It is well known that the internet is not the safest of media as intrusions into foreign networks have become very easy and too convenient for hackers. Nowadays a large number of bots (developed and implemented by hackers) scan networks, and insert and infect fully automated malicious code into foreign remote machines.

Putting additional safety measurements in place is therefore an important requirement to minimize the risk of possible identity theft in a corporate environment. Identity theft often leads to data theft under the victim’s name which can lead to serious repercussions should the case end up in court where a judge has to decide whether the offence was committed by the victim himself or by a professional hacker who just misused the identity of the poor victim.

Recent statistics about economic crime in online media show a strong increase of registered intrusion activities in corporate environments which is now taken very seriously by both governments and major corporate organizations as well as individuals.

So how does a common intrusion happen in corporate environments?

The scenario is very simple. A hacker tries to insert a malformed common file into a trusted well visited website. Let’s say he has created an image file that has been malformed with the purpose to exploit a severe vulnerability of a specific web browser.

In this example the malformed image file will display the logo of the trusted website. Now the hacker tries to replace this original image logo of the target trusted website with his own malformed image. As both image files look the same, the replacement of the image file will not be noticed immediately.

Whenever a visitor opens the trusted website with his specific web browser, the web browser (of the visitor’s client remote machine) will automatically download the webpage including the infected image on his hard disk.

The web browser will process the website including the malformed image logo. By opening this malformed image logo an exploitation of a severe vulnerability of the client’s web browser will take place.

What has happened?

In many cases the web browser will crash immediately and the visitor will be notified with an error message that an unexpected error has occurred. This is a common sign which may indicate that a malformed file has been processed and caused an exception on the web browser level.

However the visitor may not understand why the web browser has crashed and what effects the crash could have for him and for his system. Usually a web browser crash means that the malicious code can now run outside his web browser. So any safety measurement of the web browser will fail, because the crash of the web browser has terminated the existence of the web browser and its own safety measurement.

Any malicious code can run freely outside the sandbox meaning that the malicious code will run with full access rights of the user account (of the visitor). For any system administrator it will look like the malicious code has been run by the victim himself, although in reality the actions were the result of an infected file placed by a hacker (who is sitting somewhere outside the corporate network). As the hacker can implement any type of malicious code he has a free reign to open any doors for data theft on the target machine.

In the next instalment of this blog series we’ll look further into intruder detection and the ways it can happen.

PII refers to information which can be used to identify an individual and typically includes a combination of first name or initial, last name and an additional identifier such as Social Security number, passport number, biometric record, or bank account information.  Information that is publicly available such as work or home phone and address do not generally constitute PII.

A number of states (in the USA) have enacted legislation designed to protect PII and therefore reduce the likelihood of identity theft.  The most recent and possibly the toughest in the nation is Massachusetts regulation 201 CMR 17, or “Standards for the Protection of Personal Information of Residents of the Commonwealth.”  This regulation defines a number of measures which any business, regardless of its location, must put into place if that business stores or transmits PII of a Massachusetts resident.

The steps outlined in 201 CMR 17 make sense whether or not you conduct business with Massachusetts’ residents, and can only help to protect your organization.  (The sole exception is if your organization is subject to even more stringent standards, such as those of the Department of Defense.)

The regulation lists the following items that businesses must put into place.  This is only a partial list.

1. Organizations must identify all areas in which PII is stored or transmitted.
2. Any PII that is transmitted electronically (email, FTP, IM, etc.) must be encrypted.  The regulation defines encryption as a transformation of the data that requires a key to render back to its original form.  Basic password-locking of a document does NOT meet this requirement.
3. Any PII that is stored/transported on portable media such as laptops, USB or flash drives or even smartphones must be encrypted.
4. All organizations must conduct periodic training of employees that have access to PII.
5. All organizations must draft a written information security policy (WISP) that clearly documents the organization’s security policies and processes regarding protection of PII.  In addition, one individual at the organization must be identified as the point of contact for all issues relating to the regulation.
6. Any PII that is stored on paper must be protected when not actively used and must be subject to archival and/or disposal processes.
7. Organizations must implement up-to-date protection for its network, including firewall and antivirus software.

