Internet Danger Report

Today, we Americans celebrate Independence Day…our 232nd birthday. It’s a day of parades, family get-togethers, barbecues, and fireworks. A day for relaxing and fun. A day for reflecting on the wonder of the American experiment.

Cyber-crooks will be launching some fireworks of their own, flooding cyberspace with millions of booby-trapped e-greeting cards. Experts are expecting a new round of Storm worm infections, and other bits of malware designed to turn your computer into a bot. A bot, or Zombie, hijacks your PC and puts it under the complete control of the bot master.

So, make it a safe Fourth of July. Be careful with fireworks. And don’t open any e-greeting cards. Not even from your mother.

Good question. There’s really nothing wrong with credit monitoring. In fact, you should monitor activity on your credit records. You can do that fairly easily for free. Or you can pay one of those companies that tell you that you can prevent having your identity stolen by putting yourself in their hands.

That cute guy in the crab shack singing the catchy jingle about how he shoulda called Free Credit Report Dot Com and he wouldn’t be waiting tables.

Todd Davis, the Life Lock founder who says he’s so confident in the service that he broadcasts his own Social Security number. Great gimmick. What he doesn’t advertise is that he pays a different company to clean up the mess every time his SS# is used by a fraudster. Lawsuits against Life Lock are little noticed, but the company is catching a steady stream of legal flak.

And a flock of others selling the idea that all you have to do to protect your identity is watch your credit. Put a freeze on it. Add a fraud alert. Not true.

The problem is that credit monitoring is not identity protection.

It’s not about your credit, it’s about your identity.

The plain truth is that just 33 percent of all identity theft cases are related to credit or credit fraud. The rest–the 67% majority of all identity theft crime–comes from other sources of personal information, as I pointed out in my last post.

Identity theft is too serious a threat, too severe a crime, too traumatic an experience, to take chances on weak measures or a partial solution. Make sure the identity protection service you select meets these five criteria:

1. Protects your whole identity, not just your credit.
2. Protects your entire family, including children, who are prize targets because it usually takes years for the crime to be discovered.
3. Monitors your whole identity, watching out for all forms of identity theft, including credit fraud. That means scanning thousands of databases constantly, watching for any appearance of your name and social security number.
4. Provides comprehensive recovery in the event your identity is stolen. Comprehensive means having trained professionals handle every detail of the recovery process for you until pre-theft status is achieved.
5. Covers children up to age 25 (so college students are protected). You should be covered even if the crime is committed by a family member.

I know of only one product that meets all five, and more. It’s called iDefend, and it’s not advertised on radio or TV. The company says that would produce too much growth too fast, and quality would suffer. As it is, thousands of new customers are subscribing to iDefend every month. You can find out more about it here. (Full disclosure: I was so impressed with the company that I joined its partner program.)

You can’t prevent identity theft because there are simply too many ways for thieves to get your personal information.

The easiest way is to just buy a file of names with social security numbers on the Internet. You can buy a million names for about a hundred bucks. Some files include dates of birth, home addresses, driver’s license numbers, and a lot more.

Data breaches are the biggest source of this kind of information. A data breach occurs when files are exposed, sometimes accidentally but mostly through purposeful hacking computer files via the Internet or physically stealing storage media. Between January 2005 and December 2007, the Identity Theft Resource Center identified 919 data breach incidents that exposed a total of just under 212 million personal records. During the first half of 2008, data breaches are up 69 percent over the same period last year, with 342 incidents tracked through June 27. From an article by Brian Krebs in the Washington Post

:

The 342 breaches the ITRC studied from this year involved almost 17 million consumer records. But ITRC founder Linda Foley said the true number of records jeopardized by those breaches is likely far higher, because in nearly 40 percent of the breaches the affected entity has not yet disclosed how many consumer records were lost or stolen.

