Posts

Safe Online Shopping on Cyber Monday

It’s almost Cyber Monday, so tell me something – why do you shop online? Because it’s super convenient? Or because you get better pricing? Maybe it’s because you’re allergic to hand-to-hand combat on Black Friday? I’m a huge fan of shopping online to save time, money and brain cells. But if you have bad surfing hygiene, you’re just asking identity thieves to go on a shopping spree with your money. And it’s so easy to avoid if you know how. Which you’re about to.

Thanks for joining me here on Sileo on Security, where we believe there’s no need to fear online shopping if you surf wisely. I want to share nine habits with you over the next three episodes that will keep your digital shopping cart safer than the real thing.

The first habit is just common sense. Please, stick to reputable websites with a proven track record. If you haven’t used the site in the past or if it isn’t a recognizable brand like Amazon, research before you buy! If you shop there in person, you’re probably safe online. When you buy only based on price, you generally get what you pay for. Cheap products, shipping charges, MALWARE! Also be careful about imposter websites with URLs that look almost exactly like the real one.

Next, always LOOK for the LOCK. If your browser doesn’t show a padlock in the URL bar and doesn’t start with the address HTTPS://, don’t fill out ANY forms or send ANY information via that website. The S in the address stands for secure, and everything else is just faking it! [No “S”, No $]

Third – you may get sick of hearing me say this one, but it’s so important to use strong passwords on all of your internet accounts. The easiest way for a hacker to spend your money is to crack your account because your password is your dog’s name, a word in the dictionary or something thieves can find on your MySpace profile. You don’t still have a MySpace profile?

Your One-Minute Mission today is quick and easy. Log in to the ecommerce websites you shop on most often – so for me, in order, I’d go to Amazon, Zappos, DaintyCandles.com, PayPal – you know, the usual suspects. Once you login, make your password longer and stronger than it already is. Just doing this, occasionally changing your passwords, makes thieves work a whole lot harder for those candles.

And then, as you always do, make sure that you tune in for the next episode of SOS, where I’ll give you intermediate steps to protect your online identity.

All of us at The Sileo Group wish you a happy and healthy holiday season!

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Ransomware: Cyber Security Expert’s Next Big Threat

Ransomware: A Vital Course on the Next Big Cyber Threat

Ransomware is pretty much exactly what it sounds like: it holds your computer or mobile phone hostage and blackmails you into paying a ransom. It is a type of malware that prevents or limits users from accessing their system and forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems or to get their data back.

It’s been around since about 2005, but earlier this year, the FBI issued an alert warning that all types of ransomware are on the rise. Individuals, businesses, government agencies, academic institutions, and even law enforcement agents have all been victims.

Crowti (also known as Cryptowall), and FakeBsod are currently the two most prevalent ransomware families. These two families were detected on more than 850,000 PCs running Microsoft security software between June and November 2015. Another to take note of is known as Fessleak, which attacks Adobe Flash flaws. It is a “malvertising” trend that pushes fileless exploit into memory and uses local system files to extract and write malware to disk from memory.

How Ransomware Paralyzes Your Computing

There are different types of ransomware. However, all of them will prevent you from using your computer normally, and they will all ask you to do something (pay a ransom) before you gain access to your data. Ransomware will:

  • Lock your desktop or smartphone and change the password or PIN code
  • Encrypt important files so you can’t use them (photos, taxes, financials, My Documents, etc.)
  • Restrict your access to management or system tools (that would allow you to clean the computer)
  • Disable input devices like your mouse and keyboard
  • Stop certain apps from running (like your anti-virus software)
  • Use your webcam to take a picture of you and display it on screen or on a social network
  • Display offensive or embarrassing images
  • Play an audio file to scare you (i.e. “The FBI has blocked your computer for a violation of Federal law.”)

Common Ransomware Demands

  • Generally they demand money in order to unlock your system. Usually, they demand payment through an anonymous payment system like Bitcoin or Green Dot cards, and promise to give you the key if you pay the ransom in time (for example, $17,000 to be paid within 72 hours was the demand given to the Hollywood Presbyterian Hospital, which had all of it’s life-critical medical records frozen)
  • Sometimes the ransomware shows a “warning from the software company” telling you that you need to buy a new license to unlock your system. Other times, ransomware will claim you have done something illegal with your computer, and that you are being fined by a police force or government agency. These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your computer and files.

