Posts

USB Drives – With Convenience Comes Risk

I’m sure most of us have used a USB drive (or thumb drive) at one point or another. They are super convenient to transfer files, especially when they are too large for email or you don’t have access to an Internet connection.

2DBut it’s this same convenience of being portable, readily available, and inexpensive that make them a prime target for cybercriminals. There’s a number of ways that these devices can fall victim to the underworld.

Because USB drives are primarily used to share and transfer files, it’s an easy target for hackers who are looking to distribute malware. And because most USB drives are set to auto-run (meaning that when you plug it into your computer, it will automatically open up the drive), the malicious software could be automatically transferred to your computer as soon as you plug this in. So once they get you to copy an infected file to the USB drive, it’s easily spread to other computers every time the USB drive is plugged in.

While their small size and portability make them easy to carry in your pocket or pretty much anywhere, it also makes them susceptible to loss or theft. Depending on what type of information is stored on here, losing this device could expose your personal information. A USB drive could easily be misplaced, dropped or taken from a table so it’s important to be careful when using these devices.

Another thing to keep in mind is that files aren’t really deleted, even if you hit the “delete” button to take something off your USB drive. In this case “delete” really means “hide” so unless you run a “wipe” program to really get rid of the files, someone could still retrieve your data, so you still need to make sure you are careful with these devices.

So here’s some tips how can you ensure that you stay safe and protect your information when using USB drives:

  • Watch your USB drive – don’t set it down and make sure you keep track of it so it’s not lost or stolen.
  • Disable auto-run – Turn off auto-run on your computer so that if a USB drive has malware, then it won’t automatically be transferred to your machine.
  • Be careful who you share your USB drives with – Be careful what computers you place your USB drive in and who you let borrow your USB drive.
  • Use comprehensive security software – make sure your security software not only scans your computer for threats, but also any drives that are attached.

Remember just as with being online, we need to make sure our conveniences don’t expose us to risk.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Huge IE Attack: Will Microsoft fix It in Time while XP Users are Left to the Dogs?

If you have IE 6 through 11, watch out. There’s a glitch that enables hackers to exploit flaws in these systems. Microsoft is racing to fix this vulnerability bug. Unfortunately, news is not so good for those using Windows XP, because Microsoft has ceased support, period. This means no security updates. It’s estimated that almost 30 percent of all the personal computers across the world are using Windows XP. Business owners and other decision makers of organizations need to overestimate just how risky it is to cling onto an old favorite rather than promptly switch to a new system that has stronger support.

IESecurity researchers came upon the bug, calling it a “zero day threat”: The initial attacks occurred before Microsoft knew of the problem. Researchers also say the flaw has been exploited by a savvy hacker group with a campaign called “Operation Clandestine Fox.”

Nobody seems to know what makes this hacking group tick. Maybe they just want to get their hands on some sensitive military and financial institution data. Microsoft says that the attacker means serious business and can potentially gain massive control of the flawed system.

Protect yourself:

  • Do not use IE. Use another browser like Chrome or Firefox.
  • If you have Adobe Flash update it now or disable it immediately. The attacks depend on Adobe Flash.
  • Microsoft urges XP users to upgrade to Windows 7 or 8. If your PC can’t support these, buy a new one. Or, consider getting the Windows Upgrade Assistant from Microsoft, which can be downloaded.

With hackers swarming in like killer bees, knowing that XP’s support is over, XP users must stay in heavyweight mode for any attacks. Thieves can even use new security updates for Windows Vista (and later) as a guide to hacking into systems running on XP.

Anti-malware solutions aren’t very effective on operating systems that lack support, and hackers know this. But more alarming is that fewer users, including business owners, are ready to accept this or even have a clue about it. Regardless, update your antivirus now.

Though it seems that for good measure, Microsoft should provide one last support run for XP users who are affected by the bug, the software behemoth won’t budge.
Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Windows XP not dead yet—but users Beware

Would you reasonably expect success when attempting to drive cross country in a 1975 Pinto with balled tires, no brakes, dried cracked belts and with already 250k on the motor? You might if you didn’t stop and think about things.

winxpThe same is true of an individual or a business who’s still using a Windows XP operating system on devices that have even 1 megabyte of sensitive data. You cannot reasonably expect security with one of the most hacked operating systems in existence.

But I digress. Fret not, there’s temporary hope yet for Windows XP procrastinators: Microsoft is extending support into 2015. It was previously believed that April 8, 2014 was the end of the world for support towards MS Security Essentials, System Center Endpoint Protection, Forefront Endpoint Protection and Forefront Client Security.

This meant that on that date, new malware signatures plus engine updates to XP users would cease, even though updates for the same software that was running on Windows Vista would continue to be provided.

However, a recent blog post by Microsoft’s Malware Protection Center notes that XP users will continue receiving support—but it won’t last long: July 14, 2015 will be here before business owners know it.

With hackers swarming in like killer bees, knowing that XP’s support’s days are limited, XP users must stay in heavyweight mode for any attacks. Thieves can even use new security updates for Windows Vista (and later) as a guide to hacking into systems running on XP.

Anti-malware solutions aren’t very effective on operating systems that lack support, and hackers know this. But more alarming is that fewer users, including business owners, are ready to accept this or even have a clue about it.

After all, it’s estimated that almost 30 percent of all the personal computers across the world are using Windows XP. Business owners and other decision makers of organizations need to overestimate just how risky it is to cling onto an old favorite rather than promptly switch to a new system that has stronger support.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Tightening up Security is Everyone’s Responsibility

Most information technology (IT) experts are very much unnerved by cyber criminals, says the biggest study involving surveys of IT professionals in mid-sized businesses.3D

  • 87% send data to cloud accounts or personal e-mail.
  • 58% have sent data to the wrong individual.
  • Over 50% have confessed to taking company data with them upon leaving a post.
  • 60% rated their company a “C” or worse for preparation to fight a cyber threat.

Here is an executive summary and a full report of the survey’s results.

second study as well revealed high anxiety among mid-size business IT professionals.

  • Over 50% of those surveyed expressed serious concern over employees bringing malware into an organization: 56% for personal webmail and 58% for web browsing.
  • 74% noted that their organization’s networks had been infiltrated by malware that was brought in by web surfing; and 64 percent via e-mail—all in the past 12 months.

The above study is supported by this study.

  • 60% of respondents believed that the greatest risk was employee carelessness.
  • 44% cited low priority given to security issues in the form of junior IT managers being given responsibility for security decisions.

The first (biggest) study above showed that about 50% of C-level management actually admitted that it was their responsibility to take the helm of improving security.

And about half of lower level employees believed that IT security staff should take the responsibility—and that they themselves, along with higher management, should be exempt.

The survey size in these studies was rather small. How a question is worded can also influence the appearance of findings. Nevertheless, a common thread seems to have surfaced: universal concern, and universal passing the buck. It’s kind of like littering the workplace but then thinking, “Oh, no problem, the custodian will mop it up.”

  • People are failing to appreciate the risk of leaving personal data on work systems.
  • They aren’t getting the memo that bringing sensitive data home to personal devices is risky.
  • Web browsing, social sharing and e-mail activities aren’t being done judiciously enough—giving rise to phishing-based invasions.

IT professionals are only as good as their weakest link: the rest of the employees who refuse to play a role in company security will bring down the ship.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Analyze Security to reduce Threats

A deep analysis into security (security analytics programs) unveils some riveting areas that need to be addressed if business users are serious about reducing threats of data breaches.

1DReveal data leaks. Convinced your business is “data leak proof”? See what stones that security analytics turn over. Don’t be surprised if the leaks that are discovered have been ongoing, as this is a common finding. You can’t fix a problem that you don’t know exists.

An evolution of questions. Analytics programs can create questions that the business owner never thought to wonder about. Analytics can reveal trends and make them visible under the business owner’s nose.

Once these questions and trends are out of the closet, decision makers in the organization can have a guideline and even come up with additional questions for how to reduce the risk of threats.

Connections between data sources. Kind of along the same concept described in the previous point, security analytics programs can bring forth associations between sources of data that the IT security team many not have unearthed by itself.

Think of data from different sources being poured into a big funnel, and then what comes out the other end are obvious patterns and associations between all that data, even though it was “poured” from differing sources. When “mixed” together, the data reveals connections among it.

