The Massive U.S. Capitol Attack We’re Ignoring

https://www.youtube.com/watch?v=dIdPk25c93M’ format=’16-9′ width=’16’ height=’9′ custom_class=” av_uid=’av-mo9up3′

Capitol Attack Could Go Way Beyond a Physical Breach

When Trump supporters occupied the US Capitol last week, hundreds of rioters gained unrestricted access to the offices of our Representatives and Senators . You can see one such invader sitting here in House Speaker Nancy Pelosi’s office. But we have to ask ourselves, did the breach stop there?

What we see in these images is not just a physical petentration of the very symbol of our democracy, but potentially a coordinated cyberbreach as well. In addition to ransacked filing cabinets, exposed desktops and confidential documents waiting to be shredded, it’s nearly certain that laptops were stolen, mobile devices pocketed and malware-enabled USB devices plugged into the same computers that run our government. From years of studying organized crime, let me assure you that any mob that has so premeditated an attack that they bring chemical agents and pipe bombs to the riot, has likely planned a corresponding cyber intrusion as well. In fact, physical destruction in corporate cybercrime is often just a diversionary tactic to keep investigators from focusing on a far more damaging digital takeover.

What if the rioters had access to and were reading all of the emails between Congress and the Capitol Police prior to the inauguration? What if they have the ability to freeze congressional computers during an impeachment procedure or transitional handoff?

As the FBI and Secret Service investigate members of the seditious mob attempting insurrection on American soil, I implore them to not forget the hallowed DIGITAL ground that underlies our legislative branch of government – and our way of life.

Twitter Hack Reminds Us That David Can Still Fell Goliath

twitter_hack_david

The twitter hack began as a quiet scheme to steal and sell unusual user names, which carry high currency in gamer and hacker circles.

But as the day wore on, the attack took over dozens of accounts belonging to corporations like Apple and celebrities like Joe Biden, Barack Obama, Bill Gates, Elon Musk and Kanye West. The hackers used the celebrity access to appeal to their followers for funds:

twitter hack of Joe Biden's accountAt least $180,000 worth of Bitcoin flowed into the hackers’ accounts.

By the time the hackers were done, they had broken into 130 accounts and dramatically exposed gaping holes in Twitter’s security.

What organized Goliath cybercrime ring was responsible?

Seventeen-year-old Florida resident, Graham Ivan Clark (David, for the purpose of this metaphor).

From the affidavit:

Graham Ivan Clark, 17  without authorization gain [sic] access to Twitter Inc.’s Customer Service Portal. Clark used social engineering to convince a Twitter employee that he was a co-worker in the IT department and had the employee provide credentials to access the customer service portal.

Clark then accessed the Twitter accounts of prominent individuals, including VP Joe Biden, former President Barack Obama and business [sic] such as Apple and Coinbase. Clark then posted on their Twitter accounts a communication that if Bitcoins are sent to accounts they will be doubled and returned to the victim. 

Despite the hackers’ cleverness, their plan quickly fell apart, according to court documents. They left hints about their real identities and scrambled to hide the money they’d made once the hack became public. Their mistakes allowed law enforcement to quickly track them down.

If Twitter, a company that spends millions on security ever year, can be hacked by a 17-year-old, so can your organization. But it wasn’t the technology that was hacked, it was the people. 

It is no surprise that the twitter hackers used the same tool that leads to a majority of damaging corporate breaches: social engineering. Twitter says that a few employees were targeted in a phone spear phishing attack, which suggests that hackers called Twitter employees while posing as members of the Twitter’s security team, and got them to reveal the credentials they use to access internal systems.

Once inside the system, they had free rein to do anything they wanted with any Twitter account. The next time this breach happens, the criminals will be more organized, and will use their access to launch a much more devious, lucrative scheme.

I hope Twitter invests as readily in their security awareness training and social engineering defenses as they do on their technology. And I hope you do as well, as it’s no fun to be beaten by David.

John Sileo is a cybersecurity expert, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences virtually and around the world and is the CEO of The Sileo Group, a technology think tank based in Colorado

Don’t Be Naive: Obama/Biden “Twitter Hack” Not What It Seemed

 

I’m betting that the recent Twitter hack of prominent political and celebrity Twitter accounts was politically motivated and nation-state operated. But that’s not what “the investigators” say. And that false narrative could have massive implications for your privacy. Here’s the background in a nutshell:

Approximately 130 high-profile Twitter accounts were hacked on July 15 in what the company is calling a “coordinated social engineering attack”.  Victims included politicians like Barack Obama and Joe Biden, heads of mega companies like Tesla CEO Elon Musk, Amazon CEO Jeff Bezos and Microsoft CEO Bill Gates, and company accounts like Apple and Uber. Ironically, Donald Trump’s account has “extra security” protecting it from access, which begs the question, why don’t we all get added security if it’s possible?

