Your identity is an illusion

Robert Siciliano Identity Theft Expert

 

Like it or not, you will soon be effectively identified. And by “soon,” I mean within the next 10 years. Big Brother, whatever that means, will have your “number.” Governments across the globe have been gearing up and introducing numerous technologies to identify, verify and authenticate.

Identity is a simple idea that has become a complex problem. It has become complex due to fraud. Fraud, motivated by money, easy credit, and the ease of account takeover. Because identity has yet to be effectively established, anyone can be you. “Identity has yet to be established” is a bold statement that really requires an entire blog post. I’ll explain briefly here and in detail another time.

We have as many as 200 forms of ID circulating from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. We use “for profit” third party information brokers and the lowly vital statistics agency that works for each state to manage the data. All of these documents can be compromised by a good scanner and inkjet printer. This is not established identity. This is an antiquated treatment of identity and ID delivery systems. Identity has yet to be established.

Proper identification starts with government employees, who basically have little say in the matter. Small, specific segments of society such as airport employees, those of immediate concern to Homeland Security, are also first in line to be identified.

Security Management reports that as of this month, all workers and mariners attempting to access secure maritime and port areas nationwide will have to flash a government-approved Transportation Worker Identification Credential (TWIC),biometric identification card before entry. As expected, the system is riddled with problems and complaints.

HSPD-12, or Homeland Security Presidential Directive 12, set universal identification standards for federal employees and contractors, streamlining access to buildings and computer networks, but not without some glitches.

Many privacy advocates scream in horror about a national ID. The fact is, we already have a national ID and it’s the Social Security number. While the Social Security number was never intended to be a national ID, it became one due to functionality creep. And it does a lousy job, because anyone who gets your SSN can easily impersonate you.

Privacy advocates and others who believe that there is or ever was true privacy are operating under an illusion. The issue here isn’t really privacy, its security. It’s managing our circumstances. Growing up, my mother was a privacy advocate. She advocated that privacy was a dead issue as long as I lived in her house. At any given time, she could rifle thorough my stuff if she even got a hint of glazed eyeballs.

I’ve always been fascinated with identification and what it means. Over the years, as I’ve dug deeper into information security and then identity theft, I have been floored by the ineffectiveness of the existing system. Numerous identity technologies use software or hardware as the delivery system. A Smartcard is a delivery system, it isn’t your identity. Identity may include biometrics and verification questions.

Then there is the issue of properly identifying a person. How? And what is the difference between authentication and verification? I’ve always used them interchangeably, so I asked an expert, Jeff Maynard, President and CEO of Biometric Signature ID, who is in the game of properly identifying his clients’ clients through dynamic biometrics, for his take on authentication vs. verification. There is a distinct differenceAuthentication is the ability to verify the identity of an individual based on their unique characteristics. This is known as a positive ID and is only possible by using a biometric. A biometric can be either static (anatomical, physiological) or dynamic (behavioral). Examples of each are: Static – iris, fingerprint, facial, DNA. Dynamic – signature gesture, voice, keyboard and perhaps gait. Also referred to as something you are. Verification is used when the identity of a person cannot be definitely established. Technologies used provide real time assessment of the validity of an asserted identity. We don’t know who the individual is but we try to get as close as we can to verify their asserted identity. Included in this class are out of wallet questions, PINS, passwords, tokens, cards, IP addresses, behavioral based trend data, credit cards, etc. These usually fall into the realm of something you have or something you know.”

Identity proofing means proving identity, which, as I see it, is the foundation for identity and one of the most overlooked and under discussed aspects of identity amongst industry outsiders. This is a most fascinating topic. I will get into that soon.

Robert Siciliano, identity theft speaker, discusses Social Security numbers.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself.  Check out uniball-na.com for more information. 

Government Agencies Engaging in Criminal Hacking Techniques

Identity Theft Expert Robert Siciliano

This article may be a little political. However bad guys are trying to win a cyberwar against us and it’s important to understand what’s being done to protect us.

The US National Security Agency is probably the most sophisticated group of security hackers in the world. Many will argue this point. The fact is, without NSA, US STRATCOM, which directs the operation and defense of the military’s Global Information Grid, and US CERT, attacks on our critical infrastructures would be successful. We’d be living in the dark, telephones wouldn’t work, food wouldn’t be delivered to your supermarket and your toilet wouldn’t flush. These are not the same bumbling government employees you see on C-SPAN.

