Privacy became more of a wish in our times than something that does really exist. Let’s
briefly look at the bigger picture of this [tag]privacy invasion[/tag] issue. We’re under total video surveillance, not only from different cameras, but also from space. You can be videotaped anywhere and anytime.

And it’s not just government video surveillance, take a look at such relatively new features as Google’s “StreetView” and other video programs where your house (and all its PRIVATE land) can be photographed from the space and the photo can be seen by anybody curious enough to peak in your private life. Note that you didn’t give anyone permission to take pictures of your private property. And if your property is behind the fence, then without the space video-invasion it would be difficult to look inside your property without your direct permission (or breaking the law).

But that’s only part of the problem. Don’t you love airport security checks where you have to take off your shoes (be thankful that not your pants)? Sure, it’s explained by the greater good, and it might be necessary, but what I’m worried about is that people are losing the very sense of privacy. If you think about it, any security measures can be explained by a greater good. But where is the border between the security requirements and the total violation of human rights?

Though the line about taking of your pants is a joke, X-ray naked scans can become a reality for the nearest future. It was already tested in UK and US. It looks like everything has been done so people forget even the idea of privacy. I mean how people can maintain self-respect if they can be virtually stripped for no reason at all?

And don’t kid yourself that your naked photo will be stored separately from the file with
your name, address, etc. It’s just doesn’t matter, because all this information can be easily analyzed and records can be matched. In other words, your naked picture can be easily matched to your name.

Do you still have illusion of privacy? May be you think something like this, “I might be scanned, but at least my thoughts remain private”? Don’t kid yourself. Look at government wiretapping that is often done without a warrant. Can it really help to find potential terrorists or it’s just a great substantiation for the eavesdropping on all your calls? May be both, but my guess is that terrorist are capable to encrypt their calls much more effectively than average citizen who has no idea about wiretapping and eavesdropping.

And even that’s not all! Some advocates of “privacy compromise” suggest that all end users should have a second layer of authentication including our biometrics.
Biometrics is just another set of parameters that can be added to the huge data banks that are already used to make a decision about every aspect of your life. It might be and extra security layer for the commerce security. (Though who said that the biometrics can’t be stolen the same way as any other data from the hacked databanks?) But if used for the access to the public services it certainly one further step to the elimination of privacy.

Another suggestion is that we should completely give up our anonymity and authenticate everything, from computers and applications to every ingress and egress connection, in order for the authorities to be able to track down the source of hacker’s attack.
That might help to track down hackers, but combined with space video surveillance, and wiretaps it puts us under almost total 24/7 control.

I’m saying “almost” because now you at least don’t have a computer chip built in your passport. But it’s going to change very soon. Bush administration suggested to implant radio frequency ID (RFID) chips (that can be read remotely) into each passport issued after October 2006. And other governments (including UK and Britain) have similar plans. This means that your name, nationality, sex, date of birth, place of birth,
photograph (and in the nearest future biometrics) will be readily available anytime for anyone with a badge.

What is worse, this information can be stolen by identity thieves by aiming powerful antennas at the person. The encryption keys used to somehow protect the privacy, are not sufficiently secure…

So for those who think that authentication for every network packet is necessary, I say it’s better be done using other measures such as IP v6. It’s not perfect, but at least it allows us to preserve some privacy. Otherwise we totally give up all our rights and let government track virtually all our steps. And it doesn’t mean that we have something to hide, we just want to preserve human dignity that separates us from the animals.

Where is the borderline between security measures and giving up all our rights, and when will be the end of this madness? Here’s something we need to remember: there couldn’t be any freedom or democracy or human dignity in any country if there is no privacy left in it and if its people are under total surveillance.

According to the recent article published in Boston Herald, eavesdroppers are rather successful in bypassing seemingly sophisticated data encryption, authentication and other methods used to boost [tag]wireless security[/tag].

The reason for popularity of wireless attacks (in addition to tons of inherent insecurities in wireless models) lies in the serious improvement of modern hacking wireless equipment. Modern antennas allow hackers to reach access points even if they are 10 or 20 miles away from those points. That means that hacker can now easily avoid the most significant limitation he faced not long ago. He doesn’t have to sit anymore on the same parking lot (figuratively speaking) used by the company that was chosen as a target for wireless attack. Instead, he can now safely conduct his intrusion without the danger of being physically noticed and identified by the security staff of that company.

Of course the fact that most users have difficulties with initializing security features available in most current Wi-Fi gadgets (or even sometimes don’t know where to find those features) is also very helpful for hackers.

Another possible reason of popularity for wireless hacking is that people are less used to wireless spaming (and hacking) yet, and are more likely to open the message or attachment sent from the un-known recipient.

Aside from the habitual reasoning there is another possible cause for the higher possibility of opening un-known attachments in the wireless devices compared to the wired ones (and thus getting the former infected).

According to the research published by Cisco and the National Cyber Security Alliance, the feedback from 700 businessmen from all over the world indicated that the root of this problem can be a small size of screen used in wireless handheld devices.

And one more interesting fact from the same research. 81 percent of all business executives around the world are already using some sort of wireless device. From 700 businessmen participated in the research (as a representatives of executive group), chilling 76% had trouble distinguishing between legal messages and those that can compromise their wireless devices!

You can read the whole story here: Mobile workers still struggling with security

Now just think about it! If the same proportion will be true for the rest of executives, then over 60% of all executives in the world not only use wireless devices, but also don’t care too much about wireless security!

And if the wireless device of such person is compromised, then the whole corporation can be at risk…

This is definitely something that hackers would want to explore. And this is a serious topic to think about for all business executives. They should educate themselves at least in basics of wireless security, or it might be too late…

Though the implementation of IPv6 can somewhat increase the security of the lower layers of OSI, the main stream of actual hacking happens on the application layer of the model.

We will talk about firewalls and intrusion detection systems in future articles, as well as the ways to further secure your hosts with live response toolkits and forensic image toolkits that can help you to define possible kernel rootkits, etc.

The network reconaissance is helpful if hacker plans to attack particular network. But in
reality this approach is used less often today.

The main trend of [tag]internet security[/tag] attacks for 2006-2007 is to use “wholesale approach”.

That means no network, organization or individual serves as a specific target. Instead the
target is every machine that is exposed to certain vulnerabilities.

Another trend that is clearly seen is the combination of different techniques. If in
2004-2005 intruder would (mostly) use either email with embedded virus or worm, or use the exploit that would give him a direct access to the system, now the intermediate hacks are more popular.

They are used to get initial access to the system and as a platform for backdoor downloads.

To facilitate the distribution of the malicious code, the combination of several techniques and methods is used. Quite often large spam networks are utilized for the initial distribution of the spam emails. In order to avoid current malware filters, no virus is usually embedded in the email. Instead, the reader is sent to the malicious url. The web-based url is used for automatic download of the exploit.

Such spam email campaigns can target over billion email addresses thus ensure the large amount of opened and clicked-trough emails. Huge targeted audience ensures a large  base for the of users infected with a new virus through such spam attack.

So what applications are currently targeted more often for the attacks?
According to Symantec Internet Security Threat Report for the second half of 2006 (Volume 11), mostly targeted group for attack were web browsers and third party web applications.

Among web browsers, IE holds the crown and accounts for 77% of web-broser-targeting attacks.

Another confirmation that direct attacks are more often replaced by “wholesale” approach  is derived from the fact that home users are the targets in 93% cases of latest attacks!

Which is logical, since the home users is the least educated group of computer users (as far as internet security is concerned) and can be rather easily tricked by the combination of spam and web-based located urls hosting payloads with middle-level of security threat security threat.

In other words, they can be easily tricked to open spam emails, download the malicious code and thus get their computers infected.

I was recently asked which future [tag]internet security protocols[/tag] / models can help increase the overall security of the Internet.

Before I can answer this question, let’s take a brief look at the current OSI model (and
it’s simplified most often used TCP/IP version) that is the base for the overall data
transfer between systems on the Internet. The internet security is tightly bound to the security (or rather, insecurity) of those protocols.

TCP/IP protocol was originally created to suit the needs of ARPANET, closed network which was essentially what we call today intranet. Since it was not a public network, but rather peer-to-peer communication between several US universities, not everybody had access to it, so there was not much thought given initially to the security of this protocol. The main task of the protocol was to efficiently deliver data between the remote locations.

