Posts

Businesses Struggling to Keep Up with Latest Wave of Malware Attacks

Companies have been struggling for years to keep cyber-attacks at bay. Cyberthieves are working faster than ever before to send out their malicious attacks, and it’s become increasingly difficult for companies to keep up.

CNN reports that almost one million malware strains are released every day. In 2014, more than 300 million new types of malicious software were created. In addition to new forms of malware, hackers continue to rely on tried and true bugs because many companies simply haven’t found a fix or haven’t updated their systems to mitigate the threats.

In almost 90% of these cases, the bugs have been around since the early 2000s, and some go back to the late 1990s. The irony here is that companies can protect themselves and create patches for these bugs, but there tends to be a lack of effort and resources when it comes to getting the job done.

Some industries are targeted more than others. After hackers get information from these companies, such as proprietary data, they attempt to sell the information on the black market.

Cyberattacks are spreading quickly, and it takes almost no time after an email is sent for a victim to fall for the scheme. When a hacker is successful at breaking into a certain type of company, such as a bank or insurance firm, they will typically use the same exact method to quickly attack another company in the same industry.

New and improved cyber attacks

While old methods of cyber-attack can still be effective, it is the new scams that users should be nervous about. Here are some examples:

  • Social media scams
    Social media scams work and cybercriminals just love them because the people being scammed do most of the work. Cybercriminals release links, videos or stories that lead to viruses, and people share them with their friends because they are cute, funny or eye-raising. These tend to spread quickly because people feel as if they are safe.
  • Likejacking
    Hackers may also use a practice known as “likejacking” to scam people on social media. In this case, they will use a fake “like” button that tricks people into installing malware. The programs then post updates on the user’s wall or newsfeed to spread the attack.
  • Software update attacks
    Hackers are also focusing on more selective attacks. For example, a hacker may hide malware inside of a software update. When a user downloads and installs the update, the virus is set free.
  • Ransomware
    These attacks, where thieves steal or lock files on a person’s computer and then demand a ransom for access, climbed more than 110% in the last year alone. Once infected, the only way to regain access to the files is to pay a fee, usually between $300 and $500, for a decryption key.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Scareware Scam almost snags Victim

Cybercriminals know that the best way to get their claws on the next victim is to appeal to their emotions, not logic.

4DThere’s lots of scary things in life, and one is learning that your computer has been infected with a virus. If this happens, you’re now vulnerable to spending money on getting rid of the malware. The tactic of scaring users is called scareware.

  • A pop up tells you “Warning! Your Computer Has Been Infected with Malware!”
  • The pop-up can be triggered by visiting an infected website or by making a bad click.
  • The pop-up can’t be closed out, or if it can, another appears.
  • Additional information in the pop-up lures you into clicking a link inside it, such as buy some downloadable security software that will destroy the virus.
  • Once the alleged security software is downloaded/installed, it crashes your computer—even if you already have a legitimate security software program in place.
  • You’re screwed at this point. (Hope you had all your data backed up before this happened!)

Here’s another way the scam can unfold, from someone who wrote to me:

I was notified by a notice supposedly from Windows Security that my PC has been attacked.  They claim that all my PC ID numbers were stolen and that Russia had got about 8-12 other IDs.  They took control of my computer and said they scanned it to find this out. They claimed the only way that I could clear this problem was to have them clear it for $199.99 and security for 1year (sic) for $149.99.  They said the only way to accomplish this was by check.  They said it couldn’t be done by credit card because them (sic) numbers would be stolen too.  I refused to go along with that plan and closed them out.  

P.S. I checked my account and it is paid thru 6/2016.  How do I know if I get a notice from Windows that it is legit? 

All windows notifications come via Windows Update. That “pop-up” emanates via your notifications area on your taskbar and NOT a popup via your browser. What a mess.

