It sounds like some kind of high-tech cyber stuff right out of Ocean’s Eleven, except it’s very real.

Tracking, eavesdropping, viewing text messages are all possible with versions of cell phone spy ware that make identity theft as well as cyber stalking possible.

According to Rick Mislan, former military intelligence officer and current cyber forensics teacher at Purdue University’s Department of Computer and Information technology, “It’s real, and it is pretty scary.” Mislan says, “I think a lot of people think their cell phone calls are very secure but our privacy isn’t always what we think it is.”
It happened to Heather and Courtney Kuykendall who told NBC’s Today Show that stalkers were “listening to us and recording us,” and “we know that because they will record us and play it back as a voicemail.” The Kuykendalls are featured on a YouTube video of a channel 13 WTHR investigative report by Bob Segall. The Kuykendalls, from Tacoma, Washington, were not only spied on and tracked but Courtney, a teenager, was harassed and threatened by an unknown caller for four months. Even after the family changed cell phones the calls continued. Once the FBI was brought in, the cyber stalking stopped but the stalker was never identified.

How does cell phone tapping work?
Cell phone spyware is marketed on the web by sites offering the latest spy technology and tempting customers with idea of catching a cheating spouse, listening in on a boss or coworker or even spying on a babysitter. Web sites claim that you can spy without anyone ever knowing. Most of these services are offered from Taiwan, Thailand and the United Kingdom and vendors charge anywhere from $60.00 to $3,000.

Are cell phone tapping programs legal?
No. Using these programs without permission is illegal. That doesn’t mean it isn’t happening and a lot more often than most of us ever knew.
“These are gross violations of the federal and state laws,” said Joe Farren, a spokesperson for CITA-The Wireless Association, an industry organization representing the nation’s major cell phone manufacturers. Farren adds, “It’s very clear, without their express permission, you can’t listen in to someone’s phone calls, you cannot read their text messages, you can’t track their movements. You can’t do any of those things and there are numerous laws being broken.”

Reporter Tests Out the Cell Spyware
Reporter Bob Segall use a cell phone spyware program on a producer’s cell phone, with her permission. He admitted that downloading the spyware took several attempts and some patience but once it was up it worked just as the vendor as promised. This demonstration reveals what can happen when your cell phone is tapped:
Segall could her hear her phone conversations that she was having her home on his own cell phone from outside of her house. He also received constant satellite updates on her location and he could read all of her text messages. Unbelievably Segall could hear her conversation from four miles away when her cell phone was in the room, even though the cell phone was not turned on.

Can You Tell if Your Cell Phone has been Tapped?
You may very well never know but here are signs to look for:
- If your cell phone battery is warm even when your phone has not been in use.
- If your cell phone lights up at unexpected times, especially if the phone is not even in use.
- If you hear unexpected beeps or clicks during phone conversations.

How Can You Protect Yourself?
-Keep a close eye on your cell phone (don’t leave it in an unlocked gym locker) so that no one has an opportunity to download information such as spyware
-Install and use a security password on your phone
-Take the battery out of the phone when not in use
-Only use new, prepaid cell phones for especially sensitive information
Be aware that high-end cell phones that allow for internet or online access are the most vulnerable.
Think that no one would be interested in boring phone cell phone conversations? Consider these questions. Have you ever called your bank and given your social security or credit card or debit card numbers over the phone? Have you ever called a catalog company and placed an order using your debit or credit card? Have you ever called your doctor’s office and been asked for your date of birth? These cell phone spyware programs make identity theft, as well as a host of crimes easy to commit and difficult and to trace.

http://www.wthr.com/global/story.asp?s=9346833

—————-
Note: If you have a legitimate reason
for tapping someone else’s cell phone
(like reading the texts of your children),
then we recommend the following:
Text Messages: Cell Phone Spy
Other tapping: Mobile Spy
—————–

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

With the end of the holidays it is quite fitting that we look at staying safe while sharing content online as many of use probably have many pictures, videos and messages to share with our friends and family, some of which celebrated with us and some which were unable too.
The internet offers in many cases a free, efficient way of sharing information with our friends and family, especially those far away, with the opportunities for free storage and immediate connections. As a result throughout the year and especially after major holidays, people have much to share. For example, I recently sent links of pictures to Grandma and Grandpa so that they could see their grandchildren opening their gifts and playing with them.
Many sharing service providers have offered settings and controls to protect you and your family. By understanding the settings and controls on the sites you may use, such as Facebook, MySpace, Shutterfly or Photobucket, you can keep your information safe.
The most important thing to remember when sharing information online is to set your controls each time. Indicate if you want pictures, photos, images or videos to be available to the public (anyone can view them); to friends (only those you indicate); or to be private (only you can view them). Forgetting to set these controls is like forgetting to lock the door when you leave the house.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

