Posts

Infrastructures under attack

It’s been stated more than once that WWIII will most likely be cyber-based, such as dismantling a country’s entire infrastructure via cyber weapons. And don’t think for a moment this doesn’t mean murdering people.

4DA report at bits.blogs.nytimes.com notes that foreign hackers have cracked into the U.S. Department of Energy’s networks 150 times; they’ve stolen blueprints and source code to our power grid as well. Some say they have the capability to shut down the U.S.

The bits.blogs.nytimes.com article goes on to say that cyber warfare could result in death by the masses, e.g., water supply contamination of major cities, crashing airplanes by hacking into air traffic control systems, and derailing passenger trains. So it’s no longer who has the most nuclear missiles.

The list of successful hacks is endless, including that of a thousand energy companies in North America and Europe and numerous gas pipeline companies. The U.S.’s biggest threats come from Russia and China.

So why haven’t they shut down our grid and blown up furnaces at hundreds of energy companies? Maybe because they don’t have the ability just yet or maybe because they don’t want to awaken a sleeping giant. To put it less ominously, they don’t want to rock the boat of diplomatic and business relations with the U.S.

Well then, what about other nations who hate the U.S. so much that there’s no boat to be rocked in the first place? The skills to pull off a power grid deactivation or air traffic control infiltration by enemies such as Iran or Islamic militants are several years off.

On the other hand, such enemies don’t have much to lose by attacking, and this is worrisome. It is these groups we must worry about. They’re behind alright, but they’re trying hard to catch up to Russia and China. For now, we can breathe easy, but there’s enough going on to get the attention of Homeland Security and other government entities.

Recent attacks show that these bad guys in foreign lands are getting better at causing mayhem. At the same time, the U.S.’s cyber security isn’t anything to brag about, being that very recently, some white hat hackers had tested out the defenses of the Snohomish County Public Utility District in Washington State. They infiltrated it within 22 minutes.

Another weak point in our defenses is the component of pinning down the source of major hacking incidents. So if WWIII becomes real, the U.S. won’t necessarily know where the attack came from.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Sales Staff Targeted by Cyber Criminals

Companies that cut corners by giving cybersecurity training only to their technical staff and the “big wigs” are throwing out the welcome mat to hackers. Cyber criminals know that the ripe fruit to pick is a company’s sales staff. Often, the sales personnel are clueless about the No. 1 way that hackers “get in”: the phishing e-mail. Salespeople are also vulnerable to falling for other lures generated by master hackers.

11DIn a recent study, Intel Security urges businesses to train non-technical (including sales) employees. Sales personnel are at highest risk of making that wrong click because they have such frequent contact in cyberspace with non-employees of their company.

Next in line for the riskiest positions are call center and customer service personnel. People tend to think that the company’s executives are at greatest risk, but look no further than sales, call center and customer service departments as the employees who are most prone to social engineering.

It’s not unheard of for businesses to overlook the training of sales employees and other non-technical staff in cybersecurity. Saving costs explains this in some cases, but so does the myth that non-technical employees don’t need much cybersecurity training.

Intel Security’s report says that the most common methods of hackers is the browser attack, stealth attack, SSL attack, network abuse and evasive technologies.

In particular, the stealth attack is a beast. Intel Security has uncovered 387 new such threats per minute. IT teams have their work cut out for them, struggling to keep pace with these minute-by-minute evolving threats. This doesn’t make it any easier to train non-technical staff in cybersecurity, but it makes it all the more crucial.

Training non-technical staff, particularly those who have frequent online correspondence and have the gift of cyber gab, is the meat and potatoes of company security.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

State sponsored Attacks big Problem

The U.S. Office of Personnel Management, an identity database, was attacked by hackers rather recently, and they hit the jackpot: More than 21 million federal workers are at risk of identity theft for perhaps the rest of their lives, reports an article on forbes.com.

1DThe hackers from overseas now have security clearance documents for these employees that contain some very sensitive personal information. And nobody can take these documents away from the hackers.

