Research published yesterday out of Carnegie Mellon University states that the number of possible values for your social security number is limited by publicly available information such as your birth place and date.
This is significant because financial and educational institutions (among others) frequently use the SSN either to verify who you are over the phone or as an authentication credential on web sites, which greatly increases the risk of identity theft. As a side note, organizations like the American Health Information Management Association (AHIMA) published an article back in 2006 recommending against using SSNs as an identifier in systems that contain health care data.
According to the research, you "could identify in a single attempt the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born between 1973 and 1988. They were able to identify all nine digits for 8.5 percent of those individuals born after 1988 in fewer than 1,000 attempts". Where the first 5 digits of a 9-digit SSN can be identified on the first attempt, the number of possibilities for your SSN drops to only 10,000, which is essentially the same as having to determine someone's 4-digit PIN. Trivial by today's technology standards. Since the Social Security Administration's Death Master File can be purchased online for about $7,000 (if you live in the US, Canada, or Mexico; about $15,000 otherwise), according to Steve Goldsby's blog, this cost could easily be recouped after only a few identity thefts. That is a pretty good ROI for cyber criminals despite the up-front cost.
Be on the lookout this morning for a phishing scam floating around Facebook asking you to visit http://areps.at, a domain registered only a few days ago to someone named Andrew Morov out of Russia. (UPDATE 5/21/2009 11:30am MST - According to this CNet article, the domain bests.at is also being used for this scam, registered to the same person as areps.at)
personname:     Andrey Morov
organization:
street address: Schelkovskiy proezd d.11 korp.1 kv.3
postal code:    105425
city:           Moscow
country:        Russland
phone:          +74956211281
fax-no:         +74956211281
e-mail:         ******@nameclub.at
nic-hdl:        AM5009456-NICAT
changed:        20090515 15:23:43
source:         AT-DOM
Visiting this site will also infect your Facebook profile and cause messages to be sent to your friends inviting them to also visit. Below is a screen shot illustrating the contents of the message you may receive from an infected friend.
If you do receive any of these, contact the person who sent it to you and ask them to change their password ASAP. If you believe that you might have fallen victim to this scam, change your own profile password before whoever has hijacked your account changes it for you and locks you out of your own account!
Last week Heartland Payment Systems Inc reported a data breach of over 100 million credit card numbers and cardholder names. Monster.com is now also reporting a compromise of passwords, user IDs, names, email addresses, and other PII of an undisclosed number of accounts and is advising all of its users to change their passwords immediately. It's too bad that most of monster.com's users only regularly access their accounts when they are actually looking for a job which means that many may never get the message or take the time to update their password. This leaves a lot of accounts as wide open opportunities for identity and data theft.
Combine all of this news with this report on CNN Money that over 71,400 jobs were lost today alone (when I last looked at the report it was 68,000 so the number is getting larger as the day wears on!) and we have a dangerous cocktail for fraud and fraud victims!
So, it is a given that there will be more (and already has been) fraudulent activity related to the monster.com and Heartland breaches. The bigger problem that comes out of this is that we now have over 71,400 people trying to figure out how they are going to support their families and themselves while they look for new employment.
These newly unemployed job seekers are now prime targets for cyber crime. Whether it be stock pump-and-dump scams, fraudulent IRS refunds, phony job announcements (work-at-home opportunities appearing to come from monster.com?), or "make a quick buck" schemes, people in vulnerable positions are frequently the most likely victims of criminal activity. As such, it is important for everyone to be more diligent than ever in trying to separate the wheat from the chaff as it relates to any kind of "too good to be true" offer. Good social engineering preys on weaknesses and stresses a potential victim's urge to "act now". During times of unemployment or uncertainty, your inherent ability to judge is clouded and irrational decisions are often made, resulting in more complicated problems. Be educated, be aware, and be diligent. Don't be a victim.
Happy "Cyber Monday" - what is widely considered to be the official start of the online shopping season. After eating too much turkey, gravy, mashed potatoes, and stuffing on Thursday (and probably Friday, Saturday, and Sunday too!), then spending way too much time in line for Black Friday shopping deals that probably weren't worth getting up at 3am for, today is the first day back at work after the long holiday weekend. As such, today is also the day that many people start buying presents online.
According to comScore, spending on Cyber Monday has historically reflected overall holiday season spending. The question I have, though, is: "Is Cyber Monday relevant anymore?" Many retailers now offer the option, even on Black Friday, to order items via their web site and get the same deals. So, many of the specials that people were standing in line for on Friday could have been purchased online, at home, in your pajamas.
From a security perspective, Cyber Monday is the start of the season in which we try to educate users about the "too good to be true" deals that may arrive in their inboxes. We have typically offered a couple of pointers for keeping yourself safe online:
-- Shop only with vendors that you already know and trust. Don't hand your credit card information to someone you don't already have some kind of pre-existing shopping relationship with.
-- Avoid clicking on what appear to be links to legitimate web sites in an email or IM. If you want to go to the Land's End web site to shop, go to the URL directly. The link may actually go to a look-alike site set up solely to steal information.
-- Ensure that web sites which accept credit card information and/or require you to log in use SSL encryption on the pages that process this data. This should be a given and a standard nowadays, and the absence of encryption for your sensitive data should be your first red flag that your business should likely be taken elsewhere.
-- Look for seals from privacy enforcement organizations like TRUSTe and BBBOnline. Although this isn't a guarantee that the site cannot be compromised, cooperation with these organizations means that they do not ask for sensitive information like a social security number without explicitly explaining in their Privacy Policy why they are collecting it. So you can at least be certain going in why you are being asked for something you wouldn't normally provide, and then make an informed decision as to whether you want to take your business to another merchant.
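The second tip (don't follow links from email; the same advice reappears in the holiday-shopping tips further down this page) can be turned into a check you run over a marketing email before clicking anything. The following is an added example written for this page, not code from the original post: it pulls every link out of an HTML body, compares the address the link *displays* with the host it actually *goes to*, and flags destinations that borrow a trusted retailer's name inside a different domain. The retailer host, the sample email and its hostnames are all constructed; the registrable-domain helper is a deliberately naive two-label stand-in for a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the retailer you actually have a relationship with (hypothetical host).
TRUSTED_HOSTS = ["www.retailer.example"]

# Constructed sample marketing email. Link 2 displays one address but points at another,
# on a host that borrows the retailer's name; link 3 hides its destination behind "Click here".
SAMPLE_EMAIL = """
<p>Cyber Monday savings end tonight!</p>
<a href="https://www.retailer.example/sale">www.retailer.example/sale</a><br>
<a href="http://www.retailer.example.holiday-deals.net/login">www.retailer.example</a><br>
<a href="https://secure-checkout.net/claim">Click here to claim your gift</a>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only collect text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Hostname of a URL, or of bare link text such as 'www.retailer.example/sale'."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host):
    """Last two labels of a host (naive stand-in for a public-suffix list lookup)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def audit_links(html_body, trusted_hosts):
    """Return one finding per suspicious link: its href, its text and the reasons it was flagged."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        looks_like_address = "." in text and " " not in text
        text_host = host_of(text) if looks_like_address else ""
        reasons = []
        # The displayed address and the real destination disagree at the registrable-domain level.
        if text_host and registrable(text_host) != registrable(href_host):
            reasons.append("text shows %s but link goes to %s" % (text_host, href_host))
        # The destination is not the trusted retailer but reuses its brand name in the hostname.
        for trusted in trusted_hosts:
            brand_domain = registrable(trusted)
            brand_word = brand_domain.split(".")[0]
            if registrable(href_host) != brand_domain and brand_word in href_host:
                reasons.append("%s imitates trusted host %s" % (href_host, trusted))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL, TRUSTED_HOSTS):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the constructed email, only the second link is reported, for both reasons. A link whose text is a phrase rather than an address ("Click here") produces no finding here; that is exactly why the tip says to type the retailer's URL yourself instead of trusting what the email shows.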
These tips are not just important for Cyber Monday though. They are relevant to the entire holiday season and for the entire year. Sometimes with the rush and hurry to find the best deals for that must-have gift we let our guards down or think that it is too inconvenient to go through some of these extra steps. The question then comes down to, whether you want to take a few extra minutes to make educated decisions about who you are giving your credit card data to now or risk spending a lot more time trying to clean up an avoidable mess later.
Here's to a fun, safe, and secure holiday season. Cheers! :)
CAPTCHAs - Completely Automated Public Turing test to tell Computers and Humans Apart.
In other words, an attempt at verification that a human is filling out a web form as opposed to an automated agent/bot.
Or, in other other words, a test that has become almost impossible for humans to even pass due to the increased levels of obfuscation being put into the tests themselves.
Usually CAPTCHAs are done via some kind of image where the user types the contents of said image into a text box at the end of a web form. If the user's guess is correct, the form is successfully submitted and whatever follow-up action is supposed to happen afterward is performed (e.g. a successful signup to a mailing list, a comment posted to a blog, etc.).
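As an added illustration of the server side of that flow (example code written for this page, not anything from Facebook or from the author), here is how a form handler can issue a challenge and later check what the user typed. The image rendering is left out; what the form actually depends on is shown: the server commits to the answer with an HMAC so the client never receives it, the token carries an expiry, and each token is good for exactly one guess, so a wrong guess forces a fresh image rather than letting a bot keep guessing at the same one. The signing key is an assumed per-deployment secret, and the token layout is a design choice of this example.

```python
import hashlib
import hmac
import secrets
import time

# Look-alike characters (0/o, 1/l/i) are left out: easier on humans, negligible loss of keyspace.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


class CaptchaService:
    """Issues challenges and checks answers for the server side of a CAPTCHA."""

    def __init__(self, key, ttl_seconds=300, clock=time.time):
        self.key = key            # assumption: a per-deployment secret, e.g. secrets.token_bytes(32)
        self.ttl = ttl_seconds    # how long an issued image stays valid
        self.clock = clock        # injectable for testing
        self.seen = set()         # nonces already spent (a shared cache or DB in production)

    def _tag(self, nonce, expires, answer):
        """HMAC over nonce, expiry and the normalised answer: commits to the answer without revealing it."""
        msg = "%s|%d|%s" % (nonce, expires, answer.strip().lower())
        return hmac.new(self.key, msg.encode(), hashlib.sha256).hexdigest()

    def issue(self, answer=None):
        """Return (token for a hidden form field, answer to render into the image)."""
        if answer is None:
            answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        nonce = secrets.token_hex(8)
        expires = int(self.clock()) + self.ttl
        token = "%s.%d.%s" % (nonce, expires, self._tag(nonce, expires, answer))
        return token, answer

    def verify(self, token, guess):
        """True only for a fresh, unexpired token whose committed answer equals the guess."""
        try:
            nonce, expires, tag = token.split(".")
            expires = int(expires)
        except ValueError:
            return False                      # malformed token
        if nonce in self.seen:
            return False                      # replay, or a second guess at the same image
        self.seen.add(nonce)                  # spend the token before judging the guess
        if expires < self.clock():
            return False                      # image too old; user must request a new one
        return hmac.compare_digest(tag, self._tag(nonce, expires, guess))
```

The comparison is case-insensitive and ignores surrounding whitespace, which is a small usability concession that costs nothing in strength. What it does not do is help with the legibility problem discussed next: a challenge nobody can read fails every human while the server happily keeps enforcing it.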
The problem is that, in an effort to make these CAPTCHA images harder and harder for software to break (so that bots cannot bypass them), they have also been made very difficult for the humans who are supposed to be able to read them.
Take the following image that I was presented with on Facebook, a popular social networking site, this morning:
Are you kidding me?
Obviously the second word is "mountains", but I challenge even the most competent forensic experts to tell me what the first word is supposed to be.
Despite its fallibilities, I can understand as a technical person the need to have technologies like this in place. As a technical community, we need to make sure that we aren't making our products and systems impossible to use "in the name of security." Users will only accept a certain amount of inconvenience before they go find solutions that are simpler to use while still providing acceptable levels of security.
Hardly a day goes by anymore where there isn't some sort of breach of confidential data. Whether it is the exposure of almost 40,000 Social Security Numbers of Georgetown University alumni, faculty, and staff or the theft of 35,000 records of current and former customers of T. Rowe Price, or even the well documented theft of over 45M credit and debit card numbers from TJX, data theft is rampant and we still haven't learned our lesson.
No matter how much education you do on security best practices and even if 99.99% of your company follows those practices, it only takes one person making one mistake to cause a potential breach. Although some data breaches are the result of large scale infrastructure weaknesses, a large number of them are also the result of the indiscretion of one person. One person who didn't properly secure an open PC or who didn't properly secure a hard drive with sensitive data can cause the loss of millions of records which can result in untold numbers of identity thefts!
We've said this before, but I absolutely believe it to be 100% true: protect your personal information and monitor your bank accounts and credit cards like the data has already been compromised (because it likely has. The real question is whether or not someone is going to use YOURS). As with many things in life, early detection gives you the best possibility of recovery. You may not be able to prevent damage to your credit or reputation from happening, but there is a lot we can do to mitigate it once it happens.
For everyone in the United States, I hope you and your families had a wonderful Thanksgiving holiday. For those outside the US, I hope you had a productive second half of last week.
And so the holiday shopping season has begun. The Black Friday early morning deals are over. I didn't go out this year, but did last year and have to admit, it was kind of fun despite the chaos.
Last year I went to a Kohl's department store in search of a kitchen mixer that my wife really wanted (it was on sale from $300 down to about $160). So, I got to the store about an hour before it opened and the foyer area was already packed. I was still able to find a little space to squeeze in though which was nice because it was pretty darn cold outside. Anyway, 5am came, the doors opened and the mad rush began. The hot item was a personal DVD player which was on sale (after rebates) for about $50, down about 75% or so from its regular price. There was a huge display of boxes of DVD players about 50 feet from the door and as soon as the doors opened people ran towards them like they were going to get an opportunity to touch their favorite rock musician. It was almost cartoon-like watching not only people fighting over these boxes, but watching the boxes fly all over the place as people tried to grab them. It truly was something to behold. Thankfully most people weren't there for the mixers so I was in and out of the store in about 7 minutes. Not bad to save $140!
Anyway, I digress...
Coming up on Monday is the single largest *online* shopping day of the year, thusly named Cyber Monday. On Cyber Monday (November 27th) 2006 people spent $608M online according to comScore Networks. That was a 26% increase over the 2005 number of $484M. The 2007 number is expected to be higher than the 2006 number, but perhaps not as much of an increase because of the economic ups and downs of the past year.
Why is this a security issue? Many people will be doing not only their Cyber Monday shopping, but also a good amount of their total holiday online shopping from their computers at work, taking advantage of faster online connections than they have at home. Depending on whom you read, the percentages range anywhere from 45% to 75% of people doing some amount of online holiday shopping while at work.
Online safety should be of paramount concern during the holiday season. With numbers like $608M in one day of online spending looking them in the face, that is too large a number for criminals not to try to get a piece of the action. As aware as you need to be of threats on the internet (like phishing) during the other 47 weeks of the year, the 5+ weeks of the holiday season present the biggest risk of fraud.
To help, here are some tips to follow during the holiday shopping rush (they really aren't any different than the rest of the year, but require extra diligence during the holidays because people are often in a rush to buy items quickly and easily online and don't always pay attention to the warning signs):
-- Shop only at retailers you know and trust, just like you would if you were shopping at the local mall. Also, if you want to visit that retailer's web site, type their URL directly into your browser. Don't follow links from marketing email, as that email could direct you to a fraudulent site set up to look like the real one.
-- Look for security indicators. All legitimate retailers should protect your confidential information (even your login to their site) with encryption. Make sure not only that the little padlock indicating encryption appears in your browser window, but also that the site the security certificate is issued to matches the site you expect to be buying from. If it doesn't, treat that as suspicious.
-- Do not shop from public Wi-Fi hotspots. Many of these networks employ either no encryption of your data or very weak encryption, leaving you open to potential identity theft.
-- Do not use public computers, or any computer you are not familiar with, to do your online shopping. Web browsers often store information entered into web forms for easy reuse later. Someone could easily walk up to one of these available computers, go to a couple of common shopping sites and start writing down whatever information they can find.
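The second tip above, which the Cyber Monday post earlier on this page also gives, says to check that the site the certificate is issued to matches the site you meant to visit. The added example below (written for this page, not code from the original post) shows the decision a browser makes behind the padlock: the name-matching rules from RFC 6125, including the limits on wildcard names, plus an expiry check. The certificates are constructed dicts standing in for parsed certificates, the hostnames are hypothetical, and the fixed `NOW` keeps the expiry check deterministic.

```python
from datetime import datetime, timezone


def hostname_matches(expected_host, dns_names):
    """True if one of the certificate's DNS names covers expected_host.

    Names compare case-insensitively. A wildcard is only honoured in the
    leftmost label, covers exactly one label, and must sit under at least two
    further labels, so '*.retailer.example' covers 'www.retailer.example' but
    not 'a.b.retailer.example', not the bare 'retailer.example', and '*.com'
    covers nothing.
    """
    host = expected_host.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and name.count(".") >= 2:
            suffix = name[1:]                        # '*.retailer.example' -> '.retailer.example'
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
    return False


def assess_certificate(expected_host, cert, now):
    """Return the warnings a cautious shopper's browser would raise for this site.

    `cert` is a constructed dict standing in for the parsed certificate:
    {'subject_cn': str, 'san_dns': [str, ...], 'not_after': datetime}.
    """
    warnings = []
    names = list(cert.get("san_dns", []))
    if not names and cert.get("subject_cn"):
        names = [cert["subject_cn"]]                 # legacy certificate with no SAN extension
    if not hostname_matches(expected_host, names):
        warnings.append("certificate is issued to %s, not %s"
                        % (", ".join(names) or "(no name)", expected_host))
    if cert["not_after"] <= now:
        warnings.append("certificate expired on %s" % cert["not_after"].date())
    return warnings


# Constructed sample certificates for hypothetical hosts (no real sites).
NOW = datetime(2009, 11, 30, tzinfo=timezone.utc)
GOOD_CERT = {"subject_cn": "*.retailer.example",
             "san_dns": ["*.retailer.example", "retailer.example"],
             "not_after": datetime(2010, 6, 1, tzinfo=timezone.utc)}
LOOKALIKE_CERT = {"subject_cn": "www.retailer.example.holiday-deals.net",
                  "san_dns": ["www.retailer.example.holiday-deals.net"],
                  "not_after": datetime(2010, 6, 1, tzinfo=timezone.utc)}
EXPIRED_CERT = {"subject_cn": "www.retailer.example",
                "san_dns": ["www.retailer.example"],
                "not_after": datetime(2009, 1, 1, tzinfo=timezone.utc)}


if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("lookalike", LOOKALIKE_CERT), ("expired", EXPIRED_CERT)]:
        print(label, assess_certificate("www.retailer.example", cert, NOW) or ["ok"])
```

The look-alike certificate is perfectly valid for the host it was issued to; the padlock would still show. The warning comes only from comparing that name with the site you intended to reach, which is the comparison the tip asks you to make by eye. When you write your own client code in Python, `ssl.create_default_context()` performs this name check for you as long as `check_hostname` stays enabled.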
Holiday shopping is supposed to be a fun time of year, but it also can be very hectic and stressful at the same time. As such, make sure that in your haste to find the best deals and the right gifts you also keep sensible browsing and shopping habits in mind. For all of the conveniences and speed that the web brings to holiday shopping, it also brings many potential risks.
Be safe! Have fun! Have a great holiday season!
How at risk are you to be a victim of identity theft?
According to the folks over at the Privacy Rights Clearinghouse, approximately 165 million data records of U.S. residents have been exposed due to security breaches since January 2005. In 2007 there have been 278 breaches reported, which account for over 75 million records.
Keep in mind that these numbers are for *reported* breaches by companies who are required to report such incidents. This only represents a small percentage of the number of businesses out there who might have your personally identifiable information.
Even if we take the 165M records number as being accurate, this means that we are all roughly at about a 50% risk of having our identities stolen as a result of these breaches! Granted, the information obtained could vary greatly from a hacker only obtaining your name and email address all the way to exposure of credit card numbers and your social security number. Both types are just as dangerous though. For example, if a hacker only obtains your name and email address they could use that information to send legitimate looking phishing messages to your inbox in an effort to get the rest of what they want.
So, what to do if you believe that your identity might have been stolen? Privacy Rights Clearinghouse has a comprehensive guide posted on their website which discusses not only how to proactively stay on top of your credit (I would also recommend the Identity Theft Resource Center), but also things that you can do to prevent further damage from being done once your information does end up in the wrong hands.
One of the most important things to remember is that just because your data might have been compromised does not mean that you will be a victim of identity theft. Unfortunately, there is little that you can do to prevent this sort of thing from happening, but it is important, however, to remain diligent in order to minimize how it will affect you.
Another part of my role here at MX Logic in addition to being in charge of our Threat Research group is that of our security officer. This includes not only security education, but also implementation and enforcement of our internal security policies and procedures.
One of the things that I have been putting a lot of thought into lately is the security implication of telecommuting. Telecommuting is becoming much more commonplace among many different types of organizations now that more and more companies are adopting mobile computing practices. This often comes at the cost of security, however. In an effort to make employees more productive when they are away from the office (either traveling or working from home), the security implications of opening up your network in this way are not always considered...or if they are considered, they are set aside for the trade-off of getting more out of your workforce.
So, what's the big deal? So what if Jane wants to work on her desk PC at home when she telecommutes instead of using her laptop?
There was an article posted recently on darkreading.com that said that 94% of Federal CISOs do not believe that telework/telecommuting programs are a threat to security. It also stated that 83% of Federal CISOs are "interested" in mobile endpoint certification for compliance with the Federal Information Security Management Act. Being interested means that they aren't doing it yet, but think it is a good idea.
These numbers don't add up to me. How can you not be concerned about the security implications of telecommuting while at the same time you haven't even certified that your own equipment complies with your own Information Security Management Act?
Let's discuss some best practices that companies can use when implementing a work from home policy:
-- Set up access control so that only company-authorized PCs are allowed to connect to your VPN. If Jane has been connecting her work laptop to her own unsecured home wireless network or to the local Starbucks Wi-Fi network, you still can't guarantee that she won't end up spreading a virus across your corporate infrastructure, but you have more control over that PC than you do over Jane's home PC that she shares with her two teenagers.
-- Implement as many defense-in-depth strategies on your company PCs as possible. This includes at least one anti-virus product and some kind of Host-Based Intrusion Prevention System (HIPS).
-- Disable ports on the PC which allow users to plug in external storage devices like USB drives. Not only are these devices handy for someone who wants to carry your corporate secrets off your corporate intranet, but they are also an easy injection point for malware.
-- Turn off the wireless radio when the PC is going to be hard wired to the network. It will prevent accidental connection to a potentially rogue wireless network. A nice side effect is that it will also increase battery life on a single charge, since the radio is such a drain on the battery when it is on.
As with anything technology related, technology solutions are only part of the answer. User education is also a large piece of this pie. One of the most important jobs of a security officer is security awareness: making sure that security is part of the consciousness of every employee at an organization. It is one thing to put policies and technology in place which enforce security, but it is another thing entirely to make sure everyone in your company is also aware of those policies and knows and understands how to follow them. The backend technology should be in place to enforce those policies, but it is the end user's responsibility to try not to put themselves into a vulnerable position, and that is done through education, education, and more education.