Later this network grew up and became Internet, but TCP/IP protocol still was used as a main way of communication. However, it was not a closed network anymore. So because of the initial “friendly” architecture, now we have ip spoofing to deal with. This technique allows hackers to effectively conduct ping sweeps and port scans, and gives them ability to effectively hide the ip of the host that originated the attack.

Smurf attacks and arp-redirects also probably wouldn’t be possible if this model would be originally created with a security in mind (or rather, the enhanced version of this
protocol would be created for the public network).

The trace of the “friendliness” of the TCP/IP model could be better seen on layers 2-4 of the model.

The insecure nature of Ethernet still amazes me. Broadcasts allow anyone on the network to easily access the information passed between any other machines on the same bridge. The logic is that everyone will behave ethically and not eavesdrop on conversations that are not meant to them. Well, it could would work for closed networks, but it certainly doesn’t work for the Internet where you in effect trust all your private communications to the complete stranger.

And the relative ease of arp redirects where any machine can claim to have any MAC address it wants, is nothing more than just more advanced version of misuse of the same trust…

Same goes for DHCP servers and DNS servers…

Though many security experts believe that actual hacking happens on the application layer, it would be much more difficult to accomplish without the preliminary reconnaissance of the target subnet. Besides, all the sniffing also happens on the network layer. And if username/passwords are sniffed, then no hacking is really needed – you already have everything you need.

So if we want to achieve more secure Internet, the first logical conclusion would be to somehow boost the security of TCP/IP protocol.

IP version 4 is completely insecure, so big hopes were cherished for the introduction of IP version 6. At least it will allow to positively identify the source of attack.
Plus, ping sweeps won’t work anymore simply because of the size of subnets that would have to be scanned. And broadcast will be changed to multicast, thus reducing the number of hosts that will be able to intercept communication. Plus it would be more difficult for worms to spread.  Of course the mandatory inclusion of IPSec in the IPv6 could theoretically be helpful too.

(Though on practice, the deployment of this protocol will take at least a few years, and most likely no encryption will be initially implemented.)

Unfortunately, this protocol has its own weaknesses too. One thing I hate is that now you can’t filter all ICMPs, because it’s neighbor discovery totally depends on it. And ICMPs are well known as one of the most popular sources for DDOS.

In total, IPv6 should have more positives then negatives as far as Internet security is concerned.

But we also need to see what could be done to increase the security on the application layer.
We’ll talk about it next time.

Today I received an email forward that actually contains something interesting. It tells the story of police officer and little girl (she is 14 years old). The police officer was able to find the girl without getting data from police databases. All he used was either the data freely available on the child’s profile or the information he got from the girl herself during their friendly online chats. Of course this email is probably a hoax (meaning it described the situation that didn’t happen in the real life), but at least this was a useful hoax for once.

It’s worth to share it with your children, because it can help you to explain to them once and for all why it’s not a good idea to talk in the virtual world about the details of their personal lives that could be used to identify them in real world.

The virtual reality provides the false feeling of safety and anonimity, where many memebrs of social networking sites share tons of personal information in their profiles, and of course they like to chat and give away even more information during those conversations.

In this particular example, girl thought that her online friend was a teenager, and he lived far away from her, so she was rather relaxed and shared with him such details as the name of her softball team, her place in this team, etc. After all, the “boy” doesn’t know her real name and he doesn’t live in her town… And why did she thought that he was a teenage boy and lived in another state? Because he said so…
 
This story is probably not real (I’ve yet to hear about the special police officers that are hunting [tag]online predators[/tag]), but it could happen in real life. It’s absolutely realistic for online predator to find the girl based on all the information that police officer was able to collect in a short period of time. And it would be great if such police department would be organized in real life.

Ok, here is the story as I received it. Unfortunately there was no name so I don’t know whom to credit for this great educational piece that could save your children:
————————————————
“EVERYONE NEEDS TO READ ALL OF THIS and HAVE CHILDREN READ IT TOO!

After tossing her books on the sofa, she decided to grab a snack and get on-line. She logged on under her screen name ByAngel213. She checked her Buddy List and saw GoTo123 was on. She sent him an instant message:

ByAngel213:
Hi. I’m glad you are on! I thought someone was following me home today. It was really weird!

GoTo123:
LOL You watch too much TV. Why would someone be following you?
Don’t you live in a safe neighborhood?

ByAngel213:
Of course I do. LOL I guess it was my imagination cuz’ I didn’t see anybody when I looked out.

GoTo123:
Unless you gave your name out on-line. You haven’t done that have you?

ByAngel213:
Of course not. I’m not stupid you know.

GoTo123:
Did you have a softball game after school today?

ByAngel213:
Yes and we won!!

GoTo123:
That’s great! Who did you play?

ByAngel213:
We played the Hornets. LOL. Their uniforms are so gross! They look like bees. LOL

GoTo123:
What is your team called?

ByAngel213:
We are the Canton Cats. We have tiger paws on our uniforms. They are really cool.

GoTo1 23:
Did you pitch?

ByAngel213:
No I play second base. I got to go. My homework has to be done before my parents get home. I don’t want them mad at me. Bye!

GoTo123:
Catch you later. Bye

Meanwhile…….GoTo123 went to the member menu and began to search for her profile. When it came up, he highlighted it and printed it out. He took out a pen and began to write down what he knew about Angel so far.

Her name: Shannon
Birthday: Jan. 3, 1985
Age: 13
State where she lived: North Carolina

Hobbies: softball, chorus, skating and going to the mall. Besides this information, he knew she lived in Canton because she had just told him. He knew she stayed by herself until 6:30 p.m. every afternoon until her parents came home from work.

He knew she played softball on Thursday afternoons on the school team, and the team was named the Canton Cats. Her favorite number 7 was printed on her jersey. He knew she was in the eighth grade at the Canton Junior High School . She had told him all this in the conversations they had on- line. He had enough information to find her now.

Shannon didn’t tell her parents about the incident on the way home from the ballpark that day. She didn’t want them to make a scene and stop her from walking home from the softball games. Parents were always overreacting and hers were the worst. It made her wish she was not an only child. Maybe if she had brothers and sisters, her parents wouldn’t be so overprotective.

By Thursday, Shannon had forgotten about the footsteps following her.

Her game was in full swing when suddenly she felt someone staring at her. It was then that the memory came back. She glanced up from her second base position to see a man watching her closely.

He was leaning against the fence behind first base and he smiled when she looked at him. He didn’t look scary and she quickly dismissed the sudden fear she had felt.

After the game, he sat on a bleacher while she talked to the coach. She noticed his smile once again as she walked past him. He nodded and she smiled back. He noticed her name on the back of her shirt. He knew he had found her.

Quietly, he walked a safe distance behind her. It was only a few blocks to Shannon ’s home, and once he saw where she lived he quickly returned to the park to get his car.

Now he had to wait. He decided to get a bite to eat until the time came to go to Shannon ’s house. He drove to a fast food restaurant and sat there until time to make his move.

Shannon was in her room later that evening when she heard voices in the living room.

‘ Shannon , come here,’ her father called. He sounded upset and she couldn’t imagine why.

She went into the room to see the man from the ballpark sitting on the sofa.

‘Sit down,’ her father began, ‘this man has just told us a most interesting story about you.’

Shannon sat back. How could he tell her parents anything? She had never seen him before today!

‘Do you know who I am, Shannon ?’ the man asked.

‘No,’ Shannon answered.

‘I am a police officer and your online friend, GoTo123.’

Shannon was stunned. ‘That’s impossible! GoTo is a kid my age! He’s 14. And he lives in Michigan !’

The man smiled. ‘I know I told you all that, but it wasn’t true. You see, Shannon , there are people on-line who pretend to be kids; I was one of them. But while others do it to injure kids and hurt them, I belong to a group of parents who do it to protect kids from predators. I came here to find you to teach you how dangerous it is to talk to people on-line. You told me enough about yourself to make it easy for me to find you. You named the school you went to, the name of your ball team and the position you played. The number and name on your jersey just made finding you a breeze.’

Shannon was stunned. ‘You mean you don’t live in Michigan ?’

He laughed. ‘No, I live in Raleigh . It made you feel safe to think I was so far away, didn’t it?’

She nodded.

‘I had a friend whose daughter was like you. Only she wasn’t as lucky. The guy found her and murdered her while she was home alone. Kids are taught not to tell anyone when they are alone, yet they do it all the time on-line. The wrong people trick you into giving out information a little here and there on-line. Before you know it, you have told them enough for them to find you without even realizing you have done it. I hope you’ve learned a lesson from this and won’t do it again. Tell others about this so they will be safe too?’

‘It’s a promise!’

That night Shannon and her Dad and Mom all knelt down together and thanked God for protecting Shannon from what could have been a tragic situation.”
—————————————-
As you can see, girl could be in serious danger. In addition to telling the stranger all that identifiable information she also told him that she’s home alone until particular time (6:30 pm in this example).

Internet is a powerful tool that brought a lot of convinience in our lives. But it also generated new types of danger that were not existing before. And it’s your responsibility as a parent to protect your child from them.

So if you still don’t know what your children are doing online, you better check it out.

At the same time don’t forget about offline predators who can meet with your child face to face. If your child is educated and knows what to do and how to react in dangerous situation, s/he is more prepared, and has better chance to avoid trouble.

To help you with this task, I’m glad to give you “17 Proven Time Tested Safety Secrets To Protect Your Child From Sexual Predators“, the report written by Preston Jones and Joyce Jackson. Just right click the link above with a name of the report in it, and you will be able to download it to your computer.

It’s an axiom that [tag]computer security[/tag] impossible these days without several security components. At the very minimum you should have anti-virus and anti-spyware programs installed on your computer. Those programs can minimize the risk of unwanted intrusions. There are many computer security packages, and they are not equal in their ability to identify and prevent potential attacks.

One of the most well-known internet security programs is a security line of Symantec products known as “Norton family”: Norton AntiVirus, Norton Internet Security, Norton Anti-Spyware Edition, etc.

Of course, Symantec claims that your computer will be totally secure and protected if you use their security products. The sad truth however, that Norton security products are known in the hackers world as theone of the most easiest to hack into.

The most sought after type of vulnerabilities are the ones that can grant remote access to user’s computer, and if this access can be obtained without authentication, it’s even better.

And Norton security products are so popular among average computer users that it make them almost as wide-spread as computers with some kind of Windows OS installed, and thus even more desirable targets for hackers.

A few days ago Symantec had to release a security warning about security vulnerability found in 2 ActiveX controls. The vulnerability belonged to the class of input validation errors.

This means that data received by user computer was not properly validated which could allow a malicious attacker to remotely execute arbitrary code with the rights of logged in user (which means no additional authentication is required). The only other thing that attacker would need to successfully complete the attack is to trick the user to go to the website where this code would run.

This vulnerability affected Norton AntiVirus, Norton Internet Security, and Norton System Works, version 2006 and Norton Internet Security, Anti Spyware Edition, version 2005. Symantec Corporate Edition and Symantec for Linux were not affected.

Symantec Security Response team realesed Bloodhound.Exploit.148 that patches this vulnerability.

If you’re using Norton security products and you regularly update virus definitions and signatures through LiveUpdate then you should be OK.

Otherwise click on your LiveUpdate Right Now!

You can learn more about this vulnerability from the Symantec website: “Symantec ActiveX Control Input Validation Error”

Symantec credits Secunia Research for reporting this issue. Funny thing that this exploit is announced as a new one.

But it was known to hackers community for over 3 months! Yes, the remote access computer vulnerability through the execution of arbitrary code within those Norton ActiveX was annonunced by one of the hackers group on their blog more than 3 months ago, and they even released proof of concept code proving their point.

That just gives to show you that Symantec is not very quick in pinpointing and liquidating newest threats. Plus their support department is notoriously slow in support responses.

So in the next post I’ll talk about other computer and internet security programs that offer better support, and have quicker response.

In one of my recent posts I talked about sexual predators and child molesters and how in some cases they can use their hacking skills to abuse children. of course the most important question is what to do to keep your [tag]kids safe[/tag]?

Luckily, online molesters are still fairly rare type of child predators, but there are many more potentionally dangerous situations in the daily life of your children that should be addressed properly.

The book called “How To Protect Your Child From Sexual Predators” that can show you how to teach your children to stay safe while you’re not around. It’s not just “don’t take candy from the strangers” that we all heard about.

