P2P on Your PC Equals Identity Theft

Robert Siciliano Identity Theft Speaker

Peer to peer file sharing is a great technology used to share data over peer networks.  It’s also great software to get hacked.

The House Committee on Oversight and Government Reform is responding to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords. This is the same P2P software that allows users to download pirated music, movies and software.

What’s interesting is that they didn’t already realize this was going on. Most of the committee members probably have kids, and their own home PCs probably have P2P software installed.

An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software. In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and, frankly, the most fun kind of hacking. I’ve seen reports of numerous government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.

The House Committee on Oversight and Government Reform sent letters to the Attorney General and FTC Chairman, asking what the Department of Justice is doing to prevent the illegal use of P2P. Which is kind of ridiculous, because it’s not illegal to use P2P programs. Even if it were made illegal, P2P file sharing is a wild animal that can’t be tamed.

The letter also asks what the government is doing to protect its citizens. Okay. I’ve sat with both the FTC and the DoJ. These are not dumb people. I‘ve been very impressed by how smart they are. They know what they are doing and they see the major issues we face. But they are not in a position to prevent an Internet user from installing a free, widely accessible software, and subsequently being stupid when setting it up and unintentionally sharing their C-drive with the world. No government intervention can prevent this. The House Committee on Oversight and Government Reform should focus more on educating the public about the use of P2P file sharing.

Politicians are most likely being lobbied and funded by the recording and motion picture industries to put pressure on the providers of such software. Letters and government noise will not do anything to stop file sharing. While there have been plenty of witch hunts leading to prosecutorial victories, the public will always be vulnerable. It is up to us, as individuals, to protect ourselves.

  • Don’t install P2P software on your computer.
  • If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
  • Set administrative privileges to prevent the installation of new software without your knowledge.
  • If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.

Robert Siciliano Identity Theft Speaker video hacking P2P getting lots of fun data.

Phishers Getting Smarter

Identity Theft Expert

It wasn’t long ago that most phishing emails were from a supposed Nigerian General Matumbi Mabumboo Watumboo. And you and I were flattered that we were the chosen ones to help the general transfer 35 million out of the country, because the Nigerian government was a bunch of jerks and wouldn’t let him keep the inheritance his wife had inherited from her deceased uncle Bamboo.

I distinctly remember getting a Nigerian phishing email in 1994-ish, back when I had an AOL account, and actually calling my bank and asking them what their thoughts were and what I should do. I mean 10% of $35 million, which the scammer offered in exchange for my help transferring the funds, was quite a fee for nominal work. All I had to do was front 10 grand in a wire transfer to make it all happen. My bank thought my Nigerian general and I were both nuts, and really didn’t know what I should do.

We didn’t have a lot of data on 419 scams or affinity fraud back then, or at least we didn’t have reliable access to that data, so I relied on what my mom told me early on: if it sounds too good to be true, it’s probably isn’t. So I deleted the email. Then I began to see more and more emails from others in the same quandary as the general.

Times have changed dramatically.

Today, with low cost delivery of email, billions of fraudulent emails are sent out every year. Any sales person knows it’s a numbers game. With billions of emails, you’ll eventually get someone to buy in.

Not too long ago, most spam emails came from a few legitimate servers. Once the government cracked down with the Can Spam Act, spam went underground. Most of today’s phishing emails originate from botnets. But what hasn’t changed much is the fraud victims’ sophistication, or lack thereof. The scammers are smarter, but the victims, not so much.

While phishing emails keep pouring in, their methods are changing rapidly. Posing as a Nigerian prince is still common, but not as effective. Even posing as a known bank or Paypal, asking to update an account for various reasons and requesting a potential victim’s user name and password is not as effective as it used to be.

Much of the phishing that occurs today is targeted “spear phishing,” in which the spammers are after a localized target. Recently, the usernames and passwords for 700 Comcast customers were posted on a document-sharing website, possibly as a result of a phishing attack. A Comcast employee with access to this type of data could easily have been tricked by a phisher posing as Comcast’s own IT staff, and foolishly released the customer information.

Going after a CEO is called “whaling.” Who better to take down than the biggest phish of them all? Most corporate websites offer plenty of data on the company officers and administrative contacts, which makes it relatively easy to create a sucker list. If scammers send an email blast to the entire company, eventually someone is likely to cough up enough data to allow the scammers to tap into the company’s intranet. Once the scammers have accessed the intranet, all further phishing emails will appear to be coming from a trusted, internal source.