So, does that mean criminals have access to the personal records of some 229 million individuals? No. Many of the compromised records are duplicates, and not all records will filter into criminal hands. But the size of the threat is clear. The incidence of identity theft is high, and it’s expected to increase by a factor of twenty over the next few years. A whole industry has developed in response to this crime, and it is booming. You can’t turn on the radio or TV without being bombarded with ads that promise to protect you from identity theft. With few exceptions they tell you that all you have to do is watch your credit and you’ll be OK. But that’s not true. Credit fraud is the tip of the iceberg: just 33% of id theft cases result from credit fraud. The majority of identity crimes stem from other sources, like data breaches. There is no way to “prevent” identity theft, and credit monitoring is not identity protection. Learn more about the topic and get a free report on true identity protection here.

The video here is directed primarily at companies, which are being targeted more and more by highly sophisticated criminal groups. But the message has important implications for individual computer users as well, for we are major targets of cyber criminals, and the most vulnerable.

Would you like to know how cyber crime works? How likely you are to become a victim?

USA Today reporters Byron Acohido and Jon Swartz have been investigating this phenomenon for years. “Since 2003, the pair has produced a series of award winning investigative stories about how cyber crime works and why the problem continues to worsen.” The quote is from the flyleaf of their new book, “Zero Day Threat.” Here’s more from the book cover blurb:

A digital true-crime story, Zero Day Threat is an alarming and eye-opening investigative exposé of our growing vulnerability to identity theft and fraud–due not only to scheming cyber-criminals, but also to deliberate policies of banks and other technology giants that place their own profits above public security.

Watch the video above. Read the book.

Be afraid.

Google “Kraken” and you’ll learn that the name refers to a legendary giant sea monster capable of swallowing up whole ships.

It’s also the name of a new bot worm that swallows up personal computers by the hundreds of thousands, according to a story from Dark Reading. The article, published in April 2008, claims the Kraken botworm is twice the size of the Storm worm, which is widely recognized as the world’s largest, in terms of computers infected.

But Kraken the worm is as illusive as Kraken the sea monster. If it’s so big, why aren’t others reporting on it? I did a search at the Internet Storm Center and it came back empty (although I did eventually find an ISC diary entry on Kraken). I also searched Sophos and PC Magazine’s Security Watch with zip results. That’s not to say Kraken is not a threat. The fact is, new bot worms and variants on old ones (ISC says Kraken looks like it is just part of the Bobax family of malware) appear every day. Every bot worm is a serious threat.

Chris Rouland, Chief Technology Officer of IBM Internet Security Systems, says, “A bot is like a worm on a leash. The bot master can walk the worm to wherever he wants it to go, and then he can stop it, and let it off the leash and tell it to do whatever he wants it to do.”

You don’t want a bot worm unleashed inside your PC, where it not only goes to work spreading itself to all your friends and family, but does its crooked master’s bidding. That could include joining a denial-of- service attack, broadcasting spam, even storing and distributing child pornography. But how do you prevent it? They are notoriously resistant to anti-virus software, because the bot master can change his worm’s “spots” so that the security software doesn’t recognize it. So, what you need is two lines of defense. One, enterprise grade software. The same class of security technology that a fortune 500 company uses. Two, expert human backup. Because even the best security software in the world is not invulnerable.

First he was fired.

Then he was arrested.

When Michael Fiola’s laptop computer was stolen back in November 2006, his employer, the Massachusetts Department of Industrial Accidents, gave him a replacement. It was a ticking time bomb.

A few months later, officials noted that his usage account was 4 times normal. On investigating, they found that Fiola’s laptop was loaded with child pornography. He was summarily fired, and his bosses reported the incident to state police. And thus began a year of hell for Fiola and his wife.

Their story is detailed here.

Michael was finally exonerated after hiring a computer forensics expert, who proved his innocence. But it’s an experience from which no one could fully recover.

In Michael’s case, experts concluded that his laptop was misconfigured, and that the virus protection software on the machine was inoperative. IT people at his agency blamed the problem on Fiola. The reality seems to be that the software they were relying upon simply wasn’t up to the task.

