IT Security: Preventing Insider Threat

A “Logic Bomb” isn’t really logical, and it isn’t a virus either. It is malicious code planted inside an otherwise legitimate system or script that lies dormant until a trigger condition is met, typically a date or an event such as the author’s account being removed, and then does its damage: wiping data and taking down the systems that monitor, protect, back up or access it, and with them your corporate network. Unlike a virus it does not need to multiply or spread; an insider with administrative access can plant it once, directly on the systems that matter most, and nothing looks wrong until the trigger fires.

In a Wall Street Journal story, the example provided depicts an employee at Fannie Mae who, knowing he is about to be fired, commits an act of sabotage by installing a logic bomb set to detonate almost three months after his departure. The detonation would have taken the organization offline for almost a week and cost millions of dollars.

In this true insider threat story, another programmer, still employed and observant, noticed the code and disabled it before the damage could be done.

Think for a moment about your small business and how you would get in if you lost your keys. Maybe through an unlocked window? And if a burglar knew what you know about where you hide that extra key, how much damage could he do? Insider threats pose the same problem. They know the ins and outs of every system in place and can wreak havoc on your operation while they are employed, and sometimes after they are let go.

The problems begin when we put people in a position of trust. They are granted access because their job requires it, and too often that access is carte blanche rather than limited to the duties at hand. Ultimately IT security is a people problem and needs to be addressed that way.

Preventing Insider Threat

1. Limited Sources; only grant access to a few trusted people. Minimize the number of staff with access to each system in place.

2. Due Diligence; in the information age, our lives are an open book. Background checks from information brokers are necessary, and not doing one increases your liability. A person previously convicted of a crime just might do it again.

3. Limit Access; even a good apple can eventually go bad. By restricting the access of even those in a trusted position to what their role actually requires, they can do only limited damage if they turn sour.

4. Defense in Depth; audit, audit, audit. This is all about checks and balances: separation of duties and multiple layers of authorization. We’ve all watched the movie where, in order to launch the missile, two keys held by two people had to be turned and two buttons pressed. That is the two-person rule, and it belongs on your most sensitive systems too. Put systems in place that ensure someone is always watching over someone else’s shoulder, so a bad apple can neither hide nor carry out their malicious intent unobserved.

5. Prosecute the Guilty; in the event of a breach of trust, make an example of the person that others won’t forget. Public hangings set a strong deterrent.
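As an added example (not from the original post), here is what items 1, 3 and 4 of the list look like when they are checked in code rather than in a policy document. The role catalogue, staff directory, conflicting-duty pairs and audit log are all constructed; a real run would pull them from the directory service and the change-management system.

```python
from datetime import date

# Constructed role catalogue: the duties each role carries.
ROLE_DUTIES = {
    "developer":   {"write_code", "request_deploy"},
    "release_mgr": {"approve_deploy"},
    "dba":         {"read_prod_db", "write_prod_db"},
    "auditor":     {"read_audit_log"},
}

# Duty pairs one person must never hold together (separation of duties).
CONFLICTING_DUTIES = [
    ("request_deploy", "approve_deploy"),   # could ship their own change alone
    ("write_prod_db", "read_audit_log"),    # could alter data and check who noticed
]

# Constructed staff directory; "terminated" is None for current staff.
STAFF = {
    "alice": {"roles": {"developer"}, "terminated": None},
    "bob":   {"roles": {"developer", "release_mgr"}, "terminated": None},
    "carol": {"roles": {"dba"}, "terminated": date(2012, 1, 31)},
    "dave":  {"roles": {"release_mgr"}, "terminated": None},
}

# Constructed audit log of privileged actions.
AUDIT_LOG = [
    {"action": "deploy", "target": "payments-api", "requested_by": "alice", "approved_by": "dave"},
    {"action": "deploy", "target": "payments-api", "requested_by": "bob",   "approved_by": "bob"},
    {"action": "deploy", "target": "ledger",       "requested_by": "alice", "approved_by": None},
]


def duties_of(user, staff=STAFF):
    """Every duty a person holds through any of their roles."""
    return set().union(*(ROLE_DUTIES[r] for r in staff[user]["roles"]))


def conflicting_duty_holders(staff=STAFF):
    """Items 3 and 4: anyone who can both request and approve can act alone."""
    findings = []
    for user in staff:
        held = duties_of(user, staff)
        for a, b in CONFLICTING_DUTIES:
            if a in held and b in held:
                findings.append((user, a, b))
    return findings


def stale_access(staff=STAFF, today=date(2012, 4, 1)):
    """Items 1 and 3: people who have left but still hold a role. This is
    exactly the access a departed insider relies on."""
    return sorted(u for u, rec in staff.items()
                  if rec["terminated"] is not None and rec["terminated"] <= today and rec["roles"])


def two_person_rule_violations(log=AUDIT_LOG, staff=STAFF):
    """Item 4: a privileged action needs a second, different person who
    actually holds approve authority; self-approval or no approval fails."""
    bad = []
    for entry in log:
        requester, approver = entry["requested_by"], entry["approved_by"]
        if (approver is None or approver == requester
                or "approve_deploy" not in duties_of(approver, staff)):
            bad.append(entry)
    return bad


if __name__ == "__main__":
    print("conflicting duties:", conflicting_duty_holders())
    print("stale access:", stale_access())
    print("two-person rule violations:", two_person_rule_violations())
```

Run against the constructed data, the script flags bob (who can both request and approve a deploy), carol (terminated two months ago but still holding the DBA role), and two deploys that never had a second pair of eyes. The value of running this on a schedule rather than once is the point of item 4: the conditions that let an insider act alone tend to creep back in quietly.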

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Protect Yourself From Fraud While Filing Taxes

Identity theft complaints rose to more than 11 million last year, and tax-related scams have increased by over 700% since 2008. Two million fraudulent tax returns were filed in 2011 alone, at a cost of two billion dollars. Common scams include:

Double filing: If you receive a notification from the IRS informing you that multiple tax returns have been filed in your name, you should respond immediately to begin working through the restoration process.

Employment scams: Receiving a wage statement from an employer you never worked for is often the first tipoff that someone has been working under your Social Security number. Avoid this issue by protecting your Social Security number. A credit freeze makes your number less useful to thieves for opening new credit accounts, though it does not stop someone from using it for employment or tax filing.

Phishing scams: If you receive an unsolicited email or text message that appears to have been sent by the IRS, hit delete without clicking any links within the message.

Scam tax preparers: These con artists set up shop just long enough to collect victims’ personal information in order to direct refunds to themselves. Stick to doing business with accountants you know, like, and trust.

You should also take the following additional precautions to protect yourself from these and other tax-related scams:

Protect your data: Thoroughly secure any and all sensitive documents from the moment they arrive in your mailbox. File cabinets must have locks, and important documents should be stored in a fire resistant safe.

Shred non-essential paperwork: Use a crosscut shredder before disposing of any documents containing sensitive data.

Go paperless: Opt out of paper statements in favor of having electronic statements sent to your email.

File early: Filing your return sooner rather than later is a simple way to thwart any potential attempt to file on your behalf and fraudulently collect your refund.

Go to the post office: If you submit your taxes through the mail, do so by mailing them directly from your local post office, rather than leaving them in a mailbox.

Protect your PC: Before filing online, be sure that your computer’s operating system is up-to-date with the latest critical security patches. You should also use comprehensive security software that includes antivirus, anti-spyware, anti-phishing, and anti-spam protection as well as a two-way firewall.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

I’m Running the Boston Marathon Monday April 16th

Hello Friends, Colleagues, Clients, Media, Readers and all those who we’ve ever come in contact with:

The following is one sentence of business updates AND THEN more importantly, Robert’s running the Boston Marathon next week, Monday April 16th for Children’s Hospital Boston. Sick kids need your help.

Quick Biz: Robert was in Time Magazine http://ow.ly/adxbp in March, VERY FUNNY. Also, his YouTube page http://ow.ly/adx0t has over one million views! And check out his NEW book http://ow.ly/adxlW  And he’s done an incredible amount of media this year here: http://twitter.com/#!/RobertSiciliano

The IMPORTANT stuff:

Robert is taking on the challenge and running the 26.2 miles Monday April 16th as part of the Children’s Hospital Boston, Miles for Miracles Team. He has written a note below and provided a few links to track him on-line and more importantly make a donation for the kids at Children’s Hospital Boston. Please read on:

Please Donate HERE: http://ow.ly/7Amb8

Hey Everyone,
This hasn’t been easy. Only my wife, and others who have done this, know: it’s quite a task. It’s expensive and extremely time consuming. Early in my training I had “IT Band Syndrome” issues. And anytime they attach “syndrome” to anything you’re pretty much disadvantaged. This means the medical community doesn’t have an answer. This is a ligament/tendon that starts at your hip and ends at your knee and hurts like heck at the knee after about 2 miles. After about 20 physical therapy treatments and another 15 chiropractic adjustments, topped with a half dozen “Active Release Technique” treatments, I did 15 miles Saturday, which is the most I’ve done, and it’s about 120 miles and 6 weeks behind where my team from Children’s Hospital Boston is in their overall training.

So while this has all been a challenge to say the least, Marathon Monday may end up a hot sunny day, resulting in dehydration or over-hydration for many, which should make for a dramatic race with lots of people passing out.

And a little perspective: I’m 43. I can do this. I’m healthy and so are my kids. The children at Children’s Hospital Boston are not healthy. They need us and their doctors to help them get well. So to those of you who raised some great cash at our Feast of the 7 Fishes, THANK YOU. To all those who have donated, THANK YOU! Your generosity at times has brought me to tears.

(First a special note to my close friends and those who I’ve known since I was a kid…I know where you live. And I can get your Social Security number too. DONATE http://ow.ly/7Amb8).

To everyone else: donating is tax deductible, it’s good karma, it will make you feel good, the kids at Children’s Hospital Boston will significantly benefit from it and you are contributing to saving the life of a child. Please pull a couple bucks out of your pocket, donate more than you think you have…surprise yourself, go BIG: HERE http://ow.ly/7Amb8

Tracking: If you want to track Robert’s progress you can sign up here to receive 3 automatic text messages towards the beginning, half and finish line of the race:  http://www.baa.org/races/boston-marathon/participant-information/att-athlete-alert.aspx  The BAA.org website’s homepage will change on marathon day allowing you to type in Robert’s bib #22111 to get an immediate location.

Meeting area at finish in YELLOW. http://www.baa.org/races/boston-marathon/participant-information/course-map.aspx

Boston Marathon Course Map: http://www.baa.org/~/media/Files/BAA/Races/Boston%20Marathon/BMCourseMap2012.pdf

PS: I should finish by 4pm. If you sign up for alerts and don’t get a text saying I finished: PRAY!!

Much Love and many many thanks to everyone and a special thanks to all those who have supported us!
xoxo,
Robert & Family

PS, My large German Shepherd will be in the house while I’m gone, the alarm will be on, booby traps are set and a cop lives right next to me.  Just sayin’

Facebook connect: https://www.facebook.com/robert.siciliano?ref=mf
LIKE https://www.facebook.com/pages/Personal-Security-and-Identity-Theft-Expert-Speaker-Robert-Siciliano/97839383800

How Much Would You Pay For a Fake Girlfriend?

They say there’s a sucker born every minute. Not everyone can be sophisticated and worldly. Unfortunately, naiveté invites predators and victimization.

Social engineering is the act of manipulating people into performing certain actions or divulging confidential information. Essentially it’s a fancier, more technical form of lying.

Combine naiveté with predators who use social engineering to manipulate their victims, and you get stories like this one, about an Illinois man who sent more than $200,000 to an “online girlfriend” who didn’t actually exist. The man believed he had been in a relationship with the fictional woman for more than two years when he called police to report that she had been kidnapped in London. He then explained that over the course of the relationship, he had wired money to bank accounts in Nigeria, Malaysia, England, and the United States at his supposed girlfriend’s request.

It’s not as difficult as you might imagine to get swindled out of your money this way. Everyone wants to love and to be loved, and everyone likes to think they’re too smart to get scammed. The scammer’s advantage is his ability to appeal to a victim’s loneliness, which often trumps common sense and facilitates bad decision-making.

More than 40 million people subscribe to online dating services, and millions of those subscribers develop intimate, albeit virtual relationships with anonymous strangers. The most vulnerable users are often those who married young, divorced, and are now in their late 40s or early 50s, facing a new chapter of their lives. This dramatic life transition can foster a degree of loneliness and uncertainty that is extremely difficult to overcome without support from others.

Dating sites could protect users by incorporating another layer of protection, such as device reputation management, which would analyze the computers, smartphones, and tablets used to create new accounts. By examining the device used to connect to one’s website, the website’s operator can reject new accounts or transactions from users with a history of running online scams and spamming in other online communities.
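To make the device-reputation idea above concrete, here is an added example (not from the original post, and not iovation’s product) of the two checks such a layer performs at signup: has this device been reported for abuse before, and how many accounts is it trying to create? The fingerprint attributes, the thresholds and the abuse history are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta


def device_id(attrs):
    """Stable identifier from attributes a site can observe at signup.
    The attribute set (user agent, screen, time zone, a font-list hash) is
    constructed for this example; real fingerprints use many more signals."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


class DeviceReputation:
    """Tracks abuse reports and signup velocity per device, not per account,
    so a scammer who creates a fresh profile is still recognised."""

    def __init__(self, max_accounts_per_day=3):
        self.abuse = defaultdict(list)    # device -> [(when, reason), ...]
        self.signups = defaultdict(list)  # device -> [signup time, ...]
        self.max_accounts_per_day = max_accounts_per_day

    def report_abuse(self, dev, when, reason):
        """Record a scam or spam report, e.g. one shared by another community."""
        self.abuse[dev].append((when, reason))

    def evaluate(self, attrs, now):
        """Decide whether to accept a new account from this device.
        Returns (device_id, 'allow' | 'reject', reasons)."""
        dev = device_id(attrs)
        reasons = []
        if self.abuse[dev]:
            reasons.append("prior abuse: " + "; ".join(r for _, r in self.abuse[dev]))
        recent = [t for t in self.signups[dev] if now - t < timedelta(days=1)]
        if len(recent) >= self.max_accounts_per_day:
            reasons.append(f"{len(recent)} accounts already created from this device in 24h")
        decision = "reject" if reasons else "allow"
        if decision == "allow":
            self.signups[dev].append(now)  # only accepted signups count toward velocity
        return dev, decision, reasons


# Constructed device attribute sets.
SCAMMER_DEVICE = {"user_agent": "Mozilla/5.0 (Windows NT 5.1)", "screen": "1024x768",
                  "tz": "UTC+1", "fonts_hash": "9f2c1a"}
CLEAN_DEVICE = {"user_agent": "Mozilla/5.0 (Macintosh)", "screen": "1440x900",
                "tz": "UTC-5", "fonts_hash": "4b77e0"}


def demo():
    """Run both devices through signup; returns the sequence of decisions."""
    rep = DeviceReputation(max_accounts_per_day=2)
    t0 = datetime(2012, 2, 1, 9, 0)
    rep.report_abuse(device_id(SCAMMER_DEVICE), t0 - timedelta(days=30),
                     "romance scam reported by a partner site")
    decisions = [rep.evaluate(SCAMMER_DEVICE, t0)[1]]
    for minute in range(3):  # three profiles in three minutes from one clean device
        decisions.append(rep.evaluate(CLEAN_DEVICE, t0 + timedelta(minutes=minute))[1])
    return decisions


if __name__ == "__main__":
    print(demo())  # ['reject', 'allow', 'allow', 'reject']
```

The first signup is rejected on reputation alone, even though the account being created is brand new; the last is rejected because a third profile in three minutes from one device is not how a lonely person behaves. Fingerprints can be spoofed, so this is a layer that raises the scammer’s cost, not a substitute for the user-facing advice elsewhere on this page.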

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses dating security on E! True Hollywood Stories. (Disclosures)

5 Tips to Avoid bin Laden Scams

After Osama bin Laden’s death, a flurry of scams hit the internet, most notably scam emails with links to pictures and videos, and phony Facebook messages with links to videos that don’t exist.

Clicking these links can infect your PC with a RAT, a remote access Trojan, after which all your information may end up in the hands of a criminal.

Bottom Line: Be wary of any unsolicited messages that claim to have news on bin Laden, and never click on links or attachments included in these messages.

Tips to Avoid Becoming a Victim:

1)    Never download or click anything from an unknown source. If you really think your friend is sending you a video clip, double-check with the friend to be sure before you click on the link.

2)    Before clicking on any links related to the news, check to see that the address is going to a well-established site. If it is a shortened URL, use a URL preview tool such as http://hugeurl.com/, to make sure it is safe to click on.

3)    The most common threats are links to spam and malware. Buy consumer security software from a reputable, well known vendor, such as McAfee, and make sure the suite includes anti-virus, anti-spyware, anti-spam, anti-phishing, a two-way firewall, and a website safety advisor to stay protected against newly discovered malware and spam.

4)    If your social media account has been compromised, change your password immediately and delete all dangerous messages and links. Also, let your friends know that your account could be sending them spam in your name.

5)    Contact the Cybercrime Response Unit at www.mcafee.com/cru, an online help center for advice and technical assistance, if you think you’ve been a victim of a cybercrime.
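Tip 2 above says to preview a shortened link before clicking it. As an added example (not from the original post or from any of the tools it names), this is what a preview tool does under the hood: it follows the redirect chain hop by hop with HEAD requests, never fetching the final page, and then judges where the link actually lands. The trusted-host list, the look-alike brand names and the sample redirect chains are constructed.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

# Constructed allow-list of "well-established" news hosts, plus the brand
# names whose appearance inside some other host is a look-alike warning sign.
TRUSTED_HOSTS = {"www.cnn.com", "www.bbc.co.uk", "www.nytimes.com"}
TRUSTED_BRANDS = {"cnn", "bbc", "nytimes"}
MAX_HOPS = 5


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at each 3xx so every hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url, timeout=5):
    """HEAD the URL and return its Location header, or None if it does not
    redirect. Only used when the caller does not inject its own fetcher."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except HTTPError as err:
        # With redirects disabled urllib raises on 3xx; the hop is in the error.
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def expand(url, fetch_location=http_location, max_hops=MAX_HOPS):
    """Walk the redirect chain. Returns (final_url, hops, gave_up) where
    gave_up is True for loops or chains longer than max_hops."""
    hops = [url]
    for _ in range(max_hops):
        nxt = fetch_location(hops[-1])
        if not nxt:
            return hops[-1], hops, False
        nxt = urljoin(hops[-1], nxt)   # Location may be relative
        if nxt in hops:                # redirect loop
            return nxt, hops, True
        hops.append(nxt)
    return hops[-1], hops, True


def verdict(url, fetch_location=http_location):
    """Classify where a shortened link really goes."""
    final, _hops, gave_up = expand(url, fetch_location)
    parsed = urlparse(final)
    host = (parsed.hostname or "").lower()
    if gave_up:
        return "suspicious: redirect chain loops or is too long"
    if parsed.scheme not in ("http", "https"):
        return f"suspicious: non-web scheme {parsed.scheme!r}"
    if host in TRUSTED_HOSTS:
        return f"ok: resolves to {host}"
    for brand in TRUSTED_BRANDS:
        if brand in host:
            return f"suspicious: {host} imitates {brand}"
    return f"unknown destination: {host}"


# Constructed redirect chains standing in for live HEAD responses.
SAMPLE_CHAIN = {
    "http://bit.ly/abc": "http://t.co/xyz",
    "http://t.co/xyz": "http://www.cnn.com/2011/05/02/bin-laden",
    "http://bit.ly/bad": "http://cnn-breaking-news.example.net/video.exe",
    "http://bit.ly/loop": "http://bit.ly/loop2",
    "http://bit.ly/loop2": "http://bit.ly/loop",
}

if __name__ == "__main__":
    for short in ("http://bit.ly/abc", "http://bit.ly/bad", "http://bit.ly/loop"):
        print(short, "->", verdict(short, SAMPLE_CHAIN.get))
```

Passing `SAMPLE_CHAIN.get` as the fetcher keeps the demonstration offline; drop that argument and `verdict()` will issue real HEAD requests. The brand-in-hostname test is a heuristic and will occasionally flag an innocent host, which is the right failure direction for a link you were about to click on the strength of a breaking-news subject line.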

To sign up to receive alerts by email, please visit: http://home.mcafee.com/consumer-threats-signup. To see if your machine has been infected, scan your computer for free using McAfee Security Scan Plus: http://us.mcafee.com/root/mfs/default.asp?cid= 9913

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

Study Shows a Single Software Security Incident Costs an Average of $300,000

A recent study of more than 150 organizations conducted by Aberdeen Group(1) found that the average total cost to remediate a single application security incident is approximately $300,000. As security incidents can happen at any point in the application life cycle, modernization initiatives can prove especially costly if they are not proactively secured from development to operations.

“Application security” is the practice of finding and fixing security flaws in software both during development and after it ships. During the development cycle that means code review and security testing, including “penetration tests” designed to seek out vulnerabilities that could be exploited in the field. It is important to understand that flaws, bugs, holes, vulnerabilities, or whatever you call them, are often detected only after the launch of software, which is when they cost companies big bucks once a security incident arises.

While both developers and criminals have many of the same tools, the bad guys seem to have an edge and are often able to exploit those flaws before developers can find and fix them.

HP today announced the first application security analysis solution that discovers the root cause of software vulnerabilities by observing attacks in real time.

HP Fortify Real-Time Hybrid Analysis, used in concert with the new HP Fortify 360 v3.0 and HP Application Security Center 9.0, helps organizations proactively reduce business risk and protect against malicious software attacks.

Enterprises using the new HP offerings can deliver the application security intelligence required to effectively manage risk across the life cycle. By taking a pragmatic approach that secures applications from development to operations, organizations can develop a scalable, repeatable and cost-effective security assurance program to further reduce risk.

“The traditional approach of single-point security solutions helps secure parts of a business, but limits enterprises from making informed decisions,” said Joseph Feiman, vice president and fellow, Gartner. “To make optimal security and risk management decisions, enterprises must move from technological security silos to enterprise security intelligence. This can be achieved through the interaction of different technologies as well as contextual analyses of integrated security and business information.”

Based on advanced application security technologies, the new solutions help clients:

—  Immediately respond to business threats: With new technology that correlates code-level analysis, HP Fortify Real-Time Hybrid Analysis allows organizations to observe security attacks as they happen to identify the point of vulnerability in code;

—  Manage enterprise risk from applications: Proactively protect against threat risks and address compliance requirements through HP Fortify 360 Server, which detects security vulnerabilities across architectural layers and prioritizes remediation;

—  Accelerate innovation with the latest technologies: Through expanded automation and web services testing capabilities, HP WebInspect 9.0 and HP Assessment Management Platform 9.0 increase security testing coverage of complex Web 2.0 applications;

—  Enhance productivity through greater collaboration: With new features that centralize vulnerability and remediation issues, HP WebInspect 9.0 reduces the time to recreate and fix security defects, allowing developers, quality assurance and security teams to cover more applications with fewer resources; and

—  Protect the integrity of the enterprise: Providing new programming language support and integrations with HP WebInspect, HP Fortify On Demand tests the security of all applications quickly, accurately and affordably.

“Applications bring new enterprise opportunities, but the threat landscape is constantly evolving,” said John M. Jack, vice president, HP Fortify business unit, Software, HP. “With new advanced real-time security technologies, HP is delivering the application security intelligence needed to drive innovation while lowering the enterprise risk associated with it.”

These new security solutions are key elements of the HP Security Intelligence and Risk Management Framework, which helps businesses and governments in pursuit of an Instant-On Enterprise. In a world of continuous connectivity, the Instant-On Enterprise embeds technology in everything it does to securely serve customers, employees, partners and citizens with whatever they need, instantly.

The new HP Fortify releases, part of HP Hybrid Delivery, are offered through multiple delivery models, including on-premise, on-demand software-as-a-service and managed services.

Robert Siciliano is an Identity Theft Expert. See him discussing identity theft on YouTube. (Disclosures)

Identity Thief Steals Identity For 17 Years

This is a mess. Joseph Kidd stole Larry Smith’s identity 17 years ago, when Smith was 50 years old. While operating under Smith’s identity, Kidd “spent time in jail, was sent to prison, paroled, obtained welfare and Medicare benefits, and got married.”

He did all this using Smith’s name, which means that Smith has had to deal with the imposter’s actions from afar, as if he himself had a criminal record, was married, and on welfare. While the real Smith has no criminal record, he spent eight days in jail because of Kidd’s crimes. The real Smith has had liens placed on his home, was denied medical care, and lost his driver’s license, all because Kidd stole his identity.

When people ask, “Why would anyone steal my identity? I have no money,” I point to Kidd. When they say, “But I have bad credit,” I point to Kidd. When they say, “I don’t have a computer or credit cards. I pay cash and I don’t bank online,” I point to Kidd.

This is what identity theft looks like. Identity theft goes way beyond your computer being hacked or your credit card number being used without your permission. What happened to Larry Smith is identity theft.

Identity theft can happen to anyone. McAfee Identity Protection, offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first and provides live access to fraud resolution agents who work with the victim to help restore their identity even from past theft events. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing an identity theft pandemic on CNBC. (Disclosures)

LinkedIn Gone Wild: Invades Inboxes

Did you know there is a setting on LinkedIn where they will email your entire contact list on your behalf to let everyone know about a new position you have taken with a company?

I didn’t.

Until I got all kinds of  “Congratulations” in my inbox.

Apparently there is a new setting, left “On” by default, which tells all your contacts that you’ve taken a new job, got a new contract, or whatever. And while you may post this to your profile, it may not be something you want to stick in someone’s inbox.

I know it’s posted online for the world to see. But some things posted are meant to be passive, not direct. LinkedIn is supposed to be a place to catalog your accomplishments and business interests, not a sounding board to push content into people’s inboxes. I choose what to push out. Not LinkedIn.

What’s bothersome is LinkedIn knows this new feature is a problem and only passively tells their members.

It looks like this:

“By selecting this option, your activity updates will be shared in your activity feed.

  • Note: You may want to turn this option off if you’re looking for a job and don’t want your present employer to see that you’re updating your profile.”

That’s incredible “if you’re looking for a job and don’t want your present employer to see” THEY WROTE THAT!!!!


OK, so you’d have to be a tool to update your profile with a new job while having an existing job, but the fact that by default LinkedIn has gone in and chosen to tell all your contacts is disturbing. It’s wrong on so many levels they take it upon themselves to send that email.

My issue is I don’t have a “job,” I have “clients,” and now my clients think I got a job. It is unusual for a consultant to have a job and consult, and it makes me look like a “moonlighter.”

It’s just wrong, LinkedIn. You had no right to do that.

Robert Siciliano has no job. He is a consultant to great security companies. See him discussing home security and identity theft on TBS Movie and a Makeover.

Be Aware Online Daters – Romance Scams & Threats

With Valentine’s Day around the corner, many single people return to thoughts of finding love online.   But while your head is in the online clouds, you should know – and sorry to sound like a parent – that cyberscammers may be there with you looking to take advantage of your vulnerable heart.

To help you stay safe on Valentine’s Day and year-round, here is a look at some of the top romance scams and threats, followed by safety tips in honor of your heart:

1) Online Dating Scams: Millions of people use online dating sites to broaden their networks and meet potential mates, but not everyone on these sites is sincere. Some are scammers hoping to lure you in with false affection, with the goal of gaining your trust, and eventually, your money.

2) Love Exploits—These threats have you looking for love in all the wrong places—like dangerous websites designed to steal your information. One recent example of this is the Koobface worm, which targeted Match.com users by sending messages that appeared to be from other users, inviting them to look at photos and videos on a Match.com look-a-like site. When users tried to log in to the malicious site, it recorded their usernames and passwords and attempted to install a Trojan.

3) Valentine’s Day Spam & eCards–Scammers know that the holidays are the perfect time to send out themed messages and eCards, knowing they will grab your attention. Spam messages with subject lines such as “The Perfect Valentine’s Day Gift” may contain a link to a dangerous website that asks for personal information. And, a message that appears to be an eCard from a loved one could actually download malware on your machine when you click on the link, leaving you with an infection, rather than affection.

In Honor of Your Heart – How To Stay Safe

  • When signing up for online dating, go with a well-known dating site and get referrals from friends on which sites they use
  • Design your dating profile with care—think about the image you want to project and NEVER, under any circumstance, post personal information, such as your full name, address and phone number
  • Vet potential dates by checking to see that their profile information matches other online information, such as their LinkedIn or Spokeo profile
  • If a potential date asks you for a loan or any financial information, immediately report them to the dating site
  • NEVER EVER click on links in emails or eCards from people you do not know – if you don’t trust it, DO NOT click it
  • To help protect you from malware, use a comprehensive security software, such as McAfee Total Protection, and keep it up-to-date

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing Safe Personal Dating on Tyra. (Disclosures)

High Tech Alarm Systems Are Much More Than Home Alarms

So I have the new ADT Pulse system. It’s pretty amazing. I’ve had a “plain old” system for the past 15 years, which has been upgraded 3 times. The standard home alarm system covers monitoring, doors, windows, motion and glass.

This system has all that plus wireless cameras inside, remote controlled thermostats, remote controlled/timed light controls, flood sensors in the mechanical room and laundry, full web access to the cameras, an iPad looking touchpad that controls it, an iPhone app to control/monitor its cameras/stat it from anywhere, and a web dashboard that lets you control every single aspect of each control to inform you of activity or to set up a “reaction” to an incident.

This home alarm system is very simple and easy to program, and once you dive into the system it gives you a tremendous amount of “awareness” of the goings on in and around your home, and it does it automatically.

I haven’t spent a lot of time on the programming just yet, but just by default the basic settings will alert you via text and email whenever anything happens. You also have the ability to turn all these same alerts off.

It has no less than 5 ways to turn it on and off, including a wired keypad, iPhone app, touch pad, computer and a remote control on the keychain for deactivating before the garage door goes up. The touch pads sit in bedrooms/office/kitchen and have a live video feed tuned into the kids’ rooms or the entrance way. There’s also a big green or red icon on the touch pad letting you know if it’s set or not. Mine is mostly red because it’s set while we are home. The touchpad definitely gives you more control than you have without it. It allows very simple setting of the home alarm so it’s mostly always on and you know it, which reduces false alarms.

What I like most is the inside cameras. I have one in the little people’s room who are too little to tell me they don’t want them there. There’s also one in the kitchen, family room, office, entrance way, mechanical room and basement/garage. All of these spaces have a light switch in the room that I can control remotely to turn on so I can see what’s going on at night.

More visibility, more notification, more functionality, easier controls means more security. I LOVE THAT!!!!!!!!!

Oh, and when ADT installed this thing, the sales peeps and installers couldn’t have been more courteous and more professional. They weren’t run of the mill-off of craigslist-contractors, these were employees of the largest alarm company on the planet and it showed they do serious quality control over who their employees are. You don’t see that so much anymore.

It was a very impressive parade of professionalism.

I’m going to do a few posts regarding my experience with ADT Pulse as I dig deeper, so stay tuned.

Robert Siciliano personal and home security specialist to Home Security Source discussing Home Security on NBC Boston.