5 Mandatory Steps For Protecting Data

Chris Dougherty
VirtualThreat Contributing Writer

Every day we hear news reports in the mainstream media about social network hacking, malware, malicious account takeovers and protecting data. It doesn’t matter if you are the average Joe Blow or a huge corporation like Burger King, everyone is being targeted these days.

Cyber criminals are searching for everything from your banking and financial info to your email, Facebook and and other social networking passwords. Luckily there are technologies and a few simple practices that can help you stay safer online, as well as offline.

Here are 5 Mandatory Steps that you should follow for protecting data from hacking and eavesdroppers…

1. IMPORTANT: Use Strong Encryption To Protect Your Files

Encryption is the process of encoding a message, or any other data, in such a way that eavesdroppers or hackers cannot read it, but authorized parties can. Today there are many options that provide both software and hardware encryption solutions for protecting your data.

TrueCrypt is a free open source software that provides automatic, real-time (on-the-fly) and transparent data encryption. With TrueCrypt you can encrypt a single partition or an entire storage device such as USB flash drive or hard drive.

The safest way to use TrueCrypt is to encrypt the entire storage device or hard drive. At a bare minimum, the partition or drive where Windows is installed should be encrypted.

DataLocker DL3 Encrypted Drive

For those of you who don’t want to install software, there are also several military-grade storage devices that provide hardware-based encryption for data protection. By doing a simple search on Google I was able to find the following 6 options that provide strong hardware-based encryption:

1. DataLocker DL3 1TB
2. Aegis Padlock 3.0 1TB
3. ThinkPad USB 3.0 1TB
4. Buslink CipherShield 1TB
5. Kanguru Defender 1TB
6. Imation (IronKey) Defender H100 1TB

A couple of weeks ago I was able to personally review the DataLocker DL3 encrypted hard drive and I really liked the fact that it was so incredibly easy to use. It also had a lot of cool features like the touch screen display and self destruct mechanism. As DataLocker put it so eloquently, this encrypted hard drive is “Simply Secure”.

* Save 10% on your purchase of any DataLocker Encrypted Drive by using the coupon code “VTHREAT10″ (without quotes) on the DataLocker website

Regardless of which encryption solution you decide to use, it is important to remember that this is a mandatory first step in securing your data from prying eyes.

2. CRITICAL: Create A Bulletproof Password

The next step towards reducing the threat of online identity theft should come in the form of a very secure password. The majority of account hacks reported each day are do to the use of insecure passwords. Hackers often make use of automated software and huge word dictionaries in order to brute force account passwords. Using the 15 tips below, you should create a very strong, unique password for every site that you visit on the Internet.

A strong password:

1. has 15 or more characters
2. has uppercase letters
3. has lowercase letters
4. has numbers
5. has symbols, such as ~ ` ! @ # $ % ^ & * ( ) _ – = + [ ] { } | ; : ‘ ” , . < > \ / ?
6. is not like your previous passwords
7. is not your name
8. is not your government ID number
9. is not your birthday or that of a family member
10. is not your login or user name
11. is not your friend’s name
12. is not your family member’s name
13. is not your pet’s name
14. is not a common name
15. is not a dictionary word

If you have a hard time coming up with a strong password on your own, you can always use a password generator like the iPassword Generator or the free secure password generator found at PasswordsGenerator.net.

Once you have created your password you should store it on an encrypted hard drive to keep it safe. This is the single best way to limit your exposure to online account takeovers and hackers.

Where appropriate, you might consider using a two-factor authentication mechanism like Duo:Security or Google’s 2-step validation as an added layer of security.

Hide Your Password From Prying Eyes

3. CRUCIAL: Hide Your Password From Prying Eyes

Once you have created a strong password you will need to keep it in a secure place away from prying eyes.

The simplest answer, while managing to achieve at least some acceptable level of security, is to create a password list and store it on an encrypted storage device.

A better answer is to install password management software like LastPass or KeePass on your encrypted drive. Both of these applications are free and they allow you to store all of your passwords in a single encrypted database.

LastPass runs natively on all major platforms including Windows, Mac and Linux. KeePass is geared primarily for Windows users, however the developer’s website claims it has also been tested on Wine. Wine is a compatibility layer that allows you to run Windows applications on Linux, BSD, Solaris and Mac OS X.

The combination of an encrypted hard drive AND password management software provides the best solution for keeping your password list safe from hackers and eavesdroppers.

4. URGENT: Install Security Software on Smartphones, Tablets and Computers

Cyber criminals are now using various strains of malware, spyware and malicious links to steal your information. Any device that is connected to the internet is a potential attack vector for these types of attacks. In addition, hackers are increasingly using social networks to lead you to websites where they can install malicious software on your devices.

I personally use Lookout Mobile Security software to keep my smartphone safe from malware and other malicious apps. Lookout provides real-time protection for smartphones and tablets running both Android and Apple iOS software (iPhone, iPad, etc). An additional version is also available for the Amazon Kindle Fire HD device.

Facebook is another popular attack vector for hackers. You can use the ESET Social Media Scanner to scan your Facebook account, as well as the timelines of your friends, for malware and links to malicious websites. The ESET Social Media Scanner application also offers an option to scan your local computer for signs of malware. I strongly advise that users run this additional security feature to be certain their computer is safe from threats.

ESET Smart Security 6 is another application worth mentioning for protecting data from hackers. This one software provides all-in-one internet security and comes with an Anti-Theft feature and the Social Media Scanner. There is also a similar version for Mac users called ESET Cyber Security.

Save 25% on ESET Smart Security 6

Prey Project Anti-Theft Software

One other important piece of security software that I thought I should recommend is called Prey. The Prey Project was developed as an open source anti-theft solution for laptops, phones & tablets and is used by people all around the world. According to the Prey Project website, “Prey lets you keep track of your laptop, phone and tablet whenever stolen or missing — easily and all in one place. It’s lightweight, open source software that gives you full and remote control, 24/7.”

I personally use Prey on all of my electronic devices and love it. I know a friend-of-a-friend, who has Prey installed, that actually was able to recover his laptop after it was stolen while he was living in Costa Rica.

5. ESSENTIAL: Use A Locked-Down Environment For Online Shopping, Banking and Filing Taxes

The best way to stay safe while shopping online and performing financial transactions is to create a secure operating environment. You can build a custom environment yourself by installing various software on an encrypted drive or you can use a solution that provides out-of-the-box protection.

Either way, the goal is to open a new window on your desktop that instantly provides a secure environment for browsing the web and reading web-based email.

Building A Custom Environment:

In order to build a custom environment on an encrypted drive I would suggest installing the latest version of Portable VirtualBox and then downloading your favorite Live CD operating system image to the drive. I had a DataLocker DL3 encrypted hard drive laying around so I decided to create my environment on that.

Portable VirtualBox is a software program that allows you to run Virtual Machines (VMs) on any USB storage device or hard drive. A Live CD is an operating system that runs entirely from memory and typically never writes files to your local hard drive. Each time the Live CD is restarted, it erases all traces and starts up with a fresh environment.

Once Portable VirtualBox is installed and running on the encrypted drive, you can create a new virtual machine with a virtual CD-ROM device attached to the Live CD image file. I personally like to use the latest version of Ubuntu for the Live CD, but you can use your favorite.

Once you have created your virtual machine in Portable VirtualBox you can simply start the machine, wait for it to boot up, and then open a browser to surf the web. Once you are finished browsing the web or checking your email, you can simply close the virtual machine to erase all tracks.

Any malware that you accidentally downloaded during your browsing session would be automatically erased once the virtual machine was shut down or restarted. It is important to note however that any files, bookmarks or configuration changes made while working in the virtual machine will also be lost when the machine is shut down.

Kanguru Defender DualTrust

Out-of-the-Box Solutions:

There are several ready-made solutions that provide a secure browsing environment while shopping, banking and reading email online. Two alternatives that I found were the Encrypt Stick 3-in-1 Digital Privacy Software and the Kanguru Defender DualTrust security device.

Encrypt Stick runs on any USB flash drive, installs in seconds, and turns your flash drive into your own Digital Privacy Manager (DPM). The Encrypt Stick developers claim that the software protects your web browsing experience, your passwords and your private files. The software comes with both free and paid options and includes versions that run on Windows and Mac computers.

The Kanguru Defender DualTrust is an all-in-one software and hardware solution that provides encrypted storage as well as secure web browsing. If you are concerned about malware, viruses or spyware on your PC, then this is a great solution for you.

According to the Kanguru website, “The Kanguru Defender DualTrust™ provides complete confidence to pay online bills, do your banking, make purchases and browse online in a safe and secure environment. It opens up a secure, protected browser session, isolating itself from vulnerabilities that could potentially “trace your steps“ in an ordinary browser window. ”

Simply plug in the Defender DualTrust, create a secure password and the device will boot to a secure web browsing environment. Once you unplug the device, the Defender DualTrust leaves no trace of your session behind.

I think I will try the Kanguru Defender DualTrust this year when filing my taxes online. Maybe you should too.