How to Prevent Ransomware Blackmail

The best way to avoid downloading malware is to practice good computer security habits:

  • Create an offsite backup of your files. Seriously, right now. And make it automatic, so that it happens at least once a day. An external hard drive is one option, but be sure to disconnect it from the computer when you are not actively backing up files. If your back-up device is connected to your computer when ransomware strikes, the program will try to encrypt those files, too. If you have a secure cloud back service that encrypts your files before sending, consider using that as an offsite backup.
  • Don’t click on links or open attachments in an email unless you know who sent it and what it is. Instead type the URL of the site you want directly into your browser. Then log in to your account, or navigate to the information you need.
  • Make sure your software is up-to-date.
  • Don’t download software from untrusted sources.
  • Minimize “drive-by” downloads by making sure your browser’s security setting is high enough to detect unauthorized downloads. For example, use at least the “medium” setting in Internet Explorer.
  • Don’t open “double extension” files. Sometimes hackers try to make files look harmless by using .pdf or .jpeg in the file name. It might look like this: not_malware.pdf.exe. This file is NOT a PDF file. It’s an EXE file, and the double extension means it’s probably a virus.
  • Install and use an up-to-date antivirus solution.
  • Ensure you have smart screen (in Internet Explorer) turned on.
  • Have a pop-up blocker running in your web browser.

If you Become a Victim of Ransomware

  • Stop work! TURN OFF YOUR COMPUTER! Shut down your entire network, if possible until help arrives. You can do this by turning off your switches or routers inside of your premises. Ask your IT professional before taking this step if you think that you might be interrupting service.
  • Contact an IT Security firm that can visit your office (or home) in person. Handling this type of problem over the internet is not advised, as it could exacerbate your problem.
  • If you have an offsite backup of your data, have the IT Security firm reinstall your backup and clean it of any ransomware before putting the data and computers back on the network.
  • Alert other people on your network, as any work completed after infection will be overwritten when the backup is restored.

There is conflicting advice regarding paying ransom. Truly, there is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again. Paying the ransom could also make you a target for more malware. On the other hand, if you have not backed up your files, you may have little choice. Almost 90% of the companies that we have studied as victims of ransomware end up paying the ransom to have their systems unlocked – but only about 50% of them ever receive the unlocking code promised. It’s a gamble, but if you don’t have an off-site backup, it’s probably one you are going to need to take.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Apple vs FBI: Why the iPhone Backdoor is a Necessary Fight

Apple vs FBI: Building a backdoor into the iPhone is like burning the haystack… 

I’ve been asked almost 100 times since Apple rejected the FBI’s request to break into the iPhone of the San Bernadino killers which side I support. I am a firm believer that the most complex problems (this is one of them) deserve the simplest explanations. Here is the simplest way that I can walk you through the argument:

  • If your immediate response, like many, is to side with Apple – “Don’t hack into your own operating system, it set’s a bad precedent” – then you have a good strong natural reflex when it comes to privacy. But don’t stop your thinking after your first reaction or thought, as it might be incomplete, because…
  • This is an intricate and nuanced balance between 1) personal privacy (don’t allow Apple or the FBI access into this particular phone), 2) public privacy (once Apple makes an exception for this case, the FBI (or Apple) could potentially open the iPhone in all cases), 3) security (by building in a backdoor for legitimate purposes, you will be opening it for hackers as well) and 4) national security (without access to this info, other terrorists might go undetected).
  • If it were your family member that had been murdered, you would probably agree that law enforcement should have every tool at their disposal to track down the murderers or criminals, and privacy be damned. You would also note that…
  • There are thousands of precedents for the FBI to obtain search warrants into suspects homes, emails, phone calls and the like. Ask yourself why this request is any different.
  • It’s a slippery slope. First the iPhone, then your encrypted password protection software, private Facebook history – you name it. The FBI’s solution is roughly the equivalent of giving the government a key to every home in America and letting them decide when to use it. By applying a broad brush stroke (build a backdoor into the security of every iPhone) when a fine-tipped pencil would be more than adequate (learning more about a single case – the San Bernardino killers and their connections), you forever  lose control of the master key. As was put so eloquently in an article by Wired (I cite this particular article because I agree with it), “Apple is not being asked to unlock an iPhone; it’s being asked to create software that would help the FBI unlock it.” To me, those are two completely different requests.
  • A backdoor would give law enforcement an additional tool to solve tens or hundreds of crimes, but in the meantime endangering the data of nearly a billion users. If Apple complies, what happens when China asks Apple to unlock a phone based on the earlier precedent – does Apple hand over information that could lead to political persecution? In other words…

Building a backdoor into the iPhone is the equivalent of burning the haystack to find a needle. You simply have to ask yourself honestly if the needle is worth the ashes. 

