Hacker group Shadow Brokers released data that appears to show that the NSA penetrated deep into the finance infrastructure of the Middle East. The published documents, if legitimate, show how U.S. intelligence compromised elements of the global banking system by hacking into Dubai’s EastNets, which oversees payments in the global SWIFT transaction system for dozens of client banks in the Middle East. The leak includes detailed lists of hacked or potentially targeted computers, including those belonging to firms in Qatar, Dubai, Abu Dhabi, Syria, Yemen and the Palestinian territories. Also included in the data dump are fresh hacking tools, this time targeting a slew of Windows versions. SWIFT has been increasingly targeted by hackers seeking to redirect millions of dollars from banks around the world, with recent efforts in India, Ecuador and Bangladesh. Security researchers pointed to clues that an $81 million Bangladesh bank theft via SWIFT may have been the work of the North Korean government. But the Shadow Brokers’ latest leak offers new evidence that the NSA also has compromised SWIFT, most likely for silent espionage.
A man who assumed the identity of a baby who died in 1972 was arrested on charges of Social Security fraud and aggravated identity theft after the child’s aunt discovered the ruse through Ancestry.com.
Prosecutors said Jon Vincent stole Nathan Laskoski’s identity after escaping from a halfway house in March 1996 and used his new name to start another life. Vincent had been convicted of indecency with a child. The real Nathan Laskoski died at age 2 months in 1972. Authorities said Vincent first obtained a Social Security card as Laskoski in 1996. He held jobs, received a driver’s license and married and divorced as Laskoski.
When Nathan’s aunt did a search on Ancestry.com, a genealogy website, his name came up as a “green” leaf on the website, meaning public records showed he was alive. The aunt told Nathan’s mother, who did more research and learned that someone had obtained a Social Security card under her son’s name. Nathan’s mother also found public marriage and divorce records, and filed an identity theft complaint with the Social Security Administration.
America got mail this weekend, about 30 emails, according to reports. They were written as recently as last year by then-Governor Mike Pence and sent from his personal AOL account. While this is a political story, it is not about politics. It’s about a nationwide problem.
The emails, released to the Indianapolis Star in response to a public records request, include state business. The revelation is that Pence used his private email account to conduct business — an account we now know categorically was not secure from the prying eyes of hackers since, per various reports, it sent out emails saying Pence had been robbed overseas and was in need of money to get back home, a classic email scam you’ve no doubt heard of.
Pence's Email Problems
The emails released by the Indy Star were addressed to Pence’s chief of staff and also his homeland security officer. As such, they open a window into Pence’s tenure as governor where there shouldn’t be one. Emails discussed political issues — like the resettlement of Syrian refugees — and other sensitive matters.
The news immediately resulted in public parades of schadenfreude on the left. After all, former Secretary of State Hillary Clinton arguably lost the election because of the same issue. But while there is plenty to make fun of here, there really is very little in the way of relevance between the two email stories.
While there have been more detailed tales of the tape between the two stories, you only need to know that former Secretary of State Clinton did something, that while legal, was strongly discouraged by her employer, the State Department, and what Pence did was under no such strictures — a sentiment Pence and his press secretary echoed in statements to the press. (Pence could not be reached for comment by Credit.com.)
What Pence & Clinton Have in Common With You
This latest email snafu is about control, but not over the flow of information, secrets or privileged access to information. It’s actually about an alarming lack of control. That lack of control has to be laid at the feet of information security experts who are tasked with keeping us safe.
We can do amazing things in the realm of coding, but somehow a fix to the phishing pandemic continues to elude us. The main reason for this is at least understandable: It’s a crime that preys on human nature — something that can’t be (reliably) coded.
Vice President Pence did what millions of us do every day. He clicked on a link in a phishing email, the victim of garden-variety social engineering. In doing so, he did us a favor, though it’s doubtful he will get much credit for it. He highlighted an area where our nation needs to do way more. Phishing is a national epidemic, and we all need to worry about it. If leaders of the free world can fall for this scam, so can you.
What's Phishing and How Can I Avoid It?