Phishers even follow a similar editorial calendar as newspaper and magazine editors, coordinating their attacks around holidays and the change in seasons. They capitalize on significant events and natural disasters, such as Hurricane Katrina and most recently, swine flu. Since the swine flu outbreak, as much as 2% of all spamhas the words “swine flu” in the subject line. Numerous websites referencing swine flu in the address have also been registered.

Perhaps the most insidious type of phishing occurs when a recipient clicks a link, either in the body of an email or on the spoofed website linked in the email, and a download begins. That download is almost always a virus with a remote control component , which gives the phisher full access to the user’s data, including usernames and passwords, credit cards details, banking and Social Security numbers. Often, that same virus makes the victim’s PC part of a botnet.

How to avoid becoming a victim? Delete.

And of course update McAfee anti-virus and makes sure your PCs operating system has the latest critical security patches.

Robert Siciliano, identity theft speaker, discusses scam-baiters.

Perez Hilton is a Hater and Social Media Suffers

Robert Siciliano Identity Theft Expert

I was on CNN this week and CNN also featured Perez Hilton, who was hired by Donald Trump, to judge a beauty contest and Hilton made hateful remarks about Miss Californias beliefs. Perez is a hateful sardonic celebrity critic, and his actions are parallel to others who rant and hate, spew racist comments and even kill. Perez Hilton posts numerous videos of himself in the media, but he hasn’t posted this video on CNN to his site, because he knows he’s wrong. He is right now downgrading the story on his own site because of the heat is he getting.

CNN invited me to discuss the murder of a young woman who was stalked and harassed via social media, specifically YouTube and Facebook. She was eventually shot and killed in her college classroom by her stalker, who then put the gun in his own mouth.

Anyone who reads this blog does so because they are intent on improving their personal safety by way of information security. With almost 50,000 reads a month on a variety of portals, I’ve come to understand the reader a bit. You guys want and need news that’s going to help save you time and money by preventing criminals and scammers from trying to take it.

I got my legs in personal security as it pertains to violence prevention. I started doing this in 1992, teaching self defense. My background as a scrawny, greasy Italian kid growing up in the Boston area, fighting my way though life and meeting other victims along the way brought me to a place where teaching others how to protect themselves gave my life a purpose. As my business grew, I needed more technology. I also needed “merchant status,” which is the ability to accept credit cards, which led to even more technology. In the early 90s, I set up my IBM PS1 Consultant PC, Windows 3.1, 150mb hard drive, and became hooked on technology. Soon after, I was plugged into the Internet. Within weeks, my business was hacked. Thousands of dollars in orders and credit card information went out the window. Now, personal security meant self defense from a different kind of predator: identity thieves and criminal hackers.

My passion is personal security as it relates to violence and fraud prevention. It’s all encompassing. I talk about the things that mom and dad didn’t teach you. Lately, I’ve been discussing broad issues that no parent is prepared to discuss. Really, neither am I. But somebody’s go to do it.

I love technology. But it has a very dark side to it. And predators have rapidly figured that out. I’m not blaming technology for this. Just its users.

Social networking is changing the world. Everybody’s information is everywhere, and access is instant. Predators use these tools more than ever to stalk children online. Stalkers can anonymously harass and harangue women or men, and law enforcement’s hands are tied.

Anyone can post relatively anonymous rants and raves, saying anything they like with little or no repercussions. Simple online newspaper articles meant to provide information about some innocuous issue devolve into hateful rants against the author or the source, thanks to the first few comments on the thread. A single comment can lead people in this dangerous direction. Newspapers need eyeballs, so they rarely police these comments, and the public puts up with them. Hate, racism, sexism and overall ignorance permeate every online newspaper and social network. Not a day goes by that I don’t see something entirely inappropriate for public consumption.

With social media, everyone gets a say. The KKK used to be a bunch of cross burning hillbillies. Terrorists lived in caves. Militias and skinheads were small groups that held an occasional rally. Now, they have an international platform, which they use to promote their agendas and recruit believers. Lots of people have very bad things to say and it’s hurting a lot of people. Words incite. What we say leads to action. We become what we think about. If we are fed hate, we act hatefully.