The exercise of bringing an organization into compliance typically involves an interview process by those responsible for the security of the organization, but is often better served by bringing in an unbiased security professional familiar with the intricacies of the law.  Following the interview process, the security professional will then produce the WISP and recommend steps to remediate deficiencies.  And once all is said and done, it’s critical that management buy into the changes and not request exclusions for itself, and also that everyone understands that security protection is dynamic.  It’s not possible to make changes and then relax; new protection mechanisms, policies and procedures should be made on a regular basis and whenever there is a significant change to business process.

The full text of Massachusetts regulation 201 CMR 17 can be found at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.

About the Author:

Brad combines a rare blend of security, high-end systems architecture and application development skills with a unique sense of humor. On top of these, he adds a strong scientific background that he draws upon to analyze and troubleshoot complex IT problems.  Brad is the founder and president of Fieldbrook Solutions LLC,  an IT, MIS and security consulting firm based in Ashland, MA, USA.  He has taught classes in Active Server Pages, JavaScript, HTML and the Theory of Relativity.

He is a Certified Information Systems Security Professional (CISSP), a Microsoft MVP in Enterprise Security as well as a Microsoft Certified Systems Engineer (MCSE) and a Certified SonicWall Security Administrator.  He also earned a Ph.D. in physics from Boston College to help him calculate how long it would take to launch his frozen computer across the local highway.

Brad is a frequent contributor to various online TechTips sites and gives user group/conference presentations on topics ranging from spam and security solutions to Internet development techniques. He also published numerous articles in international physics journals in his earlier, scientific career.

Brad is the founder and president of the National Information Security Group, the former chair of the Boston Area Exchange Server User Group, a member of the FBI’s Infragard Boston Members Alliance, and a member of the Microsoft IT Advisory Council.

I recently came across a very interesting article by Jacqui Cheng on Ars Technica called “Learn how to protect yourself from identity theft” and thought that this article was important to mention because it tackles two very important targets that weren’t covered in my articles; Children’s Identity Theft and Medical Identity Theft.

Children’s Identity Theft

Children are a very good target for an identity thief as he is far less likely to get caught using a child’s identity than he would using a grown up’s identity. People generally check their credit report regularly but they don’t check their child’s since in most cases he shouldn’t have any. This ensures that in most cases the child’s identity can be misused until he is old enough to apply for a loan or anything that might finally reveal his identity’s misuse.

The Federal Trade Commission (FTC) reports that 18,787 complaints where received in 2006 from people aged 19 or under; 19,810 in 2007 and this figure rose to 20,597 in 2008. This is about 8% of the total complains received. Of course it’s important to note that the actual number of thefts is far greater – these are simply the number of people who discovered the theft and reported it.  The total number of complaints received by the FTC in 2008 was 258,427; however, the FTC also estimates the number of identity thefts to be closer to 8 million. So all things being equal it’s more likely that the actual number of child identity theft cases stands closer to 600,000 a year rather then in the range of 19,000 – 20,000. However note that this is only an estimate that makes a number of assumptions such as that the estimated amount of identity theft cases provided by the FTC is close to the true value and even then that the ratio between the estimated and the reported categories is the same. However that being said it is also important to note that y child’s Identity theft cases are more difficult to discover and as such it is likely that the ratio of reported cases involving children’s identity is in fact smaller than it should be.

To protect your child’s identity the same rules that apply for the protection of your own identity, apply for him.

• Make it a point to check his credit report periodically.
• Check his earning records as well.
• Protect his social security number as best as you can and if you receive suspicious mail such as request to file taxes or credit card offers and such, don’t dismiss them, follow them up and ensure it’s not due to someone else using your child’s identity.

