Showing posts with label Identity Theft. Show all posts

May 7, 2018

Weaponizing Your Privacy


So this was the funniest War of the Roses on the Kane Show that I ever heard. 

They use the Alexa personal assistant from Amazon (voiceover) to call the cheater. 

In this skit, we really see the potential power of these home computing devices. 

Alexa hears and knows everything that goes on in the house (including the cheating).

Alexa confronts the cheater and calls him a few descriptive names for his infidelity.

Alexa punishes the cheater by going online to purchase items with his credit card. 

Alexa betrays him by calling his girlfriend and telling her about the cheating. 

Cheating aside, maybe this is a great lesson in how we should all be considering our privacy in our homes and on our persons before we install Alexa, Siri, Cortana, the Google Assistant or any other personal or home surveillance systems. 

With all the bad actors out there and people that want to steal everything from your money, identity, secrets, and maybe even your wife--these devices are a direct line into your personal life.

This is called weaponizing your privacy!

Tell me, do you really believe that no one is listening or watching you?  ;-)

August 25, 2016

Modesty And Privacy Of Body and Information

So modesty and privacy are very important in terms of propriety and security.

Both are intimately connected. 

Already as children, we learn not to show or talk about our "privates" to others. 

And as adults, we understand that there are certain things about ourselves that we don't just talk about or divulge to others indiscriminately. 

Not being discreet with these and showing either your private parts or your personal information can get you in a load of trouble by giving others the opportunity to take undue advantage of you. 

Both open you up to be ridiculed or even raped of your person or information identity. 

That which is yours to use with others in propriety is instead disclosed for taking out from your control and for use against you. 

Security demands modesty of body and of information, and if not taken seriously, then no amount of lame covering will keep that which is private from public consumption. ;-)

July 12, 2015

The "Real" OPM Data Breach

A lot has been made and should be made of the theft of over 21 million federal employees' sensitive personnel records and security clearances. 

Everyone rightly, although somewhat selfishly, is worried about identity theft and the compromised privacy of their information.

The government is worried about hostile nation states using the pilfered information to bribe or coerce military, intelligence, high-level politicals, and others to turn and work for them or otherwise to use against them. 

But what is grossly missing in this discussion is not what information presumably the Chinese stole and how they will use it against us, but rather what information they inserted, altered, or otherwise compromised in the OPM personnel and security databases when they got root access to them.

Imagine for a moment what hostile nations or terrorists could do to this crown jewel database of personnel and security information:

- They could insert phony records for spies, moles, or other dangerous persons into the database--voila, these people are now "federal employees" and perhaps with stellar performance records and high level security clearances able to penetrate the depths of the federal government with impunity or even as superstars!

- They could alter personnel or security records, taking prominent or good government employees and sabotaging them to have questionable histories, contacts, financial, drug or criminal problems, and thereby frame or take down key government figures or divert attention from the real bad guys out there and tie our homeland security and law enforcement establishment in knots chasing after phony leads and false wrongdoers and villains.

Given that the timeline of the hack of OPM goes back to March and December 2014, this was more than enough time for our adversary to not only do to our data what they want, but also for the backup tapes to be affected by the corrupt data entering the system. 

The damage done to U.S. national security is unimaginable. As is typically the case with these things, "An ounce of prevention is worth a pound of cure." Instead of investing in security, now we can invest in "credit monitoring and identity theft protection" for a very sparse three years, while federal employees will go a lifetime in information jeopardy, and the federal government will be literally chasing its tail on personnel security for decades to come. 

With the price so low to our adversaries in attacking our systems, it truly is like stealing and much more. ;-)

(Source Photo: Andy Blumenthal)

June 25, 2015

18 Million--Change The SSNs

So, maybe one of the most detrimental heists of information from the Federal government in history. 

Now involving over 18 million current and former federal employees, including military and intelligence personnel. 

No getting around it, but we are major screwed here--this is a treasure trove of personal and privacy information ready to use for identity theft, blackmail, assassination/decapitation attacks at home and work addresses, kidnapping of family members, and literally attacking our national security apparatus from the very inside out--its people. 

Imagine, if at the time of its choosing, an adversary attacks our nation, but preempts this with sophisticated and coordinated attacks on our critical government personnel--generals, spy masters, political kingpins, and other key decision makers--thereby distracting them from their duties of safeguarding our nation. 