Most school shooters have read the manifests of what occurred at Columbine. Many serial killers study other serial killers. Every story we read about the Craigslist Killer and others like him reveals a bag with a knife, duct tape, rope, and wire ties. They all consume this information.

Coming from a personal security perspective, I am seeing lots of bad things happening to good people. Bad things are being said and bad things are happening. Totally unacceptable and hateful rants have become acceptable, when 10 years ago those kinds of rants would have been unheard of. Let’s get this straight, I’m no puritan. I’m certainly no saint. I’ve been there, done that, and have plenty of skeletons in my closet. I’m capable of saying anything and doing almost anything, and nothing offends me. I’ve lived a hard life and danced with the devil on plenty of occasions.

The meteoric rise of Perez Hilton is a direct sign of what’s wrong with social media and web 2.0. Web 2.0 can be used for good, or for very bad. Perez Hilton is a hateful person with an agenda. He says horrible things and uses social media as a platform to distribute his agenda no differently than a terrorist. What’s worse is millions of people follow him. For him, its not “all in fun”, its hate.

We all need leaders to take charge. Everyone needs direction on some level. Perez Hilton leads a flock of misguided and lost souls. And he empowers them no differently than Hitler, Mussolini, Pol Pot, Saddam, Stalin, David Koresh or Jim Jones did.

Hurtful, hateful ranting isn’t freedom of speech. It’s irresponsible and it’s bad karma. It will only lead to hurt and hate. Its okay to have beliefs, but when those beliefs have a tonality of hate and you express hate in your words, the problem mushrooms.

I spend more energy not saying what I want to say. My mother and father taught me tact. And it’s taken a lifetime to apply it, believe me. I use social media to spread what I hope is a better message, tactfully. I hope you rise against what is happening here and spread a better word. Lead. Don’t be led.

Robert Siciliano Identity Theft Speaker discussing Hate on CNN

Your identity is an illusion

Robert Siciliano Identity Theft Expert

 

Like it or not, you will soon be effectively identified. And by “soon,” I mean within the next 10 years. Big Brother, whatever that means, will have your “number.” Governments across the globe have been gearing up and introducing numerous technologies to identify, verify and authenticate.

Identity is a simple idea that has become a complex problem. It has become complex due to fraud. Fraud, motivated by money, easy credit, and the ease of account takeover. Because identity has yet to be effectively established, anyone can be you. “Identity has yet to be established” is a bold statement that really requires an entire blog post. I’ll explain briefly here and in detail another time.

We have as many as 200 forms of ID circulating from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. We use “for profit” third party information brokers and the lowly vital statistics agency that works for each state to manage the data. All of these documents can be compromised by a good scanner and inkjet printer. This is not established identity. This is an antiquated treatment of identity and ID delivery systems. Identity has yet to be established.

Proper identification starts with government employees, who basically have little say in the matter. Small, specific segments of society such as airport employees, those of immediate concern to Homeland Security, are also first in line to be identified.

Security Management reports that as of this month, all workers and mariners attempting to access secure maritime and port areas nationwide will have to flash a government-approved Transportation Worker Identification Credential (TWIC),biometric identification card before entry. As expected, the system is riddled with problems and complaints.

HSPD-12, or Homeland Security Presidential Directive 12, set universal identification standards for federal employees and contractors, streamlining access to buildings and computer networks, but not without some glitches.

Many privacy advocates scream in horror about a national ID. The fact is, we already have a national ID and it’s the Social Security number. While the Social Security number was never intended to be a national ID, it became one due to functionality creep. And it does a lousy job, because anyone who gets your SSN can easily impersonate you.

Privacy advocates and others who believe that there is or ever was true privacy are operating under an illusion. The issue here isn’t really privacy, its security. It’s managing our circumstances. Growing up, my mother was a privacy advocate. She advocated that privacy was a dead issue as long as I lived in her house. At any given time, she could rifle thorough my stuff if she even got a hint of glazed eyeballs.

I’ve always been fascinated with identification and what it means. Over the years, as I’ve dug deeper into information security and then identity theft, I have been floored by the ineffectiveness of the existing system. Numerous identity technologies use software or hardware as the delivery system. A Smartcard is a delivery system, it isn’t your identity. Identity may include biometrics and verification questions.

