Posts

Dept. of Homeland Security Computers Vulnerable

There’s a problem on the home front: security lapses in the computers of the Secret Service and Immigration and Customs Enforcement, says a report on townhall.com. These departments were recently audited, and weaknesses were revealed.

1DRecently, hackers got into the White House, State Department and the Office of Personnel Management, among other entities. And this has caused the public to wonder about just how strong cybersecurity is for the U.S. government. So thus, the audit was carried out.

The root of the problem may be inadequate training of the investigators and analysts for the Department of Homeland Security. This seems to have stemmed from Congress cutting corners with the training budget. The internal websites for the Secret Service and ICE were shown to be deficient.

How many employees are in the Department of Homeland Security? 240,000. That’s a lot of potential for inadequate training to result in the accidental opening of a back door for hackers.

The audit made nine recommendations to the DHS. The DHS has reported that it’s been making efforts to address these recommendations.

  • The Secret Service and ICE are responsible for coming down on financial fraud, money laundering, identity theft and fraud involving banks and credit cards.
  • The National Protection and Programs Directorate (NPPD) was also audited, and this entity is responsible for the security of government computers.
  • ICE, the Secret Service and the NPPD blame Congress for the security lapses. They point out that Congress has a stop-and-go style of funding for cybersecurity, because Congress will not authorize ongoing funding throughout the year.
  • In fact, an ICE analyst revealed that he had to pay out of pocket for cybersecurity training, and thanks to the limited budget for this, was not able to attend formal training in four years.

The report states that employees may not be able to perform assigned incident responses to a cyber attack, nor efficiently investigate such an incident, as long as training was come-and-go and only peppered throughout the DHS instead of being department-wide.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Opportunities in Government for Skilled Security Personnel

As recent data breaches have shown, cyber attacks are particularly threatening to government entities handling sensitive data like Social Security numbers. Unfortunately, state agencies struggle to hire cybersecurity professionals.

The cause of this staffing shortage? There simply aren’t enough qualified people for the job[i]. Thankfully, change is in the air.

To attract skilled cybersecurity experts, some state governments are expanding IT internships for high school and college students. Many are offering more money, telecommuting jobs and flexible hours in hopes of landing the right candidates.

Some challenges states face in the hiring of skilled IT staff include:

  • Recruiting new workers to fill vacant IT slots
  • Offering competitive salaries to entice skilled professionals from the private sector
  • Filling senior-level IT positions quickly
  • Retaining skilled employees and minimizing turnover

One novel approach is “cross-training” talent: state governments have begun rotating cybersecurity employees through different positions to improve skills quickly. Like an endurance athlete cross-training with weight lifts and short sprints, exposure to different kinds of threats, networks, technologies and security strategies rapidly builds expertise among IT professionals and provides meaningful training for young hires. Cross-training can help improve retention while bolstering a state’s digital security apparatus.

Aspiring cybersecurity professionals should explore options in the public sector. Government employment offers a meaningful, multidisciplinary approach to continuing your cybersecurity journey.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.

[i]  http://www.bls.gov/opub/btn/volume-2/careers-in-growing-field-of-information-technology-services.htm

Very Bad People for hire online

The Deep Web is not a nice place. Here, people can hire assassins, take ransomware payments, purchase U.S. citizenship without revealing their identity, among other things, says an article on darkreading.com.

6DThis information comes from Trend Micro, which used a tool called the “Deep Web analyzer,” something of a web crawler, that collected URLS that were linked to TOR- and I2P-hidden sites, domains with nonstandard TLDs and Freenet resource identifiers, says darkreading.com.

The Deep Web is that portion of cyberspace that’s not indexed by the search engines. The Dark Web is part of the bigger Deep Web, accessible only via special tools.

A Dark Web user could literally hire a rapist or assassin. In fact, assassins even advertise, such as the group C’thulhu. Pay them their fee and they’ll maim, cripple, bomb and kill for you.

