Posts

Hacking Humans is Painfully Easy

Hackers can take over someone’s life in a matter of hours. Just ask Patsy Walsh.

Though she is not a tech-savvy person, the grandmother of six did have a Facebook account, and that was all the hackers needed to take over her life. By using methods such as click baiting (the act of convincing someone to click on a fake link) and then gathering information, the hackers were able to get into other accounts. They eventually hacked things such as her power of attorney form and Social Security information, and learned how to open her garage door and her home.

How did they do this? Mrs. Walsh used the same password for all accounts and did not use recommended security measures.

Fortunately, Mrs. Walsh’s life wasn’t ruined. Instead, this hacking was set up by the New York Times and a private company made up of “ethical hackers” (yes, there is such a thing) to show just how easy it is to gain access to someone’s digital life.

Computers Are Gold Mines of Important Information

When the team of ethical hackers gained access to Mrs. Walsh’s computer, they found a number of malicious programs running in the background. Examples include InstallBrain, a program that will download programs on demand, and programs such as SlimCleaner, SearchProtect and FunWebProducts, which can spy on Internet searches, change home pages and gather information through click baiting. More than likely she downloaded some lame tool bar that added all this bloatware. Keep in mind, Mrs. Walsh was only visiting sites such as Google and Facebook, sites that most of us visit several times a day.

Stopping the Hackers in Their Tracks

We can all learn lessons from Mrs. Walsh’s experience. Here are some things that she could have done to prevent this from occurring, and things you should do to remain safe:

  • Use a password manager to keep track of long or complicated passwords, and use a different password for every account.
  • Use a two-step authentication service, one that asks for a second password when an unrecognized machine attempts to access an account.
  • Use automatic updates for services such as browser updates or operating system updates.
  • Wipe the computer clean if necessary, then start employing these new practices.
  • Stop downloading stupid useless tool bars that are often delivery methods for crappy software.
  • Pay attention to what you are downloading and why. Even when you are updating software, look for any checked boxes that install bloatware.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Hacking Cars Getting Easier and More Dangerous

If your car is in any way connected to the Internet, it can get hacked into. You know it’s only a matter of time before hackers begin infiltrating motor vehicles in droves, being that vehicles are plagued with hundreds to thousands of security vulnerabilities.

This hack is more serious than you think. Drivers and passengers should be aware that “flawed” and compromised vehicles can suddenly be taken over remotely and forced to shut down the engine in the middle of a highway or to drive into other cars. And it’s not just cars, but 18-wheelers and busloads of people.

In fact, white-hat hackers (the good guys) have even demonstrated that a bad hacker could take control of a motor vehicle, ranging from annoying pranks such as turning on the windshield wipers and radio, to potentially lethal actions like stopping the engine.

Hackers could demand ransom from governments in bitcoins for the return of the vehicles’ control to their drivers. Or, as the Assistant Attorney General for National Safety has indicated, “connected cars are the new battlefield”. Connected cars could be used by terrorist organizations to create havoc on a mass scale. The possibilities are limited only by the imagination.

This concern has motivated the FBI, Department of Transportation and the National Traffic Safety Administration to issue a public safety alert, warning consumers to keep to their service schedule so that their cars’ software can be upgraded with remedies to those security vulnerabilities.

Solutions are available and in the works.

  • If your car has any web connecting abilities, do your research for year/make/model. Search “hacked” along with the car’s particulars.
  • Manufacturers that have discovered security vulnerabilities (often because a researcher makes it public) have offered subsequent patches in response. These notices may come in the mail or through a dealership.
  • It’s important to check your car manufacturer’s website to determine if a vulnerability exists.
  • A connected vehicle has ECUs: electronic control units. An article in Fortune says Karamba Security’s “Carwall” can detect and thwart cyber attacks. Carwall is like a firewall for your vehicle ECU. It detects anything that’s not permitted to load or run on ECUs.

When the ECU software is being built, security software can be seamlessly embedded, becoming part of the entire process. No change of code, no developers’ know-how, no false positives and no hacks. Problem solved.

Anonymous Begins a 30 Day Assault Against Central Banks

“Anonymous” is an activist hacking group that has recently boasted that it will engage in 30 days of cyber assaults against “all central banks,” reports an article on cnbc.com.

And their bite is as big as their bark, as this announcement came soon after several major banks around the world were struck—and Anonymous proudly claimed credit. The banks that were apparently breached by Anonymous include:

  • Bangladesh Central Bank
  • National Bank of Greece
  • Qatar National Bank

Anonymous put up their plans on a YouTube video: a “30-day campaign against central banks around the world.” The hacking group calls their endeavor Operation Icarus, bragging about how they crumbled the Bank of Greece with a denial of service attack.

