Posts

Why Hacking is a National Emergency

Foreign hackers, look out: Uncle Sam is out to get you. President Obama has issued an order that allows the State Department and Treasury Departments to immobilize the financial assets of anyone out-of country suspected of committing or otherwise being involved in cyber crimes against the U.S.

7WkThis order, two years in the making, covers hacking of anything. The order refers to hacking as a national emergency. Imagine if entire power grids were hacked into. Yes, a national emergency.

Another reason hacking is a national crisis is because the guilty parties are so difficult to track down. Hackers are skilled at making it seem that an innocent entity is guilty. And a major hacking event can be committed by just a few people with limited resources.

However, the order has some criticism, including that of assigning it an over-reaction to the Sony data breach. But it seems that the government can never be too vigilant about going after hackers.

Proponents point out that the order allows our government greater flexibility to go after the key countries where major hacks come from, like Russia and China. This flexibility is very important because the U.S. has a crucial financial relationship with these countries. And that needs to be preserved.

For instance, there’d be little adverse impact to the U.S. if our government choked off the bank accounts of isolated hackers who were part of the Chinese government, vs. strangling the entire Chinese government.

In short, the activities of small hacking groups or individual hackers within a foreign government will be dealt with without penalizing the entire government—kind of like doing away with punishing the entire fourth grade class because one kid threw a spitball.

Hacking is now elevated to terrorism status; the order is based on the anti-terrorism bill. So foreign hackers, you’ve been warned; the U.S. is not reluctant to level you because the order allows for sparing your government as a whole from being sanctioned.

You can do your part to protect the Homeland simply by protecting your own devices using antivirus, antispyware, antiphishing and a firewall. Keep your devices operating system updated and uses a VPN when on public WiFi.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Hackers for Hire both Good and Bad

Ever see those public bulletin boards with all the business cards on them? Don’t be surprised if you spot one that says “Hacker•for•Hire.” These are hackers who will, for a nice juicy fee, hack into your wife’s Facebook account to see if she’s cheating on you.

4DHowever, there’s at least one hackmaking site that matches hackers to clients who want to infiltrate a network for personal gain or even revenge. The site, Hacker’s List, is a good idea, certainly not the first of its kind; the site’s founders (who wish to remain anonymous) get a piece of the pie for each completed job. Kind of sounds like one of those freelance job sites where someone bids on a posted job. The client must put the payment in escrow prior to the job being carried out. This pretty much guarantees payment to the hacker.

The site began operation in November. Imagine the possibilities, like business people getting a complete list of their competitors’ clients, customers, prices and trade secrets. And yes, a college student could hire a hacker for changing a grade. Makes you kind of wish you were skilled at hacking; what a freaking easy way to make a lot of money.

Is a site like this legal? After all, cracking into someone’s personal or business account is illegal. The site has a lengthy terms of service that requires agreement from users, including agreeing not to use the service for illegal activity. The verdict isn’t out if Hacker’s List is an illegal enterprise, and further complicating this is that many of the job posters are probably outside the U.S.

Hacker’s List was carefully developed, and that includes the founders having sought legal counsel to make sure they don’t get in trouble.

Hiring hackers can easily occur beyond an organized website where jobs are posted and bid on. And there’s no sign of this industry slowing down. The line of demarcation between good hackers and bad is broad and blurry, beginning with legitimate businesses hiring hackers to analyze the companies’ networks for any vulnerabilities.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

Password Security vulnerable to Trickery

There’s only one entrance to the house: a steel door two feet thick. If someone from the outside touched the door—even with a battering ram—they’ll get an electric shock. No bad guys could get through, right?

2DWell, suppose the bad guy tricks the homeowner into opening the door…and once open, the bad guy strangles the homeowner. Do you see what happened? All that security is worthless if the homeowner can be tricked. And the same goes for passwords. You can have the longest, strongest, most gibberish password around…but if you allow yourself to be skunked by a hacker…it’s over.

Think you can’t get skunked? A hacker could post a link to a “video” claiming it’s Taylor Swift with a 50 pound weight gain—anything to get you to click—and you end up downloading a virus to your computer.

