Posts

The Beginners Guide to using TOR

Want to be invisible online? Get to know Tor.

TORTor will make you cyber-anonymous, concealing your cyber footprints, ID, browsing history and physical location. It even makes the sites you visit anonymous. Now, all that being said, there seems to be a concerted effort by certain US government agencies and others to crack Tor, but that hasn’t been completely accomplished…yet.

More on Tor

Realize, that Tor can’t provide 100 percent security. On paper, the Tor network is secure. But the typical Joe or Jane may unintentionally exit Tor using an “exit node,” and end up getting on a website or server that’s in the “open web.” If the visited site is not encrypted, Joe or Jane’s communications can be hijacked.

Tor is actually easy to set up. You can download packages for your operating system: Mac, Windows or GNU/Linux, and this includes the Tor Browser. The Covert Browser supports Tor for iOS and Android.

You may find, however, that your device may fight against installing Tor; the device thinks it’s malevolent and won’t accept the download. Keep trying. Have faith in the Tor code and download it.

The Tor experience is quite leisurely, slowing down what you can do in a given amount of time. It’s not going to get faster, either, as more and more people decide to use Tor. It’s slow because it directs traffic through multiple, random relay nodes prior to arriving at the destination node. So realize that you’ll be dealing with more of a turtle than a hare.

Tor blocks applications, too. If you want total anonymity, you should use the Tor software with the Tor Browser. But plugins will be blocked by the Tor Browser—because plugins can be used to see your IP address. This is why the Tor Project suggests not installing plugins. This means giving up YouTube and other sites while using Tor.

Be warned, Tor can get you undesired attention because the government is more suspicious of Tor users. This doesn’t mean the government will knock down your doors if you’re using Tor. It just means that Tor users may get the attention of the government more than typical Internet users.

As previously stated there’s evidence that government agencies, including the NSA, are trying to dismantle the Tor network, even though it delivers strong privacy protection to average Internet users.

If you want this level of anonymity, you’re going to have to get used to the fact that using Tor will change your online experiences (can you get by without YouTube?). The Tor Project says: “You need to change some of your habits, as some things won’t work exactly as you are used to.”

No matter whether on Tor or the open web, make sure if you are on free public WiFi that you are using Hotspot Shield to encrypt any wireless data.

Give Tor a try if privacy and anonymity are important enough for you to give up some of the features that make your online activities enjoyable, convenient and/or productive timewise.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Majority of Executives believe Attackers will overcome Corporate Defenses

Many technology executives don’t have a favorable outlook on their ability to sideswipe cybercriminals, according to research conducted by McKinsey and World Economic Forum.

2DThe research also shows that both big and small businesses lack the ability to make sturdy decisions, and struggle to quantify the effect of risk and resolution plans. As the report authors state, “Much of the damage results from an inadequate response to a breach rather than the breach itself”.

These results come from interviews with more than 200 business leaders such as chief information officers, policy makers, regulators, law enforcement officials and technology vendors spanning the Americas, Europe, Asia, Africa and the Middle East.

Cybercrimes are extremely costly and the cost can hit the trillions of dollars mark.

Several concerning trends regarding how decision makers in the business world perceive cyber risks, attacks and their fallouts were apparent in the research findings:

  • Over 50 percent of all respondents, and 70 percent of financial institution executives, think that cybersecurity is a big risk. Some executives believe that threats from employees equal those from external sources.
  • A majority of executives envision that cyber criminals will continue being a step ahead of corporate defenses. 60 percent believe that the gap between cyber crooks and corporate defense will increase, with, of course, the crooks in the lead.
  • The leaking of proprietary knowledge is a big concern for companies selling products to consumers and businesses.
  • Service companies, though, are more worried about the leaking of their customers’ private information and of disruptions in service.
  • Large organizations, says ongoing McKinsey research, reported cross-sector gaps in risk-management competency.
  • Some companies spend a lot but don’t have much sophistication in risk-management capabilities, while other companies spend little but are relatively good at making risk-management decisions. Even large companies can stand to improve their risk management capabilities substantially.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Cybersecurity Insurance still Requires Cybersecurity

OpenSSL vulnerabilities are sticking around for a while. In fact, recently two new ones were announced: One allows criminals to run an arbitrary code on a vulnerable computer/device, and the other allows man-in-the-middle attacks. A more famous openSSL vulnerability that made headlines earlier this year is the Heartbleed bug.

