Posts

Infrastructures under attack

It’s been stated more than once that WWIII will most likely be cyber-based, such as dismantling a country’s entire infrastructure via cyber weapons. And don’t think for a moment this doesn’t mean murdering people.

4DA report at bits.blogs.nytimes.com notes that foreign hackers have cracked into the U.S. Department of Energy’s networks 150 times; they’ve stolen blueprints and source code to our power grid as well. Some say they have the capability to shut down the U.S.

The bits.blogs.nytimes.com article goes on to say that cyber warfare could result in death by the masses, e.g., water supply contamination of major cities, crashing airplanes by hacking into air traffic control systems, and derailing passenger trains. So it’s no longer who has the most nuclear missiles.

The list of successful hacks is endless, including that of a thousand energy companies in North America and Europe and numerous gas pipeline companies. The U.S.’s biggest threats come from Russia and China.

So why haven’t they shut down our grid and blown up furnaces at hundreds of energy companies? Maybe because they don’t have the ability just yet or maybe because they don’t want to awaken a sleeping giant. To put it less ominously, they don’t want to rock the boat of diplomatic and business relations with the U.S.

Well then, what about other nations who hate the U.S. so much that there’s no boat to be rocked in the first place? The skills to pull off a power grid deactivation or air traffic control infiltration by enemies such as Iran or Islamic militants are several years off.

On the other hand, such enemies don’t have much to lose by attacking, and this is worrisome. It is these groups we must worry about. They’re behind alright, but they’re trying hard to catch up to Russia and China. For now, we can breathe easy, but there’s enough going on to get the attention of Homeland Security and other government entities.

Recent attacks show that these bad guys in foreign lands are getting better at causing mayhem. At the same time, the U.S.’s cyber security isn’t anything to brag about, being that very recently, some white hat hackers had tested out the defenses of the Snohomish County Public Utility District in Washington State. They infiltrated it within 22 minutes.

Another weak point in our defenses is the component of pinning down the source of major hacking incidents. So if WWIII becomes real, the U.S. won’t necessarily know where the attack came from.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

How to avoid Online Fundraising Scams

You’ve probably heard of the gofundme.com site, where all sorts of stories are posted of people seeking donations. Some are tragic, others are trite. You may be touched by a particular story, perhaps one in which an entire family is killed in a house fire.

9DYou click the “Donate Now” button and donate $50. So just how do you know that family who died in the fire really existed?

Gofundme.com and similar sites are loaded with “campaigns,” just tons of them. Think of the logistics involved if these sites hired people to verify every campaign. This would require enormous amounts of time and a lot of people and expense.

People don’t think. They just assume every campaign is for real. Do you realize how easy it is to start a campaign? Gofundme.com, for instance, only requires that you have a Facebook account with a valid-looking profile picture of the campaign starter, and at least 10 Facebook friends (last I checked, anyways).

  • Who at Gofundme.com and similar sites verifies that the profile picture is that of the campaign starter?
  • Who at these sites verifies that the “friends” are legitimate, vs. all phony accounts or “friends” purchased from seedy overseas companies that create fake profiles?
  • Even if the avatar and friends are for real, how do these crowdfunding sites confirm the authenticity of the campaigns?

It’s all based on the honor system. You take their word for it, though some campaigns are high profile cases. People have given money to fake campaigns. How can you prevent getting conned?

  • Check the news to see if the campaign story really happened. But a house fire in a small town doesn’t always hit the Internet. Nor is it newsworthy that some housewife is trying to raise money to buy her disabled son a set of golf clubs. So stay with campaign stories that you know have occurred.
  • But again, a scammer could take a real story, pretend to know a victim and scam donators. So see if there’s a legitimate pathway to donate to the real people involved in the story, such as through their local police department.
  • Stick to reputable charity sites. Offline, never give money solicited over the phone.
  • Be leery of charity solicitations for very high profile cases, as these attract scammers.
  • If donations are solicited by snail mail, check the Better Business Bureau. Any scammer could create a legitimate sounding name: “American Association for Autistic Children.”

