Rossander’s Security Reader

Law enforcement agencies are reporting a recent uptick in the number of lost or stolen laptop computers. It’s not clear yet whether this is a random fluctuation, a consequence of the troubled economy or something else but it is a disturbing trend.

Laptop computers represent one of most significant information risks for any company because of the sheer volume of confidential information that they can hold. Worse, even if you don’t think you’ve ever saved a confidential document onto your computer, the computer will almost certainly have the access credentials needed to access information that is centrally held. One stolen laptop can put all of your data at risk. In those situations, the state-level breach disclosure laws put the burden on the breached company to show that their information was not compromised. When in doubt, the company must disclose. So unless you know positively what information got stolen, you might have to assume that all of it was and notify everyone in your database. Thousands of notifications, leading to lawsuits, wasted time, panicked customers and, most seriously, a loss of trust with your customers.

For most companies, there are two thin lines that protect your customer information.

One is each individual employee’s practice of protecting the computer itself. The vast majority of laptop thefts are crimes of opportunity so don’t give the criminal the opportunity. Have a policy that requires your staff to keep their laptops locked up at night. If leaving the computer at the office, put it in a desk drawer or cabinet – out of sight, out of mind. Don’t assume that the door lock will be sufficient to keep the thieves out. (See this Times article for an example of how easily a professional thief can impersonate his/her way into a supposedly secured office.) If your staff are taking the computer home, make sure they know to either bring it in with them or lock the computer in the trunk if they have to stop on the way. Never let the computers be left exposed.

The second line of defense is encryption. Scrambling your data can provide protection in case the unthinkable happens. That encryption, however, is no stronger than the key used to unlock it. For many companies, the encryption is based on a password (often the same password used to log onto the computer in the morning). Always pick a strong password. Don’t just pick a word, capitalize the first letter and add some numbers at the end. This is a natural tendency for english-speakers and the hackers know it. They optimize their cracking routines to break passwords in this pattern and will crack them in mere minutes. Use whole sentences instead. Whole sentences are easy to remember but far harder to break.

And never, never, never write down your password and leave it with the device you are trying to protect. That would be like buying a $3000 security door for your home, then leaving the key in the lock. You’d never be that careless at home. Don’t let people be careless at work, either.

If you have a laptop, protect it. Even one loss is too many.

Credit report reminder

For those of us on the "trimester plan" for reviewing our credit reports, it’s time to ask for your free copy of your credit report from the next agency.

According to a Washington Post article, Microsoft and the state of Washington recently filed lawsuits against a number of scareware vendors. They’re finally taking on the scammers who are trying to trick us into buying worthless (or worse, malicious) “security” software.

One of the lawsuits specifically charges Texas-based Branch Software with involvement in the “Registry Cleaner XP” scam. A number of other “john doe” lawsuits were filed in an attempt to learn the identities of the individuals responsible for marketing other scareware products such as WinDefender, XPDefender, Antivirus2009 and Scan & Repair Utilities.

Kudos to Microsoft for finally attempting to do something about these scammers. Now if they’d just reset the defaults in their own software so it wasn’t so vulnerable in the first place…

Until they do, make sure you keep your computer fully patched, never bypass the firewall and be cautious of any suspicious links or pop-ups – especially ones telling you that your computer needs fixing.

If your office has an IT specialist, make sure he/she is signed up for regular alerts about the latest technical security vulnerabilities. These alerts will help you prioritize which patches need immediate remediation and which can wait while you test them for unintended consequences. Here are a few that I’ve found to be reasonably thorough:

• US-CERT (US Computer Emergency Readiness Team)
• Internet Storm Center (a service of SANS.org)
• BOL Tech Talk (a service of BankersOnline.com)
• Internet Security Systems’ X-Force Threat List (recently purchased by IBM)

If you don’t have someone who can watch and evaluate these notifications, you probably need to set your patches to automatically update themselves and hope that the patch doesn’t break anything else accidentally.

Earn millions! Help a damsel in distress! Win the lottery! Work at home! Whoops, I overpaid – please send back the overpayment!

These are just a few of the scams out there. The average adult American receives 4½ emails, phone calls or pieces of mail per week attempting one of these scams. Thirty percent say they receive 10 or more a week and 18% admit that they or a family member have fallen for one of them.

