Posts

Should You Use Facebook to Login to Websites?

Have you ever used Facebook to sign onto another site? Many of us do this pretty blindly simply because it is very convenient. But, this convenience could come at a cost.

You know the drill. You go to a website and it says “Log In With Facebook.” or Google. Usually, it just takes a couple of clicks and no logging in with other usernames or passwords. However, when you do this, Facebook essentially becomes your online identity. This means that anyone who knows these credentials have access to your preferences, posts, and most importantly, your personal information. What’s more is that you might be unknowingly giving permission to a third party to access your profile, view your online activities, and get information about your friends.

What Can You Do About It?

There are some things that you can do to keep yourself safe. First, of course, you should have a different username and password for all accounts. Make sure your passwords are strong and consider using a password manager. This helps to create strong passwords and keeps them safe for you.

If you play games, do quizzes, or other things on a social media platform, make sure that only necessary apps are connected. Stop connecting other apps.

You should also take some time to look at the settings you have set up for your social media accounts. Adjust them to make sure you are protected. Finally, make sure that you are logging out of your social media account when you are done with it. If you log into your social media account on your tablet or mobile phone, make sure that the lock screen is on before putting it away. Also, of course, make sure that you have a strong passcode on your device.

Control Your Data

Now is the time to take control of your data. When you choose to use a social media site to link with third-party services, apps, and sites, the social sites say that it will enhance your experience for the better. It also can make your online time more productive. At the same time, however, it can open you up to exposure, and even be an open door for hackers. It is important to understand what type of permission you are giving these apps when you click “Log in with Facebook.” Finally, if you are a parent, you should make sure that you understand what your kids are doing on social media, and take a look at what type of permission your kids have given to third-parties.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

These are the Bigtime Hackers

Hackers with big skills and a big ego will be drawn to Facebook and Twitter as their targets. But they’ll also target dozens of other companies, reports an article on arstechnica.com.

11DOne group in particular stands out as the attackers, using zero-day exploits. They are known as Wild Neutron and Morpho, says the article, and have been active possibly since 2011, burrowing their way into various businesses: healthcare, pharmaceutical, technology.

It’s been speculated that the hackers want the inside information of these companies for financial gain. They’ve been at it for three or four years; we can assume they’ve been successful.

Researchers believe that these hackers have begun using a valid digital certificate that is issued to Acer Incorporated to bypass code-signing requirements that are built into modern operating systems, explains the arstechnica.com report.

Experts also have identified use of some kind of “unknown Flash Player exploit,” meaning that the hackers are using possibly a third zero-day exploit.

The report goes on to explain that recently, Reuters reported on a hacking group that allegedly busted into corporate e-mail accounts to get their hands on sensitive information for financial gain.

You’re probably wondering how these big companies could be so vulnerable, or how it is that hackers can figure out a password and username. Well, it doesn’t really work that way. A company may use passwords that, according to a password analyzer, would take nine million years to crack.

So hackers rely on the gullibility and security un-awareness of employees to bust in. They can send employees an e-mail, disguised to look like it’s from a company executive or CEO, that tricks the employee into either revealing passwords and usernames, or clicking on a malicious link that downloads a virus, giving the hacker access to the company system’s stored data. It’s like removing a dozen locks from the steel chamber door to let in the big bad wolf.

The security firms interviewed estimate that a minimum of 49 companies have been attacked by the hacking ring’s surveillance malware. The cybercriminals have, in at least one instance, got into a company’s physical security information management system.

The arstechnica.com article notes that this consists of swipe card access, HVAC, CCTV and other building security. This would allow the hackers to surveil employees, visually following them around.

This hacking group is smart. They don’t reuse e-mail addresses; they pay hosting services with bitcoins; they use multi-staged control/command networks that have encrypted virtual machines to foil forensics detectives. The only good news is that the group’s well-documented code suggests it’s a small band of hackers, not some giant one.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Hackers for Hire both Good and Bad

Ever see those public bulletin boards with all the business cards on them? Don’t be surprised if you spot one that says “Hacker•for•Hire.” These are hackers who will, for a nice juicy fee, hack into your wife’s Facebook account to see if she’s cheating on you.

4DHowever, there’s at least one hackmaking site that matches hackers to clients who want to infiltrate a network for personal gain or even revenge. The site, Hacker’s List, is a good idea, certainly not the first of its kind; the site’s founders (who wish to remain anonymous) get a piece of the pie for each completed job. Kind of sounds like one of those freelance job sites where someone bids on a posted job. The client must put the payment in escrow prior to the job being carried out. This pretty much guarantees payment to the hacker.

