
Web 2.0 Security

Thursday, 11 October 07 - 01:46 PM (GMT)
By John ML Dierckx in Information Security

Although enterprises are increasingly using Web 2.0 tools, many have not adopted security measures to protect themselves against the security threats that can come from using the technology, concludes a recent Secure Computing study.

Secure Computing's Ken Rutsky notes that while many enterprises are using antivirus software and firewalls, these security measures are inadequate to deal with Web 2.0 threats. This is because Web 2.0 applications use code written in Ajax and JavaScript, which makes them behave in ways that traditional security technologies cannot cope with, says Symantec's Alfred Huger. Huger notes that Ajax blurs the lines between the Web and the applications on a user's desktop. When those lines are blurred, security products are not always calibrated to catch threats as they might have before. To make matters worse, black hat hackers are growing increasingly knowledgeable in how to take advantage of Web 2.0 vulnerabilities, Huger says.

What enterprises need is a real-time ability to scan and evaluate Web traffic, asserted Adam Swidler, senior marketing manager for Postini in San Carlos, Calif.

See complete article here



Fake eBay and PayPal emails targeted by new security measures

Saturday, 06 October 07 - 03:53 AM (GMT)
By John ML Dierckx in Information Security

The industry seems to be beefing up against phishing according to this BBC newsflash.


Battle to beat fake Ebay e-mails

Fake Ebay and Paypal e-mails which are used to con users out of money are being targeted by a secure mail system.


The online auction site and web pay service are working with Yahoo to use the firm's anti-phishing technology.

The firms are supporting the emerging standard known as domain keys, which block fake e-mails by validating the sender with a digital signature.

Spammers hide their identity by using a false, or spoofed, address in the millions of messages they send out.

The technology, called the DomainKeys Identified Mail (DKIM), will be available to millions of Yahoo Mail users worldwide in the coming weeks.

"It is a big step forward for consumers in defence against the bad guys," John Kremer, vice president of Yahoo Mail, told Reuters news agency.

Targeted companies

According to security analysts Trend Micro, eBay and its popular payment service Paypal are the two most targeted companies for phishing e-mails in the last months.

E-mail analysts MessageLabs reports that one in every 173 e-mails sent around the world each day contains some form of phishing attacks.


"Our message to both businesses and consumers is: beware of unexpected or strange-looking e-mails regardless of their sender and never open attachments or links contained in these email messages", said David Sancho, of TrendLabs at Trend Micro.

A recent YouGov poll, conducted on behalf of USwitch.com, reported that 35% of 2,500 people surveyed in the UK said they received more than 10 spam e-mails every day.

Yahoo's system is designed to automatically detect potential phishing attacks without relying on the consumer to intervene.

Encrypted signatures

"If the consumer doesn't receive an e-mail in their inbox then it is very hard for the phisher to victimise them," said Michael Barrett, PayPal's chief information security officer.

DKIM uses encrypted digital signatures to prove a message's origin.

Although 90 to 99% of e-mail comes from senders known to the recipient, establishing the identity of a sender remains a key consideration in the protection against spam.

Spammers get away with sending spoofed e-mails because mail servers only check if a domain mentioned in these spoofed addresses - such as @madeupmailname.com - is known to be used by spammers.

DKIM lets honest e-mail senders prove they sent a message by encrypting a two-part signature, or key, in a selected part of the mail.

The e-mail provider, such as Yahoo, puts an encrypted private key into the e-mail when it is sent.

It is linked to a public key held by the internet's domain name system - the phonebook of the internet.

The mail server which receives the e-mail checks to ensure that the private and public keys match, proving that the message has come from a genuine sender.

'Coming around'

But in order for the technology to work, both the sender and recipient need their mail services to be signed up to DKIM.

The technology was developed by Yahoo and is backed by AOL, Google, IBM, Sendmail and Verisign.

A second standard, called Sender Policy Framework (SPF), is backed by Microsoft, Amazon and eBay, which supports both forms of protection.

Digitally signed e-mails are expected to become the norm in the coming years.

Chenxi Wang, a security analyst with Forrester Research, told Reuters: "Two years ago if you asked companies whether they were using e-mail authentication, most people wouldn't have cared.

"The industry is slowly coming around," Mr Wang said.

"EBay and PayPal are some of the first to actively block unauthenticated e-mails."
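The sign-and-check flow the article describes, as an added example that is not part of the BBC piece or of Yahoo's implementation: a simplified DKIM signer and verifier in Go, using the Ed25519 variant of DKIM (RFC 8463) instead of RSA, a fixed header set, and a map standing in for the DNS lookup. The private key never leaves the sending server; what travels in the message is a signature in the DKIM-Signature header, and the receiver checks it against the public key the domain owner publishes in DNS. Domain, selector, addresses and message text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Message is a constructed, minimal e-mail: lowercase header name -> value, plus the body.
type Message struct {
	Headers map[string]string
	Body    string
}

// DNSRecords stands in for public DNS ("selector._domainkey.domain" -> TXT record); a
// real verifier issues a DNS TXT query here, a map keeps the example offline.
type DNSRecords map[string]string

// signedHeaders is the fixed header set this simplified signer covers (the h= tag).
var signedHeaders = []string{"from", "to", "subject"}

func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(body))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signingInput approximates DKIM "relaxed" canonicalization: lowercase names, trimmed
// values, then the DKIM-Signature header itself with an empty b= tag (tags are signed too).
func signingInput(m *Message, sigHeaderNoB string) []byte {
	var sb strings.Builder
	for _, name := range signedHeaders {
		sb.WriteString(name + ":" + strings.TrimSpace(m.Headers[name]) + "\r\n")
	}
	sb.WriteString("dkim-signature:" + sigHeaderNoB)
	return []byte(sb.String())
}

// GenerateKeyPair returns the signer's private key (it stays on the mail server) and the
// TXT record the domain owner publishes at selector._domainkey.domain: the public key only.
func GenerateKeyPair() (ed25519.PrivateKey, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", err
	}
	return priv, "v=DKIM1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub), nil
}

// Sign builds the DKIM-Signature header value: the tags, bh= (hash of the body) and
// b= (Ed25519 signature over the SHA-256 digest of the selected headers and the tags).
func Sign(priv ed25519.PrivateKey, domain, selector string, m *Message) string {
	noB := fmt.Sprintf("v=1; a=ed25519-sha256; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signedHeaders, ":"), bodyHash(m.Body))
	digest := sha256.Sum256(signingInput(m, noB))
	return noB + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, digest[:]))
}

// parseTags splits "k=v; k2=v2" into a map; the first '=' separates key from value.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// Verify is the receiving server's check: look up the key named by the s= and d= tags,
// recompute the body hash, then verify the signature over the headers and tags.
func Verify(dns DNSRecords, m *Message) error {
	raw := strings.TrimSpace(m.Headers["dkim-signature"])
	tags := parseTags(raw)
	if raw == "" || tags["bh"] != bodyHash(m.Body) {
		return errors.New("missing DKIM-Signature header or body hash mismatch (body altered)")
	}
	txt, ok := dns[tags["s"]+"._domainkey."+tags["d"]]
	if !ok {
		return errors.New("no DKIM key published for " + tags["s"] + "._domainkey." + tags["d"])
	}
	pub, keyErr := base64.StdEncoding.DecodeString(parseTags(txt)["p"])
	sig, sigErr := base64.StdEncoding.DecodeString(tags["b"])
	i := strings.LastIndex(raw, "; b=") // the header exactly as signed ends at "b="
	if keyErr != nil || len(pub) != ed25519.PublicKeySize || sigErr != nil || i < 0 {
		return errors.New("malformed public key or DKIM-Signature header")
	}
	digest := sha256.Sum256(signingInput(m, raw[:i+len("; b=")]))
	if !ed25519.Verify(ed25519.PublicKey(pub), digest[:], sig) {
		return errors.New("signature invalid: a signed header or the signature was altered")
	}
	return nil
}

func main() {
	priv, txt, _ := GenerateKeyPair() // constructed key pair; error ignored for brevity
	dns := DNSRecords{"s1._domainkey.example.com": txt} // constructed DNS TXT record
	msg := &Message{Headers: map[string]string{"from": "billing@example.com",
		"to": "user@example.net", "subject": "Your receipt"}, Body: "Thanks for your order.\r\n"}
	msg.Headers["dkim-signature"] = Sign(priv, "example.com", "s1", msg)
	fmt.Println("genuine message:", Verify(dns, msg))
	fmt.Println("altered body:", Verify(dns, &Message{Headers: msg.Headers, Body: "changed\r\n"}))
}
```

Real DKIM also canonicalizes folded whitespace, lets the signer choose the header list, and adds timestamps and expiry tags; those are left out here so the signing-versus-publishing split stays visible.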

 



Cashing In On Stolen Information & Online Networking

Tuesday, 25 September 07 - 04:23 AM (GMT)
By John ML Dierckx in Information Security

In a recent article in PC World, the sale of confidential and personal information was discussed. Bank account details top the list of stolen information offered for sale, according to a survey by Symantec.

Bank account details go for prices of up to US$400, while credit card details sell for between $0.50 and $5, e-mail passwords from $1 to $350 each, and e-mail addresses from $2 to $4 per megabyte, according to Symantec's Internet Security Threat Report, which covers the first half of the year.

Internet crime is becoming serious business. Just recently a tape was stolen from the back of a car. No, not a music cassette: a backup tape holding the information of around 500 employees. At these prices, that is a nice return.

According to the experts, we should no longer think only of the lone developer of malicious code: organised gangs are working hard on the development of ever more sophisticated code and ways to spread their net nasties.

Social and Business Networks as a Profiling Tool
It is not always a direct attack. Much like the good old-fashioned hacking process, these data thieves use profiling as one of the steps in the data theft process. They make use of the many possibilities offered by popular networking sites such as MySpace and Facebook.

All these sites are very keen on protecting your sensitive data. But it is the users themselves who share sensitive information freely. Have you checked what you are sharing with the world lately? On many networking sites there are lively discussions about quantity versus quality. Some people basically accept all connections, and one of them could be just the one that wants your personal information.

Am I saying connect only to those you know? Not necessarily, but a little bit of screening never hurts. More importantly, you might want to think about what you are actually sharing online.

A good example is some of the gift options on, for instance, Facebook. You pay a set amount using your credit card and you can send nice little gifts to your friends. But do you actually know who you are paying for these virtual gifts? These networks, and all the applications developed for them, are not necessarily focused on security.

Or have you Googled yourself lately? You'd be surprised what can be found out about you online alone.

So... here's the simple message: think about what you share. Does the world need to know your date of birth? Your physical address, your phone number, your marital status and the names and birth dates of your children and your wife or husband? Your interests, your work address and work phone, who your friends are and where they live and work?

There can be good reasons to share these details with another party, but consider that when the need arises rather than sharing them with the whole world for convenience's sake.

With specific personal details, the hacker can construct a profile and, on that basis, craft personalised e-mails that lure victims into either clicking on an attachment containing malicious software or visiting a phishing site.

By all means keep up your networking activity, but take a quick look around and you will be amazed what you can find out about people. And if you as an amateur can, just imagine what the pros can do if they are after your information.

I have been following recent discussions on "cashing in on online networking". Strangely enough this was not discussed.


E-cards: Risky Niceties

Wednesday, 22 August 07 - 01:49 PM (GMT)
By John ML Dierckx in Information Security
You've got a card from "a mate", "a friend", "a neighbor", "a family member". I bet you have all received at least one of these lately.

E-cards are a fast, inexpensive and creative way to send greetings to friends and relatives. However, they are also an effective and efficient tool for scammers who want to trick people into downloading viruses, spyware, Trojans and more.

Some scammers actually ask permission to install rogue software on your computer using an "EULA" (End User License Agreement). It is a well known fact that recipients hardly ever bother to read the EULA.

Some e-card recipients are told to download certain software to read their message. Then, this program bombards everyone in their address books with scam e-cards and unwanted marketing messages.

E-card scams have been around on the internet for quite some time now. The last few months, however, I have literally been bombarded with e-cards and postcards. What made me suspicious right away was that the referring link was always an IP address with no reference to a web domain.

Here's a typical email:

 

"Subject: You've received a postcard from a Mate!

Hi. A mate has sent you a postcard.

See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:

URL of e-card 

Or copy and paste it into your browser's "Location" box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Mail Delivery System,
PostcardsFrom.Com"

There are a number of variations using different company names and websites.

Sophos.com reported widespread malware attacks around 4 July, disguised as Independence Day greetings.

Some of the many subject lines used include:

4th Of July Celebration
American Pride, On The 4th
America's 231st Birthday
Americas B-Day
America the Beautiful
Celebrate Your Independence
Celebrate Your Nation

In general, the purposes of e-cards sent by scammers are:
  • To install viruses on your hard drive
  • To install spyware or Trojans on your hard drive to scan for personal and financial information
  • To install adware that leads to pop-up ads, launches adult websites, or sends phony e-cards to everyone in your address book appearing to have come from you
  • To turn your computer into a 'zombie' that helps send spam or attack other computers


Different tactics are used to infect a computer. In some cases, merely opening the phony e-card will cause malicious software to download onto your computer. In other cases, you are asked to install software that is supposedly needed to view your card.

The cleverest method of spreading rogue programs is to ask your permission first. Once you are on the site you are presented with an End User License Agreement (EULA): pages of legal mumbo jumbo.

Web surfers are so used to automatically accepting these EULAs that they hardly ever actually read them. 

Snopes.com reported on a wave of e-card scams that tried to induce people to click links that would install malicious programs: a variant of the Storm Trojan, "an aggressive piece of malware that has been hijacking computers to serve as attacker bots".

The most obvious sign that an e-card may be fake is its vagueness about the actual sender: a friend? a neighbor? a classmate? a secret admirer? a relative? No real name is given. Be suspicious when an e-card arrives with a vague sender or no sender name at all.

Other giveaways include:
  • Spelling errors, or your name spelled incorrectly
  • Errors in the message (I had one I had supposedly sent to myself)
  • The sender is someone you don't know

Some tips to stay safe
  • If in doubt, don't open an e-card:
    delete any e-card from someone you don't know,
    check the link to the card,
    don't click on anything from an unknown sender
  • Don't open attachments from an unknown sender
  • Never download from an unknown source
  • Never click to accept terms from any company without reading the fine print. Beware of those EULAs
  • Use antivirus software and keep it up to date
  • Many e-card scams use security exploits in Internet Explorer. Consider using an alternative like Firefox, which is far more secure against this type of scam
  • Whatever you do, keep your browser software and your computer system in general updated
  • Consider not opening any e-card with an attachment (I know I do not open any of them). The content of the attachment could very well be malicious, and you don't want to find that out once it is too late
  • Keep in mind that opening attachments that appear to come from people you do know could still put you at risk. Their computers might have been infected with the very Trojans you are trying to protect yourself from
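A checker for the giveaways listed above, as an added example in Go that is not from the original post: it parses a raw e-mail and flags a link to a bare IP address instead of a domain, a sender described only as "a mate" or "a friend" with no real name, a card that appears to have been sent from your own address, and an attachment. The sample messages, names, addresses and domains are constructed; the attachment check is a plain text scan, not full MIME parsing.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Findings lists the give-aways found in one message, in the order detected.
type Findings []string

// Has reports whether any finding mentions substr.
func (f Findings) Has(substr string) bool {
	for _, s := range f {
		if strings.Contains(s, substr) {
			return true
		}
	}
	return false
}

var (
	linkRe  = regexp.MustCompile(`https?://[^\s<>"']+`)
	vagueRe = regexp.MustCompile(`(?i)\b(?:a|your) (?:mate|friend|neighbou?r|classmate|family member|relative|secret admirer|colleague)\b`)
)

// Assess parses one raw RFC 5322 message and reports the signs listed above: a sender
// described only generically, links to a bare IP address rather than a domain, a card
// apparently sent from your own address, and an attachment.
func Assess(raw string) (Findings, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	bodyBytes, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	body, subject := string(bodyBytes), msg.Header.Get("Subject")
	var f Findings

	from, fromErr := mail.ParseAddress(msg.Header.Get("From"))
	to, toErr := mail.ParseAddress(msg.Header.Get("To"))
	if fromErr == nil && toErr == nil && strings.EqualFold(from.Address, to.Address) {
		f = append(f, "message claims to come from your own address")
	}
	// "from a Mate!" in the subject, or "a friend" in the body with no display name at all
	if vagueRe.MatchString(subject) || (fromErr == nil && from.Name == "" && vagueRe.MatchString(body)) {
		f = append(f, "sender described only generically (a mate, a friend...), no real name")
	}
	for _, link := range linkRe.FindAllString(body, -1) {
		u, err := url.Parse(strings.TrimRight(link, ".,;)"))
		if err != nil {
			continue
		}
		if net.ParseIP(u.Hostname()) != nil {
			f = append(f, "link points at a bare IP address, not a domain: "+link)
		}
	}
	// Simplified: a real scanner would walk the MIME parts instead of grepping the text.
	if strings.Contains(strings.ToLower(raw), "content-disposition: attachment") {
		f = append(f, "message carries an attachment")
	}
	return f, nil
}

// Constructed samples: a card in the style of the one quoted in the post, and a normal one.
const (
	phishyCard = "From: Mail Delivery System <cards@postcardsfrom.example>\r\n" +
		"To: you@example.net\r\n" +
		"Subject: You've received a postcard from a Mate!\r\n\r\n" +
		"Hi. A mate has sent you a postcard.\r\n" +
		"Click on your card's direct www address: http://192.0.2.10/?e=a4f2\r\n"
	normalCard = "From: Alice Smith <alice@example.com>\r\n" +
		"To: you@example.net\r\n" +
		"Subject: Alice Smith sent you a birthday card\r\n\r\n" +
		"Open it here: https://cards.example.com/view/8a1\r\n"
)

func main() {
	for _, raw := range []string{phishyCard, normalCard} {
		f, err := Assess(raw)
		fmt.Printf("%d finding(s), err=%v\n", len(f), err)
		for _, s := range f {
			fmt.Println("  -", s)
		}
	}
}
```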

And last but not least as my good friend Ken would say: forget all those tips and buy yourself a Mac. They are usually safe from all these attacks. 



Information Security: Social Engineering

Saturday, 11 August 07 - 12:22 AM (GMT)
By John ML Dierckx in Information Security

IRS employees ignored security rules and turned over sensitive computer information to a caller posing as a technical support person, according to a government study. Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request that the employee provide his or her user name and temporarily change his or her password to one the caller suggested, according to the Treasury Inspector General for Tax Administration, an office that does oversight of the Internal Revenue Service.

Read full article here

Some time ago I read two great books, "The Art of Intrusion" and "The Art of Deception", both written by the very famous formerly convicted hacker Kevin Mitnick. I especially enjoyed "The Art of Deception", which points out that as technical IT security becomes more and more sophisticated, social engineering will gain ground as a means used by people who want to intrude into computer networks and find out company secrets. Chapter after chapter he describes the ways skilled social engineers use to penetrate company systems and find their way to sensitive data.

For all of you who would like to know more about social engineering and how it is used to penetrate systems, I could not recommend any book more than this one.

Mitnick focuses especially on the human factors involved in information security. He explains why all the firewalls and encryption protocols in the world will never be enough to stop a smart intruder intent on attacking a corporate database, or an employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how vulnerable even the most secure information systems are to a skilled imposter, for example one impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented. The book reads like a true-crime novel. Most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs and manuals that address the human element of security.

Additionally, here is an interview with the master himself, found on the CNN website.

A Convicted Hacker Debunks Some Myths

Thursday, October 13, 2005; Posted: 3:11 p.m. EDT (19:11 GMT). Source: CNN
http://www.cnn.com/2005/TECH/internet/10/07/kevin.mitnick.cnna/index.html

(CNN) -- To many, the name Kevin Mitnick is synonymous with hacking, the cinematic sort where a snot-nosed kid thumbs his nose at authority. But, Mitnick says, the characterization is a bit overdone and the legend untrue, if not libelous.

It is true, he says, that he broke into corporate computer systems and stole source code to satisfy his curiosity, but he denies the stories that he hacked into NORAD -- North American Aerospace Defense Command -- or that he wiretapped the FBI.

After a well-publicized pursuit that made him notorious, the FBI arrested Mitnick in 1995. He served five years in prison after pleading guilty to charges of wire and computer fraud. He was released in 2000 and today runs a computer security firm. In a telephone interview with CNN's Manav Tanneeru, Mitnick talks about his past, the state of online security today, and how he handles what his name has come to mean.

CNN: There is a certain myth of Kevin Mitnick, but you seem to disavow a lot of it. Why exactly did you become so famous and what specifically was reported that was inaccurate?

MITNICK: [The claims] that I wiretapped the FBI or something like that were something out of a movie like "War Games" or "Enemy of the State" or something. There were fictional events that were tied to real events, like when I took code from Motorola and Nokia when I was a hacker to look at the source code. I took a copy, which is essentially stealing, to look at the information. That was true, that was the truth ... in the story, but there were a lot of libelous statements. ...

I'm the one that got myself into trouble, but because the reporting in the [New York] Times portrayed me as this very dangerous character, the government stepped up the prosecution of the case.

At the end of the day, I would have been prosecuted, but I wouldn't have been held in solitary confinement for a year for the fear that I could launch nuclear missiles by whistling through a pay phone.

I was powerless because I was represented by a publicly appointed attorney who had a very limited budget. But a lot of accusations I wasn't charged with. If I hacked into NORAD or wiretapped the FBI, I certainly would have been charged with it. I got into trouble largely because of my actions. However, because of the media reporting, I was treated as "Osama bin Mitnick."

CNN: You were once the most famous and sought after hacker in the country. After your release from prison you were asked to testify before the Senate, and you now run a Web security firm, which is a fascinating evolution.

MITNICK: It's kind of interesting, because hacking is a skill that could be used for criminal purposes or legitimate purposes, and so even though in the past I was hacking for the curiosity, and the thrill, to get a bite of the forbidden fruit of knowledge, I'm now working in the security field as a public speaker. Twenty-five percent of my revenue is actually doing security assessments, so people actually hire [me] to break into their systems to find their security failures and patch them before the bad guys find them.

So, it's kind of interesting, because what other criminal activity can you ethically practice? You can't be an ethical robber. You can't be an ethical murderer. So it's kind of ironic. But it is really rewarding to know that I can take my background and skills and knowledge and really help the community.

CNN: The fact that you are back in the online world, especially the cyber security sector, may give many reason for a certain insecurity and paranoia. How has your firm been received?

MITNICK: There are several in the security field that don't trust me. They're my competitors, and right there, there is an agenda. But I'm sure that our company does not receive phone calls because they're concerned about my past, and then again, there are a lot of people that do make those calls, and they keep the business going pretty good. I never got a phone call saying, "Hey, we're not hiring your firm because of x, y and z."

I don't know what the percentage is, but I'm sure there are people that don't want to use our firm because they really don't know much about the case. They just know me as a hacker that went to jail.

CNN: Compared to the time you were an illegal hacker, and the contemporary landscape, how easy is it to hack a computer? Has security improved much? Would you still be able to do what you did years ago?

MITNICK: I get hired to hack into computers now and sometimes it's actually easier than it was years ago. It really depends on who the client is -- or if you're doing ethical hacking, who the target is. It could be a difficult target or an easy target. The security landscape, the only thing that's changed in regards to vulnerability are technical issues, but with social engineering, it's all remained the same. So, it depends how vigilant the owners and the operators of the computer systems and the network are, and it really doesn't go to the question of are we living in a more secure world?

CNN: Then, how vulnerable is the common user? Sure, it depends on how many safeguards they've installed, but if they have the most effective of security, how easy is it?

MITNICK: I did a study USA Today was involved with and another marketing firm in San Francisco was involved with within the last year, and we set up a honeypot network, which was six different networks running various different operating systems. We plugged them into a DSL line in San Francisco, and we just watched them to see how quickly these systems could get broken into without having any protection. And one of the computers was broken into four minutes after plugging it into the Internet, which is quite astounding.

CNN: You previously mentioned social engineering. What exactly does that term mean to you?

MITNICK: Social engineering is using manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker. It could be something as simple as talking over the telephone to something as complex as getting a target to visit a Web site, which exploits a technical flaw and allows the hacker to take over the computer.

CNN: And how do contemporary hackers use social engineering in what they do?

MITNICK: Well, how about Paris Hilton? She was attacked on her cell phone, and she was attacked two ways. One was because of a T-Mobile's Web site, and the other guy was able to compromise it by getting her phone number by going on T-Mobile's Web site, doing a password reset, which SMS-ed her new password because, presumably, only the owner would have the handset.

And then what they did was, they did a technique called caller ID spoofing, which allows a person to change the number they're calling from on their calling phone number display. So, they were posing as T-Mobile customer service, and they called her phone, and on the caller ID it showed as T-Mobile customer service, and then they told her, "There are some network difficulties. Have you been getting any SMS [messages] about a password reset, and what were the contents of the message?" and she freely gave it out, and that's how these guys were able to get to her T-Mobile Sidekick, and her e-mail, and whatnot.

In another example, the IRS just did a security audit under the office of the inspector general and called 100 managers posing as IT people at the IRS, and 35 of those managers freely gave out their password and user name over the telephone.

So, it's a significant threat. A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted. It's essentially meaningless.

CNN: How much do you trust online banking and the usage of credit cards online?

MITNICK: I trust online banking. You know why? Because if somebody hacks into my account and defrauds my credit card company, or my online bank account, guess who takes the loss? The bank, not me.

CNN: Then what about other transactions? Do you pay bills online or shop online? I'm just curious if Kevin Mitnick is worried about ID theft?

MITNICK: Somebody already stole my identity once and used it to apply for a cell phone account. And it's too bad. I wish they stole my identity 10 years ago when I was a fugitive -- that would have been cool. It was a $400 bill, and they used my mom's address in Las Vegas when I was living in California under my name. That's really easy, because all you need to steal someone's identity is the Social Security number. It's not really rocket science.

But, I don't have a problem at all using my credit card online. There are attacks that can be done, but it's unlikely that I'll be targeted as an individual. It's more likely the attackers will target the bank. So that way they can get many user names and passwords, and get access to many accounts, rather than just targeting me. I think it's safer to use a credit card over the Internet than it is to go to a Macy's and use it where an employee can simply skim off the card, or go into a bar, or a restaurant where they have your credit card number.

CNN: You've become something of a star, a cult one, at least, even appearing on an episode of "Alias" as a hacker. What do you make of your celebrity?

MITNICK: It's kind of interesting, because I went through a horrific, horrendous experience and became the hacker poster boy, and it had a negative effect on my trip through the criminal justice system. But now that I've turned over a new leaf and people are interested in my skill-set, now the notoriety of my name helps me in my business. Not because of what I did in the past, but because I'm a known entity with my skill-set.

CNN: Do you miss being on the run?

MITNICK: No, no, I don't miss it all. I like my life now. I made some really stupid mistakes in the past as a younger man that I regret. I'm lucky that I've been given a second chance and that I could use these skills to help the community.



Awareness of Information Security in Your Company

Tuesday, 26 June 07 - 12:15 PM (GMT)
By John ML Dierckx in Information Security
Information security is a hot topic, and I remember way back when I tried to discuss the issue of corporate espionage and data leakage or theft with clients, they would often respond that this was a non-issue: "there is nothing worth stealing in my company." And with a smile on their face clients would try to get to the next subject. Times have changed, and companies nowadays have luckily become aware that there is most certainly data worth stealing in any company, but more importantly there is data you simply want to protect because information is part of your asset base: client information, R&D, marketing information, strategic plans and basically anything that would give a competitor an advantage if they knew it. I like to refer to that as company sensitive data.

All too often, when there is awareness of the importance of this issue, it is narrowed down to technical solutions. The already overloaded IT department 'recently got the issue of information security' assigned to its already overwhelming bundle of tasks. Now it cannot be denied that IT and CT issues are an important part of information security. But most certainly there is more.

I often refer back to one of the cases I dealt with for a large research outfit. The issue of information security was high on their priority list. The lab was developing new products on a regular basis and existing products were constantly upgraded. This lab saw itself confronted with the issue that information appeared to be leaking, yet a check of all the systems did not reveal anything. Forensic investigations of the network and of specific computers did not produce any indication that anyone in particular was involved. When I asked further it turned out that even the computer forensic experts did not know exactly where to start; it could basically have been any one of the staff members.

When I was called I planned the initial visit at the end of the working day. This turned out to be a good decision. After a good chat with the CEO about existing procedures, technical and non-technical, I invited him to show me around the premises.

The outcome of this invitation was a strong eye-opener for the CEO, who acknowledged that this was not quite what he had expected to see. I asked him when the last time was that he had made such a round. He could not say, but it was quite some time ago.

Armed with my mobile phone camera I took pictures of what we stumbled upon. It gave us an immediate confrontation between the "ought to be" as arranged in the formal policies of the company and the "actual reality" (Sollen und Sein in German). This was not a pretty sight. Yes, the company had a clean and comprehensive set of procedures:
  • desk policies
  • policies about closing of equipment, network and internet connections
  • password protection
  • screen protection
  • internet usage (accepted use policies)

These are just a few of the formal policies in place in the company. But how did they compare to daily reality? As you might have guessed: not so good. Here are some of the findings:
  • client lists printed out on desks
  • supplier arrangements printed out on desks
  • contracts, draft R&D reports, strategic documents, plans and financials on desks and in waste bins under desks
  • computers open and logged on
  • computers closed, but password and login available on a post-it on the side of the computer screen, or in the unlocked top drawer
  • a computer logged on to the internet with Kazaa open and downloading 12 pornographic movies (I advised him that such peer-to-peer options should not be possible in the first place)
  • 4 MSN mailboxes open on screen, 2 Yahoo ones, and a staggering 14 Gmail accounts open and accessible

And you can probably guess which staff we were running into here and there: exactly, the cleaners. They were the only ones left in the building by the time we entered the last floor. The CEO looked at me in despair. "What the heck are all these procedures for if no one cares to follow them?"

As it turned out the procedures were not actively enforced and were publicised through the intranet only. There was a lot that could be done here of course, but the first step I advised should not be punishment; it should be awareness. And that's what we agreed upon: a staff meeting in the big auditorium with a presentation of the findings. Before doing that I asked for one more option: can we please take some of the most sensitive documents from those desks and see what would happen, whether anyone would report them as missing. We ended up storing about 73 highly sensitive documents in his room with a clear indication of where we found them.
I will let you guess first how many reports of missing documents came in:


36 maybe? NO. 20 maybe? NO. 10? NO. I will tell you right now: ZERO, NIL, NADA.

The staff meeting
The general staff meeting turned out to be a great success. A feast of recognition, with lots of laughs and denials. I made it very clear, on behalf of senior management, that the purpose of the meeting was not to blame anyone; instead it was aimed at addressing the identified issues, why they were important and why compliance was so important.

I opened the presentation with a short fragment of a very explicit movie. Some people were outraged, that was until I told them that one of their colleagues had been identified as not only downloading this movie, but actually watching those and similar movies and spreading them throughout the company. We discussed the findings in respect of confidential information, or better yet trade secrets, and how certain documents could be utilised by the competition.

All staff members were issued a copy of the formal procedures again, to read and sign when they had read and understood them. Most staff members applauded the initiative and most of all the creative approach, even though some of them had been laughing at their own insensitivities.

Several (implicated) staff members came to me after the meeting, telling me that they had learned a very important lesson. I asked them: suppose you were the CEO, what would you do? "Fire on the spot", they responded without exception. I responded that that would mean that their boss deserved a lot of loyalty for not doing so. They agreed.

When was the last time you had a good walk around the premises after show time?


Information Security: Back to Basics

User photo not available Tuesday, 12 June 07 - 12:43 AM (GMT)
By John ML Dierckx in Information Security

Not so long ago, reading through the Dutch news (to stay in touch with the home front), I found that the Dutch public were outraged. NOVA, a Dutch current affairs television programme, had found confidential documents and information in the Dutch Royal Family's paper waste container. The documents were found just outside the gates of the Royal Office in The Hague, Netherlands, and have been returned. The affair generated the necessary media attention, and rightly so I might add. But can we sit back and relax here in New Zealand?

Just Follow the Paper Trail
Whilst many of us are very concerned with protecting our confidential information with firewalls, encryption, virus scanners and spyware removal tools, at the same time we are more than once quite careless with our paper information.

More than once I still find that confidential information ends up in our garbage, waiting to be picked out of there by someone with less noble intentions: confidential correspondence, bank statements, credit card statements.

On another occasion, in 2006, I made some remarks on my previous blog, Ask the Investigator New Zealand. In the blog post that followed I reported:

Not just the Internet

First of all, following the media reports on the subject: it is good to note that the risk of identity theft is not just related to the internet. A lot of people appear to think it is but good old dumpster diving and mailbox fishing can lead to incredible results.

Two examples where the issue will be felt first. First: the credit card.

For some reason in New Zealand, you get your new credit card sent to you via the mail. Now look outside at your mailbox. First question: can you actually see it from your living room or other place where you spend a lot of time?

Second question: is that mailbox secured?

I remember coming from the Netherlands to New Zealand and one of the first things that struck me was the great number of just open mailboxes. Now with that credit card being sent to your address, it is not hard for anyone on the lookout for it to just follow the mailman and start collecting bank correspondence. It is my guess that within a short period you will have collected at least a few credit cards. Ask your bank to send a notification when the credit card has arrived: that way you can pick it up yourself instead of having it hanging around in the insecure mailbox waiting for someone to steal it from you and subsequently use it on a shopping spree.

The second issue: be careful with what you throw in the rubbish. A quick check on recyclables collection day and you will find that many people leave their credit card statements etc. in the same bag as their old newspapers.

Now why would someone be interested in the old statements? It is not like they have your card. Wrong!!

Those credit card statements have your card number on them. This is all one needs to go shopping on the internet, together with your name, which is on that same statement. Ahhh, but you also need the expiry date. Well, that is a month and a year: it will usually take less than 20 attempts to guess these. With the number of credit card facilities around on the internet, it will probably take only a very short time before the correct date and number is guessed and shopping can commence."


Perhaps you should try the test on recycling day in your neighbourhood and be surprised at what you might obtain in terms of confidential information: copies of invoices, declarations, bank statements, credit card statements and other confidential documents out in the open, to be collected by waste management or, if you are unlucky, a 'dumpster diver'.
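As an added illustration, not part of the original post or the earlier blog quoted above, the Python below shows what a "dumpster diver" actually gets from a discarded statement: it scans the text for anything shaped like a card number, confirms it with the Luhn check that every real card number passes, and enumerates the month/year expiry pairs an attacker would have to try. The two statements are constructed sample data with an assumed layout (no bank's real format), and 4111 1111 1111 1111 is a well-known test number, not a live card. The same scan run over a statement with the number masked to its last four digits, as most issuers print it today, recovers nothing, which is the point of the paper-side defence. Most online merchants now also require the three-digit security code, which is not printed on any statement.

```python
# Added example (not from the original blog): what an attacker can recover from
# a credit card statement found in the recycling, and why masking the number
# on the statement removes that exposure.  All data here is constructed.
import re
from itertools import product

# Constructed 2006-style statement printing the full card number.  The layout
# is an assumption for the example; 4111 1111 1111 1111 is a public test number.
STATEMENT_2006 = """ACME BANK VISA STATEMENT
Cardholder: J. Example
Card number: 4111 1111 1111 1111
Statement date: 15 June 2006
"""

# The same statement with the number masked to its last four digits.
STATEMENT_MASKED = """ACME BANK VISA STATEMENT
Cardholder: J. Example
Card number: **** **** **** 1111
Statement date: 15 June 2006
"""

# 13 to 19 digits, optionally separated by spaces or dashes, on word boundaries.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits):
    """Luhn mod-10 check: from the right, double every second digit, subtract 9
    from doubled values above 9, and the sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return every Luhn-valid card number found in the text, digits only.
    A masked number has only four digits left, so it never matches."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def expiry_candidates(statement_year, validity_years=5):
    """All (month, year) pairs the card could expire in, assuming it was issued
    no later than the statement and cards are valid for at most validity_years.
    The attacker can spread these guesses across many different merchants."""
    years = range(statement_year, statement_year + validity_years)
    return [(month, year) for year, month in product(years, range(1, 13))]


def mask_pan(pan):
    """Print-side mitigation: keep only the last four digits on paper."""
    digits = re.sub(r"[ -]", "", pan)
    return "**** **** **** " + digits[-4:]


if __name__ == "__main__":
    print("unmasked statement exposes:", find_pans(STATEMENT_2006))
    print("masked statement exposes:  ", find_pans(STATEMENT_MASKED))
    print("expiry guesses needed, worst case:", len(expiry_candidates(2006)))
    print("how the number should be printed:", mask_pan("4111 1111 1111 1111"))
```

Run as a script it reports the full number from the unmasked statement, nothing from the masked one, and a worst-case expiry search space of 60 month/year pairs for a five-year validity window. The Luhn check is what lets the attacker tell a genuine card number apart from an account or invoice number on the same page, so a statement that only carries the last four digits leaves nothing for the check to confirm.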


A recently published investigation by McAfee reports that dumpster divers and key loggers cause billions in damage each year:

"Key Findings
1. Between January 2004 and May 2006, the number of “keyloggers” increased by 250 percent. During this same period, the number of alerts listed by the Anti-Phishing
Working Group multiplied by 100 (17,600 in May 2006 compared with 176 in January 2004).
2. Personal data for tens of millions of people disappears each year. It’s either been stolen or misplaced."
Download the full report here
 

Another media publication reports that 97% of the British population regularly throws confidential information into the paper recyclables: documents that hold information such as names, titles, addresses and post codes. 30% of these people once in a while disposed (in an insecure fashion) of documents holding a credit card number, and almost half did the same with documents holding a bank account number.
In total almost 50% throw out, in an insecure fashion, documents with sufficient information for a swindler to commit identity fraud.

Do and Don't: Some Tips 

I will close off here with some do and don't tips from last year's blog, as a reminder.

  • DO keep all personal documents in a secure place
  • DO destroy any rubbish that could be used by someone with less noble intentions
  • DO make sure your bank and credit card statements arrive on time and DO carefully check them for transactions that do not match your receipts
  • DO inform your bank when you find transactions that you do not recognise
  • DO sign your bank and credit cards immediately upon receipt.
  • DO NOT store your PIN numbers and cards together (if you must write the PIN down at all); preferably memorise it and destroy the paperwork. DO NOT ever give out your PIN.
  • DO get your credit information from BayCorp Advantage at least once a year and see what has been registered in your name and when. Such a check (credit monitor) is available for $25.00 and is money well spent, especially when you transact through the internet regularly
  • DO arrange redirection of your mail when you change to a different address, notify all relevant parties and number one NZ Post, but also your bank, the IRD and other relevant organisations
  • DO make sure that you have a secure lockable mailbox AND actually lock it
  • When you are on holiday: DO arrange for your mail to be collected or held at New Zealand Post
  • DO NOT share personal details with anyone unless you are absolutely sure whom you are dealing with
  • DO NOT respond to telephone calls or emails asking for personal details or financial information
  • DO NOT get tricked into giving out personal information like your full name and or date of birth, address details etc, unless, again, you know who you are dealing with

Some more in respect of on line transactions specifically:

  • DO NOT ever follow links in an email asking for personal details
  • DO get up to date with the basic security programs for your computer and internet connection and make sure you update these regularly
  • DO use strong passwords (at least 8 characters, with at least 1 capital, 1 number and 1 special symbol)
  • DO NOT store your passwords and login IDs unencrypted, and DO NOT share them
  • DO ALWAYS log out after you have finished online transactions
  • DO make sure that when you are in the process of online transactions, it is through a secured site: look for the padlock in the bottom right of your browser window and check that the website address changes to https://
  • DO stick to organisations that are reputable and have exemplary privacy and other policy statements)
  • BE AWARE that conducting transactions with overseas companies can pose difficulties when things go wrong and that assistance might be hard to find
  • DO make hard copies of all your online purchase transactions
  • BE WARY of dramatically lower prices: if it sounds too good to be true, it usually is!!

More dos and don'ts relating to online résumés are in the original blog.

It will be clear that it is pretty senseless to secure our digital door against fraudsters if at the same time we are opening the physical, and easier to access, gate.

With Father's Day yet to come you might want to consider a shredder instead of one of those latest power tools!



How Banks Could Assist in Tackling Phishing & Identity Theft

User photo not available Thursday, 31 May 07 - 01:37 AM (GMT)
By John ML Dierckx in Information Security

In the past I have published several articles on scam letters (email) as a tactic used by phishers to get hold of your confidential information.

See for instance:


Alternatively there are several articles on my previous blog site, Ask the Investigator New Zealand. An overview of all hits on the keyword "phishing" (for that blog) can be found here.

What strikes me most when reading about phishing and phishing scams where they relate to banks and other financial institutions is that there might be a very simple solution.

What if banks started to formulate and disseminate amongst their customers, new and existing, a standard policy on how banks will communicate with you? Wouldn't that help? Let's say a standard email policy, and preferably an industry-wide standard. Or perhaps even leave out email communication altogether for any formal correspondence, or allow it only by very specific and described exception.

If we all know, and have in writing, that the bank will never ask for your personal details except by, let's say, a letter in the mail with a listed telephone number for verification purposes if the client still has doubts, then we can all simply forget those phishing mails. Also I could imagine a system whereby you are to go to the nearest branch of your bank to provide the details upon showing the letter in which the requests are made.

The damages are severe enough to consider a joint and standardised approach by now.

I am curious to hear your thoughts.


Scam Alert! Kiwibank hooked in phishing scam

User photo not available Tuesday, 29 May 07 - 02:54 PM (GMT)
By John ML Dierckx in Information Security


Scott Mckenzie, ZDNet Australia
28 May 2007 05:14 PM

Cybercriminals -- in a sign of the times -- have used a legitimate Web site in a phishing attack aimed at Kiwibank, according to Sophos.

Customers of the New Zealand bank were sent an e-mail inviting them to perform routine "account maintenance" to ensure that the bank can "guarantee their money".

Paul Ducklin, Sophos's Head of Technology Asia Pacific, said the phishing e-mail doesn't read like one that you would expect a bank to send.
"And the link in the e-mail leads off to a Web server in the USA which is currently blocking downloads, so there seems to be little risk of customers getting caught out."
While the risk of being hooked may be low, Ducklin believes there is a lesson to be learned from the campaign.

"SophosLabs currently estimates that 70 percent of malicious Web pages abused by phishers and malware spreaders are not directly associated with cybercriminals, but rather are legitimate sites which have been broken into and borrowed for criminal activity," he said.

Legitimate sites also lose in these scams. The Web site used in the Kiwibank phish appears to be that of a sole trader in the US. "That site is now widely blacklisted, and off the air," Ducklin said.
"The genuine owner of the site is left to sort out the mess."





FBI Internet Crime Report 2006 Available

User photo not available Friday, 16 March 07 - 09:59 PM (GMT)
By John ML Dierckx in Information Security

The FBI’s Internet Crime Complaint Center (IC3) released its annual Internet Fraud Crime Report.

From January 1 through December 31, 2006, the center received 207,492 complaint submissions. The filings covered fraudulent and non-fraudulent complaints primarily related to the Internet and included many different fraud types such as:

  • auction fraud
  • non-delivery
  • credit/debit card fraud

Besides that, there were non-fraudulent complaints:

  • computer intrusions
  • spam/unsolicited email
  • child pornography.


The report illustrates how sophisticated and widespread abuse of the internet is becoming.

All complaints received by IC3 are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts. During 2006, IC3 referred 86,279 complaints of crime to federal, state, and local law enforcement agencies around the country for further consideration.

The larger part of the cases reported involved activities of a fraudulent nature resulting in financial losses by complainants. According to the report, the total damage resulting from all referred cases of fraud was $198.44 million, with a median dollar loss of $724 per complaint.
 
Internet auction fraud was by far the most reported offense, comprising 44.9 percent of referred complaints. E-mail and web pages were the two primary mechanisms by which the fraudulent contact took place. Of those individuals who reported a dollar loss, the highest median losses were found among Nigerian letter frauds ($5,100), check frauds ($3,744), and other investment fraud ($2,694).

The Internet Crime Complaint Center (IC3) is a joint project of the FBI and the National White Collar Crime Center. To view the entire 2006 Internet Fraud Crime Report, go to www.ic3.gov/media/annualreports.aspx.



