Information Security Tips from Westfield Insurance: Cybercrime Trends

Follow @WestfieldIns

Search

About

Westfield Links

Westfield Blogs

InfoSec Favorites

CMU Anti-Phishing Game
Learn to identify fraudulent URLs
OnGuard Online
Many security tips and educational materials collected and shared by the FTC
Anti-Phishing Blog
Lots of examples of phishing and other scams
SEO by the Sea
Search Engine Optimization
Fraudwar
Schneier on Security
eDiscoTECH
Reviews of legal cases and decisions in the new field of Electronic Discovery
IT Business Edge

29 posts categorized "Cybercrime Trends"

Do You Know the Security of Your Smartphone? (Part 3 of 3)

This is the final post in a three-part series on smartphones and information security. The series has covered overall security of the BlackBerry, Apple and Android mobile operating systems.

Continuing from our earlier posts on the advantages and challenges of the Blackberry and Apple iOS, we are concluding with Google’s Android operating system (OS).

Android is a Linux-based open-source platform whose unified progress is sponsored by Google. Android Inc. developed Android OS circa 2004 and was purchased by Google in 2005. The OS caught on like wild fire and is used by literally dozens of companies who are creating tablets, phones and myriad other form factors around it. Despite competition from Apple and Blackberry, 2010 was a huge year for Google. With more than 250,000 apps available on the Android Market, the platform saw an 861 percent increase in app sales.

Additionally, customer intelligence firm Market Force Information recently released findings from a survey on smartphones, which indicated Android’s current appeal over its competition. According to a Feb. 22, 2011 Market Force press release, “When asked which smartphone they would purchase, 34% of survey respondents said Android, while only 21% said iPhone, and 12% said Blackberry.”

Android OS Security Concepts

A major aspect of the Android security model resdies in the interface of the platform’s OS application layers and is implemented by running each application in its own efficient Dalvik virtual machine.

From the end user's perspective the effect is quite similar to sandboxing in Apple’s iOS. Each application’s default view of the device is that it has the entire device to itself, i.e., unless it is explicitly permitted to see other apps, its default view is that it is the only application on the device.

How this works is that when a developer is coding and packaging an application, they must declare what device resources, e.g. GPS, Bluetooth, W-Fi, etc. the application needs to use. This is necessary to build the application but that information is then also used when the end-user installs the app! This user notification takes the form of an install-time dialog that indicates the list of resources needed on the device to run that application. So, depending on what resources are listed, the user can either accept, or refuse, installation. For example, if you can’t figure out why the first person shooter game “I Spy On U” wants access to the GPS information on the phone, then you could simply terminate the installation.

Android vs iPhone – Swiss Army Knife vs Sabatier Fine Cutlery

The Android environment is much less centrally controlled than Apple’s iOS. For example, users can skip the Android Market altogether, and download an application directly from a developer’s web site. Of course, you do so at your own risk. The developer might have bad intentions or, if the developer’s download server has been compromised, and his downloads tampered with, you may be getting “more than you bargained for”. Many Android fans suggest that the healthy skepticism that the Android openness encourages is the only sane default attitude and that Apple users dangerously naïve to believe that “because it came from iTunes App Store it must be safe and well-behaved.”

Incidentally to take complete and utter control of your Android device from the carrier you will need to “root” the phone. “Rooting” is the equivalent of jailbreaking an Apple iOS device, which, as described in the iOS edition of this blog, pretty much lets the end user do anything the hardware is capable of.

Android Virtual Phones

Improving upon the user and developer experience with Android, virtualization software company VMware has created a new offering that changes the platform interface, called Mobile Virtualization Platform (MVP).

MVP is similar to the Dalvik VMs of Android; however, whereas the virtual machine presented by Dalvik is an idealized JVM-like set of resources, the VMware VM is more like a thin layer of virtualized hardware implemented as a so-called hypervisor. This allows a carrier or end-user to install multiple virtual phones! E.g., on a phone model sold by multiple carriers or by one carrier with multiple versions – like an HP phone that runs either WebOS or Win 7 Mobile – if there was a version of the MVP hypervisor for HP mobile phone hardware, one could run both a Win 7 Mobile and a WebOS phone instance on the same hardware at the same time and “flip” between them. The Win 7 and WebOS phones don’t even “know” the other personality is resident on the same hardware. This example is hypothetical but intriguing.

These “guest virtual phones”, running atop the MVP hypervisor, look and act like full-fledged phones! Besides being interesting technology, VMware’s mainstream concept is that a device owner can have one phone with multiple “personalities” – like a work phone and a personal phone but on a single handset. With this ability, a corporate IT department could manage the “work phone,” while the owner could have complete control over the personal side. The MVP platform is mature to the point of being released for some of the most popular phone hardware and it only remains for the phone manufacturers and carriers to embrace it.

What has your experience been?

Have you experienced any issues with your Android device? Have you felt the need to “root” the device? If so, what drove you there; curiosity, annoying carrier apps which you couldn’t delete? How many apps have you installed? Did you get them straight from the developer’s site or the Android Market? Have you ever refused application installation because of the resource the app was asking to use? We’d like you to share your thoughts and questions with us.

Check out the other posts in this series, and stay tuned for more posts on information security with the leading smartphone operating systems:

----------------------------

John Brady is an Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust.

IMAGE SOURCE: http://www.flickr.com/photos/osde-info/4623612094/

John Brady on 02 March 2011 | Permalink | Comments (2)

Do You Know the Security of Your Smartphone? (Part 2 of 3)

This is the second post in a three-part series on smartphones and information security. The series will discuss overall security of the BlackBerry, Apple and Android mobile operating systems.

Continuing from our previous post on the advantages and challenges of the BlackBerry operating system, we now move on to Apple mobile operating system (iPhone, iPad, iPod Touch), known as iOS.

As mentioned previously, the iPhone has been making waves in the industry concerning its recent introduction to the Verizon Wireless network. Regardless of the initial customer turnout for Verizon’s in-store release, the iPhone is still considered one of the most highly respected and coveted smartphones in the market.

Exclusivity of the iPhone iOS

The iPhone, iPod Touch and iPad now run iOS 4.2. Apple has not only changed its major version, but also changed its name — from iPhone OS to iOS — in recognition of the fact that voice phone functions are a shrinking fraction of their mobile devices’ functionality.