Anonymous has stated that it will target the following financial institutions:

  • Visa
  • MasterCard
  • Bank for International Settlements
  • London Stock Exchange
  • And of course, “all central banks” and “every major banking system”

Anonymous has a real gripe against banks, because they further state, “We will not let the banks win,” continues the report at cnbc.com. The hacking group wants everyone to know that their operation will be “one of the most massive attacks” ever committed in Anonymous’s history.

The article adds that another media outlet, Gulf News, reports that the hackers who infiltrated Qatar National Bank attacked yet another bank and intend on making the stolen data public for this second attack—very soon. It’s possible that this leaked data will be used for ransom.

For you, the everyday bank customer: don’t worry about any of this, BUT always pay close attention to bank activity and make sure all transactions have been authorized by you. Sign up for alerts and notifications via text and email so you see every transaction in real time.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

How the FBI hacks You

A recent Wired.com exposé reveals how the FBI has been secretly hacking civilian computers for about 20 years, but thanks to Rule 41, their ability to hack has been expanded.

Nevertheless, effective record keeping for these hacking incidents doesn’t exist. For instance, search warrants that permit hacking are issued using elusive language, and this makes it difficult to keep track of when the feds hack.

Also, it’s not required for the FBI to submit any reports to Congress that track the FBI’s court-sanctioned hacking incidents—which the FBI would rather term “remote access searches.”

So how do we know this then? Because every so often, bits of information are revealed in news stories and court cases.

Carnivore

  • Carnivore, a traffic sniffer, is the FBI’s first known remote access tool. Internet Service Providers allowed it to be installed on network backbones in 1998.
  • This plan got out in 2000 when EarthLink wouldn’t let the FBI install Carnivore on its network.
  • A court case followed, and the name “Carnivore” certainly didn’t help the feds’ case.
  • Come 2005, Carnivore was replaced with commercial filters.

The FBI had an issue with encrypted data that it was taking. Thanks to the advent of keyloggers, this problem was solved, as the keylogger records keystrokes, capturing them before the encryption software does its job.

The Scarfo Case

  • In 1999 a government keystroke logger targeted Nicodemo Salvatore Scarfo, Jr., a mob boss who used encryption.
  • The remotely installed keylogger had not yet been developed at this time, so the FBI had to break into Scarfo’s office to install the keylogger on his computer, then break in again to retrieve it.
  • Scarfo argued that the FBI should have had a wiretap order, not just a search warrant, to do this.
  • The government, though, replied that the keylogger technology was classified.

Magic Lantern

  • The Scarfo case inspired the FBI to design custom hacking tools: enter Magic Lantern, a remotely installable keylogger that arrived in 2001.
  • This keylogger also could track browsing history, passwords and usernames.
  • It’s not known when Magic Lantern was first used.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

10 Ways to Protect your WordPress Site or Blog from Hackers

As much as you try, the unfortunate truth is that hackers are going to try to attack and access your WordPress website or blog, whether you like it or not. So, it is up to you to make sure you make the hacker’s job as difficult as possible. Here are some tips:

1. Use Plugins

One way to make your WordPress account less appealing is to use security plugins. These vary in quality, and you might have to purchase some of them, too. Just make sure to do some research before buying them, and when you do, only buy them from a trusted marketplace.

2. Choose The Right Password and Change It Often

When choosing a password for your account, make sure it is a minimum of 8 characters, and mix it up with letters, numbers and symbols. Also, change your password about every 2-3 months.

3. Change Your Defaults

Also, make sure that you are changing the default user name and password that you are given for your hosting account.  It’s best, in fact, if you change any detail that you are allowed to change, simply because you don’t know how secure your host’s servers are.

4. Only Choose Secure Hosting

Use a secure hosting company. There is no better tip than that. If you go with a free package, understand that you will get what you pay for.

5. Install All Updates

Make sure you are installing any updates you get from WordPress. These often contain security features that can protect you.

6. Consider Hosting Company Security Options

Many good hosting companies offer security options for their clients, and if you have this option, do it. Just make sure you are not paying too much, and look for coupon codes, if possible.

7. Delete What You Are Not Using

If you have unused images or plugins in your account, delete them. They waste space and can put your account and site at risk.

8. Back Up Everything

Your best defense against hackers is to make sure you are backing up everything, and do it often. You can delete any old backups to save space.

9. Watch the Powers You Give Contributors

Though it might be tempting to allow authorized contributors to post their own blogs and articles, don’t give them any more access to your site than you have to.

