Posts

Analyze Security to reduce Threats

A deep analysis into security (security analytics programs) unveils some riveting areas that need to be addressed if business users are serious about reducing threats of data breaches.

Reveal data leaks. Convinced your business is “data leak proof”? See what stones security analytics turn over. Don’t be surprised if the leaks that are discovered have been ongoing, as this is a common finding. You can’t fix a problem that you don’t know exists.

An evolution of questions. Analytics programs can create questions that the business owner never thought to wonder about. Analytics can reveal trends and make them visible under the business owner’s nose.

Once these questions and trends are out of the closet, decision makers in the organization can have a guideline and even come up with additional questions for how to reduce the risk of threats.

Connections between data sources. Along the same lines as the previous point, security analytics programs can bring forth associations between sources of data that the IT security team may not have unearthed by itself.

Think of data from different sources being poured into a big funnel, and then what comes out the other end are obvious patterns and associations between all that data, even though it was “poured” from differing sources. When “mixed” together, the data reveals connections among it.

Uncovering these associations is important so that businesses can have a better understanding of disparate segments of their network, various departmental information, etc.

Discovery of operational IT issues. Take the previous points a step further and you get a revelation of patterns and connections in the IT operations realm—associations that can help mitigate problems with workflow and efficiency.

In other words, an issue with IT operations could be something that’s causing a drain on productivity, or, something that’s not creating a problem per se, but can be improved to spark productivity.

Uncover policy violations. Analytics can turn up policy violations you had no idea were occurring. Not all violations are malicious, but once they’re uncovered, they cannot be covered up; the next step is to do something about it.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.

How do I protect Myself engaged in the Internet of Things?

The Internet of Things—IoT—is a formal term referring to distinctly identifiable objects (cars, kitchen appliances, smartphones) and their cyber-representations on the Internet.

By 2020, it’s projected by at least one expert that there will be over 30 billion “things” represented virtually. All of this gives rise to increased security risk that seems almost paranormal.

The virtual world seems to be closing in on the physical world. Gee, sensors that track food purchases, for instance, can reveal if someone’s on a diet or is of a particular religion.

The IoT is expected to evolve in the following ways:

  1. Making dumb objects smart. Imagine house keys that don’t need to be taken out of one’s purse or pocket to open a door, or a gadget with which you can scan dairy products in your refrigerator for expiration dates, and whose sensor will then remind you of these dates.

    Go one step further: A mouse that can click links—not controlled by hand movements, but by thought. Well, that may be a century off, but you get the idea.

  2. “Things” that make changes by sensing changes in the environment. Imagine a garage door that opens because a sensor in it “knows” that the homeowner is approaching from 100 feet away.

    These “things” will react according to data received about what those things are virtually connected to. But if this technology is centralized, imagine what a hacker can do: The whole town’s garage doors won’t open. A national centralization will be even worse.

  3. Devices with independent autonomy. This sounds fantastic: Technology won’t require an intermediary device (like a smartphone) to take action when it “senses” a change in the environment.

    Imagine a “thing” sensing a change in your body (via sensory technology and apps) and then responding by dispensing medication. But this also sounds frightening: Imagine what a malicious hacker can do with this technology.

Security Issues

  • Ownership of data. Passing the buck for security responsibility is a major issue. Who’s responsible if a device gets hacked? The maker of the device? The owner? The hacker? Who should have secured it? This type of responsibility needs to be defined.
  • Transfer of information. Vulnerabilities exist when data is en route. Data may sit stored in a local data collation hub where it awaits uploading, but in the meantime it can be stolen.
  • Sensitivity of data. Varying tiers of security are needed to correspond to varying kinds of data being transferred. For example, a data stream about the amount of humidity in a greenhouse doesn’t need security, while medical record information definitely does.
  • Death by hacker. With increasing advances in the realm of IoT, hacking can become a life-and-death matter, not just the nuisance of some baby monitor getting hacked and the hacker spewing out lewd comments for mommy to hear. For instance, it’s only a matter of time before a doctor, hundreds of miles away, remotely controls a patient’s implanted heart arrhythmia controller. What if a hacker gains access and demands ransom or else?
  • IT infrastructure. Cloud security concerns will only deepen as the IoT proliferates. Data access, ID and authentication, legislative boundary constraints and other issues must be considered. And whether data should be stored publicly or privately is another big question to answer.
  • Unprotected wireless. Making sure any wireless connections are protected by a VPN is essential. Hotspot Shield VPN is a great option and it’s free.

At this point, nobody really knows how all of this will pan out. Regulation and legislation will be very challenging. The IoT may very well leave legislation for data protection in the dust.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

10 Tips to Keep Your Data Private Online

The Internet has become an essential tool for most of us and a part of our everyday lives. We rely on it to send/receive emails, post/share photos and messages on social networking sites, shop for clothes, search for information, etc. But how do all these online activities affect your privacy?

Your online privacy depends on your ability to control both the amount of personal information that you provide and who has access to that information. Unfortunately, some of us are too casual and careless with how we manage our personal information and activities online. This leaves us vulnerable to identity theft and invasion of our privacy, both from legitimate and illegitimate sources.

That’s because your personal information, including your email address, phone number and Social Security number and other personally identifiable information, is worth a lot of money. The bad guys will use it to steal from you and businesses want to know as much about you as possible so they can sell you more products and services or serve you ads that are highly relevant to your demographics and preferences.

So take these simple steps to protect your valuable personal information:

  1. Be careful what you share and post online. Remember, don’t post or share anything that you wouldn’t want shared publicly, even if you think you’re just sending it to one person.
  2. Don’t freely give out personal information online any more than you would to a stranger on the street. Keep personal information (such as your hometown, birth date with year and phone number) off social networks.
  3. Don’t send any sensitive information when connecting over public Wi-Fi (e.g. don’t do banking or shop online).
  4. Use private browsing mode on your Internet browser or at least turn off your browser cookies.
  5. Never reply to spam or unknown messages, whether by email, text, IM or social networking posts from people you don’t know—especially if it’s for an offer that sounds too good to be true.
  6. Only friend or connect with people online you know in real life.
  7. Make sure when you’re providing any personal information online that the site uses encryption (look for https:// in the URL) and check to see how they are using your personal data in their privacy policy.
  8. Be aware of location services with your smartphone or tablet. Turn off the GPS on your mobile device’s camera and only allow
  9. Routinely update your social media privacy settings to ensure your profile is appropriately protected and also make sure to change your passwords on your accounts at least 3x a year.
  10. Make sure all your devices are protected with comprehensive security, like McAfee LiveSafe™ service that provides not only antivirus, anti-spyware, anti-phishing, anti-spam and a firewall, but also protects your data and identity on your PCs, Macs, smartphones and tablets.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Internet Safety Is Not A Technology Problem, It Is A Parenting Problem

A recent story concerns a teen romance gone wrong that had reportedly started on Xbox. Now their parents and police say the four Iowa teens have run away from their homes. Two teenage girls from Shellsburg and two teenage boys from Atlantic went missing in what police think may have been a plotted escape.

One of the boys’ mothers said, “I don’t let him have a Facebook account because I don’t want him meeting people online.” She added, “I didn’t realize they could do so much on Xbox.”

Parents need to understand the technology that their kids are using, not just let them blindly do whatever they want.  Yes, this takes time.  And, yes, this is more trouble than my parents had to deal with.  But, this is the era we live in.

A study recently conducted by McAfee and MSI Research called, “The Digital Divide,” revealed that this instant access to information and digital devices is impacting our teens more than many of us parents realize. Some of the findings include:

Meeting strangers – 12% of 13-17 year olds, after communicating with a stranger online, met them in the real world.

Physical safety – 7% feared for their safety because of something that happened online, and 5% reported getting into a physical fight because of a problem that started online.

Criminal record – 15% said they have hacked someone’s social networking account and 31% have pirated music and movies.

Innocence – 46% of teens report accidentally accessing pornography online and 32% reported accessing pornography intentionally.

And what about the parents? The study showed:

1 in 3 believes their teen to be much more tech-savvy than they are, leaving them feeling helpless to keep up with their teen’s online behaviors.

22% of parents do not believe their kids can get into trouble online.

Less than 1 in 10 parents are aware their teens are hacking accounts or downloading pirated content.

78% of parents are not worried about their kids cheating at school.

Only 12% of parents thought their children accessed pornography online.

How can this be prevented?

Parents, you must stay in-the-know. Since your teens have grown up in an online world, they may be more online savvy than their parents, but you can’t give up. You must challenge yourselves to become familiar with the complexities of the teen online universe and stay educated on the various devices your teens are using to go online.

What are the conversations that parents should be having with their teens?

As a parent of two young girls, I proactively participate in their online activities and talk to them about the “rules of the road” for the Internet. Talk with your kids about the risks and rewards of the online world, and be specific about threats that exist. Stay involved in their online activities by asking them to show you things they enjoy online and sites they visit.

Stay involved in your teens’ social networking activities by joining the sites and connecting to them. Talk with them about strangers, new friends and suspicious messages.

Ask them what sites they use to communicate with others. There are many lesser-known networks used by teens to communicate with one another, such as Skout, MeetMe, Tagged, Tumblr and many more.

Consider using tools to help keep your kids safe online and support family Internet rules. While antivirus software protects against security threats, parental control software such as McAfee Safe Eyes gives parents tools to protect their kids from inappropriate contact and stay informed about their online behavior.

How can parents become more tech savvy?

Get device savvy: Whether you’re using a laptop, desktop, Mac, tablet, mobile, wired Internet, wireless, or software, learn it. No excuses. No more, “My kids know more than I do,” or, “All I know how to do is push that button-thingy.” Take the time to learn enough about your devices to wear them out or outgrow them.

Get social: One of the best ways to get savvy is to get social. By using your devices to communicate with the people in your life, you inevitably learn the hardware and software. Keep in mind that “getting social” doesn’t entail exposing all your deepest, darkest secrets, or even telling the world you just ate a tuna sandwich. Proceed with caution here.

Manage your/their online reputation: Whether you are socially active or not, whether you have a website or not, there are plenty of websites that know who you are, that are either discussing you or listing your information in some fashion. Google yourself and your kids to see what’s being said. Developing your online persona through social media and blogging will help you establish and maintain a strong online presence.

Get secure: There are more ways to scam people online than ever before. Your security intelligence is constantly being challenged, and your hardware and software are constant targets. Invest in antivirus, anti-spyware, anti-phishing, and firewalls. Getting security-savvy is a great way to start a new year.

I’m hoping that this report and new case open other parents’ eyes so they’ll become more involved in educating their teens with advice and tools.

For more information, please visit:

Full report: http://www.mcafee.com/us/resources/misc/digital-divide-study.pdf

Press release: http://www.mcafee.com/us/about/news/2012/q2/20120625-01.aspx

Lonely Hearts Target of Dating Scams

Online dating websites are aware that scammers use their platforms to defraud men and women looking for love. With the holidays around the corner, many unsuspecting people will be used and abused by scammers, who will break their hearts, their bank accounts, or both.

Many of the stories of heartbreak and fraud look like this:

“After chatting via email, they arranged to meet, but their plans ‘collapsed’ when he told her that he had been held by tax authorities over an issue while he was attempting to fly out on business.

The so-called ‘Mr. Fields’ then asked the nurse for financial help, using emails from his fake solicitor to convince the nurse that this was merely an oversight and that his client would pay her back.”

No matter who someone is, what they say, or how they look, don’t automatically trust them.

Discussion of money or loans in any capacity is a red flag.

Don’t let your heart get in the way of basic common sense.

Sometimes loneliness trumps our ability to see the truth. Keep your head up and be attentive to people’s intentions. In the context of the “Color Code of Mental Awareness,” this would mean operating in the yellow zone (not in the white zone) while interacting with others on dating and social networking sites.

One company looking out for you behind the scenes is iovation Inc. They work with dating sites and social networks around the world to rid their sites of bad actors. They have stopped more than 50 million attempts at online scams and solicitations, spam, identity mining and fake profiles for their clients. All of this happens behind the scenes to keep the site and its customers safe.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Dating Security on E! True Hollywood Stories.  Disclosures

 

Get Digitally Secure before it’s Mandatory

For the past decade, much of banking has taken place online, after hundreds of years of traditional banking. Banks have streamlined their processes, but must also cope with fraud. With banks absorbing billions in losses, consumers also pay.

In a recent survey of 1,000 U.S. residents, 60% responded that dealing with fraud is the banks’ responsibility, while only 6% believed that responsibility rests with consumers. 48% said they were concerned about the risk of fraud, and 14% had fallen victim to fraud in the last two years.

Advances in technology have made banking more convenient but have also outpaced consumers’ security intelligence. It is possible to secure systems against most cybercrime but that level of security often proves too inconvenient for consumers. As long as banks continue absorbing losses from fraud, consumers remain blissfully ignorant of the consequences of inadequate security.

Meanwhile, other countries take different approaches. South Korea has introduced a “Zombie PC Prevention Bill,” which makes installing and using security software mandatory for all citizens. A New Zealand law reserves the government’s right to confirm that personal computers are adequately protected.

Protect your computer by setting its operating system to automatically update critical security patches. Always run antivirus software and set virus definitions to update automatically. Use a protected wireless network and make sure your firewall is protecting both incoming and outgoing traffic.

Never click links within the body of an email. Instead, go to your favorites menu or type the address into the address bar. And be sure to check your online bank statements frequently.

You can find more tips from JustAskGemalto on how to bank safely online here.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. Disclosures

 

Epsilon Breach Will Impact Consumers for Years

This week consumers are receiving messages from trusted companies such as 1-800-Flowers, Chase, Hilton HHonors and others, letting them know that their e-mail addresses have been exposed due to the recent Epsilon data breach. This provides a perfect opportunity for cybercriminals, who may try to take advantage of the breach to send out phishing e-mails designed to steal user names and passwords. Since consumers are receiving legitimate e-mails, they may be less suspicious of the phishing or spear phishing ones.

Generally, when a credit card is compromised, a new number and card are issued, making the breach a forgotten inconvenience. However, when a Social Security number is breached, the victim can feel the effects for decades. Email addresses fall in the middle because consumers have the ability to change them, but often weigh the pros and cons and keep them for convenience’s sake. This is what makes getting phished a higher probability.

McAfee Labs believes scammers will probably wait until they figure out how best to turn their scams into money, and may wait until the news cycle dies down. That’s why it is important for consumers to stay vigilant for a period of time: really, for the entire time you possess a hacked email address.

Here are some tips for consumers to stay safe:

– Consider ditching your compromised address and starting new.
– Be aware that companies will never ask you for credit card information or other personal information in email. If you are being asked to provide that information, it’s a scam.
– If you are suspicious of an email, go directly to the Web site of the company that purportedly sent it and don’t follow links in the email, as those may be fraudulent. Call the company’s number listed on their Web site, not the number in the email, as that may be a fake.
– Consider unsubscribing from email communications and re-subscribing using a new email address for commercial communications. That way you know that messages that land in that new inbox are more likely to be genuine, as the new address wasn’t part of the breach.
– Use the latest security software, including Web security features to protect you from going to malicious Web sites such as phishing sites.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing the Epsilon breach for McAfee on Fox News. (Disclosures)

Google Adds Security to Search

The Internet can be a dangerous neighborhood, and safety precautions are a necessity. IBM Internet Security Systems blocked 5,000 SQL injections every day in the first two quarters of 2008. By midyear, the number had grown to 25,000 a day. By late fall, attacks climbed to 450,000 daily. US government servers and sites are targeted 60 million times a day, or 1.8 billion times per month.

While the government fights to protect itself, you and I are on our own, and most civilians are completely unprepared for an attack.

In the University of Cincinnati’s Journal of Homeland Security and Emergency Management, the authors write, “The general population must be engaged as active security providers, not simply beneficiaries of security policy, because their practices often create the threats to which government responds.” In other words, citizens need to take personal responsibility and start acting securely, rather than expecting it to all be done for them.

But Google is lending a helpful hand.

In December, they posted the following announcement on the Google blog:

“Today we’ve added a new notification to our search results that helps people know when a site may have been hacked. We’ve provided notices for malware for years, which also involve a separate warning page. Now we’re expanding the search results notifications to help people avoid sites that may have been compromised and altered by a third party, typically for spam. When a user visits a site, we want her to be confident the information on that site comes from the original publisher.”

You can see an example of a search result notification here. Clicking the “This site may be compromised” warning brings you to an article with more information, and clicking the result itself brings you to the target website, as usual.

My observation has always been that if a person decides to use the Internet, they should take some basic courses via their local adult education offering and read up about how to log in securely. New scams pop up every day, and one has to be aware of their options.

Thanks, Google, for lending a hand.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses online banking security on CBS Boston. Disclosures

McAfee’s 10 Tips To Secure New Devices and Guard Against Cybercrime in 2011

Here are some practical tips from McAfee to ensure optimal Internet safety and security in 2011:

Be aware that threats aimed at mobile phones are growing – Use software that backs up smart devices and use strong discretion when storing, saving or editing personal information on your smartphone or device. Don’t keep all of your personal passwords on your device, and avoid using it to store financial information like credit card and bank account numbers.

Keep in mind that gaming and entertainment devices are now Internet-connected – Many people don’t realize that their new gaming console may represent another port of entry for cybercrooks into their household. Some Internet TV applications can expose personal information, so be sure to install anti-virus software, two-way firewalls, anti-spyware, anti-phishing, and safe search capabilities, just as you would on a PC. Block free browser access via these devices and use parental controls wherever possible to ensure the safety of children who play interactive games.

Use technologies to protect information on USBs – Secure USB sticks by encrypting information, making it unreadable to someone who has taken or found it. In addition, install security software to protect portable hard drive devices and never leave such devices unattended.

Make sure that you are using a comprehensive security software platform for your PC – Free point solutions may work well for specific concerns and known threats, but they won’t protect you against emerging threats and are usually only offered to get you to buy more comprehensive software. Ensure that your software is comprehensive, meaning it has anti-virus with cloud computing, a two-way firewall, anti-spyware, anti-phishing and safe search capabilities.

Invest in identity theft protection – Your identity is your most valuable asset. And with all your information contained and transmitted on your devices, you need comprehensive coverage to protect you from identity thieves.

Make sure to transfer your PC best practices to all of your Internet-connected devices – If you have an Apple device, Apple’s MobileMe service is available, providing tools for synching, backing up and securing data. Consider installing security software for new Internet-connected devices such as smartphones, and make sure the device’s Wi-Fi is connected to a secure network.

Pay attention to your children’s online activities – Communicate with children about cybercrimes, monitor their web activity and consider keeping the family computer in a common space to minimize their exposure to inappropriate content. For additional advice on child safety, visit the McAfee Family Internet Safety Center at www.mcafee.com/family and 10-Step Internet Safety Plan For Your Family.

Search and shop safely – Before submitting credit card numbers or other personal information, always read the online vendor’s privacy and security policy. Consider using a trusted website safety advisor, such as McAfee® SiteAdvisor® software, included in all of McAfee consumer security suites, to determine which ecommerce sites are safe. Also, look for the McAfee SECURE™ trustmark before heading to the check-out counter.

Back up critical information – Guard against data loss by utilizing a regular back-up software program to ensure that all critical information and personal files are safe in case of emergency.

STOP. THINK. CONNECT. is the first-ever coordinated message to help all digital citizens stay safer and more secure online. The message was created by an unprecedented coalition of private companies, nonprofits and government organizations.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)

Facebook Beefs Up Your Security

It is obvious to many that Facebook has got the message and is becoming more responsible for their users’ security. For a few months now I have enjoyed a security feature they implemented that allows you to stay in control of your logins.

Login notifications: This feature sends you an email or text telling you someone has just logged into your account.

To set up and enable notifications:

1. Go to “Account” in the upper right-hand corner.

2. In the drop-down menu, go to “Account Settings.”

3. In the main menu, go to “Account Security.”

4. Click “Yes” next to “Would you like to receive notifications from new devices.”

5. The same can be done with text messages if you have your mobile plugged into Facebook. But don’t have your mobile displayed on your page publicly.

6. Log out, then log back in, and it will ask you to identify the computer.

One time passwords: This makes it safer to use public computers in places like hotels, cafes or airports. If you have any concerns about security of the computer you’re using while accessing Facebook, we can text you a one-time password to use instead of your regular password.

Simply text “otp” (that’s O T P for ‘One Time Password’) to 32665 on your mobile phone (U.S. only), and you’ll immediately receive a password that can be used only once and expires in 20 minutes. In order to access this feature, you’ll need a mobile phone number in your account.
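
The two properties described above (usable only once, expiring in 20 minutes) can be modelled on the server side as follows. This is an added example, not Facebook's code: the class and function names, the password length and the failed-guess limit are assumptions for illustration, and the phone number is constructed sample data.

```python
import hashlib
import hmac
import secrets
import string

OTP_TTL_SECONDS = 20 * 60     # the post says the password expires in 20 minutes
OTP_ALPHABET = string.ascii_lowercase + string.digits
OTP_LENGTH = 8                # assumption: the post does not state a length
MAX_FAILED_ATTEMPTS = 5       # assumption: the post does not state a guess limit


class FakeClock:
    """Controllable clock so expiry can be demonstrated without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class OneTimePasswordStore:
    """In-memory model of single-use, short-lived login passwords."""

    def __init__(self, clock):
        self._clock = clock   # callable returning the current time in seconds
        self._pending = {}    # phone number -> record for the outstanding password

    @staticmethod
    def _digest(salt, otp):
        # Only a salted hash is kept, so a leaked store does not reveal the password.
        return hashlib.sha256(salt + otp.encode("utf-8")).digest()

    def issue(self, phone_number):
        """Create a password for this number, replacing any earlier one."""
        otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[phone_number] = {
            "salt": salt,
            "digest": self._digest(salt, otp),
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "failures": 0,
        }
        return otp            # in a real service this would be sent by text message

    def redeem(self, phone_number, candidate):
        """Return True once for the right password before expiry, else False."""
        record = self._pending.get(phone_number)
        if record is None:
            return False
        if self._clock() >= record["expires_at"]:
            del self._pending[phone_number]      # expired: discard it
            return False
        supplied = self._digest(record["salt"], candidate)
        if hmac.compare_digest(supplied, record["digest"]):
            del self._pending[phone_number]      # single use: burn on success
            return True
        record["failures"] += 1
        if record["failures"] >= MAX_FAILED_ATTEMPTS:
            del self._pending[phone_number]      # stop guessing against this password
        return False


def demo():
    """Return (first use, replay, use after expiry) for a constructed number."""
    clock = FakeClock()
    store = OneTimePasswordStore(clock)
    number = "+15555550100"                      # constructed sample number
    otp = store.issue(number)
    first_use = store.redeem(number, otp)
    replay = store.redeem(number, otp)
    late_otp = store.issue(number)
    clock.advance(OTP_TTL_SECONDS + 1)
    after_expiry = store.redeem(number, late_otp)
    return first_use, replay, after_expiry


if __name__ == "__main__":
    print(demo())
```
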

Remote logout: the ability to sign out of Facebook remotely is now available to everyone. These session controls can be useful if you log into Facebook from a friend’s phone or computer and then forget to sign out. From your Account Settings, you can check if you’re still logged in on other devices and remotely log out.

Under the Account Security section of your Account Settings page you’ll see all of your active sessions, along with information about each session.

Robert Siciliano, personal security expert to ADT Home Security Source, discussing social media Facebook scammers on CNN. Disclosures.