Thursday, December 18, 2008

IE Bleeps...again!

18 Dec 2008
A vulnerability has been discovered in Internet Explorer that is being rapidly exploited by some web sites, and you need to be aware of it. To read more, see Microsoft's Advisory Service; a simpler explanation can be read at Secunia.

Monday, December 15, 2008

Identity Theft: What it is & How To Avoid It

We can define roughly two levels of Identity Theft.
First, Social Theft: This is your online identity. If someone steals your online identity it enables them to pretend they are you in online activities in the area of what has become known as Social Networking. A 'social network' is an association of people drawn together by family, work or hobby. The term was first coined by professor J. A. Barnes in the 1950s, who defined the size of a social network as a group of about 100 to 150 people. However, since the advent of the World Wide Web, social networking sites have evolved online and provide networks numbering millions of members. These are now virtual communities of people interested in a particular subject or just as a 'place' to "hang out" together. On these sites, members create their own online "profile" with biographical data, pictures, likes, dislikes and any other information they choose to post. They communicate with each other by voice, chat, instant message, videoconference and blogs. It is easy to see how these can become zones of danger for the unwary. Indeed, there have been plenty of news stories covering some of the pitfalls the unwary can fall into while networking on these sites. These unfortunate events can range from just nuisance level through to the more distasteful and criminal activities of pedophiles etc.

The area of concern in this column to the wider community is when someone assumes your identity to the degree they can start buying things in your name, running up huge credit card debt, phone bills and relieving you of large sums of money directly from your bank account, etc.
Sadly, identity hijackers very frequently get clean away and continue to perpetrate their crimes again and again. Statistically, the police have few prosecutions and are usually without any clue as to who the thieves may be.

Be Afraid, Be Very Afraid!
There is only one defense: extreme caution. The old adage, ‘vigilance is the price of liberty’, is again a truism. In this case, constant vigilance is required to stay free from all the various ways in which someone can steal your electronic identity and use it to steal from you. Sometimes, not just once, but again and again. Added to the pain and loss of this are the downstream difficulties associated with identity theft. Your ability to obtain credit is compromised, there are ongoing difficulties with the police, the hassle of proving you are not the person responsible for the credit card purchases made in your name and with your card, and so on and so on.

In the End, It's All Very Easy For the Thief
Authorities do agree on one thing: it is very easy to hijack someone's online identity. For example, to do a credit card transaction in someone else's name, the perpetrator often only needs the following information:
  • Your credit card number
  • The expiration date of your card
  • The billing address zip (or post) code
  • The CVC number (that 3 digit number on the back of your card)
  • Your name
If the thief already has your credit card in their hand, they already have four out of these five pieces of information. They are only missing the PIN (Personal Identification Number) and they can use your card whenever they wish. This they may well harvest off your machine or by some other method when you're actually using your card at an ATM. Harvesting PINs from ATMs while people are accessing their accounts is becoming very common indeed.

Second: Harvesting Your Identity From Your PC
Because It's Likely All There On Your Computer
In this connected age, the scary fact is that all this information is likely stored in your computer waiting for a hijacker to get his or her hands on it. Further, you don’t need any fancy technology to dig it out. Unless you're already practicing safe computing, you can find it just by following these simple steps:

Go to an online form. You can use my Contact Centre form for the purpose if you like, but any form where you fill in information about yourself will do. By the way, I don’t harvest any information from my form. It is a simple email form and I haven’t even taken steps to guard against abuse on it. As a result I often get junk email off it when online nutters fill it in with gobbledygook and I have to waste my bandwidth and time and delete it from my inbox. So, use it freely, although, if I get an increase in misuse as a result of this invitation, I will certainly get busy and put some simple checks in place.

If, as you complete this form using Internet Explorer, Firefox or any other browser, the information you enter, such as your name, phone number, bank account number, IRD/Social Security number etc., is automatically completed for you as you begin to enter it, you know you're compromised.

This is because the information is stored on your computer and it is available to be harvested by an identity thief quite easily. If you’ve been using computers and the net for a while, you should know this by now. If not, consider yourself educated. Turn off auto-complete this instant and be many times safer as a result.

If you’re running Firefox, my preferred browser, go to the Menu Bar and click ‘Tools’ and then the ‘Private’ tab. Check as many boxes as you can to make yourself comfortable about what information remains on your PC. You can also choose to have Firefox clear all your Private Data when you shut Firefox down. Click the ‘Settings’ button on the LHS of the Private Data section and check as many or all the boxes you feel comfortable with as well.

In Internet Explorer go to the Menu Bar and click ‘Tools’ and click the ‘Delete Browsing History’ option right now. Then go back to ‘Tools’ and choose ‘Internet Options’. Next, choose the ‘Privacy’ tab and move the slider you will see as high as you feel comfortable with. If you are now paranoid, you can click the ‘Advanced’ tab and check ‘Override cookie handling’ and check everything in sight – or whatever! While you’re there, if you wish, you can check the ‘Turn on pop-up blocker’ as well. You can have a look around at the other tabs while you’re in Internet Options and read all the information available.
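For readers who prefer to check this with a script rather than by typing into a form, here is an added example (not part of the original post, and not any browser's own code) that audits saved form entries and reports which field names hold a value that looks like a card number or an email address. The `form_history` table, its two columns and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Constructed sample rows (field name, saved value); not real data.
SAMPLE_ROWS = [
    ("fullname", "Jane Example"),
    ("cardnumber", "4111 1111 1111 1111"),  # common test number, passes Luhn
    ("phone", "07 555 0100"),
    ("searchbox", "1234 5678 9012 3456"),   # 16 digits, fails Luhn
    ("email", "jane@example.com"),
]

def luhn_ok(digits):
    """Checksum used by payment card numbers (Luhn algorithm)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def build_sample_db():
    """In-memory stand-in for a browser's saved-form store (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE form_history (fieldname TEXT, value TEXT)")
    conn.executemany("INSERT INTO form_history VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def audit_form_history(conn):
    """Return (field, kind, masked value) for entries that should not be stored."""
    findings = []
    query = "SELECT fieldname, value FROM form_history ORDER BY rowid"
    for field, value in conn.execute(query):
        digits = re.sub(r"[ -]", "", value)
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append((field, "card number", masked))
        elif re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
            findings.append((field, "email address", value[0] + "***"))
    return findings

if __name__ == "__main__":
    for field, kind, masked in audit_form_history(build_sample_db()):
        print(f"{field}: stored {kind} ({masked})")
```

Any field the audit reports is one whose saved value should be cleared using the browser steps above.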

Caution!
Be aware that actions you take here will affect your browsing and you may wish to return and fine-tune your settings. However, keep in mind that the point of the exercise is safeguarding your online security and privacy. To do this, some of the fancy gizmos you find on the net and some of the easy options, such as having your browser remember passwords, may have to be missed out on. It’s up to you.

The Telephone
Now for the telephone! I mention this because it's amazing how trusting we can be. You can be asked a series of questions all related to your security and your identity by someone on the other end of the line and pass it all over without a second thought.

For example:
  • IRD or Social security number (or last 4 digits)
  • Mother's maiden name
  • Email address
  • Telephone number
All of this information is commonly given away to complete strangers whose first name you may have only heard once and already forgotten, or, in today’s world, you probably couldn’t understand it or pronounce it! So, be very careful who you give information to over the phone. Make as sure as you can that you are talking to a bona fide representative of a trustworthy organisation. If you have any doubts, say, “I’m sorry, I’ve decided not to proceed”, and hang up. Don’t let them talk you into proceeding. If they are genuine they will understand your concern and make some alternative arrangement for you that will give you more confidence.
Remember, if a thief can establish they are you, also over the phone, to another bank or financial organisation or business etc, they could ruin your life for a very long time. It’s worth taking precautions and, at the very least, being aware of the dangers.

This sort of information could allow a thief to transfer money out of your bank account, cancel your mobile phone, change all of your passwords, and access your email (probably via web mail) and much more.

How to Begin to Safeguard Yourself
Use Your Own Machine: Never do online transactions on any computer other than your own. Never at work, never on your friend's computer and NEVER NEVER at a public terminal.
Perform the simple check I outlined earlier and try it with your bank account number, IRD or Social security number, your phone number as well. Only start to do it with, say the first four or so numbers and see if your machine starts to complete it. If you know you’ve used another computer previously to do online transactions of any sort, and you can go back to that machine, use the steps I’ve outlined below to do the best you can to erase all stored information and hopefully you’ll wipe out any traces you may have left.
Remove All Personal Traces: Perform a system-wide sweep of your own and any other machine you use, or have used, to remove any traces of your online identity from them. If you would like help with this, we at Hamilton Office & Home PC Care are happy to assist. That’s what we do! Bear in mind that this means that you will have to type in your credit card number each time you need to use it. This might take a small amount of extra time, but to have your important numbers in your head, not in your computer, or any other, is better than leaving them lying around for someone to pick up. You can use encrypted software that you carry with you on a USB stick and have only one master password to remember. This is what I do and I use a little programme called Any Password for this purpose. This also has the facility to generate passwords that are reasonably secure. However, if you are a gazillionaire, then likely you are a target already and remember that sophisticated decrypting techniques and software are available that could possibly crack any utility such as this. However, for most of us among the great unwashed, we aren’t that big a target and not likely to attract that amount of dedicated evil. At the end of the day, even your head is not totally secure. If a sufficiently large and well organised criminal organisation wants what’s in your head, I guess they can get it. “They have ways…!”
Scan Often: Scan your machine(s) for malware on a regular basis. Say, once every five or six days. Under the heading of malware we include spam bots, denial of service attacks, and all sorts of other nasties. Malware dedicated to capturing your online identity is becoming steadily more common and you need to guard against it. So, install the best quality and the most highly recommended antivirus, antispyware and firewall you possibly can. More than one anti-spyware app is good. You can only run one antivirus programme on your computer, so make it the best you can find. These don’t have to cost the earth either. There are excellent free ones available. Check out Hamilton Office & Home PC Care and go to my Tech links/Info page to check out my recommendations.
Secure Login: Set up a reasonably secure login password on your PC. Don’t use the obvious such as your wife’s or girlfriend’s name, your birth date, your street address, your phone number and so on. Work out something that you have to remember and don’t leave it written on a piece of paper stuck on or near your PC! If I had a dollar for every time I’ve seen that…
Log off: Log off from your PC when you are not in front of it. Even when going away for a moment or two. That’s all it takes for someone who knows what they’re doing to harvest personal information. An ounce of precaution is always worth a ton of cure. Trust me on this. On an XP based machine click, ‘Start’ then ‘Logoff’. On a Vista machine click, ‘Start’, then the little right arrow and ‘Logout’. If you’re using a laptop or notebook or netbook (see my blog about Notebooks v Netbooks) you might just have to close the lid. You can set this up by going to your Power Options in Control Panel.
Happy and safe computing,
John

Saturday, December 6, 2008

Buying a New PC & the Internet

CERT/CC has composed this Tech Tip concerning the growing risk to Internet users accessing the Internet without any knowledge about how to secure their nice new machine from the growing number of Internet nasties.
They say, "In recent months, we have observed a trend toward exploitation of new or otherwise unprotected computers in increasingly shorter periods of time. This problem is exacerbated by a number of issues, including:

  • Many computers' default configurations are insecure.
  • New security vulnerabilities may have been discovered between the time the computer was built and configured by the manufacturer and the user setting up the computer for the first time.
  • When upgrading software from commercially packaged media (e.g., CD-ROM, DVD-ROM), new vulnerabilities may have been discovered since the disc was manufactured.
  • Attackers know the common broadband and dial-up IP address ranges, and scan them regularly.
  • Numerous worms are already circulating on the Internet continuously scanning for new computers to exploit.

As a result, the average time-to-exploitation on some networks for an unprotected computer is measured in minutes. This is especially true in the address ranges used by cable modem, DSL, and dial-up providers.

Standard advice to home users has been to download and install software patches as soon as possible after connecting a new computer to the Internet. However, since the background intruder scanning activity is pervasive, it may not be possible for the user to complete the download and installation of software patches before the vulnerabilities they are trying to fix are exploited."

Check my advice on PC Maintenance and Security

You can read the entire article here: www.cert.org/tech_tips/before_you_plug_in.html