Phishing emails spoof legitimate companies or contacts in an attempt to get the recipient to click on a fraudster’s link. As I wrote about in my book, Swiped, you can probably spot a phishing email in your sleep, and you would no sooner click on a link in an email about suspicious activity on your bank account than you would leave your wallet in a crosswalk in Times Square.
However, best practices often fly out the window when it comes to salacious material about our favorite celebrities. Think about it this way: As you wander in the darker alleys and backstreets of the internet, where the risks should outweigh all other considerations, are you willing to forgo sensible web behavior when the likely outcome will be catastrophic?
The main threat is malware. You can expect it to wind up on your computer if you decide to search the less safe parts of the internet for material that was never meant for your eyes anyway.
It may be something simple, like code that turns your computer into a spam distribution center, or a more serious app that will record your keystrokes (including when you log in to your bank, email, social networking, brokerage accounts, or the gubernatorial back office). There’s no way to know what you’re getting yourself into. The best course of action is to use your imagination — or possibly even your sense of what should be off-limits. Malware leads to identity theft and worse.
If you tend to chase breaking news stories and like to download the ephemera related to them (eyewitness photographs, blog posts), you may want to do a malware scan of your computer.
As a matter of fact, this kind of scanning should be a part of your habit of monitoring your various points of contact with the outside world — your attackable surface — regularly for signs of intrusion. (You can also monitor two of your free credit scores for foul play every two weeks on Credit.com.)
The lack of cybersecurity acumen manifested in the phishing of a governor should serve as a cautionary tale for everyone. Unless you are never off your guard, it’s highly likely that you will get scammed. The solution to the phishing pandemic is nowhere in sight. Be careful because the light at the end of the tunnel could well be the headlight of a bullet train.
Adam Levin is chairman and founder of CyberScout and Credit.com, where this article originally appeared. It is an Op/Ed contribution and does not necessarily represent the views of the company or its partners.
Spring has begun, which means open season on travelers who aren’t well-versed in the various scams waiting for them on the seamier side of paradise. While the scams abound, being forewarned is forearmed.
Here are some typical scams that can ruin your vacation, drawn from my book Swiped: How to Protect Yourself in a World Filled with Scammers, Phishers, and Identity Thieves.
One seldom publicized use of social media (at least in crime circles) involves monitoring posted photographs for clues about where you live and what you have that’s worth stealing. In addition to providing a visual inventory, photographs can contain hidden information called geotags that allow a thief to pinpoint the location of your home. If you post pictures while you’re on vacation, you might as well display a flashing neon sign saying, “Rob me.” Rather than sharing your adventure in real time, it is far safer to relive the memories with everyone you know when you return. If you simply can’t resist the urge, at the very least tighten your privacy settings so that you strictly limit who can see these posts.
You receive a letter informing you that you have a chance to cash in on a big win: free airline tickets. There have been several attempts to contact you about the tickets (you won them through a sweepstakes you have never heard of, in which you were automatically enrolled), and you’re going to lose them if you don’t contact the travel agency or cruise line immediately. The letter provides a toll-free number to call. You call it and there are … well, certain requirements (like providing a credit card or Social Security number). Meeting those obligations will cost you far more than the alleged free tickets. (Fallen for this one? Be sure to check your credit for warning signs of identity theft. You can view two of your credit scores for free, with updates every two weeks, on Credit.com.)
Your plane gets in late, you can’t get a taxi and by the time you arrive at your hotel all you want to do is take a shower and go to bed. About an hour after checking in, the phone in your room rings. It’s the front desk calling to tell you that the credit card you gave them was declined. “Can you please read me your credit card number again? Or, if you would prefer, you can give me another credit card.” If this happens, in lieu of readily handing over your digits, take a trip to the hotel lobby to confirm whether there is an actual issue.
When you check into your hotel, you see flyers in the lobby or under your door for a pizza joint. It’s late and you’re starving, so you call the number on the flyer. Someone answers exactly the way you expect they will. You place your order. They ask for your credit card number, which you immediately provide because your mind is on the pie and not your personally identifiable information. Several hours later, you’re still waiting. And starving. Unfortunately, the only one getting fed is the thief — and your credit card is for dinner.