That’s the problem with these centralized identity databases. It’s like all the loot is in one location, so that when the thieves strike, they get it all. And as the forbes.com article points out, not too many governments care to invest the money and energy in optimizing the security of these huge central databases. And it’s not just the U.S. with this problem. Other countries have also had either cyber attacks or big issues with their national ID systems.

On the security evolution clock of 24 hours, cybersecurity comes in in the last few seconds. Governments for eons have been very staunch about issuing security in the physical form, such as constructing walls and other barricades near borders.

But protecting a computer database from harm? It’s just not as prioritized as it should be. The forbes.com article notes that the cybersecurity of a country’s citizens makes up the whole of the nation’s security.

Seems like things will be getting way more out of hand before things start getting under control, if ever. In line with this trend is that hackers have, in their possession for all time, fingerprint data of more than one million U.S. security clearance holders.

Governments need to start focusing on protecting the cyber safety of all the millions and millions of ants that make up its nation, or else one day, the empire just might crumble.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Ins and Outs of Call Center Security

Companies that want to employ at-home workers for their call centers to save money and reduce the hassles of office space have to look at security considerations. In addition to thorough vetting of the agents and their equipment, organizations also need to ensure that the security is top-notch. A cloud-based contact center combats these issues. 3DHere are some considerations:

  • Will it anger customers to have an agent who can’t speak clear English? Not only does poor speech of the employee drive some customers away, it also concerns customers who are accessing their data over seas.

When choosing an outsourcer, organizations look for important factors including: (1) agent language capabilities, (2) security capabilities, and (3) financial stability of the outsourcer. – Study conducted by Ovum

  • There comes a point where businesses need to put customer comfort first, especially when it comes to security, such as in the case of healthcare and financial concerns—more complex issues. “Homeshoring” eliminates the awkwardness that sometimes arises when someone is trying to bushwhack through the broken English of the customer support. Though homeshoring will cost companies more, this will be offset by lower turnover rates, small learning curve and a higher rate of first-call resolution.
  • Telecommuters (agents) should be screened vigorously, including (as a minimum) a background check for Social Security Number, criminal history and citizenship.
  • Then, a contract should be drawn up that should include an agreement to customer confidentiality as well as learning specifications.
  • A system should allow the customer to enter, via phone keypad, sensitive information such as credit card number—but without the agent seeing this entry.
  • Sessions between agents and customers can be infringed upon by hackers who want to gain access or snoop, creating a need for an end-to-end security system.
  • Zero-day attacks, which give hackers access, are a big threat. To prevent this, companies must have regularly updated and patched-up systems.
  • A firewall is a must, for server protection and back-end systems.
  • Also a must is two-factor authentication. This superb verification method includes the factor of device location and other identifiers. An agent must have a way of receiving a one-time code sent by the company to gain access to a critical system. A hacker, for instance, won’t be in possession of an agents cell phone to receive the texted code.
  • In tandem with two-factor authentication, the cloud service should require a very uncrackable password so that only at-home agents can gain access. A strong password is at least eight characters (preferably 12) and contains caps and lower case letters, plus numbers and other characters like #, $ and @.
  • Cloud services should be 100 percent PCI Level 1 compliant. To enhance security, have a minimum of two PCI-compliant data centers.

Offshoring and outsourcing for call center agents places an even higher demand for security—which is already greatly needed by virtue of the at-home, virtual workplace. When choosing an outsourcing solution consider all of the above. Ask lots of questions and get quality references.

Robert Siciliano is a Personal privacy, security  and identity theft expert to Arise discussing identity theft prevention. Disclosures.

Trolls: How to deal

Cartoonist Ben Garrison posted something “about the Fed” online, says an article at www.vice.com, and this created a firestorm, leading to his billing as the “most trolled cartoonist in the world.” You see, his other cartoons were altered in an offensive way, fooling people into thinking these alterations were his original creations.

