Tag Archive for: Hacking

Trump Russia Investigation Update: Did Campaign HELP Russians Plot Disinformation Strategy?

Honestly, we don’t know yet. There was a time when our voting preferences, our political leanings, our policy choices were our own business. Now they are someone else’s business, quite literally. There are so many stories coming out about Donald Trump’s connections to and collusion with the Russians that it is getting hard to keep these accusations straight. Here’s the latest:

Trump Russia Investigation Update

The key word is help. As in, actively provide information that the Russians may not have been able to discover on their own. “Help” is not a synonym for encourage, appreciate or enjoy.

Without getting too political (because after all, this is a cyber security blog), here are the basics of the Trump-Russia Investigation from a cyber security perspective:

  1. The Trump campaign had possession of a huge amount of information about American voters from Cambridge Analytica, the data mining firm hired to help collect and use social media information to identify and persuade voters to vote (or not vote), through an activity known as political micro-targeting.
  2. Jared Kushner, the president’s son-in-law and now a senior adviser in the White House, was head of digital strategy during the campaign, meaning he was overseeing this effort to micro-target voters.
  3. The Russians unleashed bots, or robotic commands, that swept across the Internet and picked up fake news stories or harshly critical news stories about Hillary Clinton and disseminated them across the United States. By Election Day, these bots had delivered critical and phony news about the Democratic presidential nominee to the Twitter and Facebook accounts of millions of voters.
  4. Some investigators suspect the Russians micro-targeted voters in swing states, even in key precincts where Trump’s digital team and Republican operatives were spotting unexpected weakness in voter support for Hillary Clinton.

So the question is this: Did the Trump campaign, using what we assume to be lawfully-obtained micro-targeted voter intelligence, give access to the Russians so that they could point harmful disinformation campaigns at those vulnerable  jurisdictions?

Many top security analysts doubt Russian operatives could have independently “known where to specifically target … to which high-impact states and districts in those states.” As Virginia Sen. Mark Warner said recently, “I get the fact that the Russian intel services could figure out how to manipulate and use the bots. Whether they could know how to target states and levels of voters that the Democrats weren’t even aware (of) really raises some questions … How did they know to go to that level of detail in those kinds of jurisdictions?”

And that is Senator Mark Warner’s mistake – that the micro-targeting had to be so specific that it only hit potential Trump voters in certain jurisdictions. It did not. The campaigns could have been aimed at every person in that state, let alone the jurisdiction, only touching the opinions of those who were ready to hear the message. A phishing campaign isn’t sent only to those people in an organization most vulnerable to that type of social engineering – it is sent to everyone, and the most vulnerable are the only ones that respond. Similarly, it was good enough for Russia to cast their anti-Hillary message in the general vicinity of the target; there was no need for a bullseye to render the disinformation campaign to be effective. Those who received the message but were slightly outside of the voter profile or geographical jurisdiction simply recognized it for what it was, false news. The rest were unethically influenced.

But we don’t know yet if there is a connection between the micro-targeting big data purchased by the campaign and the Russian botnet disinformation attack.  We do know, however, that Russia attempted to influence the outcome of the election – and that is what we as cyber security experts, must focus on. 

Either way – collusion or not – the implications against our privacy (let alone the political ramifications of foreign entities influencing our election process) are huge. Remember, the Trump campaign had obtained this huge volume of information on every voter, maybe as much as 500 points of data from what kind of food do they eat to what are their attitudes about health care reform or climate change. And yes, I’m sure the Democrats had much of the same information and probably didn’t “play fair” either. The point is that we have gotten so far beyond just accepting that our personal information is readily available and easily manipulated that no one is even bringing up that part of the story.

We, America, have been lulled into allowing everyone else – corporations, our government, even foreign nations – to have more access to our data footprint than even we do. 

