High Schooler Opens Bogus Twitter Account in School Director’s Name

We’ve seen this before and it never ends well. This time it’s resulting in an identity theft charge for Ira Trey Quesenberry III, an 18-year-old student at Sullivan Central High School. A few years ago this would have been looked upon as a victimless prank. But times have changed, and as social media sites like Twitter, Facebook, LinkedIn and others have morphed into much more than just recreational websites, it’s not just unacceptable, it’s a crime.

The Twitter account was created with the name and photo of Dr. Jubal Yennie, director of the Sullivan County school district. The account has since been deleted, but the tweets sent in Yennie’s name were reported to be of an embarrassing nature and not appropriate for a school administrator. Why would an 18-year-old do something like that?

The Smoking Gun reports: “Yennie contacted sheriff’s deputies last Friday to report the phony Twitter account. After investigators linked Quesenberry to the account, the teen reportedly confessed to opening it. Quesenberry was booked today by sheriff’s deputies, and is due to appear tomorrow in General Sessions court.”

Grab your name and your company’s name, products and services, people. Sites like Knowem.com will do this for free or for a small fee. The worst thing you can do is nothing. There are millions of stupid 18-year-olds out there to make you look stupid-er.

Robert Siciliano is a personal security and identity theft expert and Advisory Board member to Knowem. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Enacted Maryland Child Identity Lock Bill Is Useless

This week the Maryland Child Identity Lock bill went into effect. CBS Baltimore reports: “Maryland State Delegate Craig Zucker is behind a new state law that just went into effect designed to protect a child from identity theft. ‘It will be the first time parents or guardians can proactively contact any of the three credit agencies and freeze their child or dependent information to protect against identity theft,’ Zucker said. By freezing a child’s credit, crooks are out of luck.”

Not quite, Craig, but A for effort. I mean that, and I hope you follow through and finish what you started.

The Huffington Post reported back in April “Under current Maryland law, credit agencies must place a security freeze on the credit of anyone who requests it. However, they can refuse to lock the credit of those who do not have a pre-existing credit report. That’s a problem for children. If they have a credit report, it likely means they’re already a victim of fraud.” Which is kind of exactly where we are today. Not much has changed.

Unless all 3 bureaus offer a proactive credit freeze, the bill fails, and it fails further if ALL children can’t get one, not just Maryland kids.

I contacted all 3 credit bureaus and only Experian offers a credit freeze for children, and only if your child is a victim, no matter what state you live in. First go to Experian’s Credit Freeze Center, then click “Add A Security Freeze,” then Continue, then “Place a Security Freeze on a Minor’s Credit File.”

As of this writing, a phone call to Equifax at 1-800-603-9430 (a phone number only available by initiating a chat session) reveals the customer service agents have no knowledge of the Maryland Child Identity Lock bill, and will only freeze credit if the child is currently a victim of identity theft. Once a credit report is generated for a minor the damage is done and then a credit report can be frozen.

TransUnion was a little more helpful in that they offer what they call a “Minor Suppression” by going online, seeking out “child identity theft,” then calling 800-680-7289. The operator will then open a case and forward you to the fraud department. You should make sure to get a “Minor Suppression File#” on each child and then send in the required documentation to the address they provide. But no credit freeze.

Being in the trenches and working with child identity theft victims, I can tell you firsthand that child identity theft is extremely damaging to a child’s future. Most kids who are victimized have a hard time getting started as adults at the age of 18, when their credit makes them look like deadbeats. Their reputation is already damaged and getting credit, getting into schools or getting a job becomes 100 times harder than it already is.

The credit bureaus are in the best position to prevent child identity theft by simply tweaking their systems to allow a credit freeze BEFORE THE CHILD IS A VICTIM OF IDENTITY THEFT.

Us parents aren’t asking a lot. We just want to do our jobs and protect our children from what harm can come to our kids.

Robert Siciliano is a personal security and identity theft expert and speaker. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Classified Ad Scams Target Pet Lovers

I love my dog, a 60 lb German Shepherd. Small for a shepherd, but she was the runt. I’ve always rooted for the underdog. The underdog has more heart, more passion and often tries harder.

Anyway, people love their pets, which is why it’s a multibillion-dollar-a-year business. Scammers know this too, and they prey upon classified ad users who are seeking their next pet.

This story caught my eye, “A warning for internet users: an online scam targeting pet-lovers is circulating the web, and it could cost you more than a new pet.”

An ad was posted to a local online classifieds website by a man who claimed he was living in Florida. The seller said he had recently moved to Miami, and couldn’t keep his dog due to his new living conditions. He was willing to give the Labrador Retriever puppy named Dely away for the cost of shipping, which was $220.

The couple sent a delivery service $220 by way of Western Union. The delivery service told the family to send another $820 or risk losing the dog. That’s when the couple realized they’d been scammed. They told the person on the other end of the phone the deal was off. But the caller kept calling, becoming more aggressive each time.

“He kept calling me saying the dog’s here,” said the victim. “Making me feel like this poor dog is sitting somewhere unattended.” When the caller realized the couple wasn’t sending the extra $820, he threatened to turn them in to authorities and charge them with animal abandonment. Officials determined the entire thing was a scam.

Scammers will say and do anything to get a person to part with their money. At first they had a sob story that sounded like a legitimate issue: new housing that wouldn’t allow a pet. When posted as a classified ad, it looks legitimate. Then they involved a “shipping company” that was a front for the scam. The request to send a money transfer should have been a red flag for the victims.

It’s usually best to do business like this locally.

Never automatically trust anyone over the phone or via the internet.

Unless the business is one that is well established online, don’t ever send money that you can’t get back.

Many classified sites stop fraudulent ads from being published in the first place by incorporating device-based intelligence that helps them assess risk upfront. Fraud prevention technology offered by iovation Inc. not only helps these sites identify repeat offenders coming in under multiple fake identities, but also detects when scammers are attempting to place multiple fraudulent ads using a variety of computers, tablets and smartphones. This greatly helps rid these sites of undesirables and protect their valued members.

Fraud analysts review thousands of transactions per month on auction sites. They watch for emerging schemes such as the popular “advanced fee schemes,” where bad actors posing as sellers require down payments to be wired to them, and “text message fraud,” where legitimate sellers receive text messages that start the process of being scammed.

Online businesses can see what kind of fraud records are associated with a device touching their website before accepting a new account registration, by tapping into iovation’s cybercrime intelligence network with over 10 million fraud events and more than 1 billion devices.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Are Your Mobile Apps Up To No Good?

Most of us have heard the saying “It’s 2am, what are your kids doing?” and you may know, but do you know what your mobile apps are doing? I know before I started working in the industry, I would not have given a second thought to this, but consider this.

Why would an app designed to monitor your mobile’s battery need to know your location via your GPS? How come some gaming applications ask users for their phone numbers? Mobile applications, especially free ones, require some level of your personal data in order to supplement development costs. This means “free” isn’t exactly free.

Unsurprisingly, 97% of users don’t understand how permissions correspond to the risk of an app. The consequence of not knowing is that once you share your personal data, it can be used and sometimes abused, and it is out of your control forever.


If it’s digital, then that means it’s also “repeatable” and can be copied, pasted, duplicated and sent an infinite number of times. For example, 18.3 million US adult smartphone owners have looked up medical information. 32.5 million US adult smartphone owners access banking information. Using applications that don’t care much about your privacy can expose this data.

Android applications can ask for 124 types of permissions, and with these permissions someone can turn on your camera, monitor or modify or even kill outgoing calls, record images of your screen while you enter personal information, monitor and view texts or pictures and, even scarier, capture conversations in the room when no call is active!!

What’s troubling is 33% of apps ask for more permissions than they need, 42% of users don’t know what these permissions are and 83% of users don’t pay attention to permissions when installing an app. This all adds up to needing to know what your apps are doing.
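The battery-app question above can be checked mechanically by comparing the permissions an app requests against what its stated purpose needs. The following is an added example, not code from the original post or from any vendor named here; it assumes the app's `AndroidManifest.xml` has already been decoded to text XML, and the `EXPECTED` baselines, the sample manifest and the package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission names mapped to the capability each one grants.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone recording",
    "android.permission.READ_SMS": "reading text messages",
    "android.permission.PROCESS_OUTGOING_CALLS": "monitoring or redirecting outgoing calls",
    "android.permission.READ_PHONE_STATE": "phone number and device identifiers",
}

# Constructed baselines (an assumption of this example): what an app of a
# given kind plausibly needs. A real review would maintain its own list.
EXPECTED = {
    "battery_monitor": {"android.permission.BATTERY_STATS"},
    "camera_app": {"android.permission.CAMERA"},
}

# Constructed sample manifest for a hypothetical battery monitor.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterywatch">
  <uses-permission android:name="android.permission.BATTERY_STATS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission/>
  <application android:label="BatteryWatch"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest requests."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for elem in root.iter():
        # Both element forms request a permission; the -sdk-23 form applies
        # only on Android 6.0 and later, but the capability is the same.
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(ANDROID_NS + "name")
            if name:  # skip malformed entries that carry no name
                names.add(name.strip())
    return sorted(names)


def audit(manifest_xml, category):
    """Split the permissions outside the category baseline into sensitive and other."""
    if category not in EXPECTED:
        raise ValueError("no baseline for category: " + category)
    extra = [p for p in requested_permissions(manifest_xml)
             if p not in EXPECTED[category]]
    return {
        "unexpected_sensitive": [(p, SENSITIVE[p]) for p in extra if p in SENSITIVE],
        "unexpected_other": [p for p in extra if p not in SENSITIVE],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "battery_monitor")
    for perm, capability in report["unexpected_sensitive"]:
        print("REVIEW:", perm, "->", capability)
    for perm in report["unexpected_other"]:
        print("note:  ", perm)
```

A permission outside the baseline is a prompt to ask why the app needs it, not proof of abuse; `INTERNET`, for instance, is requested by most apps.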

To help you protect your privacy and identity when using apps you should:

Research apps by checking their ratings and reviews before you download

Only download apps from reputable app stores

Read the Terms of Service (TOS) to determine what data the app is going to access on your mobile device.

Use a comprehensive mobile security app with app privacy features, such as McAfee Mobile Security, that will provide insight into the activity and safety of your apps

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices on YouTube. (Disclosures)

IT Security: Preventing Insider Threat

A “Logic Bomb” isn’t really logical; it’s a virus designed to take down your corporate network and disable existing systems that may monitor data, protect it, back it up or access it. A logic bomb is designed to multiply like any virus and spread throughout a network, multiplying its effects.

An example provided in a Wall Street Journal story depicts an employee at Fannie Mae who, knowing he is about to be fired, commits an act of workplace violence by installing a logic bomb set to detonate almost 3 months after his departure. The detonation would have taken the organization offline for almost a week and cost millions and millions of dollars.

In this true insider threat story, an observant programmer, still employed, noticed the code and disabled it before the damage could be done.

Think for a moment about your small business and how you would get in if you lost your keys. Maybe through an unlocked window? And if a burglar knew what you knew about where you hide that extra key? How much damage could he do, knowing what you know? Insider threats pose the same problem. They know the ins and outs of all systems in place and can wreak havoc on your operation while they are employed and sometimes after they are let go.

The problems begin when we put people in a trusted place. They are granted access because that’s their job to perform certain duties and they are granted carte blanche access. Ultimately IT security is a people problem and needs to be addressed that way.

Preventing Insider Threat

1. Limited Sources; only grant access to a few trusted sources. Minimize the number of staff who have access to whatever systems are in place.

2. Due Diligence; in the information age, our lives are an open book. Background checks from information brokers are very necessary. Not doing a background check increases your liability. A person previously convicted of a crime just might do it again.

3. Limit Access; even a good apple eventually can go bad. By restricting the access to even those who are in a trusted position, in the event they turn sour, they can only do limited damage.

4. Defense in Depth; audit, audit, audit. This is all about checks and balances. Separation of powers. Multiple layers of authorization. We’ve all watched the movie where in order to launch the missile there were 2 keys held by 2 people, who pressed 2 buttons in order for the missile to launch. Put systems in place that facilitate someone always watching over someone’s shoulder. This way the bad apple can’t hide or execute their malicious intent.

5. Prosecute the Guilty; in the event of a breach of trust, make an example of the person that others won’t forget. Public hangings set a strong deterrent.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Protect Yourself From Fraud While Filing Taxes

Identity theft complaints rose to more than 11 million last year, and tax-related scams have increased by over 700% since 2008. Two million fraudulent tax returns were filed in 2011 alone, at a cost of two billion dollars. Common scams include:

Double filing: If you receive a notification from the IRS informing you that multiple tax returns have been filed in your name, you should respond immediately to begin working through the restoration process.

Employment scams: Receiving wages from an unknown employer is often the first tipoff that you have been victimized by an employment scam. Avoid this issue by protecting your Social Security number. You can also make your Social Security number less attractive to thieves with a credit freeze.

Phishing scams: If you receive an unsolicited email or text message that appears to have been sent by the IRS, hit delete without clicking any links within the message.

Scam tax preparers: These con artists set up shop for just long enough to collect victims’ personal information in order to direct refunds to themselves. Stick to doing business with accountants you know, like, and trust.

You should also take the following additional precautions to protect yourself from these and other tax-related scams:

Protect your data: Thoroughly secure any and all sensitive documents from the moment they arrive in your mailbox. File cabinets must have locks, and important documents should be stored in a fire resistant safe.

Shred non-essential paperwork: Use a crosscut shredder before disposing of any documents containing sensitive data.

Go paperless: Opt out of paper statements in favor of having electronic statements sent to your email.

File early: Filing your taxes sooner rather than later is a simple way to thwart any potential attempts to file on your behalf and fraudulently collect your refund.

Go to the post office: If you submit your taxes through the mail, do so by mailing them directly from your local post office, rather than leaving them in a mailbox.

Protect your PC: Before filing online, be sure that your computer’s operating system is up-to-date with the latest critical security patches. You should also use comprehensive security software that includes antivirus, anti-spyware, anti-phishing, and anti-spam protection as well as a two-way firewall.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

I’m Running the Boston Marathon Monday April 16th

Hello Friends, Colleagues, Clients, Media, Readers and all those who we’ve ever come in contact with:

The following is one sentence of business updates AND THEN more importantly, Robert’s running the Boston Marathon next week, Monday April 16th for Children’s Hospital Boston. Sick kids need your help.

Quick Biz: Robert was in Time Magazine http://ow.ly/adxbp in March, VERY FUNNY. Also, his YouTube page http://ow.ly/adx0t has over one million views! And check out his NEW book http://ow.ly/adxlW  And he’s done an incredible amount of media this year here: http://twitter.com/#!/RobertSiciliano

The IMPORTANT stuff:

Robert is taking on the challenge and running the 26.2 miles Monday April 16th as part of the Children’s Hospital Boston, Miles for Miracles Team. He has written a note below and provided a few links to track him on-line and more importantly make a donation for the kids at Children’s Hospital Boston. Please read on:

Please Donate HERE: http://ow.ly/7Amb8

Hey Everyone,
This hasn’t been easy. Only my wife knows and others who have done this, it’s quite a task. It’s expensive and extremely time consuming. Early in my training I’ve had “IT Band Syndrome” issues. And anytime they attach “syndrome” to anything you’re pretty much disadvantaged. This means the medical community doesn’t have an answer.  This is a ligament/tendon that starts at your hip and ends at your knee that hurts to heck after about 2 miles at the knee. After about 20 physical therapy treatments and another 15 chiropractic adjustments topped with a half dozen “Active Release Technique” treatments, I did 15 miles Saturday, which is the most I’ve done and it’s about 120 miles and 6 weeks behind where my team from Children’s Hospital Boston is at in their overall training.

So while this has all been a challenge to say the least, Marathon Monday may end up a hot sunny day resulting in dehydration or over-hydration for many which should make for a dramatic race with lots of people passing out.

And a little perspective: I’m 43. I can do this. I’m healthy and so are my kids. The children at Children’s Hospital Boston are not healthy. They need us and their doctors to help them get well. So to those of you who raised some great cash at our Feast of the 7 Fishes, THANK YOU. To all those who have donated, THANK YOU! Your generosity at times has brought me to tears.

(First a special note to my close friends and those who I’ve known since I was a kid…I know where you live. And I can get your Social Security number too. DONATE http://ow.ly/7Amb8).

To everyone else: donating is tax deductible, it’s good karma, it will make you feel good, the kids at Children’s Hospital Boston will significantly benefit from it and you are contributing to saving the life of a child. Please pull a couple bucks out of your pocket, donate more than you think you have…surprise yourself, go BIG: HERE http://ow.ly/7Amb8

Tracking: If you want to track Robert’s progress you can sign up here to receive 3 automatic text messages towards the beginning, half and at the finish line of the race here: http://www.baa.org/races/boston-marathon/participant-information/att-athlete-alert.aspx The BAA.org website’s homepage will change on marathon day, allowing you to type in Robert’s bib #22111 to get an immediate location.

Meeting area at finish in YELLOW. http://www.baa.org/races/boston-marathon/participant-information/course-map.aspx

Boston Marathon Course Map: http://www.baa.org/~/media/Files/BAA/Races/Boston%20Marathon/BMCourseMap2012.pdf

PS: I should finish by 4pm. If you sign up for alerts and don’t get a text saying I finished: PRAY!!

Much Love and many many thanks to everyone and a special thanks to all those who have supported us!
Robert & Family

PS, My large German Shepherd will be in the house while I’m gone, the alarm will be on, booby traps are set and a cop lives right next to me.  Just sayin’

Facebook connect: https://www.facebook.com/robert.siciliano?ref=mf
LIKE https://www.facebook.com/pages/Personal-Security-and-Identity-Theft-Expert-Speaker-Robert-Siciliano/97839383800

How Much Would You Pay For a Fake Girlfriend?

They say there’s a sucker born every minute. Not everyone can be sophisticated and worldly. Unfortunately, naiveté invites predators and victimization.

Social engineering is the act of manipulating people into performing certain actions or divulging confidential information. Essentially it’s a fancier, more technical form of lying.

Combine naiveté with predators who use social engineering to manipulate their victims, and you get stories like this one, about an Illinois man who sent more than $200,000 to an “online girlfriend” who didn’t actually exist. The man believed he had been in a relationship with the fictional woman for more than two years when he called police to report that she had been kidnapped in London. He then explained that over the course of the relationship, he had wired money to bank accounts in Nigeria, Malaysia, England, and the United States at his supposed girlfriend’s request.

It’s not as difficult as you might imagine to get swindled out of your money this way. Everyone wants to love and to be loved, and everyone likes to think they’re too smart to get scammed. The scammer’s advantage is his ability to appeal to a victim’s loneliness, which often trumps common sense and facilitates bad decision-making.

More than 40 million people subscribe to online dating services, and millions of those subscribers develop intimate, albeit virtual relationships with anonymous strangers. The most vulnerable users are often those who married young, divorced, and are now in their late 40s or early 50s, facing a new chapter of their lives. This dramatic life transition can foster a degree of loneliness and uncertainty that is extremely difficult to overcome without support from others.

Dating sites could protect users by incorporating another layer of protection, such as device reputation management, which would analyze the computers, smartphones, and tablets used to create new accounts. By examining the device used to connect to one’s website, the website’s operator can reject new accounts or transactions from users with a history of running online scams and spamming in other online communities.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses dating security on E! True Hollywood Stories. (Disclosures)

5 Tips to Avoid bin Laden Scams

After Osama bin Laden’s death, a flurry of scams hit the internet. Most notable were scam emails with links to pictures and videos, and phony Facebook messages with links to videos that don’t exist.

When you click these links, your PC can be infected with a RAT (remote access Trojan), and all your information may end up in the hands of a criminal.

Bottom Line: Be wary of any unsolicited messages that claim to have news on bin Laden, and never click on links or attachments included in these messages.

Tips to Avoid Becoming a Victim:

1)    Never download or click anything from an unknown source. If you really think your friend is sending you a video clip, double-check with the friend to be sure before you click on the link.

2)    Before clicking on any links related to the news, check to see that the address is going to a well-established site. If it is a shortened URL, use a URL preview tool such as http://hugeurl.com/, to make sure it is safe to click on.

3)    The most common threats are links to spam and malware. Buy consumer security software from a reputable, well known vendor, such as McAfee, and make sure the suite includes anti-virus, anti-spyware, anti-spam, anti-phishing, a two-way firewall, and a website safety advisor to stay protected against newly discovered malware and spam.

4)    If your social media account has been compromised, change your password immediately and delete all dangerous messages and links. Also, let your friends know that your account could be sending them spam in your name.

5)    Contact the Cybercrime Response Unit at www.mcafee.com/cru, an online help center for advice and technical assistance, if you think you’ve been a victim of a cybercrime.

To sign up to receive alerts by email, please visit: http://home.mcafee.com/consumer-threats-signup. To see if your machine has been infected, scan your computer for free using McAfee Security Scan Plus: http://us.mcafee.com/root/mfs/default.asp?cid=9913

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

Study Shows Single Software Security Incident Costs Average $300,000

A recent study of more than 150 organizations conducted by Aberdeen Group(1) found that the average total cost to remediate a single application security incident is approximately $300,000. As security incidents can happen at any point in the application life cycle, modernization initiatives can prove especially costly if they are not proactively secured from development to operations.

“Application security” is an often-used term for when, during the software development cycle, the software or application goes through a series of “penetration tests” designed to seek out vulnerabilities that could be exploited in the field. It is important to understand that flaws, bugs, holes, vulnerabilities, or whatever you call them, are often detected after the launch of software. This costs companies big bucks when a security incident arises.

While both developers and criminals have many of the same tools, the bad guys seem to have an edge and are often able to exploit those flaws before developers can find and fix them.

HP today announced the first application security analysis solution that discovers the root cause of software vulnerabilities by observing attacks in real time.

HP Fortify Real-Time Hybrid Analysis, used in concert with the new HP Fortify 360 v3.0 and HP Application Security Center 9.0, helps organizations proactively reduce business risk and protect against malicious software attacks.

Enterprises using the new HP offerings can deliver the application security intelligence required to effectively manage risk across the life cycle. By taking a pragmatic approach that secures applications from development to operations, organizations can develop a scalable, repeatable and cost-effective security assurance program to further reduce risk.

“The traditional approach of single-point security solutions helps secure parts of a business, but limits enterprises from making informed decisions,” said Joseph Feiman, vice president and fellow, Gartner. “To make optimal security and risk management decisions, enterprises must move from technological security silos to enterprise security intelligence. This can be achieved through the interaction of different technologies as well as contextual analyses of integrated security and business information.”

Based on advanced application security technologies, the new solutions help clients:

—  Immediately respond to business threats: With new technology that correlates code-level analysis, HP Fortify Real-Time Hybrid Analysis allows organizations to observe security attacks as they happen to identify the point of vulnerability in code;

—  Manage enterprise risk from applications: Proactively protect against threat risks and address compliance requirements through HP Fortify 360 Server, which detects security vulnerabilities across architectural layers and prioritizes remediation;

—  Accelerate innovation with the latest technologies: Through expanded automation and web services testing capabilities, HP WebInspect 9.0 and HP Assessment Management Platform 9.0 increase security testing coverage of complex Web 2.0 applications;

—  Enhance productivity through greater collaboration: With new features that centralize vulnerability and remediation issues, HP WebInspect 9.0 reduces the time to recreate and fix security defects, allowing developers, quality assurance and security teams to cover more applications with fewer resources; and

—  Protect the integrity of the enterprise: Providing new programming language support and integrations with HP WebInspect, HP Fortify On Demand tests the security of all applications quickly, accurately and affordably.

“Applications bring new enterprise opportunities, but the threat landscape is constantly evolving,” said John M. Jack, vice president, HP Fortify business unit, Software, HP. “With new advanced real-time security technologies, HP is delivering the application security intelligence needed to drive innovation while lowering the enterprise risk associated with it.”

These new security solutions are key elements of the HP Security Intelligence and Risk Management Framework, which helps businesses and governments in pursuit of an Instant-On Enterprise. In a world of continuous connectivity, the Instant-On Enterprise embeds technology in everything it does to securely serve customers, employees, partners and citizens with whatever they need, instantly.

The new HP Fortify releases, part of HP Hybrid Delivery, are offered through multiple delivery models, including on-premise, on-demand software-as-a-service and managed services.

Robert Siciliano is an Identity Theft Expert. See him discussing identity theft on YouTube. (Disclosures)