Posts

Yes, Macs Can get Malware

So Macs can be infected with malware. Who would have ever thought? The malware at issue here is the dreaded ransomware. Ransomware scrambles up your files, and the hacker at the helm says he’ll give you the cyber “key” in exchange for a handsome payment.

6DRansomware historically has primarily impacted Windows users, but recently it got into OS X—its latest version, Transmission.

  • The virus cyber-incubates for three days.
  • Then with a Tor client, it connects to an Internet server and locks vulnerable files.
  • The cyber key costs $400.
  • Nevertheless, this attack, which doesn’t happen as easily as, say, being lured into clicking a malicious video, is easily spotted.
  • Apple quickly mitigated the problem before anyone’s data had a chance to get encrypted by the virus and held hostage for the bitcoin payment.
  • In summary, Macs are not immune to ransomware, but the circumstances under which the user is victimized are unique and rigid.
  • To avoid the crush of a ransomware attack, regularly back up your data!

It’s time to take precautionary measures, while at the same time, not allowing anxiety to creep in every time you use your device.

  • Be careful when downloading applications.
  • Never run apps that are unfamiliar to Apple. Go to System Preferences, then Security and Privacy, then General.
  • You will see three safety levels. Now, you should never download an app from a third-party vendor. One of the safety levels is called Mac App Store. If you choose this one, all the apps you get will only come from the Mac app store, meaning they will have been given the green light by Apple.
  • To widen the app selection, you can choose Mac App Store with identified developers. This will allow you to get applications created by developers whom Apple has endorsed. However, this doesn’t mean it’s as secure as the Mac App Store choice, because the identified developers’ product was not tested for security by Apple—but at least Apple will block it if it’s infected.

Updates

  • Never put off tomorrow what you can update today. Download updates the moment you are cued to do so.
  • Go into the App Store, hit Updates and then Update All to make sure you’re caught up on updates.
  • To avoid this hassle in the future, put your settings on automatic updates: System Preferences, App Store, Download newly available updates in the background.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Security Appreciation lacking

What’s it gonna take for companies to crack down on their cybersecurity? What’s holding them back? Why do we keep hearing about one company data breach after another?

1SWell, there’s just not enough IT talent going around. The irony is that most company higher-ups admit that cybersecurity is very important and can even name specific situations that could compromise security, such as

having multiple vendors vs. only a single vendor; not having quality-level encryption in place; allowing employees to bring their own mobile devices to work and use them there for business; and having employees use cloud services for business.

Many even admit that they lack confidence in preventing a sophisticated malware onslaught and are worried about spear phishing attacks.

So as you can see, the understanding is out there, but then it kind of fizzles after that point: Businesses are not investing enough in beefing up their cybersecurity structure.

Let’s first begin with signs that a computer has been infected with malware:

  • It runs ridiculously slow.
  • Messages being sent from your e-mail—behind your back by some unknown entity.
  • Programs opening and closing on their own.

What can businesses (and people at home or traveling) do to enhance cybersecurity?

  • Regularly back up all data.
  • All devices should have security software and a firewall, and these should be regularly updated.
  • Got an e-mail from your boss or company SEO with instructions to open an attachment or click a link? Check with that person first—by phone—to verify they sent you the attachment or link. Otherwise, this may be a spear phishing attempt: The hacker is posing as someone you normally defer to, to get you to reveal sensitive information.
  • Mandate ongoing security training for employees. Include staged phishing e-mails to see who bites the bait. Find out why they bit and retrain them.
  • Never open e-mails with subject lines telling you an account has been suspended; that you won a prize; inherited money; your shipment failed; you owe the IRS; etc. Scammers use dramatic subject lines to get people to open these e-mails and then click on malicious links or open attachments that download viruses.
  • Install a virtual private network before you use public Wi-Fi.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

11 Ways to Mitigate Insider Security Threats

Companies are constantly attacked by hackers, but what if those attacks come from the inside? More companies than ever before are dealing with insider security threats.Here are 11 steps that all organizations should take to mitigate these threats and protect important company data:11D