Protect Yourself

  • Use security software only from a name-brand company.
  • Keep it updated.
  • See a pop-up? Close it out. Never click inside it—which you can’t do if you close it out immediately.
  • Exit the site you think triggered it.
  • Play it safe and run a scan using your legitimate security software.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Bitdefender’s BOX: All-in-one Cybersecurity from one App

Gee, if your home is connected to lots of different devices, doesn’t it make sense that your cybersecurity integrates all your connected devices? Meet the Bitdefender BOX, a network bulletproofing hardware cybersecurity tool for the home that embraces smart home protection focusing on the Internet of Things with remote device management offering next generation privacy protection.

boxBOX description:

  • One complete security solution for connected homes
  • Sets up to a router
  • Is controlled by the user’s mobile device and hence, can be controlled anywhere
  • Everything is protected: not just your computer, but all of your connected devices, like your baby monitor, TV, thermostat, garage door opener and house alarm system. You name it; it’s protected from hackers.
  • BOX works with an annual subscription much like most cyber security “security as a service” technologies.

Features:

  • Easy Setup. Just plug and play.
  • Advanced Threat Protection. In and outside your home network. You’re safe on the go as well!
  • Management and Control. All available in one app, at your fingertips, anywhere you are.

So, protection from hackers means that you can have peace of mind knowing that BOX is warding off attempts at ID theft, fraudulent activities, cyber snooping and other threats.

All you need to do is connect BOX to your router via one of its ethernet ports. Then get the BOX application going. Its user friendly and you just follow its easy instruction: all of a few minutes’ worth. BOX then goes to work to intercept cyber threats at the network level. And all from just one app.

So yes, you need a smartphone (Android or iOS) to take advantage of BOX. If you’ve been on the fence about getting a mobile device, move out of your cave, junk your Pinto, cut your mullet, and get the BOX.

Think of how great it would be to be alerted of network events through this does-it-all application that you can control no matter where you’re located. This means you can control all of your connected devices.

One of BOX’s features is the Private Line. This protects your Internet browsing experience, including making you anonymous. Other features:

  • Protection against hacking attempts including lures to malicious sites.
  • Protection against viruses, malware including downloads, phishing, etc.
  • Protection against anyone wanting to pry open your files and see what’s in them or steal them.
  • Protection occurs even when you’re using public Wi-Fi, such as at a hotel, airport or coffee house!

Who needs BOX?

Everyone who has connected devices at home and uses the Internet. This is like asking, who needs a lock on their home’s door? Anyone who lives in a home.

Think about a home and home security as an example. If you’re going to have a lock, it should be a good lock, right? But the lock is only effective if you actually lock it. You also need to lock up your windows and consider a home security system. These are all “layers of protection. Well, the BOX is multiple layers of protection for protecting your online experience as well as computer files.

BOX is designed for non-techy users, so if you’re one of those people who is “not good with computers,” you’ll still find BOX’s setup and navigation quite friendly. It also helps set up password-protected Wi-Fi network does for you and you can even let guests use a secured Wi-Fi network. This post is brought to you by Bitdefender BOX.

Why Are Cyber Hucksters so successful?

Often, hucksters prey on the consumer’s desperation, which is why it’s no surprise that the No. 1 rip-off (at least between 2011 and 2012)) was bogus products promising weight loss.

6DVICE (vice.com) interviewed psychologist Maria Konnikova about how cyber cons are so successful—even with the most ridiculous sounding bait (Nigerian prince, anyone?).

The bait becomes more attractive when the target is receiving an influx of cyber attention. Sad to say, this trips up a person’s rationale, making them susceptible to the huckster’s plan.

Konnikova is quoted as stating, “Few things throw us off our game as much as so-called cognitive load: how taxed our mental capacities are at any given moment.” She explains that people are vulnerable when the con artist hits them up with their scheme while the victim is distracted with Twitter, texting, etc. In short, it’s cognitive overload.

Konnikova is the author of the book, “The Confidence Game: Why We Fall For It, Every Time.” In the book, she mentions that victims such as the U.S. Navy were too humiliated to prosecute the crooks who conned them. She tells vice.com: “Because admitting it [getting rooked] would mean admitting you’re a sap.”

And in this day of rapidly evolving cyber technology, the huckster’s job is becoming easier, what with all sorts of pathways he can snag a victim, such as dating sites and pop-up ads warning your computer has been infected. But something else is on the crook’s side: the false sense of security that all this techy mumbo jumbo gives the common user—who hence lets down their guard.

