Posts

10 Tips to Keep Your Data Private Online

The Internet has become an essential tool for most of us and a part of our everyday lives. We rely on it to send/receive emails, post/share photos and messages on social networking sites, shop for clothes, search for information, etc. But how do all these online activities affect your privacy?

Your online privacy depends on your ability to control both the amount of personal information that you provide and who has access to that information. Unfortunately, some of us are too casual and careless with how we manage our personal information and activities online. This leaves us vulnerable to identity theft and invasion of our privacy, both from legitimate and illegitimate sources.

That’s because your personal information, including your email address, phone number and Social Security number and other personally identifiable information, is worth a lot of money. The bad guys will use it to steal from you and businesses want to know as much about you as possible so they can sell you more products and services or serve you ads that are highly relevant to your demographics and preferences.

So take these simple steps to protect your valuable personal information:

  1. Be careful what you share and post online. Remember, don’t post or share anything that you wouldn’t want shared publicly, even if you think you’re just sending it to one person.
  2. Don’t freely give out personal information online any more than you would to a stranger on the street. Keep personal information (such as your hometown, birth date with year and phone number) off social networks.
  3. Don’t send any sensitive information when connecting over public Wi-Fi (e.g. don’t do banking or shop online).
  4. Use private browsing mode on your Internet browser or at least turn off your browser cookies.
  5. Never reply to spam or unknown messages, whether by email, text, IM or social networking posts from people you don’t know—especially if it’s for an offer that sounds too good to be true.
  6. Only friend or connect with people online you know in real life.
  7. Make sure when you’re providing any personal information online that the site uses encryption (look for https:// in the URL) and check to see how they are using your personal data in their privacy policy.
  8. Be aware of location services with your smartphone or tablet. Turn off the GPS on your mobile device’s camera and only allow
  9. Routinely update your social media privacy settings to ensure your profile is appropriately protected and also make sure to change your passwords on your accounts at least 3x a year.
  10. Make sure all your devices are protected with comprehensive security, like McAfee LiveSafe™ service that provides not only antivirus, anti-spyware, anti-phishing, anti-spam and a firewall, but also protects your data and identity on your PCs, Macs, smartphones and tablets.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

McAfee Labs 2014 Predictions

As we wind down the year, it’s a time to reflect, but also to look forward. Some of us may be thinking about resolutions and what we need to do in the upcoming year—exercise more, eat better, have better work/life balance, etc. Others of us will be thinking about how we’re going to ring in the New Year.

This time of year the McAfee Labs™ team is busy looking at what the new threats are going to be and what new trends they expect to see. Today they released their 2014 Threat Predictions, and here’s what they believe will be in store for us:

Mobile Malware

While this is not new, this category of malware is growing like wildfire and McAfee Labs sees no slowdown in this in 2014. And besides continued growth in this category (mostly on the Android platform), they believe that some types of mobile attacks will become prevalent.

One of these growing attacks is ransomware targeting mobile devices. Once the cybercriminal has control of your device, they will hold your data “hostage” until you pay money (whether that’s conventional or virtual, like Bitcoin) to the perpetrator. But as with traditional ransomware, there’s no guarantee that you really will get your data back.

Other mobile tactics that will increase include exploiting the use of the Near Field Communications (NFC) feature (this lets consumers simply “tap and pay,” or make purchases using close-range wireless communications), now on many Android devices, to corrupt valid apps and steal data without being detected.

Virtual Currencies

While the growth of Bitcoin and other virtual currencies is helping promote economic activity, it also provides cybercriminals using ransomware attacks with a perfect system to collect money from their victims. Historically, payments made from ransomware have been subject to law enforcement actions via the payment processors, but since virtual currency is unregulated and anonymous, it is much easier for the hackers to get away with their attacks.

Attacks via Social Networking Sites

We’ve already seen the use of social networks to spread malware and phishing attacks. With the large number of users on Facebook, Twitter, Instagram and the like, the use of these sites to deliver attacks will continue to grow.

In 2014, McAfee Labs also expects to see attacks that leverage specific features of these social networking sites, like Facebook’s open graph. These features will be exploited to find out more information about your friends, location or personal info and then be used for phishing or real-world crimes.

The other form of social attacks in 2014 will be what McAfee Labs calls “false flag” attacks. These attacks trick consumers by using an “urgent” request to reset one’s password. If you fall for this, your username and password will be stolen, paving the way for collection of your personal information and friend information by the hacker.


Here are some security resolutions to help you stay safe online in 2014:

  • Strengthen your passwords: If you’re still using easy to remember passwords that include your home address and pet’s name, it’s time to get serious about creating strong passwords that are at least eight characters long, and a combination of numbers, letters and symbols. Don’t include any personal information that can be guessed by hackers.
  • Don’t open or click on suspicious emails, text or links: By simply opening an email with a piece of ransomware within it you could be leaving your devices vulnerable to hijacking.
  • Be aware when downloading apps: Since apps are the main way mobile malware is spread today, make sure to do your research before downloading any app and only download from reputable app stores.
  • Limit your use of NFC, Wi-Fi and Bluetooth: If your phone has NFC capabilities, you may be unaware of default settings. Turning this feature off, as well as turning off Bluetooth and Wi-Fi connections, will not only help you save battery life on your devices, but prevent attacks from hackers looking to exploit your wireless connections.
  • Check your bank statements and mobile charges regularly: This way, you can discover and report any suspicious charges.
  • Install comprehensive security on all your devices: With the growing number of threats that we’re seeing, you want to make sure that all your devices (not just your PC) are protected. Consider installing security software such as McAfee LiveSafe™ service that protects your data, identity and all your devices (PCs, Macs, smartphones and tablets).

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Protection For Your Shiny New Devices

After Santa heads back to the North Pole, there will be many new devices in the hands of good girls and boys that will be targeted by criminals. With the enjoyment of these cool devices should come top-notch protection for them, as they can be vulnerable to a number of malicious threats.

Laptop or PC

What should your security software include?

  • A two-way firewall: monitors the activity on your devices making sure nothing bad is coming in (like unauthorized access) and nothing good is leaving (like your data).
  • Anti-virus software: protects your devices from malicious keyloggers and other badware.
  • Anti-phishing software: watches your browser and email for suspicious inbox activity.
  • Anti-spyware software: keeps your PC spyware-free.
  • Safe search capabilities: McAfee’s SiteAdvisor plugs into your browser and tells you which websites are good and which are suspicious.

Go further with wireless network protection, anti-spam, anti-theft protection and parental controls.

Free software is not recommended, as it provides only basic protection and you’ll likely end up purchasing more anyways.

Make sure you have a subscription to software that’s automatically renewed every year so that you don’t forget. This is after you figure out whether or not your new device’s protection software is on a trial basis.

Smartphone or tablet

  • Be leery of third-party apps you install on your mobile phone, since malicious apps are the main threat.
    • Download apps only from reputable app stores.
    • Read reviews and make sure you know what information the app requests prior to download.
  • Use mobile security software that includes:
    • Anti-virus and malware protection
    • Anti-theft
    • App protection
    • Web protection
    • Call and text filtering
  • Turn off automatic connections to Bluetooth and Wi-Fi unless you’re using them.
  • Apply app and operating system updates.
  • Never store account numbers, passwords, etc., on your phone or tablet
    • Do not have your apps set to automatically.
  • Apple products are at highest threat; install security software that’s been designed just for the Mac.
  • Never leave your phone or tablet unattended.

Gaming or entertainment device

These devices are vulnerable to many of the same attacks that PCs are, since they’re connected to the Internet.

  • Create backups of your games.
  • Make sure you understand the built-in parental controls.
  • Never store personal information on this device.
  • Connect it only to a secure Wi-Fi network.
  • Use a secure, encrypted USB drive that will muddle up your information to make it unreadable to thieves.
  • Purchase security software to protect the portable hard drive; and set a password.
  • Employ technologies for protecting your information.
  • Never leave the USB drive unattended.

The most important thing to remember is “don’t worry about it” but definitely do something about it. Once you invest in your devices’ security, go play, have fun and be smart about what you do online.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Why Should You Shop on Sites with Trustmarks?

With the holiday season in full swing, this is a busy time for a lot of us with parties, gift buying and possibly even figuring out travel arrangements. With all there is to do, many of us will turn to online shopping to help beat the crowds, find deals and not have to worry about what time we shop.

While online shopping may be convenient, we also need to exercise some caution. After all, there are websites that are set up to sell fake or pirated digital downloads that can carry viruses or malware along with the product you thought you purchased legally. But there are also a lot of honest people who run legitimate e-commerce sites and care about the privacy and security of their customers.

So, how can you tell if a site is safe and protects your personal information? Well, one indicator of a safe site is one that displays a trustmark. A trustmark is a seal, logo, insignia or other icon that is usually placed on the site (often on the checkout/cart page) to show that the merchant is making an effort to protect you from cybercriminals and online fraudsters who might be out to distribute malware or collect your personal and financial data for the purposes of identity theft. There are a wide variety of trustmarks that indicate various levels of protection.

To better understand trustmarks, and how to use them, follow these simple tips:

  • Don’t just trust it; verify it! Trustmark providers usually provide a live link with their trust seal or icon that allows you to verify the trustmark and whether it is up to date. Don’t just look at the icon and assume that it is legitimate—click to make sure.
  • Not all protection is the same. It’s best to conduct your own research on a trustmark to find out what it really means.  Look for regular audits, recent updates and other indications that it provides protection and security for your personal data.
  • Universal protection doesn’t exist. No single trustmark can guarantee protection against anything and everything. Be skeptical and do additional research if you encounter this claim.
  • Details, details, details. Read the fine print on both the merchant’s and the trustmark provider’s sites. Prominent placement of a privacy policy might look secure, but what level of security and privacy does that policy really offer you?

Legitimate trustmarks can be helpful tools that let you connect with confidence when shopping online. Just remember to take the time to learn a little about the trustmarks you come across so you can make informed decisions about which sites to do business with in the future. For more tips on safe shopping this holiday season, read this blog or download McAfee’s eguide.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Internet Privacy Tools for Online Safety

Drug dealers, child pornographers, terrorists and criminal hackers often share the same Internet privacy tools as law enforcement, domestic violence victims and citizens of oppressive governments, who most likely use a “darknet,” an anonymous, secret internet designed to cover their tracks and protect them from internet surveillance. The “darknet” is used by both good and bad people with various intentions.

These internet security tools are designed to work like a private tunnel through the internet.

And then there’s the government funded “Tor” project. The Boston Globe reports “Tor stands for ‘the onion routing’ project, initiated by the US Naval Research Laboratory in the 1990s to camouflage government communications by sending messages through a system of computers. The project was expanded in 2001 by two Massachusetts Institute of Technology students who made the technology more accessible to civilians.”

Government officials say they support the project because it provides potentially life-saving online safety and privacy for the people who need it most. “Tor is a publicly available tool. It is used by activists and bloggers, by average US citizens protecting against identity theft, and by military and law enforcement officers conducting investigations and intelligence gathering,” a State Department spokesman said.

Just because internet privacy tools can be used for bad reasons by bad people doesn’t mean they are bad. A baseball bat can be used for bad reasons too.

For someone who is a victim of a stalker or domestic violence, a privacy tool like this can be a lifesaver.

 

Robert Siciliano, personal and home security specialist to Home Security Source, discussing ADT Pulse on Fox News. Disclosures

5 Digital New Year’s Resolutions For Parents

McAfee recently distributed a press release and the line that caught my eye was, “Now is the time for parents to model good behavior and etiquette.” This wasn’t something you’d normally expect to see from a major security company, so, intrigued, I read on.

Instruction in etiquette and good behavior is something we could all probably use a little more of. And when I read McAfee’s “5 New Year’s Resolutions,” I realized that even though I have young children, I ought to brush up on some digital etiquette myself. It’s not too late to do your resolutions or start new ones or just brush up on your online safety.

McAfee suggests that parents begin the New Year with resolutions that address their own behavior, so they can model best practices for kids and teens:

When I’m with my children, I pledge not to spend more than 10% of the time on my phone or computer.
Adults spend about 3.5 hours a day perusing the Internet or staring at their cell phone, according to estimates from eMarketer. This year, make a promise to give your full attention to your children, and develop a plan to limit your use of electronic devices.

I will not communicate with my children via text when they are in the house.
One downside of technology is that fewer people actually speak to one another. A Kaiser study found that children in grades 7-12 spend an average of 1.5 hours a day sending or receiving texts.

I will not give my child access to an Internet browser on a smartphone or tablet that is not safe for them to use.
It’s important for parents to shield children from cyber-danger by filtering explicit content on smartphones and tablets via applications such as McAfee Family Protection or McAfee Safe Eyes software. This software can prevent children from establishing or accessing social networking accounts, limit Internet use, and block inappropriate websites or messenger chats.

I will be prepared to have a “texting intervention” if my teen’s thumbs begin to look like tiny body-builders.
Texting may be a quick and easy way to interact with others, but the impersonal nature of the communication and frequency of use can cause problems.

I will have “the talk” with my kids, to discuss what they are doing and with whom they are connecting online.
Children often lack an understanding of online dangers, or they may lack the maturity to make appropriate decisions.

By modeling good behavior and ensuring that children’s experience on Internet-connected devices is a safe and healthy one, parents can ensure a 2012 that is free of digital drama.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

Trust: A Rare Commodity Online

People lie when they set up online dating profiles, they lie when they put up fake social media profiles, and they lie to the innocent victims of their scams.

Banks and retailers know better than anyone that people lie. There are countless scenarios and justifications, but people who lie invariably do it in order to get something.

In general, we strive to be a kind and civil species. We trust by default. We want to be helpful and accommodating. We don’t want to believe that people lie, but they do.

Dishonesty poses a challenge to banks and retailers in the form of theft. Theft is a big problem on the Internet, and any online business knows that they can’t afford to trust you, regardless of how honest you may be.

The Federal Financial Institutions Examination Council recently instructed both retailers and banks to enhance their security procedures, in response to the increasingly creative lies concocted by scammers.

One of those FFIEC recommendations involves incorporating complex device identification. This means that banks and retailers should adopt technology that actually recognizes and analyzes the PCs, smartphones, and tablets being used to access their websites. Once the device is identified, knowing the device’s reputation is where it really gets interesting. Is it acting suspicious or is it a known device that has been used in a fraud ring, in money laundering, or has been attempting account takeovers?  Knowing the device’s reputation lets businesses know ahead of time who they can trust online.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

 

Judge Says It’s OK to Post Social Security Numbers Online

B.J. Ostergren is a proud Virginian. She’s known as “The Virginia Watchdog,” but I like to call her “The Pit Bull of Personal Privacy.” She is relentless in her efforts to protect citizens’ privacy, and her primary concern is the posting of personal information online. To make this point, she finds politicians’ personal information, usually Social Security numbers, on their own states’ websites, and republishes that information online.

Publicly appointed government employees known as Clerks of Courts, County Clerks, or Registrars are responsible for handling and managing public records, including birth, death, marriage, court, property, and business filings for municipalities. Every state, city, and town has its own set of regulations determining how data is collected and made available to the public.

The Privacy Act of 1974 is a federal law that establishes a code of fair information practices governing the collection, maintenance, use, and dissemination of personally identifiable information maintained in systems of records by federal agencies.

Over the years, many have interpreted this law to allow public information, including Social Security numbers, to be posted online. I’ve seen Social Security numbers for Jeb Bush, Colin Powell, former CIA Director Porter Goss, Troy Aiken, and Donald Trump, all published on the Internet.

Ostergren so embarrassed the Virginia lawmakers that they passed a law known by some as the “anti-B.J. law,” prohibiting her from doing what public officials have been doing for years.

United States District Court Judge Robert E. Payne signed an order overturning the anti-B.J. law, ruling that privacy advocate B.J. Ostergren may post public records that contain Social Security Numbers on her website, despite a 2008 Virginia law prohibiting the dissemination of such information.

While two wrongs generally don’t make a right, one has to see the irony in this case. And if Ostergren’s actions create awareness that ultimately leads to all Social Security numbers being redacted, then this wrong is right.

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

 

Grandmother Taken for $5400 in Online Dating Scam

All my life, I’ve been waiting for someone to give me a million dollars in diamonds, which have been willed to me by my long-lost Somalian stepfather, who’s supposedly the third generation dictator under the humble Mr. George Kinneus the Third. Or something like that.

If you receive an offer resembling that one, run for the hills.

This is what happened to the 55-year-old grandmother in New Zealand, who was simply looking for love online. She was checking out her prospects on Match.com, the most popular dating site. The grandmother got a “wink,” which is like a “poke” on Facebook, from “kiwibloke25.” According to his profile, “kiwibloke25” was a 55-year-old man seeking a serious relationship with a woman between 49 and 68 years old.

In his first message, he told the grandmother that she “[seemed] to be the type of person he [was] looking for,” and gave her his personal email address. Soon they were exchanging emails and talking on the phone. The man shared numerous intimate details about his life.

Exchanges like these lure unsuspecting victims into scammers’ traps. In this case, “kiwibloke25” claimed to have been robbed by Somalian gangsters while traveling through Dubai, and asked his victim for $5400 to cover the duty on some diamonds he had supposedly purchased. She wired him the money but became suspicious when he asked for more, to pay for a company to securely transfer the diamonds back to New Zealand. She then discovered that “kiwibloke25,” as she thought she knew him, never existed at all.

If you use an online dating service, be on guard for scams. Stick to legitimate, well-known websites, and get referrals from friends who have successfully met romantic partners online. But never let your guard down.

When creating your dating profile, never post personal information, including your middle name, full address, phone number or entire birth date.

To vet potential dates, look for information about them elsewhere online, and confirm that it matches the information in their online dating profiles.

If a potential date asks for a loan or any financial information, report them to the dating website immediately.

Dating sites could protect users by incorporating device identification, device reputation and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, called ReputationManager 360.  It has been recognized over the past few years for “Best New Technology” used by the internet dating industry. This service is established and has protected over 2 billion online dating activities for its clients and has flagged 2.7 million of those identified as scams and solicitations, spam, identity mining/phishing, profile representation and other abuses.  Stopping scams and abusive behavior upfront greatly helps online dating sites not only protect their brand reputation, but most importantly protect their active members.

According to Industry Consultant, Mark Brooks, “The dating industry uses three lines of defense against scammers and abuse: automated software defense, user flagging and customer/abuse teams. iovation’s technology has enabled many dating sites to work together to beat scammers.”

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses dating security on E! True Hollywood Stories. (Disclosures)

Canadian Charged in Ticket Scams – Auction Sites Need to Step Up Fraud Prevention Techniques

Online classified advertising site scams are typically conducted by scammers in countries such as Ghana, Nigeria, Romania, Korea, Israel, Colombia, Argentina, the Philippines, or Malaysia, who spend their days targeting consumers in the developed world.

Scammer grammar and general awkwardness make these scams relatively easy to detect. But when a scammer is local, the ruse becomes more insidious and effective.

The Toronto Sun reports that a man in Hamilton, Ontario faces “60 charges for allegedly selling thousands of dollars worth of non-existent tickets to concerts and sporting events, mostly at venues in Toronto.” The suspect “allegedly used Craigslist to sell tickets to pop concerts like Lady Gaga, Taylor Swift and Justin Bieber, or sporting events like Wrestlemania.”

As in most Craigslist scams, the perpetrator had the victims wire money to him, and in this case it was to a local account, which reduced suspicions. He told victims they would get a shipping confirmation number once the money was received, but of course, this was entirely bogus.

At the top of every post, Craigslist reminds you, “Avoid scams and fraud by dealing locally!” But they may not consider that scammers can deal locally, too. My suggestion is to always meet the seller with cash in hand, or simply buy tickets directly from the venue or venue’s website.

Craigslist and auction sites could better protect end users and prevent the majority of these scams by using readily available and proven fraud detection tools on the market. They could easily round up accounts opened by scammers by tracking them back to the computers, tablets and smart phones that opened them up in the first place by using device reputation management. And when those computers try to open more accounts under more stolen identities, the accounts are automatically denied upfront—at the “account creation” stage.

Craigslist could easily employ customized business rules, such as those offered by iovation’s ReputationManager 360 anti-fraud service, to identify high-risk activity. For example, if someone posted a local offer, iovation could expose to the business when users are hiding behind proxies to make them appear as if they were in the local region. If they are selling a used car supposedly in Irvine, California and they are going through the work to mask their IP and make it “look” like they are in Irvine, but their real IP is exposing that they are in Ghana, wouldn’t that be a red flag? When this happens, the business could automatically deny the attempt in a fraction of a second, or at a minimum send it to a review queue so that fraud analysts can take a closer look before exposing a scammer’s offer to the public.

In general, with today’s sophisticated fraud prevention technologies and techniques, scammer accounts could and should easily be stopped at the front door (while attempting to set up a new account) — before ads are placed, before ads are read by the public, and before tens to hundreds of visitors act on the ad by engaging in conversation with a cyber criminal who wants to steal their money.
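The account-creation checks described here, and the device identification and reputation idea in the FFIEC post above, can be expressed as a few rules. The Python below is an added example, not part of the original posts and not iovation's product or API: the class names, the device identifier, the region codes and the per-device account limit are all assumptions, and the sign-up attempts are constructed sample data.

```python
"""Device-reputation rules at account creation (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    REVIEW = "review"   # hold for a fraud analyst before the ad goes public
    DENY = "deny"


@dataclass(frozen=True)
class SignupAttempt:
    account_id: str
    device_id: str                        # hypothetical stable device identifier
    claimed_region: str                   # where the poster says they are
    connecting_ip_region: str             # geolocation of the IP the site sees
    real_ip_region: Optional[str] = None  # geolocation behind a proxy, if exposed


class DeviceReputation:
    def __init__(self, max_accounts_per_device: int = 3) -> None:
        self.max_accounts = max_accounts_per_device  # assumed threshold
        self.accounts_by_device = defaultdict(set)
        self.devices_by_account = defaultdict(set)
        self.fraud_devices: Set[str] = set()

    def evaluate(self, a: SignupAttempt) -> Tuple[Decision, List[str]]:
        # Rule 1: a device already tied to confirmed fraud is refused outright.
        if a.device_id in self.fraud_devices:
            return Decision.DENY, ["device tied to confirmed fraud"]
        reasons = []
        # Rule 2: a proxy makes the user look local while the real IP is elsewhere.
        behind_proxy = a.real_ip_region not in (None, a.connecting_ip_region)
        if behind_proxy and a.real_ip_region != a.claimed_region:
            reasons.append(f"proxy hides real region {a.real_ip_region}")
        # Rule 3: one device has already opened the allowed number of accounts.
        if len(self.accounts_by_device.get(a.device_id, ())) >= self.max_accounts:
            reasons.append("too many accounts from one device")
        return (Decision.REVIEW if reasons else Decision.ALLOW), reasons

    def register(self, a: SignupAttempt) -> Tuple[Decision, List[str]]:
        """Evaluate at the 'account creation' stage; remember non-denied accounts."""
        decision, reasons = self.evaluate(a)
        if decision is not Decision.DENY:
            self.accounts_by_device[a.device_id].add(a.account_id)
            self.devices_by_account[a.account_id].add(a.device_id)
        return decision, reasons

    def report_fraud(self, account_id: str) -> Set[str]:
        """Mark the account's devices as fraudulent; return accounts sharing them."""
        devices = set(self.devices_by_account.get(account_id, ()))
        self.fraud_devices |= devices
        linked: Set[str] = set()
        for device in devices:
            linked |= self.accounts_by_device[device]
        return linked


def demo() -> dict:
    # Constructed attempts: "US-CA" stands in for Irvine, "GH" for Ghana.
    rep = DeviceReputation(max_accounts_per_device=2)
    out = {}
    out["local"] = rep.register(SignupAttempt("acct-1", "dev-A", "US-CA", "US-CA"))[0]
    out["proxied"] = rep.register(
        SignupAttempt("acct-2", "dev-B", "US-CA", "US-CA", "GH"))[0]
    out["same_device"] = rep.register(
        SignupAttempt("acct-3", "dev-B", "US-CA", "US-CA"))[0]
    out["linked"] = rep.report_fraud("acct-2")   # round up accounts by device
    out["after_report"] = rep.register(
        SignupAttempt("acct-4", "dev-B", "US-CA", "US-CA"))[0]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Linking here is a single hop from account to device to account; following chains of shared devices across a larger ring would need a graph traversal over the same two maps.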

Imagine the scale of bad accounts that could be shut down instantly.  Sophisticated fraud rings could be identified within the business’s network and thousands of fraudulent accounts shut down, making Craigslist and other auction sites a much safer place for the public to look for desired products and services.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scambaiting on Fox News. (Disclosures)