Posts

IT Guys Get Duped by Pretty Girl on Social Media

Defenses of a U.S. government agency were duped by an experimental scam created by security experts.

The “scam” involved Emily Williams, a fictitious attractive woman with a credible online identity (including a real photo, used with the permission of the woman pictured), posing as a new hire at the targeted agency.

Within 15 hours, the fake Emily had 55 LinkedIn connections and 60 Facebook friends among the targeted agency’s employees and contractors. Job offers came, along with offers from men at the agency to assist her with her new job.

Around Christmastime the security experts placed a link on Emily’s social media profiles linking to a Christmas card site they created.

Visits to this site led to a chain of events culminating in the security team stealing highly sensitive information from the agency. Partner companies of the agency were also compromised.

The experimenters got what they sought within one week. The same penetration scam was then run against credit card companies, banks and healthcare organizations, with very similar results.

An authentic attacker could have easily compromised any of the partner companies, then attacked the agency through them, making the assault more difficult to detect.

Recap: The scam was built from the ground up, inflating Emily’s social network until it enabled the attack team to draw in security personnel and executives. Most of the people who assisted Emily were men. A similar experiment using a fake male profile had no success.

Preventing getting suckered into Social Media Scams

  • For agencies and other organizations, social engineering awareness training is crucial, and it must be done constantly, not just the typical once a year.
  • Suspicious behavior should always be questioned.
  • Suspicious behavior should be reported to the human relations department instead of shared on social networks.
  • Work devices should not be used for personal activities.
  • Access to various types of data should be protected with separate and strong passwords.
  • The network should be segmented to guard against scammers infiltrating a network segment simply because an employee with access to another segment was compromised.
  • Learn from this. Reverse engineer this same scenario in your own life or organization to see how this might happen to you.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

7 Tips to avoid ‘deadly’ social media

The vacant 5,000 square foot house next door to the victim of this kicking was for sale, and he had agreed with the realtor to keep an eye on it. Some kids got wind of the vacancy and put out a Facebook invitation to a Halloween rave party there.

He called 9-1-1 and the police broke up the party. However, kids kept arriving because the Facebook notice was still up. A mob of perhaps 60 kids was brewing at the end of the street.

The victim-to-be began chatting with the realtor’s partner—in front of the rave house. The realtor then approached a kid and was assaulted. Our victim intervened without much thought, got blindsided by one thug, then was knocked to the ground and kicked by several kids.

Hindsight is 20/20

The victim, only after the beating, realized that he should have:

  • Fled to his house and called the police.
  • Remained outside and called the police (not as safe as the above, but a lot better than jumping into a fight).

However, these weren’t the best options. The best option would have been this victim calling the police to come back when the mob was forming.

  • The victim could have taken pictures of these kids (with his Nokia 1020) before any of the rumbling began.

Conclusion

  1. Avoid mobs at all costs.
  2. If someone is attacked, call the police and take pictures.
  3. Do not jump in to break up a fight. Three scrawny but very angry punks can take down a much bigger well-meaning solitary person.
  4. If you do get attacked, go ballistic—and target the gang’s leader.
  5. Sprint to safety first chance you get.
  6. Warn your kids about the dangers of raves.
  7. Check out the “crime radar” of your neighborhood with this new tool.


Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Social Media A Big Risk To Banks

For more than a decade, criminals have been attacking online banking successfully, one-upping security professionals and their clients by creating viruses that bypass existing security measures.

In response, security companies offer new technologies to fight new threats, and federal regulators have continually updated their compliance rules in response to existing vulnerabilities.

However, one variable that technology has yet to fully fix is the human element. Sure, many existing security technologies help protect the consumer and the bank from human error, such as downloading a virus or falling for a social engineering trick like clicking an infected link, and they alert us to phishing emails. But no technology, security policy or privacy policy can prevent someone from exposing all their life’s details on a social media site.

When criminals target an organization like a bank, they start by looking for vulnerabilities in the network infrastructure. Beyond that, they target the bank’s employees and customers using the information provided on the corporate site and via social media.

Once they gather enough information about their target, they use that data to circumvent the security technologies meant to stop a user from downloading a virus or falling for a social engineering trick, and to slip past the filters that flag phishing emails.

This is where banks need to step it up and incorporate complex device identification. iovation, an Oregon-based security firm, goes a step further by offering Device Reputation, which builds on complex device identification with real-time risk assessments, the history of fraud on groups of devices, and their relationships with other devices and accounts, exposing fraudsters working together to steal from online businesses.

Robert Siciliano is a personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock ’em dead in this identity theft prevention video. Disclosures.

Why Your Employer Needs Social in the Workplace

Social media is the fifth form of mainstream media. It encompasses all media, making it the king of all media. At this point, most people know how to use social media and how to navigate the various websites. But many employers are still on the fence.

Hootsuite’s CEO says, “The world’s top brands—like Pepsi, Virgin, NHL and American Express—[are] now embracing [social media] company-wide.”

MarketingDonut reports, “One of the simplest ways to convince your boss that social media is the future is [by] showing how much profit [the company] can make. Show how your competitors are using social content to attract potential clients, showing the strengths and weaknesses of their campaigns. Use your website analytics to monitor the flow of visitors to your website from Facebook, Twitter or organically, and how many convert to leads or sales.”

And social isn’t just for business-to-consumer communications. It’s also great for connecting employees too. SHRM reports, “Social networking platforms may allow organizations to improve communication and productivity by disseminating information among different groups of employees in a more efficient manner, resulting in increased productivity.”

As you are setting up social media as an effective tool, you must consider the security implications.

  • Implement policies. Without some type of policy in place to regulate employee access and set guidelines for appropriate behavior, social media could be problematic. Teach employees effective use by providing training on proper use, including, especially, what not to do.
  • Limit social networks. In my own research, I’ve found 300-400 operable social networks serving numerous uses from music to movies, from friending to fornicating. Some are more or less appropriate and others even less secure.
  • Train IT personnel. Effective policies begin from the top down. Those responsible for managing technology need to be fully up to speed.
  • Maintain updated security. Whether you’re using hardware or software, anti-virus or critical security patches, make sure you are up to date.
  • Lock down settings. Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.
  • Register your company name and all your officers at every social media site. You can do this manually or by using a very cost-effective service called Knowem.com.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures

Social Media Security Risks for Small Business

For more than a decade, cyber criminals have launched countless attacks on banks’ online infrastructure, successfully one-upping security professionals and their clients by creating viruses that bypass existing security measures.

In response, computer security companies have continuously updated their technologies to address new cyber threats.

However, one major variable that technology cannot control is the human element. Sure, many existing computer security technologies help protect consumers, banks and small businesses from human errors like accidentally downloading a virus, or from social engineering tricks designed to fool targets into clicking infected links, by warning users about potentially dangerous webpages and phishing emails. But no computer security technology or privacy policy can prevent people and employees from exposing all their lives’ details on social media websites.

When internet criminals target an organization, they start by looking for vulnerabilities in the network’s infrastructure. Beyond that, they target a business’s employees and customers by using information freely provided on the corporate site and collected through social media.

Once they have gathered enough information about a target, hackers use that data to circumvent all the IT security technologies meant to protect users. Below are some things you can do as a small business owner to reduce your social media security risks.

Implement IT Security Policies.

Social media is a great platform for connecting with existing and potential clients. However, without some type of policy in place that regulates employee access and sets guidelines for appropriate behavior, social media may eventually be completely banned from every corporate network. Teach effective use by providing training on proper use and, especially, what not to do.

Train IT Personnel.

Effective online security policies begin from the top down. Those responsible for managing technology need to be fully up to speed with social media security risks.

Maintain Updated IT Security.

Whether hardware or software, anti-virus or critical IT security patches, make sure your business network is up to date.

Lock Down Online Privacy Settings.

Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave your computer security wide open for attack.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

What Happens to Your Profile After You Die?

If you were hit by a bus, and passed on to whatever heaven might exist, would you care about your Facebook page? Probably not. But your loved ones more than likely would. Things like email, websites, and social media profiles are considered “digital assets,” which may have some monetary value, but for the most part offer sentimental value to the family of the deceased.

I went to high school with a darling young woman who passed away at far too young an age. Her Facebook page sees a lot of activity. Not a day goes by that someone doesn’t make use of this forum to leave a message telling her they love her. It’s quite nice to visit her page and witness this outpouring of affection.

When Facebook is informed that a profile’s owner has passed away, the account is memorialized, which means that nobody can access or edit the account, nor can any new friends be accepted, but people can still post messages and comments.

However, the inability to access an account might pose a burden to the family of the deceased, who might wish to learn more about their loved one or need administrative abilities in order to access crucial information, alert loved ones, or even finalize the deceased’s affairs.

The Associated Press reports, “Now lawmakers and attorneys in at least two states are considering proposals that would require Facebook and other social networks to grant access to loved ones when a family member dies, essentially making the site contents part of a person’s digital estate. The issue is growing increasingly important as people record more thoughts and experiences online and more disputes break out over that material.”

Facebook currently provides an online form that can be used to report a user’s death. “If prior consent is obtained from or decreed by the deceased or mandated by law,” Facebook will provide the family of the deceased with a download of all account data.

Though you may not particularly care to acknowledge it, now might be a good time to instruct a trusted friend or family member on how to access your various social media assets in the event that something bad should happen.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him on YouTube discussing information he found on used electronic devices. (Disclosures)

Holiday Phishers Use Social Media

Every social media website in existence depends on advertising for its survival, to some extent. Criminals exploit this by mimicking these familiar platforms when sending millions of phishing emails designed to entice users into clicking malicious links or visiting spoofed websites that resemble legitimate social media. They also create pages within popular social media that are infected with malware, or malicious links designed to infect the PCs of anyone who clicks.

McAfee has exposed numerous Christmas-related scams. To avoid being snared in a holiday phisher’s net, beware of:

  • Promotional scams and contests: Scammers know that contests and free offers make attractive lures, and have sprinkled Facebook with phony promotions aimed at gathering personal information.
  • Holiday phishing scams: Since people tend to be busy and distracted during the holiday season, phishers incorporate holiday themes into their emails and social media messages, hoping to trick recipients into revealing personal details.
  • Coupon scams: When accepting an offer for an online coupon code, you may be asked to provide personal information, including credit card details, passwords, and other financial data.
  • “It Gift” scams: When a particular gift is hot, sellers tend to mark up the price. Scammers also like to advertise popular gifts on rogue websites and social networks, despite not actually having these items to sell.


Awareness is the key. If you can see a potential scam coming and behave proactively, you won’t get hooked.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto, and he is running the Boston Marathon in April 2012 to support Miles for Miracles for Children’s Hospital Boston.

Cybercriminals Target Senior Citizens

Cyber scams happen to the young and the old, the rich and the poor. It doesn’t matter how good or bad your credit is, or whether or not you have a credit card. Cybercriminals target everyone, regardless of how much or how little you rely on a computer.

The lowest of the lowlifes, however, tend to prey upon the weak and uninformed. And all too often, that means children or elderly.

Senior citizens are in a unique position because they often have money in the bank, plus access to additional lines of credit. They are less likely to be frequent Internet users, relative to younger generations, and are therefore less likely to be aware of the many scams that may be targeting them.

Many common scams take place using the telephone rather than the Internet, such as “grandparent scams,” in which victims receive calls from their supposed grandchildren, requesting money.

Online, beware of social media and dating scams. Not everyone who contacts you online is your friend, so be cautious before sharing personal information. Never, under any circumstances, send money on the basis of an online relationship.

You’ve most likely heard the term “phishing,” and have certainly received a fake email at some point. But scammers are getting better at creating targeted, personalized emails that include your name, email address, and even stolen account numbers. Never click any links within an email. Instead, go to your favorites menu or manually type the address into the address bar. If you suspect that an email might not be legitimate, hit delete.

Scammers are constantly searching for the information they need to take over your existing accounts, either by hacking into your own personal computer or by stealing data from your bank, credit card company, a government agency, or any other institution that keeps personal data on file. To prevent account takeover, keep your antivirus software updated, and pay close attention to all your bank statements. Dispute any unauthorized transactions right away.

Bad guys love your Social Security number, because they can use it to open new credit accounts in your name. You’ve probably disclosed your Social Security number hundreds of times in your life, and can’t avoid disclosing it in the future. But you can protect yourself with identity theft protection and a credit freeze.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)


Device Intelligence Helps Stop Scammers Targeting Social Media Sites

We’ve heard this story before, but unfortunately it happens over and over again. Social media and dating sites are overrun with criminals who pose as legitimate, upstanding individuals, but are really wolves in sheep’s clothing.

In Florida, a man named Martin Kahl met a 51-year-old woman and they developed an online romance. A quick search for the name “Martin Kahl” turns up many men with the same name and no obvious signs of trouble.

This particular Martin Kahl told his online girlfriend that he would soon be working in Nigeria (red flag) on a construction project, but a short time later he informed her that the job had fallen through. He cried poverty and asked her to send him money, which she did.

(If there are people in your life who might be prone to falling for a scam like this, please reel them in immediately. Any of their financial transactions ought to require a cosignatory.)

Anyway, during their affair, Kahl claimed he had been arrested (red flag) on some bogus charge, and requested that the woman bail him out to the tune of $4,000, which she most likely paid via money wire transfer (red flag).

All told, she sent the scammer at least $15,000 during their relationship. Sadly, social media sites can do more to protect their users, and should take advantage of information that readily exists for them to use — the known reputations of over 650 million devices in iovation’s device reputation knowledge base. Computers that are new to the social networks dealing with scammers and spammers are rarely new to iovation. It has seen these devices on retail, financial, gaming or other dating sites and can help social sites know, in real time, whether to trust them.

In the case above, the phone numbers used in the scam were traced overseas. The computer or other device the scammer used to go online could surely also have been traced overseas and could have been flagged for many things: hiding behind a proxy, creating too many new accounts on the social network, device anomalies such as a time zone and browser language mismatch, a past history of online scams and identity theft, and the list goes on. Scammers in countries such as Ghana, Nigeria, Romania, Korea, Israel, Colombia, Argentina, the Philippines, or Malaysia conduct many of these scams, spending their days targeting consumers in the developed world.
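The device-level signals listed above (proxy use, account-creation velocity, a time zone that does not fit the browser language, prior fraud history) are the raw material of the device reputation checks this post and the earlier "Social Media A Big Risk To Banks" post describe. The following is an added illustration of how a site could turn such signals into an allow/review/deny decision; it is not iovation's code, and every weight, threshold and the small locale-to-time-zone table is an assumption made up for the example.

```python
"""Toy device risk profiling over the signals named in the post.
Added example, not iovation's implementation. Thresholds, weights and the
EXPECTED_TZ_OFFSETS table are assumptions chosen for illustration only."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed: UTC offsets (minutes, east positive) where each browser locale is
# commonly used. A real service would back this with a far richer table.
EXPECTED_TZ_OFFSETS = {
    "en-US": {-600, -540, -480, -420, -360, -300},
    "en-GB": {0, 60},
    "de-DE": {60, 120},
    "pt-BR": {-300, -240, -180, -120},
}


@dataclass
class DeviceObservation:
    """One device as observed at account creation / login (constructed data)."""
    device_id: str
    uses_proxy: bool              # anonymising proxy or VPN exit detected
    new_accounts_24h: int         # accounts created from this device in 24h
    tz_offset_minutes: int        # client-reported UTC offset, east positive
    browser_language: str         # e.g. navigator.language
    prior_fraud_reports: int      # confirmed abuse reports from other sites
    seen_on_sites: List[str] = field(default_factory=list)


def score_device(obs: DeviceObservation) -> Tuple[int, List[str]]:
    """Return an additive risk score plus the reasons that contributed."""
    score, reasons = 0, []
    if obs.uses_proxy:
        score += 30
        reasons.append("proxy")
    if obs.new_accounts_24h > 3:          # assumed velocity threshold
        # 10 points per account over the threshold, capped at 50
        score += 10 * min(obs.new_accounts_24h - 3, 5)
        reasons.append(f"{obs.new_accounts_24h} accounts in 24h")
    expected = EXPECTED_TZ_OFFSETS.get(obs.browser_language)
    # Unknown locales are not penalised: absence of data is not a signal.
    if expected is not None and obs.tz_offset_minutes not in expected:
        score += 20
        reasons.append("tz/language mismatch")
    if obs.prior_fraud_reports:
        score += 25 * min(obs.prior_fraud_reports, 2)
        reasons.append("prior fraud history")
    return score, reasons


def decide(obs: DeviceObservation) -> str:
    """Map the score to an action. The middle tier exists because a single
    weak signal (a traveller's time zone, a corporate VPN) is not proof."""
    score, _ = score_device(obs)
    if score >= 70:
        return "deny"
    if score >= 30:
        return "review"
    return "allow"


if __name__ == "__main__":
    # Constructed observations: an ordinary user and one matching the post's red flags.
    legit = DeviceObservation("dev-constructed-1", False, 1, -300, "en-US", 0, ["retail"])
    shady = DeviceObservation("dev-constructed-2", True, 12, 60, "en-US", 1, ["dating", "gaming"])
    for obs in (legit, shady):
        print(obs.device_id, decide(obs), score_device(obs))
```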

Social media sites could protect users by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, ReputationManager 360.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Dating Security on E! True Hollywood Stories. Disclosures

Social Networking Security Awareness

One in five online consumers has been a victim of cybercrime in the past two years. Social networking is a direct link to the problem. While social networks allow you to keep in touch with family and friends, there are issues to be concerned about.

Most concerns revolve around online reputation management, identity theft, or physical security issues. Social networking creates a risk of posting content that will be damaging to yourself, your profile being hacked or your credentials being compromised, or inviting burglars to your home by publicizing your whereabouts.

Facebook faces a security challenge that few companies, or even governments, have ever faced: protecting more than 500 million users of a service that is under constant attack. I’m a huge proponent of “personal responsibility,” and that means that you are ultimately responsible for protecting yourself.

Keep your guard up. Cybercriminals target Facebook frequently. Every time you click on a link, you should be aware of the risks.

Be careful about making personal information public. Sharing your mother’s name, your pet’s name, or your boyfriend’s name, for example, provides criminals with clues to guess your passwords.

Technology can help make social networking more secure. The most common threats to Facebook users are links to spam and malware sent from compromised accounts. Consumers must be sure to have an active security software subscription, and not to let it lapse.

Get a complimentary antivirus software subscription from McAfee. Simply “like” McAfee’s Facebook page, go to “McAfee 4 Free,” and choose your country from the dropdown menu to download a six-month subscription to McAfee’s AntiVirus Plus software. The software protects users’ PCs from online threats, viruses, spyware, other malware, and includes the award-winning SiteAdvisor website rating technology. After the six-month McAfee AntiVirus Plus subscription period, Facebook users may be eligible for special discount subscription pricing.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss hackers hacking social media on Fox Boston. (Disclosures)