Medical Identity Theft

Medical Identity theft is an especially insidious type of theft. Medical Identity theft is such defined when a third person uses your identity for prescription drugs and/or health related goods and services. This can include making fraudulent insurance claims or actually seek treatment under your name.

The FTC estimates that 3% of identity theft is used for medical purposes which translate to about 266,000 cases.

Why is medical identity theft so insidious? The obvious reason is because it costs money. Medical care can be expensive and as such the victim might be presented with expensive bills for treatments that they never had or even get into legal trouble for anything the perpetrator might be guilty of, such as drug abuse and possibly even child mistreatment if these are discovered during a hospital visit and later reported to the police.

However it doesn’t end there. There is also a physical danger to medical identity theft. If the identity thief goes in for treatment / surgery using your identity, as far as the medical institution personnel are concerned it is you receiving that treatment. This ultimately means that whatever the identity thief does will go on your history which can have life threatening consequences. Imagine a situation where an identity thief has an appendectomy and then you go to a hospital with such pains. There is a real risk that if a doctor reads your history before talking to you he might exclude such cause which could have some very dire consequences.

Protecting your medical identity involves more or less the same procedure as protecting your general identity.

• Never share your social security number unless really necessary.
• Monitor your summer of benefits from your insurance company for anything you might not have done yourself.
• Check your healthcare records on a regular bases
• Protect your insurance cards and health/insurance reports like you would any other confidential information.
• Shred any papers you’re going to throw away that have personal identification information on them

Nowadays a robbery is no longer exclusively about guns and taking people hostage, well at least not in the literal sense. Today a robbery can just as easily be done in the comfort of one’s home using email as the tool of choice. A robbery can be committed with the simple gesture of sliding a credit card through a skimmer or as simply as applying for a new credit card using someone else’s identity.

But what does it all ultimately mean? Should we just drop the digital age and go back to the Stone Age? Should we be all paranoid and never even get a credit card? No, there is no need for such extreme measures. As they say knowledge is power and being aware of the dangers can go a long way to prevent these undesirable scenarios from occurring.

Security Tips:

ATM

If you’re at an ATM check that there are no objects lying around that do not belong to that environment. Ensure that there are no foreign objects in front of the card slot and when typing your P.I.N. cover the keypad with your other hand. If there are foreign objects or suspicious-looking items talk to the bank personnel and ask them to check it out.

Credit Cards

When using a credit card keep an eye on it and ensure that it is not swiped anywhere except on the legitimate credit card company terminals. Check your statement regularly and ensure that there are no transactions listed that you didn’t authorize. If in the unfortunate event there are transactions that you do not recognize call the credit card company and let them know immediately.

Identity Theft

Always protect your data. Never give out information such as social security numbers to strangers. A good rule to follow so as to know what information you should never disclose to people is to keep in mind the questions that various institutions ask when they need you to prove your identity, for example when you apply for  a credit card, or when you call your telephone company. If you disclose certain personal information to outsiders, then they will easily be able to impersonate you and these institutions will think that they are in fact talking to you! Identity theft is a serious issue that can be very hard and tedious to get out of. After all once someone steals your identity you cannot simply change it like you would a credit card, so ensure that you always protect your personal data. Simple things such as shredding documents that contain certain confidential data instead of just throwing them out can help.

Scams

Life online is full of people trying to steal from other people. These malicious individuals try to lure people with promises of great riches. The trouble starts when victims start believing in these promises and believe that all their dreams will come true if they pay small amounts of money to these people. The initial payments seem negligible compared to the promised gains but these things tend to escalate and these ruthless individuals will try to extort every last penny until that individual is unwilling or unable to pay more. In some cases when this happens the victim is contacted by a supposed official  who can ‘help’ them recover their money – at a small cost… this is just a continuation of the scam which again should be ignored and reported to the police.

