Posts

Visual Hacking is High Tech Shoulder Surfing

A visual hacker can infiltrate you—from the outside in. Quite literally, a person (ranging from a snoop to a cyber criminal) can peer over your shoulder while you’re using your computer or mobile (“shoulder surfing” or “visual hacking”), and collect your personal information—whatever you have up on the screen.

4DThis is so easy to observe Go to any airport or café and you’ll see scores of people using their laptops, headset on, head nodding to some beat, totally oblivious that a world exists beyond their little comfy spot.

However, shoulder surfing can also happen from a distance, e.g., a thief using binoculars or a small telescope. He can be nearby aiming his high-quality smartphone camera at the user. A cheap camera can be hidden near a spot where people often settle down with their devices, aimed right where people most often open their laptop or whip out their mobile.

You might be able to prevent shoulder snoopers by covering your screen with a hand, but this isn’t practical. If you’re working remotely, you should think about setting yourself up so that passers-by can’t see your screen, such as sitting up against a wall. However, these maneuvers aren’t always possible and you know that you need protection every single second to prevent information you are working on from a potential leak.

A recent survey of IT professionals found that 82 percent had little to zero confidence that employees were capable of concealing their device’s screen from peeping eyes; 82 percent believed it was possible that data had already been viewed off of their screens by the wrong eyes; and 85 percent reported being able to view sensitive data on a screen that they were not supposed to be looking at. So why aren’t more people – and more importantly, more organizations – taking the necessary precautions to protect their visual privacy?

From login credentials to company directories to confidential financial figures – data that can be visually hacked is vast and what a hacker can do with that information is even more limitless. To prevent people from handing over the proverbial “keys to the kingdom” through an unwanted visual hack 3M now offers its ePrivacy Filter software. When paired up with the traditional 3M Privacy Filter, which blacks out side views and helps prevents hackers from stealing a glance at your screen, the ePrivacy Filter notifies you when someone is peering over your shoulder. You can now protect your visual privacy from nearly every angle.

Not only do thieves try to see what’s on the screen, but they’ll also study the user’s fingers at key times, such as right after they open the laptop. This could be the password they’re typing in to gain access to the device. A skilled visual hacker can determine which group of keys was pressed, then confine a brute-force attack to those characters to crack the password.

If you think shoulder surfing is uncommon and more so the product of overactive imaginations, think again. Take yourself, for example. Imagine being on a long flight. You’re wide awake but drained from using your device and reading magazines. Sooner or later (and you know this), your eyes will drift towards the stranger seated next to you—to see what’s on their screen. Since you, an honest, non-criminal person, is apt to do this, imagine how tempting it is for thieves.

Research results that were released last year revealed that 72 percent of commuters in the UK peer over the shoulder of fellow commuters. But don’t think that shoulder surfing is confined to the public; it can also take place right inside your office building. This can be particularly true for offices with an open floor plan design. With more and more screens out in full view and not enough attention paid to the types of data being accessed for all to see, you can never let your guard down when it comes to protecting confidential and sensitive information.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

What is a Computer Worm?

Worms. Most of us probably think of them as those squirmy invertebrates we dissected as a kid or found on the sidewalk after a storm. You might have used them as bait for fishing (not phishing), to pull a prank or have even eaten them (no judgment).

6DWhether you like worms or not, there’s one kind of worm that definitely isn’t your friend—the computer worm. This kind of worm is a computer program that can replicate and send copies of itself to other computers in a network. Worms are considered a subset of viruses, but unlike viruses they can travel without any human action.

Most worms are designed to exploit known security holes in software, although some spread by tricking Internet users. Mass-mailing worms, for instance, spread via email or instant message (IM). They arrive in message attachments and once you download them the worm silently infects your machine. Peer-to-peer (P2P) networks are another avenue for worms: cybercriminals upload infected files with desirable names to entice users into downloading them. And once you download the file your computer is infected.

Once your machine is infected, the worm can corrupt files, steal sensitive information, install a backdoor giving cybercriminals access to your computer, or modify system settings to make your machine more vulnerable. They can also degrade your Internet connection and overall system performance.