This is our new Achilles Heel and overall a security disaster bar none!

Well, we can't go back and put the genie back in the bottle--although wouldn't it be nice if such critical information (if not encrypted--already unforgivable) would have a self-destruct mechanism on it that we could at least zap it dead.

But for the people whose personal identities are at risk--whose social security numbers (SSNs) and dates of birth (DOBs) have been compromised--what can we do? 

While we can't very well change people's DOBs, why not at least issue them new SSNs to help thwart the adversaries peddling in this information in the black markets? 
 
If we can put a man on the moon, surely we can issue some 18 million new SSNs and mandate government and financial institutions to make the necessary updates to the records. 

This is not rocket science, and certainly we owe this much to our people to help protect them.

Will our government be there for its own employees and patriots? ;-)

(Source Photo: here with attribution to Donkey Hotey)

November 23, 2014

Data 4 Ransom

The future of cybercrime will soon become the almost routine taking of your personal and corporate data as hostage. 

Once the hacker has control of it, with or without exfiltration, they will attach malware to it--like a ticking time bomb.


A simple threat will follow:


"I have your data. Either you pay for your data back unharmed OR your data will become vaporware! You have one hour to decide. If you call the authorities, your data is history."


So how valuable is your data to you?  


- Your personal information--financial, medical, legal, sentimental things, etc.


- Your corporate information--proprietary trade secrets, customer lists, employee data, more.


How long would it take you to reconstitute if it's destroyed?  How about if instead it's sold and used for identity theft or to copy your "secret sauce" (i.e. competitive advantage) or maybe even to surpass you in the marketplace? 


Data is not just inert...it is alive!


Data is not just valuable...often it's invaluable!


Exposed in our networks or the cloud, data is at risk of theft, distortion, or even ultimate destruction. 


When the time comes, how much will you pay to save your data?


(Source Comic: Andy Blumenthal)


May 24, 2014

Driving Identity Theft

It's been only about 4 months since my mom passed, and now my dad becomes very sick from chemotherapy and ends up in the hospital for a week.

His red and white blood counts were extremely low, but thank G-d, the doctors were able to save him.


However, he is in a drastically weakened state and now looks like he will need regular assisted living just to get by every day. 


This has been horrible to see someone who has always been so strong, smart, and there selflessly for all of us, to be in this condition. 


We found a nice place for him, but even the nicest place isn't his place and doesn't allow the independence he (and we all) always cherish. 


On top of it, I get a letter in the mail with more than half a dozen tickets on his car.


It's impossible, because he hasn't been driving due to his illness.


We run down to check his car, and sure enough someone stole his plates (and replaced them with another set). 


They did this to his car that has handicapped tags.


In the meantime, they are driving around through tolls and doing G-d knows what.


The police were helpful--they came as soon as they could--took a report, the plates that were switched onto his car, and dusted for fingerprints.


I will never forget standing there just after my joint surgery--when not three hours before, I thought to myself, maybe things are finally calming down. 


Hopefully, the police will catch whoever did this. 


In the meantime, I take comfort knowing that G-d is the ultimate police force. ;-)


(Source Photo: Dannielle Blumenthal)


February 27, 2014

Newspaper, Identity Thief

So, true story.

I know identity theft is a serious matter, but really...

I'm heading out of the driveway and I see the newspaper delivery guy just pulling up.

He's running a little late, but I figure I can still get the paper in time for morning reading on the Metro. 

I walk over to him and ask if I can get the Journal that he's delivering to me.

He says, "No, I only deliver the Wall Street Journal and the Post."

I say, "Yeah, the Wall Street Journal, can I get it, since you're running a little late this morning."

He says, "I'm never late!"--actually, he is and sometimes doesn't deliver at all (the other week, I got 3 papers in one day). 

I say, "OK, but I can take it from here."

He says, "No, I only deliver to the door."

I say, "But I'm right here."

He says, "How do I know you are who you say you are?"

I say, "I am, and thank G-d, I really don't need to steal a $2 newspaper from you, Sir."

He says, "Okay, but I'll need to see an id!"

I say, "Are you serious?"

He says, "Yeah," pulling back to safety the pile of newspapers he is holding in his arms. 

Reluctantly, I flip open my wallet and flash my license to him.

Not good enough...he insists I take it out so he can read it. 

I finally got the paper, but we wasted what seemed like 5 minutes between the negotiation and proof of identity exercise. 

Don't get me wrong, I appreciate his diligence, but I think this type of scrutiny over access and identity would be better placed squarely on our cyber assets--somewhere where we really need them! ;-)

(Source Photo: Andy Blumenthal)

May 13, 2012

Facebook IPO--Love It, But Leave It

With the Facebook IPO scheduled for this week, valuing the company at as much as $96 billion, many investors according to Bloomberg BusinessWeek (11 May 2012) see this as overvalued.

Facebook will be the largest Internet IPO in history, and would be about 4 times as much as Google was valued at its IPO at $23 billion in 2003.

Further, Facebook could be valued at offering at 99 times earnings.

This is more than the price earnings ratio of 99% of companies in the S&P Index, yet even with some estimating sales of $6.1 billion this year, Facebook would only rank about 400 in the S&P 500.

True, Facebook has amassed an incredible 900 million users, but the company's revenue growth has slowed for the 3rd year in a row.

Another article in BusinessWeek (10 May 2012) describes a new social networking contender called Diaspora.

Unlike Google+ which is predominantly a Facebook copycat, Diaspora is bringing something new and major to the table--they are addressing the privacy issues that Facebook has not.

Diaspora is a distributed (or federated) social network, unlike Facebook which is centralized--in other words, Diaspora allows you to host your own data wherever you want (even in the cloud).

Each of these independently owned Diaspora instances or "pods" (dispersed like in the Diaspora) make up a true social "network"--interconnected and interoperable computing devices.

With Diaspora, you own your own data and can maintain its privacy (share, delete, and do what you want with your information), unlike with Facebook where you essentially give up rights to your data and it can and is used by Facebook for commercial use--for them to make money off of your personal/private information.

When it comes to personal property, we have a strong sense of ownership in our society and are keen on protecting these ownership rights, but somehow with our personal information and privacy, when it comes to social networking, we have sold ourselves out for a mere user account.

As loss of personally identifiable information (PII), intellectual property, identity theft, and other serious computer crimes continue to grow and cost us our money, time, and even our very selves in some respects, alternatives to the Facebook model, like Diaspora, will become more and more appealing.

So with social networks like Facebook--it is a case of love it, but leave it!

Love social networking--especially when privacy is built in--and others don't have rights to what you post.

But leave it--when they are asking for your investment dollar (i.e. IPO) that could be better spent on a product with a business model that is actually sustainable over the long term.

(Source Photo: here with attribution to Allan Cleaver)


February 19, 2012

Big Phish, Small Phish

Phishing is an attack whereby someone pretends to be a trustworthy entity, but is really trying to get your personal information in order to steal from you or an organization.

Phishing is a type of social engineering where fraudsters try to deceive and spoof their victims by sending email or instant messages (or even by calling) and pretending to be a legitimate private or public sector organization. They then either request personal information, provide links to fake websites, or even create unauthorized pop-ups from legitimate websites to get you to give them your personal data.

Additionally, phishing emails can contain attachments that infect recipients' computers with malware, creating a backdoor to control or compromise a system and its information.

In all of these cases, the intent of phishing is to impersonate others and lure consumers into providing information that can be used to steal identities, money, or information.

The word phishing alludes to the technique of baiting people and, like in real fishing, fooling at least some into biting and getting caught in the trap. 

In this fraudulent type, perpetrators pretend to be legitimate financial institutions, retailers, social media companies, and government agencies in an attempt to get you to divulge private information like date of birth, social security numbers, mother's maiden names, account numbers, passwords and more.

Once criminals have this valuable information, they can commit identity theft, break into your accounts, and steal money or information.

Spear-phishing is a derivative of this scam that is targeted at specific people, and whaling is when the scam is perpetrated on organization executives or other high profile targets, which can be especially compromising and harmful to themselves or the organizations they represent.

The first recorded phishing attack was in 1987. Over the years, the prevalence of these attacks has steadily increased. According to the Anti-Phishing Working Group (APWG), there were some 20,000-25,000 unique phishing campaigns every month through the first half of 2011, each targeting potentially millions of users. Additionally, as of March 2011, there were as many as 38,000 phishing sites. The most targeted industry continues to be financial services with 47% of the attacks.

