llegal Alien Steals Identity, Becomes Cop

/in /by

In a story that could have come right out of a movie, a widely respected police officer turned out to be a Mexican national who stole an American identity and moved to Alaska to become a cop. I’ll bet Sarah Palin didn’t see this one coming.

Fox News reports that the identity thief had been employed as an Anchorage police officer using his assumed name since 2005. Police and federal prosecutors said he didn’t have a criminal record. He does now!

“Federal agents processing a renewal request for his passport discovered the alleged fraud. He was arrested Thursday after authorities searched his home and found documents confirming his true identity, officials said. The passport fraud case is similar to one involving a Mexican national who took the identity of a dead cousin who was a U.S. citizen in order to become a Milwaukee police officer in 2007.”

Crimes like this are possible because citizens have yet to be identified effectively and reliably. We are identified solely by paper documents and photographs, and our Social Security numbers are our primary identifying account numbers.

All an identity thief needs is your Social Security number, which they can use to apply for additional documentation and, eventually, a passport or driver’s license in your name. Once they begin this process they will also apply for credit under your name and, in most cases, ruin your credit history.

You will not know someone has obtained a passport or driver’s license under your name until there is a problem, unless perhaps a red flag pops up when renewing your identification. But by then, whoever has obtained identification in your name will probably have run up unpaid credit card bills in your name, too. That’s where identity theft protection comes in.

McAfee, the most trusted name in digital security, includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss illegal immigrant identity theft on Fox news. (Disclosures)

15 Social Media Security Tips

/in /by

1. Realize that you can become a victim at any time. Not a day goes by when we don’t hear about a new hack. With 55,000 new pieces of malware a day, security never sleeps.

2. Think before you post. Status updates, photos, and comments can reveal more about you than you intended to disclose. You could end up feeling like some silly politician as you struggle to explain yourself.

3. Nothing good comes from filling out a “25 Most Amazing Things About You” survey. Avoid publicly answering questionnaires with details like your middle name, as this is the type of information financial institutions may use to verify your identity.

4. Think twice about applications that request permission to access your data. You would be allowing an unknown party to send you email, post to your wall, and access your information at any time, regardless of whether you’re using the application.

5. Don’t click on short links that don’t clearly show the link location. Criminals often post phony links that claim to show who has been viewing your profile. Test unknown links at Siteadvisor.com by pasting the link into the “View a Site Report” form on the right-hand side of the page.

6. Beware of posts with subjects along the lines of, “LOL! Look at the video I found of you!”  When you click the link, you get a message saying that you need to upgrade your video player in order to see the clip, but when you attempt to download the “upgrade,” the malicious page will instead install malware that tracks and steals your data.

7. Be suspicious of anything that sounds unusual or feels odd. If one of your friends posts, “We’re stuck in Cambodia and need money,” it’s most likely a scam.

8. Understand your privacy settings. Select the most secure options and check periodically for changes that can open up your profile to the public.

9. Geolocation apps such as Foursquare share your exact location, which also lets criminals know that you aren’t home, so reconsider broadcasting that information.

10. Use an updated browser. Older browsers tend to have more security flaws.

11. Choose unique logins and passwords for each of the websites you use. I’m a big fan of password managers, which can create and store secure passwords for you.

12. Check the domain to be sure that you’re logging into a legitimate website. So if you’re visiting a Facebook page, look for the www.facebook.com address.

13. Be cautious of any message, post, or link you find on Facebook that looks at all suspicious or requires an additional login.

14. Make sure your security suite is up to date and includes antivirus, anti-spyware, anti-spam, a firewall, and a website safety advisor.

15. Invest in identity theft protection. Regardless of how careful you may be or any security systems you put in place, there is always a chance that you can be compromised in some way. It’s nice to have identity theft protection watching your back.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss social media scammers on CNN. (Disclosures)

 

McAfee Reports Most Malware Ever in Early 2011

/in /by

Malware refers to malicious software, which includes computer viruses and rootkits. McAfee recently released the McAfee Threats Report: First Quarter 2011. With six million unique samples of recorded malware, the first quarter of 2011 was the most active in malware history.

