On-line Job Application Scam

As if job-seekers didn’t have it hard enough, the Better Business Bureau of Abilene, TX posted warnings about on-line job application scams that trick applicants into providing personal information.

http://abilene.bbb.org/article/score-a-job–not-a-scam-28725

The scammers were smart to target people who are willing to provide whatever information it takes to get hired by an employer. Your resume usually contains your contact information and your employment history. With the job market tightening up and many employers referring applicants to websites, it is no wonder that social engineers recognized this as a way to steal identities on a large scale. With the publicity of websites like LinkedIn.com and Monster.com it was inevitable that scammers would create copy-cat websites or fake Craigslist postings. Some scammers were even able to convince applicants to provide direct-deposit information or send money to the fake companies!

As we all prepare to look for Co-Op and permanent jobs, it is best to watch out for the red flags of a scam, as suggested by the Better Business Bureau.

  1. Grammatical and/or spelling errors on application websites or in e-mails.
  2. E-mails from job posting websites claiming there’s a problem with a job hunter’s account.
  3. An employer asks for extensive personal information such as social security or bank account numbers.
  4. An employer offers the opportunity to become rich without leaving home.
  5. An employer asks for money upfront.
  6. The salary and benefits offered seem too good to be true.
  7. The job requires the employee to wire money through Western Union or MoneyGram.

Overall, be sure to know the company that you are applying to. Do some research and make some telephone calls to be sure that the company and website are legitimate. And remember that if it sounds too good to be true, it probably is!

Behavioral monitoring malware

Behavioral monitoring malware is a new class of malware that mines many of the social networking sites for behavioral patterns. What I mean by behavioral patterns is that it will monitor what kind of websites you like, who you associate with, and the kinds of things you buy. This kind of information is a goldmine for marketers. It allows them to build profiles of individuals beyond the broad scope of sex, age, and location. Now they can know that you’re friends with x, y, and z, or that you’re a Chihuahua enthusiast who loves NASCAR. This kind of information can be more insidious than more conventional malware.

Through this information they could then target ads just for you or, extending beyond marketing, unique attacks. We’ve talked about phishing attempts before in class and how it’s always a kind of broad message to get as many people as possible. Thanks to behavioral pattern malware they can now easily tailor specific attacks just for you, even if you’re some nobody. The usual malware targets things like credit cards or accounts and passwords. While these can cause trouble and be an inconvenience, you can at least cancel a credit card or change your password. But once they know who you are, you’re in trouble. You can’t just change everything about yourself. You’re not going to get rid of your friends and family and stop liking the things you do.

One of the interesting technical aspects of this malware is that it’s able to recognize who is on the fringe of social connections. That is, if I’m someone who posts prolifically on Twitter or Facebook and have lots of followers/friends, I’m going to stand out as a greater target compared to someone who has very few. Since I would have lots of connections, I become a greater target because through my connections it can move on to new targets. Another interesting thing is that it infects unconventionally compared to the usual malware. Most malware attempts to infect as many devices as fast as possible, while behavioral pattern malware would want to take its time in order to go unnoticed and collect as much information as it could.

http://www.pcworld.com/article/207659/malware_aimed_at_social_networks_may_steal_your_reality.html

Preventing skimming

For those who don’t know, skimming is when a person records the information on a credit or debit card without the owner’s permission, and in most cases without them knowing. Skimming has been going on for a long time and continues to be a big issue. Just recently a German man was sentenced to three years in prison for bringing skimming equipment into the UK. SANS had an article about this in its NewsBites that read:

A German man has been sentenced to three years in prison for bringing card skimming technology into the UK. Thomas Beeckmann was arrested at Victoria Station in London in June; investigators say he was carrying sophisticated skimming equipment, some of which would allow users to retrieve data captured by skimmers through Bluetooth technology from a distance of 100 meters. Beeckmann’s sentence includes time for refusing to divulge his laptop encryption password to law enforcement officials as well as for possessing skimming equipment.
-http://www.bbc.co.uk/news/technology-15312057
-http://www.h-online.com/security/news/item/Sentenced-German-engineer-modified-card-terminals-for-criminal-gangs-1362217.html

Law enforcement in the United States as well as other countries is continuously investigating skimming attacks. But the problem I have found is that even with investigations and prison sentences, skimming attacks are still too easy to perform with little risk of getting caught. Equipment to perform simple skimming attacks is very easy to come by; a simple search around the internet and you can find a place to purchase some equipment at not too high a price. Also, people don’t really watch out for skimming much, which makes it easy to get away with. If people don’t know it’s happening, they’re not going to report it to the police. An article at merchantequip.com said:

Skimming most commonly occurs in restaurants, where the card owner loses contact with the card and a purchase is made. It takes about two seconds to scan a card through a portable reader, and the reader records all of the information on the credit card. Portable card readers are small enough that someone could easily conceal one in the pocket, sleeve, and even in their hand.

Which brings up the question: how many people even think about what’s happening to their card when they give it to the waiter or waitress at a restaurant?

What to do to prevent skimming? I doubt it will ever just stop happening, so the best thing to do is just be aware of how it can happen, and watch out for it. If you’re careful about how you use your card, and who you give it to, there’s less chance your card’s information will be stolen.

Risk map – ATM machines

For this week's blog I decided to respond to what we talked about in class, regarding analyzing and creating risk maps for various things. The idea of creating risk maps is a helpful tool and should be used in the creation of basically anything, as it allows us to understand what could potentially go wrong and helps us to plan ahead to avoid various problems. I have chosen ATM machines as my subject because they are high risk and yet vital machines that a lot of people depend on, on a daily basis. ATM machines are almost necessary even in an age where most people are using cards for most transactions, but sometimes cash is necessary, and even though I am charged a fee by both my bank and the ATM, I find myself still using them due to the fact that they are conveniently placed in most banks/restaurants/gas stations.

For ATM machines, security is the name of the game; there are a lot of potential dangers for an ATM machine. First and foremost you must find a secure location that also has high traffic volumes. The location needs to be easily and conveniently accessible by the public, but also profitable for the company. If the ATM is outside then you must worry about things like weather, graffiti, and potential risk to people who are using it while exposed to an open area. Inside or outside, the ATM is vulnerable to general abuse from the public, and that must be taken into consideration when designing the machine itself; it should be durable and able to handle the volumes of people using it. I also wanted to blog on this so that I could include the technical risks involved, including hackers who can set up skimmers and take personal information from someone who has used that machine. The ATM can be considered a risk to all parties involved and can harm the people who own it, who store it at their location, and the people who use it.

The ATM is prone to a lot of different risks, but has some pretty basic defenses that can keep it safe and intact. Most ATMs have a camera built in, and if it is in a place of business then it can easily be watched, but if it's in a crowded place then it is still vulnerable. I don't have any risk maps drawn out, but I wanted to name off a few and where they fit in.

1. Graffiti: medium likelihood (based on location and whether it's outside), low risk.
2. Weather: again depends on location, but for the most part low likelihood, low risk.
3. People abusing the ATM: low likelihood, high risk.
4. Hackers: low likelihood, very high risk.
5. Getting mugged: low-medium likelihood (depends on area), high risk.
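To actually draw the map the post describes, here is an added Python example (not part of the original post) that encodes the five ATM items above, scores a "low-medium" style range at its higher end so the planning is conservative, ranks the risks, and renders the likelihood-by-impact grid. The numeric scales and the tie-breaking rule are my assumptions, not the author's.

```python
"""Risk map for an ATM: added example, scales and entries are an assumed encoding of the post's list."""
from dataclasses import dataclass

# Ordinal scales (assumed). Higher number = worse.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3, "very high": 4}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # a label, or an "a-b" range such as "low-medium"
    impact: str      # a label from IMPACT


def ordinal(label: str, scale: dict) -> int:
    """Map a label or an 'a-b' range to a score, taking the worse end of a range."""
    parts = [p.strip().lower() for p in label.split("-")]
    unknown = [p for p in parts if p not in scale]
    if unknown:
        raise ValueError(f"unknown scale label(s) {unknown} in {label!r}")
    return max(scale[p] for p in parts)


def score(risk: Risk) -> int:
    """Classic likelihood x impact product."""
    return ordinal(risk.likelihood, LIKELIHOOD) * ordinal(risk.impact, IMPACT)


def rank(risks: list) -> list:
    """Highest score first; ties go to the higher impact, so a rare but severe
    event (hackers with skimmers) is planned for before a frequent nuisance."""
    return sorted(risks, key=lambda r: (score(r), ordinal(r.impact, IMPACT)), reverse=True)


def render(risks: list, width: int = 22) -> str:
    """ASCII risk map: rows are likelihood (high at top), columns are impact."""
    cells = {}
    for r in risks:
        key = (ordinal(r.likelihood, LIKELIHOOD), ordinal(r.impact, IMPACT))
        cells.setdefault(key, []).append(r.name)
    cols = sorted(IMPACT.items(), key=lambda kv: kv[1])
    lines = ["likelihood \\ impact".ljust(width) + "".join(n.ljust(width) for n, _ in cols)]
    for lname, lval in sorted(LIKELIHOOD.items(), key=lambda kv: -kv[1]):
        row = lname.ljust(width)
        for _, ival in cols:
            row += ", ".join(cells.get((lval, ival), [])).ljust(width)
        lines.append(row.rstrip())
    return "\n".join(lines)


# The five items from the post, encoded as constructed sample input.
ATM_RISKS = [
    Risk("Graffiti", "medium", "low"),
    Risk("Weather", "low", "low"),
    Risk("People abusing the ATM", "low", "high"),
    Risk("Hackers", "low", "very high"),
    Risk("Getting mugged", "low-medium", "high"),
]

if __name__ == "__main__":
    print(render(ATM_RISKS))
    for r in rank(ATM_RISKS):
        print(f"{score(r):>2}  {r.name}")
```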

Pastebin – A source for leaked information in the world

Hackers have used the website Pastebin to post information about JP Morgan Chase CEO James Dimon. The hackers, “CabinCr3w”, were able to post information about James Dimon’s addresses, family, business connections, political contributions and legal information.

These hackers have also been responsible for posting the personal information of Goldman Sachs CEO Lloyd Blankfein and of New York Police Deputy Inspector Anthony Bologna.

This is a concern to all Americans because this information was posted for the whole world to see, and it is unknown what someone who has a problem with that individual could do, or may be capable of doing, with it.

There have already been numerous protests where the demonstrators are protesting a US financial system that they claim favors the wealthy at the expense of everyone else. These protests, which began about two weeks ago, have already attracted thousands of participants and garnered the support of Noam Chomsky, students, and organized labor groups.

The major concern is that hackers are now using public websites to get mass amounts of information to hundreds of thousands of people at one time, and to get many people to believe the ideas and theories of an individual or group, which can allow that group or individual to manipulate people into doing things that they would not otherwise think or do. These websites should be a concern to all people and should be monitored for information that would harm or have a major impact on an individual.


3D Printers used for Skimming

Criminals are getting more sophisticated with ATM skimmers. A skimming gang recently stole more than $400,000 using ATM skimmers made with a 3D printer. Up until this point, skimmers were usually made by hand and carefully modeled to blend in with the ATM. Last year, a 3D printing company denied an order to print an ATM skimmer, while back in June, four men were indicted who authorities said had reinvested their “profits” from skimming into a 3D printer.

Franky De Schouwer, from a leading 3D printer manufacturer, says a high quality 3D printer can cost as much as $20,000. He also said that 3D printers would be able to “print a high quality skimming device that, including some post finishing, will look like the real thing.”

A possible solution to counter these new skimmers made with 3D printers is to use security seals near the card reader on the ATM. Criminals would have a hard time replicating these seals, but the downside is that customers may not know the difference between a real and a fake seal.

Biometric Security

Biometric security is really useful in the world of today. Securing passwords is easier than ever, and the methods of accessing personal information are much more secure. With the swipe of a finger or scan of a face, a user is able to log into online bank accounts and gain access to email accounts.

Biometric security is one of the oldest forms of security, and nowadays it’s becoming more popular. Many businesses today incorporate the use of biometrics, and many consumer electronics today are equipped with biometric sensors. According to the article, there is an expected growth for mobile-phone-embedded biometric security solutions; to be more specific, an increase from four million to 39 million users by 2015.

This could bring positives and negatives. Sure, it could keep data safe from hackers or prevent unauthorized entry to accounts, but it could cause hackers to become more advanced. Not that hackers are not already becoming more advanced.

For example, hackers might have no choice but to try and gain possession of another person’s fingerprint. It might be OK if someone found out another person’s password, but if a fingerprint were to be stolen then that would be bad.

Sources: http://www.homelandsecuritynewswire.net/strong-growth-mobile-phone-embedded-biometric-security-solutions


Biometric Authentication Systems

Many companies are now looking for ways to leave behind the “password”. The problem with using passwords is human error. Many people usually just make really simple passwords that are easy for them to type and/or remember. Many times it’s not just simple passwords, but rather some employees are willing to trust anyone with their password. This leaves a huge security risk for companies because many of their employees have access to sensitive information, and if their account is compromised then there will be problems.

Biometric security systems fix many of the problems with passwords. Biometrics provides faster access to secure documents, which in the end leaves employees happy. It also prevents people from letting others know their password, because you can’t really lend a finger or eyeball. Biometrics is improving and now offers things like USB fingerprint scanners which allow users to easily access their account from multiple systems. They are also developing biometrics for mobile platforms, which will give users even more ways to access their accounts. Biometrics still has security risks, but it is much more secure than passwords.

iPhone, Android owners worry about security, don’t know what to do.

According to recent data by the NPD Group, users of both platforms are worried about having their credit card info stolen, device theft, hackers accessing personal information, harmful apps, and unwanted location tracking. Few do anything more than worry, though.

Android users showed more concern than iPhone users, but in general both had the same percentages of worry in all categories. NPD expressed concern, however, in the low number of users who had taken any kind of security measures—the firm said that more than 25 percent of all smartphone owners (35 percent of iPhone owners) had no idea how to acquire any kind of security software for their devices. And among those who did know but still had no security products installed, one quarter said they were too expensive.

“Consumers are both unaware of security for their phones and reluctant to pay for it when they are aware,” NPD’s Stephen Baker said in a statement.

This is one area where Android users—the ones who know how to obtain security software—are much more conscientious than iPhone owners. NPD says 30 percent of Android users have some kind of security product installed, compared to only 6 percent of iPhone owners.

This seems like a problem of user education: since most phones in the past were controlled by telecom companies and the manufacturers, users never had to worry about viruses or people stealing their personal information. Now threats are beginning to emerge and no one knows what to get or who to trust. Apple and Google should advise people on best practices for their devices.

Source: http://arstechnica.com/apple/news/2011/09/iphone-android-users-worry-about-security-but-dont-know-what-to-do.ars


Without unreasonable delay

Reading this article in the Boston Globe made me think about how often people are actually notified when their personal data is compromised. When customers’ personal data was stolen from Sony (as mentioned in the article) I was only informed by reading a short notice on my PS3 once when I turned it on. That was it…that is all I got. Apparently they also sent out emails but I can’t recall getting one; more than likely it went into my SPAM folder with all the garbage I get trying to sell me more games. So I decided to do a little digging and it seems that the US Senate is in the process of enacting a bill to make it a federal law requiring companies to inform consumers whenever there is a security breach that could have possibly compromised personal information. It seems that almost all states already have such laws, but since the compromised information may be held by a company based in a different state (i.e. most credit card companies are based in Delaware) a federal law would be more effective.

I also see that while many states have the laws in place…several of them don’t have any penalty for not abiding by it. Here’s what I mean. Let’s compare NY and Indiana…

New York

Breach Notification Law: N.Y. Gen. Bus. Law § 899-aa S3760
Notification Requirement: Most expedient time possible, without unreasonable delay
Other Requirements: Encryption standard mandated
Summary: Civil or criminal penalty for failure to promptly disclose

Indiana

Breach Notification Law: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq., 2009 H.B. 1121
Notification Requirement: Without unreasonable delay
Summary: No civil or criminal penalty for failure to promptly disclose

The bolded portion above shows that New York will (theoretically) penalize a company for not notifying a person of potentially compromised data, but Indiana has no penalty whatsoever. What good is a law that can’t be enforced? And what the heck is “without unreasonable delay”?

I was relieved (for a moment) to read that the penalty is often very severe and can cost a company dearly, but quickly my concern returned as, just a few sentences later, I read that if “the personal information on the stolen device was properly encrypted… notification is not always required.”

So there could be someone out there right now, with a stolen laptop containing all your personal data, with as long as they need to crack the encryption…and you would have no way of knowing, because the company doesn’t have to tell you since they had “proper encryption”, whatever that is.

Here’s the article and website where I got the quotes:

http://articles.boston.com/2011-09-21/business/30185263_1_data-breaches-data-thieves-data-leaks

http://www.credant.com/solutions/solutions-for-compliance/state-data-breach-laws.html (keep in mind when reading this that the ‘data’ is provided by a company trying to sell something.)