7 Types of Hacker Motivations

There are good and bad hackers. Here is a window into what they do and why:

White Hat Hackers: These are the good guys, computer security experts who specialize in penetration testing and other methodologies to ensure that a company’s information systems are secure. These IT security professionals rely on a constantly evolving arsenal of technology to battle hackers.

Black Hat Hackers: These are the bad guys, who are typically referred to as just plain hackers. The term is often used specifically for hackers who break into networks or computers, or create computer viruses. Black hat hackers continue to technologically outpace white hats. They often manage to find the path of least resistance, whether due to human error or laziness, or with a new type of attack. Hacking purists often use the term “crackers” to refer to black hat hackers. Black hats’ motivation is generally to get paid.

Script Kiddies: This is a derogatory term for black hat hackers who use borrowed programs to attack networks and deface websites in an attempt to make names for themselves.

Hacktivists: Some hacker activists are motivated by politics or religion, while others may wish to expose wrongdoing, or exact revenge, or simply harass their target for their own entertainment.

State Sponsored Hackers: Governments around the globe realize that it serves their military objectives to be well positioned online. The saying used to be, “He who controls the seas controls the world,” and then it was, “He who controls the air controls the world.” Now it’s all about controlling cyberspace. State sponsored hackers have limitless time and funding to target civilians, corporations, and governments.

Spy Hackers: Corporations hire hackers to infiltrate the competition and steal trade secrets. They may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use tactics similar to those of hacktivists, but their only agenda is to serve their client’s goals and get paid.

Cyber Terrorists: These hackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals. Cyber terrorists’ ultimate motivation is to spread fear and terror and to commit murder.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing another data breach on Good Morning America.

Tsunami Scam Warnings Keep Coming In

In light of the earthquake and tsunami in Japan, and the subsequent tsunami warnings in Hawaii and on the US West Coast, McAfee is warning consumers about a number of online scams that have appeared within hours of these devastating events.

Sadly, scammers seem to come out of the woodwork during a natural disaster to catch consumers when they’re in a panic, looking for answers, and when they’re most vulnerable.  People should not click on links or respond to phishing e-mails for relief donations that ask for credit card numbers or other personal information.  In addition, be wary of tiny URLs on social media services and posts on social networking sites. Hundreds of domains that could be related to the disaster have been registered so far today, including a scam site that appeared within just two hours of the earthquake.

Follow these guidelines to ensure that donations to victim relief efforts are sent through legitimate sites:

.Org domains are cheap.  Registering does not indicate charitable status in any way.  Verify that the organization is actually a registered charity by typing the URL directly into a web browser.

Donation solicitations that arrive by unsolicited email, especially those sounding overly urgent or desperate, are very likely to be scams.

Be aware that donation requests made via advertising banners can also be scams.

If you’d like to help, support one of the major international organizations that have a “most in need” fund such as the Red Cross.

Washington Man Steals Over 1000 Identities

While we often hear about international criminal hackers compromising databases and stealing credit card information, identity theft is often committed locally, by someone with access to sensitive paperwork.

In one such case, a suspected identity thief was recently arrested in Washington, after driver’s licenses, credit cards, and Social Security numbers were stolen from more than a thousand victims across the state.

Detectives believe the documents were stolen from cars and homes and used to open fraudulent bank accounts in victims’ names. Seized evidence includes bags of driver’s licenses, credit cards, credit card swipers, Social Security cards, and a list of thousands of names and Social Security numbers. It is difficult to estimate the total financial loss as the investigation is still underway, but so far the number is into the high thousands, and sure to increase.

According to court documents, the suspect admits being involved in identity theft in order to support his drug habit.

It is important to observe basic security precautions to protect your identity, like using a locked mailbox and checking your online statements often. But while you can store paperwork containing personal information in a locked safe and refrain from keeping sensitive documents in your car, there’s little you can do to ensure the safety of your personal information when it’s stored by corporations and government agencies.

Consumers should consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on their accounts. McAfee Identity Protection includes all these features, as well as immediate assistance from fraud resolution agents if your identity is ever compromised. For additional tips, visit CounterIdentityTheft.com.

Banks Need You To Be Responsibly Secure

Our culture deemphasizes individual responsibility. In my mind, life begins when you begin taking responsibility for everything in your life. Personal security is fundamentally your own responsibility and, while you may not be responsible for a crime happening to you, you are the one in the best position to prevent it.

