Protect Your Good Name!

This blog details scams and identity theft problems and what to do to protect yourself. Author of "Protect Your Good Name! (From IDentity Theft)" explains in plain language actions to protect your financial health.

I am the author of "Protect Your Good Name! (From IDentity Theft)." I am also the owner of Information Security Education, LLC. I have developed technology for fast, accurate, and cost-effective background checks. I have also developed educational seminars on Identity Theft, Personal Computer Security, Information Security for Small Business, and Pre-Employment Checks.

Friday, December 29, 2006

Bits and Bytes – Blurbs Concerning Information Security

McAfee recently announced it has made its 200,000th known patch for malware (software with an evil intent). McAfee, one of the top three providers of security software, noted the threshold was passed 60% more quickly than when the 100,000th piece of code was discovered. This indicates the bad guys are working very hard to stay ahead of the good guys.



The government’s auditor, General Accounting Office (GAO), has conducted an audit on FEMA’s practices of assisting victims of natural disasters. The emergency organization issued $2,000 debit cards to most anyone who asked. The audit showed the records kept on the recipients included false addresses, invalid SSNs and fake names. The GAO has not put a final number on the losses.



Automatic Data Processing (ADP) claimed it was tricked into exposing thousands of investors’ personal information. Fidelity Investments, Merrill Lynch & Co. and Morgan Stanley all indicated customer data was affected. The details of the prank were not released. More than 150,000 individuals were put at risk for identity theft.



Microsoft has suggested users of Windows’ popular Office software not download any Office-type files from any source, even if the sender is known. Malicious code exploiting a “zero-day” vulnerability (a flaw for which no patch yet exists) may be embedded in any of the Office application files, including PowerPoint. Microsoft is working on the problem and expects a fix to be released by August 8. Examples of files that should be avoided are any Word documents, Excel spreadsheets, Access databases or PowerPoint presentations.



A recently discovered hole in McAfee’s software security programs could have allowed an attacker total access to a subscriber’s computer system. McAfee was beginning to work on a fix for the problem when it discovered the software had already been corrected through a normal update. It is great when we are smarter than we thought.

Be Careful About Personal Websites

Many people take on a whole new persona on the web. They create personal websites showing themselves to be party animals in search of hedonistic pleasures. Unfortunately, once the information is available on the Web, it is out for public consumption, even if the actions are not true.



Younger people like to pretend they are more gregarious than reality would indicate in order to impress members of the opposite sex. One thing most do not even consider is that potential employers can also find this braggadocio, which may not help them toward a positive hiring outcome.



Even more of a problem is the removal of these sites. A recent report in “The Wall Street Journal” followed the trials and tribulations of Craig Pratt as he attempted to correct his online image. The biggest problem he had to overcome was the removal of his MySpace account. Only after several attempts did that happen.



Personal site owners also need to monitor the sites for postings by others. Your friends may leave messages about the next rave which may also be read by a potential boss. You may even show up to work and co-workers might inquire as to why they weren’t invited. Remember that everything you post is open to everyone, and always portray yourself in the most positive way.

Different Approaches to Protection

Every person who owns or uses a personal computer should take steps to avoid the heartbreak of being hacked. There are basically three tools that should be a first step toward defending your computer. These three pieces look at your system and remove or prevent bad acts from occurring. Required programs are firewalls, anti-virus protection and spyware removal tools.



Three different approaches can be taken to acquire the necessary tools. The first is to simply buy an all-in-one package which includes all three products from a single vendor. Among the advantages: the package may cost less than the individual components, you can load the entire suite of programs in one pass, the software works well together, and you only have one vendor to deal with should you have a problem.



Disadvantages of this strategy include a single-minded way of looking at the potential threats (sometimes hackers can sneak around this methodology), and should you find that you don’t like one piece of the product, you will then have to find a replacement that works with your existing parts.



The second approach is to buy what you consider to be the best product for each threat. The advantages of this approach include the ability to include some software that is free, and that you can have the best defense available at the time.



Disadvantages are: it is usually more expensive, it takes multiple installs, and some of the software may not run with other types of software (incompatibility).



The third line of attack is to load up on free software. The largest advantage is cost. Disadvantages are many: tech support is often unavailable, many of the products will not work together (each thinks the other is a virus), and for-profit companies tend to update the freebie last, leaving customers exposed in the meantime.


Great products are available, even in the free category, but the customer should be aware of the pitfalls before jumping head first into the installs. I’ve found that the adage: “You get what you pay for” can apply to protection software. The major players all sell packages and individual pieces so the customer has more choice.

New Software Detects Intruders

SpectraGuard Enterprise 5.0 allows businesses to monitor their own airspace. Wireless networks are becoming necessary in our busy and mobile world. This software can find where the connection is originating from and send an alert to information security personnel.



The product allows the business to register legitimate wireless products, then monitors the networked area for devices that are not registered. If it sees such a connection attempt, the software uses a decision tree to decide whether the access is of a friendly nature.



The package may even send a signal to the offending computer confirming a network connection. At this point the network software simply denies any activity while the information security personnel are alerted to the location of the suspect device. This is intended to hold the perpetrator in a range that can be easily inspected by personnel.



SpectraGuard Enterprise 5.0 received a very good rating from “eWeek Labs.” The solution is probably a little expensive for small businesses, but it would be an asset to larger or large-volume data processors.

Xerox Protects Copiers

Recent newsletters have addressed employee schemes to steal customer or confidential data. I haven’t touched on a very low tech manner of theft, where the employee simply copies the information on the office copier and walks out the door. This was how an administrative assistant at Coca-Cola was able to pilfer a secret formula that was later offered to rival Pepsi.



Xerox, one of the larger players in the copier, scanner, and fax world, announced it has implemented many security measures. The first enables the person who is making a copy to destroy data temporarily stored on a hard disk while the copying process continues. Thus, confidential information is rendered useless should an unauthorized person try to copy the machine’s memory.



A second feature, dubbed Internal Auditron, limits access to certain types of functions a client can use at the copier. For example, employee A may be allowed to fax documents under 5 pages twice a week, while employee B may not be able to fax at all, but is allowed copying access for 20-page documents that are automatically shredded after the task is completed. If an employee has a legitimate need for increased usage, they must be granted permission by the administrator.



Since most Xerox machines are network enabled, a username and password may be required, and usage by each employee reported and monitored. Many of the machines have the capability to log in at the copier for added convenience.



Xerox is also touting removable hard drives so employees can keep information in their possession throughout the copying process, then remove the hard drive and store it in a secure location (a locked cabinet). Requiring a PIN before the machine can be used may be effective as well.



Even though we don’t often think of a copier as a tool for information theft, it is good to know the manufacturers are making product improvements with increased security measures.

Term of the Day: “Vishing”

Computer users are becoming very familiar with “phishing,” an act of receiving an e-mail that seems to be from a legitimate source. The recipient is led to believe there is a problem with their bank account as represented by the fake document. The victim is then asked to click on a link which asks for personal or private information.



The anti-fraud command center reports it has shuttered more than 10,000 phishing attacks. This large number can be multiplied by $1,200 (the average amount lost to a phishing attack). You can see phishing is still a major though declining problem.



We aren’t safe for long, because of the introduction of “vishing.” Vishing shares some similarity to phishing in that it originates from an e-mail sent to the intended target. The e-mail claims there is a problem with the e-mail recipient’s account. Rather than responding by e-mail, the message directs the intended mark to call a telephone number. The caller is then sent through an automated voice-prompted system that requests information such as card number, PIN, and even Social Security Number.



People need to be aware that this next big identity theft problem exists and has been somewhat effective. Most banks will call you directly if there is a problem with your account rather than notifying you by e-mail. They will never ask for a PIN or your Social Security Number unless you are initiating a new account.



Be careful and you will avoid being among the first to be swindled by this new twist on a very effective scam.

Monday, December 18, 2006

Bits and Bytes – Blurbs Concerning Information Security

In another breach of data entrusted to our government, personal private information on all fliers of the Navy and Marines for the past twenty years was posted on a website available to the general public. The release was blamed on human error (surprise). This is the fifth exposure of military personnel information in the last six months. Government often sets the rules; it is past time for them to play by the rules.



Speaking of government information exposure, employees at the IRS have been caught prying through personal tax records. Over the past eight years, the Treasury Department has investigated more than 3,700 cases of unauthorized access to personal tax records. Over 1,600 of these have resulted in “adverse personnel actions” and 126 IRS employees have been criminally prosecuted. Some of the breaches are simply financial voyeurism; some were used for personal financial gain. Given the current climate, I wonder if the IRS conducts pre-employment background checks.



A consortium of government agencies, corporations and universities started a research center to study Identity Fraud. After several years of billions of dollars in losses the center will begin its study based at Utica College. The Center for Identity Management and Information Protection (CIMIP) will be funded by grants and corporate donations of about $500,000. This amounts to about 1% of the annual loss. I visited the website, but as of yet they have not posted any announcement of any work being done.



The cost of a single data breach has reached $5 million. The costs include notification, legal fees and credit monitoring fees. Even though the costs are extreme, it seems we are observing as many major losses as we have in the recent past. I still think accountability has to be established and enforced. The VA employee who took home information on 26.5 million veterans is on paid leave pending dismissal hearings, along with one of his superiors, and another supervisor resigned. Company policies need to be explicit, upper management must be involved and accountability needs to be placed high in the organization before we will see significant reductions. We saw conformance with environmental laws and corporate governance only after legislation required accountability.



The recent arrest of three people trying to sell trade secrets developed at Coca-Cola to rival Pepsi revealed that two of the people involved had prior criminal records. This perhaps shows another reason to check out employees and potential employees, including personal web sites. Information Security Education, LLC can help you in this search.

Identity Theft Web Crew Jailed

The Shadowcrew website was shut down in October 2004. Members of this online gang were rounded up in one of the most synchronized raids in recorded history. Twenty-one people were arrested in the United States and dozens overseas. Prison sentences are now being handed down to these miscreants.



Eighteen participants have pled guilty for their roles. Among them was Andrew Mantovani, who co-founded the group and entered a guilty plea in November 2005. At 24 years of age, he was sentenced by U.S. District Judge William Martini to two years and eight months behind bars. He was also ordered to pay $5,000 in fines.



This seems like a small sentence for the leader of a group of online thieves responsible for the theft of personal data on more than 18 million people. The data was purloined mainly through phishing activities. Phishing consists of sending fraudulent e-mails to which unsuspecting victims reply, revealing private personal information.



In total, the sentences ranged from three years’ probation to two and a half years in prison for seven more members of this mob. Shadowcrew was responsible for more than $4 million in damages over a two-year period prior to being shut down by the Secret Service.

Companies Place Responsibility on Employees

In the wake of huge increases in lost and stolen personal computers which contain personal private information of customers and employees, companies are updating policies concerning the use of laptop computers. The new rules include limiting who can remove data from the workplace as well as specialized training.



Information Security Education, LLC was conceived to help in this area. Having trained college students in the area of information security, I discovered that companies both large and small were not following even the most basic rules of data protection. It is heartening that some large organizations are beginning to pursue stiff policies.



Should employees be found in violation of the new policies, they will be disciplined up to and including termination of employment. I believe in a zero-tolerance policy and would recommend dismissal on the first offense. An employee who shows a reckless attitude toward sensitive data will show a callous disregard for other rules.



Some health care providers are even reconsidering the use of Palm Pilots and BlackBerrys. The companies are prohibiting employees from uploading and downloading data from the employer’s network. This is a first step, but companies should consider disabling USB ports on computers and even prohibitions on MP3 players in the workplace.



A single USB drive can store up to 2 gigabytes of information. The tiny “thumb” drive can be concealed in a pocket without detection. It only takes seconds to download files to the devices and out the door they go. Companies of all sizes need to be very careful about the way data is handled.



Companies should consider encryption of any sensitive data and require a connection to the owner’s network to decode any of the data. The process will require some costs and perhaps slow the process, but the value gained is far greater than the public mistrust created by a large data loss.


As an employee you should know your employer’s policies about working with confidential files outside the workplace. Take only the data needed, not entire files. It is your responsibility to make sure the information is encrypted and remains so. Do not use publicly accessible computers to peruse sensitive information; this includes copiers in public areas. Always log off and shut down your workstation before leaving your office for any length of time. Use locking and tracking devices on portable computing devices.

Can Buying T-Bills Online be Dangerous?

According to a recent study, the government website which sells Treasury Bills online failed to take basic computer security steps. The site www.treasurydirect.gov sold $8 billion of the securities in the first half of its fiscal year.



Online investment sites Morningstar and Savings-Bond-Advisor.com have complained about this lack of security. Addresses, usernames, and passwords can be changed without the knowledge of the investor. Currently, private financial investment firms are required to send address change information to both the old and new address. Transactions must be followed up by at least an e-mail to the original e-mail account of the owner. This move helps an investor verify that a transaction is indeed legitimate and was initiated by the proper person.



Given the vast increase in online fraud, the Treasury Department should follow the same requirements as the private sector. In the past year fraudulent online checking account transactions have increased a whopping 104%. By not automatically notifying accountholders of changes, the government site may become a favorite target. The Treasury site is susceptible to large-scale phishing operations or keystroke logger programs.



Investors may print copies of transactions at the time of purchase, but no e-mail confirmation is sent. By simply sending a confirmation, the chance of fraud is reduced. Investors would also feel more comfortable with this procedure.

Employees Sue over ID Numbers

Nine employees of Union Pacific Railroad have filed suit against their employer claiming the business put them at risk of Identity Theft. The employees claim the rail carrier, by using the Social Security Number (SSN) as a computer search criterion, had exposed private personal information.



Many companies find it easier to use SSNs as an identifier, since the number was already being used to file quarterly tax payments. Many insurance companies did the same, and many hospitals used the number for medical records. The health industry, regulated by HIPAA, is obligated to change this identifier. Most health insurance companies had complied by the January 1, 2006 deadline.



Even though Union Pacific does not use SSNs as an employee identification number, when an employee searches the company database for work schedules or insurance information, the number is required as a password to gain access.



The transportation company did disclose to its 30,000 employees the theft of a personal computer from an employee’s home. The computer contained employee data including SSNs. The company notified employees and retirees, offering to pay for one year of a credit monitoring service.



The Social Security Number is considered by identity thieves to be the Holy Grail, as the crook can gain complete access to the victim’s financial history and apply for new credit posing as the individual. The employees contend that the company should only use the SSN for tax purposes.



This lawsuit may just be the beginning of many as some companies, schools, and health care facilities still use SSN as the primary identifier. Every consumer should review all identification material and ask any provider that uses SSN to find an alternative unique identifier.

Beware of Cashier’s Checks

There was a time when a bank’s cashier’s check was as good as cash. This may no longer be the case. Cashier’s check and money order fraud is on the rise. Consumers and small business owners should be wary of the scheme detailed below.



I have had a couple of specific cases brought to my attention in the past month. The first involved a person who was trying to sell a timeshare. The buyer claimed to have received a sum of money from a lawsuit or other means. That person was then just going to have the total amount deposited into a bank and a single cashier’s check cut for the amount of the settlement. The cashier’s check would be made out to the seller of the timeshare. Since the amount was more than the agreed purchase price, the seller would send the buyer a check for the balance.



Fortunately, the person offering the timeshare thought there might be something amiss and called me. I walked through the situation and discussed the possibility of cashier’s check fraud. I did some research and found that even though a bank may accept a cashier’s check as a deposit to your account, the bank can later reclaim funds from your account, leaving you with the loss of both the merchandise and the amount of the refund. The lone exception to this rule is if the cashier’s check is accepted by the bank it is drawn on.



I explained this to the vacation spot owner. Upon receiving the document he called the issuing bank which happened to have a branch in his hometown to make sure he could cash the check. After the financial institution verified that funds were available, the check recipient went to the bank to cash the check. The bank immediately identified the document as fraudulent and refused to honor the transaction. The good news was the person was prepared for the result before it happened and did not transfer title of the timeshare or write the check for the excess of the proceeds.



The second instance occurred when a local professional received a money order for future services. Enclosed was a letter explaining that the individual was to be traveling to the area and wished to have services performed while in the area. Any excess funds could simply be forwarded to a third party by return mail. The professional had never heard of such a request, and decided to investigate. She found the money order was a forgery and contacted the FBI.



If you have a big-ticket item you wish to sell, or services that you provide, you need to be skeptical of any person who offers to send you a money order or cashier’s check in excess of the amount of the purchase. You should also take great care when dealing with anyone through the Internet or e-mail. Make sure you can verify the person’s address or phone number. You can do that by looking up the person’s phone number on Google or the name through whitepages.com. This helps establish that the individual has a permanent residence to which law enforcement can respond.



If you do obtain a cashier’s check in payment, request that it be in the amount of the transaction only. If the check can be cashed at a branch of the issuing bank, then the obligation falls on the bank; otherwise the cashing bank will come back to you if the instrument is false. You should expect to show two forms of ID and file a document that goes to federal officials. In the event of fraud, investigators will start their work with you. Keep all documentation, including e-mails, of such transactions. Computer forensic experts do an excellent job of tracing the origin of electronic communications.



Remember, if something sounds a little out of the normal, it probably is.

Thursday, December 14, 2006

Bits and Bytes – Blurbs Concerning Information Security

All 26.5 million veterans whose information was lost due to a theft of a laptop and other equipment from an analyst’s home on May 3 are eligible for credit monitoring provided by the government. If you are affected, you should be receiving information on enrollment soon or contact your VA representative. If someone else is paying for it, credit monitoring may be worthwhile. Another way to Protect Your Good Name would be to purchase a copy of my book by the same name (unfortunately, the VA will not pick up the cost of the book).



Technology allows us to check on our pets when they are in a kennel, watch our children at daycare and even visit patients in the hospital. A new use of the same technology allows people to attend funerals over the Internet. I’m not sure how secure the virtual attendance systems are, but be sure the bad guys are trying to figure out how to use the same to take advantage of you or your personal information.



An employee of Equifax, one of three companies which provide credit reports on all Americans, lost his laptop computer which contained personal information on 2,500 of the 4,600 Equifax employees in Atlanta. The employee was disciplined for violating company policy (although we don’t know if he was fired).



An employee of ING Financial Services lost a laptop computer containing the data of 13,000 current and former District of Columbia employees. The computer contained personal information including Social Security Number. Again, no word on whether the employee is still with ING, after violating its security policy.



Over 1.3 million borrowers from the Texas Guaranteed Student Loan Corp. have had their personal information compromised. The data was stored on equipment that was reported missing. The equipment had been sent to a contractor, Hummingbird, Ltd. of Toronto. A Hummingbird employee downloaded and decrypted the information. No specific information was given on what type of equipment was lost (any guesses? Laptop?).

Thief Called “Classic Manipulator”

When Judge Linda Reade sentenced Julie Raim in May, she called Raim a “classic manipulator” who had had enough chances. Raim pleaded guilty to embezzling $87,332 from her employer. This was not Raim’s first brush with the law.



Raim had stolen wedding gifts in the past and was twice convicted of stealing from the same employer in Florida.



Reade sentenced Raim to the maximum recommended sentence of only two years and nine months and ordered Raim to repay the money she stole. When released she will be on supervised probation for three years. She will not be allowed to work in any job where she could be tempted to steal more money.



Had her employer requested a background check prior to offering her employment, they could have avoided the financial cost, the adverse publicity, and the loss of customer confidence. Information Security Education, LLC is starting to do background checks for less than the cost of one hour of an attorney’s time. Isn’t that a small price to pay to protect your company from a possible $87,000 loss? Call Steve at 319-210-0684 for more information on this protective measure.

How Private is Private Data?

In the wake of the disclosure that NSA programs gather data from telephone companies for data mining purposes (the communications companies supposedly provide the government with call data including the numbers called from and to, as well as the date and time), a national uproar ensued, and Congressional hearings are being conducted.



It seems that no information about the account holder is passed along in the general disclosures. The government may obtain a subpoena by showing probable cause (which can be easily done by providing call numbers, date, time of day and length of call, if the other number had already been linked to criminal activity) compelling the provider to complete the puzzle with accountholder personal data.



Never mind that some enterprising companies have been selling this information over the Internet for about a year, and consumers have not voiced as loud an outrage. As a matter of fact, law enforcement has been paying data brokers for this information without need of a search warrant. Among the data broker customers are the Department of Homeland Security, the Justice Department (which includes the FBI), as well as municipal police departments nationwide.



Last week in a Senate Judiciary hearing, the Chairman and Chief Executive of AT&T, Ed Whitacre was questioned by Senator Arlen Specter of Pennsylvania. Whitacre continually replied, “The privacy of our customers is utmost [in importance] and we follow the law." When pressed on the issue, Whitacre continued to simply state, “We follow the law.” Specter even raised the possibility that the communications executive was in contempt of Congress.



During the same few days, AT&T announced it would change its privacy policy claiming that all personal data collected by the company during its normal operations becomes property of the telecom, and the business will use the information as it sees fit, including providing such information to law enforcement officials. The additional statement reads, “While your account information may be personal to you, these records are owned by AT&T. As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others or respond to legal process.”



Expect more companies to watch the results of this change and probably join AT&T in claiming that personal data is company property.

Are Outside Auditing Firms Helpful?

Ernst & Young is considered to be one of the best and largest accounting firms in the country. They conduct audits on many of the Fortune 500 companies to assure the investing public they are placing their money in good hands. But are companies like Ernst & Young concerned about the privacy of customer data?



In January, an Ernst & Young employee lost a laptop computer containing information on thousands of current and former IBM employees. The PC was stolen from the employee’s car. The employee handled tax issues for IBM employees who worked overseas. The information included names, dates of birth, genders, family sizes, SSNs and tax identifiers. Notification letters were not sent out until two months after the theft.



In February of this year, four Ernst & Young employees meeting in a conference room had their laptops stolen (that’s right, all four) when they left for lunch. Among the client information lost in the incident was data from Sun Microsystems, including Social Security numbers of employees, even the president, Scott McNealy. Cisco employees were also affected by this theft. It was later reported that Nokia employees were also involved. The same theft also left 38,000 BP employees vulnerable. It took only five minutes for thieves to jack the computers from the conference room, all captured on security cameras, but the thieves were never caught.



On May 3, this year another Ernst & Young employee lost a portable computer containing information on 243,000 customers of Hotels.com. This would be the third major loss of portable computers by the same “Big Four” accounting firm in less than six months. The most disconcerting revelation here is that the accounting firm also performs audits of companies to make sure that they are following policies and procedures to protect the financial health of the client.



Many companies depend on their accounting firms to advise them of best practices for information security. After three major data losses in six months, Ernst & Young has lost credibility on this subject. In addition, each of the incidents can be cited as a direct violation of E & Y’s own security policies. The fate of employees involved in these disclosures has been available. Again, employees who constantly violate security standards are not only responsible for lost data, but for the lost confidence of customers. It was not very long ago when Arthur Andersen advised companies on accounting strategies that led to the collapse of large firms (Enron, WorldCom, McLeodUSA among others), which eventually led to the collapse of Arthur Andersen, which no longer exists. Will Ernst & Young suffer the same fate as a result of the actions of a few employees who fail to value customer data or the rules that protect such information?

“I’m From the Government and I’m Here To Help You”

This may be the busiest year yet for inadvertent personal information disclosures by our federal government. It isn’t even the end of June, and the U.S. government is averaging one major data exposure per month. Since most federal agencies hold large collections of personal data, we, the consuming public, should raise our voices to our elected leaders to take the problem seriously.



In February, the Department of Agriculture, while complying with a Freedom of Information Act request, disclosed information on 350,000 people, including personal data such as Social Security numbers. The root of the problem was traced to an employee in the department who did not follow established privacy policies.



Things rocked along fairly well until May, when a Veterans Administration employee took a laptop and an external hard drive home, against the VA’s security policy. The equipment was stolen from his home, exposing 26.5 million veterans, not only their identification information but in many cases medical information as well. The employee was placed on administrative leave.



June has brought three major data losses. The first occurred when an IRS agent lost a laptop computer on a commercial airline flight; the laptop contained tax records of 291 taxpayers. Then the Department of Agriculture (sound familiar?) announced that a hacker had infiltrated its computer systems and gained access to 25,000 employee records. Most recently, a Federal Trade Commission employee took home a laptop computer with personal data, which was stolen from his vehicle.



If you look closely at the items above, you will notice that all but one of the incidents were directly attributed to an individual employee who had not followed established security guidelines. The remaining one can probably be traced to information security personnel who did not properly monitor their security systems.



Most data loss can be traced to employees. In many cases, it would not be the first time the employee violated a policy or acted in an untoward manner. Business and government need to find out as much as they can about an individual before hiring. The best way to do this is to conduct a pre-employment background check. An extensive search will include criminal and sex offender records, a credit report, Social Security number verification and web sites. Information Security Education, LLC is pleased to announce the addition of these services. Call us at 319-210-0684 for more information.

Another Case For Shredding

Most Americans receive many offers for new credit cards each year. Most of us simply tear up the solicitation and go on our merry way. Is this the most effective way to deter someone from digging the torn application out of the trash and applying for credit in your name?



Rob Cockerham had this question in mind when he decided to conduct an experiment. He tore a credit card solicitation into many pieces and then taped the application back together. He then changed the address on the form to his father’s home. Finally, he sent the completed request to the credit card issuer.



Within a matter of weeks he received a call from his father telling him that a thick envelope had arrived in the mail. Sure enough, the envelope contained a new credit card. Mr. Cockerham then notified the credit card issuer of the experiment.



The ABC program 20/20 became aware of this trial and approached Chase Bank, the credit provider in question. Chase claims its procedures have been updated and that a customer would not be held liable for any monetary loss. However, the victim would still have the time-consuming hassle of correcting his credit report.



You can verify and follow the plight of Rob Cockerham at www.cockeyed.com. This experiment shows once again the importance of shredding all unwanted solicitations that arrive at your home. If you do not want to shred, then simply collect the items that should be shredded and drive them once a month to your nearest certified document destruction service provider. They will ensure that your junk mail is not used by identity thieves.

Friday, December 08, 2006

Bits and Bytes – Blurbs Concerning Information Security

The FTC, BBB and NAID are working together to have a National Shred Day. This would be a single day on which Document Destruction companies would offer free services for consumers. Watch this space for more information.



A laptop computer belonging to an Aetna employee was stolen from his parked car. The computer contained information on 38,000 people. The individuals affected have been notified. Aetna is paying for credit monitoring services for those who may be vulnerable.



Earthlink has won a contract to establish a wi-fi network in Philadelphia. The contract calls for 22 free hotspots. Earthlink will charge most users around $20 a month for access to the network. Low-income people will be able to receive service at a reduced rate. Earthlink will not charge the city; instead, the company pays a fee to the city for the right to provide the service, plus free accounts for city employees. Earthlink is also working on a project to establish wi-fi in San Francisco.



Notaries public often attest to a person’s signature on legal documents. Now the National Notary Association is pushing e-notary technology that uses cryptography as a means of online notarization. People who are already notaries public can apply online to become an e-Notary for a fee of $24.95.



NextSentry has developed software used by law enforcement to track down online predators. The company is using similar technology to let corporate security organizations track employees who violate company security policies. The main use will be to make sure sensitive information (customer data and company secrets) isn’t being sent outside the business.

Yahoo Instant Messenger Attacked

Yahoo Instant Messenger is one of the highest-volume messaging systems in the world. Its users are being duped into loading a worm they believe is a “safety” browser.



The worm, called yhoo32.explr, once loaded tries to send itself to the people on the user’s buddy list (a list of contacts who are monitored for their online availability to chat). The program hijacks the browser’s home page and attempts to steer the user to a website that downloads spyware onto the PC. One of the programs looks like Internet Explorer, even using a fake logo.



The virus also starts a guitar music loop whenever the PC is started. The music cannot be stopped and the infecting website becomes the person’s home page.



The sophistication of the attack suggests it is the work of an organized computer crime gang. Should you be afflicted by this virus, let us know; we have some free software that will allow you to eliminate the problem.

Company Stops Distributing Rootkits

ContextPlus has stopped distributing software that contained rootkits. I have done stories on rootkits in previous issues. Basically, a rootkit attaches to the operating system and allows a third party to collect information from your PC.



ContextPlus is an adware company. According to its website, it no longer guarantees the product or the quality of customer information. The company has been the target of many class-action suits. It is illegal to use a PC you do not own without permission. The business is among those named in a class-action suit, mentioned later in this newsletter, involving Yahoo!



ContextPlus is registered to owners in France and Poland. It is not known if the company is legitimate in any way.



The two programs most commonly placed on PCs are Apropos and PeopleOnPage. They are considered very advanced and are not detected by anti-virus or anti-spyware programs. You can look for these programs by typing the file names into a search of your computer (choose Search from the Start Menu); should the search find the files, you should delete them.



These programs collect information on the user’s browsing habits. Keystrokes can be logged and information is then transferred back to ContextPlus.

New York Judge Ruling Affects Computer Security

An administrative law judge in New York has ruled that an education department worker was unfairly punished for surfing the web on company time. The judge’s opinion likens Internet play to reading a newspaper or taking a personal phone call, in that it did not adversely affect the employee’s work.



Companies have instituted policies for workplace computers that limit personal use in order to protect the business from outside threats (viruses, Trojans and spyware). This ruling could cause many companies’ networks to be used as transfer points for malware.



Conscientious employees already know the damage that can be caused by unintended actions. In the last issue of this newsletter, I wrote about a study that found highly ranked search results contained spyware. An inexperienced employee surfing on a company computer can easily download this type of trouble.



So far, the ruling only affects New York public employees, but it will be looked at as a precedent in future employer-employee disputes.



Private companies need to establish proper-use policies and train employees on them. The Internet can be a valuable tool for employees, but it can also be a terrible disruption if used improperly. I get calls and e-mails almost weekly from people who have downloaded programs that had unintended side effects.

Logan International Tests ID Technology

Logan International Airport in Boston will test Radio Frequency Identification tags that will track both baggage and passengers. The system is designed to assure that passenger and luggage are traveling on the same plane.



As the passenger checks in at a self-service kiosk, his/her picture will be taken and tags will be printed as both boarding passes and luggage tags. Both will contain passenger profiles and photographs.



The passenger can then be tracked as they move through the airport, including boarding the flight. Their luggage will also be tracked. If a passenger fails to show up for the flight and leaves the premises, the baggage can be removed from the aircraft.



Boston Engineering is the firm conducting the tests. They believe the system can be used to increase air travel security. The tags can be read from as far away as 100 meters (about a football field).

Online Poker Players Lose More Than Rake

Poker players who use online sites to play their favorite game may be losing more than money. The house takes a small amount from each poker pot, called the “rake.” Players have taken to tracking the amount of money being raked by online poker sites.



Players who have downloaded a rakeback calculation application may also have downloaded a Trojan that records usernames and passwords. The information is then sent to the server that controls the downloads. A person can then use the login information to play poker on these sites as if they were the player infected with the Trojan.



The acts of an impostor can cost legitimate players, as losses are charged to the legitimate online accounts. Of course wins are also credited to the accounts, but many more players lose than win. An abuser can even empty one account into another.



The program called RBCalc.exe is the problem. It was distributed by Check Raised of San Jose. RBCalc.exe also loads a file called Backdoor.Win32.Small.Ia. Users should look for both files and delete them.



This might be a good time for online poker players to re-examine the safety of playing online. Although no wide-scale enforcement is currently underway, online gambling in the United States is not legal. There is also a bill winding its way through Congress that would make payment to online gambling sites by credit card a crime.



Since the servers that process the bets are not on U.S. soil, it is very difficult to slow the growth of online gambling. Most operators of these companies are sought by American law enforcement, but since the activity is legal in the countries where the servers reside, no extradition will take place. A few years ago, one gambling site operator returned to the U.S. to attend his father’s funeral and was arrested, but that is another story for another newsletter.

Wednesday, December 06, 2006

Bits and Bytes – Blurbs Concerning Information Security

Symantec examined three donated PCs to see if information had been removed. They found sensitive information, including Social Security numbers, on the donated machines. Every person retiring a PC should make sure that data files are not only deleted but overwritten. You can find programs on the web that write binary zeroes to every byte of a computer’s hard drive. The most popular ones are at download.com. Always read the program description to make sure the data cannot be recovered.
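Deleting a file only removes its directory entry; the bytes stay on the disk until something overwrites them. The following Python script, added here as an illustration and not a tool from the blog or from download.com, shows the file-level version of what the wiping programs above do: it opens a file in place, writes zeroes over every byte, forces the write to disk, verifies the overwrite, and only then unlinks the file. The sample record it wipes is constructed for the demo.

```python
import os
import tempfile


def wipe_file(path, chunk_size=1 << 16, delete=True):
    """Overwrite every byte of `path` with zeroes in place, force the write to
    the device, verify it, and (optionally) unlink the file.
    Returns (bytes_overwritten, verified)."""
    size = os.path.getsize(path)
    zeros = b"\x00" * chunk_size
    # "r+b" opens the existing file for writing WITHOUT truncating it. Truncating
    # first would hand the old blocks back to the filesystem with the data intact.
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(chunk_size, remaining)
            fh.write(zeros[:n])
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # push the zeroes past the OS cache onto the device
    verified = _all_zero(path, chunk_size)
    if delete and verified:
        os.remove(path)
    return size, verified


def _all_zero(path, chunk_size):
    """Re-read the file and confirm nothing but zero bytes remains."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return True
            if chunk.count(b"\x00") != len(chunk):
                return False


def demo():
    """Constructed sample: a file holding a fake record, wiped and verified.
    Returns (bytes_overwritten, verified, file_still_exists)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"name=Jane Doe; ssn=000-00-0000\n")  # constructed, not a real record
    size, verified = wipe_file(path)
    return size, verified, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: on solid-state drives and on copy-on-write or journaling filesystems, an in-place overwrite may land on different physical blocks than the original data, so for a machine that is being retired the safe route remains the whole-drive wipe the paragraph describes (or the drive's own secure-erase command), not a per-file script.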



Gartner Group, the Boston-area consulting firm, sees consolidation coming in the anti-virus market. They claim that too many vendors offering similar products without differentiation will lead to companies combining. Since most users already have some form of the software installed, sales of new packages will slow. Consumers who are happy with the products they are using will simply buy upgrades, which are cheaper than new packages. The reduction in suppliers will cause some confusion as customers are forced onto new products. The merging may lead to slightly higher prices for consumers, as there will be fewer providers.



EMC has developed a product to be used as a virtual tape shredder. Some companies have replaced tape backups with disk backups called virtual tapes. The new offering will allow users to completely erase and remove these virtual tapes.



Not only are men the majority of perpetrators of computer mayhem, they are also the most likely to be victims. Men lose approximately $1.83 for every $1 that women lose to computer scams. Almost two-thirds of all victims are male. The most common scam involved Super Bowl tickets. California, Florida and New York had the highest numbers of consumer complaints, but Alaska had the highest rate per capita.



A new Trojan targets Microsoft Word. You can check your PC by searching for the following files: Trojan.Mdropper.H or Backdoor.Ginwui. The attack is aimed only at Microsoft Word.



Yahoo! is being sued because its pay-per-click subsidiary allows companies that push downloads of software, including spyware, to use its service. The user clicks on an ad and software is automatically downloaded to the requesting computer. The suit was brought by an anti-spyware activist named Ben Edelman. Yahoo! stands by its practice. We will continue to report the progress of this suit.

Intel Increases Security

Intel, the maker of Pentium chips, has announced a new product that will help users secure their personal computers. The new vPro series chip allows owners to become more proactive in the fight against computer intruders.



vPro will include dual-core processing, which allows security applications such as firewalls, anti-virus and anti-spyware programs to run on the background processor. This will allow the PC to run at faster speeds for normal processing, such as Office applications.



The new chip contains a security processing area that people can use to run programs that monitor network traffic looking for unusual activity. Snort is a free application that consumers can use to watch such network activity.



Symantec, the maker of Norton products, has jumped on board developing software that will use the new features. Many consumers tend to skimp on security protections because they make PCs run slower.



Intel also claims the new chip will deliver a 40% increase in processing speed while using less power.



Although the initial release of this chip may be a little expensive, those who use their PCs for business should consider the upgrade. If you wait awhile the price will certainly come down.

Search May Find Spyware

A recent study by McAfee, Inc., the virus and spyware protection company, found search results often pointed to sites which downloaded spyware to the target computer. The sites usually showed up in the top five results either as paid advertisements or in the free portion of the search.



Typically, these results turned up when computer users searched for free programs and services. Some activities already considered illegal, such as downloading music for free, are often laced with malware. Many of these misguided actions prosper because so many people are trying to beat the system.



In almost two-thirds of searches for free screensavers, sites that contain spyware were listed at the top.



Bearshare, Limewire, and free ringtones are the most obvious areas where spyware appears. Some recording artists, in particular Madonna, have placed spyware on music sharing sites to discourage illegal downloads.



Consumers should be aware of the activity on their home computers. If you have children, especially teenagers, talk to them about the damage that can be done by spyware, viruses and Trojans. If your computer is invaded by such malware, Information Security Education can help clean it up.

IRS Rules Harmful to Consumers

Consumers who use tax preparation services may have put their identities at risk. New rules allow tax preparers to sell information to third parties. Most of the time third parties simply target these customers for products and services, but others may try to use the personal information for identity theft.



Taxpayers are required to provide Social Security numbers (taxpayer IDs) and the amount of money they make in order to produce a tax return. By examining this data, companies can determine whether you are a good credit risk, a gold mine for identity thieves and important to marketers of credit cards.



The rules allow electronic signatures to provide consent for the processing and release of data. Consumers must be provided with procedures similar to the privacy policies of credit granting institutions. The client is allowed to opt out of information sharing (highly recommended).



Tax preparation companies are required to inform the taxpayer how the information will be shared.



As with the sharing of any personal information, be it personal, medical or financial, the wise consumer should always read the privacy policy and follow the instructions to opt out of information sharing.

SEC warns of “Autosurf” Scam

The Securities and Exchange Commission has issued a warning to consumers involving “Autosurf” businesses. These businesses claim the computer user will make money by surfing the web and clicking on banner ads.



Most of these companies, most notably 12DailyPro, promise customers large returns if they join the program. A new member can sign up for free but cannot collect for their activity unless they upgrade to a paid membership. The company would then claim to need more and higher fees to guarantee subscribers a larger return.



12DailyPro is accused of deceiving more than 300,000 people out of $50 million. The SEC claims the company was nothing more than a Ponzi or pyramid scheme.



Charis Johnson, the operator of 12DailyPro, first claimed her business practices were legitimate but later agreed to an asset freeze. Johnson funneled money through PayPal, an eBay subsidiary. PayPal claimed that the business looked legitimate to them.



Other “Autosurf” businesses are NetInvestAutosurf.com and 123eTraffic. Consumers should be very wary of any “Get Rich Quick” scheme by following the adage, “If it sounds too good to be true, it probably

Millions of Veterans Identities Stolen

A data analyst for the Veterans Administration took home a laptop computer containing personal information on more than 26.5 million veterans. The computer was later stolen from his home, making it the second-largest single loss of personal information. The information on these veterans included name and Social Security number, enough for an identity thief to apply for credit under an assumed name.



Policies at the Veterans Administration do not allow workers to take sensitive personal information on clients off government premises. The data analyst has been placed on administrative leave. I believe that he should be charged as an accessory to the theft: by intentionally violating government policies, he permitted the data to be in a place where it could be easily stolen. Should the information be used in identity theft, the analyst should also be charged in those crimes. By tying the punishment to the original act, the consequences may deter others from knowingly careless behavior.



The fact that employees have so little concern for the information with which they are entrusted is very disturbing. I have reported on more than a dozen similar instances in the past year.



Authorities think the burglary was simply a random act. The intruder may not know the value of items stolen, as there have been many thefts in the neighborhood where the employee lives.



The VA has mailed letters to all affected individuals with instructions on ways to check and monitor their credit records. Additional protection for any vet would be a copy of my book.



Veterans, like any other person, are entitled to a copy of their credit report once a year from each of the credit reporting agencies. Everyone should develop a strategy of checking credit reports every four months by rotating the free reports among the reporting agencies. You can obtain a free credit report at www.annualcreditreport.com.

Tuesday, December 05, 2006

Bits and Bytes – Blurbs Concerning Information Security

Tina Stroud of Cedar Rapids was charged with opening two accounts in the name of a former roommate. One of the accounts involved a cell phone. With many high school graduates heading to college soon, this is a good time to teach young adults the importance of keeping personal information private. My book Protect Your Good Name! (From IDentity Theft) makes a great graduation gift. Consider giving it to anyone you feel needs this important information.



Soccer fans should beware of a virus currently circulating. It masquerades as an Excel spreadsheet to help the user track teams in the World Cup matches. Once the machine is infected, the virus sends itself to the people in the user’s e-mail address book. Two versions exist at this time; you can check your computer files by searching for either “XF97/Yagnuul-A” or “Troj/Haxdoor-IN.”



I have received several e-mails in the past week about a jury duty scam. The intended victim receives a phone call claiming the person failed to show for jury duty. The caller will then want to verify the identity of the potential juror by asking for Social Security Number or threatening the person with jail unless given either SSN or a credit card number. I first reported this scam in the November 2, 2005 newsletter. It is making another round.



MSNBC has reported that services charging a monthly fee to protect your identity are not worth the cost. The report cited actions consumers should take on their own to reduce personal vulnerability. My book Protect Your Good Name! (From IDentity Theft) contains all of the suggestions in the news article and much more. The retail cost of the book is $19.95 as opposed to $120 per year for these services. I reported on these services in the September 21, 2005 newsletter, noting that some homeowner’s insurance policies may provide adequate coverage for as little as $25 annually, making the book a bargain.



Microsoft has touted its new operating system Vista as being the most secure it has ever created. The Yankee Group has tested the product, listing doubts. The consultants don’t attack the software itself, but claim it is unwieldy. They believe its complexity will encourage users to search for other alternatives to secure company computers.



Apple has long celebrated the fact that its systems have been largely untouched by the increasing number of attacks. Unfortunately, virus writers have stepped up attacks on the Mac. In the last three years, the number of different infections aimed at the machine has increased faster than the rate for PC users. This may be attributed to the amount of malware already in place. In the past Mac users thought they had safe computers, but in reality the criminals have focused on PCs simply because there are more of them. With so many security companies homing in on solutions for PCs, the bad guys are aiming for new and fertile fields to ply their trade.

Prison Awaits 20-Year-Old

Jenson James Ancheta will be spending his early adulthood behind bars. The 20-year-old was sentenced to 57 months in federal prison for operating a robot network which he rented to spammers. This is the longest sentence to date for such abuse.



Ancheta also used his network to launch attacks on web-based businesses. He would set a synchronized time for thousands of computers to send multiple requests to the target computers. The servers would soon be overwhelmed and shut down.



After serving his prison time, Ancheta will be on three years of supervised probation. In addition, he was ordered to pay the U.S. Naval Air Warfare Center in China Lake, California, $15,000 in restitution for damages caused. He will forfeit $60,000 in illicit gains.



The original indictment contained 17 counts accusing him of controlling more than 500,000 computers. Ancheta pled guilty.



During sentencing U.S. District Judge Gary Klausner told the convict, "Your worst enemy is your own intellectual arrogance that somehow the world cannot touch you on this."



I originally reported on Ancheta’s arrest in the December 1, 2005 newsletter, noting that he claimed not to know how many computers he controlled.

Helder Still Being Held

Luke Helder is still in custody in a medical facility in Rochester, Minnesota. You may remember him as the mailbox bomber who placed 17 pipe bombs in private mailboxes on a cross country spree.



I cited his actions as an example of why mailboxes are not only an unsafe place for your personal data, but can be potentially dangerous. Several people were maimed during the May, 2002 crime wave.



Helder is considered incompetent to stand trial at this time. He is diagnosed with a number of separate illnesses.



I chronicle his escapade in my book. Since that time many instances of pipe bombs and other dangerous articles placed in mailboxes have been reported. I list ways to protect yourself from such dangers in my book. The first step is to either remove that tin box or replace it with a locking mailbox.

Hacker To Be Extradited

Gary McKinnon, 40 of Great Britain will be coming to the United States, but instead of a vacation he will be facing charges of breaking into military computers. He could spend up to 70 years in one of our fine correctional resorts and be fined up to $1.75 million.



McKinnon’s antics include accessing 97 government computers, including some at the Pentagon, Army, Navy and NASA. His intrusion is considered the “biggest military hack of all time.” Government officials claim more than $700,000 in damages.



The Brit, who used the screen name “Solo,” admitted to gaining access to the computers but denied causing any damage. He fought extradition claiming to be "already hung and quartered over there" declaring he could not get a fair trial.



The year-long attack started in February, 2002, causing great concern in the wake of the attacks of September 11, 2001.



McKinnon claims he was able to gain access to military computers without even entering a password. The intruder simply claimed to be researching the existence of UFOs. Security analysts say the attacks have underscored the lack of security on some of the most valuable computer systems in our government.

Spyware Seller Fined

Sanford Wallace was ordered by the U.S. District Court in New Hampshire to pay $4 million in fines for planting spyware on computers. The case, the first such pursuit by the FTC, was filed in 2004.



Wallace’s scam started with pop-up ads that would imply the targeted PC had been infected with spyware. When the user clicked the ad, spyware would be downloaded to the computer. Pop-up ads would then circulate through the computer aggravating the owner.



A second ad would guarantee to remove the infection by simply buying a program either called “Spy Deleter” or “Spy Wiper.” Purchasers were charged $30 per copy.



Wallace and his company SmartBot.net are barred from spreading spyware.



Consumers should check their computers by doing a file search for either of the programs. A civil suit will probably be filed soon on behalf of computer owners to recover money taken in the scam.
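Several blurbs in this issue (the ContextPlus adware, the rakeback calculator, the Word Trojan, the World Cup spreadsheet virus and the Spy Deleter/Spy Wiper scareware above) give the same advice: search your computer for a list of names and delete what you find. The following Python script, added here as an illustration and not a tool from the blog or from any vendor named in it, automates that check: it walks a directory tree and reports every file whose name contains one of the indicator names quoted in these blurbs. One caveat it makes explicit: names such as Trojan.Mdropper.H, Backdoor.Ginwui, Backdoor.Win32.Small.Ia, XF97/Yagnuul-A and Troj/Haxdoor-IN are antivirus detection labels rather than file names, so a name search alone cannot confirm or rule them out; the scanner reports those containing a path separator as not searchable by name. The directory tree it scans is constructed for the demo.

```python
import os
import tempfile

# Indicator names quoted in the blurbs above, mapped to the story they came from.
# Entries containing a slash are antivirus detection labels, not file names.
INDICATORS = {
    "apropos": "ContextPlus adware",
    "peopleonpage": "ContextPlus adware",
    "rbcalc.exe": "rakeback calculator Trojan",
    "backdoor.win32.small.ia": "dropped by RBCalc.exe (AV detection label)",
    "trojan.mdropper.h": "Word Trojan (AV detection label)",
    "backdoor.ginwui": "Word Trojan (AV detection label)",
    "xf97/yagnuul-a": "World Cup spreadsheet virus (AV detection label)",
    "troj/haxdoor-in": "World Cup spreadsheet virus (AV detection label)",
    "spy deleter": "SmartBot.net scareware",
    "spy wiper": "SmartBot.net scareware",
}


def searchable(indicator):
    """A name containing a path separator can never be a file name on disk."""
    return "/" not in indicator and "\\" not in indicator


def scan_tree(root, indicators=INDICATORS):
    """Walk `root` and report files whose name contains an indicator
    (case-insensitive substring match, since the blurbs give no extensions).
    Returns (hits, unsearchable): hits is a sorted list of (path, indicator),
    unsearchable lists indicators that cannot be matched by file name."""
    needles = {k for k in indicators if searchable(k)}
    unsearchable = sorted(k for k in indicators if not searchable(k))
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            low = fname.lower()
            for needle in needles:
                if needle in low:
                    hits.append((os.path.join(dirpath, fname), needle))
    return sorted(hits), unsearchable


def demo():
    """Constructed sample tree: two planted indicator names among benign files.
    Returns (matched indicator names, unsearchable indicator names)."""
    root = tempfile.mkdtemp()
    planted = [
        "Program Files/Poker/RBCalc.exe",          # constructed placeholder, not real malware
        "Windows/System32/PeopleOnPage.dll",       # constructed placeholder
        "Users/jane/Documents/budget.xls",         # benign
        "Users/jane/Documents/proposal.doc",       # benign; must not match "apropos"
    ]
    for rel in planted:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed placeholder\n")
    hits, unsearchable = scan_tree(root)
    return [indicator for _path, indicator in hits], unsearchable


if __name__ == "__main__":
    for path, indicator in scan_tree(os.path.expanduser("~"))[0]:
        print(f"{path}: matches {indicator} ({INDICATORS[indicator]})")
```

Substring matching on file names is deliberately coarse: it will flag a renamed copy such as RBCalc_old.exe but will also flag an innocent file that happens to contain one of the words, so treat a hit as something to examine, not something to delete on sight, and rely on an up-to-date anti-virus scan for the detection-label entries.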

Data Sellers Charged

Five companies are being charged by the Federal Trade Commission for “pretexting,” gaining access to private data (telephone records and credit card statements) under false pretenses.



AccuSearch operating as Abika.com, 77 Investigations, CEO Group operating as Check Em Out, Information Search, and Integrity Search & Investigation Services are accused of unfair trade practices. The businesses advertised the services as a way for spouses to investigate suspected unfaithfulness. The information was being sold to anyone who paid the fee.



The FTC maintains that the services offered by these companies amounted to disclosing non-public personal information. The Internet allowed these providers to expand their reach worldwide.



The practice has gotten the attention of Congress, but the glacial pace of legislative reform caused any action to fall to the FTC.



FTC officials have filed charges against individuals employed by these companies who actually pretended to be cell phone and credit customers, asking for copies of detailed billing records.



Private investigators, law enforcement and others legitimately use the above services to track movements of people under surveillance.