Posts Tagged: ‘hackers’

Scam of the day – June 30, 2014 – Even hackers use weak passwords

June 29, 2014 Posted by Steven Weisman, Esq.

I am constantly warning people to use complex, distinct passwords for all of their online accounts in order to prevent the passwords from being stolen and deciphered when encrypted.  The easiest passwords for an identity thief to decipher are those that use any word in the English language or passwords less than twelve characters.  A complex password should also mix small letter, capital letters, figures and symbols for maximum protection.  However, many people do not do this and are at great risk of identity theft because of their lack of prudence in choosing a password.  These people should feel a little better about themselves, however, because a recent study by computer security company Avast found that even the hackers don’t generally use strong passwords.  According to Avast only about 10% of hackers use difficult to decipher passwords, with the average hacker password only six characters long.  In fact, the most popular password for hackers, was “hack.”

TIPS

Just because hackers don’t take enough precautions to protect themselves does not mean that you should neglect having a strong password.  You should have a separate password for all of your online accounts so if your password for one account falls into the hands of an identity thief, your entire online life is not threatened.  You should also change your passwords about every six months.  Creating an easy to remember, but complex password is not very difficult.  Start with a phrase, such as “AVeryComplexPassword” and then add a some numbers and symbols, such as “AVeryComplexPassword1**.”  You can then personalize it to a particular account by adding an abbreviation for that account at the end.  For example, your password for Amazon could be “AVeryComplexPassword1**Ama.”  Easy to remember and hard to break.

Scam of the day – June 26, 2014 – Hedge funds hacked

June 26, 2014 Posted by Steven Weisman, Esq.

Hedge funds are aggressively managed investment portfolios that are largely unregulated.   They generally are used by only the wealthiest of people.  They also have become a ripe target for hackers who, according to a recent report by computer security firm BAE System, have been hacking into the computers of these funds and causing financial harm in a multitude of ways.  According to BAE, one unnamed hedge fund lost millions of dollars after hackers managed to infiltrate their computers through simple spear phishing tactics by which the hackers tricked hedge fund employees into clicking on links in infected emails that downloaded malware into the hedge fund’s computers that enabled the hackers to learn about impending trades and then delay the trades while the hackers traded first based upon the stolen information.   Another way that the hedge funds have been attacked is through the ransomware  program Cryptolocker, about which I warned you repeatedly since November of 2013.  Cryptolocker is a type of malware that infects the computer of the unwary victim and encrypts all of the victim’s data making it unusable unless they pay a ransom to the criminal hacker.

TIPS

The financial industry as a whole has not taken sufficient security precautions and steps to protect themselves and our economy from the attacks of scammers, hackers and identity thieves.  Just because you have not heard of many of these hackings as much as with high profile hackings of Target and other companies is very much because quite often the companies do not disclose that they have been hacked.  The hedge fund industry’s sophisticated digital trading systems have become attractive targets to hackers and the hedge fund industry has not taken the necessary security steps to protect the integrity of their business from attack.  Unfortunately, this type of crime is something that is going to get worse before it gets better.  Whenever you are investing your money with a company, you should first inquire as to the security steps taken by the company.

Scam of the day – June 1, 2014 – Stoners need not apply – at least not yet

June 1, 2014 Posted by Steven Weisman, Esq.

The FBI takes cybercrime seriously as do many law enforcement agencies and companies around the world.  In a creative move to enhance its cybersecurity, British banks began hiring hackers to hack into their banks in an effort to learn where the vulnerabilities of their security systems are and how to correct those flaws.  Similarly, the FBI is reaching out to hire young hackers to come work for the FBI to help combat cybercrime and black hat hacking.  However, in a recent speech to the White Collar Crime Institute, FBI Director, James B. Comey spoke about the difficulty of finding hackers who meet the FBI requirement of not having smoked marijuana for the preceding three years.  Director Comey acknowledges that this presents a problem to the bureau when it comes to hiring knowledgeable hackers.  According to Comey, “I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview.”  Comey did say, however, that the FBI is considering changing its drug policy in the future, which would help tremendously in hiring the knowledgeable hackers it desires.

TIPS

If the FBI maintains its present drug policy, it stands little chance of hiring sufficient new agents to combat the serious cybercrimes of today.  With the laws and public perception of marijuana use dramatically changing, hopefully the FBI will make the necessary changes to its drug policy to enable it to hire the new agents it needs.

Scam of the day – April 21, 2014 – IRS misses Windows XP deadline

April 21, 2014 Posted by Steven Weisman, Esq.

