Does your Lenovo computer have Superfish VisualDiscovery adware (a.k.a. spyware) installed? It’s possible if you purchased a Lenovo PC any time in September of 2014 and thereafter.

This Superfish software intercepts the Lenovo user’s traffic so that the user sees ads displayed that reflect their browsing habits. The problem with this targeted advertising scheme is that it comes with a vulnerability that makes it easy for hackers to attack.

Superfish enables targeted advertising by installing what’s called a trusted root CA certificate.

Browser-based traffic that’s encrypted gets intercepted, unscrambled and recrypted to one’s browser by a man-in-the-middle attack. Due to the trusted root CA, the user’s browser will not show any warnings that there’s something very fishy going on (i.e., an attack).

The private key of the Superfish software can be easily recovered. This enables a hacker to produce certificates for any website that’s trusted by a system that has the Superfish adware installed.

The hacker can then replicate websites, or spoof them, without the user ever knowing it because the browser won’t know it. The type of attack is called SSL spoofing.

Many Lenovo users, hence, have the perspective of, “How DARE Lenovo preinstall this software?!” Lenovo has received harsh backlash and has claimed they’ve discontinued these installations. But this doesn’t reverse the vulnerability of the PCs that already have the adware.

To find out if your Lenovo has this adware, see if it has an HTTP GET request to superfish.aistcdn.com. And then if it does, uninstall it, along with the root CA certificate—don’t just uninstall the adware only; that certificate is what gets the hackers in.

The Microsoft Windows certificate store, and the Firefox and Thunderbird certificate stores, can guide you in managing and deleting certificates.

Right now, the best thing to do is head to this site: https://lastpass.com/superfish/ and then this site: https://filippo.io/Badfish/ to confirm your device doent have the superfish. If both check out OK, you’re good.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. 

Just when you think it was safe to believe your Social Security number can’t get stolen…news breaks of the Anthem data breach. Over 80,000,000 patient records were compromised, including SSNs and home addresses. Like a meteor striking the earth, a disastrous ripple effect is underway, with patients getting hit up with phishing e-mails.

If you ever suspect your SSN has been stolen, some suggest contacting the IRS and Social Security Administration and notify them of your situation. The thief can do bad things with your number, but if you contact these agencies, can you really protect yourself from that? I’m not sure these agencies can really do anything based on the volume of fraud happening today.

So what should you do to guard against ID theft while you’re still ahead?

Your credit report should have a fraud alert placed on it. This way, lenders and creditors will be stricter about identifying you as the authentic applicant. Thus, a thief will probably flunk these extra steps. Contact either Equifax, Experian or Transunion and they’ll place the 90-day fraud alert. You can also ask for an extension. Consider re-establishing the fraud alert every 90 days. The fraud alert will net you a copy of your credit report. Examine it carefully.

Watch your credit like a hawk. If nothing happens during those 90 days, this doesn’t mean you’re in the clear. A thief may act after 90 days, or, just as a baseline good practice, you should still always monitor your credit. Self-monitoring your credit involves either buying your credit report as often as you’d like or getting it free, quarterly at AnnualCreditReport.com.

Credit freeze. A more secure measure is to freeze your credit, but this means you too can’t do anything like apply for a refinance on your house until it’s “thawed”. But if you don’t foresee needing to do that or open new lines of credit in the near future, then you’ll get more peace of mind with a credit freeze.

If an unforeseen need to apply for a loan surfaces, you can unfreeze your credit. Just keep good notes regarding the user/pass and web address to quickly thaw your credit. A credit freeze/thaw requires a one-time fee of $5-$15.00. Cheap and effective.

Identity theft protection. This is a no brainer. For $100-$300 annually for an individual or family of 4, your identity is being monitored 24/7 by professionals who will also restore your identity in the event of loss. Check with the companies Terms of Service and their features/benefits to determine what the will and will not protect against.

Be smart. Though some hackers are amazingly ingenious and subtle with their schemes, other tricks are so obvious that it’s astounding that anyone who’s smart enough to use a computer could fall for them.

A college degreed professional can be so caught up in the latest trash or tragic news about a very high profile celebrity that they could be lured right into the palm of a ruthless scammer: The bait is a link to an exclusive interview with the celebrity’s mother. Hah! Click the link, and you’ll become the mouse in a trap.

