Posts

TeamViewer Clients Victims of other Hack Attacks

Get an account with TeamViewer, and you will have a software package that enables remote control, online meetings, desktop sharing and other functions between computers.

But recently, customers of TeamViewer have reported remote takeovers of their computers that resulted in different forms of monetary theft, such as bank accounts being cleaned out.

The cyber thieves controlled the victims’ computers via their TeamViewer accounts. Customers would witness their mouse arrow suddenly moving beyond their control.

The infiltration, though, did not occur on TeamViewer’s end, insists the company. Instead, the software company called users “careless” because they reused their TeamViewer passwords on other sites like LinkedIn, reports an article at theregister.co.uk. The company has since apologized. Frankly, I agree with TeamViewer. Careless password reuse is one of the main reasons why so much fraud is occurring.

The stream of support tickets from customers prompted TeamViewer to implement two new security checks which will warn customers via e-mail of suspicious login attempts to their TeamViewer account and ask their permission to allow this or not.

Another safeguard newly in place will be that of the company checking the GPS of login attempts, plus requiring a password reset when anybody tries to log in from a new location.

Some customers have been critical that the release of these new security features took too long, since the reports of the hacking began a few weeks prior to the finalization of these new features.

As mentioned, the origin of these hacks is apparently the reuse of TeamViewer passwords on other sites that were then hacked. TeamViewer managed to get ahold of the leaked passwords, and also leaked e-mail addresses, that were all the cyber crooks needed to remotely hijack the computers.

However, some victims reported that they never reused their password and even had two-factor authentication. Further, some victims are placing blame on the company for the breaches.

The company is taking the breach seriously and wants its affected customers to upload their log files. TeamViewer especially wants to hear from customers with two-factor authentication who were compromised.

Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Can Two-Factor Authentication actually fail?

You’ve probably read many times that two-factor authentication is a superb extra layer of protection against a thief hacking into your accounts, because gaining access requires entering a One Time Passcode (OTP)—sent via text or voice—into a login field. In other words, no phone, no access.

But CAN a hacker get the phone? Ask Deray McKesson, an activist with Black Lives Matter. Hackers got his phone.

Now, this doesn’t mean they busted into his home while he was napping and took his phone. Rather, the thief took control of his mobile account.

The thief rerouted McKesson’s text messages – to a different SIM card that the mobile carrier, Verizon, had issued to the thief. This is how the criminal got the two-factor code. Next thing, the imposter was in McKesson’s Twitter and e-mail accounts.

So though two-factor is a pretty well-padded extra layer of protection, it can be circumvented.

“Someone called Verizon impersonating me,” tweeted McKesson on June 10. The crook got a different SIM this way. The flaw isn’t the two-factor system. In this case it was Verizon, allowing this to happen just too easily.

“Today I learned that it is rather easy for someone to call the provider & change your SIM,” says a subsequent tweet. Though Verizon does require the last four digits of the user’s SSN to get a new SIM card, this isn’t enough to filter out imposters, as we see here. McKesson further tweeted he was “not sure” how the imposter knew those last four digits, but that “they knew it.”

Verizon has since implemented additional safeguards.

So what really happened? How did someone get McKesson’s SSN? Did he reveal it somewhere where he didn’t have to? And then the wrong person saw it? Was he tricked into revealing it through a phishing e-mail?

Nevertheless, here’s what to do:

  • Set up a secondary code on your phone’s account. This is a personal identification number that an imposter would have to reveal before any changes were made to the account—even if he gave out your entire SSN to the mobile company rep.


10 Ways to Protect your WordPress Site or Blog from Hackers

As much as you try, the unfortunate truth is that hackers are going to try to attack and access your WordPress website or blog, whether you like it or not. So, it is up to you to make sure you make the hacker’s job as difficult as possible. Here are some tips:

1. Use Plugins

One way to make your WordPress account less appealing is to use security plugins. These vary in quality, and you might have to purchase some of them, too. Just make sure to do some research before buying them, and when you do, only buy them from a trusted marketplace.