And despite all the parodies and mockeries surrounding the so-called Nigerian prince scam (aka 419 scam), it’s still out there in full force and effect. Look how technology has made it swell. And it will continue evolving as long as people want something for nothing. Why else would the Powerball swell to over 1.3 billon. “The basic contours of the story won’t change,” Konnikova tells vice.com.

Another factor is that some people equate online with credibility: “It’s online so it must be legitimate,” is the mindset. According to this mindset, the Loch Ness Monster must really exist, since there are many stories about it online. Despite how irrational this mindset is, scammers know that many people think this way and will design their ploys to look even more legitimate (with creative layouts, slogans, links, etc.).

Though it takes skill to be a successful huckster, they can’t get the job done without the victim being “vulnerablized” by cognitive overload.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

2016 Information Security Predictions

No bones about it, 2016 is sure to see some spectacular, news-chomping data breaches, predicts many in infosec. If you thought 2015 was interesting, get your seatbelt and helmet on and prepare for lift off…

4WWearable Devices

Cyber crooks don’t care what kind of data is in that little device strapped around your upper arm while you exercise, but they’ll want to target it as a passageway to your smartphone. Think of wearables as conduits to your personal life.

Firmware/Hardware

No doubt, assaults on firmware and hardware are sure to happen.

Ransomware

Not only will this kind of attack continue, but an offshoot of it—“I will infect someone’s device with ransomware for you for a reasonable price”—will likely expand.

The Cloud

Let’s not forget about cloud services, which are protected by security structures that cyber thieves will want to attack. The result could mean wide-scale disruption for a business.

The Weak Links

A company’s weakest links are often their employees when it comes to cybersecurity. Companies will try harder than ever to put in place the best security systems and hire the best security personnel in their never-ending quest for fending off attacks—but the weak links will remain, and cyber crooks know this. You can bet that many attacks will be driven towards employees’ home systems as portals to the company’s network.

Linked Stolen Data

The black market for stolen data will be even more inviting to crooks because the data will be in sets linked together.

Cars, et al

Let’s hope that 2016 (or any year, actually) won’t be the year that a cyber punk deliberately crashes an Internet connected van carrying a junior high school’s soccer team. Security experts, working with automakers, will crack down on protection strategies to keep cyber attacks at bay.

Threat Intelligence Sharing

Businesses and security vendors will do more sharing of threat intelligence. In time, it may be feasible for the government to get involved with sharing this intelligence. Best practices will need hardcore revisions.

Transaction Interception

It’s possible: Your paycheck, that’s been directly deposited into your bank for years, suddenly starts getting deposited into a different account—that belonging to a cyber thief. Snatching control of a transaction (“integrity attack”) means that the thief will be able to steal your money or a big business’s money.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Nineways to shop safely on Cyber Monday

With Cyber Monday, you don’t have to camp outside in the cold overnight so you can be the first person busting through the doors like on Black Friday. But you still may get trampled to a pulpby cyber scammers waiting for their prey.

2DHow can you avoid these predators?

  • You know that old mantra: If it’s too good to be true, it probably is. Be highly suspicious of outrageously great deals, and also assume that e-mails that link to unbelievable savings are scams. You may think it won’t hurt to just “check it out,” but consider the possibility that simply clicking on the link will download a virus to your computer.
  • Back up your data. Shopping online means it’s inevitable that you’ll stumble upon an infected website designed to inject malicious code into your computer or phone. “Ransomware” will hold your data hostage. Backing up your data in the cloud to Carbonite protects you from having to pay the “ransom.”
  • Say “No” to debit cards. At least if you purchase with a credit card, and the sale turns out to be fraudulent, the credit card company will likely reimburse you. Try getting your money back from a scam with a debit card purchase. Good luck.
  • If you’re leery about using a credit card online, see if the issuer offers a one-time use credit card. If someone steals this one-time number, it’s worthless for a second purchase.
  • Make sure you understand the online merchant’s shipping options.
  • When buying online, read up on the retailer’s privacy policy.
  • When completing the purchase, if the merchant wants you to fill in information that makes you think, “Now why do they need to know that?” this is a red flag. See if you can purchase the item from a reputable merchant.
  • Never shop online using public Wi-Fi such as at a hotel, coffee house or airport.