5 Possible Solutions in the Apple vs. FBI iPhone Backdoor Case

  1. Let it go. Sometimes you don’t have all of the evidence in a criminal case. Whether the murder weapon cannot be found or the iPhone data cannot be obtained, the case is resolved in other ways. The NSA (as exposed by Edward Snowden) has done nothing to engender our trust in government organizations collecting and using data on American citizens. They abused their powers of data collection in that case, so we all wonder why it would be any different in this case.
  2. Stop pretending that Apple can build a one-time backdoor. Encryption doesn’t work that way. Security doesn’t work that way. The minute you tinker, the entire house of cards falls and exposure becomes the rule, not the exception. If the information on the phone is important enough, at least admit you are willing to put the data of a billion people at risk.
  3. Upgrade your hackers at the FBI. I’ve had several white-hats hackers suggest that the iPhone can be cracked. Hackers are sometimes a cocky bunch (that’s what makes them good, by the way), but I’ve seen them hack almost every device possible with a creativity that would make Picasso proud, so I wouldn’t put it past them.
  4. Take this conversation off line. Ultimately, I think this question will be decided in back rooms where the public doesn’t get to see the answer (we are, in fact, a representative democracy where much of what happens does so behind closed doors). And frankly, I think it should be. There is too little awareness of the complexities we are dealing with here, and the emotional responses that we all have are only getting in the way.
  5. Do something, Congress! There are thousands of similar cases to be decided in the future and very little in the way of legislation to guide the way. Most of the laws being quoted in this case go back a half a century. Congress should catch up with technology and set some guidelines and oversight on the privacy vs. security question. We are a smart enough society to allow for gray areas in between a media that immortalizes black and white.

I believe that Apple is doing the right thing in standing their ground an not creating a system-wide backdoor into the iPhone. I also believe that the FBI is doing the right thing in trying to obtain every piece of information they can to resolve a past or future crime. This should not include a systemic hack of the iPhone or any computer system. The strength of our democracy is in the tension that exists between those two stances and the system of checks and balances that keep either position from being extreme.

I guarantee you that there is a way to set down the paint brush and pick up the pencil – to create a solution that impacts one phone, not millions – and that it is possible to balance public privacy with national security. It may not pertain to this particular case, but it will to all of those future cases waiting to happen. In the end, isn’t that what we all want? If you agree, write your Congressperson and ask them create laws that address the current privacy/security confusion.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

The Ashley Madison Hack: An Affair to Remember FOREVER

, ,

Come on, admit it. Don’t you feel just a little satisfaction watching 37 million adulterers exposed in the Ashley Madison hack? “They do kind of deserve to be cheated just a bit for being cheaters,” someone in one of my keynote speeches commented.

In this case, the hackers weren’t seeking money, they were seeking revenge. Their goal was to get Ashley Madison to shut down the site because they said it wasn’t living up to it’s own privacy policy (they weren’t). But to side with the hackers is a bit like saying it’s okay to pepper spray customers to keep them from going into a store you’re morally opposed to. In other words,  be careful when you condone the use of customers as pawns to fuel change. You just might be the next customer to become a victim, and your data could be just as sensitive (your medical records, divorce proceedings, kids’ geographical location or your online video viewing habits).

I, like many others, have a hard time feeling sorry for the consequences of the stupid and poor choices some have made. It’s not like the victims of the Ashley Madison hack are in the same category as the innocent mom who shopped for holiday presents at Target, or the senior citizen who had their Social Security number breached due to Anthem’s careless cyber security.

However, as someone committed to protecting moms and senior citizens and everyone else from experiencing the blowback from thieves, exploiters and liars, I just can’t stay away from this one. Because even non-users are ultimately effected by the Ashley Madison hack. 