2. Choose The Right Password and Change It Often

When choosing a password for your account, make sure it is a minimum of 8 characters, and mix it up with letters, numbers and symbols. Also, change your password about every 2-3 months.

3. Change Your Defaults

Also, make sure that you are changing the default user name and password that you are given for your hosting account.  It’s best, in fact, if you change any detail that you are allowed to change, simply because you don’t know how secure your host’s servers are.

4. Only Choose Secure Hosting

Use a secure hosting company. There is no better tip than that. If you go with a free package, understand that you will get what you pay for.

5. Install All Updates

Make sure you are installing any updates you get from WordPress. These often contain security features that can protect you.

6. Consider Hosting Company Security Options

Many good hosting companies offer security options for their clients, and if you have this option, do it. Just make sure you are not paying too much, and look for coupon codes, if possible.

7. Delete What You Are Not Using

If you have unused images or plugins in your account, delete them. They waste space and can put your account and site at risk.

8. Back Up Everything

Your best defense against hackers is to make sure you are backing up everything, and do it often. You can delete any old backups to save space.

9. Watch the Powers You Give Contributors

Though it might be tempting to allow authorized contributors to post their own blogs and articles, don’t give them any more access to your site than you have to.

10. Use Security suites

There are a variety of web based security products designed to proactively monitor your site and block unauthorized activity. Check out Cloudbric. This all-inclusive solution helps in preventing web attacks including DDoS, while also providing SSL and CDN services.

Robert Siciliano is a personal privacy, security and identity theft expert to Cloudbric discussing identity theft prevention. Disclosures.

Craigslist Rental Scams in Your Town

Craigslist is one of my favorite sites on the Internet, though I admittedly have a love/hate relationship with it. One reason I love it is because of the deals and variety of items and services available, but I hate it because some of the people who use it are scammers and the site has some major security issues.

Once, I listed a property on Craigslist for rent. Scammers relisted the property for a third of the asking price. People came to my home and would knock on my door to see the property, even after the listing had expired.

Here’s how scammers work on Craigslist:

The scammer will copy and paste the ad and then pose as the homeowner who is overseas on business. To generate traffic, the scammer will list the ad for less than it is being asked. When a person responds to the ad, the scammer then tells them they can rent the property out, they simply need to forward the first month’s rent overseas. More people fall for this than you would believe.

How did I thwart this crime? I continuously scanned Craigslist for my ad to see if it was being posted. When I found any similar ads, I would email the information to abuse@craigslist.com, and the company would take the post down. However, the scammer also was on top of it, and kept posting the ad again.

So how can you protect yourself from these scams?

  • Use common sense, pay attention and be smart.
  • Be careful about who you are contacting and who contacts you.
  • Try to deal locally when possible and always meet in person in a safe location.
  • Do not engage in any online monetary transaction that requires you to send money to a stranger after they send money to you. This is a scam.
  • Do not disclose financial information, Social Security numbers or any account information.

Personal Security Tips:

Always Use Craigslist With Caution – People have been robbed, scammed, burglarized and even killed by using Craigslist. You must be careful about who you contact as you don’t know what everyone’s true motivation is.

Work With a Friend – If possible, meet the person with a friend or family member. There is strength in numbers.

Get ID Info Before Meeting – You also want to make sure that you get the person’s name and phone number before meeting them. Call them to verify the number, and tell them that your brother, who is a cop, will have his cruiser there when you meet, so they should not be alarmed.

Stay As Aware As Possible – There is always risk when meeting a stranger, but staying aware can help to keep you from getting into a bad situation.

Trust Your Instincts – Do not discount any negative feelings you may have about the meeting, and cancel it if necessary.

Wear the Right Things – Do not wear anything provocative or expensive, nor should you wear loose fitting clothing or scarves, as attackers can grab onto them easily. Wear good shoes that you can run in.

