A weekly roundup of all the things that go bump on the net
The Top 10 Most Common Identity Theft Myths

Every year around this time we see the same experts dole out the same identity theft prevention tips. And yet, identity theft keeps getting worse. Maybe it's because we have to take a step back, and start by exposing some of the myths that lead to consumer apathy about identity theft. If we help consumers better understand the reality of identity theft, they might better appreciate these tips and apply them more often.

So here goes:


2 Million Hacked Passwords and the Troubling Truth About Keyloggers

As security researchers uncovered a stash of more than 2 million hacked passwords on a hacker's server in the Netherlands last week, from users of Facebook, Google, LinkedIn and Twitter, most of the focus was on just how many people are still using awful, and awfully weak, passwords. But did all the commentators miss an even bigger story connected to the hack?

Researchers from security firm Trustwave revealed how they discovered the stolen passwords on a hacker server in the Netherlands, and how a study of the stash confirmed what we already know about passwords: that many users think weak, predictable passwords are perfectly OK. Some of the most common passwords discovered on the server, and apparently favored by many users, included 123456, 11111, and, worst of all, password. Yes, the word password for a password. Maybe we're not explaining the whole concept of passwords properly.

But the other lesson that came from the discovery is how effective a little-known tool called a keylogger can be in fleecing passwords and other information from millions of computers. The initial suspect in this case was a keylogger, a small piece of malware that, once installed on a computer, will capture whatever the user types. And maybe even more. And there's a good chance that your antivirus software won't catch it. While the better antivirus brands are generally good at catching the most common malware, a study by the University of Alabama found that those same products only catch around 25% of the more advanced malware. And that's the stuff that can do the most harm.

But there was more relevant news. On the very day that media outlets around the world were railing at how bad the passwords were, a security firm in San Francisco called OPSWAT quietly revealed even worse news. When they planted a basic keylogger on one of their test computers and ran scans with more than 40 of the most popular antivirus products over two weeks, only one product caught the keylogger. Which probably means most consumers' antivirus won't either.


The Evolution of the Super Thief

Give a man an inch and he thinks he's a ruler. Keep ignoring identity thieves and you end up with a generation of Super Thieves who are skilled, cocky and almost impossible to catch.

I've worked with thousands of victims of identity theft, and hundreds of police departments and other law enforcement agencies. The biggest complaint I hear from victims is not about thieves but about law enforcement.

As most victims of identity theft will tell you, law enforcement is typically not very sympathetic to the crime or its victims. I'll occasionally come across a cop who really gets it - that identity theft can be a life-altering crime, and that even if there's not much law enforcement can do to investigate, at least a sympathetic ear can go a long way.

But such cops are as rare as bull's milk. Things got so bad in California that the legislature actually had to introduce legislation requiring law enforcement to take reports from identity theft victims, because so many police and sheriff's departments simply refused to.

And it's that indifference that has helped to create Super Thieves. Super Thieves are everywhere, in almost every community. More than four years ago, law enforcement in the city of Oakland, California, admitted to me that they had identified more than two dozen local identity theft gangs who operated in the city with almost complete impunity. And while most of these gangs started at the very bottom, they didn't linger there long.

Super Thieves are professional identity thieves who started out as anything but. They are usually criminals to start with, though petty ones, and often as a result of drug dependence. Their venture into the business of identity theft usually starts with the most basic of ground-floor crimes, like mail theft, check forgery, or dumpster diving. When they realize (a) it's very easy, (b) it's very lucrative, and (c) nobody seems to be chasing them, they get confident and even a little cocky. It's simply human nature. If you commit a crime that's easy and pays well, and realize that not only are cops not looking for you but they don't really seem to care at all about what you're doing, you're just going to keep doing it.


Flood of stolen identities forces hackers to reduce their prices

Have you any idea how much your identity is worth on the black market? And before you answer, remember that there's a difference between wholesale and retail. Wholesale is the price hackers charge other crooks for stolen information, like credit card numbers, Social Security numbers, and bank account information. Retail is the amount of money those crooks can make from the stolen identities they buy.

A couple of weeks ago, Dell SecureWorks put together a very compelling summary of exactly how much personal information goes for in the hacker world. Researchers at the company took a peek inside more than a dozen of the more active and professional underground hacker forums, a kind of data bazaar where hackers buy and sell people just like you.

And it seems there is so much stolen information in circulation and for sale that it's driving the prices down. Way down. Which could mean that hackers have to steal and sell even more information just to make a living.

Here's just a sampling of what SecureWorks found:


Why Holiday Security Tips Might Be A Waste of Time

Every year around this time, the only thing as certain as sales is the same worn-out old list of holiday safety tips being trotted out by a whole gaggle of security experts, wannabe experts, and people peddling products. And while these tips are important, especially around this time, I wonder if they work anymore. Or even if they ever worked.

I think the answer is yes, but only to generate some exposure for their authors. I have to admit, I was part of that posse. I started offering holiday security tips back in 2000 when I was the Director of Education for ZoneAlarm (killer firewall!). More recently, it was an annual tradition for me to dust off and tune up my own set of holiday safety tips, beautifully packaged as "The 12 Thefts of Christmas and How You Can Grinch Them!" They're retired now, so don't even ask.

In spite of the same predictable collection of tips on how to avoid identity theft and other scams, I don't see much movement in the consumer awareness needle. I still do plenty of town halls and community presentations, and get daily calls from victims, and I see little improvement in consumer commitment to self-defense.