your screen and even record rolling video via your webcam. RATs covertly monitor a PC, generally without the user’s knowledge. RATs are a criminal hacker’s dream and the key ingredient in spyware. Common RATs are the LANRev Trojan and “Back Orifice.”

Now RATs come to mobile phones. When somebody remotely activates your phone, you’re not going to know it and they can use that phone to monitor the conversations in the room you’re in. Your phone could be sitting next to you while you are watching TV, and somebody can actually log into your phone and can actually watch what you are watching on television.

Cell Phone Spying Software is Affordable and Powerful. I worked with Good Morning America (GMA) on this issue.

GMA found thousands of sites promoting cell phone spying software, boasting products to “catch cheating spouses,” “bug meeting rooms” or “track your kids.” Basic cell phone spying software costs as little as $50. Someone can easily install a spyware program on your phone that allows them to see every single thing you do all day long, via the phone’s video camera. GMA spent $350 to get the features that remotely activate speaker phones, intercept live calls and instantly notify you every time a call is made.

A virus called “Red Browser” was created specifically to infect mobile phones using Java. It can be installed directly on a phone, should physical access be obtained, or the malicious software can be disguised as a harmless download. Bluetooth and infrared are also points of vulnerability. Once installed, the Red Browser virus allows the hacker to remotely control the phone and its features, such as the camera and microphone. For all you techies who want to take a crack at decoding tricks for defeating SSL on mobile phones, see Mobile Security Labs HERE.

If history is any indication of the future, mobile phones, just like computers, will soon be regularly hacked for financial gain. Prepare for mCrime in the form of credit card fraud, identity theft and data breaches.

To protect your mobile phone:

Spyware can be installed remotely or directly on the phone. Never click on links in a text or email that could contain a malicious link to a download.

Always have your phone with you and never let it out of your sight or let anyone else use it.

Make sure your phone requires a password to have access. If your phone is password protected it will be difficult to install spyware.

If you suspect spyware on your phone, reinstall the phone’s operating system. Consult your user manual or call your carrier’s customer service to walk you through it.

And protect your identity.

Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in anti-virus and keep it auto-updated, and check out my spyware killer IDTheftSecurity HERE.

With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Mobile Phone Spying on Good Morning America

Copy Machines Can Store Your Private Info

Robert Siciliano Identity Theft Expert

Today, copy machines, fax machines and many printers are just like computers; they’re smart and they have hard drives or flash drives and can store data that can be extracted. Peripherals in the olden days, just like when dot-com was a significant part of a person’s stock portfolio, were dumb.

Because of the increased demand for networked technologies, manufacturers of all these peripherals met the demand and built them so they can be easily accessed by everyone in the office. These same peripherals are often wireless too.

The issue here is that these devices are sometimes, but not always, treated with the same care a computer gets. PCs are often locked down, access is limited and the data might be encrypted. And when someone upgrades to a new PC, the old PC’s data is supposed to be removed, the drive reformatted, etc. This procedure is often overlooked on a copier/printer/fax.

Consider what kind of data is copied at your doctor’s, bank’s, mortgage broker’s and accountant’s office. Generally there is personally identifying information that can be used to create new accounts or take over existing accounts.

Where do old peripherals go? Many of them head to warehouses to be resold. Others end up on eBay. A quick search on eBay results in 7845 copiers for sale and 1130 used ones. If I can buy an ATM off Craigslist with over 1000 credit and debit card numbers on it, how much data do you think we can get from used copiers?
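Before a copier, printer or ATM leaves the building, the drive inside it should be wiped and the wipe verified. As an added example (not from the post), here is a Python sampler that reads a raw image of such a drive sector by sector, counts the sectors that still hold data, and searches the image for Social Security numbers and Luhn-valid card numbers of the kind the paragraph describes. The image is assembled in memory from constructed bytes; the SSN and the 4111 1111 1111 1111 test card number are not real data.

```python
# Added example (not from the original post): verify that a retired copier/ATM drive
# image is actually wiped, and look for PII in any sectors that still hold data.
# build_sample_image() assembles constructed bytes; nothing in it is real.
import re
from typing import Dict, List

SECTOR = 512
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(rb"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives from job numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_image(image: bytes) -> Dict[str, object]:
    """Count sectors with any non-zero byte and extract SSN/card-shaped strings."""
    sectors = range(0, len(image), SECTOR)
    nonzero = sum(1 for off in sectors if any(image[off:off + SECTOR]))
    ssns = [m.decode() for m in SSN_RE.findall(image)]
    cards: List[str] = []
    for m in CARD_RE.findall(image):
        digits = re.sub(rb"[ -]", b"", m).decode()
        if luhn_ok(digits):
            cards.append(digits)
    return {
        "sectors": len(sectors),
        "nonzero_sectors": nonzero,
        "ssns": ssns,
        "cards": cards,
        "wiped": nonzero == 0,
    }


def build_sample_image() -> bytes:
    """Sixteen zeroed sectors, two of which still carry copier job data (constructed)."""
    sectors = [bytearray(SECTOR) for _ in range(16)]
    job = b"JOB 0412 scan: Patient J. Doe SSN 123-45-6789 card 4111 1111 1111 1111 exp 05/12"
    sectors[3][:len(job)] = job
    note = b"printer log: toner low"
    sectors[9][:len(note)] = note
    return b"".join(sectors)


if __name__ == "__main__":
    report = scan_image(build_sample_image())
    print(f"{report['nonzero_sectors']}/{report['sectors']} sectors hold data; "
          f"wiped={report['wiped']} ssns={report['ssns']} cards={report['cards']}")
```

On a real drive the image would come from the device's disk via a write-blocker; the sector count tells you whether the "wipe" was an actual overwrite or just a quick format, and the pattern hits tell you what would have walked out the door with the unit.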

All the more reason to protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated, and check out my spyware killer IDTheftSecurity HERE.

3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing copy machine scams on CBS Boston

Is a Protection Dog Right for You?

As mentioned in a previous post, I’m a big believer in furry beasts as a layer of protection. My German shepherd, 60 lb last fall, is now a 75 lb GSD due to a lazy winter and a busy Daddy who hasn’t taken her out enough.

“Lola” the furriest of all beasts is all bark, love and very territorial. When anyone walks within 100 yards of the property she’s barking. If the door bell rings or someone knocks on the door forget it. All mayhem breaks out. If I or anyone enters through a door and she is even a little surprised she goes nuts.

In the event a bad guy was to walk through my door, my feeling is he’d end up “sausage.” A dog is another home alarm system. It’s an extra video security system too. They often see and hear what you can’t, day and night. Whenever my dog starts barking, the first thing I do is check the video surveillance system monitor to see what she’s cracking about.

In the Boston area, it is reported that a German Shepherd thwarted a home invasion.

The key to getting a protection dog is to understand what a protection dog is and isn’t. First and foremost a protection dog doesn’t mean that the dog is a non stop-snarling-growling-aggressive-ready to pounce-rabid animal. Most protection dogs are relatively sublime, but aware. They respond to the call of duty when they sense a reason to.

A real protection dog is one that is trained for such a purpose. Certain breeds are more trainable and often go through a technique called “schutzhund.” German Shepherds, Malinois and Dobermans are breeds that come to mind. Generally, these dogs have what’s called “prey drive.” Prey drive is the instinctive behavior of a carnivore to pursue and capture prey.

Without prey drive the dog doesn’t have much motivation to do much, never mind put itself in harm’s way.

My neighbors have these two little “Toto” dogs that think they are 125 lb Rottweilers. And frankly, I don’t get too close to them because they act the part too. They snarl and hiss and bark when their “Mom” walks them, and they have razor-sharp teeth. It’s not the size of the dog in the fight; it’s the size of the fight in the dog.

Ultimately you want a dog that is safe around you and children. Just as important the dog needs to be safe around strangers too. The dog needs to be sensitive to who or what is good, and when there is a threat. A dog that bites for no reason isn’t a protection dog; it’s a lawsuit and a burden.

Do your research to determine what’s best for you and your family. No matter what dog you get, show them respect and they will watch your back.

Robert Siciliano personal security expert to Home Security Source discussing Home Security on Fox Boston

She Said WHAT? On Facebook?

Robert Siciliano Identity Theft Expert

I don’t know about you, but high school was a nightmare for me. I spent a lot of my time in the assistant principal’s office for fighting. My taste for GQ style clothing along with slicked back greasy hair made me a target. My forked tongue didn’t help me any either. Not much has changed.

In Melrose, Massachusetts, a woman was run down by a pack of teenagers in a car because of a dispute that started among high school kids on Facebook. If there had been Facebook when I was in high school, I would definitely have made the paper.

The feud started because of a “she said, she said” dispute between two girls over a boy. I always fought boys because I wasn’t tough enough to fight girls. Girls hit you with their car.

The woman hit was the mother of one of the girls in the Facebook/cat/car fight and spent the night in Mass General Hospital after she did an endo, that’s when your “end” goes over your head then over the windshield.

This same diarrhea of the mouth on Facebook is happening with employees at small to large businesses. It might not end up as violent, but it’s certainly damaging corporate brands. People are saying mean things, blabbering about how they hate their jobs, their fellow employees, their bosses or even their clients. It’s never good when an employee publicly says bad things about the company they work for.

Just as bad, they are leaking sensitive information about products coming to market, product specs, or new and potential clients, which gives the competition an edge. This kind of transparency is causing a tremendous stir and hurting many.

People mistakenly believe that what they say around the water cooler, to a friend or spouse, or even on an IM in private can be said in public on Facebook or Twitter. They couldn’t be more wrong.

The Wall Street Journal reports that, to nab violators, some business owners frequently conduct Web searches of their companies’ names. Others make a habit of checking employees’ social-media profiles if they’re open to the public or they’ve been granted access. They say such strategies can be helpful for quickly doing damage control, as well as for digging up digital dirt on employees and prospective recruits.

As an employer, you must have a written policy on appropriate and inappropriate behavior in social media. Just because you block access at work doesn’t mean employees aren’t saying stuff when they get off work. As an employee, don’t be stupid. Shut up and don’t act like an idiot pack of teenage high schoolers.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated, and check out my spyware killer IDTheftSecurity HERE.

3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Facebook Scams on CNN

The $10,000 Fake ID

Robert Siciliano Identity Theft Expert

When I was 17, my friend “Baldo,” as he was known by all, was the Fake ID Master. He also fixed TVs and still does today. But he didn’t actually create “fake IDs,” he altered real ones. The technology he used back then is still used today. It’s called Crayola Crayons. He would take a Massachusetts ID and heat the laminate over the stove and peel it back. Then he’d dab a premixed batch of liquid aqua green/blue crayon on the left side of an 8 to make it a 3. He’d bust out his heating iron and some wax paper and seal up the laminate. Then a 17-year-old became 22, using the same technology my 1-year-old eats. Packy run, anyone?

Today is a little different. It’s not so easy to peel back the laminate. Most cards today are treated plastics: PVC, styrene, polypropylene, direct thermal, and Teslin hybrids. However, while all that sounds technically challenging, it’s really not. Some of the do-it-yourself ID-making machines are the size of a shoebox. It is, however, a tad more complicated than that. Sure, you can go to your local office supply store and buy ID-making materials, or simply buy fake IDs online, but will they pass muster when put in front of the numerous technologies that look for tampering?

That’s where the $10,000 fake ID comes in. In New York, authorities busted an identity theft ring and charged 22 people with selling driver’s licenses and other identification documents.

Among those implicated in the ring are two New York State Department of Motor Vehicles employees, who are believed to have earned over $1 million issuing more than 200 licenses and other documents over the past three years. The alleged ringleader of the group was identified as Wilch Dewalt, also known as “Sharrief Sabazz Muhammad” and “License Man.” Authorities say he acted as a broker who, in exchange for a fee of between $7,000 and $10,000, served as a one-stop shop for fraudulent documents.

In this case, the clients who were dropping 10G on IDs were people who were hiding from the law in plain sight, including felons, a drug dealer whose claim to fame was once a cameo on “America’s Most Wanted,” and someone from the government’s No Fly List. These were people that: A) could afford it and, B) needed the best of the best in real fake identification.

In the meantime, identity theft is again the top 2009 consumer complaint, the FTC reports. The number of American identity fraud victims rose 12% last year to 11.1 million, with losses hitting $54 billion, according to an annual report from Javelin Strategy & Research.

Protect your financial identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated, and check out my spyware killer IDTheftSecurity HERE.

3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)