The site began operation in November. Imagine the possibilities, like business people getting a complete list of their competitors’ clients, customers, prices and trade secrets. And yes, a college student could hire a hacker for changing a grade. Makes you kind of wish you were skilled at hacking; what a freaking easy way to make a lot of money.

Is a site like this legal? After all, cracking into someone’s personal or business account is illegal. The site has a lengthy terms of service that requires agreement from users, including agreeing not to use the service for illegal activity. The verdict isn’t out if Hacker’s List is an illegal enterprise, and further complicating this is that many of the job posters are probably outside the U.S.

Hacker’s List was carefully developed, and that includes the founders having sought legal counsel to make sure they don’t get in trouble.

Hiring hackers can easily occur beyond an organized website where jobs are posted and bid on. And there’s no sign of this industry slowing down. The line of demarcation between good hackers and bad is broad and blurry, beginning with legitimate businesses hiring hackers to analyze the companies’ networks for any vulnerabilities.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

Are All Hackers Bad?

The word hacker has a pretty negative connotation. It brings to mind other words like cybercriminal, thief, and malicious. It’s easy to see why hacker has a bad rep. The news is full of stories about hackers stealing data from large companies and the government. Hackers are the bad guys.

But are they?11D

Tesla just recently announced they are hiring hackers to find and fix security holes in the Model S car. Google started a league of hackers called “Project Zero” to track down security flaws in their software. Companies like Facebook and others sponsor hack-a-thons, where anyone is invited to try and crack their systems, all the time. Why would these companies want to hire or incentivize hackers?

The truth is not all hackers are the same. Here are the different kinds of hackers:

  • White hat hackers: Also known as “ethical hackers,” these hackers use their skills to make the Internet a safer place. Some white hat hackers do this for fun and then report the information to companies or sites they have broken into so the companies and sites can be fixed. It is these white hat hackers that Tesla is hiring they can find any security holes in their Internet-enabled cars before the bad hackers find and exploit them.
  • Gray hat hackers: These are the guys in the middle. They sometimes act legally, sometimes not. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits. An example of gray hat hackers is hacktivists—who hack to bring attention to a political agenda or social cause. Anonymous, a predominant hacktivist group, recently took down multiple Israeli websites in protest of the Gaza crisis.
  • Black hat hackers: These are the bad guys that give the word hacker its negative connotation. These hackers are committing crimes…and they know it. They are looking to exploit companies or you and your devices for their financial gain.

So the next time you hear the word hacker, don’t automatically assume it’s a bad thing. Hacking can used for good and evil, it all depends on the hacker’s intent.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Facebook + Hackers – Privacy = You Lose

I’m as sick of writing about it as you are sick of reading about it. But because Facebook has become a societal juggernaut: a massive inexorable force that seems to crush everything in its way, we need to discuss it because it’s messing with lots of functions of society.

We should all now know that whatever you post on Facebook is not private. You may think it is, but it isn’t. Even though you may have gone through all kinds of privacy settings and locked down your profile, Facebook has changed them up internally so many times that they may have defaulted to something far less private then what you previously set.

Furthermore, no matter how private you have set them to, if you friend someone who you don’t know (like that human resource officer), they see what’s “private” and anyone on the “inside” can easily replicate anything you post to the world.

The activist groups waging what amounts to an undeclared war against the social-networking site for the last year, complete with no fewer than three letters to federal regulators claiming Facebook’s actions are illegal said that they’re hardly ready to declare a truce.

Attacks targeting Facebook users will continue, and they could easily become even more dangerous. Computerworld reports “There are limitations to what Facebook can do to stop this,” said Patrik Runald, a U.K.-based researcher for Websense Security Labs. “I wouldn’t be surprised to see another attack this weekend. Clearly, they work.”

Websense has identified more than 100 variations of the same Facebook attack app used in the two attacks, all identical except for the API keys that Facebook requires.

What does this mean to you?

For crying out loud stop telling the world you hate your boss, neighbor, students’ teachers, or spouse and you’d like to boil a bunny on the stove to teach them a lesson. I guarantee even if you are kidding, someone won’t like it. What you say/do/post, lasts forever.

Stop playing the stupid 3rd party games. When you answer “25 questions about whatever” that data goes straight into the hands of some entity that you would never have volunteered it to.

Make sure you PC is secured. Keep your operating system up to date with security patches and anti-virus and don’t download anything from any email you receive or click links in the body of any email. Once you start messing with these files you become a Petri dish spreading a virus.

Robert Siciliano personal security expert to Home Security Source discussing Facebook scams on CNN.