If the retailer’s URL begins with “https” and has a padlock symbol before that, this means the site uses encryption (it’s secure). If it doesn’t, don’t buy from that merchant if the product is something you can buy from a secure site. Of course, I don’t expect, for instance, Veronikka’s Death by Chocolate Homemade Cookies to have an encrypted site, but if you’re looking for more common merchandise, go with the big-name retailers.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.

Infrastructures under attack

It’s been stated more than once that WWIII will most likely be cyber-based, such as dismantling a country’s entire infrastructure via cyber weapons. And don’t think for a moment this doesn’t mean murdering people.

4DA report at bits.blogs.nytimes.com notes that foreign hackers have cracked into the U.S. Department of Energy’s networks 150 times; they’ve stolen blueprints and source code to our power grid as well. Some say they have the capability to shut down the U.S.

The bits.blogs.nytimes.com article goes on to say that cyber warfare could result in death by the masses, e.g., water supply contamination of major cities, crashing airplanes by hacking into air traffic control systems, and derailing passenger trains. So it’s no longer who has the most nuclear missiles.

The list of successful hacks is endless, including that of a thousand energy companies in North America and Europe and numerous gas pipeline companies. The U.S.’s biggest threats come from Russia and China.

So why haven’t they shut down our grid and blown up furnaces at hundreds of energy companies? Maybe because they don’t have the ability just yet or maybe because they don’t want to awaken a sleeping giant. To put it less ominously, they don’t want to rock the boat of diplomatic and business relations with the U.S.

Well then, what about other nations who hate the U.S. so much that there’s no boat to be rocked in the first place? The skills to pull off a power grid deactivation or air traffic control infiltration by enemies such as Iran or Islamic militants are several years off.

On the other hand, such enemies don’t have much to lose by attacking, and this is worrisome. It is these groups we must worry about. They’re behind alright, but they’re trying hard to catch up to Russia and China. For now, we can breathe easy, but there’s enough going on to get the attention of Homeland Security and other government entities.

Recent attacks show that these bad guys in foreign lands are getting better at causing mayhem. At the same time, the U.S.’s cyber security isn’t anything to brag about, being that very recently, some white hat hackers had tested out the defenses of the Snohomish County Public Utility District in Washington State. They infiltrated it within 22 minutes.

Another weak point in our defenses is the component of pinning down the source of major hacking incidents. So if WWIII becomes real, the U.S. won’t necessarily know where the attack came from.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Sales Staff Targeted by Cyber Criminals

Companies that cut corners by giving cybersecurity training only to their technical staff and the “big wigs” are throwing out the welcome mat to hackers. Cyber criminals know that the ripe fruit to pick is a company’s sales staff. Often, the sales personnel are clueless about the No. 1 way that hackers “get in”: the phishing e-mail. Salespeople are also vulnerable to falling for other lures generated by master hackers.

11DIn a recent study, Intel Security urges businesses to train non-technical (including sales) employees. Sales personnel are at highest risk of making that wrong click because they have such frequent contact in cyberspace with non-employees of their company.

Next in line for the riskiest positions are call center and customer service personnel. People tend to think that the company’s executives are at greatest risk, but look no further than sales, call center and customer service departments as the employees who are most prone to social engineering.

It’s not unheard of for businesses to overlook the training of sales employees and other non-technical staff in cybersecurity. Saving costs explains this in some cases, but so does the myth that non-technical employees don’t need much cybersecurity training.

Intel Security’s report says that the most common methods of hackers is the browser attack, stealth attack, SSL attack, network abuse and evasive technologies.

In particular, the stealth attack is a beast. Intel Security has uncovered 387 new such threats per minute. IT teams have their work cut out for them, struggling to keep pace with these minute-by-minute evolving threats. This doesn’t make it any easier to train non-technical staff in cybersecurity, but it makes it all the more crucial.

