Posts

Google Docs Phishing Attack is a New, Dangerous Way to Hook You

,

Every day, millions of people are targeted with phishing emails, convincing emails that look like they are coming from legitimate friends or trusted corporations but contain malware embedded in links or attachments. It’s so common that it hardly even makes the news anymore. However, Google was the latest target and it’s big news.

Why? Because this was an usually sophisticated email scam appearing in Google’s own system, rather than in a fake website. A phishing attack usually only involves a malicious link within an email. In this case, however, the scam combined a phishing attack and a worm, using a deceptive email to get people to open the door to malicious code that then “wormed its way” into their messaging programs to spread itself to others.

In other words, someone created a malicious app in the system itself. It impersonated Google Docs—a cloud-based platform for sharing and editing documents—by telling a user that a contact had shared an online document with them via email. After clicking that link, users were sent to an actual Google web address, which then asked for authorization to run the app. That action resulted in sending the same emails to everyone in their contacts.

Because the request came from someone the user trusted (a friend or contact whose account had been taken over) and because the link directed to a trusted source, it made it exceptionally difficult to identify it for the phishing scam it was. This takes phishing detection to a whole new level.

The campaign affected more than one million people, fewer than a tenth of a percent of Gmail users, and was stopped within an hour. “We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts,” Google said in a statement. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.”

From here, see my notes about what to do if a victim and how to beware in the future and add your closing.

 

Roomba Selling, I Mean Sharing our Home Data?

What a difference a word makes. On July 24, Reuters published a story about an interview with Colin Angle, the CEO of iRobot Corp. They are the makers of Roomba, the popular robotic vacuum. In the interview, Angle excitedly talked about all the benefits that could come from using the data Roomba collects (think the dimensions of a room as well as distances between sofas, tables, lamps and other home furnishings) to share with other Smart Technology such as home lighting, thermostats and security cameras. The rest of the article went on to talk about market competition, potential future developments, stock prices, and, oh yeah, a brief nod to security concerns.

When asked about those concerns, Angle said iRobot would not be sharing data without its customers’ permission, but he expressed confidence most would give their consent in order to access the smart home functions.

The problem though is that the writer did not use the word “share”. Instead, he used the word “sell”—as in iRobot would be selling our data to the likes of Amazon, Apple and Google. (You won’t find that in the article now as Reuters printed a retraction a few days later—after privacy advocates went crazy!)

When Angle was questioned by others about this policy, he made it as clear as could be:

“First things first, iRobot will never sell your data. Our mission is to help you keep a cleaner home and, in time, to help the smart home and the devices in it work better. There’s no doubt that a robot can help your home be smarter. It’s the data it collects to do its job, and the trusted relationship between you, your robot and iRobot, that is critical for that to happen. Information that is shared needs to be controlled by the customer and not as a data asset of a corporation to exploit. That is how data is handled by iRobot today. Customers have control over sharing it. I want to make very clear that this is how data will be handled in the future.”

While Reuters might have misinterpreted Angle’s comments when it came to the selling of the data – the supply of the data available to potentially provide to companies is not in question. The debate turns from outrage at a company invading our privacy to the very real need to take a good look at our own practices and what we are (knowingly or not) allowing companies to do with our data. We have to be willing to take control of our data:
– limit what we give away
– change our defaults so as to not “permit” companies to share what is collected
– speak up against and, if needed, boycott the products that don’t meet our privacy demands.

Likewise, this is a call to businesses to take responsibility for using data to their advantage but only if they have transparently let their customers know how it is being used and giving them the control (not just through changing default settings!)

Ready for your closing…and do you still want to use this somewhere?
The ironic thing is that we give away ten times as much about ourselves on FB and don’t think twice about it. Opinions really change when they threaten to get inside our homes, not just our friends.

Beware Disaster Scams in the Wake of Hurricane Harvey

Identity thieves prey on those who are most vulnerable. You may be in the process of cleaning up your lives, but predators running disaster scams may want to clean up on you by stealing your valuable private information.

