Posts

What is Cookiejacking?

“Cookiejacking” may sound like someone taking a bite out of that delicious chocolate chip cookie you were planning to have after lunch, but it is actually an online security risk that could lead to your personal information falling into the hands of a cybercriminal.

But to understand this risk, you first need to know about Internet cookies. An Internet cookie is a small text file that gets stored on your computer or mobile hard disk from a website that you have previously visited, so the next time you’re on that site, it alerts the site that you’re back.

The cookie holds information such as an identifier the site assigns to you, and any preferences or personal information you may have shared with that website, such as your name and email address. Cookies are the reason why you may see a message that says “Welcome back, John” when you revisit a website.

Now that you know what an Internet cookie is, you can better understand cookiejacking. This is when your device’s cookies are stolen, potentially giving thieves access to the information they hold.

This can be problematic when the cookies stored on your computer contain sensitive and personal data, such as your bank login information and social media account passwords. A cybercriminal could use the stolen information to access your accounts or impersonate you.

Of course, clicking on links in malicious emails or on risky websites increases the odds that you could fall victim to cookiejacking, so the more dangerous clicking you do, the more at risk you are.

How do you avoid cookiejacking?

Here are a few simple tips to help you avoid falling victim to this security concern:

  • Be careful where you click—Especially when playing games on social networks since this could be a trap set by a cookiejacker; all of your clicking will enable the thief to steal your cookies. Also be wary of links in emails, text messages and instant messages, especially if they’re from people you don’t know personally.
  • Use a safe search tool—Utilize a free browser plug-in, like McAfee® SiteAdvisor® that warns you if you are going to a risky site. For Android users, this feature is available as part of the free McAfee Mobile Security.
  • Consider using private browsing mode—The private browsing mode prevents access to cookie files already saved on your device, but more importantly, it stores cookies for the active session in memory. This means that a page crafted for cookiejacking cannot access older cookies nor active ones, because there is no path to them.
  • Install comprehensive security on all your devices—Make sure you protect all your devices with security like McAfee LiveSafe™ service that includes anti-malware, anti-spam, anti-phishing and a firewall so that you are less likely to be a click-jacking victim.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

7 Safety tips on the Mobile Internet

It’s time to know all the ways you can make sure you’re safe when in mobile space to prevent identity theft.

  1. It’s 10 pm; do you know where the malware is? Malware is stealthy and hides in places you least expect, like search engines, tech-related sites, entertainment sites and web ads. Malware can even be waiting for you when you download what seems to be an innocent app for your favorite game. In fact, gaming and gambling sites are common targets, as are search engines—and these threats aren’t going to disappear anytime soon. Install antivirus, especially on Android phones.
  2. Beware of peeping toms. That is, someone peering over your shoulder to catch you typing in a password. Mobile devices don’t mask passwords with those big dots like a laptop or desktop will. That snooping thief is hoping to get a glimpse of your password. Consider sitting against a wall when using your mobile in public. Cover your device with your other hand when entering PINs.
  3. Click with discretion. The mobile webscape is replete with juicy-looking items to click: promotions, ads, weblinks…and it’s pretty much impossible to tell the legit ones from the fraudulent ones. Even the URL can’t indicate this. Scam offers can look legit and trick you into clicks. Don’t let the menagerie of all that stuff to click on overwhelm you. Don’t visit anyplace you’re not sure of.
  4. Don’t get reeled in by phishing e-mails. What should you do if you get an e-mail from eBay or something like that, requesting you click a link to update your credit card information because suspension of your account is imminent? Don’t open. Delete.
  5. Credit card companies, the IRS, banks, etc., will never contact you via e-mail and request your private information. Other scams take the form of announcements you’ve won money, your password has been compromised, or some other emotional message. Make a habit of never even opening these.
  6. Stay with app stores. The mobile webscape is cluttered with enticing offers of free downloads. A minority are fraudulent and it’s impossible to tell which are which. Never download from mobile-only sites or those crammed with ads. Download only from app stores you trust.
  7. No “jailbreaking” or “rooting.” These terms refer to installing software that will break down the walled gardens of your iPhone or Android. Once you do this, you open the device up to malware.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Using your Mobile to protect you from criminals

The Good:

Your mobile phone number is almost as good as your fingerprint: it is unique to you, and as a second-factor authentication device via text message, it acts as access control for certain web sites.