John Sileo is an an award-winning author and keynote speaker on cyber security. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Baby Cam Hacked: What You Can Do To Protect Yourself and Your Children

The story about the Texas parents who were terrified when their child’s video baby monitor was hacked struck me at first as a minor incident when viewed in the whole scheme of the world of hackers.  After all, it is a rare event, no one was hurt, no threats were overtly made, and the child herself even slept through the event.  But when I read more about it, I became increasingly bothered by the fact that I was not initially bothered by it!  I mean, is that the creepiest of all feelings, to know that a stranger is watching your kids?

Here’s the summary for those who missed the story.  Marc and Lauren Gilbert were in another room when they heard strange sounds coming from their daughter’s monitor.  When they went into her room to investigate, they realized it was a strange man’s voice coming through the monitor and saying disturbing things, even using the child’s name, which could be seen above her bed.  The child, who was born deaf and had her cochlear implants turned off, slept through the entire incident.  Gilbert immediately disconnected the device, which was hooked up to the home’s wireless Internet system.

It is believed the webcam system, Foscam wireless camera, was compromised.  In April, a study was released revealing potential vulnerabilities; in it the researchers said the camera would be susceptible to “remote Internet monitoring from anywhere in the world” and that thousands of Foscam cameras in the U.S. were vulnerable.  A glaring flaw (which has since been “fixed” by a firmware update in June) is that users were not encouraged to have strong passwords and were not prompted to change from the default admin password.  Gilbert said he did take basic security precautions, including passwords for his router and the IP cam, as well as having a firewall enabled.

For an interview with Fox and Friends, they asked me to consider the following questions.  I’d like to share my answers with you in case you missed it.

How easy is it to hack a baby monitor?

It’s probably an apt cliché to say it’s as easy as taking candy from a baby. Just like with any device, an iPhone, laptop, home Wi-Fi, it’s only as secure as you make it. If you’ve taken no steps, it’s relatively easy to hack. You don’t make the problem go away by ignoring it.

Why would someone do this?

Some do it for the challenge, some for the thrill of controlling other people’s lives, and unfortunately, others do it because they are sick individuals that want to watch what you do in the privacy of your home.

Is this one of the more scary cases of hacking a household device you’ve seen?

This one hits close to home because it takes advantage of our kids, but I’ve seen pacemakers turned off, blood pumps shut down, brakes applied in cars, and all of it done remotely by outsiders who are never even seen. If the device is connected to a network, I guarantee you it can be hacked, and in most cases, you never know the bad guys are in control.

How can we avoid this type of hacking of our personal devices, whether it’s a video baby monitor, an iPhone or a pacemaker?  

The good news is that’s it’s the same steps you probably already take on your other devices, like laptops, smartphones and iPads:

  1. Buy Digital. Only buy a digital monitor that is password protected, not an analog version that operates on an open radio frequency.
  2. Change Default Passwords. During setup, change the factory defaults on the monitor so that the password is long, strong and device specific. This case we are talking about probably had a default password in place, making it easy to hack.
  3. Firewall Your Privacy. Install a firewall between your Internet connection and ALL devices to keep the peeping Toms out. Hire a professional to set it up properly.
  4. Lock Down Wi-Fi. Make sure your Wi-Fi network is locked down properly with WPA2+ encryption and SSID masking so it can’t be hacked.
  5. Turn Devices Off. If you are not using the device, turn it off, as hackers can more easily crack devices that are up 24/7.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

How Secure is Your Gmail, Hotmail, YahooMail?

I just finished an interview with Esquire magazine about the security of webmail applications like Gmail, Windows Live Hotmail and YahooMail. Rebecca Joy, who interviewed me on behalf of Esquire, wanted to know in the wake of the Rupert Murdoch phone-hacking scandal, how secure our photos and messages are when we choose to use free webmail programs.

The simple answer? Not very secure. Just ask Vanessa Hudgens (nude photos), Sarah Palin (complete takeover of her email account) and the scores of celebrities and power figures who have been victimized by email hacking.

Think of using webmail (or any web-based software, including Facebook, Twitter, Google Docs, etc.) as checking into a hotel room. Unlike a house, where you have tighter control over your possessions, the same is not true of a hotel. While you definitely own the items you bring into a hotel room (laptop, smartphone, wallet, passport, client files), you don’t have nearly as much control as to how they are accessed (maids, managers, social engineers who know how to gain access to your room). In short, by using webmail to communicate, you are exchanging convenience for control.