Using various angles (“feeling grateful”, “giving back to my fans”…), hackers posted tweets on the compromised accounts saying that if followers sent Bitcoin to a wallet address then they would receive double the amount in return. No one falls for those scams anymore, right? At least 363 transactions occurred and the account received more than $118,000 in just a few hours. 

Investigators believe the people behind the twitter hack appear to have come from the “OG” community, a group interested in original, short Twitter handles such as @a, @b or @c, for instance. It is thought that they worked with at least one Twitter employee to gain access to an internal tool that allows staff to change email addresses associated with accounts; the hackers were able to reset the passwords of 45 of the accounts. The OG Community is not known to be tied to any nation state and their motivation is supposedly a mix of financial gain, hacker bragging rights, and disruption. So let me get this straight:

Experts are saying that cybercriminals got their hands on the Twitter accounts of 45 of the most powerful people on the planet and the best they could come up with was a tired Bitcoin scheme that made them $118,000? That’s pocket change to cybercriminals, and might be the lamest attribution for a hack I’ve ever heard. 

The key words above are “The OG Community is not known to be tied to any nation state” which is exactly why a nation-state like Russia would use technological tools like TOR’s Onion Router and trumped up OG user accounts to hide behind a plausible, alternative hacking group that would take the attention off of the real motivation. I can’t tell you how many historical cyberattacks I have seen that have been digitally disguised behind a highly-attractive alternative reality. 

Here is a fundamental law of cyberattacks: Hacker attribution (who actually performed the hack) and hacker motivation (why the hack was performed), is an exceptionally difficult puzzle to solve, and often manipulates outsiders in exactly the opposite direction. 

Twitter says no passwords were stolen, but they have not yet been able to confirm whether direct messages were compromised. I’m guessing that it will come out down the road that both passwords and direct messages were compromised. That’s how the corporate publicity machine works: the first message claims little damage and the truth comes out subsequently when we have all stopped paying attention (e.g., Target, Equifax, Marriott…).

So What Was the Point of the Twitter Hack – $118,000? NOT!

Clearly, nation-states don’t need $118,000 in Bitcoin, right? The twitter hack was simply a dry run for political disinformation attacks, cyber blackmail and campaign IP eavesdropping that will manifest closer to our presidential election. Nation-states that have a horse in the U.S. presidential race were testing the waters and covering their tracks by pointing to a plausible alternative explanation.

Yes, this hack raises questions about Twitter’s ability to secure its service against election interference and misinformation ahead of the U.S. presidential election, but those questions have existed for at least four years now. It also threatens the confidentiality and privacy of direct messages sent through Twitter; incredibly powerful information in the race for power. Politicians, business leaders and individuals alike should migrate their private messages to apps like Signal or even the less secure but better than Twitter option of Apple Messages. 

John Sileo is a cybersecurity expert, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences virtually and around the world and is the CEO of The Sileo Group, a technology think tank based in Colorado

Cybersecurity Experts Fight for Your Encryption Rights

Cybersecurity experts and privacy advocates like myself are stepping up to protect strong encryption standards, which are facing an all-out legislative assault from the current administration and the Senate. But we need the help of business leaders like yourself to maintain the privacy of your data. Here is an excellent excerpt from Joseph Marks of The Washington Post:

The bill, called the Lawful Access to Encrypted Data Act, is the harshest among a number of efforts to weaken encryption across the Justice Department and Congress.

It would effectively require tech companies to weaken access to their secure systems to ensure law enforcement with a warrant can track terrorists, sexual predators and other criminals. But that would also make it far easier for cybercriminals and adversary nations to hack into troves of government, financial and health records,“ (emphasis mine).

C-level executives, board members, business managers and entrepreneurs, here is what I have learned from 15 years in this business: you can either listen to and evaluate the overwhelming consensus of cybersecurity experts before the damage is done, or you can attempt to recover once it is too late. Most leaders choose to pay attention to these topics only after they have been directly affected, which is a far costlier and more painful path. If I were advising your board or executive leadership team, I would recommend that you contact your Senator and Representative and swing as much weight as possible to dissuade this bill from passing.

Nothing is more important than catching criminals and protecting our children, but this bill is a wolf masquerading in sheep’s clothing.

John Sileo is a cybersecurity expert, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences around the world and is the CEO of The Sileo Group, a technology think tank based in Colorado

iPhone Security Crash Course: 13 Hacker-proofing Tips

 

iPhone Security In the Mid/Post-Pandemic World

We are no longer just addicted to our iPhones; we are officially in a committed relationship, thanks to the pandemic. We mobile office from them, bank from them, attend doctor’s appointments, kids’ classes and Zoom happy hours from them. And in the midst of all of this critical and effective use, we are dropping our guard when it comes to iPhone security. 

But there is good news! Changing your default privacy and security settings keeps you from being shark bait (because hackers usually go for the easy kill). Even for iPhone users, who often mistakenly believe that all security is taken care of by Apple. Spoiler – it’s not. Smartphone security takes mindful tweaks on your part – even if Apple does a good job of rooting out malicious apps. Here is a short description of what steps I would take first to to defend your phone (other than never losing it). 

