If it looks too good to be true...it probably is

Could you be a victim of Internet fraud?

The Looks Too Good To Be True.com website was created to help prevent consumers from becoming victims of Internet fraud. The site offers education on the various types of Internet fraud and allows victims to help others from becoming a victim by sharing their experience.

The site is sponsored by a combination of federal law enforcement agencies and private businesses such as Microsoft, Symantec, and Monster Worldwide.

James Bell

Report Internet crimes to the IC3

Do you feel that you are a victim of online fraud and don't know what to do?

The Internet Crime Complaint Center (IC3) gives the victims of cyber crime an easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations.

The IC3 is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).

James Bell

Achieve website security through distributed isolation

Hacker...cracker...cyber-attacker. As these criminals become more sophisticated so must your efforts to thwart them. One defense strategy, known as distributed isolation, disperses the attack surface of a computer system into isolated pieces. This strategy effectively divides system functionality and data in a way that makes it nearly impossible for an attacker to join them back together.

Two-factor authentication works in a similar way. Under this authentication method, a user needs two things to access the system; something you know (i.e. username and password) and something you have (i.e. authentication token or cell phone). Without both, an untrusted user cannot log into the system.

The first tactic in this strategy is to separate passwords from other data in your database. Large corporations typically keep passwords in an LDAP database and website data in a relational database. In this scenario, if the relational database is compromised the passwords in the LDAP database would be safe. Mashup APIs like RPX abstract out the nuances of provider specific authentication and allow your website users to authenticate with their existing identities from Facebook, Google, Yahoo!, Twitter, MySpace, AOL, Windows LiveID or other OpenID providers. This simple strategy would have prevented the type of security breach that occurred at RockYou.com where 32 million email addresses and passwords were exposed.

The next tactic is to separate encryption keys from encrypted data. Encryption keys should not be stored in the same database that contains encrypted data, especially when using symmetric-key encryption. Ideally, a random encryption key is generated for each encrypted item from a data set stored in the file system or in the cloud. This way, not only would an attacker need to compromise your database they also need to compromise your file system or cloud data storage infrastructure in order to decrypt the data.

The final tactic is to separate highly confidential data from less private data. Similar to the previous tactic highly confidential data should not be stored in the same database as less private data. The confidential data should be encrypted, then serialized in some manner and stored in a separate data set.

For example, let’s assume that I have a brokerage account that stores highly confidential beneficiary information for an expensive asset. Access to this information is protected by RPX. It uses myOpenID as the OpenID provider, which in turn uses my cell phone for two-factor authentication through CallVerifId™. After logging in, I choose to assign a new beneficiary to this asset. When I submit the information, the beneficiary information is serialized as XML, randomly encrypted from a set of keys stored in the file system, and stored in the Amazon S3 cloud infrastructure as a bin file with a generated Globally Unique Identifier as the file name.

In order to access this information an attacker would need to compromise the data in either one of two ways: 1) Use my cell phone, OpenID url, and OpenID password to login as me, or 2) Compromise the website file system, the relational database, and the Amazon S3 cloud infrastructure...then reverse engineer the website code to determine how to fit all the pieces back together.

As you can see from this example, a properly implemented distributed isolation defense strategy makes it nearly impossible for an attacker to compromise your data. Let’s hope your service provider agrees!

James Bell

Leaving home? Don’t tweet about it!

Common sense tells you not to advertise the fact that you're not at home. Surprisingly, everyday thousands of people advertise this very fact on Twitter. A new website appropriately named PleaseRobMe.com shows tweets that specifically contain keywords such as "not at home" and "on vacation".

How dangerous is this? Just for fun, I closely examined one of the tweets. It was from a young entrepreneur in Salem, OR advertising the fact that he had just settled down at the local Starbucks. A couple of Google searches quickly revealed his iPhone number, websites, and various social media accounts. His website also uses foursquare.com, which gave me a map of his exact location.

One website, intelius.com, offered to sell me his full name, address, age, date of birth, home phone number, relative’s names, address history, average income, and home value for just $0.95...all of the information a burglar would just love to have. For criminals, it doesn’t get any easier than this!

James Bell

Keyloggers pose biggest threat of identity theft

You may be shocked to learn how easy it is for another person to monitor everything that you are doing on your computer. Keystroke logging software (known as keyloggers) tracks your keystroke activity, typically in a concealed manner so that you are completely unaware of being monitored.

When a keylogger is installed on your computer with your knowledge (which is legal), it’s known as Internet Monitoring and Surveillance software. This is usually done by employers who monitor their employees computer usage or by parents trying to limit their children’s Internet activity.

When a keylogger is installed without your knowledge (which is illegal), it’s known as spyware. The keylogger is usually installed along with shareware or when your computer becomes infected by a Trojan.

By operating in stealth mode, you have no idea that this software is active on your computer. It completely compromises your privacy by transmitting your activity to others through your Internet connection. Even worse, most antivirus scanners fail to detect this type of intrusion. In fact, most scanners fail to detect 70% of keyloggers available on the market.

What can be done? Several software products, such as Identity Patrol and Spy Reveal, are currently available that exclusively focus on detecting keylogger activity. We highly recommend that your run this type of software in tandem with your antivirus scanner.

James Bell

Don’t get clickjacked

Clickjacking is a fiendishly clever way to hijack your website. This hacking technique overlays a legitimate web page with an invisible hacked web page. When you click a button, you unknowingly click the button on the invisible overlaid page.