The holiday shopping season keeps many people online, shopping for the best deals, banking and planning their travel. But many people use these services and many more every day from news to travel, that require them to set up accounts with user names and passwords. Passwords are essential for keeping your online information safe from identity theft so it is important to follow three simple instructions for creating, using and storing your passwords.
Google Privacy and AARP have teamed up to provide us with a quick video on using your passwords. Google Product Manager for Business and Trust offers the following tips on keeping your passwords safe, no matter what site or service you are using.
1. Create a secure password, something easy to remember but hard to guess. Do not include public or private information such as names, birthdays or social security numbers. One suggestion is to use a phrase you won’t forget. Then use the first letter of each word in that phrase to create a password.
2. Use different passwords for different accounts or services. This way if one password becomes compromised, the remaining sites and information stored there will be protected.
3. Passwords protection and safety are especially important on public computers. Do not use the “remember me” function available on many websites or the “store password” function. Both of these leave your passwords open to use, and your information open to identity theft.
After creating a secure online password, make sure you remember it without writing it down or carrying it with you. This too leaves your information open to access should you lose the paper, calendar or wallet that it is stored in.
The internet is an amazing tool, one which I use every day to earn a living, help my children with homework, and communicate long distance, shop, travel and bank. Without the protection of my passwords to protect me, my identity would be open to others to do the exact same things, but all at my expense and that of my family.
View the AARP and Google video to learn more about these important tips and hints for keeping your password and your identity safe from theft.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Google and AARP have joined together in an effort to provide information on a number of important topics, including identity theft. One video that can help you this holiday season is “Safer Shopping On-Line.” In this video, Google Systems Engineer Maile Ohye provides:
*information on trusting your on-line shopping experience and organizations
*four questions you should ask before you buy on-line
*how to tell if your on-line shopping site is secure and what they can and may do with your information once you provide it.
This engineer advocates not using public computers for shopping and banking on-line as they may not be safe. See our article 7 Steps to Protect Yourself with Shared Computers on ways to use a public computer to have a safer shopping experience.