  1. Always encrypt your data If you want to minimize the impact of an insider threat, always encrypt data. Not all employees need access to all data and encryption adds another layer of protection.
  2. Know the different types of insider threatsThere are different types of insider threats. Some are malicious, and some are simply due to negligence. Malicious threats may be identified by employee behavior, such as attempting to hoard data. In this case, additional security controls can be an effective solution.
  3. Do background checks before hiringBefore you hire a new employee, make sure you are doing background checks. Not only will this show any suspicious history, it can stop you from hiring any criminals or those associated with your competitors. Personality tests can also red flag the propensity for malicious behavior.
  4. Educate your staffEducating your staff on best practices for network security is imperative. It is much easier for employees to use this information if they are aware of the consequences of negligent behavior.
  5. Use monitoring solutionsThere are monitoring solutions that you can use, such as application, identity and device data, which can be an invaluable resource for tracking down the source of any insider attack.
  6. Use proper termination practicesJust as you want to be careful when hiring new employees, when terminating employees, you also must use proper practices. This includes revoking access to networks and paying attention to employee actions on the network in the days before they leave.
  7. Go beyond the IT departmentThough your IT department is a valuable resource, it cannot be your only defense against insider threats. Make sure you are using a number of programs and several departments to form a team against the possibility of threats.
  8. Consider access controlsAccess controls may help to deter both malicious and negligent threats. This also makes it more difficult to access data.
  9. Have checks and balances for all staff and systemsIt is also important to ensure there are checks and balances in place, i.e. having more than one person with access to a system, tracking that usage and banning shared usernames and passwords.
  10. Analyze network logsYou should collect, store and regularly analyze all of your network logs, and make sure it’s known that you do this. This will show the staff that you are watching what they are doing, making them less likely to attempt an insider attack.
  11. Back up your data Employees may be malicious or more likely they make big mistakes. And when they do, you’d sleep better at night knowing you have redundant, secure cloud based backup to keep your business up and running.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. See him discussing identity theft prevention.Disclosures.

Pay attention to your IoT Device Security

Wow cool! A device that lets you know, via Internet, when your milk is beginning to sour! And a connected thermostat—turning the heat up remotely an hour before you get home to save money…and “smart” fitness monitors, baby monitors, watches…

6DSlow down. Don’t buy a single smart device until you ask yourself these 10 questions. And frankly, there’s a lot of effort in some of these questions. But, security isn’t always easy. Check it out.

  • Was the company ever hacked? Google this to find out.
  • If so, did the company try to hide it from their customers?
  • Review the privacy policies and ask the company to clarify anything—and of course, if they don’t or are reluctant…hmmm…not good. Don’t buy a device that collects data from vendors that fail to explain data security and privacy.
  • Does the product have excellent customer support?
  • Is it hard to get a live person? Is there no phone contact, only some blank e-mail form? Easily accessible customer support is very important and very telling of the product’s security level.
  • Does the product have vulnerabilities that can make it easy for a hacker to get into? You’ll need to do a little digging for this information on industry and government websites.
  • Does the product get cues for regular updates? The manufacturer can answer this. Consider not buying the device if there are no automatic updates.
  • Does the product’s firmware also automatically update? If not, not good.
  • Is the Wi-Fi, that the device will be connected to, secure? Ideally it should be WPA2 and have a virtual private network for encryption.
  • Will you be able to control access to the product? Can others access it? If you can’t control access and/or its default settings can’t be changed…then be very leery.
  • What data does the device collect, and why?
  • Can data on the device traverse to another device?
  • Ask the gadget’s maker how many open ports it has. Fewer open ports means a lower chance of malware slithering in.
  • Is stored data encrypted (scrambled)? If the maker can’t or won’t answer this, that’s a bad sign.
  • Ask the manufacturer how the device lets you know its batteries are low.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

Keep Accountant happy and Thieves out

Are you a shredder? I hope so. No identity thief on this planet is going to want to attempt to reconstruct cross-shredded documents.

Computer crime conceptSo what, then, should you make a habit of shredding?

  • All financial documents and information, including financial information you’ve jotted on a Post-it note.
  • Credit card receipts unless you want to file these away for end-of-month calculations, but ultimately, you have your monthly statements so you will not have use for them anyways.
  • Old property tax statements (keep the most current one). But any other tax documents you should retain.
  • Voided checks.
  • Most things with your Social Security number on it that aren’t tax related.
  • Any other piece of paper that has your or a family member’s personal information on it, including envelopes with your address. Never assume “that’s not enough” for a skilled identity thief to use.
  • Ask your accountant what they think.

Now, what kind of shredder should you get for your home or office? There are all kinds of makes and models out there.

  • Do not buy a “strip” shredder that simply slices thin strips in one direction. Identity thieves will actually take the time to reconstruct these.
  • Buy a “cross-cut” shredder. The pieces are sliced and diced too small for an identity thief to want to struggle to tape back together.
  • We can go one step further, in case you are wondering if anyone would actually take the time to lay out all those cross-cut fragments and reassemble them: Buy a micro-cut device. The pieces, as the name suggests, are tiny.
  • Read the features for that micro-shredder, as some models are more heavy-duty than others.
  • You may not want to purchase a machine online; at least you will want to see the various makes and models in person first.
  • But if you can’t locate the type of shredder that you’d like from a brick-and-mortar retailer, then of course, there are plenty online to choose from.