• Never click links inside e-mails, even if it seems that the sender is from someone you know.
• Don’t even bother opening e-mails with sensationalistic subject lines like “Exclusive Video of Bruce Jenner in Mini Skirt.”
• When using various online accounts, see if they offer two-factor authentication; then use it.
• Use different passwords for all of your accounts, and make them long and unique, not “123Kitty.”
• Use antivirus and anti-malware and keep them updated; also use a firewall.
• Shred all personal documents before putting them in the rubbish.

Never give out your SSN except for job applications, loan applications, credit card applications and other “big stuff.”

These days, it is hard to pick up a newspaper or go online and not see a story about a recent data breach. No other example highlights the severity of these types of hacks than the Sony breach late last year.

While a lot of information, including creative materials, financials and even full feature-length movies were released – some of the most hurtful pieces of information were the personal emails of Sony executives. This information was truly personal.

You have a right to privacy, but it’s not going to happen in cyberspace. Want total privacy? Stay offline. Of course, that’s not realistic today. So the next recourse, then, is to be careful with your information and that includes everything from downloading free things and clicking “I agree” without reading what you’re approving, to being aware of whom else is viewing your information.

This takes me to the story of a white hat hacker—a good guy—who posed as a part-time or temporary employee for eight businesses in the U.S.. Note that the businesses were aware and approved this study. His experiment was to hack into sensitive data by blatantly snooping around computers and desks; grabbing piles of documents labeled confidential; and taking photos with his smartphone of sensitive information on computer screens.

The results were that “visual hacking” can occur in less than 15 minutes; it usually goes unnoticed; and if an employee does intervene, it’s not before the hacker has already obtained some information. The 3M Visual Hacking Experiment conducted by the Ponemon Institute shed light on the reality of visual hacking:

• Visual hacking is real: In nearly nine out of ten attempts (88 percent), a white hat hacker was able to visually hack sensitive company information, such as employee access and login credentials, that could potentially put a company at risk for a much larger data breach. On average, five pieces of information were visually hacked per trial.
• Devices are vulnerable: The majority (53%) of information was visually hacked directly off of computer screens
• Visual hacking generally goes unnoticed: In 70 percent of incidences, employees did not stop the white hat hacker, even when a phone was being used to take a picture of data displayed on screen.

From login credentials to company directories to confidential financial figures – data that can be visually hacked is vast and what a hacker can do with that information is even more limitless.

One way to prevent people from handing over the proverbial “keys to the kingdom” through an unwanted visual hack is to get equipped with the right tools, including privacy filters. 3M offers its ePrivacy Filter software, which when paired up with the traditional 3M Privacy Filter, allows you to protect your visual privacy from nearly every angle.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. 

Does your wallet contain enough information about you for someone to steal your identity and commit crimes under your name? That’s what happened to Jessamyn Lovell when Erin Hart stole her wallet in 2011.

Hart shoplifted, checked into hotels and rented cars in Lovell’s name. Of all the nerve.

Lovell tracked Hart down and documented this in “Dear Erin Hart,” a photo project. Lovell couldn’t find the heartless Hart on her own, so she hired a private investigator. Turns out Hart was sitting in jail on numerous charges. Hart served eight months and upon exiting the city lockup, was photographed by Lovell.

That was just the start of stalking Hart. Lovell, the PI and two of his assistants followed the thief around all day, taking pictures of her doing ordinary things like buying cigarettes and shopping at a thrift store. The trail disintegrated after she entered an alley.

Lovell had a chance to confront Hart, but opted not to, concerned that it could turn ugly. But the several thousand dollars that this 2013 venture cost Lovell was worth it.

The following year Lovell, with the PI’s help, found Hart again. And in September 2014, Lovell opened her show at SF Camerawork—the very location of the wallet theft. Lovell is writing a book and hopes to have it out in March this year.

Lovell has also gone as far as sending an e-mail to Hart (via her probation officer), asking for Hart to respond, but Hart has not.

“I just wanted her to know that she impacted a real person,” Lovell says in an article on wired.com.

Lovell actually feels some degree of connection with her identity theif because she grew up poor and figures that Hart is hard up for money (though Hart certainly didn’t need to waste what little money she had on cigarettes). Nevertheless, she has no desire to try to make friends with Hart.

If you’ve ever watched virtually any spy flick or James Bond movie you’re familiar with “bugs” – those little dime-sized metallic things that the bad guys would secretly stick under someone’s desk to record any conversation in the room—picked up by a receiver in their car. Or, the phone was “tapped” – the device was inside the receiver.