Source: Google and AARP.org One-Line Safety

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

The following is a presentation of IdentityTheftSecrets.com.
Identity Theft Secrets: This is Jonathan Kraft with Identity Theft Secrets and I’m here again today with Paul Herbka. Today we’re going to be talking about Web Application Security which doesn’t sound like that exciting of a topic, but it’s pretty amazing what can happen when you have a website or web application that gets hacked and all of your information for all of your customers is stolen and what do you do about that? So Paul’s going to talk with us a little about that today.
Paul Herbka is actually the President of The Information Systems Security Association in Denver. He’s the Vice President for South Seas Corporation which is headquartered in Littleton, Colorado and he’s also a Certified Identity Theft Risk Management Specialist and has spoken at numerous conferences and I know you just have a wealth of knowledge here. So thank you very much Paul for taking a few minutes with us today.
Paul (web application expert): Absolutely – I appreciate the time to be with you and just share some information. Really I’m hearing a lot of buzz about Web Application Security. It’s really become an age where if a company has a website, then they’re legitimized and people feel they’re a real company and “ok, I can do business with them, because they must be a real one if they have a website.”
Identity Theft Secrets: You know what’s funny about that – can I interject there real quick? I actually used to work at when it was US West/Dex, you know the yellow pages and I used to sell internet advertising back in 1999, I was a phone sales rep for internet advertising. I would call these businesses in like Pine Junction, Arizona and I’d say, “hey, we’d like to talk with you about getting your website set up on the internet.” And seriously, people would go, “inter- what?!” And it’s so funny to have gone from that in 1999 to today where having a website is being a “real business.” Anyway, I just thought I would interject that there.
Paul (web application expert): No, that is funny and it’s so true. It’s funny – I was just talking to another gentleman and he wants to setup a website; he’s like, “well, people keep asking me, what’s your website?” As if, as long as they have a website, then he’s legitimate. It used to be if you had a business card, you were legitimate and I think some people still do that. But now a lot of people printed up mass, different business cards – so now it’s “ok, do you also have a website? – then you must be real!” So it’s interesting to see that trend.
Well along with that trend is a lot of people are serving up applications and a lot of even government entities are going to where, “hey, now you can do everything online” — and it’s a mixed review, right? Some people say “great! Now I don’t have to leave home – I can just do that, I can do it online; I can it while I’m traveling.” Other people say “hey, this is scary, because now all of my information is “out there.” ”
The reality is a lot of different government entities are making it’s job applications, etc, are all being done over the web which now means, people are putting in their social security numbers, their date of birth, their address, their home numbers, etc., and all that information is traveling. So obviously, security becomes a big issue in that as people are becoming very aware of the cost-savings by having a website. And not only that, but the ability to maybe be in one town or one country, but now offer things to the world, right? We saw those commercials a while back where they say, “hey, you might be a small business here but now you can do business worldwide by having a website.” And you look at the people selling stuff on eBay and now all this stuff is out there.
Now one of the root issues is, is that stuff secure and is your web application secure? So there’s actually a coalition out there called OWASP – I don’t know if you’ve heard of them, but they have the OWASP “Top Ten” and what that is, is it’s a list of the Top Ten issues or vulnerabilities that they are seeing in web applications. And I won’t read through all of them, but the top ones are Cross Site Scripting, Injection Flaws, Malicious File Execution, Insecure Direct Ops References, etc. So basically, it’s the ability for me to hack that website remotely and now it doesn’t matter where I am, I can be in Russia, or China or wherever and hack into these websites and now I no longer have to worry about getting onto the network, right? I don’t have to worry about getting into the physical building – they’ve given me access out on the Worldwide Web and opened it up for me to get in!
The interesting part of that is when people are developing those applications, all the programmers went through school – but in school, they never worried about security. They were worried about efficiency, right? Write better code, more efficient code, less code, the more it can do with less lines -the more efficient it is; the faster it runs, happier everyone is. So they worried less about security, or even not at all about security, and just worried about the efficiency of the code. Well now, what they’re finding out is, this code is efficient, but it’s very easy to fake or to hack and take advantage of these vulnerabilities that just aren’t secure just because of the way it was written. Now when they look at these applications that have grown over the years, that are now thousands and thousands of lines of code, they either need to go back in and do code review or they need to find some other way to secure it.
So that’s really become a key issue in web application and web application security. In fact one of the biggest things now that people are looking at are web application firewalls that are purpose-built firewalls specifically just for web applications.
Identity Theft Secrets: Can you explain more what that means?
Paul (web application expert): Sure! So web application is really focused on all the different things like SQL Injection, Cross-Site Scripting and Cookie Poisoning. Just a simple example of that, is like if you’ve ever done an order online and you see there’s a large string at the top and then the last part is your order number? Well, if you go up and change that order number — and it’s not a secure website — then you’ll actually pull up someone else’s order. Now that’s interesting, but it’s now a security risk if that order had their name, information, credit card number, address, etc., not to mention their order, which they may be ordering something that they may not want the world to see – depending on who they are and what they’re buying or where they’re buying it from.
