Scam of the day – Mary 19, 2017 – WiFi networks at Mar-a-Lago vulnerable

A recent report by ProPublica and Gizmodo has found security vulnerabilities in the WiFi networks at Mar-a-Lago, the resort often visited by President Trump as well as a number of other Trump destinations including the Trump National Golf Club in New Jersey, Trump International Hotel in Washington D.C. and Trump National Golf Club in Virginia.  According to the report, “Our inspections found weak and open WiFi networks, wireless printers without passwords, servers with outdated and vulnerable software and unencrypted login pages to back-end databases containing sensitive information.”  As would be expected the White House is not commenting on this report other than to indicate that these locations follow cybersecurity best practices.  However, the important lesson to us all is to remind us that public WiFi is never secure. However, with some precautions it can be made safer.

TIPS

Whatever electronic device you are using to connect to a WiFi network, whether it is a computer, laptop, tablet or smartphone should be equipped with security software.  In addition, you should use encryption software so that your communications are encoded.  You also should go to your settings and turn off sharing.  In addition, you should make sure that your firewall is current and turned on.  Finally, and perhaps most importantly, you should consider using a Virtual Private Network (VPN) which enables you to send your communications through a separate and secure private network even while you are on a public network.

Scam of the day – April 10, 2017 – Dallas Emergency warning system hacked

Last Friday night the city of Dallas’ emergency warning system was hacked causing all of its 156 emergency sirens to blare throughout the night and into Saturday warning.  As could be imagined, there was substantial panic and concern by local residents.  This warning siren could also be heard as another loud warning as to the vulnerability of much of our national infrastructure to attacks by hackers with more harmful intentions.  Last year there were almost 300 cyberattacks on critical infrastructure including the electrical grid.  Due to the Intenet connectiveness of so much of our critical infrastructure including our energy system, transportation systems and even financial services, the country continues to be vulnerable to cyberattacks.

TIPS

While improvements have been made in essential cybersecurity, much remains to be done as detailed in numerous reports in recent years by the Government Accountability Office (GAO).  In particular, companies and governmental agencies should be improving their ability to identify cyberthreats and implement continuing processes for securely configuring computer systems, applications, workstations, servers and network devices.  It also is important to patch vulnerable systems and replace unsupported software.  Sharing of information between government and business must be an essential element of any cybersecurity programs.

Scam of the day – February 12, 2017 – Data breach at InterContinental Hotels

InterContinental Hotels became the latest hotel chain to disclose that it had been hacked by cybercriminals stealing credit card and debit card information, joining Kimpton Hotels, Marriot Hotels, Hyatt Hotels, Trump Hotels, Hilton, Mandarin Oriental and White Lodging which all suffered data breaches during the past year.  Trump Hotels was hacked twice in the last year.

According to a statement released by InterContinental, credit card and debit card processing equipment was infected with malware at restaurants and bars at their hotels between August and December of 2016. The full extent of the data breach has not yet been determined.  For a list of the affected restaurants, you can go to this link. https://www.ihg.com/content/us/en/customer-care/protecting-our-guests

It is not known yet whether the data breach is related to the hacking by the Russian organized crime group Carbanak, that, as reported recently by Brian Krebs managed to install malware into the credit and debit card processing equipment manufactured by MICROS used in hotels around the world.

The primary reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1, 2015  mandated credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment.  If smart EMV chip cards had been used at the bars and restaurants at the InterContinental hotels, the card information that was stolen would have been worthless, but since they still used the old fashioned magnetic strip cards, InterContinental and its customers face financial problems from this data breach.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted  more than a year ago, continue to occur again and again.  As for us, as consumers, the best thing we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  You also should regularly monitor your credit card statements for indications of fraudulent use.

 

October 9, 2016 – Steve Weisman’s latest column from USA Today

October is National Cyber Security Awareness month.  Cyber security is something about which we should all be aware.  Here is a link to my latest column from USA Today in which I discuss some simple steps you can take to increase your cyber security.

http://www.usatoday.com/story/money/columnist/2016/10/08/keep-mind-cyber-security-awareness-month/88872396/

Scam of the day – September 11, 2016 – New malware attacking online banking app

Many people find that doing their banking through their mobile devices is quick, efficient and convenient.  Unfortunately, it also carries with it risk of cybercriminals hacking the smartphones and other mobile devices used by their victims to gain access to their victims’ bank accounts and steal their money. In my Scam of the day for June 3, 2016 I gave a number of tips about how to do your online and mobile banking more safely.  Cybersecurity, however, is a never ending process and a few days ago, researchers at cybersecurity company Kaspersky Lab announced it had discovered a new form of malware used to steal banking information and credit card information from the smartphones of Android users that can override the new security features Android had installed in the Android OS version 6 specifically to combat this type of threat and other similar threats.

