Archives for: December 2008
A serious state of security - The loss of one's private information and its effects
Link: http://titssn.net
Reposted from my forum post on June 21st 2006
Over the past year we have seen tremendous growth in the proliferation of threats and attacks aimed at the human level rather than the technical one. These threats have been growing at an alarming rate, and that is surely due to a lack of knowledge and awareness among the general public. Gone are the days when viruses, worms and hacking were the major pain that we all feared; now phishing scams and social engineering methods have become the household names rearing their nasty heads at consumers and businesses alike. It is only through knowledge and awareness of these issues that we will beat these methods of infection and propagation.
While talking to people on a daily basis, it is very clear that the general public tends to turn a blind eye to these issues and thinks that they will not and cannot affect them as individuals. This is surely not the case, and it is one of the main reasons (if not the main reason) why these high-profile and very cunning attacks on people are such a high risk: people simply do not take these threats seriously today. I will try to shed some light on these issues, as I've done over the past few years.
Over the past 2 years we have seen and heard more and more about "phishing", what it is and the methods of attack. While consulting with the FBI's cybercrime division and talking to them about the ways in which they address these issues, it became clear that they have been overwhelmed by people who have fallen victim to these scams, and it's just a matter of simple common sense. A "phishing attack" can only be successful if the intended recipient is not aware of such a scam or is tempted by the "too good to be true" offer presented.
Why would someone want to invest millions of dollars in you when you've never met them, never heard of them and never seen anything about them, and they throw these millions at you for a mere $25,000 investment on your part? Surely that would catch the attention of anyone looking to get past a life of always being broke, or anyone always wanting to take their life to the next level but always financially strapped down or stressed out.
Ask yourself: why does the president of such a major organization or country want me, of all people, to do business with and for them, without having to commit to any signed agreement stating the terms and conditions of the deal?
Why does this major financial institution located in some far region of the world choose me to be the one to work this deal for them? This surely seems odd and should be a cause for concern, but yet still, unchecked, they buy into the scam and get burnt. Some people have invested thousands of dollars into these false deals, and it's only after the fact that they realize the severity of what they have done.
Common sense should have stepped up and said: hey, wait a minute, do I know these guys, what do they want with me, and why are they asking me for this payment to buy into such a sweet deal? Hmmm, this is suspect.
Instead, the opposite happens and you see the $25,000 versus the millions presented in the offer. Hell yeah, of course it's human nature to see the vastness of the offer versus the small percentage of the buy-in payment. If someone came to me right here and now with that very same offer and I knew of and about them, I'd do my little research and then by all means I'm almost sure I'd buy into it. But this is far from the case. You will not find a phish that extravagant locally or nationally, because there are so many ways that you can look into that situation to know if it's legit or not. Sometimes the deal is so sweet and looks so good, and even after researching it it's still a hoax, so what do you do?
Do not get suckered by these offers and these too good to be true deals.
If someone came to you and told you they were selling you a 10 million dollar winning lottery ticket for $25,000 what would you do?
We need to think about these things and weigh in on the validity and chance it takes to make such a move.
I've seen too many people burned by this and it's always the same story over and over. The FBI gets so many of these cases that they have to tackle them in bulk due to how many there are.
So, what is “phishing” and why is it so prevalent today with such high success levels?
Phishing is a method of deception that appeals to human intelligence by presenting something of value that is not legitimate or true.
I'm sure everyone by now has gotten some kind of email from a financial institution stating that their account needs to be verified or updated and that they need to log into the server to do so. When logging into what you think is the financial institution's server, you're actually logging into somewhere else, or someone else's server. This being the case, your information is now in the hands of someone other than yourself who can use it for any means necessary, and thus you've just been "phished".
So that's, in essence, the real overview and look at the phishing scene.
Next we have the social engineering techniques, which are very similar to "phishing" but can also come in physical form.
Someone comes to your place of business and tells you they are the CEO of the company from headquarters in DC, that they are here to meet with the rest of the management team, and that they need access to your network, infrastructure or office. This normally gets people rattled, because he/she is the CEO and you don't want to mess with that person or else, so this person comes in under false pretenses and gains access to internal private and confidential business information and property that should never be given out to anyone outside of the company. By the time you catch on to what is going on, that person has gathered all the needed information and left with it; now that information is being circulated on the internet and your company is being sued and dragged through the legal system for that reason.
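The mechanism above (a login page on "somewhere else, or someone else's server") usually shows up as a link whose visible text and real target disagree, or whose host only starts with the institution's name. The following is an added example, not code from the post or from TITSSN, showing the checks a mail filter or a careful reader applies to a link before trusting it. The institution domain `example-bank.com` and every sample link are constructed placeholders; the two-label "registrable domain" rule is a simplification (a production check would consult the Public Suffix List).

```python
from urllib.parse import urlsplit

# Assumed institution domain (constructed placeholder, not a real bank).
TRUSTED_DOMAIN = "example-bank.com"


def registrable_domain(host):
    """Approximate the registrable domain as the last two DNS labels.

    Simplification for this example: a real implementation would use the
    Public Suffix List so that hosts under e.g. 'co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, trusted_domain=TRUSTED_DOMAIN):
    """Return 'ok', a 'warn: ...' or a 'reject: ...' verdict for a link target."""
    parts = urlsplit(href)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return "reject: non-web scheme"
    # urlsplit strips any user:pass@ prefix from .hostname, so a decoy such as
    # https://example-bank.com@other.example/ resolves to other.example. Flag it.
    if "@" in parts.netloc:
        return "reject: credentials in URL (userinfo decoy)"
    host = parts.hostname or ""
    if not host:
        return "reject: no host"
    octets = host.split(".")
    if len(octets) == 4 and all(o.isdigit() for o in octets):
        return "reject: raw IP address instead of the institution's name"
    # "example-bank.com.secure-login.example" is NOT under example-bank.com:
    # only the rightmost labels decide who controls the host.
    if registrable_domain(host) != trusted_domain.lower():
        return f"reject: host {host} is not under {trusted_domain}"
    if scheme != "https":
        return "warn: trusted domain but plain HTTP"
    return "ok"


def check_email_link(display_text, href, trusted_domain=TRUSTED_DOMAIN):
    """Also catch the classic trick where the visible text names one host
    and the underlying href goes to another."""
    shown = display_text.strip().lower()
    shown = shown.split("://", 1)[-1].split("/", 1)[0]   # keep only a host-like part
    if "." in shown and " " not in shown:               # text looks like a URL/host
        actual = urlsplit(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            return f"reject: text shows {shown} but link goes to {actual}"
    return classify_link(href, trusted_domain)


if __name__ == "__main__":
    # Constructed samples of links as they might appear in a "verify your account" mail.
    samples = [
        ("Click here to verify", "https://online.example-bank.com/login"),
        ("www.example-bank.com", "https://example-bank.com.secure-login.example/"),
        ("Secure login", "https://example-bank.com@other.example/login"),
        ("Secure login", "http://192.0.2.10/login"),
        ("Secure login", "http://www.example-bank.com/"),
    ]
    for text, href in samples:
        print(f"{text!r:28} -> {href!r:58} : {check_email_link(text, href)}")
```

The point of the two-function split is that the href check alone passes a mail whose text says `www.example-bank.com` while the link goes elsewhere; only comparing the displayed host with the real one catches that, which is exactly what a reader hovering over the link does by hand.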
Who is to be blamed?
What went wrong?
Could this be avoided, if so, how?
These are valid questions about a real-life issue that happens on a daily basis. A helpdesk representative gets a phone call from someone claiming to be the CTO, CIO or some other C-level executive of the company. He is traveling and for some reason cannot log into the network, so he's calling the helpdesk to have them unlock his account and help him through the login process. The helpdesk individual knows the name of the executive and so tries to validate the credentials that person is using to gain access to the network. If this is a person who has done his homework, he may know the login name but not the password, so he will most certainly give the helpdesk support rep the login info but state that he can't remember his password. Now the helpdesk person feels this info is good because the login username is correct, so that person should be who they say they are, and he/she proceeds to ask for some additional information such as full name, address, last 4 digits of the social security number or the employee's unique company ID #.
All this information can be obtained by various means, so it is nothing for a person performing a social engineering attack to gain access to. Having "validated" all the info, the helpdesk rep now changes the password and helps the user gain access to the network and its resources. Being a C-level executive, you can just imagine the access and information available to him or her once logged in and authenticated on the network.
I've seen organizations where the helpdesk gets so scared when a C-level executive calls in with a support issue that they just need the name and some info in order to quickly expedite the support issue and get that person on their way. This is wrong, presents many critical vulnerabilities and should be addressed immediately.
Social engineering, like phishing, can be stopped and mitigated by user awareness and knowledge. Policies, practices and measures can and should be put in place to offset these methods of attack. Companies should spend more time going over scenarios like these in order to get the support people alert and proactive about these issues.
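One way to turn the "policies, practices and measures" above into something a helpdesk can actually follow is to write the reset rule down as a decision procedure: the facts the caller recites (username, name, address, last 4 of the SSN, employee ID) only say who the caller claims to be, and a reset is approved only when a factor the impostor cannot research is present, such as a callback to the phone number already on record. This is an added example, not TITSSN's code or policy; the employee directory, usernames, phone numbers and factor names are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Facts an outsider can research (employer records, public records, earlier
# breaches). They establish who the caller CLAIMS to be, nothing more.
KNOWABLE = {"username", "full_name", "address", "ssn_last4", "employee_id"}

# Factors that need something only the real employee has, or a second person.
STRONG = {"callback_to_number_on_record", "hardware_token_otp",
          "manager_confirmed_in_person"}

# Constructed employee directory keyed by username (placeholder data).
DIRECTORY = {
    "jdoe":   {"role": "CTO",     "phone_on_record": "+1-555-0100"},
    "asmith": {"role": "analyst", "phone_on_record": "+1-555-0101"},
}


@dataclass
class ResetRequest:
    claimed_user: str
    claimed_role: str
    factors: set            # what the caller has presented so far
    urgent: bool = False    # "I'm travelling, I need this right now"


@dataclass
class Decision:
    approved: bool
    reason: str
    audit: list = field(default_factory=list)   # what the rep should write down


def evaluate_reset(req, directory=DIRECTORY):
    """Decide whether the helpdesk may reset the password for req.claimed_user."""
    audit = [f"reset requested for {req.claimed_user!r} claiming role {req.claimed_role!r}"]
    record = directory.get(req.claimed_user)
    if record is None:
        audit.append("username not in directory")
        return Decision(False, "deny: unknown account", audit)

    # A caller who inflates their rank to pressure the rep is a red flag in itself.
    if record["role"] != req.claimed_role:
        audit.append(f"directory role is {record['role']!r}, caller claimed {req.claimed_role!r}")
        return Decision(False, "deny: claimed role does not match directory; escalate to security", audit)

    known = req.factors & KNOWABLE
    strong = req.factors & STRONG
    audit.append(f"knowable factors: {sorted(known)}; strong factors: {sorted(strong)}")

    if req.urgent:
        # Urgency and seniority are pressure, not evidence: log them, change nothing.
        audit.append("urgency claimed; verification requirement unchanged")

    if not strong:
        # Correct username, name, address and SSN digits do not add up to identity.
        return Decision(False,
                        "deny: no possession or out-of-band factor; offer a callback to the number on record",
                        audit)

    # Even on approval the new credential goes out of band, never read back on this call.
    channel = sorted(strong)[0]
    audit.append(f"temporary password to be delivered via {channel}, not over this call")
    return Decision(True, f"approve: verified via {channel}", audit)


if __name__ == "__main__":
    # Constructed scenarios: the impostor from the text, then the genuine executive.
    impostor = ResetRequest("jdoe", "CTO", set(KNOWABLE), urgent=True)
    genuine = ResetRequest("jdoe", "CTO", {"username", "callback_to_number_on_record"})
    for req in (impostor, genuine):
        d = evaluate_reset(req)
        print(d.reason)
        for line in d.audit:
            print("   ", line)
```

Note that the impostor in the text presents every knowable factor and still gets no further than "offer a callback", while the real executive needs only the callback. The audit list is the part worth keeping: a written record of which factors were presented is what lets you answer "what went wrong?" after the fact.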
Identity Theft
Wow, now this is a growing issue that is an even bigger problem due to the arrogance of users thinking they are not affected and will not be affected by it. Most of the victims I've spoken to had no clue they were victims of such an attack until years afterwards, when the person who did the wrong simply missed a payment or two, and now you're caught smack dead in the middle of the scheme. At that point it is already too late, because you have been victimized for years, and by the time you find out about it the damage has been done. The most unfortunate part about the identity theft issue is the fact that the information will still remain on your credit for the full term of the cycle, and you have to hope to God that the person was keeping up on their payments so that the credit standing was good.
I recently met a lady who had just found out that she was the victim of an identity theft scam after years of being used by someone else. Fortunately for her, that person was keeping up to date and current on the payments, so that was generating good things for her report. How she came to find out about the theft: one of the credit card companies called her asking to make payment arrangements for a past-due balance she had, and when she continued to deny the claims she came to find out the sad truth about the whole situation. There was a car, an apartment, credit cards and other things in her name, and she had no idea about it.
Let me tell you how bad this can get and for how long you can be screwed by such a nasty issue; yet still, there are simple ways of protecting yourself from things like this. These days, with the privacy issues and concerns surrounding the selling and use of your private information, it is so easy to find or get information on or about you on the internet that it's not even funny. Don't worry about the information, worry about the use and abuse of it. It's like worrying about doing online shopping and using your bankcard and credit card online when the banks all have that very same information online, and that's where the accounts were opened and are kept.
I recommend a credit monitoring service for you, your spouse, your children (yes, your children as well) and anyone with a valid social security number. These credit monitoring services do a very good job of keeping you alerted and updated on any happenings with your social security number and credit. I personally use Credit Expert and I have found them to be very good, very quick to alert and very detailed as to who, what, where, why and when anything affects my social security number and credit. I highly recommend the service; it carries a yearly fee but it is very much worth it and should be looked into.
When you think about the long-term effects and heartaches that an identity theft case presents, the yearly fee associated with these services is well worth it. Go get it NOW. There are quite a few good ones available, but they differ in offers and benefits. With Credit Expert I get a free credit report every 30 days if I want it; I can log in and have a look at what is on my credit, who I have credit with (if any), what my reported balances are and the contact information for the creditor. I have found this to be a very valuable and needed resource and I recommend it.
How can my identity be gained, lost or acquired?
There are more ways to lose your identity than there are to prevent it from being lost. As I said before, don't worry about losing it, worry about the use and abuse of it. So many parties already hold your private information: your employer, a company that you did business with, a place you went to apply for a job where you had to fill out an application form with all your info, a utility company that you had to subscribe to for their service. There are so many ways of giving your information out, so don't worry about the info, worry about the use or abuse.
I remember seeing an article in 2005 where a nursing assistant had a patient in the hospital and thought the guy was going to die, so he took the patient's information and started using it. He got credit cards and other things in the name of the patient and was doing well until the patient didn't die; after coming out of the hospital a few months later, the patient started to see strange things and collection notices coming to him. After he contacted the authorities and turned the matter over to them, they conducted an investigation and found out it was the nursing assistant. Wow.
Don’t worry about the information, worry about the use and abuse.
I had started writing this article a few months ago after seeing what happened with that patient due to the theft by the nursing aide, but with all the things that were going on I was just consumed with consulting issues with people who were affected, or who became so afraid of these issues that they don't even want to face the reality of it.
I am sure by now everyone has heard about the data loss issue involving 26 million U.S. VA members, which has sparked a whole slew of privacy issues, regulations and laws at the highest levels. This should not have come as a surprise to people, because over the past year we have seen data breaches and identity theft problems at the highest levels of government and business. Every day there is a new breach reported from some major financial institution or organization, and with that come the fears about what will happen next. The biggest problem with this is: how long ago did the theft/loss actually occur?
You're being advised of the breach now, but how long ago did it happen, and how extensive was the breach actually? While that is the bad part of the situation, the better part that saves us from the real effects of these issues is the alerting and monitoring services like Credit Expert, True Credit, Equifax and the other credit bureaus. Depending on how the lost information is used, they will alert you of any possible use of your social security number well before the company that was breached discloses the loss of the data. In some breach cases the information is never used, but it's better to be safe than sorry. I implore you to look into these services for yourselves, as the time from alert to major impact on your credit depends on you stopping the issue.
My next look at this issue will go into the methods of securing your data so that, in the event of data loss, it remains protected.
A few articles for reference:
IRS Laptop Lost With Data on 291 People
Laptop theft compromises Hotels.com customer data
VA data loss could prompt federal privacy law
VA to Recall All Agency Laptops
Personal data on millions of U.S. veterans stolen
Phishing scam uses PayPal secure servers
Trojan horse captured data on 2,300 Oregon taxpayers from infected gov't PC
Congress to Look at NSA Database of US Phone Calls
And I leave you with one of my favorite security quotes as of late: Don't fear IT, Fear the "G" (Google)
~Brett A. Scudder~
The IT Security Attaché
Season’s Greetings and best wishes from TITSSN
Link: http://titssn.net
Good day to you,
As we approach yet another Christmas day and the soon to come New Year, we are reminded yet again of the continued blessings and good will of the season. TITSSN would like to wish our members, customers, clients, associates, friends, peers, families and the rest of the world, a festive, peaceful and secure Christmas and a Merry New Year when it comes.
May the joys of the season and the good cheer spread through our hearts and rest well with those around us as we celebrate this Christmas and usher in a new year in peace, love, unity and togetherness.
While we enjoy the season in many ways, we should be very vigilant of the increased threats and security risks as the use of the internet is very heavy during this time for spreading the festive emotions of the season.
While we are willing to spread the good cheer, please ensure it is not marred by malicious codes and/or harmful contents thus making it a valuable experience for all.
When in doubt, reach out.
We apprecilove your business and support and look forward to serving you even more in 2009.
Thank you and have a great day,
~Brett A. Scudder~
The IT Security Attaché
President/CEO/Chairman/Founder/Security Architect
TITSSN ~The IT Security Suite Network~
TITSSN expands their Secure Minds Initiative outside its network and into primary social networking sites
Link: http://titssn.net
Good day to you,
On December 1st 2008, TITSSN will initiate a major promotional campaign for our Secure Minds Initiative across the 3 primary social networking sites LinkedIn, Facebook and MySpace, in an effort to gather broader visibility and support for the cause. In 2005 TITSSN initiated its Community Outreach Program, which created more personal access to, and information for/about, its security professional members in their local communities, so that the needed information/awareness/education/resources for/about IT Security could be effectively disseminated to residents.
Over the past three years we have integrated this program more deeply into our network, as we believe that being a physical presence in times of need provides a more comforting and valuable feeling for people. People developed a sense of comfort in talking about their security issues/fears/concerns, which in turn allowed us to relay the message of safe internet usage practices and the issues presented by file sharing and illegal downloading of applications, movies and music.
As a result of the successes gathered from the Community Outreach Program, we decided to take this a step further and enacted the Adopt an Institution Program in 2006 to create a more seamless integration of this technical knowledge and these resources into our educational institutions. As a part of our Adopt an Institution Program, we launched an industry IT Security Scholarship program in 2006 which is geared towards providing financial aid specifically to aspiring IT Security professionals in the institutions that we adopted. Working with the administrative staff and technology teachers, we selectively pick students who we see are heading towards higher levels of expertise in the security space and award them a scholarship that will help with the financial burdens of getting the training and education and becoming certified. Through our partnership with training and certification leaders such as Training Capital and Netcom we extend these opportunities to these institutions and scholarship winners.
We understood that this needed high-level education and awareness was being provided at the college and university levels, but there was something critical missing from the converged network: our youths in middle/high schools. These are people who have just as much access to internet-connected resources as everyone else and who in some cases (if not most) are unmonitored and unprotected while in the home, and who are developing the style of tomorrow's parents, professionals, business executives and educators. These are the people with curious minds who have downloaded malicious code and other compiled malware/spyware kits and started playing with them in an effort to see what they do and how much of a problem they could really cause.
Over the years we have seen these curious minds creating major issues/impacts on the global technology sector, rendering some companies/organizations helpless as they tried to defend against the newly created threats and new waves of attacks/exploits. These young curious minds are craving a piece of the technology resources/infrastructure, and if they are not nurtured to understand what these are and how to choose between being on the good or the bad side, then we're in for a very hectic future riddled with nonstop problems and critical effects from these young, creative and curious minds.
No one knows how much of a problem this is more than we do, as we're the ones being called in to fix the issues, explain how they happened, what the impact(s) are and how to fix/mitigate them going forward, and to put the needed technology and resources in place to block/stop/prevent them from happening again. TITSSN's advantage in the IT Security space is that we work with everyone and do not care if it is a home user, consumer, small business, educational, government or enterprise; our mission is to deliver the needed security to every device with internet connectivity and to help with the education and awareness of how to properly use these resources to be safer and more secure while maintaining the full user experience of the World Wide Web. The more devices that come into the technology space with these connectivity features, the more ways in which the bad guys can exploit them and use them to create severe issues with critical impacts/effects.
This is an issue in the home, schools, business places and everywhere that the internet presents its access/resources, and with this access/resource should come the associated knowledge/education/awareness as to what it is, the problems it presents and why it is very important to stay on top of them.
Do not be naive about these issues; the internet is here to stay and is the future of our connected/converged world, and it is only going to get worse unless we start the education and awareness early.
In 2007 TITSSN decided to take this initiative to a more formal level and started working on the Secure Minds Initiative and how to integrate it into the school system, which we further launched in 2008 as a featured program/initiative. The mission of the Secure Minds Initiative is to create an educated, aware and resilient global network of IT Security-minded people who can secure and protect themselves from IT/Internet threats. The year 2008 was a very rough one for our network, as we had major changes in our local chapters across the US that removed key leadership members and we had to create quick, responsive backing and support for those chapters. This created a bottleneck for us, so we didn't get to launch a few key programs as we had planned, but we will be doing so in early 2009 as we've restructured the network and are now fully functional and running at full speed on all processors.
Now that we have this program and its mission embedded into the network's initiative, we have reached out to our network (vendors, consultants, VARs, business owners/executives, technology advisors, educators, mentors, professionals) with a request to help in the adoption, support and promotion of this initiative, and we are very happy with the receptive responses so far.
The contributions gathered have and are being used in our community outreach programs to host and sponsor IT Security specific events, scholarships, forums and groups as we work to disseminate the message of why IT Security is a critical issue that needs to be addressed today for a safer and secure future tomorrow.
So it is with this mindset that we call on you to help in this initiative by joining us on either LinkedIn http://www.linkedin.com/e/gis/1397757, Facebook http://apps.facebook.com/causes/164545?recruiter_id=22179324 or MySpace http://www.causes.com/myspace/causes/164538?e=00fd116d&recruiter_id=33080893 as we build on it.
This initiative will hit every major social network by the end of the year so look forward to seeing much more info on it as we continue to contribute toward its mission.
Thank you and have a great day,
~Brett A. Scudder~
The IT Security Attaché
President/CEO/Chairman/Founder
TITSSN ~The IT Security Suite Network~