* [Please post your job openings here] *

August 30, 2008

Safe Computing Tips

Richard Kuper
The Kuper Report
http://TheKuperReport.com

********************************************************
NOTE:
This article was originally posted August 8, 2007 but is still relevant,
and so we are reposting it now.
********************************************************

If someone is truly determined to hack into your computer or your emails and they have the tools and know-how, then they will probably succeed. But you can make it harder for them to do so. Unless it is the government. On Monday, President George W. Bush signed into law an expansion of the Foreign Intelligence Surveillance Act (FISA), giving government expanded rights to intercept phone calls and e-mails without warrants.

You can protect your computer by installing a suite of protection products. One such product, Grisoft's AVG Internet Security Suite, has previously been reviewed. (See the original review here and the follow-up here.)


Such suites provide protection from spyware and viruses and a variety of other malware. That would be an excellent first step. And of course be sure to keep it up to date and proactive.

Be very careful what emails you choose to open, and set your email to hide graphics by default. If you are confident that a particular email is from a trusted source, you can always activate the graphics for that individual email as you are viewing it. Turning off graphics in email is a simple way to prevent a lot of the newer means of introducing malware to your computer that just might start capturing everything you do, including all your passwords.

Be very careful about clicking on links, especially in emails that look like they came from your financial institution. The safest way to deal with your financial institution online is to not click on links in emails, but instead go to their website by entering their web address directly into your browser. Otherwise you may end up at a very good copy that looks like your financial institution's website but is instead a rogue site that will collect all the information you type and then will use it to potentially steal your identity, or at least order lots of stuff in your name billed to you but shipped somewhere else.

When connecting to the internet, never do so from a computer ID that has administrative rights except when absolutely necessary (e.g., to download and install new software that you purchase online from a reputable source). Being connected to the internet with administrative rights is akin to leaving your front door open while you are not at home and expecting no one will walk in and potentially walk out with many of your valuables.

When creating passwords, try to use a combination of letters and numbers, and the longer the password the better. Of course, don't write it down and leave it by the computer or where someone could find it.

And if you really want secure communication in email, you need to be sending encrypted email. That's not as easy as all of the other suggestions above. It requires a means for encrypting by the sender and decrypting by the receiver, and the encryption/decryption codes must be known only by those parties for it to truly be of value.

Does your cell phone have internet access? Then it can be hacked just as easily as your desktop or notebook computer.

One more thing. It does not matter what brand computer or cell phone you have. All are vulnerable.


ThisIsMyStore.com

FindJobsPostJobs.com CareerHotList.com
R.L. Kuper, Inc. - Management Consulting

June 27, 2008

Fraud Alert: Woman Gets Two Years for Aiding Nigerian Internet Check Scam

As hopefully all readers of this newsletter know, emails asking for help to cash checks are scams. Sadly, there are still a lot of folks out there who fall for these things every day. According to this article, at least one person in the United States was assisting in the Nigerian scam, and has been tried and convicted.

Please don't be taken in by such scams, and please pass this note along to all your friends, relatives, and business associates to remind them not to fall for them either.

Richard L. Kuper
The Kuper Report
http://TheKuperReport.com


June 21, 2008

Privacy & Security Watch: TJX Fires Employee for Disclosing Security Problems

As readers of this newsletter know, TJX, the parent company of T.J. Maxx, Marshalls, and Home Goods stores, had a serious security breach over a long period of time. (See http://www.TheKuperReport.com/2007/03/stolen-data-from-tjx-tj-maxx-marshalls.html and subsequent articles on this subject). Well, it seems they still haven't learned from their mistakes. According to this article, a young employee in a Lawrence, KS T.J. Maxx store tried, but failed, to convince management that running their server in administrator mode and giving everyone IDs with blank passwords was a very bad and insecure thing to do. So he anonymously posted about this lack of security to an online forum. TJX found out it was him and they fired him. No word on whether they have addressed this serious security breach.

Richard L. Kuper
The Kuper Report
http://TheKuperReport.com


May 04, 2008

Updated: Privacy & Security Watch: Beware of fake emails appearing to be from the IRS


Richard Kuper
The Kuper Report
http://TheKuperReport.com

(Originally posted April 23, 2008)

I received the following email today. Beware! It is a fake!

===

From:
"Internal Revenue Service"
(the associated email address was: easytref [at] tax.ref.co.us)

Subject: Tax return (Message ID IRS-9438-2825)

A Secure Way to Receive Your Tax Return

After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $620.50.
Please submit the tax refund request and allow us 3-9 days in order
to process it.

A refund can be delayed for a variety of reasons.