Then there is the issue of properly identifying a person. How? And what is the difference between authentication and verification? I’ve always used them interchangeably, so I asked an expert, Jeff Maynard, President and CEO of Biometric Signature ID, who is in the game of properly identifying his clients’ clients through dynamic biometrics, for his take on authentication vs. verification. There is a distinct differenceAuthentication is the ability to verify the identity of an individual based on their unique characteristics. This is known as a positive ID and is only possible by using a biometric. A biometric can be either static (anatomical, physiological) or dynamic (behavioral). Examples of each are: Static – iris, fingerprint, facial, DNA. Dynamic – signature gesture, voice, keyboard and perhaps gait. Also referred to as something you are. Verification is used when the identity of a person cannot be definitely established. Technologies used provide real time assessment of the validity of an asserted identity. We don’t know who the individual is but we try to get as close as we can to verify their asserted identity. Included in this class are out of wallet questions, PINS, passwords, tokens, cards, IP addresses, behavioral based trend data, credit cards, etc. These usually fall into the realm of something you have or something you know.”

Identity proofing means proving identity, which, as I see it, is the foundation for identity and one of the most overlooked and under discussed aspects of identity amongst industry outsiders. This is a most fascinating topic. I will get into that soon.

Robert Siciliano, identity theft speaker, discusses Social Security numbers.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself.  Check out uniball-na.com for more information. 

Government Agencies Engaging in Criminal Hacking Techniques

Identity Theft Expert Robert Siciliano

This article may be a little political. However bad guys are trying to win a cyberwar against us and it’s important to understand what’s being done to protect us.

The US National Security Agency is probably the most sophisticated group of security hackers in the world. Many will argue this point. The fact is, without NSA, US STRATCOM, which directs the operation and defense of the military’s Global Information Grid, and US CERT, attacks on our critical infrastructures would be successful. We’d be living in the dark, telephones wouldn’t work, food wouldn’t be delivered to your supermarket and your toilet wouldn’t flush. These are not the same bumbling government employees you see on C-SPAN.

The Obama administration is in the process of completing aninternal cyber-security review,  announcing plans for cyber-security initiatives and determining who’s going to lead the charge.

The New York Times reports that the NSA wants the job and of course, this is raising hackles amongst privacy advocates and civil libertarians who fear that the spy agency already has too much power. I’m all for checks and balances. However, in order to detect threats against our nation and other global computer infrastructures from criminal hackers and terrorists, those in charge of cyber-security must have full and unlimited access to networks. There is certainly a legitimate concern here that any government agency with too much power can overstep citizens’ rights. However, coming from a security perspective, there are some very bad guys out there who would like nothing more for you to be dead.

Here’s a glowing example of how this power is used for good. Wired.com’s Kevin Poulsen (who should be required reading) reports on an FBI-developed super spyware program called “computer and Internet protocol address verifier,” or CIPAV, which has been used to investigate extortion plots, terrorist threats and hacker attacks in cases stretching back to before the dotcom bust. This is James Bond, Hollywood blockbuster technology that makes for a gripping storyline. The CIPAV’s capabilities indicate that it gathers and reports a computer’s IP address, MAC address, open ports, a list of running program, the operating system type, version and serial number, preferred Internet browser and version, the computer’s registered owner and registered company name, the current logged-in user name and the last-visited URL. That’s the equivalent of a crime scene investigator having fresh samples of blood for the victim and perpetrator, and 360 degree crystal clear video of the crime committed.

The FBI sneaks the CIPAV onto a target’s machine like any criminal hacker would, using known web browser vulnerabilities. They use the same type of hacker psychology phishers use, tricking their target into clicking a link, downloading and installing the spyware. They function like any illegal hacker would, except legally. In one case, they hacked a mark’s MySpace page and posted a link in the subject’s private chat room, getting him to click it. In another case, the FBI was trying to track a sexual predator that had been threatening the life of a teenage girl who he’d met for sex. The man’s IP addresses were anonymous from all over the world, which made it impossible to track him down. Getting the target to install the CIPAV made it possible to find this animal. Numerous other cases are cited in the Wired.com article, including an undercover agent working a case described as a “weapon of mass destruction” (bomb & anthrax) threat, who communicated with a suspect via Hotmail, and sought approval from Washington to use a CIPAV to locate the subject’s computer.

So while Big Brother may yield some scary power, criminals and terrorists are a tad scarier. I’ve always viewed the term “Big Brother” as someone who watches over and protects you. Just my take.