As we learned from Hurricane Katrina and Superstorm Sandy, one of the most despicable side effects of a natural disaster is the massive increase in reported cases of identity theft in the affected areas. Thieves take advantage of those who are vulnerable, and those who have suffered flooding, wind damage and the effects of the storm are more vulnerable than ever. Imagine how devastating it would it be to apply for a line of credit to help your family recover from the storm only to find out that your entire net worth now belongs to a thief.

Here are some of the highest priority actions for victims of Hurricane Harvey to take once they have taken care of their immediate safety needs.

Secure your personal information immediately.  Clean-up crews will be heading to the area. MOST are good-hearted volunteers, but some are coming with the intent of looking for physical clues to help them steal identities.  In your distress, you may not even know what to think of.  Be sure you’ve accounted for:

  • Social Security cards, statements or related documents
  • Birth certificates, passports and drivers licenses
  • Wallets, purses, checkbooks and boxes of extra checks
  • All financial records, including bank, brokerage, mortgage, credit card, and insurance
  • All digital devices containing sensitive information, including laptops, computers, smartphones, iPads, etc.

Beware of people offering “help” falsely using recognized names like FEMA or Red Cross.  Organizations like this will never contact you; the only time they ask for money or any personal information is after you have contacted them.  The key here is to be skeptical if anyone is asking for your personal information, even as part of emergency relief. Ask enough questions that you can verify who they are, their intentions and their credibility. Do not just give away information in exchange for a promise (e.g., “This is how you will get a reimbursement from the government”). Make sure they are who they say they are.

As a side note, for those of you who are not disaster victims but want to help, the same rule applies: you should contact the agencies.  Don’t fall for phone solicitations or pleas via email that may lead you to fraudulent websites. One key to look for is “.org” that most non-profits use rather than “.com” in the address.

Beware of fly-by-night contractors offering cheap or quick repairs.  To protect yourself, check on the business.  Make sure they have a permanent business address, carry insurance, and have been in operation for more than a year.  Very importantly, get a written contract before you give out any money!

Place a Fraud Alert on Your Credit File. Immediately place a Fraud Alert with all three credit-reporting bureaus (listed below). This is only a temporary solution, but a necessary step. Once the water has receded, consider freezing your credit.

Order & Monitor Your Credit History. By law, you are entitled to one free report from each agency once a year. The easiest way to get a report is to visit AnnualCreditReport.com or call 1-877-322-8228. You can also request your first report when you are placing a Fraud Alert on your account in Step 1, above. Review your credit report for signs of theft or fraud. If you discover irregularities (accounts you never opened, loans that aren’t yours, credit cards you don’t recognize), contact the credit bureau immediately to report fraud, as well as the company listed in the credit report.

Monitor Your Statements Online. Half of the battle in minimizing identity theft is catching it quickly after it happens. Online bank, credit card and brokerage statements will allow those with Internet access to monitor and detect suspicious transactions on a daily basis. If you have access to the Internet, check your bank, credit card and investment statements to make sure that you recognize every transaction.

Resist the temptation to click on photos from questionable sites.  We are a society that thrives on sensationalized images.  However, some of those dramatic photos we want to know more about are infected with malware.  Stick to legitimate news sites and be especially wary of links on social media sites.

Remember to make safety a priority in every area of your life as you work your way through this trying time.  Our hearts are with you.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Cyber Security Experts: NotPetya isn’t Ransomware – It’s Cyber Warfare

CYBER SECURITY EXPERTS SCREAM: IT’S NOT ABOUT MONEY, IT’S ABOUT INFLUENCE!

What will it take for the world to believe that cyber warfare, like the latest NotPetya Attack, is real and it is HERE NOW?

Will it take your company ceasing operations for the day, as hundreds of companies in at least 64 countries were forced to do?

Will it take your long-awaited surgery being cancelled, as occurred for many patients at Heritage Valley Health Systems in Pittsburgh?

Or will it ultimately take people dying (think power grids, airport operations, nuclear power plants being controlled) before everyone takes notice?

We read the headlines: another ransomware attack has hit– blah, blah, blah. It almost gets annoying hearing about them! Until you really think of the implications above. Yes, this time it mostly affected Ukraine, but someday, it will be YOU AND ME!

