Could you be a victim of Internet fraud?
The Looks Too Good To Be True.com website was created to help prevent consumers from becoming victims of Internet fraud. The site offers education on the various types of Internet fraud and allows victims to help others from becoming a victim by sharing their experience.
The site is sponsored by a combination of federal law enforcement agencies and private businesses such as Microsoft, Symantec, and Monster Worldwide.
James Bell
Posted at 01:00 PM in Identity Theft | Permalink | Comments (0) | TrackBack (0)
Do you feel that you are a victim of online fraud and don't know what to do?
The Internet Crime Complaint Center (IC3) gives the victims of cyber crime an easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations.
The IC3 is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).
James Bell
Posted at 01:00 PM in Identity Theft | Permalink | Comments (0) | TrackBack (0)
Hacker...cracker...cyber-attacker. As these criminals become more sophisticated so must your efforts to thwart them. One defense strategy, known as distributed isolation, disperses the attack surface of a computer system into isolated pieces. This strategy effectively divides system functionality and data in a way that makes it nearly impossible for an attacker to join them back together.
Two-factor authentication works in a similar way. Under this authentication method, a user needs two things to access the system; something you know (i.e. username and password) and something you have (i.e. authentication token or cell phone). Without both, an untrusted user cannot log into the system.
The first tactic in this strategy is to separate passwords from other data in your database. Large corporations typically keep passwords in an LDAP database and website data in a relational database. In this scenario, if the relational database is compromised the passwords in the LDAP database would be safe. Mashup APIs like RPX abstract out the nuances of provider specific authentication and allow your website users to authenticate with their existing identities from Facebook, Google, Yahoo!, Twitter, MySpace, AOL, Windows LiveID or other OpenID providers. This simple strategy would have prevented the type of security breach that occurred at RockYou.com where 32 million email addresses and passwords were exposed.
The next tactic is to separate encryption keys from encrypted data. Encryption keys should not be stored in the same database that contains encrypted data, especially when using symmetric-key encryption. Ideally, a random encryption key is generated for each encrypted item from a data set stored in the file system or in the cloud. This way, not only would an attacker need to compromise your database they also need to compromise your file system or cloud data storage infrastructure in order to decrypt the data.
The final tactic is to separate highly confidential data from less private data. Similar to the previous tactic highly confidential data should not be stored in the same database as less private data. The confidential data should be encrypted, then serialized in some manner and stored in a separate data set.
For example, let’s assume that I have a brokerage account that stores highly confidential beneficiary information for an expensive asset. Access to this information is protected by RPX. It uses myOpenID as the OpenID provider, which in turn uses my cell phone for two-factor authentication through CallVerifId™. After logging in, I choose to assign a new beneficiary to this asset. When I submit the information, the beneficiary information is serialized as XML, randomly encrypted from a set of keys stored in the file system, and stored in the Amazon S3 cloud infrastructure as a bin file with a generated Globally Unique Identifier as the file name.
In order to access this information an attacker would need to compromise the data in either one of two ways: 1) Use my cell phone, OpenID url, and OpenID password to login as me, or 2) Compromise the website file system, the relational database, and the Amazon S3 cloud infrastructure...then reverse engineer the website code to determine how to fit all the pieces back together.
As you can see from this example, a properly implemented distributed isolation defense strategy makes it nearly impossible for an attacker to compromise your data. Let’s hope your service provider agrees!
James Bell
Posted at 01:00 PM in Identity Theft, Web/Tech | Permalink | Comments (0) | TrackBack (0)
Technorati Tags: distributed-isolation, myOpenID, OpenID, RPX
Common sense tells you not to advertise the fact that you're not at home. Surprisingly, everyday thousands of people advertise this very fact on Twitter. A new website appropriately named PleaseRobMe.com shows tweets that specifically contain keywords such as "not at home" and "on vacation".
How dangerous is this? Just for fun, I closely examined one of the tweets. It was from a young entrepreneur in Salem, OR advertising the fact that he had just settled down at the local Starbucks. A couple of Google searches quickly revealed his iPhone number, websites, and various social media accounts. His website also uses foursquare.com, which gave me a map of his exact location.
One website, intelius.com, offered to sell me his full name, address, age, date of birth, home phone number, relative’s names, address history, average income, and home value for just $0.95...all of the information a burglar would just love to have. For criminals, it doesn’t get any easier than this!
James Bell
Posted at 02:00 PM in Identity Theft, Web/Tech | Permalink | Comments (0) | TrackBack (0)
Lifestrand is a new social utility for sharing memories about your departed loved ones. This new digital afterlife service brings together people for purposes of celebrating the lives of those no longer with us.
A memorial is created for the deceased consisting of free space to upload photos, post written memories, and publish timelines that refer to events in your loved one's life.
James Bell
Posted at 01:00 PM in Death Care, Estate Planning, Web/Tech | Permalink | Comments (1) | TrackBack (0)
Lots of websites offer upload space for you to store files. A few even claim to store your files securely. Even fewer explain how exactly what secure means. A securely stored file must have at least three characteristics. It must be unreadable to unauthorized parties, it must be tamper resistant, and it must be available when needed.
Making a file unreadable to unauthorized parties requires encryption. The encryption algorithm used must be strong, such as 256-bit AES. The file must be encrypted while it is being moved (in-flight) between computers using SSL. More importantly, the file must remain encrypted while it is stored (at- rest).