As always, invest in identity theft protection and Internet security solutions to keep the bad guys and the spyware out.

Robert Siciliano, identity theft speaker, discusses spyware.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Identity Theft Expert; Organized Webmobs Focused on Cyber Crime

Identity Theft Expert Robert Siciliano

New reports confirm what we have been seeing in the news; organized criminals have upped the ante. Global web mobs are tearing up financial institutions’ networks.

We’ve known for some time that the long-haired, lowly, pot-smoking, havoc-reeking hacker, sitting alone in his mom’s basement, hacking for fun and fame is no more. He cut his hair and has now graduated into a full time professional criminal hacker, hacking for government secrets and financial gain.

His contacts are global, many from Russia and Eastern Europe, and they include brilliant teens, 20-somethings, all the way up to clinical psychologists who are organized, international cyber criminals.

We are in the middle of a cold cyber crime war.

Their sole motivation is money and information and they either find their way inside networks due to flaws in the applications, or they work on their victims psychologically and trick them into entering usernames and passwords, or clicking links.

According to a new Verizon report, a staggering 285 million records were compromised in 2008, which exceeds total losses for 2004-2007 combined. As many as 93% of the breaches were targeted hacks occurring at financial institutions.

Hackers made $10 million by hacking RBS Worldpay’s system, then loading up blank dummy cards and gift cards, and sending mules to use them at ATMs. The entire scheme took less than one day to pull off.

Many of these hacks occur due to flaws in the design of web applications. The criminals send out “sniffers,” which seek out those flaws. Once they are found, the attack begins. Malware is generally implanted on the network to extract usernames and passwords. Once the criminals have full access, they use the breached system as their own, storing the stolen data and eventually turning it into cash.

Meanwhile, criminal hackers have created approximately 1.6 million security threats, according to Symantec’s Internet Security Threat Report. 90% of these attacks were designed to steal personal information including names, addresses and credit card details. Almost every single American has had their data compromised in some way.

Unsuspecting computer users who do not update their PC’s basic security, including Windows updates, critical security patches or anti-virus definitions often become infected as part of a botnet. Botnets are used to execute many of the attacks on unprotected networks.

The same study shows computer users were hit by 349 billion spam and phishing messages. Many were tricked into giving up personal information. It is common sense not to plug data into an email that appears to be from your bank, asking to update your account. Attacks directed towards mobile phones are also rising. “Phexting” is when a text message phishes for personal data. Just hit delete.

Much of the data stolen is out of your hands. So invest in identity theft protection, and keep your McAfee Internet security software updated.

Robert Siciliano, identity theft speaker, discusses criminal hackers who got caught.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

E-banking just got less secure

Robert Siciliano Identity Theft Speaker

There is no end to the ingenuity of the criminal hacker. They’ve figured out how to hack debit card PINS. Debit cards are linked directly to our checking accounts, which makes them tasty treats for criminal hackers.

At an ATM or cash register, most debit card users are blissfully unaware of what occurs when they swipe their cards and enter their pin numbers. A magical mystery takes place and we get to walk away with our new purchase, simply by swiping a card and tapping a few keys. The money magically disappears from our account and we celebrate by eating the Twinkie we just bought.

Whether you’re swiping your debit card at an ATM or in a store or restaurant, the process is similar. The user swipes his or her card and types in the pin number. The data is verified by a 3rd party payment processor or, in some cases, by a bank, over telephone lines or the Internet. Once the information has been validated and the payment processor confirms that the required funds exist, the money is moved from the user’s account to the merchant’s account, or is dispensed in cash.

The convenience of debit cards has led to global popularity that vastly exceeds that of handwritten checks, all the way into 3rd world countries.

We’ve known for some time that low-tech skimming at ATMs and gas pumps has been a point of compromise. Now, Wired reports that the transaction itself puts your PIN number at risk. Academics discovered this flaw years ago, but didn’t think it would be possible to execute in the field. Criminal hackers, however, have come up with the holy grail of hacks, stealing large amounts of encrypted and unencrypted debit card and pin numbers. And they have figured a way to crack the encryption codes.

