Tag Archives: cybercrime

Paul Lubic Jr. – A Man on a Cybersecurity Mission

Staying malware free on the Internet – managing privacy issues – reducing exposure to predators and scam artists (a seemingly inexhaustible list of threats) – takes effort. Increasingly – a major effort.

That effort must include a serious, conscientious, and effective commitment to becoming educated in both the technical and sociological issues that impact your relationship with the Internet. Oh yes – you have a relationship with the Internet. Who knew?

How successful you are likely to be, will depend to a large extent on the source material you reference. Unfortunately, the nature of the Internet is such, that not all resources will be equally as effective in helping you reach your goal.

Citizen Journalism is a good thing – but, in the real world of Internet and system security – expert opinion, coupled with the ability to convert technical information into human readable form (not so easy) – is critical. If you can’t understand what’s being said………

One expert that I’ve come to rely on (and, you can as well), is my good friend and fellow blogger, Paul Lubic Jr. (Paul’s Internet Security Blog).

Paul, a cyber-security expert whose professional background includes cyber-terror prevention and preparedness (Homeland Security), is committed to his mission to cultivate a new level of cyber security awareness in his readers.

In a major effort to help educate that readership base, Paul has just completed a four part series that should be on all Internet users’ “must read” list. I’ve taken the intros (as posted below), from Paul’s site, so that you can easily judge your interest level in any one of those articles. Simply click on – “Continue reading” – to uh, continue reading.

Target: Social Networking Sites

Social Networks is the first in a series of “Target” articles, discussing the various areas the cybercrime organizations are attacking. Unfortunately for computer users, our Internet environment is, as the military would say, “a target rich environment”. By social networking sites we refer to Facebook, Twitter, and LinkedIn.

As we’ve mentioned in the past, global cybercrime is organized and the organizations resemble a hybrid of a mafia and a large corporation. Continue reading →

Target: Mobile Devices

Target: Mobile Devices is the second installment of the series of “Target” articles, discussing the various areas the cybercrime organizations are attacking. Unfortunately for computer users, our Internet environment is, as the military would say, “a target rich environment”. See Target: Social Networking Sites, the first article, to get some background on the tactics and strategies of cyber crime organizations.

Mobile devices include smartphones, tablets, PDAs, or any small, handheld computing device that can access the Internet. Continue reading →

Target: Cloud Storage Databases

Cloud storage databases are large server (computer) farms, accessible over the Internet, and owned by a service company for storing customer data for a fee. See The Cloud: A Definition. Companies rent storage space in the cloud to lower their local storage requirements, or as a backup of their data, thus saving them money. Cyber criminal organizations target these very large databases to steal information Continue reading →

Target: eBay, Amazon, & Credit Card Processors

The last (for now) installment of our Target series of articles addresses the large repositories of credit card information such as eBay, Amazon, and of course credit card processors for MasterCard and Visa. They’re huge, they use computers and the Internet to conduct their business, and there’s a market for credit card account information; and…you guessed it: personally identifiable information (PII).

Yes, we’re talking about extremely well-known, successful companies who undoubtedly have the best computer and Internet security money can buy. However, those attributes also make them more of a target in terms of Continue reading →

Avoid Accidents On The Internet Highway By Patching Your OS AND Applications

This morning, I read Ed Bott’s latest (Bott is a favorite of mine) – If your PC picks up a virus, whose fault is it? Here’s a summary –

Want to avoid being attacked by viruses and other malware? Two recent studies reveal the secret: regular patching. A fully patched system with a firewall enabled offers almost complete protection against drive-by attacks and outside intruders.

While reading through Bott’s  article, I was certainly put in mind of Yogi Berra’s often quoted “This is like deja vu all over again.” Current Internet security, and the best practices associated with it, really is “deja vu all over again” – and over, and over, and over. The fundamentals haven’t changed. Common sense is as much in vogue now, as it ever was.

In his article (which is worth a read), Bott relies on two recently released studies to bolster his point, that staying safe online, begins with “regular patching …….. the single most important element in any security program”.

Since the underlying theme is something I hammer on here, on a regular basis, it goes without saying that I agree with Bott, and the data generated in the studies. With that in mind, I’m reposting an article which I wrote in July 2010 – If You Get A Malware Infection Who’s Fault Is It Really? – which underscores the importance of patching not only the operating system, but the often neglected patching of installed applications.

If You Get A Malware Infection Who’s Fault Is It Really?