A thief finds a rental property online and uses the details to create his own website and listing. They’ll even have bogus five-star reviews from fake renters, and it will be particularly affordable, possibly due to a one-day-only internet sale. You book the listing and pay either by credit card or wire transfer, and you get ready to pack your bags.
Here’s the problem: When the time comes and you show up for your vacation, that’s not your condo. It’s not just a matter of bait and switch, where the gorgeous property on the website doesn’t exactly live up to reality. In this case, the property is very real and even very beautiful … but you didn’t rent it. There may even be another family staying in it that week. You now find yourself on vacation with nowhere to sleep, and your scammer is nowhere to be found.
If the person can’t answer questions accurately — or takes too long to answer, which indicates that they’re also doing an online search — that could be a red flag. It is possible that the rental agent is located in another city, but someone in his or her offices should have at least laid eyes on the property and be able to give you an idea of the answers.
Tip: Whenever you’re booking a rental property — for any reason, not just a beach getaway — there’s a sneaky little trick you can use to verify the authenticity of the listing and the property. Instead of emailing, call the person on the phone, but first do an online search for other businesses in the area surrounding the property, then ask the listing agent some specific questions that you’ve already figured out the answers to. How far is it to the nearest beach access? Where is the nearest restaurant with a kids’ menu? How far are we from an emergency room in case someone in our group gets hurt?
Keypad overlay devices, ATM skimmers with a pinhole camera — there are many versions. Sometimes skimmers and the hardware associated with them can be spotted (if you know what you’re looking for and it’s one of the skimmers you can detect, for instance, by banging on the ATM or trying to shake the user-interface module), but often it’s impossible to detect a skimmer scam. When you’re out having fun, by definition you are distracted and understandably off guard. Try to remember that even in the midst of the time of your life there are bad guys out there intent on a major buzzkill. And monitor your bank statements carefully so you spot any fraud that may have occurred.
Not all Wi-Fi is created equal, and it’s not all secure. If you’re not sure about a Wi-Fi connection, be careful about what you do online. Do your banking and bill paying on your secure home network, and let your time off truly be downtime so that you don’t end up having a downer of a vacation.
Imagine losing all the photos, videos, messages, and documents you’ve stored on your computer. How much money would you be willing to pay to get it all back? Ransomware is malware that infects your computer, locks it, and demands payment for unlocking it. And the number of new ransomware has been at least doubling each year since 2013.
Here’s our quick guide to ransomware – what it’s all about, and five top tips on how you can prevent becoming a victim of ransomware.
What does ransomware do?
Crypto-ransomware encrypts the files on a computer, essentially scrambling the contents of the file so that you can’t access it without a decryption key that can correctly unscramble it. A ransom is demanded in exchange for the decryption key. Once the malware has infected one computer, it can spread to others in the network, making it impossible to carry out normal operations. The ransom fee is usually around $300 to $500 for a computer, and payment is often demanded in Bitcoins, a virtual currency that is difficult to trace.
How can ransomware infect your computer?
You may encounter ransomware in a number of ways: as email attachments, malicious links, or via exploit kits. You can be exposed to exploit kits when you visit a compromised website, click a compromised ad on an otherwise good website or you are redirected onto a malicious site. The exploit kit tests your computer for any exploitable flaws or vulnerabilities, which are common in outdated software. If it finds an opening, the exploit kit downloads and installs the ransomware onto your machine. This can happen completely without your knowledge.
How can you get your files back?
F-Secure advises against paying the ransom. While doing so is one way to regain control of your computer and data, the real remediation begins before you ever get hit – by taking regular backups. That way, if you do get attacked, you can relax – and restore everything from the backups. Furthermore, even though most ransomware has returned control, this may not always be the case. You may end up paying and still being left without control.
If your files have been hijacked and you don’t have backups, it’s worth going online and seeing if there is a decryption tool for the ransomware that you’ve been hit with. This list is a good start, although decryption tools are typically only available for early versions. And keep in mind that attackers update their approach and use ransomware that doesn’t have a decryption tool available.
The only way to truly beat ransomware is to never be infected by it.
Here are F-Secure’s Top 5 tips to keep your devices clear of ransomware:
Posted by: DQINDIA Online
When it comes to cell phones in America, the numbers tell the story.