In Summary:

Whether you are an average internet user who simply uses the web to check email and shop online, or you are a corporate or government user accessing sensitive information, you need to take a few extra security measures in order to protect data from hackers and eavesdroppers.

The 5 steps listed above should be put in place right away in order to get you started on the right path to achieving the highest level of data security while online.

- – -

About the author…

Chris Dougherty is a grey hat hacker and online security expert. Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.

Anonymous Hackers Target CEOs in Operation Wall Street

Chris Dougherty
VirtualThreat Contributing Writer

Anonymous hackers have launched ‘Operation Wall Street’, a new protest started by the loosely organized hactivist collective against the US government, Wall Street and the financial services industry.

The operation is a call to all Anonymous “members” and citizens of the world and seeks justice for the “innocent and exploited people being forced into homelessness” because of the “crimes of Goldman Sachs and other firms who have indulged in sinister and criminal practices.”

The official proposal for the operation calls for a release of the the Dox on the “CEOs & any and all executives of Goldman Sachs, AIG, Wells Fargo, Chase, Meryl Lynch, and any other guilty party”. The goal of Operation Wall Street is to spread the personal information of those responsible for the crimes to the people who have lost their homes and had their lives destroyed.

According to links that began appearing on Twitter on March 2nd, Anonymous has already released 4.6 gigabytes of data providing the personal information of Wall Street CEOs and other high level executives.

Operation Wall Street releases 4.6GB of data.

Last week the group calling themselves the “Anonymous Intelligence Agency“, or Par:AnoIA, released 14 gigabytes of information implicating Bank of America and others in a massive spying operation. Anonymous claims the data dump proves that Bank of America contracted at least one private intelligence firm to spy on numerous private citizens including hackers and social activists.

The following statement was released on the Anonymous public relations website:

“It is no longer tolerable that these men and women get to live in luxury and lawlessness while innocent people are pushed into poverty and people who fight for freedom are prosecuted and demonized.

They must be stopped … OPERATION WALL STREET, must be launched.

We promise not to hurt you once we release your information but we cannot hold the people you screwed over responsible for their actions once they know who you are and where you live. You are not free to escape the consequences of your actions, no one is.

We are Anonymous, We are Legion, We do not Forgive, We do not Forget.

Expect Us.”

What are your thoughts on the Anonymous attack on Wall Street? Let us know in the comments below.

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.

McDonald’s Innocent in McHacking of Burger King Twitter Account

Jason Sickles
Yahoo News

Don’t blame the Hamburglar.

Burger King’s official Twitter account was McHacked about noon EST on Monday and changed to resemble their rival. The pranksters swapped the page’s profile image to include a photo of McDonald’s iconic golden arches and rewrote the account description to claim Burger King, “Just got sold to McDonald’s because the whopper flopped …”

Some vulgar messages were also tweeted and retweeted before Burger King bosses could get Twitter to freeze the account about an hour into the ordeal.

Burger King’s chief competition quickly claimed they were not the culprits.

“We empathize with our @BurgerKing counterparts. Rest assured, we had nothing to do with the hacking.” - @McDonalds

The pranksters fired off tweets like “if I catch you at wendys, we’re fightin!” before the breached account was suspended, the Associated Press reported.

Other messages reportedly contained racial epithets, curse words and references to drug use.

Burger King told the AP it plans to post a statement on Facebook later Monday to apologize, especially for the offensive posts. The company said it hopes to have the Twitter account back up soon.

Meanwhile, the twittersphere seemed to enjoy the lunchtime levity.

“The fact that @BurgerKing got hacked and turned into a @McDonalds feed is pretty funny. Never know what is going to happen in social media” - @ryancworkman

“Somebody needs to tell Burger King that ‘whopper123′ isn’t a secure password.” -@flibblesan

Latest Facebook Hacking Attack Investigated By FBI

Times of India

WASHINGTON: The US Federal Bureau of Investigation is collaborating in the investigation of a “sophisticated Facebook hacking attack” by hackers on Facebook last month, which, according to the social network, has not compromised users’ data.

The daily San Francisco Chronicle said Saturday that the FBI is working with Facebook to determine the origin of last month’s hacker attack that hit the computers of some workers at the California company.

According to the newspaper, the social network said that “malware was installed on laptops used by Facebook employees when they visited a mobile developer’s web site”.

“As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day,” Facebook said Friday on its blog.

“We are working continuously and closely with our own internal engineering teams, with security teams at other companies, and with law enforcement authorities to learn everything we can about the attack, and how to prevent similar incidents in the future,” Facebook said.

The attack on Facebook came soon after Twitter said early this month that data of 250,000 users had been obtained by hackers, and that this operation “was not the work of amateurs, and we do not believe it was an isolated incident”.

Chinese Hackers Target Bloomberg Journalists in Latest Media Attack

Adam Taylor
Business Insider

In next week’s Businessweek cover story, investigative reporters Dune Lawrence and Michael Riley take a deep dive on Chinese hackers, coming up with some fascinating details.

It’s a big story given the recent accusations about Chinese hackers that have come from the New York Times and other news outlets, and Lawrence and Riley provide perhaps the most detailed account of the mechanics of the hacking.

The pair profile malware expert Joe Stewart as he follows the traces left by hackers, eventually reaching one suspected hacker, who just happens to be a teacher at the People’s Liberation Army’s Information Engineering University.

One of the most interesting details in the story comes from a sidebar however, where Lawrence reveals that while writing this cover story her laptop crashed. When she rebooted it she found a banner at the top of her Gmail in-box reading: “Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.”

For journalists who covers China, such a warning may be all too familiar — Business Insider reporters have been given the warning too.

The Chinese government has been steadfast in it’s denials of any involvement in the hacks, with state media both criticizing the US for the accusations and reporting that it is the victim of hacks too.

However, this wouldn’t be the first time that Bloomberg reporters have faced intimidation after a controversial article on China. According to at least once source, reporters faced death threats after last year’s huge article on Xi Jinping’s finances.

DataLocker DL3 Secure Encrypted Hard Drive

Chris Dougherty
VirtualThreat Contributor

The DataLocker DL3 portable encrypted hard drive is a ready-to-use solution that  provides data security and peace of mind in the event of equipment loss or theft.

DataLocker, Inc. is a provider of hardware encrypted storage devices. From their headquarters in Overland Park, Kansas they have provided their secure hard drives to a variety of clients including government agencies, military personnel, educational institutions, Fortune 500 companies and individuals just like you.

Jay Kim, President and founder of DataLocker,  recently got in touch and sent me one of their DataLocker DL3 portable encrypted hard drives in hopes that I would take it out for a spin. I have been checking it out in detail over the last week and I have to say I am really impressed with the ease of use and superb feature set that this drive delivers.

Once the drive is unpacked from the box and in your hands, you immediately get the impression that this is a high quality and secure hard drive. The shock and drop resistant enclosure is a solid, yet light weight, brushed metal design that includes a removable silicone protective guard. The unit weighs in at only 9 ounces and leaves a small footprint measuring a mere 4.73″ x 3.15″ x .91″ (120mm x 80mm x 23mm). I found that I can easily fit the DataLocker DL3 drive in my front jeans pocket while I’m on the move and could most likely use a screen protector from a comparably sized smartphone display in order to keep the touch screen from getting scratched up.

DataLocker DL3 Encrypted hard drive features.

The DataLocker DL3 portable encrypted hard drive comes packed with some serious security features including a 256-bit hardware-based AES (XTS mode) encryption engine. However DataLocker didn’t stop there, they added additional key features including:

• Automated Self-Destruct Mode (for mitigating brute force password hacking)
• Adjustable number of failed login attempts to trigger Self-Destruct Mode
• Rapid Secure Wipe (rapid key zeroization, deletes drive contents with the push of a button)
• Creation of an unencrypted read-only partition, recognized as a virtual CD-ROM (VCD)
• Built-in keypad randomization (avoid ‘Shoulder Surfing’ and fingerprint lifting)
• Alpha-numeric password support plus the # and * characters
• Adjustable minimum password length from 6-15 characters
• Optional RFID based 2 factor authentication
• FIPS 140-2 Validation

You won’t need to install any software or drivers as all encryption and management functionality is performed at the hardware level. The drive is also compatible with all major platforms including Windows, Mac and Linux systems.

The DataLocker DL3 connects to your computer via a Super Speed USB 3.0 interface and it even includes the required cable. You won’t be needing any external power supply as the drive gets it power from the USB interface.

Once the drive is connected to your computer you are immediately presented with a user-friendly, multilingual interface that can be accessed easily using the patented touch screen display. The digital alpha-numeric keypad makes you feel like you are accessing some high-tech piece of equipment from a James Bond movie.

The first time you use the device you’ll need to enter the setup menu so you can change the admin password from the default of “000000″. Initially the drive is configured for a 6 character password, however the password length can easily be adjusted from the setup menu.  While in the menu, you can also enable a separate ‘User’ password. The User account has read/write access but does not allow access to the admin Setup menu. Once the password has been updated you can simply back out of the menu and click the “Connect” icon to start using the drive.