For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Note: For security reasons, we will record your ip-address, the date
and time. Deliberate wrong inputs are criminally pursued and indicated.

Regards,

Internal Revenue Service

Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.

===

Also note that the link (not included here) seems to point to a website for a boy scout troop in Virginia!

UPDATE:
Due to the hacking of that boy scout website, the ISP shut the site down.
Also, there are other scam emails out there regarding the Stimulus Rebate checks being sent out, also appearing to be from the IRS.

If you get any such scam emails, the best way to help the IRS track down the perpetrators is to first, if your email program has the option, choose "show all headers" or something similar. Then forward the email to the following address (and substitute the "[at]" with "@"):
phishing[at]irs.gov


February 23, 2008

Privacy & Security Watch: Beware of fake emails appearing to be from a financial institution

Richard Kuper
The Kuper Report
http://TheKuperReport.com

Your money and your identity are precious to you. Your money and identity are also of great value to thieves. It is important to be extra vigilant, especially in emails and on the Internet, to protect both.

At the link below, you will find an example of one such real-looking communication, but it could just as easily have been set up to look like it was from whatever bank or financial institution you do business with.

Please note that in order to ensure that you are actually going to the real HSBC website indicated below (they provided this to warn their customers about this particular scam), I have not encoded the link. Please copy it and open a *new* web browser (or new tab), and paste it into your web address bar, and press ENTER. (If you do it on the same page that you are viewing this newsletter on you will need to hit the BACK button on your browser to get back here to read the rest of this article.)

Copy and paste this link to a new web page or new tab:
https://www.us.hsbc.com/1/2/3/personal/inside/securitysite/alerts/alert-1

As you saw if you followed the above instructions, someone was very creative and sophisticated. It looks real.

Remember that just because the text looks legitimate, if it is a live link that you can just click on, you need to verify that where the link is going is where the link claims to be going. I'll provide an example:

Click on the below link (which looks just like the link above):
https://www.us.hsbc.com/1/2/3/personal/inside/securitysite/alerts/alert-1

Other than the fact that the above is a link you can click on (try it - it will open in a new window), you cannot tell by looking at it that it will actually go somewhere else. And if I had created a fake HSBC-looking web page and pointed the link there, you might not have noticed at all because the resulting page would have looked just like an HSBC page (instead of taking you to ThisIsMyStore.com).

Now, move your mouse over the above link and right-click. You will get a list of options, one of which is "properties". Now click on "properties" and you will see that the link will actually take you to http://ThisIsMyStore.com and not to the secure HSBC page. This is an easy way to check where a link may actually be taking you. But note that the link displayed might still look kind-of legitimate, so it is always safest to go directly to your financial institution's website by entering the proper web address yourself.


January 17, 2008

Privacy and Security Watch: Backup Tape Missing With Personal information On About 650,000 Customers

Richard Kuper
The Kuper Report
http://TheKuperReport.com

According to this article, "Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing." About 150,000 of those missing records contained social security numbers. GE Money, part of General Electric Capital Corp., is the credit card operations for Penney's and the other retailers. They apparently discovered the tape was missing last October. There is no explanation in the article why this is first coming to light now. The tape was being stored at a warehouse run by Iron Mountain Inc.


September 24, 2007

Privacy and Security Watch: Are you giving away your personal or corporate data to thieves?

Richard Kuper
The Kuper Report
http://TheKuperReport.com

I came across a couple of articles that continue to bring home the fact that many companies and individuals still do not have a handle on ensuring the privacy and security of data:

What's on your hard drive?

When businesses or individuals discard old computers, apparently many are not ensuring that personal or business data has been securely removed first. According to this article, from a sample of 350 hard drives acquired in online auctions, details about salary, company financial data, medical data, credit card numbers, visa applications, details of online purchases, and even online pornography were found.

There are many tools available today for corporate and individual use that can shred the data on your hard drives and other storage devices. They are not very expensive, especially for individual use. Simply reformatting the hard drive, for example, will not wipe the data from it.

Do you or your employees connect to a file-sharing network?

If you connect your computer to a file-sharing network, such as BearShare or LimeWire or the like, you are opening up your computer to anyone who cares to search it and copy stuff from it. According to this article, "Three spreadsheets containing more than 5,000 Social Security numbers and other personal details about customers of ABN Amro Mortgage Group were inadvertently leaked over an online file-sharing network by a former employee." In this case, the computer had the BearShare software installed.

