So you’ve clicked on a link that now seems very suspicious. You’re concerned that the bad guys may be in control of your computing device. Or perhaps you’ve typed some account information into a web form , and you’re having second thoughts about the authenticity of the form.

Recovering will require work. Here are three things you can do if you believe you’ve fallen prey to a phishing scam delivered by e-mail, a social media posting or even a phone call, according to Adam Levin, Chairman of IDentity Theft 911.

Update and scan: If you have clicked on or downloaded anything that might infect your system, then make sure you install or update anti-virus software and run a full scan of your system. Here is helpful guidance from ID Theft 911.

 Contact credit agencies. If you have disclosed any personal information or you’re worried your account may have been accessed, you can place an alert with any one of the three major credit bureaus signals to potential creditors that you could be a victim of identity theft.

 Update account logons. If you have reason to believe that any of your email or social media accounts are compromised make sure you change the passwords immediately. See tips here.

USA NOW

By Jim Reavis

For several years, it has seemed as though computers have played a role in virtually every part of our lives. However, we stand upon the precipice of a truly profound explosion in the growth of computing. From iPhones to tablets to self-driving cars (!) to the electrical grid, conservative projections peg the number of Internet-connected devices to rise from 8 billion today to over 100 billion by 2020

Controlling these devices and managing our information are the massive server farms at Amazon, Google, Microsoft and elsewhere, creating a global compute utility called cloud computing, or more simply, the Cloud, which is expanding at a similar pace. It is impossible to predict all of the good and bad that will result from this massive growth, but it is possible to orient ourselves around a technology-friendly, global point of view to manage the problems as they emerge.

Cloud Security Alliance (CSA), an international not-for-profit organization with over 44,000 members, is building an ecosystem to create trust and confidence in the cloud based upon vendor-neutral best practices research conducted by a global constituency.

Like a utility, the Cloud is always on and available. Also like a utility, nations around the world are scrambling to understand how to regulate the Cloud. While much of this is well meaning and some of it is quite good, it is simply impossible to adequately govern an entity that is changing itself by the nanosecond by regulations alone.

Cloud certainly needs to be governed by the rule law, even though the problem of writing technology-friendly laws that do not become obsolete will become increasingly difficult. The desire to make these massive data centers that potentially store everything about us accountable to the citizens is certainly laudable. CSA believes that a major part of the solution lies in the words that US Supreme Court Justice Louis Brandeis wrote exactly 100 years ago in pursuit of greater transparency in the United States, “sunlight is said to be the best of disinfectants”.

One of the fascinating changes in our consumption of news is how fast events get reported in social media or Twitter. While they are often forums for incorrect information initially, the weight of the community seems to always get it right in the end. We think this dynamic and transparent force is the ideal means to help police the cloud.

CSA created a voluntary program for cloud providers called STAR, which stands for the Security, Trust and Assurance Registry (www.cloudsecurityalliance.org/star). All we ask is that cloud providers publish their compliance to our security best practices and publish this information in our registry for all to see. While still in its infancy, we have many of the major cloud providers already listed.

Many relayed to us that they sweated this process out more than a typical audit, because they knew the information would be made public. Indeed, the legal counsel at some cloud providers has prevented their appearance in this voluntary registry entirely over concerns about the liability of public disclosure. Public pressure will make that a losing proposition.

We think that curating social media’s response to how cloud providers use STAR to post changes in security practices, privacy policies, user terms and conditions is an ideal way to police the cloud in real time instead of waiting for the next government action. We can learn from the community and use it directly to issue new guidance that is appropriate and timely.

Massive cloud providers have potential for great power. To see government regulation as the only check to that power is misguided. Let’s tap into the potential of the community. Not only do we see this as effective, but it is the right thing to do. Consumers have a right to some of Justice Brandeis’ “sunlight” shining on the cloud providers that hold so much of our personal information.

Phishers rely on social engineering to trick Internet users into quickly clicking on a tainted attachment or infected web link.