The new malware which is a modification of the Gugi banking malware starts, as with so many attacks by luring the victim into clicking on a link in a legitimate appearing text message that results in the initial downloading of the malware.  Once it is downloaded, however, the malware creates a display on your screen indicating the need for additional rights to work with graphics and windows.  If the victim clicks on the only link provided, another screen asks them to authorize app overlay and then other permissions. If the victim realizes what is going on and does not provide the requested permissions, the malware blocks the entire smartphone.  The only way to fix the problem at this point is to reboot the smartphone in safe mode and attempt to remove the malware, which  is difficult to do.

If the malware does get fully installed with all of the permissions it requires, it enables the cybercriminal to take total control of the victim’s electronic banking and can readily empty his or her accounts.

TIPS

Along with the basic online and mobile banking precautions I urged you to take in my Scam of the day for June 3, 2016, you can protect yourself from the Gugi malware by never just automatically giving rights and permissions when an app requests you to do so.  Always evaluate why the app would need such permissions.

As always, the two most important things to do to protect yourself from any cybersecurity threat to your mobile phone is to follow my advice of “trust me, you can’t trust anyone” and never click on links regardless of who appears to be sending them until you have absolutely confirmed that the links are legitimate.  Also, make sure you that you not only have security software on all of your mobile devices, but that you keep the security software updated with the latest security patches as soon as they are available.

Scam of the day – August 16, 2016 – More hotel data breaches

Yesterday, HEI Hotels and Resorts, a company that manages hotels operating under  brand names such as Marriott, Hyatt and InterContinental, announced that 20 of its hotels suffered a data breach that resulted in hackers stealing customer names, credit and debit card account numbers, expiration dates and three digit verification codes for tens of thousands of transactions going back as far as March of 2015.

It is not known yet whether the data breach is related to the hacking by the Russian organized crime group Carbanak, that, as reported recently by Brian Krebs managed to install malware into the credit and debit card processing equipment manufactured by MICROS used in hotels around the world.

The primary reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1, 2015  mandated credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment.  If smart EMV chip cards had been used at HEI’s hotels, the card information that was stolen would have been worthless, but since they still used the old fashioned magnetic strip cards, Kimpton and its customers face financial problems from this data breach.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted  more than a year ago, continue to occur again and again.  As for us, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  You also should regularly monitor your credit card statements for indications of fraudulent use.

Here is a link to which you can go to find out which hotels were affected by the data breach and when the data was compromised.  http://www.heihotels.com/list-of-properties

Scam of the day – August 10, 2016 – Apple now paying bounties to white hat hackers

I have reported to you many times about the “bug bounty” programs used by private companies such as Google and Facebook as well as, more recently, the Department of Defense which offers a “bug bounty” to vetted hackers who are able to identify vulnerabilities in their web pages and computer networks. Private companies, such as Google and Facebook have long made cash payments to independent hackers, sometimes called white hat hackers to distinguish them from the criminal, black hat hackers, who identified vulnerabilities in their computer code.  Generally, these bounties are between $500 and $15,000, however, Google has doubled the reward that it will pay anyone who finds a flaw in the security of its Chromebook to $100,000.   Google has paid out more than six million dollars in bug bounties since the program was started in 2010.

Now Apple, which had long resisted paying bounties to people finding the worms in their Apples recently announced that it will pay $25,000 to people who find vulnerabilities in its digital compartments and into its customers’ data, $50,000 for identifying bugs enabling hackers to gain access into iCloud data and a whopping $100,000 to anyone who finds vulnerabilities in Apple’s firmware.

TIPS

Bug bounties are a positive strategy for businesses and  government to enhance cybersecurity.  Not long ago Facebook paid a bounty to a ten year old Finnish boy.  Although the ten year old white hat hacker used his talents for good, the fact that a ten year old boy has the technological sophistication to identify and exploit vulnerabilities in commonly used software programs must give us all a bit of  concern.  As for us as individuals, the best things we can do to protect our own cybersecurity is to keep our anti-virus and anti-malware software up to date on all of our electronic devices and refrain from clicking on links or downloading attachments in all forms of electronic communication until we have absolutely confirmed that the communications are legitimate.  Otherwise, the risk of downloading malware is too great.

