Posts

What We Learned About Digital Security In 2012

Sometimes it’s the worst things that can happen that become the eye-opening best things that effect positive change. The year 2012 saw numerous high-profile data breaches, epic hacks, full-on hacktivism and lots of major identity theft ring busts. The best news is the public is more aware, which means they are better equipped to protect themselves and law enforcement is well prepared to take down criminals. Individuals, companies and governments worldwide all have their eyes open and are taking action to protect themselves.

High-Profile Breaches

LinkedIn, Yahoo and many others were hacked—and hacked BIG. Unpatched system vulnerabilities and simple passwords were the common denominator in many of these hacks. It’s not enough to have antivirus protection; you also need antispyware, antiphishing, a firewall, updated critical security patches in your operating system and strong passwords that can’t easily be cracked. The good news is all these things are easy to do.

Epic Hack

Wired reporter Mat Honan recounts how his connected digital life was used to destroy all his data. From this we learn that even a technologist is vulnerable and that there is no shortage of lessons to be learned from his experience.

“In many ways, this was all my fault. In the space of one hour, my entire digital life was destroyed,” he says. “First my Google account was taken over, then deleted. Next my Twitter account was compromised and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad and MacBook.”

The chances of this happening to you are slim, but knowing it’s possible will make you better prepared.

Hacktivism Grows Up

Hackers have evolved significantly over the past 20 years. At first “hacker” meant someone who was inquisitive and tested the boundaries of technology. But then in the late ‘90s, hacker became a bad word as a result of a few hackers going too far and the media latching onto the title. Last year saw groups like Anonymous and others take action not just to disrupt, but also to right what they considered wrong. While their actions are often illegal, many feel they have evolved into a sort of voice for those that don’t have one.

The Long Arm of the Law

There isn’t a week that goes by without news reports of federal law enforcement, assisted by state, local and even foreign governments, taking down a carder ring or organized web mob responsible for stealing hundreds of thousands to millions of dollars. It was the year when the law got smart, savvy and as sophisticated as the criminal hackers, and that’s the best news of all!

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures

Many Die in World of WarCraft Hack

In a warlike event, thousands of players’ avatars dropped dead for no apparent reason. Hackers, or players using some form of exploit, hacked the game and something went wrong. World of WarCraft is a massively multiplayer online game (MMO) where people from all over the world can play online.

In a forum post a Community Manager wrote “Earlier today, certain realms were affected by an in-game exploit, resulting in the deaths of player characters and non-player characters in some of the major cities. This exploit has already been hotfixed, so it should not be repeatable. It’s safe to continue playing and adventuring in major cities and elsewhere in Azeroth. As with any exploit, we are taking this disruptive action very seriously and conducting a thorough investigation. If you have information relating to this incident, please email hacks@blizzard.com. We apologize for the inconvenience some of you experienced as a result of this and appreciate your understanding.”

iovation’s ReputationManager 360 is a proven service that helps protect MMOs against chargebacks, virtual asset theft, gold farming, code hacking, and account takeovers. The service identifies devices being used to play and examines their history and reputation as they are interacting with the game – setting off alerts that could relate to velocity triggers, geolocation, device anomalies, past gold farming abuse, financial fraud, chat abuse, and more.

For years, leading game publishers have prevented game abuse and ensured a safe and fun experience for players with the help of iovation’s device reputation service. These publishers (along with iovation’s network of more than 2,000 fraud analysts from other online businesses) share information, trends, and best practices with iovation and with each other in order to stay one step ahead of cheaters and criminals.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

City Bank Account Hacked for 400K

KOMO reports “The city of Burlington (Washington) is warning its employees to check their bank accounts after finding out funds have been stolen. They believe computer hackers got access to the city bank account, which is used as a direct deposit to pay workers. It is unknown how much money was taken, but more than $400,000 has been transferred to several accounts over the past two days.” “Any time that more than $400,000 actually moves out of a city of Burlington account, there can’t possibly be a joke involved,” said town administrator Bryan Harrison. “It actually is very chilling.”