How the Ashley Madison Hack Affects Non-Users Like You

  1. This hack has continued with the precedent set by the Sony hackers because they not only stole the information, but they are blackmailing the company by threatening to make the data public unless the company accedes to their demands (stopping the release of “The Interview” or shutting Ashley Madison down). And the blackmail often works, meaning that this trend will continue!
  2. Besides the effect of having divorce lawyers calling their Maserati dealer to order a new car, this has allegedly led to suicides and to the resignation of Noel Biderman, the chief executive officer of Avid Life Media Inc., the company behind Ashley Madison. After major breaches (Sony, Target, OPM, Ashley Madison), the highest executive becomes the sacrificial lamb.
  3. In addition to the database of users’ names, addresses and the type of extramarital arrangement they were looking for, hackers have also gotten information on 9,693,860 credit and debit card transactions conducted on the site since 2008, opening the doors wide for identity theftI can almost guarantee that this will affect someone in your life.
  4. Cyber extortion has erupted because Ashley Madison has gone on the offensive and offered a bounty for the “capture” of the enemy. The site is offering a reward of $500,000 for information that leads to the successful arrest and prosecution of the people who stole and leaked its data. This sets an alarming precedent of the weaponization of consumer information and the resulting retaliation.
  5. Perhaps the scariest consequence of all is that after the hackers followed through on their threat to make the information public (after AM officials called the hack bogus), enterprising coders created online tools that allowed anyone to easily search the breached Ashley Madison data to see if their friends, family, partners and spouses used the website. That almost guarantees that the breach data will be used to commit fraud (many times breached data is recovered before it is exposed on the open market).

If you are thinking, “serves them all right”, just realize that next time it might be your employer’s or bank’s website. It could be your doctor, your hospital or political organization. It could be the data from your child’s school. And it could be an affair you will never forget.

John Sileo is an an award-winning author and keynote speaker on cyber security, identity theft, internet privacy, and fraud. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Is Home Depot Data Breach an Example of the “New Normal”?

,

Home Depot Data Breach Exposes Our Growing Complacency

When Target suffered a data breach back in December of 2013, you couldn’t look at a news source without seeing a new story about it.  Yet when the Home Depot data breach was revealed recently, it received almost a ho-hum reception in the news.  This, even though, it was the biggest data breach in retailing history and has compromised 56 million of its customers’ credit cards!  It seems we have come to expect these data breaches to the point where we have become almost complacent.

Consumers, like the companies that breach our data, have become apocalyptic zombies, staring unquestioningly forward as we are attacked from all sides.

Even scarier is that it appears the retailer itself had become complacent. Former members of Home Depot’s cyber security team said the company was slow to respond to early threats and only belatedly took action.  It used outdated Symantec antivirus software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers. These are security oversights that most companies eliminated 5 years ago!

Another issue is that Home Depot performed vulnerability scans irregularly and often scanned only a small number of stores.  The former employees say that more than a dozen systems handling customer information were not assessed.  Home Depot has defended its actions saying that they have complied with industry standards since 2009 and those standards included an exception from scanning store systems that are separated from larger corporate networks.

This brings up a great point: Compliance with laws doesn’t equate to security for customers. And customers leave because of security breach – they could care less about compliance mumbo jumbo.

Yet another smudge on their record is they hired a security engineer, Ricky Joe Mitchell, who had been fired from his previous job.  In April, he was sentenced to four months in prison for disabling the computers for a month at that former employer.

After the Target breach, Home Depot brought experts in from Voltage Security, a data security company that introduced enhanced encryption that scrambled payment information the moment a card was swiped in some of its stores.  However, by that time it was too late; hackers had been stealing millions of customers’ card information and had gone unnoticed for months. The rollout of the company’s new encryption was not completed until last week.

Home Depot has just become a perfect case study of all of the ways that a corporation can fail to protect itself from breach. They make Target look like rocket scientists. In the meantime, those of us who are customers continue to pay their price for their ignorance and inability to take responsibility for their data.

John Sileo is an an award-winning author and keynote speaker on cyber security and data breach. He specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Cyber Security Webinar: What You Absolutely, Positively Need to Know (10/3/13)

, ,
register.jpg

Register Now for Deluxe/Sileo’s Free Cyber Security Webinar

On October 3, 2013 at 1pm ET, Deluxe and data privacy expert John Sileo will present a FREE Cyber Security Webinar – What You Absolutely, Positively Need to Know.

A 2012 survey by the highly respected Ponemon Institute found that 55% of small businesses had experienced at least one data breach in 2012. At the heart of this massive data loss is lax cyber security: an overly broad term that will no longer intimidate you after this webinar. Technology has evolved so quickly that many businesses and individuals find themselves behind the digital curve and overwhelmed by the prospect of protecting the very data that underlies their wealth. While in this state, decision makers tend to shut down, make excuses and assume that there is no reasonable, inexpensive way to protect themselves and their business. That assumption is not only wrong, it is dangerous.

This Webinar is designed to get you over the all-or-nothing hump when it comes to securing your cyber assets. In other words, you don’t have to “do everything” to be safe and you don’t have to spend profusely to get the job done well. Wise investment in the right places is both effective and critical.

