
Security Expert Hacks In-Flight Entertainment? 5 Cyber Lessons for Leaders

Did security expert Chris Roberts of Denver actually HACK INTO AND STEER AN AIRCRAFT from the inflight entertainment panel at his seat, as reported first by Wired?

Probably not. Though I did meet him at a conference of cybersecurity experts and he appeared to know his stuff. But it almost doesn’t matter, because the lessons we take away from it are the same. Here’s what I do know:

  • I’ve seen ethical white-hat hackers (the good guys) penetrate mission-critical corporate networks through the unlikeliest of devices, including photocopiers, vending machines, surveillance cameras, thermostats and industrial control systems.
  • In most of these cases, the breached organization vehemently (and incorrectly) asserts that these devices were not connected to their “real” network. Further analysis shows that they were. Will the airlines claim the same?
  • I’ve seen a driverless car hacked and started from a mobile phone.
  • I’ve seen a pacemaker remotely accessed by a hacker and set to induce a deadly heart rate.
  • I’ve seen home networks breached through a video game console, a baby monitor and a garage door opener.

Here’s ultimately what matters: If it’s networked, it’s hackable.

The minute you hook a device to a network (whether that be the internet, an internal intranet, WiFi hotspots or any other network), it becomes hackable. Remote access is a wonderful tool of convenience and efficiency – it lets us work from other locations. But remote access also opens up digital doors to criminals who want to steal from other locations. In other words, the TV at your seat could be connected to the pilot’s controls.

Even if any security expert did execute the hack, we will likely never know. But that doesn’t lessen our responsibility to learn and apply something to our businesses (steps that many airlines are currently reviewing themselves):

  • Compartmentalize your network. Don’t connect non-critical systems (in-flight entertainment, guest WiFi, thermostats, networked appliances) to mission critical data (flight controls, customer information, employee records, sensitive intellectual property). Instead, host them on separate networks with separate usernames, passwords and access controls.
  • Implement User-Level Access. Only a very few authorized individuals should have access to the servers and computers that house your private information. Classify your data into Top Secret, Confidential, Internal and Public (if it’s good enough for James Bond, it’s good enough for you) and apply your user-level access settings to those classifications (e.g., only C-Level executives get Top Secret access).
  • Firewall the bad guys out. A firewall that is configured to Default Deny will restrict all access by default and only allow a few legitimate users who appear on a “white-list” to access the most valuable information. This limits most hackers’ backdoor access (and is when they will turn to social engineering to gain access – another lesson for another time).
  • Utilize communication encryption. Mobile access that is not encrypted (hidden from illegitimate users by scrambling the message) is like broadcasting your bank account number over the radio – everyone else is listening.
  • Closely monitor intrusions. No matter what steps you take, if your organization is being targeted, eventually you will be breached. Therefore, the greatest security is resiliency: detecting the intrusion (a human being has to be watching the monitoring system to do this), expelling the intruder before real damage is done, and learning from and resolving your previous mistakes.
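
As an added illustration (not code from the original post or from The Sileo Group), the following Python model shows how the compartmentalization, user-level access and Default Deny lessons fit together, and how the denials they produce feed the monitoring lesson. Every zone, resource, user, clearance and request in it is constructed for the example; the point is that a request is refused unless it stays inside its own network segment, the user holds sufficient clearance for the data classification, and an explicit grant exists, with the absence of any rule meaning "deny".

```python
"""Default-deny access policy with network segmentation and data classification.

Added example, not from the original post. All names below are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Data classes from the post, ordered so a higher value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    TOP_SECRET = 3


# Hypothetical resources: the network segment (zone) each one lives in and the
# classification of the data it holds.
RESOURCES = {
    "flight-controls":  ("avionics",  Classification.TOP_SECRET),
    "customer-db":      ("corporate", Classification.CONFIDENTIAL),
    "hr-records":       ("corporate", Classification.CONFIDENTIAL),
    "ife-media-server": ("guest",     Classification.PUBLIC),
}

# Hypothetical users and the highest classification each may see.
# Unknown users (e.g. a seat-back entertainment unit) get PUBLIC.
CLEARANCE = {
    "pilot-a":   Classification.TOP_SECRET,
    "analyst-b": Classification.CONFIDENTIAL,
    "intern-c":  Classification.INTERNAL,
    "cfo-d":     Classification.TOP_SECRET,
}

# The "white-list": explicit (user, resource) grants. Anything not listed is
# denied regardless of clearance; that is what Default Deny means.
ALLOW_LIST = {
    ("pilot-a", "flight-controls"),
    ("analyst-b", "customer-db"),
}


@dataclass(frozen=True)
class Request:
    user: str
    source_zone: str   # network segment the request arrives from
    resource: str


def evaluate(req: Request, audit_log: list) -> tuple[bool, str]:
    """Return (allowed, reason). Every denial is appended to audit_log."""
    def deny(reason: str) -> tuple[bool, str]:
        audit_log.append((req.user, req.source_zone, req.resource, reason))
        return False, reason

    if req.resource not in RESOURCES:
        return deny("unknown resource")
    zone, needed = RESOURCES[req.resource]
    # Compartmentalize: traffic never crosses from one segment into another.
    if req.source_zone != zone:
        return deny(f"cross-segment: {req.source_zone} -> {zone}")
    # User-level access: clearance must cover the data classification.
    if CLEARANCE.get(req.user, Classification.PUBLIC) < needed:
        return deny(f"clearance below {needed.name}")
    # Default Deny: anything above PUBLIC also needs an explicit grant.
    if needed > Classification.PUBLIC and (req.user, req.resource) not in ALLOW_LIST:
        return deny("no explicit grant")
    return True, "allowed"


def flag_probing(audit_log: list, threshold: int) -> list[str]:
    """Monitoring: users accumulating denials deserve a human's attention."""
    counts = Counter(entry[0] for entry in audit_log)
    return sorted(user for user, n in counts.items() if n >= threshold)


# Constructed sample traffic, including a seat-back unit probing other zones
# and an executive whose clearance alone does not earn access.
SAMPLE_REQUESTS = [
    Request("pilot-a",   "avionics",  "flight-controls"),
    Request("seat-14c",  "guest",     "ife-media-server"),
    Request("seat-14c",  "guest",     "flight-controls"),
    Request("seat-14c",  "guest",     "customer-db"),
    Request("analyst-b", "corporate", "customer-db"),
    Request("intern-c",  "corporate", "customer-db"),
    Request("cfo-d",     "corporate", "customer-db"),
]


def run_sample() -> tuple[list[bool], list[str]]:
    """Evaluate the sample traffic; return per-request decisions and flagged users."""
    audit_log: list = []
    decisions = [evaluate(r, audit_log)[0] for r in SAMPLE_REQUESTS]
    return decisions, flag_probing(audit_log, threshold=2)


if __name__ == "__main__":
    log: list = []
    for r in SAMPLE_REQUESTS:
        allowed, reason = evaluate(r, log)
        print(f"{r.user:10} {r.source_zone:10} {r.resource:17} {'ALLOW' if allowed else 'DENY ':5} {reason}")
    print("flag for review:", flag_probing(log, threshold=2))
```

Note the last sample request: the executive holds Top Secret clearance yet is still refused, because no grant exists. That is the difference between a permissive firewall with a few blocks and one configured to Default Deny.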

Finally, and most importantly, make sure that you train your humans on the proper usage of the previous 5 steps! This is actually where most security fails, as the WEAKEST LINK IN CYBER SECURITY IS HUMAN ARROGANCE, IGNORANCE AND INACTION.

Right now, you have a chance to keep a hacker from changing the course of your vessel, be it airplane or corporation. If you don’t have the personal knowhow or internal resources to get it done right, hire the right team to do it for you.

John Sileo speaks internationally on cyber security and identity defense. He specializes in making security engaging, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Book him for your next conference on 800.258.8076.

Inheritance Scam: Detection Questions You Should Ask!


The so-called “Inheritance Scam” is resurfacing in Colorado, but it has a new look.

No longer do you simply receive an email claiming to be from the representative of a long-lost relative. The new format involves what security experts call the “Accomplice Ploy,” in which the thieves attempt to engage you through a long series of queries (one method), reaching out to you as if they already know who you might be.

We have developed five questions you should ask about any email or phone call you suspect might be a scam. They are called the 5 indicators of the inheritance scam:

Sileo’s Scam-Detection Questions

1. Were you expecting a windfall?

2. Is it too good to be true?

3. Are you being rushed/threatened?

4. Do they ask for secrecy?

5. Do they request more information?

If you can answer yes to any of these, put up your guard! Because so many Americans are facing financial problems, an inheritance scam holds a special appeal. When first introduced, the scammers behind the emails were earning more than a million dollars a month. Don’t let them get any of yours!

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.


SCAM ALERT: Target Texting Scam


SCAM ALERT! There is a Target texting scam going around. The text looks similar to the one in the picture to the left, and generally says you’ve won a $1,000 gift card if you simply click on the link and collect the money. When you click on the link, it takes you to a Target-looking site that a criminal has set up to collect your private information. The information is then used to steal your identity. In other cases, clicking on the link installs a small piece of malware that takes control of your phone and forwards your private information to the criminals.

Where do the criminals get my mobile phone number to text me in the first place?

  1. They purchase it off of black-market sites on the internet
  2. You give your mobile number away to enter contests, vote on reality shows, etc.
  3. You post it on your Facebook profile for everyone to see
  4. Data hijackers hack into databases containing millions of mobile numbers
  5. Most likely, the thieves simply use a computer to automatically generate a text to every potential mobile phone number possible (a computer can make about a million guesses a second).

What can I do to protect myself and my phone?

  • If you receive a text from any number you don’t know, don’t open it, forward it or respond to it
  • Instead, immediately delete the text (or email)
  • If you accidentally click on the link, never fill out a form giving more of your information
  • Place yourself on the national DO NOT CALL list.
  • Stop sharing your mobile phone number except in crucial situations and with trusted contacts
  • Remember when you text to vote or to receive more information, enter sweepstakes or take surveys via text, they are harvesting your phone number.
  • Resist the urge to post your mobile number on your Facebook wall or profile

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust. He is CEO of The Sileo Group, which helps organizations protect their mission-critical privacy. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation  or watch him on Anderson Cooper, 60 Minutes or Fox Business.

Gadgets Attract Thieves at Starbucks – Privacy Project Episode #01


On this episode of Privacy Project, John confronts a coffee drinker about leaving their laptop totally alone as they talked outside on the phone at Starbucks.

America’s top Privacy & Identity Theft Speaker John Sileo has appeared on 60 Minutes, Anderson Cooper, Fox & in front of audiences including the Department of Defense, Pfizer, Homeland Security and hundreds of corporations and associations of all sizes. His high-content, humorous, audience-interactive style delivers all of the expertise with lots of entertainment. Come ready to laugh and learn about this mission-critical, bottom-line enhancing topic.

John Sileo is an award-winning author and keynote speaker on the dark art of deception (identity theft, fraud training, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust.

Is Your Wireless Carrier Tracking Your Surfing Habits (Maybe)


Oh what your mobile phone carrier knows and tracks about you! A one-page document from the Justice Department’s cybercrime division shows how cell phone companies record and retain your call and surfing activity (calls, text messages, web surfing and approximate location). Here’s a summary of how each company retains your information (full details in the image below):

  • Verizon Wireless – rolling one-year records of cell tower usage & what phone accessed what web site
  • AT&T / Cingular – ongoing records of cell tower usage since July of 2008
  • T-Mobile USA – doesn’t keep any data on Web browsing activity
  • Sprint Nextel’s Virgin Mobile – 3 month record of text content
  • Other than Virgin Mobile and Verizon, none of the carriers keep texts but they keep records of who visited a particular web site.
  • Verizon keeps some information for up to a year that can be used to ascertain if a particular phone visited a particular Web site
  • Sprint Nextel’s Virgin Mobile keeps the text content of text messages for three months. Verizon keeps it for three to five days. None of the other carriers keep texts at all, but they keep records of who texted who for more than a year.
  • AT&T keeps up to seven years of records of who texts who — and when, but not the message content. Virgin Mobile keeps that data for two to three months.

Readily available via a simple Internet search, this document shows how cellphone companies in the U.S. treat data about their subscribers’ cell phone use.

Bring privacy and security expert John Sileo in to scare the care into your next audience. Identity theft, data breach, social media exposure and human manipulation keynote training.