The security industry, especially security analysts, and for that matter, computer users at large, love to dump on Microsoft when they get a malware infection. If only Microsoft got their act together, the theory goes, and hardened Windows more appropriately, we wouldn’t have to deal with this nonsense.

But, what if it isn’t entirely Microsoft’s fault? What if it’s really a shared responsibility split between Microsoft, third party software developers, and the user?

From time to time, I’m accused of being “too frank”; usually on those occasions when diplomacy needs to be put aside, so that realities can be dealt with. For example, I’ve left myself open to criticism, in some quarters, by stating on more than one occasion –

It has been my experience, that when a malware infection occurs, it’s generally safe to say, the user is, more often than not, responsible for their own misfortune.

Computer users, by and large, are lackadaisical in securing their computers against threats to their Internet safety and security.

Strong statements I’ll admit, but if you consider the following, which I have repeated over and over, you’ll understand why I feel comfortable making this statement.

Not all users make use of Microsoft’s Windows Update so that they are current with operating system critical updates, and security fixes. More to the point, few users have given consideration to the vulnerabilities that exist in third party productivity applications and utilities.

Unless you monitor your system for insecure and unpatched software installations, you have left a huge gap in your defenses – it’s just plain common sense.

The just released Secunia Half Year Report – 2010, which shows “an alarming development in 3rd party program vulnerabilities, representing an increasing threat to both users and business, which, however, continues to be greatly ignored”, supports my view that security is a shared responsibility, and that blaming Microsoft simply ignores the reality.

The report goes on to conclude, “users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring 3rd party programs, and finding the actions to secure these too complex and time-consuming. Ultimately this leads to incomplete patch levels of the 3rd party programs, representing rewarding and effective targets for criminals.”

Key highlights of the Secunia Half Year Report 2010:

Since 2005, no significant up-, or downward trend in the total number of vulnerabilities in the more than 29,000 products covered by Secunia Vulnerability Intelligence was observed.

A group of ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe, and Cisco, account on average for 38 percent of all vulnerabilities disclosed per year.

In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010, to 760.

During the first six months of 2010, 380 vulnerabilities or 89% of the figures for all of 2009 has already been reached.

A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.

The full report (PDF), is available here.

Each week, I receive the Qualys Vulnerability Report, and I never fail to be astonished by the huge number of application vulnerabilities listed in this report. I’ve always felt, that the software industry should thank their “lucky stars”, that this report is not particularly well known outside the professional IT security community. It’s that scary.

There is a solution to this quandary however – the Secunia Personal Software Inspector (PSI).

PSI constantly monitors your system for insecure software installations, notifies you when an insecure application is installed, and even provides you with detailed instructions for updating the application when available.

ZD Net, one of my favorite web sites, has stated “Secunia Personal Software Inspector, quite possibly the most useful and important free application you can have running on your Windows machine”. In my view, this is not an overstatement.

Installing this small free application will definitely assist you in identifying possible security leaks; give it a try.

Quick facts:

The Secunia PSI is free for private use.

Downloaded over 800,000 times

Allows you to secure your PC – Patch your applications – Be proactive

Scans for Insecure and End-of-Life applications

Verifies that all Microsoft patches are applied

Tracks your patch-performance week by week

Direct and easy access to security patches.

Detects more than 300,000 unique application versions

Provides a detailed report of missing security related updates

Provides a tabbed report which indicates programs that are no longer supported – programs with all known patches – insecure programs, etc.

Provides a Toolbox offering a set of links which helps you assess a problem and how you can resolve it.

System Requirements: Windows 2000, XP 32/64bit, Vista 32/64bit, and Win 7 32/64bit.

Download at: Secunia

Bonus: Do it in the Cloud – The Secunia Online Software Inspector, (OSI), is a fast way to scan your PC for the most common programs and vulnerabilities; checking if your PC has a minimum security baseline against known patched vulnerabilities.

System Requirements: Windows 2000, XP 32/64bit, Vista 32/64bit, and Win 7 32/64bit.

Link: Secunia Online Software Inspector

As an added bonus for users, Secunia provides a forum where PSI users can discuss patching, product updates, exploits, the PSI, and anything else security-related.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

My ID Score – Assess Your Identity Theft Score With This Free Tool

Unless you’re in the cyber security business, it’s unlikely that you’re aware of this rather startling statistic – a cyber crime goes down every ¼ of a second.

It’s just as unlikely that you’re aware of these statistics:

One in four consumers is a cybercrime victim.

An identity is stolen every three seconds online.

Nearly 10 million people have reported identity theft in the U.S. alone, in the last 12 months.

