Posts

The Growing Demand for Cybersecurity Professionals

Cybersecurity professionals are always in demand[i]. Threats to intellectual property and sensitive data constantly evolve with technology, which means a security professional’s job is never done. There’s always another security problem to solve.

Consider the recent proliferation of cyber attacks: it’s become easier and easier for a small group of people to compromise vast networks of corporate and government information. Worse still, cyber criminals are getting better at covering their tracks.

Experts believe the global shortage of top-flight cybersecurity professionals exceeds one million–our federal government is currently seeking more than 10,000 candidates. The trend will continue in the near future as more and more features of day-to-day living are converted to digital.

As the private sector feels the crush of data breaches, the increasing sophistication of attacks fuels demand to counter or prevent them. Unfortunately, cybersecurity is rarely considered a “glamor job.” Ask a hundred eight-year-olds what they want to be when they grow up and few (if any) will answer “cybersecurity specialist.”

But that’s all the more reason to consider a career in this booming field! Governments and private organizations of all kinds are desperately seeking skilled candidates to protect their data and critical infrastructures from cyber criminals. The shortage of cybersecurity talent is not simply a lucrative opportunity for IT experts–it’s a matter of national security in defense of privacy, property and fair commerce.

Simply stated: there have never been better opportunities for advancement in the cybersecurity profession.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.


[i]  http://www.bls.gov/opub/btn/volume-2/careers-in-growing-field-of-information-technology-services.htm

Hacker isn’t a bad Word

Did you know that the original meaning of hacker, as far as computers, was that of a person who built codes into computers? In fact, the bad guy was called a “cracker.” Somehow, “cracker” didn’t catch on. But the mainstream folk out there hears “hacker,” and right away, they think of a digital thief, often someone who breaks into governmental computer systems or Russian “hacking rings” that steal credit card numbers.

4DAn article at motherboard.vice.com mentions that Richard Stallman gets the credit for cracker. Stallman, creator of the GNU operating system, is quoted as saying, “I coined the term ‘cracker’ in the early ‘80s when I saw journalists were equating ‘hacker’ with ‘security breaker.’”

The news media began noticing hackers around 1980. Some hackers were security breakers. Security breaking is one thin slice of the pie, but the media jumped on this, creating the impression that hackers were bad guys.

The article also notes something that Biella Coleman explains. She’s a hacker expert and is quoted as stating that the American government “has tended to criminalize hacking under all circumstances, unwilling to differentiate between criminal activities, playful pursuits, and political causes.”

The reality is, is that a security breaker is no more a hacker than a home burglar is an architect.

In the 1990s were movies that portrayed hackers as cyber villains, and all along, the real hackers were trying to get the word out that “crackers” was the term of choice. But it just didn’t take.

Maybe one reason is because the word “hacker” has more of a novel sound to it. When you hear “cracker,” several possible things come to mind, including a detective who cracks a case, and something you put in your soup. But “hacker”? Wow – it has more punch. It conveys more action.

But how did innocent code writers get to be called “hackers” in the first place? Perhaps it’s because writing code is such an imperfect science—more of an art, full of bugs and crimps. Code writers must hack their way through muddle to get it right.

At this point, however, hacker is here to stay to refer to the bad guy, whether a teenager with too much time on his hands breaking into some company’s network, or an intricate Chinese cyber criminal organization that cracks into the U.S. government’s system.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Trusting too much brings Trouble

There will always be the person who lives on the Equator to whom you can sell an electric heater. As they say, there is a sucker born every minute.

12DThis is why cyber criminals will always have a field day, like the crook who posed as a tax man who got an elderly couple to send $100,000 to an offshore bank account after he tricked them.

This was a fear-based scam. The other two categories are compassion and self-interest. And just because a person can’t be frightened doesn’t mean that their heart strings can’t be tugged by a charity scam.

Elderly people and those with low income are more likely to be tricked. Other people…well, you just have to wonder what’s between their ears.

For example, the popular Microsoft scam involves a person calling the victim to tell them that their computer has a virus. The caller is a crook who wants to convince the victim to allow him remote access to the computer. Don’t the victims ever wonder how the heck Microsoft would even know their computer had a virus? Red flag, anyone?