It has been six years since Microsoft informed its customers that it would no longer support the Windows XP operating system, thus giving its users plenty of time to install a newer operating system, such as Windows 7.  Without continuing technical support, the Windows XP operating system will be dramatically vulnerable to hackers exposing flaws in the program to the detriment of stubborn people still using this program.  This is not a matter of Microsoft being greedy.  It is merely a reflection of the fact that Windows XP is too old in terms of computer software and just like after a while it becomes advisable to buy a new car instead of pouring money into repairs for an old car, it is prudent to move to another and better operating system.  It is unfortunate that many banks in the world that use Windows XP to operate ATMs and many government agencies that also use Windows XP failed to act before the April 8, 2014 deadline for Microsoft no longer providing updates.  What many of these companies and the IRS (yes, the IRS) are now doing is paying for short term support of Windows XP until they make the change over to a newer operating system.  The failure to act in a timely manner is  needlessly costing these companies and government agencies large amounts of money.  If they had merely acted in a timely manner, they would not have to be paying for these emergency services.  In a Congressional hearing last week numbers between $500,000 and $30 million dollars were tossed about as the additional cost incurred by the IRS due to their lateness in acting.  This is inexcusable.  Hackers have already been taking advantage of vulnerabilities in Windows XP to steal from ATMs and there is concern in some circles that government agencies such as the IRS may find problems due to their delay in updating their operating systems.

TIPS

Here is a warning to banks and government agencies including the IRS:  Microsoft has indicated that it will no longer do security updates for Windows 7 in January of 2020.  Don’t make the same mistake twice.

What do you think will happen?

Scam of the day – March 29, 2014 – Microsoft warns of danger in .rtf files

March 29, 2014 Posted by Steven Weisman, Esq.

Microsoft has issued a warning to people not to open files with the rtf extension due to a vulnerability that Microsoft has just discovered that could enable a hacker to send you an email with an .rtf file attached that if you download will enable the hacker to take control of your computer.  At the moment, although Microsoft has discovered the problem, they do not have a solution so they are advising people not to open such files and to consider disabling the opening of .rtf files.  RTF is an acronym for rich text format files which is a file format Microsoft developed for use with Word software.

TIPS

Microsoft has released a security advisory with more details about this threat and what you can do to reduce the danger. Here is a link to Microsoft’s security advisory about this problem: http://technet.microsoft.com/en-us/security/advisory/2953095.  For now, the best course of action is to totally avoid rtf files.

Scam of the day – March 10, 2014 – Netflix phishing scam

March 9, 2014 Posted by Steven Weisman, Esq.

Phishing is the term for a scam where you are lured to a phony website and either induced into providing personal information to what you think is a legitimate company or even a government agency or persuaded to click on what appears to be a legitimate link only to learn that by clicking on the link, you unwittingly download keystroke logging malware that will steal all of the information from your computer, smartphone, tablet or other device.  In either situation, the end result is the same.  You end up a victim of identity theft.  Recently a phony, but very good looking copy of a Netflix website was found on the Internet.  The URL for the website did have the word “Netflix” in it, but it also had a number of apparently random characters also in the URL which to a careful viewer would have been a sufficient tip off that this is a scam.  On the website was a message to call an 800 support telephone number.  If you call the number, you are told that your Netflix account has been shut down because it had been illegally accessed by hackers.  You are then told to enable the “support” team to have access to your computer or other device in in order to remotely download necessary security software to protect your account in the future.  Instead of security software, what is installed remotely is a keystroke logging malware program that enables the scammers to steal all of the information from your device and use it to make you a victim of identity theft.  In addition, the support team also asks for a photo of the customer’s identification and a credit card, which is readily able to be done using the victim’s computer or phone camera, which was actually able to be enabled through software already downloaded unwittingly by the customer.  In closing, the phony support team tells the customer that the customer will be charged as much as $400 for the security update, however, in his or her case, they will offer a discounted rate.

TIPS

This particular scam is no longer being done.  The phony website has been taken down.  However, it is a typical type of phishing scam that you must take great care to avoid.  Identity thieves are quite adept at creating legitimate looking websites that appear to be those of legitimate companies or even governmental agencies.  Whenever you go to a website for a company or agency with which you do business, make sure that you have the correct URL.  Double check it.  In this case, a savvy consumer would also know that Netflix does not supply security software.  In any event, never provide personal information, click on links or download attachments unless you are absolutely sure that you are dealing with a legitimate company that has a real reason for your information.  Although this particular scam is now down, you can expect the same pattern to repeat itself time and time again.

Scam of the day – February 24, 2014 – University of Maryland data breach

February 24, 2014 Posted by Steven Weisman, Esq.

A few days ago the University of Maryland disclosed that personal information of more than 300,000 students, faculty and other university employees connected with the university since 1998 was stolen by computer hackers.  In a statement disclosing the data theft, the university said that computer and data security was “a very high priority” the university which is hard to understand because of the lax security that led to the data theft.  Included in the compromised data were names, Social Security numbers, birth dates and other information for all faculty, staff, students and university personnel issued a university identification since 1998.  This information is a veritable treasure trove for hackers who, armed with this information, use it to for purposes of identity theft.  The University of Maryland is by no means alone when it comes to being hacked.  Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Rhode Island,  the University of Arizona, Marquette and more than 50 other colleges and universities have been the victims of data breaches in the last couple of years.  The reason for targeting universities and colleges is simple.  Generally they maintain tremendous amounts of personal information and their record for data security is not good.  Colleges and universities have much personal information that is often easily accessible within the school’s computer systems.  Too often schools have permitted the information to be on unencrypted laptops and flash drives.   In addition many schools do not have sufficient security programs in place to limit access to personal information, which the universities keep in their computers long after it is necessary to be kept, such as Social Security numbers for students who have long since graduated.