Uncovering these associations is important so that businesses can have a better understanding of disparate segments of their network, various departmental information, etc.

Discovery of operational IT issues. Take the previous points a step further and you get a revelation of patterns and connections in the IT operations realm—associations that can help mitigate problems with workflow and efficiency.

In other words, an issue with IT operations could be something that’s causing a drain on productivity, or, something that’s not creating a problem per se, but can be improved to spark productivity.

Uncover policy violations. Analytics can turn up policy violations you had no idea were occurring. Not all violations are malicious, but once they’re uncovered, they cannot be covered up; the next step is to do something about it.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Protection For Your Shiny New Devices

After Santa heads back to the North Pole, there will be many new devices in the hands of good girls and boys that will be targeted by criminals. With the enjoyment of these cool devices should come top-notch protection for them, as they can be vulnerable to a number of malicious threats.

5WLaptop or PC

What should your security software include?

  • A two-way firewall: monitors the activity on your devices making sure nothing bad is coming in (like unauthorized access) and nothing good is leaving (like your data).
  • Anti-virus software: protects your devices from malicious keyloggers and other badware.
  • Anti-phishing software: watches your browser and email for suspicious inbox activity.
  • Anti-spyware software: keep your PC spyware free.
  • Safe search capacities: McAfees SiteAdvisor plugs into your browser and tells you what websites are good and which are suspicious.

Go further with wireless network protection, anti-spam, anti-theft protection and parental controls.

Free software is not recommended, as it provides only basic protection and you’ll likely end up purchasing more anyways.

Make sure you have a subscription to software that’s automatically renewed every year so that you don’t forget. This is after you figure out whether or not your new device’s protection software is on a trial basis.

Smartphone or tablet

  • Be leery of third-party apps you install on your mobile phone, since malicious apps are the main threat.
    • Download apps only from reputable app stores.
    • Read reviews and make sure you know what information the app requests prior to download.
  • Use mobile security software that includes:
    • Anti-virus and malware protection
    • Anti-theft
    • App protection
    • Web protection
    • Call and text filtering
  • Turn off automatic connections to Bluetooth and Wi-Fi unless you’re using them.
  • Apply app and operating system updates.
  • Never store account numbers, passwords, etc., on your phone or tablet
    • Do not have your apps set to automatically.
  • Apple products are at highest threat; install security software that’s been designed just for the Mac.
  • Never leave your phone or tablet unattended.

Gaming or entertainment device

These devices are vulnerable to many of the same attacks that PCs are, since they’re connected to the Internet.

  • Create backups of your games.
  • Make sure you understand the built-in parental controls.
  • Never store personal information on this device.
  • Connect it only to a secure Wi-Fi network.
  • Use a secure, encrypted USB drive that will muddle up your information to make it unreadable to thieves.
  • Purchase security software to protect the portable hard drive; and set a password.
  • Employ technologies for protecting your information.
  • Never leave the USB drive unattended.

The most important thing to remember is “don’t worry about it” but definitely do something about it. Once you invest in your devices security go play, have fun and be smart about what you do online.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Why Should You Shop on Sites with Trustmarks?

With the holiday season in full swing, this is a busy time for a lot of us with parties, gift buying and possibly even figuring out travel arrangements. With all there is to do, many of us will turn to online shopping to help beat the crowds, find deals and not have to worry about what time we shop.

mcaWhile online shopping may be convenient, we also need to exercise some caution. After all, there are websites that are set up to sell fake or pirated digital downloads that can carry viruses or malware along with the product you thought you purchased legally. But there are also a lot of honest people who run legitimate e-commerce sites and care about the privacy and security of their customers.

So, how can you tell if a site is safe and protects your personal information? Well, one indicator of a safe site is one that displays a trustmark. A trustmark is a seal, logo, insignia or other icon that is usually placed on the site (often on the checkout/cart page) to show that the merchant is making an effort to protect you from cybercriminals and online fraudsters who might be out to distribute malware or collect your personal and financial data for the purposes of identity theft. There are a wide variety of trustmarks that indicate various levels of protection.