Some say ask the caller for their number so you can call back–they’ll probably hang up. Probably. The scammer may have a number in place just to cover this possibility. Really, just hang up. It’s a scam.

Some people will just keep giving money out, again and again, to the same scammer; it’s not always a flash-in-the-pan payout. What compels them to behave this way? Perhaps it’s to continually convince themselves that they’re not dumb enough to be scammed.

Another way cons trap people is by asking for small amounts of money first; this lowers the victim’s guard.

More Popular Scams

  • Charity. These can range from natural disaster relief to donations for made-up charities, or those with names very similar to well-known ones.
  • Rental. The crook sends the landlord an overpayment by check of the first month’s rent before living there, then tells the landlord to wire back the difference. The check bounces.
  • IRS: Always hang up on callers identifying themselves as tax people claiming you underpaid or are owed a refund, even if the caller ID says “IRS.”

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Latest Russian Cyber Attack on White House a Boon for CISA

The Russians have come…again—in the form of hackers. Not long ago Russian cyber criminals busted into the U.S.’s State Department system and mangled it for months.

1DThis time, they got into a computer system at the White House. Luckily, this system did not hold any classified information, but nevertheless, the hackers got ahold of President Obama’s private itinerary. So it just goes to show you just what hackers a world away can do.

This isn’t the first time that the White House has been hacked into. Remember the attacks that were allegedly committed by the Chinese? These, too, did not involve sensitive information, but the scary thing is that these cyber invasions show how easy it is for other countries to bang into the computer systems of the No. 1. Superpower.

So President Obama’s personal schedule got hacked, and in the past, some White House employee e-mails got hacked. What next—top secret plans involving weaponry?

What the Russians may do next is of grave concern to the FBI. Perhaps the Russians are just teasing us with this latest break-in, and the next hacking incident will really rattle things.

Ironically, Obama had recently signed an executive order in the name of stomping down on cyber crime. Well, someone didn’t stomp hard enough, and the Russians, Chinese and everyone else knows it.

Obama’s efforts involve CISA: Cybersecurity Information Sharing Act. The Act would mandate that there’d be greater communication between the government, businesses and the private sector relating to possible cyber threats.

CISA is not well-received by everyone because it involves what some believe to be a compromise in privacy. This latest attack on the White House, say CISA critics, might encourage lawmakers to hastily pass the Act without first building into it some features that would protect the privacy of the private sector.

The chief concern, or at least one of the leading ones, of CISA opponents or skeptics is that of the government gaining access to Joe’s or Jane’s personal information. And why would the government want to get our private information? For surveillance purposes—that harken back to the efforts to increase cyber protection and prevent more hacking episodes.

The bottom line is that this latest attack by the Russians will surely add a few more logs to the fire in that lawmakers will feel more pressure than ever to strongly consider passing CISA.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. Disclosures.

Can Hackers Use FraudFox VM to Defeat Your Fraud Prevention?

In the last few days, a number of tech magazines like Computerworld and PC Advisor have reported that FraudFox VM poses a threat to the security of online businesses—especially banks and payment services.

4DFraudFox VM is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware’s Workstation for Windows or VMware Fusion on OSX. It’s for sale on Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or about $390.

FraudFox VM was created to defeat device recognition, or fingerprinting, which is used in fraud prevention to assess the risk of a device connecting to a business. Web browsers are used to collect data like operating system version, time zone and IP address. Each of these characteristic can be used to assess risk and uncover possible fraud.

So how worried should your business—and customers—be about this new software? I sat down with Scott Waddell the Chief Technology Officer of iovation, the fraud prevention experts, to find out what the reality is behind the media headlines.

  1. How reliant are banks and financial institutions on this kind of technology to stop fraudulent transactions these days? Is fingerprinting used more for mobile than on desktop?
    Banks leverage device reputation solutions with great success in both fraud mitigation and risk-based authentication strategies. Of course, good security is all about layered defenses, so smart banks use these tools as part of a defense-in-depth strategy to avoid over-reliance on any one security technology.Device recognition is used on all Internet connected devices these days, mobile and desktop alike. Mobile transactions are the fastest growing segment being protected with these tools, but the majority still originate from desktop operating systems.
  2. Do you think this would be an effective method for cybercriminals to get around those defenses?
    FraudFox VM may be interesting for its purpose-built virtual machine packaging, but there’s really nothing new in the approach. Tools have been available to fraudsters for years to facilitate changing device parameters, manipulating JavaScript, blocking data collection, obscuring IP address and location, and so on. Many of these capabilities have even migrated into easy-to-use settings in the major web browsers to make testing easier for web developers.Device reputation solutions have evolved along with such tools and continue to provide great uplift in fraud catch in spite of them.