The National Consumers League (NCL) recently launched a website fakechecks.org to help educate consumers about check-fraud scams like these. The website includes a “fraud test” and some great videos that show exactly how these six scams work and how to recognize them when they come in . Take a few minutes at home to see how many of these you would fall for. And remember, this is what these scammers to for a living. Some of them are very good at building a rapport and sounding trustworthy. They play on our inherent trust and desire to be helpful and courteous.

Remember also that in a check fraud scheme, the victim is responsible for the lost money and any overdraft or returned check fees. The fraudster ought to be responsible but given the odds of catching him/her, that is dangerous wishful thinking. The bank has no responsibility if you fall victim to check fraud like the ones above.

If you are a victim who recently wired money to fraudsters, report the incident immediately to the security department of the business that handled the wire transfer. If the payment hasn’t been processed yet, they might be able to get your money back. If it’s an older scam, report it at fakechecks.org.

Every so often, people ask me "why do they do it?" Why do the hackers put so much time and energy into committing crimes and sending spam? Why can’t they channel all that innovation for good?

The stereotypical hacker used to be a pimply-faced, pizza-eating kid working late at night in a caffeine-induced frenzy for guts, glory and bragging rights – kids breaking into systems just to prove that they could or writing computer viruses to delete hard drives for the cheap thrill of vandalism. There are still some of those folks out there but the vast majority of hackers and spammers are now in it for the money. They are organized, well-educated and they’re making big bucks.

According to McAfee CEO David DeWalt, cybercrime has become a $105 billion business and is now larger than the value of the illegal drug trade worldwide. Unfortunately, computer crimes are relatively safe crimes. Hackers hide behind multiple networks and their digital footprints. Many hackers run at least part of their scam through a foreign country – often one with poor relations with the US, significantly increasing the difficulty in prosecuting any case against the criminal. Law enforcement’s ability to find, prosecute and punish cybercriminals has not kept up with the growth of the criminal activity. And even if you do get caught, DeWalt noted that “If you rob a 7-11 you’ll get a much harsher punishment than if you stole millions online.”

And even if the hacker can’t make any money off you directly (by stealing your personal information or using your computer as a point-of-entry into the corporate system), they can still hijack your computer’s processing power to attack other systems. The hacker sees your computer as an asset.

Take spam as another example. If we all stopped buying, the spam problem would dry up in a matter of months. Yet 98% of all message traffic on the Internet is now spam. Who buys that junk? According to a study from several years ago, a spammer only needs to make one sale or con per 100,000 messages in order to make a profit. With those odds, they don’t even have to be good scams. They just have to find the one gullible person among your 100,000 closest friends.

• Keep your personal computer protected at all times with anti-virus, anti-spyware and firewall – and keep them all current. Keep your computer patched at all times.
• Pick strong passwords and never give them out to anyone no matter how good their story is.
• Be alert for phishing scams.
• Never buy anything from a spammer.

Most people think that they’re protecting their computers but few are as safe as they think they are. According to a poll conducted by the National Cyber Security Alliance (NCSA) and the anti-virus company McAfee, 87 percent of Americans say they have anti-virus software. When their computers were scanned (with their permission), 94% actually had anti-virus software but only 52% had updated it in the last month. New viruses are released daily. An out-of-date anti-virus package does you almost no good at all. Most anti-virus packages have an option to update themselves automatically. For almost all of us, that’s the right choice.

73% of those surveyed said they had a firewall. 81% had a firewall but only 64% had it activated. That’s like saying your money is protected by the steel door of the bank vault but leaving the door hanging open. Never disable your firewall.

70%t said they had anti-spyware software but only 55% actually have it.

The poll also reported that 61% believe they have anti-spam software installed but only 21% do. (In this case, the poll question may have been worded poorly. If your spam filtering is done by your ISP or your webmail provider, you may be protected from spam even though the anti-spam software is not on your specific machine.) Regardless of how you run it, the important point is to have an anti-spam solution.

Oddly, the study found that computers of older Americans tend to be more secure than those of the allegedly-more tech-savvy younger Americans.

To be properly protected, you need current anti-virus, an active firewall, up-to-date patches for your operating system and applications and at least one anti-spyware program running. If you don’t, you are taking unnecessary risks with your personal information.

Click here to read the full study results.