I did find one element of the user interface to be slightly confusing. Immediately after I ejected the drive from the Windows system tray and selected the  Disconnect icon on the the drive itself I was presented with a screen that says “Data Secured” and has a Connect icon. I pushed the “Connect” icon expecting that I would instantly reconnect or be presented with a password prompt, however instead I was then presented with the typical Startup screen that says “Start” and has an image of a finger. Once the Start icon is clicked the screen that follows finally allows me the choice of re-connecting the drive or entering the setup menu. It seems reasonable to me that once Disconnect is clicked you should just bypass the ‘Data Secured’ Connect screen and just go straight to the DataLocker Start screen with the image of the finger. It’s not a big deal, the current process just has an extra unnecessary step in my opinion.

The DataLocker DL3 encrypted hard drive also comes with a variety of storage capacities and speed options, ranging from 500GB and 1TB drives to 128GB and 256GB solid-state drives (SSD). The solid-state drive option, combined with the USB 3.0 interface, provides super fast file transfers that should meet most anyone’s requirements.

You can find the DataLocker DL3 User Manual, free helpful utilities and other information on the DataLocker download page: http://www.datalocker.com/support/downloads-firmware-and-manuals.html.

DataLocker DL3 Plug-n-Play Security

The DataLocker DL3  encrypted hard drive has a variety of use case scenarios. Of course there are the obvious ones like simply storing your personal documents, videos and images on it or maybe distributing it to mobile employees to keep sensitive company documents protected in case of loss or theft.

More covert types might appreciate the fact that they can potentially create a secure, disposable operating system environment on the DataLocker DL3. You would only need to install virtualization software like VMWare or VirtualBox on to the drive, along with your favorite virtual machine images like Whonix and Backtrack.  In the event of a compromise, you  would simply wipe the entire environment, along with all traces, by pushing the ‘Zeroize Drive’ button in the setup menu. This is an important feature to take note of because, according to a federal judge in Colorado, encryption keys and passwords are no longer protected under the 5th Amendment. So it would seem that destruction of the encrypted file system is the next best alternative in such a case.

- – - – - – - – - – - – - – - – - -

Summary:

If you are looking for an easy way to secure your data in the event of loss or theft the DataLocker DL3 portable encrypted hard drive offers everything you could need. Although more expensive than some of it’s competitors, you shouldn’t let the price scare you away as the DataLocker DL3 offers a huge set of premium features that I have’t seen with any other drive. With its slick exterior design and high-tech touch screen interface I consider it to be the ’007 Aston Martin’ of encrypted hard drives.

DataLocker DL3: The 007 Aston Martin of Encrypted Hard Drives

DATALOCKER DL3 Portable Encrypted Hard Drive:

• Pros: Lots of security features, touch screen display, user-friendly interface, compact size, rugged enclosure, can use it out of the box.
• Cons: Price, confusing menu navigation after Disconnecting drive.

You can find out more about the DataLocker DL3 encrypted hard drive by visiting the official DataLocker website at: http://www.datalocker.com/products/datalocker-dl3.html

VirtualThreat.com subscribers get 10% off any DataLocker encrypted hard drive order by using the following coupon code during checkout on the DataLocker.com website.

Coupon code = VTHREAT10

——

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.

6 Military Grade Solutions For Keeping Your Data Safe

Chris Dougherty
VirtualThreat Contributor

#OpLastResort : Anonymous Hackers Release Data for 4000 US Bank Officials

Jeb Boone
Global Post

Anonymous hackers released user and personal information belonging to 4,000 US community bank executives, in an escalation in their online battle against the US Department of Justice.

Anonymous released the security credentials for over 4,000 US bank executives on Monday, posting their user account information, passwords and personal information online as part of OpLastResort.

OpLastResort is an Anonymous operation calling for sweeping reforms of the US criminal justice system.

Anonymous claimed that the bank executives’ information was taken from networks associated with the US Federal Reserve.

The dox – or release of personal information online – was posted as a spreadsheet on a domain belonging to the Alabama Criminal Justice Information center: http://acjic.alabama.gov. To publish the spreadsheet, the hackers gained access to the domain and added “oops we did it again” to the URL.

Banks listed in the dox included a large number of small community banks. Lacking the security infrastructure of larger national banks, local banks are more vulnerable to security breaches and cyberattacks.

“Now we have your attention America: Anonymous’s Superbowl Commercial 4k banker d0x via the FED,” tweeted the OpLastResort account, including the URL containing the spreadsheet.

The URL and spreadsheet have since been removed from the domain but the spreadsheet is still available online.

ZDnet noted one Reddit user called several of the phone numbers contained in the spreadsheet.

“OK, I called a few of them. What must be so problematic for the Federal Reserve is not the information so much as this file was stolen from their computers at all. The ramifications of that kind of loss of control is severe,” the user said.

The Huffington Post contacted the Federal Reserve concerning a potential security breach but their spokesman declined to comment on Anonymous’ claims and did not confirm whether a statement on the incident was forthcoming.

OpLastResort was launched following the suicide of Reddit co-founder Aaron Swartz last month. Swartz was indicted for wire fraud, computer fraud, unlawfully obtaining information from a protected computer and recklessly damaging a protected computer by a federal grand jury in 2011 after he allegedly downloaded large amounts of data from the JSTOR journal database.

Prosecutors claimed Swartz acted with the intention of sharing the vast number of documents on peer-to-peer sharing websites.

Anonymous, other web freedom activists and Swartz’s family believe that the aggressiveness with which Swartz was prosecuted contributed to his suicide.

Another cause the Anons behind OpLastResort are pushing is to ensure that Jeremy Hammond’s prosecution and incarceration is carried out fairly and impartially. Hammond was arrested in March of 2012 in connection with the organization’s hack against the global intelligence firm Stratfor.

Hammond was denied bail and remains in prison. Anonymous claims he was moved into solitary confinement recently in retaliation for the hacker collective’s cyberattacks against the US Department of Justice.

Members of the collective involved with OpLastResort have stated that Hammond’s move to solitary confinement is a “dangerous escalation in the conflict”.

SNOPA Bill Reintroduced To Protect Your Privacy Online

Chris Dougherty
VirtualThreat Contributing Writer

You may soon have legal recourse in the fight to protect your privacy online.  If a new bill finds its way into law, social networking users might soon be able to make a federal case out of employers asking to snoop through their online accounts.

Members of Congress, Rep. Jan Schakowsky (D-IL), Rep. Eliot Engel (D-NY) and Rep. Michael Grimm (R-NY) have reintroduced legislation that protects the personal information of social networking users from the prying eyes of employers and educational institutions.  The Social Networking Online Protection Act (SNOPA), protects employees, students, job applicants and prospective students from being compelled to provide usernames,  passwords and other personal information required to access accounts on sites like Facebook, Twitter and MySpace.

SNOPA was originally introduced to Congress in April, 2012 by Engel and Schakowsky.  In response, Senators Charles E. Schumer (D-NY) and Richard Blumenthal (D-CT) urged the Justice Department to investigate whether such a practice violates the Stored Communications Act or the Computer Fraud and Abuse Act.

Privacy, with regard to social networking sites, has been a topic of considerable debate for the past few years, in the meantime users will continue to suffer as a result. Last year, 14 states, including California, Delaware, and Maryland, all enacted legislation similar to SNOPA.  However the practice has yet to be adopted at the federal level.

Rep. Engel was quoted as saying, “We must draw the line somewhere and define what is private.  No one would feel comfortable going to a public place and giving out their username and passwords to total strangers.”

Rep. Schakowsky said “The American people deserve the right to keep their personal accounts private.  No one should have to worry that their personal account information, including passwords, can be required by an employer or educational institution, and if this legislation is signed into law, no one will face that possibility.”

SNOPA applies specifically to sites like Facebook, however the bill would also provide protection for email and other user-generated content.  In addition to prohibiting employers and educational institutions from requiring access to account information, they would also be barred from disciplining, discriminating, or denying employment to individuals refusing to volunteer such information.

“While social media may seem like public outlet, an individual’s login information is private.  When employers and universities require access to personal usernames and passwords, they are crossing a line that violates personal privacy” Rep. Grimm said.

Rep. Schakowsky went on to say, “Privacy is a basic right that all Americans share, and one that we should act to protect; this legislation sets boundaries.  No one seeking an educational or job opportunity should have to worry that their personal password information will be required as a condition of enrollment or employment.”

For now, SNOPA awaits review by the House Education and Workforce Committee. In the meantime several other members of Congress, including Rep. Paul Tonko (D-NY), Rep. Keith Ellison (D-MN) and Rep. Chellie Pingree (D-ME), are already jumping on board to support the bill.

What do you think of this legislation?  Let me know by leaving your comments below.

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.

Chinese Hackers Attack NY Times Over Wen Investigation

Chris Dougherty
VirtualThreat Contributing Writer

Over the past four months, Chinese hackers have penetrated computers belonging to the New York Times and its staff. The hackers appeared to be intent on hunting down and identifying newspaper sources involved in the investigation of a top Chinese leader. China’s Defense Ministry is denying any involvement in the attacks.

