Group items tagged

The following is an excerpt from the book The Truth About Identity Theft. In this section of Chapter 11: Social Engineering (.pdf), author Jim Stickley explains how easy it really is to hack a password. People often ask me how hard it is to hack a password. In reality, it is rare that I ever need to hack someone's password. Though there are numerous ways to gain passwords on a network and hundreds, if not thousands, of tools available to crack encrypted passwords, in the end I have found that it is far easier to simply ask for them. A perfect example of this type of attack was a medium-sized bank that I was testing recently. The bank's concern was related to the new virtual private network (VPN) capabilities it had rolled out to a number of its staff. The VPN allowed staff to connect directly to their secured network while at home or on the road. There is no doubt that a VPN can increase productivity, but there are some pretty major risks that can come with that convenience. The bank explained that the VPN was tied into its Active Directory server. For people who are not technical, basically this just means that when employees log in via the VPN, they use the same credentials they use to log on to their computer at the office. So I went back to my office, sat down, and picked up the phone. The first call I made was to find out the name of an employee in the IT department. I called the company's main line to the bank, pressed 0, and asked to speak with someone in the IT department. I was asked what I was calling about, so I told the employee I was receiving emails from that bank that seemed malicious. I could have used a number of excuses, but I have found that if you tie in an unhappy customer with a potential security issue, your call gets further up the food chain. In this case, I reached a man who I will call Bill Smith. I made up a story about the email, and after a few minutes, he was able to explain to me that I had called the wrong bank and it was actuall

A list of user names and passwords for customers of Comcast, one of the nation's largest Internet service providers, sat unprotected on the Web for the last two months. The list was 8,000 lines long, but Comcast said late Monday that just 700 of those lines contained information for active customer accounts. Kevin Andreyo, an educational technology specialist in Reading, Pa., and a professor at Wilkes University, came across the list Monday on Scribd, a document-sharing Web site. Mr. Andreyo was reading a recent article in PC World entitled "People Search Engines: They Know Your Dark Secrets… And Tell Anyone," when he was inspired to find out what information about him was online. He searched for his own e-mail address on the search engine Pipl. The list on Scribd was one of four results, and it also included his password, which was a riff on his love for a local sports team. Statistics on Scribd indicated that the list, which was uploaded by someone with the user name vuthanhan2004, had been viewed over 345 times and had been downloaded 27 times.

By now, many employees are uncomfortably aware that their every keystroke at work, from email on office computers to text messages on company phones, can be monitored legally by their employers. What employees typically don't expect is for the company to spy on them while on password-protected sites using nonwork computers. But even that privacy could be in jeopardy. A case brewing in federal court in New Jersey pits bosses against two employees who were complaining about their workplace on an invite-only discussion group on MySpace.com, a social-networking site owned by News Corp., publisher of The Wall Street Journal. The case tests whether a supervisor who managed to log into the forum -- and then fired employees who badmouthed supervisors and customers there -- had the right to do so. The case has some legal and privacy experts concerned that companies are intruding into areas that their employees had considered off limits. "The question is whether employees have a right to privacy in their non-work-created communications with each other. And I would think the answer is that they do," said Floyd Abrams, a First Amendment expert and partner at Cahill Gordon & Reindel LLP in New York. The legal landscape is murky. For the most part, employers don't need a reason to fire nonunion workers. But state laws in California, New York and Connecticut protect employees who engage in lawful, off-duty activities from being fired or disciplined, according to a report prepared by attorneys at the firm Proskauer Rose LLP. While private conversations might be covered under those laws, none of the statutes specifically addresses social networking or blogging. Thus, privacy advocates expect to see more of these legal challenges. In February, three police officers in Harrison, N.Y., were suspended after they allegedly made lewd remarks about the town mayor on a Facebook account. The officers mistakenly thought the remarks were protected with a password, but city officials view

You systems administrator knows more about you than you think.

More than one-third of information technology professionals abuse administrative passwords to access confidential data such as colleagues' salary details or board-meeting minutes, according to a survey. Data security company Cyber-Ark surveyed more than 400 senior IT professionals in the United States and Britain, and found that 35 percent admitted to snooping, while 74 percent said they could access information that was not relevant to their role. In a similar survey 12 months ago, 33 percent of IT professionals admitted to snooping. "Employee snooping on sensitive information continues unabated," Udi Mokady, CEO of Cyber-Ark, said in a statement. Cyber-Ark said the most common areas respondents indicated they access are HR records, followed by customer databases, M&A plans, layoff lists and lastly, marketing information. "While seemingly innocuous, (unmanaged privileged) accounts provide workers with the 'keys to the kingdom,' allowing them to access critically sensitive information," Mokady said. When IT professionals were asked what kind of data they would take with them if fired, the survey found a jump compared with a year ago in the number of respondents who said they would take proprietary data and information that is critical to maintaining competitive advantage and corporate security. The survey found a six-fold increase in staff who would take financial reports or merger and acquisition plans, and a four-fold increase in those who would take CEO passwords and research and development plans.

