May 04, 2008
Updated: Privacy & Security Watch: Beware of fake emails appearing to be from the IRS
Richard Kuper
The Kuper Report
http://TheKuperReport.com
(Originally posted April 23, 2008)
I received the following email today. Beware! It is a fake!
===
From: "Internal Revenue Service"
(the associated email address was: easytref [at] tax.ref.co.us)
Subject: Tax return (Message ID IRS-9438-2825)
A Secure Way to Receive Your Tax Return
After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $620.50.
Please submit the tax refund request and allow us 3-9 days in order
to process it.
A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.
To access the form for your tax refund, please click here
Note: For security reasons, we will record your ip-address, the date
and time. Deliberate wrong inputs are criminally pursued and indicated.
Regards,
Internal Revenue Service
Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.
===
Also note that the link (not included here) seems to point to a website for a boy scout troop in Virginia!
Due to the hacking of that boy scout website, the ISP shut the site down.
Also, there are other scam emails out there regarding the Stimulus Rebate checks being sent out, also appearing to be from the IRS.
If you get any such scam emails, the best way to help the IRS track down the perpetrators is to first, if your email program has the option, choose "show all headers" or something similar. Then forward the email to the following address (and substitute the "[at]" with "@"):
phishing[at]irs.gov
Labels: data security, e-mail, email, fake, irs, Kuper, kuper report, privacy, richard kuper, security, spam
| FindJobsPostJobs.com | CareerHotList.com |
February 23, 2008
Privacy & Security Watch: Beware of fake emails appearing to be from a financial institution
Richard Kuper
The Kuper Report
http://TheKuperReport.com
Your money and your identity are precious to you. You money and identity are also of great value to thieves. It is important to be extra vigilant, especially in emails and on the Internet, to protect both.
At the link below, you will find an example of one such real-looking communication, but it could just as easily have been set up to look like it was from whatever bank or financial institution you do business with.
Please note that in order ensure you that you are actually going to the real HSBC website indicated below (they provided this to warn their customers about this particular scam), I have not encoded the link. Please copy it and open a *new* web browser (or new tab), and paste it into your web address bar, and press ENTER. (If you do it on the same page that you are viewing this newsletter on you will need to hit the BACK button on your browser to get back here to read the rest of this article.)
Copy and paste this link to a new web page or new tab:
https://www.us.hsbc.com/1/2/3/personal/inside/securitysite/alerts/alert-1
As you saw if you followed the above instructions, someone was very creative and sophisticated. It looks real.
Remember that just because the text looks legitimate, if it is a live link that you can just click on, you need to verify that where the link is going is where the link claims to be going. I'll provide an example:
Click on the below link (which looks just like the link above):
https://www.us.hsbc.com/1/2/3/personal/inside/securitysite/alerts/alert-1
Other than the fact that the above is a link you can click on (try it - it will open in a new window), you cannot tell by looking at it that it will actually go somewhere else. And if I had created a fake HSBC-looking web page and pointed the link there, you might not have noticed at all because the resulting page would have looked just like an HSBC page (instead of taking you to ThisIsMyStore.com).
Now, move your mouse over the above link and right-click. You will get a list of options, one of which is "properties". Now click on "properties" and you will see that the link will actually take you to http://ThisIsMyStore.com and not to the secure HSBC page. This is an easy way to check where a link may actually be taking you. But note that the link displayed might still look kind-of legitimate, so it is always safest to go directly to your financial institution's website by entering the proper web address yourself.
* [Please post your job openings here] *
R.L. Kuper, Inc. - Management Consulting
The Kuper Report
http://TheKuperReport.com
Your money and your identity are precious to you. You money and identity are also of great value to thieves. It is important to be extra vigilant, especially in emails and on the Internet, to protect both.
At the link below, you will find an example of one such real-looking communication, but it could just as easily have been set up to look like it was from whatever bank or financial institution you do business with.
Please note that in order ensure you that you are actually going to the real HSBC website indicated below (they provided this to warn their customers about this particular scam), I have not encoded the link. Please copy it and open a *new* web browser (or new tab), and paste it into your web address bar, and press ENTER. (If you do it on the same page that you are viewing this newsletter on you will need to hit the BACK button on your browser to get back here to read the rest of this article.)
Copy and paste this link to a new web page or new tab:
https://www.us.hsbc.com/1/2/3/personal/inside/securitysite/alerts/alert-1
As you saw if you followed the above instructions, someone was very creative and sophisticated. It looks real.
Remember that just because the text looks legitimate, if it is a live link that you can just click on, you need to verify that where the link is going is where the link claims to be going. I'll provide an example:
Click on the below link (which looks just like the link above):
https://www.us.hsbc.com/1/2/3/personal/inside/securitysite/alerts/alert-1
Other than the fact that the above is a link you can click on (try it - it will open in a new window), you cannot tell by looking at it that it will actually go somewhere else. And if I had created a fake HSBC-looking web page and pointed the link there, you might not have noticed at all because the resulting page would have looked just like an HSBC page (instead of taking you to ThisIsMyStore.com).
Now, move your mouse over the above link and right-click. You will get a list of options, one of which is "properties". Now click on "properties" and you will see that the link will actually take you to http://ThisIsMyStore.com and not to the secure HSBC page. This is an easy way to check where a link may actually be taking you. But note that the link displayed might still look kind-of legitimate, so it is always safest to go directly to your financial institution's website by entering the proper web address yourself.
Labels: data security, id theft, identity, identity theft, Kuper, kuper report, privacy, richard kuper, safe computing tips, security
| FindJobsPostJobs.com | CareerHotList.com |
January 17, 2008
Privacy and Security Watch: Backup Tape Missing With Personal information On About 650,000 Customers
Richard Kuper
The Kuper Report
http://TheKuperReport.com
According to this article, "Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing." About 150,000 of those missing records contained social security numbers. GE Money, part of General Electric Capital Corp., is the credit card operations for Penney's and the other retailers. They apparently discovered the tape was missing last October. There is no explanation in the article why this is first coming to light now. The tape was being stored at a warehouse run by Iron Mountain Inc.
* [Please post your job openings here] *
R.L. Kuper, Inc. - Management Consulting
The Kuper Report
http://TheKuperReport.com
According to this article, "Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing." About 150,000 of those missing records contained social security numbers. GE Money, part of General Electric Capital Corp., is the credit card operations for Penney's and the other retailers. They apparently discovered the tape was missing last October. There is no explanation in the article why this is first coming to light now. The tape was being stored at a warehouse run by Iron Mountain Inc.
Labels: card, credit, data security, GE, general electric, iron mountain, Kuper, kuper report, penney, privacy, richard kuper, security
| FindJobsPostJobs.com | CareerHotList.com |
September 24, 2007
Privacy and Security Watch: Are you giving away your personal or corporate data to thieves?
Richard Kuper
The Kuper Report
http://TheKuperReport.com
I came across a couple of articles that continue to bring home the fact that many companies and individuals still do not have a handle on ensuring the privacy and security of data:
What's on your hard drive?
When businesses or individuals discard old computers, apparently many are not ensuring that personal or business data has been securely removed first. According to this article, from a sample of 350 hard drives acquired in online auctions, details about salary, company financial data, medical data, credit card numbers, visa applications, details of online purchases, and even online pornography were found.
There are many tools available today for corporate and individual use that can shred the data on your hard drives and other storage devices. They are not very expensive, especially for individual use. Simply reformatting the hard drive, for example, will not wipe the data from it.
Do you or your employees connect to a file-sharing network?
If you connect your computer to a file-sharing network, such as BearShare or LimeWire or the like, you are opening up your computer to anyone who cares to search it and copy stuff from it. According to this article, "Three spreadsheets containing more than 5,000 Social Security numbers and other personal details about customers of ABN Amro Mortgage Group were inadvertently leaked over an online file-sharing network by a former employee." In this case, the computer had the BearShare software installed.
A common search, by those seeking something other than a song, is to search on terms like "password" to find data on connected computers that will net usable information for identity theft and other crimes. In addition, it would seem that most users of file-sharing networks do not take the appropriate steps to limit what can be searched on their computer. Any time you allow your computer to be accessed by others whom you do not know and therefore have no known level of trust, you are looking for trouble.
Regarding the leaked spreadsheet with over 5,000 Social Security numbers and other personal customer details, according to a spokesperson for ABN parent company Citigroup Inc.: "Citi's information-security standards require that confidential information be stored on Citi-managed devices." In the case of the spreadsheet, it would seem the employee had it on his home pc.
* [Please post your job openings here] *
R.L. Kuper, Inc. - Management Consulting
The Kuper Report
http://TheKuperReport.com
I came across a couple of articles that continue to bring home the fact that many companies and individuals still do not have a handle on ensuring the privacy and security of data:
What's on your hard drive?
When businesses or individuals discard old computers, apparently many are not ensuring that personal or business data has been securely removed first. According to this article, from a sample of 350 hard drives acquired in online auctions, details about salary, company financial data, medical data, credit card numbers, visa applications, details of online purchases, and even online pornography were found.
There are many tools available today for corporate and individual use that can shred the data on your hard drives and other storage devices. They are not very expensive, especially for individual use. Simply reformatting the hard drive, for example, will not wipe the data from it.
Do you or your employees connect to a file-sharing network?
