Sunday, September 03, 2006

We take identity theft seriously, but our banks are dragging their feet

http://observer.guardian.co.uk/cash/story/0,,1863652,00.html
"We take identity theft seriously, but our banks are dragging their feet"

"Readers feel that administrative errors by lenders are at least partly to blame for rising credit card fraud"
Lisa Bachelor
Sunday September 3, 2006
The Observer

"Credit card holders need to be extra vigilant about fraud on accounts they no longer use. Cash has learnt of a number of recent cases where banks have continued to send out cards and Pins even after being informed that the card holder has moved."

Comment: Should consumers or credit card holders be responsible for this problem? The title of the article says "adminitrative erros by the lender." Hmmmm...

Friday, August 18, 2006

Passport Perks

Last month, a man who was shipped to Cyprus after being saved from
Lebanon was seen on CBC television waving and thanking his Canadian
passport. That image was also carried across other media channels
to both sides of the hot debate that was to come.

It was all in part of the mass evacuation of possibly over 16,000
Canadian passport holders while Israel pounded Lebanon for weeks.
By comparison, the U.S. evacuated roughly 15,000 citizens.

Under heavy media criticism and pressure, Canada committed to
spare no expense to get its people out - regardless if they've
decided to permanently live in Lebanon. Of course, some evacuees
still weren't satisfied over what was done for them. It's different
with first-hand experience.

Besides the enormous effort to evacuate 16,000 people from a
country of shelled out transportation infrastructure, the press
failed to mention security screening.

Who cares about customs screening when you have to rush 16,000 to
safety? It's not like shipping in a few fugitives or terrorists
with stolen Canadian passports matters when you have to get people
out.

Besides, who's counting after a hundred people jumped the gate
while you're checking papers - if you're one of the few government
workers watching the post half a world away?

Security aside, a debate simmers today over the perks that should
go with having a passport. Should citizens get a free (taxpayer
paid) ride out of a foreign country - even if the citizens
permanently live in the foreign country?

Well, now the tab's been placed on the taxpayer's table, and the
total appears as high as 100 million dollars. That's more than the
70 million the U.S. spent to extract its citizens. With that much
money being spent, some countries need to think carefully over its
free ticket policies.

I'm sure it's a complex issue, but $100 million seems like a lot
of money when I'm already giving up to 6 months of a year's worth
of pay to the government tax department.

Personally, I believe it's a tragedy when innocent people are
caught in the middle of such conflicts, but those who got out of
this conflict alive should thank the perk that came with their
passport - as a minimum.

But that's my rant, and I'm sticking to it. Now excuse me while I
rush out to renew my passport.

Thursday, August 10, 2006

Wichita Eagle | 08/06/2006 | Feds press banks to fortify security

Wichita Eagle | 08/06/2006 | Feds press banks to fortify security: "Federal regulators are pushing banks and other financial institutions to make their Internet banking systems more secure.
They're specifically focused on identity theft. Last month, federal regulators announced a proposed rule for banks, financial institutions and credit card companies to develop an identity theft prevention program for new and existing customer accounts.
More pressing is a rule announced last year that requires banks and financial institutions to have in place at the end of this year a beefed-up system of ensuring a customer's identity when using Internet banking systems.
It's something that industry officials said could cost banks tens of thousands or hundreds of thousands of dollars to implement.
'As an industry we have to have the ultimate protection,' said Steve Carr, president of Community Bank of Wichita, which has $37 million in assets.
'If it costs extra money, we'll spend it. We don't like it, but that's what we have to do.'"

Comment: Note the banker saying "we don't like it" to spending money on beefing up security. "But that's what we have to do" is a must if it's federally mandated by law. Duh! It just shows business aren't in the business of protecting identities or providing good security - unless they're forced to.

The Chetek Alert

The Chetek Alert: "Chetek senior citizens received a new weapon in the fight against identity theft Monday, Aug. 7, as Wisconsin Attorney General Peg Lautenschlager and Barron County Sheriff Tom Richie presented a paper shredder to Chris Fritz of the Chetek Senior Center."

Comment: Look out! Everybody down! She's got a shredder! Take that you identity thief! It's just too bad this weapon only took out one identity thief among so many others who are impervious to the shredder of mass destruction.

The Anatomy of Computer Hacking Over The Internet - Part 4

The Anatomy of Computer Hacking Over The Internet - Part 4

In past three issues, we talked about the three stages of Internet
hacking: reconnaissance, research, and attack.

