Your identity is an illusion

Robert Siciliano Identity Theft Expert


Like it or not, you will soon be effectively identified. And by “soon,” I mean within the next 10 years. Big Brother, whatever that means, will have your “number.” Governments across the globe have been gearing up and introducing numerous technologies to identify, verify and authenticate.

Identity is a simple idea that has become a complex problem. It has become complex due to fraud: fraud motivated by money, easy credit, and the ease of account takeover. Because identity has yet to be effectively established, anyone can be you. “Identity has yet to be established” is a bold statement that really requires an entire blog post. I’ll explain briefly here and in detail another time.

We have as many as 200 forms of ID circulating from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. We use “for profit” third party information brokers and the lowly vital statistics agency that works for each state to manage the data. All of these documents can be compromised by a good scanner and inkjet printer. This is not established identity. This is an antiquated treatment of identity and ID delivery systems. Identity has yet to be established.

Proper identification starts with government employees, who basically have little say in the matter. Small, specific segments of society such as airport employees, those of immediate concern to Homeland Security, are also first in line to be identified.

Security Management reports that as of this month, all workers and mariners attempting to access secure maritime and port areas nationwide will have to flash a government-approved Transportation Worker Identification Credential (TWIC), a biometric identification card, before entry. As expected, the system is riddled with problems and complaints.

HSPD-12, or Homeland Security Presidential Directive 12, set universal identification standards for federal employees and contractors, streamlining access to buildings and computer networks, but not without some glitches.

Many privacy advocates scream in horror about a national ID. The fact is, we already have a national ID and it’s the Social Security number. While the Social Security number was never intended to be a national ID, it became one due to functionality creep. And it does a lousy job, because anyone who gets your SSN can easily impersonate you.

Privacy advocates and others who believe that there is or ever was true privacy are operating under an illusion. The issue here isn’t really privacy, it’s security. It’s managing our circumstances. Growing up, my mother was a privacy advocate. She advocated that privacy was a dead issue as long as I lived in her house. At any given time, she could rifle through my stuff if she even got a hint of glazed eyeballs.

I’ve always been fascinated with identification and what it means. Over the years, as I’ve dug deeper into information security and then identity theft, I have been floored by the ineffectiveness of the existing system. Numerous identity technologies use software or hardware as the delivery system. A smartcard is a delivery system; it isn’t your identity. Identity may include biometrics and verification questions.

Then there is the issue of properly identifying a person. How? And what is the difference between authentication and verification? I’ve always used them interchangeably, so I asked an expert, Jeff Maynard, President and CEO of Biometric Signature ID, who is in the game of properly identifying his clients’ clients through dynamic biometrics, for his take on authentication vs. verification. There is a distinct difference. “Authentication is the ability to verify the identity of an individual based on their unique characteristics. This is known as a positive ID and is only possible by using a biometric. A biometric can be either static (anatomical, physiological) or dynamic (behavioral). Examples of each are: Static – iris, fingerprint, facial, DNA. Dynamic – signature gesture, voice, keyboard and perhaps gait. Also referred to as something you are. Verification is used when the identity of a person cannot be definitely established. Technologies used provide real time assessment of the validity of an asserted identity. We don’t know who the individual is but we try to get as close as we can to verify their asserted identity. Included in this class are out of wallet questions, PINs, passwords, tokens, cards, IP addresses, behavioral based trend data, credit cards, etc. These usually fall into the realm of something you have or something you know.”

Identity proofing means proving identity, which, as I see it, is the foundation for identity and one of the most overlooked and under-discussed aspects of identity amongst industry outsiders. This is a most fascinating topic. I will get into that soon.

Robert Siciliano, identity theft speaker, discusses Social Security numbers.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself.  Check out uniball-na.com for more information. 

Identity Theft Expert; Cybersquatting Leads to Fraud

Robert Siciliano Identity Theft Expert

Ever click on a link from an email or while surfing and something just wasn’t right? The domain name in the address bar looked like a letter or two off? A misspelling? Maybe it had a number tossed in there for good measure? This is either cybersquatting or typosquatting, and it’s a problem.

Cybersquatting is the act of procuring someone else’s trademarked brand name online as a dot com or any other US-based extension.

Cybersquatters squat for many reasons, including impersonation for fun, hoping to resell the domain, using the domain to advertise competitors’ wares, stalking, harassment or outright fraud.

Grabbing someone’s given name is also a form of cybersquatting and is happening in social networks and on Twitter. Twitter is affected by Twittersquatting, where people’s names and an estimated top 100 brands have been hijacked.

There are also bunches of Kevin Mitnicks (the hacker) on Facebook, which even prevented the gent from accessing his own Facebook account. Facebook fixed the problem after Mitnick rightfully bitched, then CNET made a call. Then Facebook listened. Facebook said “We are very aggressive in fostering and enforcing our real name culture and sometimes we make mistakes. But it’s rare, and it’s been fixed.”

Cybersquatting is also done maliciously for fraud. The identity thieves will jack a domain similar to that of a bank and create a spoofed site for phishing. Often, if the domain isn’t available, then the next best thing is typosquatting. Annualcreditreport.com was a victim of that. More than 200 domains were snapped up right after the site launched.
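The look-alike domains the post describes (a letter or two off, a number swapped in for a letter, a different extension) can be caught mechanically by comparing the registrable label of each domain a user is sent to against a list of brands you want to protect. The following is an added example, not code from the original post: it computes edit distance against a protected brand list, folds common letter-for-digit swaps before comparing, and flags a different extension on the same label. The brand list and the sample URLs are constructed for the example; only annualcreditreport.com is taken from the post.

```python
from urllib.parse import urlparse

# Brands whose registrable labels we want to protect. Constructed list for this
# example: annualcreditreport.com appears in the post, examplebank.com is a placeholder.
PROTECTED_DOMAINS = ["annualcreditreport.com", "examplebank.com"]

# Characters commonly swapped for look-alike letters ("a number tossed in there").
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def host_of(url_or_host: str) -> str:
    """Extract the host from a full URL or a bare host string."""
    if "://" in url_or_host:
        return (urlparse(url_or_host).hostname or "").lower()
    return url_or_host.split("/")[0].lower()


def registrable_label(host: str) -> str:
    """Return the second-level label, e.g. 'www.foo.com' -> 'foo'."""
    parts = host.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold_confusables(label: str) -> str:
    """Replace digit/letter-pair look-alikes so 'rep0rt' compares equal to 'report'."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, protected=PROTECTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_brand, score).

    verdict is 'legitimate' for the brand domain or one of its subdomains,
    'suspicious' when the registrable label is within max_distance of a brand
    (after folding confusables) but the host is not the brand itself, and
    'unrelated' otherwise. score is the best distance found (0 means identical
    after folding, e.g. a digit swap or a different extension).
    """
    host = host_of(candidate)
    label = registrable_label(host)
    hits = []
    for brand in protected:
        if host == brand or host.endswith("." + brand):
            return ("legitimate", brand, 0)
        brand_label = registrable_label(brand)
        score = min(edit_distance(label, brand_label),
                    edit_distance(fold_confusables(label), brand_label))
        if score <= max_distance:
            hits.append((score, brand))
    if hits:
        score, brand = min(hits)
        return ("suspicious", brand, score)
    return ("unrelated", None, None)


if __name__ == "__main__":
    # Constructed sample of links a user might be sent to.
    for link in ["https://www.annualcreditreport.com/login",
                 "anualcreditreport.com", "annualcreditrep0rt.com",
                 "annualcreditreport.net", "examp1ebank.com", "ledzeppelin.com"]:
        print(link, "->", classify(link))
```

The threshold of two edits is deliberately tight: a longer label tolerates more edits before a human would notice, but a loose threshold against many protected brands produces false positives, so tune `max_distance` per brand-label length if the list grows.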

This is just one more reason to protect yourself from identity theft.

Back in the day, I was accused of cybersquatting! Here. I wasn’t, I swear! Back in the early ’90s, with my IBM PS1, Consultant 3.1 Microsoft operating system and a rockin’ 150 MB hard drive, I bought me up some domains as well. Some that I sold, others I regrettably gave up, and one that will haunt me till the day I die.

I owned LEDZEPPELIN.com for about 5-6 years. Led Zeppelin then and now is my band, and as a fan I bought the domain as a keepsake. I would get emails from people globally like “I am Paulo from Brazil, I love the Led Zep!”

Then when Clinton passed a law later making cybersquatting illegal, I knew it was a matter of time. I had it for 5 years before anyone from the band’s team of lawyers approached me on it. And when they did I didn’t know how to handle it. And my lawyer at the time even less so. Ultimately I gave it up without a fight on my part, but I’m sure the band’s lawyers billed them for the 1 inch thick book of a lawsuit I was served with. Sorry dudes. My bad.

In this case the lawyers saw an opportunity to build a case against me, a fan that would have been happy with a stupid guitar pick from Jimmy. Instead I sat in silence for a year while they built a huge case as to why they should own the domain. When served, I freaked and called them yelling to take it, I never wanted that.

One of few regrets. But I have a nice 1 inch thick book about me and the band and why I’m an idiot.

Anyways, back to cybersquatting. A recent report from the NY Times sourced MarkMonitor, a domain name seller and company that protects brand names from misuse, which tracked an 18 percent rise in the incidence of cybersquatting.

Which means, as a brand or individual (or band, eesh), get your name on social network sites or as a domain name NOW. Then get your kids’ names as well.

Because they may be Zeppelin famous and have to fight a twit like me.

Robert Siciliano Identity Theft Speaker discussing DNS issues Here


Fake IDs, Fake Passports Easy To Make or Buy

Robert Siciliano Identity Theft Expert

Fake IDs aren’t just a tool to get into a bar; they are a significant threat to personal security and national security.

Who in their teens and college years didn’t have a fake ID? I did.

At 17, I was 23! That meant I could buy alcohol, go to bars and take others to “R” rated movies. It also meant I was a ROCK STAR. For a minute.

A friend of mine peeled apart Massachusetts IDs and melted crayons together to create colors that matched the ID’s colors. He would apply the crayon to the face of the ID and alter the person’s age. For example, if you were born in 1968, he would color the left side of the 8 the same color as the ID, making it a 3. 1963 gave you five extra years to party!!

Then he’d just seal it back up and voila! You were a ROCK STAR.

CNN reported that the Government Accountability Office did a test. An investigator used a fake ID to get a real passport. Once he had the passport, he bought an airline ticket and went through security. How stupid big is that hole in security?

Former DHS Secretary Chertoff said, and I agree; “I’m going to submit to you that in the 21st Century, the most important asset that we have to protect as individuals and as part of our nation is the control of our identity, who we are, how we identify ourselves, whether other people are permitted to masquerade and pretend to be us, and thereby damage our livelihood, damage our assets, damage our reputation, damage our standing in our community.”

The problem here is that the speed of technology has far outpaced the security of our identifying documents. Anyone with a computer, scanner, printer, laminator and, for crying out loud, CRAYONS can create breeder documents that are then used to get real IDs.

This makes it very difficult to prevent identity theft when anyone can be you any time.

What contributes to the problem is that there are thousands of variations of birth certificates, dozens of Social Security cards and a couple hundred different drivers’ licenses in circulation, with very little security and no significant standards preventing counterfeiting. I’m sure plenty will argue this point with me; however, the fact remains, fake IDs are everywhere.

Identity theft protection becomes very difficult.

While technology certainly exists to properly identify and authenticate through numerous technologies, privacy advocates and ignorant politicians will fight till the death to prevent their implementation for 2 reasons: 1. Cost, which is a naive argument. 2. Privacy issues.

Cost: spend whatever it takes to properly identify and authenticate. Privacy: it is DEAD. Security is the issue we need to be concerned about. Manage our circumstances and tighten things up. The UAE has an “Identity Card” in place that is the best active solution I’m aware of.

There are hundreds of solutions being proposed every day, but cost and privacy continue to creep up. One argument some have is that technologies such as RFID and biometrics are the equivalent of the Mark of the Beast. That just goes right over my head.

The Real ID Act has been passed, slammed and revisited. It is the first step towards effective authentication. Fight it as you might, it’s coming.

Robert Siciliano Identity Theft Speaker discusses Identity Theft and the rampant use of Social Security numbers Here


Criminals Target ATMs to Steal Vital Personal Financial Information From Customers

Robert Siciliano Identity Theft Expert Speaker

Skimming is one of the financial industry’s fastest-growing crimes, according to the U.S. Secret Service. Also, the worldwide ATM Industry Association reports over $1 billion in annual global losses from credit card fraud and electronic crime associated with ATMs.

Skimming is a relatively low tech crime. It can occur in a few different ways. The most common is when a store clerk takes a wedge card skimmer and runs your card through, skimming the information off the magnetic strip.

Once the thief has the credit or debit card data, they can place orders over the phone or online.

They can also rip the data from the wedge and burn it to blank “white” cards. These white cards are effective at self checkouts or when the thief knows the clerk and they “sweetheart” the transaction. These white cards can also be pressed with foils to look like a legitimate credit card.

Then there is a more sophisticated skim. Thieves actually place a hard device on the face of the ATM that looks like part of the ATM. It’s almost impossible for a civilian to know the difference unless they have an eye for security, or the skimmer is of poor quality.

Often the thieves will mount a small pinhole camera on the side of the ATM in a brochure holder to capture the victim’s PIN.

It’s not just ATMs that are potential marks; gas pumps are just as vulnerable. See video of me discussing it Here and another article Here

ADT Unveils Anti-Skim Tool

ADT has a new technology that prevents ATM skimming. I haven’t seen it yet, but it sounds promising. The ADT Anti-Skim™ ATM Security Solution helps prevent skimming attempts and detects skimming devices on all major ATM makes and models.

ADT’s anti-skim solution is installed inside an ATM near the card reader, making it invisible from the outside. The solution detects the presence of foreign devices placed over or near an ATM card entry slot, without disrupting the customer transaction or operation of most ATMs. Also, the technology helps prevent card-skimming attempts by interrupting the operation of an illegal card reader.

The ADT Anti-Skim ATM Security Solution:
• Helps protect the integrity of cardholders’ personal financial information during ATM transactions.
• Can trigger a silent alarm for command center response and coordinate video surveillance of all skimming activities.
• Requires no software adjustments to the ATM.
• Does not connect to or affect the ATM communications network.
• Has more than 40,000 successful ATM applications worldwide.

Prior to its North American introduction, the ADT Anti-Skim ATM Security Solution was successfully field tested on dozens of ATMs of four major U.S. financial institutions in controlled pilot programs. Testing pilots yielded positive results, with no known skimming compromises occurring.

Again, I haven’t seen it, but I would like a first hand demonstration. ADT, have your peeps call my peeps.

Robert Siciliano Identity Theft Expert discussing ATM skimming Here

Recession Turns IT Workers Into Hackers

Robert Siciliano Identity Theft Expert

What a nasty headline for an article.

In the ABCnews.com piece, the journalist roasts IT professionals on a spit. And the comments were all inspiring.

As the recession rears its ugly head, disgruntled ex-employees are in the best position to drop a bomb in the company’s network or suck all the data out with a few terabyte drives.

A recent study by McAfee and Purdue University put the tally of fraud, data loss and damage done at 1 trillion dollars. A thousand billion sounds like a lot of money.

To paraphrase some of the comments:

No matter how you look at it, when heads start to roll, most people that are about to be let go feel unjust and express hostility towards the employer (often, rightly so). These are the same people who were loyal company employees for years. Unfortunately, these are no win-win situations when it comes to the downsizing and companies should take proper actions to address it.

Your system admin is the gate keeper. Anyone who has access to sensitive data can potentially abuse the privilege. The loan officer, the loan processor, the secretary, the human resources gal two cubes down the hall, the cleaning people that take out our trash at night… Without proper controls in place anybody can be the bad guy. On the other hand, with adequate management these issues can be avoided, even when it comes to IT employees.

Manage your end points, your USB devices, your computer ports, your printers… Segregate your system administration roles. Tools are there. And who is going to implement them? Your IT guy. (thank you Sashimi11)

With the incredible amount of layoffs occurring, companies are bound to lay off an employee who will exact some revenge. Some say “Companies whose knee-jerk response is to cut costs by canning employees deserve some wrath”. But, in the end, the wrath doesn’t get you your job back. (thank you Patches777)

Most are working individuals, doing what they do best. All the while staying under the radar, and afraid, just like everyone else, of the threat of layoffs. The latter doesn’t mean an internal flip is switched and they bug out and start stealing trade secrets. (thank you kyleratliff)

On another note, as budgets are cut and IT pros are let go, the show must go on.

Bill Lynch of RazorThreat said to me “We are encountering lots of very frustrated CIOs who are caught on the horns of a dilemma…their IT budgets and headcount are being slashed but their CEOs are simultaneously demanding that they reassure them and the Board of Directors that they are not vulnerable to the same kinds of cyber attacks that have plagued some big firms lately.

They know they cannot afford to buy complex, expensive and difficult to deploy new security software and the people to manage them and yet they have to stand before the Board and profess that their networks are secure”.

The fact is, data breaches will continue and IT will often be to blame. There is a light at the end of the tunnel. There are numerous technologies that won’t break the bank and will keep the BOD happy. Companies have to consider numerous threats of theft and mayhem. Review security policies and who has access to what, and why. In the end, make sure employees are let go with dignity and respect.

Robert Siciliano Identity Theft Speaker discussing Credit Card Fraud Here

Neighborhood Identity Thieves From Hell

Robert Siciliano Identity Theft Expert Speaker

Keep your friends close and your enemies closer. Unfortunately, your enemies could be living in your home or across the street. As the economy tanks, people get desperate, and thieves’ victims become those in their lives.

With all the hullabaloo about criminal hackers and identity thieves organizing as webmobs from all over the world, people often forget that it’s the people in our lives that are the closest to us who often perpetrate these crimes.

Especially in tough times, identity thieves could be someone in your inner trusted circle. I’ve consulted on stories where the dad stole his child’s identity. Those closest to us at home or work have direct access to our data.

“Familiar” identity theft happens because the thief goes through a process of rationalizing their ability to commit the crime. The process is often referred to as the “Fraud Diamond”.

First they have Incentive. They say “I want to or have a need to commit this crime”. Next is Opportunity. They see a hole or weakness in the system they can easily exploit. And of course Rationalization: “I have convinced myself it is worth the risks”. Lastly, Capability: they determine they are the right person for the job and can pull off the scam.

Here, a local neighborhood was terrorized by a drug-addicted mom and dad who had a penchant for technology and used their skills to feed their habit.

Many of the crimes they committed could have been prevented.

1. Get a credit freeze or fraud alert
2. Invest in a locking mail box
3. Shred all throwaway paper work
4. Turn off paper statements
5. Turn on WPA security for your wireless network
6. Pay attention to all your statements and refute unauthorized charges
7. As a national spokesperson for uni-ball, I recommend using a uni-ball® pen, which contains the Uni “Super Ink” formula, to write checks and sign important documents. This specially-formulated ink won’t wash out and protects against check washing. Those closest to you have access to your canceled checks and can rewrite them to themselves.

Robert Siciliano Identity Theft Speaker Expert discussing family identity theft Here

THIEVES INITIATE NEW IDENTITY THEFT SCAMS IN TIME FOR TAX SEASON

uni-ball® teams with Identity Theft Resource Center and Identity Theft Expert Robert Siciliano to Warn Consumers of Latest Scams and Offer Anti-Theft Solutions

Oak Brook, Ill. – March 4, 2009 – Tax time scams are at an all-time high, according to Robert Siciliano, well-known identity and security theft expert and author of the book “The Safety Minute: How to Take Control of Personal Security and Prevent Fraud.” As economic pressures continue to increase, Siciliano says criminal activities such as sophisticated, organized theft, including the number of new scams intended to trick consumers this tax season, are expected to rise as well.

“More than 155 million tax forms were filed last year,” said Siciliano, “the majority of them without incident.1 But people need to understand that thieves are inventing new ways to steal identities each and every day. And since tax time is a key period when we see a spike in identity theft, it’s crucial that we get the word out now and educate people about the latest scams.”

As part of its ongoing campaign to elevate awareness about the growing threat of identity theft, uni-ball®, a leading brand of pens, many of which contain specially formulated ink that helps prevent check fraud, is working with the Identity Theft Resource Center (ITRC) and Siciliano to help stop identity thieves in their tracks. As CEO of IDTheftSecurity.com, Siciliano has seen first-hand the brute blow identity theft delivers to its victims, and has helped scores of them dig out from the financial and emotional turmoil of being scammed.

Together, the ITRC, Siciliano and uni-ball are issuing the following warnings, asking consumers to be on high alert during tax time for these identity theft scams and more:

• Professional Thieves and Targeted Attacks. The ITRC anticipates an increase in more sophisticated ways to “mine” information, sometimes by organized crime groups. Cybercrime, which includes transporting or selling large amounts of personal information from one group both nationally and internationally, will continue and expand. Part of this trend includes “skimming” (duplicate scanning of credit cards or debit cards), and the use of fake fronts on payment scanners and ATM machines.


• Tax Preparer Scams. Most recently, there are reports of tax preparers telling clients they must pay back their 2008 stimulus payments and then pocketing the money. Not all professional tax preparers have your best interest at heart, according to the ITRC. Make sure you do research and choose your tax preparer wisely.

• Check Fraud. As it becomes more difficult to get new lines of credit, identity thieves may be increasingly drawn to commit check fraud. These crimes may take the form of stolen checks, using checks thrown into the trash by unknowing consumers, or a type of identity theft known as “check washing.” Check washing occurs when checks or other tax-related documents are stolen from the mail or by other means and the ink is erased using common household chemicals, allowing thieves to endorse checks to themselves. This is where something as simple and inexpensive as a uni-ball pen can help. Select uni-ball pens contain specially formulated gel ink (trademarked Uni-Super Ink™) that is absorbed into the paper’s fibers and can never be washed out.

• Late Payment Scam. As people fall behind on their utilities or taxes, lists are created and available either internally or as public record. These lists can fall into the wrong hands and thieves call unassuming people to collect.

• Text Messaging Scams: Phexting. Criminal hackers have access to everything these days, including the technology that generates cell phone numbers, as well as access to mass text messaging services. Once the data is secured, they are able to send text messages that install keyloggers (a method of capturing and recording user keystrokes) or direct you to Web sites that steal personal data.

• Internet Scams: Phishing. Phony e-mails that try to trick customers into giving out personal information are the hottest, and most disturbing, new scam on the Internet. “Phishing” frauds attempt to make Internet users believe they are receiving email from a specific, trusted source, or that they are securely connected to a trusted Web site, when that is not the case. This scam is generally used as a means to convince individuals to provide personal or financial information that enables the perpetrators to commit credit card, bank fraud or other forms of identity theft.

“Identity theft is a giant octopus,” said Siciliano. “Educate yourself on the many facets of the problem and learn your options to defend yourself from each leg of this monster. Doing something as simple as paying attention to the pen you use could save you thousands of dollars and endless hours of headaches. Personally, I never write checks or sign important documents without using a uni-ball gel pen with specially formulated Uni-Super Ink.”

“Uni-ball pens with Uni-Super Ink help prevent identity theft,” said Steve Gradman, senior brand manager of uni-ball. “Our goal is to help ease the minds of individuals when writing sensitive materials – from legal and medical documents to checks and tax forms. It’s a simple, inexpensive pen, but it packs a lot of punch when it comes to identity theft prevention.”


Many uni-ball pens, including the uni-ball 207 gel pen, the Jetstream, Jetstream RT and Vision Elite roller ball pens, use specially formulated inks that contain tiny color pigments. This exclusive “Super Ink™” helps prevent document and check fraud by absorbing into the paper fibers. When an individual tries to wash or lift the inked information written on the document, the ink remains “trapped” within the fibers of the paper, thereby discouraging the efforts of identity thieves.

Identity theft rose 22 percent in 2008, and Siciliano predicts it will go up again in 2009. “Now is the time to become educated in order to prevent this offensive crime,” he said.

For more information on how to protect yourself this tax season, visit www.uniball-na.com

### 

1 http://www.irs.gov/newsroom/article/0,,id=188359,00.html

About uni-ball®

uni-ball® is a world leader in providing an optimal writing experience, offering writing instruments with superior functionality and affordability. From the JetStream® pen’s smooth write to the intense color and superior performance of the uni-ball 207 gel pen, the brand allows one to enjoy the ultimate in writing performance coupled with a distinctive, contemporary style. Newell Rubbermaid Office Products, marketer and distributor of uni-ball® pens in North America, is a worldwide leader in the manufacturing and marketing of writing instruments, art products and office organization and technology products, including such well known brands as Paper Mate®, Sharpie®, DYMO®, Parker®, Waterman®, EXPO®, uni-ball®, and Rolodex®, among others. Visit www.uniball-na.com for more information.

About Robert Siciliano

Robert Siciliano “The Lifesaver” is an expert on personal security and identity theft. He has 25 years of experience in self-defense, security work, martial arts and white collar crimes. An author, sought after media personality and identity theft speaker, Robert has been seen on the Today Show, CBS Early Show, CNN, MSNBC, FOX, CNBC, USA Today, Forbes, Good Housekeeping, Readers Digest, Consumer Digest, Boston Globe, Washington Post, Chicago Tribune, ABC News.com, TechRepublic, Search Security, AP, UPI, Reuters, and Entrepreneur. Robert recently released his third book, “The Safety Minute: How to Take Control of Personal Security and Prevent Fraud”.

About the ITRC

The San Diego-based Identity Theft Resource Center (ITRC) is a non-profit 501(c)(3) organization established in December 1999 to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft. It is the on-going mission of the ITRC to assist victims, educate consumers, research identity theft and increase public and corporate awareness about this problem.

Are You a Hacker or Hackee?

Robert Siciliano Identity Theft Expert Speaker

In the past decade there have been hundreds of data breaches resulting in millions of compromised records. The motivation behind these hacks? Identity theft. As a result, dozens of new laws and government interventions have been introduced to protect citizen data.

Black, white or grey, over the past decade the media has given the term “hacker” a negative connotation. Or is it hackers that gave the term a negative connotation? Just asking!? Either way, whenever I’m talking about a bad guy hacker I’m careful to precede the word hacker with “criminal” so I don’t piss off anyone who considers themselves a good guy hacker.

Thomas Edison, Benjamin Franklin and Alexander Graham Bell were all hackers. Good ones too.

Hackers in general take pride in their skills, as they should. They are often a head above the rest, on top of what is new and ahead of what’s next in technology. Many are self-taught and many hone their skills with additional formal training.

In the past the word “cracker” has been tossed around and never quite stuck when referring to criminal hackers. And of course “script kiddie”, referring to bad hackers that are just trying to make a name for themselves. We don’t hear that term much anymore, due to the fact that most mischievous hackers are generally criminal because they are breaking the law.

What many are beginning to realize is that there is a battle going on 24/7/365 between the whitehats and the blackhats. President Obama has chimed in with a directive to review the nation’s cyber security as it relates to security and our critical infrastructures. You are either a (criminal) hacker or a hackee. Predator or prey.

The US Federal Aviation Administration, the bureau that would have been in the best position to stop 9/11, recently disclosed a breach in a server that was hacked.

Very recently, reports came in from a Romanian-based blog bragging about script-kiddie-type accomplishments: the criminal hackers had compromised sites owned by Kaspersky Security, F-Secure and BitDefender. To what degree they were compromised, and whether it was considered a real threat, is unknown. They all reported that data was not stolen. Initial reports describe hacks known as SQL injection and cross-site scripting, which affect applications and can be used to steal data.

All this means the criminal hackers are not messing around. While the details may be over the heads of most hackees, it’s a real problem that everyone should, and unfortunately will, continue to become more familiar with. As a citizen who uses various technologies, you need to make a concerted effort to understand what you are up against and put systems in place to protect yourself.

Robert Siciliano Identity Theft Speaker Expert discussing criminal hackers busted Here

Identity Theft Speaker Expert on National Television 2/24/09 M&J Show

Robert is in NYC Tuesday morning on the Morning Show with Mike and Juliet: “M&J Investigates” work-at-home scams. http://www.mandjshow.com/about-the-show.

Here are past shows:
Holiday Scams http://www.youtube.com/watch?v=Q22ifUbTbiY

Cyber Monday Scams http://www.youtube.com/watch?v=Ixn26vVTfns

More here: http://www.youtube.com/user/stungundotcom

Show times and listings http://www.mandjshow.com/about-the-show/

Homepage www.IDTheftsecurity.com

LinkedIn http://www.linkedin.com/in/robertsiciliano
Twitter https://twitter.com/RobertSiciliano
FriendFeed http://friendfeed.com/identitytheft
Blog http://robertsiciliano.com/blog/
YouTube http://www.youtube.com/stungundotcom
Finextra http://www.finextra.com/community/profile.aspx?id=44396
BankInnovation http://bankinnovation.net/profile/IdentityTheftSpeaker
Facebook http://www.facebook.com/people/Robert-Siciliano/534933030
IMDB http://www.imdb.com/name/nm2892079/resume
Wiki http://en.wikipedia.org/wiki/Robert_Siciliano

Preventing Inside Jobs, Keeping Inside Hackers Out

Robert Siciliano Identity Theft Speaker and Expert

Are you familiar with a “logic bomb”? It is a malicious piece of code, planted inside an otherwise legitimate system, that lies dormant until a trigger condition is met, typically a date, and then executes a destructive payload. The goal of a logic bomb is to disable the systems that monitor data, protect it, back it up or access it. Unlike a virus, a logic bomb does not need to copy itself from machine to machine; its author usually plants it using the access they already have, and the payload itself may be a script that reaches every server that access can touch.

A Wall Street Journal story provides an example: an employee at Fannie Mae, knowing he was about to be fired, committed an act of sabotage by installing a logic bomb set to detonate almost three months after his departure. The detonation would have taken the organization offline for almost a week and cost millions of dollars.

In this true-crime story, an observant programmer who was still employed there noticed the code and disabled it before the damage could be done.
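What the observant programmer did by chance can be turned into a routine offboarding check. The following is an added Python example, not code from the original post and not related to Fannie Mae’s systems: it reads constructed crontab-style entries and the constructed scripts they run, and flags any job whose owner has already left, as well as any script that pairs a calendar-date comparison with a destructive command. The cron lines, script bodies, departed-user roster and audit date are all assumptions made up for the example, and the destructive-command and date-gate patterns are simple heuristics, not a complete detector.

```python
import re
from datetime import date

# Constructed HR roster: username -> last day of employment (example data).
DEPARTED = {"mwilson": date(2009, 1, 15)}

# Constructed "today" for the audit run (example data).
AUDIT_DATE = date(2009, 1, 28)

# Constructed system crontab entries: minute hour dom month dow user command.
CRON_LINES = """
0 2 * * * root /usr/local/bin/backup.sh
30 1 * * * mwilson /home/mwilson/cleanup.sh
0 * * * * jdoe /opt/app/rotate_logs.sh
"""

# Constructed script bodies keyed by path, as an auditor would read them from disk.
SCRIPTS = {
    "/usr/local/bin/backup.sh": "#!/bin/sh\ntar czf /backup/$(date +%F).tgz /srv/data\n",
    "/home/mwilson/cleanup.sh": (
        "#!/bin/sh\n"
        "# Dormant until the trigger date, then wipes the data directory.\n"
        'if [ "$(date +%Y%m%d)" -ge 20090131 ]; then\n'
        "  rm -rf /srv/data/*\n"
        "fi\n"
    ),
    "/opt/app/rotate_logs.sh": "#!/bin/sh\nfind /var/log/app -mtime +30 -delete\n",
}

# Heuristic patterns: a command that destroys data, and a shell comparison that
# gates execution on a YYYYMMDD calendar date. Both are illustrative, not exhaustive.
DESTRUCTIVE = re.compile(
    r"\b(rm\s+-rf|mkfs|dd\s+if=|DROP\s+(?:TABLE|DATABASE)|shred)(?!\w)", re.I)
DATE_GATE = re.compile(r"date\s+\+%Y%m%d.*?-(?:ge|gt|eq)\s+(\d{8})", re.I)


def parse_cron(text):
    """Split system-crontab lines into {user, command} jobs; skip malformed lines."""
    jobs = []
    for line in text.strip().splitlines():
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append({"user": parts[5], "command": parts[6]})
    return jobs


def audit(jobs, scripts, departed, today):
    """Return (user, script_path, reasons) for every job that deserves a human look."""
    findings = []
    for job in jobs:
        path = job["command"].split()[0]
        body = scripts.get(path, "")
        reasons = []
        last_day = departed.get(job["user"])
        if last_day is not None and today > last_day:
            reasons.append("owner left on %s but job still scheduled" % last_day)
        gate = DATE_GATE.search(body)
        destructive = DESTRUCTIVE.search(body)
        if gate and destructive:
            reasons.append("'%s' gated on date %s" % (destructive.group(1), gate.group(1)))
        if reasons:
            findings.append((job["user"], path, reasons))
    return findings


def run_audit():
    """Run the audit over the constructed data above."""
    return audit(parse_cron(CRON_LINES), SCRIPTS, DEPARTED, AUDIT_DATE)


if __name__ == "__main__":
    for user, path, reasons in run_audit():
        print("%s %s: %s" % (user, path, "; ".join(reasons)))
```

The first check (jobs still owned by someone who has left) is the cheap one and should be part of every termination procedure; the second is a crude tripwire for code that is waiting for a date, and its real value is in prompting a person to read the script.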

Think for a moment about your home, flat or apartment and how you would break in if you lost your keys. Now imagine a burglar who knew what you know about where you hide and store your stuff. How much damage could he do, knowing what you know? Insiders pose the same problem. They know the ins and outs of all the systems in place and can wreak havoc on your operation while they are employed, and sometimes after they are let go.

The problems begin when we put people in a trusted place. They are granted access because their job requires them to perform certain duties, and too often that access is carte blanche. Ultimately this is a people problem and needs to be addressed that way.

1. Limited Sources; grant access only to a few trusted people. Minimize the number of staff who have access to whatever systems are in place.

2. Due Diligence; in the information age, our lives are an open book. Background checks from information brokers are necessary, and not doing one increases your liability. A person previously convicted of a crime just might do it again.

3. Limit Access; even a good apple can eventually go bad. By restricting the access of even those in a trusted position to what their job actually requires, you ensure that if they turn sour they can only do limited damage.

4. Defense in Depth; audit, audit, audit. This is all about checks and balances: separation of duties and multiple layers of authorization. We’ve all watched the movie where, in order to launch the missile, two keys held by two people had to be turned and two buttons pressed. Put systems in place so that someone is always watching over someone else’s shoulder, and so that no single person can both request a dangerous action and approve it. This way the bad apple can’t hide or execute their malicious intent.

5. Prosecute the Guilty; in the event of a breach of trust, make an example of the person that others won’t forget. Public hangings are a strong deterrent.
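Points 1, 3 and 4 above can be expressed as one small authorization module. The following is an added Python example, not the author’s code and not any vendor’s product: each role is granted only the operations it needs, operations listed as dangerous need a second person to approve them, the approver may not be the requester, and every decision is appended to a hash-chained log so that an entry cannot be altered afterwards without the chain failing verification. The role table, operation names and user names are assumptions constructed for the example.

```python
import hashlib
import json

# Constructed role table (least privilege): each role lists only the operations
# it needs; anything not listed is denied. Example data only.
ROLE_PERMISSIONS = {
    "operator": {"read_config", "restart_service"},
    "dba": {"read_config", "run_query", "drop_table"},
    "security": {"read_config", "approve"},
}

# Operations dangerous enough to need a second person's key (the "two keys" rule).
TWO_PERSON_OPS = {"drop_table", "restart_service"}


class AccessControl:
    def __init__(self, users):
        self.users = dict(users)   # username -> role
        self.pending = {}          # request id -> (requester, op, target)
        self.log = []              # append-only, hash-chained audit entries
        self._next_id = 1

    def _record(self, **event):
        # Each entry's hash covers the previous hash plus its own content, so
        # editing or deleting an earlier entry breaks every hash after it.
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        body = json.dumps(event, sort_keys=True)
        event["hash"] = hashlib.sha256((prev + body).encode()).hexdigest()
        self.log.append(event)

    def permitted(self, user, op):
        return op in ROLE_PERMISSIONS.get(self.users.get(user, ""), set())

    def request(self, user, op, target):
        if not self.permitted(user, op):
            self._record(action="denied", user=user, op=op, target=target)
            return {"status": "denied"}
        if op in TWO_PERSON_OPS:
            rid = self._next_id
            self._next_id += 1
            self.pending[rid] = (user, op, target)
            self._record(action="pending", user=user, op=op, target=target, request=rid)
            return {"status": "pending", "request": rid}
        self._record(action="executed", user=user, op=op, target=target)
        return {"status": "executed"}

    def approve(self, approver, rid):
        if rid not in self.pending:
            return {"status": "unknown"}
        requester, op, target = self.pending[rid]
        # Separation of duties: the requester cannot be their own second key,
        # and the approver needs the approve permission in their own role.
        if approver == requester or not self.permitted(approver, "approve"):
            self._record(action="approval_denied", user=approver, request=rid)
            return {"status": "denied"}
        del self.pending[rid]
        self._record(action="executed", user=requester, approver=approver,
                     op=op, target=target, request=rid)
        return {"status": "executed"}

    def verify_log(self):
        """Recompute the chain; False means an entry was altered or removed."""
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(
                (prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    ac = AccessControl({"dave": "dba", "olivia": "operator", "sam": "security"})
    print(ac.request("olivia", "drop_table", "customers"))  # denied: not her job
    r = ac.request("dave", "drop_table", "customers")       # pending: needs 2nd key
    print(ac.approve("dave", r["request"]))                 # denied: same person
    print(ac.approve("sam", r["request"]))                  # executed
    print("log intact:", ac.verify_log())
```

In a real deployment the log would be written to a system the privileged users cannot modify (a separate log host or append-only store), since an insider with write access to the audit trail can simply rewrite the chain from the start; the hash chain only makes tampering detectable, not impossible.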

It is human nature to trust each other. We are raised to be civil toward one another and to respect those in positions of authority. It takes a significant amount of trust in your fellow human beings to drive down the street while cars head toward you, separated only by a thin painted line. Without trust we wouldn’t get out of bed in the morning.

This explains why we are completely beside ourselves when someone in whom we have placed our faith and trust deceives us. A week doesn’t go by without a report of a local girls’ soccer coach preying upon his underage players. And we are still shocked.

Throughout our lives, and especially lately, we have seen government officials, CEOs of major corporations, front-line staff and many others who were put in positions of trust ultimately deceive. Putting someone in a trusted position without checks and balances can lead to utter destruction, and is negligent and irresponsible.

Robert Siciliano Identity Theft Speaker and Expert; video discussing background checks