$3,000 will get you a “simple beating” to a “low-rank” target. $300,000 pays for the killing of a high-ranking political figure, staged to look like an accident.

Users can also hire (and do so much more commonly than the above) cybercriminals and child exploitation services.

The article points to additional research of the Deep Web, that cybercrooks use anonymization tools in creative ways. In fact, they are using TOR for the hosting of their command-and-control infrastructure. TorrentLocker is a type of malware, and it uses TOR to accept Bitcoin payments and host payment sites.

In other words, cybercriminals are using the Deep Web/Dark Web more and more commonly these days. TOR is being used for cybercriminals to receive payments for their hacking services.

But that’s not the biggest problem of the deep, dark Web, is it? As mentioned, it can be used to hire someone to murder. Just what will all of this eventually evolve into in the next 10 years?

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

The Growing Demand for Cybersecurity Professionals

Cybersecurity professionals are always in demand[i]. Threats to intellectual property and sensitive data constantly evolve with technology, which means a security professional’s job is never done. There’s always another security problem to solve.

Consider the recent proliferation of cyber attacks: it’s become easier and easier for a small group of people to compromise vast networks of corporate and government information. Worse still, cyber criminals are getting better at covering their tracks.

Experts believe the global shortage of top-flight cybersecurity professionals exceeds one million–our federal government is currently seeking more than 10,000 candidates. The trend will continue in the near future as more and more features of day-to-day living are converted to digital.

As the private sector feels the crush of data breaches, the increasing sophistication of attacks fuels demand to counter or prevent them. Unfortunately, cybersecurity is rarely considered a “glamor job.” Ask a hundred eight-year-olds what they want to be when they grow up and few (if any) will answer “cybersecurity specialist.”

But that’s all the more reason to consider a career in this booming field! Governments and private organizations of all kinds are desperately seeking skilled candidates to protect their data and critical infrastructures from cyber criminals. The shortage of cybersecurity talent is not simply a lucrative opportunity for IT experts–it’s a matter of national security in defense of privacy, property and fair commerce.

Simply stated: there have never been better opportunities for advancement in the cybersecurity profession.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.


[i]  http://www.bls.gov/opub/btn/volume-2/careers-in-growing-field-of-information-technology-services.htm

Hacker isn’t a bad Word

Did you know that the original meaning of hacker, as far as computers, was that of a person who built codes into computers? In fact, the bad guy was called a “cracker.” Somehow, “cracker” didn’t catch on. But the mainstream folk out there hears “hacker,” and right away, they think of a digital thief, often someone who breaks into governmental computer systems or Russian “hacking rings” that steal credit card numbers.

4DAn article at motherboard.vice.com mentions that Richard Stallman gets the credit for cracker. Stallman, creator of the GNU operating system, is quoted as saying, “I coined the term ‘cracker’ in the early ‘80s when I saw journalists were equating ‘hacker’ with ‘security breaker.’”

The news media began noticing hackers around 1980. Some hackers were security breakers. Security breaking is one thin slice of the pie, but the media jumped on this, creating the impression that hackers were bad guys.

The article also notes something that Biella Coleman explains. She’s a hacker expert and is quoted as stating that the American government “has tended to criminalize hacking under all circumstances, unwilling to differentiate between criminal activities, playful pursuits, and political causes.”

The reality is, is that a security breaker is no more a hacker than a home burglar is an architect.

In the 1990s were movies that portrayed hackers as cyber villains, and all along, the real hackers were trying to get the word out that “crackers” was the term of choice. But it just didn’t take.

Maybe one reason is because the word “hacker” has more of a novel sound to it. When you hear “cracker,” several possible things come to mind, including a detective who cracks a case, and something you put in your soup. But “hacker”? Wow – it has more punch. It conveys more action.

But how did innocent code writers get to be called “hackers” in the first place? Perhaps it’s because writing code is such an imperfect science—more of an art, full of bugs and crimps. Code writers must hack their way through muddle to get it right.