Fact is Internet hackers want what's on your computer. They want
to see what's there, maybe do something with what you've stored
there, or perhaps take control of your computer for them to use it
as they please.

It's also easy to find other computers on the Internet. And
breaking into one belonging to a clueless soul isn't hard either.

Worried? You bet you should be if you haven't done anything about
it yet!

I'm going to give you some basic info to get you started on
protecting yourself... but it's up to you to act now - if you
haven't yet.

I call it the common approach to layered security.

Put layers on layers of defensive measures around your personal
computer - like a fortified castle - so you're not exposed if one
layer fails.

The security layers are also cumalitive in effect.

If one security layer is only 50% effective, 1 hacker out every 2
would get through. But when you combine two different security
layers that are 50% effective each, the number goes down to a
hacker out every 4 getting through. Add another security later of
effectiveness, and the number drops down to 1 of every eight
hackers... and so on.

In oversimplified terms, two different security layers that are
50% effective each are 75% effective combined.

Using the fortified castle as an analogy, intruders had to
penetrate several layers of defenses to get inside a castle during
the middle ages.

The intruders first faced the archers' arrows while crossing open
fields surrounding the castle. Then they had to get over a
surrounding moat. Once over the moat, they needed to break through
thick solid gates or climb over tall rock stone walls - all the
while the defenders dumped scalding hot oil and rock onto the
attackers. And inside the outer wall, the attackers might face yet
another wall and more defenders.

The defender's goal was to reduce the number of attackers at each
defense layer - until the remaining number of attackers came down
to a manageable level.

And the same goal goes for good security practice today.

Now while you can't immerse hackers in scathing hot oil or
ventilate them with arrows (as much as you might like to), you can
easily and cheaply put up similar barriers to keep intruders out.

Here's how:

1) Create a security perimeter with a separate "firewall." Look at
this layer as the open field and moat in the fortified castle
analogy.

These "firewalls" are stand-alone hardware devices in nature.

I suggest having these because they're less likely to shut off
accidently like software "firewalls." And the separate firewall
provides an extra layer of security removed from your personal
computer.

Hardware "firewalls" have also come down to more affordable price
levels - as low as under $70.

Commerically available "firewalls" barely existed when when I
created my first web site (about the same time Microsoft put up its
first web site). Firewalls back then did a simalar job as personal
firewalls today, but sold for tens and hundreds of thousand dollars.

So price shouldn't be an issue especially if you're connected to
the Internet with an "always on" high-speed line.

The ideal way to setup these firewalls is to allow outbound
connections to the Internet, and disallow inbound connections from
the Internet.

If you must allow inbound connections, you're on your own... No.
Seriously, managing inbound connections requires more attention,
which goes beyond the basics we're talking about here.

Depending on reader demand, I might cover this in a future issue.

I use a Netgear router firewall for my personal Internet
connection, but you have many choices depending on your needs.

Note: If you're using telphone dial-up Internet service, you can
worry less about this type of firewall security. You're likely to
be assigned a new Internet address each time you dial-up for
Internet service. You're a moving target with dial-up service, and
the hacker doesn't have as much time (or connection speed) to do
his work while you're online. Plus if you have the next layer of
security I'm about to
talk about, it gets even tougher for the hacker.

2) Create a second security layer of security with a PC-based
"firewall." This layer can be viewed as the stone wall in the
fortified castle analogy.

These PC-based software firewalls do the same thing as the
hardware firewalls - but it sits on your computer. Once the hacker
gets through this layer, he's inside your computer. You're also
exposed if the software firewall accidentily shuts down.

Other methods can lock down your computer without firewalls, but
I'm keeping it simple here. Personal firewalls have become a
standard. Even Microsoft gives away a free version with Windows XP
today.

If you don't have one yet, get one right away! Even if you use the
free Windows XP SP2 package, Internet security software is a
personal computer necessity.

A couples weeks ago, Denise P, a fellow Canadian PMI reader asked
which Internet Security package I recommend. Thank you for asking
Denise.

It had been a while since I last looked, and the players in the
market have changed quite a bit. I was surprised to find
yesterday's top players had fallen behind, or were no longer
favored among reviews.

Of all the Internet security software packages I looked at, I
recommend PC-Cillin Internet Security 2006 today. You can get more
details on this package at the following link.
http://www.amazon.com/exec/obidos/redirect?link_code=ur2&tag=protec
myinfoc-20&camp=1789&creative=9325&path=tg%2Fdetail%2F-
%2FB000BJLN10%2Fqid%3D1132883656%2Fsr%3D8-
2%2Fref%3Dpd_bbs_2%3Fv%3Dglance%2526s%3Dsoftware%2526n%3D507846

I suggest integrated security packages primarily for performance
and anti-aggravation reasons. I've found mixing and matching
security software drags down desktop computer performance. And
some won't play with each other. Avoid this unless you like
tinkering with your computer.

