Monday, July 30, 2007

Identity Theft Goes to the Dogs

I liked this version of the story (from the Network Computing folks: http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=201201512):

"For Afonwen Welch Fusilier, some crook had pilched the info and reposted it claiming Afonwen was his pooch--and the proud papa of a litter of purebreds.

"The fruit of Afonwen's canine loins would not come cheap, and the perp was offering the phantom pups for approximately $2,400 (£1,000) to dog enthusiasts and anyone interested. Fortunately, someone alerted Lynne, who in turn flagged the authorities and posted a warning to anyone who was considering contacting the thief."

Heh.

Trusting Voting Machines

The California Secretary of State's office reviewed electronic voting machines. The results are not good ... the review team found flaws in every machine they tested.

The "full monty" is here: http://www.sos.ca.gov/elections/elections_vsr.htm . Lots of PDF files to go through with lots of details.

Watching your VV's and W's

Have you been to the vvindowsupdate.com site lately?

I purposely didn't make that into a link. Look closely at the site name. Then consider that perhaps that isn't a good web site to access.

There are a lot of similarly named web sites being registered, all using two 'v' characters in place of a 'w'. That would be the first step in creating a malware-laden site that will be referenced in some spam email.

The same technique could be used for the letter 'L' (and several other letters) ... what character is this: 1 ? What site is this: we1comebank.com ?

Always be careful about clicking on links in emails. Type in the address, don't click.
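
A defensive check for the look-alike naming described above, as an added example that is not part of the original post: it collapses 'vv' and '1' (plus two assumed pairs, 'rn' and '0') to the letters they imitate and flags observed domains that match a protected name only after that normalization. The function names, substitution table and domain lists are constructed for illustration.

```python
# Added example: flag domains that imitate a protected name by swapping in
# look-alike characters. The substitution table and domain lists are
# constructed for illustration.

# Multi-character sequences first, then single characters.
CONFUSABLES = [
    ("vv", "w"),   # two v's read as a w (the trick described above)
    ("rn", "m"),   # assumption: r + n reads as m in many fonts
    ("1", "l"),    # digit one for lowercase L (the trick described above)
    ("0", "o"),    # assumption: digit zero for letter o
]

def skeleton(domain: str) -> str:
    """Reduce a domain to a canonical form where look-alikes collapse."""
    s = domain.strip().lower().rstrip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def find_lookalikes(observed, protected):
    """Return (observed, imitated) pairs for domains that only resemble
    a protected domain. Exact matches are the real site and are skipped."""
    by_skeleton = {skeleton(p): p.lower() for p in protected}
    hits = []
    for d in observed:
        name = d.strip().lower().rstrip(".")
        target = by_skeleton.get(skeleton(name))
        if target is not None and name != target:
            hits.append((name, target))
    return hits

# Constructed inputs: protected names and domains pulled from e-mail links.
PROTECTED = ["windowsupdate.com", "welcomebank.com"]
OBSERVED = [
    "vvindowsupdate.com",   # vv for w
    "we1comebank.com",      # 1 for l
    "WindowsUpdate.com",    # the genuine site, different case
    "example.org",          # unrelated
]

if __name__ == "__main__":
    for fake, real in find_lookalikes(OBSERVED, PROTECTED):
        print(f"{fake} imitates {real}")
```
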

Tuesday, July 24, 2007

Updates R Us

Lots of updates lately, in addition to the usual monthly Microsoft releases.

Updates for Adobe Flash Player, Apple's QuickTime, Mozilla (Firefox, et al.), Sun Java, and more. Not all of the updates will get installed automatically. You might want to look for the "Get Latest Updates" for your programs. Sometimes those links are found in the Help menu of the program.

Security Policies Ignored at TSA

So your company has initiated several good computer security policies. You've got encryption, there's web and email filtering, firewalls, and more.

Are the users paying attention? Are they following the policies and procedures? Got any way to verify compliance? Anyone looking at the logs?

Ask the folks at TSA (those friendly folks that won't let you have more than 3 ounces of liquids on an airplane, but will put all of those dangerous liquids in a trash can a few steps away ... but that's another post).

Anyway, it seems that TSA has a policy to encrypt sensitive data on all hard drives on laptops and portable devices. And then they found that a hard drive was missing last May. The hard drive contained bank and payroll information for 100,000 employees.

Article here: http://www.star-telegram.com/464/story/170815.html

What's Your Compliance?

Phishing Test

Can you be fooled by a phisherman? The McAfee folks have a test for you. It looks simple, but it's really hard.

Start here: http://www.siteadvisor.com/quizzes/phishing_0707/ . A hint: look very closely at the samples.

I consider myself pretty knowledgeable about phishing scams and evil sites. I did get 8 out of 10 correct. They did call me a "safety guru ... Nice work! Your practically clairvoyant knowledge of the Web allows you to spot even the most realistic looking spoofed sites. We're impressed!"

How did you do?

Boeing InfoInsecurity

The Seattle Post Intelligencer had a series of five articles about problems with Boeing's computer security.

Interesting reading. Especially if you compare what Boeing does with what your company does. Does your company have similar problems? Has anyone even thought of these problems?

Here are the links:

Computer security faults put Boeing at risk
http://seattlepi.nwsource.com/business/323923_boeing17.html

Boeing has been stung by a security lapse before
http://seattlepi.nwsource.com/business/323910_boeingrice17.html

Boeing responses to questions: Round two
http://seattlepi.nwsource.com/business/323842_boeingqa217.html

Boeing responses to questions: Round one
http://seattlepi.nwsource.com/business/323843_boeingqa117.html

Businesses say accounting reform costly, onerous:
http://seattlepi.nwsource.com/business/323905_sox17.html

Monday, July 23, 2007

Click OK For Malware

Here's an interesting theory for cyber attackers: When trying to install an evil program, just create a box on the screen with an "OK" button. "The user will click on 'OK' because that makes the box go away."

That's the opinion of one security researcher called "Simple Nomad" (aka Mark Loveless). He explains his theory in an interesting article on the "Dark Reading" security web site.

Here's the link: http://www.darkreading.com/document.asp?doc_id=129122&WT.svl=cmpnews1_1

So, the question is: how many users will click OK?

Wednesday, July 11, 2007

Computer Repair Data Theft Risk

If your computer dies, and you take it to the repair center, what are your chances that your private information will stay private?

Think about what you have on your computer's hard drive. All those MP3 files. Your pictures (perhaps some really private pictures). Your bank account information. Got a spreadsheet with your passwords? Or one with your credit card numbers? How about Quicken data? Not to mention the 'adult' material that might be there.

There is legal precedent that requires the tech to report any child 'pron' that might be found while working on your computer.

But what about the tech that grabs your private/personal/adult information for his/her own use? How about the guy on the "geek squad" that copies your private/personal pictures to his USB drive?

It happens: take a look at this video from The Consumerist: http://consumerist.com/consumer/investigations/video-consumerist-catches-geek-squad-stealing-porn-from-customers-computer-271963.php . The video clearly shows the tech copying files.

And the followup information there is interesting, as is the similar info here: http://consumerist.com/consumer/interviews/why-computer-repair-techs-steal-porn-from-your-computer-276527.php .

What to do? Here are some ideas:

- Encryption. Put your confidential stuff, whatever it is, in encrypted folders.

- Back up your confidential data to CD/DVD.

- Perhaps even do a "Boot and Nuke" (full overwrite erase) of your hard drive.

- Or even take out the hard drive before you send your computer for repair.

- Store all your data on a USB hard drive (you can even buy a little kit to convert a hard drive to a USB drive). And encrypt that.

Be careful with your data.

Tuesday, July 10, 2007

More Credit Card Fraud - Robin Hood Style

If you are a credit card thief, how do you tell if a stolen credit card number is valid?

There are programs that will analyze the number to make sure the number is OK. But how do you make sure the card is usable?

How about making an on-line donation of a few dollars to a charitable organization? Although the credit card companies look for anomalous transactions (do you normally buy products from a retail store in NYC?), an on-line transaction to the national Red Cross (for example) might not hit the credit card fraud radar.

Symantec reports they've seen this kind of activity. See this article from Network World: http://www.networkworld.com/news/2007/070607-credit-card-thieves.html .

Do you watch your credit card transactions? How often?

The next time you hit the ATM, get the last 10 transactions on your account. Don't wait for your monthly statement, and then learn that your available credit has suddenly gone down to zero.

Credit Cards for Terrorists

Interesting article from Brian Krebs of the Washington Post about how stolen credit cards were used by three guys to fund terrorist activities.

They got the card numbers with phishing attacks and Trojan Horse programs (keystroke loggers, etc). Then they used the credit card accounts to pay for their web hosting services, GPS devices, night vision goggles, pre-paid cell phones and airplane tickets. Over US$3.5 million was charged on those stolen cards.

The article is here: http://www.washingtonpost.com/wp-dyn/content/article/2007/07/05/AR2007070501945_pf.html .

Now think about this other story, also from Mr. Krebs: the US Secret Service arrested six people in Florida for "running an organized credit card counterfeiting ring that netted more than 200,000 stolen account numbers." They bought these card numbers from cyber crooks in Eastern Europe. They then made the counterfeit cards, complete with security features, and sold them for about $15 each. According to the feds, frauds and losses amounted to more than US$75 million. (Link is http://blog.washingtonpost.com/securityfix/2007/07/florida_counterfeit_credit_car.html .)

How secure is your computer? Watch for some hints here.

Monday, July 9, 2007

PDF Pump and Dumps Spam/Scam Mail

Have you noticed a few more 'pump and dump' spam messages in your inbox? Noticed that they are pdf-based? ("Pump and dump" spam tells you about the latest 'hot buy' of some obscure stock. What they don't tell you is that the spammer will be making money on the temporary upswing of the stock due to victims' buys, and the stock price will quickly drop down so you will lose your investment.)

Turns out that spammers are using pdf-based messages, since they are easily made, but harder to block because the characters are distorted a bit in the message.

More info about the spam messages here: http://www.avertlabs.com/research/blog/index.php/2007/06/26/pdf-spam-outbreak/ . And some 'pump and dump' basics here: http://www.investopedia.com/ask/answers/05/061205.asp .

As with all spam, the best practice is to just hit the delete key.