SMS two-factor authentication, as it’s known, is the sending of unique one-time passcodes, which turns your mobile phone into a recipient of a one-time password, or “OTP.” Generally there’s no software to install and it’s just a matter of registering your device with the website. OTPs are sent to smartphones upon entering your username, then a password, or after you click a button on the site requesting the SMS OTP.

A fraudster trying to infiltrate your account would need not only your password and user name, but would also need to physically have your phone. This is a great layer of security. SMS two-factor authentication can be used with sites like Facebook, Twitter, your bank, Gmail, Paypal and others.

Web sites link your mobile number with your account for your protection. So next time an online company wants to send you a “code” via your smartphone, don’t get annoyed; feel secure instead, because that’s how the company knows you are you. In fact, companies will likely brand you as a highly suspicious user if you refuse to include your mobile device’s number as part of your registration.

The Bad:

However, keep your guard up, because fraudsters won’t stop trying to succeed at their plans, and they know that the smartphone poses unique vulnerabilities to the user. For instance, people are more likely to click on a malicious e-mail link because the phone’s small screen makes it harder to detect suspicious web site addresses. Criminals are forever trying to get passwords, hack into accounts and wreak havoc. As technology continues to evolve in favor of the honest user, so does the technology of crime.

Your role is to always try to stay one step ahead of the criminals. There are ways you can protect yourself and never let crooks get ahead of you:

  • Never use the same password for more than one account or web site, even though it’s more convenient to have one password for multiple sites. Every app and web site should have a unique password.
  • Every access point you encounter should be safeguarded with a WiFi VPN service such as Hotspot Shield VPN that encrypts your wireless internet and surfing activities. This way, when you peruse cyberspace at hotels, airports and coffee houses, all of your activities are protected from hijackers.
  • Ignore password request e-mails or security alerts, especially on your smartphone, as they are almost always fraudulent.
  • Do you know if your phone (or iPad) is uploading your private data to cyberspace? Find out by installing an app security scanner.
  • Never use third-party apps on your device (or “jailbreak” it). Never let your kids use your phone, either.
  • Your device should be kept up to date with the latest operating system. System updates usually include security enhancements.
  • When installing Android apps, read their security notices. Understand how your sensitive data will be exposed with these apps—before you hit “Okay.”

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

10 Tips to Keep Your Data Private Online

The Internet has become an essential tool for most of us and a part of our everyday lives. We rely on it to send/receive emails, post/share photos and messages on social networking sites, shop for clothes, search for information, etc. But how do all these online activities affect your privacy?

Your online privacy depends on your ability to control both the amount of personal information that you provide and who has access to that information. Unfortunately, some of us are too casual and careless with how we manage our personal information and activities online. This leaves us vulnerable to identity theft and invasion of our privacy, both from legitimate and illegitimate sources.

That’s because your personal information, including your email address, phone number and Social Security number and other personally identifiable information, is worth a lot of money. The bad guys will use it to steal from you and businesses want to know as much about you as possible so they can sell you more products and services or serve you ads that are highly relevant to your demographics and preferences.

So take these simple steps to protect your valuable personal information:

  1. Be careful what you share and post online. Remember, don’t post or share anything that you wouldn’t want shared publicly, even if you think you’re just sending it to one person.
  2. Don’t freely give out personal information online any more than you would to a stranger on the street. Keep personal information (such as your hometown, birth date with year and phone number) off social networks.
  3. Don’t send any sensitive information when connecting over public Wi-Fi (e.g. don’t do banking or shop online).
  4. Use private browsing mode on your Internet browser or at least turn off your browser cookies.
  5. Never reply to spam or unknown messages, whether by email, text, IM or social networking posts from people you don’t know—especially if it’s for an offer that sounds too good to be true.
  6. Only friend or connect with people online you know in real life.
  7. Make sure when you’re providing any personal information online that the site uses encryption (look for https:// in the URL) and check to see how they are using your personal data in their privacy policy.
  8. Be aware of location services with your smartphone or tablet. Turn off the GPS on your mobile device’s camera and only allow
  9. Routinely update your social media privacy settings to ensure your profile is appropriately protected and also make sure to change your passwords on your accounts at least 3x a year.
  10. Make sure all your devices are protected with comprehensive security, like McAfee LiveSafe™ service that provides not only antivirus, anti-spyware, anti-phishing, anti-spam and a firewall, but also protects your data and identity on your PCs, Macs, smartphones and tablets.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

McAfee Labs 2014 Predictions

As we wind down the year, it’s a time to reflect, but also to look forward. Some of us may be thinking about resolutions and what we need to do in the upcoming year—exercise more, eat better, have better work/life balance, etc. Others of us will be thinking about how we’re going to ring in the New Year.