11DHow can Garrison climb out of the hole others dug for him? First identify the type of trolling.The vice.com article describes several forms of trolling:

  • Hate speech. This targets anyone other than a white straight man who’s not transgender.
  • Cyberbullying. Targets are often known by the cyberbullies, though I’d like to point out that in this day and age, if you disagree with someone’s comment on an article, you might be called a bully.
  • Trolling. Like cyberbullying, trolling has developed an incredibly broad encompassment, but in its truest form, it refers to anonymous harassing. The basic difference between cyberbullying and trolling is that the target has no way of responding directly to the troller.
  • Griefing. Many people do something little, like send a nasty tweet. The act itself is minor, but when multiplied by all the people repeating it, it creates a huge effect.

After you identify the type of trolling, report it to the social media platform it occurred on.

  • Facebook doesn’t permit online harassment, but this doesn’t mean it can’t be done. If a FB user allows anyone to post on the page, then gee, a hateful message can easily be posted (though the FB user could take it down and block that person after that point).
  • Twitter doesn’t like hateful messages either, but admits that in the past, they stunk at regulating it, though they’ve gotten better, and in fact, will suspend a violator.
  • The Online Hate Prevention Institute runs Fight Against Hate. Report hateful content, then log the report to FAH, and OHPI will track how long it takes the platform to respond. If the platform is lifeless, then FAH can take action.

The third step is to watch for Phoenix pages. The vice.com article defines a Phoenix page as follows: “…a hate speech fanpage or harassing user is removed from Facebook and then immediately creates a new page or account.”

A Phoenix page can pick up steam much faster than the time it takes to remove it. In fact, Facebook was lax at taking down Garrison’s troll pages. Garrison spent “countless hours” trying to get libel removed from Facebook and Twitter. If you’ve been harassed, be on the lookout for if the harasser has been removed—the appearance of re-created pages and users. Report this promptly.

Next step: Report the problem to the police if it’s interfering with your daily life, though I need to point out that I’ve heard of people becoming unraveled simply because someone kept insulting them in some thread.

Also, the police can’t do anything if the harasser is in a different country. In fact, when writer Amanda Hess reported online harassment to the police, he asked her what Twitter was.

It’s best maybe to bypass the local cops and just give the report to the FBI. You can do this through the Internet Crime Complaint Center. Don’t even think about hiring an attorney; you’ll sink time and money. And trying to get money out of the harasser could be like trying to get blood out of a rock.

Rebuilding your tainted reputation is the final step. One way is to put a disclaimer on your site stating that you’re ignoring the trolls. Admit you’ve been trolled. Let people know what’s happening. This approach might make some of the trolls vanish. In other words, don’t “feed the trolls,” as the saying goes.

If you’re able to contact a troller, then do so with the idea of trying to reason with that person. Though this won’t stop all the other trolls, it might help you see them in a different light if you connect with just one of them.

What happened to Garrison and many others was true harassment that marred their reputation. It can affect your business. It can be very serious stuff. But I urge you also not to become overly sensitive to what really amounts to nothing more than name-calling and someone with too much time on their hands spewing nasty comments to you. Don’t get all shaken up just because someone disagrees with your post or even posts the proverbial “your an idiot” (lack of contraction is intended).

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Opportunities in Government for Skilled Security Personnel

As recent data breaches have shown, cyber attacks are particularly threatening to government entities handling sensitive data like Social Security numbers. Unfortunately, state agencies struggle to hire cybersecurity professionals.

The cause of this staffing shortage? There simply aren’t enough qualified people for the job[i]. Thankfully, change is in the air.

To attract skilled cybersecurity experts, some state governments are expanding IT internships for high school and college students. Many are offering more money, telecommuting jobs and flexible hours in hopes of landing the right candidates.

Some challenges states face in the hiring of skilled IT staff include:

  • Recruiting new workers to fill vacant IT slots
  • Offering competitive salaries to entice skilled professionals from the private sector
  • Filling senior-level IT positions quickly
  • Retaining skilled employees and minimizing turnover

One novel approach is “cross-training” talent: state governments have begun rotating cybersecurity employees through different positions to improve skills quickly. Like an endurance athlete cross-training with weight lifts and short sprints, exposure to different kinds of threats, networks, technologies and security strategies rapidly builds expertise among IT professionals and provides meaningful training for young hires. Cross-training can help improve retention while bolstering a state’s digital security apparatus.

