Friday, August 29, 2008

FoxIT Exposes IE8 Beta Privacy Limits

There is a breaking story out of the Netherlands this hour regarding the recently-announced privacy features of the new Microsoft IE8 browser currently in beta.

Webwereld reported that forensics firm FoxIT has found that retrieving a user's history is trivial, even with IE8's new privacy features turned on. Christian Prickaerts, a researcher with FoxIT, had this to say about the IE8 beta:

"The privacy option in this beta is mainly cosmetic. For a forensic investigator, retrieving the browsing history should be regarded as peanuts. The remaining records in the history file still enable me to deduce which websites have been visited."

The IE team's response was interesting: "InPrivate Browsing is to prevent other users of the same computer from gaining access to the browsing history. The feature isn't designed to protect a user's privacy from security experts and forensic researchers."

That isn't a great response. "Security experts" could conceivably write tools based on their techniques that are user-friendly, defeating the whole purpose. Which brings us to the real issue at stake here, and the reason why the stated design aim was to secure the browser history from "other users".

The feature has been roundly dubbed "porn mode" by many in the blogosphere. However, now that these issues have been raised, one wonders how many people who want this "porn mode" feature will migrate from Safari, the current "private browser" of choice, to IE.

Firefox, which has had issues of its own, is helped greatly by its adoption of a truly open developer platform. Several plug-ins for the browser have been written using the XPI and XUL framework and tools that increase Firefox user security to acceptable levels.

Of course, the above is not an unbiased view - we have had the goal of building a secure and private browsing environment for several years, not for the stated purpose above, but for ensuring the privacy of online banking transactions.

With SafeCentral, we've achieved that purpose, and we now have the best solution for browser privacy on the market today - with the added claim of offering a security posture that protects privacy from the hardware layer of the PC all the way to the user's (private) web server of choice.

How do we achieve better security than the leading browser manufacturers? By not focusing only on the browser and, more specifically, its plug-in environment. Authentium SafeCentral includes its own secure virtual desktop, supported by a system-level security library developed over many years, a secure look-up system, and a global secure DNS infrastructure.

Because of this closed system, we are able to offer much greater control of what is stored (or not stored) when it comes to user privacy.

Friday, August 22, 2008

Phishing 1.0 Attacks Persist

I received a "warning" this morning - a "Sun Trust Banks Installation and Upgrade Warning" pretending to be from SunTrust Bank - requesting that I head over to the bank's "Upgrade Department" and download "the latest software updates".

I'm pretty sure that if I called SunTrust and asked to speak with the "Update Department", the request would be met with some form of confused silence.

I find it interesting that these "Phishing 1.0" scams are still being sent out. The formatting alone looks pretty dire, and I wonder who, if anyone, might still be uninformed enough to click on such an obvious fraud.

True, it was addressed to me personally, and has a return email address that looks genuine. This combination may just prompt a consumer to click on the link. Despite some obvious malformations, the URL also looks somewhat official.

I saw a much better attempt a few days ago that targeted one of the leading main street banks in the UK and did a much better job of looking official and sounding convincing.

Some are calling these kinds of attacks "Phishing 2.0" - phishing that actually looks real, as opposed to the easily picked-apart example above, and that is combined with malware that looks inviting (free antivirus) but is potentially extremely harmful.

If you're a bank, trying to communicate with customers so you can educate them about these threats can be difficult - many of the Phishing 2.0 scams include privacy notices and all kinds of promises concerning data security. They are much more carefully crafted than the example above.

One positive move you can make to reduce the effectiveness of these scams is to encourage users to use a secure browsing environment, such as Authentium SafeCentral when banking or trading online.

We have excellent protection in place against these kinds of threats, and SafeCentral also enables a secure communications channel that can be used for customer education - and actual security warnings.

Thursday, August 21, 2008

Comments on "The State of PC Security"

I'm a fan of Internet.com. I met their CEO, Alan Meckler, at a conference in Singapore a few years ago, where he was speaking about the power of newsletters and blogs to create and engage an audience.
So it was with disappointment that I downloaded and read the latest Internet.com white paper entitled, "The State of PC Security".

Much of the paper (in fact, the first three quarters) was up to the usual standards of research and reporting, with a solid article by Kenneth van Wyk benchmarking Linux and Mac security, and a good article on the current state of patching by Andy Patrizio, in which he quotes some interesting statistics from a recent study conducted by Secunia that showed just 5% of 20,000 surveyed computers were patched and fully up to date.

However, the final article "We Need to Rethink PC Security Software", written by Adrian Kingsley-Hughes, was rather a disappointment. He had nothing good to say about the PC security industry, or the people working in it. Instead of offering insights about how to protect PCs and users (against phishing and viruses, for example), he simply painted PC security software as unnecessary.

Fast-emerging threats, such as zero day attacks, man-in-the-middle attacks, man-in-the-browser attacks, root kits, and HOSTS file mods, were not even mentioned.

Now, I think I understand how the "sponsored white paper" works - if the sponsor is a patch management or software compliance company (i.e. like Secunia), then "reducing faith in end point security" serves an editorial purpose that serves the sponsor.

But white papers are supposed to inform, as well as serve their sponsor, and I personally think Kingsley-Hughes could have done better than simply rail against the number of alerts offered by his security suite. He could have easily supported the sponsor's argument for keeping a device and its applications fully-patched without writing things like:

"My take on the situation is that security companies have done a good job of convincing people that their products are essential if you are to keep your system free of badware (that's not true, but I'm not going to get into that argument right now), and as such the incentive to develop a good, solid product is lost."

This is simply untrue. The fact is, security software companies are innovating at a rate never seen before in the industry, and providing service at unprecedented levels.

Let me name just a couple of terrific innovations that I think have recently made the world a safer and more enjoyable for PC users: McAfee Site Advisor, Firefox v3's terrific Antiphishing and Identity Services, Authentium SafeCentral (our unique secure browsing service - which incorporates the Firefox 3 security innovations), the various Anti-Rootkit technologies produced by multiple vendors including F-Secure and Panda, SecureZIP, and in the world of business end point security, WebSense Express and the equally excellent Spector 360 (from our fellow Floridians just up the coast).

These products all provide excellent levels of utility - and a level of quality and efficacy that was unavailable years ago.

These improvements are important to note. High efficacy is much more necessary today than it was years ago - the kinds of hacks we are seeing today are sponsored by criminals and involve unprecedented levels of sophistication, and not only in terms of the layered approaches we're seeing to deployment and data theft: social engineering has now reached a level of sophistication (personalized emails from government departments citing case numbers, accurate addressee information, seamless branding) where every contact with a corporation or organization is starting to become suspect.

In terms of service, when I look at the billions of emails we process in partnership with our spam-fighting friends at Microsoft, Google, WebSense and Secure Computing, and the constant improvements in process being brought online (30 minute update turnaround times, versus days or weeks years ago), I wonder how it is possible that all this hard work somehow gets missed by journalists.

At one point, Kingsley-Hughes says:

"I've gotten to the point where I think I'd rather take my chances with the bad guys myself rather than bother with so-called security software".

Great. Hopefully, no one reading this article put it down and thought "that's good advice". I certainly wouldn't recommend it, and I think it was not useful for Kingsley-Hughes to suggest it in the final paragraph of a white paper entitled "The State of PC Security". Computer users deserve better. So let me try and provide a different perspective.

The real state of PC security right now, from the user's perspective, ranges from "not protected" to "well protected". Advising PC owners to run even a fully-patched computer without security software is not responsible advice.

And while I agree that it is true that a perfectly-behaved, totally-informed person running a perfectly-patched PC could in theory potentially escape infection, or the exposure of their personal data or online banking credentials, in the real world, there is no such thing as a perfectly-patched PC.

Security software, such as our SafeCentral application, provides good insurance for those times when a phishing email fools you into clicking a link, or your chosen download turns out not to be the program (or content) advertised, or the bank's site gets overtaken by hackers, or your kids borrow your PC for five minutes and go somewhere without telling you.

Wednesday, August 20, 2008

Lions, Tigers, Hurricanes, Hackers

As if dodging tropical storms and chasing hackers isn't challenging enough... today, a lion and a Bengali tiger escaped from a private zoo a few miles down the road from the Authentium offices in Palm Beach Gardens.
Both animals were later caught without injury to either animals or State wildlife officials. No damage or loss of life was reported. Luckily, the other five lions, four tigers and six cougars, stayed put, and were not part of the outlaw posse.

The zoo has released no official word, but it is believed yesterday's passage through the area of Tropical Storm Fay may have created an opportunity for the pair to escape.

Hopefully, by tomorrow, it will be business as usual, and the only dangerous creatures on our radar (or in our neighborhood) will be those in the malware business.

Monday, August 18, 2008

Hackers Welcome Joomla Security Fixes

On Thursday, Joomla announced the 1.5.6 upgrade of its popular web-based CMS (content management system), a release designed to fix several security issues.
However, within hours of the security-oriented release, the Joomla web site was defaced by a team of hackers calling themselves the Red Eye Crew, bent on spoiling the fun.

The fact that Joomla's site got defaced isn't the newsworthy piece, though. The newsworthy piece is the fact that Joomla's site was defaced in a similar way almost exactly a year ago - in 2007.

I recall this because at the time, we were looking at purchasing a new CMS system and I was wading through one of various "Beginning Joomla" guides recently purchased from Barnes and Noble. For various reasons, we didn't end up going the Joomla route.

On Thursday, the PR folks did a reasonable job of explaining to folks why, on the eve of a security release, they should take the view that the hack was meaningless. But I'm not sure they went far enough. Joomla is a community - and any web-based hack is worrying to the people that have chosen Joomla as their web-based CMS.

Worse, the announcement did not even acknowledge the previous issues, choosing to speak as if this were a one-time event:

"Nothing but good will come of this experience. There's nothing like first hand experience to remind us of the trust our end user community places in us and the importance of working harder and smarter towards improving security."

Nothing but good will come from this? This kind of statement only works the first time. The fact that this morning's hack was a repeat effort requires the organization to "get serious" - and do more than offer an apology for "poor operating procedures". You can only do that once, and that card was played last year (and possibly earlier - but evidence for this is mainly anecdotal).

On the Joomla site, the organization is encouraging users to adopt the new release for security reasons, and signs off by saying "In retrospect, we wish we'd followed our own advice more diligently."

When attacks occur a second, or possibly third time, you need to win back trust by committing to look deeper, and you need to personalize it as well, and offer to look at the people involved as well as the systems.

Five Steps to Avoiding a SCAM

Candy Colp, our director of sales, sent me a copy of a news article from the magazine section of the Palm Beach Post this morning in which Jeffrey Deaver, author of The Bone Collector, talks about his experience with identity theft.

The article contained a list I hadn't seen before - the US Department of Justice's four recommended ways to avoid having your identity stolen. It's a simple method - just remember the word SCAM and what each letter stands for:
S is for: Be Stingy with Personal Information

Start by adopting a "need to know" approach to your personal data. Your credit card company may need to know your mother's maiden name, so that it can verify your identity when you call to inquire about your account.

A person who calls you and says he's from your bank, however, doesn't need to know that information if it's already on file with your bank; the only purpose of such a call is to acquire that information for that person's personal benefit.

Also, the more information that you have printed on your personal bank checks -- such as your Social Security number or home telephone number -- the more personal data you are routinely handing out to people who may not need that information (buy Frank Abagnale's book "Stealing Your Life" for some insight into what criminals do while waiting in the check-out line).

If someone you don't know calls you on the telephone and offers you the chance to receive a "major" credit card, a prize, or other valuable item, but asks you for personal data -- such as your Social Security number, credit card number or expiration date, or mother's maiden name -- ask them to send you a written application form.

If they won't do it, tell them you're not interested and hang up.

If they will, review the application carefully when you receive it and make sure it's going to a company or financial institution that's well-known and reputable. The Better Business Bureau can give you information about businesses that have been the subject of complaints.

If you're traveling, have your mail held at your local post office, or ask someone you know well and trust - another family member, a friend, or a neighbor - to collect and hold your mail while you're away.

If you have to telephone someone while you're traveling, and need to pass on personal financial information to the person you're calling, don't do it at an open telephone booth where passersby can listen in on what you're saying; use a telephone booth where you can close the door, or wait until you're at a less public location to call.

C is for: Check your financial information regularly

If you have bank or credit card accounts, you should be receiving monthly statements that list transactions for the most recent month or reporting period.

If you're not receiving monthly statements for the accounts you know you have, call the financial institution or credit card company immediately and ask about it.

If you're told that your statements are being mailed to another address that you haven't authorized, tell the financial institution or credit card representative immediately that you did not authorize the change of address and that someone may be improperly using your accounts.

In that situation, you should also ask for copies of all statements and debit or charge transactions that have occurred since the last statement you received. Obtaining those copies will help you to work with the financial institution or credit card company in determining whether some or all of those debit or charge transactions were fraudulent.

Note: If someone has gotten your financial data and made unauthorized debits or charges against your financial accounts, checking your monthly statements carefully may be the quickest way for you to find out.

Also, if someone has managed to get access to your mail or other personal data, and opened any credit cards in your name or taken any funds from your bank account, contact your financial institution or credit card company immediately to report those transactions and to request further action.

A is for: Ask for a copy of your credit report

Your credit report should list all bank and financial accounts under your name, and will provide other indications of whether someone has wrongfully opened or used any accounts in your name.

M is for: Maintain your financial records

Even though financial institutions are required to maintain copies of your checks, debit transactions, and similar transactions for five years, you should retain your monthly statements and checks for at least one year, if not more. If you need to dispute a particular check or transaction - especially if they purport to bear your signature - your original records will be more immediately accessible and useful to the institutions that you have contacted.

Even if you take all of these steps, however, it's still possible that you can become a victim of identity theft. Records containing your personal data -- credit-card receipts or car-rental agreements, for example -- may be found by or shared with someone who decides to use your data for fraudulent purposes.*

This is a good, sensible list and solid advice for every consumer - and if you follow it religiously, you will indeed reduce the chances of having your identity stolen. However, there is one additional step you should take.

If you've read my blog before, you already know that the fifth thing you should do to protect yourself from identity theft online is add another letter "s" to the above and download SafeCentral - Authentium's anti-identity theft service.

Source of list: U.S. Department of Justice

Sunday, August 17, 2008

6,000 to 6,000,000,000 in 25 Years

On November the 7th, 1988, USA Today reported that the world's first Internet worm, the Morris virus, had propagated itself to 6,000 computers:

The "virus'' - a rogue program planted by a high-tech vandal - showed up last Wednesday, duplicating itself rapidly and using vast quantities of computer space. It apparently didn't destroy any information, but it clogged an estimated 6,000 computers at universities and military labs.

Though there is some dispute over this estimate, that 6,000 number fairly accurately describes the reach of a virus back then (it was estimated that 10% of 60,000 hosts connected to the Internet were affected.)

Today, a 6,000 PC outbreak would barely rate a mention outside the targeted organization.

Part of the reason is the massive scale of our telecommunications networks, worldwide. Two years prior to the publishing of the USA Today article, the number of hosts on the Internet was less than 2,000. In the year immediately after the publication, the number more than doubled - to 130,000 (computerhistory.org).

The growth has not abated. Today, the number of networked devices in need of protection has grown to an estimated 3 billion, possibly as many as 3.5 billion, if you include computers along with consumer cell phones.

This hard-to-believe 3 billion cell phone estimate comes from a reputable source - Jan Chipchase, one of the lead researchers at Nokia. He estimates that within another two years, i.e. by 2010, another billion cell phones will come online (according to the ITU, China turned on its 601 millionth cell phone at the end of March, 2008.)

Which means that if current trends continue, we're talking close to 6,000,000,000 networked devices online by the end of 2013.

This remarkable difference in scale - and the fact that in three to five years, the total number of potentially vulnerable networked devices could be almost 1,000,000 times larger than it was when USA Today reported on the above story in 1988 - is interesting to ponder in terms of past and future risk mitigation efforts.

As Chipchase reported in his TED talk, there are three objects that consumers grab when they leave home - their keys, their money, and their (increasingly, Internet-enabled) cell phone.

Yet, if several of the start-ups that I and others are involved in have their way, within a few years you will simply grab your cell phone on the way out the door: your house security and your cash will be embedded in it.

The door will lock behind you (upon you entering the correct PIN), and your SIM will be loaded with more cash than you currently carry with you in your wallet. Which means your entire assets are going to be IP-based and in need of protection - the kind of protection currently offered by a mere handful of non-government threat mitigation companies.

This is worthy of study. I happen to think that the researchers and engineers at the antivirus and antispyware and firewall companies have done a pretty stunning job of keeping devices (and their users) protected over the twenty years since the Morris worm outbreak.

But have we factored in enough R&D, enough new staff hires and training, enough process automation, enough industry cooperation, to take into account the fact that a consumer's entire asset base will be online, not to mention the exponential rise in networked devices?

Are we adequately prepared for the fast-approaching situation in which the average consumer will effectively place their assets (or access to them) entirely in digital form, lock their houses via the Internet, or trust their lives to a networked heart monitor or medicine dispenser?

Back in 1988, there were few assets at risk - and no antimalware software. Authentium (Command) was one of the first to release a professional antimalware scanner in product form, with F-Prot Professional, in 1992 - and at the time of our v1.0 release, we protected computers from an incredible one hundred viruses.

Now, our complete update file contains almost one million signatures, a number that, like Moore's law, has been doubling roughly every eighteen months since that first release.

The fact that both key variables - the number of networked devices and the number of signatures - are trending exponentially upward suggests that in the next few years we are going to see some quite different approaches to security emerge, if only to alleviate the tax on networks due to update (and scanner upgrade) delivery.

Like the innovations of before, these innovations will come from the private sector, but this time, the stakes are significantly higher: as the world moves to a scenario in which a majority of the world's population and assets are online - including all the criminals, device blueprints, and software exploits.

Our own SafeCentral service provides a hint of one such innovation - it doesn't use definition files, and doesn't require knowledge of the malware targeting the user. There will be others.

Note: Yes, I know that some of the cell phones I'm referring to here are not "Internet-enabled" as such, but that doesn't mean they're immune to malware - the core subject of this blog entry. If you're interested in what cell phone viruses look like, read this.

Saturday, August 16, 2008

The Viruses of Khan El Khalili

I recently came back from a 16 country trip, during which I had a chance to meet and talk with IT security guys in lots of different environments.
What I discovered was that in some countries, consumers are overwhelmed with phishing and identity fraud-style attacks, including man in the middle and man in the browser attacks, while in other countries, destructive viruses are far more of a concern.

I also discovered that some markets have grown to the point where local language attacks and coding efforts are starting to pay dividends to hackers. This is not good news.

The other day in Cairo, I got to talking with an IT guy who does quite a number of large data center installations. He says one of the problems he faces is that western-based antimalware applications that are signature-dependent don't do a great job of detecting some of the local viruses.

He wasn't complaining - he spends a lot of his time re-imaging machines because of this (the best remedy when no disinfection routines are available), and it's good business - it also helps drive customers to adopt Linux, which is the fastest-growing part of his company.

But as we sipped our coffees by the eastern side of the Nile (in a very nice bar called Sangria), it was clear to both of us that a system that relies on constant re-imaging of devices is eventually going to be pushed aside in favor of one that doesn't (Ubuntu, anyone?).

Interestingly enough, in Japan, I noticed the issues they faced were more similar to Egypt than to the US: more emphasis on data backup and protecting files from viruses, and less talk about spyware and the stealing of user credentials - which might explain why Trend Micro, a Japanese company, is, in my opinion, better at the former than the latter.

One of the reasons I think Rising and Jiangmin are doing well in China is because they are focused on viruses and other forms of malware (such as the Panda virus above) that target the Chinese market. The same could be said for Korea-based Hauri.

In the Southern hemisphere, phishing and 419 scams, identity fraud, spyware, and all of the viruses and Trojans recently written to steal user credentials were far more prevalent issues. From South Africa to Australia, and north to regions such as Singapore, Europe and the UK, it was clear that user credentials, not devices, were more the focus of attacks.

Likewise in the Gulf countries I visited, where phishing, wifi hacks and man in the browser attacks increasingly dominate conversations. I heard from several IT guys, including several CSOs, about increased prevalence of local language attacks - something they never used to see at all until quite recently.

Clearly, as these individual markets grow, at a certain point, hackers start "going local" - creating demand for security solutions capable of protecting local users from locally-focused hackers. I expect this "going local" factor will start to have ramifications soon regarding antimalware testing and certification, which is currently very Europe-centric in nature, and design.

Because when it comes to local threats attacking narrowly-defined markets, even signature-based systems that feature great heuristics will find it harder and harder to keep up.

This last fact was one of the concepts that we kept in mind while designing Authentium SafeCentral, our "secure browser plus virtual desktop plus secure DNS service". When we designed this product we focused on five basic areas of vulnerability: the user, applications, the device, the network and the destination.

SafeCentral maintains a solid security posture, and enables secure transactions, regardless of your location, or where the malware was written. You could look at it as our investment in a future built on increasingly large, interlocked, local economies.

You can download a free copy here.

Note to the antimalware companies mentioned above - if you're interested in offering SafeCentral to your customers, we do have an OEM program: a large part of our antimalware business is OEM-based, through companies like Google, Microsoft and Symantec.

Monday, August 11, 2008

Protecting Your Online Trading Account

Among the many entertaining stories in the book "Stealing Your Life" (mentioned below), Frank Abagnale relates the story of an online brokerage customer who has their account taken over by a hacker and used to trade options in Cisco Systems, to the tune of a $40,000 profit.

Now, if the story stopped there, you can imagine it becoming a modern-day version of "The Elves and the Shoemaker".

"I swear Honey, we had 2,000 Cisco options when I went to bed, but when I woke up, they'd all been sold - for a net gain of 170%!"

Unfortunately, like most stories involving identity theft, the story doesn't stop there. The thief isn't a charitable elf. He performs a risk-free set of trades, cashes out, and leaves you with those GM and Lucent shares you bought eight years ago.

Yes, you can go to your broker and explain your loss, and most of the time they'll believe you. But don't think this is the first time your broker has heard the "it wasn't me - I was hacked" story. Be prepared to have all your documents prepared, and get ready to prove your case.

Or better still, stop it from happening before it starts.

This is both harder (and, ultimately, easier) than it sounds.

Harder, because a lot of people try and apply enterprise security solutions to situations that are much different.

Easier, because it is possible to harden the user authentication mechanism against attack, so that user credentials are not easily stolen. You just need the right approach.

A lot of online banks and brokerages have recently started experimenting with expensive physical tokens and "virtual keyboards" - on-screen keyboards that feature randomized, repainted numbers that users click on with a mouse to gain access.

Both these approaches are seriously flawed.

Let's look first at Virtual Keyboards. Let me say this loud and clear: virtual keyboards are 100% useless. If you're infested with malware created by a hacker with an IQ even slightly above room temperature (and more than half of you that are reading this are infested with malware that matches this description), your randomized virtual PIN entries are going to get captured - in the form of JPG screen shots.

Print. Print. Print. Send as email (to hacker).

Hardware-based tokens can be equally problematic. It's not that these sleek-looking devices don't do their job and create credentials that are unfathomably hard to guess - they do. That isn't the problem.

The problem is that these credentials are susceptible to being stolen by hackers en route to the login page, via very simple forms of the Man In The Browser attack. See my earlier post on this subject a couple of months back.

So what's an online brokerage to do, if it wants to protect its customers, aside from keep paying its SIPC dues?

The technology issues seem overwhelming. If someone were to dream up a technology solution for adoption by online trading professionals, it would, on the surface, appear complex.

It would, out of necessity, include a combination of system-level command handling and file hardening approaches, desktop virtualization, a locked-down non-standard browser with update and plug-in controls, secure DNS infrastructure, secure application update channel, and the best in current third party anti-phishing systems. And all of this would have to work seamlessly and simply.

I'll spare you any further build-up: we've built this. The solution we've created to protect consumers against online trading fraud is called SafeCentral.

Authentium SafeCentral is currently being evaluated by online brokerages on four continents, and our first release went live just over three weeks ago at Firstrade, the top-ranked US online broker (Consumer Reports).

"Stealing Your Life" by Frank Abagnale

Frank Abagnale is best known for writing a rip-roaring memoir that was adapted into the Steven Spielberg/Tom Hanks/Leonardo DiCaprio movie "Catch Me If You Can".


The scenes where Frank impersonates a Pan Am pilot are my favorite - I think of them every time I travel through MIA/Miami.

I contacted Frank (played by Leonardo DiCaprio in the movie) right after seeing the movie, to see if there was a way we could team up to fight Identity Theft.

At the time, Frank was helping to put together PrivacyGuard, now one of the most widely-deployed solutions on the market. We decided to keep in touch, once our respective identity protection products - PrivacyGuard, and SafeCentral (then called VirtualATM), launched.

As it turns out, Frank's product beat me to market by three years. And, as I recently found out, he followed up the launch of PrivacyGuard with an outstanding book on the identity theft problem.

Called "Stealing Your Life", the book is one of the best-researched and practical books on identity theft yet written - and easily the most readable.

As in "Catch Me If You Can", Frank is able to detail what criminals are thinking as they're plotting to steal your money. The stories he has to tell in "Stealing Your Life" are disturbing - in some cases, appalling.

I'm going to pick up on a couple that I have some additional color on and share them over the next week or so. In the meantime, I strongly suggest you go out and find this book, or order a copy through Amazon.

You won't find a more informative book on the wide-ranging forms of identity theft out there, and you certainly won't find another written by a former confidence guy.

If you'd like to review our own solution to identity theft, Authentium SafeCentral, just head over to our site and download the free trial version.

Saturday, August 9, 2008

ID Theft: What is a 419 Scam?

The term "419 scam" is used loosely as a synonym for phishing and identity theft, though strictly it refers to advance-fee fraud by email. I personally receive about a hundred million dollars' worth of these emails a day.


The variations are endless. The scams range from the baiting of the greedy and needy ("I AM THE FORMER CFO OF A LARGE BANK AND I HAVE 9.5 MILLION DOLLARS THAT I WISH TO SHARE WITH YOU") to out-and-out scare tactics ("SOMEONE HAS PAID ME $5,000 TO KILL YOU").

But what does "419" mean?

"419" refers to the name of the section of the Nigerian Criminal Code used to prosecute these crimes, when they are prosecuted. The section, one of several sections within Chapter 38 (Obtaining Property by false pretences; Cheating), reads as follows:

419. Any person who by any false pretence, and with intent to defraud, obtains from any other person anything capable of being stolen, or induces any other person to deliver to any person anything capable of being stolen, is guilty of a felony, and is liable to imprisonment for three years.

If the thing is of the value of one thousand naira or upwards [about seven $US], he is liable to imprisonment for seven years.


It is immaterial that the thing is obtained or its delivery is induced through the medium of a contract induced by the false pretence.
The offender cannot be arrested without warrant unless found committing the offence.

A quick read of a half dozen Nigerian newspapers today turned up very few stories involving the successful prosecution of 419 email scammers. Attempts to pass and prosecute a law in Nigeria targeting computer crime in general, such as the above, have mostly failed.

This inaction at the government level has reduced many intelligent and proud Nigerians to despair. One London-based Nigerian expat, tired of the association with Nigeria and email scams, blames lack of government investment in Nigeria's younger generation:

"What has the local, state or federal government done in the last 20 years for example to prepare for the future of this generation of internet rats? What have they done or what are they still doing other than stealing, looting and gallivanting like nonentities?"

Many other in-country commentators agree. About the only positive seems to be the fact that voices are at last being raised. Maybe change (and a decent law) is in the air.

Note to recipients of 419 scam emails: 419 scams are unbelievably easy to avoid. If you receive an email from anyone, claiming:

a) you won a lottery you didn't enter
b) you have the same last name as the heir to a fortune
c) you are targeted for murder (unless you pay up)
d) you will have "bad luck" if you don't pass on the email
e) you are otherwise in line for a windfall

...you have just received a scam email of the variety commonly known as a 419 scam. Don't respond to strangers offering money by email. Don't get tricky and try to "scam the scammer" like some have attempted. Delete the email.

There is a much better chance you'll get five dollars in a card from your grandmother on your birthday than you'll ever see any money from one of these emails.

Note: I found a curious story tonight while researching this post. Rumor has it that Mary Winkler, the Tennessee woman convicted of shooting her 31 year old preacher husband in the back, owed $17,500 to the Nigerian "Yahoo Boys" (the local Nigerian lingo for 419 perps) at the time of the murder.

You can read more about this story, and others, here.

Friday, August 8, 2008

Counting Sheep

Brian Krebs of the Washington Post wrote a nice article today about how sometimes security industry folks don't follow their own rules.


In fact, it turns out that security professionals can be pretty bad at remembering not to send their usernames and passwords over non-encrypted wireless networks - of the temporary type typically slapped up at conferences.

Thank goodness none of them were in a room full of hackers when their credentials were sniffed*.

You can get to Brian's post on the Black Hat "Wall of Sheep" here. The part where some of the people change their credentials after finding out they've been outed (even though they are still connected to the same non-secure wifi network) is, well, illuminating.

*That's a joke, folks. The Wall of Sheep experiment takes place at every Black Hat conference, and always, unfortunately, they post similar results.

Bring Back "I Am Rich"

Dan Frommer of the Silicon Valley Insider thinks the Apple iPhone "I Am Rich" application that Apple pulled from their store today is "for jerks" because it costs $1,000 and "doesn't do anything" except twinkle.


I disagree entirely.

I think Armin Heinrich, the developer of "I Am Rich", is possibly smarter than just about any other developer on the iPhone platform. Not only has he created the first $1,000 program, he's come up with an app that acts exactly like a Rolex watch or a Gold Card, except in software.

Yes, you got it. "I Am Rich" meets a need that is as old as time: creating attraction by proxy.

Let's compare: Real gems are typically purchased from trusted brands/stores. Real gems feature hefty price tags. Real gems do nothing - except twinkle and assist in attracting mates, which in turn helps us, their owners, propagate the species.

Yes, I know, anthropologists and economists would have us believe that people also buy gems and precious metals in order to make their wealth more portable - but I think people also buy gems for the same reason people buy silver BMW convertibles and Apple iPhones: to show off/try to be more attractive.

Think about it. What need does the iPhone really serve, aside from creating a sense of status? Do we really need all those sleek, cool design components, just to make a call? If it's all about "personal communications" and "productivity-based applications", why isn't there a brown-paper-bag version? Why is the iPhone always on display?

The answer, as everyone knows, is that "cool is attractive" - and being cool is as important to us humans as shiny chrome objects are to bottle cap-collecting magpies.

"I Am Rich" may indeed be crass, and it may be a little too "in your face" for some (or possibly many) iPhone users - but that doesn't mean it deserves to get yanked from Apple's store.

One of the benefits of living in a free society is that you get to choose what kind of jerk you want to be. In revoking this application, Apple has acted more like an old-style communist dictatorship than an innovative, capitalist-led technology company.

Apple should recognize what's going on here and bring back "I Am Rich". It doesn't matter what people think of the app - revoking it wasn't cool, and will just create unfair competition for a space that Mr. Heinrich had targeted well - almost as well as Apple itself.

Thursday, August 7, 2008

DNS - The Basics Explained

I realized today why consumers sometimes get so fed up with news involving Internet security alerts: it's because sometimes the basics and the acronyms are not explained, which makes the rest of the news story hard to follow.

Take, for example "DNS", as in the recently-announced "DNS flaw" - currently the subject of much current news and speculation.

What, exactly, does a Domain Name Server do?

Let's start by explaining the concept of a "domain" on the Internet. The modern word "domain" comes from the Latin "dominium" (ownership, lordship). It's most commonly used by people to refer to their house, corner office, or area of expertise.

If you live in a block of condos, your domain is the condo in which you live. If you live in a house in the suburbs, your domain is your house. Your "domain" is simply your part of a much larger area - i.e. your condo, vs. the entire development.

Likewise, in Internet terms, a "domain" is simply a sub-section of the Internet.

The largest "top level" domains (i.e. the suburbs) use ".com", ".net", ".org", ".gov", ".edu" and similar suffixes to identify the type of top-level domain (.gov = government).

The next level down (i.e. your condo development) is usually the name of a company, organization, or government agency that is part of the top-level domain.

For example, the domain name "authentium.com" refers to the ".com" top level domain, then to the part of the Internet that is under Authentium's control. "Google.com" refers to the ".com" top level domain, then to the piece under Google's control.

Put another way, when you type the domain name "google.com" into your address bar, you are saying, I want to 1) Go to the commercial section of the Internet, then 2) Go explore the domain of the company Google.

"Finance.google.com" refers to a sub-domain of Google relating to finance. The smallest domain is on the left: The finance sub-domain is smaller than the Google domain. The Google domain is smaller than the ".com" top-level domain.

Now you're probably reading this, thinking "I thought I heard today that there was a problem with Domain Name Servers. How could there be a problem? I just type in a web site address, and so long as I spell the domain name correctly, I connect, right?"

Unfortunately, the answer is no.

The definition I just gave you is how us humans look at domain names. Computers - more specifically, the web servers that host the web pages of Authentium and Google, and the routers in between - locate each other by a different form of address: a set of numbers called an Internet Protocol address, or IP address.

Human-version domain name: "google.com"
Computer-version domain name: "72.14.207.99"

Which is where the Domain Name Server (DNS) comes in.

DNS servers, or Domain Name Servers, are simply translation devices. What they do is take your request for "google.com" and turn it from "google.com" into the IP address 72.14.207.99, so that your request can be understood by the computers that form the Internet and sent to Google's domain for processing.

As you can imagine, translating the names of all the web sites we type in every day into numbers is a massive task - and that is what the ten million or so DNS servers do every day.

Sometimes, to make things faster, the servers store these translations - this is called caching, and each translation carries a "time to live" (TTL) that says how long it may be kept before it must be looked up again. It is not uncommon for even small-sized Domain Name Servers, like the kind you might have sitting in a rack at your office, to contain thousands or even millions of such "translations" in storage.

The problem with this approach is that hackers can make a ton of money by successfully changing the "translations" - an attack known as cache poisoning. Typically, the hacker slips a forged answer for mybank.com into a DNS server's cache, pointing at an IP address he controls, and everyone who uses that server is re-routed to a look-alike site until the bogus entry expires, so he can steal their usernames and passwords.

Now, the effort required to hack a DNS server is not trivial, and not likely to be successful with respect to large, well-organized organizations. But the recent announcement of a major flaw in the underlying DNS software has even seasoned pros working late into the night to get their fixes in place.
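The exchange described above, as an added example that is not from the original post: build the query for google.com, parse a constructed reply, cache it for its TTL, and apply the check a resolver uses to decide whether a reply is believed at all. The 2008 flaw Kaminsky reported turned on exactly that check: the transaction id is only 16 bits, so a resolver that also sent every query from the same UDP port could be fed a forged reply by guessing the id, and the patch everyone rushed to apply randomized the source port as well. Nothing here touches the network; the reply bytes are assembled in memory, the Google address is the one quoted in the post, and 203.0.113.7 and mybank.example are stand-ins for the attacker's look-alike site and the targeted name.

```python
"""Minimal DNS on the wire: build a query, parse a reply, cache it, and check
that a reply really belongs to the question that was asked.

Added example, not code from the original post. Nothing touches the network:
the "replies" are byte strings assembled here to look like what a resolver
receives, the Google address is the one quoted above, and 203.0.113.7 is a
documentation address standing in for the attacker's look-alike site.
"""
import struct
import time

def encode_name(name: str) -> bytes:
    """'google.com' -> b'\\x06google\\x03com\\x00' (length-prefixed labels)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg: bytes, off: int):
    """Read a name at msg[off:], following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # two-byte pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode())
        off += ln

def build_query(txid: int, name: str) -> bytes:
    """Header (id, RD flag, one question) + question (name, type A, class IN)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed answer: the question echoed back, plus one A record for the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr                 # 0xc00c = pointer to the name at offset 12

def parse_response(msg: bytes) -> dict:
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "question": (qname, qtype, qclass), "answers": answers}

class CachingResolver:
    """Keeps translations for their TTL. A reply is accepted only if its transaction
    id and the UDP port it arrived on match an outstanding query for that same name."""
    def __init__(self, now=time.time):
        self.cache, self.pending, self.now = {}, {}, now
    def ask(self, name: str, txid: int, sport: int) -> bytes:
        self.pending[(txid, sport)] = name
        return build_query(txid, name)
    def receive(self, msg: bytes, sport: int) -> bool:
        r = parse_response(msg)
        name = self.pending.get((r["txid"], sport))
        if name is None or r["question"] != (name, 1, 1):
            return False                           # forged or stray reply: drop it
        del self.pending[(r["txid"], sport)]
        for rname, ip, ttl in r["answers"]:
            if rname == name:                      # only cache data for the name we asked about
                self.cache[name] = (ip, self.now() + ttl)
        return True
    def lookup(self, name: str):
        hit = self.cache.get(name)
        if hit and hit[1] > self.now():
            return hit[0]
        self.cache.pop(name, None)                 # expired: ask again next time
        return None

def demo():
    clock = [1_000_000.0]
    r = CachingResolver(now=lambda: clock[0])
    # 1. A legitimate exchange, then the cached answer expiring after its TTL.
    r.ask("google.com", txid=0x1234, sport=40000)
    r.receive(build_response(0x1234, "google.com", "72.14.207.99", ttl=60), sport=40000)
    cached = r.lookup("google.com")
    clock[0] += 61
    expired = r.lookup("google.com")
    # 2. A forged reply: the attacker guessed the 16-bit id but not the randomized port.
    r.ask("mybank.example", txid=0x4242, sport=51515)
    wrong_port = r.receive(build_response(0x4242, "mybank.example", "203.0.113.7"), sport=53)
    # 3. A resolver that always sends from port 53 leaves only the id to guess: poisoned.
    r.ask("mybank.example", txid=0x4242, sport=53)
    fixed_port = r.receive(build_response(0x4242, "mybank.example", "203.0.113.7"), sport=53)
    return cached, expired, wrong_port, fixed_port, r.lookup("mybank.example")

if __name__ == "__main__":
    print(demo())   # ('72.14.207.99', None, False, True, '203.0.113.7')
```

The resolver here only caches records for the exact name it asked about; the real-world attack also abused extra records that came along in the same reply, which is a second check (commonly called bailiwick checking) that this toy leaves out.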

The good news is - since the announcement yesterday of the full extent of the "Kaminsky DNS flaw", a majority of the world's servers have been patched, including 70% of Fortune 500 companies.

The other good news is, our product SafeCentral provides a really nice set of protections that secure DNS requests and bypass the standard DNS infrastructure. If you're worried, give it a try. It also stops key-loggers and screen-scraping spyware.

Note: If I didn't do a good job explaining these basics, email me, and help me improve this post. The shorthand in here (yes, I know the Google domain includes multiple IP addresses, etc, etc) is by design - I just want to help folks understand the basics of DNS so they can get a handle on what this flaw means.

If you want to dig deep on DNS, head over to Kaminsky's blog at DoxPara Research.

VIP Laptop "Rematerializes" in Office

Verified Identity Pass issued a press release today stating that they have "found" the laptop we reported was missing with over 33,000 personal profiles on it.

According to the firm's head of business development, the laptop was discovered in the office in which it was lost over a week ago. An "initial investigation" has revealed no tampering with the data.

Comments out on the blogosphere this afternoon range from the sarcastic ("that must be one heck of a large office") to the suspicious ("Probably was put back after stealing the information" and "I would not use that computer - there is probably a hacker chip installed in there now") to the incredulous ("How do we know it's even the same laptop?").

I'm going with Occam's razor on this. I'm assuming VIP simply misplaced the laptop and found it sitting under a paper file somewhere. I am going to assume there was no attempt at cover-up, and no attempt to deceive - because that is the simplest explanation.

But I have a feeling that we're going to hear a lot more of these "discoveries" in future.

"Rediscovering" a laptop that has been reported missing with your entire company's customer base on it - after it has been missing a week - is a lot less painful than watching the story grow and your business shrink.

I am happy to assume this didn't happen in this case, but I'm quite certain folks looking for a quick solution in future will remember this approach, and apply it - safe in the knowledge that like me, most people will accept the news at face value.

Note: I originally read this occurred in New York. It didn't - it happened in San Francisco.

DNS Flaw: Two Practical Things You Can Do

Dan Kaminsky got two standing ovations at Black Hat yesterday - one for his detailed and thorough explanation of the DNS flaw he discovered earlier this year, and a second ovation for his handling of the matter.



He should get another ovation for media-savvy. Thanks to Kaminsky's diligence, 50% of DNS servers tested on July 25th were shown to be patched to the required levels - up from barely 15% on July 7th. 70% of Fortune 500 companies were also passing the test, as of last night (see Kaminsky's animated "DNS patch status map" at DoxPara).

Also, by building up the focus to the August 6th announcement, and leaking out just enough information to push people to the right textbooks, he ensured that not only were the IT teams up to speed, but the journalists were as well.

But now that the applause has died down, we need to provide consumers with some practical answers.

Some of the other announcements - of flaws in various forms of VPN software and the Secure Sockets Layer (SSL - the technology that powers the padlock in your https:// secure browser sessions) were very well explained in the mainstream press reports I read last night.

But I wouldn't be surprised if there are a lot of consumers out there reading all this and saying "What the... ?" and wondering the best way to get to their bank or brokerage this morning. Let me suggest two sites: Kaminsky's own "Check My DNS" test page, and Authentium's very own SafeCentral.

If you're worried about the DNS you're using right now, head over to Dan's personal blog and click on "Check My DNS". It will run a quick test on the DNS server upstream from you to see if the patches are in place - specifically, whether the server now randomizes the source ports (and transaction ids) of its queries, which is what the patch adds.

That check isn't going to fix anything, but it is a useful start. If you're interested in protecting your local HOSTS file and making sure that *all* of your requests are securely handled, I would strongly suggest you head over to our site at www.safecentral.com and download the latest version of Authentium SafeCentral.

SafeCentral was designed to provide strong protection against many of the hacker exploits mentioned yesterday. PC Magazine and IRM have both tested our DNS security, and they say it worked 100% as advertised.

SafeCentral protects your local HOSTS file, blocks key-loggers and screen-stealers, and sends all web site requests to a secure DNS service.
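The HOSTS file matters because the operating system consults it before asking any DNS server at all, so a single line added by malware overrides every DNS protection upstream. As an added example (not Authentium code; the post does not describe how SafeCentral guards the file), here is the check a practitioner would run over it: flag public web site names that the file steers to a routable address (a look-alike site) or to 0.0.0.0/loopback (a blocked update server), and fingerprint the file so silent changes show up on the next run. The file contents are constructed, as are the mybank.example and update.antivirus.example names.

```python
"""Checking a HOSTS file for entries that hijack web site names.

Added example, not Authentium code (the post does not describe how SafeCentral
protects the HOSTS file). The file contents below are constructed; on a real
machine read /etc/hosts or %SystemRoot%\\System32\\drivers\\etc\\hosts instead.
"""
import hashlib
import ipaddress

# Constructed sample: the first lines are normal, the last two are the kind of
# entries banking malware adds (203.0.113.7 is a documentation address).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan
# added by malware:
203.0.113.7     mybank.example www.mybank.example
0.0.0.0         update.antivirus.example
"""

LOCAL_SUFFIXES = (".lan", ".local", ".localdomain", ".home", ".internal")
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_hosts(text: str):
    """Yield (line number, address, hostname) for every mapping in a HOSTS file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                                # not an address: ignore the line
        for name in names:
            yield lineno, addr, name.lower()

def looks_like_public_name(name: str) -> bool:
    """A dotted name that is not a local/LAN name is one that DNS should be resolving."""
    return "." in name and not name.endswith(LOCAL_SUFFIXES) and name not in LOCAL_NAMES

def is_lan_address(addr) -> bool:
    return addr.is_link_local or any(addr in net for net in LAN_NETWORKS)

def audit_hosts(text: str):
    """Return (line, kind, name, address) for public names the HOSTS file steers elsewhere.

    'redirect'  - the name is sent to a routable address (look-alike site)
    'blackhole' - the name is sent to 0.0.0.0 / loopback (e.g. blocking AV updates)
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if not looks_like_public_name(name):
            continue
        if addr.is_unspecified or addr.is_loopback:
            findings.append((lineno, "blackhole", name, str(addr)))
        elif not is_lan_address(addr):
            findings.append((lineno, "redirect", name, str(addr)))
        # a public-looking name mapped to a LAN address is left alone here;
        # a stricter policy would report it too
    return findings

def fingerprint(text: str) -> str:
    """SHA-256 of the file; store it and compare on each run to catch silent changes."""
    return hashlib.sha256(text.encode()).hexdigest()

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s %s -> %s" % finding)
    print("fingerprint:", fingerprint(SAMPLE_HOSTS))
```

A clean Windows or Unix HOSTS file contains little beyond the localhost lines, so any finding at all from this audit is worth a look; the fingerprint is what turns a one-off check into ongoing detection.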

Note re the patch map from www.doxpara.com: Red = Unpatched; Yellow = Patched (but NAT is screwing things up); Green = OK.

Note: Doxpara is getting *lots* of traffic this morning. Patience may be required to get in.

Wednesday, August 6, 2008

33,000 Customer Profiles Lost by TSA Vendor

This morning, it was announced that VIP, one of the vendors behind Clear, the smartcard that allows frequent travelers to breeze through TSA-controlled security lines at airports, lost 33,000 personal profiles of its VIP customers when one of its laptops went missing.


The 33,000 customer profiles were *not* encrypted.

Despite the company having adopted an internal policy of always encrypting important data (e.g. customer profiles), the missing profiles may apparently be freely viewed by identity thieves, terrorists, or pawn shop owners with equal ease.

Which means that whoever now has this laptop has exactly the personal profiles most useful in engaging in acts of terrorism. A more perfect treasure trove of targeted identities could not be imagined.

I don't know about you, but I'm really tired of hearing about vendors that put data on laptops and then lose that data - data that consumers have entrusted to them.

I'm also tired of hearing vendors say "we don't think anything bad is going to happen because of our mistake". Yeah, right.

There is no reason on this Earth that anyone should ever download their entire unencrypted database of customers onto a laptop. None. Zip. Zero.

Congress - want to pass a new law? You should make this kind of action - carrying around unencrypted customer profiles on a laptop - subject to a massive fine, and I mean massive. That might start to clean things up.

Though somehow, I doubt it.

Tuesday, August 5, 2008

"TJ Maxx 11" Charged With 40 Million Card Theft

A group of hackers that spent several months downloading 40 million consumer credit card profiles from horribly insecure wireless networks operated by TJ Maxx have allegedly been found, arrested and charged.

Yes, I know: "TJ Maxx Eleven" isn't about to be turned into a movie. But it certainly has the makings of one.

The hackers, which took turns monitoring wifi traffic from cars parked outside the stores, found security was so lax on TJ Maxx's wifi networks that they allegedly left notes for each other in plain sight in the databases they hacked into - informing their cronies which records still needed to be uploaded/stolen.

"Dave, I'm fresh out of Doritos and trail mix... suggest you start downloading the credit card records from the August purchases table while I reload..."

Database hacks are horrible because consumers are entirely at the mercy of corporate policy - there is almost nothing they can do aside from buying insurance.

And getting hacked doesn't just mean your credit is up for grabs - it creates inconvenience, and potentially large costs for banks and credit unions who must reissue new cards.

The hack was allegedly the biggest ever. The DoJ is calling it an international conspiracy and says that nationals of Ukraine, Belarus, China and Estonia are responsible. These guys will be going away for a long, long, long time.

The TJ Maxx IT security guys? Still at large.

Note: TJX Corp is a large holding company that operates the TJ Maxx chain (along with Marshalls and HomeGoods). The other retailers named in the indictment - Barnes and Noble, BJ's Wholesale Club, Boston Market, Dave and Busters, DSW shoe stores, Forever 21, Office Max and Sports Authority - are separate companies that were also victims of the same group.

I'm sure they have a different group running IT security these days. Or at the very least, a much larger security budget.

Sunday, August 3, 2008

Websense: 60 of Top 100 Sites Pushing Malware

Last week, Authentium partner Websense published some rather interesting statistics about what users can expect to find on the top-ranked web sites. In summary, what users can expect to find, at 60% of these sites, is malware.

"60 percent of the top 100 most popular Web sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites - Websense Security Labs."

Note that Websense is not just saying "60 leading websites" - it is saying specifically that 60 of the top 100 ranked web sites either directly or indirectly (i.e. via a link) delivered some form of malware, or a link to malware, to their visitors.

Part of the reason for this may be that 45 of the 100 web sites that Websense Security Labs studied support user-generated content, such as the posting of images, videos, audio files, messages, comments, email attachments, etc.

Unsurprisingly, given the rise we've seen in sophisticated key-loggers and screen-stealers in the wild, the Websense Threatseeker Network found that 29% of the malware discovered involved a key-logger, screen-stealer, or some other form of data capture malware.

More statistics can be found at the Websense site.

Beyond FDIC: Ideas for Protecting Your Cash

Most consumers and small business owners in the US are aware that the FDIC insures individual accounts up to $100,000. That is the figure that each account holder is insured for in the event of a bank failure, such as the one that just occurred at IndyMac Bank in California.


FDIC insurance provides adequate protection to consumers with total cash assets below $100,000. However, retirees and small business owners need to look at things a little differently - that $100,000 limit may not be nearly enough if your retirement savings are $1,000,000, or the monthly payroll for your landscaping business is $200,000.

I saw a number of worried-looking retirees (and possibly a few landscapers) standing behind the television reporters in the IndyMac parking lot as they announced the failure.

Hopefully, some of these retirees had split their funds into multiple sub-$100k accounts at different banks, or, if a couple, split their deposits into separate joint accounts registered to the couple, single accounts registered to the husband, and another single account registered to the wife.

However, the looks on the faces of the folks I saw on television tells me otherwise. I think it's fair to say that a lot of people who saw the same images are looking to take action. If you're one of them, here's some ideas:

One option is the one I just mentioned - if you have $200,000 in a single account at a single institution, you may want to consider splitting it between yourself and your partner, or moving half to a different institution.

Another option that concerned retirees and small business owners might also wish to consider re insuring larger short-term cash deposits is CDARS. CDARS is a program that enables small businesses to split larger (e.g. >$100k) deposits into individual, FDIC-insured CDs.

CDARS was founded in 2003 by Alan Blinder, former Vice-Chairman of the Federal Reserve. Around 2,200 banks in the US now offer this option. The program offers insurance for amounts up to $50mm - but even small business owners/sole proprietors with much smaller balances of working capital should take a look at CDARS.

The typical term of the CDs is four to six weeks. The CDARS web site is here.

Another investment category that concerned consumers need to keep an eye on is their stock portfolio. Because it is so convenient, a majority of consumers now trade their portfolios online. But accounts with online brokerages are not insured by the FDIC.

If you have $100,000 on deposit at one of the leading brokerages, you are covered not by the FDIC but by SIPC, a non-government membership corporation funded by the brokerages themselves. SIPC's statutory coverage is $500,000 per customer for missing securities, of which no more than $100,000 may be cash; anything above that depends on the "excess SIPC" policy the individual brokerage buys from private insurers.

Many online brokerages advertise 100% coverage under such policies, but the system has not yet suffered a test involving the closure of a large brokerage. Read the small print carefully - and look at their balance sheets - before you sign up.

Finally, one additional piece of "insurance" that retirees and small business owners should definitely consider is using Authentium SafeCentral - especially while banking or trading online.

The criminals behind last year's multimillion dollar thefts from online brokerages used stolen user credentials to steal $26 million in cash from online accounts in 2007. SafeCentral was designed to prevent that kind of fraud.

SafeCentral protects consumers and small business owners from key-loggers and screen-stealing malware better than anything else we've tested. If you're worried you and your funds may become a target, just go the web site: you can download SafeCentral for free.

Note: PC Magazine just gave SafeCentral an excellent review. Check out my blog post for the link.

Note: I'm not a financial advisor, or a banker - I'm a consumer and small business owner, just like you. I suggest you check out the above suggestions with your bank - they will undoubtedly have some excellent additional suggestions.