There’s a popular misconception, held by most people, that they’re just not worth a cyber criminal’s time or effort. This is another cyber security myth. Cyber criminals will steal you blind, no matter how much, or how little, you have.

The free Norton Online Risk Calculator, recently released by Symantec, will help you evaluate how valuable you are to the cybercriminal economy. The calculator is easy to use, and bases its assessment on a number of simple questions  concerning your net usage.

Please consider taking this test. If you are aware of just how much value you have as a victim, I’m sure you will take all the appropriate steps to ensure you don’t become a victim.

One of those steps should be developing an awareness of the risk you face of having to contend with the aftermath of identity theft. And, to make that assessment easier, My ID Score offers a free risk assessment tool.

Unfortunately, this tool is only available to residents of the US, and since I live in Canada, it’s not possible for me to test this service. Nevertheless, in the interest of keeping you safe, the following information has been taken directly from the developer’s site.

My ID Score gives you real–time actionable insight into the risk of you becoming a victim of identity theft.

My ID Score is a statistical score that’s based on technology currently used by leading communications, financial services, retail companies, healthcare providers, government agencies, and consumers to assess your risk of identity theft. These companies use ID Analytics’ scoring technology to ensure that fraudsters do not apply for goods and services in an innocent consumer’s name.

My ID Score calculates identity risk by looking at the use of billions of identity elements like name, Social Security number, phone number, date of birth, and address across multiple industries.

Get Real-Time Insight Into Your Risk of Identity Theft

My ID Score is a quick, easy, and free way to assess the risk that your identity is being misused. It can be an essential fraud detection and early-warning tool for consumers who are concerned about identity theft.

Detect Misuse

Detect the possible misuse of your identity as early as possible.

Take Control

Take the necessary steps to control your identity.

Peace of Mind

Technology used by Fortune 100 companies is now available to you.

The process seems simple enough, as the following screen captures indicate.

Given the high incidence of identity theft, it seems prudent to develop as much information as possible on the risk factors you might be facing. I can’t endorse this service without a thorough test, but I do recommend that you check out the developer’s site – you might find that this is a worthwhile resource.

Global Cyber Crime: The Playing Field, The Players – The Perfect Storm

Guest writer Paul E. Lubic, Jr. takes a close up look at those who are really responsible for cybercrime – organized crime syndicates. You may find some surprises here.

In my recent article Internet: The Good, The Bad, And The Ugly, I mentioned that organized crime was responsible for much of the malware and hacking now abundant across the Internet.  This article will delve into those organizations and where they’re located across the world.

It’s important to point out that the global economy and the Internet play an important part in how many cyber criminals are in business, and where they operate.

The international bestselling book The World Is Flat: A Brief History of the Twenty-First Century by Thomas L Friedman, analyzes globalization, primarily in the early 21st century.  The title is a metaphor for viewing the world as a level playing field in terms of commerce, where all competitors have an equal opportunity.

Friedman astutely points out that because of the Internet, the personal computer, and other technological advances, businesses can provide products and services to customers across the world when heretofore the cost of doing so was prohibitive.  So…what’s this got to do with global cyber crime?

The criminal element, recognizing that there was money to be made, took advantage of the “flat world” just as the legitimate businesses have.  Thus, there has been an explosion of cyber (Internet) criminal activity across the world…primarily by organized crime syndicates.

But, the recent development of these syndicates selling hacking tools packaged in such a way that an inexperienced hacker can operate a “productive” criminal business, has allowed much smaller players to enter this lucrative field.

Authentication firm VeriSign recently reported that they studied 25 botnet herders across 3 online forums and found that botnets could be rented for an average US$8.59 per hour on which hacking attacks could be launched.  A 24 hour rental goes for around US$64 on which could be run several different attack vectors.  We’re talking about cost similar to a flash drive or a box of printer ink cartridges!

Who are these syndicates?

As you might expect, they prefer to remain secret and as anonymous as possible in order to avoid detection and arrest.  However, we know that they are highly organized and very complex cyber crime organizations.

In recent years they have transformed from individual operations to an organized multi-layered network of cooperating syndicates.  Some of their names are China’s Gray Pigeons and Honkers Union of China; and the largest and most successful Russian Business Network of the Russian Federation.

Steven Chabinsky, deputy assistant director in the U.S. Federal Bureau of Investigation’s (FBI) cyber division recently told participants of  a US government trade show that criminal hacker organizations are operating with increasing corporate-like efficiency and specialization.  He listed some of the specialized roles in cyber crime organizations:

Coders, who write the exploits and malware.

