Protect Your Good Name!

This blog details scams and identity theft problems and what to do to protect yourself. Author of "Protect Your Good Name! (From IDentity Theft)" explains in plain language actions to protect your financial health.

I am the author of "Protect Your Good Name! (From IDentity Theft)." I am also the owner of Information Security Education, LLC. I have developed technology for fast, accurate, and cost-effective background checks. I have also developed educational seminars on Identity Theft, Personal Computer Security, Information Security for Small Business, and Pre-Employment Checks.

Thursday, January 11, 2007

Bits and Bytes – Blurbs Concerning Information Security

Microsoft has released a fix for some of the flaws in Internet Explorer. The release originally scheduled for October 10 was pushed up due to the rash of computer takeovers. If you have not already updated your Microsoft system, doing so may avoid a nasty round of attacks similar to the ones mentioned above.



The Transportation Security Administration has announced it will charge a $30 frequent traveler’s fee for people interested in going through an express lane at airport security. The original fee was expected to be over $100. Information Security Education, LLC has been certified by the Social Security Administration and the Department of Homeland Security to check valid work statuses. We will also be pursuing the ability to provide expedited TSA screening. Watch for further announcements.



The U.S. Commerce Department has lost 1,137 laptop computers since 2001. Almost half of these computers were the responsibility of the Census Bureau. At least 246 of the machines contained personal information, but the Census Bureau was unable to determine the number of people affected. The government states that no personal information from these devices has been used improperly. Since officials can’t even figure out whose data was lost, how can they assure the public’s safety?



Personal computer users should consider making a recovery partition. A partition is an area of your hard drive set aside as if it were a separate hard drive. This area will enable you to recover your PC in a short amount of time. Several software vendors have products available including Symantec's Norton PartitionMagic 8.0 and Norton Ghost. You should evaluate your need and make sure you have a proper recovery partition.

Credit Card Firms Fining Merchants

Mastercard, Visa, Discover and American Express all require merchants to discard credit card information as soon as they receive an authorization for a charge. The card company and the authorization number are all that is required for a merchant to receive payment.
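The retention rule above is easy to state and easy to get wrong in a merchant's own records. As an added illustration (not code from the blog or from any card company), here is how a merchant system could reduce an authorization response to the fields the rule permits, plus an audit check that scans stored records for anything that still looks like a card number. The field names, the Luhn-based scanner and the sample authorization are all assumptions constructed for this example; 4111111111111111 is a well-known test number, not a real account.

```python
import re

def luhn_valid(digits):
    """Luhn checksum that payment card numbers must satisfy; a random
    run of digits only passes one time in ten, so this cuts false hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13 to 19 digits is the length range of card primary account numbers (PANs).
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")

def find_pans(text):
    """Return every digit run in the text that looks like a card number."""
    return [m.group() for m in PAN_PATTERN.finditer(text) if luhn_valid(m.group())]

def record_for_storage(authorization):
    """Keep only what is needed to collect payment: card company and
    authorization number (plus amount and time for the ledger). The card
    number, expiry and verification code are deliberately not copied."""
    return {
        "card_company": authorization["card_company"],
        "authorization_number": authorization["authorization_number"],
        "amount": authorization["amount"],
        "timestamp": authorization["timestamp"],
    }

def storage_is_clean(record):
    """Audit check: no stored value may contain a card number."""
    return all(not find_pans(str(value)) for value in record.values())

# Constructed authorization response as the processor might return it.
SAMPLE_AUTHORIZATION = {
    "card_company": "Visa",
    "pan": "4111111111111111",          # test number, must never be stored
    "expiry": "12/09",
    "cvv": "123",
    "authorization_number": "A1B2C3",    # constructed value
    "amount": "42.50",
    "timestamp": "2007-01-11T09:30:00",
}

if __name__ == "__main__":
    stored = record_for_storage(SAMPLE_AUTHORIZATION)
    print(stored, "clean:", storage_is_clean(stored))
```

The scanner is the useful part for an existing shop: run `find_pans` over log files, database dumps and receipt templates to find card numbers that were kept after authorization despite the rule.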



Last weekend ushered in a new era in the credit card industry, as Visa joined Mastercard in imposing penalties from $10,000 to $100,000 for failure to keep transactions secure. The credit providers are not assessing merchants directly, but invoking the penalties on the companies that process the transactions. It will be up to these middlemen to collect from the individual merchants.



At this point, the program is being aimed at large merchandisers who violate the terms of their credit card agreements. Neither card company would comment as to who the biggest offenders were, other than indicating that such vendors are responsible for more than six million deals a year. Visa noted that only twenty of 334 merchants were non-compliant. This pool of sellers represents almost half of all Visa’s transactions.



Mastercard would not detail how many merchants violated the card agreement. Chris Tom, chief risk officer, would only say, “We are not levying fines for noncompliance. We are levying them for non-cooperation.”



In a related development, Visa has not met its own security deadlines. The company had set a goal of completion by January 1, 2006, but did gain auditors’ approval in September, only nine months behind schedule.

Health Study Participant Info Stolen

Participants in a University of Iowa study on maternal and child health have had their Social Security Numbers exposed. The research program had over 14,500 contributors. The university has sent warnings to all involved.



The people concerned have been part of the study from 1995 to the present. The computers caught up in this mess were issued to professors in the psychology and psychiatry departments.



It appears that the attack was initiated outside the college campus and surveyed all campus computers looking for unlocked systems. Law enforcement likened the action to a person walking down a hallway and checking door knobs to see which, if any, were unlocked.



The operation apparently was intended to seek space to store illegally obtained copyrighted materials such as music and video.

New “Trojan Horse” Attacks Security Shield

Banks and other businesses accepting financial transactions over the web have developed a way for the user to simply use the mouse instead of keyboard to enter PINs or credit card information. This avoids the effect of any keystroke loggers that might be installed on the PC without the user’s knowledge.



A Spanish company called Hispasec Systems has now discovered a “Trojan Horse” that infiltrates the targeted computer and captures the screen images of computer users. This software can follow the mouse movements of a displayed keypad making it simple to steal both PINs and credit card numbers.



The clandestine software is downloaded unwittingly by surfers who do not realize they may pay dearly for that free software. It may also be downloaded when users respond to spam links.



Security software makers are not yet able to defend against this new threat. Hispasec tested more than 30 anti-virus programs with only six showing any protection against this threat.



Some banks and financial institutions are using these “virtual keyboards” as a solution to government requirements to secure their online systems. Unfortunately, this is another example of the criminal element working hard to learn how to pick the latest lock. It is a vicious circle, with the good guys only able to keep a step ahead of the bad, at best.

Hackers Attack Applications

Symantec Inc., the company that produces the Norton line of security products, has determined that computer hackers are targeting the applications used on home computers in a larger proportion than other computer-related attacks such as phishing. This means that programs like Internet Explorer, Firefox, Microsoft Office and other programs are being infiltrated to gain access to personal information (more in a later article).



The computer user goes about his or her business using a browser to surf the Internet. While cruising the Information Superhighway, one goes to a site that seems really cool, with great videos, music or interactive games. While downloading the special software needed to use these (usually free) items, you also get a special present: an attachment to your browser, or productivity software, that will log your keystrokes and look for items like online banking logins or credit card numbers.



It doesn’t matter which browser you use; you are at risk. A simple look at three of the most popular Internet browsers shows that Mozilla’s Firefox contains 47 flaws that allow access to your system. Internet Explorer is no angel with 38 bugs. Even Apple’s Safari was documented as having 12 faults.



Security software manufacturers can only protect users from attacks they know about. This is usually done after the invasion has already caused damage. The door to your system is through the browser and it is those developers who need to partner more closely with security vendors to close the holes.



Most computer users can also protect themselves by not downloading items that they have not completely checked out as being safe. Symantec and other security software sites do offer help in understanding whether or not the sites you are interested in are legitimate. Another tip, simply Google the software you are interested in, and you will usually find both good and bad info. I suggest reading both.

More Fallout in H-P Case

The trials and tribulations of the actions in the boardroom at Hewlett-Packard have continued to escalate. Patricia Dunn moved up her exit from the board and was summoned to a Congressional hearing where she denied that she had knowledge of the escapades which occurred. The House of Representatives is now considering enhanced penalties for “pretexting.” Representative Edward Markey of Massachusetts is leading this effort.



Mark Hurd, the current CEO, is also being asked the question, “What did you know and when did you know it?” These questions seem to be obvious whenever scandal is involved. Mr. Hurd’s and his counsel’s responses seem to be shifting, both in when he was made aware of the actions and in his involvement in the process. It is unfortunate that one of America’s most respected companies (until now) has placed itself in this position.



In addition to the company’s actions, Cingular is now suing CAS Agency of Atlanta and its principal, Charles Kelly, over gaining access to cell phone records. Dawn Kawamoto, a reporter for CNET who reported the original story, was one victim whose information had been purloined. Verizon and Vodafone have also filed legal proceedings related to the case.



In a related action, the Federal Trade Commission has settled with Integrity Security & Investigation Services for marketing services that allow consumers to gather information on others’ phone records. The agreement provides for ISIS to cease its illegal activities as well as “disgorge ill-gotten gains derived from alleged violations.”



The big question here is whether additional legislation is required when laws already exist. It seems enforcement is lacking. Congress is considering new laws that place more responsibility on the telephone companies to protect customer data. We have seen enforcement responsibility pushed to the private sector in banking and now communications. What good does it do to continue to pass laws that are simply ignored? Let’s prosecute offenders even if they are corporate execs.



By the way, the phone companies, which have armies of lobbyists in Washington, are opposed to accepting the enforcement provisions. Can you guess how this might end?

Wednesday, January 10, 2007

Bits and Bytes – Blurbs Concerning Information Security

Identity thieves used hundreds of stolen credit card numbers to buy tickets to Barbra Streisand’s latest concert tour. These tickets have been voided by the vendor, but that won’t help the people who will think they have purchased legitimate tickets. The winners here are the crooks and the losers are those who buy tickets for the performance through unauthorized sources.



A recent survey released some scary statistics. Only 25% of companies report security breaches to law enforcement. Four of five businesses do security audits. More than half of IT shops surveyed spend two percent or less of their IT budget on security. Most companies still have to make an ROI case for expenditures. Most respondents, 71%, do not carry cyber-security insurance.



Banks, the targets of phishing schemes, are becoming helpful partners in computer protection. Financial institutions are starting to offer security tools to their online users. Many organizations will subsidize the purchase price, encouraging customers to protect their digital assets. Depositories will be required to use two-factor identification by the first of next year, which is another incentive to persuade patrons to use affiliated products. Large conglomerates are working with Internet Service Providers to develop secure access methods.



A new device can be used to test computer systems for vulnerability to hackers. The pen-sized tester can be slipped into your pocket as you walk through the target area. The object can be set to try 150 different computer exploits. This new tool is intended for corporate security teams to conduct audits, but it is available to others who are willing to pay $3,000 for it.



A second Veteran’s Administration computer containing personal information was stolen from Unisys, a contractor. The computer has been recovered and the temp who stole the unit has been charged. The government agency does not believe the thief intended to steal personal data.

Wireless Access Points Can Fool You

A recent test at O’Hare International Airport found that more than 90% of the wireless access points were not sponsored by the airport. Many of these sites advertised “Free Wi-Fi.”



The security group doing the study concluded that at least 80% were peer-to-peer networks. These are personal computers that are set up to allow Internet access to others. While you are using these portals to the information superhighway, your keystrokes can be monitored or collected.



Most of the disguised access points masked their own MAC address, so as to be more difficult to identify. A MAC address is like a serial number on the networking device. It can be used to determine the manufacturer and in some cases even the computer involved.



Most newer laptops are set up to connect to the strongest signal. The user can open the wireless network list and sometimes determine whether the connection is from a legitimate provider. Otherwise, the computer that sits between you and the authorized provider can collect any information that is transmitted in either direction.



Many of these operators are trying to collect usernames and passwords to gain access to the legitimate user’s resources. These resources may be e-mail, corporate networks or even online financial transactions.
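The warning signs in this article (peer-to-peer networks posing as hotspots, masked MAC addresses, networks not sponsored by the venue) can be checked mechanically before connecting. The following is an added example, not code from the blog, that triages a list of scan results the way a cautious traveler would. The scan entries, the trusted SSID list and the vendor-prefix table are all constructed for the example; the one real fact used is that the 0x02 bit of a MAC address's first octet is the IEEE "locally administered" flag, which is clear on a factory-burned address and set when the address was assigned in software.

```python
from dataclasses import dataclass

@dataclass
class ScanEntry:
    ssid: str       # network name as advertised
    bssid: str      # MAC address of the access point (or of the peer's card)
    mode: str       # "infrastructure" (real access point) or "ad-hoc" (peer-to-peer)
    security: str   # "open", "wep", "wpa2", ...
    signal: int     # dBm; stronger (less negative) wins by default on most laptops

def is_locally_administered(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set,
    i.e. the MAC was chosen in software rather than burned in at the factory."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)

# Constructed vendor-prefix table (real lookups use the IEEE OUI registry).
VENDOR_PREFIXES = {"00:1A:2B": "ExampleNet Devices (constructed entry)"}

def vendor(mac):
    """Map the first three octets to a manufacturer, if known."""
    return VENDOR_PREFIXES.get(mac.upper()[:8], "unknown")

def triage(entries, trusted_ssids):
    """Return {bssid: [reasons]} with an empty list for entries that raise no flag."""
    findings = {}
    for e in entries:
        reasons = []
        if e.mode == "ad-hoc":
            reasons.append("peer-to-peer network, not an access point")
        if is_locally_administered(e.bssid):
            reasons.append("locally administered MAC (vendor prefix masked)")
        if e.ssid not in trusted_ssids:
            reasons.append("SSID not on the venue's published list")
        if e.security == "open":
            reasons.append("no encryption; traffic readable in transit")
        findings[e.bssid] = reasons
    return findings

def rogue_candidates(entries, trusted_ssids):
    """SSIDs and BSSIDs of every entry that raised at least one flag."""
    flags = triage(entries, trusted_ssids)
    return [(e.ssid, e.bssid) for e in entries if flags[e.bssid]]

# Constructed scan results, modelled on the airport survey in the article.
SCAN = [
    ScanEntry("AIRPORT-WIFI",   "00:1A:2B:3C:4D:5E", "infrastructure", "wpa2", -61),
    ScanEntry("Free Wi-Fi",     "02:AB:CD:12:34:56", "ad-hoc",         "open", -48),
    ScanEntry("Free Public WiFi", "00:11:22:33:44:55", "infrastructure", "open", -70),
]
TRUSTED = {"AIRPORT-WIFI"}   # constructed: what the venue publishes at its kiosks

if __name__ == "__main__":
    for bssid, reasons in triage(SCAN, TRUSTED).items():
        print(bssid, vendor(bssid), reasons or "no flags")
```

Note that the strongest signal in the constructed scan is the ad-hoc "Free Wi-Fi" entry, which is exactly why "connect to the strongest signal" is the wrong default in a crowded terminal.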

Ten Steps to Protect Laptops

The following ten steps can help protect your laptops from falling into the wrong hands:



1. Use visual deterrents such as cable locks wrapped around a desk to discourage someone from taking the machine. You can even use these in hotel rooms and conference rooms.

2. Avoid leaving unsecured portable devices unattended. This rule applies to home as well as office.

3. Use simple inconspicuous carrying cases. Some cases scream “Laptop inside!”

4. Use complex alphanumeric passwords. Complex passwords usually use at least 3 of 4 tactics: uppercase letters, lowercase letters, numbers, and special characters.

5. Use anti-virus, anti-spyware, firewalls and encryption programs on all portable computers. Make sure any file that contains sensitive data is also encrypted. It makes no sense to have the software if it’s not used.

6. Back up all valuable data, especially before you take the machine out of the office. Sometimes it is expedient to make two copies and place them in separate buildings.

7. Understand the dangers of introducing pirated software or downloading files to your device. These items often carry malicious code and could be used to enlist your machine in a robot network.

8. Pay attention to news reports of changing theft schemes. By knowing how your enemy works, you can better protect yourself. This includes understanding phishing and SPAM attempts.

9. Use asset tracking and recovery software, which in some cases can locate your PC in a manner similar to having LoJack on an automobile.

10. Use advanced data protection tools, such as requiring a login to the company network before you can decrypt sensitive files. This way stolen computers would be denied the access needed to view important files.



By following these steps you will reduce your chances of becoming a headline.
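Step 4's "3 of 4" rule is simple enough to automate, and a company handing out laptops might want to enforce it at password-change time. The following checker is an added example, not code from the blog; it applies the four character classes named in the list and, as assumptions added here, a minimum length and a check for runs of repeated characters (the list itself names only the classes).

```python
import re
import string

# The four character classes named in the checklist.
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "special": set(string.punctuation),
}

def classes_present(password):
    """Names of the character classes that appear at least once."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}

def check_complexity(password, min_length=12, min_classes=3):
    """Return (ok, reasons). ok is True only when every rule passes;
    reasons lists the rules that failed so the user can be told why.
    min_length and the repeated-run rule are assumptions added here."""
    reasons = []
    present = classes_present(password)
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(present) < min_classes:
        missing = ", ".join(sorted(set(CLASSES) - present))
        reasons.append(f"only {len(present)} of 4 character classes used (missing: {missing})")
    # Padding with the same character satisfies the class rule without adding strength.
    if re.search(r"(.)\1{2,}", password):
        reasons.append("contains a run of three or more identical characters")
    return (not reasons, reasons)

if __name__ == "__main__":
    for candidate in ["password", "Correct-Horse-9Battery", "aaaaaaaaaaaa1A!"]:
        ok, reasons = check_complexity(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(reasons)}")
```

The function returns the failing rules rather than just a verdict so a login screen or help desk can tell the user what to change.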

Wireless Computers at High Risk

Placing a wireless card on your computer puts it at higher risk for downloaded malware. In most cases there is not a simple way to disable the device when in use.



The computer is turned on, and then signals are sent into the air seeking an Internet connection. Should there be a bad guy in the general vicinity, he would recognize a system making a connection. Should the culprit have the right software, he would be able to take total control of the box.



This vulnerability applies to both Windows and Apple computers. A demonstration was made by David Maynor and Jon Ellch on August 2. For purposes of effect they used an Apple MacBook.



The pair did not release into the public domain the code showing everyone how to commit this act. They blamed the opening on the wireless protocols called 802.11. Another item of concern is the device drivers that tell the computer hardware how to communicate with the wireless card.



In a related press release Intel alerted users of Centrino mobile technology of the potential of attack. The Centrino problem allowed computers in the general wi-fi area to grab complete control of the operating system. A patch has been released.



I believe that any laptop used in the open should be used only for innocuous purposes, and systems should be cleaned of sensitive data before being allowed in public.

Personal Website Provider Dumps Service

Facebook, one of many sites that hosts personal websites, began a new service “News Feed” which tells people who are on your friends list about changes that occur in your online profile.



The new feature allows members to notify all of their contacts upon changes, so the user can invite friends to events, announce a birth, etc. Members immediately saw only the negative and protested the service. Over 600,000 users complained to the host.



Facebook and other personal website providers offer a service that allows a person to tell the world anything they wish. Once a post is made, it is virtually open to anybody with internet access. Facebook is a little more secure since it limits membership to certain groups like students of a specific institution or employees of a company.



Whenever a person wants others to know more, they make a post. This is a change to the individual’s site. Usually, the site owner is proud of the items shown or they probably wouldn’t have placed it on the internet.



I offer a simple solution in response to the complaints. Do not put negative items on your personal website.

Actions Cause Resignations

Hewlett-Packard was concerned about leaks coming from its board meetings. The company’s non-executive chairman Patricia Dunn apparently directed an operation to find out the source of the leaks. The way the investigation was conducted may have been illegal.



The source of the problem is an outside investigation firm hired by H-P, Security Outsourcing Solutions of Boston, which found out who was providing details of meetings by gathering telephone records of board members without their permission or knowledge. The process known as “pretexting” occurs when an investigator calls the phone provider and PRETENDS to be the person whose records are about to be viewed. The imposter is then given online access to phone records.



I have written numerous articles about this practice over the past year, including stories about phone companies suing those who use this ploy. The latest was about AT&T suing to find out who was gaining permission without approval (Vol. II No. 6, September 6, 2006).



Federal officials have started an investigation into the company’s actions, which could lead to three-year prison terms on each count as well as $10,000 in fines. The California Attorney General’s office has already stated they have enough evidence to file charges in that state.



A Hewlett-Packard attorney and outside counsel both assured the board members that the probe was legal. The outside counsel now says he relied on the company’s legal counsel.



Ms. Dunn has since resigned from her chairmanship. Two other board members have left, one removed and the other resigned in protest. Mark Hurd, CEO of H-P, has assumed the chair in the interim.

Thursday, January 04, 2007

Bits and Bytes – Blurbs Concerning Information Security

AT&T Co., formerly known as Southwestern Bell, which also owns Cingular, revealed that 18,000 to 19,000 customers’ credit card and personal information were breached when a server was hacked by an outsider. The company is offering credit-monitoring services to those affected. The telephone giant is reviewing its security policy. A spokesperson claimed the organization stressed its commitment “to weeding out and punishing the violators.”



The Agriculture Department reported another data breach as a laptop computer and printed reports containing private data were stolen from a parked car of an employee in Kansas. It is just another example of lax treatment of government data. This is the third breach attributed to the Agriculture Department this year. The Veteran’s Administration is running a close second at two incidents.



A Dubuque, Iowa man will spend six months in prison for stealing mail that he was to deliver. Scott Meiner pled guilty to two counts of theft of U.S. Mail. He will also be required to pay a $2,000 fine and $1,202 in restitution. He was working as a highway contract rural mail carrier at the time of his offense.



AOL’s new software release 9.0 has been labeled “badware” by StopBadWare.org. The organization, run by The Berkman Center and the Oxford Internet Institute, receives advice from the Consumers Union. It is funded by Google, Sun Microsystems and Lenovo (formerly IBM’s PC division). The major problem is that software is loaded without the computer owner’s consent. The software could affect system performance.



It’s not a total victory, but anti-virus software producers have claimed that worms may be on the way out. Remember when we used worms for fishing and not phishing? We may soon be able to go back to the good old days. The good guys do keep getting better.

You Can Now Relakks!

A new service based in Sweden intends to use the country’s privacy umbrella to prevent exposure of private information. The infant company was launched as a response to AOL’s recent exposure of the searches of more than 650,000 clients.



Labs2 Group, based in Lund, Sweden, offers Relakks, which costs five euros (about $6.50) a month. It provides encryption as well as legal protections to hide customers’ credit information. They delete credit card data as soon as the transaction is complete. This is totally in compliance with the service agreement of most plastic providers. The customer must resubmit their card information each month, but it is a very safe and effective method of protecting information.



People who are involved with promoting violence and child pornography will still be tracked as Sweden’s law is tight, but not absolute.



At least two-thirds of the current 21,000 customers are based in the United States. This is a reflection of the concern about exposure of personal data. It could also indicate the number of people who may have a reason to hide information.



Although many may feel this new service is a great way to regain peace of mind, it is my guess that few will use it in the long term.



I think the authorities in both countries will raise an eyebrow should traffic increase substantially. Global law enforcement compacts will probably be changed so that at least official investigating agencies will have greater access.

AT&T Goes After Data Brokers

AT&T has filed a suit to identify data brokers who used fraudulent means to gain access to customer phone records. The company claims that more than 25 different brokers used the ploy to dupe the phone giant into granting access.



These data brokers would then sell the information to clients. Many offered this service to check up on suspected cheating spouses and other investigative purposes without obtaining a court order. Unfortunately, it is illegal to engage in this sport.



Since no defendants were specifically named, the company can now use discovery powers to subpoena data sellers’ records. The plaintiff will use computer records to reconstruct the movements of those who violated the law.



AT&T froze online access to phone records, which precluded web access not only for the perpetrators but also for some 2,500 customers. The court action seeks an injunction to cease the phone record mining. The complainant also seeks monetary damages. We will keep an eye on this case.

Major Worldwide Dragnet Nets Scammers

Authorities busted 565 individuals responsible for scamming Americans out of more than $1 billion. Most of these scams played on our sense of greed.



Many of the culprits were in West Africa running variations on the Nigerian scam. The fraud claims to have money in another country, and tries to get the victim to work with a fictitious attorney. The counselor claims to be able to help spirit the money to the victim. There is never any money that comes toward the mark.



Another posse of criminals wrapped up in the sweep targeted non-English speakers who were promised credit cards for deposits. Needless to say, the cards never arrived and the recent immigrants were unable to contact the source of the crime.



A third area of misdeed was international lotteries. In this scam, the injured party was conned into paying taxes for supposed winnings in a foreign lottery. Sometimes the unfortunates were even mailed fake cashier’s checks. This newsletter discussed these instruments on July 12, 2006 in Volume II, Number 2.



Operation Global Con took more than 14 months to culminate in arrests. This was “the largest enforcement operation of its kind.” The authorities have netted 61 convictions and 139 arrests in the United States. Another 426 people were arrested in Canada, Costa Rica, the Netherlands and Spain.



The action comes on the heels of another lottery scam broken up by U.S. and Costa Rican authorities.

Banks See Yet Another Rule Change

The FFIEC is a group of federal agencies that work together to regulate financial institutions. Last year the assembly decided that financial institutions must use additional means to confirm the identity of customers who use online banking systems. That rule goes into effect at the end of this year.



The set of regulators has taken further aim at identity theft by developing a list of activities that signal possible identity theft. The pattern of transactions, which I am reluctant to present in this format, raises so-called “red flags.”



Financial institutions will be required to verify the legitimacy of the acts. If the true ownership cannot be established the transaction should be terminated. This shifts some responsibility back to the banking organization, but can be quicker than calling in law enforcement.



Financial groups have 60 days to comment on this proposed rule before it can be enacted.



On the bright side, several software companies have developed systems that look for the questionable deeds and alert appropriate personnel. Hopefully, the cost is affordable for all sizes of providers.

What To Do About That Cellphone

Many people continue to upgrade to the latest and greatest cell phone technology. The newest models feature GPS, camera, MP3 and by the way you can make phone calls. How you dispose of the old phone is now causing some concern.



People are trying to recoup some of their investment by selling the old equipment on sites like eBay. Unfortunately, the information on the unused devices can open a window into your past. A study of some recent purchases found the contact list intact. In addition, text messages were available, including discussions of love affairs.



In the most egregious error, a former corporate executive left the plans for a major business expansion on his portable communication device. Many credit card numbers and ATM PIN numbers were also discovered. This type of disposal could lead to more than embarrassment; it could lead to financial loss. In most cases the loss is self-inflicted.



The safest thing you can do is destroy your old phone, or donate it to a group that will set it up as an emergency device for someone who cannot afford a cell phone; in that case all features except dialing 911 are blocked. You can also protect yourself by only saving data to a removable memory card and removing the card before selling the phone. Most current models have this feature. You can learn more by reading the owner’s manual.



Should you sell your cell phone to another party, you are putting your call list at risk as well as your personal information. You might even lose a few friends.

Tuesday, January 02, 2007

Bits and Bytes – Blurbs Concerning Information Security

Jayson Harris of Davenport, Iowa was sentenced to 21 months in prison for his phishing expedition. We have followed his case since his arrest. You may remember that he used a fake MSN e-mail to convince people to reveal their personal information. The scam was foiled when the mother of a Microsoft employee forwarded the e-mail to her son. Microsoft sued Harris and won a large financial judgment. This should be the last we hear from Harris for at least a while.



Old Mutual Capital, Inc. reported the theft of a laptop computer, placing 6,500 investors’ personal information at risk. Account numbers and Social Security Numbers are included in the data on the equipment. Just another shining example of being able to learn from the unfortunate experiences of our competitors. In 2006, Ameriprise and Fidelity both reported stolen units. Recommendations have been made, but companies are either not implementing or not adhering to security policies.



Barely two months after the loss of computer equipment containing personal information on 26.5 million veterans, the Veteran’s Administration reported the loss of another portable device. Data in the latest event was not encrypted or password protected. The government agency did announce afterward that they will encrypt information in the future. This embarrassment is a glaring example of your tax dollars at work.



A new phone scam is making the rounds. The caller claims that Medicare is issuing new cards and the operator must confirm your personal information. The potential thief then asks for your Social Security Number, name and address. Should you receive such a call, simply hang up: MEDICARE IS NOT ISSUING NEW CARDS!



Vanguard is implementing technology that is being used by some of the largest banks. The investment company is beginning to track the habits of its online customers to detect fraudulent or suspicious activity. Banks are required to implement such tactical measures by the end of the year, but no such demand is made of investment companies. I applaud Vanguard for its proactive action.

Social Engineers Biggest Threat

With all of the engineering fields in the professional world, you should be very aware of the one that poses the biggest threat to your finances. The job of social engineer is practiced by people intent on gaining your confidence. We used to call these people confidence men or simply con men.



These folks prey on our nature to trust. It is a normal reaction to believe the best in people and we really want to live in a world where people honestly deal with one another. Unfortunately, that basic trust is the key for a social engineer to ply his trade.



Many of these artists seem to take a special interest in you personally. They will ask about your family and try to gain specific knowledge. The best practitioners appear to be trustworthy enough to watch your children. Be very careful of strangers prying into your personal life. These sly people will convince you that they are helping you, when in fact you will be sorry for your kindness.



Among recent examples of social engineering that have surfaced are people who try to send excess payment for products or services you provide, and ask that you just refund the difference. Callers who try to help with jury duty problems, or Medicare issues should set off a red light. People who contact you through e-mail claiming to know long lost relatives who have left you a fortune are also suspect.



To assist you, these frauds may offer to do home repairs or run errands. They may also claim they have found a winning lotto ticket, or some other valuable item, and invite you to split any reward.



Frank Abagnale was probably the best social engineer in history. Should you wish to learn more about this occupation, I suggest you read the book Catch Me If You Can or watch the movie of the same name. You will find a great many very good examples of the practice, and you will also enjoy the irony of trusting a crook.

Colleges In Need of Remedial Education

Since January 2005, 76 schools have reported 109 computer breaches. Yes, some of the institutions have had more than one experience with this problem.



Employers depend on our higher education system to produce the future players in the U.S. economy. It is somewhat discouraging that it is also producing opportunities for the exposure of private personal information. It is estimated that as many as one-third of all data exposures occur on college-owned computer equipment.



In parallel, the Department of Education is requiring increased reporting of individual student progress, which requires schools to collect more data. Some institutions still use Social Security Numbers as student IDs. I have been touting a change from this practice for more than five years, and I have worked with colleges on strategies for change.



Some of the problem is attributed to decentralized responsibility for student data. Teachers carry laptops with student data. Department heads, admissions, recruitment and placement offices also handle personal information. There are usually no campus-wide security procedures, so the data may be exposed in a variety of ways. Information on donors, students, bookstore patrons, recruits and employees has been exposed.

Is Web Search Data Private?

The federal government asked web search providers to preserve search data for a 90-day period, as provided for in the 1986 Stored Communications Act. This request led to yet another uproar over privacy rights. The original request did not ask for names to be attached to the data; the government was interested in mining the data for phrases that might be used by terrorism suspects, child pornographers and drug smugglers.



USA Today reported that AOL, Yahoo! and Microsoft provided limited information, while Google loudly protested and refused to comply. This space is not large enough to debate the pros and cons of such requests, so I leave that discussion to those among you who wish to do so in private.



The administration wanted to extend the period to two years. Remember, the law is on the books and has been for twenty years. As with fraud, forgery and counterfeiting, law enforcement has shifted part of the job to the private sector.



Then a funny thing happened on the way to the debate: AOL exposed data collected from the searches of 650,000 users. The results are probably what you might expect: millions of searches, most of them for free stuff. The word "sex" was 17th on the list. Large-scale searches for child porn, explosives and drugs did not show up in the data.



Everyone who uses a device connected to the Internet should know the following. Your searches are not private: the provider keeps them, and the Stored Communications Act lets the government require that they be preserved for 90 days on request. You are not anonymous: every request on the Internet comes from an address that can be traced, and the search provider logs that address alongside your query. If it is illegal in the physical world, it is probably illegal in the cyber world (child porn, drug smuggling and, within the United States, online gambling).



Most people are decent and law abiding. That is the reason we don't need more police than civilians. Just as computers have allowed businesses to increase volume at incredible speed, the same factors have been exploited by people who wish to break laws.

Laptops Offer More Security

Laptops manufactured by Dell, H-P, Lenovo (formerly IBM), Toshiba and others are adding devices to protect laptops from losing their load of information. These innovations allow employees to travel with laptops with less risk of losing valuable customer or employee data.



Gateway, Toshiba and Lenovo have introduced fingerprint scanners that can be required to gain access to websites. These devices reside on the laptop itself, so no additional equipment is needed. The owner can require a fingerprint to be scanned before the computer can even be used. This simple $50 addition can protect millions of dollars' worth of data. One caveat: a fingerprint that merely gates the login screen does not protect the data if the hard drive is pulled out and read in another machine; for that you need the encryption discussed below.



H-P has introduced a smart card reader that prevents use of the machine until the card, presumably carried by the user, is inserted into the computer.



Some Toshiba devices require the mobile worker to insert a key and turn a switch before the power can be applied. This is an approach similar to putting a key in the ignition switch of an automobile.



Software developers have produced products that can remotely erase hard drives if a laptop is lost or stolen. Others have developed GPS tracking systems to search for lost or stolen devices. Both depend on the thief connecting the machine to a network before the data has been copied off it.



Perhaps the simplest of solutions is to password protect files. Note, though, that a password by itself does not hide the data unless the file is actually encrypted. A better solution is to encrypt the data on transportable units and require the user to log onto the main network to retrieve the key that makes the data readable; a thief who has the laptop but not the network then has only unreadable ciphertext. Had these two steps been implemented and followed over the past couple of years, 60 million records might not have been exposed.

Employers Add Another Benefit

Employers are beginning to offer their staff identity theft protection services. Companies have learned that workers who have been victimized by this crime spend company time clearing their names. Several providers offer products to help personnel complete the many steps that have to be taken. Although some actions can only be done by the victim, these services can shorten the time to completion.



It is estimated that a person can spend up to 18 months and over $2,000 to clear their credit report after an incident of identity theft. By offering these services, a company may instill more loyalty in its employees. Of course, I might suggest providing each employee with a copy of my book, Protect Your Good Name! (From IDentity Theft), or at least the opportunity to buy one. The book is an easy read and contains many suggestions for preventing an attack as well as for resolving the problem should it occur. It is also a far less expensive tack.



My company, Information Security Education, LLC, also offers training sessions for employees and clients. The basic courses can be done in as little as two hours and cover protection around the home, personal computers and protecting your business. I have conducted these courses for individuals, community groups, colleges and private companies. The rates are reasonable and the comments have been very good.



Information Security Education, LLC can also work with your business on the prevention of information theft. Data breaches have exposed more than 60 million private personal records since February 2005. Educating employees as to the importance of privacy was cited by The Wall Street Journal as the single most important preventive measure.



If you are an employer, you may consider this benefit as a way to promote goodwill. If you are an employee feel free to share this information with your employer. The more people who are informed about the issue the better chance we have to prevent it.

Monday, January 01, 2007

Bits and Bytes – Blurbs Concerning Information Security

Since February 2005, more than 90 million people have had personal information exposed. The 243 data losses, involving colleges, government agencies, private companies, investment firms and even auditors, have left one in three Americans potential victims of identity theft. Consumers should expect tighter controls from organizations that collect private personal information in order to conduct business.



Online activities may benefit from a new service that verifies that a person actually is who they say they are. The service uses publicly available web sources such as Google to confirm identities. This verification technique is also being used by some online stores, but the results may not be fully reliable: people with common names may be confused with others unless unique identifiers are used. Better verification resources are background checks that delve into court records, sex offender registries and credit reports.



If you use McAfee Internet Suite, go to the McAfee site to make sure you have the latest version. The software is known to have vulnerabilities that attackers can exploit. McAfee has delivered a patch, but it does no good unless consumers install it on their PCs.



Authentium, a new company, has developed software to secure transactions (mostly online financial ones) from hackers and spyware. The product, called "VirtualATM", closes all other programs running on the user's computer and creates a virtual private network in which to work.



CS Stars of Amarillo, Texas lost a computer containing records of more than half a million New York state workers. The state notified the people whose information was lost by letter. The company handles New York workers' compensation claims. The FBI is involved in the investigation.

Vacationing Tips

Vacations are a great time to explore new places, try new things and generally recharge your batteries. In this last part of Summer, I want to give you some tips if you consider taking your computer with you. The first and most vital tip is “DON’T.” We have become addicted to the electric appliance, but if there is any way to avoid taking it on the road, find it. You will be much more refreshed when you return.



However, not everyone can break the addiction, so I want to pass along some suggestions if you must take along your inanimate friend. The first and most obvious is to have up-to-date firewall, anti-virus and anti-spyware protection; updates should also be applied at home at least once a week. On vacation you will most likely be seeking free or low-cost Internet access. These hotspots have little or no security, so assume that anyone else on the network can watch unencrypted traffic, and stick to sites that use https or to a VPN back to your office.



Make sure you have backed up your files. Place the backup in a safe, secure location at or near your home. In case of computer loss, damage or sabotage, you will be able to recover your precious data. You will also want to remove critical personal files from your computer and from any USB drives making the trip. If you work for a company and have detailed customer information on the machine, remove it before your trip.



You should password protect your equipment. This will slow or stop a thief from accessing your files. Although it may seem obvious, please don’t put your equipment in a checked bag. Your checked bag will go through x-ray machines, be tossed around and handled by people who look for treasures. The risk of damage or theft increases whenever you are not in possession of your equipment.



In a separate place, keep a list of the online sites with which you are registered. Should your computer be lost or stolen, contact these organizations, change the passwords and, if necessary, cancel the accounts. Otherwise the bad guy can simply log on to your machine and click into your accounts. Many online merchants keep your credit card on file for convenience, but to a thief that is point-and-click profit.



Enjoy the Summer, take up a new hobby, get a tan and by all means get away from the real ball and chain (your computer).

Fake Virus Notice Downloads Real Virus

An e-mail making the rounds recently claims to be from Microsoft, warning you to take action against a new virus. If you click on the link, you will actually download a virus onto your computer, allowing the hacker access to it.



The link looks like it goes to Microsoft, but it actually sends you to a site in Romania. Many computer problems are linked to Eastern Europe, but the originator could actually be located next door.



This particular attack asks you to go to http://update.microsoft.go.ro. The end of a host name, not the beginning, tells you who owns the site: this address ends in go.ro, so it belongs to whoever controls go.ro, and the "microsoft" in front is just a sub-domain label that owner chose. The final letters "ro" are the country code for Romania.



If you run Windows, simply turn on Automatic Updates. Your computer will then periodically check Microsoft's update servers, and Windows will notify you when a download is available. Microsoft does not send unsolicited e-mails telling you to click a link to fix a problem. In fact, Microsoft is rather secretive about its software problems.
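To make the host-name point concrete, here is an added example (not from the original post) that pulls the host out of a link and works out which registered domain actually owns it. The suffix list is a small constructed subset of the public suffix list; a real tool would load the full list from publicsuffix.org. The demo URLs other than the one quoted in the post are constructed, including one using the "user@host" trick that browsers also accept.

```python
"""Added example, not from the original post: decide who really owns the
host in a link. PUBLIC_SUFFIXES is a constructed subset of the Public
Suffix List (a real tool loads the full list from publicsuffix.org)."""
from urllib.parse import urlsplit

# Constructed subset of public suffixes: the parts of a name that a registry,
# not an individual, controls. The registrable domain is one label deeper.
PUBLIC_SUFFIXES = {"com", "net", "org", "ro", "co.uk", "com.au"}

def registrable_domain(host):
    """Longest-suffix match against the public suffixes, then one more label.
    'update.microsoft.go.ro' -> 'go.ro'; 'www.microsoft.com' -> 'microsoft.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)

def country_code(host):
    """A two-letter final label is a country-code TLD ('ro' = Romania); else None."""
    tld = host.lower().rstrip(".").rsplit(".", 1)[-1]
    return tld if len(tld) == 2 and tld.isalpha() else None

def check_link(url, expected_domain):
    """Return (ok, message). ok is True only when the link's host is really
    registered under expected_domain. urlsplit().hostname drops any 'user@'
    prefix, so 'http://www.microsoft.com@evil.ro/' is correctly seen as evil.ro."""
    host = urlsplit(url).hostname or ""
    owner = registrable_domain(host)
    if owner == expected_domain.lower():
        return True, f"OK: {host} is under {owner}"
    cc = country_code(host)
    where = f" (country code {cc})" if cc else ""
    return False, f"SUSPICIOUS: {host} is really under {owner}{where}, not {expected_domain}"

if __name__ == "__main__":
    for url in ["http://update.microsoft.go.ro",         # the link quoted in the post
                "http://www.microsoft.com@evil.ro/",     # constructed: userinfo trick
                "http://www.microsoft.com/downloads"]:   # constructed: genuine host
        print(check_link(url, "microsoft.com")[1])
```

Run this against the href of a link (the address the link actually points to), not the blue text shown in the e-mail, since the two need not match. The userinfo case matters because everything before the "@" is ignored by the browser, so a link can be dressed up with a trusted name and still land somewhere else.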

Cartoon Not So Funny

A comic strip called “Retail” recently ran a joke about Identity Theft. In the strip a customer tries to pay for a purchase with a credit card. The customer had not signed the card, and explained to the clerk he was taking steps to reduce identity theft.



The customer explained that by presenting an unsigned card, the clerk would be prompted to ask for a photo ID to make sure he was indeed the cardholder. The strip points out that although the customer's scheme may be good in theory, any thief with a pen could simply sign the back of the card in order to use it.



This comic caused me to chuckle at first, but then I realized the point is not publicized enough. If you are carrying credit cards that do not contain your signature, sign them immediately. Handwriting varies among individuals, and a thief would need painstaking hours to match your signature, though bear in mind that few clerks compare signatures at all. You may wish to write "See Photo ID" on the card as well, but remember identity thieves are very good at making false credentials.



Sometimes the joke carries a point; don’t just laugh them off.

Are Empty E-Mails a Threat?

A new phenomenon is occurring on the web. People are receiving e-mails from famous but long-dead authors. The interesting aspect is that the e-mails, once opened, are empty. This activity has most computer users scratching their heads.



Empty e-mails can be a forewarning of many types of scams. The first and most obvious use of these messages is to gather legitimate e-mail addresses (any address that does not bounce is live), which are stored and sold to spamming operations. Each legitimate e-mail address can be sold for two to ten cents.



A second reason for this e-mail storm could be a test of zombie networks. A zombie network is formed by a hacker or group of hackers who install programs on PCs without the authorization of the computer owner. The network is then placed into service by its controller, mailing millions of bogus e-mails to unsuspecting users around the world through the captured PCs.



A third reason for these empty e-mails may be to expand zombie networks. Programs may have been developed to automatically load malware when the empty e-mail is opened, for example through a flaw in how the mail program renders the message. This threat has been mentioned before but not fully documented.



In any event, you should be very careful of items landing in your inbox. If you do not know the sender of a message or the subject line seems bogus, simply delete it without opening. Although some spam carries instructions to unsubscribe, my advice is not to respond at all. By answering in any manner you have verified a valid e-mail address. This could simply increase the amount of unwanted e-mail you receive, or may even wreak more havoc on your PC.



Another important point is that the subject line will often show "Re:" or "Fwd:". If the e-mail is from someone you know and contains either of these in the subject line, be sure that you know the original message and e-mail address which the reply references. For a forwarded e-mail, make sure the message is one you are expecting before opening it.
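The two checks above (an empty body, and a "Re:" that does not correspond to anything you sent) can be automated from the message headers alone. The following is an added example, not code from the original post: it parses a raw message, confirms that a "Re:" subject is backed by an In-Reply-To or References header naming a message you actually sent, flags a Reply-To that would steer your answer to a different domain than the From address, and flags an empty body. Both sample messages and the set of your own Message-IDs are constructed; a real client would take the sent IDs from its Sent folder.

```python
"""Added example, not from the original post: header checks for a message
that claims to be a reply, plus the empty-body check. The raw messages and
MY_SENT_IDS are constructed sample data."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: Message-IDs of mail you actually sent (a real client reads its Sent folder).
MY_SENT_IDS = {"<20070105.1234@home.example>"}

def body_text(msg):
    """Concatenate the text/plain parts, the only part a human reads."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "".join(chunks)

def suspicious_reply(raw_message, sent_ids=MY_SENT_IDS):
    """Return the reasons a message looks wrong; an empty list means the
    headers are consistent with a genuine reply from the named sender."""
    msg = message_from_string(raw_message)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject.startswith("re:"):
        # A genuine reply cites the message it answers in In-Reply-To / References.
        cited = set((msg.get("References") or "").split())
        cited.add((msg.get("In-Reply-To") or "").strip())
        if not cited & sent_ids:
            reasons.append("subject says Re: but no cited message is one you sent")
    from_domain = parseaddr(msg.get("From") or "")[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To") or "")[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"your reply would go to {reply_domain}, not {from_domain}")
    if not body_text(msg).strip():
        reasons.append("empty body: likely an address-harvesting probe")
    return reasons

# Constructed sample messages.
GENUINE_REPLY = """From: Alice <alice@colleague.example>
To: me@home.example
Subject: Re: meeting notes
In-Reply-To: <20070105.1234@home.example>
References: <20070105.1234@home.example>
Message-ID: <9981@colleague.example>
Content-Type: text/plain

Thanks, see you Tuesday.
"""

EMPTY_FAKE_REPLY = """From: Charles Dickens <dickens@colleague.example>
Reply-To: bounce-check@promo.example
To: me@home.example
Subject: Re: your account
Message-ID: <zzz@promo.example>
Content-Type: text/plain

"""

if __name__ == "__main__":
    print(suspicious_reply(GENUINE_REPLY))     # []
    print(suspicious_reply(EMPTY_FAKE_REPLY))  # three reasons
```

The From header is trivially forged, which is why the check does not trust the displayed name; it trusts only whether the message cites a Message-ID that your own mail client generated, something a stranger who merely harvested your address does not know.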

Add Another Tool to Your PC

I have long touted that personal computer users should have an arsenal of defense mechanisms on their desktops. Anti-virus, firewall and anti-spyware programs are available at nominal cost and provide excellent protection for PCs. Unfortunately, the threats continue to change as the bad guys change the ways they invade your computer. Major security vendors are trotting out new tools they claim will prevent you from unknowingly downloading fraudulent software.



Microsoft enters the mix by letting users of Internet Explorer 7 set an option to turn off ActiveX controls. ActiveX lets a web page run native code on your machine for specialized functions, and that capability has repeatedly been exploited by attackers to install spyware without the user's knowledge. IE 7 is free.



Symantec is offering a product dubbed "Norton Confidential" which can be downloaded free during the test phase. One of the most respected names in computer security, Symantec maintains its software will actually prevent spyware from stealing your personal information. Symantec expects the package to fetch from $40 to $50 when it goes on sale.



Another well-known security vendor, McAfee, approaches the problem from a different angle. Its software tracks websites that are known to push spyware and warns the user before a download from a questionable website. The package, called "SiteAdvisor", is free to download.



Check Point Software Technologies, the maker of ZoneAlarm, is adding a feature to its "Internet Security Suite 6.5" which will monitor black market sites and notify you if your personal information is listed for sale. The package sells for $69.



Given the rise of spyware which reports personal information back to crooks, you should consider adding one of these tools to your supply of protection software.