A common search, by those seeking something other than a song, is to search on terms like "password" to find data on connected computers that will net usable information for identity theft and other crimes. In addition, it would seem that most users of file-sharing networks do not take the appropriate steps to limit what can be searched on their computer. Any time you allow your computer to be accessed by others whom you do not know and therefore have no known level of trust, you are looking for trouble.

Regarding the leaked spreadsheet with over 5,000 Social Security numbers and other personal customer details, according to a spokesperson for ABN parent company Citigroup Inc.: "Citi's information-security standards require that confidential information be stored on Citi-managed devices." In the case of the spreadsheet, it would seem the employee had it on his home PC.


May 10, 2007

Privacy and Security Watch: University of Missouri Hacked For Second Time This Year

According to this article, The University of Missouri has been hacked for the second time this year. The hacker gained access to the social security numbers of over 22,000 students and alumni through a Web page that was used "to make queries about the status of trouble reports to the university's computer help desk."

Back in January, there was a similar breach. In that case, "a hacker obtained the Social Security numbers of 1,220 university researchers, as well as personal passwords of as many as 2,500 people who used an online grant application system."

Richard Kuper
The Kuper Report
http://TheKuperReport.com


May 05, 2007

Transportation Security Administration, a division of Homeland Security, loses hard drive with personal data on 100,000

According to an Associated Press report, "the Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees."

The privacy and security of personal information is clearly not being addressed by government agencies, as previously reported in The Kuper Report and in various news reports over the years. This breach by a division of the Homeland Security Department is just the latest reported problem. As the Congress perhaps begins to address this problem in the private sector, it needs to also address this problem in the public sector. However, unless there are severe consequences for breaching the privacy, this problem will not end.

Richard Kuper
The Kuper Report
http://TheKuperReport.com


April 26, 2007

Privacy and Security Watch: Lawmakers decry continued vulnerability of federal computers

Corporate computers are not the only ones being breached. The Federal Government (and state and local governments as well) are also not doing a good enough job of protecting the data from unauthorized access. In the case of the Federal Government, some of our lawmakers are finally waking up to this problem and speaking out about the issues. Read all about it here.

Richard Kuper
The Kuper Report
http://TheKuperReport.com


Privacy and Security Watch: Group calls for federal data security breach notification law

With the massive data breach of TJX (see various articles on TheKuperReport.com), several banks are suing TJX Companies Inc. over the data breach that "exposed at least 45.7 million credit and debit card holders to identity fraud." You can read more about that here.

Because of this and the many other breaches at other firms, the Cyber Security Industry Alliance (CSIA) is lobbying Congress to pass a law that will require companies that are breached to notify victims. Read all about it here.

Richard Kuper
The Kuper Report
http://TheKuperReport.com


April 03, 2007

Privacy and Security Watch: More Security/Identity Breaches and Issues

According to an article in ComputerWorld, "RadioShack Corp. dumped 'thousands' of customer records behind a store near Corpus Christi, exposing consumers to possible identity theft." The article goes on to say "According to Attorney General Greg Abbott, the Fort Worth-based company violated multiple state statutes, including the Identity Theft Enforcement and Protection Act, a 2005 law that requires businesses to protect and properly dispose of customer personal information."

But in another ComputerWorld article in the same state of Texas, it seems that "Texas Gov. Rick Perry has signed into law a bill that allows the state's county and court clerks to disclose "in the ordinary course of business" Social Security numbers contained in documents held by their offices."

So, at least in Texas, Social Security numbers are no longer considered protected data if they exist in "public records held by clerks in the state" but are protected data if held by anyone else. So if you have public documents containing personal data, such as mortgage records and tax liens in the state of Texas, your private information, already being posted by Texas to the internet and for sale unredacted, is no longer protected.

And now your browser may be used to capture your personal information on your computer and as a hacking tool against others. According to another article in ComputerWorld, JavaScript code that could be used to turn a Web browser into a hacker's tool is now available on the Internet.

Meanwhile, in yet another ComputerWorld article we are told that there is a critical Windows flaw that Microsoft has apparently known about since December 2006 that affects Windows 2000 SP4, XP SP2, Server 2003 (up to SP2), and even Vista (both 32- and 64-bit versions). Microsoft was apparently in no hurry to fix this but the pressure has mounted and they are supposedly rolling out a fix soon. This critical flaw will allow a rogue program to "run malicious code on a victimized PC, infecting it with spyware, stealing identity information or adding it to a botnet of hijacked systems."

To borrow from a tag line in an old TV show (NYPD Blue, if memory serves):
"Be careful out there."