At this point, however, hacker is here to stay to refer to the bad guy, whether a teenager with too much time on his hands breaking into some company’s network, or an intricate Chinese cyber criminal organization that cracks into the U.S. government’s system.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Trusting too much brings Trouble

There will always be the person who lives on the Equator to whom you can sell an electric heater. As they say, there is a sucker born every minute.

12DThis is why cyber criminals will always have a field day, like the crook who posed as a tax man who got an elderly couple to send $100,000 to an offshore bank account after he tricked them.

This was a fear-based scam. The other two categories are compassion and self-interest. And just because a person can’t be frightened doesn’t mean that their heart strings can’t be tugged by a charity scam.

Elderly people and those with low income are more likely to be tricked. Other people…well, you just have to wonder what’s between their ears.

For example, the popular Microsoft scam involves a person calling the victim to tell them that their computer has a virus. The caller is a crook who wants to convince the victim to allow him remote access to the computer. Don’t the victims ever wonder how the heck Microsoft would even know their computer had a virus? Red flag, anyone?

Some say ask the caller for their number so you can call back–they’ll probably hang up. Probably. The scammer may have a number in place just to cover this possibility. Really, just hang up. It’s a scam.

Some people will just keep giving money out, again and again, to the same scammer; it’s not always a flash-in-the-pan payout. What compels them to behave this way? Perhaps it’s to continually convince themselves that they’re not dumb enough to be scammed.

Another way cons trap people is by asking for small amounts of money first; this lowers the victim’s guard.

More Popular Scams

  • Charity. These can range from natural disaster relief to donations for made-up charities, or those with names very similar to well-known ones.
  • Rental. The crook sends the landlord an overpayment by check of the first month’s rent before living there, then tells the landlord to wire back the difference. The check bounces.
  • IRS: Always hang up on callers identifying themselves as tax people claiming you underpaid or are owed a refund, even if the caller ID says “IRS.”

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Latest Russian Cyber Attack on White House a Boon for CISA

The Russians have come…again—in the form of hackers. Not long ago Russian cyber criminals busted into the U.S.’s State Department system and mangled it for months.

1DThis time, they got into a computer system at the White House. Luckily, this system did not hold any classified information, but nevertheless, the hackers got ahold of President Obama’s private itinerary. So it just goes to show you just what hackers a world away can do.

This isn’t the first time that the White House has been hacked into. Remember the attacks that were allegedly committed by the Chinese? These, too, did not involve sensitive information, but the scary thing is that these cyber invasions show how easy it is for other countries to bang into the computer systems of the No. 1. Superpower.

So President Obama’s personal schedule got hacked, and in the past, some White House employee e-mails got hacked. What next—top secret plans involving weaponry?

What the Russians may do next is of grave concern to the FBI. Perhaps the Russians are just teasing us with this latest break-in, and the next hacking incident will really rattle things.

Ironically, Obama had recently signed an executive order in the name of stomping down on cyber crime. Well, someone didn’t stomp hard enough, and the Russians, Chinese and everyone else knows it.

Obama’s efforts involve CISA: Cybersecurity Information Sharing Act. The Act would mandate that there’d be greater communication between the government, businesses and the private sector relating to possible cyber threats.

CISA is not well-received by everyone because it involves what some believe to be a compromise in privacy. This latest attack on the White House, say CISA critics, might encourage lawmakers to hastily pass the Act without first building into it some features that would protect the privacy of the private sector.

The chief concern, or at least one of the leading ones, of CISA opponents or skeptics is that of the government gaining access to Joe’s or Jane’s personal information. And why would the government want to get our private information? For surveillance purposes—that harken back to the efforts to increase cyber protection and prevent more hacking episodes.

The bottom line is that this latest attack by the Russians will surely add a few more logs to the fire in that lawmakers will feel more pressure than ever to strongly consider passing CISA.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. Disclosures.

