Researcher Proves Your Friend Isn’t Your Friend

I’ve said numerous times that there’s too much trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. Apparently, they see no reason to distrust. Generally, your “friends” are people who you “know, like and trust.” In this world, your guard is as down as it will ever be. You can be in the safety of your own home or office, hanging with people from all over the world, in big cities and little towns, and never feel that you have to watch your back.

Computerworld reports, “Hundreds of people in the information security, military and intelligence fields recently found themselves with egg on their faces after sharing personal information with a fictitious Navy cyberthreat analyst named ‘Robin Sage,’ whose profile on prominent social networking sites was created by a security researcher to illustrate the risks of social networking.”

Apparently, one of the easiest ways to gain acceptance as a trusted colleague is to be an attractive woman. I recently wrote about “Sandra Appiah,” a curvy lady who sent me a friend request. She had already friended two of my buddies, who accepted because they already had two friends in common. She had posted questionable photos of herself. Red flag? But my buds didn’t seem to see it the way I did.

The security researcher set up profiles on Facebook, LinkedIn and Twitter. “Then he established connections with some 300 men and women from the U.S. military, intelligence agencies, information security companies and government contractors.”

Steve Stasiukonis, another ethical hacker, took it to the next level. He used a similar technique and, with permission, infiltrated a company’s network to test their security. By creating a group on Facebook, he was able to access employees’ profiles.

He set up his own employee persona with a fake company badge, business cards, a shirt embroidered with the company logo, and a laptop. “Upon entering the building, he was immediately greeted by reception. Then displayed fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within seconds, he was provided a place to sit, connection to the Internet, and a 24×7 card access key to the building.”

Social media can and is being used as a smokescreen. The idea behind social media is that we are social creatures that thrive in community and want to connect. The problem is that this ideal is based on the mindset that we are all sheep and there are no wolves.

When mama told you not to talk to strangers, there was wisdom in that advice. When you friend people who you don’t know, you are friending a stranger and going against mom’s advice.

Robert Siciliano, personal security and identity theft expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)

10 Ways to Prevent Social Media Scams

The trouble with social media revolves around identity theft, brand hijacking and privacy issues. The opportunity social media creates for criminals is to “friend” their potential victims in order to create a false sense of trust and use that against their victims in phishing or other scams.

It was big news when someone had their Facebook account jacked by someone who impersonated the victim, claiming to have lost their wallet in the UK and begging for a money wire. Now it’s old news, but it’s still happening.

  • Register your full name and those of your spouse and kids on the most trafficked social media sites. If your name is already gone, include your middle initial, a period or a hyphen. You can do this manually or by using a very cost-effective service called Knowem.com.
  • Get free alerts. Set up Google alerts for your name and your kids’ names and get an email every time a name pops up online. You want to see if someone is talking about you or using your name.
  • Discuss social media with your kids. Make sure they aren’t providing their “friends” with personal information that would compromise their security or your family’s.
  • Monitor what they do online. Don’t sit in the dark hoping they are acting appropriately online. Be prepared to not like what you see.
  • Maintain updated security. Whether hardware or software, anti-virus or critical security patches, make sure you are up to date.
  • Lock down settings. Most social networks have privacy settings that need to be administered to the highest level.
  • Always delete emails you receive in social media from those who you don’t know. I’m messaged all the time by scammers and I’m sure you are too.
  • Don’t enter all the “25 most amazing things about you” or whatever other games that extract your personal information. Nothing good can come from that.
  • Always log off social media sites when you walk away from the PC. If you are ever at someone else’s home or on a public PC, this habit will save lots of aggravation. My sister-in-law, a Boston Bruins fan, left her Facebook open on the family PC. I changed her Facebook picture to the Philly Flyers and wrote Go Phillys! as her status. Bruins lost that night. I blame her.
  • Do not activate geolocation services that tell the world your every move. Nothing good can come out of allowing anyone in the world to stalk your every move.

Robert Siciliano personal security expert to Home Security Source discussing Facebook Jacking on CNN. Disclosures.

Study Shows Tweens and Teens are Clueless About Privacy

The Secret Online Lives of Teens, a survey conducted by McAfee, reveals that tweens and teens are relatively clueless about online privacy. The study sheds light on this generation’s tendency to use the Internet in ways that translate to danger in the real world.

The fundamental problem is their belief that privacy is unimportant or irrelevant, which stems from their lack of understanding of what privacy actually entails. Most alarming is the extent to which they are willing to share certain types of information online, information which is often visible to complete strangers. In doing so, they make themselves easy targets for data mining by adults whose reasons are not always well intended.

While most adults are not predators or pedophiles, there are certainly many of them out there who prey upon the young and naïve. Statistics show there are as many as half a million registered sex offenders in the U.S. alone. And many more simply haven’t been caught yet.

There always has been, is, and always will be a predatory element out there. Generally, most people don’t want to think about that or even admit that it’s true. Instead of acknowledging the risks, most people completely discount this reality, telling themselves, “It can’t happen to me or my kids.”

The Last Watchdog sums up the study as follows:

“McAfee commissioned Harris Interactive to query 955 American teens, including 593 aged 13-15 and 362 aged 16-17. Survey responses were weighted for age, gender, ethnicity and other variables. The McAfee/Harris poll found:

  • 69 percent of teens divulged their physical location
  • 28 percent chatted with strangers

Of those teens who chatted with strangers, defined as people whom they did not know in the offline world:

  • 43 percent shared their first name
  • 24 percent shared their email address
  • 18 percent post photos of themselves
  • 12 percent post their cell phone number

What’s more, girls make themselves targets more often than boys: 32% of the girl respondents indicated they chat with strangers online vs. 24% of boy respondents.”

It’s not just tweens who don’t understand that they’re living in a fishbowl. Young adults and parents are equally clueless. Channel 4 News in Jacksonville exposed a Florida mother who took a picture of her 11-month-old son with his mouth over a pot bong and posted it on Facebook. The mom’s behavior was obviously reckless, but what she and many don’t understand is that anything digital is repeatable.

Many now blame social networks for the erosion of whatever privacy we once had. Social networking sites aren’t inherently bad, but they are self-serving entities, promoting transparency that ultimately leads to marketing and advertising dollars. For them it’s all about profit, and it’s to their advantage to gather as much information about you as possible, which allows them to fine-tune their offerings to advertisers.

My belief that people need to “live consciously,” making informed decisions about and ultimately taking responsibility for themselves, makes it difficult for me to blame anyone but users themselves for their lack of security. But I know the reality is that people are easily led, easily bamboozled, and they need to be told what to do and what not to do.

Studies like this bring much needed attention to these issues, hopefully raising awareness for teens and their parents. As a parent, I am as laser focused on the media my children consume, in all its forms, as I am on any food they eat. No responsible parent would allow their child to eat spoiled food, because they understand why it’s bad, but those same parents may allow their children to roam freely online without supervision. This is mainly because the parents don’t understand the risks.

When a quarter to a third of teens are revealing all their information to total strangers, it should give society pause. Understand that as this trend continues, more and more kids will be blindsided when they are solicited by adults who, with an additional twenty or more years of life experience, know how to con a kid.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)

Reality Actor Jailed Six Months For Burglarizing Orlando Bloom’s Home

Orlando Bloom’s break-in is one of several robberies linked to Hollywood’s “Bling Ring,” a teenage gang of celebrity-obsessed wannabes who allegedly stole from Paris Hilton, Lindsay Lohan, Megan Fox and others.

Their methods were simple. They tracked their victims by using social media, Facebook and Twitter. They knew when they were home and when they were away. They even used Google Earth to scope out their homes.

Police estimated that from October 2008 to August 2009, the “Bling Ring” stole more than $3 million in jewelry and high-end designer brands.

A star of the E! show “Pretty Wild” about growing up in the fast lane, the young woman was caught on security tape as she broke into Bloom’s house last summer with two other hooded females. “The women ransacked the house and made off with more than $500,000 in watches, cash and other booty, authorities said. Bloom collects rare watches, and his prized Rolex Milgauss from the 1950s is worth $250,000 alone, according to a Manhattan-based watch dealer.”

It’s painfully obvious that the victims in these crimes didn’t do enough to protect themselves. Some locked their doors and others didn’t. Some had security cameras and others didn’t. But NONE had a home alarm system that activated when the home was broken into. A home alarm system would have prevented most of these crimes.

Bloom had security cameras, and my guess is he has an alarm but chose not to set it. I can’t imagine having a net worth like he does and not having sufficient security. My insurance company requires me to have a monitored alarm system along with a safe in order to protect certain insured items. Without these systems in place, a homeowner may never recover their losses.
Robert Siciliano personal security expert to Home Security Source discussing burglar proofing your home on Fox Boston.

Parents Navigating the Social Media Mess

Robert Siciliano Identity Theft Expert

Children say and do things that make them vulnerable to dangers in the outside world. A parent can parent all day long and do everything possible to protect their kids from themselves, but a child’s persistence to have their way can wear a parent down. It’s a constant fight that makes a parent adopt a philosophy where they “pick their battles.”

Growing up, it wasn’t all that uncommon for a parent to spank their kids to teach them a lesson. I experienced the occasional “windmill” from my father that set me straight more than once. And I’m thankful for it. By all accounts, if you add up the number of risks I took and how many times the speedometer redlined and all the stupid things I did, I really shouldn’t be writing this. If a cat has nine lives I have 999,999,999,999. I think that’s trillion.

At one point political correctness crept into our culture and the fear of a child calling the Department of Social Services (DSS) on their parents because of a deserved fanny smack sent a cold chill down every parent’s spine. I’m certainly not saying it’s OK to beat your kids, or cage them for that matter. And when a child has zero fear of a parent, they tend to walk all over them. It’s in their nature to manipulate until they get their way. I’m just sayin.

A 16-year-old ungrateful, self-righteous teen has filed charges against his mother for making entries on his Facebook page. The kid further filed a no-contact order against his mother. The mother apparently took over his Facebook account after she noticed some reckless behavior.

She was quoted saying “I read things on his Facebook about how he had gone to Hot Springs one night and was driving 95 m.p.h. home because he was upset with a girl and it was his friend that called me and told me about all this that prompted me to even actually start really going through his Facebook to see what was going on.”

What mother wouldn’t be concerned? Hey kid, the day you deliver anything in excess of 10 pounds out of an orifice on your body, then you can have a say. I hope you have kids just like you.

I think my head is going to explode.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Breach of 3.3 million Social Security numbers on Good Morning America

Self-revelation Can Help Assemble a Social Security Number

I am not done, nor will I ever be done, sounding that alarm, ringing that bell and informing you about how ridiculous social media is. I was asked in a radio interview today what it will take to get people to recognize they are sharing too much data. In a word, tragedy. When a home is broken into, they install a home security alarm. When someone is mugged, they take a self-defense course. When planes fly into buildings, we get frisked. Being smart is understanding risk and being proactive.

Most people are smart enough to NOT give out a Social Security number on Facebook. However, between what you say and what your family, friends and colleagues say and post, your profile is becoming more complete every minute. Even your mom or wife posts her name as “First Maiden Last” because she saw someone else do it and it made sense to allow her old friends/flames to find her.

But today, with all this personal information readily available, there are now rumblings from academia that they have cracked the code and have assembled technologies to decipher all this information and turn it into hard data that can be used to open new accounts in your name.

The New York Times reports, “computer scientists and policy experts say that such seemingly innocuous bits of self-revelation can increasingly be collected and reassembled by computers to help create a picture of a person’s identity, sometimes down to the Social Security number. So far, this type of powerful data mining, which relies on sophisticated statistical correlations, is mostly in the realm of university researchers, not identity thieves and marketers.”

SearchSecurity.com reports that researchers at Carnegie Mellon University have developed a reliable method to predict Social Security numbers using information from social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration’s Death Master File.

Originally, the first three numbers on a Social Security card represented the state in which a person had initially applied for their card. Numbers started in the northeast and moved westward. This meant that people on the east coast had the lowest numbers and those on the west coast had the highest. Before 1986, people were rarely assigned a Social Security number until age 14 or so, since the numbers were used for income tracking purposes.

From this point on I’d suggest locking down social media profiles in a way that they are not publicly accessible. Prevent anyone (except those very close to you) from seeing and reading everything about your daily activities, who you associate with and all the names and contact information of all your friends and family.

Robert Siciliano personal security expert to Home Security Source discussing cracking the code and wireless security on Fox Boston.

Facebook Newest Portal for Social Media Identity Theft

Robert Siciliano Identity Theft Expert

Imagine trying to log into your online accounts one after the other and being locked out. At first you think the site you are visiting screwed up, but then it keeps happening over and over again no matter where you go. Then you start receiving messages from friends and family asking you why you are behaving so freakishly online.

This is what happened to Matasha Allen, as described in Eastern Michigan University’s Eastern Echo.

“Allen, 28, was a substitute teacher at the time, teaching music as well as elementary classes. Her only outlet to the Internet was limited to libraries and public computer labs, where she would check her accounts, look through e-mail and stay in touch with friends on Facebook. It was during one of these trips to the computers that it happened, Allen deduced. She thinks her Facebook account wasn’t completely logged off, or the computer didn’t log out. However it happened, someone found their way onto Allen’s accounts and took complete control.

“Social media is built on the honor system. There are no checks and balances to prove who is who. Anyone can pose as you and blog as you. This makes for social media identity theft,” said Robert Siciliano, a security consultant for Intelius.com and a speaker on preventing identity theft.

“The problem with social media identity theft is that when it takes over your account, all the people that you communicate with within your account may believe the identity thief is you. And when that identity thief begins to ask for money, from your friends and from your family and your coworkers, then they may actually pull money out of their pocket and send it via Western Union to the imposter. They think that you’ve actually come into the trouble that the identity thief is saying you’re in.”

In Allen’s case, her identity theft didn’t escalate to the thief asking for money from friends, but the thief was malicious. Messages were sent to friends and family, using profanity and insults. One of the incidents Allen related was toward an organization focusing on eliminating poverty in children. The identity thief sent the organization a message reading, “I hate children. I hope they all starve.””

  1. Steer clear of public computers whenever possible, or at least avoid accessing accounts or sites that require passwords.
  2. If you use a public PC, get a USB drive that has a built-in browser that allows you to surf securely.
  3. No matter what PC you use to access accounts, always log out when you are done.
  4. Register your name at as many social media sites as possible. Use Knowem.com to do it for you.

Protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano identity theft speaker discussing social media identity theft on Fox Boston

10 Ways to Prevent Social Media Scams

Robert Siciliano Identity Theft Expert

For the past year, I’ve been screaming about the trouble with social media as it relates to identity theft, brand hijacking, privacy issues, and the opportunity social media creates for criminals to “friend” their potential victims in order to create a false sense of trust and use that against their victims in phishing or other scams. I predicted long ago that the problem will get a lot worse before it gets better and there’s no question about it, criminal hackers have taken hold and are in full force.

We hear about a new Twitter phishing scam almost daily, whether it’s via direct messaging or a shortened URL. My spam folder is filled with emails from Facebook phishers, requesting new login credentials, or a “friend” who’s sending me a video that’s actually a virus.

Not too long ago, it was big news when someone had their Facebook account jacked by someone who impersonated the victim, claiming to have lost their wallet in the UK and begging for a money wire. Lately, I see another story about another victim every week.

Last time I checked, Facebook had more than 400 million users and Twitter has more than 50 million. These numbers jump exponentially every month, and old and new users are still being victimized.

James Carnall, manager of the cyberintelligence division at security monitoring firm Cyveillance, says, “Social media cybersquatting is where domain name cybersquatting was ten years ago”.

Scammers aren’t just stealing identities and spreading malware. They are brand jacking in ways that are hurting companies’ bottom lines. While many may not have sympathy for the bottom lines of billion-dollar corporations, this hurts the little guy, too. Knock-off software, hardware, merchandise, and movies ultimately cost legitimate taxpayers jobs and hurt the economy when the money is heading to criminal hackers elsewhere in the world. Liz Miller, vice president of the Chief Marketing Officer Council, says, “Counterfeiting operations are highly organized, are very global and are picking up steam because of the economy.”

MarkMonitor, a company that tracks online threats for its clients, determined that phishing attacks on social networking sites increased by 164% over the past year. And in a CMO Council survey of 4,500 senior marketing executives, nearly 20% of the respondents said they had been affected by online scams and phishing schemes that had hijacked brand names. These statistics undeniably point to organized crime syndicates.

Protect yourself from social media identity theft.

  1. Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web-based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday. You can do this manually or by using a very cost-effective service called Knowem.com.
  2. Register all your officers, company names and branded products on every social media site you can find to prevent Twitter squatting and cybersquatting.
  3. Get free alerts. Set up Google alerts for your name and get an email every time your name pops up online. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google does of fetching your name on the web.
  4. Implement policies. Social media is a great platform for connecting with existing and potential clients. However, without some type of policy in place that regulates employee access and guidelines for appropriate behavior, social media may eventually be completely banned from every corporate network. Teach effective use by providing training on proper use, and especially on what not to do.
  5. Encourage URL decoding. Before clicking on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.
  6. Limit social networks. In my own research, I’ve found 300-400 operable social networks serving numerous uses from music to movies, from friending to fornicating. Some are more or less appropriate and others even less secure. Knowem has a mind-blowing list of 4600 as of this writing.
  7. Train IT personnel. Effective policies begin from the top down. Those responsible for managing technology need to be fully up to speed.
  8. Maintain updated security. Whether hardware or software, anti-virus or critical security patches, make sure you are up to date.
  9. Lock down settings. Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.
  10. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker with ID Analytics discussing Social Media Identity Theft on Fox Boston

12 Awful Reasons Why Impostors Commit Social Media Identity Theft

Imagine if someone used your name and image, or the name and logo of a business you own, to create a profile on Facebook, Twitter, or any other social networking website. Then they start posting blogs and sending out links while pretending to be you. They may contact your acquaintances, colleagues, or clients, or they may simply show up when others search for your name. Either way, their intentions are fraudulent. Establishing an online presence using someone else’s identity creates unlimited opportunities for a scammer.

Traditional phishing, in which scammers send a fake email that appears to come from a trusted entity, is no longer as successful as it used to be. So identity thieves are taking advantage of social networking sites to build a home base. Once established, they seem as legitimate as any other user. There are few, if any, checks and balances to prevent this.

Social media identity theft occurs for a number of reasons:

  1. An impersonator may be attempting to steal your clients or potential clients.
  2. He or she could be squatting on your name or brand, hoping to profit by selling it back to you or preventing you from using it.
  3. They could be criminal hackers posting infected links that, if clicked on, will infect the victim’s PC or network with a virus that gives hackers backdoor access.
  4. An impersonator may intentionally pose as you, and even blog as you, in order to damage your name or brand. Anything they say to the world that is libelous, defamatory, or just plain wrong hurts your reputation and can even make you the target of a lawsuit.
  5. He or she may be using your identity to harass someone you know.
  6. The impersonator may wish to harass you, perhaps as revenge over a perceived slight or because you sold them a defective product or service.
  7. They may wish to use a name or brand that has leverage, such as a celebrity or Fortune 500 company, as a form of social engineering, to obtain privileged access.
  8. If you or your business sell products or services, identity thieves might pose as you and offer deals with links to spoofed websites, in order to extract credit card numbers.
  9. They may pose as a government entity for the purpose of extracting data and committing new account fraud.
  10. An impostor may be obsessed with you or your brand, and simply want to be associated with you. Posing as you could yield attention and satisfaction.
  11. They could be parodying you or your brand, by creating a tongue-in-cheek website that might be funny and obvious, but will most likely not be funny to you.
  12. They could be posing as you to elicit contact from others for the purposes of a relationship, sexual or otherwise, either in person or virtually. A young man was recently caught posing as an attractive girl in his school. He contacted guys in his class through a fake Facebook account and requested naked photos of them. When he revealed who he was, he used the incriminating photos to extort sex from them.

Social media is just a baby. All of the above stems from real world examples over the past few years. Unfortunately, this list is going to keep growing. Varieties of fraud that can occur via social media are only up to the imagination of the thief. Submit your own findings. Let’s hear what other whacked out social media identity thieves are doing.

To prevent social media identity theft, register all your officers, company names and branded products on every social media site you can find to prevent Twitter squatting and cybersquatting. You can do this manually or by using a very cost-effective service called Knowem.com.

Robert Siciliano is an Online Security Expert to McAfee. See him discussing identity theft on YouTube. (Disclosures)

8 Ways to Prevent Business Social Media Identity Theft

Robert Siciliano Identity Theft Expert

There are hundreds, or maybe even thousands, of social media sites worldwide such as Facebook, MySpace, Twitter, and YouTube. Social media networks are quickly becoming the bane of the IT manager. Twitter phishing and Facebook jacking are growing rapidly.

Social media is still in its infancy and its security has been an issue since its inception. Facebook has been perceived as an ongoing privacy and security issue and Twitter has become a big target. Users are tricked into clicking links. Viruses enter the network as a result of employees downloading or simply visiting an infected page.

Computerworld reports that “Twitter is dead”. Twitter is dead because it is now so popular that the spammers and the scammers have arrived in force. And history tells us that once they sink their teeth into something, they do not let go. Ever.

  1. Implement policies: Social media is a great platform for connecting with existing and potential clients. However, without some type of policy in place that regulates employee access and guidelines for appropriate behavior, social media may eventually be completely banned from every corporate network.
  2. Teach effective use: Provide training on proper use and especially on what not to do.
  3. Encourage URL decoding: Before clicking on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.
  4. Limit social networks: In my own research I’ve found 300-400 operable social networks serving numerous uses from music to movies, from friending to fornicating. Some are more or less appropriate and others even less secure.
  5. Train IT personnel: Effective policies begin from the top down. Those responsible for managing technology need to be fully up to speed.
  6. Maintain updated security: Whether hardware or software, anti-virus or critical security patches, make sure you are up to date.
  7. Lock down settings: Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.
  8. Prevent social media identity theft: Register all your officers, company names and branded products on every social media site you can find to prevent Twitter squatting and cybersquatting. You can do this manually or by using a very cost-effective service called Knowem.com.
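One way to do the “URL decoding” step recommended in both lists above (item 5 of the personal list and item 3 of the business list) without handing the link to a third-party lengthening service, as an added example that is not from the original post: it walks a shortened link’s redirect chain with HEAD requests, never loading the final page, and flags the signs a cautious user would want to see before clicking. The `head_fetch`, `expand_url` and `chain_warnings` names are my own, and the redirect table in `demo_offline` is constructed so the block runs with no network access.

```python
"""Added example: reveal a shortened URL's redirect chain before visiting it."""
from __future__ import annotations

import ipaddress
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# A fetcher takes a URL and returns (HTTP status, Location header or None).
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def head_fetch(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """HEAD one URL and report its status and Location header (needs network).

    Redirects are deliberately not followed here, so every hop is surfaced to
    the caller instead of being silently chased by urllib.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib stop at this hop

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx (and 4xx/5xx) responses surface here.
        return err.code, err.headers.get("Location")


def expand_url(url: str, fetch: Fetcher = head_fetch, max_hops: int = 10) -> Dict:
    """Walk the redirect chain hop by hop and return a report.

    The final page is only ever HEAD-requested, so nothing on it executes.
    status is one of: resolved, loop, too_many_hops, error.
    """
    hops: List[str] = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        try:
            code, location = fetch(current)
        except OSError as err:  # urllib.error.URLError subclasses OSError
            return {"hops": hops, "final": current, "status": "error", "detail": str(err)}
        if not (300 <= code < 400 and location):
            return {"hops": hops, "final": current, "status": "resolved"}
        nxt = urljoin(current, location)  # Location may be relative
        hops.append(nxt)
        if nxt in seen:
            return {"hops": hops, "final": nxt, "status": "loop"}
        seen.add(nxt)
        current = nxt
    return {"hops": hops, "final": current, "status": "too_many_hops"}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def chain_warnings(report: Dict) -> List[str]:
    """Red flags a user should weigh before clicking through."""
    hops = report["hops"]
    hosts = [urlsplit(h).hostname or "" for h in hops]
    schemes = [urlsplit(h).scheme for h in hops]
    out: List[str] = []
    if report["status"] != "resolved":
        out.append(f"chain did not resolve cleanly: {report['status']}")
    if len(hops) > 3:
        out.append("long redirect chain (tracker or cloaking in the middle)")
    if any(_is_ip_literal(h) for h in hosts):
        out.append("a hop uses a bare IP address instead of a domain name")
    if "https" in schemes and schemes[-1] == "http":
        out.append("chain downgrades from https to plain http")
    return out


def make_table_fetcher(table: Dict[str, Tuple[int, Optional[str]]]) -> Fetcher:
    """Offline fetcher backed by a constructed URL -> (status, Location) map."""
    return lambda url: table.get(url, (200, None))


# Constructed sample: a shortener, a tracker with a relative redirect, then a
# downgrade to a bare-IP login page (203.0.113.5 is a documentation address).
SAMPLE_TABLE = {
    "http://short.example/abc": (301, "https://track.example/r?id=1"),
    "https://track.example/r?id=1": (302, "/go/2"),
    "https://track.example/go/2": (307, "http://203.0.113.5/login"),
    "http://short.example/loop": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop"),
}


def demo_offline(url: str = "http://short.example/abc") -> Dict:
    """Expand a URL against SAMPLE_TABLE and attach its warnings."""
    report = expand_url(url, fetch=make_table_fetcher(SAMPLE_TABLE))
    report["warnings"] = chain_warnings(report)
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    rep = expand_url(target) if target else demo_offline()
    rep.setdefault("warnings", chain_warnings(rep))
    for i, hop in enumerate(rep["hops"]):
        print(f"{i}: {hop}")
    print("status:", rep["status"])
    for w in rep["warnings"]:
        print("WARNING:", w)
```

Run it with a real shortened link as the first argument to see the live chain; with no argument it replays the constructed sample.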

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano Identity Theft Speaker with ID Analytics discussing Social Media Identity Theft on Fox Boston