So, back to a brief recap in case you are one of the people who skipped the headlines. (Hopefully I’ve scared you just a little bit now so you’ll care to read on)

  • On Tuesday, May 27, 2017, an attack was launched which at first appeared to be a follow up to the WannaCry ransomware attack.
  • Ukraine was the main target (the attack appeared to have been intended to hit the day before a holiday marking the adoption in 1996 of Ukraine’s first Constitution after its break from the Soviet Union) but it quickly spread to other countries, even a few in Russia (which came through fairly unscathed…hmmm)
  • At first, ransomware notices appeared, but researchers soon determined those were probably a smokescreen to hide the fact that this is cyber warfare, not a new version of Petya that spread in 2016. Matt Suiche from Comae Technologies notes: “We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.”

So it’s cyber warfare, not ransomware—what does that mean?

  • NotPetya is a destructive disk wiper – THEY DON’T CARE ABOUT THE MONEY, BUT ABOUT DESTRUCTION AND DISRUPTION. It is more an instrument of war than of finance.
  • It does not delete any data but simply makes it unusable by locking the files and then throwing away the key. The end result is the same; you never get a chance to recover your files.
  • It is used for political purposes and for their destructive effects, not for monetary gain.

Could it have been prevented?
YES, YES, YES!

Microsoft released patches related to these known vulnerabilities in MARCH! Obviously, some companies and individuals chose not to deploy these fixes, because they continue to think that they won’t pay the price (or they just aren’t paying attention). Attacks like this prey upon KNOWN VULNERABILITIES that could have and should have been solved last year. A good patch-management protocol would have eliminated the threat from your organization, period.

Cyber security experts like myself suggest the following steps to ensure you are as prepared as possible against future attacks:

  • Enforce effective password protection or implement password management software to ease the convenience burden
  • Segment your network so that all areas are not connected all the time. When one area goes down, you haven’t lost your entire computing footprint.
  • Define your critical data and know where it lives (servers, cloud, laptops, databases, mobile devices, workstations, etc.)
  • Apply security patches religiously and regularly according to a well-thought out roll-out plan that minimizes downtime
  • Implement multi-factor authentication for employee logins
  • Have commercial-grade backups so that if you have to restore your entire data organization, it can be done quickly and effectively. Test your backup protocol annually to make sure it works when needed.
  • Ensure that you have a firewall between you and the internet (preferably configured to default deny everything but legitimate traffic)
  • Keep anti-virus, 3rd-party spam filters and intrusion detection software up-to-date as well as workplace applications
  • Provide memorable security awareness training regularly for your employees

Listen, I’m telling you now that next time, it will be your data that is locked up, and at that point it will be too late, unless you have taken the steps above (and others) to defend the data that pays your check every week.

John Sileo is an an award-winning author and keynote speaker on the human element of cyber security. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Internet Providers Lose Right to Sell Your Privacy (But Facebook & Google Still Can)

“There is a basic truth: It is the consumer’s information. It is not the information of the network the consumer hires to deliver that information.” 

These were the words of Tom Wheeler, the chairman of the F.C.C., when it was announced that Federal regulators have approved new broadband privacy rules that require internet service providers like Comcast and Verizon to ask for customers’ permission before using or sharing much of their data. He went on to say that the information used “should be the consumers’ choice, not the choice of some corporate algorithm.”

Privacy groups were, of course, thrilled with the new rules, which move the United States closer to the stricter policies in European nations.  The industries that depend on online user data were not quite as happy, with the Association of National Advertisers labeling the regulations “unprecedented, misguided, counterproductive, and potentially extremely harmful.”

What does all of this really mean for consumers?

• A broadband provider has to ask a customer’s permission before it can tell an advertiser exactly where that customer is by tracking her phone and what interests she has gleaned from the websites she’s visited on it and the apps she’s used.

• Major broadband providers will have about one year to make the changes required by the new rules. After that, users will be notified of new privacy options through email or dialogue boxes on websites.

• The F.C.C. rules apply only to their broadband businesses.

• After the rules are in effect, broadband providers will immediately stop collecting sensitive data, including Social Security numbers and health data, unless a customer gives permission.

• For some less-private data, like names and addresses, there’s a more lenient approach. As with any online service, you should assume that broadband providers can use that information and you should “opt-out” of letting them do so.

• One “down side” to consider is that there is a chance that the removal of ads that allow for free and cheaper web services will result in those prices being passed on to consumers.

