
3 Ways We are Tricked into Cyber Attacks

So just how are hackers able to penetrate all these huge businesses? Look no further than employee behavior—not an inside job, but innocent employees being tricked by the hacker.

A recent survey commissioned by Intel Security reveals that five of the top seven reasons that a company gets hacked are due to employee actions.

One of the things that make it easy to trick employees into giving up critical information is the information employees share on social media about their company.

People just freely post things and tweet all day long about company matters or other details that can be used by a hacker to compromise the company. What seems like innocuous information, such as referring to a company big wig by their nickname, could lead to social engineering (tricking users into believing the request is legitimate so the user gives up sensitive information).

Between social media and the golden nuggets of information on Facebook, Twitter, LinkedIn and other platforms, hackers have a goldmine right under their nose—and they know it.

3 Key Pathways to Getting Hacked

  1. Ignorance. This word has negative connotations, but the truth is, most employees are just plain ignorant of cybersecurity 101. The survey mentioned above revealed that 38% of IT professionals name this as a big problem.
    1. Do not click on links inside emails, regardless of the sender.
    2. Never open an attachment or download files from senders you don’t know or only know a little.
    3. Never visit a website on the job that you’d never visit in public. These sites are often riddled with malware.
  2. Gullibility. This is an extension of the first pathway. The more gullible, naive person is more apt to click on a link inside an email or do other risky things that compromise their company’s security.
    1. It’s called phishing (sending a trick email designed to lure the unsuspecting recipient into visiting a malicious website or opening a malicious attachment). Even executives in high places can be fooled, as phishing masters are truly masters at their craft.
    2. Phishing is one of the hacker’s preferred tools, since the trick is directed towards humans, not computers.
    3. To check if a link is going to a phishing site, hover your cursor over the link to see its actual destination. Keep in mind that hackers can still make a link look like a legitimate destination, so watch out for misspellings and bad grammar.
  3. Oversharing. Malicious links are like pollen—they get transported all over the place by the winds of social media. Not only can a malicious link be shared without the sharer knowing it’s a bad seed, but hackers themselves have a blast spreading their nasty goods—and one way of doing this is to pose as someone else.
    1. Be leery of social media posts from your “friends” that don’t seem like things they would normally post about. It could be a hacker who is using your friend’s profile to spread malware. Really think…is it like your prude sister-in-law to send you a link to the latest gossip on a sex scandal?
    2. Don’t friend people online that you don’t know in real life. Hackers often create fake profiles to friend you and then use their network of “friends” to spread their dirty wares.
    3. Take care about what you post online. Even if your privacy settings are set to high, you should think that when you post on the Internet, it’s like writing in permanent ink—it’s forever. Because did we all really need to know that time you saw Kanye from afar?

All of us must be coached and trained to keep ourselves and our workplaces safe, and that starts with practicing good cyber hygiene both at home and at work.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

11 Ways to prevent your Email from getting hacked

#1. Whenever possible, configure your Internet connection to always use HTTPS. This is the “https” that appears before the “www” in a Web address, and the https is preceded by a padlock icon.

For Gmail, this works by clicking Settings in the top right; select the General tab, then hit Always use HTTPS, then save this setting. This option is not available for those who access email via Hotmail.

#2. Do not open unfamiliar emails. If you open one you think is from someone you know but realize it’s not, delete it immediately. Do not click any links in the message or send the sender personal or banking information. Once you click that link, your computer could become infected or your information stolen through a phishing scam.

#3. Install anti-virus, anti-spyware and firewall on your computer and keep them updated. Automated updates are the ideal choice.

#4. Do not log into your accounts from an untrusted computer (e.g., at the coffee house, library), or one that you don’t maintain (e.g., friends’ and family’s). Even if you trust your friends and family, their computer could be infected from spyware.

#5. Make sure your passwords, plus security questions and answers are strong. Every six months, change your passwords. Never use the same password for different accounts. A strong password has upper and lower case letters plus numbers and punctuation, forming a non-English word.

For questions and answers, they don’t have to be true; false information cannot be researched or discovered on your Facebook page, such as the name of “your first pet” when you never had a pet: “Fuzzie-Glow” – who’s ever going to figure that out?

#6. Find out just how secure your passwords are. Some setups indicate strength with a rating of “weak” to “strong.” Always choose “strong.” If there’s no rating, go to How Secure Is My Password to see how fast your account can be hacked.

On the “How Secure” site, don’t type in your actual password if you’re skittish about doing that (even though the site is secure and will never release it anywhere), but type in something similar. So if your password is “catlover,” type in “horselover” and see what happens.

#7. Your password should not be on the list of the most popular passwords. Here is the full list. If yours is there, change it immediately, even if you must give up an easy-to-type sequence.

#8. Enable 2-step verification if you use Google for any activity. The 2-step adds additional security to a Google account. After entering your username and password, you’ll then enter in a code that Google sends out via voicemail or text when you sign in. This will make it harder for someone to guess a password.

#9. Use a password manager. This service eliminates the need to type in a password at log-in; log in with one click. A master password eliminates having to remember all your different passwords.

#10. You may think your password is unique because it’s a jumble of characters, but it may not be very strong simply because it’s not long enough. The longer the password, the more uncrackable it will be.
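To make tips #5, #7 and #10 concrete, here is an added example (not from the original post) that estimates how long an offline guessing attack would need for a password from the character classes it uses and its length, after first checking a tiny constructed stand-in for the popular-password list. The guess rate is an assumption, chosen only to make the comparison visible.

```python
"""Estimate password keyspace, entropy and worst-case cracking time by class and length."""
import math
import string

# Constructed mini blocklist standing in for the published "most popular passwords" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "catlover"}

# Character classes and their alphabets; an attacker must try every class the password uses.
CLASSES = (
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
)

GUESSES_PER_SECOND = 1e10  # assumed rate for a fast offline cracking rig (illustrative only)


def keyspace(password):
    """Size of the alphabet an attacker must search, given the classes actually present."""
    size = 0
    for _, alphabet in CLASSES:
        if any(c in alphabet for c in password):
            size += len(alphabet)
    return size


def assess(password, rate=GUESSES_PER_SECOND):
    """Return keyspace, entropy in bits, worst-case seconds to exhaust the space, and a verdict."""
    if password.lower() in COMMON_PASSWORDS:
        return {"space": 0, "bits": 0.0, "seconds": 0.0,
                "verdict": "on the popular-password list: change it"}
    space = keyspace(password)
    bits = len(password) * math.log2(space) if space else 0.0
    seconds = space ** len(password) / rate
    if bits < 40:
        verdict = "weak"
    elif bits < 64:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"space": space, "bits": round(bits, 1), "seconds": seconds, "verdict": verdict}


if __name__ == "__main__":
    # A short jumble using all four classes versus a long all-lowercase passphrase.
    for candidate in ("catlover", "horselover", "Xk9#pQ2!", "purplegiraffemonday"):
        result = assess(candidate)
        print(f"{candidate:22} space={result['space']:3} bits={result['bits']:5} "
              f"days={result['seconds'] / 86400:.3g}  {result['verdict']}")
```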

#11. Use virtual private network software to encrypt any wireless communications. A virtual private network (VPN) is a network set up to communicate privately over a public network. For example: You occasionally want to or need to work from home and your employer knows that if you do, the data that travels between your PC and an office PC needs to be protected.

Another example is when you use public WiFi, knowing your wireless data can be sniffed out by criminals. Using a VPN solves that problem.

Hotspot Shield VPN service is a great option that protects your entire web surfing session, securing your connection on both your home internet network and public internet networks (both wired and wireless).

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Actress Sofia Vergara’s Personal Photos Hacked or Stolen Via Mobile

In my line of work I get emails such as this one: “Hi Robert, I’m not sure if you saw what had happened on my Facebook page last night, but someone stole my cell phone while I was at a concert, and posted all of my naked pictures off of my phone and posted them to my wall. They were up there for hours.”

Apparently if you are under the age of 40 this is commonplace. After the age of 40, not so much.

My response: “Horrible lesson learned. And, ahm, maybe no naked pics on your phone? Jeesh. Digital is forever.”

Her response: “That’s what everyone keeps telling me, I should’ve deleted them. Just never thought someone would do that. They could’ve just taken the phone, they didn’t have to embarrass me like that.”

The problem is “they” don’t just look to embarrass someone, they try to sell them, and in some cases extort the victim. We must remember some people aren’t looking to play nice.

The NY Post reports, “‘Personal’ photos of stunning actress Sofia Vergara have been put up for sale after being allegedly stolen from her fiancé Nick Loeb’s BlackBerry. The sexy pictures, which we’re told are personal in nature but are not nude images, were somehow hacked or stolen from Loeb’s phone before the couple got engaged in July.”

In both of these situations, simply locking the device would have prevented the problem.

Have you ever thought about what would happen if you lost your mobile phone? For a lot of us, it can also be a nightmare if it’s lost, stolen or hacked, especially since an untold amount of people are using their mobiles like a bedroom accessory.

But despite the fact that 1/2 of us would rather lose our wallet than our mobile phone, only 4% of us have taken steps to protect our mobile device with security.

We don’t realize that our photos, emails, text messages and our apps can be an open door for thieves into our personal information, privacy and financial accounts.

Mobile devices are on the move, meaning they can more easily be lost or stolen and their screens and keyboards are easier targets for “over the shoulder” browsing. Below are some tips to protect you and your device.

  • Never leave your phone unattended in a public place
  • Put a password on your mobile
  • Set your phone to auto-lock after a certain period of time
  • When doing online banking and shopping, always log out and don’t select the “remember me” function
  • Use mobile device protection that provides anti-theft

Mobile device protection can be used to back up and restore the information on your phone, as well as remotely locate it and wipe data in the case of loss or theft. Mobile device protection also offers anti-virus as well as web and app protection.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

How To Recover a Hacked Facebook Account

At least weekly some stressed out victim of a Facebook hack, a.k.a. “account takeover,” contacts me to help them get their account back in order. While I do have a connection or two at Facebook, I’m not in a position to send an email or flip a switch and make it all good just like that. Facebook doesn’t allow that.

The victim of the hack is in the best position to fix it themselves.

First, be proactive. Set up your computer with auto updates for your operating system, anti-virus, anti-phishing, anti-spyware and have a 2-way firewall turned on and lock down your wireless connection.

Facebook offers a number of security features. Use all of them. Take screenshots of your settings and contact info, print them, and store them in a secure place.

Opt-in security features:

Trusted Friends

What are trusted friends?

Trusted friends are friends you can reach out to if you ever get locked out of your Facebook account (ex: you turn on login approvals and then lose your phone, you forget your Facebook password and can’t get into your login email account to receive a password reset). If you get locked out, we’ll send each of your trusted friends a security code. All you need to do is call your friends and collect the codes.

Secure Browsing (https)

What is Secure Browsing (https)? What are the benefits?

Secure Browsing (https) is an opt-in security feature. When you turn this feature on, your traffic (i.e. all of your activity) on Facebook becomes encrypted, making it harder for anyone else to access your Facebook information without your permission.

Login Notifications

What are Login Notifications?

Login Notifications are an opt-in security feature where alerts are sent to you each time your account is accessed from a new device.

To turn on Login Notifications:

  1. Go to your Security Settings page (Account > Account Security > Security)
  2. Click on the Login Notifications section
  3. Check the box next to the type of alerts you’d like to receive and save your changes

Note: If you want to receive text message alerts, you’ll need to add a mobile number to your account.

Login Approvals

What is Login Approvals?

Login Approvals is an opt-in security feature similar to Login Notifications, but with an extra security step. With Login Approvals, each time you try to access your Facebook account from an unrecognized device (ex: any computer or mobile phone you haven’t named and saved to your Facebook account), you will first have to enter a security code we’ve sent to your mobile phone.

To turn on Login Approvals:

  1. Go to your Security Settings page (Account > Account Security > Security)
  2. Click on the Login Approvals section
  3. Check the box and save your changes

If all else fails, go to https://www.facebook.com/hacked. This is the system Facebook has in place to help you get your account back, regardless of whether the hacker changed your email address.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Mobile Phones Being Hacked and Cloned

Cloning occurs when hackers scan the airwaves to obtain SIM card information, electronic serial numbers and mobile identification numbers, and then use that data on other phones.

Cloning can happen anywhere, anytime that you’re using your phone. The bad guy simply uses an interceptor, hardware, and software to make a phone exactly like yours.

A few years ago, I was in San Diego on business. Two weeks later I received a call from my carrier alerting me to $1500.00 worth of international calls I had not made. The activity triggered an alert within their system and they shut my account down.

Fortunately for me, my carrier recognized the fraud and relieved me of the charges, rather than me discovering it and having to fight to reverse the charges. Apparently, it was a known issue that scammers in Tijuana were cloning U.S.-based phones.

Anita Davis, another mobile clone victim, wasn’t so lucky. One month, her cell phone bill showed $3,151 worth of calls to Pakistan, Israel, Jordan, Africa, and other countries. Anita called her carrier immediately and told them she didn’t know anyone in those countries, or anyone outside the U.S. for that matter. She says, “They told me I had to have directly dialed these numbers from my cell phone and I needed to make a payment arrangement or they would send my bill to collections.” After begging and pleading, Anita convinced them to drop the charges.

The extent of your vulnerability varies depending on your phone and the network you’re on. Cloning mobile phones is becoming increasingly difficult, but consumers can’t do anything to prevent it from happening. The best way to mitigate the damage is to watch your statements closely. The moment you see an uptick in charges, contact your carrier and dispute the calls.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. (Disclosures)

When FTC Sends a Warning, Data Theft Has Jumped the Shark

When Fonzie jumped the shark on his HOG, that spelt the end of Happy Days.

The FTC sending a warning to 100 companies and agencies that their employees are leaking client and sensitive data on the web via Peer to Peer file sharing (P2P) is the single most pathetic and embarrassing communication to come across the desk of an IT professional. It’s over, Johnny IT’S OVER!

The FTC certainly has their hands full with the mess of information security that we call identity theft. I’ve met some from the FTC. These are smart people who are doing the best they can with what they have to work with. But government is usually the last to be on top of what is new and ahead of what is next, especially with technology issues. Generally, they are reactive and fix it after it’s broken. They step in when there is a problem and work to fix it so it’s not a problem in the future.

How is it that after hundreds of data breaches and numerous articles that all point to leaks via P2P, there are still companies who allow the installation of technology that opens a big hole in your network, big enough for a car bomb?

As Byron Acohido eloquently stated, “The Federal Trade Commission today finally voiced concern about the long-known problem of data leaking into criminal hands via LimeWire, BearShare, Kazaa and dozens of other peer-to-peer (P2P) file sharing networks.” The operative word here being “FINALLY!” Why are we having this conversation?

For the under-a-rock crowd, P2P has been around since before the days of Napster. Peer to peer file sharing is a great technology used to share data over peer networks. It’s also great software to get hacked through.

Last year the House Committee on Oversight and Government Reform responded to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords. This is the same P2P software that allows users to download pirated music, movies and software.

An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software. In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for an entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and frankly, the most fun kind of hacking. I’ve seen reports of numerous government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.

  • Don’t install P2P software on your computer.
  • If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
  • Set administrative privileges to prevent the installation of new software without your knowledge.
  • If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus, keep it auto-updated, and check out my spyware killer IDTheftSecurity HERE

3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker video hacking P2P getting lots of fun data.

Mom Was Wrong. Strangers Good. People We Know Bad.

Robert Siciliano Identity Theft Speaker

An axiom in business is that we buy from and do business with those who we know like and trust. In the 21st century we have seen CEOs, investment bankers, politicians and those in the highest positions of trust completely screw everyone who put them on their pedestal.

Madoff pleaded guilty to orchestrating a 65 billion dollar Ponzi scheme, and 3 rows of investors in attendance at his trial clapped, applauded and sang. These are people that entrusted an incredible amount of money to a man that is probably a psychopath.

What does this say about us as a species that trusts so much?

Charles Ponzi began his scheme 100 years ago and was caught 10 years later. The SEC stepped in and stopped him. The SEC didn’t stop Madoff. They allowed him to prosper, until his operation imploded.

Growing up, most of us were schooled on “Stranger Danger” because our parents were also told not to talk to strangers. Strangers are “strange,” therefore dangerous. At least that seemed to be the theory. Unfortunately I’ve seen all too often that people we know are sometimes the baddest apples in the bunch. Kids’ coaches, swim teachers, clergy, etc.

In a Wall Street Journal article Bruce Schneier makes the point that people are overall good and generally honest. So approaching a stranger probably wouldn’t mean imminent danger. Basically true.

On the other hand if someone pursues or approaches you, they are essentially paying unwanted attention to you, or distracting you from the truth. Maybe getting ready to take advantage of you in some devious way.

We see this all the time when law enforcement sets up a profile of a 14-year-old girl named Dixey14 in a chatroom, and she (or he) is quickly approached by 50 men with webcams snapping pictures of themselves. So in this sense talking to strangers is bad. Video Here

Nigerian identity theft 419 scams are based on one single principle to be successful: get to know your mark, get them to like you and they will trust you. Done. They start off as a stranger, then become their victim’s knight in shining armor coming to the emotional (and financial) rescue. Scambaiter video Here

I’ve talked over and over about insiders at a company maliciously hacking away at the network and stealing data. They aren’t strangers, they are the funny drunk dudes at the Christmas party.

You want to prevent being scammed? Prevent Data theft? Prevent identity theft? Prevent being hacked?

Do not exclusively rely on any one system to protect you. Don’t expect the government and their bazillion bureaucratic agencies to protect you. Don’t think law enforcement or any other authoritative agency will be there when a predator strikes.

All existing systems work often, and fail as much.

Security is about layers. The more layers of protection you have in place, the more difficult you make it for the bad guy to get access. Redundancy, predictive, proactive thinking.

Someone pour me a scotch. Single malt.

Oh, and I’m very excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information

Robert Siciliano Identity Theft Expert Discussing Bernie Madoff Con Man Here