Posts

Leaky WiFi leaks App data

Recently a settlement was obtained between 2 companies with the FTC. The charge was that these organizations failed to secure their mobile apps, which put consumer’s private data at risk.

5WThe FTC says that these companies disabled the SSL certificate validation. This default process confirms that an application’s communications are secure.

Because the SSL was disabled, the apps were made prone to cyber attacks, in which crooks could steal data like SSNs, home addresses and credit card information.

These attacks are the man-in-the-middle type and are a particular threat to unprotected public Wi-Fi (hotels, coffee houses, etc.).

If you use your mobile on an unguarded network, a crook can get in between you and the site you want to visit, and pose as you and communicate with the intended site. Posing as you, he can then manipulate your data. The scoundrel can also make your mobile visit a fraudulent site that you think is legitimate and lure you into entering personal information.

A website is secure if the site address begins with “https.” However, the smartphone’s small browser discourages users from checking this. And crooks know this.

Of particular interest to criminals is texting between banks and companies that utilize a one-time password. The crook can intercept this transaction and gain access to sensitive data. He can actually redirect an intended wire transfer to his account.

All of this can be avoided by avoiding online financial transactions with a mobile device on public Wi-Fi. Don’t even visit your bank’s site. Also don’t send personal information via e-mail on public Wi-Fi. If you must conduct mobile transactions in public, buy a Wi-Fi device, get a VPN like Hotspot Shield or use your carrier’s 3G or 4G network.

Finally, install anti-malware programs on your mobile, especially if it’s an Android. Don’t just sit back and assume that the app makers, app sellers and other businesses are going to take care of all of this for you.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

7 Lies You tell Yourself about Your Wifi

…think again, even if most of your wireless network activities revolve around your personal and family life. There are seven lies about wireless protection; have you fallen prey to any of them?

1W#1 “I’m protected with my password.”

Even an amateur hacker can get past a password. Don’t think that WEP (wired equivalent privacy) can keep out hackers. It’s outdated. Its encryption abilities are flawed. Avoid WEP. Use WPA or WPA2. If you are on a free Wifi get Hotspot Shield VPN which protects your entire wireless session.

#2 “My ISP set up my wireless network, so it must be safe.”

Do you really think that big stupid cable company that’s can’t get a simple customer service call right really has your back? Many ISPs and equipment makers often use WEP as default protection—even big ISPs. Technicians who install your service usually do not automatically install a stronger encryption technology, and you end up getting hacked.

Nevertheless, ISPs and equipment manufacturers are slowly coming around to realizing this problem. More recent wireless gateways and also routers are using WPA for the default. If you have WEP, you may need to change it manually. Don’t assume you automatically have WPA. Find out if you have WEP or WPA. If your router is old, you may need to buy a new one to get WPA.

#3 “Breaking into my wireless is too expensive and difficult.”

Not anymore. A determined hacker can use a plain ‘ol laptop to crack long passwords. Tools are available for free or just a few bucks to do all the dirty work. All Mr Hacker needs to get going is to download free tools to carry out the deed.

#4 “Nobody wants to bother hassling around trying to break into my wireless; it’s not worth it.”

It may seem complicated to you, but not to an experienced hacker. Give him just 5-10 minutes and your wireless network could be in his hands. Even a beginner hacker could crack through your network in under an hour, courtesy of online tutorials. You need superb protection, not just good.

#5 “My credits no good, I’m small potatoes. Nobody is paying attention to me. I’m safe.”

A bored hacker who wants some fun doesn’t care if your data is highly sensitive government information or your kid’s soccer team standings. Just knowing he busted into your private life is enough to thrill him.

#6 “I have firewalls and my computer is patched.”

A “man-in-the-middle” attack can gain a hacker invasion of your communications. This type of attack is stealthy and slick, bypassing the victim’s human radar.

#7 “I’ll see a hacker in front of my house and stop him.”

No, you won’t. Your wireless boundaries don’t stop at your front door; they can extend to neighboring space, meaning that your signal “bleeds” out—horizontally and even vertically. Savvy users know they can stretch the bleed into a few blocks’ distance via cheap antennas. So down your street your attacker may be sitting inconspicuously in his car.

Hopefully your awareness of these lies you tell yourself has prompted you to take measures to upgrade your wireless network’s security with the right design and implementation.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

How To Stop Criminal Hackers In Their Tracks

Do you offer free WiFi? Put these three safeguards in place to protect your customers and your business.

3DOn a recent trip from Boston to New York on an Acela Express train, I was writing blogs and doing some research using Amtrak’s free wireless Internet. “Free” usually translates to “unsecured,” which means a criminal hacker with the right hardware and software could have sniffed out my wireless communications and grabbed my data. That same hacker, depending on my device’s firewall, setup and sharing settings, might also have been able to access my drive and files and even plant a virus on my device.

But I wasn’t worried because I use a virtual private network software that allows me to surf on an unsecured connection.

Amtrak also knows its free wireless is risky for its users, so before you can use it, you have to agree to the terms and conditions of the Wi-Fi’s use that indemnify Amtrak.

