Posts

Most Toxic Superhero 2014

It’s a bird! It’s a plane! It’s Superman! Yes, this superhero might be the epitome of courage, justice, and strength, but he might also be the biggest threat to you online.

We’ve entered a new age of superheroes. No longer are they just pictures in a comic book. They are now accessible on computers, game console devices, and mobile devices. Superheroes like Captain America, Thor, and Spiderman star on the silver screen. The Green Arrow and The Flash have their own television shows. Videos like Batkid and the Spiderman dad went viral on YouTube (and consequently, melted our hearts).

This is great news to comic publishers like Marvel and DC Comics. Unfortunately, it’s also good news to hackers and scammers too. Cybercriminals know that search engines (like Google, Yahoo! and Bing) can also be used for criminal means. Therefore, they use popular search terms to draw victims in like celebrity gossip, holidays, viral hits, and…you guessed it…superheroes.

McAfee just released a study on the Most Toxic Superheroes that analyzed what superhero search led to the most risky websites using McAfee® SiteAdvisor® site ratings. And the Man of Steel topped the list. The study determined that searching “Superman,” “Superman and free torrent download,” “Superman and watch,” “Superman and free app,” and “Superman and online,” yields a 16.5% chance of landing on a website that has tested positive for online threats, such as spyware, adware, spam, phishing, viruses and other malware.

This year the Most Toxic Superheroes are:

superhero

Here are some things you can do to protect yourself:

  • Be suspicious: If a search turns up a link to free content or too-good-to-be-true offers, be wary
  • Double-check the web address: Look for misspellings or other clues that the site you are going to may not be safe (for more on this, read my blog on typosquatting)
  • Search safely: Use a web safety advisor, such as McAfee SiteAdvisor that displays a red, yellow, or green ratings in search results, alerting you to potential risky sites before you click on them
  • Protect yourself: Use comprehensive security software on all your devices, like McAfee LiveSafe™ service, to protect yourself against the latest threats

Want to know more? Join the discussion on Twitter using hashtag #toxicsuperhero.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Malware at all time High

Malware is everywhere and isn’t about to disappear. The latest PandaLabs report says that last year alone, of all the malware that ever existed, cyber crooks created and distributed 20 percent of that. Malware comes in the form of Trojans, worms, viruses, adware/spyware and miscellaneous, with Trojans leading the pack.

6DRansomware seems to be gunning for the top spot, though, with a recent resurgence.

What about 2014? The 2013 Annual Security Report anticipates that the Internet of Things and Android devices will head the headlines (Android continues to be a favorite target of cyber criminals).

PandaLabs foresees that Android will get socked by hundreds of thousands of new malware strains. In 2013, criminals unleashed over two million new malware threats for Android.

Another area of attack is social media, and in 2013, even large companies, movie stars and politicians were affected.

The Trojan is a true warrior, in that it’s responsible for three-quarters of attacks, says PandaLabs. There was a huge leap in the number of circulating viruses as well, and is attributed to basically two virus families: Xpiro and Sality, says Luis Corrons, the technical director for PandaLabs.

Sality has been around for quite some time, but Xpiro is the new virus on the block, and can infiltrate “executable files on 32-bit and 64-bit systems,” says Corrons.

We’re in the midst of the malware plague; never mind the Bubonic plague. The whole planet is under attack, but some countries more so than others. China is the most infected, along with Turkey and Ecuador: 54.03, 42.15 and 40.35 percent of compromised personal computers, respectively.

Of the 10 least harmed countries, nine are in Europe; the other is Japan. For Sweden, Norway and Finland, the percentage of infected personal computers is 20.28 percent, 21.13 percent and 21.22 percent, respectively.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Spyware sold on the Open Market

You’ve heard of spyware, right? Spyware comes in the form of a virus and as a commercially available and legal software. It’s illegal for a stranger (or even someone you know, unless they own the device, and you just use it) to install spyware on your computer or smartphone and spy on you.

2WHowever, many parents—perhaps you yourself—use this very same technology to keep tabs on their kids’ computer and smartphone activities. And it’s perfectly legal to do so. It’s referred to as domestic surveillance. And frankly, if you have a 12 year old daughter with a mobile phone, it’s not a bad idea to know what she’s up to and who she’s chatting with. If you have a 14 year old boy you definitely want to know what he’s up to because I was 14 once and dang, I was up to no good!

There are many clever apps that can monitor your kids’ online activities. Depending on their features these apps can do anything you order them to upon installation, including track where your children are in physical space, monitor their text messages, videos and photos sent and received, calls made and received and sometimes even the websites they visit. For parents, this may provide a significant degree of insight and peace of mind.

There are two versions: One lets the user know it’s running by showing an icon, and one that, while running, does not let the user know it (the second version is great for parents—but also precisely what a criminal wants).

Outside of parental monitoring, this kind of technology is considered “spyware,” though the vendors who promote these applications market them as smart ways of remotely watching over your kids.

You can clearly see how this kind of app can be abused: installed on, for instance, an ex-lover’s device. You can see those worms slithering out of that opened can. However, parameters regarding what’s legit and what’s illegal with these kinds of apps have not been universally spelled out—they are somewhat blurred.

But case-by-case incidents are making marks, such as the former U.S. sheriff who was given a probationary sentence because he installed one of these apps on his wife’s work computer to spy on her.

Protection from Spyware

Apps such as described above can be installed remotely, not just directly. You can protect your device as follows:

  • Androids have many more options for spyware whereas iPhones, unless jailbroken do not.
  • It’s crucial for your device to have some kind of spyware protection. Most antivirus programs will recognize spyware.
  • Never click on a link in an e-mail or text, as it can direct you to a malicious download.
  • Never separate from your device when you’re in public; never let anyone use it. If they claim they need to make a call due to an emergency, you can make the call.
  • Your mobile should require a password for access. A password-protected phone makes spyware installation difficult.
  • If your phone has seemingly developed a mind of its own, or it’s “behaving” oddly lately, this probably means it’s been possessed by spyware. If you believe your phone’s been bugged with spyware, then reinstall its operating system. Simply confer with the device’s user manual. Or, call the carrier’s customer service for instructions.
  • If you are considering installing spyware on someone’s device, consider the legality of your actions first, determine if the installation is one that involves an open and honest conversation or will be done covertly and then consider this: just because you can, doesn’t mean you should. Think about what you are doing and the repercussions it may have.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Do You Know What Your Kids Are Hiding?

Many of you as parents may think, “not much” when asked this question. But in reality, it’s probably a lot more than you think. So it should come as no surprise to anyone that McAfee’s 2013 study, Digital Deception: Exploring the Online Disconnect between Parents and Kidswhich examines the online habits and interests of tweens, teens, and young adults, finds there is a significant disconnect between what they do online and what their parents believe they do.

The phrase “liar liar, pants on fire” comes to mind when I hear this topic and the phrase applies to both parents and kids. Parents are lying to themselves if they think they know what their kids are doing online, since 80% said they would not know how to find out what their kids are doing online and 62% do not think that their kids can get into deep trouble online. As for our kids, let’s face it – kids sometimes lie. The study found that 69% of kids say that they know how to hide what they do online from their parents and disturbingly 44% of them cleared their browser history or used private browsing sessions to hide their activity from their parents.

While youth understand the Internet is dangerous, they still engage in risky (and sometimes illegal) behavior. Not only are they hiding this activity from their parents in a variety of ways, but almost half (46%) admit that they would change their behavior if they knew their parents were paying attention.

86% of youth believe that social sites are safe and are aware that sharing personal details online carry risk, yet kids admit to posting personal information such as their email addresses (50%) and phone numbers (32%)

48% have viewed content they know their parents would disapprove of

29% of teens and college aged youth have accessed pirated music or movies online

Adding to this problem is how clueless parents are regarding technology and their kids’ online lives. 54% of kids say their parents don’t have time to check up on the kids’ online behavior and 42% say their parents don’t care what the kids do online. And even worse, only 17% of parents believe that the online world is as dangerous as the offline world and almost 74% of parents just admit defeat and claim that they do not have the time or energy to keep up with their kids and simply hope for the best.

So how do you bridge this divide?
Parents, you must stay in-the-know. Since your kids have grown up in an online world, they may be more online savvy than you, but giving up isn’t an option. You must challenge yourselves to become familiar with the complexities of the online universe and stay educated on the various devices your kids are using to go online.

Here are some things you can do as parents to get more tech savvy:

Get device savvy: Whether you’re using a laptop, desktop, Mac, tablet, mobile, wired Internet, wireless, or software, learn it. No excuses. No more, “My kids know more than I do,” or “All I know how to do is push that button-thingy.” Take the time to learn enough about the devices your kids are using.

Get social: One of the best ways to get savvy is to get social. By using your devices to communicate with the people in your life, you inevitably learn the hardware and software. Keep in mind that “getting social” doesn’t entail exposing all your deepest, darkest secrets, or even telling the world you just ate a tuna sandwich, but it is a good way to learn a key method that your kids communicate.

Manage your/their online reputation: Whether you are socially active or not, whether you have a website or not, there are plenty of websites that know who you are, that are either discussing you or listing your information in some fashion. Google yourself and your kids to see what’s being said. Teaching your kids what is and is not appropriate online is a must these days. And as a good rule of thumb, you should teach your kids that things posted online stays there forever.

Get secure: There are more ways to scam people online than ever before. Your security intelligence is constantly being challenged, and your hardware and software are constant targets. Invest in comprehensive security solutions that include antivirus, but also protects your kids, identity and data for ALL your devices like McAfee LiveSafe.

Or you can be like me and tell your kids that once they turn 10 they will be locked in a box in my basement until they turn 30. Just kidding (maybe). But seriously, parents – it’s time to make this a priority, for you and your kids. For more information, click here or follow McAfee on Facebook and on Twitter at @McAfeeConsumer.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  (Disclosures)

Safe Banking On Your Mobile Device

Mobile banking has experienced rapid growth over the last three years, in the U.S., more than doubling from 5% of online adults in 2007 to 12% by June 2010. Furthermore, Forrester predicts that one in five–or 50 million–U.S. adults will be using mobile banking by 2015.

However, identity theft is a major concern and studies show that many Americans are still uncomfortable with mobile banking, citing security as a top concern. In fact, 35% of US online adults said that they do not use their device to do banking for this reason.

Responding to these concerns, banks have been working to improve mobile security by offering a consistent sign-on experience for both their online and mobile channels, including multi-factor authentication programs for mobile.

While banks are trying to do their part, users have to take additional steps to make sure that their mobile data is protected. Consumer Reports estimates that almost 30% of Americans that use their phones for banking, accessing medical records, and storing other sensitive data, do not take precautions to secure their phones.

So, here are some tips for mobile bankers of all ages to keep you safe while banking on the go:

Connect to your bank’s mobile site or app securely by making sure that your wireless network is secure. Never send sensitive information over an unsecured wireless network, such as in a hotel or café.

Download your bank’s mobile application, so you can be sure you are visiting the real bank every time, not a copycat site.

Configure your device to auto-lock after a period of time.

Don’t store data you can’t afford to lose on an insecure device.

Use mobile security protection like McAfee Mobile Security™ that offers layers of protection including: antitheft, antivirus, antispyware, antiphishing and app protection.

Robert Siciliano is an Online Security Evangelist to  McAfee. See him discuss mobile phone spyware on Good Morning America(Disclosures)

Social Networking Security Awareness

One in five online consumers has been a victim of cybercrime in the past two years. Social networking is a direct link to the problem. While social networks allow you to keep in touch with family and friends, there are issues to be concerned about.

Most concerns revolve around online reputation management, identity theft, or physical security issues. Social networking creates a risk of posting content that will be damaging to yourself, your profile being hacked or your credentials being compromised, or inviting burglars to your home by publicizing your whereabouts.

Facebook faces a security challenge that few companies, or even governments, have ever faced: protecting more than 500 million users of a service that is under constant attack. I’m a huge proponent of “personal responsibility,” and that means that you are ultimately responsible for protecting yourself.

Keep your guard up. Cybercriminals target Facebook frequently. Every time you click on a link, you should be aware of the risks.

Be careful about making personal information public. Sharing your mother’s name, your pet’s name, or your boyfriend’s name, for example, provides criminals with clues to guess your passwords.

Technology can help make social networking more secure. The most common threats to Facebook users are links to spam and malware sent from compromised accounts. Consumers must be sure to have an active security software subscription, and not to let it lapse.

Get a complimentary antivirus software subscription from McAfee. Simply “like” McAfee’s Facebook page, go to “McAfee 4 Free,” and choose your country from the dropdown menu to download a six-month subscription to McAfee’s AntiVirus Plus software. The software protects users’ PCs from online threats, viruses, spyware, other malware, and includes the award-winning SiteAdvisor website rating technology. After the six-month McAfee AntiVirus Plus subscription period, Facebook users may be eligible for special discount subscription pricing.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss hackers hacking social media on Fox Boston. (Disclosures)

Choosing an Enterprise eBanking Security Solution

In Gemalto’s eBanking Security Guide, a question is asked: “Banking is changing, are you?”

Banking is a changing business. Since the early 1980’s banking has been going digital and moving online. During the last 10 years, we’ve seen a major shift in the services offered and the behavior of customers.

Gemalto’s Senior Vice President of online banking, Hakan Nordfjell, says, “Secure and convenient eBanking is a key factor in the future of banking.”

The convenience of online banking is what makes it so vulnerable to security threats. And in order to prevent fraud, online banking security must be convenient.

Recent technological advances have been vast and rapid. But after 15 years, online banking remains relatively immature, and this immaturity is reflected in a sometimes-inadequate security posture. You’re ebank is part of your business strategy, ebanking has security issues, therefore security should be a part of your business strategy too.

The security solution you choose should not merely function: it should contribute to realizing that strategy. You might want to offer other online security services remotely associated with people being able to identify themselves. Address change notifications, contract signing and more.

Experience shows that a reliable security solution opens up new business opportunities.

Today we worry about malware, spyware, root kits, phishing, social engineering, and a multitude of scams resulting in account takeover, new account fraud, and identity theft. It’s been less than a decade since the widespread use of broadband Internet took online commerce mainstream, and losses resulting from cyber fraud have already topped a trillion dollars.

Enterprises under siege by criminal hackers need qualified professionals to help plan and develop online banking solutions and to ensure that client information is secure.

These professionals know that most security problems are easily solved, but solutions often sacrifice a certain degree of user friendliness. Securing a system as thoroughly as possible would place unreasonable expectations on customers, demanding that they jump through too many hoops to make a purchase.

The ideal system design finds a happy medium, and incorporates functionality, appearance, and scalability.

When launching any security solution, explain to your customers why the change is necessary, and strive to make changes appealing for users. Be sure that your customer support is adequately prepared. Provide clear information and, if possible, allow customers to select which device to use.

When choosing a security solution for your business, consider a resource that offers more than standalone security technology. A real solution takes future needs and potential threats into account, and, crucially, offers a positive user experience.

Visit www.ebankingsecurity.net to learn how to enhance the security of your online banking system.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

 

Check Your Password Security

Passwords are the bane of the security community. We are forced to rely on them, while knowing they’re only as secure as our operating systems, which can be compromised by spyware and malware. There are a number of common techniques used to crack passwords.

Dictionary attacks: These rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like John the Ripper or similar programs.

Cracking security questions: When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked.

Simple passwords: When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “1234567,” “12345678,” “123456789,” “princess,” “qwerty,” and “abc123.” Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research.

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.

There are a number of ways to create more secure passwords. One option is to create passwords based on a formula, using a familiar name or word, plus a familiar number, plus the first four words of the website where that password will be used. Mix in a combination of upper and lowercase letters, and you have a secure password. Using this formula, your Bank of America password could be “Dog7Bank,” for example. (Add one capital letter and an asterisk to your password, and it can add a couple of centuries to the time it would take for a password cracking program to come up with it.)

Password managers can also help generate and store secure passwords. Some people like Lastpass. Another incredibly efficient and secure service is Roboform, which has a “Generate” tab in its browser toolbar that creates passwords that can’t be guessed, like “ChF95udk.” All your passwords are backed up on a secure encrypted server and can sync on multiple PCs.

It is just as important is to make sure your PC is free of malicious programs like spyware and keylogging software. Beware of RATs, or Remote Access Trojans, which can capture every keystroke typed, take a snapshot of your screen, and even take rolling video of your screen with a webcam. But what’s most damaging is the possibility of a RAT gaining full access to your files, including any passwords being stored by a password manager.

Use antivirus and anti-spyware software and firewalls, and set up your PC to require administrative rights in order to install any new software.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers using social engineering to hack email on Fox News. Disclosures

Strong Passwords Aren’t Enough

I’ve said it before, use upper and lower case, use number and letter combinations and when possible, if the website allows it, use special characters. It has been documented that “Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.”

It is great advice to strengthen your passwords. It is just as important is to make sure your PC is free of malicious programs such as spyware and key-loggers.  Beware of RATS a.k.a “Remote Access Trojans.” RAT’s can capture every keystroke typed, take a snapshot of your screen and even take rolling video of your screen via a webcam. But what’s most damaging is RATs gaining full access to your files and if you use a password manager they have access to that as well.