Chilling indeed. Hacks like this often take place as a result of a virus getting into a machine that has access to the bank account. In one scenario the offending machine is not properly updated with antivirus and the virus allows a criminal remote access to the device or the virus acts as a “Man In The Middle” Attack.

RSA reports in one of the most interesting cases of organized cybercrime this year, a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date.

RSA further reports American banks are the major target.  “Another attractive element for the attackers appears to be the slim deployment of two-factor authentication (2FA) for private banking consumers in the US, unlike many European banks that generally require all consumers to use 2FA for wire transfers.”

Multi-factor authentication requires a username and password (“something you know”) and “something you have”—a personal security device separate from the PC. But even that is not enough.

The Federal Financial Institutions Examination Council (FFIEC) states: “Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security, as described herein.”

Enhanced device identification is also essential. The FFIEC suggests complex device identification. While complex device identification is more sophisticated than previous techniques, take one step instead of two and incorporate device reputation management.

Hackers: The Good, The Bad and The Money

The term hacker was made popular by Steven Levy in his book “Hackers: Heroes of the Computer Revolution,” published in 1984, which was about those brilliant and eccentric nerds from the late 1950s through the early ’80s who took risks, bent the rules, and pushed the world in a radical new direction.

In the past decade there have been hundreds of data breaches resulting in millions of compromised records. The motivation behind these hacks? Identity Theft. Meanwhile dozens of new laws and government intervention to protect citizen data have emerged.

Black Hat (bad), White Hat (good) or Grey Hat (good by day bad by night), over the past decade the media has given the term “hacker” a negative connotation. Or is it hackers that gave the term a negative connotation?

Either way, whenever I’m talking bad guy hacker I’m careful to precede the word hacker with “criminal” so I don’t piss off anyone who considers themselves a good guy hacker.

Thomas Edison, Benjamin Franklin and Alexander Graham Bell were all hackers. Good ones too.

Today we are faced with a real issue of hackers attacking our financial systems, critical infrastructure and even our own PCs. And now, as we use our mobile phones for commerce, hackers are going after them too.

John Haney, Sales Executive at iovation stated “With more people than ever conducting banking activities from mobile devices, being able to proactively detect risk and suspicious activity in real-time is essential to protecting financial institutions and their customers. Although mobile banking is a powerful tool, it can also be used as a weapon for cybercrime and we want financial institutions to be prepared to fight mobile fraud. This is especially poignant given the FFIEC guidelines that established expectations for companies to adopt a layered approach to prevent cyber-attacks.”

Through its ReputationManager 360 service, iovation tracks the reputations of everything from desktops to laptops, mobile phones to tablets, and gaming consoles to smart TVs. By utilizing iovation’s device reputation intelligence.

Meanwhile, as a consumer, you are directly responsible for the security of your own network and devices.

Install and update antivirus, antispyware, antiphishing and a firewall on your devices.

Update your operating system’s critical security patches.

Encrypt your home/office WiFi connection.

Beware of phishing, vishing and internet scams.

FBI: Focusing on Hackers and Intrusions

Your tax dollars are being put to work in ways to secure your bank accounts and our critical infrastructure. But there’s still more work to do.

The FBI reports that early last year, hackers were discovered embedding malicious software in two million computers, opening a virtual door for criminals to rifle through users’ valuable personal and financial information. Last fall, an overseas crime ring was shut down after infecting four million computers, including half a million in the U.S. In recent months, some of the biggest companies and organizations in the U.S. have been working overtime to fend off continuous intrusion attacks aimed at their networks.

To that end, the FBI over the past year has put in place an initiative to uncover and investigate web-based intrusion attacks and develop a cadre of specially trained computer scientists able to extract hackers’ digital signatures from mountains of malicious code. Agents are cultivating cyber-oriented relationships with the technical leads at financial, business, transportation, and other critical infrastructures on their beats.

Richard McFeely, executive assistant director of the Bureau’s Criminal, Cyber, Response, and Services Branch was quoted saying “It’s important that everybody understands that if you have a computer that is outward-facing—that it’s connected to the web—that your computer is at some point going to be under attack,” he said. “You need to be aware of the threat and you need to take it seriously.”