To better understand trustmarks, and how to use them, follow these simple tips:

  • Don’t just trust it; verify it! Trustmark providers usually provide a live link with their trust seal or icon that allows you to verify the trustmark and whether it is up to date. Don’t just look at the icon and assume that it is legitimate—click to make sure
  • Not all protection is the same. It’s best to conduct your own research on a trustmark to find out what it really means.  Look for regular audits, recent updates and other indications that it provides protection and security for your personal data.
  • Universal protection doesn’t exist. No single trustmark can guarantee protection against anything and everything. Be skeptical and do additional research if you encounter this claim.
  •  Details, details, details. Read the fine print on both the merchant’s and the trustmark provider’s sites. Prominent placement of a privacy policy might look secure, but what level of security and privacy does that policy really offer you?

Legitimate trustmarks can be helpful tools that let you connect with confidence when shopping online. Just remember to take the time to learn a little about the trustmarks you come across so you can make informed decisions about which sites to do business with in the future. For more tips on safe shopping this holiday season, read this blog or download McAfee’s eguide.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Hackers Hacked Away in Las Vegas

For the uninitiated, per WikipediaDEF CON” (also written as DEFCON or Defcon) is one of the world’s largest annual hacker conventions, held every year in Las Vegas, Nevada. The first DEF CON took place in June 1993.

Many of the attendees at DEFCON include computer security professionals, journalists, lawyers, federal government employees, crackers, cyber-criminals, security researchers, and hackers with a general interest in computer code, computer architecture, phone phreaking, hardware modification, and anything else that can be “hacked”.”

This year’s DEFCON expected 10,000 registrants. That’s a lot of hackers! One interesting tidbit about DEFCON is you can’t pre-register, as in give them your credit card ahead of time to book your spot because DEFCON only accepts cash! And for good reason!  What most people don’t realize is not all hackers are bad. Certainly “crackers and cyber criminals” are bad, but many hackers are full time security professionals and work around the clock to create the security software to protect us.

If you have someone local that does computer security or as it’s known in the industry “penetration testing” they will lock down your network and protect you from the “crackers and cyber criminals”.

Meanwhile if you are a do it yourself-er:

Lock down your wireless internet with WPA security. Check your owner’s manual.

Install antivirus or update your virus definitions automatically

Install spyware removal or make sure your antivirus is a “Total Protection” product

Make sure your firewall is turned on

Set your PC to update your critical security patched for your operating system.

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.

 

Beware Of PC Remote Access Assistance Scams

Admittedly, I don’t know EVERYTHING about computers. I know enough to break them and enough to fix them most of the time. But, occasionally I need help.  Generally that help comes in the form of remote assistance from Dell, where I buy all my PCs.

With each PC I get the 3 year Dell warranty, so if something fails they replace or will come in remotely and fix. Just this week, my built in webcam failed. Little bugger was working just fine, then, nothing.  So I reinstalled the software, rebooted and still no webcam. My fear was the hardware failed so I called Dell.

Dell tech support agents always request the user log into a website and punch a code, and then download a program that allows for them to come in and remotely access my PC to diagnose the issue. Every time this occurs I watch each move they make so I’m comfortable knowing they aren’t downloading or installing anything not approved to later access my PC. That said, I trust Dell and don’t think they’d do that, but its good security to watch.

The Windsor Star reports “police are warning people about a new scam to hit the area after criminals almost duped a man into handing over remote access to his computer, along with all his personal and financial information. The so-called technician started by telling the man his computer had sent an error message to Microsoft and he was calling to help him rectify the problem. The scammer told him to press “Windows Key + R” which opens the “Run” dialogue.”

Fortunately, the intended victim got suspicious and hung up.

In this process, if the victim moved forward, he would have inevitably downloaded a program and installed it on his PC that would have allowed the criminal the ability to come into the persons PC any time he wanted.

Any time anyone emails or calls you with a ruse that your PC needs attention, just hang up or delete the email.

And as for my webcam? Dells tech went into my device manager and uninstalled the cam and went to Dells website and got an updated version of my cams software. Apparently, an update I did corrupted the cameras software and the version I had was conflicting. I could have figured this out and it might have taken me another 30-90 minutes to do so. But one quick call to Dell and 10 minutes later it was done. Nice.  Not all remote assistance is bad.

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover.