Archive for the ‘Physical Security’ Category

Recently, four folks went into Cleveland together for a Cavaliers game. As they pulled into the arena’s parking garage, they noticed that several of the parking spaces had been marked off with traffic cones. One of the parking attendants removed one of the cones and waved them into a very close parking spot on the same level as the pedestrian bridge to the game. They assumed that it was some sort of VIP treatment that came with their tickets. They locked coats and purses in the trunk, then went in to enjoy the game.

Over the next three days, all four reported that their corporate credit cards had been used for fraudulent transactions. Police believe that the car was "marked" by a confederate working as a parking attendant based on the make of their car and their professional appearance. He waved them into the "VIP spot" so his confederate would know which cars to target. The criminals either picked the lock of the car with a slim-jim and popped the trunk from the inside or recorded the electromagnetic code of the trunk’s remote so they could open the trunk themselves.

When the four people each checked their wallets, only the corporate credit cards had been stolen. Personal cards, personal checks and cash were untouched. It’s human nature to pay more attention to our personal accounts than to a faceless corporation’s account. Intelligent criminals exploit that trait and selectively target who and what to steal so they can go undetected as long as possible.

The bank did an excellent job of handling the fraudulent transactions but we all pay when the criminals get away. It is extremely unlikely even with this evidence that criminals will be caught or prosecuted. Sometimes the best we can do is to avoid being targets in the first place.

  • If someone’s offering you a service that seems too good to be true, it probably is. Be extra cautious (and a little bit suspicious) when someone is giving you unexpected special treatment.
  • Keep your valuables with you whenever possible.
  • Watch your credit card accounts (personal and corporate) carefully.
  • Always lock your vehicle.

It’s time for spring cleaning and you finally want to get rid of that old computer that’s been gathering dust for so long. What will you do with the old one? You can’t just give it away or sell it. There are thieves who specialize in buying used computers on eBay just to search them for private or financial information before reselling them.

Even if you remembered to delete your files, the data is not really gone yet. (When you delete a file in Windows, all that really happens is that the file information is removed from the computer’s "table-of-contents". The data is still on the hard-drive and will stay there until Windows decides that it needs to overwrite that particular space with a new file. That can take months or years.) Even re-formatting the hard-drive does not sufficiently wipe the data. You might hide it from a casual hacker that way but a determined attacker using the latest techniques will be able to reconstruct your hidden information. Read this PC World article for more.

You also can’t just put the old hardware out on the curb with the weekly trash. Even if it doesn’t get taken from your trash by some passerby, there are hazardous materials within most of the devices that should be properly disposed of. Here are some steps you should take:

  1. Make a couple of backup copies of important data and programs by writing the files to CDs.
  2. Use one of the free or relatively inexpensive software programs available that will write over the data on the hard drive. This ensures that no one will be able to access your personal information later even if they try to use data-restoration software. Click here for a review of several common programs.
  3. If you can, donate or recycle the equipment. Computer manufacturers often have suggestions on their websites (see, for example, Dell or HP), may even offer free pick-up, and will work with local agencies to donate or recycle the equipment. You can also look for local donation sites at websites such as Earth 911. Finally, many counties offer computer hardware drop-off locations at their hazardous waste collection and recycling sites (e.g., Medina and Summit counties).

Note: Several donation programs ask that you not delete the operating system or software from your computer, arguing that schools can’t afford to replace the software. This is in general untrue. Most schools, like most corporations, buy "site licenses" and can reinstall the operating system at a fixed, discounted rate. If you do want to donate the software along with the hardware, give them the original installation disks and let them install the software themselves. Always wipe the drive before you donate it.
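The difference between deleting a file and wiping a drive, as an added example that is not part of the original post: a toy "drive" (a temporary image file whose first sector is an assumed, simplified table of contents) is subjected to a delete, a raw scan, and then a full overwrite. All names and the sample data are constructed for illustration.

```python
import os
import tempfile

SECTOR, DISK_SECTORS = 512, 64   # toy drive: sector 0 is the "table of contents"

def write_file(img, name, data, sector):
    """Record name/location in the table of contents, then store the data."""
    with open(img, "r+b") as f:
        f.write(f"{name}:{sector}:{len(data)}\n".encode().ljust(SECTOR, b"\0"))
        f.seek(sector * SECTOR)
        f.write(data)

def delete_file(img):
    """What an ordinary delete does: clear the entry, leave the data alone."""
    with open(img, "r+b") as f:
        f.write(b"\0" * SECTOR)

def list_files(img):
    with open(img, "rb") as f:
        toc = f.read(SECTOR).rstrip(b"\0")
    return [entry.split(b":")[0].decode() for entry in toc.splitlines()]

def raw_scan(img, needle):
    """Read every sector directly, the way data-restoration software does."""
    with open(img, "rb") as f:
        return [n for n in range(DISK_SECTORS) if needle in f.read(SECTOR)]

def wipe(img):
    """Overwrite the whole image, which is what a drive-wiping program does."""
    with open(img, "r+b") as f:
        f.write(os.urandom(SECTOR * DISK_SECTORS))
        f.flush()
        os.fsync(f.fileno())

def demo():
    fd, img = tempfile.mkstemp(suffix=".img")
    os.write(fd, b"\0" * SECTOR * DISK_SECTORS)
    os.close(fd)
    try:
        secret = b"ACCT 0000-CONSTRUCTED-SAMPLE"   # constructed sample data
        write_file(img, "taxes.txt", secret, sector=10)
        listed = list_files(img)
        delete_file(img)
        after_delete = (list_files(img), raw_scan(img, secret))
        wipe(img)
        return listed, after_delete, raw_scan(img, secret)
    finally:
        os.remove(img)

if __name__ == "__main__":
    print(demo())
```

After the delete the file no longer appears in the listing, yet the raw scan still finds its contents in sector 10; only the full overwrite makes the scan come back empty.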

My mother taught me to be polite and always hold the door for strangers. Those early lessons are hard to ignore, especially when the weather is bad. It is very hard to tell a coworker "no" and force them to walk around to the main entrance of the building in the rain or snow. Unfortunately, in today’s world of identity theft, litigation and physical violence, those polite habits are increasingly a threat to the safety and security of our coworkers and customers. Imagine the risks if you let someone in who does not belong here. With unescorted access to our building, an intruder could pick up enough information to commit identity theft against our customers on a massive scale. Or worse, the intruder could be coming in with malicious intent toward a fellow employee.

Every company needs to have a policy about visitors and needs to enforce a strict "no tailgating" policy. Visitors should always be signed in and out of your facility and should always be escorted while in any non-public part of your facility. If a customer or other important visitor comes to the wrong door, politely greet them and then tactfully escort them to the correct entrance so they can be signed in.

Employees and contractors should be required to show their authentication every time they enter the building. Do not hold the door for anyone and please do not expect someone to hold the door for you. This is an essential part of security discipline.

If someone does follow you into a non-public part of your building and/or refuses to show their ID badge, immediately go to the nearest phone and call your local Security contact. Give them your name, location and a description of the intruder. The borders between information security and physical security are increasingly blurry. These days, security is everyone’s job.

If your wallet is ever lost or stolen, you need to immediately contact the issuers of all the credit cards and identity documents and begin the process of getting new cards.

About once a year, lay out the contents of your wallet on a photocopier. Copy both the front and back so you have a record of all the card numbers and phone numbers.

Be sure to keep the copy in a very safe place. When you make a new sheet, be sure to shred the old one so it cannot be misused.

File a police report immediately in the jurisdiction where your credit cards or wallet were stolen. Do not wait until you return home. Promptly calling the police shows the credit providers that you were diligent and will be the first step toward their investigation.

Consider calling the three national credit-reporting agencies to place a fraud alert on your name and social security number. That will make it a bit harder for the thief to open new accounts in your name.

If you are traveling, keep your identity document (passport or driver’s license) separate from your wallet. You should also carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.

The average cell phone has a life expectancy of 18 months. What happens to all your personal information when you upgrade your phone? In too many cases, that personal information gets passed along to the next user.

Personal information can include:

  • stored phone numbers and addresses: usually not much of a worry
  • records of calls made or received: not a problem unless you’ve been talking to someone that you wouldn’t want your spouse or employer to know about
  • pictures: again, may not be a problem depending on what kind of pictures you took
  • copies of text messages sent and received: often a serious privacy issue
  • the speed-dial setting for your voicemail with both the access number and password: potentially very serious

This is not an all-inclusive list. Modern phones also include calendars, memo pads, to do lists and other applications, all of which you might have used and which might have personal or business information that should be kept private.

Most phones include a delete function but independent reviews of those delete functions show them to be mostly pretty poor. Good hackers can undelete the information on most common cell phones with only a little specialized equipment and knowledge. To protect your privacy:

  • Treat a phone’s text message service with the same caution that you use for unsecured email. Be especially professional in your use of text messaging.
  • Make sure that your old information is really gone before giving the phone to a friend, family member or charity, or trying to sell it online. (If all else fails, a 2½ lb sledge hammer does a very reliable job of making the data unreadable – but the phone won’t be worth much when you’re done.)

For additional information and a real-life scenario, read this recent story from CNN.com.