Making a file tamper resistant requires taking a digital signature. This signature is created using a hash function, which is a mathematical procedure that converts a large amount of data (your file) into a small unique data value (your signature). This same procedure is used by criminal forensic specialists to ensure that digital evidence remains tamper free. A digital signature of your file should be taken immediately after it’s uploaded and again just before it’s downloaded. If the two signatures do not match, your file must not be downloaded.
Making sure your files are available when needed requires that a regular backup be taken. In most cases a periodic (i.e. weekly) backup may suffice. However, under high volume conditions this method may be inadequate. A more robust approach requires that data files be stored within an infrastructure that is both redundant and distributed. This means that multiple copies of data files (redundant) are stored in geographically separate locations (distributed). If a file is lost or destroyed in one location it is immediately available from another location.
Make sure that your service provider clearly states how your files are stored. If nothing is mentioned about these safety measures, it’s highly likely that no precautions are being taken. If your file is intercepted by a hacker, you may not get a second chance.
James Bell
Posted at 01:00 PM in Web/Tech | Permalink | Comments (0) | TrackBack (0)
Technorati Tags: backup, digital-signature, encryption, hash
You may be shocked to learn how easy it is for another person to monitor everything that you are doing on your computer. Keystroke logging software (known as keyloggers) tracks your keystroke activity, typically in a concealed manner so that you are completely unaware of being monitored.
When a keylogger is installed on your computer with your knowledge (which is legal), it’s known as Internet Monitoring and Surveillance software. This is usually done by employers who monitor their employees computer usage or by parents trying to limit their children’s Internet activity.
When a keylogger is installed without your knowledge (which is illegal), it’s known as spyware. The keylogger is usually installed along with shareware or when your computer becomes infected by a Trojan.
By operating in stealth mode, you have no idea that this software is active on your computer. It completely compromises your privacy by transmitting your activity to others through your Internet connection. Even worse, most antivirus scanners fail to detect this type of intrusion. In fact, most scanners fail to detect 70% of keyloggers available on the market.
What can be done? Several software products, such as Identity Patrol and Spy Reveal, are currently available that exclusively focus on detecting keylogger activity. We highly recommend that your run this type of software in tandem with your antivirus scanner.
James Bell
Posted at 01:00 PM in Identity Theft, Web/Tech | Permalink | Comments (0) | TrackBack (0)
My mother, who suffered from heart disease, always envisioned that she would die quickly from a massive heart attack. However, sadly, she lingered in poor health for many weeks before she finally passed away. Luckily, years before, she had an attorney draw up an estate plan.
Because of HIPAA laws, the nurses and doctors would not talk to me until I gave them a copy of her health care durable power of attorney. Because her doctor decided to honor her living will, she was spared from the feeding tube and received comfort care during her last pain-filled days.
Without the proper documents and consenting medical professionals, this situation could have been much worse. At minimum, you need to have a living will and a health care durable power of attorney. In some states, a Five Wishes form can be used as a substitute. In either case, you should complete these forms with the assistance of an attorney. If you choose to do-it-yourself, it's possible to omit crucial items. If you make a mistake, you will not get a second chance.
Make sure to discuss the contents of these documents with your physician. Don't assume that your physician has the same beliefs concerning "right to life" and "freedom of choice" issues as you do. If your physician does not agree with your choices, you might need to change physicians. Waiting until you are incapacitated is too late to find out that your attending physician will not provide treatment that agrees with your end-of-life choices. If possible, have your physician complete a Physician Orders for Life-Sustaining Treatment (POLST) form and keep it with your estate plan.
Make sure that your family members also understand your choices. Once again, don't just assume that they have the same exact beliefs as you. Family members could argue in court of law that you didn't fully understand the contents of your advance directives and have them revoked. Having an attorney complete your estate plan along with having your physician complete a POLST form ensures that you fully understand the contents of these documents.
You also need a clear understanding of exactly what treatment you can expect to receive at various health care institutions. For example, a hospital with a religious affiliation may choose not to honor your advance directives because the treatment conflicts with their religious doctrine. Moving an incapacitated patient to a new health care institution can be a frustrating and stressful experience at best.
Most important of all, no matter how much time you spend preparing these documents, they can't be used if they can't be found. Keep your original copies and store backup copies in a virtual safe deposit box (VSDB). It's an ideal place to make sure that your advance directives are available when they're needed most!
James Bell
Posted at 01:00 PM in Death Care, Estate Planning, Personal Stories | Permalink | Comments (0) | TrackBack (0)
Technorati Tags: death-care, estate-planning, executor, financial-planning, guardian, legal, living-trusts, POLST, power-of-attorney, retirement, retirement-planning, trustee, virtual-safe-deposit-box, wills, wills-and-trusts
The Good to Go Toolkit and Good to Go Resource Guide were created by CompassionAndChoices.org to help you identify your end of life priorities and help ensure that your final wishes are honored. These materials were designed to guide the decision making process and help communicate your decisions to loved ones.
James Bell
Posted at 01:00 PM in Death Care, Estate Planning | Permalink | Comments (0) | TrackBack (0)
A Physician (or Medical) Order for Life-Sustaining Treatment form is a one-page form your physician can use to turn your wishes into specific written medical orders. Your physician may use this form to write orders that reflect the types of life-sustaining treatment that you do or do not want and that are appropriate for your medical si tuation.
To find out what states have POLST/MOLST forms go to www.ohsu.edu/polst or ask your physician if they are available in your state.
James Bell
Posted at 01:00 PM in Death Care, Estate Planning | Permalink | Comments (0) | TrackBack (0)
