Posts

Hire an Ethical Hacker NOW!

You might think it’s crazy to actually hire a hacker, but if you don’t have an ethical hacker on your security team, you could be playing a dangerous game.

Ethical hackers are called “white hat hackers” and are legal hackers, that help businesses find security problems in their networks. Developer and security teams, who build out codes, should have a white hat hacker on their side. This way, they will know from the start if the code is vulnerable. This is also known as “application security”.

How Important are Ethical Hackers?

How important is this? It’s so important that even the largest companies in the world are using this practice. Take Microsoft, for instance. They host a competition for white hat hackers, and challenge them to find any bugs present in their codes. This is called a “bounty”. On participant, was able to bypass every single security measure that Microsoft had in place. Can you imagine what would happen if he was one of the bad guys?

This type of security solution should be the first line of defense for your company, as they expose the risks that your company might have. Additionally, many companies used white hat hackers to ensure that they are complying with legal standards, such as HIPAA.

Wouldn’t Security Audits Work?

A security audit is basically a checklist for what a network has and doesn’t have in place. There’s not rubber on the road. Ethical hacking is a real world test. A security audit isn’t. The job of a white hat hacker is to find as many holes in the code as possible, and then report them back to the company. Another benefit of using an ethical hacker is that the information they provide helps to enhance the detection quality of products. An audit probably wouldn’t find this information.

What Does it Mean For Your Company?

Before anything, it’s important that you realize that an ethical hacker can help you and your business. A strong security program must focus on both the security of the code and the program’s security as it runs. This is where an ethical hacker will be most beneficial. Of course, it’s best to get the coding right the first time, but mistakes happen, and this is where a white hat hacker can make a huge difference.

So, the next time you talk about staffing, remember to bring up the addition of a white hat hacker. It could be the difference between keeping your data safe or being the victim of a real hacker.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Hacker for hire a rising Trend

Hackers and wannabe hackers can easily purchase cheap tools of the trade online. The security firm Dell SecureWorks Inc. confirms this in their latest report and adds that underground markets for hackers, including those from Russia, is thriving.

11DThe “Dark Web” is the go-to place for hackers looking for guidance and tools like malware. Yes, you can buy malware. If you don’t want to be the hacker, you can hire a hacker.

There’s any number of reasons why a non-techy person would want to hire a hacker. Maybe that person wants to make money and thus hires a hacker to create a phishing campaign that generates lots of credit card numbers and other personal data for the hacker’s client to then open credit lines in victims’ names.

Maybe another client wants revenge on an ex-lover, their current boss or neighbor; they hire a hacker to crack into the target’s Facebook account, and then the client is able to log in, impersonate the victim and post comments and images that will make the victim look frightfully bad.

Dell SecureWorks Inc., also found:

  • For $129 a hacker will steal e-mails from personal Yahoo or Gmail accounts.
  • For business accounts, however, hackers want $500 per e-mail.
  • Wannabe hackers can buy phishing tutorials as well as other tutorials for $20 to $40.
  • Gee, for just $5 to $10, you can buy a Trojan virus that you can infiltrate someone’s computer with and control it—even if you’re a thousand miles away.

So booming is the hacker for hire and hacker-in-training industry, that these cybercriminals even offer customer service. Makes you wonder why hackers are selling their knowledge, tools and providing customer service, if they can make so much more money just hacking.

Well, maybe deep down inside, these crooks have a kind heart and want to help out people, even if it means helping them commit crimes. Another explanation is ego; they’re so good at what they do that they want to share their knowledge, albeit for a fee.

What else is for sale on the Dark Web? Stolen hotel points and frequent flyer accounts. Buyers can use these to get gift cards on legitimate sites, says the report from Dell SecureWorks Inc.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Hackers don’t play well with Kids’ Toys

No company is immune from hackers—even a toy company. Hong Kong based VTech got hit by a hacker recently. This company makes techy educational toys for kids, and its database got breached.

11DCustomers go to the Learning Lodge store and download content to their children’s VTech devices. The devices for downloading to are a tablet, watch and action camera.

But recently, this gateway store was attacked.