The Obama administration is in the process of completing aninternal cyber-security review,  announcing plans for cyber-security initiatives and determining who’s going to lead the charge.

The New York Times reports that the NSA wants the job and of course, this is raising hackles amongst privacy advocates and civil libertarians who fear that the spy agency already has too much power. I’m all for checks and balances. However, in order to detect threats against our nation and other global computer infrastructures from criminal hackers and terrorists, those in charge of cyber-security must have full and unlimited access to networks. There is certainly a legitimate concern here that any government agency with too much power can overstep citizens’ rights. However, coming from a security perspective, there are some very bad guys out there who would like nothing more for you to be dead.

Here’s a glowing example of how this power is used for good. Wired.com’s Kevin Poulsen (who should be required reading) reports on an FBI-developed super spyware program called “computer and Internet protocol address verifier,” or CIPAV, which has been used to investigate extortion plots, terrorist threats and hacker attacks in cases stretching back to before the dotcom bust. This is James Bond, Hollywood blockbuster technology that makes for a gripping storyline. The CIPAV’s capabilities indicate that it gathers and reports a computer’s IP address, MAC address, open ports, a list of running program, the operating system type, version and serial number, preferred Internet browser and version, the computer’s registered owner and registered company name, the current logged-in user name and the last-visited URL. That’s the equivalent of a crime scene investigator having fresh samples of blood for the victim and perpetrator, and 360 degree crystal clear video of the crime committed.

The FBI sneaks the CIPAV onto a target’s machine like any criminal hacker would, using known web browser vulnerabilities. They use the same type of hacker psychology phishers use, tricking their target into clicking a link, downloading and installing the spyware. They function like any illegal hacker would, except legally. In one case, they hacked a mark’s MySpace page and posted a link in the subject’s private chat room, getting him to click it. In another case, the FBI was trying to track a sexual predator that had been threatening the life of a teenage girl who he’d met for sex. The man’s IP addresses were anonymous from all over the world, which made it impossible to track him down. Getting the target to install the CIPAV made it possible to find this animal. Numerous other cases are cited in the Wired.com article, including an undercover agent working a case described as a “weapon of mass destruction” (bomb & anthrax) threat, who communicated with a suspect via Hotmail, and sought approval from Washington to use a CIPAV to locate the subject’s computer.

So while Big Brother may yield some scary power, criminals and terrorists are a tad scarier. I’ve always viewed the term “Big Brother” as someone who watches over and protects you. Just my take.

As always, invest in identity theft protection and Internet security solutions to keep the bad guys and the spyware out.

Robert Siciliano, identity theft speaker, discusses spyware.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Identity Theft Expert; Organized Webmobs Focused on Cyber Crime

Identity Theft Expert Robert Siciliano

New reports confirm what we have been seeing in the news; organized criminals have upped the ante. Global web mobs are tearing up financial institutions’ networks.

We’ve known for some time that the long-haired, lowly, pot-smoking, havoc-reeking hacker, sitting alone in his mom’s basement, hacking for fun and fame is no more. He cut his hair and has now graduated into a full time professional criminal hacker, hacking for government secrets and financial gain.

His contacts are global, many from Russia and Eastern Europe, and they include brilliant teens, 20-somethings, all the way up to clinical psychologists who are organized, international cyber criminals.

We are in the middle of a cold cyber crime war.

Their sole motivation is money and information and they either find their way inside networks due to flaws in the applications, or they work on their victims psychologically and trick them into entering usernames and passwords, or clicking links.

According to a new Verizon report, a staggering 285 million records were compromised in 2008, which exceeds total losses for 2004-2007 combined. As many as 93% of the breaches were targeted hacks occurring at financial institutions.

Hackers made $10 million by hacking RBS Worldpay’s system, then loading up blank dummy cards and gift cards, and sending mules to use them at ATMs. The entire scheme took less than one day to pull off.

Many of these hacks occur due to flaws in the design of web applications. The criminals send out “sniffers,” which seek out those flaws. Once they are found, the attack begins. Malware is generally implanted on the network to extract usernames and passwords. Once the criminals have full access, they use the breached system as their own, storing the stolen data and eventually turning it into cash.

Meanwhile, criminal hackers have created approximately 1.6 million security threats, according to Symantec’s Internet Security Threat Report. 90% of these attacks were designed to steal personal information including names, addresses and credit card details. Almost every single American has had their data compromised in some way.

Unsuspecting computer users who do not update their PC’s basic security, including Windows updates, critical security patches or anti-virus definitions often become infected as part of a botnet. Botnets are used to execute many of the attacks on unprotected networks.

The same study shows computer users were hit by 349 billion spam and phishing messages. Many were tricked into giving up personal information. It is common sense not to plug data into an email that appears to be from your bank, asking to update your account. Attacks directed towards mobile phones are also rising. “Phexting” is when a text message phishes for personal data. Just hit delete.

Much of the data stolen is out of your hands. So invest in identity theft protection, and keep your McAfee Internet security software updated.

Robert Siciliano, identity theft speaker, discusses criminal hackers who got caught.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

E-banking just got less secure

Robert Siciliano Identity Theft Speaker

There is no end to the ingenuity of the criminal hacker. They’ve figured out how to hack debit card PINS. Debit cards are linked directly to our checking accounts, which makes them tasty treats for criminal hackers.

At an ATM or cash register, most debit card users are blissfully unaware of what occurs when they swipe their cards and enter their pin numbers. A magical mystery takes place and we get to walk away with our new purchase, simply by swiping a card and tapping a few keys. The money magically disappears from our account and we celebrate by eating the Twinkie we just bought.

Whether you’re swiping your debit card at an ATM or in a store or restaurant, the process is similar. The user swipes his or her card and types in the pin number. The data is verified by a 3rd party payment processor or, in some cases, by a bank, over telephone lines or the Internet. Once the information has been validated and the payment processor confirms that the required funds exist, the money is moved from the user’s account to the merchant’s account, or is dispensed in cash.

The convenience of debit cards has led to global popularity that vastly exceeds that of handwritten checks, all the way into 3rd world countries.

We’ve known for some time that low-tech skimming at ATMs and gas pumps has been a point of compromise. Now, Wired reports that the transaction itself puts your PIN number at risk. Academics discovered this flaw years ago, but didn’t think it would be possible to execute in the field. Criminal hackers, however, have come up with the holy grail of hacks, stealing large amounts of encrypted and unencrypted debit card and pin numbers. And they have figured a way to crack the encryption codes.

The first signs of PIN tampering were recognized when investigators studied the processes of the 11 criminals who were caught after the TJX data breach. That breach involved 45 million credit and debit cards. The crime ring needed PIN codes to turn that data into cash. An investigation into this breach reported that the hacks resulted in “more targeted, cutting-edge, complex, and clever cyber crime attacks than seen in previous years.”

This revelation has some saying that the only cure for this type of hack is a complete overhaul to the payment processing system.

The compromise occurs in a device called a hardware security module (HSM), which sits on bank networks. PIN numbers pass through this device on their way to the card issuer. The module is tamper-resistant and provides a secure environment for encryption and decryption for PINs and card numbers. Criminal hackers are accessing HSMs and tricking them into providing the decrypting data. They are installing malware called “memory scrapers,” which capture the unencrypted data and use the hacked system to store it.

The PCI Security Standards Council, a self regulating body that oversees much of what occurs regarding payment card transaction, said they would begin testing HSMs. Bob Russo, general manager of the global standards body, said that the council’s testing of the devices would “focus specifically on security properties that are critical to the payment system.”

I don’t own a debit card and never have and never will. Simply put, if my debit card were hacked, that money would be coming directly from my bank account. A compromised ATM or point of sale transaction often fails to exhibit evidence of hacking. This means that I’d have to go through the arduous process of convincing my bank that it wasn’t me who withdrew thousands of dollars from my account. Whereas if a credit card is compromised, the zero-liability guarantee kicks in and I’m cured much more quickly.

Your ultimate responsibility here is to check your statements very closely and look for unauthorized activity. Read your statements online biweekly as opposed to relying solely on your monthly paper statement, and refute unauthorized charges immediately. Consider using a credit card instead of a debit card.

While this type of fraud is generally out of your control it’s still imperative you invest in internet security software such as McAfee and consider identity theft protection.

Identity Theft Expert discussing flawed card transactions

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Scamming the scammers

Robert Siciliano Identity Theft Expert

Scammers and even pedophiles are getting hacked by vengeful insidious opportunists.

Who doesn’t love vigilante justice? Some readers may remember Charles Bronson, an American actor who starred in the popular series Death Wish. Bronson played Paul Kersey, a man whose wife is murdered and whose daughter raped. In response, Kersey becomes a crime-fighting vigilante. This was a highly controversial role, as his executions were cheered by crime-weary audiences.

There is a certain amount of satisfaction when the victim becomes victor, exacting justice, and the predator that violates the law is sufficiently punished by the vigilante. Anyone who has ever entertained vengeance fantasies can relate. Of course, one doesn’t need to have been victimized in order to seek justice. Security guard David Dunn, played by Bruce Willis in the movie Unbreakable, avenges a crime committed against someone else.

The Internet has spawned a new breed of opportunist predator. The anonymity of the web, coupled with the inherent naïveté of many computer users, along with development of new technology at a speed that outpaces the learning curve of most users, make confidence crimes easier than ever.

What I find most disturbing are parents with young families who allow their children full, unsupervised Internet access. Fox News reports that in the past 5 years, federal agents have set up honeypots of agents posing as minors to attract pedophiles and have caught upwards of 11,000 in their nets. If they caught 11,000, there must be multitudes that haven’t been caught. What most people don’t realize is that there are over a half million registered sex offenders in the United States, and over 100,000 more sex predators unaccounted for.

“Don’t talk to strangers” used to be the extent of our personal security training. Now, a stranger can be in your 12-year-old daughter’s bedroom at 2 am, chatting on his or her webcam, or even under the covers on the iPhone that he bought her in order to evade her parents’ grasp.

Now, a new form of vigilante justice is occurring: scammers are illegally scamming, blackmailing and extorting other scammers.

The FBI recently caught up with one couple who has been posing as minors, engaging sexual predators in explicit online conversations and then adding a twist. This tech savvy couple are also hackers who engage in black-hat activities. As the predators attempted to gain the trust of the supposed “minors,” the couple was actually gaining access to the predators’ computers, sending numerous files that, when opened, launched an executable and granted full and unauthorized access to the kiddy-fiddlers’ computer systems. After gaining access to the predators’ computers, the couple learned their names, addresses, family members’ contact information, places of employment, and the user names and passwords for all of their financial accounts. Once armed with this type of data, the fun began. The couple would access the pedophiles’ bank, eBay and Paypal accounts. They would also blackmail their victims, threatening to expose their deviant behaviors to anyone who would listen if they didn’t cough up some cash. In one instance, after financial demands were made and not met, the couple accessed the user name and password of a New York teacher who didn’t comply and posted the explicit chats to the teacher’s school’s intranet.

In another example, 3 men apprehended in Kentucky set up a fake child pornography website, then extorted money out of their customers. When arrested, the men confessed to the crime but claimed that they were doing it to punish child pornographers.

Call this blackmail, call it extortion, or call it vigilante justice. You decide.

Robert Siciliano, personal security and identity theft speaker discusses online predators.

Protect your identity and your child’s identity. Install McAfee security software on your PC to prevent predators from intruding. And install child monitoring software to watch your kids online.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Identity Theft Expert and Laptop Computer Security: CTO of MyLaptopGPS Reiterates that a Mobile Computer is Stolen Every 12 Seconds

(BOSTON, Mass. – April 13, 2009 – IDTheftSecurity.com) The single most important thing a laptop computer owner should assume is that he or she could be the next victim of laptop computer theft, according to Dan Yost, chief technology officer of laptop computer security firm MyLaptopGPS. A laptop computer is stolen every 12 seconds, noted Yost, who pointed out that the single most effective laptop theft deterrent is laptop tracking technology such as MyLaptopGPS’, which is powered by Internet-based GPS.

“A mobile computer is stolen every 12 seconds,” said Yost, who invited readers to follow MyLaptopGPS’ laptop computer security blog and laptop computer security posts at Twitter. “Once laptop owners process and accept this fact, they will realize that their machines could very well be next. Laptop computer owners who comprehend this will see their instincts and common sense doing an amazing job of helping to protect their assets. They’ll be far ahead of the curve.”

Yost’s expertise has been featured twice in CXO Europe. Furthermore, in December of 2008, he and widely televised and quoted identity theft expert Robert Siciliano co-delivered a presentation titled “Information in the Modern Age: Maintaining Privacy in an Era of Medical Record Identity Theft” at the 4th Annual World Healthcare Innovation & Technology Congress in Washington, D.C., where Former U.S. Congressman Newt Gingrich delivered the keynote address.

The single most effective action any laptop computer owner can take to protect a machine is to equip it with laptop computer security technology, noted Yost, who added that simple strategies and tactics help to further deter laptop thieves. These include, according to Yost, stowing a laptop away from outside view when leaving it in a locked vehicle and keeping a laptop carrying case’s strap close to the shoulder, placing a hand on the case itself at all times.

Featured in Inc. Magazine and TechRepublic, MyLaptopGPS maintains the Realtime Estimated Damage Index (REDI™), a running tally of highly publicized laptop and desktop computer thefts and losses and these losses’ associated costs. Since the beginning of 2008, 3,279,909 data records associated with laptop theft have been lost, according to the REDI at MyLaptopGPS’ website. A log of these high-profile laptop thefts is available.

“Once a laptop computer owner realizes his or her machine could be the next one stolen, many commonsense habits will become second nature,” said Siciliano, who endorses MyLaptopGPS and is CEO of identity theft protection firm IDTheftSecurity.com. “No tactic is foolproof, but aware laptop owners are much more likely to do the kinds of things that will keep their mobile computers out of thieves’ hands. And people whose mobile computers are out of laptop thieves’ reach are, frankly, people whose confidential data is much less likely to be within identity thieves’ reach, as well.”

YouTube video shows Siciliano on a local FOX News affiliate discussing the importance of securing mobile computing devices on college campuses, where laptop theft can run rampant. To learn more about identity theft, a major concern for anyone who’s lost a laptop computer or other mobile computing device to thieves, readers may go to video of Siciliano at VideoJug.

Anyone who belongs to LinkedIn® is encouraged to join MyLaptopGPS’ laptop computer security group there. They may download a demo of MyLaptopGPS, as well, and have the opportunity to read one of two reports tailored to the type of organization they run.

###

About MyLaptopGPS

Celebrating 25 years in business, Tri-8, Inc. (DBA MyLaptopGPS.com) has specialized in complete system integration since its founding in 1984. From real-time electronic payment processing software to renowned mid-market ERP implementations, the executive team at MyLaptopGPS has been serving leading enterprises and implementing world-class data systems that simply work. With MyLaptopGPS™, Tri-8, Inc. brings a level of expertise, dedication, knowledge and service that is unmatched. MyLaptopGPS™’s rock-solid performance, security, and reliability flow directly from the company’s commitment to top-notch software products and services.

About IDTheftSecurity.com

Identity theft affects everyone. CEO of IDTheftSecurity.com, Robert Siciliano is a member of the Bank Fraud & IT Security Report‘s editorial board and of the consumer advisory board for McAfee. Additionally, in a partnership to help raise awareness about the growing threat of identity theft and provide tips for consumers to protect themselves, he is nationwide spokesperson for uni-ball in 2009 (uniball-na.com provides for more information). A leader of personal safety and security seminars nationwide, Siciliano has been featured on “The Today Show,” “CBS Early Show,” CNN, MSNBC, CNBC, FOX News, “The Suze Orman Show,” “The Montel Williams Show,” “Tyra” and “Inside Edition.” Numerous magazines, print news outlets and wire services have turned to him, as well, for expert commentary on personal security and identity theft. These include Forbes, USA Today, Entrepreneur, Good Housekeeping, The New York Times, Los Angeles Times, Washington Times, The Washington Post, Chicago Tribune, United Press International, Reuters and others. For more information, visit Siciliano’s Web site, blog, and YouTube page.

The media are encouraged to get in touch with any of the following individuals:

John Dunivan

MyLaptopGPS Media Relations

PHONE: (405) 747-6654 (direct line)

jd@MyLaptopGPS.com

http://www.MyLaptopGPS.com

Robert Siciliano, Personal Security Expert

CEO of IDTheftSecurity.com

PHONE: 888-SICILIANO (742-4542)

FAX: 877-2-FAX-NOW (232-9669)

Robert@IDTheftSecurity.com

http://www.idtheftsecurity.com

Brent Skinner

President & CEO of STETrevisions

PHONE: 617-875-4859

FAX: 866-663-6557

BrentSkinner@STETrevisions.com

http://www.STETrevisions.com

http://www.brentskinner.blogspot.com

Week of FUD; Hackers breach electric grid, Conficker sells out, Obama has a plan

Robert Siciliano Identity Theft Expert

They say adversity university and the school of hard knocks makes your stronger, faster and streetsmart.  And if it doesn’t kill you it makes you stronger. Lately, I’ve been killing my readers with lots of deadly data so I bet your security muscles are getting huge!