"A Concord, New Hampshire, financial services company is sending data breach notification letters to customers after discovering that shared passwords, set up to simplify administrative functions nearly 10 years ago, could have exposed the private data of 1.2 million customers."

Shared administrative passwords lead to privacy breach notification of 1.2 million customers. Nobody out there still using such bad process! Right?

They may be after the phone, but what about the data? How much of your life is on your mobile device? Some misguided companies let employees use personal devices for work. I wonder what an auditor would say about due diligence and due care when data is leaked through such ignorance. Think, before you set a lax password, or none at all. Karl Thieves are increasingly going after iPhones and other smartphones but victims now can fight back with technology. One device allows a user to remotely activate a loud siren designed to rattle the thief. Another application, designed for iPhones, can reveal the phone's location. Police statistics show petty crime is down in New York but anecdotal evidence and recent headlines about street muggings targeting costly and coveted devices like Apple's iPhone and T-Mobile's Sidekick have disturbed smartphone users concerned about protecting access to e-mail, passwords and other data.

Thieves are increasingly going after iPhones and other smartphones but victims now can fight back with technology. One device allows a user to remotely activate a loud siren designed to rattle the thief. Another application, designed for iPhones, can reveal the phone's location. Police statistics show petty crime is down in New York but anecdotal evidence and recent headlines about street muggings targeting costly and coveted devices like Apple's iPhone and T-Mobile's Sidekick have disturbed smartphone users concerned about protecting access to e-mail, passwords and other data.

"UC San Francisco said late Tuesday it has alerted 600 patients and others that an external hacker may have obtained "temporary access to emails containing their personal information" as a result of a late September phishing scam. The breach occurred about three months ago, and was investigated in mid-October, but wasn't disclosed to the public until Dec. 15. Corinna Kaarlela, UCSF's news director, told the San Francisco Business Times late Tuesday that individuals whose data may have been compromised were notified between Oct. 21, when an in-depth investigation began, and Dec. 11, when it was completed. UCSF said Tuesday that an unnamed faculty physician in the School of Medicine was victimized in late September by the alleged scam. The physician provided a user name and password in response to an email message fabricated by a hacker, that appeared as if it came from those responsible for upgrading security on UCSF internal computer servers. UCSF's Enterprise Information Security unit subsequently identified the breach and disabled the compromised password. UCSF says it conducted an investigation and in mid-October determined that emails in the physician's account ─ including some containing demographic and clinical information and, in a few cases, Social Security numbers ─ may have been exposed."

"The credentials of thousands of Microsoft Windows Live ID accounts were posted online late last week, company officials said Monday. The company confirmed Monday in a blog post that several thousand Windows Live customers had their usernames and passwords exposed on a third-party site over the weekend. "Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers," the post said. "As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts." Windows Live IDs let users gain entry into Hotmail, Messenger, Xbox LIVE, according to Microsoft. The usernames and passwords that were leaked may also be used for other Microsoft services, including the company's web-based Office program and the Skydrive online storage service. News of the breach spread early Monday, but it was unclear how the credentials were originally obtained."

As Forrest Gump said, "Stupid is as stupid does." The 2009 Verizon Business data breach investigation report confirmed what the 2008 report revealed -- attackers usually gain a foothold through stupid, basic errors. "In virtually all the cases, we found that lots of the things that were simple and straightforward, had they been deployed, would have stopped the attack," said Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions. "Simple things like changing the password from the word "password" on the system, those basic errors were somewhere, endlessly; they were everywhere." In fact, the 2009 Verizon Business Data Breach Investigations Report showed that 67% of the 90 confirmed data breaches that Verizon investigated last year revealed that kind of error, usually on a third-party system, often tangential to the heart of the enterprise. But they open the door to the good stuff: thousands or even millions of customer records.

Like this http://www.hdfilmsaati.net Film,dvd,download,free download,product... ppc,adword,adsense,amazon,clickbank,osell,bookmark,dofollow,edu,gov,ads,linkwell,traffic,scor,serp,goggle,bing,yahoo.ads,ads network,ads goggle,bing,quality links,link best,ptr,cpa,bpa. www.killdo.de.gg

A year after Microsoft (NSDQ: MSFT) chief research and strategy officer Craig Mundie urged the technology industry to come together to create a more trustworthy Internet, the company's vision of End to End Trust is starting to take shape. At the RSA Conference this year, Scott Charney, Microsoft's corporate VP of Trustworthy Computing, plans to deliver a progress report on his company's campaign to move beyond the password as a means of authentication.

Monster.com is advising its users to change their passwords after data including e-mail addresses, names and phone numbers were stolen from its database. The break-in comes just as the swelling ranks of the unemployed are turning to sites like Monster.com to look for work. The company disclosed on its Web site that it recently learned its database had been illegally accessed. Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes. Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday. USAJobs.com, the U.S. government Web site for federal jobs, is hosted by Monster.com and was also subject to the data theft. USAJobs.com also posted a warning about the breach. Monster.com has been checking for misuse of the stolen information but hasn't yet found any, it said. It has made changes since discovering the break-in but won't discuss them because it doesn't discuss security procedures publicly and because it is still investigating the incident, Richardson said. She also would not disclose the volume of data stolen, but said the company decided it would be prudent to alert all of its users via its Web site.

Did we need more proof that a chain is only as strong as its weakest link?

A secure Web mail company that challenged hackers to break into the company's Web mail system is paying out a US$10,000 prize, just days after launching the contest. A team of hackers managed to hack into StrongWebmail CEO Darren Berkovitz's Web mail account, using what's known as a cross-site scripting (XSS) attack, the company confirmed Monday. "They did it using an XSS script that took advantage of a vulnerability in the backend webmail program," StrongWebmail said in a statement. StrongWebmail launched the contest at the end of May as a way of promoting the voice-based identification technology sold by its parent company, Telesign. Hackers were given Berkovitz's e-mail address and password and challenged to break into the account. The company thought this would prove difficult because StrongWebmail requires a special password that is telephoned to the user before e-mail can be accessed.

Social networking users are more vulnerable than ever and taking more risks with their online privacy. According to the 'Bringing Social Security to the Online Community' poll by AVG, while the social networking community has serious concerns about the overall security of public spaces, few are taking the most basic of steps to protect themselves against online crimes. Participants indicated concern over growing phishing, spam and malware attacks, and nearly half of those surveyed are very concerned about their personal identity being stolen in an online community. Despite widespread use of social networks at home and/or at work, 64 per cent of users infrequently or never change their passwords on a regular basis, while 57 per cent infrequently or never adjust their privacy settings. Further, 21 per cent accept contact offerings from members they do not recognise, more than half let acquaintances or roommates access social networks on their machines, 64 per cent click on links offered by community members or contacts and 26 per cent share files within social networks. As a result of this widespread proliferation of links, files and unsolicited contacts, nearly 20 per cent have experienced identity theft, 47 per cent have been victims of malware infections and 55 per cent have seen phishing attacks.

"All Facebook users can deactivate their profiles, but doing so quietly might not make quite the same statement as using another service to slam the door on the site. One such service, Seppukoo.com, created by the Italian group Les Liens Invisibles, drew attention late last year after launching a campaign to convince people to commit Facebook suicide. Wannabe ex-Facebook members can provide Seppukoo.com with their names and passwords and Seppukoo then not only deactivates their profiles, but also creates a "memorial" page that it sends to users' former Facebook friends. Facebook evidently isn't happy about this development. Last month, the company fired off a cease-and-desist letter to Les Liens Invisibles, complaining that users who provide log-in data are violating Facebook's terms of service. The company also alleges that the scraping of its data violates a host of laws, including an anti-hacking law, the federal spam law and the copyright statute. "

FaceBook is sooooo concerned about our privacy!

"Hackers are using a variety of weapons and exploiting errors such as default passwords and weak or misconfigured access control lists (ACLs), according to the latest Verizon Business Data Breach Investigations Report. The follow-up to April's 2009 Data Breach Investigation Report looks under the hood of the company's probes, analyzing how breaches happen and how to protect sensitive data. "Customers who read the 2009 Data Breach Investigation Report said they wanted to know how these attacks take place, give some examples from our caseloads and see if those circumstances can happen to them," said Wade Baker, Verizon Business research and intelligence principal. "

"Medical records for about 15,500 Northern California Kaiser patients - about 9,000 of them in the Bay Area - were compromised after thieves stole an external drive from a Kaiser employee's car last month, Kaiser officials said Tuesday." Kaiser officials said the electronic device contained patients' names, medical record numbers and possibly ages, genders, telephone numbers, addresses and general information related to their care and treatment. No Social Security numbers or financial information was contained on the drive, and Kaiser officials said there's no evidence that the information has been used inappropriately. The device was not encrypted, but some of the information was password protected. Kaiser has sent letters to the 15,500 members and the employee, who Kaiser would not identify, has been fired.

Another hospital employee fired for inappropraite access of medical records. More damage to a medical group reputation because someone failed to get the message.

"Yesterday, a "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your phone right now!" message popped up on the screens of a large number of automatically exploited Dutch iPhone users, demanding $4.95 for instructions on how to secure their iPhones and remove the message from appearing at startup. Through a combination of port scanning and OS fingerprinting of T-Mobile's 3G IP range, a Dutch teenager has for the first time automatically exploited a known security vulnerability introduced on jailbroken iPhones - the SSH daemon which unless modified remains running with default users root and mobile, using the same password on each and every device."

The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee. The computer file contained the names, Social Security numbers, birth dates and home addresses of Oklahoma's Human Services' clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits, the agency announced Thursday. The computer, which was stolen when a thief broke into the car April 3 after the employee stopped on her way home from work, was password protected, and officials do not believe the burglar realized what he or she was stealing. Therefore, the risk of the data being accessed is minimal, according to the agency. "We feel this was not a situation where someone was targeting the agency or that information," DHS spokeswoman Mary Leaver told SCMagazineUS.com on Friday. "We feel it was random." Leaver said the state Office of Inspector General is conducting an investigation, out of which likely will come a mandatory review of information security policies. However, it is not believed the employee violated existing policy when the incident occurred, she said. News of the theft comes one day after the Ponemon Institute, in conjunction with Intel, released a study that found the average value of a lost laptop is $49,246. About 80 percent of the cost is related to the chance that a breach could occur, the study showed.

Federal regulators slapped hundreds of small telecommunications providers for not abiding by new rules designed to protect consumer phone records, proposing more than $13 million in total fines. The Federal Communications Commission proposed $20,000 fines on more than 650 small phone, pager and wireless providers Tuesday, accusing them of not filing paperwork that certifies they have put protections in place to protect customer phone data. "I have long stressed the importance of protecting the sensitive information that telecommunications carriers collect about their customers," said Michael Copps, the FCC's interim chairman, in a statement. "The broad nature of this enforcement action hopefully will ensure substantial compliance with our [privacy] rules going forward as the Commission continues to make consumer privacy protection a top priority." In April 2007, the FCC tightened privacy requirements on phone companies in response to consumer complaints about data brokers selling phone records they had obtained illegally through "pretexting," or getting information under false circumstances. The agency required telecom companies to increase security of phone records, requiring customers to provide a password before receiving account information over the phone or online. Phone companies are required to notify customers when changes are made to their accounts or if their information has been improperly accessed. Companies are required to file annual certifications that they have complied with those requirements. The FCC said hundreds of small companies didn't provide the information in 2008, although it noted it was the first year the agency had required the paperwork. The agency warned that future noncompliance could face "more severe penalties."

Mary Kay Hoal tried everything she could to keep her daughter off of MySpace. She put password locks on the computer and blocked the site. Still, her daughter found ways to log on. Hoal's concerns stemmed from statistics that showed 29,000 registered sex offenders were on MySpace, one out of every five kids are sexually solicited online, and nine out of ten children are exposed to pornography online. When she looked for alternative safe sites for kids, she found none, so she decided to do something about it. Story continues below ↓advertisement | your ad here Click Here! The result is www.yoursphere.com, the only social networking site for kids and teens that's backed by the Federal Trade Commission through the site's Privacy Vaults approval. The site's Chief Technology officer worked at the California Department of Justice tracking anonymous online sex offenders, as well as the Megan's Law database. Moreover, it requires verified parental consent for a minor to join. Other features include: -- Requires verifiable parental consent to join -- Confirms the identity of the parent providing consent -- Confirms that the parent or guardian providing consent is not a registered sex offender -- Is exclusively for kids and teens through age 18. -- Exceeds COPPA (Children's Online Privacy Protection Act) and Federal Trade Commission (FTC) guidelines for protecting kids online through our approval by Privacy Vaults Inc. -- Whose policy is "no creepers allowed" -- lurkers are removed and banned. -- No fake profiles. (No one is anonymous on Yoursphere.com) "The bottom line is that we're the only place in the online world that that has taken extraordinary measures to help ensure the safety of its members and meets or exceeds standards set by the government," Hoal said. "Our opinion is that if it's a behavior that is illegal, immoral or unacceptable offline, then it's unacceptable online." About Mary Kay Hoal After researching the disturbing la