The good news is there are steps you can take to keep your computer from being infected:

  • Don’t download or open any files on P2P sites.
  • Since some worms now have a phishing component—meaning that they try to trick users into running the malicious code—do not click on links in unexpected emails and IMs, or download attachments connected to them.
  • Use comprehensive security software, like McAfee LiveSafe™ service, with a software firewall to block unauthorized traffic to and from your computer. Make sure to keep your security software updated.

If you fear that your machine is already infected, immediately run a security scan.

Of course, given the fast-moving nature of Internet worms, your best bet is to be cautious and take steps to avoid getting infected in the first place.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Cybersecurity Insurance still Requires Cybersecurity

OpenSSL vulnerabilities are sticking around for a while. In fact, recently two new ones were announced: One allows criminals to run an arbitrary code on a vulnerable computer/device, and the other allows man-in-the-middle attacks. A more famous openSSL vulnerability that made headlines earlier this year is the Heartbleed bug.

3DMight cybersecurity insurance be a viable solution?

As reported in SC Magazine, Yes, says Hunton & Williams LLP. Cybersecurity insurance fixes the problems that these vulnerabilities cause—that technology alone can’t always mitigate.

Hunton & Williams LLP reports that GameOver Zeus malware infiltrated half a million to a million computers, resulting in gargantuan losses to businesses and consumers. The firm says that antivirus software just isn’t enough to prevent mass infection. The fact is, advances in malicious code have rendered antivirus software frightfully weak, continues the firm..While not everyone agrees on this point, Hunton & Williams recommends a proactive approach which includes assessment of risk transfer methods, e.g., insurance.

Laurie Mercer, from the security consulting company Contest Information Security, also believes in cybersecurity insurance. Mercer uses cars as an analogy. A car must stick to safety standards. The car gets serviced every so often. But the car also has various buttons and whatnots inside that can alert the driver of a problem.

Likewise, with cybersecurity, products can be certified with commercial product assurance accreditation. A website can get a regular security audit every so often. And like the interior buttons of a car, a website can have a response strategy to a cyber incident or some kind of detection for an attack. However, the car should still be insured.

At a recent SC Congress London, Sarah Stephens from Aon EMEA pointed out that cyber insurance is rising in popularity. But Andrew Rose, a security analyst with Forrester, noted that many threats can be resolved with adequate plans in place.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Russian Organized Crime: Krem D’la Krem of Hackers

The Russians have definitely come…in the world of cybercrime. A Russian ring of hackers has amassed 1.2 billion stolen passwords and usernames involving 400,000 websites. The criminals have also garnered 542 million e-mail addresses.

11DAnd these Russians didn’t discriminate: Any website they could bust into, they did, ranging from big U.S. companies to little websites—anything. Most of these sites remain vulnerable.

Apparently, the thieves are not working for Russia’s government (which rarely goes after hackers anyways), nor have they sold the stolen information…yet. They’ve been paid by third-party entities who want to send out spam.

This gang of thieves operates like a business, with some doing the programming and others doing the stealing. The crooks use botnets to scope a site’s weaknesses, then plow in there.

This massive breach has called attention to the reliance that businesses have on usernames and passwords; this will need to be changed.

Tips for Preventing Getting Hacked

  • Say NO to clicking on links inside e-mails, even if the apparent (note “apparent”) recipient is your bank or a friend.
  • URL security. Trust only sites whose URL starts with a padlock icon and “https.” An “http” won’t cut it.
  • Two-step verification. If your financial institution offers this, then activate it. Call the bank if its website doesn’t have this information.
  • Online banking. If possible, conduct this on a separate computer just for this purpose.
  • Change the router’s default password; otherwise it will be easy for hackers to do their job.
  • Wired ethernet link. This is better than a powerline or Wi-Fi for protection. To carry out an ethernet attack, the thief would probably have to break into a home and set up a device, whereas Wi-Fi data can be snatched out of the air, and powerline data can leak into next-door.
  • Encryption. If you must use Wi-Fi or powerline networks, encryption will scramble data, but a hacker can crack into Wi’Fi’s WEP.
  • Say no to third-party Wi-Fi hotspots.
  • Security updates. Keeping up to date will guard against hackers who use a keylogger to figure out your keystroke pattern—which can tell him your passwords.
  • Hotshot Shield; This service protects you from fraudulent activity when you’re working online in an unprotected network (wired or wireless), such as at airports, hotels or coffee houses.
  • Get identity theft protection. Generally your identity is protected from new account fraud. Many of the services monitor your data on the dark web.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Cyber Security Insurance Difficult for Business to Navigate