Some customers’ private information—now in the hands of the hacker—may put them at risk for being victims of identity theft or even a crime against their children. The customer database is comprised of people from many countries including the U.S., UK, Canada, China, Latin America, France and Australia.

The hacker anonymously contacted the company to reveal what was stolen: customers’ names, their kids’ names and birthdates, passwords, e-mail addresses, IP addresses, home addresses and even their secret question. And we all know that hackers have been known to find the answer to a secret question by perusing the potential victim’s Facebook posts!

At least credit card information wasn’t leaked.

But imagine how unnerving it is to know that someone out there has your mailing address, IP address, children’s names and birthdates. Oh, and it doesn’t stop there. The hacker revealed that photos of kids were also leaked.

Customers were notified and since, VTech has made changes to the attacked website in the name of preventing another breach, though it’s not publically known what those changes were.

Many toys and gadgets for kids are connected to the Internet. But don’t let fear of data breaches stop you from buying educational devices for your kids. Today’s connected toys offer a whole new educational experience.

  • Google the gadget to see if it was ever hacked or has “vulnerabilities.”
  • Immediately scan the product once purchased.
  • The toy should be connected only to a secure Wi-Fi network.
  • Keep its software and firmware updated regularly.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Meet the FBI’s most wanted Hackers

Want to earn up to $4.2 million? Then find the hackers on the FBI’s most wanted list. Or at least give the FBI information leading to their arrest and/or conviction. These snakes have stolen hundreds of millions of dollars. Here is the list from the hackernews.com:

Evgeniy Mikhailovich Bogachev (reward: $3 million)

  • Ironically, one of his aliases is one of the most common (and thus easily cracked) passwords: lucky12345.
  • He’s the brains behind the GameOver Zeus botnet and CryptoLocker Ransomware.
  • Over a million computers were infected with this malware, causing nearly $100 million in losses.

Nicolae Popescu (reward: $1 million)

  • From Romania, Popescu tricked Americans with fraudulent auction posts on various websites.
  • AutoTrader.com, Cars.com and eBay were some of these sites.
  • He was selling cars that didn’t exist. (Please, people, never, ever send money for something as grand as a car unless you have proof it exists—which includes actually test driving it!)
  • Hundreds of people sent money without ever seeing more than an ad for the cars. If you think that’s bad, it gets worse: Some of the victims handed over their money for private planes and yachts! Nearly 800 people didn’t have on their thinking caps, but this doesn’t make Popescu’s deed any less obscene.

Alexsey Belan (reward: $100,000)

  • Belan breached the cybersecurity systems of three big U.S. based e-commerce sites.
  • He then tried to sell all of these stolen databases, which included passwords.

Peteris Sahurovs (reward: $50,000)

  • His crime involved creating and selling malware by putting ads up on various websites.
  • These advertisements forced users to buy the phony antivirus software that the ads pitched.
  • If the user declined the purchase, their desktop would be bombarded with phony security alerts and pop-ups.
  • This crook from Latvia collected over $2 million with the scheme.

Shailesh Kumar Jain (reward: $50,000)

  • Despite the name, Jain is a U.S. citizen.
  • He scored $100 million in less than two years.
  • He should have quit while he was ahead (maybe after the first $10 mil?), but he just couldn’t earn enough, so he kept hacking away at unsuspecting Internet users.

With fraudulent e-mails and pop-up ads, he tricked users into thinking their computers were infected with malware, and then sold them his fake antivirus software packages for $30 to $70. Do the math: Can you imagine how many people got rooked?

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Hackers for Hire both Good and Bad

Ever see those public bulletin boards with all the business cards on them? Don’t be surprised if you spot one that says “Hacker•for•Hire.” These are hackers who will, for a nice juicy fee, hack into your wife’s Facebook account to see if she’s cheating on you.

4DHowever, there’s at least one hackmaking site that matches hackers to clients who want to infiltrate a network for personal gain or even revenge. The site, Hacker’s List, is a good idea, certainly not the first of its kind; the site’s founders (who wish to remain anonymous) get a piece of the pie for each completed job. Kind of sounds like one of those freelance job sites where someone bids on a posted job. The client must put the payment in escrow prior to the job being carried out. This pretty much guarantees payment to the hacker.