This time of year, the McAfee Labs™ team is busy looking at what the new threats are going to be and which new trends they expect to see. Today they released their 2014 Threat Predictions, and here’s what they believe will be in store for us:

Mobile Malware

While this is not new, this category of malware is growing like wildfire and McAfee Labs sees no slowdown on this in 2014. And besides continued growth in this category (mostly on the Android platform), they believe that some types of mobile attacks will become prevalent.

One of these growing attacks is ransomware targeting mobile devices. Once the cybercriminal has control of your device, they will hold your data “hostage” until you pay money (whether that’s conventional or virtual, like Bitcoin) to the perpetrator. But as with traditional ransomware, there’s no guarantee that you really will get your data back.

Other mobile tactics that will increase include exploiting the use of the Near Field Communications (NFC) feature (this lets consumers simply “tap and pay,” or make purchases using close-range wireless communications), now on many Android devices, to corrupt valid apps and steal data without being detected.

Virtual Currencies

While the growth of Bitcoin and other virtual currencies is helping promote economic activity, it also provides cybercriminals using ransomware attacks with a perfect system to collect money from their victims. Historically, payments made from ransomware have been subject to law enforcement actions via the payment processors, but since virtual currency is unregulated and anonymous, it is much easier for the hackers to get away with their attacks.

Attacks via Social Networking Sites

We’ve already seen the use of social networks to spread malware and phishing attacks. With the large number of users on Facebook, Twitter, Instagram and the likes, the use of these sites to deliver attacks will continue to grow.

In 2014, McAfee Labs also expects to see attacks that leverage specific features of these social networking sites, like Facebook’s open graph. These features will be exploited to find out more information about your friends, location or personal info and then be used for phishing or real-world crimes.

The other form of social attacks in 2014 will be what McAfee Labs calls “false flag” attacks. These attacks trick consumers by using an “urgent” request to reset one’s password. If you fall for this, your username and password will be stolen, paving the way for collection of your personal information and friend information by the hacker.


Here are some security resolutions to help you stay safe online in 2014:

  • Strengthen your passwords: If you’re still using easy to remember passwords that include your home address and pet’s name, it’s time to get serious about creating strong passwords that are at least eight characters long, and a combination of numbers, letters and symbols. Don’t include any personal information that can be guessed by hackers.
  • Don’t open or click on suspicious emails, text or links: By simply opening an email with a piece of ransomware within it you could be leaving your devices vulnerable to hijacking.
  • Be aware when downloading apps: Since apps are the main way mobile malware is spread today, make sure to do your research before downloading any app and only download from reputable app stores.
  • Limit your use of NFC, Wi-Fi and Bluetooth: If your phone has NFC capabilities, you may be unaware of default settings. Turning this feature off, as well as turning off Bluetooth and Wi-Fi connections, will not only help you save battery life on your devices, but prevent attacks from hackers looking to exploit your wireless connections.
  • Check your bank statements and mobile charges regularly: This way, you can discover and report any suspicious charges.
  • Install comprehensive security on all your devices: With the growing number of threats that we’re seeing, you want to make sure that all your devices (not just your PC) are protected. Consider installing security software such as McAfee LiveSafe™ service that protects your data, identity and all your devices (PCs, Macs, smartphones and tablets).

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Protection For Your Shiny New Devices

After Santa heads back to the North Pole, there will be many new devices in the hands of good girls and boys that will be targeted by criminals. With the enjoyment of these cool devices should come top-notch protection for them, as they can be vulnerable to a number of malicious threats.

Laptop or PC

What should your security software include?

  • A two-way firewall: monitors the activity on your devices making sure nothing bad is coming in (like unauthorized access) and nothing good is leaving (like your data).
  • Anti-virus software: protects your devices from malicious keyloggers and other badware.
  • Anti-phishing software: watches your browser and email for suspicious inbox activity.
  • Anti-spyware software: keeps your PC spyware free.
  • Safe search capacities: McAfee’s SiteAdvisor plugs into your browser and tells you which websites are good and which are suspicious.

Go further with wireless network protection, anti-spam, anti-theft protection and parental controls.

Free software is not recommended, as it provides only basic protection and you’ll likely end up purchasing more anyways.

Make sure you have a subscription to software that’s automatically renewed every year so that you don’t forget. This is after you figure out whether or not your new device’s protection software is on a trial basis.