Around 78 percent of adults say they own a cell phone, and use them for everything from texting to banking, shopping and everything in between, CBS2’s Chris Wragge reported.
Collectively, Americans use up to 9.6 trillion megabytes of data, spend 2.9 million minutes talking on the phone, and send up to 1.9 trillion text messages.
“The current phone of today is more powerful than the laptop of eight years ago,” Dr. Anthony Serapiglia, Asst. Professor of Computing and Information Systems at St. Vincent College, said.
But when you give away your old cell phone, you may be handing over a lot of your personal information — even if you think you’ve cleared your phone.
“It is a treasure trove for identity theft,” Serapiglia said.
At St. Vincent College, Serapiglia and his students examined old cell phones to see if they could uncover any information left behind.
“We found a lot of text messages, conversations, personal items, even Snapchat — things that you think are going to be gone,” Serapiglia said.
One damaged iPhone turned out to be filled with illegal activity.
“It had text messages of drug deals, prostitution and gambling,” Serapiglia said. “It was as plain as day and clear as a bell, even including pictures.”
Serapiglia was also able to extract data from another old cell phone that revealed photos from the previous user. With a simple Google and Facebook search, Serapiglia was able to piece together the previous owner’s name, birthday, address and even the previous owner’s wife’s name.
“Thieves are trying to build a story around you so that they can impersonate you, so they can open accounts in your name,” Serapiglia said.
Using software available to anyone, Serapiglia and his students scanned phones purchased from Goodwill. All of the phones were sold in bulk online. Of the 80 phones they purchased, 47 of them had useful information.
So before you ever give your phone away or trade it in, there are steps you can take to try to wipe it clean.
“For most people, a simple factory reset will take care of the problem,” Serapiglia said.
And before you do that, be sure to remove your phone’s SIM or SD card and encrypt your data.
Clearing your phone of information should take you around five minutes.
Source: CBS News
But plans rarely survive first contact with the enemy. That is why it’s important to stress test your incident response plan to identify weaknesses while time is on your side.
Studies show that a swift response to a security incident retains customer trust—and saves costs. Breaches contained within 30 days of discovery cost an average of $2.7 million, according to the Ponemon Institute. If it takes more than 30 days to contain the breach, the average cost increases to $3.6 million.
But speed can’t be mandated by the plan. For this reason, plans should be stress-tested on a semi-annual or annual basis, as if you were experiencing an active data breach.
You’re more likely to encounter ransomware via a phishing email than a dedicated nation-state penetrating your firewall. As such, focus your stress test on the scenarios that are most likely and threaten the worst potential consequences.
By the time you work your way down to less-likely and less-costly threats, you’ll already have covered the common elements of your response. Knowing how to adapt your plan to a specific threat is an expertise unto itself; one that won’t emerge naturally in the planning phase.
By the time Target alerted its customers about its historic breach in December 2013, several days already had passed. The delay impacted consumer faith and the retailer’s bottom line, and was a consequence of Target’s leadership treating the breach as a purely technical issue.
Nontechnical staff, such as legal, public relations and human resources, should participate in stress-test activities, too. Try to strike a balance between internal staff, who may be more familiar with the company, and external specialists, who have expertise and can take on extra work.
The true benefit of a stress test is the analysis following the experience. The whole point is to make improvements to your plan by responding to what went wrong and reinforcing what went right.
Your breach response plan should include time for the incident response team to reflect and discuss the exercise. Additionally, ensure that any of the team’s recommendations are reviewed and implemented within a specified timeframe.
The benefits of organizing and testing your incident response plan could far outweigh the costs. Factor in the peace of mind your C-suite and response team will gain when they feel confident in their plan, and we believe you’ll arrive at a compelling argument to place stress tests near the top of your to-do list.
For more information on Commercial Breach Readiness services or a free initial Breach Risk Consultation, contact FreedomID @ (888) 820-5959.
Article contributed by Eric Hodges, Third Certainty, Inc
Spring temperatures and budding plants are starting to edge out the worst of the winter weather, so now is the time to spring clean … your mobile device.
The very first step is to remove apps you never use. Your phone may run slower due to these old downloads, and they may even be wasting your battery life. Don’t worry, depending on the brand of phone and where you downloaded the app, they’ll typically still be sitting there in case you decide to reinstall them.
