Posts

How to pwn Anyone

Define Pwn: Pwn is a slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival. And when it’s done by hacking email, the person is effectively pwned. No matter how “private” you are on the Internet, no matter how infrequently you post on your Facebook page—even if you don’t have a Facebook account—your life can be hacked into as long as you own just one password—and the ability to be tricked.

11DSuch was the case of Patsy Walsh, reports an article at bits.blogs.nytimes.com. She gave a few white hat hackers permission to try to hack into her life, and they accomplished this in under two hours, without even entering her house. She figured it would be next to impossible because she had no smart gadgets in the home and rarely posted on her Facebook page.

The “ethical” hackers, part of a security start-up, quickly found Walsh’s Facebook page (which presumably contained personal information such as her town, since there’s many “Patsy Walsh” accounts).

The scarcely posted-to account, however, revealed that she had liked a particular webpage. Based on that information, the hackers phished her and she took the bait, giving up a password, which happened to be for many of her accounts.

The good guy hackers were then invited into her home where they easily obtained her garage door opener code with the brute force attack, but even scarier, cracked into her DirecTV service because it didn’t have a password. Such a breach means that the hacker could control the TV remotely: Running a porn movie while the homeowner’s grandmother is visiting.

They also found Walsh’s passwords tacked onto her computer’s router. The exposed passwords allowed them to get into Walsh’s and her daughter’s e-mail accounts. From that point they got ahold of Walsh’s Social Security number, PayPal account, insurance information and power of attorney form.

She was probably thinking, “Well of course! They’re professional hackers and I let them inside!” But the hackers also discovered that there were about 20 malicious programs running on her computer. Their recommendations to Walsh:

  • New garage door opener
  • Password for DirecTV
  • Password manager to create unique passwords for all of her accounts
  • Security software always kept updated
  • Two-step authentication when offered
  • A nice lecture on phishing attacks

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Is that Viral Story real?

The Internet has almost as many videos as there are stars in the heavens. And you know that some have to be hoaxes. Sometimes it’s obvious, while other times it’s easy to be fooled. For example, the hoax of the “angel” intercepting a truck just about to run over a bicyclist is obviously fake. Isn’t it?

1DBut what about the video of the man cut in half by a bus while riding a bicycle, lying on the ground, staring at his intestines, talking for a full five minutes, while his pelvis and legs lie catty-corner to him? That video looks eerily real.

And so did the enormously viral one of the Syrian refugees holding the ISIS flags and assaulting German police officers.

There are free, non-techy ways to check if a video or image is a fake, from an article at gizmodo.com:

“Reverse Image”

Simply right-click an image, and a selection box will appear. Click “Search Google for this image.” Different sources for the same image will appear, but this won’t necessarily rule out a hoax.

For example, multiple links to the man cut in half appear, and the dates of postings differ, but there’s no way to rule out a hoax based on just this information.

However, suppose there’s a photo of a female ghost crashing a funeral photo. A reverse image search shows that ghost’s face as identical to the image of a mommy blogger on her blog; it’s safe to assume the ghost image is a hoax (aren’t they all?).

YouTube DataViewer

Go to YouTube DataViewer. Plug in the suspect video’s URL. Any associated thumbnail image plus upload time will be extracted. You now can find the earliest upload and see if anything is suspicious. Alongside that you can do a reverse image on the thumbnails and see what you get.

FotoForensics

FotoForensics can detect photoshopping or digital manipulation. If you want to pursue a video, you’ll need to plug in the URL of a still shot, like the ones you see after a video has ended that clutter up the video space. FotoForensics uses a tool called ELA, and you’ll have to do some reading on it before understanding how it works.

WolframAlpha

WolframAlpha can look at weather conditions at a certain time and location, such as “weather in Davie, Florida at (time) and (date). So if the weather in a suspect image with a date and location doesn’t match what Wolfram turns up, consider it a fake.

Jeffrey’s Exif Viewer

Images taken with smartphones and digital cameras contain tons of data called EXIF, including date, time and location of image shoot. See if the date, time and location don’t jive with what the suspect image conveys. Jeffrey’s Exif Viewer is one such EXIF reader.

Google Street ViewGoogle Earth and Wikimapia are tools for mapping out the truth, such as matching up landmarks and landscapes.

So, did your ex really take a trip to Paris, as she stands there with the Eiffel Tower behind her? And is her new beau for real, or was he “shopped” in off of a male fitness model site?