The first signs of PIN tampering were recognized when investigators studied the processes of the 11 criminals who were caught after the TJX data breach. That breach involved 45 million credit and debit cards. The crime ring needed PIN codes to turn that data into cash. An investigation into this breach reported that the hacks resulted in “more targeted, cutting-edge, complex, and clever cyber crime attacks than seen in previous years.”

This revelation has some saying that the only cure for this type of hack is a complete overhaul to the payment processing system.

The compromise occurs in a device called a hardware security module (HSM), which sits on bank networks. PIN numbers pass through this device on their way to the card issuer. The module is tamper-resistant and provides a secure environment for encryption and decryption for PINs and card numbers. Criminal hackers are accessing HSMs and tricking them into providing the decrypting data. They are installing malware called “memory scrapers,” which capture the unencrypted data and use the hacked system to store it.

The PCI Security Standards Council, a self regulating body that oversees much of what occurs regarding payment card transaction, said they would begin testing HSMs. Bob Russo, general manager of the global standards body, said that the council’s testing of the devices would “focus specifically on security properties that are critical to the payment system.”

I don’t own a debit card and never have and never will. Simply put, if my debit card were hacked, that money would be coming directly from my bank account. A compromised ATM or point of sale transaction often fails to exhibit evidence of hacking. This means that I’d have to go through the arduous process of convincing my bank that it wasn’t me who withdrew thousands of dollars from my account. Whereas if a credit card is compromised, the zero-liability guarantee kicks in and I’m cured much more quickly.

Your ultimate responsibility here is to check your statements very closely and look for unauthorized activity. Read your statements online biweekly as opposed to relying solely on your monthly paper statement, and refute unauthorized charges immediately. Consider using a credit card instead of a debit card.

While this type of fraud is generally out of your control it’s still imperative you invest in internet security software such as McAfee and consider identity theft protection.

Identity Theft Expert discussing flawed card transactions

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Scamming the scammers

Robert Siciliano Identity Theft Expert

Scammers and even pedophiles are getting hacked by vengeful insidious opportunists.

Who doesn’t love vigilante justice? Some readers may remember Charles Bronson, an American actor who starred in the popular series Death Wish. Bronson played Paul Kersey, a man whose wife is murdered and whose daughter raped. In response, Kersey becomes a crime-fighting vigilante. This was a highly controversial role, as his executions were cheered by crime-weary audiences.

There is a certain amount of satisfaction when the victim becomes victor, exacting justice, and the predator that violates the law is sufficiently punished by the vigilante. Anyone who has ever entertained vengeance fantasies can relate. Of course, one doesn’t need to have been victimized in order to seek justice. Security guard David Dunn, played by Bruce Willis in the movie Unbreakable, avenges a crime committed against someone else.

The Internet has spawned a new breed of opportunist predator. The anonymity of the web, coupled with the inherent naïveté of many computer users, along with development of new technology at a speed that outpaces the learning curve of most users, make confidence crimes easier than ever.

What I find most disturbing are parents with young families who allow their children full, unsupervised Internet access. Fox News reports that in the past 5 years, federal agents have set up honeypots of agents posing as minors to attract pedophiles and have caught upwards of 11,000 in their nets. If they caught 11,000, there must be multitudes that haven’t been caught. What most people don’t realize is that there are over a half million registered sex offenders in the United States, and over 100,000 more sex predators unaccounted for.

“Don’t talk to strangers” used to be the extent of our personal security training. Now, a stranger can be in your 12-year-old daughter’s bedroom at 2 am, chatting on his or her webcam, or even under the covers on the iPhone that he bought her in order to evade her parents’ grasp.

Now, a new form of vigilante justice is occurring: scammers are illegally scamming, blackmailing and extorting other scammers.

The FBI recently caught up with one couple who has been posing as minors, engaging sexual predators in explicit online conversations and then adding a twist. This tech savvy couple are also hackers who engage in black-hat activities. As the predators attempted to gain the trust of the supposed “minors,” the couple was actually gaining access to the predators’ computers, sending numerous files that, when opened, launched an executable and granted full and unauthorized access to the kiddy-fiddlers’ computer systems. After gaining access to the predators’ computers, the couple learned their names, addresses, family members’ contact information, places of employment, and the user names and passwords for all of their financial accounts. Once armed with this type of data, the fun began. The couple would access the pedophiles’ bank, eBay and Paypal accounts. They would also blackmail their victims, threatening to expose their deviant behaviors to anyone who would listen if they didn’t cough up some cash. In one instance, after financial demands were made and not met, the couple accessed the user name and password of a New York teacher who didn’t comply and posted the explicit chats to the teacher’s school’s intranet.