If you connect your computer to a file-sharing network, such as BearShare or LimeWire or the like, you are opening up your computer to anyone who cares to search it and copy stuff from it. According to this article, "Three spreadsheets containing more than 5,000 Social Security numbers and other personal details about customers of ABN Amro Mortgage Group were inadvertently leaked over an online file-sharing network by a former employee." In this case, the computer had the BearShare software installed.
A common search, by those seeking something other than a song, is to search on terms like "password" to find data on connected computers that will net usable information for identity theft and other crimes. In addition, it would seem that most users of file-sharing networks do not take the appropriate steps to limit what can be searched on their computer. Any time you allow your computer to be accessed by others whom you do not know and therefore have no known level of trust, you are looking for trouble.
Regarding the leaked spreadsheet with over 5,000 Social Security numbers and other personal customer details, according to a spokesperson for ABN parent company Citigroup Inc.: "Citi's information-security standards require that confidential information be stored on Citi-managed devices." In the case of the spreadsheet, it would seem the employee had it on his home pc.
Labels: abn, bearshare, citigroup, computer, credit, crime, data, disk, drive, file, id, identity, limewire, password, pc, privacy, security, sharing, stolen, theft
| FindJobsPostJobs.com | CareerHotList.com |
May 16, 2007
Privacy and Security Watch: IBM loses tapes with personal information on current and former employees
It seems even the great IBM can be affected by such problems as losing tapes containing social security numbers and other personal information on employees and retirees, along with records of customer transactions.
According to this article, "An outside vendor was transporting the tapes from one IBM facility to another on Feb. 23 when the tapes fell out of a contractor's vehicle in Westchester County, N.Y., not far from IBM headquarters in Armonk. IBM representatives went to the scene and couldn't find the tapes."
For some reason, only some of the missing tapes were encrypted.
Richard Kuper
The Kuper Report
http://TheKuperReport.com
* [Please post your job openings here] *
R.L. Kuper, Inc. - Management Consulting
According to this article, "An outside vendor was transporting the tapes from one IBM facility to another on Feb. 23 when the tapes fell out of a contractor's vehicle in Westchester County, N.Y., not far from IBM headquarters in Armonk. IBM representatives went to the scene and couldn't find the tapes."
For some reason, only some of the missing tapes were encrypted.
Richard Kuper
The Kuper Report
http://TheKuperReport.com
Labels: breach, data security, IBM, Kuper, kuper report, lost, personal data, privacy, private, richard kuper
| FindJobsPostJobs.com | CareerHotList.com |
May 10, 2007
Privacy and Security Watch: University of Missouri Hacked For Second Time This Year
According to this article, The University of Missouri has been hacked for the second time this year. The hacker gained access to the social security numbers of over 22,000 students and alumni through a Web page that was used "to make queries about the status of trouble reports to the university's computer help desk."
Back in January, there was a similar breach. In that case, "a hacker obtained the Social Security numbers of 1,220 university researchers, as well as personal passwords of as many as 2,500 people who used an online grant application system."
Richard Kuper
The Kuper Report
http://TheKuperReport.com
* [Please post your job openings here] *
R.L. Kuper, Inc. - Management Consulting
Back in January, there was a similar breach. In that case, "a hacker obtained the Social Security numbers of 1,220 university researchers, as well as personal passwords of as many as 2,500 people who used an online grant application system."
Richard Kuper
The Kuper Report
http://TheKuperReport.com
Labels: breach, college, data security, hack, Kuper, kuper report, personal data, privacy, richard kuper, school, security
| FindJobsPostJobs.com | CareerHotList.com |
May 09, 2007
Court Permits Search of Personal Computer in Workplace
According to this article at findlaw.com, "a federal court has just held that an employee did not have a reasonable expectation of privacy in the personal computer he brought to work." It seems that because this employee and a co-worker otherwise had to share a common personal computer, this employee decided to bring in his own computer and connect it to his employer's system. The employer, in this case, was a city government. The employee made no effort to protect any information on his personal computer and left it on and in a public space -- even when he was not at his desk. This failure to password or otherwise protect and guard the personal information on his personal computer eventually led to the discovery of child pornography on his personal computer. That eventually led to the appellate court case that resulted in this decision.
As the article concludes, "if you want to maintain your privacy rights under the Constitution, you yourself must keep your private matters private."
Richard Kuper
The Kuper Report
http://TheKuperReport.com
* [Please post your job openings here] *
R.L. Kuper, Inc. - Management Consulting
As the article concludes, "if you want to maintain your privacy rights under the Constitution, you yourself must keep your private matters private."
Richard Kuper
The Kuper Report
http://TheKuperReport.com
Labels: barrows, computer, constitution, court, Fourth Amendment, Kuper, kuper report, law, oklahoma, privacy, richard kuper, rights, search, seizure
| FindJobsPostJobs.com | CareerHotList.com |
May 05, 2007
Transportation Security Administration, a division of Homeland Security, loses hard drive with personal data on 100,000
According to an Associated Press report, "the Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees."