Cyber insurance is now booming, with about 50 carriers in the industry. An increasing number of companies have cyber insurance to protect against cyber crime. However, businesses claim it’s not easy to get adequate coverage.

4DLosses from data breaches are difficult to quantify. The tangible losses are more easily insured, says a New York Times online report. When it comes to a data breach, there are often related losses such as reputational damage and loss of customer loyalty that are harder to quantify.

Add to this the fact that underwriters don’t yet have sufficient data to estimate the likeliness or cost of an attack; most breaches get missed or aren’t reported publicly.

While an insurance company can tell you the precise odds of a major city office building burning down, nobody knows when the next giant retailer will be hacked. Statistics on hacking risks aren’t constant due to the continuous evolution of cyber crimes.

According to New York Times estimates, companies seeking coverage can only hope for, at best, a $300 million policy, peanuts compared to the billions devoted to property protection. Though this still sounds generous, the cost of a major breach can easily exceed it. Target’s situation is on course for just that, says the New York Times online article. The 2011 Sony breach has already exceeded $2 billion in fallout.

The best policies cover costs associated with alerting customers, plus forensics, call center setups, consumer identity monitoring, legal fees and a crisis management firm. But that may only dent the disaster. Policies don’t address loss in profits due to customers jumping ship. A policy can’t prevent a marred brand reputation. “Although a solid cyber policy will cover notification, crisis management expenses, defense costs, damages and the costs associated with regulatory action, it would not cover other, potentially much larger losses, such as reputational injury and loss of brand and market share,” says Roberta Anderson, an insurance coverage and cybersecurity attorney with the law firm of K&L Gates, LLP.  “Those losses are difficult to value and remain uninsurable in the market today.”

Expect the cyber insurance industry to continue swelling while cyber crime continues to remain several steps ahead of businesses and security systems.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Healthcare Providers: Customer Security is Good Marketing

Consumers are on red alert about sharing personal data with businesses, thanks to the widespread publicity of major data breaches. As a result, many consumers feel trapped when they know they must reveal personal information just to get basic quotes for healthcare services.

2PTo get a quote, the potential customer must fork over a Social Security number and birthdate—enough information for a thief to use to commit fraud and identity theft.

Consumers feel as if there’s no escape: Data can be stolen at any point: over the landline phone or smartphone, on “trusted” websites, in servers … thieves are just waiting to pounce. So even though a potential (or current) customer has faith in an organization, the customer may be afraid of the pathways they must use to interact with the organization.

Stolen healthcare information is a goldmine for cyber criminals. It’s big business. This means that protecting it is big business.

A way for healthcare organizations to set themselves apart from their competition is to put a big premium on caring about the customer’s data security. You can’t be nonchalant. You must create a striking impression of sincere concern.

Consumers need a lot more than just hearing how well you’ll reduce employee negligence, enforce HIPAA compliance and create methods of foiling cyber attacks.

Of course, consumers need assurance you’re doing the aforementioned tasks, but consumers also want to know what the healthcare organization will do in the event of a breach.

AllClear ID outlines the key strategies that will make a big impression on current and potential enrollees in a healthcare plan:

  1. The most state-of-the-art IT practices must be brought on board so that all facets are secured, such as cloud services, computers and smartphones.
  2. All levels of personnel must receive training to minimize errors and be able to comfortably discuss data security with customers
  3. A stronger security system must be set in place for the business’s computers and the employees’ personal devices.
  4. Adherence to HIPAA policies must be improved.
  5. Potential customers must be made aware that the company offers an identity protection plan—as this will ease apprehension in the potential consumer.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

What is Social Engineering?