Can Hackers Use FraudFox VM to Defeat Your Fraud Prevention?

In the last few days, a number of tech magazines like Computerworld and PC Advisor have reported that FraudFox VM poses a threat to the security of online businesses—especially banks and payment services.

4DFraudFox VM is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware’s Workstation for Windows or VMware Fusion on OSX. It’s for sale on Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or about $390.

FraudFox VM was created to defeat device recognition, or fingerprinting, which is used in fraud prevention to assess the risk of a device connecting to a business. Web browsers are used to collect data like operating system version, time zone and IP address. Each of these characteristic can be used to assess risk and uncover possible fraud.

So how worried should your business—and customers—be about this new software? I sat down with Scott Waddell the Chief Technology Officer of iovation, the fraud prevention experts, to find out what the reality is behind the media headlines.

  1. How reliant are banks and financial institutions on this kind of technology to stop fraudulent transactions these days? Is fingerprinting used more for mobile than on desktop?
    Banks leverage device reputation solutions with great success in both fraud mitigation and risk-based authentication strategies. Of course, good security is all about layered defenses, so smart banks use these tools as part of a defense-in-depth strategy to avoid over-reliance on any one security technology.Device recognition is used on all Internet connected devices these days, mobile and desktop alike. Mobile transactions are the fastest growing segment being protected with these tools, but the majority still originate from desktop operating systems.
  2. Do you think this would be an effective method for cybercriminals to get around those defenses?
    FraudFox VM may be interesting for its purpose-built virtual machine packaging, but there’s really nothing new in the approach. Tools have been available to fraudsters for years to facilitate changing device parameters, manipulating JavaScript, blocking data collection, obscuring IP address and location, and so on. Many of these capabilities have even migrated into easy-to-use settings in the major web browsers to make testing easier for web developers.Device reputation solutions have evolved along with such tools and continue to provide great uplift in fraud catch in spite of them.

    From the reported attributes that FraudFox can change, it would be unable to evade native recognition tools (those embedded in native desktop apps) and it would stumble over transactional similarity scoring on the web that considers more device attributes along with tagged recognition. So the tendency at financial institutions would be to trigger step-up authentication to one-time passwords through out-of-band channels (SMS, mobile app, voice) that FraudFox could not intercept.

  3. Is possible to fake browser fingerprints manually or using other tools? Does this thing look like a good consolidation of other tools that people might use to defeat fingerprinting?
    As previously mentioned, there are other tools and techniques fraudsters use to evade recognition or to try to mimic the devices of their victims. These often stand out from actual browsers in ways that defeat their intended purpose. A couple years ago, the Gozi Prinimalka trojan attempted to duplicate device attributes of compromised systems much as FraudFox VM aims to do. However, its limitations made it ineffective against modern device reputation offerings that evaluate risk and reputation through multiple strategies including link analysis, profiling techniques, velocity rules, proxy and Tor unmasking, device attribute anomalies, and more.FraudFox VM seems to be relatively limited in its capabilities considering the variety of techniques sophisticated fraud mitigation tools bring to bear.
  4. Any other thoughts?
    It’s certainly interesting to see tools like this for sale on Evolution, which appears to be catering to fraudsters and identity thieves. All the more reason for online businesses to take advantage of collaborative technologies that bring the power of community to the fight against the increasingly organized economy of cybercrime.

Fraudsters will always look for new ways to commit cybercrimes. However, a strategic, multi-layered approach to fraud prevention is the best defense.

Russian Hackers getting rich from your Identity

Where’s the $$$ at? Selling credit card data. Have you heard of the Russian hacking ring that raked in two and a half billion dollars? Check it out: 4D

  • Phishing attacks are lucrative for these cybercriminals.
  • ATM hacks continue to increase, in part due to targeted attacks and new software.
  • Smartphone attacks are on the upswing.

