National Preparedness Month is happening right now. It’s the perfect time to take action for you and your community. It’s all about making plans to remain safe, and when disasters do strike, to keep communications going. September 30th is the culmination of NPM, with the National PrepareAthon! Day.

If a burglar sees your Facebook status that you are traveling on vacation and then enters your house, and takes $10,000 worth of valuables, it’s safe to say you as the homeowner facilitated the theft. This is no different than leaving your doors unlocked when you head to the store. This lack of attention to security is why crime often happens.

These lapses in judgement are akin to how human error enables data breaches. Even worse, for a small business, employee behavior accounts for a significant number of hacking incidents – and the costs of data breaches are tremendous.

A study from CompTIA says that human error is the foundation of 52 percent of data breaches. The CompTIA report also says that some of the human error is committed by IT staff. Funnily enough, it also points out that typically, businesses rank human error pretty low on the priority list of potential problems.

Some important things to remember:

• Security awareness training is crucial for employees.
• A strong incident response system must be in place.
• Appointing a CISO (chief information security officer) will also help.

The high price of human error can include lost or stolen mobile devices, slow notification of a data breach, a weak security structure and response plan, and lack of a CISO. To avoid these and protect your business, you should:

• Implement an aggressive security awareness training program for employees
• Develop a data breach response plan
• Implement strong authentication practices
• Use encryption
• Implement a data loss identification system

And all companies should take note of the following safeguards:

• Vigorously train employees in safety awareness that pertains to the “bring your own device” policy. Many data breaches occur when someone conducts business on their personal mobile device.
• Security awareness training isn’t just about telling employees the facts. It also should include staged attempts at a data breach (by hired white hackers) to see who takes the bait. This also includes staged attempts by people posing as vendors or other executives trying to gain access to sensitive information.
• Back up all data on a frequent basis, ideally on a local drive in combination with a cloud service.
• Computers should be replaced every two to three years. This will make it easier for businesses because the computers at this point will still be functioning.

The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained on proactive security and tricks that cyber thieves use. To learn more about preparing your small business against the common accidents of everyday life, download Carbonite’s e-book, “5 Things Small Businesses Need to Know about Disaster Recovery.”

#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders. 

It sounds almost like science fiction, even in this cyber age: A thief hacks into your computer and encrypts your files, meaning, scrambles the information so you can’t make sense of any of it. He demands you pay him a big fat payment to “unlock” the encryption or to give you the “key,” which is contained on the thief’s remote server.

You are being held ransom. The FBI’s Internet Crime Complaint Center has sent out a warning to both the common Internet user and businesspeople about this ransomware, says an article on arstechnica.com.

And if you think this is one helluva dirty trick, it can be worse: The thief gets your payment, but you don’t get the cyber key.

The article says that the biggest ransomware threat is the CryptoWall. The FBI’s IC3 has received reports from 992 victims of this ransomware, but it’s estimated that there are many more victims who have not notified the IC3 (would you or your friends necessarily know to do this?) and instead just paid the ransom—or didn’t, resigning to never being able to access their files again.

In addition to the ransom cost, there are also the costs associated with cleaning up the mess, and the fallout especially hits businesses, because they suffer lost productivity and having to pay IT services.

The arstechnica.com article quotes Stu Sjouwerman, CEO of KnowBe4, a security training company: “CryptoWall 3.0 is the most advanced crypto-ransom malware at the moment.”

According to the IC3, there are $18 million in losses associated with CryptoWall, but remember, that’s only what has been reported. Many businesses do not notify the FBI of breaches: the ransom payment as well as the heavy cost of impaired productivity.

How does an individual or business avoid getting sucked into this trap? The FBI offers the following recommendations:

• Back up all of your data on a regular basis.
• Protect all of your devices with antivirus software and a firewall—from reputable companies.
• Keep your security software updated.
• Clicking on a malicious website could download ransomware; therefore, you should enable pop-up blockers that will prevent these dangerous clicks.
• Do not visit suspicious websites.
• Avoid clicking on links inside e-mails.
• Protect your WiFi connection. A criminal can insert a virus on your device while on unencrypted WiFi. Use a VPN, a virtual private network encrypts your data over free WiFi.
• Avoid opening attachments that come from strangers or people for whom it would be out of character for them to send you an attachment or who’d have absolutely no reason to. This includes the IRS, UPS, Microsoft, Walmart, etc.
• CryptoWall can still make its way into your device if you’ve clicked on a malicious ad that’s on a legitimate website, says the arstechnica.com article. Here is where an updated antivirus software program would come into play to detect the malware.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. 

Darkode anyone? Not anymore. This underground bad hackers’ forum was recently demolished by the FBI, says a report on www.justice.gov. The dozen hackers associated with Darkode are facing criminal charges.

Though there are about 800 of such forums, Darkode was among the worst (or shall I say “best”?), presenting a serious threat to worldwide computers. Gone is Darkode’s ventures of buying, selling and trading malware, and exchanging hacking strategies—to actually carry out crimes, not just fun brainstorming.

The dismantling of Darkode comes as a result of infiltration also by the efforts of law enforcement representing 20 countries including Australia, Colombia, Canada, Germany, Latvia, Denmark, Finland, Romania, Nigeria, Sweden and the UK. This is the biggest bust of a black hat forum to date.

Here is the cyber smut list from the www.justice.gov article:

• J. Gudmunds, 27. He created a botnet that stole data on 200 million occasions.
• M. Culbertson, 20. He’s the brains behind Dendroid, malware for sale on Darkode that was supposed to steal and control data from Google Android. Clever name, too: “Dend” refers to branching out (as in neuronal dendrites).
• E. Crocker, 29. He’s the mastermind behind a Facebook spreader that infected the computers of FB users, converting them to bots.
• N. Ahmed, P. Fleitz and D. Watts, 27, 31 and 28, respectively. They’re behind the spam that sent out millions of e-mails intended to bypass spam filters of cell phones.
• M. Saifuddin, 29. He tried to transfer credit card numbers to other Darkode members.
• D. Placek, 27. He allegedly created Darkode and sold malware on it.
• M. Skorjanc, F. Ruiz and M. Leniqi, 28, 36 and 34, respectively. They’ve been charged with conspiracy to commit wire and bank fraud, racketeering conspiracy and conspiracy to commit computer fraud and extortion.
• Rory Stephen Guidry. He reportedly sold botnets on Darkode.

The article points out that all of these wrongdoings are accusations at this point, and that these defendants are presumed innocent until proven guilty.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Some of us remember college dorm days, when students were envied if they had their own typewriter. These days, college students must have a personal laptop computer, and a smartphone, and their lives revolve around these connected devices.  Such dependency should be proactively protected from loss or theft.  Campus security now means more than just being beware of who might be hiding in the bushes at night.

When you send your college kid off into the world, you want them to be prepared for life’s curveballs, and unfortunately, the occasional criminal too. How prepared are they? How prepared are you? Do you or they know that if they leave their GPS service on, some creep could be “following” them? Are they aware of how to lock down their devices to prevent identity theft?

For cybersecurity and personal security, college students should:

• Disable the GPS option on mobile apps unless the app is specifically meant to track for personal security reasons.
• Be very cautious about the personal information they share such as home address, dorm address, phone number and e-mail.
• Enable privacy settings on social media accounts.
• Learn how to manage cyberbullying.
• Realize that they are favored targets of identity thieves and often don’t realize they’ve been had.

How might students get hacked and how can they prevent it?

• They can fall for a scam via a campus job board, the institution’s e-mail system, off-campus public Wi-Fi or on social media. Be aware of what you click on.
• It’s easy for devices to be stolen; never leave devices alone whether it’s in the library or a café.
• Shoulder surfing: Someone peers over their shoulder in the study lounge or outside on a bench to see what’s on their computer screen. A privacy filter will make shoulder surfing difficult.
• Be careful when buying a used device (which can be infected) and simply taking it as is. Wipe it clean and start fresh with the installation of a new operating systems.
• If you’re not using your devices, consider keeping them in a lockbox or a hidden place instead of exposed in a shared living space like a dorm.
• All devices should have a password protected screen lock.
• Data should be backed up every day. Imagine how you’d feel if you lost that term paper you’ve been slaving over!
• Get a password manager, which will create strong, complex passwords unique to every account. And you won’t have to remember them.
• Avoid jailbreaking your smartphone, as this increases its hackability.
• Avoid using public Wi-Fi for transactions involving money or sensitive information, since hackers could easily snoop on the data transmissions. A virtual private network (VPN) will prevent snooping by encrypting transactions.

All devices should have security software that should be updated automatically. Virus scans should be done every day, or at least no less frequently than once a week.

It is September and it’s National Preparedness Month—a great time to get involved in the safety of your community. Make plans to stay safe, and this includes maintaining ongoing communications. National Preparedness Month culminates September 30th with National PrepareAthon! Day.

I learned in high school biology class that one of the things that distinguishes life forms from inanimate objects is that living things replicate. Therefore, a computer virus is, well, alive; it replicates itself. It’s alive enough to cause billions of dollars of destruction from the time it attacks a computer network until the disaster is cleaned up.

But just what is a computer virus?

Not only does this nasty program file duplicate itself, but it can spread to other computers without human involvement.

Unlike a virus with DNA, a tech virus usually doesn’t produce symptoms to give you an early warning. But it’s hell-bent on harming your network for financial gain.

Though a virus is malicious, it may impersonate something harmless, which is why the user lets it in. One type of virus is spyware— which allows your computer to run smoothly as always, while the spyware enables criminals to watch your login activities.

Though viruses often corrupt in secret, others can produce symptoms including:

• Computer programs and smartphone applications open and close spontaneously.
• Computer runs very slowly for no apparent reason.
• Someone you know emails you about the global email you recently sent out promoting a product you have nothing to do with.