Smartphone or tablet

  • Be leery of third-party apps you install on your mobile phone, since malicious apps are the main threat.
    • Download apps only from reputable app stores.
    • Read reviews and make sure you know what information the app requests prior to download.
  • Use mobile security software that includes:
    • Anti-virus and malware protection
    • Anti-theft
    • App protection
    • Web protection
    • Call and text filtering
  • Turn off automatic connections to Bluetooth and Wi-Fi unless you’re using them.
  • Apply app and operating system updates.
  • Never store account numbers, passwords, etc., on your phone or tablet
    • Do not have your apps set to automatically.
  • Apple products are at highest threat; install security software that’s been designed just for the Mac.
  • Never leave your phone or tablet unattended.

Gaming or entertainment device

These devices are vulnerable to many of the same attacks that PCs are, since they’re connected to the Internet.

  • Create backups of your games.
  • Make sure you understand the built-in parental controls.
  • Never store personal information on this device.
  • Connect it only to a secure Wi-Fi network.
  • Use a secure, encrypted USB drive that will muddle up your information to make it unreadable to thieves.
  • Purchase security software to protect the portable hard drive; and set a password.
  • Employ technologies for protecting your information.
  • Never leave the USB drive unattended.

The most important thing to remember is “don’t worry about it,” but definitely do something about it. Once you invest in your device’s security, go play, have fun and be smart about what you do online.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

7 tips to a secure mobile device

Have you ever received an email like this…I did: “Robert, last night I was at a concert and I must have dropped my phone because I lost it. But then something awful happened. My friends knew I was with my other friend, and she got a call wondering if I was OK. Apparently whoever found or stole my mobile posted all my naked pictures to Facebook. I’ve finally got access to Facebook and I’ve deleted most of them, but it’s been a harrowing experience.”


There are just so many things wrong with this. It’s amazing to me how lazy some people can be with their mobile security—especially if their devices have, ahem, “private” information on them.

  1. Passwords: Mobiles need to be password protected and automatically locked after one minute. A four- to six-letter/number password is sufficient.
  2. Erase on too many password attempts: Enable the option for when someone tries to enter a password in excess of 10 tries, the device erases the data. If you have kids, you may not want to activate the erase option.
  3. Lock/locate/wipe software: Many devices have a feature that allows users to locate the device in the event it’s lost or stolen. An added bonus is that it allows you to lock it down (it should already be locked after one minute!) and erase the data remotely.
  4. Security software: Know that mobiles are targeted by virus writers in the same way PCs are. While there are millions of viruses targeting PCs, there are still tens of thousands targeting mobiles.
  5. Wireless security: The 3/4G connection on your devices is relatively secure—but the WiFi is definitely not, especially on a public WiFi network. Hotspot Shield VPN is an excellent option to protect your data on an unsecured network.
  6. Update your operating system: Whenever you get a notification that an updated version of your OS is available, it’s often because there was a security vulnerability discovered. Download the update ASAP.
  7. Beware of SMiShing: Whenever you receive text messages asking you to access an account or update your OS, or offering cheap goods, be suspicious. Really, if you aren’t expecting the text, hit delete.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247.

How Secure is My Mobile Carrier’s Network?

The National Security Agency (NSA) prescribes security regulations covering operating practices, including the transmission, handling and distribution of signals intelligence (internet, phone, etc.) and communications security material under control of the NSA’s director. The NSA acts as the national manager for national security and answers to the secretary of defense and the director of national intelligence.

The NSA uses the Android operating system with double encryption for voice communications and a unique routing scheme for 3G wireless communications. You’ve got to figure that if their people are communicating with the president of the United States, then they need to be on a secure, protected network. But you, on the other hand, aren’t the NSA and don’t really need that.

While there is no such thing as 100 percent secure, your mobile carrier’s wireless is pretty much as secure as it can be due to the way it is set up, and the security technology is built into the way the network communicates with the hardware in your mobile device. There are numerous encryption methods, keys and authentication tools designed to identify each user and provide a secure channel of communication.

Mobile broadband (your carrier’s network, which you use to send and receive data over 3G/4G) has a degree of encryption that has been cracked before—hence the reason why the NSA uses double encryption—but the necessary hardware isn’t widely available to criminals. Researchers have demonstrated how the system can be hacked, but it’s still more secure than other options—particularly WiFi, which is unsecured.