Too much reading? Check out the webinar – in less than an hour I’ll walk you through HOW to do it all for less $ than an Apple dongle!

smartphone privacy

iphone Security Webinar: Wednesday, June 24 @ 1pm ET

Cost: $29

Register: Sileo.com/webinar

Course Description: iPhone Security – See Below (Note: Android OS will not be covered)

 

The Lucky 13 –  iPhone Security & Privacy Tweaks   

  1. Prune Your Apps. You have far more apps on your phone than you use regularly. Outdated and extraneous apps are a backdoor into your privacy. Delete those you don’t use often (Apple can help automate this) and reinstall when needed. Before you install a new app, find trusted reviews online to determine the company’s privacy and security record.
  2. Auto-Update Your iOS. Turn on automatic updates for your iOS operating system so that security patches are installed immediately upon release. This protects you from something called zero-day exploits, which I will explain as I demo how to turn this on during the webinar). Safari is part of the operating system, and just as vulnerable to hacking  as on your computer, making these updates even more critical.
  3. Hide Your Location. Your flashlight app (not  the Apple one) may be spying on you.Third-party apps often request access to iPhone features and data they don’t really need, like your location, camera, contacts, and microphone. Turn off location sharing on most apps, and set it to “Only While Using App” on most of the rest. Bring your app-specific location questions to the webinar.
  4. Hide Your Contacts, Photos & Conversations. Many apps have access to your contacts, calendar, photos, Bluetooth, microphone, camera and health data. Customize these settings to only allow access to apps that you trust or that have to have access to work.
  5. Robustify Your iPhone Passcode. Four digits is not enough! Six-digit numeric codes are still vulnerable to cybercriminals. Even if you conveniently unlock your iPhone with a thumbprint or facial recognition, the passcode behind the biometric is what gives it all of its strength! Lengthening codes is a bit confusing, so I will save it for the online demonstration.
  6. Password Manage Your Online Accounts. Mobile password aggregators help you create unique, long and strong passwords for all of your online accounts. The iPhone integrates with many common password managers to make logging in to critical sites faster and safer than the old fashioned way. Happy to make “endorsement-free” product recommendations if you need them.
  7. Double Your Passcodes. When you turn on two-step logins (aka, two-factor authentication), a hacker’s ability to break into your online accounts plummets. Having a passcode you know (the one you memorize to get into your phone) and a passcode you have (from a passcode authenticator app or text message), makes you exponentially safer. Enable this on every cloud service you use, from email to banking, health sites and business logins to social media. And make sure you turn it on for iCloud, which stores a backup of everything on your phone.
  8. Backup Your Phone. Whether you back up to a physical computer or to iCloud, this is the best way to recover from ransomware or a lost, stolen or hacker-scrambled phone.
  9. Stop Brute Force Logins. If you’re worried about your device falling into the wrong hands, you can prevent an attacker from brute-force break-ins using the “erase data” option. This automatically deletes all data on your phone after 10 consecutive failed login attempts. Just don’t ever forget your code, and be careful that your kids don’t erase your data by entering the wrong code too many times!
  10. Shut Down Eavesdropping Advertisers. Many websites use cross-site tracking to monitor your surfing habits so that marketing companies and advertisers can push products and services tailored to your interests. This can be turned off in Safari for iOS. It is also possible to block pop-ups, enable fake website warnings, disable location-based and interest-based ads and switch from Google’s search engine to a more private source like DuckDuckGo.
  11. Enable Location Tracking and Wiping
  12. Secure Your Free Wi-Fi Hotspots (VPN)
  13. Disable Creepy Photograph Tracking

If you are looking for a bit of hand/phone holding, join my webinar, where I will walk you through HOW to implement all 13 iPhone Security Steps.

Webinar: iPhone Security Crash Course: 13 Ways to Keep Hackers & Advertisers Out

Every website you visit, location you frequent and app you use on your iPhone can be tracked, hacked and abused. By default, your smartphone is open to cellular providers, digital advertisers and cybercriminals. Until, of course, you proactively take steps to minimize how your private data is being captured, shared and sold. 

In this iPhone-specific workshop, John will perform a live demonstration of 13 critical iphone security and privacy settings. Bring your iPhone to the webinar, as you will be actively changing settings during the presentation. 

Smartphone Privacy & iPhone Security Tools Covered Will Include:

  1. App pruning and vetting
  2. Operating system patches and automatic updates
  3. Limiting location tracking performed by Apps
  4. Keeping hackers out of contacts, photos and voice recordings
  5. Hack-proof passwords (almost)
  6. Implementing a password manager
  7. Turning on two-step logins on vital online accounts
  8. How to back up your phone in case of loss or ransomware
  9. Eliminating brute-force logins
  10. Disabling advertising tracking and sharing
  11. Enabling location tracking and wiping in case of loss
  12. Installing and utilizing a VPN to protect Wi-Fi usage
  13. How to disable creepy photo location tracking
    If time permits:
  14. Evaluating of the Pros/Cons of biometric passwords (fingerprints and facial recognition)
  15. A discussion on the security of Apple Pay and Wallet options
  16. Banking and investing vulnerabilities on you smartphone

By the end of this webinar, your iPhone will be 99% more secure than the average smartphone user. Time for Q&A with John will be provided at the end of the demonstration.