Identity Theft Secrets: And may also include their credit card information in that order.
Paul (web application expert): Absolutely! Credit card information, the CVV code off their credit card, any of that stuff. And depending on again what they’re doing it may also include – let’s say you’re doing a job application and you change that code, now you may be seeing someone else’s job application; now it also has their social security number, their date of birth, their home address. As far as an identity thief, they’re going, “hey, that’s great! Game over! I’ve got all the information I need. This is fun.” Of course the more sophisticated ones are saying, that’s only the one-sies and two-sies; I’m going to go after the thousands and the tens of thousands or millions. For the hacker that wants to setup a script to just keep doing that – running through all the orders, that’s an easy way to glean information without having to do much hacking.
Identity Theft Secrets: Right, the machine is doing all the hacking for them at that point. Gleaning some random order numbers over and over and over and over and over until it finds one and then it’s grabbing all that information and then putting it into an Excel sheet or something and somebody can open that from wherever.
Paul (web application expert): Exactly and so we’re finding that, more and more, people are going “ohhh, ok, we didn’t realize!” They’re starting to realize the implications of “yes, it was nice that you put this stuff out there; but now, what are the issues?”
So just as an example of what a web application firewall does is, if there are Web worms – so worms written specifically for the web. A regular firewall only has limited access to stopping that. But a web application firewall is built specifically to. Another example would be web vulnerabilities like Cross-Site Scripting, etc. A web application firewall knows about those — a regular firewall has no clue. So that’s something that’s there. The other thing would be directory files or directory structures, brute force attacks, which is where they’re basically just guessing passwords or guessing random numbers or guessing strings. Changing the cookies — most people are familiar with what a cookie is on a website, but a cookie is basically something that says, “I’ve initiated, I’ve authenticated this transaction; whether it’s a purchase or an inquiry or whatever for maybe my bank statements or maybe my access to my records, for medical or whatever.” “I’ve done the authentication,” so then it assigns a cookie to that session or to me so that when I do another request, it says, “oh, ok. I know who you are and I remember who you are.” So if I can find a way to adjust that cookie or tamper with that cookie, called Cookie Poisoning, then I can now take that and get other people’s information the same way. So that’s one example. Brute force attacks are another example where a regular firewall doesn’t know how to handle that; but a web application firewall is built specifically to help with that. So it doesn’t matter if it’s SQL or OS Injection, Cookie Poisoning, Hidden File Manipulation, Parameter Tampering and the list goes on. But there’s a bunch of things — SSL Flooding, a lot of people say, “well, I’m secure, I’m ok, no one can hack in because I’m using SSL VPN or I’m using SSL sessions, HTTPS — so I’m good.” Well, you can do something called SSL Flooding and again a regular firewall isn’t going to know what to do about that; whereas a web application firewall can.
One of the best web application firewalls out there is an F5 Product and they call it ASM Application Security Manager. But it’s basically specifically built to help with that and their whole company policy is to deliver applications that make them secure, but make them available all the time. They also do “low balancing” to make sure that it’s got high availability.
So when we talk about web application security, really the two options are either, review all of your code and make sure it’s secure which is kind of a nebulous thing to start off with anyway; not to mention a painstaking, time …
Identity Theft Secrets: No kidding, hunting through lines of code trying to find vulnerabilities.
Paul (web application expert): Exactly and thousands of thousands lines of code which now are causing other things. You need to know not only that, but you need to follow the whole thought process of what’s being passed, what should be passed, what are the legal ranges for the items being passed – do we have a way of checking for those legal ranges, testing if they are or aren’t legal, etc. And then what happens, how do we handle the exceptions when it’s a typo versus it’s a hacker trying to get in? So we don’t want to cut all sessions that don’t have the right information, but we don’t want to allow them either. So there’s different issues there.
So those are the types of issues that people are facing and I think it’s interesting that there are some people that say, “oh, well I’m not worried about that.” Well, if that application is tied to a database or tied to your network which now has a database that has any information, again, people’s names, social security numbers, their identity, you should be worried about securing that – otherwise you’re going to have a breach and you’re going to be in the newspaper, you’re going to be on the “bad list” of companies to deal with because you don’t secure their information correctly.
Identity Theft Secrets: Let’s say I’m either government institution or a large business. Or even — I work a lot with internet marketing people – those are some of the people I know just selling odds and ends of little products online. But they’re storing credit card information, at least temporarily. If any of those people have issues, what are some good, just everyday resources for people to find details about what they need to do to secure web applications?
Paul (web application expert): Wow, great question! One is, I would say definitely; find yourself a good security consultant, right? Not just a computer reseller, firewall reseller, but find a security consulting company that focuses on that and there’s several things they should do. One is they should be able to do assessments and penetration tests and web assessments to go and find out what are the issues on your website? Is it vulnerable to all those things we just discussed? And then two is, after they do that, they should give you a detailed report that not only says, “here are all the issues we found,” but ranks them in the order of priority – here are the issues that are most important; like a high-red – oops, you’ve got to get this fixed right away. That way you know what your priority list is because no one has unlimited time, unlimited resources and unlimited money to go and just fix all them. You want to figure out what are the big holes that are serious violations or vulnerabilities that I need to plug up now!