Here are the five most common ways you lose control:

  1. The password on your email account is easy to guess (less than 13 characters, fail to use alpha-numeric-symbol-upper-lower-case, don’t change it often) and someone easily hacks into your webmail account, giving them access to your mail, photos, contacts, etc.
  2. Someone inside of the webmail company is given a huge incentive to leak your private information (tabloids that want access to a celebrity’s photos and are willing to pay hundreds of thousands for it).
  3. You populate your password reminder questions (What high school did you go to?) with the correct answers instead of using an answer that is not easily found on your Facebook, LinkedIn or Classmates.com profile.
  4. You fail to log out of your webmail while on a public computer (hotel business center, school, library, acquaintances house), allowing them to log back in to your email account using the autosaved username and password (which by default tends to stay on a system for up to two weeks).
  5. You continue to deny the fact that when you store your information in places that you don’t own, you have very little actual control.

If you are sending sensitive information of any sort (text, photos, identity, videos or otherwise), don’t use webmail or social networking to send it. Use a mail program that resides on your own computer and encrypt the sensitive contents using a program like PGP. That gives you a much stronger form of protection than ignorantly exposing your information for all to see.

John Sileo is the award winning author of Privacy Means Profit and a professional speaker on data security, privacy, identity theft and social networking exposure.

 

Information Offense – How Google Plays

Google recently offered $20,000 to the first person who could hack their web browser, Chrome. Without question, a hacker will crack it and prove that their browser isn’t as mighty as they might think.

So why waste the money?

In that question, ‘why waste the money?’ lies one of the root causes of all data theft inside of organizations. Google’s $20,000 investment is far from a waste of money. Consider:

  1. The average breach inside of an organization costs $6.75 million in recover costs (Ponemon Study). $20,000 up front to define weak points is a minuscule investment.
  2. Chrome is at the center of Google’s strategic initiatives in search, cloud computing, Google Docs, Gmail, displacing Microsoft IE and mobile OS platforms – in other words, it is a very valuable asset, so Google is putting their money where their money is (protecting their profits).
  3. By offering up $20,000 to have it hacked IN ADVANCE of successful malicious attacks (which are certain to come), Google is spending very little to have the entire hacker community beta test the security of their product.

I would bet that there will be tens or hundreds of successful hacks into their browser, all of which will be fixed by the next time they commission a hack.

Anticipating the inevitable attacks and investing in advance to minimize the chances and resulting costs of a breach is a perfect example of Information Offense. Instead of waiting for your data to be compromised (defense), you take far less costly steps up front to deflate the risk. Only the most enlightened leaders I work with inside of corporations understand the value of spending a little bit on security now to reap huge benefits (in the form of avoided losses) down the road.

Too many leaders are so focused on the revenue side of the model (most of them are from a sales background) that they lack the depth of seeing the entire picture – the long-term health and profitability of the company. You know the saying… an ounce of prevention being worth a pound of cure. Just think of the ounce being loose change and the pound being solid gold.

Marshall Goldsmith, the executive coach, nails the behavior behind this phenomenon in his book, What Got You Here Won’t Get You There,

Avoiding mistakes is one of those unseen, unheralded achievements that are not allowed to take up our time and thought. And yet… many times, avoiding a bad deal can affect the bottom line more significantly than scoring a big sale… That’s the funny thing about stopping some behavior. It gets no attention, but it can be as crucial as everything else we do combined.”

Listen to Google and Mr. Goldsmith, and avoid the mistakes before you make them by asking yourself this simple question: How can I refocus my efforts and resources on playing offense rather than defense?

John Sileo’s motivational keynote speeches train organizations to play aggressive information offense before the attack, whether that is identity theft, data breach, cyber crime, social networking exposure or human fraud. Learn more at www.ThinkLikeASpy.com or call him directly on 800.258.8076.