The anonymity built into the Internet continues to be leveraged by phishers with two primary motives. You have the garden-variety Walmart scammers, out to make a quick buck, and spreading phishing lure indiscriminately. Then there are the nation state-backed spies who go through elaborate lengths to corrupt the computers of specific individuals at targeted organizations.

Global losses from phishing in 2012 hit a record $1.5 billion, 22 percent increase over 2011, according to RSA 2013 Fraud Report. The total number of phishing attacks in 2012 was 59 percent higher than in 2011, reports RSA.

Meanwhile, the number of phishing sites disguised as social networking sites has grown by 125 percent, reports Symantec in its 2013 Internet Security Report.

This week, Visa and the Consumer Federation of America (CFA) announced a new public awareness campaign, “Slam the Door on Phishing Scams,” to help plug the dike. What’s clear is that consumers continue to bear the largest burden for avoiding phishing hooks. LastWatchdog asked Jennifer Fischer, Visa’s Head of Americas Payment System Security, to explain why.

LW: Why has phishing persisted at such a sustained high level?

 Fischer: As technology has evolved, so have criminals. Phishing scams originally perpetrated by mail or phone are moving to newer channels. Email phishing is prevalent, and increasingly scammers are also using social media and text messages to reach consumers. Scammers are also getting more sophisticated. Phishes don’t necessarily have the tell-tale misspellings or bad grammar that used to give them away, so people may fall victim to them more.

LW: To what degree has usage of social media and mobile devices increased the burden on consumers to become more vigilant?

 Fischer: There is no doubt that advances in technology have opened opportunities for criminals to reach consumers. But the Internet can also make it easier for consumers to monitor their accounts through online statements and tools like transaction alerts, which can help consumers to quickly flag unusual financial activity.

LWMany phishing scams make use of the existing payment card infrastructure. What more could the payment processing industry being doing more to curtail phishing scams?

Fischer: Consumers are being targeted directly through their devices, so it is important to make them aware of the trends and the steps they can take to help keep their information secure. Industry partnership is also important. The payments industry must continue working closely with anti-phishing organizations and law enforcement to track trends and successfully shut down these types of attacks.

LW:Anything else?

Fischer: Posting personal information could be an invitation for scammers to target your payment accounts. One of those dangers is “spear phishing,” a tactic where scammers will try to determine which bank or credit card company you use before sending their bogus emails. This targeting—or “spearing”—increases the apparent legitimacy of the request, making the phishing harder to spot by the consumer. So before posting, pause to consider the sensitivity of the information you’re making public.

The U.S. Departmentof Homeland Security’s National Cyber Security Division has updated its standing alert, specifically recommending that IT organizations implement ways to detect propagation of viruses like Shamoon. LastWatchdog  asked Gord Boyce, ForeScout Technologies’ CEO, to frame the go-forward concerns:

 CT: Why does concern remain heightened about Shamoon?

 Boyce: A decade ago, we used to see viruses that were destructive like Shamoon. But by 2004, the people who write viruses shifted their intentions from notoriety to profit. Since then, most viruses have been designed to remain undetected and unobtrusive. The viruses quietly do their work, such as using your computer to send hundreds of spam messages without your knowledge. Shamoon is a huge departure.

 LW: Is there a consensus about who likely was responsible?

 Boyce: No. Most security experts believe that the author of Shamoon was politically motivated. Strong anti-American sentiment was evident within the Shamoon code. For example, there was an image of a burning American flag. Some say that the author of the virus intended to send a message to the Saudi government for supporting controversial American foreign policy in the Middle East.

LW: Should the public be concerned that Shamoon’s creators/controllers are likely still active?

 Boyce: Yes. After a terrorist event that makes an apparent change in the threat landscape, it is natural and prudent to have a heightened awareness and to exercise defense procedures designed to reduce the risk of a similar event. Shamoon is highly destructive and an organization infected with this type of malware could experience operational impacts including loss of intellectual property and disruption of critical systems.

LW: What about copycats?

Boyce: Computer forensic experts who have inspected the Shamoon code have stated that Shamoon was not an especially difficult virus to create, so copycat viruses are quite possible.

 LW: How would you summarize the go-forward concerns?