Best Practices

Another important factor is one’s behavior online. As much as protecting your information is important so is protecting your environment. Ensure that your computer is not compromised. Do not run applications which you do not need and always be careful as to what attachments you open in your email. Even if an email is seemingly sent from a friend it’s quite possible that it is actually a Trojan that has infected your friend’s PC and is trying to spread by email. Always have an anti-virus solution running and always ensure that your environment is up to date. Most outbreaks would be prevented if people installed the latest security patches for their operating system in a timely fashion.

Skimming

Technology has long played a part in most modern Hollywood movies, yet it’s not just the material of fiction, it is also something present in our daily lives. Technology can be an effective means for the 21st century thief to steal money with relative safety. The Skimmer is one such device that is used to steal credit cards. It is especially insidious when installed on an ATM. The thief would generally attach the skimmer on top of the normal ATM card slot. Unknowingly the victim would slide their card through the skimmer into the normal ATM slot which would copy the card and store it locally in a close by device or in some cases even transmit it to the thief who would be hiding nearby. A more elaborate system would also include a small hidden camera to record the victim’s PIN as he is entering it. Skimming is not limited to ATMs unfortunately, as these devices can be purchased relatively cheaply online and can be used anywhere from restaurants to any shop that allows payment by credit card. Therefore always be vigilant about your card and ensure that it is only inserted by staff in legitimate payment terminals. See for yourselves how a skimmer is used to defraud people.

Identity theft

Whilst cutting edge technology might seem glamorous, it is not a must for a 21st century heist. How about using normal equipment which is nowadays available to everyone?  Perhaps a simple laptop with a wireless connection? Wireless has been used to steal credit card numbers from the parking lots of stores. What about over the internet? Phishing emails have been used numerous times to perform identity theft; all that is required is a computer and an internet connection. But why is identity theft so dangerous? Why classify it as a 21st century heist?

Identity theft can be very dangerous to any victim. All that a malicious person needs is the victim’s name, date of birth and social security number and he can then apply for a new credit card in the victim’s name. The victim would be unaware of this new credit card and the perpetrator is free to use it for as long as he wants and never pay back any balance.  When the bank decides to take action they will not do so against the perpetrator, but against the victim, because for them it was always the victim who owned that credit card. And a credit card is not all that an identity thief can illicitly benefit from; what about taking a car loan? Again it too will be taken under the victim’s identity whilst the perpetrator would take the car bought from that money, or possibly even simply run away with the money. The victim will only get the bill. Another possibility is to open a bank account in the victim’s name and issue bogus checks on it. Again it will be the victim who will have to defend him/her self when faced with bank charges.

Fake money Orders / Checks

Another common modern theft method also involves a computer and an internet connection. The perpetrator will post a job opportunity or in some cases pretend to buy items from people who post ads online, but then send a fake money order or check. The method used here is that they will send you more money than the value of the item bought and ask that the difference in price be sent back as a voucher, gift certificate or wire transfer.  The fake check that was used as payment will clear for a few days until the bank processes the request properly and detects the check as being a fake. The scammer hopes that in the meantime the victim would have done his part and sent them the money in the form of a wire transfer or voucher. The money sent will be from the victim’s own bank account and therefore genuine. Meanwhile the money deposited to the victim will be withdrawn by the bank once the fake check/money order is detected, leaving the victim with a loss and the perpetrator with a profit.

Trojan, botnets and ransomware

Just like the modern age helped automate manufacturing in many industries it also helped automate the act of robbing people. Software designed to steal information such as credit card details, bank account logins and passwords is now commonly employed. I am of course talking about Trojans and botnets. Trojans like their virus counterparts before them are designed to spread autonomously. Some of this malware has evolved into being a modern equivalent of a heist, a sort of digital age kidnapping. known as ransomware, these  are viruses that encrypt documents and other important files when infecting a machine and then demand that the victim pay a ransom  for him to be able to access that data again.

I’ve just gone over the common hi-tech methods of theft employed these days; in Part 3, I will go into detail on how best to look out for such schemes and give tips about how to keep safe and avoid being victimized.