Zoom Security in 7 Steps (Video + Graphic)

https://www.youtube.com/watch?v=CTDjDCiI9Hc’ format=’16-9′ width=’16’ height=’9′ custom_class=” av_uid=’av-mo9up3

Since this video was recorded, Zoom has issued several security updates. Learn more at the Zoom Security web page and don’t forget to update to the latest version!

Zoom Security Transcript:

Hey, everybody. It’s good to see you back again. Today we’re going to talk about seven steps you can take to lock down your Zoom Security. At this point I have heard from clients everything from seeing naked people showing up in their webinars, incredibly embarrassing, bad for the brand. I’ve seen hacked Zoom accounts. I have seen whiteboards and presentations that have been shared with racial epithets, with everything terrible under the sun.

So, I thought I’d give you some ways to lock your Zoom video conference down. Here we go. I’m just going to show you right on the screen so that you can set these up either as we go or right afterwards. First of all, you’ll notice on the zoom interfaces, which I’m showing you here, that there is now a security tab. It allows you to lock your meeting, so that once you have everybody in that you want and you don’t want a Zoom bomber, somebody who comes in not wearing clothes or shares their screen, you can lock the meeting, so that nobody else can get in. Super important that you use that right there, so I’m going to lock my meeting. Nobody else at this point can get in.

Secondly, you can have a waiting room so that nobody can talk to each other until you come in. This is great for teachers or if you don’t want people discussing anything before the meeting starts before you as the controller of the meeting beginning it. This one’s super important and I’m going to show you how to set these up as your defaults in the second part here, but sharing your screen, this allows the participants to share their screen. We don’t want that on unless you really want them to share because this is how they share everything from the whiteboard where they write … What I’ve seen is is nasty racial epithets on it, or they share their PowerPoint presentation with stuff that you don’t want to see.

So, we do not want them to share the screen by default. Again, we’ll set that up in a minute, but you can turn it on and off here. You can turn chat on and off and renaming themselves. This means that if you kick somebody out, they can rename themselves and come back. So we’re going to take a look at how to change all of those things in your default settings. That’s what’s so important here. So let’s go to the default settings.

The easiest way to set up your defaults for Zoom security is when you start scheduling the meeting, you do it in that interface. So let’s say that we were going to schedule a new meeting here in our software. You bring the software up, the first thing you need to know is you want to generate a meeting ID automatically. You don’t to use your personal meeting ID because once that ID is out, once people know it, it’s on social media or whatever, anybody can join that personal meeting ID. I rarely use this feature unless it’s just for a quick meeting. You’ll also want to start requiring a password on every one of these. This is what keeps your video conference encrypted, it’s what keeps unwanted people out because they don’t have the password. So, we would go ahead and schedule that. I’m not going to do it at this point because I’m on a meeting right now.

And you’ll notice up here in the corner that there is a settings button. That’s where we want to go to set our defaults. When you do that, it brings up a bunch of choices. I’m not going to go through settings that don’t have to do with security or privacy. I’m going to just talk about the ones that have to do with privacy. So down here in the profile section, if you click on view advanced features, that will bring you up. I’m going to close that out now, that will bring you into the settings portion of your online account. And this is where we change all of the default settings. Now understand, Zoom is doing a lot of work to increase security, to have better encryption, which right now is weak and to lock down security. But until then you’re going to have to really pay attention to these default settings.

I turned my host video off from the start because I want to make sure that I know when I’m on that screen and being recorded. I turn it on when I am ready. Okay. Down here, use personal meeting ID when scheduling a meeting. Again, I turn this off by default. I do it for an instant meeting as well. I don’t like to use that generic address. Once it’s out there, anybody can Zoom bomb, they can join, just knowing that address. This is a really important one. Only authenticated users can join the meetings. There’s different ways that you can define down here what an authenticated user is. It could be somebody who has the right email address, it could be somebody based on the fact that they have a Zoom account or not. So this is an important one for security. And the same goes for joining from a web client, you want to make sure that they are an authenticated user, that they have a legitimate Zoom account, not just joining from the outside.

Right here, require a password when scheduling new meetings or instant meetings. That should be turned on by default. You will be using a password. That makes it more encrypted and that keeps unwanted users out. I also require passwords when joining by phone because it’s the same thing. You don’t want somebody calling in on a generic number and being able to disrupt your meeting. This one here, requiring cryption for third party endpoints. This is good unless you’re using YouTube to do live broadcasting. If you try and turn that on and you’re broadcasting to YouTube in a live stream, it will not work because YouTube does not work with that form of of encryption. So, if you’re not live broadcasting to Facebook or YouTube or other, you can turn that on, which improves your Zoom security.

