I enjoyed watching this from @gcluley. It shows how easily personally identifiable information can be gathered by anyone who tries. The lesson we learn goes hand in hand with the load of great stuff I got out of a Chicago bank dumpster.
I just got a text message on my cell phone. The message said
Chase anual (sic) maintenance.
Please call 877-257-1139
The message itself was from phone number 1010100001
If you dial the 877 number, you'll hear a lovely American recorded voice asking for your Debit card number and PIN.
Obviously, it's fake. But what a clever way to grab debit card numbers. Frank Abagnale, the famous author of Catch Me If You Can, says he never uses debit cards because they are the same as cash – and in fact don't fail until you run out of cash. Word to the wise.
Think your company takes data protection seriously? You may need to give it the dumpster diving test. This big bank was pretty surprised what I came up with.
Is he evil? Ask some manufacturers and they'll say yes, emphatically. Ask privacy advocates, and they'll praise him for exposing the seeds of Big Brother. Chris Paget didn't stop at cloning your HID prox card while standing next to you in line at the 7-Eleven.* Now he has begun war-driving through San Francisco, gleaning RFID tags from US passports. This is another assault on the Western Hemisphere Travel Initiative. Read about it here.
White hats like Chris find the holes in our tech infrastructure that the bad guys also find. I'd rather know about it than keep my head in the sand. Besides, these problems are usually fixable, so let's fix the problems and not ignore them.
*not sure if he ever did that, but the cloning device he showed me sure could have been used that way.
It looks to be the biggest credit card identity theft in history. Princeton, N.J., payment processor Heartland Payment Systems may have suffered the theft of more than 100 million credit and debit card accounts. Avivah Litan, a Gartner analyst whom I respect, said it seemed deceptive that the company waited until today – inauguration day – to report it. However, if I were CEO of Heartland, I certainly wouldn't want to wait for a day when I could be on the cover of the Wall Street Journal, would you? Read the story.
James DeLuccia reflects on the newest estimates of the cost of credit card fraud. See what he and a Visa representative have to say here.
Here is a blog post from HuntBI associate, Jeffrey Stutzman, CISSP. His post makes me wonder how many corporate networks will be infiltrated by malware when Olympics visitors come home and plug back in. -sh
What happens in Vegas stays in Vegas, right?
What happens in China won’t necessarily stay in China.
What do I mean by that? In the Navy there was a sea story. It went something like this…
We pulled into <name your favorite port>. When we pulled in, the Captain came over the 1MC (the general shipboard loudspeaker system) and gave us a country brief. He told us to be careful. He told us that if we got into a fight, to win, and to be careful with the women, always. Sexually transmitted diseases ran wild in many of the ‘sailor ports’. The story I remember talked about how the hospital corpsman onboard the ship would use a Sharpie to put the name of the sailor on the pair of syringes used to rid us of whatever we picked up. The syringes were then stuck into a dartboard in the Chief’s Mess. As the story goes, the dartboard was always full.
So here’s the deal….
Chinese cyber spies WILL steal your stuff! When you get to China and use your computers to access the Internet, you will be monitored, and will almost assuredly download, or be pushed, software that will execute on your computer. This software will sit quietly on your computer, will not be detected by anti-virus or intrusion detection/prevention software, and will likely ‘phone home’ – send your data back to intelligence collectors in China. When you return home, that software will likely spread automatically to other computers that you connect to or communicate with via email or through the web. You will be infected. Be ready for it.
The problem? Antivirus vendors don’t have the syringes to fix you. It’s a sad state, but the protections currently loaded on your computers are designed to protect from the common threats – those that infect everybody. When a specific group of users is targeted – Olympic visitors for example, or maybe Olympic visitors staying at a specific hotel, or maybe Olympic visitors who work for or represent certain governments or industries – the methods of infection are not always the same. Smart intelligence collection operators won’t use the same tools on everyone. You know why? They don’t WANT antivirus and intrusion prevention vendors to be able to keep up! Even if they are successful 10% of the time, the number of journalists, politicians, and business people entertaining others will easily afford the cyber spies small pieces of information that they can combine with other small pieces of information to eventually put together the pieces of the puzzle – the BIG piece of information.
You should expect this. It shouldn’t come as a surprise.
A recent interview on CNN disclosed publicly (finally!) that over 3500 Chinese front companies exist in the US today solely for the purpose of collecting intelligence. It reported that cyber attacks on the Pentagon (and likely all of DoD) have increased 55% since 2007. References to other Chinese cyber attacks and information gathering run in the thousands on the Internet. A quick Google search for the words “Titan Rain”, the term coined by US Government officials to describe the coordinated information warfare being waged from Chinese sources, yields over four million hits.
Thousands (millions?) of influential people – business managers, politicians, journalists, you name it, have headed to China for the 2008 Summer Games. Don’t be a victim. Don’t allow your home/work networks to be victimized.
Here’s what you can do:
• Think like a spy…
o Leave your computer(s) at home. If you have to have one, take a clean one (one used only for surfing the web and sending emails).
o Use anonymous, encrypted email. The best spies never use computers to relay details of their exploits. If you must use a computer, create two anonymous accounts on an encrypted service such as Hushmail, an encrypted, web-based email service that scrambles your email. Use one account to send, and the other to receive. If you must send data to your company from China, give the second account to the intended recipient before leaving the country. Do not send the account and credentials by email. Kill or abandon those accounts after you return.
o Do not under any circumstances divulge your identity in email, even when using encrypted communications. This is a sure-fire way to give others those “small pieces of information” that can later be used to target you when you return home.
o Never use HTML formatted email. All communications should be formatted as text only. Graphics and other fancy things that make your email sexy also make it very easy to hide viruses and Trojans in your email – those pieces of software that will later be used to send data back to China once you return home.
o Do not send email directly to a work address. Use the anonymous service. Software may get embedded in your outbound communications. That software will spread once opened by your intended recipient.
o When you do return home, expect to receive more junk e-mail. Spam, phishing, or spearphishing (targeted phishing) are easy ways to get you back into the collection network by embedding malicious software into HTML formatted messages.
o Never forward or respond directly to emails received. If you need to respond to something, start with a fresh email, and format it in text only.
o When you return home, do not, under any circumstances, plug these computers into ANY network without first having them professionally cleaned and reloaded with a fresh version of Windows, or your operating system of choice.
Be safe. Be smart. I really don’t want to hear your IT guy bragging about the number of syringes in his dartboard!
Of all the services for protecting identity, I think Identity Truth has it going on. Trusted ID, Life Lock (Life Crock), or even Experian’s own service just miss the point. Identity is not just about protecting your credit score, although that’s what Life Lock would like you to think (spending millions displaying the CEO’s social security number). Life Lock has its troubles as a company too, with several lawsuits, and restrictions from some states and credit companies. The company’s partners are starting to shy away, too, for fear of being included in the lawsuits.
Identity Truth, the service I use (and reviewed here), focuses on what really matters – protecting my assets, privacy and reputation. The service gives me a measurement of my identity risk. If something has already happened to threaten me, they tell me what they’ve found. If it is a threat for the future, they tell me how bad guys could encroach on my identity. Then they give me a heads up and tell me what to do about it.
Maybe you are just interested in credit score protection. You could call Life Lock, but I look at all that Identity Truth offers, with its dashboard so I can view my data, and realize I get a lot more value for the same price.
Identity Truth is not a client of mine. It’s just one of those rare companies that lives up to its marketing claims.