No, it’s not some new engineering field to develop social media sites. Social engineering has been around as long as the con artist has been around. The terms stems from the social science world where social engineering is deemed as an act of psychological manipulation.

social_engineeringIn our tech-laden world of today, social engineering still involves deceit but it’s used to deceive you into giving up personal or sensitive information for the bad guys’ financial gain. Social engineering can take many forms from an email, phone call, social networking site, text messages, etc., but they all have the same intent—to get you to part with valuable information.

Any one of us can be a target. And social engineering continues to be a tool that cybercriminals use because it works. They play on our emotions and our innate sense to want to trust others and be helpful. The also rely on the fact that many of us are not aware of the value of the information we possess and are careless about protecting it.

For instance, after major natural disasters or major news topics, like a hurricane or earthquake, cybercriminals sent out scores of bogus emails, calling for sympathy and donations for the victims, just so they could line their pockets.

In addition to sympathy, the bad guys also barter in fear, curiosity and greed. From emails offering fake lottery winnings (greed), to dangerous download sites advertising a preview of the latest Lady Gaga song (curiosity), to devious popup messages that warn you that your computer is at risk (fear), today’s cybercriminals are masters at manipulating our emotions.

And because their tricks often look legitimate, it can be hard for you to identify them. You could wind up accidentally infecting your machine, or sharing personal and financial information, potentially leading to monetary loss and even identity theft.

How can you protect yourself?

  • Never respond to a message from someone you don’t know and never click on a link in an unsolicited message, including instant messages, and any time the phone rings and they are requesting personal information consider it a scam.
  • Be suspicious of any offer that seems too good to be true, such as the lure of receiving thousands of dollars just for doing a wire transfer for someone else.
  • If you are unsure whether a request is legitimate, check for telltale signs that it could be a fake, such as typos and incorrect grammar. If you are still unsure, contact the company or organization directly. Financial institutions, and most sites, don’t send emails or text messages asking for your user name and password information.
  • When using social networking sites, don’t accept friend requests from people you don’t know, and limit the amount of personal information you post to your profile.
  • Consider using a safe browsing tool such as McAfee® SiteAdvisor® software, which tells you whether a website is safe right in your search results, helping you navigate away from phony sites.
  • Make sure your all your devices are protected with comprehensive security, like McAfee LiveSafe™ service that protects all your PCs, Macs, smartphones and tablets.

So remember to ask yourself if this is really legit, the next time you get a message that plays on your emotions. Stay safe online!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

On the Internet, FREE is a Dangerous Four Letter Word

The wild, wild web is like any major metropolitan city. There are high-class neighborhoods, retail districts, theater districts, business centers, popular social areas, seedy red-light districts (in Boston we called this the Combat Zone), and bad, bad, BAD neighborhoods.

Depending on where you go, you may pick up a virus or get bonked on the head.

The Internet is the same.

As more consumers seek out more free entertainment online, cybercriminals are shifting their attacks accordingly. McAfee recently conducted a series of studies determining that searching for celebrities like Cameron Diaz can increase your chances of infecting your PC. McAfee’s new “Digital Music & Movies Report: The True Cost of Free Entertainment” also confirmed that your PC is equally vulnerable when searching the word “free.” This report reveals the significantly increased risk of fraud when including “free” and “MP3” in the same search query. And when you add the word “free” to a search for ringtones, your risk increases by 300%.

Cybercriminals lure users with words like “free” in order to infect their PCs with malicious software, which is designed to take over the infected computer and allow hackers full access to private files, usernames, and passwords.

To stay safe, avoid searching for “free content.” Stick to legitimate, paid sites when downloading music and movies.

If a website is not well established, avoid clicking links in banner ads.

Use comprehensive security software to protect against the latest threats.

Use common sense: don’t click on links posted in forums or on fan pages.

Use a safe search plug-in, such as McAfee® SiteAdvisor® software that displays a red, yellow, or green annotation in search results, warning users about potential risky sites ahead of time, and highlighting safe results.

Be aware that the more popular a topic, movie or artist is, the more risky the search results will be.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures