It’s an axiom that [tag]computer security[/tag] impossible these days without several security components. At the very minimum you should have anti-virus and anti-spyware programs installed on your computer. Those programs can minimize the risk of unwanted intrusions. There are many computer security packages, and they are not equal in their ability to identify and prevent potential attacks.

One of the most well-known internet security programs is a security line of Symantec products known as “Norton family”: Norton AntiVirus, Norton Internet Security, Norton Anti-Spyware Edition, etc.

Of course, Symantec claims that your computer will be totally secure and protected if you use their security products. The sad truth however, that Norton security products are known in the hackers world as theone of the most easiest to hack into.

The most sought after type of vulnerabilities are the ones that can grant remote access to user’s computer, and if this access can be obtained without authentication, it’s even better.

And Norton security products are so popular among average computer users that it make them almost as wide-spread as computers with some kind of Windows OS installed, and thus even more desirable targets for hackers.

A few days ago Symantec had to release a security warning about security vulnerability found in 2 ActiveX controls. The vulnerability belonged to the class of input validation errors.

This means that data received by user computer was not properly validated which could allow a malicious attacker to remotely execute arbitrary code with the rights of logged in user (which means no additional authentication is required). The only other thing that attacker would need to successfully complete the attack is to trick the user to go to the website where this code would run.

This vulnerability affected Norton AntiVirus, Norton Internet Security, and Norton System Works, version 2006 and Norton Internet Security, Anti Spyware Edition, version 2005. Symantec Corporate Edition and Symantec for Linux were not affected.

Symantec Security Response team realesed Bloodhound.Exploit.148 that patches this vulnerability.

If you’re using Norton security products and you regularly update virus definitions and signatures through LiveUpdate then you should be OK.

Otherwise click on your LiveUpdate Right Now!

You can learn more about this vulnerability from the Symantec website: “Symantec ActiveX Control Input Validation Error”

Symantec credits Secunia Research for reporting this issue. Funny thing that this exploit is announced as a new one.

But it was known to hackers community for over 3 months! Yes, the remote access computer vulnerability through the execution of arbitrary code within those Norton ActiveX was annonunced by one of the hackers group on their blog more than 3 months ago, and they even released proof of concept code proving their point.

That just gives to show you that Symantec is not very quick in pinpointing and liquidating newest threats. Plus their support department is notoriously slow in support responses.

So in the next post I’ll talk about other computer and internet security programs that offer better support, and have quicker response.

In one of my recent posts I talked about sexual predators and child molesters and how in some cases they can use their hacking skills to abuse children. of course the most important question is what to do to keep your [tag]kids safe[/tag]?

Luckily, online molesters are still fairly rare type of child predators, but there are many more potentionally dangerous situations in the daily life of your children that should be addressed properly.

The book called “How To Protect Your Child From Sexual Predators” that can show you how to teach your children to stay safe while you’re not around. It’s not just “don’t take candy from the strangers” that we all heard about.

You’ll learn things like The Ultimate Safety Secret, The Five Secrets To Playing Outside Safely, The Magic Approach To Online Safety With Real Results.

Do you know for example that confidence and mental focus are two critical factors that can drastically improve the chances for your kid to avoid potential danger?

Well, I didn’t know either, I’m not an expert on children psychology and behavior or kids safety. Things like this can help your child when s/he needs it most. And the “Keeping Kids Safe” program created by Preston Jones and Joyce Jackson teaches you how to develop those skills in your child.

Take a look at their “Keeping Kids Safe” program and see if you can learn something that might be useful for your kid.

In the previous post I wrote about the test that revealed serious misuse of your personal information by IRS staff. If you’re shocked by the careless atitude of IRS employees in regards to the disclosure of such vital piece of information as people’s SSN, just read this post and you might grasp the whole scale of the problem.

What would you say if I tell you that the personal information of 26.5 million US military veterans plus the records of 1.1 million active-duty personnel are right now in the open and can be used any moment for [tag]identity theft[/tag] or worse?

How in the world could it happen? Human mistake, as always. Last year the laptop of the analyst working for the Department of Veterans Affairs was stolen from his home in Montgomery county, Maryland.

Though this guy had absolutely no right to take such sensitive information home, he was doing it for quite a while, just because it was convinient for him I guess.

When his laptop was stolen, all these data was stolen too. As a result, the information about millions of american soldiers is now floating somewhere completely unprotected.

And if it would fell in the wrong hands, the potential damage could be enormous. Considering this data concerns active millitary personnel, terrorist would probably pay a lot to get their hands on this laptop. I still haven’t heard that this laptop is found. So the real threat still exists.

You can read the whole story at Guardian. The article is named “US troops at risk from civil servant’s stolen laptop“.

So what’s the point of this story? It’s quite simple actually. No one really cares about safe-guarding your SSN, date of birth, mother’s maiden name, your address, etc. So it’s up to you to make sure this information is not used by con artists or indentity thieves.

Until the law is passed that will prohibit companies to request SSN from you as a mean of authentication, your SSN will always be at risk.

Now the obvious question. If you have absolutely no way to make sure your SSN and other information of similar importance is protected, how can you ensure that it won’t be used by identity thieves?

There is no perfect answer to this question. But there are some ways to mitigate the risk.

The answer below is only relevant for US residents. If you live in other countries, you might have similar services, so read on, it will give you idea what to do.

By the US law you’re allowed to request your credit report from each of 3 major credit agencies free of charge once per year. It certainly is not enough to make sure you’re not a victim of identity theft, but at least it’s a start.

Most likely you need to be able to monitor your credit more frequently. You need a system that can alert you the same day some strange activity happened on one of your bank or credit card accounts. The timely alert will allow you to react accordingly and stop the identity theft at the very beginning.