Okay, file transfer. I turn that off unless I’m in a meeting where I’m definitely going to transfer documents because if somebody gets on that is not meant to be there, a cyber criminal or a hacker, they can transfer malware using that file transfer capability. So in general, I keep that turned off and I turn it on when I need to transfer a file. This one’s really important. Screen-sharing, who can share? I turn it on because I want to share my screen, but I also note that I’m the only one that can share the screen, not all of the participants. And then in the individual meeting or webinar, I can say, Hey, this particular user can share their screen.” I control that access. This is where Zoom bombing happens, people when screen-sharing is left open, they share photos, videos, presentations that you definitely do not want to be seeing.

So you want to control that. So you turn on screen sharing, but you turn it on for the host only. You can also disable desktop and screen sharing for users. One more tool that lets you totally lock it down. I, of course, do allow some sharing of that so I don’t completely disable it. You don’t probably want to share annotation or whiteboard or remote control of the system. You can do that again on an individual basis when you need it, but setting that as the default allows anybody that’s in your meeting or your conference to share the whiteboard or the annotating services.

This is good here, identify guest participants in the meeting. So, if you didn’t invite somebody but they’re on, they will appear in a separate participant list, so that you know that you’ve got people that you weren’t expecting there. You can either leave them on or you can cut them off.

Let’s go back up to the top real quickly and I want to show you here in the recording section as opposed to the meeting section a couple of best practices. You can give participants the permission to record locally. This is a good privacy setting. You don’t necessarily want everybody to be able to record locally, so I give that out on a very limited basis and understand anytime you record something it will be shared. So, if you’ve got a private board of directors meeting, if you’re discussing intellectual property, if you’re having a conversation or video of any time, you probably do not want that to be recorded. One other thing is I like to record on the local computer, not in the cloud. This takes away some of the ability for Zoom to be able to scan and share or advertise based on the content of your meetings.

Believe it or not, when you sign their data use policy, you are giving them the right to scan what you leave in the cloud. So, I always use a modern enough computer that I can save it right to my hard drive. And finally, the recording disclaimer, this asks participants for their consent when recording. This is a best practice. People need to know that they’re being recorded.

One last thing that I want to go through is what happens if somebody is Zoom bombing, somebody comes into your conference unwanted. I recommend always having a cohost. If you’re doing a webinar or an important meeting, somebody who can watch over, for example, the participant list. So that if somebody came up here that you didn’t want, you could simply click on them. Because I’m the cohost, you can’t do this, but you could click on more, you could have that person forced out of the meeting, to leave the meeting.

It’s a great way if somebody’s causing trouble, but it’s hard to do when you’re actually the one giving the webinar like I am right now to both monitor that, monitor the chat. That’s why I always recommend that you have a cohost along.

All right. Summary. You need to lock your meeting. You need to have passwords. Don’t use that personal meeting ID. Have it be customized for every single one and go in and change those defaults. Read through them. If you don’t understand something, Zoom walks through it on their site, they have videos on it makes it much easier to go through and customize those settings. Start by locking everything down, practice with it, and then back into your preferred settings. I just don’t want you getting out there and having a meeting on something that’s confidential in private that then gets out to to the public.

All right, thank you so much. I hope this helped out. Let me know what you want to see next time. Please like us. Pass us on. Share us. That’s how we let people know what we’re doing. Take care.

zoom security 10 tips

Cybersecurity for Your Home or Virtual Office

Cybersecurity Virtual Office Key Links from the Webinar:

ZOOM Sileo Security Video
Password Managers Review
Data Backup Physical/Cloud Backup 
ZOOM Security & Privacy Page

There is something great to be learned about cybersecurity from this pandemic. Preparing for a crisis before it happens is far less expensive than recovering after it happens. The U.S. saved several billions of dollars cutting corners on pandemic preparation, and it’s now estimated that coronavirus will cost the world more than $300 Trillion when the economy is factored in – not to mention the death toll.

Smart preparation beats recovery every time. The same is true for cybersecurity where optimism grows out of preparation. Proper cyber hygiene, just like washing your hands for a full 20 seconds, is both mildly inconvenient and wildly effective. And we need it more than ever, because cybercriminals are taking advantage of the chaos. Going remote increases the exposure of company data exponentially, especially because we had so little time to prepare.

This outline focuses primarily on solopreneurs and small businesses as I have held out some of the more technically detailed information on how larger enterprises can further protect their remote workforce. In this time when so much is outside of our control there’s actually a great deal within our control when it comes to cyber security.

7 Cybersecurity Threats in Your Remote Workplace

I’ve put together the 7 threats that I feel, from having observed thousands of organizations with remote workers, are the FIRST you should address. This is not an exhaustive list, but a great place to start.