So, what's the main differentiator between early smartphones and iPhone? I believe the essential “newness” was that Apple inserted the iPhone into its maturing iPod/iTunes content ecosystem and added the App Store. This closed environment gives users a unified device experience within Apple’s “walled garden.” Apple prides itself on having created a trusted, friendly device that, conveniently for Apple, only downloads music, videos, podcasts and apps from the iTunes App Store.

While most iPhone owners find this state of affairs comforting, some find it frustrating. The ultimate form of challenging the control of Apple and their carrier at the device level is a process known as “jailbreaking”. Jailbreaking removes the controls, limitations and safeguards put in place by Apple, thus enabling the device to access and run applications, extensions and themes available outside of Apple’s App Store. However, the added freedom comes with a tradeoff because the App Store is part of the Apple “cocoon of security.” While Apple makes no guarantees (in their end user agreement) that apps will not misbehave, they do take more effort than any other vendors to assure that an application does what it says it does and only that. They also restrict content they deem explicit.

iOS Security Benefits and Weaknesses

In addition to scrutinized applications, Apple’s iOS uses a “sandboxed application” philosophy. A sandbox is a default installation state of no access to OS level objects, such as persistent storage or executable. The sandboxed app can, of course, access its own data and network resources freely, but can’t reach into the phone’s OS or even “talk to” other applications except in very controlled ways. This makes it harder to write applications that cooperate via drag and drop, etc., but improves security significantly. It makes it harder for applications to spy on and export each other’s data, and more straightforward when uninstalling an application and cleaning up its associated data. If an employer controls the apps and deletes the CRM app, the CRM’s database of company confidential customer information is deleted with it.

Of course, retaining our healthy skepticism, iOS is just a device operating system and like all large complex software systems is not exempt from bugs and security issues:

Erik Sherman’s post, “Want to Protect Your Emails? Don’t use these 11 Android and iPhone Email Apps” cites, in particular, issues with Microsoft’s Windows Live Messenger on the iPhone.

Just this month (Feb. 2011) the Frauenhofer Institute SIT, exploited an iOS stored password/encryption vulnerability. Via the aforementioned jailbreaking process, the SIT research team was able to crack into stored iOS password vault, called the Keychain, in as little as six minutes. In addition to the hardware encryption key for that device's storage, where application data would be stored, the Keychain contains user account/password pairs for such things as websites, email accounts, wi-fi hotspots, etc. Optimistically, since Apple controls the ecosystem from the hardware up, they can rework the affected encryption architecture and system libraries to use the hardware in a different way to restore security to the iOS devices out there. This should be an advantage of a monolithic device provider.

Apple continues to make iOS more enterprise friendly with hooks to email and other corporate services considered critical. For example, companies can control whether the device locks its screen after an idle interval and requires a password to get in. Or, after say, ten failed attempts to get into the device, it wipes itself (data and applications or just the corporate controlled data and applications). It can now be remotely wiped on demand by a command sent from a company IT security department.

What has your experience been?

Do you love the security of Apple’s walled garden or is it driving you nuts? Are you excited or worried about switching from your current smartphone to an iPhone? We’d like you to share your thoughts and questions with us.

Check out the first post in this series, and stay tuned for additional posts on information security with the leading smartphone operating systems:

BlackBerry
Google Android

----------------------------

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust.

John Brady on 24 February 2011 | Permalink | Comments (0)

The Trusted Insider

The U.S. military’s response to all the problems it has been having with sensitive documents appearing on WikiLeaks is to prohibit the use of removable media such as USB drives. They are even threatening court marshals. Here is an article on CNN that gets into more detail on this:

http://www.cnn.com/2010/TECH/web/12/10/military.stops.leaks.wired/index.html?hpt=Sbin

Will this be an effective way to stop information loss? It will certainly make things a little harder to get large amounts of data out of their secure networks. But, in order to be useful, information does need to move around and be accessed on multiple platforms by multiple people. As the information moves around, there are opportunities for it to move out of your organization's control. Is there an effective technical control that could be put in place to mitigate this risk?

The problem here is not technical. No technical control failed; it’s that a trusted user, with appropriate credentials and the required access needed to perform their job, has decided to violate their organization’s (the U.S. military) policies and trust. The people who are uploading this information are intentionally misusing the access that they have been granted. This is probably the worst risk that Information Security professionals everywhere have to deal with: the Trusted Insider. You know them: the high performers with positive attitudes who have been around a long time, are working on important initiatives and who would never do anything wrong.

We can monitor logs, block websites, restrict network protocols, ban USB drives, disable DVD burners, encrypt data at rest, layer on more and more technical controls … Will this address the issue and mitigate the risk?

Putting technical controls in place, like banning USB drives, makes it harder for the Trusted Insider to do bad things, but they are still there in your organization, accessing your most sensitive information. How do you mitigate the risk of information misuse by the Trusted Insider?

We'd like to hear your thoughts on this issue - please comment below.

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance. Sharing Knowledge. Building Trust.

Bill Murray on 14 December 2010 | Permalink | Comments (0)

Securing Mobile: When a Phone is as Powerful as a Laptop

There seems to be a disconnect between want and need with respect to smartphones and information protection. Securing mobile is a “downer” along at least two main axes of mobile phone interaction: convenience and cost.

If your phone is as powerful as your laptop; meaning the operating system, the peripherals and the applications on your phone are as – or are more - sophisticated than those of your laptop then shouldn’t the security measures that protect the contents be similar? The real question here is, if you’re using your phone to process the same information as your laptop, then we have to ask – how can one justify not securing it to the same degree as your laptop?

My opinion is that the only logical answer is yes. For an increasing number of functions, phones are replacing laptops. I believe that there are ways to secure mobile phones to the same standard as laptops while minimizing the inevitable inconveniences and extra cost. The solutions require thoughtful re-evaluation and sensible compromise. Rather than slapping the old products from the laptop onto the smartphone, we should look at it as a qualitatively different platform.

Drawbacks to Treating a Smartphone like a “Small Laptop”

Here’s an example of when it may be typical to treat a smartphone as a “small laptop”.

Many companies now use URL filtering perimeter systems, such as WebSense, to prevent employees from accidentally going to infected websites. When an employee uses their laptop outside the company network, you may tell them they must “VPN into” the network before using the web. (This way, once the VPN tunnel is established, their browsing goes through the URL filter.)

It is possible to treat the smartphone like a laptop in this scenario, because there are VPN clients that work as well as the laptop version. Employees could be told to “VPN into” the corporate network before web surfing on their smartphone.