• Online ad giants, including Google, Facebook and other web companies, are not subject to the new regulations as the F.C.C. does not have jurisdiction over web companies. So Google does not have to explicitly ask people permission first to gather web-browsing habits, for example.

• AT&T, Verizon and Comcast will also still be able to gather consumers’ digital data, though not as easily as before. They will also still be able to purchase data from brokers.

Jay Stanley, senior policy analyst with the American Civil Liberties Union (ACLU) summed it up pretty clearly:  “Just as telephone companies are not allowed to listen in to our calls or sell information about who we talk to, our internet providers shouldn’t be allowed to monitor our internet usage for profit.”

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Zuckerberg Hacked: How Not to Be Like Mark

,

Mark Zuckerberg Hacked Because of Weak Passwords

It seems Mark Zuckerberg might be a little lazy, or a little stupid, or at the very least a little embarrassed. The undisputed king of social media has had two of his social media accounts hacked. Granted, it was not his Facebook account—just his Pinterest and Twitter accounts, the latter of which he hasn’t used since 2012. A Saudi Arabian hacker team named OurMine has taken credit for the attack, claiming they got his password from the recent dump of information obtained in the LinkedIn data breach from 2012.

Let’s see where Mr. Zuckerberg went wrong by using the safe password development tips (in bold below) from his very own creation: Facebook.

Make sure your password is unique, but memorable enough that you don’t forget it. Supposedly, Zuckerberg’s password was “dadada”.

Don’t use a password that you use on other sites – if one site gets hacked and your password is stolen, hackers will often try it on other sites. Clearly, he used it on at least three sites.

Don’t share your password with anyone. If you think someone else has it, you should change it. When LinkedIn was hacked four years ago, he evidently did not change it on the other sites.

Instead of picking on him further, let’s talk about how this applies to someone really important: you and me.

While Mr. Zuckerberg has had to eat a little humble pie, he likely won’t suffer any serious damage from this incident. Others, however, aren’t so lucky. More than 100 users of TeamViewer, a German software company whose software gives users remote access to computer desktops, have had accounts taken over since the LinkedIn data was made public. The criminals then used TeamViewer to authorize transactions through Amazon or PayPal. The company believes the activity is linked to the recent rash of data disclosures.

There is also the strong possibility that users of LinkedIn may be more likely to use those same passwords in their professional lives. That could expose users’ business data or allow hackers to take over accounts at job or travel sites.

I am constantly amazed by the corporations that I speak to that haven’t yet instilled strong password habits among their employees. They spend hugely on intrusion detection, but don’t take the time or minuscule investment required to solve what I call a gatekeeper flaw. Employees are the gatekeepers of your valuable data, and if they don’t protect it with strong passwords, no amount of security software will cover this inexcusable and easily solvable mistake. 

How are you training your people on strong passwords? 

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Some Simple Steps to Social Media Privacy

When was the last time you checked your privacy settings on your social media profiles? Being aware of the information you share is a critical step in securing your online identity. Below we’ve outlined some of the top social media sites and what you can do today to help keep your personal information safe.

FACEBOOK Social Media Privacy

Click the padlock icon in the upper right corner of Facebook, and run a Privacy
Checkup. This will walk you through three simple steps:

  • Who you share status updates with
  • A list of the apps that are connected to your Facebook page
  • How personal information from your profile is shared.

As a rule of thumb, we recommend your Facebook Privacy setting be set to “Friends Only” to avoid sharing your information with strangers. You can confirm that all of your future posts will be visible to “Friends Only” by reselecting the padlock and clicking “Who can see my stuff?” then select “What do other people see on my timeline” and review the differences between your public and friends only profile. Oh, and don’t post anything stupid!