Boyce: Organizations have to assume copycat similar attacks might take place and protect against them. The concern is that from a single computer the virus infection can spread internally from computer to computer. And perimeter defenses like firewalls and network intrusion prevention cannot prevent the spread. Organizations need to upgrade their internal network defenses to ensure even previously unknown malware cannot spread undetected.

 LW: Anything else?

 Boyce: Traditional measures such as antivirus are not enough to prevent 100 percent of fast-spreading infections. The main thrust of cyberthreats is continuously shifting inside organizational networks; IT security needs to follow suit, and deploy technologies that effectively address those threats over their internal network.

By Gurbaksh Chahal

The hallowed halls of social media are no longer safe. Not when the operators of botnets like Chameleon are able to systematically steal $6 million per month from advertisers in the form of payments received for clicks from infected PCs, not real consumers.

Similarly, highly publicized hacking hoaxes that bedeviled the Twitter accounts of Burger King and Jeep demonstrate just how vulnerable brands can be on social media.

And then there is pixeljacking. This refers to the introduction of malicious code that highjacks consumer web browsers so as to push fake Internet traffic through that identity.

This type of fraudulent traffic poses a threat to consumer privacy and wreaks havoc on advertisers and agencies that rely on accurate ad data to run their businesses.

At latest count, RadiumOne has verified over 1,000 distinct domains used by botnet operators involved in “pixeljacking.” We estimate the existence of over 10,000 such sites across the web. This relates to a potential fraud spend of $324 Million each year, about 5.4% of all display ad spend.

With a virtually unlimited supply of online ads to choose from, nefarious hackers have the potential to inflict greater losses for specific brands as well as the industry as a whole, driving up the cost of display advertising. Not to mention the loss of credibility that occurs when visible security threats like Twitter hacks are targeted at specific brands.

The use of social media as a platform to inflict damage and emphasis on the advertising industry as a target is unique. We are living in a time where there are now dunes of important data that can easily be accessed and used against us if it falls into the wrong hands. The complexity, frequency and scope of hacking attacks have increased exponentially as both business and technology collide in the digital age.

The good news is, there are ways of preventing these forms of attacks. Recently, the advertising tech industry has been abuzz, searching for new ways to address this drastic rise in online security and privacy threats. One approach to solve this problem would be to introduce human challenge and response tests like Captcha in order to ensure that real people are responsible for clicking on ads and driving traffic.

With the alarming progression of computer hacking and virus creation, consumers and the advertising industry at large must understand the potential exposure, and arm themselves with actionable steps to combat impression fraud

The Gulf Breeze, Fla.-based messaging security firm found “RedKit” to be one of the most prevalent malicious programs circulating on websites in April.

RedKit and a similar tool, the so-called “Blackhole” exploit kit, have emerged as a cybercriminal’s indispensible Swiss Army knife. CyberTruth earlier reported on analysis from firewall vendor, Palo Alto Networks, revealing that the vast majority of malware seeping into company networks arrives via drive-by download.

So now, we’ve asked AppRiver senior analyst Fred Touchette to drill down on how exploit kits, like RedKit and Blackhole, are helping cybercriminals circulate nasty infections all over the Internet.

LW: What makes exploit kits so worrisome?

 Touchette: An exploit kit is essentially a software package that makes the exploitation of vulnerable websites simple for cyber criminals. They’re easy to configure, and automated. You just click a button. The user needs very little technical knowledge. And if he requires some help, some toolkit authors even offer a one-year support license included in the price of the kit.

 LW: What’s distinctive about kits such as Blackhole and RedKit?

Touchette: The prevalence of these kits is what sets them apart from other threats. The kits remain effective over and over again. The ease of their use in addition to their effectiveness means we also end up seeing large botnets being created as a result.

LW: What are the bad guys who use exploit kits typically after?

 Tocuhette: The goal of these attacks is to make or steal money. They cast a net and drag in whatever is found. They’ll take all of the identities and bank account information they can get their hands on. It’s important to realize that Web threats are real and the need to stay protected makes good sense.