In another example, 3 men apprehended in Kentucky set up a fake child pornography website, then extorted money out of their customers. When arrested, the men confessed to the crime but claimed that they were doing it to punish child pornographers.

Call this blackmail, call it extortion, or call it vigilante justice. You decide.

Robert Siciliano, personal security and identity theft speaker discusses online predators.

Protect your identity and your child’s identity. Install McAfee security software on your PC to prevent predators from intruding. And install child monitoring software to watch your kids online.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Identity Theft Expert and Laptop Computer Security: CTO of MyLaptopGPS Reiterates that a Mobile Computer is Stolen Every 12 Seconds

(BOSTON, Mass. – April 13, 2009 – IDTheftSecurity.com) The single most important thing a laptop computer owner should assume is that he or she could be the next victim of laptop computer theft, according to Dan Yost, chief technology officer of laptop computer security firm MyLaptopGPS. A laptop computer is stolen every 12 seconds, noted Yost, who pointed out that the single most effective laptop theft deterrent is laptop tracking technology such as MyLaptopGPS’, which is powered by Internet-based GPS.

“A mobile computer is stolen every 12 seconds,” said Yost, who invited readers to follow MyLaptopGPS’ laptop computer security blog and laptop computer security posts at Twitter. “Once laptop owners process and accept this fact, they will realize that their machines could very well be next. Laptop computer owners who comprehend this will see their instincts and common sense doing an amazing job of helping to protect their assets. They’ll be far ahead of the curve.”

Yost’s expertise has been featured twice in CXO Europe. Furthermore, in December of 2008, he and widely televised and quoted identity theft expert Robert Siciliano co-delivered a presentation titled “Information in the Modern Age: Maintaining Privacy in an Era of Medical Record Identity Theft” at the 4th Annual World Healthcare Innovation & Technology Congress in Washington, D.C., where Former U.S. Congressman Newt Gingrich delivered the keynote address.

The single most effective action any laptop computer owner can take to protect a machine is to equip it with laptop computer security technology, noted Yost, who added that simple strategies and tactics help to further deter laptop thieves. These include, according to Yost, stowing a laptop away from outside view when leaving it in a locked vehicle and keeping a laptop carrying case’s strap close to the shoulder, placing a hand on the case itself at all times.

Featured in Inc. Magazine and TechRepublic, MyLaptopGPS maintains the Realtime Estimated Damage Index (REDI™), a running tally of highly publicized laptop and desktop computer thefts and losses and these losses’ associated costs. Since the beginning of 2008, 3,279,909 data records associated with laptop theft have been lost, according to the REDI at MyLaptopGPS’ website. A log of these high-profile laptop thefts is available.

“Once a laptop computer owner realizes his or her machine could be the next one stolen, many commonsense habits will become second nature,” said Siciliano, who endorses MyLaptopGPS and is CEO of identity theft protection firm IDTheftSecurity.com. “No tactic is foolproof, but aware laptop owners are much more likely to do the kinds of things that will keep their mobile computers out of thieves’ hands. And people whose mobile computers are out of laptop thieves’ reach are, frankly, people whose confidential data is much less likely to be within identity thieves’ reach, as well.”

YouTube video shows Siciliano on a local FOX News affiliate discussing the importance of securing mobile computing devices on college campuses, where laptop theft can run rampant. To learn more about identity theft, a major concern for anyone who’s lost a laptop computer or other mobile computing device to thieves, readers may go to video of Siciliano at VideoJug.

Anyone who belongs to LinkedIn® is encouraged to join MyLaptopGPS’ laptop computer security group there. They may download a demo of MyLaptopGPS, as well, and have the opportunity to read one of two reports tailored to the type of organization they run.

###

About MyLaptopGPS

Celebrating 25 years in business, Tri-8, Inc. (DBA MyLaptopGPS.com) has specialized in complete system integration since its founding in 1984. From real-time electronic payment processing software to renowned mid-market ERP implementations, the executive team at MyLaptopGPS has been serving leading enterprises and implementing world-class data systems that simply work. With MyLaptopGPS™, Tri-8, Inc. brings a level of expertise, dedication, knowledge and service that is unmatched. MyLaptopGPS™’s rock-solid performance, security, and reliability flow directly from the company’s commitment to top-notch software products and services.

About IDTheftSecurity.com

Identity theft affects everyone. CEO of IDTheftSecurity.com, Robert Siciliano is a member of the Bank Fraud & IT Security Report‘s editorial board and of the consumer advisory board for McAfee. Additionally, in a partnership to help raise awareness about the growing threat of identity theft and provide tips for consumers to protect themselves, he is nationwide spokesperson for uni-ball in 2009 (uniball-na.com provides for more information). A leader of personal safety and security seminars nationwide, Siciliano has been featured on “The Today Show,” “CBS Early Show,” CNN, MSNBC, CNBC, FOX News, “The Suze Orman Show,” “The Montel Williams Show,” “Tyra” and “Inside Edition.” Numerous magazines, print news outlets and wire services have turned to him, as well, for expert commentary on personal security and identity theft. These include Forbes, USA Today, Entrepreneur, Good Housekeeping, The New York Times, Los Angeles Times, Washington Times, The Washington Post, Chicago Tribune, United Press International, Reuters and others. For more information, visit Siciliano’s Web site, blog, and YouTube page.

The media are encouraged to get in touch with any of the following individuals:

John Dunivan

MyLaptopGPS Media Relations

PHONE: (405) 747-6654 (direct line)

jd@MyLaptopGPS.com

http://www.MyLaptopGPS.com

Robert Siciliano, Personal Security Expert

CEO of IDTheftSecurity.com

PHONE: 888-SICILIANO (742-4542)

FAX: 877-2-FAX-NOW (232-9669)

Robert@IDTheftSecurity.com

http://www.idtheftsecurity.com

Brent Skinner

President & CEO of STETrevisions

PHONE: 617-875-4859

FAX: 866-663-6557

BrentSkinner@STETrevisions.com

http://www.STETrevisions.com

http://www.brentskinner.blogspot.com

Week of FUD; Hackers breach electric grid, Conficker sells out, Obama has a plan

Robert Siciliano Identity Theft Expert

They say adversity university and the school of hard knocks makes your stronger, faster and streetsmart.  And if it doesn’t kill you it makes you stronger. Lately, I’ve been killing my readers with lots of deadly data so I bet your security muscles are getting huge!

The security community has bombarded the media with fascinating claims of gloom and doom. (I’m guilty of it, too.) The hype hasn’t entirely met the hyperbole. There have been no major catastrophic issues. The power hasn’t gone out, and data breaches haven’t occurred in the 3-15 million PCs that have been compromised by Conficker.

But that doesn’t change the fact that there are still real problems that need solving. The security community and the media are getting better at discovering these new hacks, reporting on them and taking decisive action to fix them before they get worse.

For good reason, President Obama ordered a cyber-security review earlier this year. And he announced plans to appoint a top cyber-security czar, who will coordinate government efforts to protect the country’s networks. This is a response to years of inaction, culminating in millions and millions of breached records by cyber criminals toying with our critical infrastructures and corporate networks.

The Register points out, “According to the Wall Street Journal – which cites unnamed national security officials – electro-spooks hailing from China, Russia, and ‘other countries’ are trying to navigate and control the power grid as well as other US infrastructure like water and sewage.” That could get messy. Let’s make sure the Cyber Security Czar gives the sewage situation his undivided attention. CNET reportsthat the Pentagon has spent over $100 million on its networks in the past 6 months in response to attacks on the government’s computers. This is part reactionary and part proactive.

Wired reports that Conficker is now a lame spambot, selling fake Internet security software in the form ofscareware. I’m going to shut up about Conficker, for the most part, unless this thing does something that impresses me.

Bob Sullivan points out today in “Why all the cyber-scares?” (as I did earlier this week) that, “Security experts use the term ‘spreading FUD’ – fear, uncertainty, and doubt – to criticize the sales tactics of firms that use hyperbole to scare customers into overpaying for security products. The Conficker incident appears to a be a classic example of FUD.”

I’m all done with this week and I’m going to paint eggs.

For an Easter treat, identity theft speaker Robert Siciliano provides you with a hilarious rare glimpse of someone he loves walking for the first time. (I am human, you know.)

And a big THANK YOU to uni-ball because I cant do what I do without them. I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.