How primitive! Because these days, all of your computer, mobile, tablet and online activities can be “bugged” – without someone ever coming into your home or office—remote spying—done with spyware. They know what you’re posting to Facebook, what videos you’re watching, what secrets you’re telling or hiding—anything and everything. They may even be watching YOU as you type or recording your keystrokes.

Spyware companies sell the technology and it’s legal to purchase. Spyware ranges from $40 to $200 a month. Based on their sales, it’s feasible that millions of Internet users are being spied on.

Selling spyware is perfectly legal, as mentioned, even though this can get into the wrong hands. But it’s akin to the legal sales and use of knives. In the wrong hands, even a butter knife could be a dangerous weapon.

Though some spyware devices must be installed physically on the target’s device (e.g., wife installing on her husband’s device, employer installing on employee device, parent on child’s device), some devices can be installed remotely.

This isn’t as techy as you think. The spyware companies want to make money, so they’ve made it easy to install and use their products. Parents wanting to know what’s going on with their teenagers are drawn to this technology. So are psycho-stalkers.

Spyware is a big hit with people wanting to find out if their spouse or significant other is cheating on them, and many even focus on this in their ads. Another demographic that’s drawn to spyware are employers who want to see what their employees are up to.

But let’s not forget that a thief could spy on someone to get their credit card number, passwords and other crucial information and then use it to drain their bank accounts, max out their credit card or open a new credit card under their name and go wild with it.

Spyware can also be used to eavesdrop on phone calls after the snooper (or stalker) puts the app in the phone. There are cases in which abusive men did just this to their partner’s phone after the partner fled from them, then tracked them down and committed violence against them. So should spyware be banned? Well, it goes back to the butter knife analogy.

Spyware gets away with legality because of its strong legitimacy in terms of parents keeping an eye on their kids, and employers monitoring employees whom they think are goofing off on the job. However, an employer can take it further and “follow” where the employee goes on lunch break or to see if they went to that big basketball game when they called in sick.

That’s pushing it, but it can go even further: The spyware customer could intercept phone calls, text messages and anything else the unsuspecting target does on their smartphone. However, even though spyware came out in the mid ‘90s, there have been only three prosecutions. If it’s ever outlawed, parents will go berserk.

How many times have you read about something horrible that a teenager did, that was somehow connected to their online activities, and you thought, “Where were the parents when all this was going on? Weren’t they monitoring their kid’s online activities? Didn’t the parents care what their child was doing online?” Etc., etc.?

If these parents had had one of these spyware programs, maybe they would have nipped their kids’ problems in the bud and prevented tragedy. But don’t let these cases fool you: Parents make up a large percentage of spyware customers.

Critics of spyware won’t back down, including legislators, and maybe that’s why some companies are requiring customers to identify themselves as parents or employers in order to use their applications. This sounds more like defensive TOS, since anyone can claim they’re a parent or workplace supervisor without having to prove it. What’s a company really going to do…send out a private investigator to see if the new user really DOES have a teenager?

Now that you know more about spyware, how can you prevent someone from bugging your phone or computer? Keep your devices locked. Never leave your phone where someone can get to it.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. 

It’s amazing how ingenious cybercriminals are, but the victims also need to take some responsibility for falling for these ruses, especially when the victim is a business that has failed to train its employees in cybersecurity measures.

Ransomware

The stuff of science fiction is here: Who would have ever thought there’d ever be a such thing as criminals remotely stealing someone’s personal information (word processing files, any kind of image, etc.), scrambling it up via encryption, then demanding ransom in exchange for the remote “key” to “unlock” the encryption?

Payment is remotely by Bitcoin which can’t be traced. The payment is usually at least $500 and escalates the longer the victim waits.

The virus that poisons a computer to steal someone’s files is called ransomware, a type of malicious software (in this case, “Cryptolocker” and “CryptoDefense”). But how does this virus get into your computer in the first place?

It’s called social engineering: tricking users into allowing their computer to be infected, or duping them into revealing personal information.

Often, a phishing e-mail is used: It has an attention-getting subject line that entices the user to open it. The message contains a link. They click the link, and a virus is downloaded. Or, the link takes them to a site which then downloads the virus.

These e-mails, sometimes designed to look like they’re from the company the user works for, often go to workplace computers where employees get tricked. These kinds of attacks are lucrative to their instigators.

Funeral Fraud

If you wanted to notify a relative or friend that a mutually dear person has left this earth…would you send an e-mail or phone that person? Seems to me that heavy news like this would warrant a phone call and voice interaction.

So if you ever receive an e-mail from a funeral home indicating that a dear one to you has passed, and to click a link to the funeral home to learn details about the burial ceremony…consider this a scam.