TWITTER Social Media Privacy

Click on your profile picture. Select settings. From here you will see about 15 areas on the left-hand side. It’s worth it to take the time to go through each of them and select what works for you. We especially recommend spending time in the “Security and Privacy” section where you should:

  • Enable login verification. Yes, it’s an extra step to access your account, but it provides increased protection against unauthorized access of your account.
  • Require personal information whenever a password reset request is made. It’s not foolproof, but this setting will at least force a hacker to find out your associated email address or phone number if they attempt to reset your password.
  • Determine how private you want your tweets to be. You can limit who (if anybody) is allowed to tag you in photos and limit your posts to just those you follow.
  • Turn off the option called “Add a location to my Tweets”.
  • Uncheck the options that allow others to find you via email address or phone number.
  • Finally, go to the Apps section and check out which third-party apps you’ve allowed access to your Twitter account (and in some cases, post on your behalf) and revoke access to anything that seems unfamiliar or anything that you know you don’t use anymore.

Oh, and don’t post anything stupid!

INSTAGRAM Social Media Privacy

The default setting on Instagram is public, which means that anyone can see the pictures you post. If you don’t want to share your private photos with everyone, you can easily make your Instagram account private by following the steps below. NOTE: you must use your smartphone to change your profile settings; it does not work from the website.

  • Tap on your profile icon (picture of person), then the gear icon* to the right of your name.
  • Select Private Account. Now only people you approve can see your photos and videos.
  • Spend some time considering which linked accounts you want to keep and who can push notifications to you.

*Icons differ slightly depending on your smartphone. Visit the Instagram site for specifics and for more in depth controls.

Oh, and don’t post anything stupid!

SNAPCHAT Social Media Privacy

Snapchat’s settings are really basic, but there’s one setting that can help a lot: If you don’t want just anybody sending you photos or videos, make sure you’re using the default setting to only accept incoming pictures from “My Friends.”  By default, only users you add to your friends list can send you Snaps. If a Snapchatter you haven’t added as a friend tries to send you a Snap, you’ll receive a notification that they added you, but you will not receive the Snap they sent unless you add them to your friends list.  Here are some other easy tips for this site:

  • If you want to change who can send you snaps or view your story, click the snapchat icon and then the gear (settings) icon in the top right hand corner. Scroll down to the “Who can…” section and make your selections.
  • Like all services, make sure you have a strong and unique password.
  • Remember, there are ways to do a screen capture to save and recover images, so no one should develop a false sense of “security” about that.

In other words, (all together now) don’t post anything stupid!

A Final Tip: The privacy settings for social media sites change frequently. Check in at least once a month to ensure your privacy settings are still as secure as possible and no changes have been made.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Panama Papers a Lesson in Cyber Security

Whether data breach or insider leak, Panama Papers Cyber Security lessons still the same.

By now, you’ve heard about the leaked papers from a Panamanian law firm implicating world leaders, sports figures and celebrities alike in a scheme to shelter massive wealth in off-shore corporations (if not, see the NYTimes summary below for relevant links). At this point it is still unclear whether the 11.5 million records were obtained through hacking or leaked from someone inside of the Panamanian law firm.

But from a cyber security perspective, the lessons are nearly identical either way. At issue here is the massive centralization of data that makes either breach or leakage not only inevitable, but rather convenient. World leaders and executives alike must have a sense of deja vu from the leakage of the NSA documents by Edward Snowden several years ago. From a security perspective, it is baffling in both cases that one individual would have access to such a trove of data. This suggests that the records were not properly segmented, encrypted or subjected to user-level access permissions.

Now, it’s possible that the administrator in charge of the law firm’s computer network facilitated the breach (remember, someone with SysAdmin access always has the keys to everything when it comes to data), but I highly doubt it, as this is easily monitored and punishable. We may never know exactly how this breach transpired, but there are several lessons you can absolutely take from the Panama Papers:

  1. Segmentation. If the critical data inside of your organization is not segmented or divided across different digital locations, it’s like keeping all of your gold under the same mattress.
  2. Encryption. In the event that the Panama Papers were obtained by a hacker, this suggests that the data was not properly encrypted to keep out prying eyes. Most businesses still only have a partial encryption strategy on their data (either at rest or in transit) and this lack of an end-to-end encryption solution is what dooms them to breach.
  3. User-Level Permissions. We don’t know how the Panama Papers were accessed, but if we learn from Edward Snowden, the amount of global digital access you give to your employees makes a huge difference. A contractor like Snowden probably should have never had permission to access so much information across such a wide spectrum. He was only a contractor – imagine what a true insider could have accessed.
  4. Monitoring. Any organization that has implemented a secure firewall can monitor how much data is leaving their servers. More sophisticated software lets many companies know exactly what data is leaving the premises and exactly who is responsible. But both of these cases require human intervention to read the warning signs and take action. Target knew that their POS system was being breached, but no one acted on the red flags.