    From the reported attributes that FraudFox can change, it would be unable to evade native recognition tools (those embedded in native desktop apps) and it would stumble over transactional similarity scoring on the web that considers more device attributes along with tagged recognition. So the tendency at financial institutions would be to trigger step-up authentication to one-time passwords through out-of-band channels (SMS, mobile app, voice) that FraudFox could not intercept.

  3. Is possible to fake browser fingerprints manually or using other tools? Does this thing look like a good consolidation of other tools that people might use to defeat fingerprinting?
    As previously mentioned, there are other tools and techniques fraudsters use to evade recognition or to try to mimic the devices of their victims. These often stand out from actual browsers in ways that defeat their intended purpose. A couple years ago, the Gozi Prinimalka trojan attempted to duplicate device attributes of compromised systems much as FraudFox VM aims to do. However, its limitations made it ineffective against modern device reputation offerings that evaluate risk and reputation through multiple strategies including link analysis, profiling techniques, velocity rules, proxy and Tor unmasking, device attribute anomalies, and more.FraudFox VM seems to be relatively limited in its capabilities considering the variety of techniques sophisticated fraud mitigation tools bring to bear.
  4. Any other thoughts?
    It’s certainly interesting to see tools like this for sale on Evolution, which appears to be catering to fraudsters and identity thieves. All the more reason for online businesses to take advantage of collaborative technologies that bring the power of community to the fight against the increasingly organized economy of cybercrime.

Fraudsters will always look for new ways to commit cybercrimes. However, a strategic, multi-layered approach to fraud prevention is the best defense.

Russian Hackers getting rich from your Identity

Where’s the $$$ at? Selling credit card data. Have you heard of the Russian hacking ring that raked in two and a half billion dollars? Check it out: 4D

  • Phishing attacks are lucrative for these cybercriminals.
  • ATM hacks continue to increase, in part due to targeted attacks and new software.
  • Smartphone attacks are on the upswing.

There are three ways criminals obtain credit card data, and selling it is enormous business. And data breaching at the point of sale has been a big issue for the past few years. POS attacks are conducted with skimming tactics or by using Trojans. Unless significant changes are made, look for POS attacks to swell up, not shrivel up.

Selling credit card information is such big business that there exist professional wholesalers who specialize in this. Ukrainian, Russiona and many in eastern Europe are some of the largest brokers of and the main suppliers of stolen card data. But the wholesalers who purchase his acquired data are also rolling in the dough.

More on the Russian Hacking Empire

  • Lots of DDoS attacks
  • Over a quarter of a billion dollars in the sale of nefarious products
  • Spam, spam and more spam: an $841 million goldmine
  • A rise in the number of crime rings, the result of the development of new ways to commit theft off of users of smartphones.
  • In fact, several new crime rings have emerged this year that center on bank theft of mobile device users.

There’s currently just no end in sight for the Russian hackers, and there perhaps never will be, especially since geography is a barrier to prosecution.

6 ways to watch your statements.

  1. Monitor your paper statements monthly
  2. Monitor your e-statments when they come in
  3. Login to your credi card company’s website as often as you can
  4. Download your credit card company’s smartphone app and check often
  5. Sign up for Mint or BillGuards credit card alerts
  6. Go to your credit card company’s website and sign up for text and email alerts for every transaction.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Mobile Employees Are a Security Risk

Not too long ago, the office computer filled an entire room. Now, it fills the palms of one-third of employees—those workers who use only the mobile device for their jobs. Security, however, lags behind in keeping up with this growing trend. This is the BYOD generation: bring your own device (to work).

8DIT departments need to keep one step ahead of this fast-growing trend. It’s here to stay, and one reason is because it’s responsible for significantly pumping up productivity. Employers love this. More productivity = higher profits. You’d think that some of these increased profits would be reinvested in security training that correlates to the BYOD movement, since the BYOD movement strongly correlates with an increase in data breaches and risks of breaches.