Stay in Communication – Make sure someone you know, such as a spouse or family member, knows where you are and when you will be back. Try to have them on the phone during the meeting.

Robert Siciliano, personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston. Disclosures.

Before you die, do This

“Nobody likes to do it, but it has to be done.” You’ve heard that before. This time, it applies to 26 documents that you should have all bundled up in a folder that trusted family members have access to (someplace where fire and water won’t damage them). But first let’s go over some details about what should be in that bundle.

Essential Documents

  • Your will: Some say not a copy, but the original, accompanied by instructions. Supplying everyone in your will a copy is also advised by others.
  • A completed power of attorney form that your benefactors have access to, should you become impaired.
  • Complete list of loans you’ve made to others, and debts.
  • Proof of ownership of the following if you have them: owned property/housing, vehicles, cemetery plots, savings bonds, stock certificates, brokerage/escrow mortgage accounts and partnership/corporate operating agreements.
  • The last three years of tax returns might seem excessive, but if you can, do it.

Bank Accounts

  • Name of bank and phone number, account numbers, online login information
  • Register a family member or spouse’s name with the bank; have them sign the registration document to allow them access to your accounts.
  • A list of safe deposit boxes if you have them

Retirement List

  • Pensions
  • Annuities
  • IRAs
  • 401ks

Medical

  • Power of attorney form. If you become incapacitated, who will make medical care decisions for you? This should also be IN your will.
  • Choose your POA attorney while you’re of sound mind.
  • Have it spelled out how you’d like to be treated in the event of incapacitation (and this includes what should be done if you end up in a persistent vegetative state). Who pulls the plug?

Marriage & Divorce

  • Does your spouse know where your marriage license is?
  • If you’re divorced, make sure there are documents spelling out child support, alimony and any property settlements and financial divisions. To avoid disputes, include bank account numbers for the appropriate settlements.
  • Keep copies of life insurance documents.
  • Last but not least is the qualified domestic-relations order, that can prove your spouse got a share of your retirement accounts.

Life Insurance

  • Family members should have copies of life insurance documents and contact information for the carrier.

In a Nutshell, the Top 26

  1. Marriage license
  2. Divorce papers
  3. Living will (what should be done if you’re alive but incapacitated)
  4. Personal/family medical history
  5. Authorization to release medical care information
  6. Durable healthcare POA
  7. Do-not-resuscitate (DNR) order
  8. Tax returns
  9. Housing, land and cemetery deeds
  10. Escrow mortgage accounts
  11. Proof of loans made and owed debts
  12. Titles for vehicles
  13. Stock certificates, savings bonds and brokerage accounts
  14. Partnerships and corporate operating agreements
  15. Life insurance policies
  16. IRAs
  17. 401ks
  18. Pension documents
  19. Annuity contracts
  20. Bank account list
  21. List of bank usernames and passwords
  22. Safe-deposit box list
  23. Will
  24. Letter of instruction for the will
  25. Trust documents
  26. Updated passwords document for all your critical accounts.

Do you have docs you think should be on this list? Please provide in the comments.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Why You should file your Tax Return Yesterday

Someone else might file your taxes if you don’t get to it. And they won’t be doing it as a favor; they’ll be doing it to steal your identity.

Here’s how it works:

  • Cyber thieves send fraudulent e-mails to a business’s employees.
  • The e-mails are designed to look like they came from the bigwigs at the company.
  • As a result, the targeted employees are tricked into revealing sensitive data about the company’s employees.
  • The crooks end up with all this valuable data—enough to file phony tax returns.
  • This ploy, called spear phishing, has already occurred to major companies.

Recently, the Mansueto Ventures company was hit by a spear phishing attack that singled out the employee payroll data. The hacker/s got ahold of the following employee information: Social Security number, name, address and income.

Employees have been notified, but how many of those employees have not yet filed their income tax returns? Of those, how many will be victims of identity theft because a hacker filed a tax return in their name as a result of obtaining the payroll data?