You can protect yourself or your business from a virus in the following ways:

• A malment is a common way to let a virus into your computer. This is a malicious attachment that, when clicked, downloads the virus. The email message tricks employees into clicking that attachment. Unless it’s been confirmed by the sender that you’ll be receiving an attachment shortly, never open attachments. Or at a minimum, scan them with antivirus software.
• Never open an attachment sent out of the blue by the IRS, company bank, credit union, medical carrier, etc.
• Apply the above rules to links inside emails. A “phishing” email is designed to look legitimate, like it came from the bank. Click on the link and a virus is released. Or, the link takes you to a site that convinces you to update some login credentials—letting the hacker know your personal information.
• Never use public Wi-Fi unless you have a VPN (virtual private network) encryption software.
• All devices should have continually updated security software including a firewall.
• Browser and operating system as well should be updated with the latest versions.
• Prevent unauthorized installations by setting up administrative rights.
• Employees, from the ground to the top, should be aggressively trained in these measures as well as bring-your-own-device protocols.
• Back up your data. Why? Because when all else fails and your data and devices have been destroyed by malware, a cloud backup allows you to not only recover all your data, but it helps you sleep at night.

The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained in how malware works and other tricks that cyber thieves use. To learn more about preparing your small business against viruses, download Carbonite’s e-book, “5 Things Small Businesses Need to Know about Disaster Recovery.”

#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders. 

Hackers with big skills and a big ego will be drawn to Facebook and Twitter as their targets. But they’ll also target dozens of other companies, reports an article on arstechnica.com.

One group in particular stands out as the attackers, using zero-day exploits. They are known as Wild Neutron and Morpho, says the article, and have been active possibly since 2011, burrowing their way into various businesses: healthcare, pharmaceutical, technology.

It’s been speculated that the hackers want the inside information of these companies for financial gain. They’ve been at it for three or four years; we can assume they’ve been successful.

Researchers believe that these hackers have begun using a valid digital certificate that is issued to Acer Incorporated to bypass code-signing requirements that are built into modern operating systems, explains the arstechnica.com report.

Experts also have identified use of some kind of “unknown Flash Player exploit,” meaning that the hackers are using possibly a third zero-day exploit.

The report goes on to explain that recently, Reuters reported on a hacking group that allegedly busted into corporate e-mail accounts to get their hands on sensitive information for financial gain.

You’re probably wondering how these big companies could be so vulnerable, or how it is that hackers can figure out a password and username. Well, it doesn’t really work that way. A company may use passwords that, according to a password analyzer, would take nine million years to crack.

So hackers rely on the gullibility and security un-awareness of employees to bust in. They can send employees an e-mail, disguised to look like it’s from a company executive or CEO, that tricks the employee into either revealing passwords and usernames, or clicking on a malicious link that downloads a virus, giving the hacker access to the company system’s stored data. It’s like removing a dozen locks from the steel chamber door to let in the big bad wolf.

The security firms interviewed estimate that a minimum of 49 companies have been attacked by the hacking ring’s surveillance malware. The cybercriminals have, in at least one instance, got into a company’s physical security information management system.

The arstechnica.com article notes that this consists of swipe card access, HVAC, CCTV and other building security. This would allow the hackers to surveil employees, visually following them around.

This hacking group is smart. They don’t reuse e-mail addresses; they pay hosting services with bitcoins; they use multi-staged control/command networks that have encrypted virtual machines to foil forensics detectives. The only good news is that the group’s well-documented code suggests it’s a small band of hackers, not some giant one.

You’re sitting on your front porch. You see a stranger walking towards your property. You have no idea whom he is. But he’s nicely dressed. He asks to come inside your house and look through your bank account records, view your checkbook routing number and account number, and jot down the 16-digit numbers of your credit cards. Hey, he also wants to write down all your passwords.

You say, “Sure! Come on in!”

Is this something you’d be crazy enough to do? Of course not!

But it’s possible that you’ve already done it! That’s right: You’ve freely given out usernames, passwords and other information in response to an e-mail asking for this information.

A common scam is for a crook to send out thousands of “phishing” e-mails. These are designed to look like the sender is your bank, UPS, Microsoft, PayPal, Facebook, etc.

The message lures the recipient into clicking a link that either leads to a page where they then are tricked into entering sensitive information or that link is infected and downloads malware to the users’ device.

The cybercriminal then has enough of your information to raid your PayPal or bank account and open up a new line of credit—in your name.

The message typically says that the account holder’s account is about to be suspended or deactivated due to (fill in the blank; crooks name a variety of reasons), and that to avoid this, the account holder must immediately re-enter login information or something like that.

Sometimes a phishing e-mail is an announcement that the recipient has won a big prize and must fill out a form to collect it. Look for emails from FedEx or UPS requiring you to click a link. This link may be infected.

Aside from the ridiculousness of some subject lines (e.g., “You’ve Won!” or “Urgent: Your Account Is in Danger of Being Deactivated”), many phishing e-mails look legitimate.

If you receive an e-mail from a company that services you in any way, simply phone them before you click on any link. If you click any of the links you could end up with malware.

Watch this video to learn about how to avoid phishing:

Save yourself the time and just call the company. But you don’t even have to do that. Just ignore these e-mails; delete them. Nobody ever got in trouble for doing this. If a legitimate company wants your attention, you’ll most likely receive the message via snail mail, though they may also call.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!