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Beware of these 10 Nasty Scams

Let’s look at the top 10 scams (random order).

9DCharity

  • A fraudster claims to represent a charitable organization.
  • Such scams can operate ring-style, such as one out in Colorado some years ago in which women wearing crisp white dresses that resembled the dresses nurses used to wear, and also wearing white caps (like a nurse), solicited motorists for money by walking around at stoplights holding out tin cans that had a label on them like “Help Fight Drugs.” Many people were fooled by the white outfits and labeled cans.
  • Check out the legitimacy of the organization at bbb.org or charitynavigator.org.

E-mail

  • You receive an e-mail that seems to be from a legitimate company, like your bank, the IRS, UPS, etc. In the message is a link that you click. You just downloaded a virus.
  • Never click links inside e-mails. Contact the company by phone.

Cell Phone

  • Your cell phone rings once. You don’t recognize the number. You call back. You then get charged about $20. Whatever happens after a connection is made, you’ll also be charged a high fee per minute.
  • Ignore one-ring calls. If it’s important they’ll call back.

Credit Card Fraud

  • Ever see a tiny charge on your credit card but have no idea what it was for? It’s probably by a crook.
  • Always report even the smallest charges if they’re unfamiliar.

Sob Story

  • You get an e-mail that seems to be from someone you know. They’re overseas, got mugged, sob sob…and need you to wire them money.
  • Don’t send them a penny; it’s a scam.

Sweepstakes and Lottery

  • “You’ve Won!” shouts your new e-mail. So you click the link in the e-mail to claim your prize—which is a nice fat virus that infects your computer.
  • Run like the wind if the message tells you that you need to pay a fee to claim your winnings.

Jury Duty

  • Your phone rings. You answer. The caller tells you that you’ll be subject to fines because you didn’t show up for jury duty. But relax, you can avoid the fines by providing personal information or paying a fee.
  • Courts have better things to do than to call people who missed jury duty (do you realize how many calls that would be?!).
  • Though failing to report for jury duty does have consequences, the action is never initiated via phone.

Computer Lockout

  • You turn on your computer and see a message stating the device is locked.
  • To unlock it, you’re told to provide sensitive information.
  • Contact your security software provider or a local geek.

WiFi Hacking

  • You connect to free WiFi thinking your secure. But waiting in the wings is a hacker to sniff out your data.
  • Always use a VPN such as Hotspot Shield to encrypt your data over free WiFi.

Home Improvement

  • Someone appears at your door wearing a workman’s outfit and offers to do a job for a dirt cheap fee. They want the money upfront and will return later to do the work, or some variant of this.
  • Stick with bonded, insured, reputable companies. Refer to Angie’s List or the BBB.

Health Care

  • Someone calls you offering to help you sign up for health care.
  • Hang up; it’s a crook because government officials don’t do this.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

How to keep a Clean Online Presence

At any given time, someone, somewhere, is probably googling you. This could be a former classmate, a neighbor, someone you’re trying to do business with, a relative, who knows?

1PAre you confident that whatever they find will be information that’s truly representative of you? Maybe if you have a really common name, it may be lost in cyber muddle, but the more unusual your name is (or how the first name is spelled), the easier it will be to find you. If you want a clean online presence, there are things you can do.

  • Search yourself on Facebook, Twitter, LinkedIn, etc.
  • Google yourself and see what comes up within the first two pages of results. Make sure you’re logged out of Google or other browser you’re searching on. The results can be different vs being logged in.
  • Log back in and search your name again to see how the results look.

But how do you get rid of negative information and make yourself look better?

If you’re the creator of negative information, it’s a cinch. Just go into your Facebook account or wherever the unflattering information is, and delete it. Also adjust the settings for privacy, such as limiting post or image visibility to select visitors.