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Eight security tips for travelers with laptop

These days, who doesn’t travel with their laptop? But commonality doesn’t make it inherently safe for your sensitive information that’s stored in the device. In fact, traveling with your laptop is inherently unsecure.

1DWhether you’re traveling for business or to visit family this holiday season, here are some ways to protect your laptop and your personal data:

  • Get a cable lock for your laptop. It’s a great way to deter a potential thief, especially if there are lots of people around.
  • Register with an anti-theft service to track your laptop should it get stolen or “lost.”
  • Carry your laptop in a bag that’s made specifically for these devices. If it’s awkward for you to carry a suitcase in one hand while the laptop bag is slung over the opposite shoulder, consider packing the laptop with lots of tight padding in your suitcase. (But only if the suitcase will be a carry-on that you’ll be gently handling.) This way it’ll be invisible to thieves.
  • If you go with the special laptop bag, don’t leave it unattended while you make a trip to the bathroom or food court. The same goes for a carry-on suitcase. Either belonging should be with you at all times.
  • Whenever you leave your hotel room, hang the “Do Not Disturb” sign. You never know what hotel employee would be tempted to get into your laptop should they enter your room upon thinking nobody’s in it.
  • Never let a stranger use your laptop, even if that stranger looks innocent. The need to protect your sensitive data is more important than the feelings of a stranger.
  • And back up your data—before the trip. Cloud backup such as Carbonite will update your data based on custom settings as frequently as you require.
  • If you absolutely must conduct personal or sensitive online transactions on a public Wi-Fi, use a virtual private network (VPN), as this will scramble your transaction and make it worthless to hackers snooping data streams. One of these snoopers could be sitting in the same coffee house or hotel lobby as you are. Or, they can be a thousand miles away.

Robert Siciliano is a personal privacy, security and identity theft expert to Carbonite discussing identity theft prevention. Disclosures.

Infrastructures under attack

It’s been stated more than once that WWIII will most likely be cyber-based, such as dismantling a country’s entire infrastructure via cyber weapons. And don’t think for a moment this doesn’t mean murdering people.

4DA report at bits.blogs.nytimes.com notes that foreign hackers have cracked into the U.S. Department of Energy’s networks 150 times; they’ve stolen blueprints and source code to our power grid as well. Some say they have the capability to shut down the U.S.

The bits.blogs.nytimes.com article goes on to say that cyber warfare could result in death by the masses, e.g., water supply contamination of major cities, crashing airplanes by hacking into air traffic control systems, and derailing passenger trains. So it’s no longer who has the most nuclear missiles.

The list of successful hacks is endless, including that of a thousand energy companies in North America and Europe and numerous gas pipeline companies. The U.S.’s biggest threats come from Russia and China.

So why haven’t they shut down our grid and blown up furnaces at hundreds of energy companies? Maybe because they don’t have the ability just yet or maybe because they don’t want to awaken a sleeping giant. To put it less ominously, they don’t want to rock the boat of diplomatic and business relations with the U.S.

Well then, what about other nations who hate the U.S. so much that there’s no boat to be rocked in the first place? The skills to pull off a power grid deactivation or air traffic control infiltration by enemies such as Iran or Islamic militants are several years off.

On the other hand, such enemies don’t have much to lose by attacking, and this is worrisome. It is these groups we must worry about. They’re behind alright, but they’re trying hard to catch up to Russia and China. For now, we can breathe easy, but there’s enough going on to get the attention of Homeland Security and other government entities.

Recent attacks show that these bad guys in foreign lands are getting better at causing mayhem. At the same time, the U.S.’s cyber security isn’t anything to brag about, being that very recently, some white hat hackers had tested out the defenses of the Snohomish County Public Utility District in Washington State. They infiltrated it within 22 minutes.

Another weak point in our defenses is the component of pinning down the source of major hacking incidents. So if WWIII becomes real, the U.S. won’t necessarily know where the attack came from.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

How to avoid Online Fundraising Scams

You’ve probably heard of the gofundme.com site, where all sorts of stories are posted of people seeking donations. Some are tragic, others are trite. You may be touched by a particular story, perhaps one in which an entire family is killed in a house fire.

9DYou click the “Donate Now” button and donate $50. So just how do you know that family who died in the fire really existed?

Gofundme.com and similar sites are loaded with “campaigns,” just tons of them. Think of the logistics involved if these sites hired people to verify every campaign. This would require enormous amounts of time and a lot of people and expense.

People don’t think. They just assume every campaign is for real. Do you realize how easy it is to start a campaign? Gofundme.com, for instance, only requires that you have a Facebook account with a valid-looking profile picture of the campaign starter, and at least 10 Facebook friends (last I checked, anyways).

  • Who at Gofundme.com and similar sites verifies that the profile picture is that of the campaign starter?
  • Who at these sites verifies that the “friends” are legitimate, vs. all phony accounts or “friends” purchased from seedy overseas companies that create fake profiles?
  • Even if the avatar and friends are for real, how do these crowdfunding sites confirm the authenticity of the campaigns?

It’s all based on the honor system. You take their word for it, though some campaigns are high profile cases. People have given money to fake campaigns. How can you prevent getting conned?

  • Check the news to see if the campaign story really happened. But a house fire in a small town doesn’t always hit the Internet. Nor is it newsworthy that some housewife is trying to raise money to buy her disabled son a set of golf clubs. So stay with campaign stories that you know have occurred.
  • But again, a scammer could take a real story, pretend to know a victim and scam donators. So see if there’s a legitimate pathway to donate to the real people involved in the story, such as through their local police department.
  • Stick to reputable charity sites. Offline, never give money solicited over the phone.
  • Be leery of charity solicitations for very high profile cases, as these attract scammers.
  • If donations are solicited by snail mail, check the Better Business Bureau. Any scammer could create a legitimate sounding name: “American Association for Autistic Children.”

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How to prevent your Pics from being lifted: Part 1 of 2

You need not be a celebrity or some big wig to suffer the devastating fallout of your online images (and videos) being stolen or used without your permission.

10DSo how does someone steal your image or use it without your permission?

Hacking

  • Hacking is one way, especially if passwords are weak and the answers to security questions can easily be figured out (e.g., “Name of your first pet,” and on your Facebook page there’s a picture of you: “My very first dog, Snickers”).
  • Malware can be installed on your device if the operating system, browser or security software is out of date.
  • But hackers may also get into a cloud service depending on their and your level of security.

Cloud Services

  • In 2014, the images of celebrities and others were stolen from their iCloud accounts. At the time, two factor authentication was not available to consumers.
  • Apple did not take responsibility, claiming that the hackers guessed the passwords of the victims. This is entirely possible as many use the same passwords for multiple accounts. It is reported that Jennifer Lawrence’s and Kate Upton’s passwords really were123qwe and Password1, respectively.

Social Media

  • Got a pretty avatar for your Facebook page? Do you realize how easy it is for someone to “Save image as…”?
  • Yup, someone could right-click on your provocative image, save it and use it for some sex site.
  • And it’s not just images of adults being stolen. Images of children have been stolen and posted on porn sites.
  • Stolen photos are not always racy. A stolen image could be of an innocent child smiling with her hands on her cheeks.
  • The thief doesn’t necessarily post his loot on porn or sex sites. It could be for any service or product. But the point is: Your image is being used without your authorization.

Sexting

  • Kids and teens and of course adults are sending sexually explicit images of each other via smartphone. These photos can end up anywhere.
  • Applications exist that destroy the image moments after it appears to the sender.
  • These applications can be circumvented! Thus, the rule should be never, ever, ever send photos via smartphone that you would not want your fragile great-grandmother or your employer to view.

How can you protect your digital life?

  • Long, strong passwords—unique for every single account
  • Change your passwords regularly.
  • Firewall and up-to-date antivirus software
  • Make sure the answers to your security questions can’t be found online.
  • If any of your accounts have an option for two-factor authentication, then use it.
  • Never open attachments unless you’re expecting them.
  • Never click links inside e-mails unless you’re expecting them.

Stay tuned to Part 2 of How to prevent your Pics from being lifted to learn more.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Dust off your digital devices inside and out

Hackers know small companies are more vulnerable to data breaches due to limited resources. Cybersecurity should always be a high priority. But when a company’s IT staff consists of maybe 1-2 people who are provided limited budgets and are constantly solving other tech problems, the focus on security suffers. And hackers aren’t the only problem. One significantly overlooked part of the security process “cleaning” the IT infrastructure.

