
    Defense Visual Information Distribution Service

    Bluesnarfing is a thing and it could cost you big

    MARINE CORPS LOGISTICS BASE BARSTOW, CA, UNITED STATES

    11.26.2019

    Story by Keith Hayes 

    Marine Corps Logistics Base Barstow

    Protecting the information on your smartphone, tablet, and computer has become vital in today’s ever more connected world, and cyber security experts from Marine Corps Logistics Base Barstow, California, have some sage advice on how to keep your devices safe from hacking.

    “Phishing attempts come from emails sent by hackers trying to get personal identifiable information from the user,” said Dr. Michael Simko, MCLBB’s Information Technology officer with the base’s Communications Department.

    Those phishing attempts are one of the reasons regular cyber security training is mandatory for all base employees, he said.

    “Another form of hacking or social engineering is done via a phone. It’s called ‘vishing,’ or voice phishing,” Simko said.

    “Somebody calls you claiming to be from the base’s IT department,” he explained. “They try to get personal information from you such as passwords, birthdate, etcetera, that they can steal and then post on the Dark web to sell.” The Dark web is an area of the internet that is not accessible with the web browsers most people use and is primarily accessed by criminals and law enforcement.

    The scammer tries to build trust with the potential victim by claiming to be from a department or building aboard base that the victim might be aware of, even though the scammer does not actually know any of the people who work there.

    “One of the most prevalent vishing calls comes from someone claiming to be from the Social Security Administration; another is from the Internal Revenue Service saying you owe them money,” Simko said.

    He said employees aboard base have received calls from the IT department asking for all kinds of personal information. “S-6 has the majority of your computer information already but may commonly request your IP Address or computer name to more quickly assist you in resolving your IT issue. We will never ask for your personal information or information pertaining to your work environment.” If you believe a call is a vishing attempt, ask the caller for their supervisor’s number and call that number to verify that the call is a legitimate one.

    “We get about 20 to 30 vishing attempts each year aboard base,” said Victor Bencomo, Cyber Security Manager with S-6 Communications. “Report any vishing attempts, or any other computer fraud attempts, to suspicious@usmc.mil. That email address is hosted by MCCOG (Marine Corps Cyber Operations Group) to keep track of vishing and phishing attacks and helps devise strategies against identified and advanced persistent threats.”

    “You can also report the vishing or phishing attempts to the Communication Department’s Cyber Network Defense system at mclbb_cnd@usmc.mil,” Simko added.

    Phishing attempts made through the base’s email system are increasing as well, Bencomo said. “Make sure the email comes from a legitimate Department of Defense source by checking the digital signature icon on the left side of the unopened email.”

    The digital signature icon is in the form of a red ribbon. “Scammers may be able to spoof (fake) the digital email address, but they can never spoof the digital signature on that email,” he said. “When you click that red ribbon, it tells you that the email came from a legitimate DoD source.”

    “In addition, when you go to an online seller website, make sure the little padlock icon is at the top next to the website address,” Simko said. “That indicates the site is secure and legitimate.”

    The IT officer also recommends you don’t store any of your payment information on the site either, which is often done to speed up future transactions. “If they hack that site, all of your financial information is readily available,” he said.

    “Try to avoid using your debit card also because all of your banking information is contained in that card affording nefarious actors direct access to your bank account,” Simko cautioned.

    Credit cards, on the other hand, have several different layers of protection to verify the seller’s information, and if that card number is stolen, it’s linked only to that line of credit, not your banking account routing and account numbers.

    Bencomo said there has been an increase in fraudulent Veteran job sites online. These illegal sites steal information when job seekers fill out the application.

    Smartphones, tablets and other computer devices are incredibly convenient, Simko added, but when in public places such as stores, malls, airports, and coffee shops, hackers can use Bluesnarfing and Bluejacking to steal information through a phone’s Bluetooth feature.

    “Bluetooth is an older technology used to sync up headphones, earbuds, wireless speakers, smartwatches, etc. to your phone,” Simko said. “Hackers can tap into your phone through the Bluetooth feature and steal your contacts, credit card numbers and other data. They can even activate your speaker and camera on the phone.”

    Turning off Bluetooth in public places is recommended, as the older technology is easily hackable. It is not recommended to use free Wi-Fi in coffee shops, hotels, etc. When you have no choice, download and use a Virtual Private Network on your phone or computer.

    “A VPN encrypts all of the data on your phone to prevent hackers from reading that data,” Simko said. “There are many free VPN apps available which can also encrypt your SMS (short message service) texts as well. A great paid VPN I would recommend for computer use at home is Private Internet Access.”

    Near Field Communication (NFC) is a short-range wireless connectivity feature on cell phones which uses magnetic field induction to enable communication between devices when they're touched together, or brought within a few centimeters of each other.

    “NFC also allows hackers to use a ‘proximity reader’ to scan your cards, including your CAC (Common Access Card) and steal information while the cards are in your wallet or purse,” Bencomo said.

    To protect your cards from being scanned, Bencomo recommends keeping them in RFID blocking sleeves until you take them out of your wallet or purse to make a purchase. Radio Frequency Identification blocking sleeves prevent cards from being scanned by proximity readers.

    Public Wi-Fi systems available at hotels, coffee shops and many other places allow customers internet connectivity for free, but they also present real safety challenges for a user’s phone or computer. “For instance, if you’re at a hotel using their free Wi-Fi service,” Simko said, “you don’t actually know if the Wi-Fi is coming from the hotel or someone who has set up a Rogue Access Point (RAP), also known as a Wi-Fi Pineapple,” Bencomo stated, “that looks exactly like the hotel’s legitimate Wi-Fi access point. The RAP starts pulling all of the data from your phone when you connect to it.”

    Black Friday deals and specials coming up the day after Thanksgiving offer an incredible opportunity to save big on normally big-ticket items, Simko said, but they can also lure consumers into dropping their guard, and their computer security, in order to get those deals.

    “Slow down,” he cautioned. “Take the time to analyze whether you’re on a legitimate website so you don’t give out information that could compromise your bank account and other personally identifiable information that could be used to steal your identity.”

    “What it comes down to is being a savvy consumer,” Bencomo concluded. “Cell phones and computers offer incredible windows to opportunity, but today the data they contain needs to be protected as much as possible from abuse and misuse.”


    NEWS INFO

    Date Taken: 11.26.2019
    Date Posted: 11.26.2019 16:04
    Story ID: 353596
    Location: MARINE CORPS LOGISTICS BASE BARSTOW, CA, US


    PUBLIC DOMAIN