  • Search engines. Ask the search engine to remove the page result. For Google go here. For Bing go here.
  • Google+. Hide what you don’t want others to see. Check out the privacy settings.
  • LinkedIn. Make sure your profile is updated.
  • Twitter. Make the account private to prevent retweets. If you’re new to Twitter, think very carefully before you tweet, as tweets really do get around.
  • In addition to these tactics, try online reputation management firms. They aren’t cheap, but they work, mostly.
  • Go through all of your account profiles and upgrade them. Make them crisp, clear and free of fluff or anything that doesn’t flatter you. Add information that makes you more impressive. And use a good photo for your profile or avatar. Really, some Facebook profile pictures are ridiculous and unflattering, some not even making any sense.
  • Replace racy or otherwise negative images of you with more respectable ones. Or just delete them, period, like endless selfies that shout, “Ooh, look at me in this one!”
  • Be very careful what photos you put up on Facebook and Instagram. If you’re soliciting for donations, don’t have a photo of you eating lobster.
  • Sign up with a nameplate site like about.me, seelio or flavors.me where you can say good things about yourself and list your skills.
  • Get your own domain, even if you think your name is taken (use a variation), then use a reliable hosting company and put up your work.
  • Link all of these accounts so that visitors to one will be driven to the others.
  • Sign up with services to show your skills such as YouTube and Vimeo. See what’s out there for your various talents (e.g., Flickr for photographers).
  • Follow the cardinal rule: Don’t put anything in cyberspace that you wouldn’t want to reveal to 50,000 people at the coliseum.
  • Oh, drinking and posting don’t mix. Just don’t. Stop it. Really.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

How Hackers use LinkedIn to Scam

Hackers love LinkedIn because it links them in—straight through the portal of the targeted company. Geez, how much easier could this be, what with all the publically-exposed e-mail addresses of key players (and also worker bees) in big companies that someone wants to hack.

4DAn article on blog.sungardas.com was written by a white-hatter (his job is to try to hack his clients’ systems so that they know how to make them more impenetrable to the bad guys). The author says he’d make a beeline to LinkedIn if he became a black-hatter.

In addition to all of those revealed e-mail addresses, the hacker could also learn (without hacking, of course) what a business’s e-mail structure is. He can then compile a list of employees for his social engineering attacks. (Can you just see him watering at the mouth over this—like putting a sizzling steak in front of a dog.)

A phishing campaign could trick the targets into giving up crucial information—essentially handing the company key to the hacker. The crook, however, knows better than to pull this stunt on IT employees. But fertile territory includes employees in the marketing, accounting and customer service departments.

Maybe you’ve read that every professional these days absolutely should have a LinkedIn account. You can bet that every hacker agrees!

Companies need to come up with a way to prevent hackers from sneaking into their network via that bastion of essentiality known as LinkedIn.

The penetration-tester, in his article recommends that businesses do the following:

Social engineering training. Workers must be aggressively trained in how to sniff out a phishy-smelling e-mail. No corners should be cut with this training program, which should include ongoing staged attacks.

A statement clarifying communication about security information. To help prevent employees from giving out sensitive information to the wrong people, the company must figure out how communication will be conducted, then get it down on paper. For example, “E-mails from our company will never ask you to reveal your username and password.”

Definitive reporting process for suspicious activity. Employees need to have, on paper again, specific instructions in how to report suspicious activity, such as a questionable e-mail. These instructions should be simple and to the point.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Very effective Social Engineering Scams

It’s amazing how ingenious cybercriminals are, but the victims also need to take some responsibility for falling for these ruses, especially when the victim is a business that has failed to train its employees in cybersecurity measures.

10DRansomware

The stuff of science fiction is here: Who would have ever thought there’d ever be a such thing as criminals remotely stealing someone’s personal information (word processing files, any kind of image, etc.), scrambling it up via encryption, then demanding ransom in exchange for the remote “key” to “unlock” the encryption?

Payment is remotely by Bitcoin which can’t be traced. The payment is usually at least $500 and escalates the longer the victim waits.

The virus that poisons a computer to steal someone’s files is called ransomware, a type of malicious software (in this case, “Cryptolocker” and “CryptoDefense”). But how does this virus get into your computer in the first place?

It’s called social engineering: tricking users into allowing their computer to be infected, or duping them into revealing personal information.

Often, a phishing e-mail is used: It has an attention-getting subject line that entices the user to open it. The message contains a link. They click the link, and a virus is downloaded. Or, the link takes them to a site which then downloads the virus.

These e-mails, sometimes designed to look like they’re from the company the user works for, often go to workplace computers where employees get tricked. These kinds of attacks are lucrative to their instigators.

Funeral Fraud

If you wanted to notify a relative or friend that a mutually dear person has left this earth…would you send an e-mail or phone that person? Seems to me that heavy news like this would warrant a phone call and voice interaction.

So if you ever receive an e-mail from a funeral home indicating that a dear one to you has passed, and to click a link to the funeral home to learn details about the burial ceremony…consider this a scam.

Because if you click the funeral site link, you’ll either get redirected to the crook’s server because he’s already created an infected funeral looking site ahead of time. This is where a virus will be downloaded to your computer.

Vishing Credit Card Scam

You get a phone call. An automated voice identifies itself as your credit card company (they’ll say “credit card company” rather than the specific name). It then says something like, “We are investigating what appears to be a fraudulent charge on your card.”

They’ll ask if you made a particular purchase lately, then to hit 1 for yes and 2 for no. If you hit no, you’re told to enter your credit card number, three-digit security code and expiration date. You just fed a thief all he (or she) needs in order to go on an online or on-phone spending spree.

Ever order something via phone and all you had to give up was the credit card number, expiration date and security code? This trick is also aimed at employees. The calls come from an automated machine that generates thousands of these calls.

Healthcare Record Scam

You receive an e-mail that appears to be from your employer or healthcare provider that you get through work. This may come to you on your home computer or the one you use at work. The e-mail is an announcement of some enticing change in your healthcare plan.

The message may reference something personal about you such as marital status, income or number of dependents. When enough of these e-mails are pumped out with automated software, the personal situation of many recipients will square off with those identified in the e-mail, such as income and number of children. The user is then lured into clicking a link in the e-mail, and once that click is made…malware is released.

Facebook Company Group Scam

Scammers will scan Facebook and LinkedIn seeking out employees of a particular company and create a group. This groups purpose is for information gathering so scammers can penetrate a company’s facility or website. Once all the groups member join, the scammers will pose various innocuous questions and start palatable discussions that make everyone feel comfortable.

Over time scammers will direct these discussions to leak bits of data that allow criminals to enter a facility under a stolen identity or to contact specific employees who have advanced access to computer systems in an attempt to get usernames and passwords.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

10 Skeevy Scams to watch

You may think you’re not dumb enough to fall for scams, but consider that someone you care deeply about is naïve enough to be conned. Besides, some scams are so clever that even those who think they’re scam-proof have actually been taken for a ride.

http://www.dreamstime.com/stock-images-online-risks-sign-road-banner-image34668294Sometimes fraudsters pose as an authority figure. Some claim you won a prize, while others claim you’re in trouble. Some even claim they’re a family member (needing money) and have figured out a way to convince you of this.

Some scams are done via e-mail, while others involve a phone call or snail mail. One common ploy is for the crook to pose as a rep from the electric company and threaten to shut off your electricity unless you pay a delinquent bill. Of course, the payment must be in the form of a reloadable debit card. People will actually give these cards to the “rep,” without calling the company to confirm the situation.

A big tip-off to a scam is that you’re told you won a prize or have been hired for employment—but must send money to get the prize or be trained for the employment.

