Cyber Security in This Year’s Election – The Role It Played In 2012

For more than a decade, we have been at risk of cyber war and cyber terror due to political disputes or hacktivists bent on disruption. Our information, financial systems and critical infrastructures are the main targets. In 2012, cyber security became part of our popular culture due to the elections.

The Obama administration made the most significant advances in two ways: moving the discussion forward on minimum cyber security standards for all those responsible for critical infrastructure, and moving forward on creating trusted identities in cyberspace. The National Strategy for Trusted Identities in Cyberspace (NSTIC) envisions a cyber world – the Identity Ecosystem – that improves upon the passwords currently used to log in online. It would include a vibrant marketplace that allows people to choose among multiple identity providers – both private and public – that would issue trusted credentials that prove identity.

And of course the Democrats and Republicans do not agree on next steps. The Republicans have stated Obama’s plans cost too much and are ineffective. Both candidates disagreed throughout the campaign.

ABC News reports: “The uncomfortable reality of our world today is that bits and bytes can be as threatening as bullets and bombs,” Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff, told lawmakers.

Now it is up to this administration to follow through and get citizens properly identified and to properly protect our critical infrastructure.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures

Cybersecurity Matters in The Election

The term “cyberattack” or cyberwarfare is defined as “politically motivated hacking to conduct sabotage and espionage. It is a form of information warfare sometimes seen as analogous to conventional warfare although this analogy is controversial for both its accuracy and its political motivation.”

“Weapons of Mass Disruption” are a growing concern. The U.S. and many other countries are electrically and digitally dependent. Our critical infrastructures, including drinking water, sewer systems, phone lines, banks, air traffic, and government systems, all depend on the electric grid. After a major successful attack we’d be back to the dark ages instantly. No electricity, no computers, no gasoline, no refrigeration, no clean water. Think about when the power goes out in your house for a few hours. We’re stymied.

The New York Times reports: “Defense Secretary Leon E. Panetta warned Thursday that the United States was facing the possibility of a ‘cyber-Pearl Harbor’ and was increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid, transportation system, financial networks and government.”

The threats of a cyberattack are real. Unfortunately, this is one of those “it’s not IF but WHEN” scenarios.

The AP reports: “President Barack Obama wants owners and operators of essential U.S. infrastructure to meet minimum cybersecurity standards that the private sector and federal agencies would develop together.” And: “Republican presidential candidate Mitt Romney says within his first 100 days in office he would order all federal agencies to develop a national strategy to deter and defend the country from cyberattacks.”

Whoever is elected president will face an unknown, unseen digital enemy unlike any that a previous president has seen in history.

Think before you click. Know who’s on the other side of that instant message. What you say or do in cyberspace stays in cyberspace — for many to see, steal and use against you or your government.

The Internet is an incredibly powerful tool that must be used intelligently and cautiously. Do your part to protect your little network and we will all be that much safer.

Use antivirus software, spyware removal, parental controls and firewalls.

Back up your data locally and in the cloud.

Understand the risks associated with the wireless web, especially when using unsecured public networks.

Protect your identity too. The most valuable resource you have is your good name. Allowing anyone to pose as you and damage your reputation is almost facilitating a crime. Nobody will protect you, except you.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Your Rights To Online Privacy

“Americans have always cherished our privacy. From the birth of our republic, we assured ourselves protection against unlawful intrusion into our homes and our personal papers. At the same time, we set up a postal system to enable citizens all over the new nation to engage in commerce and political discourse. Soon after, Congress made it a crime to invade the privacy of the mails. And later we extended privacy protections to new modes of communications such as the telephone, the computer, and eventually email.” The White House.

Corporations, without any FTC or privacy advocate oversight, would pretty much invade your online privacy. Most major websites now install cookies on your computer, which, over time, help develop a profile that serves as your digital fingerprint. This is why, after searching for a specific product, you may notice advertisements for that particular product or brand appearing on various other websites. This is generally harmless.

A cookie is a small piece of text or code that is stored on your computer in order to track data. Cookies contain bits of information such as user preferences, shopping cart contents and sometimes user names and passwords. Cookies allow your web browser to communicate with a website. Cookies are not the same as spyware or viruses, although they are related. Many anti-spyware products will detect cookies from certain sites, but while cookies have the potential to be malicious, most are not.

With privacy watchdogs addressing this kind of advertising as a major concern, and the Obama administration now stepping in, we will surely see the implementation of some standards in this kind of marketing practice over the next few years.

The New York Times reports: “The Obama administration and the nation’s chief privacy regulator pressed Congress to enact online privacy legislation, saying new laws would level the playing field between companies that already had privacy policies and those that lacked them, and thus escape regulatory oversight.”

The White House has put forward what it calls a Privacy Bill of Rights to provide basic online protection guarantees. Read up, and recognize you have rights.

The Obama Administration’s framework consists of four key elements: A Consumer Privacy Bill of Rights, a multi-stakeholder process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts, effective enforcement, and a commitment to increase interoperability with the privacy frameworks of the US’s international partners.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

10 Ways To Protect Kids Online

Children engage in online shopping, social media, mobile web, and computers just like adults do. Many parents feel a bit overwhelmed by technology and often throw their hands in the air and give up. Unfortunately, that’s not an option. It is essential that parents educate themselves on safe, secure online practices in order to set a positive example and provide guidance for their children as they navigate the web.

Parents who lack experience with the Internet, computers, or mobile phones must learn the basics before they can adequately monitor their children’s habits. A parent’s discomfort or unfamiliarity with technology is no excuse to let a child run wild on the Internet.

As with any task, one should start with the fundamentals. Spend as much time as possible with kids in their online world. Learn about the people with whom they interact, the places they visit, and the information they encounter. Be prepared to respond appropriately, regardless of what sort of content they find. Remember, this is family time.

  1. Narrow down devices: Many parents set up the family computer in a high-traffic family area, and limit the time children may spend using it. This is still good advice, but it becomes less feasible as more children have their own laptops and mobile phones, which can’t be so easily monitored.
  2. Recognize predatory behavior: Teach children to recognize inappropriate behavior. Kids will be kids, but that doesn’t mean it’s okay to say mean things, send racy pictures, make rude requests, or suggest illegal behavior. If it isn’t okay in the physical world, it isn’t okay on the Internet.
  3. Use parental controls: Consider investing in computer security software with parental controls, which limit the sites kids can access.
  4. Discuss right from wrong: Decide exactly what is and is not okay with regards to the kinds of websites kids should visit. This dialogue helps parents and children develop a process for determining appropriate online behavior.
  5. Clamp down: Children should be restricted to monitored, age-appropriate chat rooms. Spend time with your children to get a feel for the language and discussion occurring on the websites they wish to visit.
  6. Stay anonymous: Do not allow children to create usernames that reveal their true identities or are provocative.
  7. Be secretive: Children should be reminded never to reveal passwords, addresses, phone numbers, or other personal information.
  8. Limit exposure: Kids should not be permitted to post inappropriate photos or photos that may reveal their identities. (For example, a photo in which a t-shirt bears the name of the child’s city or school.)
  9. No strangers: Never allow a child to meet an online stranger in person.
  10. No attachments: Children should be taught not to open online attachments from strangers.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Be Proactive During Cyber Security Awareness Month

We use the web to search, shop and connect with friends and family. And in the process, criminals are trying to steal from us.

It used to be that a person only had to know not to open a file in an attachment from someone they didn’t know. Today there are more ways than ever that your PC can be hijacked.

Today you can simply visit a website thinking you are safe, but if the bad guy was there before you and injected code into the site, it can infect your outdated browser. That’s a “drive-by,” and it’s very common today.

Protect yourself:

Update your browser. Internet Explorer and Firefox are the most exploited browsers. Whenever there is an update to these browsers, take advantage of it. Keep the default settings and don’t go to the bowels of the web where a virus is most likely to be. Consider the Google Chrome browser, as it’s currently less of a target. Systems using old or outdated browsers such as IE 5, 6, or older versions of Firefox offer the path of least resistance.

Update your operating system. Computers with old, outdated, or unsupported operating systems like Windows 95, 98, and 2000 are extremely vulnerable. No matter what brand of computer you are on, you have to install the critical security patches for your Windows operating system. Microsoft will no longer support Windows XP after 2014, so start thinking about upgrading to Windows 7 or wait for Windows 8 (which is pretty sweet). Go to Windows Update. Keep your critical security patches up to date by setting Windows Update to run automatically as well.

Update Adobe Reader and Flash. Adobe PDFs and Flash Player are ubiquitous on almost every PC, which makes them a prime target for criminals. To update Reader, go to Help, then Check for Updates. To update Flash go here.

Don’t be suckered into scareware. A popup launches and it looks like a window on your PC. Next thing a scan begins. The scan tells you that a virus has infected your PC. And for $49.95 you can download software that magically appears just in time to save the day.

Beware of social media scams. Numerous Twitter (and Facebook) accounts, including those of President Obama, Britney Spears, Fox News and others, were taken over and used to make fun of, ridicule, harass or commit fraud. Often these hacks may occur via phishing emails.

Surfing pornography websites increases your risk, as does frequenting gaming websites hosted in foreign countries. And don’t engage in risky online activities that invite attacks.

Downloading pirated content from P2P (peer-to-peer) websites is also risky. Remember, there is no honor among thieves.

Make sure to set your antivirus software to update automatically. Use a paid product that provides antivirus, antiphishing, antispyware and a firewall.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

What Security Benefits Does Contactless Technology Offer?

Contactless technology offers many benefits, including faster and easier transactions, the versatility to be incorporated into various personal devices including mobile phones, and improved data security over magnetic stripe technology.

According to the Smart Card Alliance, “Contactless smart card technology includes strong security features optimized for applications involving payment and identities. Every day tens of millions of people around the world safely use contactless technology in their passports, identity cards and transit fare cards for secure, fast and convenient transactions. Multiple layers of security protect these transactions, making them safe for consumers and merchants. Some of these features are in the contactless smart card chip and some are in the same networks that protect traditional credit and debit card transactions.”

Nicely put.

Contactless technology improves data security in several potential scenarios.

ATM skimming: It’s difficult to skim a card that doesn’t actually come into physical contact with the reader. With the old magnetic stripe cards, a card must be physically swiped through a reader device. These point-of-sale readers are found in retail environments, gas stations, and on ATMs. Countless skimming devices installed by criminals have been found in all of these environments.

Data breaches: In recent years, there have been hundreds of data breaches resulting in the loss or theft of more than a half billion records. Companies whose databases have been compromised have spent or lost millions of dollars as a result of these breaches. Contactless payment methods incorporating chip and PIN technology encrypt data to prevent it from being read in plain text.

Lost cards: If your wallet is stolen or you lose a credit card, it is highly probable that a thief will take advantage of the opportunity to rack up charges on your magnetic stripe credit card. A contactless chip and PIN card, on the other hand, can’t be used by just anyone, since any transaction requires a PIN.

So there you have it. These are just a few of the security benefits offered by contactless technology.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Where Will I See Contactless Technology in My Everyday Life?

As contactless technology embeds itself into the fabric of everyday transactions all over the world, numerous industries are fine-tuning integration of this latest payment technology into their operations.

Employee Badges: Organizations all over the world are using contactless technology to verify individuals’ authenticity before granting access to a restricted facility, computer system, or electronic device.

For example, a government employee might be required to use a “proximity” card in order to enter a secure facility. Where that employee might have once swiped a magnetic stripe card through a reader, she can now use a contactless card that is more secure and allows her to pass through the access control gate more efficiently.

Or a financial institution might have employees processing sensitive client information. If an employee steps away from his computer for a coffee break, a proximity device he is wearing might trigger his computer to perform a system lockdown until he returns.

Public Transportation: Planes, trains, buses, automobiles, and even shared bicycle services are implementing some form of contactless technology. In fact, multiple citywide transportation services now employ contactless payment methods and many more are making the move to contactless, allowing riders to carry one less card in their wallets by effectively rolling the transit card into the bankcard.

Your local retailers: Before you know it, most, if not all, of your payment cards will offer a contactless option. And once mobile companies and handset providers hash out the best and most efficient way to use mobile payment via contactless on your mobile phone, we will see thousands of mobile payment applications for every possible retailer emerge.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

What is Contactless Technology?

“Contactless” refers to technology embedded in a personal device — typically a mobile phone, key fob, credit card, or access card — that transmits your data to another device from a distance of a few inches in order to complete a transaction.

Transactions involving data transfer have traditionally involved plastic cards with a magnetic stripe or some type of a bar code. And while these technologies remain commonly used, the migration to contactless is well underway, for a number of reasons:

  1. Contactless tends to be a more secure data transfer method. Classic credit cards often contain sensitive yet unencrypted data, stored in plain text in magnetic stripes that can be compromised by various skimming devices.
  2. Contactless technology can handle more data. Devices equipped for contactless transactions contain a small chip, which stores user data and has a vastly greater capacity than a traditional magnetic stripe.
  3. Contactless technology is far more versatile than the payment technology it replaces. Relying on a plastic card and magnetic stripe limits your transaction options, whereas contactless technology can be used to store data in a variety of different devices, from a plastic card to a mobile phone to just about any type of product.
  4. Contactless transactions are more convenient. We’re all accustomed to producing one card or another to make a purchase or access a restricted building or other area. But carrying all those cards around requires a wallet. And frankly, wallets are cumbersome and bulky. I long for the day when my mobile phone is the only device I need, containing everything I need to get anywhere and buy anything.

When your bank, employer, or local public transportation system rolls out contactless technology, embrace it. Before long, it will without a doubt be the preferred method for the majority of our daily transactions.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

What Differentiates EMV Cards?

In the United States, our credit and debit cards still rely on outdated magnetic stripe technology. The magnetic stripe is the black or brown band on the back of your credit or debit card. The stripe stores data, such as your account number, via tiny, iron-based magnetic particles. When you swipe your card through a card reader, the device accesses the data stored on the magnetic stripe. A quick YouTube search yields numerous vendors offering to sell skimming devices, which can be used to steal data from credit cards as they are swiped in an ATM.

EMV, or chip and PIN cards, on the other hand, are far more secure. These so-called “smart cards” contain embedded microchips and are authenticated using personal identification numbers, or PINs. When a customer uses a smart card to make a purchase, the card is placed into a terminal or a modified card reader, which accesses the card’s microchip and verifies the card’s authenticity. The customer then enters a four-digit PIN, which is verified against the PIN stored on the card.

EMV technology supports four cardholder verification methods: offline PIN, online PIN, signature, or no cardholder verification. This enhanced cardholder verification process is an additional security feature, ensuring that the person initiating a transaction is in fact the legal cardholder.

Meanwhile, the only way to verify a regular magstripe credit card is for a cashier to check a customer’s identification, but this occurs irregularly at best and may even promote a false sense of security. In card-not-present transactions, such as online purchases, the CVV, or card verification value, is the primary verification method, but this number is visibly printed on the card itself, and is as easily stolen as an account number or PIN.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Banks Should Promote EMV

The old magnetic stripe technology currently used in credit and debit cards in the United States is inexpensive and readily available, making our cards highly vulnerable to fraud. It’s understandable then that credit and debit card fraud is Americans’ primary fear, with 68% of those surveyed describing themselves as extremely or very concerned about the security of their credit or debit card data and 66% as extremely or very concerned about identity theft.

Compare that to the 58% who are extremely or very concerned about terrorism and war, or 41% who fear the possibility of a serious health epidemic. If a health epidemic actually occurred, that would naturally take precedence over our financial concerns. But for now, we’re mostly worried about our money.

Credit card fraud comes in two different flavors: account takeover and new account fraud. Account takeover occurs when an identity thief gains access to your credit or debit card number through criminal hacking, dumpster diving, ATM skimming, or sometimes even when you hand it over to pay at a store or restaurant. Technically, account takeover is the most prevalent form of identity theft, though I’ve always been inclined to categorize it as simple credit card fraud.

EMV credit cards—or “chip and PIN” cards—are safer than the magnetic stripe cards still used in the U.S. According to the Smart Card Alliance, “[EMV] transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal using Static Data Authentication (SDA), Dynamic Data Authentication (DDA) or Combined DDA with application cryptogram generation (CDA). EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions.”

In simple terms, with EMV technology, users’ financial data is thoroughly scrambled. It makes sense, therefore, for smart, forward-thinking banks to encourage EMV migration as soon as possible.
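The property in the Smart Card Alliance quote above, that captured chip transaction data cannot be reused while a copied stripe is indistinguishable from the original, shown as an added example that is not from the original post or from any EMV specification. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the key, card number, track string and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample values for illustration; not real card data.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "4000000000000002"
STATIC_TRACK = f"{PAN}=25121010000000000000"  # same bytes on every swipe


def cryptogram(key: bytes, pan: str, atc: int, amount_cents: int, un: bytes) -> bytes:
    """Stand-in for an EMV application cryptogram: HMAC-SHA256, truncated to 8 bytes."""
    msg = f"{pan}|{atc}|{amount_cents}|".encode() + un
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    key: bytes
    pan: str
    atc: int = 0  # transaction counter kept on the chip

    def authorize(self, amount_cents: int, un: bytes) -> dict:
        self.atc += 1  # every transaction gets a fresh counter value
        ac = cryptogram(self.key, self.pan, self.atc, amount_cents, un)
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents, "un": un, "ac": ac}


@dataclass
class Issuer:
    keys: dict  # card number -> secret key shared with that card's chip
    last_atc: dict = field(default_factory=dict)

    def verify_chip(self, txn: dict) -> str:
        key = self.keys.get(txn["pan"])
        if key is None:
            return "unknown card"
        expected = cryptogram(key, txn["pan"], txn["atc"], txn["amount"], txn["un"])
        if not hmac.compare_digest(expected, txn["ac"]):
            return "bad cryptogram"  # any altered field changes the expected value
        if txn["atc"] <= self.last_atc.get(txn["pan"], 0):
            return "replayed counter"  # valid cryptogram, but already seen
        self.last_atc[txn["pan"]] = txn["atc"]
        return "approved"

    def verify_magstripe(self, track: str) -> str:
        # Static data: a copied stripe is byte-for-byte identical to the original.
        return "approved" if track.split("=")[0] in self.keys else "unknown card"


def demo() -> dict:
    issuer = Issuer(keys={PAN: CARD_KEY})
    card = ChipCard(CARD_KEY, PAN)
    first = card.authorize(1999, secrets.token_bytes(4))  # terminal supplies a random value
    results = {"chip_first": issuer.verify_chip(first)}
    results["chip_replayed"] = issuer.verify_chip(dict(first))
    results["chip_altered_amount"] = issuer.verify_chip({**first, "amount": 99999})
    results["chip_second"] = issuer.verify_chip(card.authorize(500, secrets.token_bytes(4)))
    results["stripe_first"] = issuer.verify_magstripe(STATIC_TRACK)
    results["stripe_copied"] = issuer.verify_magstripe(STATIC_TRACK)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```

The issuer rejects the resubmitted and the altered chip messages because the counter and the keyed value are bound to one transaction, while the stripe path has nothing that changes between swipes.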

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures