Posts

Deepfakes and the Impact on Cybersecurity Now and in the Future

Can you believe what you see in a video? Most people say ‘yes,’ but the truth is, you no longer can. We all know that photos can be altered, but videos? Thanks to artificial intelligence, these, too, are being altered at a very quick rate.

These videos, known as “deepfakes,” are out there, and they are doing a number on cybersecurity. In fact, leaders in the cybersecurity sector are warning consumers that high tech video alteration is here, and it is very difficult to tell with the naked eye whether or not a video is real or fake.

Leaders in cybersecurity shared an example of how this works. Basically, they created a video of a man, Steve Grobman, an executive from McAfee, speaking. However, the words he was speaking were not his own; they were the words of Celeste Fralick, a female data scientist, who had created this deepfake video to make a point. This might seem like a fun trick to play on your friends, but in reality, it could have a huge impact on cybersecurity, as things like phishing and social engineering will become easier than ever for hackers.

Deepfakes and artificial intelligence can also be used for audio too. Meaning a person’s words can be spliced together seamlessly to create full sentences. Joe Rogan the comedian and podcaster who has 1300+ podcasts was used as a demo. But even more disturbing is Joe Rogans voice with Taylor Swifts face.

What could this mean for you? Well, since it’s so relatively easy to make a video like this, it could cause some real issues for the public. One way that it could be used is to start with a photo, and then change a very small part of it. This change would be unable to be noticed by a human, but the change would be enough for AI to see the photo as something else. So, if you can confuse something like artificial intelligence, you could certainly confuse the systems that are built to stop cybersecurity.

This could have a lot of negative impact on all of us, and it could really give a boost to those who make a living in taking advantage of others via cybercrimes.

The good news is that though this type of technology could be used for bad, artificial intelligence could also be used for good things. For example, the technology could be used to create a crime map of where crimes have happened and where arrests could be made, which would make our streets, safer. At the same time, it could also be used by criminals to know where they could commit a crime without being arrested. You could also look at it like this. During World War II, more than two million people were killed by bombs that were dropped from airplanes. Based on that information, Orville Wright, the inventor of the airplane, was asked if he regretted this invention. He said ‘no.’ Why? Because he looked at the airplane as similar as to fire; it could cause terrible destruction, but at the same time, it is so very useful. This new technology is the same, and it will be interesting to see how it comes to truly be used in the future.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Want to be a Cybercriminal? Try Facebook

When you think of a cybercriminal, you probably picture someone in a black hoodie in a dark room on the dark web, but most cybercriminals are out there in plain sight, including on Facebook.

facebook security

Talos, a cybersecurity firm, found that people can easily join Facebook groups, and then participate in cybercrime including buying and selling credit card info, obtaining spamming tools, or even getting account logins and passwords. All in all, these groups have almost 400,000 members.

Though that does sound like a lot, and it is a lot, you also have to remember that Facebook has about 2 billion users logging into the site each month. With that number of people, it is difficult for the social media giant to deal with these groups.

The failure of Facebook to remove these cybercriminals shows that it is struggling to keep bad online behavior at bay, and this also include hate speech, inciting violence, and sharing false information. This also, of course, show how this behavior can be amplified by the algorithms that Facebook uses.

These groups are easy to find on Facebook. All you have to do is type things like CVV or spam. Once you join one of these groups, Facebook’s algorithms come into play and suggest other groups that are similar in nature. Plus, Facebook doesn’t have a great way to catch these criminals, as it relies on reports from other users to stop this type of behavior.

Because of this, Facebook really has a long way to go before it stops relying on the reports of its users. It’s also true that these reports aren’t always taken seriously, and they often fall through the cracks.

One such example of this is with the recent terrorist attack in Christchurch, New Zealand. The gunman who was responsible for the attack streamed his murderous act on Facebook Live. Though Facebook eventually took the video down, it was seen by thousands of people. However, Facebook said that it had no report of the video during the attack, which is why it took so long to remove it.

Knowing all of this, Talos tried to take on some of these crybercrime groups through the reporting system at Facebook. Some of these groups were, indeed, removed from the platform, but others were not. Instead, only specific posts were removed, while the group itself was able to live another day. Talos kept reporting these groups, however, and eventually, most of them were removed. However, new groups are now popping up to take the removed groups’ places. Facebook has acknowledged that there is a problem, and it admits that these groups have violated its policies. It also said that it knows that more vigilance is required and that it is investigating all types of criminal activity on the platform.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Background Checks Don’t Tell the Whole Story

When it comes to background checks, the National Crime Information Center is the gold standard. It is only available to law enforcement agencies and is the most accurate and complete database tracking convictions and arrests in the US. That sounds pretty great, right? Unfortunately, it’s not all as it seems.

The Department of Justice

The Department of Justice recently released a report based on a two-year study of convictions and arrests from 2016. The report shows that a very low percentage of convictions and arrests actually make it to the National Crime Information Center. What does this mean? It means that even if a commercial background check company is using the best information, it’s only able to get information on about 13% of all crimes. On top of that, there is a pretty standard 30% error rate on background checks based on factors such as typos, misspellings, and data entry errors. Yikes.

The Reliance of Background Checks

It doesn’t matter if you are an employer, a landlord, or even a private citizen hiring a babysitter or contractor, odds are good that you think a criminal background check is a good idea. But, the fact that we not only rely on these checks, but also believe that they are fool-proof, is quite problematic.

Other Implications of Background Checks

The inaccuracy of background checks is only one of the issues associated with them. Another issue is that there is a big possibility that these commercial background checks could violate the Fair Housing Act because it might be seen as intentional discrimination. Additionally, though people with criminal records are not protected under the Fair Housing Act, statistically, this creates a disproportionate impact on minorities. According to the Fair Housing Act, minorities are protected.

Though it seems like a great idea to run a criminal background check, as you can see, it’s not always a black and white result. Criminal history databases are not complete, there are high rates of errors, and these background checks might be violations of the Fair Housing Act. At the very least, someone could have a good case against it if you use a criminal background check as a basis for a housing decision. When thinking about if a background check is worth it or not, it probably is, but you also have to be aware of the possibility that you are not going to get the entire story.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

A “Credit Profile Number” is a fake SSN, and it Works

Cyber criminals are constantly trying to stay one step ahead of the good guys, and there is now another scam out there that you should know about: synthetic identity theft. Basically, the criminals take information from someone, and then make up the rest. They also often use fake Social Security numbers, called CPNs, or “credit profile numbers,” or names.

This type of identity theft shows us that our credit system is more vulnerable than we might think. Basically, it is easy to create a credit file on these identities, and once they have that, they can get a credit card or loan.

Of course, using a CPN like this on an application for credit card or loan is illegal, but lenders currently don’t have a conclusive way of distinguishing a real Social Security number from one of these fake ones. The Social Security Administration generates SSNs randomly. This makes it difficult for a lender to notice a fake one. Technically, a lender can contact the SSA and cross-check, but most of them don’t. Why? Because the SSA requires a handwritten signature from the person who has that SSN, and this is a pain in the neck for lenders.

So, of course, the best thing to do is to create a way for lenders to instantly check to see if a Social Security number is valid or not, and as of now, they do not have the capacity to do this. Lenders do, however, use their own fraud-detection tools, but these requests for credit still fall through the cracks.

This practice also has created more open windows for fraudsters, because they know that the system is vulnerable. It’s true that many lenders won’t accept a credit application from someone with no history of borrowing, which is the case with a CPN, but some still do, and the more activity the file sees, the more likely it is that credit will be given. Once credit is approved, a full credit report is created. Though it likely won’t be a high amount of credit, many lenders take a chance on new borrowers, and at a minimum, extend a couple of hundred dollars. Some people will even get a card that has, say a $300 limit, and use the card for a time. Once they establish a good payment history, they can get a credit increase, and that’s where the fun really begins.