10. Use Security Suites

There are a variety of web-based security products designed to proactively monitor your site and block unauthorized activity. Check out Cloudbric. This all-inclusive solution helps in preventing web attacks including DDoS, while also providing SSL and CDN services.

Robert Siciliano is a personal privacy, security and identity theft expert to Cloudbric discussing identity theft prevention. Disclosures.

Ransomware Hackers provide Customer Service Dept. to Victims

Yes, believe it or not, ransomware has become such a booming business for thieves, that these cyber thugs even provide bona fide customer service departments to guide their victims!

When ransomware infects your computer, it holds your files hostage; you can’t access them—until you pay the hacker (usually in bitcoins). Once paid, the crook will give you a decryption “key.” Sometimes the fee will go up if you don’t pay by a deadline. Fees may range from a few hundred to several hundred dollars, to way more for big businesses.

Thieves typically include instructions on how to pay up, and they mean business, sometimes being “nice” enough to offer alternatives to the tedious bitcoin process. They may even free one file at no cost just to show you they’re true to their word.

As the ransomware business flourished, particularly Cryptolocker and CryptoWall, hackers began adding support pages for victims on their sites.

An article at businessinsider.com mentions that one victim was able to negotiate a cheaper ransom payment.

Why would thieves support victims?

  • It raises the percentages of payments made; the easier the process, the more likely the victim will pay. The businessinsider.com article quotes one ransomware developer as stating, “I tried to be as [much of] a gentleman thief as my position allowed me to be.”
  • It makes sense: If victims are clueless about obtaining bitcoins and are seeking answers, why wouldn’t the crook provide help?

Perhaps the most compelling reason why bad hackers would want to help their victims is to get the word out that if victims pay the ransom, they WILL get their decryption key to unlock their encrypted files.

This reputation puts the idea into the heads of victims to “trust” the cyberthief. Otherwise, if ransomware developers don’t give the key to paying victims, then word will spread that it’s useless to pay the ransom. This is not good for the profit-seeking hacker.

These crooks want everyone to know that payment begets the key. What better way to establish this reliability than to provide “customer” support on websites and also via call centers where victims can talk to live people?

Apparently, at least one ransomware developer has a call center where victims can phone in and get guidance on how to get back their files.

Prevent ransomware by keeping your devices updated with the latest OS, antivirus and browser, and by backing up your data both locally and in the cloud.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Hacker for hire a rising Trend

Hackers and wannabe hackers can easily purchase cheap tools of the trade online. The security firm Dell SecureWorks Inc. confirms this in their latest report and adds that underground markets for hackers, including those from Russia, are thriving.

The “Dark Web” is the go-to place for hackers looking for guidance and tools like malware. Yes, you can buy malware. If you don’t want to be the hacker, you can hire a hacker.

There’s any number of reasons why a non-techy person would want to hire a hacker. Maybe that person wants to make money and thus hires a hacker to create a phishing campaign that generates lots of credit card numbers and other personal data for the hacker’s client to then open credit lines in victims’ names.

Maybe another client wants revenge on an ex-lover, their current boss or neighbor; they hire a hacker to crack into the target’s Facebook account, and then the client is able to log in, impersonate the victim and post comments and images that will make the victim look frightfully bad.

Dell SecureWorks Inc. also found:

  • For $129 a hacker will steal e-mails from personal Yahoo or Gmail accounts.
  • For business accounts, however, hackers want $500 per e-mail.
  • Wannabe hackers can buy phishing tutorials as well as other tutorials for $20 to $40.
  • Gee, for just $5 to $10, you can buy a Trojan virus that you can infiltrate someone’s computer with and control it—even if you’re a thousand miles away.

So booming is the hacker for hire and hacker-in-training industry, that these cybercriminals even offer customer service. Makes you wonder why hackers are selling their knowledge, tools and providing customer service, if they can make so much more money just hacking.

Well, maybe deep down inside, these crooks have a kind heart and want to help out people, even if it means helping them commit crimes. Another explanation is ego; they’re so good at what they do that they want to share their knowledge, albeit for a fee.

What else is for sale on the Dark Web? Stolen hotel points and frequent flyer accounts. Buyers can use these to get gift cards on legitimate sites, says the report from Dell SecureWorks Inc.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Hackers don’t play well with Kids’ Toys

No company is immune from hackers—even a toy company. Hong Kong based VTech got hit by a hacker recently. This company makes techy educational toys for kids, and its database got breached.

Customers go to the Learning Lodge store and download content to their children’s VTech devices. The devices that content can be downloaded to are a tablet, a watch and an action camera.

But recently, this gateway store was attacked.