Again, get to your tax preparer ASAP, or if you normally file the return yourself, what are you waiting for?

Seagate is another company that got spear phished. The W-2 forms of its employees got into the hands of the thief or thieves. Apparently, the data of several thousand employees was stolen.

All it takes is one employee to get suckered into clicking the wrong e-mail. It’s possible for these e-mails to really, truly look like they came from a major decision maker from inside the company. A skilled hacker will carefully construct an e-mail that mimics company e-mail, complete with logo and company colors, and even the full name of the person he’s pretending to be. The e-mail may even address its recipient by name.

How does the thief get this information? It may all begin with the information he finds on a LinkedIn profile. Other bits and pieces may have been gathered off of Facebook or an online article about the person he’s impersonating, right down to that person’s nickname, making the fake e-mail look even more authentic, signing off with that person’s odd nickname.

Have you filed your tax return yet?


What’s the best Antivirus for You

There are so many things to consider when it’s time to purchase antivirus software, but don’t let all the options overwhelm you. Take your time and don’t get too fixated on every little detail. Some systems will definitely conform more to your needs than others. But many people simply go with what seems to be the most popular or reputable antivirus company.

Know this: A reputable company will have a warranty and offer refunds, and will also include phone-based technical support with the service.

That said, if you have kids, you’ll want a software that provides parental monitoring. Such software can do many things including tracking the websites your kids are visiting.

Or, if you’re leery of anything related to “the cloud,” you’ll want the so-called installation software rather than cloud-based: You download this, install it and it goes to work. BUT, the cloud’s fine. Stop worrying.

Another variable is if you’re looking to protect a business network rather than a home network, as some antivirus plans are designed more for one or the other. Yes, there’s a difference.

For instance, a program that’s designed for a business will respond very quickly to data breaches at any time. Another program might be formulated more to fit the individual who deals with large amounts of very sensitive data, whether at the workplace or at home.

Another factor to consider is the type of device you want protected. Is it a Mac? A PC? A cell phone? In the world of antivirus software, one size does not fit all.

There are really a lot of companies out there providing antivirus software. Before you commit to any one particular service, make sure you’ve already drawn up what your specific needs are for cyber protection. For instance, you may need a service that provides the entire gamut: You have children; you run a business out of your home; you deal daily with very sensitive data.

Cybersecurity is relatively inexpensive, and payment plans are flexible. A common plan is to pay a yearly subscription. Others are a one-time payment. Some companies offer different packages at different prices.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Security Appreciation lacking

What’s it gonna take for companies to crack down on their cybersecurity? What’s holding them back? Why do we keep hearing about one company data breach after another?

Well, there’s just not enough IT talent going around. The irony is that most company higher-ups admit that cybersecurity is very important and can even name specific situations that could compromise security, such as having multiple vendors vs. only a single vendor; not having quality-level encryption in place; allowing employees to bring their own mobile devices to work and use them there for business; and having employees use cloud services for business.

Many even admit that they lack confidence in preventing a sophisticated malware onslaught and are worried about spear phishing attacks.

So as you can see, the understanding is out there, but then it kind of fizzles after that point: Businesses are not investing enough in beefing up their cybersecurity structure.

Let’s first begin with signs that a computer has been infected with malware:

  • It runs ridiculously slow.
  • Messages being sent from your e-mail—behind your back by some unknown entity.
  • Programs opening and closing on their own.

What can businesses (and people at home or traveling) do to enhance cybersecurity?

  • Regularly back up all data.
  • All devices should have security software and a firewall, and these should be regularly updated.
  • Got an e-mail from your boss or company CEO with instructions to open an attachment or click a link? Check with that person first—by phone—to verify they sent you the attachment or link. Otherwise, this may be a spear phishing attempt: The hacker is posing as someone you normally defer to, to get you to reveal sensitive information.
  • Mandate ongoing security training for employees. Include staged phishing e-mails to see who bites the bait. Find out why they bit and retrain them.
  • Never open e-mails with subject lines telling you an account has been suspended; that you won a prize; inherited money; your shipment failed; you owe the IRS; etc. Scammers use dramatic subject lines to get people to open these e-mails and then click on malicious links or open attachments that download viruses.
  • Install a virtual private network before you use public Wi-Fi.