This is just one more scam that you should be aware of, and one more reason to keep your private and personal information safe.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Be aware of all these Confidence Crimes

Criminals have a reliance on tricking victims to get access to account information, like passwords. This is known as social engineering, and is also called a “confidence crime.” These come in many forms:

Do Not Take the Bait of These Phishermen

  • A phishing email that targets a specific person is known as spear-phishing. A spear-phishing email looks like an email that might come from a legitimate company to a specific person. For example, a thief might send a fake email to a company’s employee who handles money or IT. It looks like the email is from the CEO of the company, and it asks the employee for sensitive information, such as the password for a financial account or to transfer funds somewhere.
  • Telephones are used for phishing, too, also called “vishing,” which is a combination of phishing and voicemail.
  • Fake invoices are also popular among hackers and scammers. In this case, a fake invoice is sent to a company that looks like one from a legitimate vendor. Accounting pays the invoice, but the payment actually goes to a hacker.
  • Another scam is when a bad guy leaves a random USB drive around the office or in a parking lot. His hope is that someone will find it, get nosy, and insert it into their computer. When they do, it releases malware onto the network.
  • Cyber criminals also might try to impersonate a vendor or company employee to get access to business information.
  • If someone calls, if you get an email, if the doorbell rings, or if someone enters your office, always look at it with suspicion.

Be thoughtful about security:

  • Set up all bank accounts with two-factor authentication. All web-based email accounts should have two factor authentication. This way, even if a hacker gets your password, they still can’t access your accounts.
  • Train staff to be careful about what they post on social media, such as the nickname the CEO goes by in the office.
  • Do not click any link inside of an email. These often contain viruses that can install themselves on your network.
  • Any requests for money or other sensitive data should be verified over the phone or in-person. Never just give the information in an email.
  • All money transfers should require not one, but two signatures.
  • Make sure all employees are fully trained to recognize a phishing attempt. Also, make sure to stage phishing simulation attempts to make sure they are following protocol.
  • Help people understand the importance of looking out for things like a new email address for the CEO or Kathy in accounting suddenly signing her name Kathi.
  • Also, teach staff to report any uncharacteristic behaviors with long-time vendors or even fellow coworkers.

I once presented a security awareness program to a company that was almost defrauded. They hired me because of an email accounting had received from the CEO. The CEO sent a nice proper letter to accounting requesting payment be made to a specific known vendor.

A number of things were wrong with the email. First and foremost, like I mentioned, the email was nice and proper. Apparently the CEO isn’t all that nice, is somewhat of a bully, and all his communications are laden with profanity. So the red flags, where the fact that the email was nice. Imagine.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Researchers Say Office of Personnel Management Hack Leads to Ransomware

In June, 2015, it was revealed by an anonymous source that the Office of Personnel Management was hacked. This office, which administers civil service, is believed to have been the target of the Chinese government. This is one of the largest hacks in history involving a federal organization.

Slowly, the motivation behind the hacking is being understood. At first, it seemed obvious, the stolen data being personally identifiable information, which is what was taken can be used for new account fraud. But in government breaches, they usually look for military plans, blueprints, and documents that deal with policy.

The question, of course, is why did the hackers focus on this information? Well, some of the data that was taken was used to launch other attackers against contractors, and this resulted in the access to several terabytes of data.

Now, those who have become victims of this attack have found themselves being the target of ransomware.

Security experts have recently noticed that the victims have been getting phishing emails, and these messages look like they are coming directly from the Office of Personnel Management. When these emails arrive, the body and subject of the message seem as if the email contains an important file. When the unsuspecting victim downloads the .ZIP file, however, they instead receive a type of ransomware called Locky.

These attacks are much more dangerous than the average phishing attack. This is mainly due to the fact that they are being received by those who have worked with the Office of Personnel Management before. Thus, they have seen the genuine emails from the office, which look remarkably similar to the fake ones. The only thing that set the two emails apart was a typo that said “king regards,” instead of “kind regards,” and a phone number that doesn’t work. These are details that many people overlook, which makes it easy for hackers to be successful with these schemes.

Who was Really Behind This Hack?

Though experts believe that the Chinese government is behind this hack, there are some facts that look a bit fishy. For instance, since personal data was taken and data has been taking hostage, this seems much more like a typical cybercrime operation instead of something that a nation would do. After all, why would China be looking for a few hundred dollars from people who want their files back?

Of course, this could be a smokescreen and someone could just be using this attack as a smokescreen…and while experts are focused on this, the real attack could be planned for the future.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to Make $5 Million a Day in Cybercrime

This post isn’t exactly a “how to” but if your current employment isn’t bringing in the bacon, I’m sure your criminal mind can figure it out. In the biggest digital advertising fraud in the history of the U.S., it was recently found that a group of hackers is bringing in from $3 million to $5 million a day from media companies and brands. That’s some scratch!

11DWhite Ops, an online fraud-prevention firm, uncovered this campaign, which they have called “Methbot,” and the firm found that the campaign is generating more than 300 million video ad impressions each day.

AFT13, which is a cyber criminal gang, has worked to develop the Methbot browser, which spoofs all of the interactions that are necessary to initiate and carry out these ad transactions.

The hackers, which are allegedly Russia-based, have registered more than 250,000 distinct URLs and 6,000 domains, all of which impersonate US brand and companies, including Vogue, ESPN, Fox News, Huffington Post, and CBS Sports. They then take these sites and sell fake ad slots.

The cybercriminals that are behind Methbot are using their servers, which are hosted in Amsterdam and Texas, to give power to almost 600,000 bots. These have fake IP addresses, most of which belong to the US, and this makes it look like the ads are being viewed by visitors in the US. The criminals then get video-ad inventory, which they display on the fake media website that they have created. They get top dollar for this, and they trick the marketplace into believing that this content is being seen by legitimate visitors. In reality, however, these ads are being “viewed” by fake viewers thanks to an automated program that mimics a user watching an ad.

To make the bots look even more real, the group also uses methods such as fake clicks, mouse movements, and even social network login info. White Ops has also found that this fake army of viewers has amassed about 300 million ad views each day, and it has an average payout of about $13 per every 1000 views. If you multiply this by the compromised IP addresses out there, the money is rolling in.

White Ops believes that the Methbot empire has created from 200 to 300 million fake video ad impressions each day, which targets about 6,000 publishers. In a 24-hour period, this is generating somewhere between $3 and $5 million in each 24-hour period.

While the operation has its headquarters in Russia, White Ops can’t say for sure that Methbot has Russian origins. The good guys have been in contact with the FBI, and together, they have been working towards stopping this scam for several weeks.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

10 ways to beef up Digital Security

#1. Keep everything up to date. You know those annoying popups telling you updates are available? Do you ever click out of them? Don’t. Always update at the time these appear.

2D#2. Two-step verification. Two-step verification or authentication should be set up for all your accounts that offer it. A unique one-time code is sent to the user’s phone or via e-mail that must be entered in the login field.

#3. Unneeded browser extensions? Review your browser extensions. Uninstall the ones you don’t use. Too many extensions can slow down your computer.

#4. Encryption. Encryption software will scramble your e-mail and other correspondence so that prying eyes can’t read them, but you and your intended correspondent can. If you must use public Wi-Fi (like at a coffee house), install a virtual private network to encrypt transactions.

#5. Lock screen protection for your mobile device. Your smartphone has lock screen protection in the form of a password to prevent a non-authorized user from gaining access. If you leave your phone lying around or lose it, you’re protected if you have a password. Otherwise you are screwed.

In the same vein, your laptop should have protection from non-authorized users. Set up a password that allows access to using the device, including after hibernation periods.

#6. Check active logins. Some accounts allow you to check active logins to see if any unauthorized users have been in your accounts, such as Twitter, Facebook and Gmail.

#7. How easy can someone impersonate you? Could anyone phone your bank or medical carrier and give the correct information to bypass security, such as your “favorite pet’s name”? Who might know this information? Well, if it’s on your Facebook page, anyone who can view it. How much of your personal information is actually online?  Many accounts allow a “secondary password” Ask them.

#8. Simple but powerful layers of protection.

  • Don’t have login information written down on hardcopy.
  • Cover your webcam with tape (yes, cybercrooks have been known to spy on people this way).