In February alone, approximately 2.75 million new malware samples were recorded.  Fake antivirus software had an active quarter as well, reaching its highest levels in more than a year, with 350,000 unique samples recorded in March.

Mobile malware is the new frontier of cybercrime.

Malware no longer affects just PCs. As Android devices have grown in popularity, the platform has solidified its position as the second most popular environment for mobile malware, behind Symbian OS, during the first three months of the year.

Cybercriminals often disguise malicious content by using popular “lures” to trick unsuspecting users. Spam promoting real or phony products was the most popular lure in most global regions. In Russia and South Korea, drug spam was the most popular, and in Australia and China, fake delivery status notifications were the spam of choice. So far this year, we’ve also seen a new trend of “banker” Trojans, malware that steal passwords and other data, using UPS, FedEx, USPS and the IRS as lures in their spam campaigns.

McAfee Labs saw significant spikes in malicious web content corresponding with major news events, such as the Japanese earthquake and tsunami, and major sporting events, with an average of 8,600 new bad sites per day. In the same vein, within the top 100 results of each of the daily top search terms, nearly 50% led to malicious sites, and on average contained more than two malicious links.

Protect yourself from these and other threats.

McAfee Wave locates, locks, or wipes your phone, and even restores your data when you trade it in for a new one. If necessary, you’ll be able to lock down your service remotely or wipe out important stored data to protect your privacy. You can back up your data directly or use the web to so remotely. You can access your data online from anywhere, or locate your missing phone and plot its location on a map. If it’s lost or stolen, SIM cards and phone calls can help get it back for you.

Invest in an identity protection service. There are times when you cannot withhold your Social Security number, but an identity protection service can monitor your personal and financial data. McAfee Identity Protection provides alerts if your information is misused, credit monitoring and unlimited credit checks, and if necessary, identity fraud resolution. (For more information, visit CounterIdentityTheft.com.)

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss mobile phone spyware on Good Morning America. (Disclosures)

 

Social Networking Security Awareness

/in /by

One in five online consumers has been a victim of cybercrime in the past two years. Social networking is a direct link to the problem. While social networks allow you to keep in touch with family and friends, there are issues to be concerned about.

Most concerns revolve around online reputation management, identity theft, or physical security issues. Social networking creates a risk of posting content that will be damaging to yourself, your profile being hacked or your credentials being compromised, or inviting burglars to your home by publicizing your whereabouts.

Facebook faces a security challenge that few companies, or even governments, have ever faced: protecting more than 500 million users of a service that is under constant attack. I’m a huge proponent of “personal responsibility,” and that means that you are ultimately responsible for protecting yourself.

Keep your guard up. Cybercriminals target Facebook frequently. Every time you click on a link, you should be aware of the risks.

Be careful about making personal information public. Sharing your mother’s name, your pet’s name, or your boyfriend’s name, for example, provides criminals with clues to guess your passwords.

Technology can help make social networking more secure. The most common threats to Facebook users are links to spam and malware sent from compromised accounts. Consumers must be sure to have an active security software subscription, and not to let it lapse.

Get a complimentary antivirus software subscription from McAfee. Simply “like” McAfee’s Facebook page, go to “McAfee 4 Free,” and choose your country from the dropdown menu to download a six-month subscription to McAfee’s AntiVirus Plus software. The software protects users’ PCs from online threats, viruses, spyware, other malware, and includes the award-winning SiteAdvisor website rating technology. After the six-month McAfee AntiVirus Plus subscription period, Facebook users may be eligible for special discount subscription pricing.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss hackers hacking social media on Fox Boston. (Disclosures)

15 Tips To Better Password Security

/in /by

Protect your information by creating a secure password that makes sense to you, but not to others.

Most people don’t realize there are a number of common techniques used to crack passwords and plenty more ways we make our accounts vulnerable due to simple and widely used passwords.

