April, 2013
Feature
Inspection News and Views from the American Society of Home Inspectors



Cyber Security for the Home Inspector

RICK BUNZEL


A hacker buys a list of names and passwords from a recent LinkedIn® security breach. He scans the names to find his victim, a small businessman with little security but real financial assets. He finds Gary, a home inspector in Omaha, Nebraska. Gary's LinkedIn profile says that home inspection is his second career, as he retired from a large Fortune 500 company. Gary's LinkedIn profile also displays his email address, so the hacker goes to that email provider's login page and tries the same password Gary used on LinkedIn.


Sure enough, the password works. He combs through the email, identifying Gary's Bank of America, Paypal and Smith Barney Investment accounts. The hacker now has a target from which he knows he can get $50,000 to $100,000 without leaving his computer. He sends an email that looks like it's from Smith Barney, but really it contains a malicious program that covertly captures all of Gary's logins and passwords for the next week. On a Friday afternoon, the hacker springs into action and starts transferring money out of Gary's account.

Unbeknownst to Gary, his phone numbers have been forwarded to another phone number the hacker has set up through Google Voice. The hacker has changed the passwords on Gary's email accounts so he can't see the transaction alerts that his bank and Smith Barney are sending him. Within a few hours, the money has been transferred to a series of banks and then out of the country.

As a last step, the hacker crashes Gary's computer to cover his tracks. It takes several days for Gary to find out the financial damage that occurred in a few hours.
Bloomberg Businessweek estimates that online banking fraud costs businesses $370 million a year.

People think, "It'll never happen to me," but the attackers are skilled and well organized, and most small businesspeople are not computer experts. Larger corporations employ full-time Information Technology (IT) professionals to implement advanced security measures; smaller companies do not because of cost constraints, which leaves them vulnerable. As bigger companies tighten their computer security, cybercriminals look for easier targets. In many cases, that will be the small or medium-sized business that has not invested in network or computer security beyond basic anti-virus software.

According to a recent survey conducted by Visa and the National Cyber Security Alliance, more than 85 percent of small business owners believe their companies are less of a target for cybercrime than large companies.

Cybercriminals are cracking into the online bank accounts of small businesses at an unprecedented rate. Not every bank takes proactive steps to protect its small business customers, so many small businesses need to look for a bank with more protection. Talk to your banker about what protection is in place, and ask specifically about transaction alerts, dual approval for outgoing transfers and daily transfer limits on your account. Larger banks such as Chase, Bank of America and Wells Fargo have more mature pattern-recognition and monitoring capabilities. Just like the major credit card companies, banks should have automated systems to detect anomalous activity in accounts, but because these systems are expensive, many banks still rely on laborious manual processes. If a bank uses third-party processors to handle transactions, as almost all but the largest do, business owners should confirm that the processors' practices are equally secure.

What you can do

Your computer

I recommend a multi-layered approach to protecting your computer, which includes the following:

• Keep all your software up-to-date automatically.

I use a program called Personal Software Inspector from Secunia (www.secunia.com). Patch My PC (free version) (www.patchmypc.net) is another good program that will keep your software fully updated.

• Use good security software that is automatically patched and updated.

I use Microsoft Security Essentials, but Norton, PC Tools, McAfee, avast! and AVG are all good products if kept up-to-date. Many of them have free versions that work well but may leave out certain bells-and-whistles features.

• Use a good independent virus scanner.

There always are new threats that may slip through your present defenses. When my computer slows down or gets redirected to a suspicious web page, I pull out Spybot Search & Destroy (www.safer-networking.org). It is an independent anti-malware scanner whose definitions are updated regularly. Malwarebytes Anti-Malware (www.malwarebytes.org) is another scanner that professionals use to find infections that slip past the regular anti-virus product. Use these as an on-demand second opinion; two products that both try to provide real-time protection will interfere with each other.

• Use a firewall.

I run ZoneAlarm as my firewall. ZoneAlarm is a two-way firewall that analyzes traffic in and out of your computer. When an unrecognized program tries to send information out of your computer, ZoneAlarm will alert you and ask whether to allow it.

• Update your browsers.

I use the latest version of browsers such as Google Chrome because they are more secure. Internet Explorer, the default browser on Windows, is the one hackers most often target. Whichever browser you use, let it update itself automatically.

• Have Internet access policies for your employees.

If you have employees, you should have policies that stipulate how and when employees can access the Internet.

• Implement automated and secure backup plans.

Have a system in place that backs up your computers to another location. We have a backup server on our network, but there are services that allow you to back up to a third party. Carbonite, Mozy and CrashPlan are all services that, for a small fee, will handle your backups. Some of these services will also back up tablets and smartphones. Whatever you use, restore a file from the backup occasionally to prove that it works; a backup you have never restored is a hope, not a plan.

Your network

• If you have WiFi access on your network, make sure that you are using WPA or WPA2 (WPA2 preferred). Never use the older WEP; it can be broken in minutes.

• Protect the WiFi with a passphrase of at least 8 characters that mixes letters and numbers; longer is better.

• Have rules for employees who access your network from their home or a mobile device.

Offsite access to your network opens a door to your systems. Malware on one machine can spread to the others across the network. If you must have employees access your network from outside the office, use a VPN (virtual private network).

• If your router has a firewall option, make sure it is enabled, and change the router's administrative password from the factory default.

Your smartphone or tablet

For a long time, Apple device owners believed they were immune to viruses and Trojans. As these devices grew in popularity, they became a target, and the same goes for Android-based phones and tablets. It pays to keep your devices updated with the latest operating system patches. Avast and Avira are two anti-virus developers that currently offer protection for smartphones.

Awareness

Phishing, a method of capturing confidential information over the Internet, mainly uses emails that appear to come from a trusted source such as a bank or a well-known company. Below is a phishing email that claims to be from Microsoft.


Image: Microsoft does not send email notices that an update is available or that your machine is out of date; Windows updates arrive through Windows Update, not by email. Also notice the typos in the email. These are obvious signs of a phishing attempt.


Image: Here is an email supposedly from FedEx, but a closer look at the sender shows a different address, and the 'Bcc' line shows it went to another person as well. The message says, "Get postal receipt," something FedEx would never say.

Things to do for employee awareness and email protection:

• Ignore suspicious email that seeks confidential personal business information.

• If a caller starts soliciting information about your company, say you will call back, and do a Google search to establish whether the company is legitimate. Call the number you find, not the one the caller gives you.

• Never give financial, credit or debit card information in response to emails.

• If an email asks you to log in or supply information, go to the website yourself by typing its address or using your own bookmark; do not click the link in the email.
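The checks in the two captions and the list above, written out as an added example (it is not from the article): a small Python script that reads a constructed "FedEx" phishing message and flags a display name whose brand does not match the sending domain, a Reply-To that points somewhere else, a Bcc to another recipient, link text that shows one site while the link really goes to another, and a link that downloads a program. The message, the domains and the KNOWN_BRANDS table are all made up for illustration.

```python
"""Flag the tell-tale signs of a phishing email.

Added example, not part of the original article. The sample message, the
domains in it and the KNOWN_BRANDS table are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the "FedEx" notice from the caption above, with made-up
# domains. Note the sender domain, the Reply-To, the Bcc and the link.
SAMPLE_PHISH = """\
From: "FedEx Customer Service" <notify@fedex-delivery-update.example>
Reply-To: tracking@mail-reply.example
Bcc: someone.else@example.net
Subject: Get postal receipt
Content-Type: text/html

<html><body>
<p>Your parcel could not be delivered. Get postal receipt:</p>
<p><a href="http://fedex-delivery-update.example/receipt.exe">http://www.fedex.com/tracking</a></p>
</body></html>
"""

# Constructed table: brands phishers imitate and the domains they really mail from.
KNOWN_BRANDS = {"fedex": {"fedex.com"}, "microsoft": {"microsoft.com"}}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registered_domain(host):
    """Last two labels of a hostname ('www.fedex.com' -> 'fedex.com'). Crude:
    a real filter would use the public-suffix list for names like co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def host_of(url_or_text):
    """Hostname of a URL; visible link text often lacks the scheme."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def phishing_indicators(raw_message):
    """Return a list of warnings for one email (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message, policy=policy.default)
    warnings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registered_domain(from_addr.split("@")[-1]) if "@" in from_addr else ""

    # 1. A brand in the display name, but mail sent from a domain the brand does not use.
    for brand, real_domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and from_domain not in real_domains:
            warnings.append(f"claims to be {brand} but the sender domain is '{from_domain}'")

    # 2. Replies routed to a different domain than the one that sent the mail.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply_addr and registered_domain(reply_addr.split("@")[-1]) != from_domain:
        warnings.append(f"Reply-To goes to '{reply_addr}', not to the sender's domain")

    # 3. The message also went to someone else: a mass mailing, not a notice for you.
    if msg.get("Bcc"):
        warnings.append("message was Bcc'd to another recipient")

    # 4. Link text that names one site while the href goes to another, or a
    #    link that downloads a program instead of opening a page.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        shown, actual = registered_domain(host_of(text)), registered_domain(host_of(href))
        if re.search(r"\w\.\w", text) and shown != actual:
            warnings.append(f"link text shows '{shown}' but really goes to '{actual}'")
        if urlparse(href).path.lower().endswith((".exe", ".scr", ".zip")):
            warnings.append(f"link downloads a program: {href}")
    return warnings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_PHISH):
        print("WARNING:", warning)
```

Run it and it prints one WARNING line per finding (five for the sample); an ordinary message from a colleague produces none. The domain check is deliberately crude and the brand table is tiny, but the habit the script encodes, comparing what a message shows you with where it actually came from and where its links actually go, is the one to teach employees.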

Passwords

We have been creating passwords for years. Most of us chose names, places or birthdays for our passwords. Hackers know this and will use readily available information about you to guess them. Hackers also crack passwords with a program that tries every word in a dictionary, plus common variations such as a capital letter or a year on the end. If your password is a word or a simple phrase, the program will almost certainly find it: against a stolen list of password hashes, even an older PC can test thousands of guesses per second, and a modern one millions.

I did a quick check of the number of online logins I have and stopped counting at 60. This doesn't include my banking, grocery store or debit cards. Like most people, I used to stick to one or two passwords for the accounts I could select myself. Now, I have different passwords for all financial accounts. Another weakness is the security question used to reset a password. Most ask for a mother's name, first pet or first car, answers that can often be found online. Rather than giving the true answer, make up an unusual one that would be difficult to guess, and keep a record of it. Do not use your main email account for password recovery, as that may be the account that was hijacked in the first place.

To keep all of these logins organized and secure, I use a password manager called LastPass. It's web-based and works on my iPhone, Android tablet and PC. Once I enter the master password, LastPass fills in the passwords automatically and even creates new, strong passwords for me. Kaspersky, Norton and RoboForm now offer similar programs. I've created three categories of passwords: high-, medium- and low-risk. Basically, anything containing financial data is high-risk. Conversely, if a shopping website wants me to create an account, I will use a simpler, low-risk password.

I recommend:

• Use a password manager.

• Don't use the same password for multiple sites.

• Use strong passwords for high-risk sites.

• Change your password for high-risk accounts regularly, especially if an employee leaves the company or you change bookkeepers.

• Have a separate email account, with its own strong password, that password resets go to.

• Do not use standard responses to the challenge questions.
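Why the cracking program described above finds a name-plus-year password instantly, and why a password-manager password and a unique password per site matter, shown in one added Python example that is not part of the article. It runs a dictionary attack, with the usual mangling rules, against a constructed set of unsalted SHA-1 hashes (the format of the LinkedIn hashes that leaked in 2012), generates a password the way a manager would, and lists which of a person's accounts fall open when one reused password is cracked. The wordlist, users, passwords and site names are all constructed for illustration.

```python
"""Dictionary attack versus generated passwords.

Added example, not from the original article. The wordlist, the users and
their passwords are constructed for illustration.
"""
import hashlib
import secrets
import string

# Constructed wordlist: the names, places and words people actually pick.
WORDLIST = ["password", "inspector", "omaha", "gary", "fluffy", "nebraska", "welcome"]


def mangle(word):
    """Variations a real cracker tries for every word: capitalised, with a digit,
    a year or a symbol appended, and with look-alike characters swapped in."""
    yield word
    yield word.capitalize()
    for suffix in ["1", "123", "!", "2013"]:
        yield word + suffix
        yield word.capitalize() + suffix
    yield word.replace("a", "@").replace("o", "0")


def sha1_hex(password):
    """Unsalted SHA-1, as in the 2012 LinkedIn leak. A salted, slow hash such
    as bcrypt makes each guess far more expensive, but a dictionary word still
    falls first; the defence is a password that is not in any dictionary."""
    return hashlib.sha1(password.encode()).hexdigest()


def dictionary_attack(leaked_hashes, wordlist=WORDLIST):
    """Hash every guess and compare against the leaked hashes.
    Returns (cracked: {hash: password}, number_of_guesses_tried)."""
    targets = set(leaked_hashes)
    cracked, tried = {}, 0
    for word in wordlist:
        for guess in mangle(word):
            tried += 1
            digest = sha1_hex(guess)
            if digest in targets:
                cracked[digest] = guess
    return cracked, tried


def generate_password(length=20):
    """A random password of the kind a password manager creates. `secrets` is
    the right source of randomness for this; `random.choice` is not."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def accounts_exposed(credentials, cracked_passwords):
    """Given {site: (user, password)} for one person and the passwords a
    cracker recovered, return the sites the attacker can now log in to.
    This is what reusing a password costs: one crack, several logins."""
    return sorted(site for site, (_, pw) in credentials.items() if pw in cracked_passwords)


if __name__ == "__main__":
    # Constructed breach: the hashes one site stored for three users.
    leaked = {"gary": sha1_hex("Omaha2013"), "sue": sha1_hex("fluffy1"),
              "pat": sha1_hex(generate_password())}
    cracked, tried = dictionary_attack(leaked.values())
    print(f"tried {tried} guesses, cracked {len(cracked)} of {len(leaked)} hashes")
    for user, digest in leaked.items():
        print(f"  {user}: {cracked.get(digest, '<not cracked>')}")

    # Gary used the LinkedIn password for his email too, as in the opening story.
    gary = {"linkedin": ("gary", "Omaha2013"), "email": ("gary", "Omaha2013"),
            "bank": ("gary", generate_password())}
    print("accounts now open to the attacker:", accounts_exposed(gary, set(cracked.values())))
```

Seven words and a handful of mangling rules produce 77 guesses and recover "Omaha2013" and "fluffy1"; the 20-character generated password is never tried because no rule produces it. Real crackers use wordlists of hundreds of millions of entries and far more rules, and still the outcome is the same: anything built from words and dates falls, anything random of adequate length does not.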

Have a plan

So what should you do if you suspect you have been hacked? You had better have a plan to protect your financial assets. Keep a hard-copy list of all your financial institutions, account numbers and the phone numbers to call. Once the institutions have been notified and your finances are safe, you have to locate the entry point and determine how much of your network has been infected. You may have to call in experts to do this, and this would not be the high school kid who normally takes care of things. Find someone with experience who does this type of damage control for a living. In many cases, this expert will also restore your data from a clean backup so that the malicious code is not re-introduced onto your network. Let me warn you: it will not be cheap.

Summary

It's not going to be a question of 'if' your computers will be targeted, but 'when'! I get phishing emails on a daily basis which, with a click of the mouse, would launch a Trojan program. As you read this, there are computers scanning for networks that are easy to penetrate. Be aware of your network and don't be the easy target. Talk to your bank about your online account security and follow its recommendations. If you suspect your online identity has been compromised, move quickly to limit losses or damage.


References

• CNET: http://news.cnet.com/8301-1009_3-57506159-83/apples-ios-and-android-are-new-favorite-malware-victims/

• 2010 NCSA/Visa Inc. Small Business Study: http://www.staysafeonline.org/download/datasets/2015/2010_Full_Small_Business_Study_FINAL11%2023_0.pdf

• Wired: http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/