You’ll learn things like The Ultimate Safety Secret, The Five Secrets To Playing Outside Safely, The Magic Approach To Online Safety With Real Results.

Do you know for example that confidence and mental focus are two critical factors that can drastically improve the chances for your kid to avoid potential danger?

Well, I didn’t know either, I’m not an expert on children psychology and behavior or kids safety. Things like this can help your child when s/he needs it most. And the “Keeping Kids Safe” program created by Preston Jones and Joyce Jackson teaches you how to develop those skills in your child.

Take a look at their “Keeping Kids Safe” program and see if you can learn something that might be useful for your kid.

In the previous post I wrote about the test that revealed serious misuse of your personal information by IRS staff. If you’re shocked by the careless atitude of IRS employees in regards to the disclosure of such vital piece of information as people’s SSN, just read this post and you might grasp the whole scale of the problem.

What would you say if I tell you that the personal information of 26.5 million US military veterans plus the records of 1.1 million active-duty personnel are right now in the open and can be used any moment for [tag]identity theft[/tag] or worse?

How in the world could it happen? Human mistake, as always. Last year the laptop of the analyst working for the Department of Veterans Affairs was stolen from his home in Montgomery county, Maryland.

Though this guy had absolutely no right to take such sensitive information home, he was doing it for quite a while, just because it was convinient for him I guess.

When his laptop was stolen, all these data was stolen too. As a result, the information about millions of american soldiers is now floating somewhere completely unprotected.

And if it would fell in the wrong hands, the potential damage could be enormous. Considering this data concerns active millitary personnel, terrorist would probably pay a lot to get their hands on this laptop. I still haven’t heard that this laptop is found. So the real threat still exists.

You can read the whole story at Guardian. The article is named “US troops at risk from civil servant’s stolen laptop“.

So what’s the point of this story? It’s quite simple actually. No one really cares about safe-guarding your SSN, date of birth, mother’s maiden name, your address, etc. So it’s up to you to make sure this information is not used by con artists or indentity thieves.

Until the law is passed that will prohibit companies to request SSN from you as a mean of authentication, your SSN will always be at risk.

Now the obvious question. If you have absolutely no way to make sure your SSN and other information of similar importance is protected, how can you ensure that it won’t be used by identity thieves?

There is no perfect answer to this question. But there are some ways to mitigate the risk.

The answer below is only relevant for US residents. If you live in other countries, you might have similar services, so read on, it will give you idea what to do.

By the US law you’re allowed to request your credit report from each of 3 major credit agencies free of charge once per year. It certainly is not enough to make sure you’re not a victim of identity theft, but at least it’s a start.

Most likely you need to be able to monitor your credit more frequently. You need a system that can alert you the same day some strange activity happened on one of your bank or credit card accounts. The timely alert will allow you to react accordingly and stop the identity theft at the very beginning.

There is a credit monitoring service that does this. It provides comprehensive credit file monitoring and automated alerts of key changes to your Equifax, Experian, and TransUnion credit reports (three major credit report agencies), plus it gives you Free 3-in-1 Credit Report and unlimited access to your Equifax Credit Report™. What is also important, it gives you Identity Theft Insurance with a coverage of up to $20,000 to help you recover from possible identity theft.

Get Equifax Credit Watch Gold 3-in-1 Now! Or if you just want to start somewhere, and are not ready for credit monitoring service, at least request your free credit report to make sure you’re OK. 

Get your FREE credit score Today!  

[tag]Identity theft[/tag] is not even a buzz word anymore. It’s a sad reality of our times. It could happen to anyone anywhere. And it shouldn’t necessarily be the attack of the hacker who cracked the server and copied financial records.

There are numerous examples when people just bought used computers on e-bay, and discovered sensitive financial data on those computers that was supposed to be erased. I’ll just give 3 examples here but I think it’s enough to get the picture.

First example: One Canadian bank was supposed to send 2 servers to the company that can securely erase the data, instead those servers end up on e-bay.

Second example: German police got rid of useless computer, sold it on e-bay and the guy who bought it found tons of criminal records on the machine…

Third example: health department of one USA State sold used computer, and this computer turned out to be a server that stored the records of people with sexual diseases.