There are a number of ways to protect yourself against phishing attacks.
  1. Delete email and messages that are unwarranted and ask for personal information
  2. Do not click on links; instead, go directly to a website by using a search engine to locate it or copying the link and pasting it into the browser
  3. Configure your browser to block pop-ups
  4. Use anti-virus, firewalls, and anti-spam software
  5. Set up automatic security updates
  6. Input personal information only into secure sites, such as those that begin with "https"
  7. Only open attachments when you are expecting them and recognize where they are coming from
  8. Check financial statements upon receipt for any fraudulent activity
  9. If you are caught in a phishing scheme, notify law enforcement and credit reporting authorities immediately
  10. Always be cautious in giving out personal information

Whether you consider yourself a big fish or a small fish, beware of those trying to catch you up on the Internet--hook, line, and sinker.


February 3, 2012

Online Presence, Your Calling Card

In the age when Facebook has surpassed 800 million users, I still often hear people say that they don't like to join social networks or put any information about themselves on the Internet. 

Whether or not their apprehensions about their privacy being compromised are justified or whether they feel that "it's simply a waste of time" or that they "just don't get it," the impetus for us to all establish and nurture our online presence is getting more important than ever. 

In the competition for the best jobs, schools, even mates, and other opportunities, our online credentials are becoming key.

We've heard previously about jobs checking candidates' backgrounds on the Internet and even bypassing candidates or even firing employees for their activities online.  

Numerous examples of people badmouthing their companies or bosses have been profiled in the media and even some politicians have been forced out of office--remember "Weinergate" not too long ago?

Now, not only can negative activities online get you in trouble, but positive presence and contributions can get you ahead.

The Wall Street Journal (24 January 2012) reports in an article titled No More Resumes, Say Some Firms that companies are not only checking up on people online, but they are actually asking "applicants to send links representing their web presence" in lieu of resumes altogether. 

What are they looking for:

- Twitter Accounts
- Blogs
- Short Videos
- Online Surveys/Challenges


The idea is that you can learn a lot more about someone--how they think and what they are like--from their history online, than from a resume snapshot.

Of course, many companies still rely on the resume to screen applicants, but even then LinkedIn with over 135 million members is sometimes the first stop for recruiters looking for applicants.

Is everything you do and say online appropriate or "fair game" for people screening or is this going over some sacred line that says that we all have professional lives and personal lives and what we do "when we're off the clock" (as long as you're not breaking any laws or doing something unethical) is no one's darn business?  

The problem is that when you post something online--publicly--for the world to see, can you really blame someone for looking?  

In the end, we have to be responsible for what we disclose about ourselves and demonstrate prudence, maturity, respect, and diplomacy, perhaps that itself is a valid area for others to take into account when they are making judgments about us. 

When it comes to children--parents beware; the Internet has a long memory and Facebook now has a "timeline", so don't assume everyone will be as understanding or forgiving for "letting kids be kids."

One last thought, even if we are responsible online, what happens when others such as hackers, identity thieves, slanderers, those with grudges, and others--mess with your online identity--can you ever really be secure? 

Being online is no longer an option, but it is certainly a double-edged sword. 

(Source Photo: here; Image credit to L Hollis Photography)


October 13, 2011

Increase Security On Your Google Account

After reading the article Hacked! in The Atlantic (November 2011), I looked into Google's new security feature called 2-Step Verification (a.k.a. Two Factor Authentication).

This new extra layer of security--adding "something you have" to "something you know"--to your sign in credentials helps to better protect you and your information in Google (i.e. in the Google cloud), including your emails, documents, and applications.

While a little extra work to log in to Google--you have to type in a verification code that Google sends or calls to your phone (this is the something you have)--it provides an extra layer of defense against hackers, criminals, and identity thieves.

To protect your Smartphone, Google provides "Application-specific passwords" that you generate from the 2-Step Verification screen and then you enter those into the specific iPhone, Droid, or Blackberry device.

You can sign up for 2-Step Verification from your Google Account Settings page and help protect yourself, your information, and your privacy.

In the future, I hope that Google (and other cloud vendors) will improve on this and use biometrics, to add "something you are," to the authentication process and make this even sleeker and more secure yet.

Stay safe out there! ;-)


January 22, 2011

When My Friend Got Hacked

True story.

So an old friend of mine had his account hacked on Facebook.

And the hacker is sending chat messages to my friend’s Facebook contacts—like me—pretending to be him—with his picture and name and all his online information.

He says that he is stuck in London, just got mugged—at gunpoint—losing his money and phone and needs my help.