It’s too late for Mossack Fonseca to go back and right these cyber security wrongs. For you, it’s not too late.

Panama Papers Quoted Directly from the NYTimes.com:

The leaks from the Panamanian law firm, Mossack Fonseca, involve more than 11.5 million documents, nearly 215,000 companies and 14,153 clients of the firm, according to the German newspaper Süddeutsche Zeitung, which got the information and shared it with some other media outlets and the International Consortium of Investigative Journalists, a nonprofit group.

They began reporting Sunday on the leaks, now known as the Panama Papers, which have implicated a range of politicians, celebrities and sports figures, including close associates of President Vladimir V. Putin of Russia, President Petro O. Poroshenko of Ukraine, Prime Minister Nawaz Sharif of Pakistan, current and former members of China’s ruling Politburo and FIFA, the worldwide association for soccer.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Apple vs FBI: Why the iPhone Backdoor is a Necessary Fight

Apple vs FBI: Building a backdoor into the iPhone is like burning the haystack… 

I’ve been asked almost 100 times since Apple rejected the FBI’s request to break into the iPhone of the San Bernadino killers which side I support. I am a firm believer that the most complex problems (this is one of them) deserve the simplest explanations. Here is the simplest way that I can walk you through the argument:

  • If your immediate response, like many, is to side with Apple – “Don’t hack into your own operating system, it set’s a bad precedent” – then you have a good strong natural reflex when it comes to privacy. But don’t stop your thinking after your first reaction or thought, as it might be incomplete, because…
  • This is an intricate and nuanced balance between 1) personal privacy (don’t allow Apple or the FBI access into this particular phone), 2) public privacy (once Apple makes an exception for this case, the FBI (or Apple) could potentially open the iPhone in all cases), 3) security (by building in a backdoor for legitimate purposes, you will be opening it for hackers as well) and 4) national security (without access to this info, other terrorists might go undetected).
  • If it were your family member that had been murdered, you would probably agree that law enforcement should have every tool at their disposal to track down the murderers or criminals, and privacy be damned. You would also note that…
  • There are thousands of precedents for the FBI to obtain search warrants into suspects homes, emails, phone calls and the like. Ask yourself why this request is any different.
  • It’s a slippery slope. First the iPhone, then your encrypted password protection software, private Facebook history – you name it. The FBI’s solution is roughly the equivalent of giving the government a key to every home in America and letting them decide when to use it. By applying a broad brush stroke (build a backdoor into the security of every iPhone) when a fine-tipped pencil would be more than adequate (learning more about a single case – the San Bernardino killers and their connections), you forever  lose control of the master key. As was put so eloquently in an article by Wired (I cite this particular article because I agree with it), “Apple is not being asked to unlock an iPhone; it’s being asked to create software that would help the FBI unlock it.” To me, those are two completely different requests.
  • A backdoor would give law enforcement an additional tool to solve tens or hundreds of crimes, but in the meantime endangering the data of nearly a billion users. If Apple complies, what happens when China asks Apple to unlock a phone based on the earlier precedent – does Apple hand over information that could lead to political persecution? In other words…

Building a backdoor into the iPhone is the equivalent of burning the haystack to find a needle. You simply have to ask yourself honestly if the needle is worth the ashes. 

