A serious state of security - The loss of one's private information and its effects.
Posted by : Brett A. Scudder | Tue, Nov 13 2007 | 08:11:53
Tags : privacy,phishing,awaremness,security,cyber crime, identity theft
Rating : 4/5
we all feared, phishing scams and social engineering methods have now become household names, showing their nasty heads to consumers and businesses alike. It is only through knowledge and awareness of these issues that we will beat these methods of infection and propagation.

While talking to people on a daily basis, it is very clear that the general public tends to turn a blind eye to these issues and thinks they will not and cannot affect them as individuals. That is surely not the case, and it is one of (if not the) main reasons why these high-profile and very cunning attacks on people are such a high risk. People do not take these threats seriously today, and I will try to shed some light on these issues, as I've done over the past few years.

Over the past two years we have seen and heard more and more about "phishing", what it is and the methods of attack. While consulting with the FBI's cybercrime division and talking to them about the ways in which they address these issues, I learned that they have been overwhelmed by people who have fallen victim to these scams, and it is mostly a matter of simple common sense. A "phishing attack" can only be successful if the intended recipient is not aware of such a scam or is tempted by the "too good to be true" offer presented.

Why would someone want to invest millions of dollars in you when you've never met them, never heard of nor seen anything about them, and they throw these millions at you for a mere $25,000 investment on your part? Surely that would catch the attention of anyone looking to get past a life of always being broke, or always wanting to take their life to the next level but being financially strapped or stressed out.

Ask yourself: why would the president of such a major organization or country want me, of all people, to do business with and for them, without having to commit to any signed agreement stating the terms and conditions of the deal?

Why would this major financial institution, located in some far region of the world, choose me to be the one to work this deal for them? This surely seems odd and should be a cause for concern, but still, unchecked, people buy into the scam and get burnt. Some people have invested thousands of dollars in these false deals, and it's only after the fact that they realize the severity of what they've done.

Common sense should have stepped up and said: hey, wait a minute, do I know these guys? What do they want with me, and why are they asking me for this payment to buy into such a sweet deal? Hmmm, this is suspect.

Instead the opposite happens, and you see the $25,000 versus the millions presented in the offer. Hell yeah, of course it's human nature to see the vastness of the offer versus the small percentage of the buy-in payment. If someone came to me right here and now with that very same offer and I knew of and about them, I'd do my little bit of research and then, by all means, I'm almost sure I'd buy into it. But this is far from the case. You will not find a phish that extravagant locally or nationally, because there are so many ways that you can look into that situation to know if it's legit or not. Sometimes the deal is so sweet and looks so good that even after researching it it's still a hoax, so what do you do?

Do not get suckered by these offers and these too-good-to-be-true deals. If someone came to you and told you they were selling you a 10 million dollar winning lottery ticket for $25,000, what would you do? We need to think about these things and weigh the validity and the chance it takes to make such a move.

I've seen too many people burned by this, and it's always the same story over and over. The FBI gets so many of these cases that they have to tackle them in bulk because of how many there are.

So, what is “phishing” and why is it so prevalent today with such high success levels?

Phishing is a method of deception that appeals to human intelligence by presenting something of value that is not legitimate or true.

I'm sure everyone by now has gotten some kind of email from a financial institution stating that their account needs to be verified or updated and that they need to log into the server to do so. When logging into what you think is the financial institution's server, you're actually logging into somewhere else, on someone else's server. This being the case, your information is now in the hands of someone other than yourself, who can use it by any means necessary, and thus you've just been "phished".

So that, in essence, is an overview of the phishing scene.
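The lure described above hinges on a link whose visible text names the real bank while its destination is somewhere else. The following is an added example (not code from the article or its author) that scans an HTML message for exactly that mismatch; the sample message, the bank name and the addresses in it are constructed for the example, and the two-label domain heuristic is a simplification standing in for a public-suffix lookup.

```python
"""Flag e-mail links whose visible text names one site while the href
leads somewhere else. Sample message and domains are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL or bare domain such as 'www.examplebank.com', else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def registrable_domain(host):
    """Last two labels of the host (a rough stand-in for a public-suffix lookup)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Return [(href, visible_text, reason)] for links that deserve a closer look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        # Only web links are checked; mailto:, relative links etc. are skipped.
        real = host_of(href) if href.lower().startswith(("http://", "https://")) else None
        if real is None:
            continue
        shown = host_of(text)  # None unless the link text itself looks like a domain
        if shown and registrable_domain(shown) != registrable_domain(real):
            findings.append((href, text, "visible domain differs from destination"))
        elif real.replace(".", "").isdigit():
            findings.append((href, text, "destination is a bare IP address"))
    return findings


# Constructed sample of the "verify your account" lure.
SAMPLE_EMAIL = """<p>Your account needs to be verified. Please log in at
<a href="http://203.0.113.5/verify">www.examplebank.com</a> within 24 hours,
or use <a href="http://examplebank.com.account-check.example/">examplebank.com</a>.
Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```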

Next we have the social engineering techniques, which are very similar to "phishing" but can also come in physical form.

Someone comes to your place of business and tells you they are the CEO of the company, from headquarters in DC, that they are here to meet with the rest of the management team, and that they need access to your network, infrastructure or office. This normally gets people flustered, because he/she is the CEO and you don't want to mess with that person or else. So this person comes in under false pretenses and gains access to internal, private and confidential business information and property that should never be given out to anyone outside of the company. By the time you catch up with what is going on, that person has gathered all the needed information and left with it; now that information is being circulated on the internet and your company is being sued and dragged through the legal system for that reason.

Who is to be blamed?
What went wrong?
Could this be avoided, if so, how?

These are valid questions about a real-life issue that happens on a daily basis. A helpdesk representative gets a phone call from someone claiming to be the CTO or CIO or some other C-level executive of the company. He is traveling and for some reason cannot log into the network, so he's calling the helpdesk to have them unlock his account and help him through the login process. The helpdesk individual knows the name of the executive and so tries to validate the credentials that person is using to gain access to the network. If this is a person who has done his homework, he may know the login name but not the password, so he will most certainly tell the helpdesk support rep the login info but state that he can't remember his password. Now the helpdesk person feels this info is good because the login username is correct, so that person should be who they say they are, and he/she proceeds to ask for some additional information such as full name, address, the last 4 digits of the social security number or the employee's unique company ID number.

All of this information can be had by various means, so it is nothing for a person performing a social engineering attack to obtain. Having validated all the info, the helpdesk rep now changes the password and helps the user gain access to the network and its resources. Being a C-level executive, you can just imagine the access and information available to him or her once they are logged in and authenticated on the network.

I've seen organizations where the helpdesk gets so scared when a C-level executive calls in with a support issue that they just need the name and some info in order to quickly expedite the support issue and get that person on their way. This is wrong, presents many critical vulnerabilities and should be addressed immediately.

Social engineering, like phishing, can be stopped and mitigated by user awareness and knowledge. Policies, practices and measures can and should be put in place to offset these methods of attack. Companies should spend more time going over scenarios like these in order to get the support people alert and proactive about these issues.
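One way to turn the policy argued for above into something a helpdesk tool can enforce, written here as an added example rather than anything from the article or a real product: recited facts (username, name, address, last four of the SSN, employee ID) only locate the account and never authorise a reset on their own, an out-of-band step the helpdesk performs itself is mandatory, privileged roles need two such steps, and every refusal reads the same to the caller. The role names, step names and the sample requests are assumptions made for the example.

```python
"""Reset-authorisation check encoding the helpdesk policy discussed above.
Role names, step names and sample requests are assumptions for the example."""
from dataclasses import dataclass, field

# Facts an impostor can gather beforehand: they find the account, they do not authorise.
IDENTIFIERS = {"username", "full_name", "address", "ssn_last4", "employee_id"}
# Steps the helpdesk performs itself, so a caller cannot supply them over the phone.
OUT_OF_BAND = {"callback_to_directory_number", "manager_confirmed", "in_person_id_check"}
PRIVILEGED_ROLES = {"ceo", "cto", "cio", "cfo", "domain_admin"}
# One fixed refusal for every denied request, so the caller learns nothing about which check failed.
REFUSAL_SCRIPT = "I can't complete this over the phone; we'll call you back on the number on file."


@dataclass
class ResetRequest:
    username: str
    claimed_role: str
    evidence: set = field(default_factory=set)  # identifiers recited plus steps completed


@dataclass
class Decision:
    allowed: bool
    reasons: list  # recorded in the ticket, never read back to the caller


def evaluate_reset(req: ResetRequest) -> Decision:
    """Decide whether the reset may proceed and record why, for the audit trail."""
    role = req.claimed_role.lower()
    recited = req.evidence & IDENTIFIERS
    completed = req.evidence & OUT_OF_BAND
    required = 2 if role in PRIVILEGED_ROLES else 1  # more access, more verification
    problems = []
    if not recited:
        problems.append("no account identifier supplied")
    # Extra recited answers never lower the bar: each one is obtainable by an impostor.
    if len(completed) < required:
        done = ", ".join(sorted(completed)) or "none"
        problems.append(f"role '{role}' needs {required} out-of-band step(s), completed: {done}")
    if problems:
        return Decision(False, problems)
    return Decision(True, [f"role '{role}' verified via {', '.join(sorted(completed))}"])


def caller_message(decision: Decision) -> str:
    """What the representative says; refusals are identical regardless of cause."""
    return "Your password has been reset." if decision.allowed else REFUSAL_SCRIPT


def audit_line(req: ResetRequest, decision: Decision) -> str:
    """One log line per request so reset attempts, allowed or not, can be reviewed later."""
    status = "ALLOWED" if decision.allowed else "DENIED"
    return f"reset user={req.username} role={req.claimed_role} {status}: {'; '.join(decision.reasons)}"


if __name__ == "__main__":
    # The scenario above: a caller who knows the username and all the usual "verification" facts.
    impostor = ResetRequest("jdoe", "CTO", {"username", "full_name", "address", "ssn_last4", "employee_id"})
    verified = ResetRequest("jdoe", "CTO", {"username", "callback_to_directory_number", "manager_confirmed"})
    for req in (impostor, verified):
        decision = evaluate_reset(req)
        print(audit_line(req, decision))
        print("  to caller:", caller_message(decision))
```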

Identity Theft

Wow, now this is a growing issue that is an even bigger problem due to the arrogance of users thinking they are not affected, nor will they be affected, by this issue. Most of the victims I've spoken to had no clue they were victims of such an attack until years afterward, when the person who did the wrong simply missed a payment or two, and now you're caught smack dead in the middle of the scheme of things. At that point it is already too late, because you have been victimized for years, and now that you've found out about it the damage has been done. The most unfortunate part about the identity theft issue is the fact that the information will still remain on your credit for the full term of the cycle, and you have to hope to God that the person was keeping up on their payments so that the credit standing was good.

I recently met a lady who had just found out that she was the victim of an identity theft scam after years of being used by someone else; fortunately for her, that person was keeping up to date and current on the payments, so that was generating good things for her report. How she came to find out about the theft: one of the credit card companies called her asking to make payment arrangements for a past-due balance she had, and when she continued to deny the claims she came to find out the sad truth about the whole situation. There was a car, an apartment, credit cards and other things in her name, and she had no idea about it.

Let me tell you how bad this can get and for how long you can be screwed by such a nasty issue; yet still, there are simple ways of protecting yourself from things like this. These days, with the privacy issues and concerns surrounding the selling and use of your private information, it is so easy to find or get information on or about you on the internet that it's not even funny. Don't worry about the information, worry about the use and abuse of it. It's like worrying about doing online shopping and using your bankcard and credit card online when the banks all have that very same information online, and that's where the accounts were opened and are kept.

I recommend a credit monitoring service for you, your spouse, your children (yes, your children as well) and anyone with a valid social security number. These credit monitoring services do a very good job of keeping you alerted and updated on any happenings with your social security number and credit. I personally use Credit Expert and I have found them to be very good, very quick to alert and very detailed as to who, what, where, why and when anything affects my social security number and credit. I highly recommend the service; it is a yearly fee, but it is very much worth it and should be looked into.

When you think about the long-term effects and heartaches that an identity theft case presents, the yearly fee associated with these services is well worth it. Go get it NOW. There are quite a few good ones available, but they differ in offers and benefits. With Credit Expert I get a free credit report every 30 days if I want it; I can log in and have a look at what is on my credit, who I have credit with (if any), what my reported balances are and the contact information for the creditor. I have found this to be a very valuable and needed resource, and I recommend it.

How can my identity be gained, lost or acquired?

There are more ways to lose your identity than there are to prevent it from being lost. As I said before, don't worry about losing it, worry about the use and abuse of it. So many parties already hold your private information: your employer, a company that you did business with, a place you went to apply for a job where you had to fill out an application form with all your info, a utility company that you had to subscribe to for their service. There are so many ways of giving your information out; don't worry about the info, worry about the use or abuse.

I remember seeing an article in 2005 where a nursing assistant had a patient in the hospital and thought the guy was going to die, so he took the patient's information and started using it. He got credit cards and other things in the name of the patient and was doing well until the patient didn't die; after coming out of the hospital a few months later, the patient started to see strange things and collection notices coming to him. After he contacted the authorities and turned the matter over to them, they conducted an investigation and found out it was the nursing assistant. Wow.

Don’t worry about the information, worry about the use and abuse.

I had started writing this article a few months ago, after seeing what happened to that patient due to the theft by the nursing aide, but with all the things that were going on I was just consumed in consulting with people who were affected or who became so afraid of these issues that they don't even want to face the reality of them.

I am sure by now everyone has heard about the data loss issue involving 26 million U.S. VA members, which has sparked a whole slew of privacy issues, regulations and laws at the highest levels. This should not have come as a surprise to people, because over the past year we have seen data breaches and identity theft problems at the highest levels of government and business. Every day there is a new breach reported from some major financial institution or organization, and with that come the fears about what will happen next. The biggest problem with this is: how long ago did the theft/loss actually occur?

You're being advised of the breach now, but how long ago did it happen, and how extensive was the breach that the victim actually suffered? While that is the bad part of the situation, the better part, which saves us from the real effects of these issues, is the alerting and monitoring services like Credit Expert, True Credit, Equifax and the other credit bureaus. They will alert you of any possible use of your social security number well before the company that was breached discloses the loss of the data, depending on the use of the information that was lost. In some breach cases the information is never used, but it's better to be safe than sorry. I implore you to look into these services for yourselves, as the time from alert to major impact on your credit is just a matter of you stopping the issue.

My next look at this issue will go into methods of securing your data so that, in the event of data loss, it stays secured.
Copyright © 1994-2008 ComputerUser, Inc., All Rights Reserved All marks are trademarks of ComputerUser Media. Reproduction in whole or in part in any form or medium without express written permission of ComputerUser, Inc. is prohibited.