Threat #1 – Zoom Videoconferencing – Rapid adoption has meant little security

  1. I received a call from a client who told me two things had happened 1) They discovered that a competitor was lurking on a video BOD meeting and 2) When they discovered it, the user screen-shared porn, called “Zoom bombing”. Had this been a call between business and client, it would have been devastating.
  2. It is imperative that you consider the privacy and security implications of Zoom before you use it for sensitive or critical meetings: https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
  3. This article from the NY Attorney General about Zoom privacy practices has good information https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html
  4. To learn to use Zoom, please visit Mike Domitrz’s recorded webinar on the topic: https://www.youtube.com/watch?v=aVKbnQJrrjg&feature=youtu.be

Threat #2 – You and Your Kids – People, not technology, introduce the greatest risk into your systems

  1. Coronavirus scams started the day the epidemic was announced, let’s focus on…
  2. Phishing emails are a hackers best friend. Consent to download crimeware or upload logins
  3. These scams follow the headlines, especially a crisis (can be by text, phone or SM adv)
  4. Solutions:
    • Recognize the coronavirus scams
    • Click Hygiene – pause for 20 seconds before you click – Too good to be true, too bad to be real, too dramatic to be worth your time, then ignore it
    • The Hover Technique – expectations vs. reality
    • 3rd-Party Spam Filters (corporate tip – block it at the Gateway)
    • Train your kids, as anyone on your network can download malware and spread it elsewhere

Threat #3 – Cyber Blackmail – Cheapest tool hacker has is to lockup data & demand a ransom

  1. Ransomware – byproduct of phishing
  2. Worms its way to other devices – Home offices, kids click habits are biggest culprit
  3. 3-2-1 Backup Plan – iDrive https://www.pcmag.com/reviews/idrive

Threat #4 – Game of Knowns – 95% of vulnerabilities are known

  1. Outdated & Unpatched Operating Systems and software (Windows 7 Question – Bruce)
  2. No centralized firewall to protect whole network (not just yours) DSL Router
  3. Unprotected WiFi – Change Default PW, WPA2+, SSID Masking, MAC-specific addresng
  4. Unencrypted computers, laptops and mobile devices (BitLocker & File Vault) LIABILITY
  5. Wide open Remote Access Protocol
  6. Unprotected, wide-open WiFi
  7. SOLUTION: have an IT professional configure all of the above for you – working @ home, spend the money to prevent it up front. You can learn all of this, but devil in details.

Threat #5 – Cloud Hacking – We’ve pivoted to cloud computing and ignored the storm of cybercrime

  1. Setup 2-Step Logins (2 Factor Authentication)
  2. Enable a VPN
  3. Use a Password Manager Like Keeper, Dashlane or LastPass (https://www.pcmag.com/picks/the-best-password-managers)
  4. Dropbox is NOT a secure enough platform for PII or sensitive data
  5. Bad Communication – We email, transfer & store sensitive docs in plain sight
  6. Don’t email documents with sensitive info unless they are encrypted. PDF/Winzip/TrueCrypt (Use the portal with your financial provider)
  7. Messaging: Signal; Apple Messages (Not What’sApp, Facebook Messenger or Droid)

Threat #6 – Stupid Smartphones – The supercomputers in our pockets are a security afterthought

  1. Walk through EVERY Privacy and Security Setting on your smartphone. Period. If you don’t understand the setting, Google it.

Threat #7 – The “Squirrel” After this Class – Action distraction is the primary cause of breach

  1. Even when people have a checklist of what to do, the often don’t take action until after the breach, after the pandemic.

This is a broad outline of a starter course in protecting your virtual office. To customize a virtual webinar like this one to your organization, contact John directly on the number below.

About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank and an award-winning author, keynote speaker, and expert on technology, cybersecurity and tech/life balance. John specializes in making security engaging so that it sticks. Contact him directly on 303.777.3221

 

 

Coronavirus Cyberscam Alert: Protect Your Digital Health and Safety During a Pandemic.

Hey, this is a bit of a solemn and serious post today. First of all, my heart goes out to all of those communities, families, people that are battling with Coronavirus. Just like our physical health, we have to also pay attention to our digital, or cyber health, and how we watch out for all of the disinformation that is out there. Listen, cybercriminals will always exploit the headlines. They will always take advantage of our fears and our ignorance, whether it’s for product sales, whether it’s just to make us panic or whatever the motivation. My daughter, the reason that prompted this, was a feeling of, as a dad, my daughter texted me and said, “Hey, there’s a student, I have just seen that a student is being pulled out of class, out of their dorm by people in hazmat suits.”

Well, of course, that was a social media post. It made its way all the way around the campus and was absolutely false. So I want to just let you know some of the schemes and scams that we have seen, make you aware of them so that you’re listening and that you act differently. First of all, there is just massive disinformation out there right now. There are hoaxes, there are rumors, and you need to be extra skeptical at the moment. One example, there are government advisories out there that aren’t actually being issued by governments. They are false, they are fake, they have nothing to do, for whatever reason, people are putting those out there. There are bogus home remedies of how you can solve the Coronavirus, which there’s no vaccine yet and probably won’t be for 12 to 18 months. Of course, there are home remedies like washing your hands that are legitimate.