Aspiring cybersecurity professionals should explore options in the public sector. Government employment offers a meaningful, multidisciplinary approach to continuing your cybersecurity journey.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.

[i]  http://www.bls.gov/opub/btn/volume-2/careers-in-growing-field-of-information-technology-services.htm

Phishing Scams: Don’t Click that Link!

You’re sitting on your front porch. You see a stranger walking towards your property. You have no idea whom he is. But he’s nicely dressed. He asks to come inside your house and look through your bank account records, view your checkbook routing number and account number, and jot down the 16-digit numbers of your credit cards. Hey, he also wants to write down all your passwords.

13DYou say, “Sure! Come on in!”

Is this something you’d be crazy enough to do? Of course not!

But it’s possible that you’ve already done it! That’s right: You’ve freely given out usernames, passwords and other information in response to an e-mail asking for this information.

A common scam is for a crook to send out thousands of “phishing” e-mails. These are designed to look like the sender is your bank, UPS, Microsoft, PayPal, Facebook, etc.

The message lures the recipient into clicking a link that either leads to a page where they then are tricked into entering sensitive information or that link is infected and downloads malware to the users’ device.

The cybercriminal then has enough of your information to raid your PayPal or bank account and open up a new line of credit—in your name.

The message typically says that the account holder’s account is about to be suspended or deactivated due to (fill in the blank; crooks name a variety of reasons), and that to avoid this, the account holder must immediately re-enter login information or something like that.

Sometimes a phishing e-mail is an announcement that the recipient has won a big prize and must fill out a form to collect it. Look for emails from FedEx or UPS requiring you to click a link. This link may be infected.

Aside from the ridiculousness of some subject lines (e.g., “You’ve Won!” or “Urgent: Your Account Is in Danger of Being Deactivated”), many phishing e-mails look legitimate.

If you receive an e-mail from a company that services you in any way, simply phone them before you click on any link. If you click any of the links you could end up with malware.

Watch this video to learn about how to avoid phishing:

https://youtu.be/c-6nD3JnZ24

Save yourself the time and just call the company. But you don’t even have to do that. Just ignore these e-mails; delete them. Nobody ever got in trouble for doing this. If a legitimate company wants your attention, you’ll most likely receive the message via snail mail, though they may also call.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

The Growing Demand for Cybersecurity Professionals

Cybersecurity professionals are always in demand[i]. Threats to intellectual property and sensitive data constantly evolve with technology, which means a security professional’s job is never done. There’s always another security problem to solve.

Consider the recent proliferation of cyber attacks: it’s become easier and easier for a small group of people to compromise vast networks of corporate and government information. Worse still, cyber criminals are getting better at covering their tracks.

Experts believe the global shortage of top-flight cybersecurity professionals exceeds one million–our federal government is currently seeking more than 10,000 candidates. The trend will continue in the near future as more and more features of day-to-day living are converted to digital.

As the private sector feels the crush of data breaches, the increasing sophistication of attacks fuels demand to counter or prevent them. Unfortunately, cybersecurity is rarely considered a “glamor job.” Ask a hundred eight-year-olds what they want to be when they grow up and few (if any) will answer “cybersecurity specialist.”

But that’s all the more reason to consider a career in this booming field! Governments and private organizations of all kinds are desperately seeking skilled candidates to protect their data and critical infrastructures from cyber criminals. The shortage of cybersecurity talent is not simply a lucrative opportunity for IT experts–it’s a matter of national security in defense of privacy, property and fair commerce.

Simply stated: there have never been better opportunities for advancement in the cybersecurity profession.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.