However, there are drawbacks: a) VPN clients take a fair amount of computational horsepower to run, and b) from a network architecture and management standpoint, why tunnel all that traffic from every mobile browser into the corporate core in order to turn around and go back out to the Internet?

Rather than treating the smartphone like a laptop, the solution may be to change how your URL filter works. So perhaps, instead of bringing the traffic to the filter, bring the filter to the traffic! Put the URL filter on the Internet, and everyone’s computer (smartphone or laptop) can get to it from everywhere. Companies such as WebSense and zScaler advocates and vendors of such solutions.

Speaking of changing the place where the processing happens – how about using another ancient solution? How about moving where the applications run and so, where the information is processed? I am speaking here of just using the phone as a window into the corporate computing environment. This is déjà vu all over again, the fat client/thin client debate of the 1990s – the Unix X Window system and Citrix ICA. The fact is that this class of “collapsed data center” solution, which once suffered complaints about bandwidth and server capacity issues has become increasingly viable not increasingly outdated. Since the days of the mainframe terminal sessions, the thin client paradigm was always attractive from cost, administrative and data security perspectives. Now the protocols for computing in the data center core and transmitting just the display have become more efficient and bandwidth has come down in price. Similarly, multi-core servers with dozens of gigabytes of RAM are the rule not the exception. This makes it very attractive indeed to just load the thin client app onto the smartphone and have it connect securely to the core to process corporate information which is also on the core. If the organization wants people to be able to drag and drop files or query results from the core within apps that run on the endpoint – then the endpoint needs heavy securing as described above. But if the thin client is set up so that information cannot be transferred from the core to the endpoint then one has a lot less to worry about in terms of “information leakage.” The “drag and drop” tradeoff being that the information the employee wants to transmit to their smartphone is not directly usable by other apps on their smartphone that make them more productive (e.g., transferring an address to the smartphones contact management system or its GPS app).

So where does this leave us? I think, for now, the choice is between:

a. Smartphones with powerful processors and awe-inspiring local apps and local corporate data loaded down with classical malware protections like encrypted file systems, anti-virus, URL filtering, anti-spam, personal firewalling (local or in the cloud)

b. Collapsed data center where the employees log into a virtual desktop running on a big server and all the employee ever has on their smartphone is a thin interface to corporate data on a far-away desktop

The convenience trade-off is clear – I would much prefer to be able to download a spreadsheet to the app on my phone and then hop on a plane and “play with the numbers” versus having to be on the network and constrained by my company's standard spreadsheet program.

Cost wise, the price of buying and administering standalone smartphones with high performance client software on them is much higher risk and less cost-effective than standing up a big server with desktop OS licenses, a few licenses for each app and issuing a thin client for each employee’s corporate or privately owned smartphone, laptop or desktop.

Is there is a happy medium? What do you think?

Next time we’ll discuss modifications to these paradigms that may remove some of the downsides to both, namely, data centers in the cloud and always connected mobile networking.

----------------------------

Some links to others thinking about the same topics:

http://www.isaca.org/About-ISACA/Press-room/News-Releases/2010/Pages/Mobile-Devices-May-Pose-Greatest-Threat-to-Confidential-Information-New-ISACA-White-Paper.aspx

http://isc.sans.edu/diary.html?storyid=9787

----------------------------

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust

John Brady on 18 November 2010 | Permalink | Comments (0)

Smartphones are great, but are they secure?

Something I've noticed over the past month is the tremendous amount of smartphones in use, whether at the grocery store, or in a local coffee shop. These devices are really pretty amazing, even playing some of the most high definition games on a simple little phone. I saw someone swipe their shopping card at the register the other day, I sure could use that. Up until the most recent series of smartphones, most people didn't really have the ability to store information other than contacts or small pictures on their phones. But now, the opportunities are endless. Most have browsing history available, pictures, videos, stored passwords, emails, and the list goes on and on, what's next? credit cards?

So what are people doing to ensure the sensitivity of the information stored on these devices remains sensitive?

The short answer is very little. I haven't come across many smartphones with a password set, and the memory card has only become increasingly easier to get at. Next time you have a few minutes (please not while driving your car), take a look at the security settings available to you.

Ensure you have a password on the device .
Review your application settings, do any applications have permissions to send information to the internet about you?
Check on your internet browser settings, paying special attention to your identity and privacy options.
Review the media (pictures, videos, text logs) that you keep on the device.
Check into solutions that will send a remote wipe to your device, in case its lost.
Know how to contact your provider to report the device lost or stolen as soon as possible.

Share your ideas for keeping smartphones and other mobile devices secure!

Jacob Harris is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust.

Jake Harris on 16 September 2010 | Permalink | Comments (0)

Sir, May I See Your Drivers License

I was reading some of the ever increasing material relating to identity theft and ran across an article that I wanted to share. Apparently there has been a sharp increase of fraudulent identification being given to police and state troopers when they are pulling people over in traffic stops and at driver’s license examination stations.

http://www.daytondailynews.com/news/ohio-news/ohio-highway-patrol-id-theft-increase-alarming-858936.html

Imagine getting a speeding ticket in the mail or having your auto insurance go up because someone falsely used your information when they were pulled over or committed a crime.

I wonder if the police will ever consider making drivers licenses into a multi-factor credential similar to how ATM cards work. With ATM cards, you have to have the card and know a PIN number in order to use it. That way when you presented your drivers license you would have to tell the policeman something that he could check to ensure that you were really you. I am sure that this approach could be easily bypassed as well.

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance. Sharing Knowledge. Building Trust

Bill Murray on 23 August 2010 | Permalink | Comments (0)

The Problem with Honest People

The problem with honest people is that they don’t think too seriously about how the things that they do or information that they share could be misused or be used against them.

It’s not the nature of good people to think like bad people. I can hear people saying: “No one cares about my information. I don’t have anything that people would want to steal. Bad things happen to other people, not me. I am just one person in a million; there are better targets out there. etc…” It’s not until something actually happens to them, or someone that they know, that they realize the truth.

Please! Please! Please! All you honest and good people living in modern world, think a little bit more about it! What could a malicious person do with your information if they wanted to? Even the simple messages you post on Facebook or Twitter. Malicious people do exist. I see it regularly in my career as an Information Security professional. Only in hindsight does the light bulb go off for the victim. Also, the victim might not be the person who’s information is misueed, many times one person’s information is misused to victimize another who trusts them. Social networking sites are a ripe field for this kind of information to be harvested.