When he says “you” he means banks, retailers, and just about everyone involved in eCommerce or anyone with a connection to the internet.

Smart businesses engaged in eCommerce are helping to stem the tide of cybercrime by incorporating device reputation into their transactions. iovation is headquartered in Portland, Oregon, and has pioneered the use of device reputation to stop online fraud and abuse. The software-as-a-service used by online businesses assesses the risk of Internet transactions all over the world and recognizes if a device such as a PC, tablet or smartphone has a history of fraudulent behavior. This helps organizations make educated decisions about whether they want to do business with the person using the device.

Credit Card Processors Targeted In Hacker Attacks

WE DO NOT SELL DUMPS. DO NOT EMAIL OR CALL US.

A European hacker broke into a U.S. company’s computer network and stole 1,400 credit card numbers, account holders’ names and addresses, and security codes. The hacker, nicknamed Poxxie, sold the stolen credit card data to other cyber criminals through his own website, CVV2s.in, for $3.50 per credit card.

The malicious software cyber criminals use in these hacker attacks is often known as “sniffer” software, which is used to intercept credit and debit card numbers. “Sniffer” software, or “malware” (malicious software), acts like a virus, attaching itself to a network and often spreading. The software allows the criminal hacker backdoor access to all the data in the server and provides remote control functionality.

Other hacker attacks targeting credit card processors are called “spear phishing”. When an employee receives a spear phishing email and clicks the link, a program begins to download, disabling the company’s anti-virus and defeating all network security measures. This is why one must never click links in the body of an email. There are hardly ever links in emails that can’t be worked around, either via the favorites menu or by manually typing the address in the browser.

Protecting small business customer credit card data starts with PCI Compliance and basic network security tips including:

Software: Antivirus, anti-phishing, antispyware. Total protection “all access” suites of protection and full disk encryption

Hardware: Routers, firewall security appliances

Physical security: Commercial grade solid core doors, security alarm systems, security cameras.

Email Security: NEVER click links in an email from a person or company you are unfamiliar with or have not requested information from. It’s sheer laziness, naiveté or foolishness when someone clicks links in the body of an email from an unfamiliar address.

Ethical hackers: Get yourself an ethical hacker to test your network and see what damage he can do before the bad guy does.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Dutch Hacker Extradited From Romania, Charged With Credit Card Fraud

A 21-year-old Dutch hacker known within the online hacking community as “Fortezza” was arrested in Romania in March, and extradited to the United States in June.

U.S. Attorney Jenny A. Durkan, who chairs the Attorney General’s Advisory Committee on Cybercrime and Intellectual Property Enforcement, said, “This defendant has wrought havoc on victims and financial institutions around the world, this indictment alleges that in just one transaction he trafficked in as many as 44,000 stolen credit card numbers resulting in millions of dollars in losses to financial institutions. Cybercriminals need to know: We will find you and prosecute you. I commend the cyber investigators at the U.S. Secret Service Electronic Crimes Task Force and Seattle Police Department for tracking down these international criminals.”

Hackers like “Fortezza” employ a variety of methods to obtain credit card data. One technique is wardriving, in which criminals hack into wireless networks and install spyware. Another is phishing, in which spoofed emails prompt the victim to enter account information. “Smishing” is similar to phishing, but with text messages instead of emails. Some hackers use keylogging software to spy on victims’ PCs, while others affix devices to the faces of ATMs and gas pumps in order to skim credit and debit card data.

All this stolen data is ultimately used to steal from financial institutions, which lose $40 billion a year to credit card fraud, and from retailers. These business fraud targets must employ multiple layers of protection to thwart cybercriminals.

One layer that businesses put upfront in their fraud detection process is based on device intelligence—what that device is doing right now on the site, and what fraud or abuse that device has caused with other businesses, even in other geographies. The leader in device identification technology is iovation, and they offer a fraud prevention service that allows online businesses to create customized business rules for identifying potentially risky transactions, and those rules can be adjusted on the fly as new threats emerge.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)

Network Hacking – Why Taunting Computer Hackers Isn’t a Good Idea

Would you dare a burglar to break into your home while your family was sleeping? Would you taunt a murderer or serial killer to try and get you? And would you say to a gang of thieves “just try and break into my business”. Maybe if you are a little daring and maybe if you had a screw loose you’d make these irresponsible requests. But in reality “bring it on” is never a good idea. Especially when it comes to your network security. Because “they” just might win.