In this FREE Deluxe Webinar, Cyber Security:. What You Absolutely, Positively Need to Know, you will learn changes you must make to protect 7 critical areas:

  • The human element. All security begins with the decisions we make. The best technology in the world is useless if it is used incorrectly.
  • Inside your network. Protection begins with the computing fabric, routers, hardware and firewalls, that support your network.
  • On your computer. This is where attention to detail makes the difference – at the point where business transactions take place across many devices.
  • As you go mobile. Before the decade is out, every type of data will be accessed from mobile devices. Prepare or beware.
  • When connecting wirelessly. An outgrowth of the mobile movement, secure connectivity over Wi-Fi, Bluetooth and other technologies is imperative to the privacy of your mission critical communications.
  • While transacting online. How you surf and what tools you utilize to navigate eCommerce safely make all the difference in the world.
  • In the cloud.With great power comes risk and responsibility. Informed decisions count as you migrate to web-based software to power your business.

register.jpg

John Sileo is a keynote speaker on identity theft, cyber security, online privacy and internet reputation. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. Recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.

Congress Fails to Limit NSA Surveillance Using Patriot Act Loophole

,

NSA Surveillance includes the collection of your phone and email records for the sake of detecting and disrupting terrorism. The practice has proven effective, but the scope of the data collected (every phone call and email available, even if you are innocent) has raised eyebrows.

Congress, in a rare show of bipartisan agreement, may be leaning toward limiting the amount of data the NSA can collect.

Rep. Justin Amash, R-Mich., backed by Rep. John Conyers, D-Mich., put forth an amendment that would restrict the NSA’s ability to collect data under the Patriot Act on people not connected to an ongoing investigation.  The action was initiated after Edward Snowden, a government contract worker, leaked highly classified data to the media, revealing that the NSA has secretly collected phone and email records on millions of Americans without their knowledge or consent.

The bipartisan support was counterbalanced by a bipartisan effort to defeat it, with both House Speaker John Boehner and House Democratic Leader Nancy Pelosi opposing it.  In the end, the amendment to a defense spending bill was narrowly defeated by a vote of 217-205.

Still, the close vote may be indicative of a changing viewpoint in Washington: that NSA Surveillance should have oversight.  As Rep. Jim Himes, D-Conn., an Intelligence Committee member stated, “I think as more and more people come to understand the breadth of the authorizations that the NSA and other intelligence agencies have, they start to get a little worried about the encroachment on their privacy, and that’s absolutely fair.”

Himes stressed that the NSA is not out of bounds with their actions. “They are acting pursuant to very clear authority under Section 215 of the Patriot Act,” Himes said.   (215 provides authority for the surveillance programs.) But, he said, “that law is too broadly worded and being interpreted a little broadly.”

When the Patriot Act was introduced, there was an implicit understanding that the bill would come with a sunset period. In other words, the Act would be rolled back as the threat diminished. That rollback has never really taken place, and the NSA continues to exploit our short term memories by utilizing 215 to gather more information than the average American, heck, the average Congressperson, would be comfortable with. Once power is given, it’s exceptionally difficult to take it back. But Congress may be moving in the right direction.

Will Adams, Amash’s press secretary pointed out, “It was the first time that either house of Congress has gone on the record concerning NSA’s blanket surveillance since the NSA leaks started coming out.” He continued, “We got 205 votes despite the fact that we were up against the entire establishment in Washington…The civil liberties of Americans is not a partisan issue.”

Bill sponsor Conyers said in a statement to reporters, “This discussion is going to be examined continually … as long as we have this many members in the House of Representatives that are saying it’s ok to collect all the records you want just as long as you make sure you don’t let it go anywhere else. That is the beginning of the wrong direction in a democratic society.”

Despite the defeat, the debate has led to talk of cutting funding and denying the NSA the authority to continue its data collection. Talk in Washington, however, seems to be fairly cheap. Rep. James Sensenbrenner, R-Wis., cautioned the administration that if it “continues to turn a deaf ear to the American public’s outcry, Section 215 will not have the necessary support to be reauthorized in 2015.”  He further stated, “The proper balance between privacy and security has been lost.”

I’m not suggesting that the entire NSA program be scrapped, I’m simply asking for more transparency as to what is being gathered, and a certain assurance that private data is only being collected and retained on suspects actually under suspicion, not on every American citizen.

John Sileo is a cyber security keynote speaker and CEO of The Sileo Group, a privacy think tank that trains organizations to harness the power of their digital footprint. Sileo’s clients include the Pentagon, Visa, Homeland Security and businesses looking to protect the information that makes them profitable.