At first, I’m thinking oh crap; my friend is in trouble and needs me. Then, I’m like wait a second, he’s pulling my leg. So I ask “are you joking?”

The hacker—pretending to be my friend—continues how it was such a terrible experience, but thank G-d they are still alive.

I’m on the other end of this chat—and questioning now if this person is really who they say they are—despite the REAL picture and profile.

I ask who are you with?

The hacker replies with the name of my friend’s wife. Her real name!

And the hacker continues with the mugging story and how they are leaving in a few hours for their return flight to the States, but need help.

Ok, I am happy to help my friends, but I want to know this is really my friend. Behind the scenes, I am contacting other mutual friends, family and so on to verify this story and resolve this.

On the chat, I ask—can you tell me something that only the two of us would know?

The hacker starts flipping out and gives me "?!?!?!...."

I repeat my question and ask if the hacker understands.

The hacker responds that they do.

And then ignoring my questioning, proceeds with the storyline asking me to wire money and that it will be okay, because they will need identification to retrieve the wire.

Now I ignore the hacker’s request and go back to my question about who this person on the other end of the chat really is?

No response.

"U there?"

Hacker is offline...for now.



August 23, 2009

E-memory and Meat Memory

As we move towards a “paperless society” and migrate our data to the computer and the Internet, we can find personal profiles, resumes, photos, videos, emails, documents, presentations, news items, scanned copies of diplomas and awards, contact lists, and even financial, tax, and property records.

People have so much information on the web (and their hard drive) these days that they fear one of two things happening:

  1. Their hard drive will crash and they will lose all their valuable information.
  2. Someone will steal their data and their identity (identity theft)

For each of these, people are taking various precautions to protect themselves such as backing up their data and regularly and carefully checking financial and credit reports.

Despite some risks of putting “too much information” out there, the ease of putting it there, and the convenience of having it there—readily available—is driving us to make the Internet our personal storage device.

One man is taking this to an extreme. According to Wired Magazine (September 2009), Gordon Bell is chronicling his life—warts and all—online. He is documenting his online memory project—MyLifeBits—in a book, called Total Recall.

“Since 2001, Bell has been compulsively scanning, capturing and logging each and every bit of personal data he generates in his daily life. The trove includes Web Sites he’s visited (22,173), photos taken (56,282), docs written and read (18,883), phone conversations had (2,000), photos snapped by SenseCam hanging around his neck (66,000), songs listened to (7,139) and videos taken by (2,164). To collect all this information, he uses a staggering assortment of hardware: desktop scanner, digicam, heart rate monitor, voice recorder, GPS logger, pedometer, Smartphone, e-reader.”

Mr. Bell’s thesis is that “by using e-memory as a surrogate for meat-based memory, we free our minds to engage in more creativity, learning, and innovation.”

Honestly, with all the time that Bell spends capturing and storing his memories, I don’t know how he has any time left over for anything creative or otherwise.

Some may say that Gordon Bell has sort of an obsessive-compulsive disorder (OCD)—you think? Others that he is some sort of genius that is teaching the world to be free and open to remembering—everything!

Personally, I don’t think that I want to remember “everything”. I can dimly remember some embarrassing moments in elementary school and high school that I most sure as heck want to forget. And then there are some nasty people that would be better off buried in the sands of time. Also, some painful times of challenge and loss—that while may be considered growth experiences—are not something that I really want on the tip of my memory or in a file folder on my hard drive or a record in a database.

It’s good to remember. It’s also sometimes good to forget. In my opinion, what we put online should be things that we want or need to remember or access down the road. I for one like to go online every now and then and do some data cleanup (and in fact there are now some programs that will do this automatically). What I thought was worthwhile, meaningful, or important 6 months or a year ago, may not evoke the same feelings today. Sometimes, like with purchases I made way back when, I think to myself, what was I thinking when I did that? And I quickly hit the delete key (wishing I could do the same with those dumb impulse purchases!). Most of the time, I am not sorry that I did delete something old and I am actually happy it is gone. Occasionally, when I delete something by accident, then I start to pull my hair out and run for the backup—hoping that it really worked and the files are still there.

In the end, managing the hard drive takes more work than managing one’s memories, which we have little conscious control over. Between the e-memory and the meat memory, perhaps we can have more of what we need and want to remember and can let go and delete the old and undesired ones—and let bygones be bygones.