5 Possible Solutions in the Apple vs. FBI iPhone Backdoor Case

  1. Let it go. Sometimes you don’t have all of the evidence in a criminal case. Whether the murder weapon cannot be found or the iPhone data cannot be obtained, the case is resolved in other ways. The NSA (as exposed by Edward Snowden) has done nothing to engender our trust in government organizations collecting and using data on American citizens. They abused their powers of data collection in that case, so we all wonder why it would be any different in this case.
  2. Stop pretending that Apple can build a one-time backdoor. Encryption doesn’t work that way. Security doesn’t work that way. The minute you tinker, the entire house of cards falls and exposure becomes the rule, not the exception. If the information on the phone is important enough, at least admit you are willing to put the data of a billion people at risk.
  3. Upgrade your hackers at the FBI. I’ve had several white-hats hackers suggest that the iPhone can be cracked. Hackers are sometimes a cocky bunch (that’s what makes them good, by the way), but I’ve seen them hack almost every device possible with a creativity that would make Picasso proud, so I wouldn’t put it past them.
  4. Take this conversation off line. Ultimately, I think this question will be decided in back rooms where the public doesn’t get to see the answer (we are, in fact, a representative democracy where much of what happens does so behind closed doors). And frankly, I think it should be. There is too little awareness of the complexities we are dealing with here, and the emotional responses that we all have are only getting in the way.
  5. Do something, Congress! There are thousands of similar cases to be decided in the future and very little in the way of legislation to guide the way. Most of the laws being quoted in this case go back a half a century. Congress should catch up with technology and set some guidelines and oversight on the privacy vs. security question. We are a smart enough society to allow for gray areas in between a media that immortalizes black and white.

I believe that Apple is doing the right thing in standing their ground an not creating a system-wide backdoor into the iPhone. I also believe that the FBI is doing the right thing in trying to obtain every piece of information they can to resolve a past or future crime. This should not include a systemic hack of the iPhone or any computer system. The strength of our democracy is in the tension that exists between those two stances and the system of checks and balances that keep either position from being extreme.

I guarantee you that there is a way to set down the paint brush and pick up the pencil – to create a solution that impacts one phone, not millions – and that it is possible to balance public privacy with national security. It may not pertain to this particular case, but it will to all of those future cases waiting to happen. In the end, isn’t that what we all want? If you agree, write your Congressperson and ask them create laws that address the current privacy/security confusion.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Don’t Get Hooked With Phishing Scams

,

Common Phishing Scenarios:

“Your account has been suspended” or “We suspect fraudulent activity on your account” or “You’ve won a contest” or “We owe you a refund”

If you’ve ever received an email, voicemail or text with a message like one of the above, you know how visceral your reaction can be. And chances are very high that the message is a fake.

Just as fishing is one of the oldest occupations around, phishing is one of the oldest scams around. Ever since email was invented, thieves have been phishing to get your information by cleverly impersonating a business or an acquaintance. They hope to trick you into giving out your personal information or opening a link or an attachment that downloads malware onto your computer so that they can gain access all of your data.

Even though it’s been around for a while, it still works with alarming regularity. Almost 90% of all corporate data breach is the result of a phishing attack.  The ten companies that are targeted most often by phishers are attacked constantly, sometimes more than 1,000 times per month.  It’s always good to have a refresher of how to prevent getting hooked!

What to look for:

  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but may contain a mismatched URL (may vary in spelling like Annazon.com) or the URL contains a misleading domain name. (.com vs. .net). Use the hover technique to verify legitimacy.
  • Beware if you receive unsolicited (or out of character) phone calls, visits, or email messages often with an urgent request or threatening punitive action if you don’t respond.
  • Think twice if a company that seems legitimate asks you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Remember–legitimate companies don’t ask you to send sensitive information through insecure channels.

How to prevent/avoid phishing (It’s a lot, but every single tip matters!)

  • Never open email from an untrusted source and don’t open unexpected email attachments or instant message download links.
  • Don’t trust links in an email. Right click on the link to make sure it’s valid. Better yet, type in the real website address into a web browser.
  • Never give out personal or financial information upon email request.
  • Look carefully at the web address.
  • Be suspicious of unsolicited phone calls, visits, or email messages.
  • Don’t call company phone numbers in emails or instant messages. Check a reliable source such as a phone book or credit card statement.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • Only provide personal or financial information through an organization’s website if you typed in the web address yourself and you see signals that the site is secure, like a URL that begins https (the “s” stands for secure). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
  • Report phishing email to reportphishing@antiphishing.org

There is also SMiShing (fraud through SMS on your phone), Vishing (fraudulent voice calls) and Spear Phishing (customized email that appears to be from an individual or business that you know). As soon as a new method of communication is invented, I guarantee the fraudsters will be using it, so there will be a new term for that, too!

One of the most profitable steps you can take inside of your organization is training your people to detect phishing scams. They are a hacker’s first and favorite tool to separate you and your data.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.