3) Take precautions when you let anything inside your security
perimeter.

This deals with allowing outside connections or files into your
computer. There are many ways in, and I'll talk about this in
upcoming issues of PMI. For now, the best protection is not to
allow outside connections or files into your computer if not
necessary.

4) Update your software

Don't run unsupported and out-of-date software.

Some people call this patching. Other call it upgrading. In any
case, keep your software up-to-date.

People make software and people make mistakes. Because of this,
software have flaws... flaws that allow people to make the software
do things that weren't intended - like giving control of your
computer to hackers.

Don't buy into the argument that only Microsoft makes software
with security flaws. All commercial software have flaws, so be
vigilant.

Make sure people who make the software you buy fix their flaws.

Microsoft has done a great job with their Windows auto-update
feature. Use this feature if possible.

You can also manually update your software, but I don't recommend
this if you run a lot of software. It's a pain, and you should know
your risks if you decide to ignore what should be done.

By following the layered approach to security, you remove a vast
majority of Internet hacking attacks. The remote hacker can't do
much if your computer won't accept incoming connections. The
hacker can scan all he wants but he's not going to find much to
attack. He's likely to move on to
find easier targets.

The four recommended security layers here won't protect you 100%,
but it's a start starting point.

In future PMI issues, I'll cover other attacks and ways to defend
against them.

Sunday, July 23, 2006

Anatomy of Computer Hacking Over The Internet - Part 3

In last two issue, I talked about the first two stages of Internet
hacking: reconnaissance and research.

Now comes the fun part - the attack.

The wily hacker's looked over the doorways, rattled door knobs,
and poked and prodded the target computer for weaknesses. He's also
done his homework on all the info he's collected.

He's back with toolbox this visit. If his homework revealed no
one's at home and no one's watching, he got it easy. He can bang
away with a sledge hammer without dropping a single sweat of worry.

But before we getting into what the wily hacker's digging for,
let's look at sample of steps he took to get to this point.

I'm going to pick on Linux Desktop OS just to be different.
Microsoft Window has its flaws and most people run the software,
but Linux security flaws don't get enough spotlight attention. We
can't let Microsoft steal the whole show can we?

Suppose the hacker's scanned the Internet for computers running
"telnet," a command line program that runs on "port" 23.
Remember the past discussion about "ports" and "address?"

Internet addresses are like street address to each computer
(host), and ports are like suite numbers at an apartment at that
street address. Computer programs communicate over the Internet
using "ports."

After his Internet scan, the hacker looks into who and what's at
all the addresses that responded on the target port.
He'll check if Telnet is running on the target computer.

Linux includes telnet by default, so an inexperienced computer
user will unknowingly run this software by default. And generally,
people who run unprotected telnet don't know good computer
security, and they tend to leave the gates wide open. Easy picking!

I like telnet because it's quick and easy to use. Every Unix-based
system administrator or network technician used telnet at some
point in time: however, that's ending. Security professionals don't
like telnet for its weaknesses. There are better choices. But
that's for another time. Telnet simply allows one to log into a
computer and run programs remotely just by typing in commands
lines... no mouse... no Windows... just a black screen and a
blinking command prompt.

Here's the nice thing for the hacker -- it's a freebee if the
target computer is running telnet and its owner is using default
settings, and has used a simple password like say... "password." As
the younger crowd would say -- the victim's been "owned!"

But even before the target computer's "owned," the hacker might
look into who the Internet address belongs to. The hacker might
even find out which version of software the target is running, so
other weaknesses can be found and used later.

The bottom line is the hacker's broken into the victim's computer,
and he's free to roam through files or do whatever. This is the
attack. Sometimes, the hacker simply takes over the computer, and
plants stuff for a later attack on another computer. This is where
it gets real neat. Imagine some stranger using your computer to rob
an online bank or to bring down and government computer system.
It's happened before. Knock knock... FBI... we have a search warrant.

Telnet's just one example of how a hacker can break into a
computer on the Internet. Thousands of security vunerablities exist
today - and many new ones become publicly known all the time.

According to the Common Vulnerabilities and Exposures (CVE), a
security standards web site, 11,454 publicly known software
security flaws alone exist today. But that's not all Microsoft
either. Software security flaws don't even include threats like
computer viruses or misconfigured software.