The privacy and security of personal information is clearly not being addressed by government agencies, as previously reported in The Kuper Report and in various news reports over the years. This breach by a division of the Homeland Security Department is just the latest reported problem. As the Congress perhaps begins to address this problem in the private sector, it needs to also address this problem in the public sector. However, unless there are severe consequences for breaching the privacy, this problem will not end.
Richard Kuper
The Kuper Report
http://TheKuperReport.com
* [Please post your job openings here] *
R.L. Kuper, Inc. - Management Consulting
The privacy and security of personal information is clearly not being addressed by government agencies, as previously reported in The Kuper Report and in various news reports over the years. This breach by a division of the Homeland Security Department is just the latest reported problem. As the Congress perhaps begins to address this problem in the private sector, it needs to also address this problem in the public sector. However, unless there are severe consequences for breaching the privacy, this problem will not end.
Richard Kuper
The Kuper Report
http://TheKuperReport.com
Labels: breach, data security, government, homeland security, Kuper, kuper report, personal data, privacy, richard kuper, security, transportation security administration, tsa
| FindJobsPostJobs.com | CareerHotList.com |
April 03, 2007
Privacy and Security Watch: More Security/Identity Breaches and Issues
According to an article in ComputerWorld, "RadioShack Corp. dumped 'thousands' of customer records behind a store near Corpus Christi, exposing consumers to possible identity theft." The article goes on to say "According to Attorney General Greg Abbott, the Fort Worth-based company violated multiple state statutes, including the Identity Theft Enforcement and Protection Act, a 2005 law that requires businesses to protect and properly dispose of customer personal information."
But in another ComputerWorld article in the same state of Texas, it seems that "Texas Gov. Rick Perry has signed into law a bill that allows the state's county and court clerks to disclose "in the ordinary course of business" Social Security numbers contained in documents held by their offices."
So, at least in Texas, Social Security numbers are no longer considered protected data if they exist in "public records held by clerks in the state" but are protected data if held by anyone else. So if you have public documents containing personal data, such as mortgage records and tax liens in the state of Texas, your private information, already being posted by Texas to the internet and for sale unredacted, is no longer protected.
And now your browser may be used to capture your personal information on your computer and as a hacking tool against others. According to another article in ComputerWorld, javascript code that could be used to turn a Web browser into a hacker's tool is now available on Internet.
Meanwhile, in yet another ComputerWorld article we are told that there is a critical Windows flaw that Microsoft has apparently known about since December 2006 that affects Windows 2000 SP4, XP SP2, Server 2003 (up to SP2), and even Vista (both 32- and 64-bit versions). Microsoft was apparently in no hurry to fix this but the pressure has mounted and they are supposedly rolling out a fix soon. This critical flaw will allow a rogue program to "run malicious code on a victimized PC, infecting it with spyware, stealing identity information or adding it to a botnet of hijacked systems."
To borrow from a tag line in an old TV show (NYPD Blue, if memory serves):
"Be careful out there."
Richard Kuper
The Kuper Report
http://TheKuperReport.com
* [Please post your job openings here] *
R.L. Kuper, Inc. - Management Consulting
But in another ComputerWorld article in the same state of Texas, it seems that "Texas Gov. Rick Perry has signed into law a bill that allows the state's county and court clerks to disclose "in the ordinary course of business" Social Security numbers contained in documents held by their offices."
So, at least in Texas, Social Security numbers are no longer considered protected data if they exist in "public records held by clerks in the state" but are protected data if held by anyone else. So if you have public documents containing personal data, such as mortgage records and tax liens in the state of Texas, your private information, already being posted by Texas to the internet and for sale unredacted, is no longer protected.
And now your browser may be used to capture your personal information on your computer and as a hacking tool against others. According to another article in ComputerWorld, javascript code that could be used to turn a Web browser into a hacker's tool is now available on Internet.
Meanwhile, in yet another ComputerWorld article we are told that there is a critical Windows flaw that Microsoft has apparently known about since December 2006 that affects Windows 2000 SP4, XP SP2, Server 2003 (up to SP2), and even Vista (both 32- and 64-bit versions). Microsoft was apparently in no hurry to fix this but the pressure has mounted and they are supposedly rolling out a fix soon. This critical flaw will allow a rogue program to "run malicious code on a victimized PC, infecting it with spyware, stealing identity information or adding it to a botnet of hijacked systems."
To borrow from a tag line in an old TV show (NYPD Blue, if memory serves):
"Be careful out there."
Richard Kuper
The Kuper Report
http://TheKuperReport.com
Labels: breach, data security, identity, kuper report, personal data, personal information, privacy, security, social security
| FindJobsPostJobs.com | CareerHotList.com |
Who links to me?