There are products meant to defraud you, pills that you can buy, masks that don’t actually work. You have to be really careful that what you’re buying is actually legitimate. And on top of that, there’s price gouging. So masks that are going for hundreds of dollars on Amazon that you don’t probably actually need, hand sanitizer that has run out at your local store. Think before you spend all of the money on this because there are many other answers. There are a ton of fraudulent emails that scam you into clicking on Covid-19 type alerts, an alert in your hometown from your school system, a remote work policy from your work. It may not actually be your work. False test results we have seen. Covid test results. Of course, you probably haven’t been tested, but you’re tempted to click on those links. We’ve seen a bunch of videos, social media, blog posts, fake articles that spread disinformation, a lot of it about voting and the voting that we’re going through right now and polling places, politics, and so forth.

So watch all of that. This is essentially the weaponization of information. It happens all the time. It happens in the corporate world, it happens in the government, and now it’s happening around the health system because it’s in the news. So just like good hygiene, physical hygiene, washing your hands, there are cyber hygiene tips that will help you protect yourself. Number one, if you don’t recognize an email or a text, if you weren’t expecting it, don’t click on it. Don’t respond to it. It’s probably not legitimate. If you can’t verify that it’s from your work, from your kid’s school, from the government, do not believe it until you verify it. Same advice for social media. Articles, videos. Don’t believe it until you verify with a source that you trust, that you go to over and over again. Do that before you take the action that they’re talking about because most of these right now is not legitimate.

So sources like the CDC, the World Health Organization, your local news if you trust it, or the paper that you trust. Finally, if you have questions, ask an expert. Don’t count on what you see in the media necessarily, what you see on the internet, especially on the internet, as being totally legitimate until you verify. The point is, just like with cybercrime, those who think before they react with this Covid and vice versa, those who think about their digital settings and what they’re doing online and email and text and on those devices, those are the ones who prepare in advance for that, that avoid the worst outcomes. Listen, thanks so much. Sorry, it’s such a serious topic, but it’s really important that you protect both your physical health and your digital health. Thanks so much and stay safe.

Are Hackers Targeting Your Association? Here’s How to Stop Them.

 

Are hackers targeting your association?

The recent revelation that Chinese hackers penetrated the internal computer network of the National Association of Manufacturers (NAM) last summer should be a clarion call to all associations: They are coming for you. 

The suspected Chinese hackers ramped up their efforts to steal information in the days surrounding a meeting between NAM President Jay Timmons and President Trump this past summer. While we don’t know what data was stolen, the incident took place during intense trade negotiations, as US and Chinese government officials began to hash out details of a potential deal.

The primary motivating factor behind the hacking of trade associations is simple: INFLUENCE. The fact that NAM is an influential group that’s helped shape Trump’s trade policy made them an attractive target for the Chinese, who undoubtedly leveraged inside information to gain an upper hand in the talks. 

While the NAM hack is notable for its ties to the executive branch and high-stakes negotiations, the fact is that associations of all sizes and political influence are potential targets of hackers such as nation-states, foreign businesses or individual cybercriminals. In other words, you don’t need to have political or lobbying connections to be an attractive hacking target. Your member list, industry-specific intellectual property, employee data, digital connections to influencers, and banking and financial information are all just as attractive to cybercriminals and cyberextortionists as your political relationships. 

Over the past decade, numerous associations have been hacked: In May, the National Association of Realtors reported on a number of hacks of state associations and advised their members to beef up cybersecurity. Earlier hacks include (ironically) the Intelligence and National Security Alliance, the Fraternal Order of Police and the US Chamber of Commerce.

It’s not a matter of if your association will be hacked, but when

The World Economic Forum’s 2019 Global Risks Report ranked cyberattacks as the number one risk in North America. And with good reason. Data breaches alone are predicted to cost $5 trillion globally by 2024; in just the first nine months of this year, 7.9 billion records were exposed in North America. Associations haven’t traditionally been a large part of those statistics, which is exactly what makes them ripe for future picking. Lack of direct threats tends to breed complacency and lack of proactive protections.

Protecting your association from hackers and cybercriminals

As an industry association, in addition to advocating for your members, you have two vital responsibilities:

  1. Protecting your member data, financial details and intellectual property from cybercrime 
  2. Educating your members about protecting their organizations against those same evil forces

Here are the first steps you can take to fulfill both responsibilities:

  • Commission an External Cyber Penetration Test to expose your specific and known vulnerabilities
  • Educate your internal employees to detect and deter social engineering tactics like phishing, ransomware and deepfake videos
  • Prepare a data breach response plan in case you are successfully attacked. This should include a list of executive responsibilities, a public relations strategy, legal response and methods of communicating with the breach response team (remember, your email and texts and mobile devices can be compromised in a breach)
  • Educate your association members about cybersecurity best practices at your next annual event

Your reputation as an association depends on many factors. One of the most overlooked of those is the reputational damage done by a cyber breach incident, especially if member data is compromised. Take steps to manage your risk and defend your data — before it’s too late. 