Or maybe you get suckered into giving your credit card number and the three-digit code on its back to some site to “re-verify your credentials” because your account has been “compromised” – says an e-mail supposedly from the company you have the account with. Instead it’s a phony e-mail sent by a hacker.

Security begins by not falling for these ruses but also by not having crummy passwords.

First ask yourself if it’s super easy to remember any of your passwords. If it is, chances are, they contain actual names of people…or pets…in your life. If you have your pet and its name plastered all over your Facebook page, for instance…a hacker will figure that your password contains the name.

Another way to easily remember—and type—passwords is to use keyboard sequences. Maybe you use the same password for 14 accounts: 123kupkake. Is this easy for a hacker to crack? Depending on the level of sophistication of the hacker and the tools he possess, maybe. Imagine a hacker cracking this with his software. He’ll get into all your accounts if you have the same password.

There are many password manager services out there to help you create a strong, long password, though randomly hitting keys on your keyboard will produce the same result. But the password manager will grant you a single password to get into all your accounts, sparing you the drudgery of having to remember 14 long passwords of jumbled characters.

Another layer of security is to try to only register with online accounts that have two-factor authentication. For instance, see if your bank offers this (many actually don’t). Two-factor makes it next to impossible for someone to hack into your account.

Strong and long passwords—all different for all of your accounts; a password manager; two-factor authentication; and what else? Don’t be suckered into giving up your private information!

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

The White Hat Hacker

These days, it is hard to pick up a newspaper or go online and not see a story about a recent data breach. No other example highlights the severity of these types of hacks than the Sony breach late last year.

11DWhile a lot of information, including creative materials, financials and even full feature-length movies were released – some of the most hurtful pieces of information were the personal emails of Sony executives. This information was truly personal.

You have a right to privacy, but it’s not going to happen in cyberspace. Want total privacy? Stay offline. Of course, that’s not realistic today. So the next recourse, then, is to be careful with your information and that includes everything from downloading free things and clicking “I agree” without reading what you’re approving, to being aware of whom else is viewing your information.

This takes me to the story of a white hat hacker—a good guy—who posed as a part-time or temporary employee for eight businesses in the U.S.. Note that the businesses were aware and approved this study. His experiment was to hack into sensitive data by blatantly snooping around computers and desks; grabbing piles of documents labeled confidential; and taking photos with his smartphone of sensitive information on computer screens.

The results were that “visual hacking” can occur in less than 15 minutes; it usually goes unnoticed; and if an employee does intervene, it’s not before the hacker has already obtained some information. The 3M Visual Hacking Experiment conducted by the Ponemon Institute shed light on the reality of visual hacking:

  • Visual hacking is real: In nearly nine out of ten attempts (88 percent), a white hat hacker was able to visually hack sensitive company information, such as employee access and login credentials, that could potentially put a company at risk for a much larger data breach. On average, five pieces of information were visually hacked per trial.
  • Devices are vulnerable: The majority (53%) of information was visually hacked directly off of computer screens
  • Visual hacking generally goes unnoticed: In 70 percent of incidences, employees did not stop the white hat hacker, even when a phone was being used to take a picture of data displayed on screen.

From login credentials to company directories to confidential financial figures – data that can be visually hacked is vast and what a hacker can do with that information is even more limitless.

One way to prevent people from handing over the proverbial “keys to the kingdom” through an unwanted visual hack is to get equipped with the right tools, including privacy filters. 3M offers its ePrivacy Filter software, which when paired up with the traditional 3M Privacy Filter, allows you to protect your visual privacy from nearly every angle.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

What is Ransomware?

Imagine that you want to pull up a certain file on your computer. You click on the file and suddenly a notice flashes on your screen saying your computer has been compromised and in order to get your files back, you need to pay up some money. This, ladies and gentlemen, is ransomware, a nasty type of malware that, unfortunately, hackers love to use.

4DRansomware is malicious software created by a hacker to restrict access to your device and demand a fee to be paid to the hacker in order to give you back access to your device. It can prevent you from using your computer or mobile device, opening your files, or running certain applications like your browser. Or it could lock down your photos, documents, videos on your mobile phone or PC and hold them hostage until you pay the ransom.