Some customers’ private information—now in the hands of the hacker—may put them at risk for being victims of identity theft or even a crime against their children. The customer database is comprised of people from many countries including the U.S., UK, Canada, China, Latin America, France and Australia.

The hacker anonymously contacted the company to reveal what was stolen: customers’ names, their kids’ names and birthdates, passwords, e-mail addresses, IP addresses, home addresses and even their secret question. And we all know that hackers have been known to find the answer to a secret question by perusing the potential victim’s Facebook posts!

At least credit card information wasn’t leaked.

But imagine how unnerving it is to know that someone out there has your mailing address, IP address, children’s names and birthdates. Oh, and it doesn’t stop there. The hacker revealed that photos of kids were also leaked.

Customers were notified, and VTech has since made changes to the attacked website in the name of preventing another breach, though it’s not publicly known what those changes were.

Many toys and gadgets for kids are connected to the Internet. But don’t let fear of data breaches stop you from buying educational devices for your kids. Today’s connected toys offer a whole new educational experience.

  • Google the gadget to see if it was ever hacked or has “vulnerabilities.”
  • Immediately scan the product once purchased.
  • The toy should be connected only to a secure Wi-Fi network.
  • Keep its software and firmware updated regularly.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

What is a Hacker?

You probably think you know what a “hacker” is, but the images portrayed in the media can be misleading. You may be thinking of a geeky-looking guy who causes peoples’ computers to get infected with viruses or cracks passwords to raid the accounts of big business. This is one kind of hacker, but in a broader sense a hacker is a person (male or female) who uses their programming skills and technical knowledge to create and modify computer software and hardware by finding their weaknesses and exploiting them.

Hackers can be motivated by a number of reasons, both positive and negative. For instance, criminal hackers can create malware to commit crimes, such as stealing information and money, while other hackers are benevolent. They may work for big companies or the government in the name of protecting them from bad hackers.

It helps to be familiar with these general categories of hackers:

Black hat hackers

This is a hacker who gains unauthorized access into a computer system or network with malicious intent. They may use computers to attack systems for profit, for fun, for political motivations, or as part of a social cause. Such penetration often involves modification and/or destruction of data, as well as distribution of computer viruses, Internet worms, and spam.

White hat hackers

Also known as “ethical hackers,” white hat hackers are computer security experts who specialize in penetration testing and other testing methodologies to ensure that a company’s information systems are secure. These security experts may utilize a variety of methods to carry out their tests, including social engineering tactics, use of hacking tools, and attempts to evade security to gain entry into secured areas.

Gray hat hackers

These are skilled hackers who sometimes act legally, sometimes in good will and sometimes not. They are a hybrid between white and black hat hackers. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits.

In addition to these definitions, the term “hacker” is currently used to refer to any individual who deliberately tries to compromise a computer system—regardless of objective.

It may also simply refer to someone who likes to tinker around with the innards of computer systems, and it may also mean a really smart person who can solve any computer problem.

So, while you may have generally thought of hackers as criminals, the term actually describes a range of people with different technical skills and motives. That’s why it would be more helpful if we used the term with descriptors, such as “white hat hacker” or “criminal hacker,” so we have a better idea to whom we are referring.

After all, hackers shouldn’t have a bad reputation overall. They are usually very talented people and we need more of the good variety: white hats.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

State sponsored Attacks big Problem

The U.S. Office of Personnel Management, an identity database, was attacked by hackers rather recently, and they hit the jackpot: More than 21 million federal workers are at risk of identity theft for perhaps the rest of their lives, reports an article on forbes.com.

The hackers from overseas now have security clearance documents for these employees that contain some very sensitive personal information. And nobody can take these documents away from the hackers.

That’s the problem with these centralized identity databases. It’s like all the loot is in one location, so that when the thieves strike, they get it all. And as the forbes.com article points out, not too many governments care to invest the money and energy in optimizing the security of these huge central databases. And it’s not just the U.S. with this problem. Other countries have also had either cyber attacks or big issues with their national ID systems.

On the security evolution clock of 24 hours, cybersecurity comes in in the last few seconds. Governments for eons have been very staunch about issuing security in the physical form, such as constructing walls and other barricades near borders.

But protecting a computer database from harm? It’s just not as prioritized as it should be. The forbes.com article notes that the cybersecurity of a country’s citizens makes up the whole of the nation’s security.

Seems like things will be getting way more out of hand before things start getting under control, if ever. In line with this trend is that hackers have, in their possession for all time, fingerprint data of more than one million U.S. security clearance holders.

Governments need to start focusing on protecting the cyber safety of all the millions and millions of ants that make up their nations, or else one day, the empire just might crumble.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.