Protecting Your Business

Free wireless is everywhere, because Wi-Fi brings in customers and is a great tool to help create customer loyalty as well. Numerous merchants, including hotels, coffee joints, fast food places and numerous others with a storefront, offer free Wi-Fi to attract people and increase sales.

But it has its downsides, too. If you’re offering it in your place of business, you need to understand that your access point can be used for criminal activity—and to hack your own business, too.

So what are criminals looking for? Criminals connect to free Wi-Fi for:

  • Pirating music, movies and software via P2P programs. This criminal activity costs the recording and motion picture industries billions of dollars every year. The Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) are cracking down on any IP address associated with illegal downloading and will come after your business too.
  • Child pornography. Law enforcement spends lots of time in chatrooms posing as vulnerable kids, chatting it up with pedophiles who buy sell and trade in child pornography. If your IP address is used for this purpose, you will get a knock on the door with a battering ram.
  • Criminal hacking. Bad-guy hackers look for vulnerabilities in others’ devices when using free Wi-Fi networks. They steal keystrokes, usernames, passwords and account info, and install spyware and viruses.

You’re not powerless against these hackers. These three safeguards are the first hurdles you can put in place to secure your company’s Wi-Fi:

1. Use a web proxy/filter. IT security vendors sell software that filters out or blocks known websites and prevents the sharing of P2P files. For more details on what kind of information can be accessed, search “internet access control software” to find a suitable vendor.

2. Add an agreeable use policy. There are numerous phrases a small business can incorporate into an agreeable guest use policy. You may want to include such language as “User agrees not to …”

  • Willfully, without authorization, gain access to any computer, software, program, documentation or property contained in any computer or network, including obtaining the password(s) of other persons. Intercepting or attempting to intercept or otherwise monitor any communications not explicitly intended for him or her without authorization is prohibited.
  • Make, distribute and/or use unauthorized duplicates of copyrighted material, including software applications, proprietary data and information technology resources. This includes the sharing of entertainment (e.g., music, movies, video games) files in violation of copyright law.

You may want to search for and read other business’s agreeable use policies in order to help you compose your own. And be sure to have your lawyer or legal department review it before you begin having customers agree to it.

3. Implement a secure Wi-Fi. Wi-Fi that requires users to log in with a username and password to charge even a dollar will then have their credit card number on file. This would mostly eliminate any anonymity, thus preventing numerous e-crimes.

Don’t think for a second something bad can’t happen to your business. Performing due diligence, knowing your options and implementing these barriers will keep both you and your customers from legal troubles and from getting hacked.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

WiFi Security Truths and Falsehoods

Security truths evolve—meaning, they change, and you must keep up with this, particularly with wireless security. Advice for wireless security can quickly become outdated. There are actually three big wireless security myths swirling around.

3W#1. Limit the IP address pool to restrict number of devices that can connect.

Even if your cable company tech recommends this, it’s no good. The unfounded idea is that when the range of allowable IP addresses is limited, this makes it hard for hackers to connect. However, the size of the pool doesn’t matter because hackers can just determine which IP addresses are open and use those.

#2. Hide your network’s SSID to conceal it from hackers.

Nope, this won’t work either. Wireless routers broadcast their service set identifiers (SSIDs); your device shows these so you can see which Wi-Fi options are in range. The idea is to hide your network’s SSID to prevent hackers passing by from using them.

However, most devices today see networks even if the SSID is concealed. An apparently unavailable SSID won’t stop a hacker. If you think there’s no harm in blocking the SSID nevertheless, think again: Hiding it may make your network more appealing to the criminal, kind of like hiding the cookie jar—something must be pretty rewarding in there.

#3. Enable MAC address filtering to select who can connect.

Sounds like a plan, but it isn’t: Using router settings to enter the MAC (media access control) address of every device that connects to your network; entering the MAC address will permit only users with these addresses to gain access to your router, thereby keeping hackers off-limits.

But forget this hassle because all a hacker need do is analyze a network, identify allowable MAC addresses, and he’s in.

Security that actually works

  • Go for encryption—and the best, at that—for your router. The best currently is WPA2. Coupled with a strong password, this is a winning security plan. A strong password has at least 12 characters combining letters (upper and lower case), numbers and symbols. Get new hardware if your router doesn’t support WPA2.
  • VPN—a virtual private network such as Hotspot Shield VPN provides private communication over a public network. Transmissions of sensitive data will be private, such as between you (at home) and your employer.
  • VPN again, but this time, one you can use for when you’re using your device in unprotected public realms such as an airport or coffee shop. Using your device in public makes your data vulnerable to hijacking. This type of VPN protects you from hackers and other voyeurs from peeping in on your web surfing activities, credit card information, messages, etc.

Protect all your web surfing activities with a VPN, which secures your connection not only at home but in public (wired and wireless). Your identity is protected with a free proxy by providing HTTPS to secure all of your online transactions.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Small Business Protect Your Wifi

With Wi-Fi, your data is literally in the air, up for grabs by anyone with the right tools. It needs protection from nearby users who may want to freeload off you (which can slow you down) or…hijack your accounts. You need encryption.

1WEspecially when you’re connected in airports, hotels, coffee shops, etc., almost always the connection is not secure.