Fox News: “Chinese law forbids hacking and any other actions that damage Internet security,” the Defense Ministry said in a statement. “The Chinese military has never supported any hacking activities. Cyber-attacks are characterized by being cross-national and anonymous. To accuse the Chinese military of launching cyber-attacks without firm evidence is not professional and also groundless.”

Experts investigating the breach said that the attacks used the same techniques as other recent high profile  attacks originating from China. It appears the hackers used phishing techniques in order to inject the paper’s computer systems with a strain of malware that has been used by the Chinese before on other targets.

The infrastructure used by the hackers consisted of a complex network of university computers in both China and the U.S. The attackers used the hijacked computers as a form of proxy in order to hide their tracks.  According to experts closely associated with the case, this network was used previously by the Chinese military to attack U.S. Defense Department contractors.

The September attacks on the New York Times seemed to have been initiated as a result of an investigation into the financial affairs of the family of Chinese Premier, Wen Jiabao. The family has apparently built a fortune, with questionable origins, worth over $2 billion.

During the continued 4 month cyber attack, the hackers were able to successfully crack the passwords of all NY Times employees.  Once compromised, the stolen passwords allowed the hackers to gain access to more than 50 personal laptops belonging to staff members.

At this point it is unclear what information the attackers were able to steal while they had access to the paper’s computer systems. Fox News reported that “none of the Times’ customer data was compromised and that information about the investigation into the Wen family remained protected, though it left unclear what data or communications the infiltrators accessed.”

Mandiant, the security firm investigating the case, stated that after months of investigation they are still unsure how the hackers initially infiltrated the Times’ computer systems, however the investigation is still ongoing.

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.

How Cyber Criminals Are Exploiting Our Swipe-n-Go Society

Chris Dougherty
VirtualThreat Contributing Writer

Curtis Abernathy, a small business owner in Arizona, never expected to be caught up as the victim of an international ring of cyber criminals stealing identities online.  But that’s exactly what happened last week when he received a call from Bank of America’s security office.

The bank’s security team took notice after Abernathy used his debit/credit card at a local convenience store in Arizona, then an hour or so later there were two charges on the same card at retail stores in California.  According to the bank staff, the thieves walked in to Nordstrom Fashion Island (Store #333) at 901 Newport Center Drive in Newport Beach, California and used a physical credit card bearing the same name and account number as Abernathy’s. The Nordstrom store is located right across the street from the Newport Country Club, it appears our thieves have expensive taste.

The cyber criminals had stolen Abernathy’s identity, printed credit cards bearing his name and account number, and then went on to purchase medium value items so as not to raise the suspicion of store clerks. It was as easy as walking up to the cashier, swiping the credit/debit card pad, signing and walking away. The items they purchased with the stolen credit card will most likely end up on sites like Craig’s List or Ebay where the thieves can wash the money and cash out.

In total the thieves took Abernathy for $360.00 before the bank noticed. He was one of the lucky ones, chances are hundreds or even thousands of people have been victims of similar fraud campaigns.  As is the case with most banks these days, Bank of America has a zero-liability policy with regard to fraudulent credit card charges, so Abernathy will immediately get the money deposited back into his account. For him this was both a learning experience and a major inconvenience.

Unfortunately, all of the players are somewhat complacent in this type of crime. The attackers are aware of this vulnerability and they will exploit it to its fullest potential in order to plunder our bank accounts.

We as customers love all that is quick and convenient. We use online and mobile banking apps even though the media tells us about stolen accounts all the time, we download screen savers and cool games that might be infected with malware, and we open links and attachments in emails that appear to come from our friends, family and coworkers.

The majority of stores these days have installed customer-facing debit and credit card PIN pads so that we can swipe our cards and go along our merry way as quickly as possible.  Everyone hates a long line, from the clerks to the pissed off customer at the end of the line.  Some stores have self-service checkout lanes to hurry the process along even more.

The problem with all of this is, while it may be quicker and more convenient, there are many serious flaws in the process.

Think about how often you get asked for an ID when making a purchase using your credit or debit card through a customer-facing PIN pad these days.  I’d bet it’s not nearly as often as you think. Beyond the obvious, what if an attacker has found a way to rig the point-of-sale (POS) system itself, or maybe they’ve hacked your ATM? How many of us feel safer because our virus protection software tells us that our computer is clean? What about the malware that they haven’t discovered yet or what if they infect your smart phone instead?

In December, VirtualThreat.com ran a story about Facebook assisting the U.S. Federal authorities in order to arrest hackers responsible for stealing over $850 Million over a period of two years.  There have also been recent reports of hackers in Iran and Russia attacking U.S. bank accounts through advanced botnets.

The thing is, these aren’t street fraudsters that are perpetrating these crimes.  The majority of the heists can be traced to large organized criminal networks, terrorists and sometimes even governments. And all the while the banks are under reporting cyber crimes in order to protect their reputations.

Cyber criminals typically have 3 primary techniques that they use in order to steal your credit card information or identity.

1. Phishing
   Wikipedia – “Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware.

   Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.”

2. Malware
   Wikipedia – “Malware, short for malicious (or malevolent) software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, spyware, adware and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses.”
3. Credit Card Skimmers
   Wikipedia – “Skimming is the theft of credit card information used in an otherwise legitimate transaction. The thief can procure a victim’s credit card number using basic methods such as photocopying receipts or more advanced methods such as using a small electronic device (skimmer) to swipe and store hundreds of victims’ credit card numbers. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim’s credit card out of their immediate view. The thief may also use a small keypad to unobtrusively transcribe the 3 or 4 digit Card Security Code which is not present on the magnetic strip. Call centers are another area where skimming can easily occur. Skimming can also occur at merchants such as gas stations when a third-party card-reading device is installed either out­side or inside a fuel dispenser or other card-swiping terminal. This device allows a thief to capture a customer’s cred­it and debit card information, including their PIN, with each card swipe.

   Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a miniature camera (inconspicuously attached to the ATM) to read the user’s PIN at the same time. This method is being used very frequently in many parts of the world, including South America, Argentina, and Europe. Another technique used is a keypad overlay that matches up with the buttons of the legitimate keypad below it and presses them when operated, but records or transmits the keylog of the PIN entered by wireless. The device or group of devices illicitly installed on an ATM are also colloquially known as a “skimmer”. Recently-made ATMs now often run a picture of what the slot and keypad are supposed to look like as a background, so that consumers can identify foreign devices attached.”

I hope that you don’t become the next victim of credit card fraud or identity theft. However, the odds are that you, or someone that you know, will unwittingly become a target at some point in the future. Hackers are generally indiscriminate about their targets and hit huge groups of accounts in a single campaign, often netting the criminals 10′s of millions of dollars. With the increasingly rapid growth of technology, we as consumers need to stay informed about the threats that await us.

If you have been the victim of cyber crime please contact the FBI through their Cyber Crimes website right away.

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.

Hacked Security Cameras Are Wide Open To Attackers

Kyle Wagner
Gizmodo.com

Hacked Security Cameras Are Wide Open To Attackers.  Apparently security cameras are even less secure than we thought. Eighteen popular brands of cameras have been found to have serious flaws in their own security, leaving at least 58,000 unsecured, open-to-basically-anyone security cams out there.

Security firm Rapid7 discovered how the widespread flaw is after reading a blog post by someLuser, detailing the failings of one company, Swann. In short, the flaw allows anyone connected to a specific port full access to the DVR functions of the cameras. Rapid7 applied the same code used on Swann to other major camera companies, and turned up this list of vulnerable manufacturers:

Swann, Lorex, URMET, KGuard, Defender, DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000

The flaws have only been tested through a scan of their code, not actual spying, but Rapid7 is confident it would work on all listed companies’ cameras. Anyone with a system made by one of those companies would have to wait for a firmware update to come out addressing the flaw.

We’ve known about unsecured net-connected gear—security cameras in particular—for a while. Last summer it came out that three of the most popular brands were vulnerable to a similar attack, and there’s even a map to look in on a bunch of unsecured feeds. Not to mention the almost 90,000 unsecured printers around the world, which could just start spitting out just about anything at any given moment. So this is concerning—deeply so—but only one more step down a path we were already walking.

Experts Say Facebook Hackers May Be Infecting Your Computer

John Brandon
Fox News

‘Red October’ Spy Network Goes Dark Hours After Being Exposed

Chris Dougherty
VirtualThreat Contributing Writer

The command and control servers behind the ‘Red October’ espionage network started shutting down only hours after the campaign was exposed by Kapersky Lab last week.

The Red October malware campaign targeted governments, embassies and scientific organizations around the world. According to researchers at Kapersky Lab, the spy network had been gathering data and intelligence from mobile devices, computer systems and network equipment for the last five years.