So get yourself a shredder on your next shopping trip; you will be so glad you did.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Career Criminal goes down

A sharp nine-year-old girl has a biting message to a 51-year-old man, according to an article on myfoxboston.com:

1G“You deserve to stay in jail because you break into peoples houses. Stop breaking into peoples houses and do something with your life.”

This advice was directed to Pedro Gomez, whom police are labeling a career criminal. According to investigators, he attempted to break into over a dozen houses—all within the span of hours.

One of the failed attempts occurred to a house where the nine-year-old was at at the time. Gomez’s floundering break-in attempts occurred in Shrewsbury, Mass. I’m not so sure he’s a true “career criminal,” because he certainly didn’t do things like a prolific burglar would. This sounds more like random, haphazard, desperate, non-calculated attempts to bust into the nearest homes.

Pedro even apparently stacked patio furniture up against windows in one of his break-in attempts.

There are different kinds of robbers, and one of them is that of the unskilled kind who breaks into homes to get whatever cash or small sellable items he could get his hands on to support his next drug fix. This could very well be the type of criminal that Gomez is.

Gomez tripped an alarm when he tried to get in through a slider type of door, continues the myfoxboston.com article. It was there that the police caught up with him. The report says that he had already broken into houses in three other towns.

Though he didn’t exactly hang his head upon being arrested, he will have plenty of time in prison to reflect upon the advice of the nine-year-old girl.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

How to pwn Anyone

Define Pwn: Pwn is a slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival. And when it’s done by hacking email, the person is effectively pwned. No matter how “private” you are on the Internet, no matter how infrequently you post on your Facebook page—even if you don’t have a Facebook account—your life can be hacked into as long as you own just one password—and the ability to be tricked.

11DSuch was the case of Patsy Walsh, reports an article at bits.blogs.nytimes.com. She gave a few white hat hackers permission to try to hack into her life, and they accomplished this in under two hours, without even entering her house. She figured it would be next to impossible because she had no smart gadgets in the home and rarely posted on her Facebook page.

The “ethical” hackers, part of a security start-up, quickly found Walsh’s Facebook page (which presumably contained personal information such as her town, since there’s many “Patsy Walsh” accounts).

The scarcely posted-to account, however, revealed that she had liked a particular webpage. Based on that information, the hackers phished her and she took the bait, giving up a password, which happened to be for many of her accounts.

The good guy hackers were then invited into her home where they easily obtained her garage door opener code with the brute force attack, but even scarier, cracked into her DirecTV service because it didn’t have a password. Such a breach means that the hacker could control the TV remotely: Running a porn movie while the homeowner’s grandmother is visiting.

They also found Walsh’s passwords tacked onto her computer’s router. The exposed passwords allowed them to get into Walsh’s and her daughter’s e-mail accounts. From that point they got ahold of Walsh’s Social Security number, PayPal account, insurance information and power of attorney form.

She was probably thinking, “Well of course! They’re professional hackers and I let them inside!” But the hackers also discovered that there were about 20 malicious programs running on her computer. Their recommendations to Walsh:

  • New garage door opener
  • Password for DirecTV
  • Password manager to create unique passwords for all of her accounts
  • Security software always kept updated
  • Two-step authentication when offered
  • A nice lecture on phishing attacks

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Is that Viral Story real?

The Internet has almost as many videos as there are stars in the heavens. And you know that some have to be hoaxes. Sometimes it’s obvious, while other times it’s easy to be fooled. For example, the hoax of the “angel” intercepting a truck just about to run over a bicyclist is obviously fake. Isn’t it?

1DBut what about the video of the man cut in half by a bus while riding a bicycle, lying on the ground, staring at his intestines, talking for a full five minutes, while his pelvis and legs lie catty-corner to him? That video looks eerily real.

And so did the enormously viral one of the Syrian refugees holding the ISIS flags and assaulting German police officers.

There are free, non-techy ways to check if a video or image is a fake, from an article at gizmodo.com:

“Reverse Image”

Simply right-click an image, and a selection box will appear. Click “Search Google for this image.” Different sources for the same image will appear, but this won’t necessarily rule out a hoax.

For example, multiple links to the man cut in half appear, and the dates of postings differ, but there’s no way to rule out a hoax based on just this information.

However, suppose there’s a photo of a female ghost crashing a funeral photo. A reverse image search shows that ghost’s face as identical to the image of a mommy blogger on her blog; it’s safe to assume the ghost image is a hoax (aren’t they all?).

YouTube DataViewer

Go to YouTube DataViewer. Plug in the suspect video’s URL. Any associated thumbnail image plus upload time will be extracted. You now can find the earliest upload and see if anything is suspicious. Alongside that you can do a reverse image on the thumbnails and see what you get.

FotoForensics

FotoForensics can detect photoshopping or digital manipulation. If you want to pursue a video, you’ll need to plug in the URL of a still shot, like the ones you see after a video has ended that clutter up the video space. FotoForensics uses a tool called ELA, and you’ll have to do some reading on it before understanding how it works.

WolframAlpha

WolframAlpha can look at weather conditions at a certain time and location, such as “weather in Davie, Florida at (time) and (date). So if the weather in a suspect image with a date and location doesn’t match what Wolfram turns up, consider it a fake.

Jeffrey’s Exif Viewer

Images taken with smartphones and digital cameras contain tons of data called EXIF, including date, time and location of image shoot. See if the date, time and location don’t jive with what the suspect image conveys. Jeffrey’s Exif Viewer is one such EXIF reader.

Google Street ViewGoogle Earth and Wikimapia are tools for mapping out the truth, such as matching up landmarks and landscapes.

So, did your ex really take a trip to Paris, as she stands there with the Eiffel Tower behind her? And is her new beau for real, or was he “shopped” in off of a male fitness model site?

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Eight security tips for travelers with laptop

These days, who doesn’t travel with their laptop? But commonality doesn’t make it inherently safe for your sensitive information that’s stored in the device. In fact, traveling with your laptop is inherently unsecure.

1DWhether you’re traveling for business or to visit family this holiday season, here are some ways to protect your laptop and your personal data:

  • Get a cable lock for your laptop. It’s a great way to deter a potential thief, especially if there are lots of people around.
  • Register with an anti-theft service to track your laptop should it get stolen or “lost.”
  • Carry your laptop in a bag that’s made specifically for these devices. If it’s awkward for you to carry a suitcase in one hand while the laptop bag is slung over the opposite shoulder, consider packing the laptop with lots of tight padding in your suitcase. (But only if the suitcase will be a carry-on that you’ll be gently handling.) This way it’ll be invisible to thieves.
  • If you go with the special laptop bag, don’t leave it unattended while you make a trip to the bathroom or food court. The same goes for a carry-on suitcase. Either belonging should be with you at all times.
  • Whenever you leave your hotel room, hang the “Do Not Disturb” sign. You never know what hotel employee would be tempted to get into your laptop should they enter your room upon thinking nobody’s in it.
  • Never let a stranger use your laptop, even if that stranger looks innocent. The need to protect your sensitive data is more important than the feelings of a stranger.
  • And back up your data—before the trip. Cloud backup such as Carbonite will update your data based on custom settings as frequently as you require.
  • If you absolutely must conduct personal or sensitive online transactions on a public Wi-Fi, use a virtual private network (VPN), as this will scramble your transaction and make it worthless to hackers snooping data streams. One of these snoopers could be sitting in the same coffee house or hotel lobby as you are. Or, they can be a thousand miles away.

Robert Siciliano is a personal privacy, security and identity theft expert to Carbonite discussing identity theft prevention. Disclosures.

Infrastructures under attack

It’s been stated more than once that WWIII will most likely be cyber-based, such as dismantling a country’s entire infrastructure via cyber weapons. And don’t think for a moment this doesn’t mean murdering people.

4DA report at bits.blogs.nytimes.com notes that foreign hackers have cracked into the U.S. Department of Energy’s networks 150 times; they’ve stolen blueprints and source code to our power grid as well. Some say they have the capability to shut down the U.S.

The bits.blogs.nytimes.com article goes on to say that cyber warfare could result in death by the masses, e.g., water supply contamination of major cities, crashing airplanes by hacking into air traffic control systems, and derailing passenger trains. So it’s no longer who has the most nuclear missiles.

The list of successful hacks is endless, including that of a thousand energy companies in North America and Europe and numerous gas pipeline companies. The U.S.’s biggest threats come from Russia and China.

So why haven’t they shut down our grid and blown up furnaces at hundreds of energy companies? Maybe because they don’t have the ability just yet or maybe because they don’t want to awaken a sleeping giant. To put it less ominously, they don’t want to rock the boat of diplomatic and business relations with the U.S.

Well then, what about other nations who hate the U.S. so much that there’s no boat to be rocked in the first place? The skills to pull off a power grid deactivation or air traffic control infiltration by enemies such as Iran or Islamic militants are several years off.

On the other hand, such enemies don’t have much to lose by attacking, and this is worrisome. It is these groups we must worry about. They’re behind alright, but they’re trying hard to catch up to Russia and China. For now, we can breathe easy, but there’s enough going on to get the attention of Homeland Security and other government entities.

Recent attacks show that these bad guys in foreign lands are getting better at causing mayhem. At the same time, the U.S.’s cyber security isn’t anything to brag about, being that very recently, some white hat hackers had tested out the defenses of the Snohomish County Public Utility District in Washington State. They infiltrated it within 22 minutes.

Another weak point in our defenses is the component of pinning down the source of major hacking incidents. So if WWIII becomes real, the U.S. won’t necessarily know where the attack came from.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.