RAT’s covertly monitor a PC generally without the user’s knowledge. RAT’s are a criminal hackers dream and are the key ingredient in spyware. Common RAT’s are the LANRev Trojan and “Backdoor Orifice”.

Installing RAT’s can be done by full onsite access to the machine or remotely when the user opens an infected attachment, clicking links in a popup, installing a permissioned toolbar or any other software you think is clean. More ways include picking up a thumb-drive you find on the street or in a parking lot then plugging it in, and even buying off the shelf peripherals like a digital picture frame or extra hard drive that’s infected from the factory. The bad guys can also trick a person when playing a game as seen here in this YouTube video.

An unprotected PC is the path of least resistance.  Use anti-virus and anti-spyware. Run it automatically and often.

A PC not fully controlled by you is vulnerable. Use administrative access to lock down a PC preventing installation of anything.

Many people leave their PC on all day long. Consider shutting it down when not in use.

Robert Siciliano personal security expert to Home Security Source discussing Digital picture frames with built in viruses on Fox News. Disclosures.

Most People Don’t Understand Cyber Threats

Robert Siciliano Identity Theft Expert

Michael Chertoff, who ran the Department of Homeland Security from 2005 to 2009, says there’s a reason that computer security isn’t up to the threat posed by cyber criminals: Doing it right is too complicated for most people.

“You have to offer people solutions that they are comfortable with,” he said.

Cybercrime is a huge problem that the majority of people who have a connection to the internet aren’t prepared to deal with.

While securing ones PC isn’t a daunting task once you understand the process. For most people, protecting ones PC is beyond the capacity of most computer users. The main issue is that the companies that develop this technology aren’t effective at explaining how things work in simple terms.

Educating users on the terminology is like learning a second language and for most people is near impossible due to life’s existing constraints. Which means technology companies have to do a better job of providing solutions that people are comfortable with that require little or no additional skills.

Here is an attempt at increasing your security vocabulary:

1. Run Windows Update: Or it may be called “Microsoft Update” on your PC. This is a free update to your operating system that Microsoft provides. There are two ways to access this. Either click “Start” then “All Programs”, scroll up the menu and look for the link “Windows Update or Microsoft Update.” Click on it. Your browser (Internet Explorer) by default will launch taking you right to Microsoft’s Windows Update web page and will begin the process of looking at your PC and checking to see what security patches you don’t have. Follow the prompts and click “Express” and let it lead you in the direction it wants. The goal here is for XP to end up with “Service Pack 3” installed. Or go to “Control Panel” and seek out “Security Center.” And click “Turn on Automatic Updates” and let Microsoft do this automatically. In Vista the process is similar and your goal is “Service Pack 1.

2. Install Anti-Virus: Most PCs come with bundled anti-virus that runs for free for 6 months to a year. Then you just re-up the license. If you don’t, then every day that the anti-virus isn’t updated, is another opportunity for criminal hackers to turn your PC into a Zombie that allows your computer to be a Slave sending out more viruses to other PCs and turning your PC into a Spambot selling Viagra.

3. Install Spyware Removal Software: Most anti-virus providers define spyware as a virus now. However, it is best to run a spyware removal program monthly to make sure your PC is rid of software that may allow a criminal hacker to remotely monitor you’re keystrokes, websites visited and the data on your PC.

4. Run Firefox: Microsoft’s Internet Explorer is clunky and the most hacked software on the planet. Mozillas Firefox is less hacked and more secure. Maintain the default settings keep the pop-up blockers and phishing filters on.

5. Secure Your Wireless: If you are running an unsecured wireless connection at home or the office, anyone can jump on your network from 300-500 feet away and access your files. Serious. The router has instruction on how to set up WEP or WPA security. WPA is more secure. If this is a foreign language to you, then hire someone or get your 15 year old to do it.

6. Install a Firewall: Microsoft’s operating system comes with a built in firewall. But it is not very secure. Go with a 3rd party firewall that is prepackaged with anti-virus software.

7. Use Strong Passwords: Little yellow stickys on your monitor with your passwords isn’t good. Use upper case, lower case, alpha-numeric passwords that you change up every 6 months.

Robert Siciliano personal security expert to Home Security Source discussing hacked email on Fox News.