Because if you click the funeral site link, you’ll either get redirected to the crook’s server because he’s already created an infected funeral looking site ahead of time. This is where a virus will be downloaded to your computer.

Vishing Credit Card Scam

You get a phone call. An automated voice identifies itself as your credit card company (they’ll say “credit card company” rather than the specific name). It then says something like, “We are investigating what appears to be a fraudulent charge on your card.”

They’ll ask if you made a particular purchase lately, then to hit 1 for yes and 2 for no. If you hit no, you’re told to enter your credit card number, three-digit security code and expiration date. You just fed a thief all he (or she) needs in order to go on an online or on-phone spending spree.

Ever order something via phone and all you had to give up was the credit card number, expiration date and security code? This trick is also aimed at employees. The calls come from an automated machine that generates thousands of these calls.

Healthcare Record Scam

You receive an e-mail that appears to be from your employer or healthcare provider that you get through work. This may come to you on your home computer or the one you use at work. The e-mail is an announcement of some enticing change in your healthcare plan.

The message may reference something personal about you such as marital status, income or number of dependents. When enough of these e-mails are pumped out with automated software, the personal situation of many recipients will square off with those identified in the e-mail, such as income and number of children. The user is then lured into clicking a link in the e-mail, and once that click is made…malware is released.

Facebook Company Group Scam

Scammers will scan Facebook and LinkedIn seeking out employees of a particular company and create a group. This groups purpose is for information gathering so scammers can penetrate a company’s facility or website. Once all the groups member join, the scammers will pose various innocuous questions and start palatable discussions that make everyone feel comfortable.

Over time scammers will direct these discussions to leak bits of data that allow criminals to enter a facility under a stolen identity or to contact specific employees who have advanced access to computer systems in an attempt to get usernames and passwords.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. 

Privacy used to mean changing clothes behind a partition. Nowadays, say “privacy” and people are likely to think in terms of cyberspace. Stay connected, and you risk losing your privacy.

Even if you’re not connected, don’t even own a computer or smartphone, information about you can still be out there on the Internet, such as a listing for your address and phone number or a way for someone to get it with a small fee if you live in owner-occupied property.

An article on wired.com points out that the Internet of Things (IoT) is a privacy killer. But it’s also more than that. The evolution of technology forces us to redefine how we perceive our lives, says the article. Even an invention as primitive as the steam engine caused a rethinking among people. But whereas the steam engine was a slap, the IoT is a sledgehammer.

And the Internet of Things is only just beginning. Wired.com notes that the combination of the World Wide Web, big data, social identity, the cloud and more are all poised to erupt into something huge, and it won’t give us time to prepare.

The IoT will infiltrate the tiniest and most remote pockets of the planet, inescapable, impacting all who have a pulse, literally. It’s not like the steam engine in which, soon after its invention, many people were afraid to ride the train because they believed that God did not intend for humans to travel so fast, and thus, these folks easily avoided boarding the train.

We won’t be able to avoid the IoT. It won’t be a station we walk up to and then decide we don’t want to get on. We will be, as wired.com says, living inside the Internet. We’re too addicted to technology not to. Kids can’t imagine living without their smartphones. When their grandparents were kids, the only thing they felt needy for was an umbrella on a rainy day. You don’t miss what you can’t conceive of.

With the IoT slowly dissolving us, like a snake swallowing a giant rat and slowly dissolving it (certainly you’ve seen those unsightly images—you know what I’m talking about), our privacy will be dissolved along with us.

Strangers already can figure out what things we like to shop for without ever communicating to us. Your health habits, eating habits, dating habits…all the data that makes you YOU is continuously being shagged by Big Data. “Privacy” may one day become one of those words, like “oil lamp,” that’s no longer in use because by then, it will be such a far-removed concept.

Imagine living in a house made entirely of see-through structures, so that no matter where you are in it, people on the outside can see what you’re doing. There’s no brick, no aluminum, drywall or wood—just all some transparent material. That’s the Internet of Things.

Ways to shield your privacy:

Use a browser that has an “incognito” mode or privacy plug-in.

Use a VPN to mask your IP address and encrypt your data. Knowledge of where you’ve visited can be used against you by insurance companies and lawyers, to say the least; you just never know what can happen when something out there knows your every online move.

Turn of GPS location for photos. iPhone and other devices saves the location where you took the shots, which is no secret once you post the photos on FB, Twitter, Instagram, etc. Shutting down location based apps will help here too.