The security community has bombarded the media with fascinating claims of gloom and doom. (I’m guilty of it, too.) The hype hasn’t entirely met the hyperbole. There have been no major catastrophic issues. The power hasn’t gone out, and data breaches haven’t occurred in the 3-15 million PCs that have been compromised by Conficker.

But that doesn’t change the fact that there are still real problems that need solving. The security community and the media are getting better at discovering these new hacks, reporting on them and taking decisive action to fix them before they get worse.

For good reason, President Obama ordered a cyber-security review earlier this year. And he announced plans to appoint a top cyber-security czar, who will coordinate government efforts to protect the country’s networks. This is a response to years of inaction, culminating in millions and millions of breached records by cyber criminals toying with our critical infrastructures and corporate networks.

The Register points out, “According to the Wall Street Journal – which cites unnamed national security officials – electro-spooks hailing from China, Russia, and ‘other countries’ are trying to navigate and control the power grid as well as other US infrastructure like water and sewage.” That could get messy. Let’s make sure the Cyber Security Czar gives the sewage situation his undivided attention. CNET reportsthat the Pentagon has spent over $100 million on its networks in the past 6 months in response to attacks on the government’s computers. This is part reactionary and part proactive.

Wired reports that Conficker is now a lame spambot, selling fake Internet security software in the form ofscareware. I’m going to shut up about Conficker, for the most part, unless this thing does something that impresses me.

Bob Sullivan points out today in “Why all the cyber-scares?” (as I did earlier this week) that, “Security experts use the term ‘spreading FUD’ – fear, uncertainty, and doubt – to criticize the sales tactics of firms that use hyperbole to scare customers into overpaying for security products. The Conficker incident appears to a be a classic example of FUD.”

I’m all done with this week and I’m going to paint eggs.

For an Easter treat, identity theft speaker Robert Siciliano provides you with a hilarious rare glimpse of someone he loves walking for the first time. (I am human, you know.)

And a big THANK YOU to uni-ball because I cant do what I do without them. I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Conficker flexes muscles, phones home

Identity Theft Expert Robert Siciliano

The internets number one virus Conficker, called home and sent its next set of updates to its global botnet.

Conficker’s botnet, which includes anywhere from 3 to 15 million PCs, has a peer to peer (P2P) feature that allows each PC on the network to talk to one another. Each PC has the ability to become the command server. This characteristic allows Conficker to fluidly update each PC on the network.

The latest variant shows that Conficker is updating via P2P, as opposed to pinging a website for its updates. This makes Conficker “self reliant.”

botnet is a robot network of zombie computers under the control of a single leader. The concept behind a botnet is strength in numbers. Botnets can attack websites, send spam, and log data, which can lead to data breaches, credit card fraud and identity theft, and ultimately clog a network until it shuts down.

CNET reports that researchers have observed Conficker making its first update, which they believe to be a keystroke logger, a form of spyware designed to log usernames and passwords. This new update also tells the zombies to seek other PCs that have not been patched with Microsoft’s update. The worm also pings websites including MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com in order to determine whether that PC has Internet access.

The Register reports that Conficker is now pinging what’s known as a Waledac domain, which contacts a new server if the current one is blacklisted by ISPs for spamming. This allows the virus to download more updates.

In 2007 and 2008, the Storm Worm was thought to have infected over 50 million PCs. Waledac is using the same technology as the Storm Worm,which means two things. First, this may get ugly fast. And second, whoever is controlling Waledac must be the same criminal hackers that built Storm Worm.

All this means that Conficker is about as dangerous as a virus can be, with the best of the best technologies, both old and new. While the virus has yet to strike, it is definitely gearing up.

 

Identity theft speaker Robert Siciliano discusses criminals using viruses to hack credit cards.