Here are some tips I ran across that talk about basic security precautions on social networking sites. These are just some common sense things that can help reduce the probability and impact of information misuse: http://www.bankinnovation.net/profiles/blogs/10-ways-to-prevent-social-1

Even if you don’t think that YOUR information will be stolen or misused, don’t give anyone the opportunity to prove you wrong. Keep being honest but be "Information Misuse" aware!

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance. Sharing Knowledge. Building Trust

Bill Murray on 23 July 2010 | Permalink | Comments (0)

A Key to Decreasing ID Theft Exposure

No one wants to have their identifying particulars stolen and abused. To help, there is the security concept of using one secret (a key) to unlock keys to other services. The concept is simple, here is a real world analogy – in a car dealership, the service area has a bunch of keys to inventory and customer vehicles. That collection of keys is kept in a locked wall-mounted cabinet. Upper management are the only people with the keys to the “key locker.”

On your personal computer, there’s another commonly used example, in most browsers you can set your security preferences so that the username and password fields at different web sites are automatically supplied. They are stored in a browser-managed repository which is the equivalent of the “key locker” described above. Using this auto-fill feature alone is a net decrease in your security because, once turned on, anyone that can walk up to your computer, start up the browser and instantly be logged into your various web site accounts without having to know any credentials. But there is simple way to mitigate this risk. For example, in say FireFox, IE 8 or Opera you can also set a “Master Password” that is used to keep people other than yourself from getting at those passwords. This master password is the equivalent of the key to the key locker in our physical world example. This gives you the best of both worlds because now you only have to remember a single password which, in turn, allows you to set the underlying stored passwords to very hard to guess, long, complicated nonsense strings because you are planning to never have to remember/type them!

Another example of this security concept is in the world of payment card (credit, debit, etc.) clearing house services like PayPal, Google Checkout, PaySafeCard. These are services that you give various credentials to and they provide clearing house service to merchant sites that have signed up to use their services for payments. Here’s how it works:

First you sign up for the payment service of your choice, let’s say PayPal:

you create an account at the payment service using a unique string such as your email address
you fill out the payment service’s profile by providing contact information and credit card, debit card or checking account information
depending on the service, you may need to verify that a tiny transaction against the card or account in question goes through

That’s it! Now, you can use any online vendor that supports that payment service (look for, say, the PayPal logo, although it may not be displayed until you go to checkout):

go to a merchant site such as Walmart and put some stuff in your virtual shopping cart
proceed to check out and notice that there is a PayPal option, choose it
Walmart’s website sends you to PayPal, giving PayPal the bill you need to OK payment of (vendor and dollar amount)
you confirm your PayPal password and then tell PayPal which of your accounts to debit
when you hit “confirm payment”, PayPal debits your card/account on behalf of Walmart and then transfers the funds (not the payment information!) from your account to Walmart
PayPal also sends you email confirmation and tells you what merchant name to expect to see on your credit card statement
PayPal sends your browser back to the merchant site where your payment is confirmed in the form of a receipt (and usually another email) and information about order shipment

So, behind the scenes, the payment service deposits the payment (minus their transaction fee) into the merchant’s account without ever sharing your payment information with anyone!

Why bother with that? In the case of Walmart.com, there is probably little reason for concern but in the case of a small company, say Tom’s LiveBait-by-Mail, you might be a bit leery of giving away your credit card information. Also, if you signed up multiple credit/debit cards and one or more bank accounts then you can choose which to charge the payment against at checkout time. So, as long as the payment service is super-secure, it’s a net win because the fewer places that get their hands on your card info the better.

Is there a downside to using these services? Well, I suppose these particular processors are in a position to know a lot about your cross vendor buying habits and history. Plus, of course, they are an inviting target for hackers because they store so much account information (although they are extremely aware of and well staffed to store and police said information).

So – keep this “key to the keys” idea in mind when you need to minimize complexity and exposure.

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust

John Brady on 01 July 2010 | Permalink | Comments (2)

At the Nexus of Social Networking and Business

In a recent blog post I suggested that, while social networking (e.g., facebook, myspace, twitter, orkut, LinkedIn, etc.) is here to stay, one needs to be somewhat circumspect in using them. I focused mostly on “apps” within these social networking communities. These apps often want access to your personal information or want you to install or run some program at their behest.

As a follow-up, I’d like to discuss some general ways in which you can improve the likelihood that you will not get your personal or business systems hacked while still being able to enjoy the fruits of these dynamic, fast-growing communities.

Think before you click on anything asking:

- for access to your personal information (on various sites, they may be called “applications”, games, “e-cards”, “gifts” like a virtual cup-of-coffee, virtual bouquet of flowers, a snowball). Do you trust the requestor? Do you even know their privacy policy?

- you to install some “missing piece of software” (e.g., a dll, driver, codec) and perhaps offering to forward you to the site where you can install it now and then proceed with your original task. Do you know the software provider?

Review your privacy settings periodically, there are many recommendations in this regard in the mainstream media (see table at bottom).

When the social network provider notifies you that their privacy policy has been changed – READ the new privacy policy! There have been cases where the provider has retroactively instituted new default access rules rendering previously private parts of user profiles open to the public!

Don’t lend the use of your computer (laptop, desktop) to anyone that might be reckless with it. If the borrower surfs to an infected web site and your account on the PC becomes infected then they have unwittingly put your personal information at risk. To mitigate the danger – always create a separate account for other users (either one account per person for regular users, or) a shared guest account for people that just want to use a browser for short time. When creating such accounts do be sure they are not endowed with any administrative powers. Delete all the files they leave behind and perform a virus/spyware scan. Don’t think of it as being distrustful, think of it as good hygiene.

Taken to its logical extreme, you might seriously consider having a completely separate system for when you are working on your high privacy stuff (employee personal info., online banking, personal/business financials, tax returns, medical bills/records, …). This will almost guarantee that your private information stays that way. **

Although it may sound like I need to lighten up, if you read some of the horror stories about people that have experienced ID theft, you may decide I am not being adamant enough! Of course, you have to find a happy medium for your circumstances. Hopefully, the list above will help you make more informed decisions before you click.