Wi-Fi Security Options

Varying security levels are provided by WEP, WPA and WPA2. WEP is not secure. WPA provides moderate protection. WPA2 is the best. But you can use both WPA and WPA2. Use the “personal mode” (for one or two users) of WPA/WPA2 with a long, non-dictionary word passphrase.

For more than a few users, the “enterprise mode” is suitable, but requires a server. It has stronger security than personal, and each Wi-Fi user has his or her own password and username. Enterprise prevents snooping and hijacking among your organization’s employees.

Personal: To enable personal mode WPA2 on a wireless router, create a passphrase on access points or the wireless router. Type the IP address of each AP or router into a web browser to log into the control panel of each AP or router. Then enable WPA2-Personal with encryption/cypher type by finding the wireless security settings. Create a non-dictionary-word long passphrase—which is required to connect to the Wi-Fi.

Enterprise: You need a RADIUS server to get WPA/WPA2-Enterprise going. A hosted service will set up the server if you can’t. Some APs have built-in RADIUS servers. After the RADIUS server is all set up, input a password (shared secret), etc., for each AP or router. Input usernames and PWs for your organization’s Wi-Fi users into the RADIUS server.

Configure each AP or router with authentication and security settings. Log into the control panel of each AP or router by typing its IP address. Find the wireless security settings; enable the enterprise WPA2 (“WPA2”). Enter the IP address; input the password (shared secret). Users can now connect.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Another Reason To Secure Your WiFi

Sounds crazy but in every presentation I do I stress the importance of making sure your wireless connection is secured to prevent sex offender neighbors or whackos parked in front of your home or business from surfing for child porn and downloading it to your PC or theirs via your internet connection.

The AP reports in Buffalo NY “Lying on his family room floor with assault weapons trained on him, shouts of “pedophile!” and “pornographer!” stinging like his fresh cuts and bruises, the Buffalo homeowner didn’t need long to figure out the reason for the early morning wake-up call from a swarm of federal agents.”

Guys wireless got jacked by a child pornographer.

Once a predator uses your Internet connection to go to into the bowels of the web, your Internet Protocol (IP) address, which is connected to your ISP billing address, is now considered one that is owned by a criminal. If law enforcement happens to be chatting with that person, who’s using your Internet connection to trade lurid child porn, then someone may eventually knock on your door at 3 AM with a battering ram. Hackers can use a virus to crack your network and gain remote control access, and then store child porn on your hard drive.

This is the kind of “breach” that can cost you thousands in legal fees, your marriage, relationships, your job, and your standing in society.

Anyone using an open unsecured network risks exposing their data or having it used as a portal for committing crimes over the web. There are many ways  for a bad guy to see who’s connected on wireless and to gain access to their information.

When setting up a wireless router, there are two suggested security protocol options. WiFi Protected Access (WPA and WPA2) which is a certification program that was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy.

Follow your routers instructions to set up its security or find yourself a 14 year old to do it for you.

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover.

Hacking Wireless for Identity Theft

The ability to connect wirelessly has a lot to do with the indispensability of the Internet in our daily lives. Wireless Internet is available in our homes, offices, cafes, restaurants, parks, hotels, airports, cars, and even airplanes. The mobility factor allows us to work anytime, anywhere, on numerous devices. “Being connected” is at an all-time high.

Wireless Internet is amazing. But is it safe?

The short answer is: no. Wi-Fi was born to be convenient, not secure. Unsecured, unprotected wireless is everywhere. When a device connects to unprotected Wi-Fi, all the data stored on that device is available to a hacker with the proper sniffing tools.

The longer answer is: it depends on what kind of wireless we’re talking about. I’m going to speak in generalizations, since most of this is debatable and at this point, there are no absolutes when it comes to wireless security. So here we go.

Free, unsecured Wi-Fi is the least secure. Any Wi-Fi connection, whether in public, at home, or in the office, that is shared with anyone with any wireless device, lacks encryption of the data packets streaming from the connected devices.

A simple Firefox add-on called Firesheep can allow anyone with a Firefox browser to sniff out other devices using the same Internet connection, and to spy on their browser activity. Even if the victim’s login is encrypted, once they visit an unencrypted site, their data becomes vulnerable.

Home or office Wi-Fi with a WEP encryption is slightly more secure. Wired Equivalent Privacy was introduced in 1997 and is the original version of wireless network security. But WEP has been cracked, hacked, and decimated.

Home or office Wi-Fi with a WPA encryption is better. Wi-Fi Protected Access is a certification program that was created in response to several serious weaknesses researchers found in WEP, the previous system. WPA and WPA2 are tougher to crack, but not impossible.

Mobile Broadband has a degree of encryption that has been cracked, but the necessary hardware isn’t widely deployed by criminals. Researchers have demonstrated how the system can be hacked, but it’s still more secure than other options.

For the most security, use WPA2 wireless Internet from a home or office environment that isn’t internally shared. If you must go online while traveling, use your carrier’s mobile broadband and forgo the hotel or café’s free wireless.
Identity theft can happen to anyone, regardless of how they connect to the Internet.

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet