Posts

Protecting Your Customer Data from Hackers

Criminal hackers hack for fun, fame, revenge, trade secrets, or terror, but mostly they hack for financial gain. According to a data breach study, based on 75 incidents in the second half of 2010, 13% of web hacking cases involved leaked client data leading to financial fraud. (The top two reasons hackers attacked websites were site defacement at 15% and site downtime at 33%.)

Once customer information is hacked, it can be used to open new accounts or to take over existing accounts. It often takes only a few hackers to crack a system containing millions of customer records. These thieves will then broker and sell the information to other hackers.

The victims find and repair the vulnerabilities in their systems, but the damage has already been done. The individuals whose data has been compromised face an uphill, ongoing battle to protect themselves from financial fraud.

Protecting small business customer data starts with network security basics including:

Software: Antivirus, antiphishing, antispyware. Total-protection “all access” security suites and full disk encryption

Hardware: Routers, firewall security appliances

Physical security: Commercial grade solid core doors, security alarm systems, security cameras.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures


Data Theft Doesn’t Always Mean Being Hacked

Recently UCLA announced 16,000 patients were potential victims of identity theft because a doctor’s home office was broken into and burglarized. This is an unfortunate example of an employee taking home a laptop or storage device from the office resulting in a serious data breach. The thief may have no idea what he has in his hands, but the damage is done, the data is breached.

UCLA had to send letters to all 16,000 plus affected warning that there is a possibility their identities could be stolen. On top of that they had to hire an identity theft protection firm to cover each breached record in the hopes the service will mitigate the loss. Data loss like this may cost UCLA hundreds of thousands of dollars by the time the dust settles.

The documents stolen were birth certificates, home addresses, medical documents and numerical medical identifiers. The information breached did not include Social Security numbers or financial information. Meanwhile reports state the data was encrypted, but the password to access the encrypted data was on a piece of paper near the laptop, which hasn’t been located either.

Based on the reports, an identity thief would have a hard time actually using the data stolen to commit new account fraud or account takeover. Nonetheless UCLA’s response has been comprehensive and designed to reduce risk in any capacity.

Data breaches cost big bucks. Smart data security practices if done right are inexpensive and cost effective. Encryption in this scenario failed due to a password on a sticky note near the laptop. The lack of a home security system in the doctor’s home office contributed to the data loss. Putting layers of protection in both a business and home setting is an absolute must.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures


Searching for Hotties Leads to Hacked PCs

Five or ten years ago, it was relatively easy for scammers to trick people into opening email attachments that would launch malicious programs on victims’ PCs. Nowadays, most email providers won’t permit .exe attachments, so viruses may be saved as compressed files, or hidden behind links that appear to lead to PDFs or Word documents.

Scammers have been very productive in creating spoofed or infected websites, which are designed to infect your web browser with viruses. More than three million of these websites were born in 2010 alone.

The bait that lures victims to these infected websites may be the latest Twitter trend, a breaking news story, significant world event, ringtone downloads, pornography, or celebrity pictures.

Cybercriminals often use the names of popular celebrities to tempt viewers to visit websites that are actually laden with malicious software. Anyone looking for the latest videos or pictures could end up with a malware-ridden computer instead of the trendy content they were expecting.

Hot stuff model/television host/Seal’s wife Heidi Klum is this year’s “Most Dangerous Celebrity.” Heidi herself may be sweet as pie, but the allure of her looks has captured scammers’ attention, leading them to exploit her fame to draw in victims.

McAfee found that searching for the latest Heidi Klum pictures and downloads yields more than a 9% chance of landing on a website that has tested positive for online threats, such as spyware, adware, spam, phishing, viruses, and other malware.

McAfee security experts urge consumers to surf safely by using McAfee Total Protection security software, a security suite that offers consumers antivirus, anti-spyware, identity, and firewall protection, plus a feature called SiteAdvisor, which displays red, yellow, or green web safety ratings within Internet search results pages. It also blocks risky websites, adds anti-phishing protection, and helps users surf, shop, and bank more safely.

Robert Siciliano is an Online Security and Safety Evangelist to McAfee and Identity Theft Expert. (Disclosures)


Consumers Need to Rethink IT Security and Safety

Hackers and crackers and data breaches! Oh my! Confused? Overwhelmed? Don’t care? You should, and there’s help.

Few people are as head first into gadgets, technology, the cloud and security as I am. I have my devices, my wife’s, my kids’; there are Apple products, Microsoft Windows, smartphones, feature phones and tablets. It’s maddening.

Now, instead of one PC per household, consumers are purchasing multiple devices. And with consumers able to access the digital world as easily from their smartphones and tablets as from their personal computer, PCs are no longer the main method of connecting to the Internet.

This wave of new devices and their ease of connectivity also means that consumers are now starting to think differently about their digital security.

Mobile Device Users

The threat of lost or stolen devices, and the possibility of their personal information being used for fraudulent means, is a significant concern. In the United States 113 mobile phones are lost every minute, and more than half of smartphone users do not use any password protection to prevent unauthorized device access.

Mac Users
Mac OS is not safe from viruses. As of late last year there were 5,000 malware versions targeting the Mac, a number that is growing by ten percent per month.

Child and Teen Users
Are your kids being exposed to pornography? Will they be contacted by strangers through their social networking profiles? Are they downloading age-appropriate music and movies? Having protection on the household PC is no longer enough. Parents need to know that their children are safe on all the devices they use, wherever they connect.

Solutions
It is here and called McAfee All Access. Before, consumers had to look for and download a hodgepodge of security software from numerous vendors with multiple “keys” to activate. What McAfee knew consumers wanted was an “all in one” solution that once and for all provides a dashboard to manage all your devices from one place, regardless of whether it is a PC, smartphone, tablet, netbook, or Mac.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)


Hackers Target Small Business

Big companies and big government get big press when their data is breached. And when a big company is hit, those whose accounts have been compromised are often notified. With smaller businesses, however, victims are often left in the dark, regardless of the various state laws requiring notification.

One reason for this is that smaller businesses tend not to keep customer names and contact information on file, and credit card companies discourage them from recording credit card data.

This is serious cause for concern. The Wall Street Journal reports that the majority of breaches impact small businesses:

“With limited budgets and few or no technical experts on staff, small businesses generally have weak security. Cyber criminals have taken notice. In 2010, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.”

If 95% of breaches affect small companies, it’s anyone’s guess how many times my or your credit card numbers have been compromised. I’ve received four new cards in the past three years as a result of major companies being breached. But I use credit cards at more than a hundred different retailers in a year. And it isn’t only credit card numbers that are stolen, but also usernames and passwords, Social Security numbers, email addresses, and more.

Check your credit card statements online weekly and refute any unauthorized charges. As long as you dispute charges within 60 days, federal laws limit your liability to $50. Unauthorized debit card charges must be reported within two days, or liability jumps to $500.

Change up your passwords at least once every six months. If a business is hacked, they may not know for years, and can’t possibly notify you until it’s much too late.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing identity theft on YouTube. (Disclosures)

Neighbor Gets 18 Years for Hacking Neighbor

Home security in the physical world is locks, cameras and a home security system. In the virtual world, home security is protecting your home’s wireless internet connection.

I’ve spoken many times about how hackers can invade your wireless internet and steal your identity by getting onto your computer. We’ve also touched on how pedophiles can hijack your wireless internet and download child porn, which can get the FBI’s attention, resulting in a battering ram on your front door at 3 am.

In Minnesota prosecutors put away a “depraved criminal” for 18 years as a result of virtually torturing his neighbors via their Wi-Fi connection.

After a brief encounter with his new neighbors he began “a calculated campaign to terrorize his neighbors”.

Wired reports “He demonstrated by his conduct that he is a dangerous man. When he became angry at his neighbors, he vented his anger in a bizarre and calculated campaign of terror against them,” (.pdf) prosecutor Timothy Rank said in a court filing. “And he did not wage this campaign in the light of day, but rather used his computer hacking skills to strike at his victims while hiding in the shadows.”

It’s a pretty frightening story that should scare you into locking down your wireless internet.

When setting up a wireless router, there are two suggested security protocol options: Wi-Fi Protected Access (WPA and WPA2), a certification program that was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.


Hacking Voicemail is Scary Easy

Imagine someone jeopardizing your home security system by hacking your phone’s voicemail. There’s been a widely reported story of a British tabloid newspaper accused of accessing voicemail messages of murder victims, government officials, celebrities and possibly victims of the 9/11 terrorist attack.

The story broke in response to the tabloid’s manipulating the voicemail of a 13-year-old girl who was a murder victim, and of soldiers who fought in Iraq and died. The FBI is apparently investigating.

It seems there is a flaw in many telecom systems that allows a snooper to check a target’s voicemail as long as the voicemail system believes the call is coming from that person’s caller ID.

Snoopers can access ready-made hacking scripts online to perform these tasks, or simply enlist one of many “caller ID spoofing” services. These services allow anyone to make a call to any number and trick the voicemail into believing it’s coming from the voicemail’s intended account holder.

Once the voicemail is accessed, the caller may not need a PIN, or access may be granted via default passwords like 1111 or 0000. When the voicemail system receives a call that, because of the spoofed caller ID, appears to come from the account holder’s own phone number, it automatically trusts it.

The quickest fix to protect voicemail is to make sure your voicemail requires a PIN, especially when you call it from your own phone. And make sure that PIN isn’t a default PIN or one that is easily guessed.

Robert Siciliano personal and home security specialist to Home Security Source discussing mobile phone spyware on Good Morning America. Disclosures.

15 Tips To Better Password Security

Protect your information by creating a secure password that makes sense to you, but not to others.

Most people don’t realize there are a number of common techniques used to crack passwords and plenty more ways we make our accounts vulnerable due to simple and widely used passwords.

How to get hacked

Dictionary attacks: Avoid consecutive keyboard combinations— such as qwerty or asdfg. Don’t use dictionary words, slang terms, common misspellings, or words spelled backward. These cracks rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like John the Ripper or similar programs.

Cracking security questions: Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research. When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked.

Simple passwords: Don’t use personal information such as your name, age, birth date, child’s name, pet’s name, or favorite color/song, etc. When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “princess,” “qwerty,” and “abc123.”

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.

How to make them secure

1. Make sure you use different passwords for each of your accounts.
2. Be sure no one watches when you enter your password.
3. Always log off if you leave your device and anyone is around—it only takes a moment for someone to steal or change the password.
4. Use comprehensive security software and keep it up to date to avoid keyloggers (keystroke loggers) and other malware.
5. Avoid entering passwords on computers you don’t control (like computers at an Internet café or library)—they may have malware that steals your passwords.
6. Avoid entering passwords when using unsecured Wi-Fi connections (like at the airport or coffee shop)—hackers can intercept your passwords and data over this unsecured connection.
7. Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.
8. Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least one year.
9. Do use at least eight characters of lowercase and uppercase letters, numbers, and symbols in your password. Remember, the more the merrier.
10. Strong passwords are easy to remember but hard to guess. Iam:)2b29! — This has 10 characters and says “I am happy to be 29!” I wish.
11. Use the keyboard as a palette to create shapes. %tgbHU8*- Follow that on the keyboard. It’s a V. The letter V starting with any of the top keys. To change these periodically, you can slide them across the keyboard. Use W if you are feeling all crazy.
12. Have fun with known short codes or sentences or phrases. 2B-or-Not_2b? — This one says “To be or not to be?”
13. It’s okay to write down your passwords, just keep them away from your computer and mixed in with other numbers and letters so it’s not apparent that it’s a password.
14. You can also write a “tip sheet” which will give you a clue to remember your password, but doesn’t actually contain your password on it. For example, in the example above, your “tip sheet” might read “To be, or not to be?”
15. Check your password strength. If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice.
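The “how to get hacked” rules above (keyboard runs, dictionary words and their reversals, the common passwords from the breach, and the eight-character mixed-class minimum) can be turned into a simple audit. This is an added example, not code from the post; the word and common-password lists are small constructed stand-ins for the real wordlists a tool like John the Ripper carries.

```python
import re

# Constructed stand-in lists; real crackers use wordlists of millions of entries.
COMMON_PASSWORDS = {"123456", "12345", "111111", "princess", "qwerty", "abc123"}
DICTIONARY_WORDS = {"password", "princess", "dragon", "monkey", "letmein", "welcome"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if pw contains min_len adjacent keys from one keyboard row
    (qwerty, asdfg, 12345 ...), in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            chunk = row[i:i + min_len]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def dictionary_hit(pw: str) -> bool:
    """True if pw contains a dictionary word, forward or spelled backward."""
    low = pw.lower()
    return any(w in low or w[::-1] in low for w in DICTIONARY_WORDS)


def audit_password(pw: str) -> list:
    """Return the list of rules from the post that the password breaks.
    An empty list means it passes every check implemented here."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if keyboard_run(pw):
        problems.append("consecutive keyboard keys")
    if dictionary_hit(pw):
        problems.append("dictionary word or reversed word")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    # Tip 9: lowercase, uppercase, digits and symbols all present.
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw)]
    if not all(classes):
        problems.append("missing lowercase, uppercase, digit or symbol")
    return problems


if __name__ == "__main__":
    # The post's own examples pass; the breach favourites do not.
    for candidate in ["Iam:)2b29!", "2B-or-Not_2b?", "123456", "qwerty", "drowssap"]:
        print(candidate, "->", audit_password(candidate) or "ok")
```

Only same-row runs are detected here; the keyboard shapes in tip 11 would need a separate walk generator to be recognised.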

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)


How to Reset Your Gmail Password After Being Hacked

I finally got one of those “I’m stuck in London” emails. My friend Kate’s Gmail account was hacked, and everyone on her contact list received an email from a hacker posing as Kate:

“Hi, Apologies, but I made a quick trip, to London, United Kingdom and got mugged, my bag, stolen from me with my passport and credit cards in it. The embassy is willing to help by authorizing me to fly without on a temporary identification, instead of a passport, I just have to pay for a ticket and settle Hotel bills. Unfortunately, I can’t have access to funds without my credit card, I’ve made contact with my bank but they need more time to come up with a new one. I was thinking of asking you to lend me some quick funds that I can give back as soon as I get in. I really need to be on the next available flight back home. Get back to me so I can send you details on how to get money to me. You can reach me via email or hotel’s desk phone, +44208359**** waiting for your response. Kate”

The hacker also created a replica of her Gmail address using Yahoo’s webmail service, and set Kate’s Gmail account to automatically forward all messages to the Yahoo address.

As soon as I received this email, I called Kate and left her a message letting her know she’d been hacked, and asked her to call me with an alternative email address.

Then I responded to the hacker:

“Kate I will help you. Where do I send money? Robert”

The hacker wrote back:

“Robert, Thanks for responding, I need about $2000, can you make a western union transfer to me? I will pay back once am home, let me know what you can do ASAP thanks.

See details needed for western union
Receiver: Kate [redacted]
City: London
United Kingdom

What you need to do, is take cash or a debit card to a western union agent location and request to make transfer to me in United Kingdom. You can get the address of a nearby WU agent from this website

You will email me the mtcn number for the transfer so I can receive the money here, I have an embassy issued identification, which I will use to get the money from WU Thanks Kate”

I wrote:

“Send me a picture. I want to see your pretty face! What did you see in your travels? Did you talk to Mum this week?”

The hacker responded:

“Did you send the money yet?”

I wrote:

“You didn’t answer me.”

At this point, the hacker figured out what I was doing, and blew me off:

“Don’t bother, I no longer need your help”

It’s hard to scambait these guys because they’re much more aware of how scambaiting works. Plus, I’m not that good at it.

The hacker and I then got into an unproductive series of email exchanges calling each other nasty words.

When the real Kate called me back, I sent her this Google Help link explaining how to reset your password if you’ve been hacked. Google also offers help accessing a Gmail or Google Apps account that has been taken over by a hacker.

If you haven’t already created a secondary email address that can be used to recover an inaccessible Gmail account, do that now. (This feature isn’t currently available for Google Apps.)

Once Kate went through this process, she regained control of her account within minutes. But the criminal had deleted every single email, leaving her with nothing. He’s probably going through those messages now, searching for any useful personal information.

Kate then sent me an email, thanking me, and I noticed that the Yahoo email address was still being copied, meaning that the hacker was still seeing every email sent to Kate’s Gmail account. If you’ve been hacked, check your Gmail settings to make sure your messages aren’t being forwarded automatically.

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft on YouTube. (Disclosures)


Security Expert’s Credit Card Hacked

An excellent way to improve one’s level of security intelligence is to follow the writings of Robert X. Cringely, one of my favorite technology know-it-alls.

Anyway, Cringely’s credit card was recently hacked. And if his card can be hacked, anyone’s can. Like many cardholders, Cringely received a notification from his credit card company’s fraud department, informing him that his card data was being used overseas, on an online dating website.

A scammer used Cringely’s credit card number to create a fake profile, posing as a woman named Katya to lure desperate, unsuspecting men into dating scams.

Cringely determined that the IP address associated with the fraud was anonymized, going through numerous channels to disguise its origin. A Russia-based email address may mean Russian criminals are involved in the hack.

Cringely’s card was used to purchase Badoo credits, which are used to unlock certain features of the dating website, such as chatting with another user or requesting photos. The scammer used Cringely’s card to buy Badoo credits in numerous countries, making her profile internationally accessible.

Cringely surmises that his card data may have been skimmed when he used an ATM or handed his credit card to a store clerk or waiter, or possibly stolen when used to make an online purchase. Even if you are giving your card number to a legitimate online merchant, there’s always the risk they may get hacked. It’s also possible that an unknown worm could have slithered onto Cringely’s PC and sniffed out a credit card transaction.

Even a security expert’s PC can fall victim to hackers, and even someone who knows plenty about security can get hooked. So you must be that much more alert, aware, and on top of these issues.

Websites like Badoo can eliminate scammers with device reputation scanning. Real-time device reputation checks, such as those offered by iovation, can detect computers that have been used for fraud, as well as expose all of the accounts associated with the suspicious device or group of devices, allowing websites to immediately shut down sophisticated fraud rings and fraudulent accounts.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft for the National Speakers Association. (Disclosures)