Information Security
J. Carlton Collins
ASA Research - Atlanta, Georgia
770.734.0950
Carlton@ASAResearch.com
Table of Contents

Chapter  Chapter Title (Page Count)                             Page
1        Locks (2 Pages)                                        6
2        Government Compliance (3 Pages)                        8
3        Securing Hard Drives and Laptop Computers (16 Pages)   11
4        Encryption (12 Pages)                                  27
5        Strong Passwords (7 Pages)                             39
6        Windows Files and Folders (8 Pages)                    46
7        System Restore (3 Pages)                               54
8        Firewalls (7 Pages)                                    57
9        Wireless Security (8 Pages)                            64
10       Checking the Security of your PC (4 Pages)             72
11       Online Security Tests (3 Pages)                        76
12       Windows User Accounts & Groups (6 Pages)               79
13       Windows Screen Savers (4 Pages)                        85
14       Pornography (4 Pages)                                  89
15       Sample Contracts (9 Pages)                             93
16       Computer Bread Crumbs (6 Pages)                        102
17       Computer Disposal (5 Pages)                            108
18       Backup Strategy (14 Pages)                             113
19       Viruses (6 Pages)                                      127
20       Phishing (7 Pages)                                     133
21       Spy Stuff (14 Pages)                                   140
22       Privacy Test (6 Pages)                                 154
23       Fake IDs (7 Pages)                                     160
24       National ID Cards (4 Pages)                            167
25       Fake Social Security Cards (5 Pages)                   171
26       Identity Theft (14 Pages)                              176
27       Employee Theft (6 Pages)                               190
28       Background Checks (5 Pages)                            196
29       Bonding Employees (3 Pages)                            201
30       Asterisk Key (2 Pages)                                 204
31       Encryption Analyzer & Passware (3 Pages)               206
32       Securing Desktop Computers (3 Pages)                   209
33       Windows Services (6 Pages)                             212
34       Risk of Fire (3 Pages)                                 218
35       Credit Card Fraud (11 Pages)                           221
36       Counterfeit Money (9 Pages)                            232
37       Cracking and Hacking Primer (15 Pages)                 241
38       Pirated Software (4 Pages)                             256
39       15 Top Security/Hacking Tools (4 Pages)                260
40       Safety Online (6 Pages)                                264
41       Spam (11 Pages)                                        270
42       Security Book Reviews (3 Pages)                        281
43       Fingerprint Technology (6 Pages)                       284
44       Appendix A: Instructor's Biography (1 Page)            290
InformationSecurity
Course Level
Pre-Requisites
Advanced Preparation
Presentation Method
Recommended CPE Credit
Handouts
Instructors
All rights reserved. No part of this publication may be reproduced or transmitted in any form without the express written consent of AdvisorCPE, a subsidiary of ASA Research. Requests may be e-mailed to marylou@advisorcpe.com, or further information can be obtained by calling 770.734.0450 or by accessing the AdvisorCPE home page at: http://www.advisorcpe.com/
All trade names and trademarks used in these materials are the property of their respective manufacturers and/or owners. The use of trade names and trademarks in these materials is not intended to convey endorsement of, or any other affiliation with, these materials. Any abbreviations used herein are solely for the reader's convenience and are not intended to compromise any trademarks.
Some of the solutions discussed within this manual apply only to certain operating systems or certain versions of operating systems.
Some of the material herein has been consolidated and condensed based on research of numerous security books, security articles and security web sites. AdvisorCPE makes no representations or warranty with respect to the contents of these materials and disclaims any implied warranties of merchantability or fitness for any particular use. The contents of these materials are subject to change without notice.
Contact Information:
J. Carlton Collins
CARLTON@ASARESEARCH.COM
770.734.0950
www.ASAResearch.com
www.AccountingSoftwareAdvisor.com
www.AccountingSoftwareAnswers.com
www.AccountingSoftwareConsulting.com
www.AccountingSoftwareNews.com
www.AccountingSoftwareReports.com
www.AdvisorCPE.com
www.CarltonCollins/footer/hotlist.htm
www.CarltonCollins.com
www.CPAAdvisor.us
www.ExcelAdvisor.net
www.QuickbooksAdvisor.info
www.MBSAdvisor.com
www.SBAAdvisor.com
www.OfficeAdvisor.us
We publish all of our materials on the web as a service to the CPA community. Please feel free to learn about our other topics at these great web sites. Thank you.
Chapter 1
Locks
Virtually all computers, files, and data are protected behind locked doors, locked cabinets, or locked files, but how secure are those locks? It turns out that most locks today are not very secure at all. Not only can most locks be picked by professional locksmiths, but hundreds of YouTube clips teach novices how to pick locks as well. As examples, consider these YouTube clips and web sites:
Open any padlock with a beer can:
http://www.metacafe.com/watch/yt1eGxRQlWTrM/open_a_master_padlock_with_a_beer_can/
Learn how locks work:
http://www.metacafe.com/watch/ytcuLC9klMsRI/the_visual_guide_to_lock_picking_part_06_of_10/
Open door locks with picking tools:
http://www.metacafe.com/watch/877739/kwikset_door_lock_picked/
Make your own pick tools:
http://www.metacafe.com/watch/1029493/home_made_lock_picks/
Pick a padlock with homemade pick tools:
http://www.metacafe.com/watch/1015152/how_to_open_padlock_lockpicking/
Open door locks with a bump hammer:
http://www.metacafe.com/watch/ytzTfEwChCG0U/brockhage_bump_hammer_set/
Open a door lock with a pick gun:
http://www.metacafe.com/watch/884219/how_to_pick_locks_with_a_lock_pick_gun_lockpicking_tutorial/
Open a car with a tennis ball:
http://www.metacafe.com/watch/410981/blondie_unlocks_car/
Open car with wood wedge and pole:
http://www.metacafe.com/watch/1078391/how_to_unlock_car_without_keys/
Open a tubular lock:
http://www.metacafe.com/watch/1029502/lock_picking_tubular_locks/
Pick a club and pick a car ignition:
http://www.metacafe.com/watch/1029496/lock_picking_club_and_car_ignition/
Pick tools described:
http://www.metacafe.com/watch/1363050/lock_picking_with_all_my_sets_tools/
Order picking tools online; order a pick gun online; order a bump hammer online; order car pick tools online:
http://www.lockpicks.com/index.asp?PageAction=VIEWCATS&Category=204
http://www.lockpicks.com/index.asp?PageAction=VIEWCATS&Category=215
http://www.lockpicks.com/index.asp?PageAction=VIEWCATS&Category=324
Chapter 2
Government Compliance: Federally Required Security Measures
Gramm-Leach-Bliley Act
http://www.ftc.gov/os/2000/05/65fr33645.pdf
http://www.keytlaw.com/Links/glbact.htm
The Gramm-Leach-Bliley Act has been deemed to apply to CPA firms and nearly all financial institutions. Within this Act, the Safeguards Rule of GLB requires CPAs and financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients' nonpublic personal information. The plan went into effect as of March 2001. This plan must include:
1. Assigning at least one employee to manage the safeguards.
2. Constructing a thorough [risk management] on each department handling the nonpublic information.
3. Developing, monitoring, and testing a program to secure the information; and
4. Changing the safeguards as needed with changes in how information is collected, stored, and used.
HIPAA Security Requirements
1. Access to Medical Records (Patients can see their own records and correct errors)
2. Notice of Privacy Practices (Patients must be provided notice of privacy measures)
3. Limits on Use of Personal Medical Information (Only minimal information can be shared)
4. Prohibition on Marketing (Patient information cannot be used in marketing)
5. Stronger State Laws (State laws are not trumped)
6. Confidential Communications (Communications must be confidential)
7. Complaints (http://www.hhs.gov/ocr/hipaa/ or by calling (866) 627-7748)
8. Written Privacy Procedures (Now required and must be detailed)
9. Employee Training and Privacy Officer (Both are now required)
10. Public Responsibilities (Disclosures of health must be made in a responsible manner)
11. Equivalency Requirements (Private and government hospitals must both comply)
12. Penalties (Up to $250,000 and 10 years in prison)
Sarbanes-Oxley Compliance
The Sarbanes-Oxley Act of 2002 (SOX) created new business rules regarding the storage and management of corporate financial data. SOX holds many publicly held companies and all Registered Public Accounting Firms to a rigorous set of standards. These rules set guidelines for how data should be stored, accessed, and retrieved.

Section Number: Section 103: Auditing, Quality Control, And Independence Standards And Rules
Description of Rule: The Board shall: (1) register public accounting firms; (2) establish, or adopt, by rule, "auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers;" The Board requires registered public accounting firms to "prepare, and maintain for a period of not less than 7 years, audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such report."

Section Number: Section 104: Inspections of Registered Public Accounting Firms
Description of Rule: Quality inspections must be conducted annually for firms auditing more than 100 issuers per year, or every 3 years for all other firms. The SEC or the Board may order impromptu inspections of any firm at any time.

Section Number: Section 105(d): Investigations And Disciplinary Proceedings; Reporting of Sanctions
Description of Rule: All documents prepared or received by the Board are regarded "confidential and privileged as an evidentiary matter (and shall not be subject to civil discovery or other legal process) in any proceeding in any Federal or State court or administrative agency, unless and until presented in connection with a public proceeding or [otherwise] released" in connection with a disciplinary action.

Section Number: Title VIII: Corporate & Criminal Fraud Accountability Act of 2002
Description of Rule: "Knowingly" destroying or creating documents to "impede, obstruct or influence" any federal investigation, whether it exists or is contemplated, is a felony.

Section Number: Section 802: Mandatory Document Retention
Description of Rule: This section instructs auditors to maintain "all audit or review work papers" for five years from the end of the fiscal period during which the audit or review was concluded. It also directs the Securities and Exchange Commission (SEC) to disseminate any necessary rules and regulations relating to the retention of relevant records from an audit or review. This section makes it unlawful knowingly and willfully to violate these new provisions, including any rules and regulations disseminated by the SEC, and imposes fines, a maximum term of 10 years' imprisonment, or both.

Section Number: Section 802: Document Alteration or Destruction
Description of Rule: This section criminalizes knowingly altering, destroying, mutilating, or concealing any document with the intent to impair the object's integrity or availability for use in an official proceeding or to otherwise obstruct, influence or impede any official proceeding.

Section Number: Section 1102: Tampering With a Record or Otherwise Impeding an Official Proceeding
Description of Rule:
Chapter 3
Securing Hard Drives & Laptops
Stolen Laptops
Laptop computers are key targets for thieves, and these thieves are not after the laptop for the value of the computer; it is the value of the data and embedded passwords that entices these thieves. Laptops are easy targets. They are small and easy to grab, and once stolen they blend in without attracting attention. In 2008, the Government Accountability Office found that at least 19 of 24 agencies reviewed had experienced at least one breach that could expose people's personal information to identity theft. The Computer Security Institute/FBI Computer Crime & Security Survey found the average theft of a laptop to cost a company $89,000.
Many laptops contain data which can be exploited or resold on the black market to unscrupulous people. In particular, embedded passwords can allow hackers to access critical systems and personal information that can be used to perpetrate identity theft and other crimes. Presented below is a sampling of some laptop thefts that have been reported in the news in the past few years. A lengthy list of breaches via stolen laptops and hacks can be seen here: http://www.privacyrights.org/ar/ChronDataBreaches.htm.
Organization: National Institutes of Health
Date of Theft: February 2008
Type of Data Stolen: Patient data for 2,500 patients over a 7-year period
How Stolen: From an employee's home
Organization: Citibank Student Loan Corporation
Date of Theft: March 8, 2006
Type of Data Stolen: Information on 3.9 million customers
How Stolen: Lost in transit while being shipped
Organization: Transportation Security Administration (TSA)
Date of Theft: August 10, 2006
Type of Data Stolen: Social Security numbers, payroll information, and bank account data for approximately 133,000 employee records
How Stolen: From a government vehicle
Organization: Internal Revenue Service (IRS)
Date of Theft: June 2006
Type of Data Stolen: 291 employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth
How Stolen: In transit on an airline flight
Organization: Federal Trade Commission (FTC)
Date of Theft: June 22, 2006
Type of Data Stolen: Data on about 110 people that was "gathered in law enforcement investigations"
How Stolen: Stolen from a locked vehicle
Organization: US Government Veterans Affairs Administration
Date of Theft: May 3, 2006
Type of Data Stolen: 26.5 million veterans, their spouses, and active duty military personnel
How Stolen: Laptop stolen from employee's home
The list of security breaches due to laptop thefts seems endless; here are ten more:
1. A laptop that belonged to an Ernst & Young employee was stolen from a vehicle. The computer contained personal information of 243,000 Hotels.com customers.
3. An Equifax Inc. company laptop was stolen from a travelling employee. Information compromised included employee names and Social Security numbers.
4. 13,000 District of Columbia employees and retirees were put in danger of identity theft when a laptop belonging to ING U.S. Financial Services was stolen from an employee's home.
5. A laptop containing debit card information and Social Security numbers of 65,000 persons was stolen from the YMCA's seemingly safe administrative offices.
6. Four laptop computers containing names, Social Security numbers, and addresses of 72,000 customers were stolen from the Medicaid insurance provider Buckeye Community Health Plan.
7. A Boeing employee's laptop was grabbed at an airport, compromising 3,600 employees' Social Security numbers, addresses and phone numbers. Again in 2006, Boeing lost an unencrypted computer hard drive which held the names and Social Security numbers of approximately 382,000 workers and former employees, including addresses, phone numbers, birth dates and salary information.
8. A stolen UC Berkeley laptop exposed personal data of nearly 100,000.
9. A laptop computer stolen from an MCI employee's automobile in 2005 included the names and Social Security numbers of 16,500 MCI employees.
10. In 2006 Fidelity Investments reported the theft of a laptop computer's hard drive which contained personal information for approximately 196,000 HP employees.
These types of events raise many security concerns, for the information contained on these computers could be used by criminals to assume others' identities and abscond with their cash and assets. The distressing part is that all of these events could have been minimized if only the computers' owners had taken a few minutes to set up a password encrypting the computers' contents. While setting up a computer BIOS password or a Windows logon password will thwart a novice thief, these measures are not enough, because thieves can simply remove the hard drive and install it in a different computer (which uses a different operating system) as a secondary drive, which then enables the criminal to view the data on the stolen device. To fully protect the system, you must encrypt the entire hard drive. For example, Microsoft Vista includes a solution called BitLocker which, once set up, automatically encrypts the contents of the entire hard drive. Similar solutions are offered by PGP, GuardianEdge, and TrueCrypt.
Measures You Can Take to Protect Your Laptop Computer
1. Physical Security - Physical devices can be used to secure your laptop computer, ranging from chains and alarms to ID programs which clearly identify the computer as belonging to you.
a. Cables - Targus and Kensington both manufacture cable devices that physically secure your laptop by locking it to a table or other object. These cables are very tough, but they can be cut with power tools or large clippers. While these products can be circumvented, they are good for deterring crimes of opportunity.
b. Alarms - Motion-sensing locking devices are also available, and these add an extra layer of security by setting off a loud alarm if the cable is tampered with or if the device goes out of range by a certain distance.
Fingerprints can be hacked, and it is not as hard as you might think. You can use a gummy bear to pick up a print and then apply it to the fingerprint reader.
Of course you can also make a fingerprint using super glue, as was demonstrated in both the Hollywood movies Beverly Hills Cop and National Treasure.
The Crypto-Gram Newsletter was the first to publicize the Gummy Bear Hack as follows:
A Japanese cryptographer has demonstrated how fingerprint recognition devices can be fooled using a combination of low cunning, cheap kitchen supplies and a digital camera. First Tsutomu Matsumoto used gelatin (as found in Gummy Bears and other sweets) and a plastic mould to create a fake finger, which he found fooled fingerprint detectors four times out of five. Flushed with his success, he took latent fingerprints from a glass, which he enhanced with a cyanoacrylate adhesive (superglue fumes) and photographed with a digital camera. Using PhotoShop, he improved the contrast of the image and printed the fingerprint onto a transparency sheet. Here comes the clever bit.
Matsumoto took a photosensitive printed circuit board (which can be found in many electronic hobby shops) and used the fingerprint transparency to etch the fingerprint into the copper. From this he made a gelatin finger using the print on the PCB, using the same process as before. Again this fooled fingerprint detectors about 80 percent of the time.
d. Retina Scanners - Similar to the fingerprint technology discussed above, retina scan products are also available; for example, the Qritek mouse (pictured below and to the right), priced at $315, has a built-in retina scanner.
If your laptop did not come with a biometric security device built in, you will need to purchase a third-party add-on that connects through the USB or PC card ports. Because these devices must function via the operating system,
they can be easily bypassed. They are most useful for securing data when combined with encryption software, but biometric devices are viewed as more of a password enhancement than an additional layer of security for your laptop. While biometric devices are cool, they provide little additional benefit over simply using passwords and encryption to protect your property.
2. Laptop Identification Programs
a.
b. The STOP Program - You can also enroll your laptop in the STOP Program. In this case an identification tag provides proof of ownership and perhaps acts as a deterrent to theft. Laptops protected with STOP plates are registered in a Web-based database, which increases the chances of the safe return of lost, stolen, or misplaced laptops, notebooks and other equipment.
c.
d.
ability to delete selected data once the laptop has been reported as stolen. Most of these software packages are difficult to detect and remove, and some claim to be able to survive re-partitioning and reformatting of the hard drive. If the hard drive is removed, so is the tracing software. Most of these services work on a yearly subscription basis. Popular tracking software packages are as follows:
i. ETrace
ii. Computrace
iii. GadgetTrak for Windows PC
iv. The CyberAngel w/ Wi-Trac by CyberAngel Security Solutions, Inc.
v. BackStopp by Virtuity, Ltd.
vi. XTool Laptop Tracker by XTool Mobile Security, Inc.
vii. LoJack for Laptops
viii. PC PhoneHome by Brigadoon Software, Inc.
ix. nTracker by SyNet Electronics, Inc.
x. Inspice Trace by Inspice
xi. Verey Mac Theft Recovery Software
xii. DataDots
3. Common Sense Measures - Watch your laptop closely at the airport; many thieves target this venue and use decoys in order to steal laptop computers. They know it will take you some time to travel to your destination before you can close down password-protected web sites. Don't leave your laptop visible in your car, your trunk, your hotel room, or anywhere while traveling. Consider using a plain carrying case or backpack to carry your laptop, as this can deter would-be thieves.
4. Data Encryption - It is extremely hard, if not impossible, to effectively secure a computer to which an intruder has physical access. There are four steps you can take, however, to make it rather frustratingly hard and time consuming for the bad guys to get at your vital data, as follows:
a.
up, or in the manual) to enter the BIOS setup. You are looking for 'set password' or something similar. Set it (write it down so you don't forget it) and save and exit. The next time you boot, you will be prompted for a password after POST. Make sure you keep a record of the password.
b. Use Strong Passwords - After stealing your laptop, a thief has an unlimited time in which to crack your passwords. They will likely attempt to use the SAM and SYSTEM file password hash extraction method in combination with some sort of password cracking software to discover your password. Let's assume that your password is 'happy'. It would take them about 5 minutes or less to crack using a fast computer. If the password were 'happy44', add another 10 minutes, maybe. But what if your password was 'hAP5py28'? You've just extended the time it will take them to crack your password to several hours, perhaps days. The more numbers, uppercase letters, symbols and digits in your password, the harder it is to discover. Microsoft recommends using passwords of no fewer than 6 characters with at least three of the following: lower case, uppercase, numbers and special characters. I would recommend using 16-character passwords with a mixture of letters, characters and numbers. To make it easier for you, you might always use the same beginning or ending for all of your passwords, such as an old phone number you remember, followed by a strong password (e.g., 9126388947happy7755).
4. Right click and select 'rename' to change it.
c.
security feature in the Windows Vista operating system that ensures that data remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against attacks made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately. BitLocker protects your data from theft or unauthorized viewing by encrypting the entire Windows volume. Microsoft Vista's BitLocker tool encrypts everything written to a BitLocker-protected volume, including the operating system, the registry, the hibernation and paging files, applications, and data used by applications, but not the boot sector, any bad sectors, or the volume metadata. BitLocker is transparent to the user,
and the user logon process is unchanged. However, if the TPM is missing or changed, or if the startup information has changed, BitLocker will enter recovery mode, and you will need a recovery password to regain access to the data.
BitLocker is designed for systems that have a compatible TPM microchip and BIOS. For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group's Web site (http://go.microsoft.com/fwlink/?LinkId=72757).
c. TrueCrypt - TrueCrypt is free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux. The software creates a virtual encrypted disk within a file and mounts it as a real disk. It encrypts an entire partition or storage device such as a USB flash drive or hard drive. It also encrypts a partition or drive where Windows is installed (pre-boot authentication). The encryption is automatic, real-time (on-the-fly) and transparent. Two levels of plausible deniability are provided as follows, in case an adversary forces you to reveal the password:
1) Hidden volume (steganography) - It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, due to extortion). Using a so-called hidden volume allows you
to solve such situations without revealing the password to your volume. The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it is impossible to prove whether there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created* and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way. The password for the hidden volume must be different from the password for the outer volume. To the outer volume (before creating the hidden volume within it) you should copy some sensitive-looking files that you actually do NOT want to hide. These files will be there for anyone who would force you to hand over the password. You will reveal only the password for the outer volume, not for the hidden one. Files that really are sensitive will be stored on the hidden volume.
2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data). As of TrueCrypt 4.0, it is possible to write data to an outer volume without risking that a hidden volume within it will get damaged (overwritten). When mounting an outer volume, the user can enter two passwords: one for the outer volume, and the other for a hidden volume within it, which he wants to protect. In this mode, TrueCrypt does not actually mount the hidden volume. It only decrypts its header and retrieves information about the size of the hidden volume (from the decrypted header). Then, the outer volume is mounted and any attempt to save data to the area of the hidden volume will be rejected (until the outer volume is dismounted).
Chapter 4
Encryption
How Encryption Works - Encryption is based on prime numbers, two prime numbers to be exact. When multiplied together, two prime numbers will yield a product that is only divisible by one and itself and those two prime numbers. These prime numbers are used in a complex algorithm to scramble (encrypt) a message or file. Thereafter, the two prime numbers are needed again in order to unscramble (decrypt) the message or file. An example is shown below:
Bits Explained - All data stored on a computer (including prime numbers) is converted to hexadecimal and then to binary format. A binary format is a 0 or a 1. The 0 or 1 is represented as a positive or negative charge on a computer's hard drive, or as a small or large pit (hole) on a CD-ROM. For example, the letter A is represented on your computer's hard drive as 0100 0001. Here is the complete alphabet and numbers 1 through 15 represented in binary code.
As you can see in the chart above, 8 bits of data are required to record a single letter, or a number greater than 15. Therefore, if you have a 40-bit encrypted password, you really have a 5-character password. 56-bit, 64-bit, and 128-bit encrypted passwords translate to 7-, 8- and 16-character passwords. In other words, when you use 128-bit encryption, this means that you are using prime numbers that are 16 digits in length to generate the basis for scrambling your data.
The Size of the Prime Numbers - The size of the prime numbers used dictates how secure the encryption will be. A message encrypted with 5-digit prime numbers (40-bit encryption) yields about 1.1 trillion possible results. A message encrypted with 7-digit prime numbers (56-bit encryption) yields about 72 quadrillion possible results. However, using 128-bit encryption (16-digit numbers) yields 340,282,366,920,938,463,463,374,607,431,768,211,456 possible results. Mathematically, it would take a super computer testing 100 billion passwords per second 107,829 billion years to break 128-bit encryption using brute force. (Today's fastest chips can handle about 256 million encryptions per second.)
Time Needed To Crack - Mathematically speaking, based upon today's top computing power, 40-bit, 56-bit, 64-bit, and 128-bit encryption could be broken in 1 second, 19 hours, 7 months and 11,000 quadrillion years, respectively. This is why 128-bit encryption is the standard used worldwide to protect financial transactions and sensitive data.
Key Length (bits)    1995          2000          2005
40                   68 seconds    8.6 seconds   1.07 seconds
56                   7.4 weeks     6.5 days      19 hours
64                   36.7 years    4.6 years     6.9 months
128
Table of time needed to break certain key sizes using hardware
http://www.cs.bris.ac.uk/~bradley/publish/SSLP/chapter3.html
It has been estimated that 128-bit encryption will be breakable in about 105 to 125 years (by the years 2109 to 2129).
Letters versus Numbers - You might be interested to know that four words selected at random are much more effective than 56-bit encryption. According to Jeremy Bradley of the University of Bristol, a 7-character password (56-bit) has 1,028,071,702,528 possible results. However, four random words yield a total of 390,625,000,000,000,000 possible results. His basis for this claim is explained here: http://www.cs.bris.ac.uk/~bradley/publish/SSLP/chapter3.html.
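As an added example (not from the course manual), the following Go program computes the keyspaces quoted above and in the strong-password discussion of Chapter 3: 52^7 for a 7-letter password, 2^128 for a 128-bit key, and four random words, which match Bradley's 390,625,000,000,000,000 if the dictionary holds 25,000 words (an assumption here), together with the seconds needed to exhaust each at the page's 100-billion-guesses-per-second rate. The character-class sizes and the treatment of a reused prefix as already known to the attacker are the example's own assumptions.

```go
package main

import (
	"fmt"
	"math/big"
)

// keyspaceChars returns alphabetSize^length: the number of distinct passwords
// of the given length when every position may hold any of alphabetSize symbols.
func keyspaceChars(alphabetSize, length int) *big.Int {
	return new(big.Int).Exp(big.NewInt(int64(alphabetSize)), big.NewInt(int64(length)), nil)
}

// keyspaceWords returns dictionarySize^words, the keyspace of a passphrase of
// words drawn at random (with replacement) from a dictionary of that size.
func keyspaceWords(dictionarySize, words int) *big.Int {
	return keyspaceChars(dictionarySize, words)
}

// keyspaceBits returns 2^bits, the number of keys of the given bit length.
func keyspaceBits(bits int) *big.Int {
	return new(big.Int).Lsh(big.NewInt(1), uint(bits))
}

// alphabetSize counts the symbols a password actually draws on, by class
// (assumed sizes): lowercase 26, uppercase 26, digits 10, printable ASCII
// symbols 33. A brute-force run must cover this many symbols per position.
func alphabetSize(password string) int {
	var lower, upper, digit, symbol bool
	for _, c := range password {
		switch {
		case c >= 'a' && c <= 'z':
			lower = true
		case c >= 'A' && c <= 'Z':
			upper = true
		case c >= '0' && c <= '9':
			digit = true
		case c >= ' ' && c <= '~':
			symbol = true
		}
	}
	n := 0
	if lower {
		n += 26
	}
	if upper {
		n += 26
	}
	if digit {
		n += 10
	}
	if symbol {
		n += 33
	}
	return n
}

// passwordKeyspace is alphabetSize^length of the part an attacker does not
// know. A prefix reused across all passwords (the old phone number suggested
// in Chapter 3) adds nothing once learned, so knownPrefix bytes are excluded.
func passwordKeyspace(password string, knownPrefix int) *big.Int {
	if knownPrefix > len(password) {
		knownPrefix = len(password)
	}
	unknown := password[knownPrefix:]
	return keyspaceChars(alphabetSize(unknown), len([]rune(unknown)))
}

// secondsToExhaust is keyspace / guessesPerSecond, rounded down: the time an
// attacker who can test every candidate needs to be certain of a hit.
func secondsToExhaust(keyspace *big.Int, guessesPerSecond int64) *big.Int {
	return new(big.Int).Div(keyspace, big.NewInt(guessesPerSecond))
}

func main() {
	const rate = 100_000_000_000 // 100 billion guesses/second, the page's figure
	for _, p := range []string{"happy", "happy44", "hAP5py28", "9126388947happy7755"} {
		ks := passwordKeyspace(p, 0)
		fmt.Printf("%-22s alphabet=%2d keyspace=%s seconds=%s\n",
			p, alphabetSize(p), ks, secondsToExhaust(ks, rate))
	}
	fmt.Println("52^7    =", keyspaceChars(52, 7))   // Bradley's 7-letter password
	fmt.Println("25000^4 =", keyspaceWords(25000, 4)) // four random words, 25,000-word list assumed
	fmt.Println("2^128   =", keyspaceBits(128), "seconds:", secondsToExhaust(keyspaceBits(128), rate))
}
```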
PGP (Pretty Good Privacy)
PGP, or Pretty Good Privacy, was released on June 5, 1991. Developed by Phil Zimmermann, PGP was first sent by Phil to Allan Hoeltje and then Kelly Goen, who in turn released PGP through Internet user groups. This set off an unexpected feeding frenzy. Volunteers around the world offered to help Phil port PGP to other platforms, add enhancements, and generally promote the product. Fifteen months later, in September 1992, PGP 2.0 was released for MS-DOS, Unix, Commodore Amiga, Atari, and a few other platforms, and in about ten foreign languages. Shortly thereafter US Customs took an interest in the case. At first the government tried to build a case against Phil for exporting weapons outside the US, and they frequently harassed him. By doing so the government helped propel PGP's popularity by igniting controversy that would eventually lead to the demise of the US export restrictions on strong cryptography. Today, PGP remains just about the only way anyone encrypts their email. And now there are a dozen companies developing products that use the OpenPGP standard. You can download PGP for free, or purchase a more feature-rich version at this web site: www.pgp.com. Here is a quick introduction to using PGP:
To start using PGP, launch the product and start the wizard to generate the encryption keys as shown below:
The PGP wizard shown above walks you through the process of creating your encryption keys. Once you have created an encryption key, you can encrypt text, files, folders, or emails using that newly created PGP encryption key. Presented below is an example of a simple message before and after encrypting with PGP.
Original Message
Same Message as Above Encrypted with a PGP 128-Bit Key
It is important to point out that an encrypted message is still naked and wide open on the internet or on a computer hard drive; it's just that now no one can make sense of that message/file/email without the proper decryption key.
PGP's Two-Key System - PGP is based on public key cryptography, a widely accepted and highly trusted public key encryption system, by which you and other PGP users generate a key pair consisting of a 'private key' and a 'public key'. As its name implies, only you have access to your private key, but in order to exchange files with other PGP users you need a copy of their public key and they need a copy of yours. You use your private key to sign the file attachments you send to others and to decrypt the files they send to you. Conversely, you use the public keys of others to send them encrypted files and to verify their digital signatures. PGP won't route your email over a Secure Sockets Layer (SSL), but it will be unreadable by anyone other than you and the person to whom it is addressed. Keep in mind that encryption is for the message body only; it does not hide the subject line or the headers.
SSLAWebBasedVersionofPGPsTwoKeySystemOnepopularimplementationofpublic
key encryption is the Secure Sockets Layer (SSL). Originally developed by Netscape, SSL is an
Internet security protocol used by Internet browsers and Web servers to transmit sensitive
information.SSLrecentlybecamepartofanoverallsecurityprotocolknownasTransportLayer
Security(TLS).
Look for the "s" after "http" in the address whenever you are about to enter sensitive
information,suchasacreditcardnumber,intoaformonaWebsite.Inyourbrowser,youcan
tellwhenyouareusingasecureprotocol,suchasTLS,inacoupleofdifferentways.Youwill
noticethatthe"http"intheaddresslineisreplacedwith"https,"andyoushouldseeasmall
padlockinthestatusbarinthebrowserwindow.
Thepadlocksymbolletsyouknowthatyouareusingencryption.Basicallywhatthismeansis
that a private key hasbeen generated by the serveryouare accessing, and hasbeen sent to
yourcomputerandisbeingheldinRAMuntilneeded.Onceyouhaveenteredtheinformation
youwanttosendandpresstheSUBMITbutton,thekeyisusedtoencryptthemessageandthe
dataissenttothewebserver,orinthecaseshownabovetheDeltaAirlineswebserver.
Public key encryption takes a lot of computing, so most systems use a combination of public key and symmetric key encryption. When two computers initiate a secure session, one computer creates a symmetric key and sends it to the other computer using public key encryption. The two computers can then communicate using symmetric key encryption. Once the session is finished, each computer discards the symmetric key used for that session. Any additional sessions require that a new symmetric key be created, and the process is repeated.
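The session just described, as an added toy model that is not PGP, SSL/TLS or any library's code: the sender wraps a fresh symmetric session key with the recipient's public key, encrypts the message under that key, and the recipient unwraps and decrypts. It assumes textbook RSA with a 256-bit modulus and no padding, plus a SHA-256 keystream with an HMAC tag, all chosen only for illustration.

```python
"""Toy model of the hybrid scheme described above: a random session key is wrapped with
the recipient's public key (textbook RSA, no padding), the message itself is encrypted
and authenticated with that symmetric key, and the key is discarded after the session.
Added for illustration; this is not PGP, SSL/TLS, or any library's code, and the
unpadded RSA and hash-based stream cipher are far too weak for real use."""
import hashlib
import hmac
import os
import secrets


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=256):
    """Return (public, private) as ((n, e), (n, d)) with an n of `bits` bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so e not dividing phi means gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _keystream(key, nonce, length):
    """SHA-256 in counter mode: block i = SHA256(key || nonce || i)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
    return out[:length]


def symmetric_encrypt(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def symmetric_decrypt(key, blob):
    """Verify the tag before decrypting; an altered message raises ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or wrong key")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def start_session(recipient_public, message):
    """Sender: fresh 128-bit session key, wrapped with the recipient's public key."""
    session_key = os.urandom(16)
    n, e = recipient_public
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)  # key < n, since n has 256 bits
    return wrapped_key, symmetric_encrypt(session_key, message)


def receive_session(private, wrapped_key, encrypted_message):
    """Recipient: unwrap the session key with the private key, then decrypt.
    After this the session key should be discarded; the next session gets a new one."""
    n, d = private
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return symmetric_decrypt(session_key, encrypted_message)
```

Each call to start_session draws a new session key, which is the "new symmetric key per session" point the text makes; the tag check is what turns a tampered message into an error instead of garbage.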
Is Big Brother Watching You Anyway?
When PGP was first developed, it was understood that the only person capable of reading an email encrypted with PGP was the email recipient. While unconfirmed, it is suspected that since PGP was purchased from Phil Zimmermann, its developer, by Network Associates, Inc. (NAI) several years ago, a 'master key' exists in the hands of both NAI and the U.S. Federal Government. Even with this in mind, PGP is just about the safest and most reliable method of encryption available.
In October 2001, NAI put PGP up for sale. With no buyers, in March of 2002 NAI dropped support and development of its PGP desktop encryption software. On August 19, 2002, NAI sold PGP to PGP Corporation, a newly formed company. The deal gives the new company a line of encryption products based on the PGP algorithm, including PGPmail, PGPfile, PGPwireless, and PGPkeyserver, for the Windows and Macintosh operating systems. A full history of PGP can be found at www.pgp.com/company/pgphistory.html
Though a freeware version of PGP does exist, the End User License Agreement (EULA) is rather restrictive, limiting it to home-based non-profit use. Freeware PGP setup only takes a few minutes, but users should note these facts about the free version of PGP:
Does not include automatic encryption of email file attachments
Does not provide plug-in integration with Outlook, Outlook Express, and other email applications
Does not operate with PGP Admin or other PGP deployment tools
Self Decrypting Files
Some implementations of encryption are self-decrypting, which means that the unlocking key needed is already embedded in the file; all you need is the password to activate the unlocking key. Consider the following two examples:
Example 1: You send a PGP-encrypted e-mail to a friend.
You: send the encrypted e-mail.
Your Friend: must have the PGP unlocking key and know the password in order to unlock the e-mail.
A Thief: who intercepts the e-mail will have no way of opening the e-mail, even if they know or guess the correct password, because they have no unlocking key.
Example 2: You e-mail an encrypted Word or Excel document to a friend.
You: send the encrypted document.
Your Friend: only needs to know the password in order to unlock the file, as the unlocking key is already embedded.
A Thief: who intercepts the e-mail needs only to guess the correct password to open the file, as the unlocking key is embedded.
E-Mail Encryption Software
PKWARE's SecureZip (www.pkware.com) ($30): It does automatically encrypt email, as well as Office files. Save and send files securely directly from Microsoft Office applications, including Word, Excel, and PowerPoint. Secure and compress emails and attachments in Microsoft Outlook. Encrypt data using passphrases, X.509 digital certificates, or both.
ShyFile ($59): Make up a 32 character key entry, enter the text you wish to encode, attach the secure ShyFile to your email, and the recipient simply uses a browser to decode. The unlocking key is embedded in the file. ShyFile encodes your text (txt and html files) and packs it into an extra file that is to be attached to an outgoing email or uploaded to a web site. The recipient thereof does not need to have ShyFile installed to be able to decode, since any Internet browser will open it and prompt the user to enter the matching key phrase before decoding it. ShyFile also encrypts binary files, which require a free demo version of ShyFile to decode though. Simple 1-on-1 symmetric key entries are used, no Public and Private Keys. ShyFile exclusively uses its own independently developed TL6144D algorithm, offering a depth of encryption of up to 6144-bit. That reaches or even tops military requirements. A File Shredder is included to thoroughly delete a file on your hard drive in a way no undelete tool could ever restore it again. ShyFile works independently from all your web-based email accounts and desktop email applications.
Secure Hive (www.securehive.com) ($86): Secure Hive is a tool for secure archiving and sharing of files. It enables you to create encrypted archives and self-extracting .exe files for secure storage and file sharing. It also includes a means of encrypting parts of, or entire, documents, email messages, etc. Secure Hive offers the enterprise a method of: securing sensitive documents; protecting information during transfer; securing emails.
Conclusions
1. You should assume that every email you send has been read by more than 1,000 people. This is because all unencrypted emails are naked and wide open to the world. A simple Sniffer tool can capture your packets and reassemble your emails.
2. PGP was the first computer based encryption tool, although the existence of coded messages (or cryptography) has been verified as far back as the Roman Empire.
3. Encryption works on prime numbers. According to Bill Gates in his book The Road Ahead, there are more prime numbers of adequate size and length than there are atoms in the universe.
4. Data on your computer is stored in binary code called bits, which means zeros and ones. Since it takes 8 bits to represent a number or letter, it takes 40 bits to represent 5 numbers or letters, or 128 bits to represent 16 numbers or letters. Hence when you work with 128-bit encryption this means that you are actually working with 16 digit prime numbers.
5. Using today's technology, it would take about 11,000 quadrillion years to break a 128-bit encrypted message.
6. To protect your emails with encryption, you and your email pal could install PGP.
7. Upon installing PGP, you would need to generate a set of encryption keys, and send your locking key (private key) to your pal. Your pal would do likewise, sending their locking key to you. Thereafter, all emails sent to one another (including attachments) would be absolutely encrypted with 128-bit encryption.
8. It is widely rumored that the US government secretly holds a universal code for unlocking all PGP keys. At least this makes for a good conspiracy theory.

Strong Passwords & Password Management
Chapter 5
One Password or Multiple Passwords?
Do you have one catch-all password that you use everywhere, or do you create a new password for every different account, website, file, and relationship you deal with? It is a perplexing question, but almost everyone agrees that the use of a single password everywhere is foolish. An RSA survey shows that 58% of users have more than six passwords, and half of those have thirteen. Here's why:
1. If one company can see the password you use for their account, an unscrupulous employee might attempt to use that same password and email address to access your Amazon account, PayPal account, or credit card account.
2. From time to time it is necessary to provide a friend or associate with your password information, for example to edit your web site. If you use the same password for your web site and bank account, then your friend or colleague may be armed with information that could be used to compromise your identity.
3. Passwords tend to last for years with some accounts; if your password does manage to get out in the open, it might be a nightmare to change all known passwords for all of your accounts, email addresses, web sites, etc.
Although managing multiple passwords has its own set of problems, it is widely considered to be a better strategy than using one or a few passwords across multiple accounts.
Creating Strong Passwords
In most cases, when people find out too late that their passwords have been compromised, it is usually because they were simply too easy to guess. It's not so hard to create a strong password... here are some tips to make the keys to your identity a tougher lock to pick.
1. At Least 12 Characters: As the length of your password increases, it's harder to crack it. Most people recommend a minimum of 8 characters, but anything more than that makes it even more secure. I like to use at least 12 characters.
2. Letters & Numbers: Combining letters, numbers and special characters makes your password much harder to guess. Using a password that's easy for you to remember may also be an easy password for an identity thief to guess. But there's a delicate balance... you want passwords that are simple for you to remember, but difficult for others to guess.
3. Use All Lower Case: It is true that you can add complexity by alternating between upper and lowercase letters. However, these will be harder to remember, read, and type correctly. Further, uppercase letters require two hands to be used for the shift key. I find that it is too frustrating to mix case, and therefore I always try to use lowercase letters for all of my passwords.
4. Some people like to substitute special characters for letters and numbers, such as the "$" instead of an "S" or a "1" instead of "I". Once again, I find this too frustrating to remember, read, and type. I don't recommend this.
5. To make a password both hard to crack and simple to remember, I have some standard words that I embed in front of and behind my passwords. For example, my Delta Airlines, AVIS, and Marriott passwords might look something like this:
a. delta5544summer6388947+
b. avis3319summer6388947+
c. marriott2298summer6388947+
Each password has 5 parts:
1. the beginning part "delta" for Delta Airlines;
2. the second part 5544 is four randomly chosen numbers;
3. the word "summer" is a common word I always throw in;
4. the number 6388947 is my childhood telephone number;
5. and for good measure I throw a + sign on the end.
Using this approach, all I really have to remember is the 4 random numbers (like a PIN) in part 2; the other 4 parts I can easily remember. This way I can usually recreate my password from memory, but a hacker or hacking program would take billions of years to break the password in its totality.
The Microsoft Password Checker, which is available online, tells me that the strength of these passwords is excellent. See for yourself:
http://www.microsoft.com/protect/yourself/password/checker.mspx
Bad Passwords
Password pitfalls include using your name, child or pet's name, your birthday or other information that may be linked with your identity. Also steer clear of no-brainers like "abc123" or "password" as your password. Hackers recently created a fake Myspace login page, and collected over 34,000 passwords before the ruse was detected. Because the data was left on a public server for some time, it proved to be an interesting real-world case study on BAD passwords. Analysis of this data showed some surprising results: almost one percent of Myspace users had the word "password" in their password. With over 100 million Myspace users, that's a MILLION easily guessed passwords!
Other popular "words" used in passwords included: abc, baseball, football, iloveyou, myspace, monkey, princess, qwerty, soccer, superman, and 123456. It was also common to add a number to the end of these words, such as abc123 or baseball1. Profanities also occurred with a high frequency in passwords. Your takeaway: don't use these words, or variants of them, in your password, or you'll be making it that much easier for evildoers to guess their way into your private information.
Changing Passwords Regularly
Changing passwords on a regular basis will help to ensure that you are maintaining a high level of security. Personally I believe that this measure is not cost effective, as it takes far too much time to change, record, and edit the proper documentation so that you can find the right password later. However, in some workplace settings, login passwords must be changed every 30 days. Whatever interval you choose, be careful not to use a predictable pattern for your passwords, such as AxxxxxA / BxxxxxB / CxxxxxC or JANxxxx / FEBxxxx / MARxxxx. This is important because an intruder may not leave tracks. If someone has guessed your password, you can at least make sure they won't have long-term access to your data.
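The advice in Creating Strong Passwords, Bad Passwords and Changing Passwords Regularly turned into one checker, as an added example that is not the Microsoft Password Checker or any tool named on the page: it applies the 12-character minimum, the letters-plus-numbers rule, the Myspace word list, and the two rotation patterns the text warns about. The sample passwords apart from the page's own delta example are constructed.

```python
"""Checks for the password advice given above: minimum length, letters plus numbers,
none of the common words from the Myspace leak, and no predictable rotation of an
earlier password (AxxxxxA / BxxxxxB or JANxxxx / FEBxxxx). Added example; not the
Microsoft Password Checker or any other tool mentioned on the page."""
import re

MIN_LENGTH = 12  # the page's own recommendation

# Words the page reports as common in the leaked Myspace passwords
COMMON_WORDS = ("password", "abc", "baseball", "football", "iloveyou", "myspace",
                "monkey", "princess", "qwerty", "soccer", "superman", "123456")

MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")


def rotation_core(password):
    """Return the part of a password that stays fixed under the two rotation
    schemes the page warns about, or None if the password fits neither:
    JANxxxx/FEBxxxx keeps everything after a month prefix, AxxxxxA/BxxxxxB
    keeps everything between a matching first and last character."""
    low = password.lower()
    if len(low) > 3 and low[:3] in MONTHS:
        return low[3:]
    if len(low) > 2 and low[0] == low[-1]:
        return low[1:-1]
    return None


def check_password(password, previous=()):
    """Return a list of findings; an empty list means the password passes
    every rule on the page. `previous` holds the passwords this one replaces."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        findings.append("does not combine letters and numbers")
    low = password.lower()
    hits = [word for word in COMMON_WORDS if word in low]
    if hits:
        findings.append("contains common word(s): " + ", ".join(hits))
    core = rotation_core(password)
    if core is not None and any(rotation_core(old) == core for old in previous):
        findings.append("predictable rotation of an earlier password")
    return findings


if __name__ == "__main__":
    # Constructed samples, plus the page's own example password
    for pw, prev in (("delta5544summer6388947+", ()),
                     ("baseball1", ()),
                     ("FEB-secretphrase99", ("JAN-secretphrase99",))):
        print(pw, "->", check_password(pw, prev) or "OK")
```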
Managing Passwords
Storing an unprotected list of passwords on your computer is not a good idea; however, if you store them in a very well protected Excel or Word document (password protected with a very strong password), then you are fine in my opinion. However, you also have the option of using a Password Manager Tool to help you keep track of these passwords. A password manager is software that helps a user organize passwords and PIN codes. The software typically has a local database or files that hold the encrypted password data. Many password managers also work like a form filler, thus they fill the user and password data automatically into forms. Some have password generator capabilities. In view of the rising threat of Phishing, password managers are also used as the best defense against such threats. Unlike human beings, a password manager program, which can handle automated login scripts, is not susceptible to visual imitations and look-alike web sites. With this built-in advantage, the use of a password manager is beneficial to everyone, even if he or she only has a few passwords to remember. However, one must keep in mind that not all password managers can automatically handle the more complex login procedures now imposed by banking web sites.
For example, RoboForm (Free to $35) is a top rated Password Manager and Web Form Filler that automates password entering and form filling. RoboForm was named PC Magazine Editor's Choice, and CNET Download.com's Software of the Year. RoboForm does the following:
1. Memorizes your passwords and Logs You In automatically.
2. Fills long registration and checkout forms with one click.
3. Encrypts your passwords to achieve complete security.
4. Generates random passwords that hackers cannot guess.
5. Fights Phishing by filling passwords only on matching web sites.
6. Defeats Keyloggers by not using the keyboard to type passwords.
7. Backs up your passwords, Copies them between computers.
8. Synchronizes passwords between computers using GoodSync.
9. Searches for keywords in your passwords, notes and Internet.
10. Portable: RoboForm2Go runs from USB key, no install needed.
11. PDA friendly: sync your passwords to Pocket PC and Palm.
12. Neutral: works with Internet Explorer, AOL/MSN, Firefox.
13. IE 7 and Vista are now supported.
Password Manager XP is a program to store passwords. It claims to rid computer users of the headaches caused by lost passwords, forgotten access codes and other sensitive information. With this program, you safely store all your logins, passwords, PIN codes, credit card numbers, access codes, files, and any other confidential information in one place. The product allows you to create several databases for storing desired information. Each database has its own access password and is encrypted with the algorithms of your choice. This means the capability to apply several different encryption algorithms at a time, which significantly increases protection against unauthorized access to your data. Besides, the program comes with an option to automatically exit databases when idle for a set period of time, which decreases the likelihood of your data being stolen when you leave your computer with the application running (for example, you have been distracted by other things or simply forgot to quit the program).
KeePass is a free/open source password manager or safe which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key disk. So you only have to remember one single master password or insert the key disk to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). It allows you to organize your entries into categories and offers several ways to conveniently enter your username/password; you can use drag and drop, copy to the clipboard, or create auto-type sequences that can enter the login information with a single click.
The Firefox browser also has a rudimentary password keeper and has a master password option. Internet Explorer will remember passwords, but lacks the master password option. Social engineering, phishing, and even careless oversight by internet service providers are yet other ways that hackers might get your password. Read more about Phishing Scams to avoid voluntarily providing your password via deceit and falling victim to Identity Theft.
Password Fatigue
Password fatigue describes the syndrome where people are required to remember an excessive number of passwords as part of their daily living. The increasing prominence of information technology and the Internet in employment, finance, recreation and other aspects of people's lives, and the ensuing introduction of secure transaction technology, has led to people accumulating a proliferation of accounts and passwords. According to British online security consultant NTA Monitor, the typical intensive computer user has 21 accounts that require a password.
Aside from contributing to stress, password fatigue may encourage people to adopt habits that reduce the security of their protected information. For example, an account holder might use the same password for several different accounts, deliberately choose easy to remember passwords that are vulnerable to cracking, or rely on written records of their passwords.
Password Recovery
The majority of password protected web sites provide password recovery that allows users to recover their passwords via email. Sometimes this is automated via the web site, although some web sites (especially paid-for or 'high value' web sites) may require additional checks via customer service operators. According to a PBS report, a survey of customer service representatives revealed that about 20% of the CS calls from users are about problems with passwords.
Be aware that if someone has access to your computer for a few moments, they could access your online account, click the lost password button, and have the password resent to your computer's email. There they could quickly learn your password, and then delete the email to erase their tracks.

Windows Security
File & Folder Security
Chapter 6
FAT32 versus NTFS
1. You Must Choose: When you format your hard drive, you must choose to use either FAT32 (File Allocation Table 32) or NTFS (the Windows NT File System).
2. Do Not Choose FAT32: FAT32 does not offer any security.
3. Do Choose NTFS: NTFS allows you to password protect files, password protect folders, and to apply encryption to your hard drive using EFS (Encrypting File System).
4. Deleted Files: When using FAT32, deleted files are not really deleted. They are only renamed in the File Allocation Table (from Budget.xls to *udget.xls). The asterisk prevents the file name from being viewed, but the file still exists on the hard drive. Many available tools enable you to rename the file, replacing the asterisk with a letter or number, and then the file is completely visible again.
With NTFS, when you delete a file, the file's location on the hard drive is overwritten, and there is no recovery option.
5. No Impact on Network: Choosing FAT32 or NTFS has no impact on sharing data across a network.
6. NTFS is Also Better in Other Ways: NTFS supports larger files, larger drive partitions, has better data compression, and has less file fragmentation.
7. It's Easy to Change to NTFS: If you are not already using NTFS, you can change to NTFS rather easily. You can switch to NTFS without reformatting your hard disk and restoring your apps and data from a backup. Just choose Start, Run, type cmd.exe, and press <Enter> to open a Command Prompt window. Now type <convert c: /fs:ntfs> (without the brackets) to convert your C: drive to NTFS.
File & Folder Security
To configure the security and permissions of a file or folder, right-click the file or folder and select the Sharing and Security or Properties option.
In the example above, the folder named Carlton's Private Folder has been protected by denying access to everyone (except the user Carlton). Now, no one on the network or on the computer will see the folder or have access to the folder and its contents unless they are logged in as the user Carlton.
Warning: Hidden Files and Folders Can Still Be Deleted. Please be aware that even though the folder is hidden from view, groups or users who are granted Full Control on a parent folder can delete any files in that folder regardless of the permissions protecting the file's access.
Warning: Anonymous Users Do Not Belong to Everyone. In Windows Vista and Windows Server 2003, by default the Everyone group does not include the Anonymous group, so permissions applied to the Everyone group do not affect the Anonymous group. You must apply those permissions separately.
File Sharing Permissions
1. Share Permissions versus NTFS Permissions: Share permissions and NTFS permissions are independent in the sense that neither changes the other. The final access permissions on a shared folder are determined by taking into consideration both the Share permission and the NTFS permission entries. The more restrictive permissions are then applied.
2. Windows XP Home and Windows Vista Home Users: Are limited to Share permissions only.
3. Using Share with FAT32: Share permissions are often used for managing computers with FAT32 file systems, or other computers that do not use the NTFS file system.
4. ... restrict access. This frees you from having to think about Share permissions, but NTFS permissions are more complex than Share permissions.
5. Four Folder Types: Four different types of folders can be set up using Share or NTFS Permissions, with slight differences as the table below shows:
a. NTFS permissions affect access for both local and remote users.
b. Share permissions apply only to network shares.
c. Share permissions do not restrict access to any local user, or to any terminal server user, of the computer on which you have set Share permissions. Thus, Share permissions do not provide privacy between users on a computer used by several users, nor on a terminal server accessed by several users.
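The rules in the File & Folder Security and File Sharing Permissions sections above, as an added model that is not Windows' own ACL evaluation: NTFS permissions bind local and network users, Share permissions bind only network users, the more restrictive of the two wins, a FAT32 volume has no NTFS permissions, and Full Control on a parent folder allows deleting a file regardless of that file's own permissions. The principal names and the sample ACLs are constructed.

```python
"""Small model of the page's permission rules. Added example, not Windows' actual
ACL evaluation; principal names and the sample ACLs are constructed."""
from enum import IntEnum


class Level(IntEnum):
    NONE = 0    # denied, or no entry that applies
    READ = 1
    CHANGE = 2  # "Change" on a share, "Modify" in NTFS
    FULL = 3


def resolve_ntfs(acl, principals):
    """acl: list of (principal, allow, level); principals: the caller's user name
    and group names. A deny entry matching any of the caller's principals wins
    over every allow entry, which is why an explicit deny on Everyone also locks
    out Carlton: he is a member of Everyone. Removing Everyone and allowing only
    Carlton gives the result the page describes."""
    if any(p in principals and not allow for p, allow, _ in acl):
        return Level.NONE
    granted = [level for p, allow, level in acl if p in principals and allow]
    return max(granted, default=Level.NONE)


def effective_access(ntfs, share, via_network):
    """ntfs is the caller's resolved NTFS level, or None on a FAT32 volume;
    share is the caller's Share permission level."""
    if ntfs is None:
        return share if via_network else Level.FULL  # FAT32: nothing restricts a local user
    if not via_network:
        return ntfs  # Share permissions never apply to local or terminal server users
    return min(ntfs, share)  # both apply; the more restrictive wins


def can_delete(file_ntfs, parent_ntfs):
    """Full Control on the parent folder allows deleting the file whatever the
    file's own permissions say; otherwise Modify (CHANGE) on the file is needed."""
    return parent_ntfs == Level.FULL or file_ntfs >= Level.CHANGE


# Constructed ACLs for "Carlton's Private Folder"
CARLTONS_FOLDER_ACL = [("Carlton", True, Level.FULL)]            # Everyone removed
DENY_EVERYONE_ACL = [("Everyone", False, Level.FULL),             # the tempting mistake
                     ("Carlton", True, Level.FULL)]


if __name__ == "__main__":
    for user in ({"Carlton", "Everyone"}, {"Bob", "Everyone"}):
        ntfs = resolve_ntfs(CARLTONS_FOLDER_ACL, user)
        print(sorted(user), "local:", effective_access(ntfs, Level.READ, False).name,
              "over the network:", effective_access(ntfs, Level.READ, True).name)
```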
Folder Settings
You can apply many settings to each folder by selecting Tools, Options from the Folder menu. Four of these settings have a security impact, as follows:
1. Hide Hidden Files: One option allows you to display or hide hidden files or hidden folders. Hidden files are just like ordinary files in all other respects. You can choose whether a file is hidden or visible by changing its properties to designate it as hidden. Hidden files are generally used to reduce clutter, but they also make your system more secure against novice hackers because you can hide confidential files from other people; however, you should not rely on hidden files as your only means of security or privacy.
2. Hide Protected Operating System Files: These files are hidden by default, and you should keep them hidden. Hiding these files is usually a good idea, because it helps you avoid deleting them accidentally. But for some special purposes, you'll need to display these files temporarily.
3. Show Encrypted Files or Folders in Colors: This option could tell a hacker which files to target; therefore you might consider turning off this feature.
4. Use Simple File Sharing: Most security experts recommend turning off Simple File Sharing in Windows 95, 98, 2000 and XP and that you use the standard File Sharing instead. (Simple Sharing is disabled by default in Windows Vista.) Simple File Sharing is used primarily in the Home editions of Windows XP and Windows Vista.
Encrypting File System (EFS)
There's only one sure way to make your files truly confidential: you must encrypt them. The Encrypting File System (EFS) in most versions of Windows Vista, XP, and 2000 scrambles the contents of files and folders, making it impossible for others to read them (assuming a strong password is used and kept secret). Presented below are key points:
1. Where is EFS? EFS is included in Windows Vista Business, Enterprise, and Ultimate; XP Pro; and Windows 2000; however, Windows XP Home lacks EFS, and Vista Home Premium, Vista Starter, and Vista Home Basic only allow decryption; this allows users to read encrypted files but not encrypt them.
2. Must Use NTFS: As mentioned above, to use EFS on a hard drive partition, that partition must first be formatted using the NTFS file system.
3. Encrypt: To encrypt a file or folder, right-click it in any folder and choose Properties, General tab, Advanced. Check Encrypt contents to secure data. If you're encrypting a folder, you'll be asked if you want to encrypt its files and subfolders as well.
Once encrypted, the files or folders will work like any others on your system; you don't have to use any special passwords to open or save them. However, other user accounts on the PC, and other PCs on the network, will not be able to view the file contents unless they are logged into your account with your password.
Tip: You can add the Encrypt command to your right-click context menu using Tweak UI, a free PowerToy from Microsoft. To do this, download Tweak UI for free, install and launch Tweak UI, select Explorer in the left pane, scroll to the option and check Show "Encrypt" on context menu.
4. Color Coded: Encrypted folders and files will appear in green text as an indication that the contents are encrypted. You can change this by opening Explorer and choosing Tools, Folder Options. Click the View tab, and in the Advanced Settings box, make sure that Show encrypted or compressed NTFS files in color is checked. Encrypted items will be shown in green and compressed ones in blue. If you don't want others to see which files are encrypted or compressed, uncheck this option.
5. Grant Permissions to Others: You can grant users access to your encrypted files by username. Do this by right-clicking a single encrypted file (not a folder or multiple files), and choose Properties. In the General tab, click Advanced, and next to 'Encrypt contents to secure data', choose Details. In the middle of that dialog box, click Add to open the Select User dialog, which lists others who have a certificate (a digital document that helps confirm authenticity) on your system. Users can acquire certificates in various ways, but one of the simplest is by encrypting one of their own documents. Select a trusted user and click OK.
6. Disable Profiles Rather than Deleting Them: Deleting a profile might prevent you from accessing an encrypted file. For example, if Steve goes on leave, you should disable rather than delete Steve's profile. To do this in XP, choose Start, Run, type lusrmgr.msc, and press Enter. In Vista, click Start and enter the same command in the Start Search field. Click the Users folder icon in the left pane and double-click Steve's profile in the right pane. In the General tab, check Account is disabled and click OK; when Steve returns to work, simply reverse this procedure.

System Restore
Chapter 7
System Restore
System Restore is a feature of Microsoft Windows XP and Vista that automatically saves a copy of important system settings (the registry) and files so that you can easily restore those settings if something goes wrong. System Restore creates a backup copy every day and every time you install new hardware or software.
If your computer starts functioning poorly, System Restore can be used to return system settings and system files to the state they were in on an earlier date when the computer was working properly.
System Restore has saved my bacon many times, so I reserve as much disk space as possible for its restore points. (Not everyone is a big restore point fan because it does not always work properly, but my experience has been 100% great). Comments follow:
1. On Windows Vista computers, you need at least 300 megabytes (MB) of free space on each hard drive that has System Protection turned on.
2. System Restore might use up to 15 percent of the space on each disk.
3. As the amount of space fills up with restore points, System Restore will delete older restore points to make room for new ones.
4. System Restore will not run on disks smaller than 1 gigabyte (GB).
5. In Windows XP computers only, you can adjust the amount of disk space System Restore claims: right-click My Computer in Explorer or on the desktop and choose Properties. Click the System Restore tab and select a drive whose storage settings you want to change. Choose Settings, drag the slider to the desired level, and click OK twice.
6. Restore points are created automatically every day, and just before significant system events, such as the installation of a program or device driver. You can also create a restore point manually.
7. If you turn off System Protection (the feature that creates restore points) on a disk, all restore points are deleted from that disk. When you turn System Protection back on, new restore points are created.
8. System Restore doesn't protect FAT32 and other FAT disks because FAT disks don't support the use of shadow copies. Shadow copies require the NTFS file system. In this version of Windows, System Restore uses shadow copies to create restore points. If you store system files on a FAT disk, you cannot use System Restore to undo changes.
Understanding the Registry
The system registry is where Windows stores your computer settings and other information about how your computer runs. The registry is constantly changing as you install new programs and change settings in Control Panel and elsewhere. Here is what the registry looks like:
Ordinarily, you do not need to make changes directly to the registry because the registry contains complex system information that is vital to your computer, and an incorrect change to your computer's registry could render your computer inoperable. However, you can run the command REGEDIT to launch the registry and scroll its thousands of lines of content. Windows Restore Point takes snapshots of your registry which can be easily restored later if needed.

Firewalls
Chapter 8
Firewalls
A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.
The concept of needing a firewall first occurred with Clifford Stoll's discovery of German spies tampering with his system in 1988. That attack and others led programmers to apply filter rules to their network routers. The term Firewall was widely popularized when it was referenced in the movie WarGames.
Routers and Firewalls Have Opposing Objectives
The whole point of the Internet is to allow for the free flow of information throughout the world. The whole point of computer security is to prevent the free flow of information throughout the world. Given these two directly opposing objectives, it is easier to understand why airtight computer security is so elusive. The real trick is to allow authorized access to your systems, and to prevent unauthorized access. This is precisely what firewall devices can do for your organization.
Firewalls: Devices versus Software
Firewalls can be hardware devices, or software applications. Here are examples:
In my opinion, hardware device firewalls are better because they set up a defense against attack at the point where your Internet cable enters your building. Software based firewalls set up the defenses at the server (or worse, at each computer), which potentially leaves your routers, printers, fax machines and other devices vulnerable. Because just one hardware based firewall can protect your entire organization's computer systems, I recommend a firewall device.
Please Change the Firewall Password
What Firewall Routers Do
Today's firewall devices provide several security features, as follows:
1. Restrict Access: Firewalls provide Network Access Rules that allow the administrator to block all traffic of a certain type, such as Internet Chat (IRC). Rules can be created to give Internet users access to a specific server on a LAN. Most importantly, firewalls provide absolute control of your ports, Java, ActiveX, Cookie, Proxy blocking, etc. The administrator can customize the firewall device to allow Java, ActiveX and cookies from trusted sites. When a proxy server is located on the WAN it is possible for LAN users pointing to this proxy server to circumvent content filtering.
2. Hacker Attack Prevention: Firewalls can inspect packets as they arrive to protect private LANs from Internet hackers and vandals by detecting and thwarting Denial of Service attacks such as Ping of Death, SYN Flood, LAND Attack, IP Spoofing, etc.
3. Alerts: Most firewall devices maintain a log of security events for later review. These events can also be sent to appropriate users via email for immediate review, depending upon the severity of the event.
4. Network Address Translation (NAT): Allows companies to use private addresses for better security.
5. IP Address Management: NAT also allows LANs to share low cost Internet accounts, such as xDSL or cable modems, where only one IP address is provided by the ISP.
When shopping for a firewall appliance, make sure to select one that has been ICSA Certified. This internationally accepted certification means that the device has been subjected to a rigorous series of tests intended to expose vulnerabilities to attacks and intrusions. There are many firewalls in the marketplace ranging in price from $95 to $46,000.
How Firewalls Filter Data
Status: U
Return-Path: <godiva@email.godiva.com>
Received: from noehlo.host ([127.0.0.1]) by whmx-tenant.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1jH4Y75i43NZFmB2; Wed, 2 Apr 2008 08:33:43 -0700 (PDT)
Received: from mh.godiva.m0.net ([209.11.164.74]) by whmx-tenant.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1jH4Y73cx3NZFmB0 for <carlton@accountingsoftwareadvisor.com>; Wed, 2 Apr 2008 08:33:43 -0700 (PDT)
As you can see, the sender's IP address is embedded in the email. With this information, I could simply instruct my firewall device to block all packets to and from this IP address (exclusive filtering). Likewise, I could also instruct my firewall device to block all packets except for those containing this IP address (inclusive filtering). The screen below shows where you would set up these rules on a NetGear firewall device.
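To show how the address found in a Received header turns into the two rule styles just described (exclusive filtering blocks the address, inclusive filtering passes only that address), here is an added Python example; it is not part of the original course material. The header text is reconstructed from the sample above, and the LAN host 192.168.0.10, the addresses 198.51.100.7 and 203.0.113.5, and the PacketFilter model are this example's assumptions, not a NetGear feature.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample of the headers quoted above (IPs and mail hosts as on the page).
# Each "Received:" line is added by the server that accepted the message and placed
# on top, so the TOP line is the most recent hop and the BOTTOM line the oldest.
SAMPLE_HEADERS = """\
Status: U
Return-Path: <godiva@email.godiva.com>
Received: from noehlo.host ([127.0.0.1]) by whmx-tenant.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1jH4Y75i43NZFmB2; Wed, 2 Apr 2008 08:33:43 -0700 (PDT)
Received: from mh.godiva.m0.net ([209.11.164.74]) by whmx-tenant.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1jH4Y73cx3NZFmB0 for <carlton@accountingsoftwareadvisor.com>; Wed, 2 Apr 2008 08:33:43 -0700 (PDT)
"""

# Same message with an extra, forged hop underneath (constructed): anything below the
# lines your own mail server wrote was supplied by the sender and cannot be trusted.
FORGED_HEADERS = SAMPLE_HEADERS + (
    "Received: from innocent.example ([203.0.113.5]) by mh.godiva.m0.net with SMTP; "
    "Wed, 2 Apr 2008 08:33:40 -0700 (PDT)\n"
)

RECEIVED_IP = re.compile(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.MULTILINE)


def received_ips(headers: str) -> List[str]:
    """All bracketed IPs in Received lines, top (newest hop) to bottom (oldest hop)."""
    return RECEIVED_IP.findall(headers)


def sender_ip(headers: str) -> Optional[str]:
    """The first hop, reading top-down, that came from outside our own network.

    Reading top-down means we stop at the hop recorded by our own server and never
    reach the hops further down that the sender could have forged.
    """
    for ip in received_ips(headers):
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_private):
            return ip
    return None


class PacketFilter:
    """Toy model of the two rule styles the text describes (an assumption, not a product)."""

    def __init__(self, mode: str, ips) -> None:
        if mode not in ("exclusive", "inclusive"):
            raise ValueError("mode must be 'exclusive' or 'inclusive'")
        self.mode = mode
        self.ips = set(ips)

    def allows(self, src: str, dst: str) -> bool:
        """Rules apply to packets 'to and from' the address, so either end may match."""
        matched = src in self.ips or dst in self.ips
        if self.mode == "exclusive":   # block the listed addresses, pass everything else
            return not matched
        return matched                 # inclusive: pass only the listed addresses


def demo() -> dict:
    """Run both rule styles over a few constructed packets (192.168.0.10 is our LAN host)."""
    bad = sender_ip(SAMPLE_HEADERS)
    block_list = PacketFilter("exclusive", [bad])
    allow_list = PacketFilter("inclusive", [bad])
    packets = [
        ("209.11.164.74", "192.168.0.10"),   # inbound from the sender
        ("192.168.0.10", "209.11.164.74"),   # outbound to the sender
        ("198.51.100.7", "192.168.0.10"),    # unrelated inbound traffic
    ]
    return {p: (block_list.allows(*p), allow_list.allows(*p)) for p in packets}


if __name__ == "__main__":
    print("sender IP:", sender_ip(SAMPLE_HEADERS))
    for pkt, (excl, incl) in demo().items():
        print(pkt, "exclusive:", "pass" if excl else "drop",
              "| inclusive:", "pass" if incl else "drop")
```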
You Can Test Your Firewall's Effectiveness
There are several websites that you can visit that will test the vulnerability of your current internet connection and the effectiveness of your firewall device. One such website, offered by Symantec, is located at the following URL:
http://security.symantec.com/ssc/sc_ipcheck.asp?ax=1&langid=ie&venid=sym&plfid=23&pkj=OBQXESLHFEPGEVVSDUX
Symantec publishes the results of this online security testing and, based on more than 2.5 million tests, 16% to 21% of all users are vulnerable to network and NetBIOS attacks via the internet. These results are shown below:
Windows XP & Windows Vista Firewalls
Both Windows XP and Windows Vista have firewalls built right in, and they are excellent. To access the firewall settings, select Windows Firewall from Control Panel to display the following dialog boxes:
Following are a few points of interest regarding these firewall solutions.
1. Windows Firewall was first introduced as part of Windows XP Service Pack 2.
2. Every type of network connection, whether it is wired, wireless, VPN, or even FireWire, has the firewall enabled by default, with some built-in exceptions to allow connections from machines on the local network.
4. XP's Windows Firewall cannot block outbound connections; it is only capable of blocking inbound ones.
5. Windows Firewall in Windows Vista significantly improves the firewall as follows:
a. IPv6 connection filtering is now available.
b. Outbound packet filtering is now available.
c. Rules can be specified for source and destination IP addresses and port ranges.
d. Rules can be configured for services by service name, chosen from a list, without needing to specify the full path filename.
e. IPsec is fully integrated, allowing connections to be allowed or denied based on security certificates, Kerberos authentication, etc.
f. Encryption can also be required for any kind of connection.
g. A new management console snap-in named Windows Firewall with Advanced Security provides access to many advanced options, and enables remote administration. This can be accessed via Start > Control Panel > Administrative Tools > Windows Firewall with Advanced Security.
h. Ability to have separate firewall profiles for when computers are domain-joined or connected to a private or public network.
If you have a firewall device and use Windows' built-in firewall solution, you do end up with redundant protection. This is fine; I see no significant problems or performance issues with running these two layers of firewall protection. In fact, the Windows firewall protection becomes important because it protects your computer from attacks from other employees or persons within your organization.
Wireless Security
Chapter 9
The use of a wireless device provides an invisible access point into your computer network within a radius of up to 300 feet from your wireless device. Hackers use empty tennis ball cans to build devices designed to detect and boost your signal, like the device shown below.
Many users setting up wireless home and small office networks rush through the job to get their Internet connectivity working as quickly as possible, but they fail to take the additional measures needed to properly lock down this new access point. The recommendations below summarize the steps you should take to improve the security of your home wireless network.
1. Change Default Administrator Passwords (and Usernames): The first order of business is to log into your wireless device settings and change the default username and password. The default login name and password are usually "admin" and "password", and all of the hackers out there know this. Therefore you should change these settings immediately. Here's how:
a. First, you must be connected to the wireless device with a physical wire (such as an Ethernet cable); you usually cannot do this wirelessly.
b. Log into the network router by typing the following into your browser: http://192.168.0.1, or whatever IP address is printed on the bottom of the wireless device, if different.
c. Navigate the menu to the router's Change Password page.
d. Choose and enter a new password.
e. Save the new password.
2. Turn on WPA2 or WPA Encryption: All WiFi equipment supports some form of encryption scheme, as follows:
a. WEP (Wired Equivalent Privacy): Found to have serious shortcomings in 2001.
b. WEP2: Also found deficient; WEP2 mutated into TKIP.
c. WEPplus: Lucent's attempt to correct WEP shortcomings, but this fell short.
d. Dynamic WEP: 3COM's attempt to correct WEP shortcomings, which fell short.
e. WPA (WiFi Protected Access): The answer to WEP.
f. WPA 2.0: Better than WPA, but does not always work with older devices.
g. WPA-PSK TKIP: Software driven.
h. WPA2-PSK AES: Hardware driven.
i. WPA2-PSK TKIP: Software driven.
Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read. Several encryption technologies exist for WiFi today. Naturally you will want to pick the strongest form of encryption that works with your wireless network. However, the way these technologies work, all WiFi devices on your network must share the identical encryption settings. Therefore you may need to find a "lowest common denominator" setting. Here's how you set up WPA:
j. First, verify that each computer is running Windows XP Service Pack 1 (SP1) or later.
k. On each computer, verify that the client's network adapter is compatible with the Wireless Zero Configuration (WZC) service. (To do this, consult the adapter's product documentation, manufacturer's Web site, or appropriate customer service line for details. Upgrade the network adapter driver and configuration software to support WZC on clients where needed.)
l. For each computer, download and install the Windows XP Support Patch for WiFi Protected Access; walk through the installation dialog boxes and follow the instructions.
m. Continue following the instructions and configure all Wireless Access Points (your wireless devices).
n. Continue following the instructions and configure all Wireless Network Adapters (your LAN cards).
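The "lowest common denominator" rule above is easy to get wrong on a mixed network, so here is an added Python example (not from the course material) that works it out from an inventory of what each device supports and names the device that is holding the network back. The numeric ranking of the schemes, the choice of WPA as the weakest acceptable setting, and the sample inventory are this example's assumptions.

```python
from typing import Dict, List, Optional

# Ranking of the schemes listed in the text, weakest to strongest. The numbers, and
# the choice of WPA-PSK as the weakest setting worth accepting, are assumptions.
SCHEME_RANK: Dict[str, int] = {
    "open": 0,
    "WEP": 1, "WEP2": 2, "WEPplus": 2, "Dynamic WEP": 2,
    "WPA-PSK TKIP": 3,
    "WPA2-PSK TKIP": 4,
    "WPA2-PSK AES": 5,
}
WEAKEST_ACCEPTABLE = "WPA-PSK TKIP"

# Constructed inventory: the schemes each device on a small network can be set to.
SAMPLE_DEVICES: Dict[str, List[str]] = {
    "router":      ["WEP", "WPA-PSK TKIP", "WPA2-PSK TKIP", "WPA2-PSK AES"],
    "laptop":      ["WEP", "WPA-PSK TKIP", "WPA2-PSK TKIP"],
    "old printer": ["WEP"],
}


def strongest_common_scheme(devices: Dict[str, List[str]]) -> Optional[str]:
    """The 'lowest common denominator': the strongest scheme EVERY device supports."""
    common = None
    for supported in devices.values():
        common = set(supported) if common is None else common & set(supported)
    if not common:
        return None
    return max(common, key=lambda s: SCHEME_RANK.get(s, -1))


def devices_holding_back(devices: Dict[str, List[str]], scheme: str) -> List[str]:
    """Devices that cannot use `scheme`: update their drivers/firmware or replace them."""
    return sorted(name for name, supported in devices.items() if scheme not in supported)


def plan(devices: Dict[str, List[str]]) -> dict:
    """What to configure now, and which devices must change before it is acceptable."""
    best = strongest_common_scheme(devices)
    acceptable = (best is not None
                  and SCHEME_RANK.get(best, -1) >= SCHEME_RANK[WEAKEST_ACCEPTABLE])
    result = {"configure_now": best, "acceptable": acceptable}
    if not acceptable:
        # Fixing these devices lets the rest of the network move to WPA or better.
        result["fix_first"] = devices_holding_back(devices, WEAKEST_ACCEPTABLE)
    return result


if __name__ == "__main__":
    print("whole network:", plan(SAMPLE_DEVICES))
    without_printer = {k: v for k, v in SAMPLE_DEVICES.items() if k != "old printer"}
    print("after replacing the printer:", plan(without_printer))
```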
3. Change the Default SSID: Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring wireless security on your network.
a. Log into the network router.
b. Navigate to the router's Basic Wireless Settings page.
c. Choose and enter a new SSID.
d. Save the new SSID.
4. Enable MAC Address Filtering: Each piece of WiFi gear possesses a unique identifier called the physical address or MAC address. Routers keep track of the MAC addresses of all devices that connect to them. Many routers offer the owner an option to key in the MAC addresses of their home or small business equipment, which restricts network connections to those devices only. Here's how:
a. To set up MAC address filtering, first prepare a list of computers and devices that will be allowed to join the network.
b. Next, obtain the MAC addresses of each computer or device from its operating system or configuration utility.
c. Next, enter those addresses into a configuration screen of the wireless router. An example screen is shown below.
d. Finally, switch on the filtering option.
e. Once enabled, whenever the wireless router receives a request to join the WLAN, it compares the MAC address of that client against the administrator's list. Clients on the list authenticate as normal; clients not on the list are denied any access to the WLAN.
(While this feature represents yet another obstacle/deterrent to hackers, there are many software programs available that enable hackers to defeat this measure by easily faking a MAC address.)
5. Disable SSID Broadcast: In WiFi networking, the wireless router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where WiFi clients may roam in and out of range. In the home or small business, this roaming feature is probably unnecessary, and it increases the likelihood that someone will try to log into your home network. Fortunately, most WiFi access points allow the SSID broadcast feature to be disabled by the network administrator. To do this, simply log into your wireless router device, navigate to the SSID menu, and click the disable button as shown below.
6. Do Not Auto-Connect to Open WiFi Networks: Connecting to an open WiFi network such as a free wireless hotspot or your neighbor's router exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations. Here's how:
a. To verify whether automatic WiFi connections are allowed, open Control Panel.
b. Click the "Network Connections" option if it exists (otherwise first click "Network and Internet Connections" and then click "Network Connections").
c. Right-click "Wireless Network Connection" and choose "Properties."
d. Click the "Wireless Networks" tab on the Properties page.
e. Click the "Advanced" button.
f. Find the "Automatically connect to non-preferred networks" setting. If checked, this setting is enabled; otherwise it is disabled.
7. Assign Static IP Addresses to Devices: Most home and small business networks use dynamic IP addresses because DHCP technology is easy to set up and use. Unfortunately, this convenience works to the advantage of network attackers, who can then obtain valid IP addresses from your network's DHCP pool. To be more secure, you may want to turn off DHCP on the router, set a fixed IP address range instead, then configure each connected device to match. Use a private IP address range (like 12.12.12.x) to prevent computers from being directly reached from the Internet. The specific procedures to follow will vary with the devices you are using; therefore you should refer to the user manual or the web for detailed instructions for each device you have on your network.
8. Enable Firewalls On Each Computer and the Router: Wireless routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router's firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router. To enable the router's firewall, simply log into your wireless router device, navigate to the Firewall menu, and click the Enable button as shown below.
9. Position the Router or Access Point Safely: WiFi signals normally reach beyond the walls of a home or small office. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. WiFi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.
Checking the Security of Your PC
Chapter 10
1. Firewall Test: A firewall test should be conducted often and is easy to do. This test will check your computer for ports that are commonly left open. Open ports could allow your computer to be compromised. As an example, you could run a firewall test in less than 10 seconds at: http://www.auditmypc.com/firewalltest.asp. This firewall test will also check for open ports known to be used by viruses and Trojans.
2. Anonymous Surfing Test: Anonymous surfing is a key step to staying safe online. I tested my computer at http://www.auditmypc.com/anonymoussurfing.asp, and immediately it showed me the following:
This means that a website or other person can tell where I am located (approximately).
Hide Your IP: To thwart this possibility, I would need to hide my IP address using an anonymous proxy. Be very careful though, as not all proxy servers do as they claim. In fact, many junk proxy servers give people a false sense of security or worse, and instead record everything you do in hopes of scoring a password or two! You can hide your IP with many products, including this one:
The product claims to provide the following benefits:
1. Easily Conceal Your IP Address: Just click "Hide IP" and your IP is instantly hidden! Other people see a fake IP, which is not associated with your real IP.
2. Anonymous Web Surfing: Protect your privacy and cover your tracks! Select from one of our many fake proxy IP addresses for totally anonymous browsing.
3. Works with many Applications: Hide My IP 2007 works with all major browsers and dozens of instant messengers, Email clients, and games.
4. Stop Hackers: Identity thieves can potentially use your IP addresses to compromise your computer by installing keyloggers, Trojans, and other tools.
5. Send Anonymous Emails: Hide your IP in Email headers. Supports Webmail services like Yahoo, Hotmail, and GMail. Mail clients supported with a Premium account include Outlook, Outlook Express, and Eudora.
6. Unban Yourself From Forums, Blogs, Etc...: By faking your IP you can often access many sites you were banned from. Combine with Cookie Crumble for the most effectiveness.
3. Popup Test: At a minimum, unwanted popup ads steal time and provide a distraction. The Popup Test helps you verify that your ad blocking software is really capable of preventing pop-up ads. I tested my computer for pop-ups at http://www.auditmypc.com/freescan/popup/popuptest.asp. I did not have my popup blocker turned on, and therefore I failed the test. Then I turned on the Internet Explorer Pop-Up Blocker and reran the test. The results before and after were as follows:
After turning on the standard Internet Explorer Pop-Up Blocker, I passed the Popup test with flying colors.
4. Internet Speed Test: A slow Internet connection can steal your productivity. Therefore you should conduct an Internet Speed Test for Broadband, Cable, Satellite and DSL Modems that helps determine your true bandwidth. I tested my speed here: http://www.auditmypc.com/internetspeedtest.asp. Here are the results:
This test provides you with your true speed, rather than the speed claimed by your provider. This will help you identify the problem in the event that you are not getting all the speed you are paying for. I recommend Cable at a minimum; in my opinion DSL is too slow and should be used when it is the only option.
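The firewall test in item 1 is a port check run from the Internet side; here is an added Python example (not from the course material, and not how auditmypc.com works) that performs the same kind of TCP port check so you can see what is listening on a machine before exposing it. The port list and the "risky" subset are this example's assumptions; run it against 127.0.0.1 to see what is listening locally, or from a second machine against the first one's address to see what the firewall actually lets through.

```python
import socket
from typing import Dict, Iterable, List

# TCP ports such online tests typically probe (assumption: this list is the example's own).
# NetBIOS name/datagram (137/138) are UDP and cannot be checked with a TCP connect,
# so they are left out; 135, 139 and 445 are the Windows RPC / NetBIOS session / SMB ports.
COMMON_TCP_PORTS: Dict[int, str] = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3",
    135: "msrpc", 139: "netbios-ssn", 143: "imap", 443: "https",
    445: "microsoft-ds (SMB)", 1433: "mssql", 3389: "rdp",
}
# Services that should normally never be reachable from the Internet.
RISKY_PORTS = {23, 135, 139, 445, 1433, 3389}


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connection to host:port succeeds, i.e. something is listening there
    and no firewall between here and there dropped the connection attempt."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((host, port)) == 0
    except OSError:
        return False


def scan(host: str, ports: Iterable[int] = COMMON_TCP_PORTS,
         timeout: float = 0.5) -> List[int]:
    """Sorted list of the given ports that accept a connection on `host`."""
    return sorted(p for p in ports if port_open(host, p, timeout))


def risky(open_ports: Iterable[int]) -> List[int]:
    """The subset of open ports that should be closed or firewalled."""
    return sorted(p for p in open_ports if p in RISKY_PORTS)


def report(host: str) -> List[str]:
    """Human-readable result lines for the common-port scan of one host."""
    open_ports = scan(host)
    lines = [f"{host}: {len(open_ports)} of {len(COMMON_TCP_PORTS)} common TCP ports open"]
    for p in open_ports:
        flag = "  <-- close this service or block it at the firewall" if p in RISKY_PORTS else ""
        lines.append(f"  {p:>5}/tcp {COMMON_TCP_PORTS.get(p, '?')}{flag}")
    return lines


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("\n".join(report(target)))
```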
Online Security Tests
Chapter 11
ShieldsUp! Port Authority Edition (grc.com): Internet Vulnerability Profiling, Gibson Research Corporation, by Steve Gibson. [Free service] Checks the security of your computer's Internet connection by performing queries and probing common port addresses. A report is issued on your hacker vulnerability. "Port Authority" is the second generation ShieldsUP!!
Broadband Tests and Tools (www.broadbandreports.com/tools): BroadbandReports.com [Free service (limited use); fee required for unlimited use] Internet speed tests, tweak test, line quality, line monitor, whois, doctor ping, router watch, and more.
BrowserSpy (gemal.dk/browserspy): [Free service] Shows you what detailed information is revealed about you and your browser: version, what it supports, JavaScript, Java, plugins, components, bandwidth, language, screen, hardware, IP, cookies, web server, and more.
GFI Email Security Testing Zone (www.gfi.com/emailsecuritytest): GFI Software Ltd [Free service] Find out how secure your email system is by doing a vulnerability check.
HackerWhacker (www.hackerwhacker.com): [First test is free; subscription fee applies on subsequent scans] See your computer the way hackers do. The following issues are addressed: Are there strangers in your computer? Could your web server be hijacked? Free security scan. Has your network been broken into? Are you secure? Are hackers targeting you? Want to test your firewall? Also contains a listing of current news articles on hacks, and a listing of links to other security sites.
PC Flank (www.pcflank.com): [Free service] Test Your System: choose from Quick Test, Stealth Test, Browser Test, Trojans Test, Advanced Port Scanner, and Exploits Test. (Kudos to the webmaster for great site design!)
PC Pitstop (www.pcpitstop.com): [Free service] Internet Security test, Internet Ping test, Spyware check, In-memory virus check, bandwidth tests, assorted benchmarks, and more.
Qualys' Free Browser Checkup (browsercheck.qualys.com): Qualys [Free service] A series of audits designed to test and fix your browser's security vulnerabilities. Supports only Microsoft Internet Explorer, and you must have cookies enabled.
Privacy.net (privacy.net/analyze): The Consumer Information Organization [Free service] Privacy analysis of your Internet connection; performs tests on information that is collected about you when visiting a website, with explanations of what each test is and how it is performed.
ScannerX (scannerX.com): [Initial assessment is free; choose from a variety of plans, subscription fee applies] Vulnerability assessment services provide detailed testing, reporting and fixes.
Secunia (www.secunia.com): [Free service] Online services include browser checker, online antivirus, and vulnerability scanner.
SecuritySpace (www.securityspace.com): Esoft Inc. [Free "Basic Audit"; first "Desktop Audit" is free, subscription fee applies on subsequent tests] "Basic Audit": Our classic port scan scans 1500+ known service ports looking for services hackers might use to get in. "Desktop Audit": A comprehensive suite of 797 vulnerability tests to learn if your system's security is at risk.
Symantec Security Check (securityresponse.symantec.com; click on "check for security risks"): Symantec [Free service] A service designed to help you understand your computer's exposure to online security intrusions and virus threats.
Trend Micro Housecall (housecall.trendmicro.com; click on "check for security risks"): Trend Micro [Free service] An online virus scanning service.
File Authentication & Leak Tests:
FireHole (keir.net/firehole.html): Robin Keir [Freeware] Another tool for testing the outbound detection of personal firewalls. For use with Netscape and Internet Explorer.
LeakTest Firewall Leakage Tester (grc.com/lt/leaktest.htm): Internet Connection Security for Windows Users, Gibson Research Corporation, by Steve Gibson. [Freeware] This small utility will test for vulnerabilities that might allow a malicious program to bypass your software firewall.
TooLeaky (tooleaky.zensoft.com): Bob Sundling [Freeware] Test your firewall with a program that can defeat the outbound detection of personal firewalls. For use with Internet Explorer.
Windows Security
User Accounts & Security Groups
Chapter 12
8. The Login Screen: When logging into Windows, you are greeted by the Welcome screen. You must log in as a user to continue.
9. No Security in W95 & W98: In Windows 95 and Windows 98, there was no security because you could simply hit ESCAPE to continue.
10. User Accounts Now Required: Windows XP and Windows Vista force you to create a user account; you can create up to five user accounts.
11. Accessing User Accounts: The Control Panel User Accounts option allows you to see the user accounts that are allowed to log in; however, there are other hidden user accounts used by the operating system and applications that are not shown.
12. Limiting User Accounts: The more user accounts you have, the more targets a hacker has. Therefore, you might consider limiting the number of user accounts using the hidden Administrative Tools.
13. Making Administrative Tools Visible: To do this:
a. Right-click the Start button.
b. Select Properties.
c. Click the Start Menu tab.
d. Click the Customize button.
e. Click the Advanced tab (in Windows XP only; Vista users simply scroll down).
f. Select the option to Display Administrative Tools.
The dialog box and resulting administrative tools are shown below.
14. Disable the Guest Account in W95, W98, W2000 and Vista: Most security experts advise you to disable the Guest account because it serves no real world purpose, it has no password by default, and hackers like to target the guest account. In Windows 95, 98, 2000, & Vista, disabling the Guest account is easily accomplished via a button selection in Control Panel's User Account dialog box.
15. Password Protect the Guest Account in Windows XP: In Windows XP, turning off the Guest Account only hides it from the login screen; it still remains active behind the scenes because it is necessary for sharing resources on a network. Therefore, rather than turning off the Guest Account, you should apply a strong password. Creating a password for the Guest account in Windows XP is easy, but it is not an easy task in Windows XP Home. When you open the User Accounts console from the Control Panel in Windows XP Home and select the Guest account, Create a Password is not one of the available options. To create a password for the Guest account in Windows XP Home, you will need to open a command line window (click Start | All Programs | Accessories | Command Prompt). Enter the following: net user guest <password>. Leave off the brackets and simply type the password you want to assign at the end of the command line and press Enter. Oddly, now that you have created a password for the Guest account, the options for changing or removing the password will now appear in the User Accounts console.
16. Rename the Administrator Account: To hack into your computer, a hacker needs to know both the username and the password. Everyone already knows the name of the administrator account. By changing the name of the administrator account, you compound the hacker's efforts. This is easy: just log into Windows as the Administrator, go to Control Panel, User Accounts, choose the Change Name option, and enter a new name as shown below:
17. Security Groups: Just as you can create user accounts, you can also create security groups. The default groups that are included in Windows are as follows:
a. Administrators: Can do everything.
b. Users: Can use the system, but can't install or change the system.
c. Power Users: Grants some power to install and configure the system.
d. Guests: Limited access; can see shared folders and printers.
e. Help Services: Allows support technicians to connect to your computer.
f. Backup Operators: Can back up and restore files.
g. Replicators: Can copy files.
h. Network Configuration Operators: Add, change or delete network connections.
i. Remote Desktop Users: Can connect remotely.
Groups are helpful in larger organizations because the administrator can simply set up a few groups, and then assign users to those security groups. They will automatically inherit the security rights of the group they belong to. The use of security groups is considered to be faster and more accurate. (Security groups are not available in the Home editions of Windows XP and Windows Vista.)
18. Administrator Rights Required in Vista: Windows Vista allows users to be standard users or administrators. Beginning in Windows Vista, you must be logged in as an administrator to accomplish many things, such as installing software or changing computer settings. This can be frustrating because standard users will encounter this obstacle frequently, and they will need to log in as an administrator frequently in order to manage their computer system. This is actually a great security measure, but it frustrates standard users and you should be aware of this problem. Following is an example screen that standard users will see frequently.
Beware the Hacker Tools
There are a multitude of hacker tools available for circumventing user accounts and passwords. Microsoft continually releases patches to shut down these tools, but the companies that make these tools keep finding new ways to circumvent them.
Windows Password Reset 5.0 is just one of many similar programs designed for resetting local administrator and user passwords on any Windows system. The company claims that if you have forgotten your password, or are locked out, or you do not have access to the password of the system, you can easily get back in. Key features claimed:
1. 100% recovery rate
2. Very easy to use (3 steps only), with complete screenshots
3. No other installation required
4. Supports FAT16, FAT32, NTFS, NTFS5 file systems
5. Supports large hard disk drives (even greater than 200GB)
6. Supports IDE, ATA, SATA & SCSI hard disk drives
7. Supports Windows XP, XP+SP2, 2003, 2000, NT, Windows XP Professional x64 Edition (64-bit), Windows Server 2003 x64 Edition (64-bit) Operating Systems, Windows VISTA, Windows VISTA (64-bit) & Windows Server 2008
8. All passwords are reset instantly
9. 100% Money back guarantee
Presented below are a series of screens that show how the product works.
Windows Security
Password Protected Screen Savers
Chapter 13
Windows Screen Savers
Originally, a screensaver was a type of computer program designed to prevent a problem known as "phosphor burn-in" on CRT and plasma computer monitors by blanking the screen or filling it with moving images when the computer was not in use. Today, newer flat panel LCD monitors do not need screensaver protection, but screensavers are actually very useful for security purposes.
(The first screensaver (written for the original IBM PC by John Socha) was published in the December 1983 issue of Softalk magazine. It simply blanked the screen after three minutes of inactivity.)
Today most Windows screen savers can be configured to ask users for a password before permitting the user to resume work. To do this, right-click the Windows Desktop and select Personalize, Screen Saver. Indicate the number of minutes of inactivity desired before the screen saver kicks in, and check the box titled "On Resume, Display Logon Screen".
Now your computer screen will revert to the screen saver and will become locked until the proper password is applied. Of course, if the hacker reboots your computer, they will encounter the Windows logon screen.
Trips to the bathroom do happen, and brief departures from your desk do become extended. For these reasons and many more, it makes good sense to apply a password-protected screen saver to your computer.
There are many great screen savers out there. Windows allows you to turn your photos into a screen saver. PhotoImpression allows you to create a slide show screen saver set to music. There are also many clever screen savers out there like these:
Windows Vista Bubbles
Beaming Cows
Aquariums
Noah's Ark
Fancy Cars
Beautiful Scenery
Exciting
Cute Animals
Sports
Funny
Be careful not to download a screen saver from an untrusted web site; you could be inadvertently downloading a virus, spam, or Trojan horse onto your computer.
Pornography
Chapter 14
If you supply your employees with a computer and Internet access, and they use that equipment to view pornography at work, and other employees see it, are you liable? The answer is yes, you most certainly are liable unless you have taken reasonable measures to protect employees from pornography. Even if litigation is not an issue, pornography can steal employee productivity, and pornographic websites are often a source of spyware, malware and viruses. Presented below is a list of possible measures you should take in your organization to block pornography.
1. Written Policy: Provide all employees with a written policy explaining that accessing or viewing pornography with company computers or company email, or during company hours or company activities, is forbidden. This provides notice. (See the chapter on documents for an example.)
2. Signed Agreement: Ask employees to sign a contract in which they agree not to access or view pornography using company computers or company email, or during company hours or company activities. This may help shield you from liability. (See the chapter on documents for an example.)
3. Require Safe Searches Only: Most search tools such as Google, Yahoo! and MSN provide an option which filters 99.99% of all pornography from the search results. You should require your employees to always leave the Safe Search setting on.
4. Plain View: You might require all employees to always work in plain view of others, with doors opened and computer screens visible to passersby as a deterrent, unless conducting a confidential meeting.
5. Use A Router Based Content Filter: Consider using a router based content filter to block pornography. For example, the ContentProtect Security Appliance monitors everything going in and out on a real time basis. Features include:
a. Dynamic Content Filtering: Identifies and blocks objectionable web material.
b. Bandwidth Management: Monitors bandwidth usage to ensure good performance.
c. Spyware: Tracks spyware to see who's catching it, and neutralizes the threat.
d. Slow Internet: Discover the problem, down to the individual user.
e. Bandwidth Abuse: See who's hogging it, and what they're using it for.
f. Web Activity: See who's visiting what sites when, and what they're doing on them.
g. Peer to Peer: Find out what P2P apps are doing to your network.
h. Instant Messaging: Know who's talking, and what they're saying.
i. Viruses: Prevent viruses, including those in web based emails.
j. Anonymous Proxies: Prevent users from bypassing your filters and safeguards.
6. Check Bread Crumbs: Use the chapter on Bread Crumbs to randomly check employee computers for inappropriate pornographic activity.
7. Monitor Employee E-Mails: By law, companies have the right to read employee emails sent or received on company provided computers or at the company's place of business, even personal emails. You should randomly check emails to give notice to employees that their systems are being checked, and that pornographic activity will not be tolerated.
8. Employee Training: Make employees aware of all aspects related to pornography. For example, simply viewing a pornographic web site even for a moment will leave pornographic images in the browser history files. If just one of those pictures is of an underaged child, then you could be legally charged as a pedophile (I think). (The Child Pornography Prevention Act of 1996 was struck down in 2002 for being overly broad.)
What would a chapter on pornography be without a picture of some naked blonde chicks or a nude thumbnail of Brad Pitt? Here you go:
Naked Blonde Chicks / Nude Thumbnail of Brad Pitt
(Yes, this is a joke) (Yes, I know it's not that funny)
Pornography & Inappropriate Web Access
The 1999 CSI/FBI Computer Crime and Security Survey indicates that ninety-seven percent (97%) of companies report that their employees abused Internet access. According to the Saratoga Institute of Human Resources, more than 60 percent of American company employees have been disciplined and more than 30 percent have been terminated for inappropriate use of the Internet. Common abuses include accessing pornography, chatting online, gaming, investing, or shopping at work. According to some statistics, employees spend more than one hour per workday surfing the Web for personal reasons. The Institute estimates that a company with 1,000 employees who use company Internet access one hour per day for personal surfing can cost a company upwards of $35 million each year in lost productivity.
Recently, higher bandwidth internet activities such as Internet Radio, PointCast, stock tickers, popup ads, music downloads, etc. are eating into corporate bandwidth. This significant increase in traffic can adversely affect other business operations such as e-mail, printing, data saving and retrieval, or operating business applications.
At a minimum, here are some steps that you can take:
1) Establish and publish a written policy that states:
a. The company's access to the Internet and company email should be used in much the same way that the business telephone is used: brief, infrequent personal usage is OK, but is not to be abused.
b. Visiting pornography websites is strictly prohibited.
c. Visiting websites of terrorists, gangs, hate groups, etc. with company equipment is strictly prohibited.
d. Employees should be aware of the Internet's unique ability to distract them from their normal work duties; accordingly, employees should learn to recognize and avoid this problem.
e. Employees are prohibited from playing games on the Internet.
f. Employees are prohibited from downloading any file that is not business related.
g. Employees should use caution when providing company information across the web.
h. Other restrictions you feel are necessary.
2) Consider activating Content Advisor on all employee computers, thereby limiting access to rated pornographic sites.
3) Consider installing a blocking program to block selected sites.
4) Routinely check employee computers at random: history files, email, cookies folder, links, and GIFs.
5) Establish and use email filtering rules to cut down on the amount of junk mail received by employees.
Conclusion
In conclusion, it should be obvious to anyone that the dangers are real: your computer systems are vulnerable in many ways. However, there are also a wide range of well-proven and affordable solutions and reasonable strategies that can help your company minimize your risk.
Sample Contracts and Documents
Chapter 15
Acceptable Use Policy
In the event that an employee uses company computer and communication systems to copy
copyrightedmaterial,accesspornography,copymoney,sendfraudulentcommunications,etc.
your company will be better protected from liability if you have an Acceptable Use Policy
Agreementinplace.Whilethereisnosinglecorrectpolicystatement,theexampledocument
belowreflectstheconceptscoveredinseveralgoodpolicycontracts.Asalways,thisisonlyan
exampleyoushouldseekadviceofcounselbeforeimplementingyourownversion.
The acceptable use policy defines the acceptable use of computer equipment, software,
communications, and equipment as provided by your company. Everyone in the company
should be expected to follow the written policy without exception. The policy should be
providedinwritingtoallemployees,andsignedcopiesofthisagreementshouldbekeptonfile.
So, what defines an Acceptable Use Policy? To provide guidance as to what to place in your
policystatement,letsdefineafewunauthorizedusesforacomputeraccount.
Thelistabovedefineseachofthespecificareasofconcernacompanyusuallyencounters.The
followingtakestheseconcernsandplacestheminanappropriatetextforapolicystatement.
Again, you should review your policies carefully, have them reviewed by legal counsel for
wordingandenforceabilityappropriatetoyourgeographicarea.
Acceptable Use Policy Statement for Example Company
Example Company encourages the sharing of information, comprehensive access to local and national facilities to create and disseminate information, and free expression of ideas. General access facilities and infrastructure are provided to further these purposes. There is an obligation on the part of those using these facilities and services to respect the intellectual and access rights of others locally, nationally and internationally.
Computing resources and facilities of Example Company are the property of the company and shall be used for legitimate activity related to the performance of the duties and responsibilities of the users only, or for administrative, public service, or approved contract purposes. Supervisors may, at their discretion, allow personal use by the employee of these resources that does not interfere with the institution or with the employee's ability to carry out company business. Individuals who disregard elements of this policy will be subject to appropriate disciplinary and/or legal action by Sample Company. Use of company computing facilities for personal or commercial use is not authorized. Use of company computing facilities for educational purposes must be consistent with other training and educational programs. The use of company computing facilities for higher education degree-seeking or certification programs may only be done with the specific written approval of the appropriate supervisor.
Individuals and non-company organizations using the company's facilities to gain access to non-company facilities must be cognizant of and observe the acceptable use policies of the company at all times.
Failure to observe these policies will result in immediate disconnection or loss of use privileges, as well as possible disciplinary action or termination at the discretion of the offending party's supervisor or department head, based on the nature and severity of the offense.
Company Policies
1. Users will not violate copyright laws and their fair use provisions through inappropriate reproduction and/or distribution of music (MP3, etc.), movies, computer software, copyrighted text, images, etc.
2. Users shall not use company computers or network facilities to gain unauthorized access to any computer systems. Using programs intended to gain access to unauthorized systems for any reason or purpose is strictly prohibited.
3. Users shall not connect unauthorized equipment to the company's network, to include hubs, routers, printers or other equipment connected to the company's network directly or via remote attachment.
4. Users shall not make unauthorized attempts to circumvent data protection schemes or uncover security loopholes. This includes creating and/or running programs that are designed to identify security loopholes and/or decrypt intentionally secure data.
5. Users will not associate unapproved domain name sites with a company-owned IP address.
6. Users will not knowingly or carelessly perform an act that will interfere with the normal operation of computers, terminals, peripherals, or networks.
7. Users will not knowingly or carelessly run or install on any computer system or network, or give to another user, a program intended to damage or to place excessive load on a computer system or network. This includes, but is not limited to, programs known as computer viruses, Trojan horses, and worms.
8. Users will refrain from activity that wastes or overloads computing resources. This includes printing too many copies of a document or using excessive bandwidth on the network.
9. Users will not violate terms of applicable software licensing agreements or copyright laws.
10. Users will not use company resources for commercial activity, such as creating products or services for sale.
11. Users will not use electronic mail to harass or threaten others, or to send materials that might be deemed inappropriate, derogatory, prejudicial, or offensive. This includes sending repeated, unwanted e-mail to another user.
13. Users will not initiate, propagate or perpetuate electronic chain letters.
14. Users will not send inappropriate mass mailings not directly associated with, or in the performance of, the routine course of duties or assignments. This includes multiple mailings to newsgroups, mailing lists, or individuals, e.g. "spamming," "flooding," or "bombing."
15. Users will not forge the identity of a user or machine in an electronic communication.
16. Users will not transmit or reproduce materials that are slanderous or defamatory in nature, or that otherwise violate existing laws, regulations, or policies, or which are generally considered to be inappropriate in a workplace.
17. Users will not display images or text that could be considered obscene, lewd, or sexually explicit or harassing in a public computer facility or location that can be in view of others.
18. Users will not attempt to monitor or tamper with another user's electronic communications, or read, copy, change, or delete another user's files or software without the explicit agreement of the owner.
19. Unauthorized viewing or use of another person's computer files, programs, or data is prohibited. All users should also be aware that all programs and all files are deemed to be the property of the company, unless the individual has a written agreement signed by an appropriate representative or officer of the company. Federal or state law may require disclosure of individual computer files which are deemed public records under the state public records statute, and state and federal law may prohibit the disclosure of certain records as well.
20. Entry into a system, including the network system, by individuals not specifically authorized (by group or personally), or attempts to circumvent the protective mechanisms of any system, are prohibited. Deliberate attempts to degrade system performance or capability, or attempts to damage systems, software or intellectual property of others, are prohibited.
21. The electronic mail system shall not be used for "broadcasting" of unsolicited mail or for sending chain letters, and the communication system shall not be used for sending material that reasonably would be considered obscene, offensive, or threatening by the recipient or another viewer of the material.
22. The company reserves the right to monitor and record the usage of all facilities and equipment, and all software which is the property of the company by ownership, lease, rent, sponsorship or subsidy, if it has reason to believe that activities are taking place that are contrary to this policy or state or federal law or regulation, and as necessary to evaluate and maintain system efficiency. The company has the right to use information gained in this way in disciplinary or criminal proceedings.
23. The Federal Copyright Act nearly always protects commercial software. Use of company facilities or equipment for the purpose of copying computer software that does not contain specific permission to copy (some licenses do allow the making of one copy for backup) is prohibited. The unauthorized publishing of copyrighted material on a company server is prohibited, and users are responsible for the consequences of such unauthorized use.
24. An individual's access to computer resources may be suspended immediately upon the discovery of a violation of this policy.
This policy contains the company's complete acceptable use policy and replaces any pre-existing policy issued before Month Day, Year. For questions about this policy, contact Name and Contact Information here.
Failure to comply with any of the above policies may result in termination of your Example Company network services, disciplinary action, and/or criminal prosecution. The company reserves the right to terminate any company network connection without notice if it is determined that any of the above policies are being violated.
Sample E-mail/Internet User Agreement
Employee Agreement:
As part of the Example organization and use of Example's gateway to the Internet and e-mail system, I understand that this e-mail/Internet corporate guideline applies to me. I have read the aforementioned document and agree to follow all policies and procedures that are set forth therein. I further agree to abide by the standards set in the document for the duration of my employment with Example Company. I am aware that violations of this corporate guideline on e-mail/Internet acceptable use may subject me to disciplinary action, up to and including discharge from employment.
I further understand that my communications on the Internet and e-mail reflect Example Company worldwide to our competitors, consumers, customers and suppliers. Furthermore, I understand that this document can be amended at any time.
_______________________________________
Employee Signature                       Date
______________________
Employee Printed Name
______________________
Manager Signature
You should communicate this policy in several ways, including:
1. Online message that appears when the user logs on to e-mail/Internet.
2. Short policy statement regarding e-mail/Internet acceptable use in the employee handbook.
3. Orientation and hiring statement notifying new employees of e-mail/Internet policies.
4. Training sessions on computer and Internet use and e-mail policies. An employee who is told that monitoring will occur may be apprehensive about using the company's e-mail and Internet systems. Training sessions where policies are explained in detail can go a long way in allaying fears.
Sample Privacy Statement
Example Company understands the importance of protecting the privacy of our customers and others who visit our Web site. We consider any personal information you may supply to us to be personal and confidential, and we are committed to using this information solely for the purpose of providing you with superior service and convenient access to the right products and services.
We take our commitment to safeguarding customer information seriously, which is why we have adopted the following principles:
1. Example Company makes every effort to collect, retain, and use customer information only where we believe it is useful (and as allowed by law) in administering Example Company business and to provide products, services, and other opportunities to our customers.
2. Example Company limits employee access to personally identifiable information to those with a business reason for knowing such information. Example Company stresses the importance of confidentiality and customer privacy in the education of its employees. Example Company also takes appropriate disciplinary measures to enforce employee privacy responsibilities.
3. Example Company does not disclose our customers' personal or account information to unaffiliated third parties, except for the transferring of information to reputable credit reporting agencies; or when the information is provided to help complete a customer-initiated transaction; the customer requested the release of the information; or the disclosure is required or allowed by law.
4. Example Company maintains appropriate security standards and procedures regarding unauthorized access to customer information.
5. If Example Company provides personally identifiable information to a third party, we insist that the third party adhere to similar privacy principles that provide for keeping such information confidential.
Company Acceptable Internet Use Policy
If a user violates any of the acceptable use provisions outlined in this document, his/her account will be terminated and future access will be denied. Some violations may also constitute a criminal offense and may result in legal action. Any user violating these provisions or applicable state and federal laws is subject to loss of access privileges and any other Company disciplinary options.
1) Acceptable Use
Must be in support of education and research consistent with company policy and the employee's job description
Must be consistent with the rules appropriate to any network being used/accessed
Unauthorized use of copyrighted material is prohibited
Publishing, downloading or transmitting threatening or obscene material is prohibited
Distribution of material protected by trade secret is prohibited
Use for commercial activities is not acceptable
Product advertisement or political lobbying is prohibited
2) Privileges
Access to the Internet is not a right, but a privilege
Unacceptable usage will result in cancellation of account, and possible disciplinary proceedings
3) Netiquette
Be polite
Do not use vulgar or obscene language
Use caution when revealing your address or phone number (or those of others)
Electronic mail is not guaranteed to be private
Do not intentionally disrupt the network or other users
Abide by generally accepted rules of network etiquette
4) Security
If you identify a security problem, notify a system administrator immediately
Do not show or identify a security problem to others
Do not reveal your account password or allow another person to use your account
Do not use another individual's account
Attempts to log on as another user will result in cancellation of privileges
Any user identified as a security risk or having a history of problems with other computer systems may be denied access
User must notify the system administrator of any change in account information
User may be occasionally required to update registration, password and account information in order to continue Internet access
Company has access to all mail and user access requests, and will monitor messages as necessary to assure efficient performance and appropriate use.
5) Vandalism/Harassment
Vandalism and/or harassment will result in the cancellation of the offending user's account
Vandalism is defined as any malicious attempt to harm or destroy data of another user, the Internet or other networks. This includes, but is not limited to, creating and/or uploading computer viruses
Harassment is defined as the persistent annoyance of another user or the interference in another user's work. This includes, but is not limited to, the sending of unwanted mail
6) Penalties
Any user violating these provisions, applicable state and federal laws or posted company rules is subject to loss of network privileges and any other Company disciplinary options, including criminal prosecution
All terms and conditions as stated in this document are applicable to all users of the network. This policy is intended to be illustrative of the range of acceptable and unacceptable uses of the Internet facilities and is not necessarily exhaustive.
I understand and will abide by the Company Acceptable Internet Use Policy. I further understand that any violation of this Acceptable Internet Use Policy is unethical and may constitute a criminal offense. Should I commit any violation, my access privileges may be revoked, and disciplinary action and/or appropriate legal action may be taken.
User Signature: __________________________________ Date: ________________
Chapter 16
Computer Bread Crumbs
Computer Forensics
It is fairly easy to see what a person has been doing on their computer. Of course there may be serious legal issues related to the inspection of another person's computer, but for purposes of this chapter let us assume that you have the legal right to inspect the computer in question. Whether it is an employee, a child, a spouse or some other person, you can inspect their computer usage a number of ways, as follows:
1. Recent Applications: The Start button in Windows displays recently used applications. Therefore, if an employee has been playing games on the job, you can easily see the application icon displayed in the Program list. For example, the user below has recently launched the FreeCell application.
2. Game High Scores: If an employee denies playing games, you can check the high scores to see if the game has indeed been played. Also, a very high score might tell you that the employee has spent a great deal of time learning to play that particular game. (High scores can usually be reset to defeat this bread crumb.)
3. Search History: Most search tools keep a log of recently searched terms. As shown below, the Google toolbar displays recently searched-for phrases through the simple drop-down arrow. (Search histories can usually be reset to defeat this bread crumb.)
4. Browsing History: In most browsers, you can drill to a cache of browsing history, as shown in the screen below. (In Internet Explorer, choose Tools, Options; as shown below, the Settings and View Files buttons display a list of web site objects (web pages, pictures and objects) that have been viewed.)
The data in this screen is a little cryptic, but you generally can pick out the URLs that have been visited. You can also double-click on any item in the list to display that web page, image or object. If a person has been visiting an inappropriate web site, you can probably see those tracks here. In addition, the browser keeps track of the dates and times these web sites were last visited, providing solid proof as to how a computer was being used during business hours. (Browsing histories can be reset to defeat this bread crumb. Further, the amount of space used for capturing browsing histories can be set to zero in order to prevent this bread crumb.)
5. Cookie History: Many web sites deposit cookies on your computer. Cookies are harder to avoid because many web sites require cookies in order to work properly. Therefore, if a user deletes or blocks cookies from their computer, then they cannot access the web site. The Cookies screen shown below shows that this user has visited the web sites for FedEx, Earthlink, eCost, epinions, Yahoo Finance, and eNews, among others. In addition, the browser keeps track of the dates and times cookies were last updated, providing solid proof as to how a computer was being used during business hours. (Cookies can be erased individually to defeat this bread crumb, but doing so is tedious. The user is not likely to delete all cookies, as some of them are probably important to the accessibility of web sites.)
6. Temporary Internet Files: Most browsers also keep a history of temporary internet files, which makes it much faster for a user to browse backwards to recently displayed web sites using the back button. Temporary Internet Files are like Browsing History files, but they are kept in a separate folder. In Internet Explorer, these files are accessed through the Tools, Options dialog box under Browsing Settings.
(Temporary Internet files can be set to zero days in order to defeat this bread crumb.)
8. Recycle Bin: An employee or child trying to cover their tracks might delete pictures or other files from their computer, but they might not be clever enough to remember to empty their recycle bin. When files are erased in Windows, they are not really erased until the recycle bin is emptied. Therefore, a quick peek at the recycle bin might be very revealing. (This bread crumb can be defeated by emptying the recycle bin.)
9. Password Protected Files: If an employee or child has password-protected files on their computer, you may be able to open them with commonly available hacker tools. This is true particularly for Word and Excel 2003 documents (and earlier). These tools are discussed in the hacking and cracking chapter.
10. Requesting Lost Passwords: In the event that you want to review your child's MySpace or Facebook accounts, and the child refuses to provide you with the proper password, you could attempt to log in to an account, click the forgotten password button, and an e-mail will most likely be sent to that computer enabling you to reset the password.
11. Review Sent and Received E-Mail: Of course it should be obvious that you could review the sent and received e-mail of an employee or child in an effort to identify inappropriate computer usage.
12. Review Deleted E-Mail Folder: Of course an employee or child may be clever enough to delete their inappropriate sent or received e-mail messages; therefore you might want to inspect the Deleted E-mail folder. Like the recycle bin, most deleted e-mails are not actually deleted until the Deleted folder is emptied.
13. Review Junk E-Mail Folder: Of course an employee or child may be smart enough to delete their sent or received e-mail; therefore you might want to scan the deleted e-mail folder. Like the recycle bin, most deleted e-mails are not actually deleted until the Deleted folder is emptied.
14. Use E-Mail Rules to Track Usage: A stronger measure would be to set up e-mail rules on the computer in question. For example, you could set up a rule that forwards a copy of all e-mail to your account, or just those e-mails from certain persons or those that contain certain words. Chances are good that these rules will be undetected by the user.
15. Use E-Mail Server Settings to Track Usage: A better way to track the user's e-mails would be to set up the mail server to forward a copy of all messages, sent or received, to your e-mail address. You might also use a rule on your computer to send these messages automatically to a specified folder.
16. Tools to Help You Track Computer Usage
a. Key Loggers: You could download and install a key logger on the computer in question. This tool would capture all keystrokes typed into the computer and would later allow you to identify passwords used by the user. This is a fairly significant step, but downloading and installing a key logger is relatively easy; it takes about 3 to 5 minutes. KGB (free), ActualSpy ($60), and Family Keylogger (free) are examples of key loggers.
b. Print Monitor Pro (free): Once installed, this tool captures a screenshot of every document printed from the computer and stores those images in a database.
c. Give Me Do (free): This tool captures all visited Web pages and sent and received e-mails, and stores them to a folder of your choice.
d. Desktop Spy (free): Monitors the activity of users on a PC by automatically capturing desktop/active application screenshots and saving them to a specified directory on the hard drive.
e. Hardware Keylogger ($60): A USB device that plugs into a computer and automatically captures all keystrokes entered into the keyboard. Very stealthy.
f. Internet Spy (free): Freeware utility that continuously monitors every Web page accessed on the computer and makes a chronological record of all visited URLs.
g. Evidence Tracker: EvidenceTracker.com "ET" is one of the very first entirely browser-based evidence tracking applications for police and law enforcement agencies. This software is ideal for agencies that track evidence from the point of delivery by an officer until it is ordered to be destroyed. The ET system allows users to track evidence through the entire process and to print out all the necessary reports for internal or court purposes. Tracker Products software is used in a variety of industries including law enforcement, forensic analysis, legal, museums, gaming, construction, manufacturing and hospitals, just to name a few. The system customization feature allows your organization to tailor the software to meet your particular needs. All item entry screens can be modified to collect the information that is important to you. Why settle for a software package that requires expensive customization upgrades? Tracker Products software will work for you!
17. Evidence Blaster ($23): Not to be outdone, Evidence Blaster is a product that deletes all evidence of pornography from your computer.
Microsoft COFEE: Microsoft offers a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes. The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB "thumb drive" that was quietly distributed to a handful of law enforcement agencies in June 2007. The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer. This device eliminates the need to seize a computer, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, investigators can scan for evidence on site. More than 2,000 officers in 15 countries, including Poland, the Philippines, Germany, New Zealand and the United States, are using the device, which Microsoft provides free.
Chapter 17
Computer Disposal
It is estimated that 45 million computers become obsolete each year. This situation creates two problems: protecting information and disposing of your old computers. Most organizations store their old computers, which serve as backup equipment in case newer computers break down. These old computers often sit in storage well beyond their potential useful life. At some point, a decision must be made about disposal of this equipment. Continuing to store it is often not a viable option, because it eventually takes up a considerable amount of space. The least desirable option is to throw old computers in the garbage. Not only are there the potential liabilities and disposal costs imposed by state and federal environmental agencies, there is also the possibility of someone removing hard drives and recovering sensitive data. To combat these problems, you should follow a good disposal strategy.
Computer Disposal Comments
1. Federal Environmental Law: The Resource Conservation and Recovery Act (RCRA) has been updated recently to include guidelines regarding the disposal of computer monitors.
2. Sarbanes-Oxley and HIPAA: Sarbanes-Oxley and HIPAA laws require that all data be properly removed before hard drives are disposed of.
3. Hazardous Materials: Computers contain hazardous materials such as mercury, cadmium (a known carcinogen), and hexavalent chromium (associated with high blood pressure, iron-poor blood, liver disease, and nerve and brain damage in animals).
4. CRT Concerns: Most environmental concerns are associated with monitors. Specifically, a color cathode ray tube (CRT) contains about four to five pounds of lead, which of course is considered hazardous waste according to the EPA.
5. Computers in Landfills Outlawed: California, Massachusetts, and Minnesota have outlawed the disposal of computer waste in landfills.
6. Ponder This: Suppose what might happen if groundwater becomes contaminated and a search for the source finds that your old computer (identified by a control tag or manufacturer's number) has been discarded nearby. You could be subject to potentially costly criminal and civil litigation (i.e., SARA, formerly CERCLA, litigation). This could happen even if the organization had donated the equipment to a charity or paid a company to recycle it.
7. License Considerations: If you donate your computer, you should evaluate software license agreements to determine if they preclude transfer of the software along with the computer.
Computer Disposal Procedures
1. Remove Data and Information: Before disposing of your computers you must remove all information from the computer before giving it away, donating it, throwing it away, or shredding the computer. Simply deleting files does not prevent them from being recovered from the hard drive; sometimes, files can even be retrieved from reformatted drives, depending upon which operating system is used to reformat the hard drive. Here are your legitimate options for removing data:
a. Erase Files: Simply erasing files is not good enough; your data is still there and readable.
b. Reformat Hard Drive: Reformatting the hard drive is not good enough; your data is still there and readable.
c. Hard Drive Eraser Tools: To properly erase a hard drive, you must use a software program designed to clean the hard drive. Here are a few such tools:
1. BCWipe Free
2. DriveScrubber Free
3. Paragon Hard Disk Manager Free
4. Eraser for Windows
5. Darik's Boot & Nuke
6. Active KillDisk Free
7. PC Inspector e-maxx
These tools work using one of the following erasure methods:
i. Quick Erase: Fills the hard drive with 0's.
ii. Gutmann: 27 random-order passes using specific data combined with eight passes using random data. Due to changes in the different data encoding schemes now used by modern hard drives, Gutmann no longer recommends 35 passes. A few random passes should suffice.
iii. American DoD 5220.22-M: A seven-pass wipe using random characters, complements of characters, and random data streams.
iv. Canadian RCMP TSSIT OPS-II: 8 drive-wiping passes with a random byte in the overwrite sequence changed each time.
v. PRNG Stream methods: Overwrites the drive with a stream from a Pseudo-Random Number Generator (PRNG).
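As an added example (not part of the course text or of any of the tools listed), the following Python script applies two of the methods described above to a file's bytes: the Quick Erase zero fill, and a seven-pass sequence built from the DoD 5220.22-M pass types (random character, its complement, random stream), reading each pass back to verify that it actually landed on disk. The seven-pass ordering and the sample file contents are this example's own assumptions.

```python
"""Multi-pass overwrite of one file's bytes, modelled on the erasure methods
listed above: Quick Erase (zero fill) and a seven-pass schedule built from the
DoD 5220.22-M pass types. Added example; not from the course or any listed tool."""
import hashlib
import os
import secrets
import tempfile
from typing import Callable, Dict, List

CHUNK = 64 * 1024  # write in 64 KiB pieces so large files never sit in RAM

# A "pass" is a function that returns the bytes to write for a chunk of n bytes.
PassFn = Callable[[int], bytes]


def const_pass(byte: int) -> PassFn:
    """Overwrite with one repeated byte value (0x00 gives Quick Erase)."""
    return lambda n: bytes([byte]) * n


def complement_pass(byte: int) -> PassFn:
    """Overwrite with the bitwise complement of a byte (the DoD 'complement' pass)."""
    return const_pass(byte ^ 0xFF)


def random_pass() -> PassFn:
    """Overwrite with a cryptographically strong random stream (PRNG stream method)."""
    return lambda n: secrets.token_bytes(n)


def quick_erase_schedule() -> List[PassFn]:
    """Quick Erase as described on the page: a single pass of zeros."""
    return [const_pass(0x00)]


def seven_pass_schedule() -> List[PassFn]:
    """Seven passes using the three DoD 5220.22-M pass types. The ordering
    (char, complement, random, char, complement, random, random) is this
    example's assumption, not an official pass table; the characters are
    drawn fresh for every wipe."""
    c1, c2 = secrets.randbelow(256), secrets.randbelow(256)
    return [const_pass(c1), complement_pass(c1), random_pass(),
            const_pass(c2), complement_pass(c2), random_pass(), random_pass()]


def overwrite_file(path: str, schedule: List[PassFn]) -> int:
    """Run each pass over the whole file in place, fsync it, then read the file
    back and compare a hash of what was read with a hash of what was written.
    Returns the number of passes completed; raises RuntimeError if a pass
    fails to verify."""
    size = os.path.getsize(path)
    for number, make_pattern in enumerate(schedule, start=1):
        written = hashlib.sha256()
        with open(path, "r+b") as fh:
            remaining = size
            while remaining:
                block = make_pattern(min(CHUNK, remaining))
                fh.write(block)
                written.update(block)
                remaining -= len(block)
            fh.flush()
            os.fsync(fh.fileno())  # push the pass through the OS write cache
        read_back = hashlib.sha256()
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                read_back.update(block)
        if read_back.digest() != written.digest():
            raise RuntimeError(f"pass {number} did not verify on read-back")
    return len(schedule)


def demo() -> Dict[str, object]:
    """Constructed sample: fill a temp file with a marker string, wipe it with
    Quick Erase and then the seven-pass schedule, and report what remains."""
    marker = b"CONFIDENTIAL-PAYROLL-2008 "  # constructed sample content
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 4000)             # 104,000 bytes, i.e. several chunks
        path = tmp.name
    try:
        size = os.path.getsize(path)
        result: Dict[str, object] = {"size": size}
        result["quick_passes"] = overwrite_file(path, quick_erase_schedule())
        with open(path, "rb") as fh:
            result["all_zero_after_quick"] = fh.read() == b"\x00" * size
        result["seven_passes"] = overwrite_file(path, seven_pass_schedule())
        with open(path, "rb") as fh:
            final = fh.read()
        result["marker_gone"] = marker not in final
        result["size_unchanged"] = len(final) == size
    finally:
        os.remove(path)
    return result


if __name__ == "__main__":
    print(demo())
```

On SSDs, journaling and copy-on-write file systems, an in-place file overwrite does not guarantee that the old blocks are unreachable, which is why the whole-drive tools listed above (or a drive's built-in secure-erase command) are the route to use before disposal.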
2. Tagging: In larger organizations, computer equipment that is not likely to be used again should be tagged for disposal, and disposed of in bulk each year.
3. Remove Company IDs: You should consider removing all company insignia and inventory control tags from computers to be disposed of. This step might hamper hackers from identifying which company any recovered information belongs to, or might prevent liability in the event that the computer's new owner throws it in a landfill.
4. Keep the Hard Drives: Some companies find it easiest to simply remove the hard drives and keep them in storage forever rather than going through the trouble of removing files. They are easy to remove and small enough to keep. Also, this may act as a rudimentary backup measure.
If you do follow this procedure, it might be helpful to notate on each hard drive the size, date, and a brief description of the contents of the hard drive before storing.
a. Apple recycling program
b. Dell recycling program
c. Epson recycling program
d. Gateway recycling program
e. Hewlett-Packard recycling program
f. IBM/Lenovo recycling program
g. Lexmark recycling program
h. NEC recycling program
6. Recycling Companies: Below is a short list of some of the major recycling companies capable of recycling computers.
a. ETech Recycling (http://www.etechrecycling.com/)
b. Genesis Recycling (http://genesisrecycling.ca/)
c. IBM PC Recycling (http://www.ibm.com/ibm/environment/products)
d. Intercon Solutions (http://www.interconrecycling.com/)
e. Back Thru the Future, Inc. (http://www.backthruthefuture.com)
f. Envirocycle Inc. (http://www.enviroinc.com)
g. Total Reclaim (http://www.totalreclaim.com/)
h. United Recycling Industries (http://www.unitedrecycling.com)
i. National Revitalization Services (http://www.natrs.com/)
j. Share The Technology (http://sharetechnology.org)
k. National Cristina Foundation (http://www.cristina.org)
l. Recycles.org (http://www.recycles.org/)
m. CompuMentor (http://www.compumentor.org/)
n. Reboot Canada (http://www.reboot.on.ca)
o. RECONNECT (http://www.reconnectpartnership.com/)
p. Battery Solutions (http://www.batteryrecycling.com)
q. RBRC (http://www.rbrc.com)
r. GNB (http://www.gnb.com)
8. Maintain Records: Ask your recycling company to provide written documentation of the proper disposal of computer equipment. If a recycling company cannot or will not provide such documentation, this could be a sign that it is not a reputable company. Finally, a written record of all disposed-of computers should track the serial number, description, method of disposal, and date of disposal. This information should be kept with all other documentation regarding computer disposal.
Chapter 18
Backup Strategy
Introduction to Backup Strategy
A computer backup is like insurance: you sincerely hope that the effort and money invested in both your insurance and backups are completely wasted. However, in the event that the worst-case scenario does occur, you will be glad that you had insurance and backups. One of the most important aspects of an information security strategy is to create regular backups of computer data and applications. Given our tendency to focus on more fashionable security systems such as firewalls, intrusion detection and prevention, and anti-virus and anti-SPAM solutions, just where does data backup fit in an effective information security strategy? Quite simply, routine backup may be the most important element of all, because if these other systems and strategies fail to protect our data, backup remains our last bastion of defense.
Data backup is an essential element of any internal control system and disaster recovery plan. This chapter covers backup planning and processes, issues to be considered in implementing a backup plan, and backup media from streaming tape, CD, DVD, external hard disks, and network attached storage, to online backup.
Data Organization
1. One Computer Situation: In the case of one computer system, all data should be organized under the same folder, such as a DATA folder or the My Documents folder.
2. File Server Situation: In the case of multiple computers where a file server is present, all data should be saved to the file server, once again under the same folder, such as a DATA folder or the My Documents folder.
3. Peer to Peer Situation: Where there are multiple computers but no file server, you should designate one of the computers to act as the file server, preferably the one that has the biggest hard drive and best performance, and is rebooted less frequently.
How your data is organized on your hard disk (the folder or directory structure) can play a significant role in the backup process. Data that is stored in a single folder or set of subfolders within a single parent folder is much easier to back up than a folder structure that stores data in numerous locations scattered across multiple folders. Microsoft applications, including Microsoft Office Small Business Accounting, routinely store all data in a folder or set of folders within a single parent named My Documents. This makes it easy to create a backup plan because all data is stored in a single location. Another critical factor is how often the data changes.
You should further organize your data under the DATA folder (or whichever folder you choose for your data) with subfolders. The particular subfolder strategy you use depends upon your situation. If you have 50 large customers, you might set up a new folder for each customer. However, the approach I like best is to set up a new folder for each year, as follows:
This approach will make it easier to locate and find data, and more importantly, this approach will help you design a backup strategy that backs up your current folder more frequently than other folders.
Identify Data to be Backed Up

Most people seek to back up their data only, but the reality is that for each computer, you should back up your entire computer with all applications. Therefore the question as to which data should be backed up is easily answered: back up all of your computers in their entirety.
When to Back Up

Data that changes frequently needs to be backed up frequently. Data that changes less frequently can be backed up less often. Since operating systems and applications do not change very often, full backups can be made less frequently. Therefore you might establish a time frame for conducting your various backups as follows:

Type of Files                              Backup Frequency
2008 Data Files (Word, Excel, etc.)        Daily
E-Mail Files                               Daily
Entire Computer with all Applications      Monthly

You should also coordinate your backup procedures with your business processes. End of month and end of year backups should coincide with the completion of write-up, adjustment, closing, and financial statement preparation processes performed by your accountant. That way your final backups will include and preserve accurate financial information.
Backup Methods

There are three types of backups generally used by small businesses to protect their mission critical data. The types of backup available are dependent upon the backup software used. The commonly used backup types are:

Full Backup: A procedure that backs up all files stored on a system, including the operating system and applications.

Differential Backup: A procedure that backs up all files that have been added or changed since the last full backup.

Incremental Backup: A procedure that backs up all files that have been added or changed since the last backup, regardless of whether the backup was full or incremental.

Nearly everyone understands the meaning of a full backup. The difference between a differential backup and an incremental backup requires elaboration. A differential backup is a cumulative backup. It contains all files that have been added or changed since the last full backup. An incremental backup is not cumulative. Each incremental backup only contains the files that have been added or changed since the last incremental backup.
Let's examine two examples to understand the difference between an incremental backup and a differential backup. ABC Company produces a full backup at the close of business each Friday. An incremental backup is produced at the close of each workday, Monday through Thursday. ABC suffers a catastrophic failure of its primary server on Thursday. In order to fully recover all of their data, ABC must restore the last full backup and each of the incremental backups performed since the last full backup.

Alternatively, ABC produces a full backup each Friday and performs a differential backup each day. To recover all of their data in this circumstance, ABC must restore the last full backup and the last differential backup only. That's because a differential backup contains a cumulative backup of every file added or changed since the last full backup.

The difference between an incremental backup and a differential backup also has implications for restoring single or multiple corrupted files. A differential backup contains all files that have been added or changed since the last full backup. In order to restore a file that has become corrupted in use, just restore the file from the latest differential backup. If incremental backups were used, each backup would have to be examined in order to determine the latest version of the file in question, because the latest version of a file could be on any one of the incremental backups.

Conclusion: You should probably never use the incremental backup option, as it does not save much backup time and a restoration would be very complicated. The full backup or differential backup options make the most sense.
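The ABC Company scenario can be worked through in code. The following Python script is an added example, not part of the course text: it simulates one week of backups under both strategies using a constructed set of file changes, then computes which backup sets a full restore must read and which backup holds the newest copy of a single file.

```python
# Added example: simulates ABC Company's backup week under the two strategies
# described above. The file list and the daily changes are constructed sample
# data, not anything from the course text.

# State of the DATA folder when Friday's full backup is taken: path -> version.
STATE_FRIDAY = {"ledger.xls": "v1", "memo.doc": "v1", "payroll.xls": "v1"}

# What changed on each following workday (new files appear here too).
CHANGES = [
    ("Mon", {"ledger.xls": "v2"}),
    ("Tue", {"memo.doc": "v2", "notes.txt": "v1"}),   # notes.txt is newly added
    ("Wed", {"ledger.xls": "v3"}),
    ("Thu", {"payroll.xls": "v2"}),
]


def run_week(strategy):
    """Return (backups, final_state). Each backup is (label, kind, contents).

    strategy is "differential" (reference = last full backup) or
    "incremental" (reference = whatever backup ran the day before).
    """
    current = dict(STATE_FRIDAY)
    backups = [("Fri", "full", dict(current))]
    baseline = dict(current)      # what the last full backup captured
    previous = dict(current)      # what the most recent backup of any kind saw
    for day, changed in CHANGES:
        current.update(changed)
        reference = baseline if strategy == "differential" else previous
        contents = {p: v for p, v in current.items() if reference.get(p) != v}
        backups.append((day, strategy, contents))
        previous = dict(current)
    return backups, current


def restore_chain(backups):
    """Backup sets that must be read to rebuild the system after a crash."""
    full_idx = max(i for i, b in enumerate(backups) if b[1] == "full")
    tail = backups[full_idx:]
    if len(tail) > 1 and tail[-1][1] == "differential":
        return [tail[0], tail[-1]]          # full + latest differential only
    return tail                             # full + every incremental since


def restore(backups):
    """Apply the restore chain in order and return the rebuilt state."""
    state = {}
    for _, _, contents in restore_chain(backups):
        state.update(contents)
    return state


def locate_file(backups, path):
    """Label of the newest backup holding `path` (what a single-file restore must find)."""
    for label, _, contents in reversed(backups):
        if path in contents:
            return label
    return None


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        backups, _ = run_week(strategy)
        chain = [b[0] for b in restore_chain(backups)]
        print(f"{strategy}: restore reads {chain}; "
              f"memo.doc found on {locate_file(backups, 'memo.doc')}")
```

Running it shows the point of the Conclusion above: the incremental week needs all five sets read back in order, while the differential week needs only Friday's full backup plus Thursday's differential, and the newest copy of any file is always on the latest differential.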
Selecting the Right Media

Your backup media options are as follows:

1. Streaming Tape Cartridge
2. CDs
3. DVDs
4. USB Thumb Drive
5. SD Cards
6. External Hard Drives
7. Server Based Storage
8. Network Attached Storage
9. Online backup

Note that 1.44 MB diskettes are not included in the list. The size of today's databases and the limited capacity of diskettes render them less suitable for use as backup media. These options are discussed below:

need to purchase a tape recording device as well, such as the Dell PowerVault backup device. This option is designed to archive mission critical data in an enterprise environment. Shown below are examples of Dell's PowerVault options:

These units start at $165 and ramp up to capture 102 Terabytes.

The problem with using CDs is they are very slow, but might represent a good media for backing up the current data folder.

3. DVDs: DVD technology and reliability are similar to CDs, but each DVD can hold 4.7 GB of data on a single layer disk and nearly double that on a double layer disk. If you have large amounts of data to back up, then DVDs may be a better solution.
4. USB Thumb Drives: Today's thumb drives are large, fast and inexpensive. They are larger than CDs, far faster than CDs, and they are more easily reused.

5. SD Cards: SD cards and similar media work well, but they are more costly than thumb drives. Further, every computer, including laptops, has USB ports, but not necessarily an SD Card port. Therefore USB thumb drives are considered to be the better solution compared to SD cards.

6. External Hard Drives: External hard disks are becoming increasingly popular for primary storage and for data backup. Units are currently priced from $49 and accommodate up to 4 terabytes of data. Examples follow:
USB External Hard Drive examples (device images not reproduced):

   Buffalo DriveStation Quattro TurboUSB HDQS4.0TSU2/R5 Hard drive array, 4 TB, 4 bays (SATA-150), 4 x HD 1 TB, Hi-Speed USB, Serial ATA-150 (external): $1,950
   G-Tech G-RAID mini Hard drive array, 500 GB, 2 bays (SATA-300), 2 x HD 250 GB, FireWire 800, Hi-Speed USB, FireWire 400 (external): $980
   Iomega UltraMax Pro Desktop Hard drive array, 1.5 TB, 2 bays, 2 x HD 750 GB, Hi-Speed USB, Serial ATA-300 (external): $510
   Iomega UltraMax Pro Desktop Hard Drive hard drive array, 1.5 TB, 2 bays, 2 x HD 750 GB, Hi-Speed USB, Serial ATA-300 (external): $375
   LaCie d2 Quadra Hard Disk 500 GB FireWire/FireWire 800, Hard drive 500 GB external, FireWire/FireWire 800/Hi-Speed USB/eSATA-300, 7200 rpm, buffer: 16 MB: $165

These devices support the higher transfer rates of USB 2.0. These units are also true plug-n-play if Windows XP or Windows Vista is installed (there are no drivers to install; just plug it in and go). The external hard disk will automatically appear in My Computer.
7. Network Attached Storage (NAS): Network Attached Storage (NAS) can be used for backup in the same way as server based storage. Up until recently, NAS was relatively expensive for small businesses. In the past year, several vendors have modified their external hard drive products to include an Ethernet port for direct connection to a local area network. The storage is accessible as a mapped drive from any workstation desktop on your network, very similar to the way a user would attach to a network server. Examples follow:

NAS examples (device images not reproduced):

   IBM TotalStorage DS4800 Model 82 hard drive array: $39,700
   Intel Entry Storage System SS4000-E, 2 TB. The SS4000-E can connect to a Gigabit Ethernet network and support up to four Serial Advanced Technology Attachment (SATA) hard disks: $418
   Unibrain FireNAS 2U, Network Attached Storage server. Hot-swap drives, and RAID protection. 12.0 TB (12,000 GB) of storage managed by a Windows Storage Server 2003 R2. Easy installation with plug-n-play connectivity: $10,000
   FireDisk 800s: 500 GB hard drive: $270
8. Online Backup: The latest innovation in backup media is network based online backup. Online backup is similar in operation to a file server or NAS, but the file transfer speed is limited to the speed of your Internet connection. A typical DSL connection will have about 1/100 of the throughput of a LAN. That means that backup times will be considerably longer using online backup than backing up to a file server or NAS. Because of the slow transfer speeds, online backup is not well suited for full system backups, but is an excellent choice for financial data and documents. The chief advantages of online backup are:

a. The backup is stored offsite
b. The storage location is professionally managed and backed up
c. The process is convenient because users do not have to deal with handling, storing, or administering backup media

Prices range from as little as $10 per month for 4 GB of managed backup storage space. Plans typically include a backup application to schedule periodic backups from your desktop.

As an example, consider Carbonite:

For just $50 per year, Carbonite will back up all of your data. Just click on the files or folders you want to back up, and Carbonite will work in the background to keep your data in sync on a real time basis. However, I tried Carbonite with a cable connection to the Internet, and after 46 days, Carbonite still had not backed up my entire 53 GB of data. Therefore I can conclude that Carbonite is great for backing up your current data folder, but not your entire computer system. Following is an example screen that shows how Carbonite works:
Advantages of Each Backup Media Type

(Comparison table; only the headings survived extraction. Columns: Tape, CD/DVD, USB Thumb, External Disk, NAS, Online. Rows: Suitability for Backing Up: Data Only, Full System; Backup Speed; Restoration Speed: Full Restore, Limited or Single File; Portability; Suitability for Archiving.)
Xcentric Online Backup

In 2008 I tested numerous backup solutions including Carbonite, QuickBooks Online Backup, eBackups, and Xcentric. My objective was to find an inexpensive online backup system that I was happy with for my own use, and then recommend to attendees of the security course. The solution that I have been most pleased with is Xcentric Online Backup. Here's why:

1. Completely automates the backup process.
2. Up to 2 terabytes per day
3. About $2.50 per gigabyte per month (Free 30 day trial available)
4. 128-bit encryption
5. No tapes, no hardware
6. Eliminates risk of tapes being corrupted, misplaced, damaged, or stolen.
7. Uses state of the art backup, security, and data center technologies.
8. Backups are fully offsite.
9. Open file backup: if needed, you can restore data immediately, even a single file.
10. No equipment to buy
11. Simple 15 minute setup
12. Daily email reporting: reports are emailed to you each day to acknowledge the success of your backups. This report also shows data backup size, remaining quota, retention copies, upload volumes, and other key information.
13. Web based management
14. Up to 8:1 compression

Xcentric Contact Info:
Xcentric (Jason Hand), 3015 Windward Plaza, Suite 500, Alpharetta, GA 30005, 678-297-0066 ext. 514
Backup Rotation Scheme

If you constantly back up your data by overwriting your previous backups, you are vulnerable in the event that your computer crashes during the backup process. You will be left with nothing. For this reason, a backup rotation scheme must be chosen to facilitate efficient and effective backup of your mission critical data. There are several acceptable rotation schemes from which to choose. Among them are Grandfather-Father-Son (GFS) and Tower of Hanoi.2

Grandfather-Father-Son is the most widely used and easiest to understand media rotation scheme. An incremental or differential backup is made each day with a full backup made at the end of each week and the end of each month. A three week version history is preferred by information security professionals. That means that daily backups are not overwritten for three weeks.

Let's examine a practical example. ABC Company is open for business five days per week, Monday through Friday. ABC uses streaming tape with GFS and a three week version history. It requires 12 (4 days x 3 weeks) daily tapes, up to 5 weekly tapes, 12 monthly tapes, and one annual tape for a total of 30 tapes. The daily tapes are labeled D1 through D12, the weekly tapes are labeled W1 through W5, and the monthly tapes are labeled M1 through M12.

The tape rotation scheme for ABC Company is illustrated in Figure 1. Notice that Tape D1 is not reused until the first day of the fourth week in the rotation, in this case May 22nd. Tape W1 is not reused until the following month, in this case on June 2nd.
May - June 2006

   Mon             Tue             Wed             Thu             Fri
    1  Tape D-1     2  Tape D-2     3  Tape D-3     4  Tape D-4     5  Tape W-1
    8  Tape D-5     9  Tape D-6    10  Tape D-7    11  Tape D-8    12  Tape W-2
   15  Tape D-9    16  Tape D-10   17  Tape D-11   18  Tape D-12   19  Tape W-3
   22  Tape D-1    23  Tape D-2    24  Tape D-3    25  Tape D-4    26  Tape W-4
   29  Tape D-5    30  Tape D-6    31  Tape M-1     1  Tape D-8     2  Tape W-1

Figure 1: Monthly Grandfather-Father-Son Tape Rotation Scheme
The monthly tapes, such as Tape M1 used on May 31st, are taken out of the rotation and are never reused until the following year. As can be seen from this example, a three week version history means that three weeks of daily backups are produced before any tapes are overwritten.

If the Grandfather-Father-Son rotation scheme is used, here are some simple rules to make sure that your mission critical data is fully protected.

1. The daily backups should not be overwritten for a period of at least three weeks.
2. The weekly full backups should not be overwritten for at least one month.
3. The monthly full backups should be maintained and not overwritten for at least one year.
4. The annual full backup should be maintained for at least seven years, or as mandated by local regulatory requirements. Annual backups should be catalogued and maintained off site in a data vault or a fire and waterproof safe deposit box. Duplicate copies should be maintained at different offsite locations.
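The GFS labeling in Figure 1 can be generated rather than drawn by hand, which also makes it easy to check the rules above (for instance, how many days pass before a daily tape is overwritten). The Python script below is an added example and not part of the course text. Its assumptions are mine: the daily counter still advances on a month-end weekday even though the monthly tape is written instead (which is why Figure 1 goes from D-6 to D-8), weekly tapes are numbered by the Friday's position within the month, monthly tapes are numbered in order from the start date, and the annual tape is not modeled.

```python
# Added example: generates the tape labels of Figure 1 for any date range.
# Assumptions (mine, not stated in the text): the daily counter still advances
# on a month-end day even though the monthly tape is written instead (that is
# why Figure 1 skips D-7), weekly tapes are numbered by the Friday's ordinal
# within the month, and monthly tapes are numbered in order from the start date.
from datetime import date, timedelta

DAILY_TAPES = 12   # 4 weekday slots x 3-week version history


def is_business_day(d):
    return d.weekday() < 5          # Monday=0 .. Friday=4


def last_business_day_of_month(d):
    first_of_next = (d.replace(day=28) + timedelta(days=4)).replace(day=1)
    last = first_of_next - timedelta(days=1)
    while not is_business_day(last):
        last -= timedelta(days=1)
    return last


def gfs_schedule(start, end):
    """Map each business day in [start, end] to the tape written that evening."""
    schedule = {}
    daily_index = 0
    monthly_index = 0
    d = start
    while d <= end:
        if is_business_day(d):
            if d == last_business_day_of_month(d):
                monthly_index += 1
                label = f"M-{monthly_index}"
                if d.weekday() < 4:
                    daily_index += 1       # slot consumed, no daily tape written
            elif d.weekday() == 4:
                label = f"W-{(d.day - 1) // 7 + 1}"
            else:
                daily_index += 1
                label = f"D-{(daily_index - 1) % DAILY_TAPES + 1}"
            schedule[d] = label
        d += timedelta(days=1)
    return schedule


def tapes_required(schedule):
    """Distinct tapes the rotation consumes over the period."""
    return sorted(set(schedule.values()))


def reuse_dates(schedule, label):
    """Every date a given tape is written; the gap between them is its version history."""
    return [d for d, tape in schedule.items() if tape == label]


def example_schedule():
    """Figure 1's period (May 1 to June 2, 2006), keyed by ISO date string."""
    sched = gfs_schedule(date(2006, 5, 1), date(2006, 6, 2))
    return {d.isoformat(): label for d, label in sched.items()}


if __name__ == "__main__":
    sched = gfs_schedule(date(2006, 5, 1), date(2006, 6, 2))
    for d in reuse_dates(sched, "D-1"):
        print("D-1 written on", d)         # May 1 and May 22: three weeks apart
    print("tapes used:", tapes_required(sched))
```

Running it over May 1 to June 2, 2006 reproduces every label in Figure 1 and shows that D-1 is written on May 1 and again on May 22, so rule 1 (three weeks before a daily tape is overwritten) is met exactly by the 12-tape pool.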
Backup Archive

Regardless of your backup methods used, you should end the year with a complete snapshot of all computers as of the end of each month or each quarter. This archive should be maintained offsite. If you are using tapes, then you should be able to produce 12 tapes, each representing all computers as of the end of each month or each quarter. If you are using CDs or DVDs, then you should be able to produce 12 sets of CDs or DVDs representing computer systems as of the end of each month or each quarter. If you are using hard drives, then you should have 12 folders representing snapshots of each computer every month or for every quarter. Here is an example of what the final product should look like.
Other Backup Considerations

Redundant backups can be a useful technique. In other words, data could be backed up daily to a separate hard disk, file server, or NAS, as well as to permanent storage, such as CD-R or DVD. Having the same backup data stored in multiple locations provides an additional level of safety through redundancy. The greatest advantage of this technique is realized when it becomes necessary to recover a single corrupted file. Daily data backups stored on high-speed media with ready accessibility provide users with the ability to restore important files on the fly, without the hassle of finding and loading the latest backup media. This is especially useful in situations where backup media are taken offsite for storage. Daily backups to hard disk, a file server, or NAS should not be used alone. Make sure to back up to permanent media and store the backups offsite for maximum protection.

Offsite storage of backup media provides the greatest protection against unanticipated disasters. If your office is flooded or burns, any backup media stored in your office is likely to be destroyed or rendered unusable. Storing backups in the same location as live data does not provide sufficient protection from data loss when disaster strikes. Backup media should be stored offsite. Small businesses typically store backups at the home of the owner or a trusted employee. A better practice would be to store your backup media in a fire and waterproof safe deposit box at your local bank.

Every business should develop a data retention policy as part of its backup plan. Governmental entities and taxing authorities regulate the retention of certain types of data. The Internal Revenue Service requires that financial and tax records be maintained for seven years. Employee payroll, benefits, and HR records should be maintained from three to seven years. Other federal agencies and some states require longer data retention periods. Your data backup plan should accommodate the regulatory framework imposed in your business location. At a minimum, long term archive media should be generated for month-end, quarter-end, and year-end financial records. At least two copies of each archive media should be maintained, and the copies should be stored in different physical locations. Natural disaster, mishandling of media, storage in inappropriate environmental conditions, or misplacement of a single copy of critical data archives can put a company at risk.

The data backup process is fraught with potential problems that could render your backups unusable or incomplete. Media could be damaged, backup equipment may not be properly maintained, or a defined backup routine may not include a newly installed hard disk. Whatever the reason, backup is not successful unless you can get your data back!3 The SANS Institute reports that one of the worst security mistakes made by IT professionals is their failure to maintain and test data backups.4 Test the integrity of your backup process by doing trial restores on a regular basis. Only then can you be confident that your backups will function in the event of hardware failure, data corruption, or natural disaster.
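A trial restore is only conclusive if you can tell a complete restore from a silently damaged one. One way to do that, shown here as an added example that is not part of the course text, is to record a SHA-256 manifest of the DATA folder when the backup is made and compare every restored file against it. The folder contents, file names and the simulated media damage in the script are constructed sample data.

```python
# Added example: a trial-restore check. A SHA-256 manifest is recorded when
# the backup is made; the restore is verified against it. The DATA folder
# contents below are constructed sample data.
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Relative path -> SHA-256 hex digest for every file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            manifest[p.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a trial restore against the manifest taken at backup time.

    Returns a sorted list of (problem, relative_path); an empty list means
    every file came back byte-for-byte and nothing extra appeared.
    """
    restored = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(("missing", rel))
        elif restored[rel] != digest:
            problems.append(("corrupt", rel))
    for rel in restored:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return sorted(problems)


def demo():
    """Back up a small DATA folder, restore it, then damage the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "DATA"
        (src / "2008").mkdir(parents=True)
        (src / "2008" / "ledger.xls").write_bytes(b"ledger contents v3")
        (src / "2008" / "memo.doc").write_bytes(b"memo contents v2")
        (src / "readme.txt").write_bytes(b"keep me")
        manifest = build_manifest(src)          # keep this alongside the backup

        backup = Path(tmp) / "backup_media"
        shutil.copytree(src, backup)
        restored = Path(tmp) / "trial_restore"
        shutil.copytree(backup, restored)
        clean = verify_restore(manifest, restored)   # expected: []

        # Simulate damaged media: one file truncated, one never copied.
        (restored / "2008" / "ledger.xls").write_bytes(b"ledger contents")
        (restored / "readme.txt").unlink()
        return clean, verify_restore(manifest, restored)


if __name__ == "__main__":
    before, after = demo()
    print("clean restore problems:", before)
    print("damaged restore problems:", after)
```

The manifest should be stored with the backup media and a second copy kept with the offsite archive, so that a restore performed years later can still be checked against what was actually written.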
Computer Viruses
Chapter 19

Computer Viruses
In 1986, there was only one known computer virus. By 1989 there were six and in 1990 there were 80 confirmed computer viruses. In a press release issued in June of 1999, Adam Harriss and Catherine Huneke of Computer Economics, Inc., a research firm in Carlsbad, California, stated, "The economic impact of virus and worm attacks on information systems has increased significantly this year, with businesses losing a total of $7.6 billion in the first two quarters of 1999 as a result of disabled computers." Other surveys suggest that throughout the world, more than 60% of all companies are hit by at least one virus each year; that number is greater than 70% in the United States. Today, between 10 to 15 new viruses appear every day costing an estimated 55 billion dollars in damages (according to antivirus company Trend Micro Incorporated). Some estimates are far higher.

Viruses come in many forms and with many different problems attached to each kind. Some viruses are designed to mess up your entire computer and destroy all data; others are made just to show you unwanted advertisements every once in a while. Either way, they shouldn't be on your computer and can be removed by you manually or by virus removal software. The most common types of computer viruses and what they can do to you or your computer are as follows:

1. The Worm Virus: This type of virus can duplicate itself and it will use the email addresses from your address book, and send itself to those people. This means your friends' and family's computers could even become infected with this virus.
2. The Trojan Virus: This is a sneaky virus which disguises itself as a program that provides a legitimate function. But really it is a virus that will damage your computer or steal personal information like passwords.
3. The Backdoor Trojan Virus: If your computer was infected with it, someone could take control of your computer through your network or the internet.
4. File Virus: File viruses can attach to real software, so that whenever you use the software, it will load into your memory and infect other files that are associated with that program. That means that the most important documents and data could be destroyed by one simple click.
5. Adware and Spyware: Adware is basically just advertisements that are saved on your computer, and show themselves sometimes in a random popup or when you type in a web address that is incorrect. Spyware is actually the worst of the two because spyware can log your every keystroke, record every website you go to, and report your statistics back to an individual or company.
Important Virus Tips

To recover from a computer freezing virus, you should take these steps:

1. Make a backup copy of your hard drive's data every week.
2. Back up your BIOS every time you change it or a part on your computer.
3. Run virus protection software.

Viruses are a fact of life that we all must contend with. Luckily, virus protection technology has never been better, and there are dozens of such products to choose from. Presented below is a listing of ten of the best antivirus products on the market, followed by a brief description of 3 of the most recommended solutions.

1. BitDefender 24.95
2. CA 39.99
4. The Shield Deluxe 29.99
5. Panda 39.95
6. Trend Micro 39.95
7. McAfee 39.99
8. NOD32 39.99
9. Norton 39.99
10. Kaspersky 59.95

The Shield Deluxe 2008 is a rather simple to use antivirus software and antispyware program. It is relatively painless to download, install and use.
The Shield Deluxe antivirus software comes with an installation utility that detects remnants of previously installed antivirus software, weeding them out before the download begins. The Shield Deluxe 2008 has automatic updates and weekly virus scans are all prescheduled. It is Vista Compatible and you can use this Special 20% Off Coupon PCSS20 (Apply Coupon in shopping cart).
Free AntiVirus Programs

AVG is one of the most often recommended freeware antivirus packages. While Grisoft offers a paid version, there is a freeware version of the virus protection on the website. It only offers virus protection (no antispam, antispyware or firewall) but is said to be very effective at that task. Highly recommended, but you'll need to add spyware protection separately. There is a free AVG AntiSpyware add-on, but it doesn't do automatic updates, so unless you are diligent to keep it updated, I'd recommend against it.

Avast! is another freebie antivirus program with basic features, and ease of use. It is updated regularly, also highly recommended. But again, it offers only antivirus protection, unless you pay for the Avast Professional version.

Avira AntiVir Free Antivirus program, which offers: Extensive Malware Recognition of viruses, Trojans, backdoor programs, worms, etc. Automatic incremental updates of antivirus signatures, engine and entire software. Permanent virus protection, with Virus Guard real-time monitoring. Install and configuration in just a couple of steps. Virus protection against known and unknown threats, using an advanced heuristic system. Scheduler where you can set the scanner to make automatic virus scans or updates on your system. Forum and phone support, Knowledge Base with virus descriptions available on website. Vista Support. Rootkit Detection and Removal. Version 8 adds an enhanced interface, a modularized AV search engine for improved scan performance, and a failsafe security system.
Phishing
Chapter 20

Phishing
Phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay, PayPal and online banks are common targets. Phishing is typically carried out by email or instant messaging, and often directs users to enter details at a website, although phone contact has also been used. Phishing is an example of social engineering techniques used to fool users.

In 2007 phishing attacks escalated as 3.6 million adults lost $3.2 billion in the 12 months ending in August 2007, up from 1.2 million computer users and an estimated $2 billion between May 2004 and May 2005.

The first recorded use of the term "phishing" was made in 1996 and alludes to the use of increasingly sophisticated baits used in the hope of a "catch" of financial information and passwords.

A phishing technique was described in detail as early as 1987, in a paper and presentation delivered to the International HP Users Group, Interex, in which phishing on AOL was closely associated with the warez community that exchanged pirated software. Those who would later phish on AOL during the 1990s originally used fake, algorithmically generated credit card numbers to create accounts on AOL, which could last weeks or possibly months. After AOL brought in measures in late 1995 to prevent this, early AOL crackers resorted to phishing for legitimate accounts.

Transition To Financial Institutions

The capture of AOL account information may have led phishers to misuse credit card information, and to the realization that attacks against online payment systems were feasible. The first known direct attempt against a payment system affected E-gold in June 2001, which was followed up by a "post-911 id check" shortly after the September 11 attacks on the World Trade Center. Both were viewed at the time as failures, but can now be seen as early experiments towards more fruitful attacks against mainstream banks. By 2004, phishing was recognized as a fully industrialized part of the economy of crime: specializations emerged on a global scale that provided components for cash, which were assembled into finished attacks.
Recent Phishing Attempts

A chart showing the increase in phishing reports from October 2004 to June 2005. More recent phishing attempts have targeted the customers of banks and online payment services. Emails, supposedly from the Internal Revenue Service, have also been used to glean sensitive data from U.S. taxpayers. Targeted versions of phishing have been termed "spear phishing".

Social networking sites are also a target of phishing, since the personal details in such sites can be used in identity theft; in late 2006 a computer worm took over pages on MySpace and altered links to direct surfers to websites designed to steal login details. Experiments show a success rate of over 70% for phishing attacks on social networks.

Almost half of phishing thefts in 2006 were committed by groups operating through the Russian Business Network based in St. Petersburg.

Phishing Techniques
1. Link manipulation: Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. Another common trick is to make the anchor text for a link appear to be valid, when the link actually goes to the phishers' site.

An old method of spoofing used links containing the '@' symbol, originally intended as a way to include a username and password. For example, the link http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied. Such URLs were disabled in Internet Explorer, while Mozilla and Opera present a warning message and give the option of continuing to the site or cancelling.

A further problem with URLs has been found in the handling of Internationalized domain names (IDN) in web browsers, that might allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing or a homograph attack, no known phishing attacks have yet taken advantage of it.
2. Filter Evasion: Phishers have used images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing emails.

3. Website Forgery: Once the victim visits the website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.

An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.

A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture login details entered at the fake site.

To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash-based websites. These look much like the real website, but hide the text in a multimedia object.

4. Phone Phishing: Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller ID data to give the appearance that calls come from a trusted organization.

5. Paypal Phishing Example: As an example, the phishing email shown below targeted PayPal users. Spelling mistakes in the email and the presence of an IP address in the link were both clues that this is a phishing attempt. Another giveaway is the lack of a personal greeting, although the presence of personal details would not be a guarantee of legitimacy. Other signs that the message is a fraud are misspellings of simple words and the threat of consequences such as account suspension if the recipient fails to comply with the message's requests.
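Several of the link tricks listed above (the '@' user-info prefix, a raw IP address where a company name is expected, anchor text that names one site while the link goes to another, and IDN look-alike hosts) can be checked mechanically before a user clicks. The Python function below is an added example for mail filtering or user training, not code from the course text; the suspicious links it is run against are constructed samples, apart from the google.com@members.tripod.com address quoted in the text.

```python
# Added example: flags the link-manipulation tricks described in this section.
# The sample links in the usage block are constructed, except the
# www.google.com@members.tripod.com address quoted in the course text.
import ipaddress
from urllib.parse import urlsplit


def effective_host(url):
    """Host the browser will actually contact. urlsplit() discards any
    user:password@ prefix, which is exactly what the '@' trick relies on."""
    return (urlsplit(url).hostname or "").lower()


def link_warnings(href, anchor_text=None):
    """Return human-readable reasons a link looks like phishing.

    An empty list means none of the checks fired; it is not proof that the
    link is legitimate (a look-alike domain name is not caught here).
    """
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    warnings = []

    # 1. 'http://trusted.example@real-host/': everything before '@' is ignored
    if "@" in parts.netloc:
        shown = parts.netloc.split("@", 1)[0]
        warnings.append(f"userinfo trick: link reads {shown} but goes to {host}")

    # 2. Raw IP address instead of a company domain name
    try:
        ipaddress.ip_address(host)
        warnings.append(f"host is a raw IP address ({host})")
    except ValueError:
        pass

    # 3. Internationalized / punycode host: possible homograph look-alike
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append(f"internationalized host ({host}): check for look-alike characters")

    # 4. Visible anchor text names one site, the href points somewhere else.
    #    Only compared when the anchor text itself looks like an address.
    if anchor_text and "." in anchor_text and " " not in anchor_text:
        text_url = anchor_text if "://" in anchor_text else "http://" + anchor_text
        shown_host = (urlsplit(text_url).hostname or "").lower()
        if shown_host and shown_host != host:
            warnings.append(f"anchor text shows {shown_host} but link goes to {host}")

    return warnings


if __name__ == "__main__":
    samples = [
        ("http://www.google.com@members.tripod.com/", None),       # from the text
        ("http://192.0.2.10/paypal/login", "www.paypal.com"),      # constructed
        ("http://xn--pypal-4ve.com/", "Click here"),               # constructed
        ("https://www.paypal.com/", "www.paypal.com"),             # constructed
    ]
    for href, text in samples:
        print(href, "->", link_warnings(href, text) or "no warnings")
```

In a mail gateway the same function would run over every href extracted from the message body, and any non-empty result would be reason to quarantine the message or annotate it for the recipient.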
In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake email were tricked into revealing personal information.
Anti-phishing Techniques

There are several different techniques to combat phishing, including legislation and technology created specifically to protect against phishing, as follows:

1. Social Responses: One strategy for combating phishing is to train people to recognize and to deal with phishing attempts.

2. Check Legitimacy: People can take steps to avoid phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be "verified" (or any other topic used by phishers), it is a sensible precaution to contact the company from which the email apparently originates to check that the email is legitimate.

3. Look For Specifics: Nearly all legitimate email messages from companies to their customers contain an item of information that is not readily available to phishers. Some companies, for example PayPal, always address their customers by their username in emails, so if an email addresses the recipient in a generic fashion ("Dear PayPal customer") it is likely to be an attempt at phishing. Emails from banks and credit card companies often include partial account numbers.

a. Helping To Identify Legitimate Sites: Since phishing is based on impersonation, preventing it depends on some reliable way to determine a website's real identity. For example, some anti-phishing toolbars display the domain name for the visited website. The petname extension for Firefox lets users type in their own labels for websites, so they can later recognize when they have returned to the site. If the site is suspect, then the software may either warn the user or block the site outright.

b. Browsers Alerting Users To Fraudulent Websites: Another popular approach to fighting phishing is to maintain a list of known phishing sites and to check websites against the list. Microsoft's IE7 browser, Mozilla Firefox 2.0, and Opera all contain this type of anti-phishing measure. The screen below shows Google blocking a suspected phishing website.

5. Eliminating Phishing Mail: Specialized spam filters can reduce the number of phishing emails that reach their addressees' inboxes. These approaches rely on machine learning and natural language processing approaches to classify phishing emails.

6. Monitoring And Takedown: Several companies offer banks and other organizations likely to suffer from phishing scams round-the-clock services to monitor, analyze and assist in shutting down phishing websites. Individuals can contribute by reporting phishing to both volunteer and industry groups, such as PhishTank.
Legal Responses

1. Goodin Convicted: On January 26, 2004, the U.S. Federal Trade Commission filed the first lawsuit against a suspected phisher and Californian teenager Jeffrey Brett Goodin. He was the first defendant convicted by a jury under the provisions of the CAN-SPAM Act of 2003. He was found guilty of sending thousands of emails to AOL users, while posing as AOL's billing department, which prompted customers to submit personal and credit card information. He was sentenced to serve 70 months.

2. In Brazil: Phishing kingpin, Valdir Paulo de Almeida, was arrested for leading one of the largest phishing crime rings, which in two years stole more than $18 million.

3. In the UK: UK authorities jailed two men in June 2005 for their role in a phishing scam, in a case connected to the U.S. Secret Service Operation Firewall, which targeted notorious "carder" websites.

5. Microsoft Attacks: On March 31, 2005, Microsoft filed 117 federal lawsuits in the U.S. District Court for the Western District of Washington. The lawsuits accuse "John Doe" defendants of obtaining passwords and confidential information.
Spy Stuff
Chapter 38
VME Spy Phone: Eavesdrop on Conversations From Anywhere in the World. This product operates as a normal mobile phone where the holder can send and receive calls as usual. However, when you call the phone using a special access number, it automatically answers without any ringing or the holder being aware that you are connected to their phone in "listening mode". There will be no record of the call received from the special access number in the phone's list of received calls. There is also a proximity listening device enabling you to listen directly to what is going on up to five meters away from the phone.

VME Cell Phone Interceptor: Real-time interception and tracking of cell phone communication.* A proprietary technology allowing you to intercept, follow, track and listen to communications using unique triangulation and other advanced technology. Active or passive search and detection. Completely undetectable. Follow multiple targets simultaneously. Laptop size with extended range.

The Picture Frame Bug

This is a sneaky way to bug a room, a picture frame with a built-in microphone that you can phone up and listen to what's going on.

Tap your own phone line with Teleport 2.0
141
InformationSecurity
Cell Phone SIM Card Spy
This device allows you to recover deleted text messages from a cell phone. Just plug it in and erased messages on the phone are restored to the device, which you can read later by plugging it into your computer.
Under Door Remote Viewing Kit
The viewing kit allows you to see behind a door before you open it. The scope section is used to slide under the door and can fit in a space less than a quarter of an inch. The field of view is 55, which can see from the floor right up to the ceiling. As well as seeing what is in the room, there is a right angle adapter which allows you to view the back of the door so you can observe any barricades or traps.
MQ-1 Predator
The US Government has given the University of Michigan a $10 million dollar grant to come up with a six-inch robotic spy plane modeled after a bat.
Honeywell Hovering Spy Drone
Spy drone that can fly a 100 waypoint flight plan at 57 MPH, at a 10,500 foot altitude. These Micro Air Vehicles (MAVs) are already in place over Iraq and Afghanistan. They are waiting for FAA permission to be used here on American soil. $???
Spy Tie and the Concealed Camera Spy Pen
Sure to blend in beautifully whilst keeping tabs on your co-workers or employees.
The Spy Cam Office Calculator
This is a fully functioning electronic calculator complete with print roll, comes with a hidden 640 x 480 high resolution camera which, once armed via the unit's wireless remote control, will enter motion detection mode ensuring that the moment someone comes within range it will begin capturing video footage to an SD card concealed in a hidden compartment, with 2GB SD cards storing up to 128 hours of surveillance video. $449
Estes Xb-30 Digital Camera Spy Plane
A radio controlled digital camera spy plane with built-in digital camera that can take up to "26 aerial photographs" with the push of a button on the transmitter. Transfer the images to your computer via a USB port. Powered by electric fan engines with a wingspan of 55 in. and is 34 in. long.
Shocking Suitcase
Keep all your secret documents safe with this shocking suitcase, 80,000 volts to be exact. The electric shock alarm is activated at the push of a button via remote control. A built-in secondary 107 db alarm keeps would-be thieves away. Available in brown or black colors.
Shotgun Flashlight
A grenade-style pin removes the safety, and the flashlight fires a .410 shotgun round out the back when a button is pressed. A Mini-Mag size fires a .380 round.
Listen To Conversations 15 Feet Away
Not your ordinary SL65, this "Interceptor" version allows users to "dial up the device's super-secret number to instantly, surreptitiously listen in on whatever's happening up to five meters away from the mic." One drawback, it's priced at a whopping $2,155.
Mouse Microphone
Keep a close ear on your computer with the CP-1. Hidden inside this otherwise normal-looking mouse is a condenser microphone capable of picking up on any nearby conversations. It measures 53 x 95 x 35 mm and weighs just 75 g.
Digital Camera Watch
Looks and works like a normal watch, however it can also take VGA digital photos! So when you are out and about, take some candid photos with your watch! Perfect at trade shows or even just out with your mates! The built-in 2MB of memory is capable of storing up to 36 photos and it includes software and a serial cable (RS-232) for downloading images to a PC.
Spy Glasses
They let you see who is behind you! The lenses on these spy glasses have a special coating that allows you to look straight ahead and still see what is going on behind you. Now, no one can sneak up behind you.
Noise Amplifier
The ultimate in surveillance equipment, this handy little device fits on the ear and uses a tiny amplifier to increase the level of ambient sound in a room. The sound is sent to the earpiece allowing the user to eavesdrop on conversations discreetly.
KeyShark USB Keylogger
Keystroke logging device which records every key pressed on a computer keyboard, storing an exact copy of everything typed by the user! With enough capacity to store half a million characters (key presses), it can quietly record the average computer user for many months and still have room to spare. Installation takes just seconds, and the KeyShark starts to record automatically. KeyShark works with USB-style keyboards. It is a small external device, looking like an adapter plugged into a USB socket. U.S. $280.95
KeyShark PS/2 Port Keylogger
The Keylogger is a device that can be connected to a keyboard to record all keystrokes and data entered. It is password protected, and offers a keyword search facility, enable/disable option, and will store over a year's worth of data! KeyShark sits between the keyboard and your computer. U.S. $280.95
Wrist Watch Digital Camera
8M SDRAM allows storage of up to 26 VGA high resolution 350,000 pixel pictures. Auto exposure, auto white balance, edge detection with enhancement and backlight compensation. Upload images to a Palm PDA, or PC. One AAA battery not included. Images are displayable on your PC in 16.7M (32-bit) color. Comes with a USB wire link and a CD-ROM so you can transfer and save the pictures into your computer. U.S. $450.00
TeleMonitor 2000
Discreetly listen in on your premises via regular telephone lines from any telephone in the world! Requires no activating beeper or whistle and does not affect normal incoming and outgoing calls. Up to 4 units per line. Sensitive microphone will pick up even a whisper up to 35 feet away. To monitor, just dial your phone number from any tone telephone. Size: 5 1/2" x 3 1/2" x 1". This is a completely self-contained unit, no actual telephone required. It comes with modular plugs for instant connection to telephone jacks, needs no batteries. U.S. $379.95
Super Ear
It increases your ability to hear the sounds around you indoors and out. Spy on sensitive conversations. Hands-free listening, delivers a full 50+ db of sound gain. Measures 3 1/2 x 1 3/4 x 3/4. Comes with earphones and binocular mounting clip. U.S. $78.95
Bug Detector
Modern day miniature "bugs" can be hidden anywhere. Listening devices can be easily planted in places like your office, residence, hotel etc. The Bug Detector not only tells if a bug is present, there are 3 LEDs: Level 1 (Weak), Level 2 (Medium), Level 3 (Strong), indicating the strength of the detected signal. You can zero in on its exact location. From 50 MHz to 3 GHz, you choose to leave the bug or destroy it. All this can be done without alerting eavesdroppers. It can also detect wireless camera, wireless phone, wireless tap, and cell phones. Size: L 3.5" x W 2.1" Power: (AAA battery x 2) U.S. $239.95
Telephone Tap Detector
Instantly tells you if there is a tap or eavesdropper on the line. Automatically mutes your call if a tap is enabled while you are talking. U.S. $269.95
Cellular Voice Encryption
The Cellular Voice Encryption snaps onto the data port of an Ericsson cellular phone (included) working over the GSM network. It uses a 256-bit AES encryption algorithm which is the most advanced encryption standard for voice communication, even more advanced than the DES standard. Transparent operation, no action required by user. Military strength offers voice protection against virtually all determined listeners. **Price per unit; 2 units are needed (one at each side of the conversation). U.S. $2,200.00
Clock Camera
Clock Camera hides a wide angle lens behind the face, invisible no matter how hard you look! The camera has high resolution and has an electric iris for clear viewing in low light situations. The camera plugs into a TV monitor or VCR. 12V power supply included. U.S. $359.95
Key Chain Alcohol Breath Analyzer
Breath Analyzer is a sensitive instrument that measures breath alcohol content to equivalent blood alcohol content (BAC) within seconds. Shows 5 progressive key concentration levels denoted by a color-coded LED display. U.S. $149.00
50,000 Volts Shocking Briefcase
The Remote Control Shocking Briefcase and Money Carrier: if it is picked up to 30 degrees out of its horizontal position, without being disarmed, the briefcase will give a 5 second 85 dB warning siren and then shock the would-be thief at 50,000 volts of power. Also, when the briefcase is being carried, a thief may attempt to steal it; however with its four-function remote, you can allow the would-be thief to get well away from you, up to 500 ft. (well over the length of a football field) to avoid confrontation and then... press the remote control key to shock them with 50,000 volts!! $699.00
Dummy Security Video Camera
Authentic looking camera simulates a high-tech security system and makes crooks think twice. Flashing red LED fools unwanted visitors into thinking they are being watched. Uses 2 AA batteries. U.S. $39.95
Mini Night Vision
The world's smallest night vision unit with a built-in infrared illuminator. You will see even in total darkness! Good for spying. Measures 5 1/4 x 2 1/2 inches. 1.6x magnification. Amplifies light 15,000 times. Comes with carrying case. Requires AAA batteries. U.S. $435.95
Cobra Vision
These goggles were originally developed for Soviet Air Force pilots who required hands-free night vision. Helicopter pilots, paratroopers and tact-ops commandos also use them. They amplify light 20,000 times. Infrared illuminator allows you to see in total darkness. Wide, 36 deg. field of view. Adjusts to fit any size head. Dust, shock and water resistant. U.S. $795.95
The Truth Machine
Pocket-sized device that monitors the truth behind someone's words by responding to voice changes and inflections. The device is equipped with a highly sophisticated program and computer chip that allow it to work on the same principle as a lie detector. It is extremely sensitive to stress and subtle changes in voice inflection as an indicator of truthfulness. U.S. $89.95
Acoustical Jammer
Secure your room conversation. It works by generating unfilterable random white noise. This desensitizes any microphone-based eavesdropping. The Jammer also protects you from tape recorders, shotgun mics, wired devices, microwave and laser pickups. U.S. $275
Mini Stun Gun
The world's smallest stun gun (the size of a pack of gum). It has enough juice to stun a 300 lb. attacker without permanent damage. Simply touch the attacker's skin or clothes to deliver a 400 volt charge! Attach to belt or key ring, safety pin prevents any accidental discharge. U.S. $43.95
Pro Track 1
Digital Vehicle Tracking System. Tracking range about 3 miles. Digitally encrypted signaling (confidential to owner). Displays ID code of your target transmitter. Simultaneous monitoring of up to 10 targets. Displays distance to target in feet (from 75 to 65,000). Available optional transmitters: Magnet Mount Vehicle Tracker, Body Transmitter, Belt Clip Transmitter, Child monitoring (kidnap) Transmitter. U.S. $2,850.00
Peephole Reverser
Developed to assist law enforcement officials to assess potential threats or activity behind closed doors, these units are now available to the public. Simply place the lens over the peephole and you can see into the room without alerting anyone inside by negating the peephole's lens. Length: 2.7" weight: 1.5 oz. U.S. $89.95
Spy Phone
It may look like a regular Nokia Cellular phone, however this Super technology goes beyond its standard capabilities. It operates as a normal cellular phone but when the phone is called in on a special "Spy" mode (from anywhere in the world) it will automatically answer without any ringing or lights coming on and the display stays the same as if it is on a "Standby Mode". While on the "Standby mode" it will pick up the sounds nearby and transmit them back to you (the caller). All you have to do is to activate it as if you would activate any cellular phone. Talk Time: 3 to 4 Hours. Standby Time: up to 6 Days. Weight: 2.8 oz. Technology: GSM standards for U.S., Europe, Asia.
NOTE: Except for Law Enforcement, this item is not available to U.S. residents. U.S. $2,400.00
Micro UHF Room Transmitter
Transmitter - This powerful little device has a 5 day battery life and can be concealed almost anywhere. It will pick up the slightest whisper from up to 40 feet away and transmit to our UHF receiver with amazing clarity up to a distance of 600 meters. Dimensions: 6.5 cm. x 3 cm. x 1 cm.
Receiver - About the size of a cigarette pack, this is a state-of-the-art two-channel UHF receiver. Recently upgraded, its sensitivity is incredible. It is capable of receiving the signal from our UHF transmitter for long range use with amazing clarity. A recorder can be connected to the receiver so the user can record all conversations and listen, too.
Please note this item is NOT available to U.S. residents. U.S. $1,370.00
Envelope X-ray Spray
Envelope X-RAY Spray turns opaque paper temporarily translucent, allowing the user to view the contents of an envelope without ever opening. 30 seconds after application, the envelope will return to its original state, leaving absolutely no markings, discoloration or other indications of use. Each can treats several hundred square inches. Non-flammable, non-conductive and non-photochemically reactive. Environmentally friendly (contains no Freon). Net weight: 8 oz. WARNING: Not to be used on U.S. Mail, except by or with the express permission of the addressee. Cannot ship by Air. U.S. $45.95
Air Taser
The AIR TASER is a small hand-held self-protection system which utilizes compressed air to shoot two small probes up to 15 feet away. These probes are connected by wire to the launcher which sends a powerful electric signal into the nervous system of an assailant. This causes the body to go limp as the brain loses control over the rest of the body. The TASER is highly effective because the electrical signal penetrates the nervous system regardless of the placement of the probes. U.S. $395.95
Fiber Optic Snake Camera
Snorkel Camera, Tube Camera, Spy Camera, all in one. The remote head of this color video camera is the smallest on the market, measuring only .29" in diameter and 1.4" in length, comes with a micro 3.9mm lens. Optional built-in light source (measures .55" diameter and 4" in length). The remote head is connected to the miniature control unit by a 38" super-flexible cable. Great for surveillance under the door, tight places, machine vision, robotics, and quality control. US $1,398
Hidden Camera
Smoke Detector Camera hides a wide angle lens behind the face plate. Totally invisible no matter how hard you look! High resolution with electric iris for clear viewing in low light. It also contains a hidden microphone for audio. Comes with 12V power supply, and high ceiling mount. Wireless or wired, color or B&W camera, your choice. US $389.95 wired, $689.95 wireless.
MOBILTRACK
Monitor detailed information about a vehicle's travel activities using a satellite positioning network (GPS) cross-referenced with digital street maps providing proof of exact date, time, speed, and location right down to the street level. US $2,495
Telephone Voice Changer
The Telephone Voice Changer incorporates an eight-level pitch adjustment. At the high range a man's voice will sound like a woman. At low range a woman will sound like a man. A built-in amplifier can increase the sound of the incoming voice. It installs by plugging into the base and handset of the telephone. US $59.95
UV Pen
The ink in this pen is invisible to the naked eye, so any paper you write on will appear to be blank. However, under a UV light source, your "secret message" will appear. Possible technique for securing passwords without leaving them visible in the workspace area. US $5.95
Cellular Blocker
The systems utilize a unique transmission method that confuses the decoding circuits of cellular handsets as if no cellular base station is within the service area. Upon activating the Blocker, all idle phones will indicate "NO SERVICE". Consequently, all cellular phone calls already in progress within the defined area will be cut off and the radio link will be lost. US $1,948
Privacy Test
Chapter 22
Privacy Test
As usage of the Internet and CRM products expands, huge amounts of data are being collected on everyone. With each bulging database comes the increased possibility that tender information will fall into the wrong hands or that erroneous information will be collected. Everywhere you turn cameras are watching you, companies are building profiles on you and your habits, software programs track where you go and what you read on the Internet. The public has pushed back with many people crying enough is enough. This web page addresses some of the privacy issues and some of the measures you can take to protect yourself at least a little. However please be advised that this web site does not pretend to address all of the issues or solve the privacy dilemma. You alone are responsible for enacting privacy measures which are consistent with your own desires for privacy.
Take the Privacy Test
1. Have you ordered your own credit reports for $8.00 each? (www.experian.com, www.equifax.com, www.transunion.com) Yes / No
2. Have you ordered your medical history report for $8.50? (www.mib.com) Yes / No
3. Have you ordered your own Social Security Earnings report for free? (www.ssa.gov) Yes / No
4. Have you ordered a copy of your driving record? (http://www.ark.org/dfa/motorvehicle/driverservices.html) Yes / No
5. Do you take time to "Opt Out" of junk mail? (http://www.thedma.org/) Yes / No
6. Do you avoid filling out warranty and registration cards or use an alias when doing so? Yes / No
7. Do you avoid publicly donating money to charities? Yes / No
8. Do you avoid joining clubs and organizations? Yes / No
9. Do you avoid subscriptions to magazines or use an alias? Yes / No
10. Do you have an unpublished telephone number? Yes / No
11. Do you avoid sweepstakes? Yes / No
12. Do you avoid giving out your social security number whenever possible, with persistence? Yes / No
13. Do you refuse to allow your credit card number to be written on your checks? (unlawful in many states to do so) Yes / No
14. Do you refuse to allow your phone number and address to be written on your credit card slips? (also unlawful in many states) Yes / No
15. Do you avoid cordless phones? Yes / No
16. Do you avoid cellular phones? Yes / No
17. Do you subscribe to "Caller ID Blocking"? Yes / No
18. Do you have a PO Box address to use in all but the most important circumstances? Yes / No
19. Do you shield your hand at ATM machines when entering your PIN number? Yes / No
20. Do you shield your hand when entering calling card numbers at public telephones to make long distance calls? Yes / No
21. Do you read the fine print on applications and order forms? Yes / No
22. Do you encrypt your email? Yes / No
23. Do you use a combination of letters and numbers in your passwords? Yes / No
24. Do you change your passwords occasionally? Yes / No
25. Do you use different passwords for every account? Yes / No
26. Is your computer password protected at the system level? Yes / No
27. Do you have a second email account for personal use? Yes / No
28. Do you have a second email account that you use for less important purposes? Yes / No
29. Do you sign your name legibly when signing Signature Capture Devices? Yes / No
30. Do you read privacy policies on web sites? Yes / No
31. Have you taught your children not to give out personal information on the internet? Yes / No
32. Do you clear your cache frequently after browsing? Yes / No
33. Do you make sure to use secure connections when transmitting sensitive data over the internet? Yes / No
34. Do you reject unnecessary cookies? Yes / No
35. Do you use anonymous remailers when appropriate? (Hushmail for example) https://www.hushmail.com/ Yes / No
36. Do you use anonymizers when browsing? http://www.anonymizer.com/ Yes / No
37. Do you use a personal firewall on your internet connection? Yes / No
38. Have you read your company's privacy policy? Yes / No
39. Do you perform due diligence on any new service, company, or web site that you patronize? Yes / No
40. Do you avoid using newsgroups or chat rooms, or at least use an alias? Yes / No
41. Do you use a digital ID to authenticate your email? Yes / No
42. Do you ignore junk email? Yes / No
How did you score?
Multiply your YES responses by 3. In previous audience surveys, the audience has scored on average as follows:
Less than 20: 27%;
20 to 40: 55%;
40 to 60: 8%
(10% did not report their score.)
The higher you score, the more measures you have taken to protect your privacy.
Fake IDs
Chapter 23
Do it Yourself Fake IDs
For many years the graphic images needed to create your own driver's license for each state were freely available for download from numerous web sites. As a result, millions of computer-savvy teenagers have created fake driver's licenses despite the holograms and other high-tech security features that states now put on licenses to thwart forgers. Using the Internet, anyone willing to break a few laws can be a mass producer of fake IDs. Fake licenses can be made easily by downloading these templates, scanning a picture into the computer, editing the template and printing the finished product with a photo quality ink jet printer. Since 9/11, many of these sites have been shut down but new sites pop up continuously.
Are Fake IDs Harder to Obtain?
There are over 900,000 web sites offering to help you obtain a fake ID. These services offer holograms, full-color photos, professional laminates, and all the trimmings to make a fake ID. For example, this web site for The ID Shop claims to provide near-identical passports.
In years past there were no procedures for verifying the authenticity of an ID; only the police had that capability. However today, online verification terminals are popping up everywhere. Further, the laws are different now; for example today just handing a fake ID to a bar bouncer could land you in jail.
Some reports indicate that it is actually fairly difficult to get your hands on high quality fake IDs today. They claim that most of those enticing fake ID sites on the internet are total rip-offs that deliver nothing, or they deliver poor quality IDs with the word Novelty stamped on the back. Some fake ID sites promise to deliver fake driver's licenses, but when your license arrives it's a worthless go-kart license. They get away with this because whom can you complain to?
While there are numerous Fake ID web sites on the Internet now, most do not seem to offer actual replica driver's licenses or other official government documents. I can only conclude that the Department of Homeland Security is monitoring the Internet and taking measures to shut down these operations, or at least preventing them from producing official-looking government-issued IDs.
However, they are not doing a good enough job. In less than 10 minutes of searching, I found the following web site that allowed me to download driver's license templates for Florida, Michigan, Arizona, New Hampshire, Idaho, New York, and South Dakota.
I was able to edit these templates in PhotoShop in about 5 minutes to create the following fake ID using my picture and fake information.
Now I only need to print it out and apply a transparent laminate sheet and trim to produce the fake ID. The numbers and information contained on the ID won't match the data in the Florida database, but this ID would probably be good enough to enable underage drinking, or fool a doctor's office into admitting a person and providing services, or to engage in a number of other crimes.
Algorithms
Today most states use some type of algorithm to make duplication of driver's licenses harder to achieve. For example, in Georgia, the last digit in the year of birth also appears elsewhere on the driver's license in an inconspicuous place; if the numbers do not match, the ID is obviously a fake ID. Forgers who are not aware of this check have only a 10% chance of producing a driver's license that will pass close inspection.
Outside the Internet, Fake IDs Seem to be Easy to Obtain
Despite the fact that many fake ID web sites may seem to be closed for business, it appears that there are other sources for high quality fake IDs other than the Internet. From my own personal experience I know a friend whose daughter went to college in 2007 and during her first sorority meeting, applications and fees for fake IDs were solicited. The resulting IDs were high quality like this fake ID shown below.
(A $100,000 identity theft and check fraud scam was perpetrated by this thief using this phony driver's license in Oregon State, targeting construction-related businesses.)
Congressional investigators confirmed this when they easily convinced motor vehicle agency employees around the country to issue genuine driver's licenses. According to a report from the General Accounting Office, agents operating undercover in seven states and the District of Columbia ultimately obtained driver's licenses at every agency where they applied. The most serious vulnerabilities appeared in California, where agents managed to complete the process to receive three temporary state driver's licenses within two days using the same fake information.
Florida police also confirm the availability of fake IDs. During four spring break weeks, Florida police staked out bars, restaurants and nightclubs in Panama City and Daytona Beach. The police looked for IDs with flawed holograms and incorrect letter and number codes that are supposed to be known only by police and a state's motor vehicles department.
They arrested about 350 teenagers for carrying fake IDs and 1,200 for underage drinking and confiscated 10,000 bogus IDs. That's an indication, police said, of the enormous popularity of counterfeit licenses among high school and college students. If you extrapolate the Panama City and Daytona Beach figures, he says, "you're talking millions and millions" of fake IDs around the country. Another police officer estimated that 50% of underage high school and college students have fake IDs.
Fake Diplomas, College Degrees & Other Documents
Fake diplomas and college degrees including fake transcripts also seem to be readily available as this web site shows.
In fact there are many internet sources for many fake documents from Fake High School Diplomas, fake transcripts, fake birth certificates, fake business cards, fake ID badges, etc.
The Solution - Background Checks
The solution to the threat of fake IDs is rather simple: do background checks on everybody you come in contact with including customers, suppliers, employees and subcontractors. Don't give anybody access to your building, your operations, or your data until you confirm who they are. As an example, Net Detective claims that you can search over 3.1 billion records to obtain information on over 90% of residents in the U.S. They claim to have 843,000 users. They provide instant access, no download is required. The information provided includes criminal records, family history, birth, death, social security, adoption, DMV Records, unlisted phone numbers, address, phone number, email addresses, access to your own credit reports, and your own FBI file.
Key Points
1. Fake ID and driver's license templates are available on the web.
2. Many fake ID web sites provide poor quality IDs, Go-Kart IDs, or NOVELTY IDs.
3. At least one sorority solicits money for fake IDs at their first chapter meetings.
4. Codes and algorithms are used to help prevent driver's license forgeries.
5. Fake diplomas and college transcripts are also available.
6. A background check is your best protection against fake IDs.
7. ID authentication methods and web sites are becoming more prevalent.
8. Today, the best fake IDs are backed up by a real identity using identity theft.
National ID Cards
Chapter 24
National ID cards are advocated by some as a means to enhance national security, unmask potential terrorists, and guard against illegal immigrants. They are already in use around the world including most European countries, Hong Kong, Malaysia, Singapore and Thailand. The United States and United Kingdom continue to debate the merits of adopting national ID cards.
Historically, Americans have rejected the idea of a national ID card. When the Social Security Number (SSN) was created in 1936, it was meant to be used only as an account number associated with the administration of the Social Security system. Though use of the SSN has expanded considerably, it is not a universal identifier and efforts to make it one have been consistently rejected. For example:
1. In 1971, the Social Security Administration task force rejected the extension of the Social Security Number to the status of an ID card.
3. In 1976, the Federal Advisory Committee on False Identification rejected the idea of an identifier.
4. In 1977, the Carter Administration reiterated that the SSN was not to become an identifier.
5. In 1981 the Reagan Administration stated that it was "explicitly opposed" to the creation of a national ID card.
6. The Clinton administration advocated a "Health Security Card" in 1993 and assured the public that the card, issued to every American, would have "full protection for privacy and confidentiality." Still, the idea was rejected and the health security card was never created.
made clear in the enabling legislation that the agency could not create a national ID system. In September 2004, then-DHS Secretary Tom Ridge reiterated, "The legislation that created the Department of Homeland Security was very specific on the question of a national ID card. They said there will be no national ID card."
The public continues to debate the issue, and there have been many other proposals for the creation of a national identification system, some through the standardization of state driver's licenses. The debate remains in the international spotlight; several nations are considering implementing such systems. The U.S. Congress has passed the REAL ID Act of 2005, which mandates federal requirements for driver's licenses. Critics argue that it would make driver's licenses into de facto national IDs.
The REAL ID Act of 2005
The REAL ID Act of 2005 is a law which imposes federal technological standards and verification procedures on state driver's licenses and identification cards, many of which are beyond the current capacity of the federal government, and mandates state compliance by May 2008. As of April 2, 2008, all 50 states have either applied for extensions of the original May 11, 2008 compliance deadline or received unsolicited extensions, meaning that the REAL ID Act will not become an issue at federal facilities and airports until December 31, 2009.
Some claim that REAL ID turns state DMV workers into federal immigration officials, as they must verify the citizenship status of all those who want a REAL ID-approved state driver's license or identification cards.
In order to get a Real ID you will be required to show your birth certificate, proof of address and citizenship, photo ID, and Social Security card, which are just some of what you might be asked to present to the DMV. If you enter an establishment and are required to show your Real ID, all of your personal information can be scanned and digitally stored from the RFID or strip on your card, such as your: name, birth date, sex, ID number, a digital photograph. (Notice that the image above also shows the individual's religion. Why would the DHS want to know your religious beliefs?)
Homeland Security may also add additional requirements such as a fingerprint or retinal scan; they won't issue their specifications for the Real ID for several months. The Department of Homeland Security is in charge of the Real ID and each card will have personal data encoded on a strip and/or an RFID chip. DHS contemplates using the REAL ID system as part of its Federal border security program and requested comments on how States could incorporate long-range radio frequency identification ("RFID") technology into the REAL ID card so that it could be used as part of the Western Hemisphere Travel Initiative.
Revelation 14:9-11
Fake Social Security Cards
Chapter 25
Social Security Cards Are Required
The US federal government requires all legal residents to have a valid social security card. This card is used by the Internal Revenue Service (IRS) to track an individual's earnings and taxes.
The Social Security Number
The digits in the Social Security Number are divided into three parts:
1. The Area - The first three digits of a social security number are based on an algorithm applied to the recipient's ZIP Code (based on the mailing address shown on the social security application). The following table shows how area numbers have been assigned.
Social Security numbers containing area numbers other than those found on the table above are impossible.
Prior to 1972, cards were issued in local Social Security offices around the country and the Area Number represented the location from where the card was issued (the numbering scheme was designed in 1936 (before computers) to make it easier for SSA to store the applications in our files). In 1972, SSA began assigning SSNs and issuing cards centrally from Baltimore; and the area number assigned is based on the recipient's ZIP code. Since the applicant's mailing address does not have to be the place of residence, the Area Number does not necessarily represent the State of residence. However, generally speaking, area numbers have been assigned beginning in the northeast and moving westward. So people on the east coast have the lowest numbers and those on the west coast have the highest numbers.
2. The Group - The middle two digits range from 01 to 99 but are not assigned in consecutive order. For administrative reasons, group numbers issued first consist of the ODD numbers from 01 through 09 and then EVEN numbers from 10 through 98, within each area number allocated to a State. After all numbers in group 98 of a particular area have been issued, the EVEN Groups 02 through 08 are used, followed by ODD Groups 11 through 99.
Because this numbering scheme is confusing and since the application form for an SSN asks for identifying information such as date of birth, place of birth, parents' names, and (optionally) the applicant's race, a common myth is that the group ID identifies the cardholder by a specific group such as race. According to the SSA, this is not true.
3. Serial Numbers - The last four digits run consecutively from 0001 through 9999.
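To make the three-part structure above concrete from a fraud-screening (defender's) angle, here is an added Python example written for this page; it is not SSA code and not the author's. It encodes the group-number issue order exactly as described (odd 01-09, even 10-98, even 02-08, odd 11-99) and reports why a candidate number could not have been issued under that scheme. The area table is not reproduced on the page, so the set of assigned areas is a parameter the caller supplies; the area 123 and high group 10 used at the bottom are constructed sample values, not real SSA data. One caveat a practitioner needs: SSA moved to randomized assignment in June 2011, so the ordering check only applies to numbers issued before then.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple


def group_issue_order() -> List[int]:
    """Order in which the two-digit group numbers are issued within one area
    number, as described above. Returns all 99 group numbers, earliest first."""
    order = list(range(1, 10, 2))       # 01, 03, 05, 07, 09
    order += list(range(10, 99, 2))     # 10, 12, ..., 98
    order += list(range(2, 9, 2))       # 02, 04, 06, 08
    order += list(range(11, 100, 2))    # 11, 13, ..., 99
    return order


# group number -> position in the issue order (0 = issued first)
GROUP_RANK: Dict[int, int] = {g: i for i, g in enumerate(group_issue_order())}

# Accepts 123456789 or 123-45-6789.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def parse_ssn(ssn: str) -> Optional[Tuple[int, int, int]]:
    """Split a candidate into (area, group, serial); None if not nine digits."""
    m = SSN_RE.match(ssn.strip())
    if m is None:
        return None
    area, group, serial = (int(x) for x in m.groups())
    return area, group, serial


def structural_problems(ssn: str,
                        assigned_areas: Iterable[int],
                        high_group_by_area: Optional[Dict[int, int]] = None) -> List[str]:
    """Return the reasons a number could not have been issued under the
    pre-2011 scheme (empty list = structurally plausible).

    assigned_areas     - area numbers from the SSA table; the table is not on
                         this page, so the caller supplies it.
    high_group_by_area - optional: most recently issued group for each area.
                         A group later in the issue order than that high group
                         cannot exist yet for that area (assumption: the caller
                         has an up-to-date high-group reference).
    """
    parts = parse_ssn(ssn)
    if parts is None:
        return ["not nine digits in AAA-GG-SSSS form"]
    area, group, serial = parts
    problems: List[str] = []
    if area not in set(assigned_areas):
        problems.append(f"area {area:03d} has never been assigned")
    if not 1 <= group <= 99:                 # group 00 is never issued
        problems.append("group must be 01-99")
    if not 1 <= serial <= 9999:              # serial 0000 is never issued
        problems.append("serial must be 0001-9999")
    if high_group_by_area and area in high_group_by_area and group in GROUP_RANK:
        high = high_group_by_area[area]
        if GROUP_RANK[group] > GROUP_RANK[high]:
            problems.append(f"group {group:02d} comes after high group {high:02d} in the issue order")
    return problems


if __name__ == "__main__":
    # Constructed sample data: area 123 treated as assigned, most recent group 10.
    areas = {123}
    high = {123: 10}
    for candidate in ["123-09-0001", "123-12-0001", "123-00-4567", "999-45-6789", "12345678"]:
        print(candidate, structural_problems(candidate, areas, high) or "plausible")
```

Note that 123-02-0001 is rejected against a high group of 10 even though 02 is numerically smaller: the even groups 02 through 08 are only reached after group 98, which is exactly the non-consecutive ordering the text describes and the reason a plain numeric comparison would let bogus numbers through.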
ObtainingFakeSocialSecurityCards
According to an article in the Arizona Republic, within hours of crossing the border, illegal immigrants can buy them from "runners" on virtually every street corner. "Mica, mica," runners brazenly say to potential customers. Mica (pronounced MEE-ka) is Spanish slang for the green cards. Other dealers are more discreet, passing out business cards for auto mechanics, yard work, taxicabs and other services that are really fronts for makers of fraudulent documents.
Edward Ochoa is an undercover investigator who buys fake documents as part of the Arizona Fraudulent Identification Task Force. He explains how the process of obtaining a fake social security card, green card, or driver's license works. To get a fake ID, a buyer provides a passport photo, then waits while a runner takes the image to a "manufacturer," usually another undocumented immigrant holed up in an apartment nearby. If the buyer doesn't have a photo, the runner can usually take a picture with an instant camera. Reportedly, a "two-pack" (a green card and a Social Security card) costs as little as $70 on the street. A "three-pack" (a green card, driver's license and Social Security card) goes for $140 to $160. Those prices buy documents with randomly generated numbers. Sometimes the numbers invented by a manufacturer coincidentally belong to actual people.
Buying fake documents made with government-issued ID numbers and a matching name stolen from someone else is far more expensive. Those documents are more difficult to get and cost three to five times as much as ones using bogus Social Security and immigration numbers. Some numbers are stolen. Others belong to children or to people who have died.
Making Fake Social Security Cards
Templates of driver's licenses, green cards and other documents can be bought on the black market, downloaded from the Internet or produced from scratch with a graphics software program. Producing fraudulent documents has become much easier: all you need is a computer, a scanner, a graphics software program like PhotoShop, and a high-grade card printer like the ones shown below. They cost about $1,000 and print on plastic or PVC blanks. Card blanks cost about $1.00 each.
Within two hours of taking an order for fake documents, the runner returns with documents real enough to fool unsuspecting employers or to satisfy unscrupulous ones.
Social Security Card Security Features
1. The card contains a blue-tint marbleized random pattern. Any attempt to erase or remove data is easily detectable because the tint erases along with it.
2. Small multicolored discs are randomly placed in the paper stock and can be seen with the naked eye.
3. Intaglio printing of the type used in US currency is used for some of the printing on the card and provides a raised effect that can be felt.
By today's standards, these security features are considered weak. Because Social Security cards are paper, many people laminate their cards. However, a laminated card can hamper the ability of the government to make use of these security features. The government will replace your card free of charge if you lose it.
Stronger Social Security Cards on the Way
Congressmen introduced legislation in February 2008 to enhance the security features of Social Security cards. The proposed new cards would feature:
1. A photograph
2. A fingerprint
3. A computer chip
4. A bar code
5. A magnetic strip
The cards would be modeled after the Common Access Card issued by the Department of Defense, mostly to active military and reserve members and their dependents, said U.S. Rep. Mark Kirk (R-Ill.), a sponsor of the bill. Current Social Security cards have limited security features and carry no photo or biometric data, he said.
Lose Your Business Hiring Illegals
In July 2008, Arizona enacted a tough employer sanctions law which revokes the business licenses of employers caught knowingly hiring illegal workers a second time. It also requires the more than 150,000 licensed Arizona employers to run Social Security numbers and other data for new employees through the federal Basic Pilot Program, an electronic verification system. Two other states, Colorado and Georgia, have passed similar laws.
Identity Theft
Chapter 26
According to a U.S. Federal Trade Commission report, it is estimated that more than 50 million Americans have been victims of identity theft. About half of the victims knew how their identity was stolen. The report found evidence suggesting that quick discovery of identity theft reduces the risk of thieves opening unauthorized accounts. Here are some relevant statistics:
1. Accounts were opened in 45 percent of identity theft cases in which at least six months elapsed before victims noticed their information was misused. Accounts were opened in fewer than 10 percent of cases where victims learned of the misuse within a month.
2. 33.4 million Americans were victims of identity theft from 1990 to 2003.
3. 34% say someone obtained their credit card information, forged a credit card in their name, and used it to make purchases.
4. 12% say someone stole or improperly obtained a paper or computer record with their personal information on it and used that to forge their identity.
5. 11% say someone stole their wallet or purse and used their identity.
6. 10% say someone opened charge accounts in stores in their name and made purchases as them.
7. 7% say someone opened a bank account in their name or forged checks and obtained money from their account.
8. 7% say someone got to their mail or mailbox and used information there to steal their identity.
9. 5% say they lost their wallet or purse and someone used their identity.
10. 4% say someone went to a public record and used information there to steal their identity.
11. 3% say someone created false IDs and posed as them to get government benefits or payments.
12. 16% say it was a friend, relative or co-worker who stole their identity.
13. The seven million victims the survey identified in 2002 represent an 81% rise over the victims in 2001.
Security risks related to identity theft are on the rise. There are a number of ways in which identity thieves could threaten your organization and its systems. For example, they could use employee badges to enter your premises, or masquerade in the community as your employee or vendor. A thief might assume the identity of a vendor's sales representative and visit your accounts payable department to collect cash or check payments. With today's technology, it is easy to reproduce business cards, badges, uniforms and even vehicle identification. That same thief might masquerade as one of your employees and attempt to withdraw money from your corporate bank accounts. An identity thief could republish your web site under a similar domain name, changing only the contact information. The possibilities are frightening.
To protect against identity fraud, common sense is your best ally. Some of the top prevention measures include the following:
1. Set up PINs on all bank accounts.
2. Use fingerprint or retina scan technology instead of passwords and badges to control access to computer systems or buildings.
3. Instruct employees not to write passwords down.
4. Force users to change passwords monthly. (Current NIST guidance in SP 800-63B favors changing passwords when there is evidence of compromise rather than on a fixed schedule.)
5. Safeguard employee information such as social security numbers or employee numbers from non-authorized personnel.
6. Use shredders to destroy sensitive documents.
7. Reconcile all statements promptly, to the penny.
8. Password-protect all traveling laptops at the system level.
9. Have someone in your organization regularly search the internet for use of your corporate name or the names of key individuals, to protect against improper use.
Another key threat from identity theft is that of hiring a masquerading employee. Using a false identity, a thief could be hired into your organization and given access to critical systems and areas within your organization. Once trusted, this person could then arrange to steal cash and equipment and disappear into the night. For this reason, background checks and a certain amount of due diligence work are necessary in order to verify that new hires are who they say they are. For more information on preventing identity theft, visit the Identity Theft Prevention Checklist at the following URL:
http://victimsassistanceofamerica.org/eduinfo/idtheft_prevention.cfm
Identity Theft: What To Do If It Happens To You
1. Report it to the police.
2. Cancel all credit cards.
3. Call the fraud units at Experian, Equifax, and TransUnion.
4. Notify your banks.
5. Fill out fraud affidavits to prove your innocence.
6. Get a new ATM card.
7. Ask the Social Security Administration to change your SSN (a new number is issued only in limited cases).
8. Notify the passport authorities.
9. Report stolen checks to TeleCheck, National Processing Company (NPC), and Equifax.
10. Notify the postal inspector if you suspect mail theft.
11. Call the telephone, electricity, and gas companies and alert them.
12. Change your driver's license number.
13. Call Consumer Credit Counseling for help removing fraudulent claims from your record: 800.388.2227.
14. Keep a log of all conversations you have dealing with this, including names and dates.
15. Consider seeking legal counsel.
16. Pay attention to your mental health.
17. Change passwords everywhere.
18. Change PINs.
19. Change email addresses.
20. Use common sense.
Recommendations for Preventing Identity Theft
Prevent Identity Theft
You can't guarantee that you will never be a victim, but you can minimize your risk with the following measures.
1. Big Duh: Don't give out personal information on the phone, through the mail or over the Internet (through email or online forms, or any other manner) unless you have initiated the contact or are sure you know who you're dealing with.
3. Secure Your Home: Secure personal information in your home in safes that are bolted to the floor, especially if you have roommates, employ outside help, or are having service work done in your home. Securely store extra checks, credit cards, documents that list your Social Security number, and similar valuable items.
4. Fool Burglars: Don't advertise to burglars that you're away from home. Put lights on timers, temporarily stop delivery of your newspaper, and ask a neighbor to pick up any items that may arrive unexpectedly at your home.
5. Guard Your Mail: Pick up mail from your mailbox promptly. Do not send mail through your mailbox; a red flag raised on your mailbox is also a red flag to burglars that a check is probably waiting inside. If you're planning to be away from home and can't pick up your mail (or are called away on an unexpected business trip or family emergency), call the U.S. Postal Service at 1-800-275-8777 to request a "vacation hold," or ask your carrier or a counter clerk for an "Authorization to Hold Mail" form (PS Form 8076). You might also consider purchasing and installing a relatively secure "locking" mailbox for either city or rural use.
6. Guard Your Trash: Protect your garbage. Identity thieves rummage through trash cans and landfills looking for personal information. To thwart identity thieves who may pick through your trash or recycling bins to capture your personal information, tear or shred your:
a. charge receipts,
b. copies of credit applications,
c. insurance forms,
d. physician statements,
e. checks and bank statements,
f. credit card statements,
g. expired charge cards that you're discarding,
h. pre-approved credit card offers you get in the mail, and
i. any documents that contain your social security number.
7. Opt Out: If you do not use the pre-screened credit card offers you receive in the mail, you can "opt out" by calling 1-888-5-OPT-OUT (1-888-567-8688). You will be asked for your Social Security number so that the credit bureaus can identify your file and remove you from their lists. You may still receive some credit offers, because some companies use lists other than the credit bureaus' lists. (If you do accept a credit card offer, be aware that some credit card companies, when sending out credit cards, have recently adopted security measures that allow a card recipient to activate the card only from his/her home phone number, but this is not yet a universal practice.)
8. Purchase a Shredder: Shredders come in a variety of styles and prices, from shredding scissors up to powerful shredders that can shred through binder clips.
9. Limit, protect, and be aware of the type and amount of personal data you carry around. Keep your purse/wallet and organizer/briefcase, as well as any copies you may retain of administrative forms that contain your sensitive personal information, in a safe place at work.
10. Use PINs & Passwords: Place passwords on your credit card, bank, brokerage and phone accounts. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers. When opening new accounts, you may find that many businesses still have a line on their applications for your mother's maiden name. Use a password instead.
11. At Work: Keep your purse or wallet in a safe place at work.
13. Credit Card Photos: Some issuers of bank and/or credit cards offer the option of adding the PHOTO of the named customer to the face of the card. If your issuer(s) offer this option, TAKE ADVANTAGE. It's certainly more difficult for someone else to use a card with your photo on it.
14. Be Check Smart: When ordering new checks, pick them up at the bank rather than having them sent to your home mailbox. Consider using only your first initial(s) rather than your full name so a thief won't know what to sign. To save time, many people have their bank print every bit of personal info they can fit on personal checks to speed up check approval in the checkout line (and minimize what they have to write in by hand). Resist the urge. Don't put any information other than your name and address on your checks. Also, keep a close watch on your checkbook both when you're writing checks and when it is lying around.
Some thieves use cleaning solvent to remove what is already written on a check, making it payable to themselves. To make this harder, write checks using a pen with thick, dark ink. Draw lines to fill in gaps in the spaces where you designate to whom a check is payable and the amount.
If your checks have been stolen or misused, immediately notify your bank, place a stop payment order, and close your checking account. Also, immediately report to your bank any irregularities in your bank statements. Report mail theft or tampering to the U.S. Postal Inspection Service, which is listed in your phone book.
15. Guard Deposit Slips: Guard deposit slips as closely as you do checks. Not only do they have your name, address and account number printed on them, but they can also be used to withdraw money from your account. All a thief has to do is write a bad check, deposit it into your account and use the "less cash received" line to withdraw your money.
16. Avoid Shoulder Surfers: A "shoulder surfing" identity thief can memorize your name, address and phone number during the short time it takes you to write a check. Also, in many public places "shoulder surfing" criminals can stand nearby and watch you punch in your phone-card number, debit-card PIN or credit card number, or even listen in on your conversation if you give your credit-card number over the phone for a hotel room or rental car. Don't carry more checks than you need. Keep extra checks in a secure place.
19. Check Your Credit Reports: Order a copy of your credit report from each of the three major credit reporting agencies every year. Make sure it is accurate and includes only those activities you've authorized.
20. Be Careful at Restaurants: When paying at stores, restaurants, and other businesses, be methodical at the payment counter, ensuring you retrieve your driver's license or other ID, your credit card and your credit slip copy after your purchase. Make sure that the person you give the credit card to really is the waiter or the proper person.
21. Xerox Your Wallet or Purse: Take a few minutes to make paper copies of all of the cards and IDs you carry in your wallet or purse, including the backs, as they contain the contact phone numbers you will need in the event of theft. Secure the copies in a safe place.
more persons loitering around an ATM, often in a car, behind bushes or otherwise nearby. Use your body, or cup your other hand over the keypad, to "shield" it as you enter your PIN into the ATM. Never write your PIN on the back of your card; you could lose it, and some ATM scams involve a scammer "distracting" the victim and grabbing the card before running away.
23. Drive-up ATMs: If you are using a drive-up ATM, keep your engine running and be sure your passenger windows are rolled up and all doors are locked. Before you roll down your window to use the ATM, observe the entire surrounding area; if anyone or anything appears suspicious, drive away at once. When possible, leave enough room between cars when you're in the ATM drive-up queue to allow for a quick exit, should it become necessary.
24. Counterfeit Cashier's Check
1. Inspect the cashier's check.
2. Ensure the amount of the check matches in figures and words.
3. Check to see that the account number is not shiny in appearance.
4. Be watchful that the drawer's signature is not traced.
5. Official checks are generally perforated on at least one side.
6. Inspect the check for additions, deletions, or other alterations.
7. Contact the financial institution on which the check was drawn to ensure legitimacy.
8. Obtain the bank's telephone number from a reliable source, not from the check itself.
9. Be cautious when dealing with individuals outside of your own country.
25. Credit Card Fraud
a. Ensure a site is secure and reputable before providing your credit card number online.
b. Don't trust a site just because it claims to be secure.
c. If purchasing merchandise, ensure it is from a reputable source.
d. Promptly reconcile credit card statements to catch unauthorized charges.
e. Do your research to ensure the legitimacy of the individual or company.
f. Beware of providing credit card information when it is requested through unsolicited emails.
26. Debt Elimination
a. Know who you are doing business with; do your research.
b. Obtain the name, address, and telephone number of the individual or company.
c. Research the individual or company to ensure they are authentic.
d. Contact the Better Business Bureau to determine the legitimacy of the company.
e. Be cautious when dealing with individuals outside of your own country.
f. Ensure you understand all terms and conditions of any agreement.
g. Be wary of businesses that operate from P.O. boxes or mail drops.
h. Ask for names of other customers of the individual or company and contact them.
i. If it sounds too good to be true, it probably is.
27. DHL/UPS
a. Beware of individuals using the DHL or UPS logo in any email communication.
b. Be suspicious when payment is requested by money transfer before the goods will be delivered.
c. Remember that DHL and UPS do not generally get involved in directly collecting payment from customers.
d. Fees associated with DHL or UPS transactions are only for shipping costs and never for other costs associated with online transactions.
e. Contact DHL or UPS to confirm the authenticity of email communications received.
28. Employment/Business Opportunities
a. Be wary of inflated claims of product effectiveness.
b. Be cautious of exaggerated claims of possible earnings or profits.
c. Beware when money is required up front for instructions or products.
d. Be leery when the job posting claims "no experience necessary".
e. Do not give your social security number when first interacting with your prospective employer.
f. Be cautious when dealing with individuals outside of your own country.
g. Be wary when replying to unsolicited emails for work-at-home employment.
h. Research the company to ensure they are authentic.
i. Contact the Better Business Bureau to determine the legitimacy of the company.
29. Escrow Services Fraud
a. Always type in the website address yourself rather than clicking on a link provided.
b. A legitimate website will be unique and will not duplicate the work of other companies.
c. Be cautious when a site requests payment to an "agent" instead of a corporate entity.
d. Be leery of escrow sites that only accept wire transfers or e-currency.
e. Be watchful for spelling errors, grammar problems, or inconsistent information.
f. Beware of sites that have escrow fees that are unreasonably low.
30. Identity Theft
a. Ensure websites are secure prior to submitting your credit card number.
b. Do your homework to ensure the business or website is legitimate.
c. Attempt to obtain a physical address, rather than a P.O. box or mail drop.
d. Never throw away credit card or bank statements in usable form.
e. Be aware of missed bills, which could indicate your account has been taken over.
f. Be cautious of scams requiring you to provide your personal information.
g. Never give your credit card number over the phone unless you made the call.
h. Monitor your credit statements monthly for any fraudulent activity.
i. Report unauthorized transactions to your bank or credit card company as soon as possible.
j. Review a copy of your credit report at least once a year.
31. Internet Extortion
a. Security needs to be multi-layered so that numerous obstacles will be in the way of the intruder.
b. Ensure security is installed at every possible entry point.
c. Identify all machines connected to the Internet and assess the defenses that are engaged.
d. Identify whether your servers are listening on any ports that are known to be insecure.
e. Ensure you are utilizing the most up-to-date patches for your software.
32. Investment Fraud
a. If the "opportunity" appears too good to be true, it probably is.
b. Beware of promises to make fast profits.
c. Do not invest in anything unless you understand the deal.
d. Don't assume a company is legitimate based on the "appearance" of the website.
e. Be leery when responding to investment offers received through unsolicited email.
f. Be wary of investments that offer high returns at little or no risk.
g. Independently verify the terms of any investment that you intend to make.
h. Research the parties involved and the nature of the investment.
i. Be cautious when dealing with individuals outside of your own country.
j. Contact the Better Business Bureau to determine the legitimacy of the company.
33. Lotteries
a. If the lottery winnings appear too good to be true, they probably are.
b. Be cautious when dealing with individuals outside of your own country.
c. Be leery if you do not remember entering a lottery or contest.
d. Be cautious if you receive a telephone call stating you are the winner in a lottery.
e. Beware of lotteries that charge a fee prior to delivery of your prize.
f. Be wary of demands to send additional money to be eligible for future winnings.
g. It is a violation of federal law to play a foreign lottery via mail or phone.
34. Nigerian Letter or "419"
a. If the "opportunity" appears too good to be true, it probably is.
b. Do not reply to emails asking for personal banking information.
c. Be wary of individuals representing themselves as foreign government officials.
d. Be cautious when dealing with individuals outside of your own country.
e. Beware when asked to assist in placing large sums of money in overseas bank accounts.
f. Do not believe the promise of large sums of money for your cooperation.
g. Guard your account information carefully.
h. Be cautious when additional fees are requested to further the transaction.
35. Phishing/Spoofing
a. Be suspicious of any unsolicited email requesting personal information.
b. Avoid filling out forms in email messages that ask for personal information.
c. Always compare the link in the email to the link that you are actually directed to.
d. Log on to the official website, instead of "linking" to it from an unsolicited email.
e. Contact the actual business that supposedly sent the email to verify whether the email is genuine.
36. Ponzi/Pyramid
a. If the "opportunity" appears too good to be true, it probably is.
b. Beware of promises to make fast profits.
c. Exercise diligence in selecting investments.
d. Be vigilant in researching with whom you choose to invest.
e. Make sure you fully understand the investment prior to investing.
f. Be wary when you are required to bring in subsequent investors.
g. Independently verify the legitimacy of any investment.
h. Beware of references given by the promoter.
37. Reshipping
a. Be cautious if you are asked to ship packages to an "overseas home office."
b. Be cautious when dealing with individuals outside of your own country.
c. Be leery if the individual states that his country will not allow direct business shipments from the United States.
d. Be wary if the "ship to" address is yours but the name on the package is not.
e. Never provide your personal information to strangers in a chat room.
f. Don't accept packages that you didn't order.
g. If you receive packages that you didn't order, either refuse them upon delivery or contact the company the package is from.
38. Spam
a. Don't open spam. Delete it unread.
b. Never respond to spam, as this will confirm to the sender that it is a "live" email address.
c. Have a primary and a secondary email address: one for people you know and one for all other purposes.
d. Avoid giving out your email address unless you know how it will be used.
e. Never purchase anything advertised through an unsolicited email.
39. Third Party Receiver of Funds
1. Do not agree to accept and wire payments for auctions that you did not post.
2. Be leery if the individual states that his country makes receiving these types of funds difficult.
3. Be cautious when the job posting claims "no experience necessary".
4. Be cautious when dealing with individuals outside of your own country.
Chapter Review Key Points
1. Identity theft has become rampant in recent years.
2. Detecting identity theft within a month helps significantly to minimize losses.
3. You should review/balance all of your statements each month.
4. 12% of all identity theft comes from discarded papers.
5. 11% of all identity theft comes from stolen wallets or purses.
6. 16% of all identity theft is committed by friends, relatives or co-workers.
7. It is easy for someone to masquerade as a legitimate employee or co-worker.
8. PINs can help minimize damage from identity theft.
Employee Theft
Chapter 27
The US Chamber of Commerce estimates that employee theft costs businesses $40 billion each year. This total is ten times the value of street crime losses annually in the USA. Another study estimates that employee theft and dishonesty cost U.S. businesses between $60 billion and $120 billion per year, not including the billions spent on protecting against theft. Presented below are a few statistics:
1. Employees out-steal shoplifters.
2. The US Chamber of Commerce estimates that 75% of all employees steal at least once, and that half of these steal again.
3. Department of Justice reports cite lower numbers, estimating that nearly one third of all employees commit some degree of employee theft.
4. Recent reports claim that employee theft is increasing at a rate of fifteen percent annually, and according to the FBI, employee theft is one of the fastest growing crimes in the USA.
5. Some experts claim that one third of all new businesses fail because of employee theft.
6. It is estimated that approximately two percent of all business sales are lost to employee theft.
7. The percentage of resumes and job applications that contain lies and exaggerations has been estimated at between 30 and 80 percent. (Security Management Magazine)
8. 5% of professional hires have criminal records. (Source: HR Logic)
9. 75% of internal theft is undetected. ("How to Identify Dishonesty Within Your Business")
10. Employee theft amounts to 4% of food sales, at a cost in excess of $8.5 billion annually. 75% of inventory shortages are attributed to employee theft. (National Restaurant Association)
11. The labor law industry has increased by 2,200%. (Equal Employment Opportunity Commission)
12. Employee theft costs between 1/2% and 3% of a company's gross sales. Even if the figure is 1%, it still means employees steal over a billion dollars a week from their employers. ("How to Identify Dishonesty Within Your Business")
13. 30% of business failures are due to poor hiring practices. Annual losses generated by poor hires, absenteeism, drug abuse, and theft amount to $75 billion per year. (U.S. Department of Commerce, Atlanta Business Chronicle)
Employee Theft Takes Many Forms
Employee theft can encompass many activities, including:
1. Faking on-the-job injuries for compensation.
2. Taking merchandise.
3. Stealing small sums of cash.
4. Forging or destroying receipts.
5. Shipping and billing scams.
6. Putting fictitious employees on the payroll.
7. Falsifying expense records.
Employee theft may be a simple isolated event carried out by one individual, a highly organized scheme to acquire substantial financial or material gain, or anything in between.
Preventing Employee Theft
Statistics indicate that only two percent of businesses that suffer losses from employee theft take subsequent steps to prevent future cases of employee theft.
To deal with the problem of employee theft, employers can:
1. Better Hiring: In general, establish a smart hiring process more likely to yield trustworthy employees (i.e. personal interviews, background checks, credit checks, etc.), including checks of:
a. Criminal history for crimes involving violence, theft, and fraud;
b. Civil history for lawsuits involving collections, restraining orders, and fraud;
c. Driver's license records for numerous or serious violations;
d. Education verification for degrees from accredited institutions;
e. Employment verification of positions, length of employment, and reasons for leaving.
4. References: Check and document the references of each new hire.
5. Conduct Frequent Physical Inventories: Pilferage is one of the most common forms of internal loss. Reconcile sales to inventory on a quarterly basis, or at least annually, with the help of a third party. Conduct surprise inventories.
7. Personally Approve Bookkeeping Adjustments: Approve any adjustments to the books, no matter how slight, even adjustments to correct an error.
8. Control Check Signers: Limit the number of signatories to yourself and one or two highly trusted assistants. Keep blank checks under lock and key.
9. Review Monthly Bank Statements: Instruct your bank to send the monthly statement directly to you. Review the statement before passing it on to your bookkeeper. This review allows you to spot any improperly executed checks.
10. Tighten Up On Petty Cash: Allow only one or two trusted employees to disburse petty cash. Require that a receipt and a signed voucher be submitted for all petty cash disbursements.
11. Separate Buying and Bookkeeping: To maintain a system of checks and balances, assign ordering and payment responsibilities to different employees.
12. Watch Company Credit Cards: Require that all credit cards be signed out and that all credit card expenses be authorized by a purchase order.
13. Document All Expense Reports: Require strict documentation for all reimbursable expenses incurred by employees. Subject every expense account voucher to a pre-audit review procedure before payment.
14. Have a Third Party Refund Policy: Issue refunds only upon the approval of a third party, preferably a trusted assistant.
15. Culture of Honesty: Try to cultivate a culture of honesty within your organization through short seminars, circulating articles, and recognizing and rewarding correct behavior. A positive work environment encourages employees to follow established policies and procedures, and to act in the best interests of the organization. Fair employment practices, written job descriptions, a clear organizational structure, comprehensive policies and procedures, open lines of communication between management and employees, and positive employee recognition will all help reduce the likelihood of internal fraud and theft.
16. Security Cameras: Install cameras throughout your facilities to record and capture all activities.
17. Be Organized: A well-organized stockroom, supply room or warehouse makes it easier to spot missing items.
18. Test The System: Remove some inventory, introduce a bogus invoice, etc., and see how long it takes for your employees to discover the errors.
19. Closing Procedures: Prepare a checklist of closing and lock-up procedures for employees. Make sure the appropriate employees understand what is expected.
20. Security Tags: Make sure all equipment is marked. Take time to mark company equipment with inventory tags or an electric pencil. Computers and computer-related equipment are vulnerable, particularly laptop computers. Use equipment serial numbers or a similar system to track equipment.
21. Employee IDs: Use an employee identification system, if practical. If you have many full- and part-time employees or you are having key management problems, an access system that requires the employee to insert an electronically coded card upon entering the business or specific areas will give additional control.
22. Screen New Customers: A common ploy occurs when employees sell goods to their friends, who in turn disappear and never pay. Take time to perform reasonable background checks on new customers to ensure their authenticity. Look up their address on Google Maps, call the phone number to make sure it is valid, ask for letterhead and business cards, review the customer's web site, call and welcome the customer, visit the customer.
23. Escalate Larger Accounting Transactions: Implement measures to hold the processing of larger transactions until approved by a third party within your organization. The escalation threshold can be raised as employees earn more trust.
24. Implement an Anonymous Reporting System: Provide a confidential reporting system for employees, vendors, and customers to anonymously report any violations of policies and procedures.
25. Perform Regular and Irregular Audits: Perform regular and random unannounced financial audits and fraud assessments to help identify new vulnerabilities and to measure the effectiveness of existing controls. This lets employees know that fraud prevention is a high priority for the organization.
26. Investigate Every Incident: A thorough and prompt investigation of policy and procedure violations, allegations of fraud, or warning signs of fraud will give you the facts you need to make informed decisions and reduce losses.
27. Eliminate Temptations: Eliminate as many temptations as you can by securing goods and cash, locking doors and drawers, and implementing well-known controls.
28. Keys: Be careful with keys. Sign out all keys and collect them when employees leave the company. Better yet, move to electronic card keys that can be disabled when employees leave.
29. Lead By Example: Senior management and business owners set the example for the organization's employees. A cavalier attitude toward rules and regulations by management will soon be reflected in the attitude of employees. Every employee, regardless of position, should be held accountable for their actions.
30. Use Consecutive Numbers: Make sure all checks, purchase orders, and invoices are numbered consecutively, and regularly check for missing documents.
31. For Deposit Only Stamp: Use a "for deposit only" stamp on all incoming checks to prevent an employee from cashing them.
32. Unopened Mail: Unopened bank statements and canceled checks should be received by the business owner or outside accountant each month, and they should carefully examine them for any red-flag items such as missing check numbers. They should also look at the checks that have been issued to see if the payees are legitimate, and make sure that the signatures are not forgeries.
33. Reconcile Statements: The purpose of the bank statement reconciliation is to prove that the cash on the books agrees with the cash at the bank. It is difficult for an employee to hide theft when bank reconciliations are prepared monthly. Of course, bank reconciliations should be prepared by an outside person and need to be reviewed by management.
34. Two Signatures: Require all large checks to have two signatures. Never sign a blank check. Sign every payroll check personally. Avoid using a signature stamp.
35. Insurance: Consider obtaining an insurance policy that covers outside crime, employee theft and computer fraud. It will be there as a safety net in case your fraud prevention tactics don't work.
36. Look for Stress: Be alert to disgruntled or stressed employees, or those who have indicated that they are having financial difficulties. Also look for any unexplained significant rises in an employee's living standard.
Employee Background Checks
Chapter 28

Employee Background Checks
With identity theft and cybercrime on the rise, and the ease with which fake IDs and fake college diplomas can be obtained via the internet, it is more important than ever to conduct a background check on potential employees, if not all potential vendors and customers. There are dozens of background check companies to choose from, charging fees ranging from $20 to $200 per background check. Some of the sources they commonly check are as follows:
1. County Criminal Checks: Search of superior, upper, lower, and/or municipal court records across the country to determine if a subject has a felony or misdemeanor filing within the last seven years, or longer if the record includes a legally reportable conviction.
   a. County Court Houses
   b. State Departments of Incarcerations
   c. State Record Repositories
   d. Probation Departments
   e. Townships
   f. Sex Offender Registries
3. Social Security Number Traces: A common mistake employers make is failing to cross-check the identity of their applicants with a Social Security Number Trace using credit history information. A proper background check should employ SSN Trace information to authenticate that the Social Security Number provided by your applicant is associated with an individual of the same name, that the approximate date-of-issue range of the SSN equates with your applicant's birth date, and that the address history associated with that SSN corresponds with the areas of the country where your applicant has lived, worked, attended school, or spent other significant time. This type of SSN Trace will usually turn up any alias names that have been associated with that SSN.
4. Driver's License History Search: This is an important search for applicants who are required to operate their vehicle for business purposes and/or drive a company vehicle. Records will show history over the past 3-7 years and are available in all 50 states and Washington DC. Reports will include all personal identifiers as well as offenses and citations.
5. Pre-Employment Credit Reports: Full credit report from one of the three nationwide credit bureaus. This report will offer insight into the applicant's reliability and a sense of their personal responsibility. This report will include derogatory credit information, public filings (bankruptcies, liens and judgments) as well as previous addresses. This can be another great tool for identifying other counties where the applicant may have lived, and is especially useful for companies whose candidates will have check-writing privileges or other access to company funds.
7. Substance Abuse Screening: Incorporating substance abuse screening into your hiring process is now fairly easy. Most services offer urine, hair and saliva testing at thousands of Patient Service Centers across the United States. Screens can be used for pre-employment, random and post-accident programs. Results are typically reviewed by board-certified Medical Review Officers (MRO), and handled in full compliance with federal DOT regulations and guidelines. Negative results are typically determined in 1-2 days.
10. Employment Verifications: Some candidates may be less than truthful about their employment history. Research shows this to be the number one discrepancy on resumes and job applications. A proper background check should verify information on your applicant's resume. Dates of employment, starting and ending positions and salaries, reason for termination, and eligibility for rehire are examples of the information employers should be asked to verify. If possible, the background check should include an interview of the candidate's supervisor to gain more personal knowledge of the applicant's skills and functionality in the workplace.
11. Federal Criminal Court Searches: There are many crimes that don't necessarily fall under local laws; they fall under federal jurisdiction. These crimes may include tax evasion, embezzlement, counterfeiting, bank robbery and many other "white collar" crimes. This search lists criminal filings in any of the nation's federal district courts.
12. Sex Offender Registry: A Sex Offender Registry Search should be conducted to see if your subject is a registered offender.
13. Global Screening Services: Some background checks include searches on applicants that have lived or reside outside of the US. Many services are able to execute a Criminal Records Search in over 150 countries and Employment and Education Verifications in over 200 countries throughout the world.
14. Workers Compensation: A check of the state(s) worker's compensation commissions in the area(s) where the candidate has resided, to locate any claim history. The investigation is conducted in compliance with the Americans with Disabilities Act (ADA).
15. Electronic Employment Eligibility Process (I-9): This process typically includes a "smart" error-detecting I-9 form, electronic archival of completed forms and instant confirmation of Employment Eligibility Status. This program is in compliance with the government's E-Verify program.
17. Neighbor Checks: Some background checks include locating and interviewing neighbors who have lived next to or near the applicant.
18. Military Records Verification: Military records can be searched to confirm military service, including dates of service and ranks reached.
Background Check Privacy
There are some questions that cannot be asked, and information that cannot be relied upon, when hiring an employee. In general, these questions revolve around disabilities, bankruptcy, criminal convictions after a certain number of years, and medical records. Depending upon the state where you operate, these topics and others may be off limits. To protect yourself, you should make yourself familiar with the laws in your state, and you should obtain written permission from the applicant to conduct a background check.
Some employers say that asking for written permission from the applicant to conduct a background check often is all that is needed for some applicants to admit to additional history that may be pertinent to the hiring decision.
Letters of Reference
You should always require letters of reference, and these letters of reference should be investigated to make sure that they are authentic before making the final hire decision.
Background Checking Services
1. www.trudiligence.com - Many searches with instant results. Free 1-week trial.
2. www.formi9.com - Electronic I-9s. Expert I-9 audits. Instant Employment Eligibility Verification.
3. find.intelius.com - $29.95 Instant Criminal & Background Check, SSN Verification, Sexual offender registry, and Address trace in one! FCRA compliant.
4. www.Intelius.com - Instant Criminal & Background Check, SSN Verification / FCRA. (877) 974-1500
5. www.CriteriaCorp.com - Screen employees with personality, aptitude, skills tests.
6. www.HireRight.com - Industry's fastest turnaround time. Trusted by Fortune 500.
7. www.infolinkscreening.com - Accurate and compliant employee background checks, drug testing, physical exams, and Form I-9 eSolutions provided by Kroll.
8. www.sentrylink.com - Instant online results for criminal checks, driving records, and credit reports. FCRA compliant. National criminal check only $19.95.
9. www.IntegraScan.com/EmployeeScreening - $18.95. Free preliminary results. Instantly check millions of records for $18.95. Comprehensive state and national background checks.
10. www.backgroundsonline.com - Professional employment background screening, hire with confidence!
11. www.CorporateScreening.com - Medical, Manufacturing, Financial. Quality customized services.
12. www.absolutebackgrounds.com - Provider of online applicant screening services.
13. www.backgroundcheckgateway.com - Site enables visitors to perform free background checks, using public records.
14. www.backgroundchecks.com - A service which provides instant desktop delivery of criminal records information, social security validation and more.
15. www.backgroundsonline.com - Provider of web-based pre-employment screening services and employee background checks, including criminal, reference, DMV, education and employment verification.
16. www.brainbench.com - Provider of Internet-based applicant testing services, including technical, language and programmer/analyst aptitude testing.
17. www.corporatescreening.com - Provides national employee and business background online.
18. www.esrcheck.com - Firm offers pre-employment screening services for employers, human resources and security departments.
19. www.hireright.com - Provider of online pre-employment screening services.
20. www.informus.com - Provides internet-based employee screening.
21. www.sentrylink.com - Instant online results for criminal checks, driving records, and credit reports. FCRA compliant. National criminal check only $19.95.
22. www.trudiligence.com - Many searches with instant results. Compare vendors. Free 1-week trial.
23. www.peoplewise.com - Provider of legally compliant employment screening services over the Internet.
24. www.prsinet.com - Provider of pre-employment screening through background checks. Provides a web-based order and retrieval system.
25. www.reviewnet.net - Provider of Internet-based solutions to attract, screen, interview and retain technology professionals.
www.NetDetective.com
Bonding Employees
Chapter 29

Bonding Employees
Bonding is "an insurance contract in which an agency guarantees payment to an employer in the event of unforeseen financial loss through the actions of an employee."
In a perfect world, employee theft would never happen. Unfortunately, it does. To protect yourself, bonding helps assure that employees are trustworthy. And, if something should go amiss, it will be replaced. How important is bonding? One report claims that one-third of all bankruptcies are caused by employee theft (according to Marc Leclair, Assistant Vice President of Corporate Risk with London Guarantee).
When to Bond Your Employees
In general, you should consider bonding employees whenever they have access to expensive inventory or large sums of cash. Statistically speaking, you may be surprised to learn that the employees most likely to steal from you are the long-standing employees who have been with you for 10 to 15 years. The employees that have been at the same position for years understand the accounting system to the point where they can actually play games with the numbers without you seeing the changes. Bank employees and warehouse workers are examples of employees that are typically bonded.
Why You Bond Employees
Employees who have been convicted of fraud in the past are not usually able to get coverage, so bonding helps you avoid the wrong employees to start with. Employers also use fidelity bonds to protect themselves from theft. There are four basic types of fidelity bonds, as follows:
1. Individual: Covers one employee (usually purchased by small concerns or family-operated businesses with only one employee).
2. Name Schedule Fidelity Bond: You designate a set amount of coverage for a list of employees that you provide for the insurance company. Each time you hire a new employee, you have to contact the insurance company to have that person added to the list, if you choose to do so. Collection under this coverage hinges on absolute proof that an employee did in fact steal from you.
3. Blanket Position Bond: Under this type of bond, you specify coverage for a position rather than the individual. Each employee of a business is covered, and new employees are added automatically. Coverage is offered for each employee up to the maximum set out in the insurance policy. Blanket position bonds don't require proof of the individual responsible for the theft.
4. Primary Commercial Blanket Bond: Like the Blanket Position Bond, this bond covers each employee in the company. This type of coverage does not accommodate each employee, but rather treats the employees as one unit. In other words, it does not matter if one or five people were involved in the crime; you will be able to claim the same amount.
The Federal Bonding Program / Fidelity Bonding
A federal fidelity bond is NO COST insurance coverage meant to allow employers to hire job applicants considered "at risk" due to their past life experiences, protecting employers against employee dishonesty, theft or embezzlement. Since the program's inception in 1966, approximately 43,000 bonds have been issued with a 99% success rate. And, users have the added benefit of turning unemployed applicants into tax-paying workers! Federal bonding may be provided to any individual who:
1. may have a dishonorable military discharge,
2. may have a record of arrest, conviction or imprisonment,
3. lacks work history,
4. has a poor credit history, and
5. has an offer of full-time employment.
Note: Self-employed individuals are not eligible.
The process is simple and quick. Employers are not required to fill out forms. Employers, on behalf of the job applicant, can request Fidelity Bonding by contacting the appropriate local department in person or via telephone. If an applicant and job meet eligibility criteria, bonding becomes effective immediately following certification and on the applicant's first day of work. Upon certification, the coverage provider mails the bond directly to the employer.
Coverage: An employee can be bonded for at least $5,000. The bond initially covers a six-month period beginning the first day of employment. After that time, if a bond still remains a condition of employment, employers can request a renewal for an additional six months (only one renewal per bond issued) or purchase the bond through the contracted insurance company at current commercial rates.
Additional information on Fidelity Bonding is available at your local Employment and Training Center in your state. Bonding coordinators are available to help employers match the amount of bond coverage to the requirements of the position. Employers may also contact the State Bonding Coordinator at 312/793-9741.
Key Points
1. Bonding is simply a form of insurance protecting you from employee theft.
2. Bonding is recommended when employees have access to expensive inventory or large sums of cash.
3. Long-standing employees (15 to 20 years) are more likely to steal.
4. There are four types of bonds.
5. Federal bonding is sometimes available for free.
Asterisk Key
Chapter 30

Asterisk Key
This is a free utility that you can download (http://www.lostpassword.com/asterisk.htm) to reveal the passwords hidden under asterisks. It can instantly reveal any hidden password that is saved in a password dialog box or web page.
Of course you need access to the computer, and the computer must have the password remembered in order for this to work. Still, the existence of tools like this shows the vulnerability that occurs when you save your passwords on your computer.
Encryption Analyzer & Passware Kit
Chapter 31

Encryption Analyzer
Encryption Analyzer is a free downloadable utility program that locates all of the password-protected or encrypted files on a PC or on PCs across a network. Key features are as follows:
1. Scans files fast: over 4,000 files per minute on an average PC.
2. Supports over 100 different file formats.
Passware Kit
Passware Kit is priced starting at $195. The product includes over 25 password recovery modules. Passware Kit claims to crack the following files:
1. Windows
2. Office
3. Excel
4. Word
5. QuickBooks
6. Access
7. FileMaker
8. Outlook
9. Outlook Express
10. Exchange
11. WinZip / PKZip / ZIP
12. WinRAR / RAR
13. Network Connections
14. SQL
15. BestCrypt
16. OneNote
17. PowerPoint
18. VBA Visual Basic modules
19. Internet Explorer
20. EFS Encrypted File System
21. Acrobat
22. Quicken
23. Lotus 1-2-3
24. Lotus Notes
25. Lotus Organizer
26. Lotus WordPro
27. Quattro Pro
28. QuickBooks 2008
29. Quicken 2008
30. Quicken databases up to 2007
31. Backup
32. Project
33. MYOB
34. Peachtree
35. Paradox
36. ACT!
37. Mail
38. Schedule+
39. Money
40. WordPerfect
Securing Desktop Computers
Chapter 32

Desktop Computer Theft
While laptop computers are most often stolen, desktop computers tend to be left unattended in empty buildings. This fact gives rise to special considerations for securing desktop machines. Specifically, desktop computers should be locked up and bolted down to deter or prevent theft. Presented below are anti-theft devices that may help you prevent the theft of your desktop computers.
Anti-Theft Products
Desktop Locking Devices
Security Guard
Biometric Security Device
Bolt-on Anti-Theft Cable Systems
Locking Anti-Theft Cable Systems
Retinal Scanners to gain access to Offices
Locking Cables
UV Marking Kits
Fake Security Camera
Security Camera Systems
Hidden Camera
See-Thru Mirrors
Mirrored Ceiling Domes
Dead Bolts
Outdoor Security Lighting
Computer Protection Measures
There are several measures you can take to better secure your offices and computer systems. For example, you could make sure that your building is very secure to prevent intruders and theft. Install extra window locks and door locks. Consider hiring a building guard. Install key entry systems that monitor and record employee access. Install door locks on internal doors to prevent access to file servers & systems. Use computer locks to bolt computers to desks and tables. Use computer locks to protect laptop computers when traveling.
Power Failure
Power failures represent the most frequent cause of data loss, which is a sad fact to report considering how easy this problem is to avoid. All computer systems should be equipped with an uninterruptible power supply (UPS) device to protect from power outages and power surges. For example, American Power Corporation produces a wide variety of UPS devices and surge suppressors.
APC offers more than 150 of these devices ranging in price from $40 to more than $80,000. Most business computers can be protected from power failure for about $60 to $250, depending upon the amount of battery time you prefer. All APC UPS products include PowerChute software that can be set to close your applications and shut down your computer automatically and gracefully in the event of a prolonged power failure in your absence. Another benefit of using an APC device is the automatic insurance which covers any electrical-related damage to your computer up to $25,000. These UPS devices can also protect your phone systems and television cable hookups as well.
You should use a UPS device to protect your entire computer system including monitors, hubs, routers, and externally connected devices. The one exception to this rule is printers, because they are typically a big drain on power. Therefore, unless you have a powerful UPS device, you should avoid plugging your printer into your UPS, but be sure to always use a surge protector.
Computer Failure
Computer components can fail. The most common computer failures can be attributed to power supplies, hard drives, and system motherboards. However, other components such as RAM chips, processors, circuit boards, floppy disk drives, CD drives, and monitors can go bad as well. Today, most newer computers can be repaired quickly by replacing the damaged item; however, legacy computers may take time to repair as replacement parts are often only available on the used market. Do not attempt to operate a visibly damaged computer. If your computer is making an unusual noise, turn it off. There is a good chance that a noisy computer has suffered or will suffer a head crash; hence the faster it is deactivated, the better the chance for data recovery.
If your computer does fail, do not automatically turn to recovery software. If you suspect that you may have lost access to data due to electrical or mechanical failure, software can't help. Using file recovery utilities on a faulty hard drive can destroy what was recoverable data. When a drive failure is suspected, turn off the machine. Call in a computer systems recovery specialist with the proper training and experience. Lost data can become unrecoverable data when un- or under-qualified personnel misuse file recovery utilities, open disk drives, and lack the basic skills necessary to properly maintain and repair computer equipment and data.
Windows Security
Windows Services
Chapter 33

Windows Services
Windows Services are Windows components (or programs) that run in the background of Windows to perform specific functions. They generally start each time the Microsoft Windows operating system is booted and continue running in the background as long as Windows is running. They appear in the processes list in Windows Task Manager as shown below:
As a general rule you should turn off all Windows Services that you do not need, and check to make sure that rogue applets are not running as Windows Services. As a result of clearing your Windows Services, your computer will perform faster, and there will be fewer services which might give a hacker tunnel access to your computer system. To turn off a service, select "Services" from the Windows Control Panel as circled above, or run "Services.msc" using the Run command on the Start Menu.
As an example, in the screen below I have entered the Windows Services Administration Tool and right-clicked on the Carbonite Service. Here I can accomplish the following:
1. Start, stop, pause or restart services.
2. Specify service parameters.
3. Change the startup type, which includes Automatic, Manual and Disabled:
   a. Automatic starts the service at system logon.
   b. Manual starts a service as required or when called from an application.
   c. Disabled completely disables the service.
   d. Automatic (Delayed) is a new startup type introduced in Windows Vista that starts the service a short while after the system has finished booting and initial busy operations, so that the system boots up faster.
4. Change the account under which the service logs on.
5. Configure recovery options upon service failure.
6. Export the list of services as a text file or a CSV file.
Repeat this step to disable any unused services. The services you use may be different from the ones my computer uses; therefore, it is difficult to advise you as to exactly which services you should disable. Listed below are the most commonly unused services, but read through the remaining services in your Computer Management window to identify any other services you may not be using.
Windows Vista Services that Most Users Should Consider Disabling
(55 Out of 154 Services Should Be Disabled)
1. Application Experience
2. Application Layer Gateway Service
3. Application Management
4. Certificate Propagation
5. DFS Replication
6. Diagnostic Policy Service
7. Diagnostic Service Host
8. Diagnostic System Host
9. Distributed Link Tracking Client
10. Distributed Transaction Coordinator
11. Fax
12. Function Discovery Provider Host
13. Function Discovery Resource Publication
14. Health Key and Certificate Management
15. Human Interface Device Access
16. IKE and AuthIP IPsec Keying Modules
17. Interactive Services Detection**
18. Internet Connection Sharing (ICS)
19. IP Helper
20. IPsec Policy Agent
21. KtmRm for Distributed Transaction Coordinator
22. Link-Layer Topology Discovery Mapper
23. Microsoft iSCSI Initiator Service
24. Netlogon
25. Network Access Protection Agent
26. Offline Files
27. Parental Controls
28. Peer Name Resolution Protocol
29. Peer Networking Grouping
30. Peer Networking Identity Manager
31. PnP-X IP Bus Enumerator
32. PNRP Machine Name Publication Service
33. Portable Device Enumerator Service
34. Problem Reports and Solutions Control Panel Support
35. Quality Windows Audio Video Experience
36. Remote Registry
37. Secure Socket Tunneling Protocol Service**
38. Smart Card
39. Smart Card Removal Policy
40. SNMP Trap
41. Tablet PC Input Service
42. Terminal Services UserMode Port Redirector
43. Virtual Disk
44. WebClient
45. Windows CardSpace
46. Windows Connect Now - Config Registrar
47. Windows Error Reporting Service
48. Windows Image Acquisition (WIA)
49. Windows Media Center Receiver Service
50. Windows Media Center Scheduler Service
51. Windows Media Center Service Launcher
52. Windows Media Player Network Sharing Service
53. Windows Remote Management (WS-Management)
54. Windows Search
55. WinHTTP Web Proxy Auto-Discovery Service
Comments about Adjusting your Windows Services
1. Before adjusting your service settings, first install all Windows Updates.
2. If you are unsure whether you need a specific service or not, read the Description field.
3. If you are still in doubt, my recommendation is to leave the default setting.
4. Service settings are global, meaning changes apply to all users.
5. If you are still unsure, put your setting to "Manual" or the listing under "Safe."
6. Manual allows Windows Vista to start the service when it needs to, but not at boot up.
7. If you need a service, make it Automatic.
8. After adjusting your service settings, reboot your computer.
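Since the Services tool can export its list as a CSV file, the script below (an added example, not part of the course material) reads such an export and reports which of the services named in the list above still start automatically, which are already Manual or Disabled, and which are absent from the machine, following the advice in the comments above. The column names "Name" and "Startup Type" and the sample export are assumptions constructed for the demonstration.

```python
"""Audit a services.msc CSV export against the chapter's "consider disabling" list.

Added example; not part of the course material. It assumes the file produced by
the "Export List" action in services.msc: comma-separated, with a header row that
contains a "Name" column and a "Startup Type" column (the parser finds both by
header text, so the exact column order does not matter). The export below is
constructed for the demonstration; it is not from a real machine.
"""
import csv
import io

# A subset of the chapter's "consider disabling" list, using the display names
# that appear in services.msc.
CONSIDER_DISABLING = {
    "Application Experience",
    "Fax",
    "Remote Registry",
    "SNMP Trap",
    "WebClient",
    "Windows Remote Management (WS-Management)",
    "Windows Search",
}

# Constructed sample export (Status is blank for services that are not running).
SAMPLE_EXPORT = """Name,Description,Status,Startup Type,Log On As
Application Experience,Processes application compatibility cache requests,Started,Automatic,Local System
Fax,Enables you to send and receive faxes,,Manual,Network Service
Remote Registry,Enables remote users to modify registry settings,Started,Automatic,Local Service
SNMP Trap,Receives trap messages generated by SNMP agents,,Disabled,Local Service
WebClient,Lets Windows programs access Internet-based files,Started,Automatic (Delayed Start),Local Service
Windows Search,Provides content indexing,Started,Automatic (Delayed Start),Local System
Workstation,Creates and maintains client network connections,Started,Automatic,Local Service
"""


def audit_services(export_text, watch_list=CONSIDER_DISABLING):
    """Map each watched service to one finding.

    "review"   present and set to start automatically (including delayed start):
               decide whether it is needed; if unsure, the chapter says use Manual.
    "manual"   present, starts only on demand: acceptable per the chapter.
    "disabled" present and already disabled.
    "absent"   not in the export (not installed on this edition of Windows).
    Services that are not on the list are left alone, as the chapter advises.
    """
    reader = csv.DictReader(io.StringIO(export_text))
    if not reader.fieldnames:
        raise ValueError("export has no header row")

    def column(predicate):
        for header in reader.fieldnames:
            if predicate(header.strip().lower()):
                return header
        raise ValueError("export lacks the expected column")

    name_col = column(lambda h: h == "name")
    start_col = column(lambda h: "startup" in h)

    findings = {name: "absent" for name in watch_list}
    for row in reader:
        name = (row.get(name_col) or "").strip()
        if name not in watch_list:
            continue
        startup = (row.get(start_col) or "").strip().lower()
        if startup.startswith("automatic"):
            findings[name] = "review"
        elif startup == "manual":
            findings[name] = "manual"
        elif startup == "disabled":
            findings[name] = "disabled"
        else:
            findings[name] = "unknown:" + startup
    return findings


def summarize(findings):
    """Count findings by category, e.g. {'review': 4, 'manual': 1, ...}."""
    counts = {}
    for verdict in findings.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    result = audit_services(SAMPLE_EXPORT)
    for service in sorted(result):
        print(f"{result[service]:>8}  {service}")
    print(summarize(result))
```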
For a better source of information on Windows Services, visit http://www.blackviper.com/. This website provides a current list of Windows services that should be disabled for each version of Windows, and provides your choice of Safe, Tweaked and Bare Bones recommendations. Shown below is a small sample of this website's tables.
Service | DEFAULT Home Basic | DEFAULT Home Premium | DEFAULT Business | DEFAULT Ultimate | "Safe" | "Tweaked" | "Bare Bones"
Application Experience | Automatic (Started) | Automatic (Started) | Automatic (Started) | Automatic (Started) | Automatic | Disabled* | Disabled*
Application Information | Manual (Started) | Manual (Started) | Manual (Started) | Manual (Started) | Manual | Manual | Manual
Application Layer Gateway Service | Manual | Manual | Manual | Manual | Manual | Manual |
Application Management | Not Available | Not Available | | | | |
(Cells missing from this excerpt of the table are left blank.)
Similar services are offered at www.LabMice.net and www.TheElderGeek.com.

Risk of Fire
Chapter 34

Risk of Fire
All of the passwords and security settings in the world won't help much in the event that your facility burns down. Therefore, in a discussion about security, it is prudent to discuss the threat of fire and provide possible measures for minimizing that threat.
As a service, your local Fire Marshal will usually visit your facility for free and inspect your building in order to identify potential fire threats and provide you with suggestions for minimizing the risk of fire.
Presented below is a sensible checklist that you should use to help you identify any obvious measures you can take to minimize the risk of fire. If you answer No to any of these items, then perhaps you should take measures to better secure your facilities.
Fire Prevention Checklist
1. Is the address of your property clearly visible and marked in large numbers that can be easily seen from the street?
2. Are fireproof filing cabinets adequately used to protect printed information?
3. Are computers elevated off the floor in order to prevent damage from water in the event that sprinklers or fire hoses are used to put out a fire?
4. Are there adequate smoke detectors in the building?
5. Are smoke detectors operational?
6. Are smoke alarm batteries changed at regular intervals (twice a year)?
7. Are smoke alarms tested regularly (twice a year)?
8. Are evacuation signs properly posted?
9. Are exit signs properly displayed?
10. Are all exits accessible without using a key? (i.e., not dead-bolted)
11. Do you have emergency lighting, and does it work?
12. Do you have at least two plans of escape?
13. Does the plan call for a safe meeting place outside the building so employees can be quickly accounted for?
14. Are plans of escape practiced regularly?
15. Are there adequate fire extinguishers in the building?
16. Are the areas outside and around the building free of weeds, debris and trash?
17. Is the use of all extension cords and power strips inspected for proper use?
18. Are extinguishers in place, serviceable and clear of obstruction?
19. Are extinguisher tags current?
20. Are there adequate sprinklers used throughout the building?
21. Is there 0.5 meter of clear space below all sprinkler heads?
22. Are there fire hoses in the building?
23. Are those fire hoses in cabinets properly racked and in good condition?
24. Is there a fire water storage tank in the building?
25. Is the fire water storage tank at the proper level?
26. Is the electrical room secured?
27. Is the electrical room clear of combustible material?
28. Is there 3 feet of clear space around all electrical panels?
29. Is the mechanical room secured?
30. Is the mechanical room combustion air intake clear?
31. Is the mechanical room clear of combustible material?
32. Are there any fuel spills/leaks in the mechanical room?
33. Are there any fuel spills/leaks in the generator room?
34. Are attic fire separations intact?
35. Is the attic clear of combustible material?
36. Is the attic access secured?
37. Are crawl space fire separators intact?
38. Is the crawl space clear of combustible material?
39. Is the crawl space access secured?
40. Are the storage areas secured?
41. Are the custodial rooms secured?
42. Are emergency lights operational?
43. Is flammable material properly stored?
44. Is any gas-powered equipment stored in the building?
45. If smoking is allowed, are there adequate fireproof receptacles available in all smoking venues?
46. If smoking is not allowed, are no-smoking signs displayed and are non-smoking rules enforced?
47. Are all electrical cover plates in place?
48. Are kitchen exhaust fans operational and clean?
49. Is the kitchen fire suppression system maintained to schedule?
50. Is the kitchen fire suppression system charged?
51. Are tree branches properly trimmed annually near electrical power lines?
52. Have the proper fire-resistant materials been used where possible in the construction of the building?
53. Are all exterior vents, attics and eaves covered with mesh to prevent rodents from nesting or chewing through wires?
54. Do you know your local emergency number for fire, police and ambulance, and do you have it posted near your phones?
55. Are furnaces, stoves, and flue pipes properly maintained and inspected?
56. Are portable space heaters properly maintained and used only in compliance with company policy?
57. Is the central heating system inspected annually by a qualified technician?
58. Have you catalogued and updated your inventory list for insurance claims?
Credit Card Fraud
Chapter 35
The strategy for generating credit card numbers is widely known, and the materials and equipment for producing fraudulent credit cards are also available. Hopefully, this information will make you more savvy when it comes to inspecting and accepting credit cards in your business.
The concept of using a card for purchases was described in 1887 by Edward Bellamy in his utopian novel Looking Backward. Bellamy used the term credit card eleven times in this novel.
How Valid Credit Card Numbers Are Generated: Presented below is a brief explanation of what the numbers on a typical credit card number mean.
[Figure: a credit card number with its digit groups labelled Type of Card, Issuing Bank, Account Number and Check Digit]
1. There are 16 numbers on a typical credit card.
2. The first number indicates which type of card the number belongs to: 3 = American Express or Diners Club, 4 = VISA, 5 = MasterCard, and 6 = Discover Card.
3. The next 5 digits identify the bank, or the issuer.
4. The next 9 digits form the account number. (These nine number positions can be used to create 1 billion possible account numbers.)
5. The last digit is known as the check digit, which is generated to satisfy a certain condition known as the Luhn check.
6. With each account number, there is always a unique check digit associated (for a given issuer identifier and an account number, there cannot be more than one correct check digit).
7. American Express issues credit cards with 15 digits. The account numbers in this case are 8 digits long.
The Luhn Check Digit: In 1954, Hans Luhn of IBM proposed an algorithm to be used as a validity criterion for a given set of numbers. Almost all credit card numbers are generated following this validity criterion, also called the Luhn check or the Mod 10 check. Today, the Luhn check is also used to verify a given existing card number. If a credit card number does not satisfy this check, it is not a valid number. For a 16-digit credit card number, the Luhn check can be described as follows:
1. Working right to left (starting with the check digit), double the value of every second digit. For example, in a 16-digit credit card number, double the 15th, 13th, 11th, 9th digits and so on (the digits in odd places). In all, you will need to double eight digits.
2. If doubling a number results in a two-digit number, add up the digits to get a single-digit number. This will result in eight single-digit numbers.
3. Now, replace the digits in the odd places (in the original credit card number) with these new single-digit numbers to get a new 16-digit number.
4. Add up all the digits in this new number. If the final total is perfectly divisible by 10, then the credit card number is valid (the Luhn check is satisfied); else it is invalid.
ExampleThecreditcardnumberusedaboveisinvalid.LetsapplytheLuhnalgorithmtothis
cardtofindoutwhy.
223
InformationSecurity
1. In this case, when we sum up the total, it comes to 61, which is not perfectly divisible by 10, and hence this credit card number is invalid.
2. If such a credit card number is ever generated, the value of the check digit would be adjusted in such a way as to satisfy the Luhn condition. In this case, the only value of the check digit that will create a valid credit card number is 7. Choosing 7 as the check digit will bring the total to 60 (which is perfectly divisible by 10) and the Luhn condition will be satisfied. So the valid credit card number will be 4552720412345677.
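The four Luhn steps and the check-digit repair in item 2, carried out in code. This is an added example, not part of the original manual: the valid number 4552720412345677 is the one given above, while the invalid variant 4552720412345678 (same prefix, total 61) and the field-splitting helper are constructed here from the layout the chapter describes.

```python
"""Luhn (Mod 10) check for 16-digit card numbers, following the steps in the text:
work right to left from the check digit, double every second digit, reduce
two-digit products to a single digit, sum everything, and require a multiple of 10.
Added example; the issuer/account/check split follows the layout described above."""


def luhn_total(number: str) -> int:
    """Luhn sum of a digit string (check digit included; spaces and dashes ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    # Position 0 (rightmost) is the check digit and is never doubled.
    for pos, d in enumerate(reversed(digits)):
        if pos % 2 == 1:
            d *= 2
            if d > 9:        # e.g. 14 -> 1 + 4 = 5, which equals 14 - 9
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the Luhn condition (total divisible by 10) holds."""
    return luhn_total(number) % 10 == 0


def luhn_check_digit(all_but_last: str) -> int:
    """The single check digit that makes all_but_last + digit satisfy Luhn.
    Appending a trial '0' keeps the doubling positions aligned with the final
    number; the needed digit is whatever lifts the total to a multiple of 10."""
    return (10 - luhn_total(all_but_last + "0") % 10) % 10


def split_card(number: str) -> dict:
    """Fields of a 16-digit number as described above: first digit,
    5 issuer digits, 9 account digits, 1 check digit."""
    digits = "".join(c for c in number if c.isdigit())
    if len(digits) != 16:
        raise ValueError("expected a 16-digit number")
    return {
        "first": digits[0],
        "issuer": digits[1:6],
        "account": digits[6:15],
        "check": digits[15],
    }


if __name__ == "__main__":
    valid = "4552720412345677"       # the valid number given in the text
    invalid = "4552720412345678"     # constructed: same prefix, wrong check digit
    for n in (valid, invalid):
        print(n, "total =", luhn_total(n), "valid" if luhn_valid(n) else "INVALID")
    print("correct check digit for", valid[:-1], "is", luhn_check_digit(valid[:-1]))
    print(split_card(valid))
```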
Credit Card Features
There are other ways to detect a fraudulent credit card. The four boxes below describe the various attributes that appear on each of the four major types of credit cards.
Credit Card Security Measures
The low security of the credit card system presents countless opportunities for fraud. This opportunity has created a huge black market in stolen credit card numbers, which are generally used quickly before the cards are reported stolen. The goal of the credit card companies is not to eliminate fraud, but to "reduce it to manageable levels".
To make credit cards more secure, the following security measures are commonly available:
1. The Card Security Code (CSC), sometimes called Card Verification Value or Code (CVV or CVC), is a security feature for credit or debit card transactions, giving increased protection against credit card fraud. There are actually two security codes:
a. The first code, called CVC1 or CVV1, is encoded on the magnetic stripe of the card and used for transactions in person.
b. The second code, and the most cited, is CVV2 or CVC2. This CSC (also known as a CCID or Credit Card ID) is often asked for by merchants for them to secure "card not present" transactions occurring over the Internet, by mail, fax or over the phone. In many countries in Western Europe, due to increased attempts at card fraud, it is now mandatory to provide this code when the cardholder is not present in person. An additional 3 or 4 digit code is provided on the back of most credit cards, for use in "card not present" transactions.
CVV2s Are Generated by Encryption - These numbers are generated when the card is issued, by encrypting the card number and expiration date under a key known only to the issuing bank. Supplying this code in a transaction is intended to verify that the customer has the card in their physical possession. To date, no cracks for this system are known.
CVV2s Vulnerable to Phishing - The use of the CVV2 cannot protect against phishing scams, where the cardholder is tricked into entering the CVV2 among other card details via a fraudulent web site.
CVV2s May Not Be Stored - By rule, CVV2 may not be stored by the merchant for any length of time (after the original transaction in which the CVV2 was quoted and then authorized and completed); therefore, a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction.
2. Photo Security - The cardholder's picture is now affixed to many credit cards. However, the logistical complications of taking a photo, verifying the photo, and affixing it to a person's credit card are still too burdensome to require this of all credit cards at this time.
3. Transaction Monitoring - Credit card companies look for red flags such as:
a. Shipping address is different from the billing address, or the shipping address has suddenly changed.
b. Unusually large purchase compared to normal purchase patterns for the account in question.
c. Change in name on the account.
d. Change in date of birth or social security number.
e. Unusual purchases over the Internet.
f. Unusually high number of transactions.
4. PINs - The online verification system used by merchants is being enhanced to require a 4 digit Personal Identification Number (PIN) known only to the cardholder.
5. Improved Material - Credit cards are now being replaced with similar-looking tamper-resistant smart cards which are intended to make forgery more difficult. The majority of smartcard (IC card) based credit cards comply with the EMV (Europay MasterCard Visa) standard.
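The red flags listed under item 3 (Transaction Monitoring), expressed as a small rule set run over constructed transactions. This is an added example, not from the manual or any card issuer; the account records, field names and thresholds (a purchase over 5x the account's typical amount, more than 5 transactions in one day) are assumptions.

```python
"""Rule-based transaction monitoring for red flags a-f above.
Added example with constructed data; thresholds and field names are assumptions."""
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass
class Account:
    name: str
    billing_address: str
    dob: str
    ssn_last4: str
    past_amounts: list          # earlier purchase amounts (constructed history)
    usual_channels: set         # channels seen before on this account, e.g. {"pos"}


@dataclass
class Transaction:
    account_id: str
    day: int
    amount: float
    shipping_address: str
    channel: str                # "pos" or "internet"
    name_given: str
    dob_given: str
    ssn_last4_given: str


def flag_transaction(acct: Account, txn: Transaction, size_factor: float = 5.0) -> list:
    """Return the red flags (a-e above) that a single transaction trips."""
    reasons = []
    if txn.shipping_address != acct.billing_address:                         # flag a
        reasons.append("shipping address differs from billing address")
    typical = median(acct.past_amounts) if acct.past_amounts else 0.0
    if typical and txn.amount > size_factor * typical:                       # flag b
        reasons.append(f"amount {txn.amount:.2f} exceeds {size_factor}x typical {typical:.2f}")
    if txn.name_given != acct.name:                                          # flag c
        reasons.append("name on account changed")
    if txn.dob_given != acct.dob or txn.ssn_last4_given != acct.ssn_last4:  # flag d
        reasons.append("date of birth or SSN changed")
    if txn.channel == "internet" and "internet" not in acct.usual_channels:  # flag e
        reasons.append("unusual Internet purchase for this account")
    return reasons


def review(accounts: dict, transactions: list, max_per_day: int = 5) -> dict:
    """Map transaction index -> reasons for every transaction that trips a rule.
    Flag f (high transaction count) needs the whole batch, so it is applied here."""
    per_day = Counter((t.account_id, t.day) for t in transactions)
    flagged = {}
    for i, t in enumerate(transactions):
        reasons = flag_transaction(accounts[t.account_id], t)
        count = per_day[(t.account_id, t.day)]
        if count > max_per_day:                                              # flag f
            reasons.append(f"{count} transactions on day {t.day}")
        if reasons:
            flagged[i] = reasons
    return flagged


def sample_data():
    """Constructed account and transactions (not real data)."""
    acct = Account("Jane Doe", "12 Oak St", "1970-01-01", "1234",
                   [40.0, 55.0, 60.0, 70.0, 45.0], {"pos"})
    ok = dict(shipping_address="12 Oak St", channel="pos", name_given="Jane Doe",
              dob_given="1970-01-01", ssn_last4_given="1234")
    txns = [
        Transaction("A1", 1, 50.0, **ok),                                    # normal
        Transaction("A1", 2, 900.0, "99 Elm Rd", "internet",                 # a, b, e
                    "Jane Doe", "1970-01-01", "1234"),
        Transaction("A1", 2, 30.0, "12 Oak St", "pos",                       # c, d
                    "J. Smith", "1980-05-05", "9999"),
    ]
    txns += [Transaction("A1", 3, 20.0, **ok) for _ in range(6)]             # f
    return {"A1": acct}, txns


if __name__ == "__main__":
    accounts, txns = sample_data()
    for i, reasons in review(accounts, txns).items():
        print(f"txn {i}: " + "; ".join(reasons))
```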
Paying the Minimum Balance
While not really a security risk, it should be noted that paying the minimum balance on a credit card statement can cost you far more than most security risks. Therefore I will comment briefly on this topic as follows:
The table below shows what would happen if you have a $5,000 outstanding balance on your credit card (to keep things simple, we assume you make no additional purchases), an Annual Percentage Rate (APR) of 18 percent, and you make only the minimum payment due ($100 initially but gradually declining each month because minimum payments usually are based on a percentage of the balance, which will decrease). Using this example, it will take 46 years and cost $13,926 in interest charges before you've paid the $5,000, putting the total cost at $18,926.
Easy Credit Cards for College Students
Credit card companies target college students more than any other single group because college students are excellent targets for running up high bills, paying minimum balances, and having the resources to eventually pay off the entire debt. More importantly, these companies want to lock college students in now to using their card brand so they can leverage their future earnings potential. Upon entering college, your child will be barraged with credit card applications and you need to help make sure that they do not fall into this common trap.
Credit Card Dead Beats
In the credit card industry, people who pay off their entire credit card balance each month are called dead beats. They are dead beats to the credit card issuers because they generate far less revenue to the credit card companies than do people who pay the minimum balance.
Common Credit Card Scams
While theft is the most obvious form of credit and charge card fraud, it is not the only way fraud occurs. A more subtle form of fraud is misappropriation: the use of your card number (not the card itself) without your permission. Misappropriation may occur in a variety of ways. Examples are:
1. A phone caller says that you need only provide your card number and its expiration date to qualify for a special discount vacation.
2. A thief rifles through trash to find discarded receipts or carbons to use the card numbers illegally.
3. A dishonest clerk makes an extra imprint from your credit or charge card for his or her personal use.
Fraudulent credit card information or credit cards themselves are usually obtained through:
1. Fake Web Sites
2. Theft
3. Pick Pocketing
4. Phishing
5. Credit Card Swapping at ATM Machines
6. Skimming
Security Tips for Employees - While the following measures are fairly obvious, you should make sure that your employees follow the guidelines set forth below to help protect your company from credit card fraud:
1. Hide the keypad when entering a PIN at an ATM.
2. Don't leave your receipt behind at the ATM.
3. Destroy expired cards.
4. Immediately sign new cards.
5. Don't keep your PIN numbers in your wallet.
6. Treat credit cards as if they were real money.
7. Lost or stolen cards should be reported immediately.
8. Be cautious when giving credit card information to web sites or unknown individuals.
9. Verify transactions on your credit card statement with your receipts.
10. Keep an eye on the credit card when making transactions in shops.
11. Don't sign a blank credit card receipt.
12. Don't loan credit cards to other employees.
13. Always keep a list of your credit cards, credit card numbers and toll-free numbers in case your card is stolen or lost.
14. It doesn't matter whether or not their web site is encrypted. Encryption means that your data is secure between your computer and the merchant, not between your computer and the credit card processor. The merchant will have your card number regardless. If you're buying from an unfamiliar or likely untrustworthy store, consider using a temporary/virtual card number that card companies like Citibank provide.
Security Tips for Merchants - Watch out for suspicious behavior of your customers. Some characteristics are common to fraudulent transactions; although none of them is actual proof of credit card fraud, they remain a good measure for identifying suspicious behavior. This type of fraud can eat up your profits, so watch out when a customer:
1. Buys a high-priced item on a new credit card.
2. Purchases large amounts of expensive items and doesn't seem to care about other amounts that can occur during the transaction (delivery, packaging...).
3. Makes small purchases to stay under the floor limit.
4. Asks what the floor limit is.
5. Makes random purchases with no regard to size, price or quality.
6. Takes the credit card out of his pocket instead of a wallet.
7. Awkwardly or slowly signs the receipt.
8. If asked, cannot provide a photo ID.
9. Credit card validation date expired.
10. Credit card seems counterfeited or information altered.
11. Receipt signature differs from the one on the card.
Common Types of Credit Card Fraud - What are the common types of credit card fraud? Counterfeit Credit Cards, Account Take-Over and Skimming. We are going to look at each one and describe it.
1. Account Take-Over - A thief does not need your credit card to empty your bank account; all he needs is your personal credit card information. He will typically phone your credit card company and change your address information. He will then report the credit card as stolen and request a new credit card, or he will order a second credit card while pretending to be you. This card will then be sent to the new address. Your statements also will be sent to this new address, making you unaware of the fraud. Therefore, if you don't get statements on a monthly basis at about the same day, you should contact your financial institution and check your records on file. Ask whether an address change or any other information has been changed without your direct approval.
2. Mail Box Theft - A thief will steal your new credit card while it is still in your postal box or anywhere on the way between the bank and you. This can be an organized crime scenario involving assistants, such as a postman who intercepts your mail before it is delivered to your address. A fraudster may even get hold of information about when credit cards are issued to a particular address, wait near your mailbox and take your mail. So if you get a notification about an important delivery, collect it as soon as possible, because the longer you wait, the bigger the chance for a fraudster to intercept it.
looking credit cards. To the untrained eye these will appear real and you will not be able to recognize the difference, since a complete hologram as well as the magnetic strip is included in the fake credit card.
A typical skimming device is about the size of a pager, connected in the phone line between the phone jack and the credit card machine. A modern "skimmer" costs about $300, compared to the $5,000-$10,000 in equipment needed to make a counterfeit credit card. When customers make a purchase, their cards are swiped through the business's credit card machine, where the card data is read from the magnetic strip and phoned in for approval. During this normal approval process, the "skimmer" captures the data and either duplicates it onto the magstripe of a plastic credit card "blank", or stores it within the skimming device to be downloaded later. (The magnetic stripe on credit cards is a "passive media", allowing creation of perfect copies of the digital credit card content.)
In both these methods, the restaurant employee is a thief, either later using your card data fraudulently, or simply paid a flat rate (per card) by a thief for obtaining card data.
Many skimmers are even equipped with a panic button to instantly erase all collected data, eliminating all evidence in case of discovery.
An example: In the summer of 1999, two New York City restaurant servers were charged with skimming more than $300,000 from unsuspecting patrons.
Another type of high-tech skimmer can be secreted inside a business's normal credit card reader, and includes a wireless transmitter that allows skimmed numbers to be secretly recorded on a laptop computer anywhere within about 300 feet. (With this device, a thief can sit outside the restaurant in a car, skimming numbers, and no one may ever connect him with the crime.) Unless the restaurant staff notices someone has tampered with their card reader, the crime may not be discovered for quite some time!
A new and potentially far more dangerous form of point-of-sale terminal skimming involves implanting sophisticated software "skimmer bugs" into card reader terminals (and tiny "hardware" bugs for older terminals), allowing stolen information to be sent over the phone lines of legitimate swiping machines. These "skimmer bugs" can store numbers within the circuitry in the device and simply use the card reader's modem to dial out to a computer where the thief's system uploads the numbers. A few days later, the thief can even remove the bug, leaving virtually no sign there has ever been any tampering.
Annual U.S. skimmer-related losses exceed $100 million, and have grown from 3 percent just a few years ago to presently accounting for over 25% of all fraud involving high-tech devices.
"Skimming is the biggest problem in bank fraud today," says Gregory Regan, head of the U.S. Secret Service Financial Crimes Division. "It's the bank robbery of the future. It's technically simple, point and click technology. And the equipment is cheap. If you skim 15 or 20 accounts, you can generate $50,000 to $60,000 worth of fraud, and nobody is going to know about it until the victims get their bills, 30 to 60 days after the crime. So the odds of getting caught are reduced."
Counterfeit Money
Chapter 36
How to Detect Counterfeit Money
1. Compare - Compare a suspect note with a genuine note of the same denomination and series, paying attention to the quality of printing and paper characteristics. Look for differences, not similarities.
2. Feel the Paper - US banknotes are printed on special paper that's 75% cotton and 25% linen. The linen gives it an extra stiffness that's distinctive.
3. Color Shifting - Banknotes bigger than the $5 use color-shifting ink to print the number showing the denomination in the lower right-hand corner. Just look at the numbers head-on, and then from an angle. For genuine notes the color will shift (copper to green or green to black).
4. Portrait - The genuine portrait appears lifelike and stands out distinctly from the background. The counterfeit portrait is usually lifeless and flat. Details on fake bills usually merge into the background, which is often too dark or mottled.
(Real) (Fake)
5. Federal Reserve and Treasury Seals - On a genuine bill, the sawtooth points of the Federal Reserve and Treasury seals are clear, distinct, and sharp. The counterfeit seals may have uneven, blunt, or broken sawtooth points.
(Real) (Fake)
6. Border - The fine lines in the border of a genuine bill are clear and unbroken. On the counterfeit, the lines in the outer margin and scrollwork may be blurred and indistinct.
(Real) (Fake)
7. Serial Numbers - Genuine serial numbers have a distinctive style and are evenly spaced. The serial numbers are printed in the same ink color as the Treasury Seal. On a counterfeit, the serial numbers may differ in color or shade of ink from the Treasury seal. The numbers may not be uniformly spaced or aligned.
(Real) (Fake)
8. Paper Fibers - Genuine currency paper has tiny red and blue fibers embedded throughout. Often counterfeiters try to simulate these fibers by printing tiny red and blue lines on their paper. Close inspection reveals, however, that on the counterfeit note the lines are printed on the surface, not embedded in the paper. It is illegal to reproduce the distinctive paper used in the manufacturing of United States currency.
(Real) (Fake)
9. Watermark - All bills bigger than a $2 now have a watermark; hold the bill up to the light to see it. For the $10, $20, $50, and $100, the image matches the portrait. That's also true of the current $5 bill, but on the new $5 which came out in 2008, the watermark is a big numeral 5.
10. Security Thread - All bills bigger than a $2 have a security thread running vertically through the bill. Like the watermark, you hold the bill up to the light to see it.
11. Raised Notes - Genuine paper currency is sometimes altered in an attempt to increase its face value. One common method is to glue numerals from higher denomination notes to the corners of lower denomination notes. These bills are also considered counterfeit, and those who produce them are subject to the same penalties as other counterfeiters. If you suspect you are in possession of a raised note:
b. Compare the suspect note to a genuine note of the same denomination and series year, paying particular attention to the portrait, vignette and denomination numerals.
12. Counterfeit Detector Pens - Counterfeit detector pens (like the one shown below from Risk Reactor) will help you spot counterfeit bills. Simply use the pen to draw a line or dot across the bill. If the line or dot stays amber, the currency is genuine; if it turns black, the money is counterfeit. Marks fade to keep bills clean and usable.
Counterfeit Coins
1. Poured - Genuine coins are struck (stamped out) by special machinery. Most counterfeit coins are made by pouring liquid metal into molds or dies. This procedure often leaves die marks, such as cracks or pimples of metal on the counterfeit coin.
(Real) (Fake)
2. Rare - Today counterfeit coins are made primarily to simulate rare coins which are of value to collectors. Sometimes this is done by altering genuine coins to increase their numismatic value. The most common changes are the removal, addition or alteration of the coin's date or mint marks.
Death Penalty for Counterfeiting - The Coinage Act of 1792 mandates the DEATH PENALTY for DEBASING the currency. Read for yourself:
"And be it further enacted, That if any of the gold or silver coins which shall be struck or coined at the said mint shall be debased or made worse as to the proportion of the fine gold or fine silver therein contained, or shall be of less weight or value than the same ought to be pursuant to the directions of this act, through the default or with the connivance of any of the officers or persons who shall be employed at the said mint, for the purpose of profit or gain, or otherwise with a fraudulent intent, and if any of the said officers or persons shall embezzle any of the metals which shall at any time be committed to their charge for the purpose of being coined, or any of the coins which shall be struck or coined at the said mint, every such officer or person who shall commit any or either of the said offenses, shall be deemed guilty of felony, and shall suffer death" (Section 19).
Photographing Money or Checks
United States and foreign governments. Specifically, the Counterfeit Detection Act of 1992, Public Law 102-550, in Section 411 of Title 31 of the Code of Federal Regulations, permits color illustrations of U.S. currency provided:
The illustration is of a size less than three-fourths or more than one and one-half, in linear dimension, of each part of the item illustrated.
The illustration is one-sided.
All negatives, plates, positives, digitized storage medium, graphic files, magnetic medium, optical storage devices, and any other thing used in the making of the illustration that contain an image of the illustration or any part thereof are destroyed and/or deleted or erased after their final use.
Counterfeit U.S. Postage Stamps
2008 Bust - In February 2008, an underground printing operation in New York City was caught producing $300,000 worth of high-quality counterfeit U.S. postage stamps. The U.S. Postal Inspection Service says such operations are just a small part of a thriving black market in bogus stamps. The busted printing operation was being run out of an apartment on the Upper West Side of Manhattan.
In the raid they also found USPS wrappers complete with barcodes, computer software, industrial-sized cutting boards, three industrial printers and other professional printing supplies. Authorities say the quality of the counterfeit stamps was excellent and that they were destined to be sold at cut rates on the Internet or at small grocery stores in New York. The US Post Office reported that people most often sell counterfeit stamps online and door to door.
Phosphor Security Feature - The investigation into counterfeit stamps was triggered after postal inspectors discovered that hundreds of letters were being rejected for delivery because the stamps lacked the required phosphor tagging.
It is Illegal to Reuse Stamps - According to the US Post Office web site, it is illegal to reuse a stamp that has already been used, even if that stamp was not properly cancelled. Here is the excerpt:
Counterfeit Tax Stamps
Also in February 2008, millions of dollars worth of counterfeit cigarette tax stamps were seized in New York, authorities announced Wednesday. The fake stamps would have allowed unscrupulous cigarette dealers to evade nearly $6.1 million in state and city taxes. Tax stamps,
which must be affixed by distributors to packs of legal cigarettes, cost $3 each in New York City, $1.50 in the rest of the state and $2.57 in New Jersey.
Security Features of U.S. Treasury Checks
Counterfeiting of checks issued by the Federal Government has become a common problem. Accordingly, several security features have been incorporated into U.S. Treasury checks that are easy to authenticate and difficult to reproduce on office machine copiers/printers, as follows:
1. Paper - The paper used for Treasury checks is chemically responsive to all solvents and ink removers, which makes most alterations easy to notice. It also contains a continuous pattern watermark that says "U.S. Treasury." This security feature cannot be reproduced on an office machine copier.
2. Printing - The dry offset printing process is used to print Treasury checks. The inks react to leaching and bleaching. They fade when rubbed with water and dissolve when exposed to alcohol or bleach. This makes most alterations noticeable.
3. Copy-Proof Colors - The colors of the inks are of a low density, which makes them difficult to reproduce on an office machine copier.
4. Microprinted Text - The signature line on the reverse side of the check is comprised of microprinted text that repeats the letters "USA."
5. Fluorescent Image - The checks have a fluorescent image printed in the center that can be viewed under ultraviolet light but cannot be reproduced by an office copier.
6. Bleeding Ink - Bleeding ink in the Treasury Seal will smudge red when exposed to moisture.
7. Dual Wavelength Bands - The fluorescent image overprinted in the center has been enhanced to contain dual fluorescent wavelength bands.
Alterations Forfeit the Entire Government Check - If a legitimate payee alters the amount on a government check, they forfeit the entire original amount of the check and are subject to criminal prosecution.
Fake $1 Million Bill - In 2004, a Covington, Ga. woman tried to use a fake $1 million bill to buy $1,675 worth of merchandise at Wal-Mart. She said it was all just a misunderstanding: she thought the bill was real. Her estranged spouse had given the joke-shop currency to her.
Cracking and Hacking
Chapter 37
Introduction
Hacking, Cracking, and Phreaking are alive and well today. The Internet provides the communication pipeline that allows tens of thousands of hackers, crackers, and phreakers to share information and teach one another how to bust into the latest hardware, local area networks, operating systems, and software application products. Today, anyone with a desire to do so can become a hacker, cracker or phreaker and try their hand at hacking, cracking, or phreaking. Just so you know:
1. The term "Hacker" refers to non-destructive, law-abiding people who are expert programmers and systems wizards. They fancy themselves as "computer gurus" who use their talents to make things work. You are not considered to be a "hacker" until other "hackers" routinely refer to you as a "hacker". Being a "hacker" is supposed to be "COOL".
2. The term "Cracker" refers to destructive people who use their hacking skills (or hacking tools) to break into systems, destroy systems, steal data, rip off application software, and perform a number of illegal activities. Being a "Cracker" is supposedly "CRIMINAL".
3. The term "Phreaker" refers to people who break into telephone systems in order to call long distance with no charge, to tap phone lines, to break into voice mail boxes, to steal information, to eavesdrop, to cause damage, etc. Being a "Phreaker" is supposedly "CRIMINAL".
Why Study Hacking, Cracking & Phreaking?
The fact that virtually any intelligent person can easily become a hacker, cracker, or phreaker poses a security threat to every organization. Today's Systems Information professionals need to be aware of the types of threats that exist today in order to take the necessary measures to protect against these threats. In some cases, Systems Information Professionals can use the same tools the crackers use in order to test the security of their own systems. In other cases, knowledge in this area can help the Systems Information Professional identify employees or others who may be openly discussing these tools, searching for these tools, or downloading these tools in time to take corrective measures. Further, an understanding of these threats is necessary to help Systems Information Professionals develop policies and procedures to help prevent problems before they arise.
Key Hacking & Cracking Terms:
A. Hacking (42,000,000)
B. Cracking (25,600,000)
C. Phreak, Phreaking, Phrack (1,060,000)
D. 40Hex (4,660)
E. Serialz (serial numbers) (4,640,000)
F. Crackz (cracking programs) (5,360,000)
G. Hacking Tools (1,270,000)
H. Hacking Magazines (444,000)
I. E-Mail Tools (11,500)
J. Anonymous Senders (381,000)
K. Bombers (11,000,000)
L. Key Generators (1,540,000)
M. Flooders (411,000)
N. Cracking Search Engine
O. ICQ Tools (112,000)
P. Sniffing Tools (163,000)
Q. Key Loggers (397)
R. Spoofing Tools (146,000)
S. Fake Ids (254,000)
T. Credit Card Making Equipment (453,000)
U. Learning to Hack
V. Hacked Sites
W. Meetings
X. Hacking and Cracking terms in different languages
Y. Foreign Language Conversion
Z. DIRT (virus) (44,000)
Hacking, Cracking and Phreaking Books
There are plenty of books available on the subjects of Hacking, Cracking and Phreaking. For example, the book Maximum Security was written by an anonymous hacker to help you protect your system from invaders and the arsenal of tools, back-end secrets, and bugs they have at their disposal. We don't know much about the author of Maximum Security, only that he was convicted of multiple crimes involving friendly neighborhood ATM systems before deciding to use his talents in a more law-abiding fashion. Told from a hacker's perspective, Maximum Security details methods for concealing identity, cracking passwords, and gaining access to systems running everything from Unix to Windows NT to the Mac OS. He also explains how best to counter or prevent these techniques. Every system administrator should read this book and sleep better at night for having done so.
How Easy Is It To Become A Cracker?
Simply search the Internet for a file called "40HEX". You will find it available on thousands of web sites. This file contains 40 deadly viruses, along with instructions for altering these viruses to make them more deadly. From here, you could simply send these files to an unsuspecting person via a diskette, e-mail, or web page downloadable file. The diskette, e-mail message, or web page could assert that the file will clean up a hard drive, thereby making your system run up to 30% faster. Many suckers would fall victim to such a scheme.
There are also guides, tutorials, textbooks, and lessons all designed to help you learn how to become a Cracker. All you need to do is search the Internet for the term computer cracker, and you will find over 579,000 web sites with information on the subject. Incredible. Because of the criminal nature of these web sites, they are constantly moving from one web server to another as they are censured by their web page hosting service or as lawsuits are filed against the owners of these web sites. Still, these crackers seem to simply move their web site to a new server
for a few months, announcing their moves in the cracker chat rooms and discussion groups. Censuring these web sites is akin to herding cats; it's probably not going to happen.
Why Do Hackers Hack and Crackers Crack?
Hackers generally hack for money. They are generally available for hire to write code, test code, test systems, implement firewalls, etc. The problem is that based on many of the web sites I have visited, many Hackers are also Crackers, although there appears to be a well established movement among Hackers to denounce cracking activities. As shown below, 90% of all hackers are considered to be amateurs, which means they really haven't earned the right to be called a hacker but they are working at it.
Crackers appear to crack for several different reasons, as follows:
Just as you and I play chess for the sheer intellectual challenge of the game, some crackers crack for the sheer challenge as well. It is as if some expert out there has established security defenses and stated "I dare you to break through these defenses". Some crackers enjoy breaking through this security and have no evil intentions of stealing data or destroying data once they have achieved their goal. They obtain immense satisfaction in having proven their skill to themselves.
Other Crackers are just plain evil and they get a kick out of sabotaging someone's systems, destroying their data, or otherwise making someone's life miserable. Trying to understand this motive is akin to understanding why a juvenile smashes mailboxes; it's just plain stupid and most mature people see it that way.
Many crackers crack in order to save money. Instead of purchasing the latest software, they simply steal it, copy it, or break through the evaluation copy defenses. Crackers also attempt to obtain free access to the internet, pay-per-view web sites, and subscription web sites.
The final reason a Cracker cracks is for money. Some professional crackers crack in order to steal information that they can use or sell, almost always in a criminal manner. For example, a list of names, addresses and credit card numbers would be easy to sell on the black market, as evidenced by the fact that credit card making machines and blanks are widely available through cracking web sites. At least the motive is plain to see and easy to understand.
Why Do Phreakers Phreak?
Phreakers phreak for the same reasons that crackers crack: some for the challenge, others to cause havoc, some to avoid phone charges, and yet others are looking for information that can be used to turn a profit. It also appears that phreaking technology is used moderately by private detectives and possibly company security officials who
want to keep an eye on someone. Learning to Phreak is as simple as visiting Phrack magazine located at: http://www.phrack.org/
Here you will find hundreds of detailed articles describing how to break into phone systems, make long distance calls without being charged, build equipment that can be used to tap a phone, and purchase a device that lets you dial any phone number in the world; the phone you dial will not ring, but then you can listen to the conversations going on in the room. Using this information, any employee, customer or person with access to your conference room could eavesdrop in on your next Board of Directors meeting.
Sample Hacking, Cracking & Phreaking Web Sites
This page provides a basic introduction to hacking: http://catb.org/~esr/faqs/hackerhowto.html.
Hacking runs the gamut from harmless pranks to vicious breaches of security. For example, one web site explains how to edit the Windows XP hosts file to get Internet Explorer to point to a different web site other than the one entered. Here are the steps:
1. Visit www.ipaddress.com and obtain the IP address for the target web site.
2. Search for the file called "hosts" (in Windows Vista, XP and 2000 it is in C:/windows/system32/drivers/etc/).
3. Open the hosts file with NotePad.
4. Add this text to the bottom: 206.61.52.30 www.cia.gov.
5. In the future, typing in www.cia.gov will instead take the user to the web site 206.61.52.30, but the URL will still read www.cia.gov.
6. You will need administrator rights to edit the hosts file.
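The defender's counterpart to the steps above: parse a hosts file and report every entry that maps a host name to something other than a loopback or sinkhole address, which is exactly how the redirection in step 4 shows up on an audited machine. This is an added example, not from the page or any product; the sample hosts content is constructed (it includes the line from step 4) and the allow-list of expected addresses is an assumption.

```python
"""Audit a hosts file for redirections like the one described above.
Added example; the sample file content is constructed."""
import ipaddress

# Addresses that legitimately appear in a hosts file: loopback, plus the
# 0.0.0.0 sinkhole used by ad-blocking lists (assumption; adjust to site policy).
EXPECTED = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> list:
    """Return (line_number, ip, hostname) tuples; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                           # malformed line, not an address
        for name in parts[1:]:                 # one address may carry several names
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_entries(text: str, expected=EXPECTED) -> list:
    """Entries that point a host name at an address outside the allow-list."""
    return [e for e in parse_hosts(text) if e[1] not in expected]


# Constructed hosts file: default-style lines plus the redirection from step 4.
SAMPLE_HOSTS = """\
# default entries (constructed sample)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example     # sinkhole entry
206.61.52.30 www.cia.gov
"""

if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```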
Famous Hacking Web Site - http://www.2600.com/mindex.html, 2600 The Hacking Quarterly.
Cracking and Hacking Tools
There are hundreds of tools that you can download free of charge and use for hacking, cracking, and phreaking. CAUTION: If you download any of these files you should run them only on a single-user computer; do not run them on a workstation on your local area network. You should scan all files for viruses first, making sure that you have the latest version of your virus protection software. You should be advised that the use of some of these tools may constitute illegal activity and could cause damage inadvertently to your company's computer systems, for which you could go to jail. Please be careful and take all of the necessary cautions before downloading any of the files discussed below:
Viruses
Viruses come in many different flavors including boot viruses, file viruses, macro viruses, multipartite viruses, new Exe viruses (Windows 95, Windows, OS/2, Unix), Trojans, virus constructors, and joke programs. You can keep track of the latest list of known viruses, including detailed descriptions of those viruses, at many web sites including McAfee, Dr. Solomon, Norton AntiVirus, and the AVP Virus Encyclopedia web site shown below:
Viruses are divided into classes according to the following four characteristics:
1. Environment;
2. Operating system (OS);
3. Different algorithms of work; and
4. Destructive capabilities.
The environment of a virus may be either file, boot, macro, or network. File viruses infect executables. Boot viruses save themselves in the disk boot sector or in the Master Boot Record. Macro viruses infect document, spreadsheet, and database files. Network viruses use protocols and commands of a computer network or email to spread themselves. Each file or network virus infects files of one particular or several operating systems such as DOS, Windows 3.xx, Windows 95/NT, OS/2, etc. Macro viruses infect Word, Excel, and Office 97 format files. Boot viruses are also format oriented, each attacking one particular format of system data in boot sectors of disks. Among operating algorithms the following features stand out: TSR capability; the use of stealth algorithms; self-encryption and polymorphic capability; and the use of nonstandard techniques. A virus's destructive capabilities can be divided as follows:
1. Harmless;
2. Not dangerous, limiting their effect to lowering free disk space;
3. Dangerous, which may seriously disrupt the computer's work;
4. Very dangerous, whose operating algorithms intentionally contain routines which may lead to losing data, data destruction, or erasure of vital information in system areas.
Many of the hacking, cracking, and phreaking tools are really just instructions rather than actual programs you download and run. For example, assume that your client's bookkeeper quit, but before they left they inserted a new password into QuickBooks. Your client can no longer access their data and the disgruntled employee is long gone. In this case, hackers have solved this problem and the instructions are readily available on the Internet, as shown in the screen below:
In this case, this web site, called Password Recovery Tactics, describes the procedure by which you can use Norton's Tools to peek into the hexadecimal code for QuickBooks and replace the encrypted password with your own password. Notice that while this example appears to be a hacker's constructive use of this information, an evil employee or other person could use this information to access confidential financial data. The borderline between hacker and cracker is very narrow indeed.

SATAN (Security Analysis Tool for Auditing Networks). In default mode, SATAN gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, and other services. The information gathered includes the presence of various network information services as well as potential security flaws, usually in the form of incorrectly set up or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It can then either report on this data or use a simple rule-based system to investigate any potential security problems. Users can then examine, query, and analyze the output with an HTML browser, such as Mosaic, Netscape, or Lynx. While the program is primarily geared towards analyzing the security implications of the results, a great deal of general network information can be gained when using the tool: network topology, network services running, types of hardware and software being used on the network, etc.
However, the real power of SATAN comes into play when used in exploratory mode. Based on the initial data collection and a user-configurable ruleset, it will examine the avenues of trust and dependency and iterate further data collection runs over secondary hosts. This not only allows the user to analyze her or his own network or hosts, but also to examine the real implications inherent in network trust and services and help them make reasonably educated decisions about the security level of the systems involved. SATAN can be downloaded here:
http://jackets.gt.ed.net/satan1.1.1/docs/satan_overview.html
Cracker Jack
Password Cracking Programs
Password cracking programs are designed to break into various programs using a variety of methods. Some of these programs use dictionary attacks, systematically trying thousands of popular passwords such as spring, summer, baseball, 12/25/98, etc. These programs will also test to see if common default usernames and passwords will work (such as ADMIN, PASSWORD). Other password cracking programs use brute force attacks, where all possible combinations of letters and numbers are systematically checked against a logon screen.
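The three attack classes just described (dictionary words with simple mangling, default credential pairs, and brute force over a character set) turned into a pre-screen a defender can run before accepting a new password. This is an added example, not part of the original course material; the mini dictionary, the default-credential pairs and the 60-bit threshold are constructed for the demonstration.

```python
"""Pre-screen a password against the attack classes described above.

Added example, not course material.  The mini dictionary, the default
credential pairs and the 60-bit threshold are constructed for the demo;
a real deployment would load a full cracking wordlist.
"""
import math
import re
import string

# Constructed mini dictionary of the kind of words the text lists.
DICTIONARY = {"spring", "summer", "autumn", "fall", "winter",
              "baseball", "football", "password", "welcome", "admin"}

# Constructed default credential pairs (username, password), lower-case.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("guest", "guest")}

# Dates such as 12/25/98, 12-25-1998 or 122598: day and month with an
# optional separator that must repeat, then a 2- or 4-digit year.
DATE_RE = re.compile(r"^\d{1,2}([/.-]?)\d{1,2}\1\d{2}(\d{2})?$")

# Suffix characters a dictionary attack strips before comparing
# ('Summer2019!' -> 'summer', 'baseball1' -> 'baseball').
SUFFIX_RE = re.compile(r"[\d!@#$%^&*]{0,6}$")


def dictionary_hit(password):
    """Return the dictionary word the password is built from, or None."""
    base = password.lower()
    for candidate in (base, SUFFIX_RE.sub("", base)):
        if candidate in DICTIONARY:
            return candidate
    return None


def is_default_credential(username, password):
    """True when the pair is one a scanner would try first."""
    return (username.lower(), password.lower()) in DEFAULT_CREDENTIALS


def brute_force_bits(password):
    """Keyspace size, in bits, an attacker must cover to brute-force a
    password of this length drawn from the character classes it uses."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes
                   if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def assess(username, password, min_bits=60):
    """Return the reasons the password would fall quickly; [] means it passed."""
    reasons = []
    if is_default_credential(username, password):
        reasons.append("default credential pair")
    word = dictionary_hit(password)
    if word:
        reasons.append(f"dictionary word '{word}'")
    if DATE_RE.match(password):
        reasons.append("looks like a date")
    bits = brute_force_bits(password)
    if bits < min_bits:
        reasons.append(f"brute-force keyspace only {bits:.0f} bits")
    return reasons


if __name__ == "__main__":
    for user, pw in [("ADMIN", "PASSWORD"), ("bob", "12/25/98"),
                     ("alice", "baseball1"), ("carol", "Tq7#vLm2pXz9rW4b")]:
        print(f"{user}/{pw}: {assess(user, pw) or 'ok'}")
```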
Crack ami bios 1.1
AMI Read the password
AMI bios for newer bios w/source
Show BIOS password
Remove SETUP password
AMI bios password viewer
ARJ password cracker from Russia
Break ZIP
Brute force cracking
Find a zip password
PKzip archive cracker fast!
Password guesser for ZIP file
Crack Zip File Passwords
Claymore for windows is a brute force cracker
CrackerMate is a game cracking program
Intruder 2.1 will remove ANY protection from BP/TP/BCPP/TC/MSC/CLIPPER program
Delam's Elite Password Leecher
Jill 2.0 Cracking utility for CrackerJack
Prepare lists for CrackerJack
Novell Password crack
Password breaker generic
Permut is a simple tool to generate passwords
POPcrack pop mail password cracker
Trumpet Winsock Password Cracker
Automated Password Generator
Remote Access user list password hacker
Netware Password catcher
Therion's Password Utility Wordlist manipulation tool
Unix password hacker
Microsoft Word Password cracker
Word for Windows Password cracker
crack WinCrypt files
E-Mail Tools
Files related to causing destruction over email (bombing) and recovery from said bombing.
Anonymous Senders:
Win95 Anonymail Anonymous emailer
SendFake Send email from addresses of your choosing
Bombers:
Avalanche 3.6 The newest version of a great bomber
CompuServe Based E-Mail Bomber E-Mail bomber
Death'n Destruction: 4.0 E-Mail bomber Includes tools to resolve IPs, send OOB packets, finger, and listen on ports.
Extreme Mail Beta 1 New Mail Bomber, Decent
Homicide Good mail bomber
Kaboom v3 An easy to use email bomber Includes mailing lists
MailBomber v.02b Mail bomber
MailFlash Sends mail to screw over UNIX mail terminals
Nemesis Mail Bomber 1.0 Anonymous bomber Uses telnet.exe to send mail
QuickFrye Bomber & Anonymous mailer
The Unabomber Mail bomber with great anonymizing capability
Up Yours 4 Beta 3 Bomber & Anonymous sender Supports HELO spoofing
Clean Up:
BombSquad v2.0 Clean up after you've been email bombed
MailCheck Check servers for anonymous mail
ICQ Tools
Programs designed to kill ICQ and people over ICQ. ICQ is an instant messaging, chat, and file transfer program by Mirabilis.
Clean Up:
ICQ DeFlooder v1.0 Deletes all unread messages after a bomb
ICQ Bombsquad Cleans up after receiving a bomb
ICQ SWAT Deletes bomb messages
ICQ Flooders:
IcnewQ Spoof messages, bomb, kill ICQ
ICQ Message Flooder Sends large numbers of messages from spoofed UINs
ICQ Flooder '95 Bombs target from random UINs
IcKiLLeR Sends mass messages from random UINs
ICQ Zap Message bomb from random UINs
ICQ Revenge Message bomber
IP Sniffers:
ICQ IP Address Unmasker Shows IP despite hiding
ICQ IP Sniffer Shows IPs of even hidden ICQ users
Protection:
Warforge ICQ Protect Protects from ICQ Bombs
ICQ Bomb/Hacking Utility Protector Opens 14 ports to confuse scanners
WarForge ICQ Bomb Protection System v2 Protects ICQ from being bombed
Miscellaneous:
ICQ Auto Authorize Adds anyone to your contact list without their permission
ICQ PortSniff! Finds the port that ICQ is running on
ICQ Source UIN Spoofer Send anonymous ICQ messages

Flooder Tools
Flooders are programs designed to severely lag a person's connection, sometimes to the point of them being disconnected.
ICMP Flooders:
Technophoria Battle Pong ICMP flooder
Kaput 1.0 beta 1.5 ICMP and Finger flooder
Final Fortune 2.4 ICMP clone flooder
Hak Tek Version 1.1 ICMP Flooder, Mail bomber, Anti bomber, Port scanner
ICMP Bomber! ICMP flooder
ICMP Flooder v0.2 ICMP flooder
IPing32 Ping Tool
IWD Simple ICMP Bomber ICMP flooder
Ping ICMP tool/flooder Comes with Windows 9x
Sonar v1.0.2 ICMP tool
Trumpet Ping ICMP flooder
Vaite j ICMP ToolKit v2.01 (English Version) ICMP Bomber, Nuker, Nuke Detector, and an OOB Attacker
Vaite j ICMP ToolKit v2.01 (Portuguese Version) ICMP Bomber, Nuker, Nuke Detector, and an OOB Attacker
XScript ICMP Bomber v0.3 By Code ICMP flooder
UDP Flooders:
Pepsi UDP flooder
UDP Port Nuke UDP Flooder
UDP2 v10.2 UDP Flooder
UDP Blaster v1.53 UDP Flooder
UDP Flooder UDP Flooder
surge UDP Port Flooder UDP Flooder
Rebellion UDP Flooder UDP Flooder
UDP PRO v2.0 UDP Flooder
surge UDP Port Spammer UDP Spammer
UDP Datastorm UDP Flooder
Wpepsi UDP flooder for DOS
Port Bombers:
Beer Mass connection port flooder
Bmb2 Mass data port flooder
Boom Port bomber
Gewse97 Mass data port flooder
Internet Packet Tools v1.00 Build 300 Floods TCP or UDP Ports
Mutilate Mass connection port flooder
Octopus Mass connection port flooder
DOS Panther Modern Mode 1 Port bomber for 56k connection
DOS Panther Modern Mode 2 Port bomber for T3 connection
PortFuch 1.0b2 Mass connection port flooder
Pounder Alpha 1 Mass connection port flooder
IRC Tools
Internet Relay Chat tools are programs designed to generally knock people off IRC any way possible.
Clone Flooders:
Excess Flood 2.9 Loads clones to flood users
Floodbots Flooder 2.0 Clone flooder
Floodbot Front End v0.2 Companion shell for Floodbots Flooder 2.0
iRC kiLLer pRO! Combines Flash, Floods v2.4, Multi Collide Bot 95, and SUMO/95 v1.1 Lag Killer!
SUMO/95 1.1 Lag Killer Flooder
WaKo Flood Bots 2.5 (7th Sphere) Clone Flooder
DCC Attacks:
DCC Fuker 1.2 DCC Flooders for mIRC
DCC Locker '97 Can lock dcc chats in mIRC
DCC Unfer Locks DCC Chats in mIRC
Hanson Programs:
Bug Exploit 1.5 Attacks mIRC 5.3x
DeeP FreeZe II Attacks mIRC 5.3x
DCC of Death Kills mIRC 5.4
mIRC Freeze Freezes mIRC
mIRC Slap Attacks mIRC 5.3x
ICMP Unreach Disconnectors:
Click 1.4 Uses the ICMP_Unreach bug to disconnect clients from IRC
Click 2.2 New version for Winsock 2.2
Wnewk Simple disconnector
WnewkX Newer version of Wnewk
WNuke (WinNuke v1) Unreach disconnector
WNuke ][ Updated version
WNuke 4 Newest version
Link Lookers:
Link Looker for Windows 95 Ver 1.61 (GOLD BETA) Looks for IRC Server Splits
Link Looker for Windows 95 Ver 2.2 Looks for IRC Server Splits
xLinkLooker Version 1.0a Looks for IRC Server Splits
Miscellaneous:
Lynch0 Floods IRC servers with bogus server login attempts
Multi Collide Bot 95 Collides nicknames off IRC
ninX's Port Blocker b100 Blocks chosen ports
XNetStat Shows you your active internet connections
Port Scanners:
Cabral's Domain Scanner Final Scans C block of addresses
Cha0scanner v2.0 Port scanner
FTP Scan Anonymous port scanner, works through an FTP server
Host Scanner Scans chosen domain for all hostnames
Mirror Universe 2.1 Gives NetBios information about a target system
Netcop v1.6 DNS Resolving, Domain WHOIS Data
NetGhost DomainScanner Scans domain for a chosen port
Ogre Checks servers for open FTP, HTTP, SMTP, Telnet, etc... & for misconfigurations
OstroNet Whois client, Finger client, Port scanner, Domain Scanner
PortPro v0.93 Port scanner that can flood open ports
PortSage Port scanner
Rebellion v2.0 port scanner Port scanner
Port Surveillance v.05 Scans a port
Port Scanner 1.1 Scans a group of IP addresses looking for certain open ports
SiteScan Scans for exploits: PHP, Finger Flaws, PHF, Handler, _vti_pvt, Service.pwd, IIS Admin, Wrap, aglimpse, test.cgi, *.pwl, *.pwd
Nuker Tools
BitchSlap v1.0 Port 139 OOB Nuker
BloodLust Chosen Port OOB Nuker
BlueRain's Port 139 OOB Attack Prog Version 1.0 Chosen Port OOB Nuker
CGSi OOB Message GFP Gen Chosen Port, Multi-IP OOB Nuker
DIE Port 139 OOB Nuker
DIE3 Chosen Port OOB Nuker
DIE3NT Kills Windows NT Running DNS on Port 53
Divine ]I[ntervention 3 OOB Attack, ICMPer, Icq Killer, Mail Bomber, Mass Subscriber, DCC Flood Bot, and Text Flood Bot
Death'n Destruction: DoS OOB Attack, Port protector
Calvin's Labs NetAttact Chosen Port, Size and Number OOB Nuker
FedUp 2.0 Chosen Port OOB Nuker
KiLLmE v1.0 Port 139 OOB Nuker
KillWin Chosen Port and Number OOB Nuker
Knewk'em All v1.0 Chosen Port and Number OOB Nuker
Meliksah Nuker v1.0 Chosen Port and Number OOB Nuker
MSNuke Port 139 OOB Nuker
Muerte The first, best, and only OOB exploit you will ever need IP, Port scanning
Nuke v2.3 OOB Attack, death confirm
NukeAttack Chosen Port OOB Nuker
Nuker 1.02 Beta Port 139 OOB Nuker
WinNUKE Port 139 OOB Nuker
WinNuker v0.2 Multi-Port OOB Nuker
WinNuke V95 Port 139 OOB Nuker
WNUKE32 (Build 69) Port 139 OOB Nuker
WinNuke for Win95 v1.1 OOB to port 135 or 139 Includes patch

Key Loggers
Programs to log all keystrokes on a computer to file. They are usually used to capture usernames and passwords.
IK
KeyLog2
KeyLog'95

Network Tools
Programs built to give you any information possible about a target address, or to help you find an address that has certain characteristics.
Port Listeners:
ICMP Monitor Version 0.92 ICMP detector with a DNS lookup tool
ICMP Scan v2.0 Scans for connected IPs
ICMP Datagram Sniffer v1.0 Alpha 5 ICMP detector for DOS
ICMP Watch v1.3 7th Sphere Detect incoming ICMPs
NukeNabber 2.9 Listens on 50 chosen ports for TCP and UDP attack + ICMP_UNREACH
Nuke Detector v1.0 Port 139 Nuke Detector
NukeNabber 2.5 Catches & logs incoming nukes
The Port Block v0.05b Blocks chosen ports
Skream's Port Listener v2.3 Listens on a chosen port
Port Listener v2.2a Listens on a chosen port
Port 139 Watcher Port 139 Nuke Detector

Key Generators & Registration Tools
AbsoluteFTP v1.0b9 Time/Nag crack
ACDSee32 2.x Key generator
Age Of Empires Microsoft Age Of Empires 1.0a update crack
Age Of Empires Microsoft Age Of Empires CD crack
Agent 0.99x Serial # generator for Agent 0.99ek
Agent 1.5 Agent 1.5 build 452 xheader patch
Agent 1.x Serial # generator for Agent 1.x
Andretti 98 Andretti 98 Crack Patch
Bryce 2 Bryce 2 demo Update
Catz 1.00k Catz Demo 1.00k Crack
CDQuick 3 Key Generator
CD/Spectrum pro 3.2.327 CD/Spectrum Pro Version: 3.2.327 Patch
CDDA 1.7 CDDA (DA2WAV) 1.7 keyfile maker
CleanSweep 3.0 Trial CleanSweep 3.0 Trial crack patch
Clock Manager Key Generator
ComSpy win98/95 Keyfile maker
CoolEdit 96 Cool edit v.1.52 Key Generator
CuteFTP32 Hidden Files & Folders Patch
CuteFTP32 v1.7/1.8 Keyfile builder for CuteFTP
CuteFTP32 v2.0 CuteFTP 2.0 FINAL keyfile creator
Dark Reign CDROM check crack
Dark Reign Dark Reign CD check crack
Dogz ADOPTDOG.03 Registration Generator for DOGZ
Dogz v1.8Q DOGZ v1.8Q REgistration Crackz
Ecopad32 v3.31 Key Generator
Email Address Sniffer 2.1 Patch
Eudora Eudora X-Header editor
Eudora Pro 4 Demo expiration patch
F22 Lightning II F22 Lightning II crack
GameSpy 1.01 GameSpy 1.01 registration patch
GameSpy 1.50 GameSpy 1.50 FINAL registration patch
GameSpy 1.52 GameSpy 1.52 key generator
GameSpy 1.52 GameSpy 1.52 reg patch
Gear Replicator 1.2 Unlock Generator
Ghost GHOST v2.1.4 "KEYMAKER" [JAM/UCF]
GIF Construction Kit GIF CONSTRUCTION SET *KEYMAKER*
Graphics Workshop Brute force reg hacker
Graphics Workshop 95 Key Generator
Hard Disk Sleeper 1.4 Key Generator
Hexen 2 Hexen 2 CD crack
HomeSite v2.0 HomeSite v2.0 Key Generator
HomeSite v3.0 HomeSite v3.0 patch
HotDog Pro 4.5+ Key Generator
HotDog32 1.0 CRACK PATCH
HyperSnap 2.64 Key Generator
ImageView95 1.2 Key Generator
Internet Conference Professional 1.2 Key Generator
Internet Phone v4.5.03 Internet Phone v4.5.0.3 crack
Internet Phone v4+ Internet Phone v4+ [CraCkPatCh]
Internet Phone v5.0 Internet Phone v5.0 build 114 patch
Internet Phone v5.0 Internet Phone v5.0 build 135 patch
Kaleidoscope 95 Key Generator
LiveImage 1.26 crack patch
LView Pro Key Generator
LView Pro 95 Key Generator
Magic Folders 97.10a Keyfile
Magic Notes 1.6 Key Generator
MDaemon Registration Code Generator
Microangelo Microangelo95 v2.x *Keymaker*
Microsoft MS Code Generator 1.01 (all products)
Microsoft Freecell Undo enabler patch
Microsoft Project 98 (8.0) Evaluation Patch
mIRC 5.3 key generator
mIRC V4.52+ mIRC V4.52+ *kEYMAKER*
mIRC V5.00+ Keymaker for mIRC 5.00 onwards.
MOD4Win 2.30 Mod4Win 2.30+ KeyMaker Patch
Money 98 MS Money 98 (6.0) crack patch
MotoRacer MoToRaCeR *uNiVeRSaL CRaCK*
Nearside Build 554 Reg patch
Netbar 2.0 Key Generator
NetTerm 2.8.9 Key Generator
NetTools Key Generator
Norton AntiVirus 2.01 Trial Crack Patch
NTcrt 1.0B6 Key Generator
Office 97 Microsoft Key Generator 2.0
Paint Shop Pro 4.14 Shareware crack
Personal Stock Monitor 1.1 Key Generator
PGP Manager32 1.6b Key Generator
PKZIP Authenticity Verification
PowerDesk kEYmAKER
Pretty Good Solitaire 3.97.2 Key Generator
Quake 2 Quake 2 v3.09 Update CD check removal
Quake 2 Quake 2 v3.10 Update CD check removal
RAS+95 Key Generator
SciTech Display Doctor 5.2 uNIVBE v5.2 *kEYmAKER*
SciTech Display Doctor 6.0 Key Generator
SciTech Display Doctor 6.0 Retail Key Generator
SciTech Display Doctor 6.0 Trial Patch
Secret Agent 1.12 Key Generator
ServU FTP sERVu 2.xX *kEYMAKER*
SideKick 98 Unlock code generator
Snapshot/32 2.55 Key Generator
Sound Gadget Pro Key Generator
Stiletto 96a Key Generator
SubSink Pro 97 Key Generator
ThumbPlus 2.0 Key Generator
Thumbs+Plus v3.0c Patch
ThumbsPlus32 v3.10 Time Limit/Nag Screen Crack
Trumpet WinSock 95 Key Generator
Uedit32 4.0 Key Generator
UNIVBE 5.x uNIVBE v5.2 *kEYmAKER*
Virtual CDROM Unlock Code Generator
Visual Basic 5.0 Microsoft Key Generator 2.0
Visual C++ 5.0 Microsoft Key Generator 2.0
WebImage 95 Key Generator
WinArj95 reg code generator
WinArj95 WinArj95 v4.1.0x crack
Windows 95 MS Code Generator 1.01 (all products)
Windows Commander v3.0 Windows Commander 32bit CRACK
Windows NT 4.0 Microsoft Key Generator 2.0
Windows NT 4.0 120 day trial NT 4.0 Server 120 Day Demo Crack Kit
WinGate 1.x Key Generator for v.1.3.08 onwards
WinGate 2.0 Key Generator for Pro and Lite
Winimage 2.25 Key Generator
WinPack32d Key Generator
WinPGP 4.0 Key Generator
WinPlay3 v2.0 NOT A CRACK! Patch to turn panel green
WinPlay3 v2.0 WiNPLaY3 VeRSioN 2.0 crack
WinRar 2.00 WinRAR 2.00b Key Generator
WinZip WinZip Reg Number Generator
WinZip Self Extractor WinZip Self Extract Reg Key Maker
Wipeout XL Crack
WS-Ftp Pro 4.50 Crack to remove the expiration
Xara3D 1.05 Crack Patch
Xing MPEG Encoder v2.0 keymaker
X-Wing vs Tie Crack patches for 1.1 & 3D updates

Spoofing Tools
Programs to make you look like you're coming from some other address on the Internet (mostly used on IRC).
IdentD Spoofers (Identity Spoofers):
DC Internet Services
EyeDent
WinSpoof '97
DNS Spoofers:
cha0s IP Spoofer Cache a "ghost connection" on an IRC server
Erect '97 DOS port of "erect" spoofer, requires access to name server
Jizz DOS port of "jizz" spoofer, requires access to name server
Spewfy Cache a "ghost connection" on an IRC server

WinGate Tools
WinGate is a program that allows a computer to act as a gateway between networks. These programs exploit WinGate.
wGateScan v2.2 Scans B and C blocks for active WinGates
zFn Loads IRC flood clones through WinGate

Phreaking Tools
beige box Instructions for making a lineman's handset.
blue box Generates 2600 Mhz tones.
chartreuse box Lets you take power from a phone line.
chrome box Allows manipulation of traffic lights.
crimson box Lets you put people on hold.
gold box I'm not sure what this is for.
neon box Good for recording tones, or anything else.
white box Change a normal touchtone keypad into a portable unit.

Cracking & Hacking Newsgroups:
alt.cracks Great Place to get Cracks.
alt.cracker Cracks Forum, get and request Cracks.
alt.hackers Hackers Forum.
alt.hackintosh Forum on Hacking Macintosh.
alt.hackers.malicious Malicious Hackers Forum.
alt.binaries.warez.ibmpc Get some WareZ.
alt.binaries.warez.ibmpc.d Get some WareZ.
alt.binaries.warez.ibmpc.gamez Get some Gaming WareZ.
alt.binaries.warez.ibmpc.old Get some Older WareZ.
Serial Lists
Serial lists are rampant on the Internet. These sites contain known access codes that allow you to install and use virtually any software application you could name today. The distribution of these access codes is of course illegal, and therefore none of these illegal codes are

Other Tools
Ping (Packet Internet Groper): a basic Internet program that lets you verify that a particular Internet (IP) address exists and can accept requests. The verb ping means the act of using the ping utility or command. Ping is used diagnostically to ensure that a user's PC is properly connected to the Internet. If, for example, a user can't ping a host, then the user will be unable to use a browser or any other TCP/IP application with that host. Ping can also be used to learn the number form of the IP address from the symbolic domain name.
Sniffer: A sniffer is a program that monitors and analyzes network traffic, detecting bottlenecks and problems. Using this information, a network manager can keep traffic flowing efficiently. A sniffer can also be used illegitimately to capture data being transmitted on a network. A network router reads every packet of data passed to it, determining whether it is intended for a destination within the router's own network or whether it should be passed further along the Internet. A router with a sniffer, however, may be able to read the data in the packet as well as the source and destination addresses.
Spoof: 1) To deceive for the purpose of gaining access to someone else's resources (for example, to fake an Internet address so that one looks like a certain kind of Internet user). 2) To simulate a communications protocol by a program that is interjected into a normal sequence of processes for the purpose of adding some useful function.
Warez (pronounced as though spelled "wares", or possibly by some pronounced like the city of "Juarez") is a term used by software "pirates" to describe software that has been stripped of its copy protection and made available on the Internet for downloading. People who create warez sites sometimes call them "warez sitez" and use "z" in other pluralizations.
Exploits: an exploit is a program that 'exploits' a bug in a specific piece of software. All exploits are different; they do different things and exploit different bugs, which is why exploits are always program-specific. Exploits are made to get root on different operating systems. They achieve this by exploiting a bug in software when the software is running as root. In UNIX-type OSs, software may have to run as root (or UID 0) in order to perform a specific task that cannot be performed as another user. So basically the exploit crashes the software while running as root to give you the beautiful root prompt.
Pirated Software
Chapter 38

Are You at Risk?
Has your company illegally installed multiple copies of a software program on multiple computers? Is your company using pirated software? If so, you are at risk. If you are caught, the penalties can be huge. For example, one Louisiana hospital was found to be running 500 copies of WordPerfect, copied from a single copy of WordPerfect which itself was pirated. The company was caught and fined more than 2.5 million dollars.

Penalties for Using Pirated Software
Illegal distribution of software can subject a seller to arrest and felony charges with fines up to US$250,000 and prison terms of up to 5 years. If the copyright owner brings a civil action against you, the owner can seek to stop you from using its software immediately and can also request monetary damages. The copyright owner may then choose between actual damages, which include the amount it has lost because of your infringement as well as any profits attributable to the infringement, and statutory damages, which can be as much as $150,000 for each program copied.

Who is Responsible?
Company officials can be held responsible if they know about the use of pirated software, or if they take no measures to track and deter the use of pirated software. Simply looking the other way is not good enough in some states and jurisdictions. Under the "vicarious liability" provisions of the US Copyright Act, an employer is liable for acts committed by its employees when those acts are within the scope of their employment duties. Another theory of liability is the doctrine of contributory copyright infringement, whereby a party who does not do an infringing act but who aids or encourages it is liable for the infringement.
Sources for Pirated Software
2. The Black Market: The streets of Hong Kong are full of pirated software; products that sell for hundreds of dollars in the US are widely available for $5.00 on the black market.
3. WAREZ & SERIALZ (pronounced "wears", this term is hacker slang for illegal software): Tens of thousands of web sites exist where you can download virtually any software on the planet. Once downloaded, thousands more SERIALZ (pronounced "cereals", this term is hacker slang for illegal serial numbers) provide serial numbers that you can (attempt to) use in order to install the product.
4. Counterfeit Software: Yes, counterfeiters have gotten that good, and some counterfeit software finds its way into the mainstream. The industry is finding ways to fight back (such as the edge-to-edge holograms for Office XP, Windows 2000 and Windows XP CD-ROMs).

How to Find Pirated Software in Your Organization
Both Microsoft and the Business Software Alliance provide software management guides and tools that can help you organize and maintain your software inventory. You will get a better handle on what you need to purchase and what you need to eliminate to become compliant. These resources will help you determine if you have purchased genuine or counterfeit software.
As an example, the Microsoft Software Inventory Analyzer tool generates an inventory of the core Microsoft products installed on your local computer, or throughout a network. The MSIA is built specifically to be a starting point for working with Microsoft's Software Asset Management (SAM) tools, and to that end, it will work with networks that have 250 computers or less and will locate only Microsoft software. The results of the scan performed by MSIA are confidential; they are not sent to Microsoft. A sample report is shown below.
You should update and clean up your software inventory at least once a year. Whether you outsource the job to a reseller or IT specialist, or do it in-house, make reviewing your inventory an annual event. Purchase the software and sign up for the licenses you really need, and comply with the terms. Get rid of the rest.
http://www.microsoft.com/resources/sam/msia.mspx?lm=
15 Top Security/Hacking Tools & Utilities
Chapter 39
1. Nmap: Nmap (Network Mapper) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source.
Can be used by beginners (-sT) or by pros alike (--packet-trace). A very versatile tool, once you fully understand the results.
2. Nessus Remote Security Scanner: Recently went closed source, but is still essentially free. Works with a client-server framework. Nessus is the world's most popular vulnerability scanner, used in over 75,000 organizations worldwide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.
3. John the Ripper: JTR 1.7 was recently released! John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.
4. Nikto: Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version-specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
Nikto is a good CGI scanner; there are some other tools that go well with Nikto (focused on http fingerprinting or Google hacking/info gathering etc., another article for just those).
5. SuperScan: Powerful TCP port scanner, pinger, resolver. SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.
If you need an alternative for nmap on Windows with a decent interface, I suggest you check this out; it's pretty nice.
6. p0f: P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:
machines that connect to your box (SYN mode),
machines you connect to (SYN+ACK mode),
machines you cannot connect to (RST+ mode),
machines whose communications you can observe.
Basically it can fingerprint anything, just by listening; it doesn't make ANY active connections to the target machine.
7. Wireshark (Formerly Ethereal): Wireshark is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Wireshark features that are missing from closed-source sniffers. Works great on both Linux and Windows (with a GUI), easy to use and can reconstruct TCP/IP streams! Will do a tutorial on Wireshark later.
8. Yersinia: Yersinia is a network tool designed to take advantage of some weaknesses in different Layer 2 protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. Currently, the following network protocols are implemented: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).
The best Layer 2 kit there is.
9. Eraser: Eraser is an advanced security tool (for Windows), which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is Free software and its source code is released under the GNU General Public License.
An excellent tool for keeping your data really safe; if you've deleted it, make sure it's really gone, you don't want it hanging around to bite you in the ass.
10. PuTTY: PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. A must-have for any h40r wanting to telnet or SSH from Windows without having to use the crappy default MS command line clients.
11. LCP: The main purpose of the LCP program is user account password auditing and recovery in Windows NT/2000/XP/2003: account information import, password recovery, brute force session distribution, hash computing.
A good free alternative to L0phtcrack.
LCP was briefly mentioned in our well-read Rainbow Tables and RainbowCrack article.
12. Cain and Abel: Most hackers' favorite for password cracking of any kind.
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.
13. Kismet: Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
A good wireless tool as long as your card supports rfmon (look for an Orinoco Gold).
14. NetStumbler: Yes, a decent wireless tool for Windows! Sadly not as powerful as its Linux counterparts, but it's easy to use and has a nice interface, good for the basics of wardriving.
NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:
Verify that your network is set up the way you intended.
Find locations with poor coverage in your WLAN.
Detect other networks that may be causing interference on your network.
Detect unauthorized rogue access points in your workplace.
Help aim directional antennas for long-haul WLAN links.
Use it recreationally for WarDriving.
15. hping: To finish off, something a little more advanced if you want to test your TCP/IP packet monkey skills.
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
263
InformationSecurity
SafetyOnline
Chapter40
264
InformationSecurity
SafetyOnline
Usingtheinternetandsurfingthewebcanbeassweetandeasy.Unfortunatelyatothertimes,
online surfing can put you at risk. This chapter discusses a few common sense
recommendationstohelpyoustaysafeduringyouronlineactivities.
1. No Personal Information: Do not give out your personal information (full name, address, or phone number) to anyone online that you don't know or trust, because they might not be who they claim to be.
2. Verify That Friends Are Who They Say They Are: To avoid confusing your friends with strangers online, consider using a password or code word. Or you could simply call your friend to make sure they are online.
3. Financial Data: Only give out your bank account or credit card information to web sites you trust, and make sure that they are using encryption (i.e., the gold lock and https:// are used to indicate that the web site is secure).
4. Never Open E-Mail Attachments: Never open e-mail attachments from strangers unless you can trust them and you have security settings on your computer. Unknown e-mails may contain viruses or spyware that can harm your computer.
5. Beware Of Spoof E-Mail: Beware of spoof e-mail claiming to be from eBay, PayPal, or a bank or a company name you know, asking for personal or sensitive information. This is called phishing. The e-mail may inform you that there is a problem with your account/password. There may be a link to click inside, or even a phone number to call.
6. Online Arranged Meetings: If you decide to meet someone in person from online, go to a public place and let friends and family know your plans. Have an alternate plan if things turn out badly.
7. Anti-Virus Software: Get a good antivirus program, spyware remover, and firewall. There are free programs available online, such as Avast! antivirus, Grisoft's AVG Free, Microsoft AntiSpyware and Spybot, and Sygate personal firewall. They will block most attempts and alert you if problems are found.
8. Read The Fine Print: There are many survey sites that pay you for answering questions and filling out forms. If you do not want to receive junk mail or get put on a telemarketer list, look for a small box near the bottom of the page that asks if you want to receive information and offers from other companies. The best sites will have a statement listed that they will not sell your name to other companies. Some sites require you to give all your information to get the product, and sometimes you may get a ton of spam as a result. Only fill in required fields that are marked with a *. If the info box does not have an asterisk, it is optional and you can leave it blank.
9. Monitor Children: Monitor young children's (under 16) activities closely and use parental controls when available. Use a password a child will not guess. Install parental control software. The Internet is not child friendly.
10. Use Strong Passwords: As discussed in the Strong Passwords chapter.
11. Limit Your Buddy List: Web services such as Skype, AOL, Yahoo, or MSN have messengers that allow you to chat with others with an instant message (IM) or private message (PM) box. Go to the preferences or options menu and carefully choose settings. It is best to turn off messages from all users and only add people to your buddy list that you know very well or someone you choose to talk to.
12. Use Add-on Messaging Programs: YTunnelPro and YahElite are very good and helpful companions to Yahoo Messenger, and similar solutions are available for other messaging services.
13. Subscribe To Unimportant Things With A Secondary E-Mail Address: This will help keep you from getting spam to your regular address, and will protect your identity. A good site which allows you to create temporary e-mail addresses on the fly is Spam Motel. When you register on an unknown site, go to Spam Motel and create an e-mail address, and delete it when you have no further use for it.
Gmail and Hotmail also offer free e-mail addresses that work well for temporary or less important purposes.
14. Prepaid Credit Cards: If you feel uncomfortable giving away your credit card number online, consider using a prepaid credit card or a gift credit card instead. These often work the same as a regular credit card, but they only have a set amount on them, so that if someone gets hold of the prepaid card's number, they can't do as much damage.
15. WOT & NoScript: If you're using Firefox, download the extensions WOT, which tells you how trustworthy sites are, and NoScript, which denies JavaScript and other potentially malicious add-ons except on trusted sites.
16. Watch Your Mouth: Be careful what you say on the internet and understand that it is becoming common practice for employers to research what you have said online as part of the hiring process. What you say today could keep you from getting hired for your dream job five years from now.
17. No Birthdates Online: If you mention that you had a birthday recently, don't be specific about the date, or your exact age. These two items are enough to figure out your date of birth, a piece of info the banks use to help identify you.
18. Watch the Downloads: Be careful of what you download. If it's not open source/GNU, then make sure it's from a reputable site (widgets.yahoo.com, CNET's Download.com, etc.)*. When using P2P software such as Limewire, only download music and age-appropriate video. Anything else could be filled with viruses and who knows what.
19. Clear Your Browser's Cache Periodically: The cache stores web pages, images, and even some information about you on your computer, and should be cleared from time to time.
20. Block Cookies: Disable cookies permanently, or from time to time if you are surfing questionable web sites. For example, when researching this security course, I turned off my cookies often as I accessed web sites that I was not sure of.
21. Check to See if Your Computer Has Been Tracked: There is no surefire way to know if your computer is being hacked; however, there are many ways to distinctly reduce the chances of it being compromised, as follows:
22. Install a Firewall Device: Install a firewall as discussed in the Firewall chapter of these materials. Especially if connected to broadband via a network card, consider installing a router between the DSL or cable modem and the computer's network interface. This will move the public IP address from the computer to the router. The computer will receive a private IP address (provided by the router) and cannot be detected by hackers casually probing.
23. Use Anti-Spam Software: Turn on Junk Mail Filtering in Outlook or use Spybot or another similar tool.
24. Remove Anti-Virus Software That You Are Unhappy With: Disconnect your computer from the Internet when downloads are finished, as it will be vulnerable while you do this next step. Go into Control Panel, and choose Add/Remove Hardware. Uninstall any poorly performing antivirus software you have currently installed. Install a new antivirus solution. Connect your computer to the Internet again, and allow it to update fully.
25. Install KeyScrambler: Consider installing the KeyScrambler Personal add-on for Firefox. This add-on encrypts your keystrokes to protect your login information from key logging programs. If a hacker has a program inside your computer logging all your keystrokes to steal your passwords, all they will get from password fields on web pages is scrambled garbage.
26. Install HijackThis: If you want extra security from hackers, install HijackThis, a tool that is designed as extra security against home page hijacking.
27. Install Comodo BOClean: This is a real-time anti-malware scanner which works at registry level to stop malware installs.
28. Update Your Antivirus Software: Verify that your antivirus software is up to date at least once a week if it is the automatically updating type. Check daily if it must be manually updated. Windows will allow a great deal of time to elapse before alerting you that it is out of date. Most reputable antivirus developers release updates every couple of days, more often than that if warranted. It's a false sense of security running a computer with out-of-date antivirus definition files.
29. ActiveX: Don't install ActiveX controls from a web site you don't trust.
30. Be Suspicious of Thumbdrives: Don't run applications or copy content from disks, thumbdrives, CDs, etc. that have been provided by others (including friends), or that belong to you if they have previously been connected to another computer, unless scanned with your antivirus program first. If an infected computer has accessed the data on the media, the data is likely to be infected as well.
31. Be Suspicious of Web Sites: Watch out for any web sites requesting personal information. Unless you trust the site, it is unwise to give out your e-mail, address, phone number, or even name.
32. Beware Of Sites With Pop-Ups: Typically they'll be putting other things on your computer.
33. Block Pop-Ups: Use the Block Pop-up settings or install pop-up deleting software.
34. Browse The Internet Using Proxies: This will get rid of those nasty scripts that people use to identify your IP address, among other things. It doesn't matter whether you use a CGI, PHP, or anonymous proxy; they all have about even advantages and disadvantages. A good CGI/PHP proxy is Anonymouse. Also, Proxy.org has a long list of this kind of proxy, which can be useful.
35. Prevent Peeping: It is extremely unlikely someone is watching you through a physical camera, binoculars (or worse, a sniper scope) or screen recording device, but just to be on the safe side you might want to follow some of these obvious steps:
   a. Close all blinds and drapes through which someone could watch your computer monitor.
   b. Don't let anyone you wouldn't trust with your life near your computer unsupervised.
   c. Look for anything unfamiliar that is plugged into your computer.
   d. Buy one of these or use the equivalent of a small red eyepiece surrounded by red LEDs, and scan the area around your computer.
36. Always Assume That Your Online Activity Is Being Monitored: If you are using the internet on a network that isn't private (such as at work, school, a library, or a cybercafe), you are almost certainly being monitored. Don't do anything you wouldn't want the administrator(s) of that network seeing.
37. Avoid Clicking on Advertisements: Never click on an advertisement that isn't Google AdSense, and many times not even those. Doing so is a good way to get spyware and viruses on your computer.
38. Encrypt Wireless Connections: If you are using a wireless network to connect to the internet, encrypt it as strongly as you can. 32-bit is OK, 64-bit is good, 128-bit is better, and I sincerely doubt that you'll have access to 256-bit encryption, but if you do, I would use it.
39. Secure Your Passwords: Keep your passwords secure.
40. Never Remember Passwords: Never let your browser remember your passwords. Likewise, don't tell sites to remember you. Some forms of spyware can read cookies that sites will give you when they store your passwords.
41. Keep Ports Closed: Don't open ports in your firewall or use UPnP. Crackers have found ways to break through your firewall using open ports, allowing them to monitor your computer.
Blocking Spam
Chapter 41

SPAM
The word SPAM was originally created by Hormel Foods, maker of the canned "Shoulder Pork and hAM." Later, Monty Python's Flying Circus performed a spam skit in which a restaurant serves its food with loads of spam, and the waitress repeats the word several times in describing how much spam is in the items. When she does this, a group of Vikings in the corner start a song: "Spam, spam, spam, spam, spam, spam, spam, spam, lovely spam! Wonderful spam!" Thus the meaning of the term is at least something that keeps repeating and repeating to great annoyance. (1)

How Big is the Spam Problem? The California legislature found that spam cost United States organizations alone more than $13 billion in 2007, including lost productivity and the additional equipment, software, and manpower needed to combat the problem. Ferris Research estimates the 2007 cost of spam at $100 billion worldwide, and $35 billion in the US, more than double the cost in 2005. Presented below are a few statistics:
Spam Statistics                     Non-Spam                           Spam
1. Total e-mails sent in 2006       6 trillion (25 billion per day)    18 trillion (75 billion per day)
2.                                  600 per week                       1,800 per week
3. The vast majority of spam messages are around 5 KB.
4. Around 10% of spam messages are in the 100 KB to 1 MB range.
5. Around 5% of spam messages are bigger than 1 MB.
6. Cost of a user deleting a spam message: $0.04
7. Cost of a user retrieving a bona fide message erroneously deleted as spam (false positive): $3.50
Where You Might Encounter Spam
1. E-mail Spam: Unsolicited e-mail, usually promotional.
2. Instant Messaging: Unsolicited chats sent to AOL, ICQ or Windows Live.
3. Chat Rooms: Online web sites where users communicate in real time.
4. Newsgroups and Forums: Web sites where users post comments.
5. Mobile Phone: Spam text messages sent to your mobile phone number.
6. Online Game Messaging: Messaging between gamers.
7. Search Engines (Spamdexing): HTML code makes a page rank higher than it should.
8. Blog, Wiki, and Guestbooks: Spam takes advantage of the open nature of comment pages.
9. Video Web Sites (like YouTube): Spam usually appears in the comments section.
Spam Laws
In 2004, the United States passed the CAN-SPAM Act of 2003, which provided ISPs with tools to combat spam. For example, this act allowed Yahoo! to successfully sue Eric Head, reportedly one of the biggest spammers in the world. The law's primary provisions are as follows:
1. Bans false or misleading header information. Your e-mail's "From," "To," and routing information, including the originating domain name and e-mail address, must be accurate and identify the person who initiated the e-mail.
2. Prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.
3. Requires that your e-mail give recipients an opt-out method.
4. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your commercial e-mail.
5. It's illegal for you to sell or transfer the e-mail addresses of people who choose not to receive your e-mail, even in the form of a mailing list, unless you transfer the addresses so another entity can comply with the law.
6. Requires that commercial e-mail be identified as an advertisement and include the sender's valid physical postal address.
Each violation of the above provisions is subject to fines of up to $11,000.
Spamming Seems to Work
If everyone ignored spam, then spamming would stop. However, because spammers find it rewarding, they keep spamming. Spam is growing, not shrinking.

SpamCop
SpamCop is a free spam reporting service where you can report offenses to the senders' Internet Service Providers (ISPs), and sometimes their web hosts. This feedback is used to compile the "SpamCop Blocking List" (SCBL) and other lists. Those whose IP addresses are included on these lists have their mail rejected by servers that subscribe to the SCBL. Comments:
1. Backscatter: SpamCop is controversial in that it automatically lists IP addresses that send mail to spamtrap e-mail addresses. Since these addresses may be falsely used as return addresses on spam messages, backscatter caused by these messages (including vacation messages and other auto-replies) can result in an otherwise innocent server being blocklisted if it fails to employ backscatter prevention techniques.
2. Blocks Expire: One of the unique features of the SCBL is that a listing expires automatically when no spam is reported from that source for 24 hours.
3. Filter: SpamCop recommends that the SCBL be used as a filter, rather than a block.

Spammers Get Nasty with Blue Frog
The anti-spam Blue Frog software provided a Firefox and Internet Explorer plugin allowing e-mail users to report their spam automatically; Blue Frog then sent complaints to the web sites being promoted in the spam messages, one complaint for each spam incident. In May 2006, Blue Security underwent a retaliatory DDoS attack initiated by spammers; their servers folded under the load and caused the entire hosting provider's (Six Apart) server farm to collapse. Blue Security identified the attackers as PharmaMaster, AKA Christopher Brown, Swank, "Dollar", Joshua Burch, "zMACk", "some Russians", Leo Kuvayev, and Alex Blood. Blue Security ceased its anti-spam operation on May 16, 2006. The spammers won.
SPAM Blocking Solutions
Presented below is a comparison list of some of the more popular SPAM blocking utilities available today, as compiled by SpamFilterReview (http://www.spamfilterreview.com/). These products range in price from $5 to $40.
How Spam Blocker Programs Work
Every day spammers find new routes to try to get into your e-mail inbox. Most spam consists of unwanted advertising, but some can transmit viruses, adware or spyware onto your computer and cause problems. Of course, it is also extremely annoying to go to your inbox and have to look through a whole list of e-mails to find one legitimate e-mail.
An effective anti-spam program can solve many of your e-mail problems. Not only do these programs block unwanted spam, but they can also organize your e-mails into folders, so your inbox only includes wanted e-mail. So, what does a quality spam filter do exactly? Here is a summary:
1. Establishes White Lists and Black Lists: A white list is a specific list of approved addresses that you set. Items not on the approved list and "known" spammers automatically go to the black list and are blocked, deleted or filed.
2. Blocks "Sporn": All good programs allow you to block a high percentage of spammed pornography. Some will also filter out "adult" content e-mails or block adult-oriented images.
3. Organizes E-mails: Not everyone wants to block all of their e-mails. Most programs will allow users to build folders, such as financial, adult-oriented, games or others, and the program will put incoming e-mails into assigned folders. This gives the user a choice about which e-mails they want to look at.
Presented below is a diagram highlighting the various types of information, data, and attributes today's top spam blocking systems check in order to block spam.
Bayesian SPAM Filters
Some argue that a better approach for identifying SPAM is to employ a Bayesian filter system in which your current spam messages are statistically analyzed to create a basis for rejecting future spam. This is important because a CPA firm will not want to use the same filtering methodology as a doctor's office that receives numerous e-mails discussing breast cancer. With Bayesian filtering, a unique and individual algorithm is created and continually updated based on the e-mails you receive and those you reject. Over time, your system learns which types of e-mails to reject automatically.
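As an added illustration (not code from the course materials or from any product named in them), here is a small naive Bayes filter in Python that learns from the mail each organization has already classified; the message samples, the CPA firm and clinic training sets, and the class and function names are all constructed for this example. It shows the point made above: the same legitimate message about breast cancer screening is rejected by the filter trained on a CPA firm's mail and accepted by the one trained on a clinic's mail, while obvious spam is rejected by both.

```python
# Added example, not from the course materials: a minimal Bayesian spam filter
# trained separately on two organizations' mail. All messages are constructed.
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokenize(text):
    """Lower-case word tokens; a word repeated inside one message counts once."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianFilter:
    """Naive Bayes over word presence, with add-one (Laplace) smoothing."""

    def __init__(self):
        self.spam_words = Counter()  # word -> number of spam messages containing it
        self.ham_words = Counter()   # word -> number of legitimate messages containing it
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text, is_spam):
        """Continually updated: every message the user classifies adjusts the counts."""
        words = tokenize(text)
        if is_spam:
            self.spam_msgs += 1
            self.spam_words.update(words)
        else:
            self.ham_msgs += 1
            self.ham_words.update(words)

    def spam_probability(self, text):
        """P(spam | words), accumulated as log-odds so many small factors do not underflow."""
        vocab = set(self.spam_words) | set(self.ham_words)
        log_odds = math.log((self.spam_msgs + 1) / (self.ham_msgs + 1))  # smoothed prior
        for word in tokenize(text):
            if word not in vocab:
                continue  # never-seen words carry no evidence either way
            # add-one smoothing: a word seen in only one class must not force 0 or 1
            p_spam = (self.spam_words[word] + 1) / (self.spam_msgs + 2)
            p_ham = (self.ham_words[word] + 1) / (self.ham_msgs + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


# Constructed training data. Spam looks much the same everywhere...
SPAM_SAMPLES = [
    "cheap pills, order now and save $$$",
    "you have won a free prize, click here to claim your money now",
    "refinance your mortgage today, lowest rates, act now",
    "miracle cancer cure pills, order now, free shipping",
]
# ...but legitimate mail differs: an accounting firm versus a medical office.
CPA_HAM = [
    "please send the quarterly tax return and the audit schedule",
    "the client invoice and payroll ledger are attached",
    "reminder: the 1099 filing deadline is next week",
]
CLINIC_HAM = [
    "patient referral for breast cancer screening attached",
    "please reschedule the oncology appointment at the breast clinic",
    "screening results for the cancer patient are ready",
]


def build_filter(ham_samples):
    """Train one filter from the shared spam and an organization's own ham."""
    f = BayesianFilter()
    for msg in SPAM_SAMPLES:
        f.train(msg, True)
    for msg in ham_samples:
        f.train(msg, False)
    return f


def classify_everywhere(text):
    """Return (cpa_firm_says_spam, clinic_says_spam) for the same message."""
    return (build_filter(CPA_HAM).is_spam(text),
            build_filter(CLINIC_HAM).is_spam(text))


if __name__ == "__main__":
    for msg in ("breast cancer screening results for your patient",
                "order cheap pills now, free shipping",
                "the quarterly payroll ledger is attached for review"):
        print(msg, "->", classify_everywhere(msg))
```

With so little training data the verdict on the clinic message at the CPA firm hinges on a couple of words ("your", "cancer") that only ever appeared in spam there, which is exactly why each site must train on its own mail and keep training as verdicts are corrected.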
Yet another measure you can take to block SPAM is to set up rules in your e-mail or turn on spam and adult content filtering in your e-mail client. This is discussed in more detail under e-mail tips and tricks.
What to Look for in Spam Filter Software
Spam filters should work with your e-mail service and offer the following features.
1. Rules: A good spam filtering program gives you the ability to set rules about which e-mails you want to receive, reject or delete.
2. Quarantine: Your spam filter should move mail to a quarantine folder and allow you to look through it at your own discretion.
3. Blacklists: You should be able to set up blacklists and whitelists.
4. Compatible: Most importantly, your spam filter should work with the e-mail service that you use.
5. Ease of Use: The product should be easy to use even for an inexperienced computer operator.
6. Ease of Installation & Setup: The product should install quickly and without errors.
7. Stability: The spam filtering software should offer dependable performance and be compatible with your other programs.
8. Block Spam: The software should have the ability to block unwanted spam.
9. Blocking Levels: The software should allow the user to decide what level of filtering they want, and be in control of how the e-mails are organized. High filter options block and delete all e-mails that are not on an approved list. Lower filter levels sort all e-mails and save them in folders to let the user decide which ones to open or delete.
10. Keeps Your Inbox Clean: Your spam mail filter should go through and delete unwanted e-mail for you.
Using Outlook's Junk E-Mail Filter
The Junk E-mail Filter in Microsoft Office Outlook 2007 is designed to catch the most obvious spam and send it to your Junk E-mail folder. The Outlook Junk E-mail Filter evaluates each incoming message based on several factors, including:
1. The time when the message was sent, and
2. The content of the message.
The filter does not single out any particular sender or message type, but instead analyzes each message based on its content and structure to discover whether or not it is probably spam. The Junk E-mail Filter is turned on by default, and the protection level is set to Low. This level is designed to catch the most obvious spam. You can make the filter more aggressive by changing the level of protection.
Also, the Junk E-mail Filter can be updated periodically to protect against the latest techniques that spammers use to spam your Inbox. Any message that is caught by the Junk E-mail Filter is moved to a special Junk E-mail folder. It is a good idea to review the messages in the Junk E-mail folder from time to time to make sure that they are not legitimate messages that you want to see. If they are legitimate, you can move them back to the Inbox by marking them as not junk. You can also drag them to any folder.
10 Tips to Help Reduce Spam
1. Use the Junk E-mail Filter in Outlook: Outlook 2007 helps to mitigate the problem of spam by providing the Junk E-mail Filter, which automatically evaluates incoming messages and sends those identified as spam to the Junk E-mail folder.
2. Block Pictures That Spammers Use As Web Beacons: Office Outlook 2007 has an anti-spam feature that blocks automatic picture downloads when the content is linked to a server. If you open a message that has external content when this feature is turned off, the external content downloads automatically, inadvertently verifying to the server that your e-mail address is a valid one. Your e-mail address can then be sold to a spammer. You can unblock external content for messages that come from sources that you trust.
3. Turn Off Read And Delivery Receipts And Automatic Processing Of Meeting Requests: Spammers sometimes resort to sending meeting requests and messages that include requests for read and delivery receipts. Responding to such meeting requests and read receipts might help spammers to verify your e-mail address. You may want to turn off this functionality.
To turn off read receipts, on the Outlook Tools menu, click Options, E-mail Options, Tracking Options, and click "Never send a response." To turn off automatic acceptance of meeting requests, click the Outlook Tools menu, Options, Calendar Options, Advanced options, Resource Scheduling, and clear the "Automatically accept meeting requests and process cancellations" check box.
4. Protect Your E-Mail Address: Be cautious about posting your e-mail address on public Web sites, such as newsgroups, chat rooms, bulletin boards, and so forth. When visiting public sites, you might want to use an e-mail address that is different from your main e-mail address. Remove your e-mail address from your personal Web site. Whenever you list or link to your e-mail address, you increase your chances of being spammed.
5. Review The Privacy Policies Of Web Sites: When you sign up for online banking, shopping, or newsletters, review the privacy policy of the site carefully before you reveal your e-mail address or other personal information. Look for a link or section (usually at the bottom of the Web site's home page) called "Privacy Statement," "Privacy Policy," "Terms and Conditions," or "Terms of Use." If the Web site does not explain how your personal information will be used, consider not using the services at that site.
6. Watch Out For Check Boxes That Are Already Selected: When you shop online, companies sometimes add a check box that is already selected, which indicates that it is fine with you if the company sells or gives your e-mail address to other businesses (or "third parties"). Clear this check box so that your e-mail address is not shared.
7. Don't Reply To Spam: Never reply to an e-mail message, not even to unsubscribe from a mailing list, unless you know and trust the sender, such as when the e-mail message comes from a service, an online store, or a newsletter that you have signed up with. Answering spam just confirms to the spammer that your e-mail address is an active one.
8. Don't Send Personal Information Via E-Mail: Most legitimate companies will not ask for personal information to be sent in e-mail. Be suspicious if they do. Such a request could be a spoofed e-mail message disguised to look like a legitimate one. This tactic is known as phishing. If the possible spam appears to be sent by a company that you do business with, for example your credit card company, then call the company to verify that they sent it, but don't use any phone number that is provided in the e-mail. Instead, use a number that you find by using other means, such as directory assistance, a statement, or a bill. If the request is a legitimate one, the company's customer service representative should be able to assist you.
9. Don't Contribute To A Charity In Response To A Request Sent In E-Mail: Unfortunately, some spammers prey on your goodwill. If you receive an e-mail appeal from a charity, treat it as spam. If the charity is one that you want to support, locate their telephone number or Web site to find out how you can make a contribution.
10. Don't Forward Chain E-Mail Messages: Besides increasing overall e-mail volume, by forwarding a chain e-mail message you might be furthering a hoax, and meanwhile you lose control over who sees your e-mail address.
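An added example, not from the course materials or from Outlook, showing what the picture-blocking setting in tip 2 defends against: a short Python check that lists the external images in a constructed HTML e-mail body (each of which would contact a server if downloaded) and flags those that look like tracking beacons. The sample message, the three heuristics, and the function names are constructed for this example.

```python
# Added example, not from the course materials or from Outlook: list the
# external images in an HTML e-mail and flag likely tracking beacons.
# The sample message, the heuristics and the function names are constructed.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class RemoteImageCollector(HTMLParser):
    """Collect every <img> whose src would be fetched from a remote server."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        img = {name: (value or "") for name, value in attrs}
        # cid: and data: sources are embedded in the mail; only http(s) contacts a server
        if urlparse(img.get("src", "")).scheme in ("http", "https"):
            self.images.append(img)


def find_remote_images(html):
    """Every remote image: downloading any of them confirms the address is live."""
    parser = RemoteImageCollector()
    parser.feed(html)
    return parser.images


def beacon_indicators(img):
    """Traits that make a remote image look like a beacon rather than content."""
    reasons = []
    if img.get("width", "").strip() in ("0", "1") or img.get("height", "").strip() in ("0", "1"):
        reasons.append("tiny dimensions")
    if parse_qs(urlparse(img.get("src", "")).query):
        reasons.append("query string (can carry a per-recipient id)")
    if not img.get("alt", "").strip():
        reasons.append("no alt text")
    return reasons


def find_beacons(html):
    """Remote images showing at least two beacon traits (a heuristic, not proof)."""
    return [img["src"] for img in find_remote_images(html)
            if len(beacon_indicators(img)) >= 2]


# Constructed sample: an embedded logo, a real banner and a 1x1 tracking pixel.
SAMPLE_EMAIL = """<html><body>
<p>Great deals this week!</p>
<img src="cid:logo@example" alt="Company logo">
<img src="https://cdn.example.net/banner.jpg" alt="Banner" width="600" height="200">
<img src="https://track.example-mailer.net/open.gif?uid=a1b2c3" width="1" height="1" alt="">
</body></html>"""

if __name__ == "__main__":
    print("remote images:", [i["src"] for i in find_remote_images(SAMPLE_EMAIL)])
    print("likely beacons:", find_beacons(SAMPLE_EMAIL))
```

The banner is also external content and still leaks the open event if fetched, which is why the safe default is to block every remote image and unblock only trusted senders; the beacon heuristics just show which images exist for no other purpose.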
Security Book Reviews
Chapter 42

Information Security Book Reviews
There are several dozen books available on Information Security, ranging in price from $22 to over $795. Many of these books focus on specific aspects of security such as securing network routers, protecting against identity theft, or implementing security policies. For your benefit, I have briefly reviewed several of these books for you below.
$795, 2005, 700+ pages + CD-ROM, by Charles Cresson Wood
This book focuses a great deal on policies and provides over 1,350 written policies and 18 policy documents, including Electronic Mail Policy, Internet Security, Policy for End Users and Web Privacy Policy, High-Level Security Policy, Privacy Policy, Information Ownership Policy, Firewall Policy, Data Classification Policy and Network Security Policy. If you want to CYA and inundate your people with documents and rules, this book will help you accomplish these goals.

$167, 2007, 3,280 pages, by Harold F. Tipton and Micki Krause

$85, 2007, 600 pages, by Michael E. Whitman and Herbert J. Mattord
This book is used more as a text in college-level courses. It focuses primarily on the Common Body of Knowledge in the area of information security management as compiled by Certified Information Systems Security Professionals (CISSP).

$31, 2007, 400 pages, by Andrew Jaquith

$26, 2006, 400 pages, by Mark Osborne
Using less technical language, this book is written for smaller office environments; it focuses less on policies and security governance, and more on practical measures companies can take to secure their information. It is a little easier to read and follow than the books reviewed above.

Conclusion
As is the case with so many books I read, many of these books seem to take a really good lengthy article and turn it into a book that makes the reader work hard to ferret out the various tidbits of information. There are far too few checklists of action items, and far too much discussion of security theory.
Fingerprint Technology
Chapter 43
Fingerprint Scanners Replace Employee Time Clocks
An increasing number of businesses are using biometric scanners to log the precise time of employee arrival and departure. Some workers are doing it at Dunkin' Donuts, at Hilton hotels, even at Marine Corps bases. Employees at a growing number of businesses are starting and ending their days by pressing a hand or finger to a scanner that logs the precise time of their arrival and departure, information that is automatically reflected in payroll records. Manufacturers say these biometric devices improve efficiency and streamline payroll operations. Employers big and small buy them with the dual goals of keeping workers honest and automating outdated record-keeping systems that rely on paper time sheets. Example devices are shown below.
Cities as big as Chicago and as small as Tahlequah, Okla., have turned to fingerprint-driven ID systems to record employee work hours in recent years. And the systems have been introduced into plenty of other workplaces without much grumbling by employees, especially those already used to punching a clock.

Some Workers Don't Like It
Some workers see the efforts to track their movements via fingerprints as excessive or creepy. Ricardo Hinkle, a landscape architect, stated: "Psychologically, I think it has had a huge impact on the workforce here because it is demeaning and because it's a system based on mistrust." He called the fingerprint timekeeping systems a bureaucratic intrusion on professionals who never used to think twice about putting in extra time on a project they cared about, and could rely on human managers to exercise a little flexibility on matters regarding work hours.
Protests over using palm scanners to log employee time have been especially loud in New York City, where officials have spent $410 million to install an automated attendance tracking system that may eventually be used by 160,000 city workers. The city expects to save $60 million per year by modernizing a complicated record-keeping system that now requires one full-time timekeeper for every 100 to 250 employees. The new system, called CityTime, would free up thousands of city employees to do less paper pushing. Another benefit of the system is curtailing fraud. Several times each year, New York City's Department of Investigation charges city employees with taking unauthorized time off and falsifying time cards to make it look as though they worked. Other cities have embraced similar technology.
The consulting firm International Biometric Group estimates that $635 million worth of these high-tech devices were sold last year, and projects that the industry will be worth more than $1 billion by 2011. Ingersoll Rand Security Technologies, a leading manufacturer of hand scanners based in Campbell, Calif., said it has sold at least 150,000 of the devices to Dunkin' Donuts and McDonald's franchises, Hilton hotels and to Marine Corps bases, who use them to track civilian hours.
Jon Mooney, Ingersoll Rand's general manager of biometrics, said the privacy concerns are unfounded. The hand scanners don't keep large databases of people's fingerprints, only a record of their hand shape, he said. Still, union officials in New York said they are concerned that the machines could eventually be used not just to crack down on employees skipping work, but to nitpick honest workers or invade their privacy. "The bottom line is that these palm scanners are designed to exercise more control over the workforce," said Claude Fort, president of Local 375. "They aren't there for security purposes. It has nothing to do with productivity.... It is about control, and that is what makes us nervous."

New Systems Prevent Time Card Fraud
The new fingerprint time clocks prevent fraud because employees can no longer clock in or out for one another. The old trick is to sneak out of work early, asking a co-worker to punch out for you at the end of the shift while promising to return the favor in the future. Employees who complain bitterly about the new fingerprint time clocks seem to worry most that they will no longer be able to produce fraudulent time cards.

New Systems are Faster and Paperless
The bottom line is that the new systems are faster and paperless, thereby saving time and reducing administration hassles. Fingerprint time clocks are now integrated with accounting systems. For example, a product called Count Me In (costing $300 for up to 50 employees) can feed information directly to QuickBooks and other payroll and accounting programs. Rules can also be set in the system's calendar so that an employee cannot clock in unless he is scheduled to work at that time. Neal A. Katz, a vice president at Count Me In, acknowledges that some workers may be skittish about providing a fingerprint. But he explains that his system does not store fingerprint images. Rather, it converts a fingerprint into a mathematical code based on the distance between the lines and curves on the print. Your fingerprint can't be given to someone else, he says.

Fingerprint-Controlled Door Locks
The BioCert iQBio GuardianXL Fingerprint Biometric Door Lock runs exclusively on battery power. Powered by 4 AA batteries, it can be operated for up to a year without changing the batteries. Fingerprint enrollment is quick and easy. Up to 30 users can be enrolled and removed from enrollment immediately, directly on the BioCert iQBio GuardianXL Fingerprint Biometric Door Lock at the door. Benefits:
1. When someone loses their key or, worse yet, when a key is lost or stolen, regular door locks cause problems.
2. With the BioCert iQBio GuardianXL fingerprint door lock you can program up to 138 individuals' fingerprints into the lock, and then grant access to whomever you choose.
3. Walkers & Joggers don't like carrying extra items like wallets, purses and keys, and often the solution is to simply leave your front door open or leave a key under the mat.
4. Entrusting even the most responsible child with a key can be problematic. Keys that are lost, stolen or simply left in a desk at school will not ensure that your child arrives safely inside the house after a day at school. With a fingerprint door lock, your child can always enter their home even when you can't be there.
5. Shared Residence, Condos, Apartments & Time Shares: If you own a piece of property where you share ownership, such as a condo, leased apartment or vacation home, a fingerprint door lock will allow you to grant access to all ownership parties while maintaining absolute control over who has access. You can be guaranteed that there will be no key swapping or sharing and that only the authorized individuals have access, using the security of Fingerprint Biometric Technology.
6. IT Rooms and Server Closets: The United States Air Force, Army and Navy are all using the BioCert iQBio GuardianXL to secure their local IT closets and remote server rooms.
7. Executive Suites or Executive Bathrooms: Designed around the needs of small and medium business, the Guardian XL Biometric Doorlock is capable of holding 2 administrators and up to 97 additional users.
8. Human Resource Offices & Financial Records Rooms
9. Medical Records, Pharmacies, Regional Clinics and Doctors' Offices: The Guardian XL doorlock is HIPAA-compliance enabled.
Fingerprint Systems are Not Always Secure
There are ways to defeat fingerprint systems.
1. Employees could be forced to provide fingerprints, whereas password systems can use a secondary (duress) password that opens the door normally but triggers a hidden alarm.
2. Fingers can be severed or chopped off; however, in March 2008 a new fingerprint reader from Futronic was released which verifies that the finger is a living finger by measuring heat, sweat and a heartbeat before activating.
3. MythBusters showed that even these new readers can be fooled. They were able to recreate a latex fingerprint, attach it to a live person, and lick the fingerprint to reproduce sweat. Even a photocopy of a fingerprint that was licked also beat the lock. Here is the YouTube clip: http://www.youtube.com/watch?v=LA4Xx5Noxyo
4. Fingerprints can be duplicated. One scientist in Japan was able to use a gummy bear to successfully duplicate a fingerprint.
5. Fingerprints can be reproduced. This web site walks you through the process for capturing and recreating a fingerprint: http://www.stdot.com/pub/ffs/hack3.html. Unlike a password, a fingerprint that has been copied cannot be changed or reissued, so a single successful capture compromises that credential permanently.
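The duress-credential idea in item 1 above, as an added example that is not code from the original handout or from any lock vendor: a door controller that accepts either the user's normal password or a secondary duress password. Both return the same answer to the door (access granted), so a coercer watching the keypad sees nothing different; only a separate monitoring channel records the duress match. The PBKDF2 hashing, the `enroll`/`authenticate` names, the alarm list and the sample credentials are assumptions made for this example.

```python
"""Duress password check: added example, not code from the original handout.

A door controller that accepts a normal password or a secondary "duress"
password. Both produce the same result at the door (access granted), so a
coercer watching the keypad learns nothing; only the monitoring channel
sees the difference. Function names, hashing parameters and the sample
credentials are assumptions made for this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000  # assumption: any modern work factor would do


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored hashes cannot be compared directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass(frozen=True)
class UserRecord:
    username: str
    salt: bytes
    normal_hash: bytes
    duress_hash: bytes


def enroll(username: str, password: str, duress_password: str) -> UserRecord:
    """Store hashes of both credentials under one salt; the two must differ."""
    if password == duress_password:
        raise ValueError("duress password must differ from the normal password")
    salt = os.urandom(16)
    return UserRecord(
        username=username,
        salt=salt,
        normal_hash=hash_password(password, salt),
        duress_hash=hash_password(duress_password, salt),
    )


def authenticate(record: UserRecord, attempt: str, alarm_channel: list) -> bool:
    """Return True if the door should open.

    A duress match also appends an event to alarm_channel (the silent side
    channel); the value returned to the door is the same either way.
    """
    attempt_hash = hash_password(attempt, record.salt)
    # Evaluate both comparisons unconditionally and with constant-time
    # compare_digest, so timing does not reveal which credential matched.
    normal_ok = hmac.compare_digest(attempt_hash, record.normal_hash)
    duress_ok = hmac.compare_digest(attempt_hash, record.duress_hash)
    if duress_ok:
        alarm_channel.append(f"DURESS:{record.username}")
    return normal_ok or duress_ok


if __name__ == "__main__":
    # Constructed sample enrollment; not real credentials.
    alarms: list = []
    user = enroll("jdoe", "correct horse battery", "staple under duress")
    print(authenticate(user, "correct horse battery", alarms), alarms)  # True []
    print(authenticate(user, "staple under duress", alarms), alarms)    # True ['DURESS:jdoe']
    print(authenticate(user, "wrong", alarms), alarms)                   # False ['DURESS:jdoe']
```

The point of the design is that nothing observable at the door differs between the two accepted credentials: same return value, same delay (both hashes are always compared), same lock behaviour. A fingerprint reader has no equivalent second credential to offer, which is why the handout lists coercion as a weakness specific to biometrics.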
Perhaps the more common approach is to attack the fingerprint reader itself rather than the fingerprint. On this web page two hackers explain one method for achieving this goal: http://www.securityfocus.com/news/6717. Still another approach is to install a fake fingerprint reader which captures people's fingerprints, in much the same way criminals use fake ATM devices (skimmers) to capture ATM card numbers and PINs.
Biography & Contact Information
J. Carlton Collins, CPA, ASA Research, Carlton@ASAresearch.com, 770.734.0950
J. Carlton Collins is an accounting software analyst and the editor of the Accounting Software Advisor website. Since 1984, Carlton has worked in the accounting software industry installing systems, consulting with end users, lecturing to more than one hundred thousand businesses, consulting to accounting software companies, and publishing books, articles and websites. Carlton is experienced with many of the top accounting software packages such as MAS 500, BusinessWorks, Great Plains, Navision, Axapta, ACCPAC Advantage Series, Epicor, Open Systems Traverse, MAS 90, MAS 200, Exact's Macola ES, Peachtree Complete Accounting, SouthWare, SAP R/3, QuickBooks, Microsoft Office Accounting, BusinessVision 32, and more.
In 1983, Carlton developed spreadsheet templates for financial feasibility studies that were used as a basis for more than $3 billion in bond issues, including rated bonds, private placements, and junk bonds. In 1989 Carlton became an advisor to Lotus Development Corporation, where he helped Lotus develop spreadsheet templates and marketing strategies. In 1992 Carlton took 2 entire days to personally demonstrate over 500 pages of suggestions for improving Microsoft Excel to the entire Excel development team; many of those features made their way into Excel 4.0, and shortly thereafter Excel became the dominant spreadsheet tool, surpassing Lotus 1-2-3.
Selected Positions, Awards & Accomplishments:
1. 2008 Chairman of the Southeast Accounting Show, the south's largest CPA event.
2. Named Top Ten CPA Technologists by Accounting Technologies Magazine.
3. Named Top 100 Most Influential CPAs by Accounting Technologies Magazine in multiple years.
4. Recipient of the AICPA Lifetime Technical Contribution to the CPA Profession Award.
5. 1995 Recipient of the Outstanding Discussion Leader Award from the Georgia Society of CPAs.
6. 2008 Recipient of the Outstanding Discussion Leader Award from the Alabama Society of CPAs.
7. Has personally delivered over 2,000 technology lectures around the world.
8. Has published 94+ pages of technology articles in the Journal of Accountancy.
9. Selected by Microsoft to develop 27-hour CPE training materials on Microsoft Office Accounting.
10. Lead author for PPC's Guide to Installing Microcomputer Accounting Systems.
11. Has installed accounting systems for more than 200 companies.
12. Has assisted thousands with the selection of an appropriate accounting system.
13. Past Chairperson of the AICPA Technology Conference.
14. Past Chairman of the Georgia Society of CPAs PC Advisory Committee.
15. Founder and past five-term President of the PC Consultants Group of Atlanta.
16. Has lectured in more than 40 States and five countries.
17. Has delivered keynote and session lectures at dozens of accounting software conferences including seven Microsoft Partner Conferences, five Sage Conferences, and multiple conferences for Epicor, Open Systems, Exact Software, Sage ACCPAC ERP, Dynamics.NAN, Dynamics.AX, SouthWare, Axapta.
18. Has provided consulting services to many computer companies (including Compaq, IBM, Microsoft, Apple, Novell, Peachtree, Epicor, Sage Software, Softline, Exact, ACCPAC, Intuit, Peachtree, Great Plains, and others).
Carlton's diverse background is an asset in providing his specialized consulting skills. He has six years of accounting, auditing and tax experience in the areas of health care, construction, distribution, automobile dealerships, insurance, manufacturing, and general business. His tax experience includes corporate, individual, partnership, fiduciary, and estate tax planning work. Carlton also has been heavily involved in the other areas of financial forecasts, bond issues, Medicare and Medicaid reimbursement, conventional financing, pension and profit sharing plans, and business planning.