Some scams are so very obvious, but still, people get taken, like those ridiculous e-mails claiming you inherited a windfall from some deceased prince named Gharbakhaji Naoombuule. But people actually fall for these, not considering that this same e-mail was sent to 10,000 others.

Top 10 Scams

  • Caller ID spoofing. Has your phone ever rung and you saw your phone number and name in the caller ID screen? How can your own phone be calling you? It’s a scam. Ignore it. If you pick up you’ll hear an offer for lower credit card rates. You’ll be told to press 1 to opt out—but you should not even be on that long to hear this option; you should have hung up the second you heard the credit card offer. Anyways, pressing 1 indicates your number is legitimate; it’s then sold to scammers. Caller ID spoofing is also perfect for scammers posing as the police, government agency, corporations etc all with the intention to get you to part with your money.
  • Mystery shopping. Though mystery shopping is a legitimate enterprise, scammers take advantage of this and mail out checks (phony) before the “shopping” is done. A legitimate company will never do this. They also get victims to give up credit card data to pay for getting a job!
  • Calls about unpaid taxes. Always hang up, regardless of threatening nature to pay up or else. The IRS always uses snail mail to notify people of unpaid taxes.
  • Puppy scam. You find a website offering purebred puppies at very low prices or even for free, but you’re told you must pay for shipping or transfer fees (wire transfer) to get your puppy. The money is gone and you never get your puppy.
  • You get a call from someone claiming to have found buyers for your timeshare. You receive a contract, but are told you must pay funds to cover some fees. The contract is phony.
  • Tech support. Someone calls you claiming your computer needs servicing. They’ll fix it after you give them your credit card information. Legitimate geeks don’t call people; you must call them.
  • Postcard survey. Out of the blue you’re told you’ve won a gift card, or, just take a brief survey to get one. Go along with this and soon you’ll be asked to provide your credit card number. Don’t bother. You’ll get no gift card while the crook gets your credit card information.
  • A notice says you’ve won a big fat prize. To claim it, just pay some fees. Yeah, right. Never pay fees to collect a prize!
  • You’re told you’re eligible for a grant or have been awarded one, but must first pay processing fees. Federal grants don’t require fees.
  • Subscription renewal notice. The notice says you can renew for a lower rate. Check to see if the notice was sent by the publication itself or some third party (the crook).

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

Feds warn of more Online Predators

What goes on in the home life of a 14-year-old girl such that she feels there’s nothing better to do than send nude photos of herself to a man whom she’s been corresponding with online? Though this goes well-beyond the parents not bothering to find out what their kids do online, another huge issue is the proliferation of online predators.

2WAnd for parents who DO care enough to monitor their kids’ cyber activities, here’s some unsettling news: A 2013 survey called  Digital Deception: Exploring the Online Disconnect between Parents and Kids revealed that 69 percent of the young respondents reported they knew how to conceal their online activities from their parents. The study also showed that 80 percent of the parent-respondents said they wouldn’t even know how to figure out what their kids’ online activities were. Conclusion: Parents are clueless.

This makes it easier for predators to find victims. There’s the case of a girl who, at age 13, sent an image of herself to a 26 year old man who for the next five years cyber-harassed her, demanding more images. The girl was driven to two suicide attempts and finally alerted authorities who found him.

Another predator tricked a 15-year-old into sending him photos who turned out to be a 50 year old man. They do this by sending photos of younger cuter boys around the same age as their victim females. Parent need to have ongoing dialog with their kids that this is going on everyday somewhere and “it can happen to you too”

These act can often be prevented which once again, brings to mind what kind of parenting or lack of parenting is going on. Though parents can’t monitor their kids’ activities every second, something has to be said about why a young person’s life would be so empty that they end up sending out nude photos of themselves—even if the victim thinks the recipient is the same age!