#9. Sharing your personal life with the whole world. Set all of your social media accounts to the private settings you desire. Do you really want a potential employer to see you hurling at your late-night party? Make sure images that you post are not geo-tagged with your home address.

#10. Web tools. Check out the various toolbars that you can add to your browser to beef up security. Be selective and check ratings.

Robert Siciliano, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to digitally detox on Vacation

Many years ago when you were on vacation, before Facebook, Instagram and Twitter were invented (assuming you were an adult then), you had a great time, right? You weren’t “connected,” because there was no social media to be connected with.

2DIf today you can’t imagine being disconnected from social media while on vacation, ask yourself how this can be, if years ago, you never missed what had not yet been invented.

And what about constantly checking e-mail while on vacation? Or constantly perusing various websites with your mobile while at the beach?

Intel did a recent study:

  • 55% of Americans can’t disconnect while vacationing.
  • Two-thirds actually wanted to disconnect (detox), but less than half actually did so.
  • But when they did disconnect, 88% reported feeling okay about it and connecting better with travel mates.

Motivation to Detox

  • Know that cybercrooks are banking that vacationers do not disconnect.
  • Vacationers are especially vulnerable when they use public Wi-Fi, as cyberthieves can “snoop” on login entries and steal login information (such as to your bank, or get your credit card number when you online shop at the coffee house).
  • Can’t stay away from your e-mail when vacationing? Cybercrooks can gain access here, too.
  • Though installation of a virtual private network will prevent cyber snooping, it won’t prevent shoulder surfing, or thieves using high powered cameras to capture what you’re doing across the coffee house.
  • Of course, your devices should have security software that’s always updated.
  • Your devices should be password-protected as well.
  • Before embarking on your vacation (and not a few days before, but a few weeks before), practice disconnecting for 24 hours. If you must check your e-mail daily for business purposes, at least practice disconnecting from social media for 24, even 48 hours. Can you do it?
  • Can you stay off your mobile device while waiting at the dentist’s office or at the motor vehicle agency?
  • These “home” practice sessions can help you overcome withdrawal symptoms of not checking Twitter, Facebook or e-mail every 10 minutes.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Your Ransomware Response: Prepare for the Worst

A ransomware attack is when your computer gets locked down or your files become inaccessible, and you are informed that in order to regain use of your computer or to receive a cyber key to unlock your files, you must pay a ransom. Typically, cybercriminals request you pay them in bitcoins.

binaryThe attack begins when you’re lured, by a cybercriminal, into clicking a malicious link that downloads malware, such as CDT-Locker. Hackers are skilled at getting potential victims to click on these links, such as a phony e-mail, apparently from a company you do business with, luring you into clicking on a link or opening its attachment.

And if you find your computer is being held hostage:

  • Report it to law enforcement, although it’s unlikely they can provide help. It’s just good to have it recorded.
  • Disconnect your computer from its network to prevent the infection from spreading to other shared networks.
  • You need to remove the ransomware from your computer. Remember, removal of the ransomware won’t restore access to your files; they will still be encrypted. To remove ransomware from your computer, follow the steps provided here.
  • If you already had your data backed up offline, there’s no need to even consider paying the ransom. Still, you will want to remove the ransomware and make sure your backup solution was working.
  • But what if very important files were not backed up? Prepare to pay in bitcoins. The first step is to find out what the experts say about making payments in bitcoin.
  • The crook will be essentially impossible to trace. You’ll be required to make the payment over the Tor network (anonymous browsing).
  • Finally, don’t be shocked if the crook actually provides you the decryption key—essentially a password; ransomware thieves often follow through to maintain being taken seriously. Otherwise, nobody would ever pay them. But it would not be unprecedented to not receive the key. It’s a gamble.
  • The best course of action is to prevent a ransomware attack, and that means looking for all the clues to malware and phishing scams. Don’t let threatening e-mails, saying you owe back taxes or bank fees, jolt you into hastily clicking a suspicious link or attachment. If you regularly back up your data online and to an external drive, then you’ll never feel you must pay the ransom.

Robert is a security analyst, author and media personality who specializes in personal security and identity theft and appears regularly on Good Morning America, ABC News and The TODAY Show.