Quite honestly, bang for the buck – I would recommend a web application firewall because that’s going to stop – with all of your applications, the old ones, new ones, etc., long-term, the whole OWASP mentality is we’ll learn how to program better and code better and make that a part of your whole development lifecycle and that’s great. It’s a great goal, but it’s not going to get there quick enough. It’s kind of like saying, ok, our car should be energy-efficient. Well that’s not just going to work overnight – it’s a good goal, but if you’re driving an 8-cylinder SUV, it’s not going to become energy-efficient overnight. So those are things you can add to that so that’s it’s protected and it’s secure to give you time to fix the process behind and work with that.
The other thing is it’s constantly getting updated as well from that vendor so that as new vulnerabilities are found, it’s keeping up with that and you don’t have to worry about it. Because people will just say, “well I’ll just work it into my development lifecycle.” Even if all their coders were of that same mentality — which just being real — they’re not, is what about when a new thing comes out are you really going to stop production and coding to go tell everyone about this new thing – here you have to worry about coding it this way or are you just going to say, “well, we’ll fix it up in the next version.” If that’s the case, you’re still open to vulnerabilities and you’re open to being breached and then you again have that high expense of being reactive to a breach; versus proactive on the front-end.
Identity Theft Secrets: Sure and what you’ve said before is that it’s always – and I think “always” and “never” are two words you should always remember never to use – but, you’ve said it’s always cheaper to be proactive then to deal with it on the back-end.
Paul (web application expert): Absolutely, absolutely! In fact, I want to say it’s under 10% — normally the cost for breaches is usually under 10% to deal with it proactively before it happens versus after the breach occurred because you’ve got all these fines and notifications and fees and things you’ve got to do. Not to mention all the hidden costs; customers don’t trust you now so you lose business, the goodwill, things you’re trying to do then to overcome that goodwill. So yes, if you look at the overall costs, always, always, always – which you should never use – (laughs) it’s always more effective to be preventative – at least cost-effective to be preventative – unless you’re just one of those gamblers who says, “I’m going to gamble and hope I don’t have a breach before I go out of business.” But hopefully most people are deciding they want to be in business a long time and therefore that’s not a good policy because the chance of time is against you.
Identity Theft Secrets: Sure. If I’m looking for a solution, what types of solutions are available?
Paul (web application expert): Wow, there’s low-end web application firewalls, there’s “do-everything-in-one-box” type of UTM, Unified Thread Management box and the good thing about that is that they do everything. The bad news about them is that they are a “Jack-of-all-Trades, Master of None.” So, they’re going to be ok at just about everything, but they’re not going to be great at anything. So I really recommend getting a purpose-built box specifically for something as high-volume, high-traffic as a web application where you need that delivery not to be slowed down, but you need it to be looking at everything and securing everything. So I would look at things like that; I would look at again, the F5 product which is really recommended which has great success. It works well, you plus it in and it works; it’s what makes it a great solution and they are constantly increasing it and developing it to make sure it’s always secure and it’s always working to help you.
Then also look at the Data leakage-type products, like the Vontu product from Symantec that really helps you do that. Another thing that people don’t realize when they’re looking at the costs are just all the different fines. In fact, even the payment card industry has figured out this web application stuff is serious. In their new version, PCI DSS, Version 6.6, they’ve said, “you’ve got to have” it’s no longer it’s “nice to have” – they’re saying now “you’ve got to have either code review, which means going through all those lines of code or you have to have a web application firewall.” So they’ve now admitted to themselves and to their community, hey, if you’re taking credit cards, if you’re storing credit cards, no matter how temporary that might be, you need to have a web application firewall or you need to show improved and do the constant code reviews to make sure your code is always secure.
Of the two, the least expensive is going to be the web application firewall. Unless again, you only have one program and it’s only a couple hundred lines long, then yes, do a code review. But if it’s hundreds of thousands or millions of lines of code, a web application firewall is going to be less expensive and it’s going to be easier to implement.
Identity Theft Secrets: You just mentioned too that there was some law or some rule that required people to have things set up. What other kinds of compliance changes or government issues – is the government getting involved as they do in lots of different arenas, so that ideally they’ll protect and help people; but what kinds of compliance issues are people facing now when it comes to web application security outside of the one you just mentioned?
Paul (web application expert): I’m glad you asked that – in fact, it reminds me of a local news story here in Denver where the District Attorney for Denver has just published and said to all the different public websites, so any of the cities or counties or what not, “hey, this is serious and you should not be having people’s social security number or private information out on public websites.” And while that was a general rule that everyone thought they were following, everyone forgot and again it becomes more of the business process in the paper world that then got changed into the web world and people forgot how that became a security risk.