What Parents Should Do

  • Educate kids about online predators
  • Educate yourself about online predators
  • Warn kids about never sending images into cyber space
  • Make sure kids understand that they will never be shamed for reporting a perilous situation
  • Tell kids that no matter how aggressive or threatening a cyber predator seems to be, they ultimately don’t have that much power; they’re ground meat once the authorities find them.
  • The less time kids spend tinkering around on the Internet, the less likely they’ll meet up with a predator. Get your kids involved in confidence-building activities that develop independent thinking skills and assertiveness.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

10 Tips to avoid Scams when traveling

Vacationers and tourists provide a vast feeding ground for all sorts of crooks: from the simple pick-pocketing specialist to the hotel room burglar to the e-thief: credit card skimming and computer crimes. You can even have your identity stolen while sunning on that white beach.

9DAvoid Traveling Scams with These Tips

  • Don’t post your vacation or other travel plans on social media. Thieves peruse social media to see who will be out of town and when.
  • Protection begins before the trip. Put a vacation hold on your snail mail.
  • Beware of hotel room scams. A person posing as front desk staff will call random hotel rooms to sucker travelers into giving up their credit card number. Never give private information over the hotel phone.
  • When using public Wi-Fi, encrypt your activities so that hackers can’t pluck them out of the air.
  • Always know where your mobile phone is, and have it protected with a password.
  • Must you always pay with a credit or debit card? Cold cash can’t be hacked into. But I still prefer credit over debit cards (and even cash).
  • Don’t withdraw more cash than you need. Don’t take out wads of high bills because you “might” spend a lot of money. And use an ATM at a bank, not a public kiosk.
  • When you do use a card (credit, not debit!), do not let the server or sales clerk walk out of your sight with it. You just never know who might be an “inside” thief.
  • As soon as you can upon returning from traveling, check your credit card statements for suspicious activity.
  • Leave the expensive jewelry, handbags, etc. at home. A thief has a lot of interest in a well-dressed person who acts like a tourist. If you want everyone to see how exorbitantly styled you are, you’ll have to include muggers and other thieves in that group.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

How The Internet of Things can go very wrong

The Internet—one of history’s greatest inventions—is also one of history’s greatest platforms for crime. Here are ways things can go very wrong with the Internet of Things.

2DMed-hacking. Researchers have hacked many medical devices. Though it apparently hasn’t happened in the real world, yet, but it looks like it’s only a matter of time before medical equipment becomes hacked, such as automatic insulin pumps and pacemakers. The FDA is quite new to looking into this potential.

Sauna house. It’s possible for a hacker, if not currently, then in the near future, to get into your connected thermostat and kick it up to 120 degrees. Yes, it’s great to control the thermostat when you’re away from home…but someone else who has too much time on his hands might think that’s great, too!

Smartphones. Maybe one day it will be smarter to go back to the dumb phone. At least a dumb phone can’t be used by a hacker to turn things upside down for you, such as getting ahold of your financial account numbers or sensitive photos.

Your printer can get hacked. Someone could remotely bust into it and view your documents. A crook can infect your home printer with a Trojan to not only spy, but install malware. And if your printer is potentially a target for hackers, imagine what else around your house could be, such as your router and any other gadget that’s connected to the Internet.

From carjack to car-hack. A connected car can be hacked via its wireless enabled radio, with commands then going to the steering wheel or brakes. Know any computer geniuses who hate you and know your car is connected?

Satellite airline equipment is vulnerable to malicious invasions; this has potential repercussions to the communications involving airplanes and ships. This kind of hacking can go as far as tricking a plane to redirect its course.

The TSA carry-on baggage scanner can be hacked into and then used to get weapons past TSA checkpoints. There’s even a feature that can show fake images on the X-ray screen.

So, don’t worry about any of this. But DO something about it. At a minimum lock down your wireless with encryption. Routers come with WPA/2 security and it should be activated. Otherwise deploy antivirus, antispyware, antiphishing and a firewall.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.