Richard Kuper
The Kuper Report
http://TheKuperReport.com


March 22, 2007

Privacy and Security Watch: Stolen Data from TJX (T.J. Maxx, Marshalls and HomeGoods stores) since 2003 Used in $8M Scheme Before Breach Discovery

According to recent reports in eWeek (links below), massive amounts of data, dating back to 2003, were stolen from TJX (T.J. Maxx, Marshalls and HomeGoods stores) over an extended period of time, starting in 2005. The breach, or intrusion as TJX prefers to call it, was not discovered until December 2006.

This is just the latest story in the ongoing issue of data security. Companies need to get their acts together and ensure that they are protecting the personal and private data of their customers. It may be time for the government to step in and create financial incentives for companies to do this. Of course, the Federal government and many state and local governments are guilty of not protecting the personal and private data of their citizens either, so they would also have to fine themselves (not likely). So this problem will continue to be a major problem until the public starts making its voice heard and making this a priority for government and corporations to take more seriously.

Here are the links to the TJX story:

Stolen TJX Data Used in $8M Scheme Before Breach Discovery

TJX: Data Theft Began in 2005; Data Taken from 2003

Richard Kuper
The Kuper Report
http://TheKuperReport.com


February 19, 2007

Corporate Security: Risk and Cost Tolerance in India

"Late last month, Indian police acting on an intelligence lead arrested a suspected Kashmiri militant near Jalahalli, a village just north of Bangalore. Authorities confiscated an assault rifle and 300 rounds of ammunition from the suspect, 34-year-old Bilal Ahmed Kota, as well as -- significantly -- a satellite phone, a cell phone, multiple cell phone SIM cards and a map of Bangalore. Several locations reportedly had been marked out on that map -- including the airport, the offices of Wipro Technologies Ltd. and the complex operated by Infosys Technologies, the global information technology (IT) services provider."

Click here to read the full article.

Richard Kuper
The Kuper Report
http://TheKuperReport.com


January 08, 2007

So how secure is your pc?

Richard Kuper
The Kuper Report
http://TheKuperReport.com

So how secure is your pc? According to a January 7, 2007 article in the NY Times titled "Attack of the Zombie Computers Is Growing Threat" by John Markoff, "the bad guys are honing their weapons and increasing their firepower." Programs are secretly installing themselves "on thousands or even millions of personal computers" and then using these computers and their collective combined power to commit crimes across the Internet. For example, the article states: "Last spring, a program was discovered at a foreign coast guard agency that systematically searched for documents that had shipping schedules, then forwarded them to an e-mail address in China." Elsewhere in the article, we are told about a program that collected data from 753 infected computers, generated 54,926 log-in credentials, 281 credit card numbers, affected 1,239 companies including "35 stock brokerages, 86 bank accounts, 174 e-commerce accounts and 245 e-mail accounts" -- and that was just one file that was intercepted that had collected data over 1 month. One company that monitors such things claims there are more than 250,000 new infections daily.

There were a number of other examples, including the spam regarding a penny stock that boosted the price of the stock significantly - just long enough for whoever spawned it to make a nice profit.

Even more interesting was this paragraph that appears near the end of the article:

"Serry Winkler, a sales representative in Denver, said that she had turned off the network-security software provided by her Internet service provider because it slowed performance to a crawl on her PC, which was running Windows 98. A few months ago four sheriff’s deputies pounded on her apartment door to confiscate the PC, which they said was being used to order goods from Sears with a stolen credit card. The computer, it turned out, had been commandeered by an intruder who was using it remotely."

So now that you know about these problems, what are you doing to prevent them? Are you making the mistake of Serry Winkler and turning off your antivirus, antispyware, antimalware products, or, worse, have you failed to even install such software or ensure it is up-to-date? Are you perhaps making the ultimate error of being connected to the internet 24x7 logged in with administrator rights and no password? If you are accessing the internet from home via cable or DSL, do you have both a hardware firewall and a software firewall? If you have gone wireless, are you sure no one can intercept what you are doing over the air?

There are a variety of very good antivirus, antispyware, antimalware and other products to protect your computer. Some are even available for free or very low cost. Some are bundled as suites.

And before someone tries to give you the old and tired line "just get a Mac", be advised that the recent Mac vs. Windows ads have raised the profile of the Mac and Linux operating systems and attracted the interest of the bad guys. There have been an increasing number of reports regarding breaches of such machines -- perhaps not to the level of Windows machines, but that is primarily because there are fewer such machines in use. Should machines running Mac or Linux continue to grow in popularity and become a larger portion of the user community, rest assured that there are folks out there who will manage to wreak the same havoc on those machines as well.

So make sure to take all the necessary steps to ensure that your computer and data are secure. If you are a company, your responsibilities may be further defined by a variety of laws.