See related article: http://www.virtualthreat.com/2013/01/15/operation-red-october-is-spying-on-governments-worldwide/

The malware, and the complex network design behind it, is rumored to rival the infrastructure of the Flame virus.  The Red October malware contains 1,000 separate modules in 30 categories, allowing an attacker the ability to serve unique combinations of payloads to their targets based on the victim’s specific computer configuration and profile.

In an interview with Costin Raiu, of the Kaspersky Lab GReAT Team,  Raiu said “since Monday, when the first report of the campaign came out, hosting providers and domain owners have been shutting down servers used to help run the campaign”.

“It’s clear that the infrastructure is being shut down. This time it’s being shut down for good,” Raiu said. “It’s not only the registrars killing the domains, and the hosting providers killing the command-and-control servers, but perhaps the attackers shutting down the whole operation.”

One of Red October’s strengths is a command and control (C&C) infrastructure that employs multiple layers of computers and domain names acting as proxies to hide the core functionality of the network.  Raiu was quoted as describing the network design as “an onion with multiple skins”, communicating to a control server at the center that collects all of the stolen information.

Raiu went on to say that the majority of the servers and domains shut down so far only represent the first level of the threat, essentially the proxy layer.  He also speculated that the malware controllers may simply let the operation go dormant for a while until the heat is off. However it seems likely that the attackers would reappear in the near future using updated malware, domains and control servers.

Red October is a large and comprehensive attack framework that was designed to enable attackers to conduct long-term operations against their chosen targets. It’s likely that researchers haven’t even scratched the surface with regard to the complexities involved in this campaign.

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.

Fatal Cyber-Attacks ‘are Possible and Plausible’

James Hayes
The Institute of Engineering and Technology

Corey Nachreiner, director of security strategy at security management firm WatchGuard Technologies, argues that the accelerated proliferation of both networked devices and online threats over the next 12 months will create a ‘perfect storm’ of vulnerable connected systems that, if targeted, could increase the chances of a ‘fatal malfunction’.

Networked road vehicles, Internet-ready medical devices, and intelligent buildings are among the emerging connected physical domains that will start to be targeted in 2013 by cyber criminals, hacktivists, pranksters, and other ‘malicious actors’ – including nation states –Nachreiner believes.

“Our lives become more dependent on computing devices every day,” he said.

“They are increasingly embedded in the infrastructure that provides us with energy and water.

“And all the time we are actively engaged in connecting all these devices together.

“Yet some of our most critical systems now suffer from fundamental vulnerabilities.”

Nachreiner warns that with more connected computer components embedded in cars, phones, TVs, navigation aids, and even medical devices, “digitally-dealt death is not only possible, it is plausible… though I hope that I am wrong”.

He also points out that technology now exists for roadside hackers to interfere with satnav tools, causing drivers to make life-threatening driving decisions, for instance, or even hack into automotive systems and cause airbags to inflate.

Medical systems themselves are also becoming increasingly connected through to public networks, which introduces another range of vulnerabilities, says Nachreiner:

“Recently, a researcher [at the Breakpoint conference, Melbourne] even showed how to wirelessly deliver an 830V shock to an insecure pacemaker”.

Other scenarios include intelligent buildings, where unauthorised online access to control systems for lifts and escalators could result in people being trapped when in need of urgent medical treatment, or critically injured due to sudden motion stoppages.

“We are connecting around the ‘air gaps’ that used to protect things like industrial control systems, in-building transport mechanisms, and medical systems,” Nachreiner explains.

“Despite the risks, security is often still an afterthought when innovative technical systems are being developed.”

Nachreiner is calling for a more regulated approach to software development, to ensure that insecure coding results in financial penalties for those responsible for flawed software.

Chinese Hackers To Blame For One Third of Global Cyberattacks

Michelle Florcruz
International Business Times

Though the story of computer network attacks by Communist spies sounds like a plot line from a Hollywood action film, a new report has found that one-third of cyberattacks actually originate in China.

According to Akamai Technologies (NASDAQ: AKAM), a digital technology platform developer, China accounted for 33 percent of cyberattack traffic all over the world during the third quarter of 2012, taking the top spot. China was the No. 1 source of cyberattacks in the previous quarter as well, but doubled its percentage of attacks.

Following China is the U.S., accounting for 13 percent of cyberattacks in Q3 2012, and Russia, with 4.7 percent. Both percentages changed little from the previous quarter, with a 1 percent increase for the U.S. and a 1.6 percent decrease for Russia.

The surge of cyberattacks coming from China since 2011 is not really surprising, considering its history of corporate espionage through network attacks.

Last year, Bloomberg reported on a boom of Chinese corporate espionage. Though not all cyberattacks coming from China are necessarily on corporations, nor do they always mean to spy, there have been several publicized cases of Chinese citizens being accused of spying on U.S. companies.

In 2010, Google (NASDAQ: GOOG) accused China of executing an attack against the company’s internal network. According to Wired.com, the hackers were seeking source codes from not only Google, but Adobe and several other companies. According to Dmitri Alperovitch, vice president of threat research for antivirus and Internet security company McAfee, that attack was unprecedented.

“We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” he said. “It’s totally changing the threat model.”

Not all Chinese breaches are in the form of Internet-based attacks. In 2011, a growing wind turbine company in China, Sinovel, abruptly stopped using its U.S.-based turbine-controller software provider, American Superconductor (NASDAQ:AMSC). This was a surprise to the U.S. company, but what had happened did not become apparent until an investigation into a software glitch with a Sinovel turbine in the Gobi desert revealed that Sinovel was using a stolen version of AMSC software. Perhaps more damaging, Sinovel now had access to AMSC’s proprietary source code. Sinovel was caught red-handed, but others, like the Google hackers, are more successful.

Last year, Aviation Week wrote about Chinese spies allegedly hacking into secure conference calls at Lockheed Martin (NYSE:LMT), one of the largest U.S. defense contractors, and stealing information about communication and antenna systems for the ultra-advanced, stealthy F-35 jets. As a result, Lockheed Martin was forced to redesign the parts after the discovery that they had been compromised, setting back production.

China’s cyberattack capabilities are definitely not underestimated by its global competitors. The data from Akamai confirms the U.S. government’s often-mentioned assumption that China is the most threatening force in cyberspace for American interests. According to a report by Bloomberg News, the U.S.-China Economic and Security Review Commission believes “China’s persistence, combined with notable advancements in exploitation activities over the past year, poses growing challenges to information systems and their users.”

And James Clapper, U.S. Director of National Intelligence, was quoted by the BBC describing China’s cyberwarfare advancement as a “formidable concern.”

Feds Say Cyber Crime Ring Targeted U.S. Bank Accounts

Andrew Tangel
LA Times

A cyber crime case brought by U.S. prosecutors in New York may add to the fears of anyone who banks online.

The charges against three foreign nationals — a Russian, a Latvian and a Romanian — allege they were involved in creating and distributing a computer virus that infected more than 40,000 computers in the United States in an effort to steal customers’ bank-account data and other information. The so-called Gozi virus led to the theft of unspecified millions of dollars, court documents say.

U.S. Atty. Preet Bharara, the top federal prosecutor in Manhattan, is scheduled to hold a news conference Wednesday to discuss the case. In recent speeches and interviews, Bharara has sounded an alarm over growing cyber threats.

The virus initially was used to target European banks but starting in 2010 it was used to go after U.S. accounts, including some at a “large financial institution headquartered in Manhattan”, according to court papers.

A Dutch computer server tied to the alleged scheme contained more than 3,000 user names for accounts at seven U.S. banks, prosecutors say.

The virus infected about 190 NASA computers between 2007 and 2012, court documents say. Extracted data allegedly included log-in information for a NASA email account, Web browsing histories and Google chat messages.

The alleged scheme is separate from an onslaught of cyber attacks last year against U.S. banking websites that were said to have been orchestrated by an online hacking group based in the Middle East.

Hacked ‘iPhone Sexting App’: Texting Naked Photos is a Bad Idea

Dominique Mosbergen
The Huffington Post

iPhone Sexting App May Not Be Secure As You Think…

There are a few good reasons why sending incriminating pictures, naked or otherwise, over the photo and video app Snapchat may not be such a great idea.

Other than concerns about bullying and underage sexting, it’s becoming increasingly clear that Snapchat messages, once thought to be super secure because of their extremely short lifespan, are not quite as fleeting as previously believed. In recent months, at least two security loopholes, which would allow recipients to save Snapchat images or clips for keeps, were discovered and made public. This week, a third Snapchat “hack” was revealed.

Touted as the “iPhone sexting app,” Snapchat — which, Forbes reports, is used mainly by young people between the ages of 13 and 24 — has been touted as a “consequence-free” photo- and video-sharing platform, allowing users to send files that self-destruct after 10 seconds or less, upon being opened by the recipient.

But this new Snapchat “hack,” unveiled by web designer and college student Raj Virand first reported on by TechCrunch, is said to allow users to “easily save screenshots of ‘snaps’ in a few simple steps, with no more than Snapchat and your multitasking bar.” These screenshots can apparently be taken secretly, without the sender finding out.

