Topics

1
Topics

• Identity Theft
• Phishing/Email
• Malware - Virus/Worm/Trojan/Spyware
• SPAM
• Social Engineering
• Passwords
• Other Issues

2
Identity Theft

• Definition
• Occurs when someone wrongfully acquires or uses
  another person's personal data, typically for
  their own financial gain.
• A new type of common fraud

3
Identity Theft (cont)

• Trends/Statistics
• According to 2 studies done in July 2003 (Gartner
  Research and Harris Interactive),
• approximately 7 million people became
  victims of identity theft in the prior 12 months.
  That equals 19,178 per day, 799 per hour, 13.3
  per minute.
• The 2003 survey from the Identity Theft Resource
  Centre found that
• Average time to resolve this problem in 2000 was
  175 hours.
• 85 of victims found out about the crime due to
  an adverse situation.
• Denied credit or employment, notification by
  police or collection agencies, receipt of credit
  cards or bills never ordered, etc.
• The emotional impact is similar to that of
  victims of violent crime.
• Javelin Strategy and Research reports in May
  2006, Arizona has Highest rate of Identity theft
  in the Nation
• Most thieves still obtain personal information
  through traditional rather than electronic
  channels.

4
Identity Theft (cont)

• How does it happen?
• Steal information from the workplace
• Steal your mail
• Rummage through the trash
• Complete change of address form to divert mail

5
Identity Theft (cont)

• Best Practices for clients/at home
• Request your own credit report each year and
  check the reports for inaccuracies and new lines
  of credit issued that you did not request.
• They are FREE! (one per year at
  www.annualcreditreport.com)
• Go online to see your bank statement and credit
  card statement every few days
• Good information at http//www.consumer.gov/idthef
  t/

6
Identity Theft - Phishing

• Definition
• The practice of luring unsuspecting Internet
  users to a fake Web site by using
  authentic-looking email with the real
  organization's logo, in an attempt to steal
  passwords, financial or personal information, or
  introduce a virus attack.

7

8
(No Transcript)
9
Identity Theft - Phishing

• Trends/Statistics
• May 2006 Record Breaking month with unique 20,109
  Phishing sites reported, according to
  www.anti-phishing.org.
• Ebay, Paypal, small and large banking
  institutions are the top targets of phishing
  scams.
• Emailed phishing may ask you to call a customer
  support phone number where a person or audio
  response unit awaits to take your personal
  information.

10
Identity Theft - Phishing (cont)

• Best Practices
• Be wary of e-mail!
• Always TYPE the known name of your financial
  institution into your browser and never click the
  hyperlink.
• Treat all unsolicited e-mail/phone contacts with
  suspicion.
• When in doubt, call the institution using the
  number listed in the phone book, not one provided
  in the e-mail or link.
• Nobody needs to verify your passwords or pins.

11
Identity Theft - Phishing (cont)

• Best Practices (continued)
• Always use a secure website when dealing with
  financial or sensitive personal information
• Look for the https//www.bankname.com
• Look for the padlock in the lower right corner of
  your browser
• Click on the padlock icon for details. If the
  "Issued To" name does not match the name of the
  site then you may be looking at a spoofed site.
• Report phishing scams directly to your bank.

12
SPAM

• Definition
• Unsolicited e-mail, often of a commercial nature,
  sent indiscriminately to multiple mailing lists,
  individuals, or newsgroups junk e-mail.

13
SPAM (cont)

• Trends/Statistics
• MessageLabs reports that 66.75 of all messages
  on the Internet are unsolicited.

14
SPAM (cont)

• Best Practices
• Avoid asking to be removed from SPAM list.
• Tells the spammers that you are alive.
• Avoid responding to an email from unknown source.
• Avoid putting your email address on the Internet.
• Website registrations, Discussion groups/forums,
  Chat rooms.

15
Malware

• Definition
• Malware (Malicious Mal) (Software ware)
  is Malware.
• Virus
• A software program not usually capable of
  reproducing itself, usually capable of causing
  great harm to files or other programs on the same
  computer "a true virus cannot spread to another
  computer without human assistance."
• Worm
• Worms exist as separate entities they do not
  attach themselves to other files or programs. A
  worm can spread itself automatically over the
  network from one computer to the next. Worms take
  advantage of automatic file sending and receiving
  features found on many computers.
• Trojan
• Named after the classical Trojan Horse. Secretly
  waits in silence monitoring your activities,
  waiting for an event to happen, or watches your
  activities transmitting your personal and
  confidential information.
• Spyware
• Any software that covertly gathers information
  about a user while he/she navigates the Internet
  and transmits the information to an individual or
  company that uses it for marketing, tracking, or
  even criminal purposes.

16
Malware (cont)

• Trends/Statistics
• Increased involvement of Organized Crime
• Money is the motivator more than notoriety
• Increasingly targeted attacks to stay under the
  radar
• May 2005 Israeli incident w/CDs to Execs
• Targeting Blackberrys, Treos, smartphones
• Recent vulnerabilities and sensitive information

17
Malware (cont)

• How do you get it?
• Distributed with other program installation
  bundles such as freeware (web browser tool bars,
  smiley-face enhancements for Outlook, clock or
  weather programs), peer-to-peer software (Kazaa),
  and computer games

18
Malware (cont)

• Symptoms
• Excessive pop-up windows.
• Homepage changes spontaneously
• Computer speed slows and applications crash more
  frequently as spyware uses computer/network
  resources to run in the background.

19
Malware (cont)

• Best Practices
• Anti-Virus Updates, Patches, Network IPS
• Avoid opening/responding to emails/attachments
  from unknown source, especially attachments with
  file extensions of .scr, .com, .exe
• Be cautious of software downloaded from the
  Internet.
• Avoid inappropriate web sites
• Close unwanted pop-ups with the X in upper right
  corner.

20
Social Engineering

• Definition
• the practice of obtaining confidential
  information by manipulation of legitimate users.
  A social engineer will commonly use the telephone
  or Internet to trick people into revealing
  sensitive information or getting them to do
  something.

21
Social Engineering (cont)

• Types
• Shoulder Surfing
• Impersonation
• Bank staff
• Online/Email
• A good example of this was an AOL hack,
  documented by VIGILANTe In that case, the
  hacker called AOLs tech support and spoke with
  the support person for an hour. During the
  conversation, the hacker mentioned that his car
  was for sale cheaply. The tech supporter was
  interested, so the hacker sent an e-mail
  attachment with a picture of the car. Instead
  of a car photo, the mail executed a backdoor
  exploit that opened a connection out from AOL
  through the firewall.

22
Social Engineering (cont)

• Example tactics
• 1. Claim authority
• 2. Stress urgency
• 3. May be angry, happy, flattering, etc..
• 4. Threaten negative consequences if you do not
  comply.
• 5. Name drop to get what they want
• 6. Show discomfort when questioned.
• 7. Make an unordinary request.

23
Passwords

• Best Practices
• Do not share your password with anyone.
• Avoid writing down your password.
• Avoid storing your password in a notepad, word,
  or other document.
• Avoid using personal information (birthdays,
  hobbies, favorite sports teams, your dogs name)
  about yourself that can be easily accessed or
  guessed.
• Avoid using words that can be found in any
  dictionary of any language

24
Password Best Practice
25
Password Best Practice

• Example
• V3g3t_at_bl3 instead of vegetable
• W0rld3ri3 instead of Worldseries
• Use Pass Phrases instead of Pass Words
• MyDogsN_at_m31sF1d0

26
Portable Devices

• Always password protect
• Handheld security policy
• Smart phones and PDAs