Tag Archive for Security

Detroit Leader in Identity Fraud Rings

Motown has a new not-so-good title. ID Analytics' ID:A Labs has identified the metro Detroit area as one of the top areas for identity fraud. According to their research, there are over 10,000 identity fraud rings in the U.S., and the three-digit ZIP codes with the most fraud rings are around Washington DC; Tampa, FL; Greenville, MS; Macon, GA; Detroit; and Montgomery, AL.

The credit rating bureau says an identity fraud ring is a group of people actively collaborating to commit identity fraud. Help Net Security reports this study is the first to investigate the interconnections of identity manipulators and fraudsters to identify rings of criminals working in collaboration.

While many of these fraud rings involve two or more career criminals, surprisingly, others are family members or groups of friends. The article says that ring members operate by either stealing victims’ identities or improperly sharing and manipulating personal identifying information such as dates-of-birth (DOB) and Social Security numbers (SSNs) on applications for credit and services.

Other findings of the study include:

  • States with the highest numbers of fraud rings include Alabama, the Carolinas, Delaware, Georgia, Mississippi, and Texas.
  • While many fraud rings occur in cities, a surprisingly high number were also found in rural areas of the country.
  • A large number of families are working together in fraud rings, even using each other’s SSNs and DOBs. However, rings made up of friends are more common, with the majority of fraud rings made up of members with different last names.

“In this latest research, we have taken a broader approach, looking at connections among bad people rather than studying individual activity,” Dr. Stephen Coggeshall, chief technology officer of ID Analytics, said in the post. “This information enables us to build new variables into our fraud models so we can help our customers to make better decisions and improve protection for consumers.”

ID:A Labs looked at about 1.7 billion identity risk events including applications for credit cards, wireless phones, payday loans, utilities, and other financial services credit products. It also examined changes in personal identifying information among accounts, such as changes in name, address, DOB, and SSN, to identify over 10,000 fraud rings in the United States.

 

10,000 ID fraud gangs active in US, especially the Southeast, study finds

ID Analytics chart: the dots show concentrations of identity theft crime rings.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Scan Your Sclera for Security

Typing a password into your smartphone might be a reasonable way to access the sensitive information it holds, but a startup called EyeVerify thinks it would be easier—and more secure—to just look into the smartphone’s camera lens and move your eyes to the side: scan your sclera for security.

MIT Technology Review says that Kansas City, KS-based EyeVerify claims that its software can identify you by your “eye-prints,” the pattern of veins in the whites of your eyes. The firm claims the method is as accurate as a fingerprint or iris scan, without requiring any special hardware.

The company plans to roll out its security software next year. CEO and founder Toby Rush envisions a range of uses for it, including authenticating access to online medical records or bank accounts via smartphones. Mr. Rush told TR that phone manufacturers are interested in embedding the software into handsets so that many applications can use it for authenticating people, though he declined to name any prospective partners. The security software lets people unlock their mobile devices just by looking at them.

The article explains that the technology behind EyeVerify comes from Reza Derakhshani, associate professor of computer science and electrical engineering at the University of Missouri, Kansas City. Dr. Derakhshani, the company’s chief scientist, was a co-recipient of a patent for the eye-vein biometrics behind EyeVerify in 2008.

To the users, EyeVerify seems pretty simple (though somewhat awkward in its prototype stage, according to the article). To access data on a smartphone that’s locked with EyeVerify, the blog says you would look to the right or the left, enabling EyeVerify to capture eye-prints from each of your eyes with the camera on the back of the smartphone. (Eventually, EyeVerify expects to take advantage of a smartphone’s front-facing camera, but for now, the resolution is not high enough on most of these cameras, Rush says.) EyeVerify’s software processes the images, maps the veins in your eye, and matches that map against an eye-print stored on the phone.

EyeVerify CEO Rush says the software can tell the difference between a real person and an image of a person. It randomly challenges the smartphone’s camera to adjust settings such as focus, exposure, and white balance and checks whether it receives an appropriate response from the object it’s focused on.

The look of the veins in your eyes changes over time, and you might burst a blood vessel one day, the article speculates. But Mr. Rush says long-term changes would be slow enough that EyeVerify could “age” its template to adjust. And the software only needs one proper eye-print to authenticate you, so unless you bloody up both eyes, you should be able to use EyeVerify after a bar fight.

EyeVerify still needs to do more to prove that. Mr. Rush says that in tests of 96 people, the eye-print system was 99.97 percent accurate. The company is working with Purdue University researchers to judge the accuracy of its software on 250 subjects—or another 500 eyes.

Mr. Rush’s favorite application is for voters on Election Day. “Being able to vote from the convenience of my house, I can already send in a mail-in ballot, why not verify biometrically here and simply vote?” he told Fox News.

rb-

The end-user will be the fundamental roadblock to any eye-based biometrics. Traditionally, anything related to eye recognition has received strong resistance, because it is just human nature to be squeamish about having our eyes scanned.