But it’s not. Organizations still aren’t seeing the light.

A recent Ponemon Institute survey reveals that for a large portion of employees, the mobile device is a first-line medium for conducting business. That one-third figure mentioned earlier is forecasted to jump to 50 percent over the next 12 months.

With all the improvements in productivity comes a corresponding jump in the risks of data breaches—both intentional and accidental. The survey reveals that 52 percent of the participants said that security training for smartphones was shelved in the name of sharpening worker productivity.

Another finding: One-third of businesses don’t even have existing security programs for the BYOD’ers. About three-quarters of respondents said that their existing security was lax. And don’t think that security risks mean only computer viruses, phishing e-mail scams, being lured to malicious websites, being tricked into downloading malware, etc.

There’s a huge risk in the form of roving eyes. A “visual hacker” uses his eyes, and sometimes with the assistance of binoculars or a mobile device camera, to prowl for unguarded computer screens in public like at airports, hotels and coffee houses. He swipes sensitive data by recording it with a camera or seeing it and then writing down what he sees or even memorizing it. Workers can prevent “shoulder surfing” with the ePrivacy Filter software by the 3M company. Combine this software with a 3M Privacy Filter, and the user will be able to thwart a hacker hovering over his or her shoulder from virtually any angle.

The typical business, says the survey, handles 20,000 mobiles, and that number is fast-rising. This will heap on the pressure to implement solid security plans. Managing each device won’t be cheap, either, but a pricey stitch in time will save an obscene expense times nine.

Sixty percent of the survey takers said that mobiles have made employees rather lazy with security awareness. There’s definitely a human factor involved with all of this that businesses must address.

If employees want to use mobiles to conduct business, they should also embrace the responsibility that comes with the use of these devices—that of being willing to learn how to keep the sensitive data that’s stored in these devices safe, and also being willing to learn how to recognize social engineering and other cyber criminal tricks.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

Visual Hacking is High Tech Shoulder Surfing

A visual hacker can infiltrate you—from the outside in. Quite literally, a person (ranging from a snoop to a cyber criminal) can peer over your shoulder while you’re using your computer or mobile (“shoulder surfing” or “visual hacking”), and collect your personal information—whatever you have up on the screen.

4DThis is so easy to observe Go to any airport or café and you’ll see scores of people using their laptops, headset on, head nodding to some beat, totally oblivious that a world exists beyond their little comfy spot.

However, shoulder surfing can also happen from a distance, e.g., a thief using binoculars or a small telescope. He can be nearby aiming his high-quality smartphone camera at the user. A cheap camera can be hidden near a spot where people often settle down with their devices, aimed right where people most often open their laptop or whip out their mobile.

You might be able to prevent shoulder snoopers by covering your screen with a hand, but this isn’t practical. If you’re working remotely, you should think about setting yourself up so that passers-by can’t see your screen, such as sitting up against a wall. However, these maneuvers aren’t always possible and you know that you need protection every single second to prevent information you are working on from a potential leak.

A recent survey of IT professionals found that 82 percent had little to zero confidence that employees were capable of concealing their device’s screen from peeping eyes; 82 percent believed it was possible that data had already been viewed off of their screens by the wrong eyes; and 85 percent reported being able to view sensitive data on a screen that they were not supposed to be looking at. So why aren’t more people – and more importantly, more organizations – taking the necessary precautions to protect their visual privacy?

From login credentials to company directories to confidential financial figures – data that can be visually hacked is vast and what a hacker can do with that information is even more limitless. To prevent people from handing over the proverbial “keys to the kingdom” through an unwanted visual hack 3M now offers its ePrivacy Filter software. When paired up with the traditional 3M Privacy Filter, which blacks out side views and helps prevents hackers from stealing a glance at your screen, the ePrivacy Filter notifies you when someone is peering over your shoulder. You can now protect your visual privacy from nearly every angle.

Not only do thieves try to see what’s on the screen, but they’ll also study the user’s fingers at key times, such as right after they open the laptop. This could be the password they’re typing in to gain access to the device. A skilled visual hacker can determine which group of keys was pressed, then confine a brute-force attack to those characters to crack the password.