There is a credit monitoring service that does this. It provides comprehensive credit file monitoring and automated alerts of key changes to your Equifax, Experian, and TransUnion credit reports (three major credit report agencies), plus it gives you Free 3-in-1 Credit Report and unlimited access to your Equifax Credit Report™. What is also important, it gives you Identity Theft Insurance with a coverage of up to $20,000 to help you recover from possible identity theft.

Get Equifax Credit Watch Gold 3-in-1 Now! Or if you just want to start somewhere, and are not ready for credit monitoring service, at least request your free credit report to make sure you’re OK. 

Get your FREE credit score Today!  

[tag]Identity theft[/tag] is not even a buzz word anymore. It’s a sad reality of our times. It could happen to anyone anywhere. And it shouldn’t necessarily be the attack of the hacker who cracked the server and copied financial records.

There are numerous examples when people just bought used computers on e-bay, and discovered sensitive financial data on those computers that was supposed to be erased. I’ll just give 3 examples here but I think it’s enough to get the picture.

First example: One Canadian bank was supposed to send 2 servers to the company that can securely erase the data, instead those servers end up on e-bay.

Second example: German police got rid of useless computer, sold it on e-bay and the guy who bought it found tons of criminal records on the machine…

Third example: health department of one USA State sold used computer, and this computer turned out to be a server that stored the records of people with sexual diseases.

So your SSN, and other sensitive information can easily end up on some auction site, no one can guarantee that it wouldn’t.

Of course hackers hack tons of sites and sell thousands of identity records every day -
cheaper by the dozen, you know…

Or, and when you’re giving 4 last digits of your SSN to anyone who asks, you’re not doing yourself any good either. Sure, it might look harmful to you – after all, you’re not giving out your entire SSN. But in reality – it’s almost the same. There are tons of companies who work as liasons with credit agencies – your mortgage broker, for example, who can easily pull up your credit report based on your name, address, and last 4 digits of your SSN.

And that’s basically means that every identity thief with even modest resources can get this information too.

Even if you’re lucky enough to avoid millions of internet scams that are created in such a
way that you give away all your information, you’re still not off the hook.

Or, and one last gem for today. Have you heard about social engineering? It’s a technique
that is often used by hackers for gathering the information that is difficult to receive
otherwise. Hackers often pose as either sys admins or computer-repair techs that claim
something is wrong with either your computer or network, etc, and they need your help to fix
it. Well, you can imagine the rest. If you’re helpfull enough, the entire network of the
company can be indeed “fixed”.

Ok, may be you already heard about these social engineering techniques, and you would ask the
caller to verify his identity before giving him important passwords on a silver platter.

Good for you. Then you’re much more security-savvy than IRS. What IRS has to do with this,
you ask? After all, this organization safeguards our most sensitive financial information
and its personnel sure follows all the security procedures, right? It turned out to be just our wishful thinking.

In reality, all you have to do to receive extremely confidential information is just politely ask IRS agent to give it to you, and s/he will!

According to the Treasury Inspector General for Tax Administration (who oversees IRS
operations), the security test was recently conducted within IRS. This test showed that out
of 102 people who were asked by the test caller to provide either their username or change
password, did so without any second thought!

You can read article “Computer security problems found at IRS” at MSNBC to get the full
scope of the story.

It just shows you that unfortunately your most private information is not as secure as you would hope it would be. So you need to take certain steps to make sure you won’t be a victim of identity theft.

In the next post we’ll talk about things you need to do to prevent the possibility of
becoming the victim of identity theft.

It’s hard to imagine talking about [tag]online security[/tag], and in particular, online business security without the inevitable appearance of the shadow antipode of the [tag]security professional[/tag] otherwise known as “hacker”.

The word “hacker” has such a bad publicity associated with it that for the average Internet users hackers are almost always a synonym of the serious online trouble.

So let’s “set the records straight”. There are many different types of hackers, some of them are really dangerous, others can help you patch gaping vulnerabilities in your business or even save your online business.

They are known as “White Hat Hackers” and they have the full right to be called “the White Knights of the Online World”.

So who are these guys? I would say every gifted programmer who found and reported serious security vulnerability in publicly available systems (either in open source architecture or in commercial application) could be called a “white hat hacker”.

If s/he wouldn’t report this security whole, it could be later identified by black hackers and used as a new exploit for a successful 0-day attack.

Every security professional who stumbled upon un-known security risk during penetration testing and informed not only his client (for whom this testing was performed) but also the community of security professionals, could be called a “white hat hacker”.

The person who was able to reverse-engineer binaries of the sophisticated new virus not only through a creation of a sandbox or virtual machine simulation, but by getting his hands dirty and actually playing with the code and understanding the internal actions of the binaries through core dump analysis, and then show the world the structure of this virus, could be called a “white hat hacker” too. 

All these guys have one thing in common: they used their knowledge to make this world a little better, more secure place. They didn’t use it for their own personal gains.

Make no mistake though – hacking is in their blood, it’s their alter ego. It gives the ultimate joy to their brains, because not many things in life can compare with a thrill of entering the presumably secure system through the newly created backdoor, without being noticed by company’s IDS and avoiding other traps.

But it’s one thing to hack in the system as part of penetration testing, when you was asked to do so by the owner, and use your knowledge to help the company to patch the security holes at the end of your ride. And quite another – to penetrate the same system without permission and rip off all the sensitive data off the company’s servers.

That’s in a nutshell the difference between white hat and black hat hackers.

Stay tuned, we’ll talk about grey hat hackers in the next post.