In the last decade, as much as 80% of all banking has taken place online, a major change after hundreds of years of traditional banking. Online banking is all about convenience. It has become apparent that these conveniences of technology have outpaced consumers’ security intelligence. It is possible to secure systems in a way that will defeat most online criminal activity, but that level of security comes with inconveniences that the consumer may not be equipped to handle.

Doug Johnson, the American Bankers Association VP of risk-management policy, explains, “The banking industry wants consumers to monitor their online accounts for unauthorized transactions on a continuous, almost daily, basis. That’s because PCs and smartphones have become the online bank branch for a lot of individuals. The customer needs to really recognize that security is most effective when they work in partnership with their financial institution.”

While banks are fighting their own battles to combat fraud and account takeover, it is imperative that the banks’ customers adhere to security fundamentals.

  • Set your computer’s operating system to update critical security patches automatically.
  • Make sure your firewall is turned on and protecting traffic from both directions.
  • Always run antivirus software, and set it to update virus definitions automatically.
  • Use a protected wireless network.
  • Never click links within the body of an email. Instead, go to your favorites menu or type the address into the address bar.
  • Check your online bank statements frequently.

Tax Related Identity Theft Scams Up 300%

Cases of stolen tax returns have surged over the past five years, leaving many identity theft victims struggling to recoup their lost refunds.

Approximately 155 million tax forms are filed annually. This provides identity thieves with an opportunity to come out of the woodwork and steal from Americans who are just trying to pay their taxes correctly.

A recent Scripps Howard News Service investigation analyzed more than 1.4 million ID theft records from the U.S. Federal Trade Commission from 2005 through early 2010.  In it they found that fraud complaints about stolen tax return-related identity theft jumped from 11,010 complaints in 2005 to 33,774 in 2009.  That’s nearly 300 percent.

Thieves may steal victims’ refunds, trick them into disclosing Social Security or credit card numbers, or even pose as the IRS. Below is more information for those common and lesser-known tax scams to watch out for.

Employment Identity Theft Scams: If you ever receive documentation in the mail indicating earned income that you are not aware of, it may mean that someone else has used your Social Security number to gain employment.

Account Takeover Scams: If, when filing your tax return, you receive a letter from the IRS saying that you have already filed, it is likely that someone else has filed a fraudulent return on your behalf, in order to steal your refund.

Tax Preparer Scams: In an old scam that’s still in play, tax preparers tell clients they must pay back stimulus payments, and then pocket the money. Ads are also placed by scammers posing as accountants to get your returns. Make sure you do research and choose your tax preparer wisely.

Late Payment Scam: As people fall behind on their taxes, lists are created and printed in the local paper as public record. Thieves can use these lists to call unsuspecting people and pose as collectors.

Internet Phishing Scams: The IRS doesn’t send emails. Phony IRS emails that try to lure taxpayers into giving out personal information are a common scam. The messages are generally intended to convince recipients to provide personal or financial information that enables the perpetrators to commit credit card or bank fraud, or other forms of identity theft. Unless you are actively engaged in dialogue with an IRS agent, do not respond to emails or phone calls supposedly coming from the IRS.

IRS Scams: If a scammer posing as an IRS agent ever contacts you, they may already have some of your personal information, which they can use to try to convince you that they are actually from the IRS. This data could come from public records or even your trash. The scammer will often put pressure on you to comply with their request, or even offer you a tax refund.

Here are some suggestions to protect yourself and make sure that you get your return:

1. Protect yourself by filing early. It seems crazy to think that someone would fraudulently file taxes in your name, but it’s being done. Once they find a few W2s or other tax-related documents, they can file in your name and claim your refund before you’ve even begun the process. File before they do.

2. Secure your mail with a locking mailbox. Mail is stolen every day, and tax forms tend to include Social Security numbers, making them especially valuable to a thief. Don’t send out your tax return by sticking it in your home mailbox. Instead, take it to the post office or use a big blue post office drop box.

3. Protect your PC. Whether or not you file online, securing your PCs is essential. Make sure you have updated antivirus software, a two-way firewall, that you run spyware removal software regularly, and that your wireless Internet connection is protected with a network key.

If you are ever a victim of a scam involving the IRS, you may be disappointed by the way it is handled by government agencies. They simply don’t allocate the resources to fix this problem proactively, nor are they adept at responding once it has occurred. The biggest issue is the thief’s privacy. Even if you think you know who is responsible, neither the IRS nor any other government agency will release that information. All you can do is follow the IRS’s instructions for resolving the issue. Be patient, as rectifying it may take many hours, days, or weeks. If you subscribe to an identity theft protection service, a fraud resolution agent may be able to help.