I covered the challenges of biometrics here. As long as this technology is limited to smartphones, some but not all biometrics issues remain:

  1. What is the real-world sensitivity/specificity trade-off, i.e., quantified False Positive and False Negative error rates?
  2. Revocability. What happens if the mobile device is lost? What is the strategy to cancel and reissue a pair of eyes?

Despite the concerns, scanning your sclera for security is coming to an iPhone near you.

Disposal Dummies Cause Privacy Problems

The article Disposal Dummies Cause Privacy Problems, posted at SecureWorld Post by Rebecca Herold, lays out the privacy problems caused by dumb disposal policies. The article claims that trash-based breaches are worse than ever.

The oldest security and privacy problem, unsecured disposal of personal information, is as prevalent today as it was centuries ago, reports the author. She says that because of the rapidly growing amount of data (EMC (EMC) and IDC claim that data is doubling every two years), along with print information, there are even more ways in which disposal-related breaches are occurring.

The blog outlines some of the most common and egregious “disposal dummy” security and privacy mistakes:

  • Donating print documents with personal information on them to outside groups, like pre-schools and community groups, to use as scrap paper.
  • Selling computers, smartphones, copiers, fax machines, and other computing devices, to recoup some of the investment, but not irreversibly removing the data before the sale.
  • Putting digital storage devices in the trash without first irreversibly removing the data.
  • Putting print documents containing personal information into unsecured dumpsters, and not shredding them.
  • Never throwing away no-longer-needed hard copy and digital devices; letting them accumulate in storage areas, with inadequate or no security, allowing them to be taken by anyone who happens along.

Data disposal is important: the article states that breaches caused by poor disposal activities have become so bad that a growing number of laws explicitly cover disposal, and bills are being proposed at the state and federal levels. The Disposal Rule (part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)) has been in effect since 2005. The blog says FACTA has many very specific requirements that basically all types of businesses, of all sizes, that do most types of credit checks must follow when disposing of information in all forms.

In Michigan, data destruction requirements are covered in the Identity Theft Protection Act, MCL Section 445.72a, which covers the required destruction of data containing personal information, violation as a misdemeanor, the fine, compliance, and the definition of “destroy.”

Besides the fact that secure information disposal is now a legal requirement for most businesses, it makes sense to dispose of information securely to prevent privacy breaches. By having effective disposal policies, procedures, and supporting technologies in place, businesses demonstrate reasonable due diligence.

Ms. Herold argues that all organizations, from the smallest to the largest, need to follow proper information disposal practices or they will experience significant privacy breaches and non-compliance penalties. She presents an action plan to get started:

  • Assign overall responsibility for information security and privacy compliance to a position or department within your organization, which will include responsibility for the disposal of information in all forms.
  • Perform a disposal risk assessment to find exactly how your organization really disposes of all types of information.
  • Create information disposal policies and procedures, or update existing ones, based upon the results of the disposal risk assessment.

The policies and procedures need to include the following actions:

  • Locate, inventory, and gather at the end of their business usefulness all types of digital storage devices, including CDs, DVDs, USB drives, external drives, tapes (yes, many organizations still use them), microfiche (yes, these too), and any other type of storage media.
  • Inventory all types of computing equipment, including not just the “traditional” computers, but also devices such as printers, fax machines, copiers, smartphones, MP3 devices, and any other types of devices that do computing activities.
  • Define acceptable shredding methods and locations for paper documents. Finely cross-shredding hard copy information is recommended, as well as ensuring any contracted shredding company does such shredding on-site.
  • Define acceptable methods of irreversibly removing data from computing and digital storage devices. Degaussers are still often used, in addition to contracted services to wipe storage devices clean.
  • Make sure you include information backups, and all types of information archives, in your disposal procedures. These items are typically overlooked, and many breaches have resulted from such items.

The bottom line for all organizations, the author argues, is: You need to make sure there are proper safeguards for information, computing, and storage devices during the disposal process.

The author concludes with some recommended resources and articles to aid you with improving your own personal, and organizational, disposal practices:


Is Cloud-Based Anti-Virus Ready?

Cloud computing technology is one of the most disruptive technologies in recent history. Xath Cruz at CloudTimes argues in a recent article that cloud computing is also disrupting security software such as anti-virus, and he asks how effective cloud-based anti-viruses are.

The article, How Effective are Cloud-Based Anti-Viruses?, claims the demand for cloud-based anti-virus software has gone up steadily as more cloud-dependent computing devices have invaded the market. Cloud-dependent computing devices like iPads, Nooks, iPhones, and Galaxys are as susceptible to malware as their big desktop brethren.