--------------------------

Site Policy	Privacy Recommendation
facebook	High level: NY Times Very detailed: AllFacebook
MySpace	For better privacy control, switch from profile 1.0 to profile 2.0. MySpace recommendation
LinkedIn	Walk-through: Network World LinkedIn recommendation
twitter	Creating a non-public twitter account

** If you are computer savvy enough to know about virtual machines (VM) – you can get much of the same degree of isolation using a separateVM, instead of a separate piece of physical hardware.

John Brady on 06 April 2010 | Permalink | Comments (1)

The Overly Eager Bird Catches a Worm

The social network phenomenon has shown many benefits. These sites, such as facebook (FB), have great potential for people seeking friends to hang out with online. Businesses too are finding it desirable to create a company presence on FB, myspace, twitter, etc. Given their explosive growth, however, these sites have also attracted an unsavory element looking to exploit such new fertile ground.

Do you recall, back in the early 2000s, when email phishing was a relatively new phenomenon? Eventually people became savvy about not following links that arrived in email messages from businesses with which they had no established relationship. You see, in order to compromise your system, eventually the bad guys have to get you to act on their behalf ... so at some point, they have to present you with some “stuff to click on” ... thereby tricking you into giving your operating system (Windows, MacOS, linux, etc.) the go-ahead to install their evil code.

In a similar vein – have you noticed that when you go to play a game on a social site, say FB, you are presented with a dialog-box saying something like "This application requires access to your FB profile. Do you wish to grant access?” This is the FB security layer warning you that this application is trying to access your FB profile. This is like a stranger asking to look through your wallet and record whatever they feel like while they’re in there browsing. Alarm bells should be sounding in your head! Let’s see ... a game that’s all sorts of fun to play and has really nice graphics, and which must have taken some people a lot of time to develop, all apparently, “for free”! Too good to be true? Gee whiz -- that's a little like those emails I occasionally get from "banks" promising to consolidate all my debt into a "Zero down, 0% APR loan” ... too good to be true indeed.

So, while most FB applications/games are not bogus fronts for bad guys that want access to your personal information, it is also true that some of those ostensible applications are in fact phony. So be very careful before deciding to unleash these apps on your private information.

In another example of social networking abuse, there was recently a worm blazing its way through FB accounts called KoobFace ("facebook" spelled sideways, sort of). KoobFace arrives as a FB message from a FB friend in your FB inbox. When you open it, you are told to check out a YouTube video. When you click on the link to the video you are sent to a fake YouTube site. When you try to start the video playback, you are told that your system is missing an important piece of video playback software called a codec (engineering speak for coder-decoder). It asks if you want to install the missing codec.

Let’s step back here. At the request of a site that looks like YouTube, you are about to install and run some piece of software! Are those internal alarms bells clanging loud and clear yet? They should be. The supposed missing codec is really a worm. If you OK installation -- your system is infected. The worm begins executing immediately, making a few "adjustments" to your Windows Registry to make sure it gets restarted whenever you reboot. It then proceeds to wander about in your browser cookie cache finding out which social networking sites you belong to. For each site, it authenticates and then sends messages, in your name, to all your friends! Of course, those messages are just more infect-o-grams like the one you fell for. And so the worm turns...

The lesson here is: think twice before accepting requests to "access" your social networking profile(s) from applications, games and gifts. Moreover, think three times about saying yes when some web site that you have followed a link to recommends you OK installation of software you supposedly need! If you believe you really might be running an old version of a plug-in, anti-virus program, etc., you should still always refuse the unsolicited pop-up style request. Instead, you should explicitly type in the URL for the software maker and check if there you are missing codecs or updates to the software. If there are updates then update your software and retry playing the video.

If your software is already up-to-date, or if you get the pop-up again after updating, then assume the pop-up is malicious and just skip playing it! It cannot be worth the inherent risk. You might even go the extra step to inform the sender of your suspicions. For example, in this particular case, the “sender” would be surprised you even got an email from them! You’ll recall, in our scenario, it was the worm that sent it. This is often how people find out their system is infected so you are doing them a big service.

To read further, here is a link to a technical explanation of how the koobface worm works.

John Brady on 05 March 2010 | Permalink | Comments (0)

How to Stay Clear of Census Scams

Every ten years Uncle Sam asks each of us to provide some information through a Census, in an effort to distribute billions of dollars into appropriate infrastructure and services projects each year. It's purpose is important, however it also opens the door to scammers and criminals alike, who can't wait to take advantage of situations like this.

How will you be counted?

A form will be sent to your home via the mail, which will ask 10 questions, and no it isn't available on the Internet for 2010. These questions are aimed at determining the number of residents per home, and a minimally invasive set of information about each resident. You won't be asked to share your social security number at any time. It's very important that you fill out the form and send it back, or a "Census Taker" may visit your home to gather your answers in person.

What should you be aware of?

Legally you must provide the answers to the Census, whether via the form, a Census Taker who visits your home, or both.

Scams which may pose as the 2010 Census are sure to be in abundance. These scams may come across as emails, websites, telephone calls, or even people knocking at your door.

Do we have any tips for protecting your information?

Online Information

Read through the 2010 Census website, and contact them if you have any questions or concerns.

Remember, the 2010 Census will never ask for your information online, via email or a website.

The Form

Know how to identify the census form, any request will be clearly marked as coming from the U.S. Census Bureau and as OFFICIAL BUSINESS of the United States.

Census Taker

A Census taker may visit your home even if you mailed the form back. Your form may have gotten lost or not arrived yet, you still need to provide the Census Taker with the answers shown on the form you received.

Identifying a Census Taker can be confusing, remember they will not ask to enter your home, if they do, be wary.

It's a good idea to ask to see 2 forms of identification, the first will be a badge with the persons name, and the second could be any form of photo identification, like a drivers license, or state id.

If a census taker contacts you via the phone, you still need to provide the information which is on the official form, but it's a good idea to gather the persons name, the office they work from, the date and time they called, and a phone number to reach them back on. Most scammers won't provide you this information.

The information you share

Remember you only need to provide the answers to the questions which are on the form, you don't need to provide any other information.

Jake Harris on 16 February 2010 | Permalink | Comments (0)

Your information security "chain" breaks at its weakest link

I have been reading a lot of articles lately about information being stolen by foreign intelligence agencies, e-mail systems getting hacked into and millions of dollars of intellectual capital lost Here are some current examples of this happening:

http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved

http://www.msnbc.msn.com/id/34923887/ns/technology_and_science-security/

This led me to think about the activities we should be doing to reduce the risk of things like this from happening to our companies or ourselves. There are some very simple common sense things that can be done to protect information that you care about.

I have broken this down into three basic steps:

Step 1: Understand what you need to protect

The first (and most important) thing that you need to do is identify what information is critical to your company and what information you legally need to protect. Really take the time to think about it. Most state privacy breach laws state that you need to protect peoples names in association with their Social Security Numbers, any account numbers that have a PIN and any credit card numbers. These are easy ones, but how about your customer contact lists? new product ideas? customer order histories? etc… What information do you really need to ensure that you don’t lose and doesn’t get out of your control? In addition to data loss, think about data integrity. When you open a spreadsheet, how confident are you that someone has not accidentally or intentionally changed some numbers? How important are the decisions you make from your data. The controls you place around preserving the integrity of data need to match its importance.

Step 2: Inventory where it is stored

The next thing to do is to identify where all of this information is located. In addition to the primary location, system or application, also identify where copies, backups, extracts and derivatives are stored. You may have great security around your PeopleSoft system, for example, but store all the reports that are generated out of it on a share drive that is readable by everyone. Ask yourself these questions:

Are there any reports, spreadsheets or extracts produced by core systems that contain critical information?
Is the same level of security placed on these reports, spreadsheets or extracts as on the original information itself?
Where do you store and how do you protect your system backups?
Could someone gain access to a system backup and restore the information to their computer?
Can you reduce the number of locations that your critical information or copies of it are stored?
Are you relying on third parties to protect your information when it is in their systems? Do they have the appropriate security controls in their environment?

Step 3: Align security controls with business risk

Finally, assess the security controls that you are using to protect your information. You should align your controls across systems based on the value of the information you are trying to protect. You must take a holistic view of your data and approach its protection aligned with its risk of loss or corruption wherever it is stored. Do not haphazardly place security controls on systems just because they have some checkboxes in their setup screens to allow them to do fun things like expire passwords, disable accounts after failed attempts, etc... Don't apply extra security where it is not needed.

Know what information you want to protect and protect all locations that this information is stored consistently. Your information chain will break at its weakest link.

The bottom line is that if you know exactly what you need to protect, have identified and minimized the locations that this information is stored and are confident that the controls in place to access or modify that information are appropriate, you have significantly reduced the chances that your information will be lost, stolen or altered.

Bill Murray on 08 February 2010 | Permalink | Comments (0)

Four Steps to Avoid Scams: A Courage-Building Cheat Sheet

New scams are created every day which target each and every one of us. The AMS Users group identified a prime example recently that targets independent insurance agents. This new scheme attempts to steal an agent's credit card information posing as a representative of the department of insurance.

Our blog posts have identified several of the scams in the past such as toner scams, and the Michael Jackson spam emails recently spread across the web.

Most people find it difficult to challenge these scammers, but a great courage builder is to make a simple cheat sheet and post it near your phone. Here is an example that hopefully will save you quite a bit of grief and money in the future:

Step 1: If it sounds too good to be true...it most likely is.

Don’t be afraid to ask hard questions after all they wouldn’t be calling you if they didn’t want to.

Step 2: Ask for a reference for validation or a call back number.

A scammer probably won’t have a reference available and surely won’t want to give you a number to contact them back. If they aren’t reputable enough to have a reference, use caution.

Step 3: Ask for the request or offer in writing.

Any offer can be provided in writing, and it provides you an easy out if someone is attempting to pose as an official or service provider. Most companies have policies which state they must send you a notice in writing if requested.

Step 4: If and when they hang up on you, take it as a compliment.

You most likely just avoided a scam. Feel good about yourself, and share your experience with others. One of the best ways to protect yourself and others is to share positive experiences.

Feel free to share your cheat sheets as well!

Jake Harris on 10 August 2009 | Permalink | Comments (0) | TrackBack (0)

The dangers of vacationing via your web browser

Now that mid summer has arrived, most people are looking forward to a vacation. Of course it's important to let everyone know you will be away from work for a few days, but when is broadcasting your upcoming vacation on Facebook, Myspace or Twitter a danger?

Let's say you plan to travel out of state for the week, and you post to your Facebook profile about it. It just so happens a thief may be watching by searching public profiles for the word "vacation" or "leaving", and they run across your post. Now they know when you will be gone, and it's not very hard to lookup your full name and city from your profile. From there a simple google search provides directions to your home. Guess what happens next?

What can you do to protect yourself?

Take steps not to post information which could harm you or your property.

Examples:

Don't post about vacations, business trips, the big graduation party at the park, or going to the mall until you've come back.
It's not a good idea to post about your brand new car or HD TV.

Ensure your privacy / security settings are appropriate for your accounts.

Example:

Set your Facebook "Privacy Settings" so you aren't broadcasting information to everyone in your "Network." Remember, "network" could mean everyone in a specific geographic region for example. Maybe only your friends, and maybe their friends, should be able to view your profile.

There are multiple options to securing a Facebook profile:

Secure your basic profile to make sure only people you want to see your information can see your information.
Secure your search settings to determine who can search for you, and what they can see about you.
Secure your posts to make sure you aren't sending everything you post to everyone, unless of course you want to.
Secure any add-ins and remove applications which are no longer being used on your account.

Sure are a lot of options available to secure an account, but it's important to pay attention to each of them.

I hope this encourages a few people to take another look at their profile settings, and start thinking about what kind of personal information should or shouldn't be posted.

If anyone has any great ideas or recommendations, please drop them off so everyone can benefit.

Jake Harris on 13 July 2009 | Permalink | Comments (0) | TrackBack (0)

Social Networks: The Good, The Bad and The Ugly

Where were you on June 9, 2009 at 10:22am? At that moment in history, the 1,000,000^th word was adopted into the English language. What was that word? Web 2.0. Now you are probably asking yourself, I’ve heard of Web 2.0 well before June…why are we only adopting it now? Well, the Global Language Monitor has certain criteria by which they judge; but that is well beyond the scope of our discussion here.

So what is Web 2.0? It has nothing to do with the technology or domain naming. Mostly it is about the dynamic content and the way users interact with the Internet. Remember how your parents read the newspaper every evening or watched a newscast on television? The information flow was one way. Web 2.0 is about sharing information, opinions and experiences. You live with Web 2.0 everyday and you probably don’t even know it. Have you read a review on Amazon? Have you commented on a news article? Those are just a couple examples of user provided content. Websites such as Facebook, Twitter and MySpace, YouTube and other social networks are the big names in social networks or Web 2.0 but there are countless others. You may think that because you don’t have a Facebook account or don’t visit social networking sites that you, your family or business are immune from anything harmful; you better think again.