When a Good Guy Steals Your Identity

Chris Roberts is a hacker. But not a black hat hacker, like the bad guys you may associate with the term. He’s a white hat hacker, or an ethical hacker, and no, that isn’t an oxymoron. Chris is the kind of guy you definitely want on your team, because if he weren’t, he’d be your worst nightmare.

I had the opportunity to meet up with him at the McAfee Focus 2010 event. His appearance fits the hacker stereotype: he’s tall and lanky, with a Viking beard and, I’m pretty sure, some tattoos. And he carries around a bag of tricks that could probably take down the Pentagon. He’s got every sort of gadget that could be used to sniff, spy, and hack.

Companies hire Chris to determine what their weaknesses are, and how vulnerable they are to a potential attack.

NetworkWorld profiled Chris, and, in the article, he brought attention to the fact that many people assume they won’t be targeted by identity thieves because they don’t have money, or status, or even good credit:

“So many people look at themselves or the companies they work for and think… Why would somebody want something from me? I don’t have any money or anything anyone would want… While you may not, if I can assume your identity, you can pay my bills. Or I can commit crimes in your name. I always try to get people to understand that no matter who the heck you are, or who you represent, you have a value to a criminal.”

No kidding.

Your Social Security number, which represents your total identity, is always valuable to a criminal. Because our system lacks full accountability when it comes to identification, anyone can use your data to pose as you.

Until the day comes, if it ever does, that we are effectively identified and authenticated, we will always be vulnerable to imposter fraud and identity theft.

Identity theft can happen to anyone. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first and provides live access to fraud resolution agents. For additional tips, visit CounterIdentityTheft.com.

A Good Decade for Cybercrime

Cybercrime is one of the most successful and lucrative industries of our time, growing by double digits year after year. Over the last decade, cyber crooks have developed new and sophisticated ways to prey on an explosion of Internet users, with little danger of being caught. Meanwhile, consumers face greater risks to their money and information each year.

A few famous exploits illustrate different eras of cybercrime:

“I Love You” worm’s false affection: $15 billion estimated damage

Emails with the subject line “I love you” proved irresistible in 2000. Millions of users downloaded the attached file, which was supposedly a love letter but was actually a virus. This infamous worm cost companies and government agencies $15 billion.

MyDoom’s mass infection: $38 billion estimated damage

This fast-moving worm, which first struck in 2004, tops McAfee’s list in terms of monetary damage. It delivered enough spam to slow global Internet access by 10% and reduce access to some websites by 50%, costing billions of dollars in lost productivity and online sales.

Conficker’s stealthy destruction: $9.1 billion estimated damage

This 2008 worm infected millions of computers. It went a step further than the other two worms on our list, downloading and installing a variety of malware that gave hackers remote control over victims’ PCs.

Some of the most common and nefarious scams include:

Fake antivirus software

Selling fake antivirus software is one of the most insidious and successful scams in recent years. Cyber criminals play on users’ fears that their computers and information are at risk, displaying misleading pop-ups that prompt the victim to purchase antivirus software to fix the problem. When victims enter their credit card information, it is stolen and, instead of security software, they wind up downloading malware.

Phishing scams

Phishing, or trying to trick users into giving up personal information, is one of the most common and persistent online threats. Phishing messages can come in the form of spam emails, spam instant messages, fake friend requests, or social networking posts.

Phony websites

In recent years, cyber crooks have become adept at creating fake websites that look like the real deal. From phony online banking to auction sites and e-commerce pages, hackers lay traps in the hopes that you will be fooled into entering your credit card number or personal information.

For your own peace of mind, consider subscribing to an identity theft protection service such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, alerts when suspicious activity is detected on your accounts, and access to fraud resolution agents. For additional tips, visit CounterIdentityTheft.com.

Social Security Numbers Easily Cracked

It is easier than ever to guess or predict an individual’s Social Security number, which puts us all at a greater risk for identity theft.

Researchers at Carnegie Mellon University have developed a reliable method for predicting Social Security numbers, using information from social networking sites, data brokers, voter registration lists, online white pages, and the publicly available Social Security Administration’s Death Master File.