To protect yourself, be sure you have updated Internet security software, and consider an identity theft protection service.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information

Confickers copycat evil twin

Identity Theft Expert Robert Siciliano

Both Microsoft Certified Professional and Computerworld report on a variation of Conficker known as “Neeris.” Neeris is a 4 year old virus that has resurfaced and is now behaving like a Conficker wannabe. It is believed that the criminal hackers who created Conficker and Neeris are either the same person or are working together, double teaming the computer security community.

Neeris began showing up on March 31st into April 1st which, as we know, was supposed to be the launch date for the next set of Conficker updates.

Conficker and Neeris both include auto-run and remote call features that allow it to slither into external storage, including cameras, USB drives, external hard drives and other memory-based devices. Furthermore, it is feared that the “call home” feature will eventually enable either virus to update their abilities to wreak havoc and compromise data.

What’s troubling is that Microsoft created a critical security update specifically for Conficker, labeled the MS08-067 patch. Now, Microsoft Certified Professional states that Neeris is able to “poke holes in” this patch, indicating that the patch is no match for Neeris.

However, as stated in Computerworld, “Due to the similarities to Conficker, most of the mitigations that were mentioned also apply here. Make sure to install MS08-067 if you haven’t done so yet, and be careful to use only autoplay options you’re familiar with, or consider disabling the Autorun altogether.”

Regardless, update critical security patches and run the latest McAfee anti-virus definitions.

Robert Siciliano Identity Theft Speaker discussing viruses slithering into memory based devices here

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Credit card fraud is Americans number one concern

Identity theft Expert Robert Siciliano

A recent study conducted by the Unisys Corporation shows that identity theft as it pertains to credit card fraud is Americans’ number one concern.

When people ask me, “How do I protect myself from credit card fraud?” I tell them, “Cancel the card, or never use it.” Because that’s the only way.

Personal security (as it pertains to violence) and national security have always been a concern. However, this new study shows that people are more concerned with fraud, and the risk of having their savings depleted by scammers. Not so hard to believe, what with the number of data breaches, and the Madoffs of the world fleecing their unsuspecting investors.

75% of Americans feel that the recession has increased their chances of being victimized by criminal hackers and thieves. Most are also concerned their “private” information on a corporate or bank network may be compromised.

FBI’s Internet Crime Complaint Center’s 2008 Annual Report determined that online fraud increased by 33.1% last year. Dollar losses resulting from online fraud increased to $265 million.

Overall, these concerns are valid, due to flaws in the system of issuing credit that facilitate new account fraud. Furthermore, account takeover requires nothing more than access to credit card numbers, which are available in hacked databases or susceptible every time you hand your card over to a gas station attendant.

Viruses in spam or phishing emails continue to plague consumers and as scammers get more sophisticated, the chances of getting hooked increase.

Banks and business will continue to feel the pressure as criminals target their clients’ data.

Credit card skimming at ATMs and gas pumps makes it impossible to protect yourself when you could essentially be handing your digits over to a criminal.

Skimming is one of the financial industry’s fastest-growing crimes, according to the U.S. Secret Service. The worldwide ATM Industry Association reports over $1 billion in annual global losses from credit card fraud and electronic crime associated with ATMs.

Marite Ferrero, a blogger with Finextra, adds, “In Europe, the points of compromise are everywhere: ATM, gas pumps, parking, DVD rentals, movie tickets, food kiosks, tolls, buying metro tickets, and the list goes on… Because of chip and pin implementation, the proliferation of stand-alone terminals that accept chip and pin has provided a profitable playground for fraudsters.”

While the card holder is generally only responsible for the first $50.00 in losses, which is often waived by a “zero liability policy,” card holders who don’t pay attention to their statements often let these charges pass and eat them.

There are many technologies available to secure credit cards, such as “smart cards” and “chip and pin.” However, due to the nature of a credit card transaction, once the data leaves the card, it’s up for grabs. Whatever card security their may have been is now gone.

Check your credit and banking statements carefully. Scrutinize every charge and refute any unauthorized charges within 30-60 days. Call your bank or credit card company immediately if you see any fraudulent activity.

Invest in identity theft protection. Credit freezes or fraud alerts help prevent new account fraud. Protect your PC with McAfee, or other Internet security software.

Robert Siciliano, identity theft speaker, discusses credit card fraud.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.