How Parents can de-motivate Sexting in their Teens

Whatever the appeal of sexting is to kids (attention), it’s definitely there, and won’t be going away too soon. Of all the things that teens can do in their daily lives, why spend time sexting?

  • To feel cool
  • To get a crush’s attention
  • To make a relationship seem more serious
  • To harass the recipient
  • Peer pressure
  • ATTENTION, SHOCK, AWE, SEX.

Before the advent of sexting, teens talked sex and even shared racy photos with each other. But the old-fashioned way meant that the only viewers were the people with the teen.

Sexting, on the other hand, means that the communication—including naked images—can spread to thousands of people like wildfire. Privacy is zero. Furthermore, it’s illegal for teens to sext.

Just how bad can it get?

Well, if teen Jesse Logan were still alive, we could ask her how it felt when her classmates harassed her after her nude image got out to other students after she merely sent it to her boyfriend. Unfortunately, she killed herself over this.

I’m sure she wouldn’t have sent him the photo had she known of the wide-reaching potential of sexting. Can we blame her for not anticipating the school-wide circulation of her photo? Whose responsibility is it to teach kids this stuff? Maybe even her parents were in the dark; not all adults are savvy about the dangers of cyberspace.

Calling All Parents…

  • Sit down with your child and talk. Choose a good time to do this. Maybe include their favorite snack. But just get it done. Be pre-emptive. Don’t wait for a bad sexting situation to arise.
  • Collect real-life stories of teen sexting incidents gone horrible and share them with your child.
  • Instruct them to immediately delete any sexual content that’s sent to them.
  • Explain how the Internet works and how easy it is for sext content to “get out there.”
  • Recognize that the peer pressure to sext is similar to the peer pressure to drink and smoke. Don’t just tell your kids what not to do. Role play with them. Recruit an older teen to do some staged pressuring. See how your child responds. Does your child stammer and find it difficult to vocalize resistance? Are they at a loss for words? Is their body language mousy? If the answer is “yes” to these, you have a big job to get done fast.


How to protect your network from malicious insiders

You may be putting your company at risk simply by hiring a new employee. Why? Because that person could have a hidden, malicious agenda.

This is known as an insider threat, and it means that someone within your organization is planning or conducting activities meant to harm the company.

There is a pattern that most insider threats use: The first step is to gain access to the company’s system. Once they have access to the network, they will investigate it and seek out any vulnerable areas. The malicious insider then sets up a workstation to control the scheme and spread the destruction.

What type of destruction can you expect? The hacker could introduce malware or they could steal or delete critical information, all of which can be damaging to your business. Fortunately, there are ways to protect your business from these types of hacks.

Most companies protect their IT systems with firewalls, anti-virus programs, data backup software and even spyware-scanning technology. The problem is that these technologies only work when hackers are trying to get information from the outside.

One way to protect against insider threats is to ensure that employees can only access the data necessary to do their jobs. You should look at the flow of data throughout the organization to determine how information is shared and where it becomes vulnerable to theft or other security breaches. Then work with each department to implement the proper security controls.

The process of preventing data loss begins with discovering the data, classifying it, and then deciding how much risk your company may face if the data gets out. Some of the tools and procedures you may want to consider for protection include:

  • System-wide encryption
  • Password management
  • Device recognition
  • Access controls
  • Data disposal

It’s important to create security policies and procedures that are easy for employees to understand. The more transparent these policies are, the more effective your departments will be when communicating what they want and need.

How can you mitigate insider threats? Tune into the Carbonite webinar that I’ll be hosting live on Wednesday, March 15th at 11 am ET, to learn how. Register here: http://go.carbonite.com/security-threat/blog

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.