After you’ve cleaned out the apps you don’t need, it’s time to head over to the settings menu and make sure you’re running your apps safely and efficiently. Check to see if you’ve given permission to run or refresh in the background, and turn that off for each one that doesn’t need it. If any of your apps have permission to post on social media on your behalf or to access your contacts list for some reason, it’s good practice to confirm whether they should or not.
The next step is to check out their security. Many users don’t realize that some of those great free apps you downloaded are actually privacy sponges, soaking up things like your photos or your contacts list. A report from WIRED magazine highlighted the possibility of dangerous flashlight apps; they found one that was capable of tracking your location, sending out information about you, and much more, but it’s important to note that it doesn’t mean it does these things, only that it can.
While you’re securing your device and cleaning out the virtual nooks and crannies, make sure you have a strong passcode enabled on your device. Using “1234,” for example, is not recommended. Instead, your code should be an easy-to-remember combination of characters, but one that isn’t easily guessed or watched by someone standing near you. Keeping others out of your device if it’s lost or stolen can make a world of difference when it comes to protecting your identifying information, your finances, and more.
Finally, give your phone, tablet, and any headphones or styluses you use a thorough de-germing. Wipe down the outside of the case and the screen according to the manufacturer’s directions, take off the case and get into the corners where gunk can build up, and make sure your headphones are clean and in good working order.
A stunning number of Americans say they’ve been victimized by a digital crime, like credit card fraud (41 percent). But even more say they write their passwords down on a piece of paper (49 percent).
Bob Sullivan, veteran journalist and a founding member of msnbc.com
In fact, Americans have a lot of bad digital habits. Some 41 percent say they have given their password to a friend or family member (you shouldn’t); 39 percent use the same password across their accounts (you really shouldn’t); 28 percent don’t bother putting a lock screen on their smartphones (that’s a terrible idea); and nearly one in five say their main tool for keeping track of passwords is … paper.
The data comes from a new Pew Research Center survey that labels these unsafe folks “password challenged.”
More about the challenged: Some 39 percent of Americans say they have a hard time keeping track of passwords—and 25 percent say they use less secure passwords because they are easier to remember.
Fear’s there; action isn’t
It’s not that people aren’t scared. Most expect bad things to happen. Most Americans anticipate major cyber attacks in the next five years on the nation’s public infrastructure (70 percent) or banking and financial systems (66 percent), Pew said.
And it’s not because bad things haven’t already happened. Really bad things. To a lot of people.
But this might be the most stunning find of all in the Pew report: “Americans who have personally experienced a major data breach are generally no more likely than average to take additional means to secure their passwords.”
I’d call this a clear example of something sociologists call “learned helplessness.”
Many feel security steps are futile
I’ve seen findings like this before in the related world of privacy. Most folks want more privacy, but feel helpless in their efforts to get it, and have no idea what to do to get it. Security has a similar problem. It’s not clear what people can do to keep their online accounts safer, other than not falling for phishing attacks. Many times, consumers are victims and there wasn’t anything they could have done—as when there is a large-scale database hack from a previously reputable website.
Understood in that light, it’s rational for consumers to go on and live their lives without the ongoing hassle of remembering 12-character passwords. Why make your day-to-day life harder if, in the end, you aren’t safer anyway?
Then there’s this: Perhaps the world’s foremost security writer has been suggesting that people write their passwords down on a piece of paper for years. Really.
Bad advice heeded
“People can no longer remember passwords good enough to reliably defend against dictionary attacks and are much more secure if they choose a password too complicated to remember and then write it down,” security expert Bruce Schneier wrote back in 2005. “We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.”
I’m going to go out on a limb and say that most people who admitted using paper in Pew’s study aren’t doing so in order to use a highly complex password. (I wish Pew had asked that question). So if that’s you, at least use your paper trick to enhance your personal security. In the end, what the world needs is to finally move away from user/password combinations as the way we secure everything. And on that front, the Pew study offers a tiny bit of hope. Slightly more than half (52 percent) say they use two-step authentication on at least some of their online accounts. And that is a step in the right direction.