Users unknowingly download ransomware from malicious by clicking on email attachments or visiting infected websites, also known as drive-by downloads . There are several ways hackers use ransomware to extort money from users. One, the hackers pretend they are a law enforcement agency and claim that you have downloaded illegal content and demand a fine to pay for this violation. Another popular trick is a message that claims your Windows installation is counterfeit and requires activation or that your security software is out of date or not working.

If you download ransomware, you must remove it before you can access your device again. You can use security software or clean out your disk drive. If you have an Android phone, you can reboot your phone in Safe Mode. Whatever you do, don’t pay the ransom, as it doesn’t always guarantee you will get access to your device again.

It’s always better to prepare than repair. Here are a few tips for preventing ransomware from getting on your digital devices.

  • Backup your files. Then, if a ransomware attack occurs, you can wipe your disk drive clean and restore the data from the backup.
  • Think twice. Don’t open links or attachments from people you don’t know.
  • Use a web advisor. Hackers use malicious websites to spread ransomware. A web advisor, like McAfee® SiteAdvisor® will let you know what links are malicious or not.
  • Install comprehensive security software.  McAfee LiveSafe™ service includes a firewall and anti-spam filter to protect your computers, mobile phones and tablets from ransomware. If you already have your computers covered, make sure you still protect your mobile devices with our free McAfee® Mobile Security for Android or iOS.

Have a happy holiday!

 Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Russian Hackers getting rich from your Identity

Where’s the $$$ at? Selling credit card data. Have you heard of the Russian hacking ring that raked in two and a half billion dollars? Check it out: 4D

  • Phishing attacks are lucrative for these cybercriminals.
  • ATM hacks continue to increase, in part due to targeted attacks and new software.
  • Smartphone attacks are on the upswing.

There are three ways criminals obtain credit card data, and selling it is enormous business. And data breaching at the point of sale has been a big issue for the past few years. POS attacks are conducted with skimming tactics or by using Trojans. Unless significant changes are made, look for POS attacks to swell up, not shrivel up.

Selling credit card information is such big business that there exist professional wholesalers who specialize in this. Ukrainian, Russiona and many in eastern Europe are some of the largest brokers of and the main suppliers of stolen card data. But the wholesalers who purchase his acquired data are also rolling in the dough.

More on the Russian Hacking Empire

  • Lots of DDoS attacks
  • Over a quarter of a billion dollars in the sale of nefarious products
  • Spam, spam and more spam: an $841 million goldmine
  • A rise in the number of crime rings, the result of the development of new ways to commit theft off of users of smartphones.
  • In fact, several new crime rings have emerged this year that center on bank theft of mobile device users.

There’s currently just no end in sight for the Russian hackers, and there perhaps never will be, especially since geography is a barrier to prosecution.

6 ways to watch your statements.

  1. Monitor your paper statements monthly
  2. Monitor your e-statments when they come in
  3. Login to your credi card company’s website as often as you can
  4. Download your credit card company’s smartphone app and check often
  5. Sign up for Mint or BillGuards credit card alerts
  6. Go to your credit card company’s website and sign up for text and email alerts for every transaction.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Visual Hacking is High Tech Shoulder Surfing

A visual hacker can infiltrate you—from the outside in. Quite literally, a person (ranging from a snoop to a cyber criminal) can peer over your shoulder while you’re using your computer or mobile (“shoulder surfing” or “visual hacking”), and collect your personal information—whatever you have up on the screen.

4DThis is so easy to observe Go to any airport or café and you’ll see scores of people using their laptops, headset on, head nodding to some beat, totally oblivious that a world exists beyond their little comfy spot.

However, shoulder surfing can also happen from a distance, e.g., a thief using binoculars or a small telescope. He can be nearby aiming his high-quality smartphone camera at the user. A cheap camera can be hidden near a spot where people often settle down with their devices, aimed right where people most often open their laptop or whip out their mobile.

You might be able to prevent shoulder snoopers by covering your screen with a hand, but this isn’t practical. If you’re working remotely, you should think about setting yourself up so that passers-by can’t see your screen, such as sitting up against a wall. However, these maneuvers aren’t always possible and you know that you need protection every single second to prevent information you are working on from a potential leak.