An example is now, public records for a house; who purchased the house and who’s the lien against the house. Wedding information, all that stuff is now filed online and you can look it up online. Well because of that now, people worldwide have access to that, can go in there and get that and they’re saying, “hey, we’ve got to take that off.” If you’ve got a lien record, you’re supposed to be taking the social security numbers off, you’re supposed to be taking the private information off. So now that’s something that’s been kind of declared as an internal or external rule, depending on how you look at it, that says, “hey, we need to be doing this!”
Again, it’s not something where people were doing maliciously posting information; they were just taking what they did in the paper world and automating it to the web world to make things easier for people. But in our “lust” for making things easier, we forgot about security and now we’ve opened people up to the possibility of having identity thieves get their information and use it maliciously.
Identity Theft Secrets: So as far as compliance issues, there’s nothing specific necessarily that requires them to be compliant?
Paul (web application expert): Well, that’s where it’s interesting. There was no specific solution mentioned, but it basically said, “go through all of your web information, whether it’s millions or thousands of pages of stuff you can get off the web and make sure that none of it contains social security numbers, credit card numbers, personal information.
So now there’s a huge market out there for programs that can go out and search for that stuff automatically, right? Using the technology to go through and scan your whole farm of web pages and say, ok, where does that apply? And then, either wipe it clean or take those off and find a way to keep that information off of it – and that’s important. So now there are programs and one of the things that the F5 product can do and that people are using, is the ability of the F5 product to say, “oopss, you’re sending out this webpage, but it contains social security numbers. I should change that so that now it’s generic, right? And I just put X’s instead of the actual number.” So that people see, yes, there is a social security number on this file, but they don’t know what it is. So that’s something that people are doing to automate that. Quite honestly, the payment card industry has said, if you aren’t doing that, you’re in trouble. Now the Denver District Attorney has said, yes, I want all the state’s entities to do that; so it’s becoming more and more and I don’t think that’s a rare thing, I think you’re going to see that more and more and more whether you’re a small business or government entity falling under the SEC or falling under PCI or SOX or HIPAA. Now all the members saying yes, we need to start securing our data because they’re realizing that Identity Theft is a big issue.
So where can you go? Again I would go to … by all means, you can get in touch with us and we can help you with a solution; we can help figure out what’s the best solution. Is it easier to scan through your data, re-clean up your data or just filter it on the way out and change it all out? Or just not allow it? You know there are a lot of different solutions there, but I would say, start working on that and making it a priority. Otherwise you’ll end up paying fines or breach costs, one way or another.
Identity Theft Secrets: I know that South Seas Corp offers people a lot of solutions, as we’ve talked about before, for dealing with web application security and a whole other variety of things. If people want to get in touch with you, how do they do that?
Paul (web application expert): Well, the best way is either email or phone. Our 800 number is 1-866-794-1655. Again, toll-free is 1-866-794-1655 or they can call me directly at 303-798-7588. Or they can email me, my email address is pherbka@SouthSeasCorp.com.
One thing I’d like to offer is that anyone who mentions that they heard it here, we will go ahead and give them a discount and we will give them a 2% discount on any web application firewall they buy from us or any services specifically for security by mentioning this ad. As long as two things: one is they are not an already pre-existing customer and it’s on something they’ve already been quoted or already bought and two is that it’s not on a government contract, because on government contracts I can’t adjust the pricing that way.
Identity Theft Secrets: Well thank you very much for taking a few minutes with us to talk about web application security. I hope people are more informed about – if they have any sort of web application, they need to be looking at creating some security specifically around that web application.
I appreciate you taking a few minutes to share your expertise with us today.
Paul (web application expert): Absolutely and one other thing I forgot to mention is another resource they may want to go look at is the OWASP Top Ten. If you just Google OWASP Top Ten, it will give you the Top Ten List and you can drill down in that – here’s all the things and here’s what it means, here’s how to do it, here’s how to do the code review, here’s some of the products that work against it. So that’s a good resource as well — so I neglected to mention that earlier. If you’re in a web application environment, that’s hopefully something you already know about but if not, that definitely would be a good place to go to.
There are also local chapters of the OWASP that have different meetings. I know there’s a Denver Chapter, there’s a Boulder Chapter – they’re nationwide. I think they’re worldwide, but they’re at least nationwide and so you may want to look at if there’s a OWASP Chapter in your area and get plugged into that because that’s a good way to network with other peers that are concerned about security for web applications as well.
Identity Theft Secrets: Awesome! Well, thanks so much for taking the time with us today and we’ll look forward to talking with you again soon!
Paul (web application expert): Sounds good, thanks so much for having me!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Google and AARP have broadened their services to providing videos which may help you with your safety online. These videos will help you to discover what is posted online about you with simple step by step instructions on how to get the information removed from search engines as well as webpages.
Protect yourself and your information, be persistent, and you can work to keep your information off of the internet — which AARP video refers to as a virtual card catalog of information on just about everything and everyone.
There is some truth to that, depending on who you are, and how much information is out there about you.
Use this information to make sure what is “out there” about you is only what you want to have out there.