The most famous example of this hack was the “Don’t click me” exploit of Twitter. Suddenly, Twitter was full of messages pointing to a website with a button that read “Don’t click me”. For a more detailed explanation, see Daniel Sandler’s blog article Twitter’s “Don’t Click” prank, explained.

To mitigate this problem web pages should contain a framekiller script that prevents framing of invisible web pages. However, this script can still be hacked on older browsers. If you are an Internet Explorer user, you should upgrade to Internet Explorer 8, which contains enhanced security features that directly address this problem. Firefox users should install the NoScript Firefox add-on to protect yourself against Clickjacking attacks.

James Bell

How is your data encrypted?

A virtual safe deposit box must provide the highest degree of safety to its users. Data stored on its servers must be encrypted. Data at rest is particularly sensitive to hackers, so it is vital to encrypt information stored in databases and file servers.

Encrypted data is only as good as its encryption algorithm. Recently, hackers have broken the 768-bit RSA algorithm, although the 1024-bit version is still safe (for now). With the increasing amount of computing power available to users, weaker encryption algorithms will become more susceptible to cracking by hackers.

AES/Rijndael is a strong encryption algorithm, which is highly resistant against brute force attacks, such as linear cryptanalysis and differential cryptanalysis. The US Government uses the AES algorithm to protect TOP SECRET information. A 128-bit AES encryption key is roughly equivalent to 2600-bit RSA key.

Before choosing a virtual safe deposit box provider make sure that you understand exactly how your information is stored. Your provider should employ a double encryption standard where data is encrypted in transmission ("in-flight") using SSL and in storage ("at-rest") using a 128-bit AES algorithm or better.

James Bell

Is your password in harm’s way?

A virtual safe deposit box is meant to hold your most precious information. So, it’s prudent to ask your service provider exactly how they store your information? In light of the recent security breach at RockYou.com, where 32 million passwords were exposed, your provider should, at the very least, publish a security policy clearly stating how information is stored.

Your provider should encrypt (hash) passwords that are stored in a database. Passwords can be further disguised through a technique called salting, where additional data is stored with the password prior to hashing. If the database is hacked, the passwords will be unreadable. Salting the passwords makes it far more difficult for a password cracker program to decipher your password.

A more secure approach would be to use OpenID or RPX for authentication. This way, passwords are stored off-site. Some OpenId providers, like MyOpenId, also offer SSL certificate sign in and two-factor authentication.

Additionally, your service provider should prevent their database from being hacked by guarding against SQL injection attacks. This security breach allows a hacker to enter database commands into an input box. If successful, this technique reveals details about the database, which allow the hacker to steal information. Input data should be sanitized using tools such as AntiXSS. Another defensive strategy is to query the database exclusively through stored procedures and disallow the use of Dynamic SQL.

Make sure to change your password often. If you suspect a security breach, change your password immediately and contact your service provider. Learn how to create strong passwords and avoid phishing attempts. Once your information is compromised, you will not get a second chance.

James Bell

Sources

RockYou Hacker: 30% of Sites Store Plain Text Passwords
by Jolie O'Dell

One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now.
by MG Siegler

RockYou Hack: From Bad To Worse
by Nik Cubrilovic

Stop unwanted junk mail once and for all!

Are you tired of receiving junk mail from companies even after you asked them to stop?

If so, then USPS Form 1500 is the answer. It's simple and free of charge. Even though the form states that it stops sexually oriented advertisements, a new postal regulation opened it up to any kind of junk mail. (The USPS never updated the form).

James Bell

What is "better than bank" security?

Not all computer systems are created equal. Most financial institutions do a fine job at securing your data, but some do not. Any system, including a virtual safe deposit box, that touts “better than bank security” should, at minimum, address these security design flaws:

Break in the chain of trust. Many financial institutions outsource functions, such as bank statements, to a third party. The problem occurs when an account holder is redirected from the bank web site to the third party web site. In many cases, the bank web site provides no information stating that the account holder is being redirected nor is any information given stating that the third party can be trusted. The chain of trust is broken because the account holder has no way to determine if they can trust the third party site.

Presenting secure login options on insecure pages. When an insecure (non-https) web page contains a login and password box, the user has no way of knowing if they will be sent to a legitimate web site after submitting the information. This type of login page is easily spoofed by phishing attempts. The login page should be secured by https in addition to the rest of the web site.

Contact information for security advice on insecure pages. When a failure occurs and a web page requests that you call tech support, the contact information needs to be on a web page secured by https. If not, this web page can also be spoofed with bogus contact information. In this scenario, a phone number can be set up by a hacker to collect personal information, like your social security number.

Inadequate policies for user IDs and passwords. A web site should never use social security numbers, account numbers, or email addresses as a user ID. A web site should always publish its password policy and should never permit weak passwords.

Emailing sensitive information insecurely. Email, in general, is insecure. Your email may pass through several different servers before ending up in your Inbox. A financial institution should never email account statements or password resets. Statements should be downloaded through https. Password resets should be self-serviced or given out on demand by tech support.

Improper firewall configuration. When opening ports on a firewall, a minimalist approach is best. With fewer ports open, a hacker has fewer ways to enter a system. Trojans typically send out information through an obscure open port.

To find out more, I recommend that you read this excellent survey of bank security flaws by the University of Michigan.

James Bell