4HIT staff being and small business owners must keep on top of:

  • Networked systems
  • PC and mobile hardware
  • Multiple device software
  • Local and cloud data

The best way to manage the “cleaning” process is to keep a checklist and break the workload down into small bites. Complete the following tasks to clean up your business’s digital life and add layers of protection:

  • Rule #1: Automatically back up your data before, after and always. No matter what you are doing to your devices, make sure they are backed up.
  • Use automatically updated security tools including anti-virus, anti-spyware, and firewall software.
  • Use a virtual private network for public Wi-Fi activity. Check to see if the VPN auto-updates.
  • Take an inventory of your e-mail files. Depending on the nature of a business, it may be prudent to keep everything backed up for years. In other cases, consider deleting useless messages. Create folders for messages pertaining to certain topics. Delete old folders, etc.
  • Go through all of your devices’ programs and uninstall the ones you’ll never use.
  • Carefully sift through all of your files and get rid of useless ones.
  • Separate out media so that there are files specifically for images, video, docs, etc.
  • Integrate desktop icons that have a commonality. For instance you may have several related to a certain product or service you provide. Create a main folder and put all of these in it. Icon clutter may slow boot-up time and makes things look and feel, well, cluttered.
  • Take a look at all your passwords. Replace the crackable ones with long and strong ones. An easily crackable password: contains real words or proper names; has keyboard sequences; has a limited variety of characters. If you have a ton of passwords, use a password manager.
  • Have multiple backups for your data including on premise and cloud storage.
  • Defragment your hard drive.
  • Reinstall your operating system. Of course, first make sure all your data is backed up beforehand.
  • Operating systems pick up temporary files over time, slowing the computer and making it vulnerable. The free CCleaner tool will clean up your system’s registry.
  • Install program updates. Your OS should automatically do this, but check just to be safe.
  • Review the privacy settings of social media accounts to make sure you’re not sharing information with more people than you’d like.
  • Make sure your business is protected by a security alarm system that includes video surveillance. Hackers get the spotlight, but we can’t forget about the common burglar.

The prevention tactics above apply to businesses and really, everyone. Be sure to train your employees on proactive security and inform them about tricks that cyber thieves use. For more information visit: http://www.dhs.gov/national-cyber-security-awareness-month. If you’re looking for a secure backup solution, check out Carbonite. Sign up before the end of October and receive two free bonus months when you enter code “CYBERAWARE” at checkout.

#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders. Disclosures.

How to Stop Sharing Your Location Information

The Internet helps us connect and share with people around the world, but there are some people with whom you definitely shouldn’t be sharing your information. Although it’s not pleasant to think about, it’s not just friends and family that can see your online posts, bad guys can too, including criminals and even sex offenders.

7WSo, when you take a photo of your kids in your backyard, know that if you post that picture on social media, a predator can potentially obtain the GPS coordinates of where that picture was shot.

This is because every time you take a picture, technical data is created and stored along with the image. This is called “EXIF data”, or exchangeable image file format. When this data includes location information, such as the exact GPS coordinates of where the photo was taken, the image is then “geotagged.”

The good news is you can view the EXIF data, and remove it to prevent predators from getting your location information. EXIF data will always be added to the storage of every picture you take; there’s no way to prevent this. But you can delete it.

Here’s how to prevent strangers from seeing your location information:

  • Select the image on your computer and right-hand click on it.
  • Select “properties.” You’ll find all the data here.
  • Go to the location, or EXIF data.
  • At the end of all the information you’ll see “Remove Properties and Personal Information.” This will wipe out the coordinates.
  • You should go through this process before posting photos online, because once they’re online, you can’t control who sees this information.
  • However, it will still be worth your while to strip this data from photos already posted online. For all you know, tomorrow is the day that a bad guy reads your location information, so today is the day to delete it.

Some people’s social media pages have an endless scroll of personal photos, including pictures of their children and teens. Be very selective of what you post online, and always delete the EXIF data before posting.

Save the pictures you don’t post for a hardcopy photo album. That way you’ll dramatically cut down on the time spent eradicating your location information, while increasing your online security.

Here’s some more tips to use location services safely:

  • Turn off the GPS function on your smartphone camera or digital camera. This is important if you are going to be sharing your images online. Instructions on how to turn off geotagging will vary, but we suggest referring to your phone or camera’s manual for further instructions on how to adjust this feature. You also might want to consider only letting certain apps (like maps) use your location data on your mobile device.
  • Check your privacy settings on social networks and photo sharing sites. Make sure that you are only sharing information with friends and family. Also, make sure that you only accept people into your network that you know in real life.
  • Be aware of the fact that the information you share on one social network may be linked to another.For instance, a photo you post to Twitter may automatically post to your Facebook profile. Because of this, it’s important that you check the privacy settings on all your accounts.
  • Finally, be careful about what images you’re sharing and when you are sharing them.Rather than uploading a picture that reveals your location the moment you take it, wait until you get home to upload it.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Mother Nature can ruin your business: Get ready for natural disasters now

September is almost over. This means National Preparedness Month is nearing its end. Nevertheless, you must be prepared all year long to stay safe. National Preparedness Month culminates September 30th with National PrepareAthon Day.

http://www.dreamstime.com/stock-images-online-risks-sign-road-banner-image34668294In the boxing ring, if you focus on the knockout punches too much, the quick sharp jabs are what may bring you down. This is how some businesses approach their security. They put too much emphasis on preventing that mountainous data breach, while smaller everyday threats sneak by.