Any time you plug your computer on the Internet, you take on risk.
The question you must answer is how much risk you wish to accept.

In the final installment of Anatomy of Computer Hacking Over The
Internet, I'll talk about ways to minimizing risk on the Internet.

Friday, July 21, 2006

Medicare beneficiaries target of latest identity theft scheme

At least seven people in Idaho with Medicare have been the target of a scheme that tries to steal personal information from seniors and people with disabilities.

Scammers using the so-called “$299 Ring” scheme will call Medicare beneficiaries and say they will provide a new Medicare card for a fee, according to the Idaho Commission on Aging. The new card is reported to cover vision and dental insurance.

Many scammers now are asking for more than $299 for the fake card, commission officials said. Some have asked for $379, $350 or $365. They also request bank account information to withdraw the funds automatically.

Federal law enforcement officials said they have received 250 reports nationwide of attempts to steal Medicare beneficiaries’ funds. At least seven attempts were reported in Idaho.

Scammers have used the names of fictitious companies that sounds authentic, such as Pharma Corp., National Medical Office, Medicare National Office and National Medicare.

Comment: It's terrible that fraud perpetrators prey on the weak and uninformed. Like any crime, perpetrators will go after easy targets first.

This particular case can be classed as business identity theft, as the scammers use the ruse they represent known firms when contacting the victims.


Henry
Protect-My-Info.com

Wednesday, July 19, 2006

Ill. Attorney General Holds Identity Theft Summit, State Ranks 10th Nationally

Ill. Attorney General Holds Identity Theft Summit, State Ranks 10th Nationally: "Illinois Attorney General Lisa Madigan recently convened the first-ever Illinois Identity Theft Summit. The goal of the summit was to bring representatives from law enforcement, the court system, government, business and consumer advocacy groups together to brainstorm about how to provide better services to victims of identity theft and develop more effective strategies for preventing the fastest growing crime in the nation.
Speaking at the summit, Madigan also detailed for the first time the current results of her Identity Theft Hotline, which has been in operation since February of this year. The Hotline is a dedicated resource with advocates on hand to assist victims through every stage of the recovery process. Since February of this year, the hotline has handled nearly 3,000 requests for assistance. "

Comment: It's stupid when the right hand has no idea what the left is doing. The federal government already has an identity theft hotline. Why waste more tax payer money???

A hotline isn't what's needed. Fix the cause not the symptoms.

Henry
Protect-My-Info.com

Thursday, July 13, 2006

Anatomy of Computer Hacking Over The Internet - Part Deux

Anatomy of Computer Hacking Over The Internet - Part Deux

Just to pick up on a long forgetten past blog post, I talked about reconnaissance in Internet hacking.

Using the analogy of an apartment, the street address is similar
to your computer's Internet address. And your Internet software
programs have "ports" like apartment suite numbers. I then compared
a hacker's reconnaissance to a stranger rattling apartment door
knobs to find weaknesses.

Today we'll look at what happens after the wily hacker's finished
scanning for possible target computers. He's got addresses, and
he's identified open ports at those addresses. Now he must gather
more information about his potential target.

He's like a stranger who has a list of possible addresses and
apartment suites to burlarize.

But before he does anything... he must do some homework.

After scanning the Internet, the hacker might probe the responsive
addresses some more -- more door rattling.

He's looking for clues about the software running on that target
computer. Even better if he can find out which make, model and
version is running. That way he just has to look up public
information about the software's known flaws. It's worse when the
hacker has his own private tricks to exploit software -- but those
type are less common.

The hacker might even dig into who owns that address, to find out
how juicy the target might be. He wants to know what might be
inside the computer. Any information is good for hacker.

Going back to the apartment analogy, the stranger's wandered the
apartment block to look for suites to break into. He takes notes
about the weaknesses at each door. He'll want to know... is there a
big dog inside? What sort of frame, hinge and lock is on the door?
Are there any signs of alarm systems? What type of alarm? Where are
the getaway exits? And on and on.

He then researches everything from who lives in the suite to
weaknesses around the suites. Then when he knows enough to exploit
the weaknesses, he returns with the right break-in tools... for the
attack.

Before he's back, you might not even notice he's been around - but
you can take protective steps, which I'll discuss after Part 3.

Meanwhile, stay tuned for the next issue when we explore Part 3
of The Anatomy of Computer Hacking Over The Internet.

Have wonderful Thankgiving holiday (if you're down south of the
border).

Until next time, be smart and stay safe.

== Henry Tom