3DMight cybersecurity insurance be a viable solution?

As reported in SC Magazine, Yes, says Hunton & Williams LLP. Cybersecurity insurance fixes the problems that these vulnerabilities cause—that technology alone can’t always mitigate.

Hunton & Williams LLP reports that GameOver Zeus malware infiltrated half a million to a million computers, resulting in gargantuan losses to businesses and consumers. The firm says that antivirus software just isn’t enough to prevent mass infection. The fact is, advances in malicious code have rendered antivirus software frightfully weak, continues the firm..While not everyone agrees on this point, Hunton & Williams recommends a proactive approach which includes assessment of risk transfer methods, e.g., insurance.

Laurie Mercer, from the security consulting company Contest Information Security, also believes in cybersecurity insurance. Mercer uses cars as an analogy. A car must stick to safety standards. The car gets serviced every so often. But the car also has various buttons and whatnots inside that can alert the driver of a problem.

Likewise, with cybersecurity, products can be certified with commercial product assurance accreditation. A website can get a regular security audit every so often. And like the interior buttons of a car, a website can have a response strategy to a cyber incident or some kind of detection for an attack. However, the car should still be insured.

At a recent SC Congress London, Sarah Stephens from Aon EMEA pointed out that cyber insurance is rising in popularity. But Andrew Rose, a security analyst with Forrester, noted that many threats can be resolved with adequate plans in place.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Bankers on the Front lines of Cyber Defense

There was once a time when the only threat to a bank’s security was when that innocent-looking man hands a note to the bank teller that makes her face go ashen. And the only security, save for video surveillance, was the armed guards and the silent alarm that the teller triggers.

2DNowadays, terms like firewalls, encryption, anti-virus and cloud providers are just as important to a bank’s security as are the armed guards, huge windows, security cameras and steel vaults. No longer is the masked robber who says “Hand over the money” a bank’s biggest threat. ATM skimming, where nobody is ever shot at, is at the top of the list.

The Three Directions of Banking Security

  • Analyzing big data and assessing potential threats
  • Banks joining forces by sharing information relevant to protection against cybercrime
  • Focusing more on fast recovery and less on prevention of crime

That last point is because breaches are always going to occur no matter how thick the security is, and there’s a lot of room to improve in terms of recovery speed. So it makes sense that this shift in attention is developing at an increasing rate.

A New Breed of Locks

Banks require many layers of protection, and this includes keycards, which allow select employees through specific doors at specific times. Just stick the card in a slot and the door opens (a common device also used in hotels).

Keycards are also used by extraneous service people. A lost card can be immediately turned off, and cheaply replaced, whereas traditional locks would cost a bundle.

Customized badges are another way that financial institutions have improved security measures, replacing keys and keycards. Employees can be “add onto” a badge, and a lost and found badge can be deactivated and activated, respectively.

Anti-Skimming Devices

Anti-skimming devices can significantly reduce this crime, when a thief puts a phony reader over an ATM device to capture a customer’s card data. The volume of skimming crimes is enormous, yet many ATMs still have no anti-skimming protection.

Cloud Storage for Data

More and more financial organizations are relying upon cloud computing, though this technology also brings with it some concerns, since the cloud involves a third-party provider—which can turn bank data over to the government without the bank’s permission.

A way around this is for the bank to encrypt data prior to placing it in a cloud, and to keep encrypting it even when at rest, and retain the encryption keys.

Biometrics

Fingerprint swiping to withdraw money is one of the latest security tactics: multispectral imaging (MSI). Who can possibly “skim” that? This is biometric technology and is already in thousands of ATMs. This “inner fingerprint” is immune to breakdown from grime, wear or moisture, making it very tamper resistant.