So your SSN, and other sensitive information can easily end up on some auction site, no one can guarantee that it wouldn’t.

Of course hackers hack tons of sites and sell thousands of identity records every day -
cheaper by the dozen, you know…

Or, and when you’re giving 4 last digits of your SSN to anyone who asks, you’re not doing yourself any good either. Sure, it might look harmful to you - after all, you’re not giving out your entire SSN. But in reality - it’s almost the same. There are tons of companies who work as liasons with credit agencies - your mortgage broker, for example, who can easily pull up your credit report based on your name, address, and last 4 digits of your SSN.

And that’s basically means that every identity thief with even modest resources can get this information too.

Even if you’re lucky enough to avoid millions of internet scams that are created in such a
way that you give away all your information, you’re still not off the hook.

Or, and one last gem for today. Have you heard about social engineering? It’s a technique
that is often used by hackers for gathering the information that is difficult to receive
otherwise. Hackers often pose as either sys admins or computer-repair techs that claim
something is wrong with either your computer or network, etc, and they need your help to fix
it. Well, you can imagine the rest. If you’re helpfull enough, the entire network of the
company can be indeed “fixed”.

Ok, may be you already heard about these social engineering techniques, and you would ask the
caller to verify his identity before giving him important passwords on a silver platter.

Good for you. Then you’re much more security-savvy than IRS. What IRS has to do with this,
you ask? After all, this organization safeguards our most sensitive financial information
and its personnel sure follows all the security procedures, right? It turned out to be just our wishful thinking.

In reality, all you have to do to receive extremely confidential information is just politely ask IRS agent to give it to you, and s/he will!

According to the Treasury Inspector General for Tax Administration (who oversees IRS
operations), the security test was recently conducted within IRS. This test showed that out
of 102 people who were asked by the test caller to provide either their username or change
password, did so without any second thought!

You can read article “Computer security problems found at IRS” at MSNBC to get the full
scope of the story.

It just shows you that unfortunately your most private information is not as secure as you would hope it would be. So you need to take certain steps to make sure you won’t be a victim of identity theft.

In the next post we’ll talk about things you need to do to prevent the possibility of
becoming the victim of identity theft.

It’s hard to imagine talking about [tag]online security[/tag], and in particular, online business security without the inevitable appearance of the shadow antipode of the [tag]security professional[/tag] otherwise known as “hacker”.

The word “hacker” has such a bad publicity associated with it that for the average Internet users hackers are almost always a synonym of the serious online trouble.

So let’s “set the records straight”. There are many different types of hackers, some of them are really dangerous, others can help you patch gaping vulnerabilities in your business or even save your online business.

They are known as “White Hat Hackers” and they have the full right to be called “the White Knights of the Online World”.

So who are these guys? I would say every gifted programmer who found and reported serious security vulnerability in publicly available systems (either in open source architecture or in commercial application) could be called a “white hat hacker”.

If s/he wouldn’t report this security whole, it could be later identified by black hackers and used as a new exploit for a successful 0-day attack.

Every security professional who stumbled upon un-known security risk during penetration testing and informed not only his client (for whom this testing was performed) but also the community of security professionals, could be called a “white hat hacker”.

The person who was able to reverse-engineer binaries of the sophisticated new virus not only through a creation of a sandbox or virtual machine simulation, but by getting his hands dirty and actually playing with the code and understanding the internal actions of the binaries through core dump analysis, and then show the world the structure of this virus, could be called a “white hat hacker” too. 

All these guys have one thing in common: they used their knowledge to make this world a little better, more secure place. They didn’t use it for their own personal gains.

Make no mistake though - hacking is in their blood, it’s their alter ego. It gives the ultimate joy to their brains, because not many things in life can compare with a thrill of entering the presumably secure system through the newly created backdoor, without being noticed by company’s IDS and avoiding other traps.

But it’s one thing to hack in the system as part of penetration testing, when you was asked to do so by the owner, and use your knowledge to help the company to patch the security holes at the end of your ride. And quite another - to penetrate the same system without permission and rip off all the sensitive data off the company’s servers.

That’s in a nutshell the difference between white hat and black hat hackers.

Stay tuned, we’ll talk about grey hat hackers in the next post.