There are three ways criminals obtain credit card data, and selling it is enormous business. And data breaching at the point of sale has been a big issue for the past few years. POS attacks are conducted with skimming tactics or by using Trojans. Unless significant changes are made, look for POS attacks to swell up, not shrivel up.

Selling credit card information is such big business that there exist professional wholesalers who specialize in this. Ukrainian, Russiona and many in eastern Europe are some of the largest brokers of and the main suppliers of stolen card data. But the wholesalers who purchase his acquired data are also rolling in the dough.

More on the Russian Hacking Empire

  • Lots of DDoS attacks
  • Over a quarter of a billion dollars in the sale of nefarious products
  • Spam, spam and more spam: an $841 million goldmine
  • A rise in the number of crime rings, the result of the development of new ways to commit theft off of users of smartphones.
  • In fact, several new crime rings have emerged this year that center on bank theft of mobile device users.

There’s currently just no end in sight for the Russian hackers, and there perhaps never will be, especially since geography is a barrier to prosecution.

6 ways to watch your statements.

  1. Monitor your paper statements monthly
  2. Monitor your e-statments when they come in
  3. Login to your credi card company’s website as often as you can
  4. Download your credit card company’s smartphone app and check often
  5. Sign up for Mint or BillGuards credit card alerts
  6. Go to your credit card company’s website and sign up for text and email alerts for every transaction.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Mobile Employees Are a Security Risk

Not too long ago, the office computer filled an entire room. Now, it fills the palms of one-third of employees—those workers who use only the mobile device for their jobs. Security, however, lags behind in keeping up with this growing trend. This is the BYOD generation: bring your own device (to work).

8DIT departments need to keep one step ahead of this fast-growing trend. It’s here to stay, and one reason is because it’s responsible for significantly pumping up productivity. Employers love this. More productivity = higher profits. You’d think that some of these increased profits would be reinvested in security training that correlates to the BYOD movement, since the BYOD movement strongly correlates with an increase in data breaches and risks of breaches.

But it’s not. Organizations still aren’t seeing the light.

A recent Ponemon Institute survey reveals that for a large portion of employees, the mobile device is a first-line medium for conducting business. That one-third figure mentioned earlier is forecasted to jump to 50 percent over the next 12 months.

With all the improvements in productivity comes a corresponding jump in the risks of data breaches—both intentional and accidental. The survey reveals that 52 percent of the participants said that security training for smartphones was shelved in the name of sharpening worker productivity.

Another finding: One-third of businesses don’t even have existing security programs for the BYOD’ers. About three-quarters of respondents said that their existing security was lax. And don’t think that security risks mean only computer viruses, phishing e-mail scams, being lured to malicious websites, being tricked into downloading malware, etc.

There’s a huge risk in the form of roving eyes. A “visual hacker” uses his eyes, and sometimes with the assistance of binoculars or a mobile device camera, to prowl for unguarded computer screens in public like at airports, hotels and coffee houses. He swipes sensitive data by recording it with a camera or seeing it and then writing down what he sees or even memorizing it. Workers can prevent “shoulder surfing” with the ePrivacy Filter software by the 3M company. Combine this software with a 3M Privacy Filter, and the user will be able to thwart a hacker hovering over his or her shoulder from virtually any angle.

The typical business, says the survey, handles 20,000 mobiles, and that number is fast-rising. This will heap on the pressure to implement solid security plans. Managing each device won’t be cheap, either, but a pricey stitch in time will save an obscene expense times nine.

Sixty percent of the survey takers said that mobiles have made employees rather lazy with security awareness. There’s definitely a human factor involved with all of this that businesses must address.

If employees want to use mobiles to conduct business, they should also embrace the responsibility that comes with the use of these devices—that of being willing to learn how to keep the sensitive data that’s stored in these devices safe, and also being willing to learn how to recognize social engineering and other cyber criminal tricks.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.