Originally, the first three numbers on a Social Security card represented the state in which a person had initially applied for their card. Numbers started in the northeast and moved westward. This meant that people born on the East Coast were assigned the lowest numbers and those born on the West Coast were assigned the highest numbers. Before 1986, people were rarely assigned a Social Security number until age 14 or so, since the numbers were used for income tracking purposes.

The Carnegie Mellon researchers were able to guess the first five digits of a Social Security number on their first attempt for 44% of people born after 1988. For those in less populated states, the researchers had a 90% success rate. In fewer than 1,000 attempts, the researchers could identify a complete Social Security number, “making SSNs akin to 3-digit financial PINs.” The researchers concluded, “Unless mitigating strategies are implemented, the predictability of SSNs exposes people born after 1988 to risks of identity theft on mass scales.”

While the researchers’ work is certainly an accomplishment, the potential to predict Social Security numbers is the least of our problems. Social Security numbers can be found in unprotected file cabinets and databases in thousands of government offices, corporations, and educational institutions.

The problem stems from the fact that our existing system of identification is seriously outdated. We rely on nine digits as a primary identifier, the key to the kingdom, despite the fact that our Social Security numbers have no physical relationship to who we actually are. This problem can only be remedied by incorporating multiple levels of authentication into our identification process.

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Visit CounterIdentityTheft.com to educate and protect yourself.

Government Moves Away from SSN as Identifier

The Department of Defense proclaims, “The national security depends on our defense installations and facilities being in the right place, at the right time, with the right qualities and capacities to protect our national resources.” But by relying on Social Security numbers as primary identifiers, this same organization puts the identities of soldiers and their families at risk.

Last month, four West Point professors released a journal article arguing, “Despite the Defense Department’s recent advances in protecting personally identifiable information (PII) such as Social Security numbers, the military continues to have a ‘cultural disregard’ for PII.” The professors also pointed out that since the first digits of a Social Security number can be deduced based on birth year and location, restricting use to the last four digits does not adequately preclude identity theft.

In 2007, an Office of Management and Budget memo ordered agencies to eliminate all nonessential uses of Social Security numbers, and the Department of Defense is currently working on limiting its use of the numbers.

If you are a soldier or have a family member away on leave, there are two ways to protect yourself or your family member:

1. Place an “active duty alert” on your credit report. To place or remove an active duty alert, call all three nationwide consumer reporting companies: Equifax, Experian, and TransUnion. Each will require proof of the soldier’s identity, which may include their Social Security number, name, address, and other personal information.

Equifax: 1-800-525-6285

Experian: 1-888-397-3742

TransUnion: 1-800-680-7289

2. Whether or not you are a member of the military, consider subscribing to an identity theft protection service, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, visit CounterIdentityTheft.com.

Criminal Hackers Responsible For Most Data Breaches

According to the Identity Theft Resource Center, there were at least 662 data breaches in 2010, which exposed more than 16 million records. Nearly two-thirds of breaches exposed Social Security numbers, and 26% involved credit or debit card data.

The ITRC elaborated, “Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events that occur. It is clear that without a mandatory national reporting requirement, many data breaches will continue to be unreported, or under-reported.”

The majority of these attacks were malicious hacks or insider theft, rather than the result of employee errors. InformationWeek reports, “Some states, but not all, have data breach notification laws, which require any organization that suffers a breach to notify that state’s affected residents. Interestingly, the ITRC found that information about 29% of the 662 reported breaches for 2010 could be credited to authorities in those states.”

The Privacy Rights Clearinghouse’s Chronology of Data Breaches found that more than 500 million sensitive records have been breached in the past five years. Examples of incidents in which personal data is compromised, lost, or stolen include “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

Cases of identity theft are skyrocketing, and 32% of all identity theft victims had their Social Security numbers compromised.

Now more than ever, criminal hackers are hacking into databases that contain Social Security numbers and using those numbers to open new financial accounts, or to obtain credit cards, mobile phones, or even bank loans. Some victims have had their mortgages refinanced and their equity stripped.

To protect yourself from a similar fate, you can:

1. Refuse to provide your Social Security number.

2. Invest in an identity protection service. There are times when you cannot withhold your Social Security number, but an identity protection service can monitor your personal and financial data. McAfee Identity Protection provides alerts if your information is misused, credit monitoring and unlimited credit checks, and if necessary, identity fraud resolution. (For more information, visit CounterIdentityTheft.com.)

3. Protect your PC. McAfee Total Protection software provides the most effective protection of the data stored on your computer against virus, online, and network threats.