About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a privacy and cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker, and expert on technology, cybersecurity and tech/life balance. John specializes in making security engaging for association and corporate audiences. Contact him directly on 303.777.3221. 

 

 

Small Business Cybersecurity: 5 Steps to Stop Cybercrime 

Small Business Cybersecurity Gone Terribly Wrong 

On August 12, 2003, as I was just sitting down to a tea party with my daughters and their stuffed animals, the doorbell rang. Standing there when I opened the door was a special agent from the economic crimes unit at the district attorney’s office—ready to charge me for electronically embezzling (hacking) $298,000 from my small business customers. The DA’s office had enough digital DNA to put me in jail for a decade. 

I was the victim of cybercrime, and I should have known better. You see, earlier that year my personal identity was stolen by cybercriminals out of my trash and sold to a woman in Florida. This woman purchased a home, committed a number of crimes, drained my bank accounts and filed for bankruptcy—all in my name. I learned all of this one day at the bank, right before I was escorted out by security guards.

The experience of losing my money, time and dignity motivated me to protect my personal information assets with a vengeance. Unfortunately, I didn’t apply my newfound cyber vigilance to my small business, which is how I ended up losing it. 

Like a lot of small business owners, it never occurred to me that my $2 million company would be targeted by cyber criminals. I figured we weren’t worth the effort, especially compared to large multinational companies like Target, Marriott, Google and Facebook. My naivete cost me my family’s business and two years fighting to stay out of jail. 

The fact is, cyber criminals are increasingly going after small and midsize businesses (SMBs) precisely because they are easier targets than larger organizations. According to the Ponemon Institute’s most recent Global State of Cybersecurity in Small and Medium-Sized Businesses report, 76 percent of  small and midsize businesses experienced a cyber attack in the past 12 months. The same report found that only 28 percent of companies characterize their ability to mitigate threats, vulnerabilities and attacks as “highly effective.” 

Not all hacking results in criminal charges being filed against the victim, as in my case, but that doesn’t mean there aren’t significant costs involved. According to last year’s Ponemon Institute study, companies spent an average of $1.43 million due to damage or theft of IT assets. On top of that, the disruption to their normal operations cost companies $1.56 million on average. 

In other words, your organization’s chances are greater than 50/50 that it will suffer a serious cyber attack in the next year or so and that the attack will have a significant negative impact on profitability. The good news is that you can eliminate much of the risk with a reasonable budget and some good leadership.

5 Small Business Cybersecurity Strategies

In my experience, good entrepreneurs begin with the following steps:

Identify All data is not created equal. Bring together the key players in your business and identify the specific pieces of data, if lost or stolen, that would make a significant impact on your operation, reputation and profitability. This could be everything from customer credit card, bank account or Social Security numbers to valuable intellectual property.

Evaluate Understand your business’ current cyber security readiness. During this step, I recommend bringing in an external security firm to conduct a systems penetration test. A good Pen Test will give you a heatmap of your greatest weaknesses as well as a prioritized attack plan. Have a separate IT provider implement the remediation plan, if possible, to provide an objective check on the security firm’s work. 

Assign Engage stakeholders from across your organization, not just those within IT. Assign a detail-oriented, tech-savvy leader other than yourself (if feasible) to oversee the analysis and implementation of your cyber strategy. Other players essential to this conversation are your lawyer and your accountant/auditor, who can help you build a breach response plan for when data is compromised. In today’s digital economy, theft and loss are part of business as usual and they should be planned for—like any other risk to your organization.

Measure Just as with any other business function, cyber security needs to be measured. Your security or IT provider should be able to suggest simple metrics—number of blocked hacking attempts (in your firewall), failed phishing attacks, days without a breach, etcetera—with which to keep a pulse on your data defense. 

Repeat Each one of these steps should be re-evaluated and updated on a regular basis. I recommend taking a look at your security during your slowest season annually. Strong cyber security thrives in the details, and the details in this realm change every year. 

The bottom line is that SMBs can no longer ignore the very real threat of cyber crime, including crime perpetrated by an insider (in 2018, 34 percent of data breaches involved internal actors and 2 percent involved partners). I learned both of these lessons the hard way. It takes an average of 73 days for organizations to contain an insider-related incident; my case dragged on for two years, during which I spent every day fighting to keep myself out of jail. 

In the end, I found out the cyber criminal was my business partner. A man I loved and trusted like a brother stole and used my banking login credentials to embezzle from our clients; he used my identity to commit his cyber crimes. He exploited my trust and then he cut the rope and let me take the fall. 

And I should have known better. So if you think your company is too small to be targeted or you’re too smart to be victimized, think again. 

About Cyber security Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author and Hall of Fame Speaker who specializes in providing security-awareness training to small businesses as well as large organizations. He has shared his experiences on “60 Minutes,” “Anderson Cooper” — and even while cooking meatballs with Rachael Ray. John earned a BS with honors in political science from Harvard University.