[i]  http://www.bls.gov/opub/btn/volume-2/careers-in-growing-field-of-information-technology-services.htm

A look into Cyber Weapons of the Future

Remember the good ‘ol days when you thought of a finger pushing a button that launched a Russian missile that then sped at seven miles per second towards the U.S. to blow it up?

http://www.dreamstime.com/stock-images-online-risks-sign-road-banner-image34668294Little did we know back then what would one day be a way for the Superpowers to war on each other: cyber technology!

A new book is out called Ghost Fleet: A Novel of the Next World War, written by Peter W. Singer and August Cole. WWIII certainly won’t be wrought with speeding missiles and hand-to-hand combat in the trenches—at least not the bulk of it.

An article on vice.com notes that the Third World War will take place in cyberspace (in addition to land, sea and air).

Vice.com contacted Singer about his novel. One of the villains is China, even though much of the attention has been on the Middle East and so-called terrorist attacks by radical Muslims.

To write the novel, the authors met with a wide assortment of people who, if WWIII were to come about, would likely be involved. This includes Chinese generals, anonymous hackers and fighter pilots. This gives the story authenticity, realism…a foreshadowing.

Singer explains that his novel is so realistic that it’s already influencing Pentagon officials in their tactics.

The Third World War will probably not require so much the ability to do pull-ups, slither under barbed wire and rappel down buildings, but the mastering of cyberspace and outer space: It’s likely that the winner of this war will be king beyond land, sea and air: lord over the digital world and the blackness beyond our planet’s atmosphere.

Projected Weapons of WWIII

  • A kite-shaped Chinese drone, massive enough to take out stealth planes and ships
  • Drones that, from high altitude, could get an instant genetic readout of an individual
  • Smart rings that replace computer mouses
  • Brain-machine interfaces. This already exists in the form of paralyzed people using their thoughts (hooked up to a computer) to move a limb (their own or robotic). This technology has applications in torturing the enemy.

That old saying, “What the mind can conceive and believe, can be achieved,” seems to be becoming more truer by the second. Imagine being able to wipe out the enemy by plugging your thoughts into a computer and imagining them having heart attacks.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Cyberbullying: Its Uniqueness & Prevention

Unfortunately, cyberbullying is prevalent, and a growing threat in today’s always-connected world. Cyberbullying refers to bullying done via computers, or similar technologies, such as cell phones. This kind of bullying usually includes mean or threatening comments, or public posts through texts, emails, voice mails, social media posts, all intended to embarrass the victim.

11DCyberbullying can happen to both adults and kids, but since it’s so common among youths, it’s good to know how to help your children deal with the problem.

One important idea to keep in mind is that unlike the kind of face-to-face bullying that many of us witnessed in school years ago, cyberbullying doesn’t end when the bully is out of sight.

These days, a bully can virtually follow his or her victim everywhere using technology. The bullying can take place without the victim’s immediate awareness, and because of the broad reach of social media, the audience is often much larger than at the school yard.

Since it can be difficult to get a cyberbully to stop their harassment, your best bet is to teach your kids safe online habits to try to prevent a bullying situation in the first place.

Cyberbullying Prevention Tips:

  • Let your kids know that you will be monitoring their online activities using parental control software. Explain how it works and how it can benefit everyone. This policy should be well-established long before your kids get their own cell phone and computer.
  • Make a point of discussing cyberbullying with your kids, and help them understand exactly what it is and how it happens. These discussions should take place before kids get their devices.
  • Set a condition before a child gets his or her very own smartphone and computer they must give their passwords to you. You can, of course, reassure them that you won’t use the passwords unless there’s a crisis.
  • Another condition for device ownership is that your kids will sit through instruction on smart online habits, and most importantly, they should understand that once you post something in cyberspace, it’s there forever.
  • Once your kids get their devices, role-play with them. This gives you a chance to play the part of a bully, and teach your kids appropriate responses.
  • Warn your kids not to freely give out their cell phone number and email address, and tell them that they should never reveal their passwords, even to close friends.
  • Stay aware of your children’s online activities and reassure them that they will never get in trouble if they report cyberbullying to you.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.