According to TechCrunch, this is how it works:

• While viewing a SnapChat photo, take a screenshot by pressing the home and power button at the same time, while making sure to continue holding on the screen in order to ensure that the picture gets captured.

• After taking the screenshot, the photo won’t show on the screen and you will be brought back to your list of snaps.
• Before the photo expires, double tap the home button to bring up the multitasking bar. Once you’ve brought that up, SnapChat won’t recognize your screenshot.

To learn more about this “hack,” visit TechCrunch here.

Two months ago, Buzzfeed’s Katie Heaney pointed out that photos sent via the iPhone app could be easily retained by taking a screenshot of a “snap” before it self-destructs. However, Heaney noted at the time that the photo’s sender would be notified of the screenshot, though this could not prevent the recipient from saving the photo on his or her phone.

Then, in December, another Buzzfeed writer, Katie Notopoulos, found a security flaw in the app that makes it relatively easy for users to save received videos – and this time, Notopoulos explained, it can be achieved without the sender ever finding out. In short, the clips can be accessed using either iExplorer or iFunBox, then saved via temporary files stored on iPhones and other iOS devices. (The app’s Android version had a similar flaw that has since been fixed.)

After Notopoulos discovered Snapchat’s video-saving flaw, she asked Evan Spiegel, the app’s founder, if the company was aware of the loophole.

“The people who most enjoy using Snapchat are those who embrace the spirit and intent of the service. There will always be ways to reverse engineer technology products — but that spoils the fun,” he said.

Despite Snapchat’s obvious flaws, TechCrunch’s Rip Empson argues that impermanent messaging is likely here for the long haul.

“The ephemeral message is here to stay, whether a feature or a billion dollar business,” he writes, pointing out that Snapchat clones, such as the Facebook’s Poke app, are already cropping up.

Do you or would you ever use Snapchat? Are you concerned by this latest security loophole? Tell us in the comments below.

Anonymous ‘Might Well Be the Most Powerful Organization on Earth’

Catherine Solyom
NationalPost

Anonymous hackers have keys to the kingdom … The world needs to be concerned.

Christopher Doyon, a.k.a. Commander X, sits atop a hillside in an undisclosed location in Canada, watching a reporter and photographer make their way along a narrow path to join him, away from the prying eyes of law enforcement.

It’s been a few weeks of encrypted emails back and forth, working out the security protocol to follow for interviewing Doyon, one of the brains behind Anonymous, now a fugitive from the FBI.

Doyon, who readily admits taking part in some of the highest-profile hacktivist attacks on websites last year — from Tunisia to Orlando, Sony to PayPal — was arrested in September for a comparatively minor assault on the county website of Santa Cruz, Calif., where he was living, in retaliation for the town forcibly removing a homeless encampment on the courthouse steps.

The “virtual sit-in” lasted half an hour. For that, Doyon is facing 15 years in jail.

Or at least he was facing 15 years in jail, until he crossed the border into Canada in February to avoid prosecution, using what he calls the new “underground railroad” and a network of safe houses across the country.

Thanks to his indictment, Doyon is one of the few Anonymous members whose real name is now publicly known.

But as the leader of the People’s Liberation Front — a hacker group allied with Anonymous — and the second-most wanted information activist after WikiLeaks’ Julian Assange, he prefers not to show his face, and instead dons the ubiquitous Guy Fawkes mask, to wear with his Sunday best: a sweatshirt with the Anonymous calling card, “We do not forgive … We do not forget.”

Terrorists to some, heroes to others, the jury is still out on Anonymous’s true nature. Known for its robust defence of Internet freedom – and the right to remain anonymous — Anonymous came in first place in Time Magazine’s 2012 online poll on the most influential person in the world.

Fox News, on the other hand, has branded the hackers “domestic terrorists,” a role Anonymous has been cast to play in the latest Call of Duty Black Ops II, in which Anonymous appears as the enemy who takes control of unmanned drones in the not-too-distant future. (That creative decision may have put Activision, the creator of the video-game series, at the top of the Anonymous hit list.) For its part, much of what Anonymous does and says about itself, in the far reaches of the Internet, cannot be verified. Nor do all Anons agree on who they are as a group, and where they are going.

— — — — —

Q: As strictly an online army of hackers, how powerful is Anonymous?
A: Anonymous is kind of like the big buff kid in school who had really bad self-esteem then all of a sudden one day he punched someone in the face and went, “Holy s— I’m really strong!” Scientology (one of Anonymous’s first targets) was the punch in the face where Anonymous began to realize how incredibly powerful they are. There’s a really good argument at this point that we might well be the most powerful organization on Earth. The entire world right now is run by information. Our entire world is being controlled and operated by tiny invisible 1s and 0s that are flashing through the air and flashing through the wires around us. So if that’s what controls our world, ask yourself who controls the 1s and the 0s? It’s the geeks and computer hackers of the world.

Q: What does it mean to be a leader of a leaderless organization?
A: We don’t sit around and elect a president but that doesn’t mean there aren’t leaders within Anonymous. Naturally Commander X or Barrett Brown or Peter Fein, whether they have names or are still anonymous, they take a leadership role and are looked up to. The average Anon is not like me, working 12 hours a day dedicating their life to this. He’s an IT guy or a cable installer with a few hours to spare and he wants to be told what to do. It takes organizers to get things done. Anyone in Anon can be a spokesperson but my ability to speak is based on how much what I say squares with the consensus of the collective.

Q: It seems like there’s a war going on between hacktivists or information activists and law enforcement. (At least 40 alleged members of Anonymous have been arrested around the world in the last year.) Who do you think is winning right now?
A: I think it’s a stalemate at the moment. I think eventually we’ll win. I’ve always believed that right will always prevail. But at the moment the arrests have had a chilling effect on the movement. For a 30-minute online protest I’m facing 15 years in a penitentiary. For the moment that’s the only indictment against me but I expect there will be more. And it’s not just about the potential penalty but it’s the trial itself for which they delivered a terabyte of discovery. That’s about 150,000 pages for a 30-minute protest. That means my trial will be two years long and during that time I’m under strict surveillance by the FBI. I can’t access Twitter, Facebook or IRCs (Internet Relay Chats)– I can’t contact any known member of Anonymous – who are about 50,000 people around the world.

So basically it shuts me down as an activist. Even if I prevail in court, I’m still shut down for two years. Well, I’m unwilling to do that – and that’s why I’m Canada. In Syria and Tunisia, Libya, Egypt in Nigeria in the Ivory Coast, we have saved so many lives I can’t even count – activists and journalists and bloggers and people who come to us to keep themselves safe in these extremely hostile environments – and I’m unwilling to lay that kind of work down.

Q: Now that you’re in Canada for the foreseeable future, do you feel relatively safe?
A: Yes. We have a lot of contacts in the Canadian government. We were well prepared when I came here, we have an underground railway, and safe houses in Canada. We might be wrong, but our understanding is that the Canadian government is about equally concerned with Anonymous and the United States. Their approach will be: “Step lively, don’t stay long, and you’ll be fine.” So we’re in negotiation with several countries in Europe to try to get a permanent political asylum situation set up for myself as well as for any other Anons and information activists who might need it. … It’s too bad Canada will not find the political courage to protect information activists from America like they did in the ‘60s with the draft dodgers. That’s the reality of it, but they will probably not actively seek to track me down.

Q: Do you think the general public is not concerned enough with online surveillance or real-life surveillance?
A: I think the general public is beginning to learn the value of information. To give an example, for a very long time nobody in the U.S. or the world was allowed to know the number of civilian casualties in Afghanistan or Iraq. There were wild guesses and they were all over the ballpark figures, until a young army private named Bradley Manning had the courage to steal that information from the U.S. government and release it. Now we know that despite their smart munitions and all their high-technology they have somehow managed to accidentally kill 150,000 civilians in two countries. … As these kinds of startling facts come out, the public will begin to realize the value of the information and they will realize that the activists are risking everything for that information to be public.

Q: What do you say to people who believe Anons are just cyber-terrorists?
A: Basically I decline the semantic argument. If you want to call me a terrorist, I have no problem with that. But I would ask you, “Who is it that’s terrified?” If it’s the bad guys who are terrified, I’m really super OK with that. If it’s the average person, the people out in the world we are trying to help who are scared of us, I’d ask them to educate themselves, to do some research on what it is we do and lose that fear. We’re fighting for the people, we are fighting, as Occupy likes to say, for the 99%. It’s the 1% people who are wrecking our planet who should be quite terrified. If to them we are terrorists, then they probably got that right.

“Information terrorist” – what a funny concept. That you could terrorize someone with information. But who’s terrorized? Is it the common people reading the newspaper and learning what their government is doing in their name? They’re not terrorized – they’re perfectly satisfied with that situation. It’s the people trying to hide these secrets, who are trying to hide these crimes. The funny thing is every email database that I’ve ever been a part of stealing, from Pres. Assad to Stratfor security, every email database, every single one has had crimes in it. Not one time that I’ve broken into a corporation or a government, and found their emails and thought, “Oh my God, these people are perfectly innocent people, I made a mistake.”