Most individuals have security software on their PCs that leaves them completely vulnerable to the same kind of attack that wrecked the Fiolas lives. Hackers invade computers and use them for all kinds of criminal jobs. Not the least of which is to turn them into porn servers. Porn is very big business. And it’s just one of many money makers for criminal hackers.

Sophos Labs, a world leader in security technology for enterprise, recently reported that it finds 15,000 newly infected websites every day. These are legitimate, trusted websites on which criminals plant malicious code. The moment you click on an infected site, that code is downloaded to your computer, where it opens a back door that allows the hacker to take over your computer. You’ll never know they’re there.

London based Sophos provides integrated security technology to governments and major corporations around the world. This technology is now available to consumers and small businesses on a low-cost monthly subscription basis from a company I have been associated with for more than 3 years. Write to me for information.

A little over two years ago, Red Herring magazine published an article on the rise of computer zombies. It quoted a report by anti-spam company CypherTrust that 172,000 computer users were losing control of their machines every day. That was a startling statistic. It meant that criminals were building botnets at a staggering rate.

Two years on the growth of botnets is greater and faster. The FBI has established an ongoing initiative called Operation Bot Roast which so far has identified one million bots, another name for a computer under the control of a hacker. The FBI has just scratched the surface. Vincent Cerf, a Google vice president and widely recognized father of the Internet, believes there are at least 150 million bots, comprising many thousands of botnets.

Secure Computing, which tracks the Internet threat landscape, reports that in the first half of 2007 the average number of new zombies per day was greater than 500,000. That’s about a threefold increase in just two years. Think about that! Fifteen million new zombie computers every month!

With numbers like this, what are the odds that your computer is under the control of a criminal hacker?

Read what happened to Candace Locklear (here). It took 8 hours for a technician to clean up her computer after she discovered that it had sent out dozens of instant messages with photos attached that were infected with malicious software. Eight hours at $75 per hour? I wouldn’t like to get that bill.

The article points out that “there is never 100 percent security.” But you can have security technology of the same grade that your bank uses, and you can have a security team watching your back that will fix problems like Candace’s and not charge you a penny. It’s called Managed Internet Security Service.

Disclaimer: I am a member of the national marketing team that promotes Managed Internet Security Service for consumers and small business owners. Detailed information is here.

So where has it been?

I started the Internet Danger Report more than a year ago as a way to share information about a subject I had become interested in as a result of a direct encounter with a criminal hacker.

I chose Wordpress.com to host the blog for two reasons. One, it offered the best software platform that I was able to find, and two, it hosts blogs for free.

Free is good, right?

Well, not always.

The one downside with free blog hosting arrangements is that you give up control. The host can shut you down for any reason at any time and you have no recourse whatsoever. That’s true of any of the free blog hosts. Just read their Terms of Service documents.

Here’s what happened to me.

On July 5 I tried to log in to post a new article and was met with the message that “This blog has been archived or suspended for a violation of our Terms of Service.” I immediately sent an email to the Wordpress support address, requesting information about the nature of the alleged violation and instructions on how to correct it. After 3 days and no response, I wrote again. I wrote a third time a few days later.

I have never received a response.

I have poured over the Wordpress Terms of Service trying to figure out what I might have done or said that could be interpreted as a violation. But I can’t find a thing.

Something I said must have offended somebody.

Bottom line: I can heartily recommend the Wordpress blog software. It’s available free from leading web hosting providers. But I strongly advise against putting yourself at the mercy of Wordpress censors, or those of any other company that offers free blog hosting. Get your own server. There are some excellent hosting services out there that charge as little as $5 per month.

Going forward, I plan to post entries more frequently than has been my habit. There are many dangers on the Internet, with all sorts of daily developments that you should know about in order to protect your privacy, your personal assets, your business, and your family. I collect stories from a variety of excellent sources, and my plan is to post recaps of the most interesting and appropriate ones, with links to the sources. I’ll write longer articles as the spirit moves me.

Stay safe out there on the information superhighway.