The Good

Rather than jump right into the bad or ugly, let’s first discuss how social networks can be good. Social networking or social media IS the future of communication. Rather than wait for the newspaper to be delivered, you get news as it happens by the people who are experiencing or involved in the situation. Remember the US Airway’s flight that landed in the Hudson River? Well before the media had a chance to deploy reporters to the scene, passengers on the flight were posting pictures and updates through their Twitter account. Companies are using social networks as a tool to market their brand. Have you heard of Blendtec? How about “Will it Blend?” Blendtec CEO, Tom Dickson, became an instant celebrity when he began posting videos of his blender destroying things like iPhones, Guitar Hero guitars, etc on YouTube. It also helped them sell a lot of blenders. Even Westfield Insurance uses LinkedIn and Facebook to find talent, as well as, communicate promotions and events. Blogs such as this one and the Westfield Loss Control Blog are another way that companies can reach out to current and potential customers. Internally, employees can network between departments giving them a feeling of being more than just another “employee.”

The Bad

Those were just a few examples of how social networks can be beneficial to a company. What are some of the drawbacks? First, it is difficult to balance a work culture that embraces social networking while ensuring that it does not impact productivity. It is increasingly more difficult to monitor or limit these activities as social networks extend beyond the desktop and onto cell phones. Additionally, companies may have a difficult time restricting or limiting the content that employees post. A disgruntled employee may post negative information about their employer for all to see. Companies may have human resource policies when it comes to employees posting information about their employer; but how does a company draw a hard line in the sand between moral, religious and political biases and freedom of speech? Social networks are making it difficult for companies to separate an employee’s business relationship and their personal lives. On the other hand, employees are learning that inappropriate use of social networking may allow a company to terminate their employment.

The Ugly

So your company is on the cutting edge of technology and you have an HR policy that addresses social networks; is that enough? Not quite. Aside from the fact viruses, Trojans and other malware have found a new distribution vector; there are many other security concerns. Data Loss Prevention is among the top as employees may maliciously or accidentally distribute sensitive company information. Depending on the leaked information, your company may be faced with regulatory fines and requirements such as privacy breach. Even if the information isn’t overtly sensitive, information may trickle that may give a hacker or your competitors an inside advantage. Take for example your network administrator who blogs and/or posts questions about Cisco routers and firewalls. A hacker may use that inside knowledge to target the vulnerabilities specific to Cisco products. I am sure there are additional threats that remain to be discovered.

Conclusion

Whether your company has adopted or is blocking social networks; it is probably time for a revisit. While the inherent risks and productivity impact of social sites such as Twitter, Facebook, etc. are good reason to not allow them in the work environment; you may find that people are spending more time on their cell phones texting or other social activities. It is difficult to balance a no tolerance policy for social sites while allowing shopping or other entertainment sites while on company time. Blocking all non-work essential sites has proven time and time again to reduce employee morale; which in turn has greater impact in reducing productivity. If you feel your company is behind in addressing this issue, don’t feel alone. Many companies are working struggling to weigh the risk versus the reward. We would love to hear how your company handles social networks. Please make a comment or contact us at infosec@westfieldgrp.com.

John Doan on 23 June 2009 | Permalink | Comments (1) | TrackBack (0)

Securing the future

Today was a day for milestones... I've reached 10 years with Westfield and my 8 month old starting saying da da.

10 years ago information security meant keeping up with anti-virus, and making sure you sent your e-mail to the right person. People were concerned about locking their doors, and making sure their checkbooks were still in their possession. Schemes weren’t as complex as they are today.

Today information security is almost as complex as the brain teasers you can pick up at the local toy store. You still need to keep your doors locked, but now you need to make sure you clean the circle the GPS device leaves on your windshield so your car doesn't get broken into. You also need to shred every document which could remotely leak your identity. If that's not enough, you need to keep your computer as secure as Fort Knox, with anti-virus software, personal firewalls, anti-spyware, anti-spam, and quite a few more anti-products that are widely available. If people are willing to dig through trash cans, and spend countless numbers of hours creating viruses what could tomorrow hold in store?

What is information security going to be like in 10 years? Will your home computer be joined by many other devices requiring all of the anti products above? Will your car need them, so a hacker doesn't program it to follow their car back to a chop shop? Will you have to use your fingerprint to access any computer information, including your email? Will your cell phone be capable of communicating with a maintenance robot doing your laundry, as it senses an intruder breaking into your home?

The message here is that we don’t know what is coming next, but it doesn’t mean that we can let our guard down. The best we can do is to educate ourselves and others to help protect the future and prepare for the unexpected.

I'm interested in hearing others thoughts on this topic? Please drop a comment, and help us keep the future secure.

Jake Harris on 15 June 2009 | Permalink | Comments (0) | TrackBack (0)

Lock your doors, here comes the Conficker worm!

You can hardly look at any news source anymore without being bombarded by articles about security incidents, privacy breaches, worms, viruses, zombies, botnet's or a host of other Information Security related headlines. The media really eats this Information Security stuff up.

This week’s news continues this trend.

Get ready for the “Conficker.c” worm that has already infected 5 to 10 million computers worldwide and is waiting for April 1, 2009 to awaken. The experts predict that the payload, which is what the worm will do when it is activated, will somehow involve people being separated from their money. This assumption is based on the knowledge that many of this worms predecessors have been targeted at convincing their helpless victims to purchase what they think is "anti-virus software" to protect their computers from the very worm that they are already infected with.

It really is all about money these days. Microsoft has even jumped in and offered a $250k reward for information leading to the capture and arrest of the worm writer.

Over the last few months the news has been filled with companies getting "hacked" and loosing their customer privacy related information (SSN & Account numbers, etc...). There have also been several companies that have just simply lost information through carelessness and bad security practices.

And over the next few months I am sure that we will continue to hear about more about companies losing information, more virus and worm scares that threaten society and more about victims who have lost money due to identity theft, phishing attacks or more worms.

I have been in the Information Security profession for a long time and while Information Security threats are ever changing, fast paced and have grown to ever increasing scales, there are some simple and basic things that companies and people can do to significantly reduce their exposure to these threats.

Not surprisingly, they are really just common sense, don't change much over time and you already know how to do them.