In order to fight the malware threats to cloud-dependent computing devices, cloud-based anti-virus has evolved. Cloud-based anti-virus works differently than popular cloud-based document editors like Google Docs, where you only need a web browser and internet access. The blog post explains that cloud-based anti-virus software can’t function if it’s only in the cloud, since your PC won’t easily give the right kind of administrative access needed by antivirus software to programs hosted remotely, as that would leave your PC at risk of being intruded upon by other programs.

In order to protect a PC, tablet, or smartphone, cloud-based anti-virus software requires a small native app to run on the device. When downloaded, the app acts as the anti-virus, with its database and heuristics data being hosted on the cloud. There is also cloud-based anti-virus software that uses web browser extensions or ActiveX and Java to gain proper access to your PC.

Like any technology, cloud-based antivirus software has specific pros and cons when compared to native anti-virus suites. Mr. Cruz lays out some of the pros and cons of cloud-based anti-virus:

Cloud advantages

1. No Installation Required – The first advantage of cloud-based anti-virus is that there’s no need to install it on your PC. Cloud-based anti-virus does not eat up hard disk space, with its storage and memory footprint being a fraction of what local anti-virus needs. Additionally, you can get it up and running immediately, and there’s no likelihood of messing up the installation (which usually results in a non-working antivirus or corrupted file volume).

2. No Updating Necessary – With cloud-based anti-virus, there is no need to update data files, since it’s hosted on the cloud, and will automatically be patched or updated by the provider. This will offer the latest in protection when it becomes available.

3. Double Security Layer – With cloud-based anti-virus software, it is possible to run a locally installed anti-malware app and run another different cloud-based antivirus without worrying about conflicts or PC slowdown. Different anti-virus products are better able to catch or inoculate against different viruses.

4. An advantage of cloud-based anti-virus software the author missed is collective or community intelligence. SearchSecurity reports that when a system identifies malware, it’s able to give feedback to the cloud anti-malware provider, thus providing a wider surface area for rapidly detecting 0-day attacks.

Cloud disadvantages

1. Won’t Run in the Background – Cloud-based anti-viruses are not effective against viruses that run on startup. Cloud-based anti-viruses are not TSR (terminate and stay resident) programs and only run on an as-needed basis.

2. Limited Scan – Cloud-based anti-viruses risk missing dormant viruses in unopened or archived files. Windows’ security protocols will prevent some cloud anti-viruses from scanning the computer. They will only be able to scan core Windows files and what’s currently loaded in memory.

3. It Requires an Internet Connection – Cloud-based anti-virus is useless without access to the Internet. This is a problem for portable device users who can’t be connected 24×7. Without an Internet connection, viruses will be free to do whatever they want.

rb-

The author concludes that, for the best protection your PC can get, you need to use the services of both a locally installed anti-virus software and a cloud-based one.

The main concern I have about cloud-based anti-virus apps is downtime. Cloud providers like Microsoft and Amazon have had issues lately providing their services. Downtime at the upstream ISP on the LAN can also play havoc with cloud-based anti-malware apps.


Protecting Print Devices from Malware

Printer/copier firm Xerox and anti-malware firm McAfee revealed new protection against malware and viruses: the first networked multifunction printer to use McAfee Embedded Control software, a filtering method that allows only approved programs to get through, to protect print devices from malware.

Tom Moore, vice president, Embedded Security, McAfee, told Help Net Security in a recent article, “When a multifunction device receives data and processes it for printing, copying, scanning or faxing, it becomes susceptible to malware attacks, a susceptibility that often is overlooked.”

The Xerox and McAfee security solution simplifies processes for IT administrators with software embedded into a multifunction device’s controller to give an immediate alert and audit trail to track and investigate the time and origin of security threats – and take action. The blog says this eliminates the need for IT administrators to constantly stay on top of malware threats and proactively block them.

Survey data from Xerox (XRX) and McAfee underscores the need for embedded security in networked printers and multifunction devices. In a poll of office workers taken earlier this year, 33% say they don’t always follow their company’s IT security policies, and 21% aren’t aware of the company’s IT security policies.

The survey also showed 39% of employees who copy, scan or print confidential information at work say they wonder whether information like customer credit card numbers, financial reports, human resources, and tax documents will remain secure on a networked device.

“IT administrators don’t always consider printers as a threat – and with the Embedded Control software, we’ve put up even more defenses in our products so they don’t have to,” said Rick Dastin, president, Xerox Office and Solutions Business Group.

Xerox devices protected and managed by McAfee Embedded Control and McAfee Embedded Management software will become available beginning in 2013, with products in the Xerox WorkCentre and ColorQube product lines.

rb-

Finally, some tangible results from Intel’s (INTC) acquisition of McAfee. We use McAfee where I manage shared technical services, and we just rolled out version 8.8, which says Intel on it.

I have covered the risks of putting multifunction devices on your network here, here, and here. This is not what I expected; maybe this is the first evolution before Intel builds McAfee anti-virus into a chip that goes on the mainboard or even right into the processor as a way to protect print devices from malware.