Q: What do you think of the student protests in Quebec?
A: Wherever I go, especially in the last two years, I have found protests. I had no idea this was going on in Canada and the day I arrived in Montreal I was in a coffee house downtown on the corner of Ste. Catherine and St. Hubert. And there was a protest right there at that park across the street. The entire intersection became inflamed, I watched police absolutely brutalize these kids, spraying can after can of tear gas, launching off pop-bang grenades, tear gas grenades, and the worse thing I saw these kids do, one of them threw a snowball, and one of them threw an orange rubber cone at these cops. I mean these cops are in full body armour for God’s sake, that’s not violence. But what was done to these kids was so violent that the coffee shop manager locked us all into the coffee shop. Locked the doors while all around us, literally in these glass windows all around us, we watched the kids get beaten down. Wherever I go whether Oakland, San Francisco, Montreal, everywhere I go I see the same stuff. I see people rising up demanding justice and these brutal, paramilitary police departments being used to crush them and sure, I get involved.

Q: Anonymous started out as online pranksters but has gotten a whole lot more serious in the last two years. What happened?
A: I believe Egypt was really a turning point for us emotionally in Anonymous. Obviously there was always that sort of prankster edge to us. But people often ask me, “Why are you so mean nowadays?” It started in Egypt – when you work for days to set up live video feeds and the first thing you watch through those feeds is people killing your friends with machine guns – that becomes personal. And then it’s not just Egypt, it’s Libya, Tunisia, over and over again these Freedom Ops are really what gave us a sort of take-no prisoners attitude. We get to know these people. It may not be the same as you and I sitting here, but when you Skype with people and spend hours and hours talking with them on IRC (Internet Relay Chat) and they share their hopes and their dreams with you for their country, their future, when they tell you how they’re risking their lives so their children can have a better future in some far-off land, you bond with those people and they become your friends and family.

Q. What’s next for Anonymous?
A: Right now we have access to every classified database in the U.S. government. It’s a matter of when we leak the contents of those databases, not if. You know how we got access? We didn’t hack them. The access was given to us by the people who run the systems. The five-star general (and) the Secretary of Defence who sit in the cushy plush offices at the top of the Pentagon don’t run anything anymore. It’s the pimply-faced kid in the basement who controls the whole game, and Bradley Manning proved that. The fact he had the 250,000 cables that were released effectively cut the power of the U.S. State Department in half. The Afghan war diaries and the Iran war diaries effectively cut the political clout of the U.S. Department of Defence in half. All because of one guy who had enough balls to slip a CD in an envelope and mail it to somebody.

Now people are leaking to Anonymous and they’re not coming to us with this document or that document or a CD, they’re coming to us with keys to the kingdom, they’re giving us the passwords and usernames to whole secure databases that we now have free reign over. … The world needs to be concerned.

U.S. Cyber Command Plans To Increase Workforce By 15%

Amber Corrin
FCW.com

The Air Force plans to increase its Cyber Command workforce by 15 percent in 2014, according to the Defense Department.

Gen. William Shelton, commander of Air Force Space Command, said he expects to receive orders next year from U.S. Cyber Command’s leadership to hire roughly 1,000 cyber specialists, mostly civilians. They would be added to the current 6,000-strong cyber workforce at the 24th Air Force, which is the service’s subordinate component to Cyber Command.

“Cyber Command is in the midst of determining how they are going to operate across all the geographic combatant commands as well as internal to the United States,” Shelton said in a DOD release. “It looks like we will be tapped for well over 1,000 additional people into the cyber business, so you can see [cyber] is starting to take root.”

The hiring will be contingent on the availability of funds in the budget and is expected to happen over a two-year period. Shelton said he will lobby DOD leaders to prioritize cyber capabilities as they determine how to cut budgets, but he acknowledged that the ongoing fiscal uncertainty presents a variety of challenges.

“There will be strong advocates coming from other functional areas within the United States military as well,” he said. “So it’s going to be literally the strategy that we adopt based on the budget authority that will be available, and then you let the chips fall from there.”

However, because there is no current appropriations bill for fiscal 2013, the uncertain fiscal situation affects planning for future budgets, he said.

The Air Force’s focus on cyber is in keeping with an ongoing evolution of capabilities and new realities in national defense. In November 2012, Air Force CIO Lt. Gen. Michael Basla noted the growing emphasis on cyber training and the cyber workforce as the military determines how best to operate in an increasingly complex domain.

“We see an increase in the demand signal, and we have to address how to respond to that demand signal,” Basla said. “There’s a daisy chain to that: It’s recruiting the right folks, training the right folks; it is positioning those folks in the right positions to accomplish the tasks handed to us. And it is properly equipping those folks with the capabilities they need. What I see is…this is one of those areas we said we cannot afford to take reductions and may in fact be one of the growth areas in a very tight budget environment.”

3 Simple Methods Hackers Use to Compromise Your Facebook Account

Chris Dougherty
Virtual Threat Contributing Writer

Facebook accounts are an often overlooked gateway into an individual’s personal life.   We, as social networking users, have few reservations about posting our photos, location, plans to travel, private outbursts, and information regarding friends, family and work.  We include names, phone numbers, email addresses, GPS coordinates and the list goes on and on.  But you ask “What’s to worry?  After all, I am only posting this information for friends and family to see, right?”.  The simple answer is no. Facebook hackers want your information.

The truth is that many of your friends’ and family’s accounts are being hacked every day.  By successfully compromising your Facebook account an attacker has unlimited access to a wealth of information about you, your friends and your family.  In addition, if a hacker gets your Facebook password, I think it’s reasonable to assume that he could then take over your email accounts, bank accounts, and other private information as well.  The following 3 Methods of Facebook Hacking are something that everyone should make themselves aware of.  When you have learned the attacker’s methods you can begin to protect the information that you so freely give out on the internet.

1. Social Engineering:
Generally the first thing a hacker will do is to find a way directly to your inner circle.  One way an attacker might start is by  ”friending” some of your closest friends, family and coworkers on Facebook.   Once enough mutual “friends” are built up, they will eventually work their way up to sending you a friend request.  It may appear to come from a name that you know, or perhaps some curious account with a hot profile picture to grab your attention.  Either way, you look at all of your mutual friends and you click “Confirm” on the friend request, allowing the attacker access to a gold mine of information.Once the attacker is on your “friends” list he can see all of your photos,  friends and family that you talk to the most, your daily activities and more.  In addition, he may be able to access your email address, phone number, the schools you went to, and where you currently work.

Armed with this information the hacker can now move on to the next level of attack, attempting to access your login details and other private information.The lesson to be learned here is “Don’t accept friends requests unless you’re darned sure you actually know the person on the other end”.  Either confirm the friend request by phone, by sending a private Facebook message asking for some specific details, or by only adding friends where you have initiated the friend request.

2. Brute Force:
Once the hacker has gained access to the names of your cats and dogs, children’s names, birthdays, etc he will begin the process to brute force your Facebook password.  This means he will make repeated attempts to log in to your account using a list of words and variations taken from the information you post to your account.  If the information gleaned from your profile, posts and photos does not yield a hit, he will move on using automated applications and dictionary files to attempt to crack the password.  There are a bunch of tools that claim to do this automatically, one only has to perform a quick Google search to find a page full of options.

A potential user of brute force applications can find unlimited tutorials on sites like YouTube.  With the availability of tools like this, I suspect anyone with a keyboard has the potential to get your password if you aren’t careful.  However, if you use long passwords, consisting of numbers, upper and lower case letters plus a special character (e.g.- %,$,!,@), I think you should be a bit safer from these brute force types of attacks.

3. Phishing:
According to Wikipedia, “Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.”In layman terms this means phishing is the act of a hacker creating a clone of a well known website login page, such as Facebook or your bank, with the hopes of tricking you into inputting your username and password on the page.   Once you type your information into the login form, and click the submit button, your name and password are added to a database or sent to a fake email address controlled by the hacker.

A hacker can use any of several methods to grab your Facebook information through phishing techniques.  The easiest way is to create a fake Facebook login page, put it on a free hosting service and then send you an email or Facebook post with a link to the page.  The problem with this method is the fact that the domain name in the link and your browser address bar should be a dead giveaway as shown in the image above.

Another, more popular method is to use a technique called “tab nabbing“.  Tab nabbing is an exploit where an attacker sends you a link to a regular looking web page such as a game or a video.  When you switch to another tab in your browser, the original page does a quick refresh to a fake Facebook, bank or email login page.  The tab-nabbing exploit takes advantage of user trust and inattention to detail in regard to tabs.  Many internet users don’t bother to look at the URL of a tab they’ve already been on.  Here is a video example showing how a simple tab-nabbing attack works.

When attempting to compromise the account of a more experienced internet user, hackers may utilize a combination of tools for a more sophisticated attack. Some of these tools include ettercap and the Social Engineer Toolkit’s Credential Harvester.  With this type of attack the hacker can manipulate your DNS configuration, the service that translates domain names to IP addresses.  Once your DNS has been changed all of your internet requests to www.facebook.com will go to a server under the attacker’s control.  This type of attack is very difficult to identify because the actual domain name Facebook.com will appear in your internet browser address bar.