Distributors, who trade and sell stolen data.

Tech experts, who maintain the criminal enterprise’s IT infrastructure.

Hackers, who search for and exploit vulnerabilities in applications, systems and networks.

Fraudsters, who woo potential victims with social engineering schemes like phishing and spam.

Hosted system providers, who offer illicit content servers.

Cashiers, who control drop accounts and provide names and accounts to other criminals for a fee.

Money mules, who complete wire transfers between bank accounts.

Tellers, who transfer and launder illicit earnings through digital currency services.

Organization leaders, who assemble the team and choose the targets.

Where do these criminal threats come from?

ThreatExpert.com reports that the worldwide distribution of threats is as follows:

China   31%

Russian Federation 22%

Brazil    8%

United Kingdom  6%

United States   6%

Spain    4%

Germany   4%

Others   19% (Includes: Canada, India, Iran, Algeria, Egypt, Syria, Iraq, Saudi Arabia, South Korea, and Turkey).

As indicated above, China is the threat leader, and has been for some time.  However, security software vendor Zscaler indicates a new threat is emerging in South America; where 7 of the top 10 countries with high saturation of malware-distributing servers were South and Central American nations.

These include Brazil, Bolivia, Peru, Argentina, Paraguay, Ecuador and Colombia.  My own organization’s security logs reflect this trend with increasing numbers of attempted attacks from all these countries and more…every day.

The threats referred to in this article include: malicious mail servers which send millions of phishing and ad-related spam email; viruses; keylogger bot programs that record keyboard keystrokes to collect user access IDs, passwords, and bank account numbers which are sent to the criminal controllers of the bot for use in identity theft and bank fraud; and various backdoor Trojans that allow future access by other malware.

This perfect storm of:

1. A flat world facilitating global business activity.

2. The involvement of organized crime syndicates.

3. The selling and renting of malware packages and botnets to the criminal masses

has radically increased the malware, hacking, and subsequent danger present on the Internet today.

Guest writer Paul E. Lubic, Jr. is a long time IT professional who has held the positions of programmer, IT Security Manager and Chief Information Officer.  His interests lie in the IT security area, but he writes on all categories of technology.

Paul is a mature and seasoned writer, with a rare ability to break down complex issues into an easy to understand format. Check him out at his Blog – Paul’s Home Computing.

Cyber Criminals Know Your “Net” Worth – To the Penny!

According to Marian Merritt, security provider Symantec’s Internet Safety Advocate, a cyber crime goes down every ¼ of a second – a pretty startling statistic. What makes this statistic so astonishing is, unless you are in the Internet security business, you are probably unaware of this.

More stats that shock:

One in four consumers is a cybercrime victim.

An identity is stolen every three seconds online.

Nearly 10 million people have reported identity theft in the U.S. alone, in the last 12 months.

Global cybercrime revenues exceed that of the international drug trade.

A stolen identity can be bought on the Internet for as little as $100.

Stolen credit card numbers may sell for as little as $2 to $25.

Zombie computers are the main source of online fraud, spam and other scams on the internet.

If you were unaware of these statistics don’t be surprised, or chagrined. There’s a surprisingly simple reason why you may not have known – the lack of responsible reporting by mainstream media.

IT media do a highly credible job of keeping IT professionals like me, in the loop on cybercrime issues. But CNN and the rest of the mainstream media, do a pathetic job when it comes to informing the general public on these critical consumer safety issues. I suspect these issues are just not sexy enough; not violent enough.

Symantec’s Merritt made this point clear when she stated, “You turn on the news and they are talking about capturing drug dealers ……….., but they rarely show a hacker in handcuffs”.

By now you’re probably looking at the title of this article and asking yourself – where’s Bill going with this? When is he going to tell me how much I’m worth to a cybercriminal?

Well, here’s one answer. According to a recent report Get Safe Online, partially funded by the British government, the average surfer is worth $25,000 to the cybercriminal community.

But there’s a better way than just relying on this statistic. You can figure out what you’re worth to a cybercriminal, right to the penny. Well, sort of.

The free Norton Online Risk Calculator, recently released by Symantec, will help you evaluate how valuable you are to the cybercriminal economy. The calculator is easy to use, and bases its assessment on a number of simple questions  concerning your net usage.

Please consider taking this test. If you are aware of just how much value you have as a victim, I’m sure you will take all the appropriate steps to ensure you don’t become a victim.

