ERE Information Security Auditors

Posts Tagged ‘Identity Theft’

What’s your Pain Threshold for Mobile Phone Identity Theft?

Tuesday, November 30th, 2010

The FBI’s Internet Crime Complaint Center (IC3) recently published a warning about smishing and vishing. Both are variations of phishing aimed at mobile phones: smishing uses SMS text messages to start the scam, while vishing uses voice calls, usually automated.

These threats are new variations on an old and costly method of identity theft. The problem is that mobile users who are novices with regard to computer security threats are simply unaware that they are in jeopardy when they respond to text and voice phishing on their phones.

Sophisticated corporate IT users who should know better are compromised the same way through their mobile phones.

To back up a step, SMS stands for Short Message Service. SMS is also commonly referred to as texting, text messaging or sending text messages. The service allows short text messages to be sent from one cell phone to another, or from the Web to a cell phone. Just because the service runs on a phone does not make it immune to phishing.

The particularly nasty form of SMS spam called smishing is phishing by SMS for private information, often for use in identity theft. Smishing attempts take the form of text messages (and, with vishing, voice messages) that arrive on your phone saying things like “We’re confirming your parcel delivery”, “Your account status has been changed” or “ABC credit card is confirming your purchase.”

The user is given a phone number to call or a web site to log onto in order to provide account credentials that will supposedly remedy the issue. The web site is a spoofed site: a fake that misleads the victim into entering personal information, which is routed straight to the scammer’s computer.

A victim who tries to call back the number a vishing call came from will most likely reach no voice mail or a constantly busy signal. Attackers call from throw-away phones, which makes the calls virtually untraceable.

The FBI report described a recent smishing scam used to steal money from customers of a credit union. After receiving a text about an account problem, victims called the number provided and gave out their personal information; within 10 minutes money was withdrawn from their accounts. The same technique was also recently used against banking customers, who were told by text that they needed to reactivate their ATM cards at a bogus web site.

What to do. What not to do.

Once again, here are the old and trusted simple steps to avoid becoming a victim of identity theft and fraud:
• Do not respond to text messages or automated voice messages from unknown or blocked numbers.
• Do not respond to unsolicited (spam) email.
• Do not click on links contained in an unsolicited email or text message.
• Be cautious of email claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders. Avoid filling out forms contained in email messages that ask for personal information.
• Do compare the link text shown in the email with the address it actually points to (hover over the link, or long-press it on a phone, to see the real URL before following it). If it is not the legitimate address, do not follow it. Better still, type the business’s official web address into the browser yourself. If the email appears to be from your bank, credit card issuer or another company you deal with frequently, your statements or official correspondence will provide the proper contact information.
• Do contact the actual business that supposedly sent the email to verify whether the email is genuine.
• Do verify any request for personal information from any business or financial institution by contacting them through the contact information published on their official web site or your statements, never through the number or link in the message itself.
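The "compare the link with where it really goes" check above can be automated. The script below is an added example, not part of the original post or any FBI material: it parses the anchors in an HTML message, compares the visible link text with the real target, and applies a few further heuristics a mail filter would use (raw IP addresses, a user@ prefix that hides the real host, punycode hosts, links leaving the sender's domain). The sample message and the "example-bank.com" domain are constructed for the demo.

```python
"""Flag suspicious links in an HTML e-mail body.

Added example, not from the original post. It automates the check the post
recommends (does the link text match where the link really goes?) and adds a
few heuristics a mail filter would apply. The sample message and the
"example-bank.com" domain below are constructed for this demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def parse_url(value):
    """Split a URL, tolerating text like 'www.example-bank.com' with no scheme."""
    if "://" not in value:
        value = "http://" + value
    try:
        return urlsplit(value)
    except ValueError:
        return None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_url(text):
    """True for link text a reader would take to be an address."""
    return " " not in text and "." in text


def check_links(html_body, sender_domains):
    """Return (reason, visible text, href) for each suspicious link.

    sender_domains: domains the sender legitimately uses; a host is trusted
    if it equals one of them or is a subdomain of one.
    """
    def trusted(host):
        return any(host == d or host.endswith("." + d) for d in sender_domains)

    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        target = parse_url(href)
        if target is None:
            findings.append(("unparseable href", text, href))
            continue
        host = (target.hostname or "").lower()
        shown = parse_url(text) if looks_like_url(text) else None
        shown_host = (shown.hostname or "").lower() if shown else ""
        if shown_host and shown_host != host:
            findings.append(("displayed address differs from real target", text, href))
        elif is_ip_literal(host):
            findings.append(("link points at a raw IP address", text, href))
        elif target.username is not None:
            findings.append(("user@ prefix hides the real host", text, href))
        elif host.startswith("xn--") or ".xn--" in host:
            findings.append(("punycode (possible look-alike) host", text, href))
        elif not trusted(host):
            findings.append(("link leaves the sender's domain", text, href))
    return findings


# Constructed sample of a phishing-style message rendered as HTML.
SAMPLE_EMAIL = """
<p>Your account status has been changed. Please
<a href="http://203.0.113.7/login">log in</a> to confirm your details, or visit
<a href="http://example-bank.com.secure-verify.net/">https://www.example-bank.com/</a>.
Statements: <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a><br>
Help: <a href="https://example-bank.com@evil.example/">Help desk</a></p>
"""

if __name__ == "__main__":
    for reason, text, href in check_links(SAMPLE_EMAIL, {"example-bank.com"}):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the constructed message, three of the four links are flagged and only the genuine statements link passes. The subdomain rule is deliberately strict: "example-bank.com.secure-verify.net" is not a subdomain of "example-bank.com", which is exactly the trick the second link relies on.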

Have a secure week. Ron Lepofsky CISSP, CISM www.ere-security.ca

Stolen Gaming Credentials can cost Big Bucks!

Wednesday, June 2nd, 2010


Here’s a glaring example of how recreational online gaming of any sort can lead to unintended expense and headache.

On May 27, Angela Moscaritolo at SC Magazine wrote an article about Symantec having discovered a database server hosting the stolen credentials of 44 million accounts belonging to at least 18 gaming websites. You can see the article on the ERE RSS feed or at http://www.scmagazineus.com/44-million-stolen-gaming-credentials-discovered/article/171128/e.

Online gamers own virtual assets within their games. These assets can be bought and sold for real dollars, sometimes thousands of dollars. Someone who steals and uses a gamer’s identity gains access to the gamer’s assets, which they can then use, sell or vandalize.

Where a gaming site holds its members’ credit card and banking information, the potential for identity theft and credit fraud escalates once a gamer’s credentials are stolen.

Online gamblers face the same risks as online gamers whose credentials are stolen, with the added grief of facing a foreign jurisdiction when trying to claim for losses against the site. Most gambling sites, for reasons of US law, reside outside the jurisdiction of the USA.

The same problem is faced by members of online transaction sites that store their members’ authentication credentials. If a member’s user name and password are stolen, the member faces exactly the same risks as the online gamer, made worse if the member’s credit information is also stored with the site.

While credit card companies are implementing multi-factor authentication to mitigate fraudulent transactions, electronically stored credit card information is still a theft target. In these critical situations, my preference is to err on the side of conservatism: if anyone has access to electronic information, then potentially anybody has access to that same information.
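How much damage a stolen credential table does depends heavily on how the site stored the passwords. As an added example (not from the original post, and not the practice of any site it mentions), here is how a site should store and verify passwords with a salted, deliberately slow hash, so that a copied table does not hand the thief usable passwords. It uses only the Python standard library; the 600,000 PBKDF2-HMAC-SHA256 iterations follow current OWASP guidance, and the two sample users are constructed for the demo.

```python
"""Salted, iterated password hashing for a credential store.

Added example, not part of the original post. Standard library only:
PBKDF2-HMAC-SHA256 with a random 16-byte salt per user and a
self-describing record so the parameters can be raised later. The sample
users below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256 at time of writing
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a record of the form pbkdf2_sha256$iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Malformed records are rejected rather than raising, so a corrupted row
    cannot turn into an unhandled exception on the login path.
    """
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def build_sample_table() -> dict:
    """Constructed credential table: two users who chose the same password."""
    return {
        "gamer42": hash_password("correct horse battery staple"),
        "alice": hash_password("correct horse battery staple"),
    }


if __name__ == "__main__":
    table = build_sample_table()
    for user, record in table.items():
        print(user, record)
    print(verify_password("correct horse battery staple", table["gamer42"]))
```

Because each user gets a fresh salt, the two identical passwords produce different records, so a thief holding the table cannot even tell that they match, let alone crack them all at once with one precomputed table. This is the server side of the problem; it does nothing to protect a user who reuses the same password on a site that stored it in the clear, which is why the advice below still applies.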

So the question is “What should gamers and transaction site members do to protect their electronic identities?”

The answers are mundane but effective:

  • Regularly change passwords, and change them immediately after any report of a breach at a site you use. Chances are that a stolen old password will be tried by a thief and, of course, will be useless.
  • Use groups of passwords, prioritized by importance, for different uses. The best advice is to use a different password for every single account, including logon to your home and work computers, online banking, transaction sites, etc. Many people find this impractical, so a tradeoff is to have a few different passwords but never use the same password for both critical and less critical applications.
  • Consider storing (new!) passwords in an encrypted file or an electronic password vault. Various programs and utilities are available for this. The two immediate benefits are that passwords are never stored unencrypted and that the stress of remembering all of them disappears; a vault also makes a unique password for every site practical.
  • Store the master password for your password vault in a secure, non-electronic form, or disguise it with a scheme of your own, for instance a prefix and suffix that are meaningful only to you and that are not composed of any personal information.
  • Do not log onto any system over Wi-Fi or a cellular network unless the logon sequence is encrypted (for example, the site uses HTTPS throughout). Otherwise the logon credentials are easy prey for man-in-the-middle attacks.
  • Do not share passwords with anyone. Ever.

Have a secure week.

Ron Lepofsky, CISSP, B.A.Sc. (Mech Eng)

Irrefutably Identifying Ourselves

Wednesday, May 26th, 2010


A deluge of compliance requirements has inundated organizations, obligating information security officers to protect sensitive personal and corporate data from theft, critical data from theft and corruption, and medical and health data from theft, surveillance and destruction.

Fundamental to these security and privacy imperatives is an organization’s ability to restrict access to only those individuals with the need and the permission to see and change the data in question. Access should be predicated on conclusively and positively identifying the individual or entity requesting access, while denying access to everyone and everything else.

In my May 4 blog, Forensic Identification Using Skin Bacteria, I discussed this idea. It may or may not come to pass, but it did emphasize the ongoing, if somewhat imaginative, research in user identification. A more down-to-earth and currently available means of verifying identity is two-factor authentication, or 2FA.

2FA has been around for a long time and has undergone major improvements. The banking industry has adopted it for the cards we use for credit and debit transactions: the PIN is something we know, and the card itself is something we have. Smart cards go further, permitting or denying a transaction based on the electronic identification of the card. The card is generically known as a token: something we have that is unique to us.

2FA is critical for some organizational applications, and many organizations have the technical capability and financial resources to implement two-factor or even stronger authentication.

However, in my opinion, 2FA is particularly important for individuals using remote access to their business or personal computers, because individuals may not have the technical expertise or financial resources to ensure their remote sessions are indeed secure.

For example, I see many laptop users at public hot-spots hammering away, presumably over WiFi. (Or why else would they be at a hot-spot?) We know those networks are not secure and, therefore, the users are subject to any number of man-in-the-middle and covert surveillance attacks.

Users may think their sessions are safe because the WiFi access service announces that once a user has paid, their sessions will be encrypted. However, the log-on portion of the payment transaction is wide open!

Or even worse. Many users implement all manner of RDP remote connections to their systems. I have seen innumerable instances where identification and authentication by a single password is done in the open. Even though the RDP session may be implemented via an unusual port number, there is still the possibility of monitoring the port activity and gaining access to the authentication data.

This problem is exacerbated by using the same user name and password for both the RDP session and the system login.

In my opinion, the bottom line is that all users of remote communication should implement some form of two-factor authentication, especially when using any or a combination of RDP, VPN, Bluetooth, WiFi, and wireless broadband.

My guiding principle for remote communication is that if I perform an unencrypted remote login to a system, then everybody on the Internet just saw my authentication credentials.

Have a secure week.

Ron Lepofsky, CISSP, B.A.Sc. (Mech Eng)
President, ERE Information Security and Privacy Auditors
http://www.ere-security.ca

Dark Side of Cyberspace

Wednesday, April 14th, 2010

The Toronto Star ran an informative article last week about spying on the Internet, particularly using easily accessible tools like Google, blogs and social networking sites. The article delves into cyber-spy rings like the Shadow Network and GhostNet and mentions the upcoming global cyber security summit to be hosted by the University of Toronto this fall. You can see the article on the ERE RSS news feed at www.ere-security.ca.

The article is compelling, but the message should not be news to any computer user today. I’m not sure why anybody would be surprised that private information is stolen on the Internet after the vast amount of publicity about identity theft and cyber-fraud.

So the important question is: are you vulnerable to cyber-spying or to identity theft?

With regard to cyber-spying, the obvious question is: do you have any sensitive defense or political information worth stealing? If the answer is “no”, a spy ring is unlikely to be targeting you, though proprietary commercial and research data attract espionage as well.

With regard to identity theft and cyber-fraud, some important questions about your computer are:

Do you update your anti-virus and anti-malware software daily?

Do you patch your operating system as soon as important security patches are available?

Do you patch your web browser with security patches as soon as they are available?

Do you apply security updates to third-party tools such as Adobe Acrobat and Reader promptly, after a quick check that the update installs cleanly, rather than leaving them unpatched while you wait?

Do you run a sweep of your computer work station with an anti-virus and anti-malware tool once a week?

Do you run a web site safety evaluation tool?

If the answer is “no” to any of the above, you probably have security weaknesses. If you answer “no” to more than one, you definitely want to improve your security procedures.

What about the answers to these questions about your cyber-behavior:

Do you open emails from sources you do not recognize?

Do you open attachments from friendly sources without first screening them for malware?

Do you visit unfamiliar web sites without first validating their safety?

Do you post on blogs or social networking sites any personal information including photographs?

Do you provide your home phone number to strangers?

Do you identify the names of your family members to strangers?

If you answer “yes” to any of these questions, you are probably jeopardizing the security and privacy of information on your workstation.   If you answer “yes” to any of the last three questions, you may be putting your family members or yourself in harm’s way.

What about your cyber-housekeeping habits, such as:

Do you regularly change the password to your workstation?

Do you have a strong password for your workstation?

Do you encrypt personal information and passwords?

Do you leave unencrypted personal or sensitive information on external media?

Do you dispose of used disks and computer equipment without destroying or securely wiping the storage media and memory hardware?

Do you dispose of scanner and photocopier technology without destroying the media and memory hardware?

Answering “yes” to any of the above, as you’ve already figured out, is not good for your cyber-health.

So the big question is: Do you want to greatly improve your personal cyber-security?  If yes, by now you probably have a few new specific action items to execute.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca


Copyright © 2007-2008. All rights reserved.