The site began operation in November. Imagine the possibilities, like business people getting a complete list of their competitors’ clients, customers, prices and trade secrets. And yes, a college student could hire a hacker for changing a grade. Makes you kind of wish you were skilled at hacking; what a freaking easy way to make a lot of money.

Is a site like this legal? After all, cracking into someone’s personal or business account is illegal. The site has a lengthy terms of service that requires agreement from users, including agreeing not to use the service for illegal activity. The verdict isn’t out if Hacker’s List is an illegal enterprise, and further complicating this is that many of the job posters are probably outside the U.S.

Hacker’s List was carefully developed, and that includes the founders having sought legal counsel to make sure they don’t get in trouble.

Hiring hackers can easily occur beyond an organized website where jobs are posted and bid on. And there’s no sign of this industry slowing down. The line of demarcation between good hackers and bad is broad and blurry, beginning with legitimate businesses hiring hackers to analyze the companies’ networks for any vulnerabilities.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

Goodguy Hacker Selling Bad Guy hacks

Makes you wonder what these guys would have accomplished had they been born during the Renaissance…case in point: Kevin Mitnick, whose genius was so impressive as a cyber criminal (he hacked into IBM, Motorola, Sun Microsystems and other big-name outfits), that after serving prison time, he was hired as a good guy to help security teams develop penetration-proof systems.

4DBut Mitnick is now onto another venture: Absolute Zero Day Exploit Exchange. Mitnick wants to sell zero-day exploits (targeted surveillance), for at least a hundred grand each. In a wired.com article, for which Mitnick was interviewed, he states: “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.” He has not revealed how much he’s sold or to whom.

But Mitnick says they aren’t necessarily government related. For example, a buyer might be a penetration tester. He says he doesn’t want to help government agencies go around spying. Why would he want to assist the very people who locked him up in prison?

It’s anyone’s guess who’d be willing to shell out $100,000 for one of these tools (which would be used to garner information about bugs in the system that have not been addressed by security patches). After all, giants like Facebook pay only tens of thousands of dollars for this kind of tool.

Mitnick isn’t the only entrepreneur in the selling of secret hacking techniques; it’s already been going on. One of the skepticisms of this venture is just whom the buyer might be. Mitnick says he’ll carefully screen his buyers.

Though what Mitnick is doing is legal, it still snags attention because of his past. This guy was once the most wanted cyber criminal in the world, having made a career of hacking from his teens to early 30s, finally getting captured in 1995.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

When a Good Guy Steals Your Identity

Chris Roberts is a hacker. But not a black hat hacker, like the bad guys you may associate with the term. He’s a white hat hacker, or an ethical hacker, and no, that isn’t an oxymoron. Chris is the kind of guy you definitely want on your team, because if he weren’t, he’d be your worst nightmare.

I had the opportunity to meet up with him at the McAfee Focus 2010 event. His appearance fits the hacker stereotype: he’s tall and lanky, with a Viking beard and, I’m pretty sure, some tattoos. And he carries around a bag of tricks that could probably take down the Pentagon. He’s got every sort of gadget that could be used to sniff, spy, and hack.

Companies hire Chris to determine what their weaknesses are, and how vulnerable they are to a potential attack.

NetworkWorld profiled Chris, and, in the article, he brought attention to the fact that many people assume they won’t be targeted by identity thieves because they don’t have money, or status, or even good credit:

“So many people look at themselves or the companies they work for and think… Why would somebody want something from me? I don’t have any money or anything anyone would want… While you may not, if I can assume your identity, you can pay my bills. Or I can commit crimes in your name. I always try to get people to understand that no matter who the heck you are, or who you represent, you have a value to a criminal.”

No kidding.

Your Social Security number, which represents your total identity, is always valuable to a criminal. Because our system lacks full accountability when it comes to identification, anyone can use your data to pose as you.

Until the day comes, if it ever does, that we are effectively identified and authenticated, we will always be vulnerable to imposter fraud and identity theft.

Identity theft can happen to anyone. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first and provides live access to fraud resolution agents. For additional tips, visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss credit and debit card fraud on CNBC. (Disclosures)