LW: What else is important about how website-borne infections are evolving?

 Tocuhette: The big take away is that most attacks are specific to the initial “drive-by” attack. Exploited websites redirect your browser to a second, and sometimes third, website where the initial exploit resides and attempts to take over the victim’s computer. The best way to contain these attacks is to recognize such malicious redirects and shut them down before a victim’s browser is able to make it to the point where the malware is delivered.

 LW: What should the average Internet user understand about website – borne threats?

 Touchette: It’s important to realize that most of these attacks are automated and capable of seeking out vulnerable websites, exploit them and use them to spread malware. It’s not just the back alley websites where malware is kept anymore; it can reside on every day, seemingly innocuous sites. In fact, even reputable sites accidentally serve up malicious software from time to time. That’s why it is important to use a layered security approach and remain vigilant while online

“This book fills a gap for employees who manage IT security and risk” said Marios Damianides, past international president of ISACA and a partner at Ernst & Young. “There are only a few books that provide a practical roadmap for waging the constant battle needed to deal with cyberattacks. This book is a must-read for the executive and the professional alike.”

The book written on the premise that hackers relentlessly pursue intellectual property, as most companies continue to rely on outdated defenses.

Responding to Targeted Cyberattacks is the second installment in a cybersecurity series from ISACA, which counts as members some 100,000 information security, assurance, risk and governance professionals world wide. The book is available at no charge to members of ISACA; non-members can purchase a print or electronic version at www.isaca.org/cyberattacks.

The first installment, Advanced Persistent Threat Awareness Study Results, recounted the results of a survey of more than 1,500 security professionals. It found 94% of respondents believe that advanced cyberattacks represent a credible threat to national security and economic stability.

By Jarno Limnél

The most tantalizing targets for America’s cyber adversaries will not be government or military institutions, however, they will be critical infrastructure like utilities and transport networks in major metro areas. So it’s fair to say that the average citizen has plenty of reason to follow the federal government’s actions in this domain.

It is a positive step that the Cyber Command in Washington intends to hire 4,000 new recruits, quintupling its current force. Yet it remains a mystery as to what roles these recruits will have and the operations they might conduct. There are a number of compelling reasons why more transparency is desperately needed.

First and foremost is the need for America to flex its muscles.

It is important to accept that in cyber warfare, offense is typically a step or two ahead of defense. There is no such thing as a cast iron defense strategy when new threats and exploits emerge continually.

It is therefore essential that the U.S. candidly communicates the ferocious power of its offensive capabilities as a deterrent. Akin to the scenario of mutually assured destruction at the hands of nuclear weapons during the cold war, the threat of vastly destructive retaliatory capabilities is a powerful deterrent for prospective cyber enemies.

Another reason for an open approach is the danger of mistaken identity. Due to the intricate workings of the cyber threat landscape, misconstrued actions and intent is all too common, and can have drastic consequences. If wrongly suspected of a cyber attack due to ignorance about its capabilities, America could see retaliation from a major world power based on an attack that the U.S. cyber force didn’t even perpetrate.

Finally, a prospective cyber attack might be more pertinently compared to September 11 than to Pearl Harbor because the impact is likely to be felt by civilians. Cyber warfare shifts the military paradigm to make civilian targets a priority over military. Cyber attacks have the potential to bring down critical infrastructure with terrifying ease, crippling water and power supplies, causing the maximum amount of damage to a nation or region. Imagine the entirety of the New York City without power or water for a week or longer. Are people resilient enough to cope with that eventuality?

With this in mind, it becomes clear that, more than ever, behind the scenes operations of the Department of Defense in Washington have huge import for the civilian population across the country, particularly in major metropolitan hubs. It is easy to see why the public might want to pay close attention to the country’s cyber warfare strategy.

About the essayist: Jarno Limnell is a Doctor of Military Sciences and Director of Cyber Security at network security vendor Stonesoft. He studies the global threat landscape and is an expert on international security politics.