Those smaller threats may be difficult to get at, and they can knock you out for good. A company may have all eyes on that Russian hacking ring, a fire or hurricane. But threats come in all flavors.

A business just can’t use all its artillery against the “big” threats, because this will create non-flexible tactics that unravel in the face of an unexpected threat.

Unless company leaders are psychic, they can’t anticipate every possible threat. But being narrowly focused is no good, either. Here are some tips on how to widen that focus and plan for disaster:

  • Certainly, gear up for the “big” threats like natural disasters and brick-and-mortar crimes. This includes having insurance plans, conducting evacuation training, and implementing additional protection like smoke detectors and fire extinguishers.
  • Create a list of as many possible threats you can think of. If you can conceive it, it probably can happen.
  • Come up with a backup location should your primary office location be rendered inoperable.
  • Create a core response team for any kind of disasters, and see to it that the members are easy to reach. Have a secondary team in place in case anyone in the primary core can’t function.
  • Establish post-disaster communication plans for employees, customers/clients and vendors. Have a list of backup vendors.
  • Create security plans that are flexible rather than rigid, and make sure they are regularly updated.
  • Back up all data. Have an onsite data backup as well as cloud backup.
  • Replace computers every 2-3 years. But don’t wait that long if the following symptoms of a croaking computer occur: odd noises during boot-up; things taking way too long; a blue screen.

The preparation and prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained on proactive security and tricks that cyber thieves use. To learn more about preparing your small business for disasters, download Carbonite’s e-book, “Five Things Small Businesses Need to Know about Disaster Recovery.”

#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders. Disclosures.

7 Ways to protect Yourself Online

The biggest mistake that you can make to threaten your online safety is to treat the online world different—as far as your private information—than you would treat the physical world. In other words, if someone walked up to you and said, “Hi, can you please provide me with your name, address, birth date, home phone, cell phone, email, usernames, passowords all your friends names and all their contact info?” I think not.

9DWhat sane person would pass out cards with their Social Security number, birth date, full name, home address and bank account information to every stranger they walk past on the street? But essentially, that’s what many people do online.

Here are seven risky online behaviors:

  • Posting photos. As innocent as this sounds, photos of children have been known to get stolen and posted on child porn sites. Right click, save image as, then save to desktop; that’s all it takes. Does this mean never post photos of your kids? No. But save the picture of your naked two-year-old girl in the bathtub for your desktop. And don’t post vacation photos until after you return home.
  • Another thing about photos: Don’t post pictures of yourself engaging in activities that could come back to haunt you in some way. For example, you post a picture of yourself smoking while at a picnic. You apply for new health insurance and say you’re a nonsmoker. The insurance company might decide to view your social media pictures to catch you in the act.
  • Sounds innocent: You let your kids use your computer. But even if there are parental controls in place, your kids can still unknowingly let in a virus. Then you sit down to do some online banking…and the hacker whose virus is in your computer will then have your login credentials and bank account numbers, plus everything else. Ideally, you use a designated computer only for conducting sensitive online transactions.
  • A hacker sends (via bot) out 10,000 e-mails that are made to look like they’re from UPS. Out of 10,000 random recipients, chances are that a good number of them are waiting any day for a UPS shipment. This could be you. Will you open the e-mail and click on the link inside it? If you do, you’ll likely download a virus. This is a phishing scam. Contact the company by phone to verify the e-mail’s legitimacy. Better yet, just never click on the doggone links.
  • Do you know your apps? They most certainly know you—way too much, too. Applications for your phone can do the following: read your phone’s ID, continuously track your location, run your other applications, know your SIM card number and know your account number. Before downloading an app, find out what it can find out about you.
  • Don’t take silly online quizzes. Whoever’s behind them might just want to get as much information on you as possible with the idea of committing identity theft. Got some extra time? Read a book or do a crossword puzzle.
  • Never conduct business transactions using free Wi-Fi unless you have a virtual private network. Otherwise, anyone can cyber-see what you’re doing.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.