Sources:
Check out all the videos Google and AARP created at the YouTube Channel about personal information protection.
And here’s the post about finding what information about you is online at the official Google Blog

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

As needs change and options abound, consumers often upgrade computers faster than they upgrade cars. Depending on the original cost and condition of the computers, some people offer a trade in to dealers that offer used computers and others give away their old computers to family or friends. Some simply drop them off at a recycle center and many choose to donate old computers to after school programs, struggling schools or other charities. In all cases, it would seem a good deed is done. Whether consumers opt for a resale, reuse, recycle or donation, they often believe they’ve made a earth friendly and society friendly choice for their old computer. The problem is, of course, that with identity theft no longer becoming but now the fastest growing white-collar crime, the hands your old computer lands in may not be safe. You’ve heard that no good deed is left unturned and if your old computer falls into the wrong hands, you can be sure the traceable information left on it won’t be unnoticed.
So you’ve erased all of your files from your hard drive, right? Consumer Reports conducted a study using drives purchased on e-bay and ran simple and inexpensive software available to anyone.
What Was Found on These Supposedly Cleaned Hard drives purchased from e-bay?
*A Microsoft Word tax document including salary information
* Quicken files with expense and finance data
* A MySpace account, complete with name and password
* Outlook express e-mails
* Lists of favorite web sites
* Love letters and photographs
These computers were all described by sellers as “reformatted” or “wiped cleaned.”
In a larger study, a research fellow at Harvard University examined over 1,000 hard drives and found only one third of them were properly cleaned. Microsoft Windows doesn’t claim to have an easy or secure way to erase your entire hard drive and recommends using third party software. Mac OS X has a feature to permanently erase Trash files but it has been reported to be slow and only 10.3 or later versions can permanently erase entire hard drives.
Inside Edition also checked out the possibilities and probabilities of identity theft for well meaning citizens who donated their computers to Good Will. The 25 computers purchased in the east coast hubs for as little as $30.00, as well as four computers picked up from a dumpsite held not just surprising but alarming information.
Computer expert Steve Elderkin who examined the hard drives shares that “Of all the hard drives, not one was cleaned of any of the information. Depending on the hard drive itself, you could have all the data in a matter of minutes with almost no work.”
An Arlington, VA resident who believed he had erased all of the information on his hard drive was shocked to learn that within minutes, experts had found both his and his wife’s social security numbers. Social security numbers are of course a jackpot for identity thieves who can easily use a social security numbers to connect the dots for identity theft with other easy to access information. A social security number is a winning lottery number to gain access to your financial or medical credit. In addition to social security numbers, the expert found these do-gooders’ passwords and information from his tax return.
“That’s just about enough to give you a heart attack seeing that,” the computer donator shared. “I was absolutely floored.”
Before you donate, give away, or recycle your old computer, see clear be not to give away personal information that in the wrong hands, could rob you blind. Consider options like WipeDrive from WhiteCanyon.com who have been providing security solutions since 1998 or Eraser, which is free at www.heidi.ie/eraser.
If you’ve used your computer to make purchases, do taxes or finances or monitor bank accounts, be sure you completely erase your identity before you “give away” this computer and information to identity thieves.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Computers don’t have a warm and fuzzy feel. It’s not like they are a treasure chest or sentimental hatbox full of mementos tied up in ribbons? Or are they? When computers hold not only your needed documents but also favorite documents, photographs and music, owners have good reason to hold their computers close to their hearts. Viruses, worms and Trojans threatened to damage or destroy not only your life’s work but also your life’s treasures.
There’s not just the precious to consider of course. The seemingly mundane, but personal information on your computer puts you at risk for the heartbreak of identity theft.
CA security products have really been moving up in ratings.
New features of CA Anti-Virus 2008:
*Automatic live updating
* Automatic file scanning
* Automatic e-mail scanning
* Scheduled hard drive scanning
* On-demand hard drive scanning
* Archive scanning
* Interactive virus detection messages
* Threat outbreak warning system
* File exclusion lists & file quarantine
The 2008 reviewers were happy with the new features of CA Anti-Virus 2008. They describe it as “very user friendly” and go on to say that “…CA seems to be scanning faster with this year’s version of the product.”
CA Anti-Virus 2008 has earned a B+ rating.
What would improve the rating?
“We would like to see improvement in CA’s customer support. Such an improvement would enhance our overall rating. With that said, we still consider CA anti-virus software a wonderful virus protection product and deserving of a B+ Rating.”
CA Anti Virus 2008 is available for $39.99 a year for the first year and renewals are just $29.99 annually.
Remember Anti-Virus protection protects your computer from threats but anti-virus protection does not protect the PC users from the spyware and the threats of identity theft.
CA also offers AC Anti-Spyware 2008. AC offers a free downloadable version that will detect but not delete spyware threats. It can be a helpful, free tool to find out how many spyware threats have targeted you. If you need one, AC Anti-Spyware 2008 is available for $39.99 a year and protects up to three PCs.
Features of AC Anti-Spyware 2008:
* Detects and removes spyware in real time
* Automatic updates
* Stop Annoying Adware Pop-Ups
* Helps prevent theft of personal data
* Improves PC performance
For those of you who want to protect the confidential as well as the sentimental, you may want to consider a security suite that offers comprehensive coverage in a single protection product, which makes suites a money saver all around.
However, memory is a consideration with security suites. If your PC has less than 1 gigabyte of memory, a security suite may slow down your computer.
CA offers a security suite CA Security Suite Plus for $69.99 that covers three computers and includes anti-virus, anti-spyware and anti-phishing to further protect you from the risks of identity theft.
Features of the CA Security Suite Plus:
* Anti-Virus
* Anti-Spyware
* Personal Firewall
* Anti-Spam
* Anti-Phishing
* Parental Controls
* Data Backup
Taking an inventory of what you have in your PC is important. Are there not only necessary but personally important documents, photos or music stored on your PC? How much time do you spend on the computer? How often do you type in important personal information? Being aware of how you use your computer, whether it is a holder of hobbies, a personal treasure trove or survival pack can help you decide what types of protection you need. Think carefully about what you do and have on your computer because you can be sure that keyloggers, phishers and those who want to make you a victim of identity theft will know if you are not protecting yourself and your treasures.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Want to know if the lawyer you’re considering has a good track record of honest representation? Who would you turn to? Other than personal referrals you might want to check with the Better Business Bureau in your area.
On the other hand, need to make a complaint about a dry wall contractor that left you, but not your walls, high and dry? The Better Business Bureau is the appropriate place to file a complaint that can save others this aggravation.
The Better Business Bureau has a long history of helping consumers. They’ve earned public trust and that is just why the Better Business Bureau is such an attractive bait for spear phishing scams.
What is spear phishing?