TIPS

The schools have got to start giving more than lip service to their commitment to data security. Data breach prevention systems should be implemented that include, but not be limited to updated firewalls, limited access to personal information, purging of unnecessary information  and encryption.  Personal information should not be as open and available as they presently are at this time at many universities.  if you are someone who is a victim of the University of Maryland’s data breach, you should contact the University and accept its offer of a year’s free credit monitoring.  You also should consider putting a credit freeze on your credit report because monitoring only tells you that you have become a victim of identity theft after the fact, a credit freeze can protect you from becoming a victim in many instances.  For information about credit freezes, click on the link on the right hand side of the page where it indicates, “credit freezes.”

Scam of the day – December 26, 2013 – Debit card PINs may have been compromised in Target hacking

December 26, 2013 Posted by Steven Weisman, Esq.

Although at the present time, Target continues to maintain that although 40 million debit and credit card numbers were stolen in the recent second largest retail hacking in American history, the all important PINs for the debit cards that were part of the hacking were not stolen, reports continue to indicate that PINs were indeed among the information taken by the hackers, but that the PINs were encrypted.  Target may be playing semantics with the public by saying that “no unencrypted PIN data was accessed” and that there presently there is no evidence that PINs have been compromised for the hacked debit cards.  It may well be that encrypted PINs among the data stolen.  If so, there should be real concern on the part of debit card holders whose information was compromised because sophisticated hackers have shown the ability to crack encryption of PINs in the past.

TIPS

As I have often advised in the past, retail purchases are much safer when done with a credit card than with a debit card.  If fraudulent charges are made to a person’s credit card, federal law limits the amount of liability to the card holder to no more than $50 and most banks don’t even hold the card holder responsible for any fraudulent charges, however with debit cards, the amount of liability that attaches to the debit card user if he or she does not notice the fraud within two days rises to $500 and if the fraud goes undiscovered for 60 days, there is absolutely no limit on the amount of liability of the debit card holder.  A hacked debit card holder risks losing his or her entire bank account.  And even if he or she does notice the fraudulent activity immediately, the bank account to which the debit card is tied is frozen while the bank investigates the fraud.  Don’t use a debit card for any other use other than as an ATM card.  If you have used your debit card at Target during the affected period of November 27th and December 15th, you should check the activity on your bank account to which the card is tied daily online to look for unauthorized activity and if you find any, report it immediately to your bank.

Scam of the day – November 14, 2013 – Latest software security updates

November 14, 2013 Posted by Steven Weisman, Esq.

As a regular part of Scamicide, I make sure that you are informed as to the latest security updates and patches issued by the manufacturers of the software that we all use.  The Department of Homeland Security ranks the threats posed by the various vulnerabilities discovered in the software that we all use.  Obviously those vulnerabilities ranked high merit our immediate attention because scammers, hackers and identity thieves exploit these vulnerabilities to make us victims of their schemes.  However, even the threats ranked at lower levels still warrant our attention because these vulnerabilities also can be exploited by criminals to our detriment.  Time is of the essence because security patches and updates are always issued in response to vulnerabilities already discovered and taken advantage of by wrongdoers so it is important to download the necessary updates and patches as soon as possible.  Some people are rightly concerned when they learn about security patches and updates as to whether they are indeed legitimate, which is why I provide the links to security updates and patches upon which you can rely.

TIPS

Here is the link to the Department of Homeland Security’s latest list of important software security patches and updates.  Check it out and install those updates and patches that relate to the software that you use.  https://www.us-cert.gov/ncas/bulletins/SB13-315

Let your friends know about these important updates and urge them to read Scamicide on a regular basis in order to be kept up to date with all the latest developments regarding scams and identity theft.

Scam of the day – August 18, 2013 – Urgent Microsoft security updates – How to prevent identity theft

August 17, 2013 Posted by Steven Weisman, Esq.

Identity thieves and hackers are constantly working to discover and exploit vulnerabilities in the various computer software that we use in our computers, laptops, tablets, smartphones and other portable devices  to make you a victim of online identity theft therefore it is extremely important that as flaws are discovered and patches for these flaws issued that you download the necessary security patches as soon as possible.  Identity thieves and hackers rely on the fact that many people do not keep their security software up to date and exploit this fact.  Recently Microsoft has issued new security patches for discovered vulnerabilities in various Windows programs that millions of people use.  The United States Computer Emergency Readiness Team, which is a part of the Department of Homeland Security regularly issues alerts regarding software patches you need to install and recently they issued such an alert for Windows software.

TIPS

Here is a link to the Security Advisory issued by the United States Computer Emergency Readiness Team which, in turn, provides secure links that you can trust that will take you to the necessary Microsoft security downloads.  https://www.us-cert.gov/ncas/current-activity/2013/08/15/Microsoft-Releases-Security-Advisory