By Julie Myhre

Ravi Bhatia of Highly Relevant in Los Angeles opines that the only way to truly protect your identity on social media is to not use it. That said, here are seven ways to protect your identity on social media:

Keep your personal information private: It is always better to omit information about yourself rather than include it on your social media. Just because there is an option to include your current city doesn’t mean you have to. Instead, opt to include a generalized version of that information or no information at all. For example, San Francisco Bay Area is a general option for Burlingame, CA. It still gives some information, but makes it a little more difficult to figure out your zip code or home address.

 Set strict privacy settings: Go into the settings for your Facebook, Twitter, Google+, Pinterest, Instagram and Linkedin, and edit your privacy settings. Make sure you make all of your personal information — such as your birthday, current location, workplace, etc. — private or visible to only your friends. When your privacy settings are more lenient, you’re giving strangers easy access to all of your information.

 Never tag or post your specific location: Tagging or posting your specific location is an exciting feature, but not everyone needs to know where you are at all times. It makes you and your home vulnerable, especially if your profile is public. It’s fun to let your social media friends know that you’re at Disneyland with your sister, however you’re also letting everyone know that you’re more than 100 miles away from your home, which makes it available for break-ins.

Know your friends/connections: It’s important not to make you or your information vulnerable to people who you have never met before in real life. Steven J.J. Weisman — lawyer, author and professor at Bentley University — said that befriending people that you don’t know makes it easier for them to take the information on your social media and use it to find more information about you.

Don’t just add someone as a friend because they wanted to add you. There is such thing as a “decline” button, and you should use it every now and then. If someone adds you, and you’re unsure of who they are, you can always add them, then unfriend, unfollow, unconnect, etc. if you realize they’re a stranger.

 Always log out of your social media: This is especially true when you’re using a public computer at a library or hotel. The reality is that we all have some private information on our social media — even if it’s only our name and a photo — and you don’t want to give someone easy access to your identity.

Use strong passwords: Passwords are one of the keys to protecting your identity, so make them effective. Check out this blog post to learn how to choose a secure password.

Use an Internet security software suite: This software protects your identity when you’re surfing the web or using social media. Weisman said that sometimes you will open a link or download a file included in messages from “friends,” and, without your knowledge, the link or file contains a keystroke malware program that can steal all your personal information from your computer. “You trusted the message because it came from a ‘friend,’” he said.

A way to prevent this from happening is to get anti-virus software that prevents, detects and removes malware to keep your identity safe. Most Internet security software suites come with identity theft protection features like anti-keylogging, secure environments or encrypted password protection.

What’s more, kids are accessing instant messaging and computer game at a much younger age than just a few years ago.

At the extreme, 3.45% of kids covered in BitDefender’s analysis used Instant Messaging to chat with friends while 2 percent of computer game addicts were just 5-years-old.

Bitdefender correlated results of an online survey of parents with data compiled from its parental control services, such as which sites parents choose to block, and which sites children access regularly.

Almost a quarter of the kids accounted for in the study had at least one social network account at age 12, while 17 per cent were social media users at 10.

The Bucharest-based antivirus firm found that children lie about their age when creating social network profiles, especially on Facebook, where they are supposed to be least 13.

“Kids nowadays are acting like young adults online – just give them an Internet-connected device and they will find a way to things parents would like to ban forever,” says Bitdefender Chief Security Strategist Catalin Cosoi.

Almost a quarter of the kids accounted for in the study had at least one social network account at age 12, while 17 per cent were social media users at 10.

The survey found that gaming, hacking and so-called “hate” websites, where youngsters are free to use profanity and express disdain, are hot destinations for kids and teens.

“Kids lie about their age to get access to something they want to explore, in this case a social network,” says Dr. Jo Webber, CEO of Virtual Piggy, a website that enables kids to manage and spend money within a parent-controlled environment. “It’s no different than my generation lying about age to get cigarettes or into a bar.”

Webber points out that this generation of children were born into an Internet-centric society.

“The Internet is a huge system that houses good and bad,” Webber opines. “Parents need to stay involved with their children and be ready to explain things that their children may stumble upon.”

Child safety experts call for parents to educate their offspring how dangerous giving out personal information can be, and enforce usage rules.