The term phishing was coined described e-mail scams where identity thieves were “fishing” for personal information like names, addresses, birthdates, social security numbers or account numbers. As opposed to the sport where one casts out bait to see what they can catch, spear fishing is sport where a specific fish is targeted for spearing. E-mil spear phishing is a scam that sends out mass phishing e-mails that target a small group of people, such as corporate executives.
The first waves of phishing scams were “too good to be true” types of scams in which lucky you, of all people, had been chosen to help move money and would be rewarded a great share. Then savvy identity thieves moved on to “too scary to ignore” scams such as your bank, e-bay or PayPal account has been compromised so just enter your name and passwords here so we can protect you.
According to Art Manion, a top vulnerability analyst for CERT, an internet emergency response group based at Carnegie Mellon University, scammers tactics are improving. Manion says “Today, the e-mail looks like it’s from my bank or my company, with better grammar, more believable stories, and better URLs.”
One of the latest scams used the Better Business Bureau to target to corporate executives. The mass spear phishing e-mails arrive saying they are from an address @idtheft.bbbb.org or consumer-complaints@bbb.org or fraud@bbb.org, none of which are Better Business Bureau addresses or even legit e-mail addresses. There are a long list of these fake addresses that have been used. Even as the Better Business Bureau spear phishing scams were being reported, identity thieves simple continued e-mailing using different addresses.
The messages begin with a variation similar to this message:
“This is an automated email that confirms the registration of your complaint case number: [CASE NUMBER] filed by (your company) on (date) concerning Online Identity Theft. The Better Business Bureau does not resolve individual problems but your complaints help us to investigate fraud and can lead to law enforcement action.” This message is followed by clickable links, attachments and request for information verification.
As with any suspicious e-mail, and remember how often they don’t look suspicious, do not open attachments which can be infected with viruses or click on any links which can take you to unsafe web sites. Do not supply any information or even respond to the e-mail because it confirms whom they have reached.
What you can do:
*Copy the internet header and forward to phishing@cbbb.bbb.org, which will reach the Council of Better Business Bureaus, Inc.
*Don’t assume that “they already know about it so they don’t need to hear from me.” Addresses and messages constantly change so each one is important.
*Not only does reporting spear phishing scams stop current scams and protect others, reporting them also helps programmers improve security programs to prevent future spear phishing attacks.
Joe Stewart of SecureWorks, has learned of a Chinese connection in both the IRS scams and the BBB scams. Stewart explains: “Typically when we see malware from China, it has one of two purposes – to either steam documents related to trade secrets of companies and military/government institutions, or to steal accounts from online role-playing games. This new scam doesn’t seem to fit into either category, so it may represent the emergence of a new kind of Chinese-based cybercrime. The question is then, just what do Chinese malware authors intend to do with the vast amount of data they’ve stolen from over a thousand U.S. corporate executives?”
Being a personal or corporate victim of spear phishing is no day at the beach. Spear phishing identity thieves are using attractive bait so beware of the hook and don’t get reeled in to participating in scams.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Individuals take many preventive steps to protect their identity and reduce their risk of identity theft. Not only consumers are taking steps to protect against identity theft, but many states are taking important steps to protect their residents. Among these steps are stiffer penalties, imposing sanctions and fines on careless companies and providing their residents with many tools necessary to correct the errors that identity theft has caused, both to their credit, medical or even in some cases criminal records.
Many identity theft savvy consumers are:
*Installing anti-spy ware software of their computers.
*Using shredders to shred personal documents before disposal.
*Being protective of social security numbers on-line and in public.
*Using services to stop junk mail and risky credit card applications.
While you may be taking all the right steps to protect yourself, businesses that have access to your information aren’t always looking for you. But many states are, such as Texas which is rapidly becoming a leader in consumer protection against identity theft. Texas has a growing reputation for being proactive in preventing identity theft and tough on punishing businesses who don’t comply. Texas law requires vendors to take specific precautions before disposing of personal documents that may include customers’ bank accounts, driver’s license and Social Security numbers. In the state of Texas, you can bet companies will be thinking twice before dumping your credit application in a public trash can.
Recent Identity Theft Threats Prosecuted in Texas:
Radio Shack
Radio Shack in Portland was investigated for dumping sensitive information from thousands of customers into public trash cans. The records included names, social security numbers, debit and credit card numbers as well as addressed and telephone numbers. Among the documents were credit applications and receipts.
Under the settlement with Radio-Shack, the retailer is required to enhance security procedures and implement employee training. Radio Shack also agreed to unannounced compliance audits in all Texas stores bi-annually.
Select Medical
Select Medical was investigated after a report that over 4,000 documents were found in the garbage behind their Select Physical Therapy Location. These un-shredded records included bank account numbers, drug testing results, insurance verification sheets as well as sensitive social and vocational therapy questionnaires.
Select Medical will also be required to amend security procedures and implement training for Texas employees about the newly established state laws governing customer record disposal.
The insurance forms are of particular concern in light of the growing trend of medical identity theft, in which an individuals’ insurance information is used to obtain medical services or to commit insurance fraud.
Under the settlement agreement, the state of Texas will receive nearly $1.5 million in fines, including attorney’s fees. As outlined in the Identity Theft and Protection Act, the remainder will be used for the investigation and prosecution of future cases of identity theft.
Stiff penalties are just one of the steps taken to protect and prevent identity theft. The Texas Attorney General’s Office has created a checklist for victims of identity theft to take steps and track their progress during recovery.
The identity theft check list includes:
*Closing all fraudulent accounts made in your name.
*Contacting the 3 major credit reporting agencies and requesting a fraud alert or security freeze for new accounts.
*Reporting identity theft crimes for local law enforcement and obtaining a copy of the police report.
*Reporting identity theft crimes to Federal Trade Commission and completing and ID Theft Affidavit.
*If victims are being harassed by creditor’s they should file a consumer complaint with the Office of the Attorney General.
The Texas Attorney General’s Office also offers an Identity Theft Victim’s Kit.
Texas has a real motivation to prevent and protect victims of identity theft. According to 2006 state statistics on identity theft, Texas ranks fourth. States are ranked according to victims per 100,000 people, and it should be noted that Texas also has a higher population than many other states.
Top Ten States with the Most Victims of Identity Theft Per Capita
Arizona
Nevada
California
Texas
Florida
Colorado
Georgia
New York
Washington
New Mexico
No matter where you live, identity theft is a real problem. Information, advocacy, laws and prosecutions in any state will ultimately help everyone but in the mean time consumers must educate themselves and arm themselves with protection against identity theft as well as the remedies available to them. With the continued efforts of law enforcement, state and federal agencies, stiffer fines and penalties as well as requiring a higher standard of care from businesses, progress is being made on many levels in protecting consumers.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.