Patch your systems and do it all the time. The Conficker.c worm exploits a vulnerability that a patch was released to mitigate in October 2008. New patches are being released all the time. I guarantee viruses and worms will be written to exploit them.

Have basic protections in place like a personal firewall that blocks nonstandard traffic and antivirus software that is regularly updated and is configured to regularly scan your computer. We hear this all the time. Are you doing it?

Don't download and run pirated software or software that does illegal things. This includes peer-to-peer file sharing as well as pirated versions of your favorite tax software.

Be suspicious of everything. And even more so if someone or something is trying to help you or give you something for free. Nothing is free. Come on, you know that don’t you?

The bottom line is simple. Protect the information on your computer the same as you would protect your physical property. Lock your doors and windows. Don't let strangers in your house even when one comes to the door and wants to give you $100 dollars. Change your locks if you think that someone has been inside your house. Don't accept (or seek out) stolen property. If you receive a recall notice for your car because of failing brakes, make a point to get them fixed as soon as possible.

Security is security. Use the same logic with computers and information that you use to determine what you should and should not do with your valued physical possessions. Applying this logic will avoid the majority of the Information Security problems that you hear about in the news.

Bill Murray on 31 March 2009 | Permalink | Comments (1) | TrackBack (0)

Post-holiday phishes

I trust everyone had a good holiday break and hope you have a good new year. With the way 2008 ended, many people are making plans for the future. Unfortunately, some of those planners include phishers and social engineers. And as I'm sure you've seen, they are getting more and more creative and professional in their scams. The days when you could delete a message just because it was poorly written are long gone. Today's scams are targeted, well-written and spell-checked.

In particular, we are already an increase in phishing messages that reference the recipient's holiday credit care spending pattern. The messages will claim to be requests for confirmation, reports of transactions and even a few of the traditional "your account has been frozen" scams. During the holiday season, many people have more transactions and shop with more different merchants; the scammers are attempting to exploit any confusion over those transactions in order to trick you into disclosing your account information, passwords, etc. If last year is any indication, expect that phishing campaign to accelerate during this week and last until the middle of next month or so.

We are also seeing a number of scams related to the economy. The number of work-at-home scam messages is up dramatically. As you may remember from prior tips, these scams promise easy money either for helping transfer funds or to conduct "quality control checks" on merchandise. In the first case, you become part of a money laundering operation, in the second, a fence. Either way, you're like to get a visit from some federal law enforcement agency. If it were that easy to make money, they wouldn't need to be sending out random emails about it.

Interestingly, the old "Nigerian fraud" is back in large numbers. These are fairly transparent messages alleging that someone needs your help to get money out of a foreign country (usually in Sub-Saharan Africa) and offering you a percentage if you will allow the person to transfer the money through your bank account. Foreign lottery scams are also back in significant numbers. I believe that by now most people know that these messages are scams but in times of financial difficulty, sometimes hope trumps common sense.

If an email asks for your personal information or if it contains an offer that looks too good to be true, trust your intuition and delete the message. To learn more about how to identify common scams, check out some of the links in our archived Tips on phishing. Have a safe New Year.

Mike Rossander on 05 January 2009 | Permalink | Comments (0) | TrackBack (0)

Get ready for a Storm of holiday-related scams

For the past year or so, we've seen a significant uptick in attempted scams and frauds around every holiday. Many of them trace back to the Storm Warn gang, a crime ring based out of Germany that sells hacker software. Their last big attack was at the Fourth of July and tricked many thousands of users into downloading the 'storm-bot' trojan by offering a fake video clip of "the largest fireworks" celebration in the nation. Victims found their computer hijacked as part of a bot-net or had keystroke loggers and other malicious software loaded onto their computer.

If past patterns hold true, we can expect to see a dramatic rise in the volume of spam and phishing attempts during this holiday season. Some of their cons last holiday season included dedicated sites like the Merrychristmasdude.com website (a site offering suggestive holiday-themed photos along with a very malicious download) and spam emails such as the Happy New Year phishes. This group develops very sophisticated software with hundreds of variants that attempt to evade and outrun standard anti-virus software.

To combat these scams, first be suspicious. Never open unexpected messages or attachments.

Second, keep your anti-virus up to date at all times. Set your anti-virus to automatically update itself as often as the software allows. And if you're particularly suspicious about an email or website, force a manual update before clicking the link. Remember that if your kids have a computer at home that runs under parental controls, their computer may not be able to complete the update under the restricted ID. Their computer may be at risk until you log on under your parental ID so the updates can take hold.

Finally, keep your firewall turned on and be very suspicious of any 'free' video or other offer sent through the internet. In particular, be cautious about electronic greeting cards. While some are legit, many are frauds. See this tip for some thoughts on how to sort out e-card invitations.

Mike Rossander on 08 December 2008 | Permalink | Comments (0) | TrackBack (0)

Just when you thought it was safe to let your kids back online

As if regular ID theft weren't enough, now there is an organized crime ring of password stealers who are targeting your online gaming accounts.

For those of you who aren't familiar with these online games, you create a character or 'avatar' who adventures through a fantasy world, interacting with other players to overcome various hazards and quests. Many people invest huge amounts of time and energy developing the character's skills and building up possessions in these online worlds. The Wall Street Journal has run several stories about the 'virtual economies' that sprang up around these games. Some players build up strong characters or search for rare possessions for the sole purpose of selling them to new players who don't want to go to the effort of building up an inexperienced character themselves. It may sound a little weird but it's all legal – the free market in action.

The hack in this case is an infection on your machine just so the hacker can steal the password to your online game account. They log on as you and sell all your carefully hoarded possessions for virtual gold coins which are then handed over to some other online confederate who sells the virtual gold for real-world cash at an online exchange like IGE. (Yes, you can make real money playing games.)

Unlike a theft of your real-world bank password, the theft is virtual so it's not clear that you can actually report it to the police (or that they could do anything if you did). Furthermore, it's very easy to launder the transaction – there's almost no chance that the hacker will get caught.

On the plus side, some of the recent security updates have closed the worst holes that these password stealers exploited. This example highlights the need to keep your computer fully-patched and your antivirus and anti-spyware up-to-date. And, of course, don't play those online games on your work computer.

Read more at CSOonline or get a copy of Exploiting Online Games by Hoglund & McGraw.

Mike Rossander on 10 November 2008 | Permalink | Comments (1) | TrackBack (0)