Training non-technical staff, particularly those who have frequent online correspondence and have the gift of cyber gab, is the meat and potatoes of company security.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

State sponsored Attacks big Problem

The U.S. Office of Personnel Management, an identity database, was attacked by hackers rather recently, and they hit the jackpot: More than 21 million federal workers are at risk of identity theft for perhaps the rest of their lives, reports an article on forbes.com.

1DThe hackers from overseas now have security clearance documents for these employees that contain some very sensitive personal information. And nobody can take these documents away from the hackers.

That’s the problem with these centralized identity databases. It’s like all the loot is in one location, so that when the thieves strike, they get it all. And as the forbes.com article points out, not too many governments care to invest the money and energy in optimizing the security of these huge central databases. And it’s not just the U.S. with this problem. Other countries have also had either cyber attacks or big issues with their national ID systems.

On the security evolution clock of 24 hours, cybersecurity comes in in the last few seconds. Governments for eons have been very staunch about issuing security in the physical form, such as constructing walls and other barricades near borders.

But protecting a computer database from harm? It’s just not as prioritized as it should be. The forbes.com article notes that the cybersecurity of a country’s citizens makes up the whole of the nation’s security.

Seems like things will be getting way more out of hand before things start getting under control, if ever. In line with this trend is that hackers have, in their possession for all time, fingerprint data of more than one million U.S. security clearance holders.

Governments need to start focusing on protecting the cyber safety of all the millions and millions of ants that make up its nation, or else one day, the empire just might crumble.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Ins and Outs of Call Center Security

Companies that want to employ at-home workers for their call centers to save money and reduce the hassles of office space have to look at security considerations. In addition to thorough vetting of the agents and their equipment, organizations also need to ensure that the security is top-notch. A cloud-based contact center combats these issues. 3DHere are some considerations:

  • Will it anger customers to have an agent who can’t speak clear English? Not only does poor speech of the employee drive some customers away, it also concerns customers who are accessing their data over seas.

When choosing an outsourcer, organizations look for important factors including: (1) agent language capabilities, (2) security capabilities, and (3) financial stability of the outsourcer. – Study conducted by Ovum

  • There comes a point where businesses need to put customer comfort first, especially when it comes to security, such as in the case of healthcare and financial concerns—more complex issues. “Homeshoring” eliminates the awkwardness that sometimes arises when someone is trying to bushwhack through the broken English of the customer support. Though homeshoring will cost companies more, this will be offset by lower turnover rates, small learning curve and a higher rate of first-call resolution.
  • Telecommuters (agents) should be screened vigorously, including (as a minimum) a background check for Social Security Number, criminal history and citizenship.
  • Then, a contract should be drawn up that should include an agreement to customer confidentiality as well as learning specifications.
  • A system should allow the customer to enter, via phone keypad, sensitive information such as credit card number—but without the agent seeing this entry.
  • Sessions between agents and customers can be infringed upon by hackers who want to gain access or snoop, creating a need for an end-to-end security system.
  • Zero-day attacks, which give hackers access, are a big threat. To prevent this, companies must have regularly updated and patched-up systems.
  • A firewall is a must, for server protection and back-end systems.
  • Also a must is two-factor authentication. This superb verification method includes the factor of device location and other identifiers. An agent must have a way of receiving a one-time code sent by the company to gain access to a critical system. A hacker, for instance, won’t be in possession of an agents cell phone to receive the texted code.
  • In tandem with two-factor authentication, the cloud service should require a very uncrackable password so that only at-home agents can gain access. A strong password is at least eight characters (preferably 12) and contains caps and lower case letters, plus numbers and other characters like #, $ and @.
  • Cloud services should be 100 percent PCI Level 1 compliant. To enhance security, have a minimum of two PCI-compliant data centers.

Offshoring and outsourcing for call center agents places an even higher demand for security—which is already greatly needed by virtue of the at-home, virtual workplace. When choosing an outsourcing solution consider all of the above. Ask lots of questions and get quality references.

Robert Siciliano is a Personal privacy, security  and identity theft expert to Arise discussing identity theft prevention. Disclosures.