A recent survey of IT professionals found that 82 percent had little to zero confidence that employees were capable of concealing their device’s screen from peeping eyes; 82 percent believed it was possible that data had already been viewed off of their screens by the wrong eyes; and 85 percent reported being able to view sensitive data on a screen that they were not supposed to be looking at. So why aren’t more people – and more importantly, more organizations – taking the necessary precautions to protect their visual privacy?

From login credentials to company directories to confidential financial figures – data that can be visually hacked is vast and what a hacker can do with that information is even more limitless. To prevent people from handing over the proverbial “keys to the kingdom” through an unwanted visual hack 3M now offers its ePrivacy Filter software. When paired up with the traditional 3M Privacy Filter, which blacks out side views and helps prevents hackers from stealing a glance at your screen, the ePrivacy Filter notifies you when someone is peering over your shoulder. You can now protect your visual privacy from nearly every angle.

Not only do thieves try to see what’s on the screen, but they’ll also study the user’s fingers at key times, such as right after they open the laptop. This could be the password they’re typing in to gain access to the device. A skilled visual hacker can determine which group of keys was pressed, then confine a brute-force attack to those characters to crack the password.

If you think shoulder surfing is uncommon and more so the product of overactive imaginations, think again. Take yourself, for example. Imagine being on a long flight. You’re wide awake but drained from using your device and reading magazines. Sooner or later (and you know this), your eyes will drift towards the stranger seated next to you—to see what’s on their screen. Since you, an honest, non-criminal person, is apt to do this, imagine how tempting it is for thieves.

Research results that were released last year revealed that 72 percent of commuters in the UK peer over the shoulder of fellow commuters. But don’t think that shoulder surfing is confined to the public; it can also take place right inside your office building. This can be particularly true for offices with an open floor plan design. With more and more screens out in full view and not enough attention paid to the types of data being accessed for all to see, you can never let your guard down when it comes to protecting confidential and sensitive information.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

10 tips to Secure Passwords

Ever wonder just how hackers bust into systems and cause destruction? One reason is because people are still using weak passwords. While your pet’s name and wedding anniversary dates are easy to remember and sentimental to use, this approach makes a hacker’s job all too easy. Here are 10 things you should know about passwords.5D

  1. Never use the same password more than once, because if that account is hacked, and that password is for three other accounts, you’ll get quadruple-hacked.
  2. Think of a memorable phrase, then abbreviate it, such as, “My all time favorite movie is Jaws which I’ve seen 19 times.” The password would then be: MatfmiJwis19t.
  3. Don’t stick to just letters and numbers. A “character” can be any number of signs. For an even stronger password, add some random characters: MatfmiJ&wis19t!
  4. The “dictionary attack” is when a hacker applies software that runs through real words and common number sequences in search of a hit. So if your password is 8642golfer, don’t be surprised if you get hacked.
  5. A super strong password may be 12 characters, but not all 12 character passwords are strong. So though 1234poiuyzxc is long, it contains a number sequence and keyboard sequences. Though longer means more possible permutations, it’s still smart to avoid sequences and dictionary words.
  6. Another tip is to create a password that reflects the account. So for instance, your Amazon account could be MatfmiJ&wis19t!AMZ.
  7. Opt for sites that offer two-step verification. A hacker will need to have possession of your phone or e-mail account in order to use your password, because two-step requires entry of a code that’s sent to your phone or e-mail.
  8. If you struggle to remember your passwords, you can store them in a cloud where there’s two-factor authentication. But don’t stop there; preserve your passwords in hardcopy form.
  9. A password manager will make things much easier. With one master password, you can enter all of your accounts. Google “password manager”.
  10. Don’t check the “remember me” option. Having to type in your password every single time means added protection.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

What to do in the Aftermath of an Attack

Can you hack cleaning up the mess a hacker makes after infiltrating your computer? Would you even know the first thing to do? And yes, YOU’RE computer CAN be hacked.

2DAfter the attack, locate the portal through which the crumb-bag entered. This could be the e-mail program or browser. This may be easier said than done. Give it a shot.

Next, this portal must be disconnected/uninstalled from the Internet to prevent it from getting into other systems. Look at your Task Manager or Activity Viewer for any suspicious activity. The CPU usage must be checked too. If it goes way up, you’ll have a better chance of detecting fraudulent activity. It helps to know how your computer runs so that you know what’s typical and what’s atypical.

Otherwise head over to Microsoft’s Malicious Software Removal Tool page here: http://www.microsoft.com/security/pc-security/malware-removal.aspx

After severing ties with the hacker or hackers, take inventory of their destruction.

  • Make sure that your anti-malware and antivirus systems are up to date, and enabled. Do a full system scan with both systems.
  • If something looks odd, get rid of it. Malware will continue downloading if there’s a browser extension or plugin. Inspect every downloaded item.
  • Change every password and make it unique and long.
  • Log out of all your accounts after changing the passwords.
  • Clear the cookies, cache and history in your browser.
  • Be on the alert for strange goings-on, and do not open suspicious e-mails, let alone click on links inside them.
  • If things are still acting strange, wipe your hard drive. Reinstall the operating system. But not before you back up all your data.

Preventing an Attack

  • Have a properly configured firewall.
  • As mentioned, never click links inside of e-mails, even if they seem to be from people you know. In fact, delete without opening any e-mails with melodramatic subject lines like “You Won!”
  • Have both anti-malware and antivirus systems, and keep them up to date.
  • Use long, unique passwords.
  • Never let your computer out of sight in public.
  • If, however, your device is stolen, it should have a remote wipe feature.
  • Give your data routine backups.
  • Be very cautious what you click on, since links promising you a spectacular video can actually be a trap to download a virus into your computer.
  • Use Hotspot Shield when you’re on public Wi-Fi to scramble your communications.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Researchers say your Mobile Carrier’s Network isn’t all that Secure

Gee, even the tools that update your smartphone’s operating system over the air have holes that hackers can slip into.

5WIt’s estimated that as many as two billion handsets are vulnerable, and in some instances, security patches haven’t even been released.

The open mobile alliance device management (OMA-DM) protocol is used by around a hundred smartphone companies to release software updates and conduct network administration. And that’s what they say where the problem lies.

A hacker must know the handset’s distinct international mobile station equipment identity (IMEI) number, plus a secret token, to take remote control. It’s not difficult to obtain the IMEI number or the secret token of the company, thanks to lax networks and vulnerable operating system versions.

Researchers discovered they could easily upload code to a phone after following a WAP message from a base station, then proceed like a hacker would.

Another experiment showed that a fake femtocell could be used to get into BlackBerry, Android and some iOS devices by using weak security protocols. Participants turned off their smartphones and set the femtocell to its lowest power setting. The researchers still managed to pick up over 70 handsets.

They found that Android was the most vulnerable, along with BlackBerry. iOS was tougher to crack, but some devices that were run by Sprint were vulnerable.

Another flaw was that devices could be tricked into checking on their OMA-DM servers; the connections had http instead of https.

The researchers reported that most of the manufacturers and carriers had fixed the OMA-DM systems—most, not all.

What are the network threats?

Hackers practically have the cyberworld at their fingertips, able to attack in so many ways, using so many methods, from apps to users, users to users, and various machines to machines. Hackers don’t just want to access data; they want to manipulate it.

4G refers to fourth generation network, succeeding 3G to offer the fastest speed for wireless activity. The protocol for 4G, however, is flawed, allowing for weakening of the protection for phones and their networks.

The hacker would go right for mobile networks to get simpler, wider entry points. Networks for mobile devices, thus, need to be toughened up. If a smartphone is infected, it will be able to target and scan other smartphones within its proximity (since 4G is IP based), all while the carrier has no clue.

The hacker could infiltrate a desired network, access the 4G network, then have a nice, easy launching pad for the crime.

If a hacker uses weak wireless APN connections for his activities, this forces the smartphones in use to rely upon an ongoing network connection. This will make batteries wear out faster. Furthermore, jammed-up signals may lead to denial of service.

One way to protect wireless networks is by using Hotspot Shield to override any insecurities of open free WiFi and to help protect from some of 4Gs failings.

With the fast speed that stands to come with 4G are also weak security levels and lame network structures. Users will not appreciate this price, and mobile operators will need to step quite a bit up on security tactics for keeping hackers out.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.