Equifax Data Breach Protection Tips


How to Protect Yourself from the Equifax Data Breach

Equifax, one of the three major consumer credit reporting agencies, disclosed that hackers compromised Social Security and driver’s license numbers, as well as names, birthdates, addresses and some credit card numbers, for more than 143 million Americans. If you have a credit profile, you were probably affected.

Credit reporting companies collect and sell vast troves of consumer data from your buying habits to your credit worthiness, making this quite possibly the most destructive data security breach in history. By hacking Equifax, the criminals were able to get all of your personally identifying information in a one-stop shop. This is the third major cybersecurity breach at Equifax since 2015, demonstrating that they continue to place profits over consumer protection. Ultimately, their negligence will erode their margins, their credibility and their position as one of the big three.

But that isn’t your concern – your concern is protecting yourself and your family from the abuse of that stolen information that will happen over the next 3 years.

Minimize Your Risk from the Equifax Data Breach

  1. Assume that your identity has been compromised. Don’t take a chance that you are one of the very few adult Americans who aren’t affected. It’s not time to panic, it’s time to act.
  2. If you want to see the spin that Equifax is putting on the story, visit their website. Here’s how the story usually develops: (1) they announce the breach and say that fraud hasn’t been detected; (2) a few days later, when you aren’t paying attention, they retract that statement because fraud is happening; (3) sometime after that they admit that more people, more identity data and more fraud were involved than originally thought. They encourage you to sign up for their free monitoring (which you should do), but monitoring does nothing to actually prevent identity theft; it just might help you catch it when it happens.
  3. I recommend placing a verbal password on all of your bank accounts and credit cards so that criminals can’t use the information they have from the breach to socially engineer their way into your accounts. Call your banks and credit card companies and request a “call-in” password be placed on your account.
  4. Begin monitoring your bank, credit card and credit accounts on a regular basis. Consider watching this video and then setting up account alerts to make this process easier.
  5. Visit AnnualCreditReport.com to get your credit report from the three credit reporting bureaus to see if there are any newly established, fraudulent accounts set up. DON’T JUST CHECK EQUIFAX, AS THE CRIMINALS HAVE ENOUGH OF YOUR DATA TO ABUSE YOUR CREDIT THROUGH ALL THREE BUREAUS.
  6. MOST IMPORTANTLY, FREEZE YOUR CREDIT. The video above walks you through why this is such an important step. Some websites and cybersecurity experts will tell you to simply place a fraud alert on your three credit profiles. I am telling you that this isn’t strong enough to protect your credit. Freezing your credit puts a password on your credit profile, so that criminals can’t apply for credit in your name (unless they steal your password too). Here are the credit freeze websites and phone numbers for each bureau. Equifax is being overwhelmed by requests, so be patient and keep trying. Even if it doesn’t happen today, you need to Freeze Your Credit!

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742

John Sileo is an award-winning author and keynote speaker on cybersecurity. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Trump Russia Investigation Update: Did Campaign HELP Russians Plot Disinformation Strategy?

Honestly, we don’t know yet. There was a time when our voting preferences, our political leanings, our policy choices were our own business. Now they are someone else’s business, quite literally. There are so many stories coming out about Donald Trump’s connections to and collusion with the Russians that it is getting hard to keep these accusations straight. Here’s the latest:

Trump Russia Investigation Update

The key word is help. As in, actively provide information that the Russians may not have been able to discover on their own. “Help” is not a synonym for encourage, appreciate or enjoy.

Without getting too political (because after all, this is a cyber security blog), here are the basics of the Trump-Russia Investigation from a cyber security perspective:

  1. The Trump campaign had possession of a huge amount of information about American voters from Cambridge Analytica, the data mining firm hired to help collect and use social media information to identify and persuade voters to vote (or not vote), through an activity known as political micro-targeting.
  2. Jared Kushner, the president’s son-in-law and now a senior adviser in the White House, was head of digital strategy during the campaign, meaning he was overseeing this effort to micro-target voters.
  3. The Russians unleashed bots (automated accounts and scripts) that swept across the Internet, picked up fake or harshly critical news stories about Hillary Clinton and disseminated them across the United States. By Election Day, these bots had delivered critical and phony news about the Democratic presidential nominee to the Twitter and Facebook accounts of millions of voters.
  4. Some investigators suspect the Russians micro-targeted voters in swing states, even in key precincts where Trump’s digital team and Republican operatives were spotting unexpected weakness in voter support for Hillary Clinton.

So the question is this: Did the Trump campaign, using what we assume to be lawfully obtained micro-targeted voter intelligence, give the Russians access so that they could point harmful disinformation campaigns at those vulnerable jurisdictions?

Many top security analysts doubt Russian operatives could have independently “known where to specifically target … to which high-impact states and districts in those states.” As Virginia Sen. Mark Warner said recently, “I get the fact that the Russian intel services could figure out how to manipulate and use the bots. Whether they could know how to target states and levels of voters that the Democrats weren’t even aware (of) really raises some questions … How did they know to go to that level of detail in those kinds of jurisdictions?”

And that is Senator Mark Warner’s mistake – that the micro-targeting had to be so specific that it only hit potential Trump voters in certain jurisdictions. It did not. The campaigns could have been aimed at every person in that state, let alone the jurisdiction, only touching the opinions of those who were ready to hear the message. A phishing campaign isn’t sent only to those people in an organization most vulnerable to that type of social engineering – it is sent to everyone, and the most vulnerable are the only ones that respond. Similarly, it was good enough for Russia to cast their anti-Hillary message in the general vicinity of the target; there was no need for a bullseye to render the disinformation campaign to be effective. Those who received the message but were slightly outside of the voter profile or geographical jurisdiction simply recognized it for what it was, false news. The rest were unethically influenced.

But we don’t know yet whether there is a connection between the micro-targeting big data purchased by the campaign and the Russian botnet disinformation attack. We do know, however, that Russia attempted to influence the outcome of the election, and that is what we, as cyber security experts, must focus on.

Either way – collusion or not – the implications against our privacy (let alone the political ramifications of foreign entities influencing our election process) are huge. Remember, the Trump campaign had obtained this huge volume of information on every voter, maybe as much as 500 points of data from what kind of food do they eat to what are their attitudes about health care reform or climate change. And yes, I’m sure the Democrats had much of the same information and probably didn’t “play fair” either. The point is that we have gotten so far beyond just accepting that our personal information is readily available and easily manipulated that no one is even bringing up that part of the story.

We, America, have been lulled into allowing everyone else – corporations, our government, even foreign nations – to have more access to our data footprint than even we do. 


Is Russian Hacking of U.S. Nuclear Power Plants a Reality?

New Evidence Points to Russian Hacking of U.S. Power Grid

Russian hacking of the United States’ power grid isn’t just probable, it is already happening.

Hackers recently breached at least a dozen U.S. power plants, including the Wolf Creek nuclear facility in Kansas. It appears they were searching for vulnerabilities in the electrical grid, likely to be exploited at a later, more critical time. In a related case, hackers also recently infiltrated an unidentified company that makes control systems for equipment used in the power industry. Although none of the security teams analyzing the breaches have linked the work to a particular hacking team or country, the chief suspect is Russia. Why are they the primary suspect? Because Russian hackers have previously taken down parts of the electrical grid in Ukraine across several attacks and seem to be testing more and more advanced methods.

An analysis of one of the tools used by the hackers revealed that it contained the stolen credentials of a plant employee, a senior engineer, likely obtained through a spear-phishing campaign. There have been similar campaigns from the same hackers against targets in Ireland and Turkey, as well as “watering hole” attacks meant to infect victims with malware based on their predictable and routine visits to certain websites.

Spend a minute imagining the destruction if a foreign nation or terrorist group brought down a portion of the U.S. electrical grid during the freezing cold of winter, near the control tower of an airport, or just prior to launching a military invasion (see what happened in Ukraine).

Here’s the most important thing you need to understand – what has been launched so far are NOT ATTACKS, but preliminary tests. The Russians (or whoever is behind these “penetration tests”) want to know our vulnerabilities before they need to exploit them. They are merely testing the waters, so the absence of a serious event is definitely NOT proof that their efforts are not working. In fact, that is the mistake that many businesses make about cyber security – they wait until AFTER a successful attack on their data to become believers in the need for prevention.

In this case, as in many, the hackers’ first beta strikes are aimed at non-critical business networks; that’s how they come to learn the “language” of that particular power provider. Once they know the patterns, prejudices and back doors of these systems, they begin applying what they’ve learned to mission-critical operational systems. THAT’S HOW THEY TURN OFF THE LIGHTS, ONE TINY STEP AT A TIME.

And that is also the window in which we must solve our weaknesses. The metaphorical shot has been fired across the bow – we KNOW that someone is hacking into our nuclear power grid. But the bomb hasn’t yet landed in one of our neighborhoods. What are you doing to prevent “lights out” in your business? Organizations that have a Best Practice Cyber Security Plan already know how to avoid the dark. 



Cyber Security Experts: NotPetya isn’t Ransomware – It’s Cyber Warfare

CYBER SECURITY EXPERTS SCREAM: IT’S NOT ABOUT MONEY, IT’S ABOUT INFLUENCE!

What will it take for the world to believe that cyber warfare, like the latest NotPetya Attack, is real and it is HERE NOW?

Will it take your company ceasing operations for the day, as hundreds of companies in at least 64 countries were forced to do?

Will it take your long-awaited surgery being cancelled, as occurred for many patients at Heritage Valley Health Systems in Pittsburgh?

Or will it ultimately take people dying (think power grids, airport operations, nuclear power plants being controlled) before everyone takes notice?

We read the headlines: another ransomware attack has hit, blah, blah, blah. It almost gets annoying hearing about them! Until you really think of the implications above. Yes, this time it mostly affected Ukraine, but someday, it will be YOU AND ME!

So, back to a brief recap in case you are one of the people who skipped the headlines. (Hopefully I’ve scared you just a little bit now so you’ll care to read on)

  • On Tuesday, May 27, 2017, an attack was launched which at first appeared to be a follow up to the WannaCry ransomware attack.
  • Ukraine was the main target (the attack appeared to have been timed to hit the day before a holiday marking the adoption in 1996 of Ukraine’s first Constitution after its break from the Soviet Union), but it quickly spread to other countries, even a few in Russia (which came through fairly unscathed…hmmm).
  • At first, ransomware notices appeared, but researchers soon determined those were probably a smokescreen to hide the fact that this is cyber warfare, not a new version of the Petya that spread in 2016. Matt Suiche from Comae Technologies notes: “We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.”

So it’s cyber warfare, not ransomware. What does that mean?

  • NotPetya is a destructive disk wiper: THEY DON’T CARE ABOUT THE MONEY, BUT ABOUT DESTRUCTION AND DISRUPTION. It is more an instrument of war than of finance.
  • It does not delete any data but simply makes it unusable by locking the files and then throwing away the key. The end result is the same; you never get a chance to recover your files.
  • It is used for political purposes and for their destructive effects, not for monetary gain.

Could it have been prevented?
YES, YES, YES!

Microsoft released patches related to these known vulnerabilities in MARCH! Obviously, some companies and individuals chose not to deploy these fixes, because they continue to think that they won’t pay the price (or they just aren’t paying attention). Attacks like this prey upon KNOWN VULNERABILITIES that could have and should have been solved last year. A good patch-management protocol would have eliminated the threat from your organization, period.


Cyber security experts like myself suggest the following steps to ensure you are as prepared as possible against future attacks:

  • Enforce effective password protection or implement password management software to ease the convenience burden
  • Segment your network so that all areas are not connected all the time. When one area goes down, you haven’t lost your entire computing footprint.
  • Define your critical data and know where it lives (servers, cloud, laptops, databases, mobile devices, workstations, etc.)
  • Apply security patches religiously and regularly according to a well-thought-out roll-out plan that minimizes downtime
  • Implement multi-factor authentication for employee logins
  • Have commercial-grade backups so that if you have to restore your entire data organization, it can be done quickly and effectively. Test your backup protocol annually to make sure it works when needed.
  • Ensure that you have a firewall between you and the internet (preferably configured to default deny everything but legitimate traffic)
  • Keep anti-virus, 3rd-party spam filters and intrusion detection software up-to-date as well as workplace applications
  • Provide memorable security awareness training regularly for your employees

Listen, I’m telling you now that next time, it will be your data that is locked up, and at that point it will be too late, unless you have taken the steps above (and others) to defend the data that pays your check every week.


Investigate Russian Hacking for Security, Not Politics (and get on with governing)

Our national security depends on cyber security, and Russian hacking threatens those defenses. Every day that I come to work, I see an erosion of traditional power structures at the hands of increasing cyber threats. The hacking of Yahoo and of the DNC by Russian operatives are two such examples that have potentially shifted the balance of power from our marketplace and political sphere into the hands of Vladimir Putin, Russian cyber criminals and anyone piggybacking on their technology. Now that Roger Stone, an administration advisor, has admitted to contact with the DNC hacker (Guccifer 2.0), the ties are too direct to ignore. But we shouldn’t be doing this for purely political reasons; we should be doing it to clear our President and his administration of wrongdoing so that they can go on about governing the country and implementing their vision.

If we don’t investigate the potential Russian hacking of the DNC with a thoroughness similar to or better than that applied to the Yahoo hack, we are as much as admitting defeat in the cyber realm and simultaneously suggesting a coverup for political expediency. This isn’t about a single politician; this is about an entire political system. Cyber IS the new warfare, and we as a nation can acknowledge it now or after it is generally too late (which is what most corporations do). We don’t just need to get to the bottom of administration involvement; we need to get to the bottom of how Russia has inserted itself firmly in the midst of our democracy via hacking, trolling and kompromat (a Russian term for compromising materials, like hacked emails and tax records).

Here are my recommendations for proceeding with a neutral investigation of the charges, so that we can clear our President and move on to discovering the source of our weakness:

  1. Name a bipartisan select committee to investigate the alleged Russian hacking of our presidential election and President Trump’s ties to Russia. As they say, sunlight is the best disinfectant, and I’m certain that the administration has nothing to hide. But doing nothing sends exactly the opposite message – one of coverups and collusion for the sake of an election. 
  2. Since both Intelligence Committee Chairmen, Senator Burr and Representative Nunes, have close ties to President Trump, their involvement gives the appearance of bias. Taking a page from the book of Attorney General Sessions, both should recuse themselves from the investigation to eliminate all accusations of impropriety. 
  3. Appoint a well-respected Republican to chair the investigation so that it will be neutral, aggressive and fair. This is the only way to quiet the suspicion of corruption. Again, since the administration has nothing to fear, this is the only way to make the findings credible. To have colluded with Russia in any way would have been political suicide, so let’s prove this conversation false once and for all. 
  4. As part of its process, the committee would be wise to review Trump’s tax returns (in a confidential, non-public setting) to dispel any beliefs about his business or financial ties to Russia (of which he has assured us there are none) and extinguish two myths with a single stroke.
  5. Commission an external, forensic cyber-penetration test to determine where the weaknesses lie within our cyber security so that loopholes can be closed before the next attack. This MUST be an external audit because there is too much at stake to leave this to governmental IT teams just trying to keep their jobs. Like students grading their own papers without oversight, unscrutinized self-assessments are necessarily faulty assessments. 

The end game of this investigation should be apolitical and focused on righting the cyber weaknesses inherent in our national cyber infrastructure.

John Sileo is the award-winning author of Privacy Means Profit (Wiley & Sons), a cyber security expert and a keynote speaker on all topics involving cyber security training. Contact him directly here.

Happy About the Election Hacking of Your Presidential Vote?

Election Hacking Confirmed: The NSA, CIA and FBI have universally concluded that Russian President Vladimir Putin interfered with, and quite possibly changed the outcome of, our Presidential election. Regardless of who you voted for, your vote has been hacked. If you are a Clinton supporter, you face the prospect of your candidate having lost the election due to manipulation. If you are a Trump supporter, it’s possible that our future President’s mandate and credibility have been significantly undermined and eroded.

This is a major loss for both sides of the political spectrum – it is a massive loss for America as voiced by politicians both Republican and Democrat. In case you haven’t had time to keep up with the findings of the Director of National Intelligence, here are the nuts and bolts of what the NSA, CIA and FBI agreed on unanimously and with high confidence (a nearly unprecedented occurrence in intelligence history).

As quoted or summarized from the non-partisan report:

  • “Putin ordered an influence campaign aimed at the US presidential election” in order to “undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency.”
  • “Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton.”
  • Putin held a grudge against Clinton because he publicly blamed her for inciting mass protests against his regime in late 2011 and early 2012.
  • “Putin publicly pointed to the Panama Papers disclosure [which implicated many of his wealthy friends and political supporters] and the Olympic doping scandal [which embarrassed him publicly] as US-directed efforts to defame Russia.” [Explanatory emphasis mine]. The hacking of the US election is seen to be a retaliatory effort against those and other perceived slights against his leadership.
  • “Russian intelligence services collected [information] against the US primary campaigns, think tanks, and lobbying groups they viewed as likely to shape future US policies.”
  • The GRU [Russian military intelligence] used fake media outlets like DCLeaks.com to disseminate hacked emails from the DNC, Colin Powell and John Podesta [Clinton’s campaign manager] in a massive traditional media and social media campaign aimed at undermining the Clinton candidacy.
  • Russian media hailed President-elect Trump’s victory as vindication of Putin’s advocacy of global populist movements – the theme of Putin’s annual conference for Western academics in October 2016 – and the latest example of Western liberalism’s collapse.

Trump has continued to downplay and even deny Russia’s role in influencing the election, despite overwhelming evidence from every American intelligence agency. Can you blame him? For Trump to give Russia or Putin credit would be to undermine his own legitimacy and claim to the presidency. After all, who wants to feel like they won the election as a byproduct of someone else cheating on their behalf?

This is where we get to see what Congress is made of. Will they bury the story to protect their new leader and risk the stability and credibility of our country? If not, Putin will have achieved his ultimate goal – significantly weakening our democracy.

Can Size of Trump’s Hands Explain DNC Hack?

Not unlike the purported size of his hands, Donald Trump has a rather small file of publicly known information compared to those who have been in the political spotlight for many years. That could be one of the motivating factors behind the recent hacking of the Democratic National Committee. While the size of Trump’s hands has little to do with any serious conversation, it does remind us that foreign nation states are highly motivated to collect the private information of powerful people. 

The DNC revealed recently that two groups had gained access to their information; one (dubbed Cozy Bear) had been monitoring the committee’s emails and chats for as long as a year. The other, “Fancy Bear”, hacked into the DNC in April to get opposition research files and was able to gain access to all of the DNC’s research staff computers.

The DNC said that no financial, donor or personal information appears to have been accessed or taken, suggesting that the breach was traditional espionage, not the work of criminal hackers. They suspect hackers used spearphishing emails to gain access. The DNC, which became aware of a possible breach after noticing “unusual network activity”, immediately contacted CrowdStrike to shut down the intrusion. CrowdStrike attributes the hack to Russian government hackers (although an individual calling himself Guccifer 2.0 has claimed responsibility and even released supposed documents). The two groups have hacked government agencies, tech companies, defense contractors, energy and manufacturing firms, and universities in the United States, Canada and Europe as well as in Asia. Cozy Bear, for instance, compromised the unclassified email systems of the White House, State Department and Joint Chiefs of Staff in 2014.

The Why Behind the DNC Hack

Naturally, other countries have a keen interest in the U.S. presidential election because they will have to deal with the particular policies, strengths and weaknesses of a potential future president. The emails and chats they’ve been able to observe probably contained very informative strategy and analysis.

As for the information on Trump, which was largely news stories, court documents and video clips that anyone could gather, what makes it so valuable is that he has one of the shortest political resumes of any modern presidential candidate. The DNC has spent the better part of a year gathering research going back years on Trump. Rather than spend their own time aggregating data on Trump, the hackers simply stole it from the DNC.

Foreign governments would want to know, for example, about Trump’s foreign investments in order to understand how he would deal with countries where he has those investments should he be elected. They may also want to know about his style of negotiating.

As the Presidential Election nears and the rhetoric ramps up, expect to see additional breaches of political data. The DNC Hack is a perfect example of politically motivated cyber espionage that has nothing to do with financial gain. Has your organization identified and protected its critical information assets? Failing to do so might allow your risk to get out of hand. 


Zuckerberg Hacked: How Not to Be Like Mark


Mark Zuckerberg Hacked Because of Weak Passwords

It seems Mark Zuckerberg might be a little lazy, or a little stupid, or at the very least a little embarrassed. The undisputed king of social media has had two of his social media accounts hacked. Granted, it was not his Facebook account, just his Pinterest and Twitter accounts, the latter of which he hasn’t used since 2012. A Saudi Arabian hacker team named OurMine has taken credit for the attack, claiming they got his password from the recent dump of information obtained in the LinkedIn data breach from 2012.

Let’s see where Mr. Zuckerberg went wrong, using the safe password development tips (quoted below) from his very own creation: Facebook.

Make sure your password is unique, but memorable enough that you don’t forget it. Supposedly, Zuckerberg’s password was “dadada”.

Don’t use a password that you use on other sites – if one site gets hacked and your password is stolen, hackers will often try it on other sites. Clearly, he used it on at least three sites.

Don’t share your password with anyone. If you think someone else has it, you should change it. When LinkedIn was hacked four years ago, he evidently did not change it on the other sites.
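The three tips above boil down to two checks a defender can actually automate: is this password already sitting in a public breach dump, and is it being reused across more than one account? The example below is added here and is not code from the post, from Facebook or from LinkedIn. It models the lookup the way public breached-password range services partition their data (the first five hex characters of the SHA-1 hash select a bucket, and only the remaining suffix is compared), so a checker never has to send or store the plaintext. The breach corpus, its counts and the sample accounts are constructed for this example; a real deployment would replace the dictionary with a query against a breached-password service and feed in the organisation’s own credential hashes.

```python
import hashlib

# Constructed sample "breach corpus": maps a 5-character SHA-1 prefix to the
# suffixes (and hit counts) seen in that bucket. This is the layout a
# k-anonymity range lookup returns; the values here are made up for the example.
BREACH_RANGES = {}


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the key used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _add_breached(password, count):
    """Populate the constructed corpus with one breached password."""
    h = sha1_hex(password)
    BREACH_RANGES.setdefault(h[:5], {})[h[5:]] = count


# Constructed entries: "dadada" is the password reported in the post; the
# other two and all counts are invented sample data.
for _pw, _count in [("dadada", 12345), ("password", 9999999), ("letmein", 54321)]:
    _add_breached(_pw, _count)


def breach_count(password):
    """Return how many times the password appears in the corpus (0 if never).

    Only the 5-character prefix would leave the client in a real range
    lookup; the suffix match happens locally against the returned bucket.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return BREACH_RANGES.get(prefix, {}).get(suffix, 0)


def reused_accounts(credentials):
    """Find passwords shared across sites.

    credentials: iterable of (site, password) pairs.
    Returns {sha1_hex(password): sorted list of sites} for every password used
    on more than one site. Only hashes appear in the report, never plaintext.
    """
    sites_by_hash = {}
    for site, password in credentials:
        sites_by_hash.setdefault(sha1_hex(password), set()).add(site)
    return {h: sorted(sites) for h, sites in sites_by_hash.items() if len(sites) > 1}


def audit(credentials):
    """Combine both checks into a list of findings: (what, kind, detail).

    kind is "breached" (detail = hit count) or "reused" (detail = site list).
    """
    findings = []
    for site, password in credentials:
        hits = breach_count(password)
        if hits:
            findings.append((site, "breached", hits))
    for _h, sites in sorted(reused_accounts(credentials).items()):
        findings.append(("/".join(sites), "reused", sites))
    return findings


if __name__ == "__main__":
    # Constructed accounts mirroring the pattern described in the post.
    sample = [
        ("linkedin", "dadada"),
        ("twitter", "dadada"),
        ("pinterest", "dadada"),
        ("bank", "7Qv!m2#xLr9pWz"),
    ]
    for finding in audit(sample):
        print(finding)
```

Running the block prints one "breached" finding per account that uses the dumped password and one "reused" finding listing the three sites that share it; the unique bank password produces nothing. The prefix/suffix split matters in practice: an auditing tool built this way can check every employee password against a public corpus without ever transmitting a full hash, let alone the password itself.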

Instead of picking on him further, let’s talk about how this applies to someone really important: you and me.

While Mr. Zuckerberg has had to eat a little humble pie, he likely won’t suffer any serious damage from this incident. Others, however, aren’t so lucky. More than 100 users of TeamViewer, a German software company whose product gives users remote access to computer desktops, have had accounts taken over since the LinkedIn data was made public. The criminals then used TeamViewer to authorize transactions through Amazon or PayPal. The company believes the activity is linked to the recent rash of data disclosures.

There is also the strong possibility that users of LinkedIn may be more likely to use those same passwords in their professional lives. That could expose users’ business data or allow hackers to take over accounts at job or travel sites.

I am constantly amazed by the corporations I speak to that haven’t yet instilled strong password habits among their employees. They spend hugely on intrusion detection, but don’t take the time or the minuscule investment required to solve what I call a gatekeeper flaw. Employees are the gatekeepers of your valuable data, and if they don’t protect it with strong passwords, no amount of security software will cover this inexcusable and easily solvable mistake.

How are you training your people on strong passwords? 


Panama Papers a Lesson in Cyber Security

Whether data breach or insider leak, the Panama Papers cyber security lessons are still the same.

By now, you’ve heard about the leaked papers from a Panamanian law firm implicating world leaders, sports figures and celebrities alike in a scheme to shelter massive wealth in off-shore corporations (if not, see the NYTimes summary below for relevant links). At this point it is still unclear whether the 11.5 million records were obtained through hacking or leaked from someone inside of the Panamanian law firm.

But from a cyber security perspective, the lessons are nearly identical either way. At issue here is the massive centralization of data that makes either breach or leakage not only inevitable, but downright convenient. World leaders and executives alike must have a sense of déjà vu from the leakage of the NSA documents by Edward Snowden several years ago. From a security perspective, it is baffling in both cases that one individual would have access to such a trove of data. This suggests that the records were not properly segmented, encrypted or subjected to user-level access permissions.

Now, it’s possible that the administrator in charge of the law firm’s computer network facilitated the breach (remember, someone with SysAdmin access always has the keys to everything when it comes to data), but I highly doubt it, as this is easily monitored and punishable. We may never know exactly how this breach transpired, but there are several lessons you can absolutely take from the Panama Papers:

  1. Segmentation. If the critical data inside of your organization is not segmented or divided across different digital locations, it’s like keeping all of your gold under the same mattress.
  2. Encryption. In the event that the Panama Papers were obtained by a hacker, this suggests that the data was not properly encrypted to keep out prying eyes. Most businesses still only have a partial encryption strategy on their data (either at rest or in transit) and this lack of an end-to-end encryption solution is what dooms them to breach.
  3. User-Level Permissions. We don’t know how the Panama Papers were accessed, but if we learn from Edward Snowden, the amount of global digital access you give to your employees makes a huge difference. A contractor like Snowden probably should have never had permission to access so much information across such a wide spectrum. He was only a contractor – imagine what a true insider could have accessed.
  4. Monitoring. Any organization that has implemented a secure firewall can monitor how much data is leaving their servers. More sophisticated software lets many companies know exactly what data is leaving the premises and exactly who is responsible. But both of these cases require human intervention to read the warning signs and take action. Target knew that their POS system was being breached, but no one acted on the red flags.
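To make lessons 3 and 4 concrete, here is a small added example (not code from the original post or from any firm it mentions) of a record store that enforces user-level permissions per data segment and flags any single account that reads more than a set fraction of all records. The record IDs, user names and segments are constructed for illustration.

```python
"""Added example: least-privilege record access plus bulk-read monitoring.
All records, users and segments below are constructed, not real data."""

# Constructed client records, each owned by one segment (office).
RECORDS = {
    "C-1001": {"segment": "panama", "client": "Client A"},
    "C-1002": {"segment": "panama", "client": "Client B"},
    "C-2001": {"segment": "london", "client": "Client C"},
    "C-2002": {"segment": "london", "client": "Client D"},
}

# User-level permissions: each account may read only the segments its job needs.
PERMISSIONS = {
    "alice": {"panama"},                   # associate, Panama office only
    "bob": {"london"},                     # associate, London office only
    "sysadmin": {"panama", "london"},      # the "keys to everything" account
}

def read_record(user, record_id, audit_log):
    """Return the record if the user's segments cover it, otherwise None.
    Every attempt, allowed or denied, is appended to audit_log for monitoring."""
    rec = RECORDS.get(record_id)
    allowed = rec is not None and rec["segment"] in PERMISSIONS.get(user, set())
    audit_log.append({"user": user, "record": record_id, "allowed": allowed})
    return rec if allowed else None

def bulk_readers(audit_log, max_fraction):
    """Monitoring: users whose distinct successful reads exceed max_fraction
    of the whole store. Returns a sorted list of (user, records_read)."""
    seen = {}
    for entry in audit_log:
        if entry["allowed"]:
            seen.setdefault(entry["user"], set()).add(entry["record"])
    limit = max_fraction * len(RECORDS)
    return sorted((u, len(r)) for u, r in seen.items() if len(r) > limit)

def denied_counts(audit_log):
    """Monitoring: number of denied attempts per user (probing for data
    outside one's segment is itself a warning sign worth reviewing)."""
    counts = {}
    for entry in audit_log:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts

if __name__ == "__main__":
    log = []
    for rid in RECORDS:                     # one account sweeps the whole store
        read_record("sysadmin", rid, log)
    read_record("alice", "C-2001", log)     # cross-segment read is denied
    print(bulk_readers(log, 0.5), denied_counts(log))
```

The alert thresholds are deliberately simple; the point is that both the permission check and the audit trail exist, so that a single account sweeping the store is visible rather than silent.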

It’s too late for Mossack Fonseca to go back and right these cyber security wrongs. For you, it’s not too late.

Panama Papers Quoted Directly from the NYTimes.com:

The leaks from the Panamanian law firm, Mossack Fonseca, involve more than 11.5 million documents, nearly 215,000 companies and 14,153 clients of the firm, according to the German newspaper Süddeutsche Zeitung, which got the information and shared it with some other media outlets and the International Consortium of Investigative Journalists, a nonprofit group.

They began reporting Sunday on the leaks, now known as the Panama Papers, which have implicated a range of politicians, celebrities and sports figures, including close associates of President Vladimir V. Putin of Russia, President Petro O. Poroshenko of Ukraine, Prime Minister Nawaz Sharif of Pakistan, current and former members of China’s ruling Politburo and FIFA, the worldwide association for soccer.

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Ransomware: Cyber Security Expert's Next Big Threat

Ransomware: A Vital Course on the Next Big Cyber Threat

Ransomware is pretty much exactly what it sounds like: it holds your computer or mobile phone hostage and blackmails you into paying a ransom. It is a type of malware that prevents or limits users’ access to their system and forces its victims to pay the ransom through certain online payment methods in order to regain access to their systems or to get their data back.

It’s been around since about 2005, but earlier this year, the FBI issued an alert warning that all types of ransomware are on the rise. Individuals, businesses, government agencies, academic institutions, and even law enforcement agents have all been victims.

Crowti (also known as Cryptowall) and FakeBsod are currently the two most prevalent ransomware families. These two families were detected on more than 850,000 PCs running Microsoft security software between June and November 2015. Another to take note of is known as Fessleak, which attacks Adobe Flash flaws. It is part of a “malvertising” trend that pushes a fileless exploit into memory and uses local system files to extract and write malware to disk from memory.

How Ransomware Paralyzes Your Computing

There are different types of ransomware. However, all of them will prevent you from using your computer normally, and they will all ask you to do something (pay a ransom) before you gain access to your data. Ransomware will:

  • Lock your desktop or smartphone and change the password or PIN code
  • Encrypt important files so you can’t use them (photos, taxes, financials, My Documents, etc.)
  • Restrict your access to management or system tools (that would allow you to clean the computer)
  • Disable input devices like your mouse and keyboard
  • Stop certain apps from running (like your anti-virus software)
  • Use your webcam to take a picture of you and display it on screen or on a social network
  • Display offensive or embarrassing images
  • Play an audio file to scare you (e.g. “The FBI has blocked your computer for a violation of Federal law.”)

Common Ransomware Demands

  • Generally they demand money in order to unlock your system. Usually, they demand payment through an anonymous payment system like Bitcoin or Green Dot cards, and promise to give you the key if you pay the ransom in time (for example, $17,000 to be paid within 72 hours was the demand given to the Hollywood Presbyterian Hospital, which had all of its life-critical medical records frozen).
  • Sometimes the ransomware shows a “warning from the software company” telling you that you need to buy a new license to unlock your system. Other times, ransomware will claim you have done something illegal with your computer, and that you are being fined by a police force or government agency. These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your computer and files.

How to Prevent Ransomware Blackmail

The best way to avoid downloading malware is to practice good computer security habits:

  • Create an offsite backup of your files. Seriously, right now. And make it automatic, so that it happens at least once a day. An external hard drive is one option, but be sure to disconnect it from the computer when you are not actively backing up files. If your backup device is connected to your computer when ransomware strikes, the program will try to encrypt those files, too. If you have a secure cloud backup service that encrypts your files before sending, consider using that as an offsite backup.
  • Don’t click on links or open attachments in an email unless you know who sent it and what it is. Instead type the URL of the site you want directly into your browser. Then log in to your account, or navigate to the information you need.
  • Make sure your software is up-to-date.
  • Don’t download software from untrusted sources.
  • Minimize “drive-by” downloads by making sure your browser’s security setting is high enough to detect unauthorized downloads. For example, use at least the “medium” setting in Internet Explorer.
  • Don’t open “double extension” files. Sometimes hackers try to make files look harmless by using .pdf or .jpeg in the file name. It might look like this: not_malware.pdf.exe. This file is NOT a PDF file. It’s an EXE file, and the double extension means it’s probably a virus.
  • Install and use an up-to-date antivirus solution.
  • Ensure you have SmartScreen (in Internet Explorer) turned on.
  • Have a pop-up blocker running in your web browser.
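The “double extension” trick above is easy to screen for automatically. The following is an added example (not from the original post) that classifies attachment names so that a file like not_malware.pdf.exe is reported as an executable disguised as a document; the extension sets are constructed and not exhaustive.

```python
"""Added example: screen attachment names for the double-extension trick.
The two extension sets are illustrative, not a complete list."""

# Extensions Windows will run when double-clicked (constructed, not exhaustive).
EXECUTABLE = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "msi", "pif"}
# Extensions that make a file look like a harmless document or image.
DOCUMENT = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "txt"}

def classify_attachment(name):
    """Return 'document', 'executable', 'disguised_executable' or 'other'.
    'disguised_executable' is the not_malware.pdf.exe case: the final extension
    is executable and an earlier one is a document type. Windows Explorer hides
    known extensions by default, so such a file can display as not_malware.pdf."""
    parts = name.strip().lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return "other"                      # no usable extension at all
    last = parts[-1]
    inner = parts[1:-1]                     # extensions between base name and last
    if last in EXECUTABLE:
        if any(p in DOCUMENT for p in inner):
            return "disguised_executable"
        return "executable"
    if last in DOCUMENT:
        return "document"
    return "other"

def suspicious_attachments(names):
    """Return the names that should not be opened without further checks:
    anything executable, disguised or not."""
    return [n for n in names
            if classify_attachment(n) in ("executable", "disguised_executable")]

if __name__ == "__main__":
    # Constructed sample attachment names for a quick demonstration.
    sample = ["invoice.pdf", "not_malware.pdf.exe", "setup.exe", "photo.jpg", "README"]
    for n in sample:
        print(f"{n:22} -> {classify_attachment(n)}")
    print("block:", suspicious_attachments(sample))
```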

If You Become a Victim of Ransomware

  • Stop work! TURN OFF YOUR COMPUTER! Shut down your entire network, if possible, until help arrives. You can do this by turning off the switches or routers inside your premises. Ask your IT professional before taking this step if you think that you might be interrupting service.
  • Contact an IT Security firm that can visit your office (or home) in person. Handling this type of problem over the internet is not advised, as it could exacerbate your problem.
  • If you have an offsite backup of your data, have the IT Security firm reinstall your backup and clean it of any ransomware before putting the data and computers back on the network.
  • Alert other people on your network, as any work completed after infection will be overwritten when the backup is restored.

There is conflicting advice regarding paying ransom. Truly, there is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again. Paying the ransom could also make you a target for more malware. On the other hand, if you have not backed up your files, you may have little choice. Almost 90% of the companies that we have studied as victims of ransomware end up paying the ransom to have their systems unlocked – but only about 50% of them ever receive the unlocking code promised. It’s a gamble, but if you don’t have an off-site backup, it’s probably one you are going to need to take.

John Sileo is an award-winning author, recognized expert and keynote speaker on cyber security. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.