Look for even more progress in the multilayered security of financial institutions in the years to come—technologies that right now we can’t even comprehend.

For more information about this shifting industry, visit:

securitymagazine.com/articles/print/85356-banking-battlegrounds-cyber-and-physical-security-risks-today

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Study Shows Businesses not prepared for Attacks

Amazing: With the proliferation of cyber attacks globally, most businesses are ill-prepared to deal with this, says research from the Economist Intelligence Unit and Arbor Networks.

1DPerhaps businesses have an “It won’t happen to us” mindset, even though hackers steal the most sensitive data, force the company to make enormous payments to fix the situation, and crush its customers’ trust, in turn damaging future profits. It’s a pebble-thrown-into-a-pond effect: Those ripples just keep going out and out.

Haven’t companies learned from that giant retailer breach in December of 2013? That big retailer was left toppled. Companies don’t realize that if they nickel-and-dime security, they’ll get what they pay for.

The research turned up the following after surveying 360 senior business leaders in organizations nationwide and in Europe and Asia-Pacific:

  • 77 percent experienced a security breach within the past two years.
  • 38 percent lack a response plan for a cyber attack.
  • 17 percent believe they’re “fully prepared” for a cyber attack.
  • Many of the survey participants reported that they relied upon IT departments to deal with the issue of cyber threats. However, companies that indeed suffered a data breach within the past two years were actually twice as likely to have relied upon a third-party IT team.
  • 41 percent of business decision makers believe that a more solid understanding of risks and potential threats would assist them in being better prepared, but, oddly, only one-third of businesses share concerning situations with other businesses for the sake of spreading best practices and information.
  • 57 percent do not report incidents on a voluntary basis if they’re not legally required to do this.

Interestingly, while 41 percent of business decision makers believe that a more solid understanding of potential threats would increase preparedness, only one-third of businesses are willing to share information with other businesses about incidents concerning data security.

The big message regarding cyber attacks on businesses all over the world: It’s not “if,” it’s WHEN.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Cross-Site Scripting Criminal Hacks

Secure computing requires an ongoing process, as you learn about risks and then implement processes and technology to protect yourself. Without a concerted effort to defend your data, you will almost certainly by victimized by some type of cyber-invasion.

JavaScript is everywhere, making the Internet pretty and most websites user friendly. Unfortunately, hackers have learned to manipulate this ubiquitous technology for personal gain. Java can be used to launch a cross-site scripting attack, which leverages a vulnerability often found in applications that incorporate Java. The vulnerability allows hackers to insert code into a website you frequent, which will infect your browser and then your PC.

Following links without knowing what they point to, using interacting forms on an untrustworthy site, or viewing online discussion groups or other pages where users may post text containing HTML tags can put your browser at risk.

Facebook, one of the most popular websites, is a likely place for JavaScript hacks, due to cross-site scripting vulnerabilities and the overall lack of security of Facebook users. This allows hackers to read a victim’s private Facebook messages, to access private pictures, to send messages to the victim’s contacts on his or her behalf, to add new (and potentially dangerous) Facebook applications, and to steal the victim’s contacts.

Beware of going down the rabbit hole when browsing the Internet. Once you start clicking link after link, you may find yourself on an infected site. And look out for scams such as contests that require you to paste code into Facebook, your blog, or any other site.

To protect yourself from cross-site scripting attacks, update your browser to the most recent version, with the most current security settings.

McAfee offers a free tool, SiteAdvisor, which helps detect malicious sites. In Firefox, you can install NoScript, a plug-in that lets you control when to enable JavaScript. NoScript also includes a list of good and bad sites. In Chrome, you can disable JavaScript in preferences, and in Internet Explorer, you can fiddle with the settings and adjust “Internet Zones,” but the default settings are best for most people. In Adobe Reader, JavaScript can be disabled all together, under “Edit” and then “Preferences.”

That being said, after messing with default browser or program settings, the reduced functionality may impede your ability to do anything online. The trick is to have the most updated security software and to avoid social engineering scams that ask you to click links or copy code.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)