How to get hacked

Dictionary attacks: Avoid consecutive keyboard combinations— such as qwerty or asdfg. Don’t use dictionary words, slang terms, common misspellings, or words spelled backward. These cracks rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like John the Ripper or similar programs.

Cracking security questions: Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research. When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked.

Simple passwords: Don’t use personal information such as your name, age, birth date, child’s name, pet’s name, or favorite color/song, etc. When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “princess,” “qwerty,” and “abc123.”

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.

How to make them secure

  1. Make sure you use different passwords for each of your accounts.
  2. Be sure no one watches when you enter your password.
  3. Always log off if you leave your device and anyone is around—it only takes a moment for someone to steal or change the password.
  4. Use comprehensive security software and keep it up to date to avoid keyloggers (keystroke loggers) and other malware.
  5. Avoid entering passwords on computers you don’t control (like computers at an Internet café or library)—they may have malware that steals your passwords.
  6. Avoid entering passwords when using unsecured Wi-Fi connections (like at the airport or coffee shop)—hackers can intercept your passwords and data over this unsecured connection.
  7. Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.
  8. Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least one year.
  9. Do use at least eight characters of lowercase and uppercase letters, numbers, and symbols in your password. Remember, the more the merrier.

10. Strong passwords are easy to remember but hard to guess. Iam:)2b29! — This has 10 characters and says “I am happy to be 29!” I wish.

11. Use the keyboard as a palette to create shapes. %tgbHU8*- Follow that on the keyboard. It’s a V. The letter V starting with any of the top keys. To change these periodically, you can slide them across the keyboard. Use W if you are feeling all crazy.

12. Have fun with known short codes or sentences or phrases. 2B-or-Not_2b? —This one says “To be or not to be?”

13. It’s okay to write down your passwords, just keep them away from your computer and mixed in with other numbers and letters so it’s not apparent that it’s a password.

14. You can also write a “tip sheet” which will give you a clue to remember your password, but doesn’t actually contain your password on it. For example, in the example above, your “tip sheet” might read “To be, or not to be?”

15. Check your password strength. If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

 

How to Reset Your Gmail Password After Being Hacked

/in /by

I finally got one of those “I’m stuck in London” emails. My friend Kate’s Gmail account was hacked, and everyone on her contact list received an email from a hacker posing as Kate:

“Hi, Apologies, but I made a quick trip, to London,United Kingdom and got mugged, my bag, stolen from me with my passport and credit cards in it. The embassy is willing to help by authorizing me to fly without on a temporary identification, instead of a passport, I just have to pay for a ticket and settle Hotel bills. Unfortunately,I can’t have access to funds without my credit card, I’ve made contact with my bank but they need more time to come up with a new one. I was thinking of asking you to lend me some quick funds that Ican give back as soon as I get in. I really need to be on the next available flight back home. Get back to me so I can send you details on how to get money to me. You canreach me via email  or hotel’s desk phone, +44208359**** waiting for your response. Kate”

The hacker also created a replica of her Gmail address using Yahoo’s webmail service, and set Kate’s Gmail account to automatically forward all messages to the Yahoo address.

As soon as I received this email, I called Kate and left her a message letting her know she’d been hacked, and asked her to call me with an alternative email address.

Then I responded to the hacker:

“Kate I will help you. Where do I send money? Robert”

The hacker wrote back:

“Robert, Thanks for responding, I need about $2000, can you make a western union transfer to me? I will pay back once am home, let me know what you can do ASAP thanks.

See details needed for western union
Receiver: Kate [redacted]
City: London
United Kingdom

What you need to do, is take cash or a debit card to a western union agent location and request to make transfer to me in United Kingdom. You can get the address of a nearby WU agent from this website

You will email me the mtcn number for the transfer so I can receive the money here, I have an embassy issued identification, which I will use to get the money from WU Thanks Kate”

I wrote:

“Send me a picture. I want to see your pretty face! What did you see in your travels? Did you talk to Mum this week?”

The hacker responded:

“Did you send the money yet?”

I wrote:

“You didnt answer me.”

At this point, the hacker figured out what I was doing, and blew me off:

“Don’t bother, I no longer need your help”

It’s hard to scambait these guys because they’re much more aware of how scambaiting works. Plus, I’m not that good at it.

The hacker and I then got into an unproductive series of email exchanges calling each other nasty words.

When the real Kate called me back, I sent her this Google Help link explaining how to reset your password if you’ve been hacked. Google also offers help accessing a Gmail or Google Apps account that has been taken over by a hacker.

If you haven’t already created a secondary email address that can be used to recover an inaccessible Gmail account, do that now. (This feature isn’t currently available for Google Apps.)

Once Kate went through this process, she regained control of her account within minutes. But the criminal had deleted every single email, leaving her with nothing. He’s probably going through those messages now, searching for any useful personal information.

Kate then sent me an email, thanking me, and I noticed that the Yahoo email address was still being copied, meaning that the hacker was still seeing every email sent to Kate’s Gmail account. If you’ve been hacked, check your Gmail settings to make sure your messages aren’t being forwarded automatically.

With more than 11 million victims just last year identity theft is a serious concern.  McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft on YouTube. (Disclosures)

 

Spear Phishing Leaves a Bloody Wound

/in /by

Once criminal hackers get a person’s username and email address, they can begin to launch a targeted spear phish scam. Scammers copy the design of each breached entities outgoing email campaign and blast the breached list with “account update” or other ruses.

Gaming site Sega Pass was hacked. On the Sega Pass website it states, “we had identified that unauthorized entry was gained to our Sega Pass database.” Numerous outlets report hackers stole Sega Pass members’ email addresses, dates of birth, and encrypted passwords.

The recent Epsilon data breach resulted in a similar loss of data. Epsilon is a marketing company that sends over 40 billion emails a year, and keeps millions of consumer email addresses on file. When hackers breached Epsilon’s database, the email subscriber lists for over 100 major companies were compromised.

Consumers received breach notifications from financial institutions including Citigroup, Capital One, and JPMorgan Chase, and from hotels such as the Marriot and the Hilton.

All of these organizations customers are eternally susceptible to spear phish scams.

The Wall Street Journal reports that GlaxoSmithKline sent email notifications to consumers who had registered with any of GlaxoSmithKline’s websites for prescription or nonprescription drugs and products, warning that consumers’ names and email addresses had been hacked, and that the stolen data may have included the specific product websites where consumers registered.

GlaxoSmithKline provides medications that help victims of HIV and mental health disorders. The possibility of the stolen data being used to target the ill with spear phishing attacks is a major concern.

These kinds of breaches will have long-lasting effects on the public.

Never disclose personal information or login credentials in response to an unsolicited email. Never click links in an unsolicited email. Instead, use your bookmarks menu or type the address into your browser’s address bar. If your email address has been compromised, consider switching to a new address. Create new, unique passwords, without repeating the same password for multiple accounts.

With more than 11 million victims just last year identity theft is a serious concern.  McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)

Security Threat Concerns ATM Industry

/in /by

Today, there are over 2.2 million ATMs worldwide, and by 2015 there will be around 3 million. ATM skimming accounts for as much as 30% of all data theft. That’s about $350,000 in fraud every day in the United States alone, or more than a billion dollars a year.

The ATM Industry Association is now attempting to address the security threat posed by decommissioned ATMs, urging ATM deployers to exercise more caution when discarding old machines.

This is partially in response to recent media reports about criminals who hunt for discarded ATMs in junkyards. Old ATMs sometimes contain stored card data. Criminals can study a discarded ATM’s security features in order to improve their own skimming techniques. The faces of old ATMs can also be used to mold plastic covers for skimming devices.

In some cases, used ATMs are purchased on eBay or Craigslist, then installed anywhere with ample foot traffic. These machines, which may be powered by car batteries or simply plugged into the nearest outlet, are programmed to read and copy credit card data. I was able to find a used ATM on Craigslist, which I bought from a guy at a bar for $750.

Protect yourself from ATM skimming by checking your credit and debit card statements online at least once every two weeks, and refuting any unauthorized transactions within 30 or 60 days.

When using an ATM, pay close attention to the appearance and behavior of the machine. Look for red flags like wires, tape, unusual features, or anything that seems out of place. Try to avoid using generic ATMs in less secure locations. Whenever possible, choose an ATM at a more trustworthy and secure location, but do not drop your guard simply because an ATM is located in a bank. And when entering your PIN, use your other hand to cover the keypad.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss ATM skimming on Fox Boston. (Disclosures)

Judge Says Its OK to Post Social Security Numbers Online

/in /by

B.J. Ostergren is a proud Virginian. She’s known as “The Virginia Watchdog,” but I like to call her “The Pit Bull of Personal Privacy.” She is relentless in her efforts to protect citizens’ privacy, and her primary concern is the posting of personal information online. To make this point, she finds politicians’ personal information, usually Social Security numbers, on their own states’ websites, and republishes that information online.

Publicly appointed government employees known as Clerks of Courts, County Clerks, or Registrars are responsible for handling and managing public records, including birth, death, marriage, court, property, and business filings for municipalities. Every state, city, and town has its own set of regulations determining how data is collected and made available to the public.

The Privacy Act of 1974 is a federal law that establishes a code of fair information practices governing the collection, maintenance, use, and dissemination of personally identifiable information maintained in systems of records by federal agencies.

Over the years, many have interpreted this law to allow public information, including Social Security numbers, to be posted online. I’ve seen Social Security numbers for Jeb Bush, Colin Powell, former CIA Director Porter Goss, Troy Aiken, and Donald Trump, all published on the Internet.

Ostergren so embarrassed the Virginia lawmakers that they passed a law known by some as the “anti-B.J. law,” prohibiting her from doing what public officials have been doing for years.

United States District Court Judge Robert E. Payne signed an order overturning the anti-B.J. law, ruling that privacy advocate B.J. Ostergren may post public records that contain Social Security Numbers on her website, despite a 2008 Virginia law prohibiting the dissemination of such information.

While two wrongs generally don’t make a right, one has to see the irony in this case. And if Ostergren’s actions create awareness that ultimately leads to all Social Security numbers being redacted, then this wrong is right.

With more than 11 million victims just last year identity theft is a serious concern.  McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

 

Data Breaches Up, Lost Records Down

/in /by

According to a recent report from Verizon, data breaches are on the rise. There were 760 data breaches recorded in 2010, compared to 140 breaches in 2009. However, there were approximately four million records stolen in 2010, as opposed to 144 million stolen in 2009.

This means there were fewer large-scale data breaches compromised of multimillions of records, and many more data breaches that compromised fewer records at a time.

Criminals have shifted their focus away from large corporations that have implemented multilayered security measures to protect mass amounts of data, and are now targeting smaller companies with smaller databases, who have yet to implement strong security measures.

Verizon’s study further shows that in 2010, 92% of data breaches were external hack attacks, a 22% increase from 2009. Nearly 80% of the stolen data was accessed via malware that gave attackers back door computer access.

This shift from bigger to smaller breaches may also indicate that hackers are realizing that big breaches get more attention, and therefore increase their chances of being caught. Furthermore, a breach of 100 million credit card numbers might be discovered quickly, and all those credit numbers would immediately be cancelled. A breach of just 10,000 credit card numbers would be more likely to stay under the radar, meaning those cards would remain active for longer.

There are now multiple breach lists, and not all define a data breach the same way. According to the Identity Theft Resource Center, there were at least 662 data breaches in 2010, which exposed more than 16 million records. Nearly two-thirds of breaches exposed Social Security numbers, and 26% involved credit or debit card data.

The ITRC elaborated, “Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events that occur. It is clear that without a mandatory national reporting requirement, many data breaches will continue to be unreported, or under-reported.”

Identity theft can happen to anyone. McAfee Identity Protection, offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first and provides live access to fraud resolution agents who work with the victim to help restore their identity even from past theft events. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft on YouTube. (Disclosures)