If you think shoulder surfing is uncommon and more so the product of overactive imaginations, think again. Take yourself, for example. Imagine being on a long flight. You’re wide awake but drained from using your device and reading magazines. Sooner or later (and you know this), your eyes will drift towards the stranger seated next to you—to see what’s on their screen. Since you, an honest, non-criminal person, is apt to do this, imagine how tempting it is for thieves.

Research results that were released last year revealed that 72 percent of commuters in the UK peer over the shoulder of fellow commuters. But don’t think that shoulder surfing is confined to the public; it can also take place right inside your office building. This can be particularly true for offices with an open floor plan design. With more and more screens out in full view and not enough attention paid to the types of data being accessed for all to see, you can never let your guard down when it comes to protecting confidential and sensitive information.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

What is a Computer Worm?

Worms. Most of us probably think of them as those squirmy invertebrates we dissected as a kid or found on the sidewalk after a storm. You might have used them as bait for fishing (not phishing), to pull a prank or have even eaten them (no judgment).

6DWhether you like worms or not, there’s one kind of worm that definitely isn’t your friend—the computer worm. This kind of worm is a computer program that can replicate and send copies of itself to other computers in a network. Worms are considered a subset of viruses, but unlike viruses they can travel without any human action.

Most worms are designed to exploit known security holes in software, although some spread by tricking Internet users. Mass-mailing worms, for instance, spread via email or instant message (IM). They arrive in message attachments and once you download them the worm silently infects your machine. Peer-to-peer (P2P) networks are another avenue for worms: cybercriminals upload infected files with desirable names to entice users into downloading them. And once you download the file your computer is infected.

Once your machine is infected, the worm can corrupt files, steal sensitive information, install a backdoor giving cybercriminals access to your computer, or modify system settings to make your machine more vulnerable. They can also degrade your Internet connection and overall system performance.

The good news is there are steps you can take to keep your computer from being infected:

  • Don’t download or open any files on P2P sites.
  • Since some worms now have a phishing component—meaning that they try to trick users into running the malicious code—do not click on links in unexpected emails and IMs, or download attachments connected to them.
  • Use comprehensive security software, like McAfee LiveSafe™ service, with a software firewall to block unauthorized traffic to and from your computer. Make sure to keep your security software updated.

If you fear that your machine is already infected, immediately run a security scan.

Of course, given the fast-moving nature of Internet worms, your best bet is to be cautious and take steps to avoid getting infected in the first place.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Cybersecurity Insurance still Requires Cybersecurity

OpenSSL vulnerabilities are sticking around for a while. In fact, recently two new ones were announced: One allows criminals to run an arbitrary code on a vulnerable computer/device, and the other allows man-in-the-middle attacks. A more famous openSSL vulnerability that made headlines earlier this year is the Heartbleed bug.

3DMight cybersecurity insurance be a viable solution?

As reported in SC Magazine, Yes, says Hunton & Williams LLP. Cybersecurity insurance fixes the problems that these vulnerabilities cause—that technology alone can’t always mitigate.

Hunton & Williams LLP reports that GameOver Zeus malware infiltrated half a million to a million computers, resulting in gargantuan losses to businesses and consumers. The firm says that antivirus software just isn’t enough to prevent mass infection. The fact is, advances in malicious code have rendered antivirus software frightfully weak, continues the firm..While not everyone agrees on this point, Hunton & Williams recommends a proactive approach which includes assessment of risk transfer methods, e.g., insurance.

Laurie Mercer, from the security consulting company Contest Information Security, also believes in cybersecurity insurance. Mercer uses cars as an analogy. A car must stick to safety standards. The car gets serviced every so often. But the car also has various buttons and whatnots inside that can alert the driver of a problem.

Likewise, with cybersecurity, products can be certified with commercial product assurance accreditation. A website can get a regular security audit every so often. And like the interior buttons of a car, a website can have a response strategy to a cyber incident or some kind of detection for an attack. However, the car should still be insured.

At a recent SC Congress London, Sarah Stephens from Aon EMEA pointed out that cyber insurance is rising in popularity. But Andrew Rose, a security analyst with Forrester, noted that many threats can be resolved with adequate plans in place.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.