6 Simple Steps To Keep Your Account Safe:

• When logging in to your Facebook account, always double check the URL in your browser’s address bar
• Use long, complicated passwords that utilize upper and lower case letters, numbers, and special characters
• Do not post personal information to your Facebook profile (e.g.- phone numbers, email address, etc)
• Review and adjust your privacy settings, in both your browser and your Facebook account, on a regular basis
• Only allow people on your “Friends” list that you have personally sent a friend request to, do not accept blind requests!
• If you do accept a friend request from someone, make certain that you have verified the person on the other end using some other means.

The internet brings convenience, business growth, and the opportunity to share your thoughts and memories with friends and family.  It also allows an attacker unlimited access to your life and private information.  By following a few simple guidelines, you can keep yourself  a bit safer on social networking sites like Facebook.com:

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.

Operation “Red October” is Spying on Governments Worldwide

Chris Dougherty
VirtualThreat.com, Contributing Writer

Kaspersky Lab has uncovered a cyber espionage campaign that is targeting diplomatic and government agencies around the world.  The campaign has been dubbed “Rocra”, short for “Red October”.

As of this writing the malware at the heart of the attack is actively sending data to several command and control (C&C) servers.  According to domain registration details,  the campaign has been operational since 2007.  The creators of the malware have also designed a complex distributed network that rivals the infrastructure of the recent Stuxnet and Flame campaigns.

“Red October” has successfully infiltrated computer networks at government embassies, military installations and scientific research facilities. Researchers say that the malware is gathering intelligence not only from computers, but also from mobile devices and networking equipment.

The attackers are using spear-phishing techniques tailored to specific victims in eight primary categories:

1. Government
2. Diplomatic / embassies
3. Research institutions
4. Trade and commerce
5. Nuclear / energy research
6. Oil and gas companies
7. Aerospace
8. Military

Kapersky said hundreds of victims have already been identified worldwide, mostly in Eastern Europe, but there are also reports from Asia, North America and Western European countries.

According to researchers, the data collected so far does not suggest that Operation “Red October” is a nation-sponsored cyber attack.   In contrast, the Flame and Stuxnet campaigns were reportedly a joint U.S.-Israeli operation launched in order to stop Iran’s nuclear program.

Kaspersky suggests that the initial exploits used in “Red October” were recycled from earlier work developed by Chinese hackers.  However, the malware modules responsible for scanning networks and collecting data appear to have been created by Russian-speaking operatives.

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.

M.I.T. Hackers Pay Tribute to Reddit Co-Founder Aaron Swartz

Nicole Perlroth
NYTimes Bits Blog

Anonymous, the loose collective of hackers, attacked the Web site of the Massachusetts Institute of Technology on Sunday, in a tribute to Aaron Swartz, the 26-year-old technology programmer who killed himself on Friday.

Mr. Swartz, a passionate advocate for the freedom of information, helped create Reddit and RSS technology, and was something of an “Internet folk hero.”  At time of his death, Mr. Swartz was being prosecuted for using M.I.T.’s computers to gain access to millions of scholarly articles from Jstor, a subscription-only service for distributing literary journals. If convicted, Mr. Swartz faced up to 35 years in prison and millions of dollars in fines — a steep punishment that Mr. Swartz’s family and supporters say contributed to his death.

“Aaron’s death is not simply a personal tragedy,” Mr. Swartz’s family and partner said in a statement. ”It is the product of a criminal justice system rife with intimidation and prosecutorial overreach. Decisions made by officials in the Massachusetts U.S. attorney’s office and at M.I.T. contributed to his death.”

On Sunday evening, M.I.T.’s president, L. Rafael Reif said that he had appointed an M.I.T. professor to investigate the university’s role in Mr. Swartz’s case and death.

By then, hackers had already begun a campaign that they called #OpAaronSwartz and rendered the M.I.T. site inaccessible using a distributed denial of service, or DDoS, attack, in which people flood a site with data requests until it collapses from the load. The hackers announced the campaign through a Twitter account associated with Anonymous.

TANGO DOWN – mit.edu and doj.gov #Anonymous#OpAaronSwartz Knowledge is not a crime!! Please RT!!!

— AnonOps (@anonopsofficial) January 14, 2013

Late Sunday, the site was back online. The Justice Department’s Web site, at justice.gov, was operational late Sunday.

Elsewhere on the Web, others paid a more peaceful tribute, setting up a memorial Web site where friends and supporters could post their own remembrances.

Academics paid tribute as well, posting links on Twitter to copyright-protected articles with the hashtag #pdftribute. By Sunday evening, a site set up to collect their material included more than 1,500 links to academic and research articles.

Hackers Pay Big Money to Use New Exploit Kit

John Lister
InfoPackets

The group behind a collection of ‘premium’ hacking tools is apparently charging hackers $10,000 a month for permission to use their exploit kit. The proceeds are helping fund rewards for anyone who shares information with the hackers about previously unknown software vulnerabilities.

According to security firm Sophos, the ‘premium’ hacking kit is the work of a group called ‘Paunch.’ This is the same group that previously offered hackers a set of tools known as the Blackhole kit, which users could access only after paying a $1,500 per year rental fee. (Source: sophos.com)

The Blackhole kit was (and is) used by cyber-criminals who have already gained unauthorized access to a legitimate website. The kit allows them to spread malicious software onto the computers of unsuspecting people who visit the hacked website.

Depending on the malicious software to be spread, the hackers would then be able to steal information from victims’ computers or use the compromised computers’ resources as ‘botnets‘ to carry out larger-scale online attacks.

$10K Hacker Kit Fee a Good Value For Some Cyber-Criminals

The Paunch group has now released a highly sophisticated package of hacking tools known as ‘Cool Exploit.’ The group is asking an astounding $10,000 per month from each hacker who wants to use the kit.

Most security experts believe anyone paying that fee is a professional hacker intent on making a serious profit through cyber-crime.

In fact, one Paunch customer is said to have made around $30,000 a day by using the Cool Exploit kit to spread “ransomware,” software that infects a victim’s machine and then threatens to delete files unless the victim pays the hacker responsible for the infection. (Source: theregister.co.uk)

Hackers Rewarded for Finding Software Security Flaws

The people behind the ‘Cool Exploit’ kit are reportedly using the huge fees they are charging to pay for information about major software security vulnerabilities, including zero-day flaws (security flaws in software that its developers don’t yet know about).

Information about such flaws is particularly prized by hackers, because they can carry out a scam using the new flaw before anyone can patch (and thereby protect) their computer systems.

Some experts worry that the Paunch fund will help turn amateur hackers into professional cybercriminals. In some scenarios, the fund could result in bidding wars between legitimate software developers and hackers, both seeking software vulnerability information, but for widely different purposes.

Al-Qaeda Linked to New York Phone Hacking Scams

Chris Dougherty
VirtualThreat Contributing Writer

Hackers with ties to Al-Qaeda terrorist cells in Somalia and the Philippines are targeting New York small businesses using international phone hacking scams.  The scams are costing the companies hundreds of thousands of dollars in phone charges each month.

Senator Charles Schumer (D-NY) said that the hacker group has a connection to Syracuse and it is currently under investigation by Federal and local law enforcement authorities, however the group’s members have not yet been apprehended.  He went on to say that so far 26 New York businesses have come forward to report that they’ve been victims of the phone hacking scams.

One local business, Best Cleaners, received a $150k bill from their phone company for connecting over 9000 overseas calls.  The company is currently fighting a legal battle against the phone service provider to challenge the validity of those charges.

Schumer said the Al-Qaeda hackers may be using the phone hacking scams to make large amounts of money, or simply to communicate using inconspicuous numbers.  Either way, he says the situation needs more investigation.

The hackers gain access to the phone number’s configuration through voicemail interfaces,  typically due to the use of weak passwords.  Once the accounts are breached the attackers can then set up call forwarding to international toll numbers under the hacker’s control.

Once call forwarding has been configured, the hackers use automated scripts to make thousands of calls to the hacked numbers.  This results in high charges being made to the owner’s account, charges that may go unnoticed for as many as 30 days after the fraudulent calls were made.

Voicemail users should take the following steps in order to keep their accounts safe from phone hacking scams:

1. Use a complex voicemail access code and/or password, DO NOT use the ‘default’ access code or password that comes with the system.
2. Change your access code and password frequently.
3. If you don’t make international calls, block these call types from your phone system.

It is important to note that phone hacking scams like the one discussed in this article are not restricted to businesses located in New York.  Several other cases have been reported by individuals and businesses in other U.S. and international locations.

Schumer urges individuals and small businesses to pay special attention to their phone bills to look for fraudulent charges and activity.

About the author…

Chris Dougherty is a grey hat hacker and online security expert.  Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.

This article is offered under Creative Commons license. It’s okay to republish it anywhere as long as attribution bio is included and all links remain intact.