Scam of the day – June 15, 2016 – SEC fines Morgan Stanley a million dollars over a data breach

For over a year, the Securities and Exchange Commission (FTC) has been actively enforcing the “Safeguards Rule” requiring investment advisers to implement policies and procedures to protect the privacy and security of the information of their clients.  In 2015, R. T. Jones Capital Equities Management paid $75,000 to settle SEC charges related to the theft of customer information in a data breach.  Now Morgan Stanley Smith Barney has just agreed to pay a million dollars to settle charges that it did not have proper policies and procedures in place to protect customer information resulting in the hacking of 730,000 customer accounts and theft of information including names, phone numbers, addresses, account numbers, account balances and securities holdings.

TIPS

Regardless of how careful you are about protecting your personal information, you are only as safe and secure as the places that have your personal information with the weakest security. Therefore it is critical whenever you do business with a company that will have sensitive personal information of yours that you inquire as the commitment to security of the company and what it does to protect your data.  In this particular data breach while the information itself should not directly result in identity theft, this type of information is often gathered by cybercriminals who use it to craft carefully worded and targeted spear phishing emails that lure their victims into either trusting the email and providing personal information used by the cybercriminals for purposes of identity theft or luring the victims into clicking on malware infested links in the emails that will enable the cybercriminal to steal all of the information from your computer and use it to make you a victim of identity theft.

Scam of the day – May 7, 2016 – Facebook pays $10,000 bounty to 10 year old white hat hacker

I have reported a number of times about the “bug bounty” programs used by private companies such as Google and Facebook as well as, more recently, the Department of Defense in which is  now offering a “bug bounty” to vetted hackers who are able to identify vulnerabilities in their web pages and computer networks. Private companies, such as Google and Facebook have long made cash payments to independent hackers, sometimes called white hat hackers to distinguish them from the criminal black hat hackers, who identified vulnerabilities in their computer code.  Generally, these bounties are between $500 and $15,000, however, Google has recently announced that it has doubled the reward that it will pay anyone who finds a flaw in the security of its Chromebook to $100,000.   Google has paid out more than six million dollars in bug bounties since the program was started in 2010.

Now Facebook has announced that it has paid a $10,000 bounty to a ten year old boy from Finland who found a security flaw that enabled him to delete comments posted on Instagram accounts.  The boy has become the youngest white hat hacker to ever receive a bounty from Facebook which has paid 4.3 million dollars to white hat hackers through its bounty program.

TIPS

Bug bounties are a positive strategy for businesses and  government to enhance cybersecurity.  Although the ten year old white hat hacker used his talents for good, the fact that a ten year old boy has the technological sophistication to identify and exploit vulnerabilities in commonly used software programs must give us all a bit of  concern.  As for us as individuals, the best things we can do to protect our own cybersecurity is to keep our anti-virus and anti-malware software up to date on all of our electronic devices and refrain from clicking on links or downloading attachments in all forms of electronic communication until we have absolutely confirmed that the communications are legitimate.  Otherwise, the risk of downloading malware is too great.

Scam of the day – April 23, 2016 – Google doubles bounty for white hat hackers

Last month, I advised you about the new  “bug bounty” program announced by the Department of Defense in which it is offering a “bug bounty” to vetted hackers who are able to identify vulnerabilities in its web pages and computer networks.  However, private companies, such as Google and Facebook have long made cash payments to independent hackers, sometimes called white hat hackers to distinguish them from the criminal black hat hackers, who identified vulnerabilities in their computer code.  Generally, these bounties are between $500 and $15,000, however, Google has recently announced that it has doubled the reward that it will pay anyone who finds a flaw in the security of its Chromebook to $100,000.   Google has paid out more than six million dollars in bug bounties since the program was started in 2010.

TIPS

This is a positive strategy for businesses and  government to follow to enhance cybersecurity.  As for we as individuals, the best things we can do to protect our cybersecurity is to keep our anti-virus and anti-malware software up to date on all of our electronic devices and refrain from clicking on links or downloading attachments in all forms of electronic communication until we have absolutely confirmed that the communications are legitimate.  Otherwise, the risk of downloading malware is too great.