UFC.com, the official website of the Ultimate Fighting Championship, was hacked by a group calling themselves the “Underground Nazi H4ck3rGr0up.”

Fox5 reported that Dana White, UFC President, issued the challenge to hackers because he supports the recently debated online piracy legislation known as SOPA and PIPA.

“They will not intimidate me,” White said in a phone interview with FOX5. “I’m not intimidated. I’m not scared of what they’re doing.”

The computer hacker, known only as UgNazi, successfully took over UFC.com.

Within a day of this attack it was reported that White’s Social Security number and additional personal information were hacked and exposed for the world to see. But in fact the information was for another person, who went through pretty harrowing harassment over the course of a few days.

Kicking a hornets’ nest isn’t advisable. And neither is taunting a collective of criminal hacktivists who have lots of time and lots of resources to make your small business network a target.

Jailbreaking an iPad Exposes Vulnerabilities

At the McAfee FOCUS conference in October of last year, members from McAfee Labs™ spoke about malware and other threats that affect security. One of the most popular events was when they brought an iPad on stage and did a live hack.

The researchers were able to remotely watch as a user accessed his email and even interacted with the device by accessing the iPad via an unprotected wireless Internet connection (like many of us use in a café, airport or other public place).

The issue that made the iPad vulnerable has since been patched, but the tools used in this hack were some that are also used to “jailbreak” a mobile phone or tablet.

Jailbreaking is the process of removing the limitations imposed by Apple and the associated carriers on devices running the iOS operating system. A jailbroken iPhone or iPad breaks Apple’s security and allows users to download applications, some of which are pirated from unofficial third party stores.

Similar to jailbreaking, rooting is the term used for this process of removing the limitations on any mobile phone or tablet running the Android OS.

Jailbreaking or rooting your mobile device may be desirable in some cases for some people, but what we all need to be aware of is that by doing so, we are opening the device up to vulnerabilities which can be used for malicious purposes.

Here’s the link to the full paper that was written from this demo: http://www.mcafee.com/us/resources/white-papers/wp-apple-ipad-hack.pdf

The lesson we all can learn from this? We need to protect ourselves by:

Using strong passwords and locking our devices

Ensuring that anti-malware and anti-theft protection are in place on our mobile devices

Taking precautions when using public Wi-Fi connections

Being aware of what we do online and how it can make us vulnerable

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Wireless Security: Wi-Fi Hacking Burglars Busted

In Seattle 3 men have been arrested for hacking the wireless networks of over a dozen businesses along with 41 burglaries. They are alleged to have stolen at least $750,000 in funds, computer equipment and other items.

SeattlePI reported their Wi-Fi hacking techniques included “wardriving,” in which hackers mount a high-strength Wi-Fi receiver inside a car and search for networks that can be penetrated. Once a Wi-Fi network is located through wardriving, hackers can remotely watch for information that may reveal the network’s security setup and vulnerabilities. Police said they used sophisticated electronic equipment to break through networks using a 12-year-old security algorithm — Wired Equivalent Privacy, or WEP protection.

Right out of a Mission Impossible movie, these burglars hacked wireless networks and stole employee and client data. Their burglaries involved stealing laptops; they used those laptops to crack payroll accounts and steal banking information. Once they turned the data into cash, they turned the cash into prepaid debit cards.

Wired Equivalent Privacy was introduced in 1997 and is the original version of wireless network security. But WEP has been cracked, hacked, and decimated.

Home or office Wi-Fi with WPA encryption is better. Wi-Fi Protected Access is a certification program that was created in response to several serious security vulnerabilities researchers found in WEP, the previous system. WPA and WPA2 are tougher to crack, but not impossible.

Small businesses would fare much better if they also installed a monitored security alarm system with cameras. It’s not enough to lock doors, especially if there are thousands of dollars in technology waiting for a burglar to take it.