Standalone, unprotected WiFi is far from NSA-grade secure and requires additional encryption for anyone at any level to be protected. On WiFi, at a minimum, use a secure virtual private network (VPN) such as the free Hotspot Shield VPN proxy that protects your identity by ensuring that all web transactions (shopping, filling out forms, downloads, etc.) are secured through HTTPS.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

 

How Mobiles Have Become a Big Target for Corporate Networks

Mobile was born with the consumer market in mind. As mobile has developed for consumer use over the past 20-something years, security hasn’t been much of a priority. Now, with a variety of different operating systems and millions of applications, security on mobiles has become a significant problem—especially in a corporate setting. Criminals know that by targeting an employee’s wireless device, they have a good chance of getting onto the corporate network.

The LastWatchdog.com reports, “New research…shows that an estimated one million high-risk Android applications will get introduced into corporate networks this year. Another recent study analyzed two million currently available Android apps, from both third parties and the Google Play store, classifying 293,091 as outright malicious and an additional 150,203 as high risk. When you factor in iOS, Windows Mobile, BlackBerry and…other mobile platforms, the IT landscape is no longer centered on securing an exclusively Windows-based ecosystem.”

Protect yourself (and your employer) by refraining from clicking links in text messages, emails or unfamiliar webpages displayed on your phone’s browser. Set your mobile phone to lock automatically and unlock only when you enter a PIN. Consider investing in a service that locates a lost phone, locks it and, if necessary, wipes the data as well as restores that data on a new phone. Keep your phone’s operating system updated with the latest patches and invest in antivirus protection for your phone.

Use a free VPN service such as Hotspot Shield VPN to protect your entire web surfing session. Hotspot Shield secures your connection, no matter what kind of connection you are using—whether you’re at home or in public, on wired or wireless internet. Hotspot Shield does this by ensuring that all web transactions are secured through HTTPS. It also offers an iPhone and Android version.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Mobile Security Myths

Mobile computing is the new frontier of personal technology. Whether you are on a phone or tablet, if you have a carrier connection, you are mobile.

Today, most of us can’t live without our mobile devices. We live in an always on, always connected world. While this is convenient in many ways, it also brings about new security risks that many people don’t think about.

For example, most of us know that we need to use security software on our PCs. But how many of us know to use security on our mobile devices? Mobile devices are our most personal computers, yet they open the door to many vulnerabilities that don’t exist on a traditional PC.

Here’s some fact vs. fiction around mobile devices:

Mobile Myth #1: The best way to locate my lost phone is by calling it.

False. While “Call Me Maybe” may be your theme song, and this is sometimes a viable option, it’s much easier to use security software that lets you locate your phone by GPS or make it “scream” so you can find it (this is much louder than your ring tone). You can also display a message on your lost phone if anyone does find it, so you can tell them how to get in touch with you.

Mobile Myth #2: It’s ok to have my apps automatically log in to my accounts if I have my phone protected with a PIN.

False. Even though a PIN is a good start, this is not complete protection. Hackers are often able to guess PIN codes and also have programs to help them quickly figure out your 4 digit combination. Make sure you use a PIN that is not 1111 or 1234 and that you do not set your apps or mobile browser to use the “remember me” function. If your phone falls into the wrong hands, that gives the person easy access to your accounts.

Mobile Myth #3: Phishing is just for PC users.

False. In fact, one study showed that mobile users are 3x more vulnerable to phishing scams than PC users. Hackers can use phishing attempts via email (if you access your email via your phone or tablet) but also via text and social media apps. Also, it is much harder to tell if links are “real” in a mobile browser or email, so you should use mobile security software that warns you if you are going to a malicious site.

These are just a few mobile myths that exist out there. To really test your mobile knowledge, play our Mobile Mythbusters quiz on Facebook, where you can also enter to win great prizes like a Galaxy tablet, Kindle Fire, or a copy of my e-book “99 Things You Wish You Knew Before Your Mobile Device Was Hacked,” all with a 1-year subscription to McAfee Mobile Security.


In addition, share your mobile myths with @McAfeeConsumer using the hashtag #MobileMyths to help debunk mobile security myths and protect yourself and others. Top tweeters will win a copy of McAfee All Access or McAfee Mobile Security.

And if you’re going to be at Mobile World Congress, stop by to visit McAfee and see our product demos. We’re in the Intel booth in Hall 3, Stand C34. You may even get a small gift if you show that you’ve liked McAfee on Facebook or followed us on Twitter when you come see the people in the red shirts!

 

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)