
ASA Research

Information
Security

J. Carlton Collins
ASA Research - Atlanta, Georgia
770.734.0950
Carlton@ASAResearch.com

Information Security

Table of Contents

Chapter   Chapter Title & Page Count                              Page Number
1         Locks (2 Pages)                                          6
2         Government Compliance (3 Pages)                          8
3         Securing Hard Drives and Laptop Computers (16 Pages)     11
4         Encryption (12 Pages)                                    27
5         Strong Passwords (7 Pages)                               39
6         Windows Files and Folders (8 Pages)                      46
7         System Restore (3 Pages)                                 54
8         Firewalls (7 Pages)                                      57
9         Wireless Security (8 Pages)                              64
10        Checking the Security of your PC (4 Pages)               72
11        Online Security Tests (3 Pages)                          76
12        Windows User Accounts & Groups (6 Pages)                 79
13        Windows Screen Savers (4 Pages)                          85
14        Pornography (4 Pages)                                    89
15        Sample Contracts (9 Pages)                               93
16        Computer Bread Crumbs (6 Pages)                          102
17        Computer Disposal (5 Pages)                              108
18        Backup Strategy (14 Pages)                               113
19        Viruses (6 Pages)                                        127
20        Phishing (7 Pages)                                       133
21        Spy Stuff (14 Pages)                                     140
22        Privacy Test (6 Pages)                                   154
23        Fake IDs (7 Pages)                                       160
24        National ID Cards (4 Pages)                              167
25        Fake Social Security Cards (5 Pages)                     171
26        Identity Theft (14 Pages)                                176
27        Employee Theft (6 Pages)                                 190
28        Background Checks (5 Pages)                              196
29        Bonding Employees (3 Pages)                              201
30        Asterisk Key (2 Pages)                                   204
31        Encryption Analyzer & Passware (3 Pages)                 206
32        Securing Desktop Computers (3 Pages)                     209
33        Windows Services (6 Pages)                               212
34        Risk of Fire (3 Pages)                                   218
35        Credit Card Fraud (11 Pages)                             221
36        Counterfeit Money (9 Pages)                              232
37        Cracking and Hacking Primer (15 Pages)                   241
38        Pirated Software (4 Pages)                               256
39        15 Top Security/Hacking Tools (4 Pages)                  260
40        Safety Online (6 Pages)                                  264
41        Spam (11 Pages)                                          270
42        Security Book Reviews (3 Pages)                          281
43        Fingerprint Technology (6 Pages)                         284
44        Appendix A: Instructor's Biography (1 Page)              290

Information Security for CPAs

Course Information
Learning Objectives: To make CPAs aware of the multitude of security threats and to provide solutions for minimizing and mitigating those threats.
Course Level: All levels
Pre-Requisites: None
Advanced Preparation: None
Presentation Method: Live lecture using full color projection systems and live Internet access with follow up course materials
Recommended CPE Credit: 8 hours
Handouts: Checklists, Web Links, Manual
Instructors: J. Carlton Collins, CPA
AdvisorCPE is registered with the National Association of State Boards
of Accountancy (NASBA) as a sponsor of continuing professional
education on the National Registry of CPE Sponsors. State boards of
accountancy have final authority on the acceptance of individual
courses for CPE credit. Complaints regarding registered sponsors may
be addressed to the national Registry of CPE Sponsors, 150 Fourth
Avenue, Nashville, TN, 37219-2417. Phone: 615.880.4200.

Copyright July 2008, AdvisorCPE and Accounting Software Advisor, LLC


4480 Missendell Lane, Norcross, Georgia 30092 770.734.0450

All rights reserved. No part of this publication may be reproduced or transmitted in any form without the
express written consent of AdvisorCPE, a subsidiary of ASA Research. Requests may be e-mailed to
marylou@advisorcpe.com or further information can be obtained by calling 770.734.0450 or by accessing
the AdvisorCPE home page at: http://www.advisorcpe.com/
All trade names and trademarks used in these materials are the property of their respective
manufacturers and/or owners. The use of trade names and trademarks in these materials is not
intended to convey endorsement of any other affiliations with these materials. Any abbreviations used
herein are solely for the reader's convenience and are not intended to compromise any trademarks.
Some of the solutions discussed within this manual apply only to certain operating systems or certain
versions of operating systems.
Some of the material herein has been consolidated and condensed based on research of numerous
security books, security articles and security web sites. AdvisorCPE makes no representations or
warranty with respect to the contents of these materials and disclaims any implied warranties of
merchantability or fitness for any particular use. The contents of these materials are subject to change
without notice.

Contact Information:
J. Carlton Collins
CARLTON@ASARESEARCH.COM

770.734.0950


WEB SITES MAINTAINED BY INSTRUCTOR:

Main Web Site: www.ASAResearch.com
Mirrored Web Site: www.AccountingSoftwareAdvisor.com
Accounting Software Advice Web Site: www.AccountingSoftwareAnswers.com
Top Accounting Software Consultants: www.AccountingSoftwareConsulting.com
Accounting Software News Web Site: www.AccountingSoftwareNews.com
Accounting Software Feature Reports: www.AccountingSoftwareReports.com
CPE Information Web Site: www.AdvisorCPE.com
Hot List: www.CarltonCollins/footer/hotlist.htm
Miscellaneous and Example Web Site: www.CarltonCollins.com
Technology Advice Web Site: www.CPAAdvisor.us
Microsoft Excel Web Site: www.ExcelAdvisor.net
QuickBooks Web Site: www.QuickbooksAdvisor.info
Microsoft Accounting Systems Web Site: www.MBSAdvisor.com
Microsoft SBA Web Site: www.SBAAdvisor.com
Microsoft Office Web Site: www.OfficeAdvisor.us

We publish all of our materials on the web as a service to the CPA community. Please feel free to learn about our other topics at these great web sites. Thank you.

Locks
Chapter 1

Locks
Virtually all computers, files, and data are protected behind locked doors, locked
cabinets, or locked files, but how secure are those locks? It turns out that most
locks today are not very secure at all. Not only can most locks be picked by
professional locksmiths, but hundreds of YouTube clips teach novices how
to pick locks as well. As examples, consider these YouTube clips and web sites:
Open any padlock with a beer can
Learn how locks work
Open door locks with picking tools
Make your own pick tools
Pick a padlock with homemade pick tools
Open door locks with a bump hammer
Open a door lock with a pick gun
Open a car with a tennis ball
Open car with wood wedge and pole
Open a tubular lock
Pick a club and pick a car ignition
Pick tools described
Order picking tools online
Order a pick gun online
Order a bump hammer online
Order car pick tools online

http://www.metacafe.com/watch/yt1eGxRQlWTrM/open_a_master_padlock_with_a_beer_can/
http://www.metacafe.com/watch/ytcuLC9klMsRI/the_visual_guide_to_lock_picking_part_06_of_10/
http://www.metacafe.com/watch/877739/kwikset_door_lock_picked/
http://www.metacafe.com/watch/1029493/home_made_lock_picks/
http://www.metacafe.com/watch/1015152/how_to_open_padlock_lockpicking/
http://www.metacafe.com/watch/ytzTfEwChCG0U/brockhage_bump_hammer_set/
http://www.metacafe.com/watch/884219/how_to_pick_locks_with_a_lock_pick_gun_lockpicking_tutorial/
http://www.metacafe.com/watch/410981/blondie_unlocks_car/
http://www.metacafe.com/watch/1078391/how_to_unlock_car_without_keys/
http://www.metacafe.com/watch/1029502/lock_picking_tubular_locks/
http://www.metacafe.com/watch/1029496/lock_picking_club_and_car_ignition/
http://www.metacafe.com/watch/1363050/lock_picking_with_all_my_sets_tools/
http://www.lockpicks.com/index.asp?PageAction=VIEWCATS&Category=204
http://www.lockpicks.com/index.asp?PageAction=VIEWCATS&Category=215
http://www.lockpicks.com/index.asp?PageAction=VIEWCATS&Category=324

Government Compliance
Federally Required Security Measures

Chapter 2

Gramm-Leach-Bliley Act
http://www.ftc.gov/os/2000/05/65fr33645.pdf
http://www.keytlaw.com/Links/glbact.htm
The Gramm-Leach-Bliley Act has been deemed to apply to CPA firms and
nearly all financial institutions. Within this Act, the Safeguards Rule of GLB
requires CPAs and financial institutions to develop a written information
security plan that describes how the company is prepared for, and plans to
continue to protect, clients' nonpublic personal information. The plan went
into effect as of March 2001. This plan must include:
1. Assigning at least one employee to manage the safeguards.
2. Constructing a thorough [risk management] on each department handling the nonpublic
information.
3. Developing, monitoring, and testing a program to secure the information, and
4. Changing the safeguards as needed with the changes in how information is collected, stored, and
used.

Do you have a Written Plan?

HIPAA Security Requirements

The Administrative Simplification provisions of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human
Services (HHS) to establish national standards for the security of electronic health care
information. The Act limits the ways that health plans, pharmacies, hospitals and other covered
entities can use patients' personal medical information as follows: (For more detail see
http://www.castlemans.org/HIPPA/Fact%20Sheet1.htm)

1. Access to Medical Records (Patients can see their own records and correct errors)
2. Notice of Privacy Practices (Patients must be provided notice of privacy measures)
3. Limits on Use of Personal Medical Information (Only minimal information can be shared)
4. Prohibition on Marketing (Patient information cannot be used in marketing)
5. Stronger State Laws (State laws are not trumped)
6. Confidential Communications (Communications must be confidential)
7. Complaints (http://www.hhs.gov/ocr/hipaa/ or by calling (866) 627-7748)
8. Written Privacy Procedures (Now required and must be detailed)
9. Employee Training and Privacy Officer (Both are now required)
10. Public Responsibilities (Disclosures of health must be made in a responsible manner)
11. Equivalency Requirements (Private and government hospitals must both comply)
12. Penalties (Up to $250,000 and 10 years in prison)

Sarbanes-Oxley Compliance
The Sarbanes-Oxley Act of 2002 (SOX) created new business rules regarding the storage and management
of corporate financial data. SOX holds many publicly held companies and all Registered Public Accounting
Firms to a rigorous set of standards. These rules set guidelines for how data should be stored, accessed,
and retrieved.

Section Number / Description of Rule

Section 103: Auditing, Quality Control, And Independence Standards And Rules
The Board shall: (1) register public accounting firms; (2) establish, or adopt, by rule, "auditing,
quality control, ethics, independence, and other standards relating to the preparation of audit
reports for issuers;" The Board requires registered public accounting firms to "prepare, and
maintain for a period of not less than 7 years, audit work papers, and other information related
to any audit report, in sufficient detail to support the conclusions reached in such report."

Section 104: Inspections of Registered Public Accounting Firms
Quality inspections must be conducted annually for firms auditing more than 100 issuers per
year, or every 3 years for all other firms. The SEC or the Board may order impromptu inspections
of any firm at any time.

Section 105(d): Investigations And Disciplinary Proceedings; Reporting of Sanctions
All documents prepared or received by the Board are regarded "confidential and privileged as an
evidentiary matter (and shall not be subject to civil discovery or other legal process) in any
proceeding in any Federal or State court or administrative agency, unless and until presented in
connection with a public proceeding or [otherwise] released" in connection with a disciplinary
action.

Title VIII: Corporate & Criminal Fraud Accountability Act of 2002
"Knowingly" destroying or creating documents to "impede, obstruct or influence" any federal
investigation, whether it exists or is contemplated, is a felony.

Section 802: Mandatory Document Retention
This section instructs auditors to maintain "all audit or review work papers" for five years from
the end of the fiscal period during which the audit or review was concluded. It also directs the
Securities and Exchange Commission (SEC) to disseminate any necessary rules and regulations
relating to the retention of relevant records from an audit or review. This section makes it
unlawful knowingly and willfully to violate these new provisions, including any rules and
regulations disseminated by the SEC, and imposes fines, a maximum term of 10 years'
imprisonment, or both.

Section 802: Document Alteration or Destruction
This section criminalizes knowingly altering, destroying, mutilating, or concealing any document
with the intent to impair the object's integrity or availability for use in an official proceeding or
to otherwise obstruct, influence or impede any official proceeding.

Section 1102: Tampering With a Record or Otherwise Impeding an Official Proceeding

Securing Hard Drives & Laptops
Chapter 3

Stolen Laptops
Laptop computers are key targets for thieves, and these thieves are not after the laptop for the
value of the computer; it is the value of the data and embedded passwords that entices these
thieves. Laptops are easy targets. They are small and easy to grab, and once stolen they blend
in without attracting attention. In 2008, the Government Accountability Office found that at
least 19 of 24 agencies reviewed had experienced at least one breach that could expose
people's personal information to identity theft. The Computer Security Institute/FBI Computer
Crime & Security Survey found the average theft of a laptop to cost a company $89,000.
Many laptops contain data which can be exploited or resold on the black market to
unscrupulous people. In particular, embedded passwords can allow hackers to access critical
systems and personal information that can be used to perpetrate identity theft and other
crimes. Presented below is a sampling of some laptop thefts that have been reported in the
news in the past few years. A lengthy list of breaches via stolen laptops and hacks can be seen
here: http://www.privacyrights.org/ar/ChronDataBreaches.htm.

Organization: National Institute of Health
Date of Theft: February 2008
Type of Data Stolen: Patient data for 2,500 patients over a 7 year period
How Stolen: From an employee's home

Organization: Davidson County Election Commission - (Nashville, TN)
Date of Theft: December 28, 2007
Type of Data Stolen: Names and complete Social Security numbers for 337,000 registered voters
How Stolen: Someone broke into several county offices over Christmas and stole laptop computers

Organization: Citibank Student Loan Corporation
Date of Theft: March 8, 2006
Type of Data Stolen: Information on 3.9 million customers
How Stolen: Lost in transit while being shipped

Organization: Transportation Security Administration (TSA)
Date of Theft: August 10, 2006
Type of Data Stolen: Social Security numbers, payroll information, and bank account data for approximately 133,000 employee records
How Stolen: From a government vehicle

Organization: Internal Revenue Service (IRS)
Date of Theft: June, 2006
Type of Data Stolen: 291 employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth
How Stolen: In transit on an airline flight

Organization: Federal Trade Commission (FTC)
Date of Theft: June 22, 2006
Type of Data Stolen: Data on about 110 people that was "gathered in law enforcement investigations"
How Stolen: Stolen from a locked vehicle

Organization: American Institute of Certified Public Accountants (AICPA)
Date of Theft: June, 2006
Type of Data Stolen: Unencrypted hard drive containing names, addresses and Social Security numbers of 330,000 AICPA members.
How Stolen: Lost during shipping

Organization: US Government Veterans Affairs Administration
Date of Theft: May 3, 2006
Type of Data Stolen: 26.5 million veterans, their spouses, and active duty military personnel
How Stolen: Laptop stolen from employee's home

The list of security breaches due to laptop thefts seems endless; here are ten more:

1. A laptop that belonged to an Ernst & Young employee was stolen from a vehicle. The
computer contained personal information of 243,000 Hotels.com customers.

2. American International Group, a major insurance company, became responsible for
private data of 970,000 potential customers when their file server and several laptop
computers were stolen from its Midwest offices.

3. An Equifax Inc. company laptop was stolen from a travelling employee. Information
compromised included employee names and Social Security numbers.

4. 13,000 District of Columbia employees and retirees were put in danger of identity theft
when a laptop belonging to ING U.S. Financial Services was stolen from an employee's
home.

5. A laptop containing debit card information and Social Security numbers of 65,000
persons was stolen from the YMCA's seemingly safe administrative offices.

6. Four laptop computers containing names, Social Security numbers, and addresses of
72,000 customers were stolen from the Medicaid insurance provider Buckeye
Community Health Plan.

7. A Boeing employee's laptop was grabbed at an airport, compromising 3,600 employees'
Social Security numbers, addresses and phone numbers. Again in 2006 Boeing lost an
unencrypted computer hard drive which held the names and Social Security numbers of
approximately 382,000 workers and former employees, including addresses, phone
numbers, birth dates and salary information.

8. A stolen UC Berkeley laptop exposed personal data of nearly 100,000.

9. A laptop computer stolen from an MCI employee's automobile in 2005 included the
names and Social Security numbers of 16,500 MCI employees.

10. In 2006 Fidelity Investments reported the theft of a laptop computer's hard drive which
contained personal information for approximately 196,000 HP employees.

These types of events raise many security concerns, for the information contained on these
computers could be used by criminals to assume others' identities and abscond with their cash
and assets. The distressing part is that all of these events could have been minimized if only the
computers' owners had taken a few minutes to set up a password encrypting the computers'
contents. While setting up a computer BIOS password or a Windows logon password will
thwart a novice thief, these measures are not enough because thieves can simply remove the
hard drive and install it in a different computer (which uses a different operating system) as a
secondary drive, which then enables the criminal to view the data on the stolen device. To fully
protect the system, you must encrypt the entire hard drive. For example, Microsoft Vista
includes a solution called BitLocker which, once set up, automatically encrypts the contents of
the entire hard drive. Similar solutions are offered by PGP, GuardianEdge, and TrueCrypt.


Measures You Can Take to Protect Your Laptop Computer
1. Physical Security - Physical devices can be used to secure your laptop computer,
ranging from chains and alarms to ID programs which clearly identify the computer
as belonging to you.
a. Cables - Targus and Kensington both manufacture cable devices that physically
secure your laptop by locking it to a table or other object. These cables are very
tough, but they can be cut with power tools or large clippers. While these
products can be circumvented, they are good for deterring crimes of opportunity.

b. Alarms - Motion sensing locking devices are also available, and these add an
extra layer of security by setting off a loud alarm if the cable is tampered with
or if the device goes out of range by a certain distance.

c. Fingerprint Security - Biometric devices such as the fingerprint readers
which are included in all IBM laptops or available from Microsoft encrypt your
passwords and associate them with your fingerprint. In the future, you
register your fingerprint and the appropriate password is then entered for
you.

Fingerprints can be hacked; it is not as hard as you might think. You can use
a gummy bear to pick up a print and then apply it to the fingerprint reader.
Of course you can also make a fingerprint using super glue as was
demonstrated in both Hollywood movies Beverly Hills Cop and National
Treasure.

The Crypto-Gram Newsletter was the first to publicize the Gummy Bear Hack as follows:
A Japanese cryptographer has demonstrated how fingerprint recognition devices can be fooled
using a combination of low cunning, cheap kitchen supplies and a digital camera. First Tsutomu
Matsumoto used gelatin (as found in Gummy Bears and other sweets) and a plastic mould to
create a fake finger, which he found fooled fingerprint detectors four times out of five. Flushed
with his success, he took latent fingerprints from a glass, which he enhanced with a
cyanoacrylate adhesive (superglue fumes) and photographed with a digital camera. Using
PhotoShop, he improved the contrast of the image and printed the fingerprint onto a
transparency sheet. Here comes the clever bit.
Matsumoto took a photosensitive printed circuit board (which can be found in many electronic
hobby shops) and used the fingerprint transparency to etch the fingerprint into the copper. From
this he made a gelatin finger using the print on the PCB, using the same process as before. Again
this fooled fingerprint detectors about 80 percent of the time.

d. Retina Scanners - Similar to fingerprint technology discussed above, retina
scan products are also available; for example the Qritek mouse (pictured
below and to the right) is priced at $315 and has a built-in retina scanner.

If your laptop did not come with a biometric security device built in, you will
need to purchase a third-party add-on that connects through the USB or PC
card ports. Because these devices must function via the operating system,
they can be easily bypassed. They are most useful for securing data when
combined with encryption software, but biometric devices are viewed as more
of a password enhancement than an additional layer of security for your
laptop. While biometric devices are cool, they provide little additional benefit
over simply using passwords and encryption to protect your property.
2. Laptop Identification Programs
a. Manufacturer's Program - If your laptop is stolen, you will have a much
better chance of eventually getting it back if you registered the device with
the manufacturer. If the device is registered, when you report it as stolen,
many manufacturers can track the serial number of the device if and when it
is logged onto the Internet (in some cases); and if the laptop is subsequently
brought in for repairs, a record will exist. You should keep track of your
laptop's serial number, even if you do not register it.

b. The STOP Program - You can also enroll your laptop in the STOP Program.
In this case an identification tag provides proof of ownership and perhaps acts
as a deterrent to theft. Laptops protected with STOP plates are registered in a
Web-based database which increases the chances of the safe return of lost,
stolen, or misplaced laptops, notebooks and other equipment.

c. Personalize Your Laptop - Personalizing your laptop can make it much
more likely for you to get it back in the event of theft. By engraving
identification information into the device itself, or by using a permanent
marker, you provide yourself with some very tangible descriptive information
which you can provide to police. You can also use Toshiba's LapJacks
material which sticks firmly to the laptop cover, but can also be removed
cleanly if required. Similarly, Pixel Decal sells skins for $20. For those with
money to burn, NVousPC (pronounced "envious PC") makes custom
notebooks with a personalized paint job; customers work with graphic
designers to customize every panel, not just the cover.

d. Laptop Tracing Software - To increase the odds of having your laptop
returned, consider using a laptop tracing software solution. These products
work by stealthily sending out signals on the Internet. When your laptop is
stolen, simply report the theft to the maker of the tracing software and when
the laptop's new owner connects to the Internet, the company can provide
tracking information to the police. Some tracking software also provides the
ability to delete selected data once the laptop has been reported as stolen.
Most of these software packages are difficult to detect and remove, and some
claim to be able to survive re-partitioning and reformatting of the hard drive.
If the hard drive is removed, so is the tracing software. Most of these services
work on a yearly subscription basis. Popular tracking software packages are
as follows:
i. ETrace
ii. Computrace
iii. GadgetTrak for Windows PC
iv. The CyberAngel w/ Wi-Trac by CyberAngel Security Solutions, Inc.
v. BackStopp by Virtuity, Ltd.
vi. XTool Laptop Tracker by XTool Mobile Security, Inc.
vii. LoJack for laptops.
viii. PC PhoneHome by Brigadoon Software, Inc.
ix. nTracker by SyNet Electronics, Inc.
x. Inspice Trace by Inspice.
xi. Verey Mac Theft Recovery Software
xii. DataDots

3. Common Sense Measures - Watch your laptop closely at the airport; many
thieves target this venue and use decoys in order to steal laptop computers. They
know it will take you some time to travel to your destination before you can close
down password protected web sites. Don't leave your laptop visible in your car, your
trunk, your hotel room, or anywhere while traveling. Consider using a plain carrying
case or backpack to carry your laptop, as this can deter would-be thieves.

4. Data Encryption - It is extremely hard, if not impossible, to effectively secure a
computer to which an intruder has physical access. There are four steps you can take
to make it rather frustratingly hard and time consuming for the bad guys to get at
your vital data, however, as follows:

a. BIOS Password Protection - Most computers can be password protected by
setting a password in the BIOS (Basic Input/Output System) built into the
motherboard of the computer. On desktop computers, password protecting
the BIOS is a poor security measure because a thief can simply open up the
case and use a jumper to reset the CMOS, or remove the battery for a few
minutes to erase the password. It's a different story with a laptop, however.
Laptop computers are built on proprietary designs, using motherboards
created specifically for each model. It is often not possible to get at the CMOS
battery of a laptop without special tools and know-how, or at least not
without destroying the machine in the process. Generally speaking, if you
want to reset the BIOS password on a laptop, you will need to ship it back to
the manufacturer, something your average thief is going to be
understandably reluctant to do.
This makes BIOS password protection a rather good option for users who are
concerned about the possibility of data theft, as a BIOS password makes it
impossible to boot into any operating system until it is answered. It's not
foolproof, as many manufacturers have built 'backdoor' keystroke
combinations into their systems which can bypass even BIOS passwords, but
it's a great start. To set the BIOS password, press the DEL key several times
immediately after the POST screen comes up (some manufacturers use a
different keystroke, but this should be indicated on your screen during boot-up,
or in the manual) to enter the BIOS setup. You are looking for 'set
password' or something similar. Set it (write it down so you don't forget it)
and save and exit. The next time you boot, you will be prompted for a
password after POST. Make sure you keep a record of the password.

b. Use Strong Passwords - After stealing your laptop, a thief has an unlimited
time in which to crack your passwords. They will likely attempt to use the
SAM and SYSTEM file password hash extraction method in combination with
some sort of password cracking software to discover your password. Let's
assume that your password is 'happy'. It would take them about 5 minutes or
less to crack using a fast computer. If the password were 'happy44', add
another 10 minutes, maybe. But what if your password was 'hAP5py28'?
You've just extended the time it will take them to crack your password to
several hours, perhaps days. The more numbers, uppercase letters, symbols
and digits in your password, the harder it is to discover. Microsoft
recommends using no less than 6-digit passwords with at least three of the
following: lower case, uppercase, numbers and special characters. I would
recommend using 16 digit passwords with a mixture of letters, characters and
numbers. To make it easier for you, you might always use the same
beginning or ending for all of your passwords such as an old phone number
you remember, followed by a strong password (i.e. 9126388947happy7755).
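The following Python script is an added example, not part of the course materials, that makes the reasoning above concrete from the defender's side: it checks a password against the "at least six characters, three of four character classes" rule the text attributes to Microsoft, and it estimates the worst-case search space that an offline attacker working against extracted hashes would have to cover. The guess rate is an assumed illustration figure (real cracking speeds depend on the hash type and hardware), and the sample passwords are the ones discussed in the text.

```python
import string

# The four character classes named in the policy the text quotes.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Assumed offline guess rate (guesses per second). Constructed for this
# illustration, not a figure from the course; real rates vary widely
# with the hash algorithm and the attacker's hardware.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def classes_used(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password: str, min_length: int = 6, min_classes: int = 3) -> bool:
    """The rule quoted in the text: at least six characters drawn from at
    least three of the four character classes."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


def search_space(password: str) -> int:
    """Worst-case number of guesses for an attacker who knows which classes
    were used: (alphabet size) ** (length). Length is an exponent, so it
    dominates; adding classes only enlarges the base."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in the search space at the assumed rate."""
    return search_space(password) / rate


def report(passwords) -> list:
    """Policy result and search-space estimate for each password."""
    return [
        {
            "password": p,
            "length": len(p),
            "classes": sorted(classes_used(p)),
            "meets_policy": meets_policy(p),
            "search_space": search_space(p),
            "seconds_to_exhaust": seconds_to_exhaust(p),
        }
        for p in passwords
    ]


if __name__ == "__main__":
    # The passwords the text walks through, plus the phone-number-prefix pattern it suggests.
    for row in report(["happy", "happy44", "hAP5py28", "9126388947happy7755"]):
        print(row)
```

Running the script over the text's own examples shows the two levers separately: 'happy' and 'happy44' fail the three-class rule and have search spaces of 26^5 and 36^7, 'hAP5py28' passes it with 62^8, and the 19-character '9126388947happy7755' uses only two classes (so fails the class rule) yet has by far the largest search space at 36^19. Character variety and length both matter, and a policy that counts only classes can pass a short password while failing a much stronger long one.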

Also, changing the 'administrator' account to an alternate name is also a good
measure to make it harder to break in. Everyone knows that Windows XP
uses an administrator account, and that it cannot be disabled, so it is the
prime target for data thieves. By renaming it 'Carlton' or something stranger
still, you can add some time and frustration to your thief's life. To accomplish
this:
1. Log into Windows using an account that has administrative privileges (any
user created during the install process or the administrator account itself).
2. Right click on 'my computer' and select 'manage.'
3. From the computer management window, expand 'local users and groups',
then open the 'users' folder and highlight the 'administrator' account.
4. Right click and select 'rename' to change it.
c. Encrypt Your Hard Drive (or Data Folder) - There are a multitude of utilities out there
that will easily boot your computer into an alternate OS like Linux and then reset your
user passwords. It is also quite simple to grab a portable operating system that boots
itself from CD (such as Knoppix), or a DOS boot disk with an NTFS reader on it, and then
copy the information straight off your laptop's drive. For that matter, laptop hard disks are
generally easy to remove anyway. A thief could purchase an adaptor or a USB case and
hook your laptop's hard drive up to his or her own system and siphon off your files.
Windows XP Professional, like Windows 2000 before it, features built-in strong
file encryption based on the identity of the user. When you use the Encrypting
File System (EFS), a file is encrypted with an algorithm derived from the
unique SID (System Identifier) number generated for each user account.
Once the file is encrypted, it cannot be decrypted except by the original user
(and anyone he chooses to grant access to the file). This means that any
other user account will not be able to view the file, period. The encryption is
permanent and remains on the file even when Windows is not running. It
doesn't matter if a new account with the exact same name and password is
created; only the original account with the original SID number can decrypt
and read the file.
The benefits of using file encryption should be obvious. The only feasible way
to break it without a supercomputer is to bypass it by gaining access to the
user account that did the encrypting. If you set strong passwords this is very
tough to do. None of the conventional methods of getting at secured data will
work on encrypted files. Of course, encryption carries its own set of dangers.
If the original user account is destroyed due to a system failure or user error,
you too will lose all access to the encrypted data. It is possible (and highly
recommended) to create a 'recovery agent' which provides a secondary
account with the ability to recover the data. This can be created as a digital
certificate which can be exported to a floppy disk, then applied to a user
account when needed.
a. How to encrypt files and folders in Windows XP - (Note that you
must be using the NTFS file system in order to use encryption.)
1. Right click on the file or folder and select 'properties.'
2. In the 'attributes' section at the bottom, click 'advanced.'
3. Check the 'encrypt contents to secure data' box, then click OK
twice. In the case of a file, you will be prompted to choose
between encrypting just that single file or the whole folder, and
in the case of a folder, whether you wish to also encrypt any
subfolders it may contain.
Creating a recovery agent:
1. Decide which user you wish to use as a data-recovery
agent. It is recommended that you use the built in
'administrator' account.
2. Login as this account.
3. Go to 'start\run' and type 'cmd' to bring up the command
prompt.
4. Type 'cipher /r:(pick a filename)' to create a digital
certificate for a recovery agent. You will be prompted to set
a password. This creates two files in the 'my documents'
folder of the current user. Be aware that these files can be
used by anyone to become a data-recovery agent, so it is
wise to remove them after we have finished this procedure.
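The two properties the text relies on, that a recreated account with the same name and password cannot read the file while a designated recovery agent can, follow from one design choice: each file gets its own random key, and that file key is wrapped separately for every account allowed to open it. The Python below is an added, simplified model of that design written for this course page; it is not Microsoft's EFS code, and its toy HMAC-based stream cipher, its Account class, its SID derivation and its sample ledger text are all constructed for the illustration. EFS's real algorithms and certificate handling differ, but the key-wrapping structure it demonstrates is the reason a recovery agent must be set up before the owning account is lost.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.
    A constructed stand-in for a real cipher, used only so the example runs
    with the standard library; it is not what EFS uses."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class Account:
    """A user account (constructed for the example). Its secret is generated
    once, when the account is created, so recreating an account with the same
    name and password yields a different secret and a different SID, which is
    the situation the text describes."""

    def __init__(self, name: str, password: str):
        self.name = name
        self.password = password
        self._secret = secrets.token_bytes(32)
        self.sid = hashlib.sha256(self._secret).hexdigest()[:16]

    def wrap(self, file_key: bytes) -> tuple:
        """Encrypt a file key under this account's secret (fresh nonce per wrap)."""
        nonce = secrets.token_bytes(16)
        return nonce, xor_crypt(self._secret, nonce, file_key)

    def unwrap(self, wrapped: tuple) -> bytes:
        nonce, blob = wrapped
        return xor_crypt(self._secret, nonce, blob)


def encrypt_file(plaintext: bytes, owner: Account, recovery_agent: Account = None) -> dict:
    """Encrypt with a fresh per-file key, then wrap that key for the owner and,
    if one is configured, for the recovery agent as well."""
    file_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    record = {
        "ciphertext": xor_crypt(file_key, nonce, plaintext),
        "nonce": nonce,
        "wrapped_keys": {owner.sid: owner.wrap(file_key)},
    }
    if recovery_agent is not None:
        record["wrapped_keys"][recovery_agent.sid] = recovery_agent.wrap(file_key)
    return record


def decrypt_file(record: dict, account: Account) -> bytes:
    """Only an account whose SID holds a wrapped copy of the file key can decrypt."""
    if account.sid not in record["wrapped_keys"]:
        raise PermissionError(f"account {account.name} ({account.sid}) holds no key for this file")
    file_key = account.unwrap(record["wrapped_keys"][account.sid])
    return xor_crypt(file_key, record["nonce"], record["ciphertext"])


def can_decrypt(record: dict, account: Account) -> bool:
    try:
        decrypt_file(record, account)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Walk through the scenarios in the text with constructed accounts and data."""
    alice = Account("alice", "hAP5py28")
    agent = Account("Administrator", "recovery-only")
    ledger = b"client ledger: constructed sample data"

    without_agent = encrypt_file(ledger, alice)
    with_agent = encrypt_file(ledger, alice, recovery_agent=agent)
    # The 'original account is destroyed' case: same name and password, new SID.
    alice_again = Account("alice", "hAP5py28")

    return {
        "owner_reads": decrypt_file(with_agent, alice) == ledger,
        "recreated_account_reads": can_decrypt(with_agent, alice_again),
        "agent_reads_with_agent": can_decrypt(with_agent, agent),
        "agent_reads_without_agent": can_decrypt(without_agent, agent),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {ok}")
```

Note what the last scenario shows: a recovery agent created after a file was encrypted holds no wrapped copy of that file's key, which is why the text recommends creating the agent (and keeping its certificate somewhere safe) before the account that did the encrypting can be lost, and why the files produced by cipher /r: must be protected, since whoever holds them can be added as an agent.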
b. Windows Vista BitLocker - BitLocker Drive Encryption is an integral new
security feature in the Windows Vista operating system that ensures that
data remains encrypted even if the computer is tampered with when the
operating system is not running. This helps protect against attacks made by
disabling or circumventing the installed operating system, or made by
physically removing the hard drive to attack the data separately. BitLocker
protects your data from theft or unauthorized viewing by encrypting the
entire Windows volume. Microsoft Vista's BitLocker tool encrypts
everything written to a BitLocker-protected volume, including the
operating system, the registry, the hibernation and paging files,
applications, and data used by applications, but not the boot sector, any
bad sectors, or the volume metadata. BitLocker is transparent to the user,
and the user logon process is unchanged. However, if the TPM is missing or
changed, or if the startup information has changed, BitLocker will enter
recovery mode, and you will need a recovery password to regain access to
the data.

BitLocker is designed for systems that have a compatible TPM microchip and
BIOS. For more information about TPM specifications, visit the TPM
Specifications section of the Trusted Computing Group's Web site
(http://go.microsoft.com/fwlink/?LinkId=72757).

c. TrueCrypt - TrueCrypt is free open source disk encryption software for Windows
Vista/XP, Mac OS X, and Linux. The software creates a virtual encrypted disk
within a file and mounts it as a real disk. It encrypts an entire partition or storage
device such as a USB flash drive or hard drive. It also encrypts a partition or drive
where Windows is installed (pre-boot authentication). The encryption is
automatic, real-time (on-the-fly) and transparent. Two levels of plausible
deniability are provided as follows, in case an adversary forces you to reveal the
password:

1) Hidden volume (steganography) - It may happen that you are forced by
somebody to reveal the password to an encrypted volume. There are
many situations where you cannot refuse to reveal the password (for
example, due to extortion). Using a so-called hidden volume allows you
to solve such situations without revealing the password to your volume.
The principle is that a TrueCrypt volume is created within another
TrueCrypt volume (within the free space on the volume). Even when the
outer volume is mounted, it is impossible to prove whether there is a
hidden volume within it or not, because free space on any TrueCrypt
volume is always filled with random data when the volume is created*
and no part of the (dismounted) hidden volume can be distinguished
from random data. Note that TrueCrypt does not modify the file system
(information about free space, etc.) within the outer volume in any way.
The password for the hidden volume must be different from the
password for the outer volume. To the outer volume (before creating
the hidden volume within it) you should copy some sensitive-looking files
that you actually do NOT want to hide. These files will be there for
anyone who would force you to hand over the password. You will reveal
only the password for the outer volume, not for the hidden one. Files
that really are sensitive will be stored on the hidden volume.

2) No TrueCrypt volume can be identified (volumes cannot be
distinguished from random data). As of TrueCrypt 4.0, it is possible to
write data to an outer volume without risking that a hidden volume
within it will get damaged (overwritten). When mounting an outer
volume, the user can enter two passwords: one for the outer volume,
and the other for a hidden volume within it, which he wants to protect. In
this mode, TrueCrypt does not actually mount the hidden volume. It only
decrypts its header and retrieves information about the size of the
hidden volume (from the decrypted header). Then, the outer volume is
mounted and any attempt to save data to the area of the hidden volume
will be rejected (until the outer volume is dismounted).

Encryption
Chapter 4

Encryption

How Encryption Works - Encryption is based on prime numbers - two prime numbers to be
exact. When multiplied together, two prime numbers will yield a product that is only divisible
by one and itself and those two prime numbers. These prime numbers are used in a complex
algorithm to scramble (encrypt) a message or file. Thereafter, the two prime numbers are
needed again in order to unscramble (decrypt) the message or file. An example is shown below:

Bits Explained - All data stored on a computer (including prime numbers) is converted to
hexadecimal and then to binary format. A binary format is a 0 or a 1. The 0 or 1 is
represented as a positive or negative charge on a computer's hard drive, or as a small or
large pit (hole) on a CD-ROM. For example, the letter A is represented on your computer's
hard drive as 0100 0001. Here is the complete alphabet and numbers 1 through 15
represented in binary code.

As you can see in the chart above, 8 bits of data are required to record a single letter, or
number greater than 15. Therefore if you have a 40 bit encrypted password, you really have a 5
character password. 56 bit, 64 bit, and 128 bit encrypted passwords translate to 7, 8 and 16
character passwords. In other words, when you use 128 bit encryption, this means that you are
using prime numbers that are 16 digits in length to generate the basis for scrambling your data.

The Size of the Prime Numbers - The size of the prime numbers used dictates how secure the
encryption will be. A message encrypted with 5 digit prime numbers (40 bit encryption) yields
about 1.1 trillion possible results. A message encrypted with 7 digit prime numbers (56 bit
encryption) yields about 72 quadrillion possible results. However, using 128 bit encryption (16
digit numbers) yields 340,282,366,920,938,463,463,374,607,431,768,211,456 possible results.
Mathematically, it would take a super computer testing 100 billion passwords per second
107,829 billion years to break 128 bit encryption using brute force. (Today's fastest chips can
handle about 256 million encryptions per second.)

Time Needed To Crack - Mathematically speaking, based upon today's top computing power,
40 bit, 56 bit, 64 bit, and 128 bit encryption could be broken in 1 second, 19 hours, 7 months
and 11,000 quadrillion years, respectively. This is why 128 bit encryption is the standard used
worldwide to protect financial transactions and sensitive data.
Key Length (bits)   1995                2000                2005
40                  68 seconds          8.6 seconds         1.07 seconds
56                  7.4 weeks           6.5 days            19 hours
64                  36.7 years          4.6 years           6.9 months
128                 6.7e17 millennia    8.4e16 millennia    1.1e16 millennia

Table of time needed to break certain key sizes using hardware
http://www.cs.bris.ac.uk/~bradley/publish/SSLP/chapter3.html
It has been estimated that 128 bit encryption will be breakable in about 105 to 125 years (by
the years 2109 to 2129).

Letters versus Numbers - You might be interested to know that four words selected at random
are much more effective than 56 Bit encryption. According to Jeremy Bradley of the University
of Bristol, a 7 character password (56 bit) has 1,028,071,702,528 possible results. However, four
random words yield a total of 390,625,000,000,000,000 possible results. His basis for this claim
is explained here: http://www.cs.bris.ac.uk/~bradley/publish/SSLP/chapter3.html.
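The key-space and brute-force figures quoted in this chapter can be recomputed; the calculator below is an added example, not part of the course text. It assumes the guess rate the text mentions (100 billion guesses per second), a 52-letter alphabet for Bradley's 7-character case and a 25,000-word vocabulary for his four-word case, which are the assumptions that reproduce his 1,028,071,702,528 and 390,625,000,000,000,000 figures.

```python
"""Key-space and brute-force time calculator (added example, not course code).

It reproduces the chapter's figures: 2^40, 2^56, 2^64 and 2^128 possibilities
for the four key lengths, and Jeremy Bradley's comparison of a 7-character
letter password (52^7) with four words from a 25,000-word vocabulary
(25,000^4). The 52-letter alphabet, the 25,000-word vocabulary and the guess
rates are assumptions taken from the text.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SUPERCOMPUTER_RATE = 100e9      # guesses per second, the rate the text quotes
FAST_CHIP_RATE = 256e6          # encryptions per second, also from the text


def key_space(bits: int) -> int:
    """Number of distinct keys of the given bit length."""
    return 2 ** bits


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from an alphabet."""
    return alphabet_size ** length


def passphrase_space(vocabulary: int, words: int) -> int:
    """Number of distinct passphrases made of `words` words from a vocabulary."""
    return vocabulary ** words


def equivalent_bits(space: int) -> float:
    """Key length, in bits, with the same number of possibilities."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case years to try every possibility; on average half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def crack_time_table(guesses_per_second: float = SUPERCOMPUTER_RATE) -> dict:
    """Years to exhaust the chapter's four key lengths at one guess rate."""
    return {bits: years_to_exhaust(key_space(bits), guesses_per_second)
            for bits in (40, 56, 64, 128)}


def bradley_comparison() -> dict:
    """Bradley's two cases: 7 letters from 52, versus 4 words from 25,000."""
    seven_letters = password_space(52, 7)
    four_words = passphrase_space(25_000, 4)
    return {
        "seven_letters": seven_letters,
        "seven_letters_bits": equivalent_bits(seven_letters),
        "four_words": four_words,
        "four_words_bits": equivalent_bits(four_words),
    }


def describe_years(years: float) -> str:
    """Human-readable duration, switching units as the value grows."""
    seconds = years * SECONDS_PER_YEAR
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 24 * 3600:
        return f"{seconds / 3600:.1f} hours"
    if years < 1:
        return f"{seconds / (24 * 3600):.1f} days"
    return f"{years:,.0f} years"


if __name__ == "__main__":
    for bits, years in crack_time_table().items():
        print(f"{bits:>3}-bit key: {key_space(bits):>45,} keys, "
              f"{describe_years(years)} at 100 billion guesses/s")
    cmp = bradley_comparison()
    print(f"7 letters: {cmp['seven_letters']:,} ({cmp['seven_letters_bits']:.1f} bits)")
    print(f"4 words:   {cmp['four_words']:,} ({cmp['four_words_bits']:.1f} bits)")
```

Running it shows why the four-word passphrase wins: 25,000^4 is about 2^58, against roughly 2^40 for seven letters, so the passphrase is closer to a 64-bit key than to a 56-bit one.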

PGP (Pretty Good Privacy)

PGP or Pretty Good Privacy was released on June 5, 1991. Developed by Phil
Zimmermann, Phil first sent PGP to Allan Hoeltje and then Kelly Goen who in
turn released PGP through Internet user groups. This set off an unexpected
feeding frenzy. Volunteers around the world offered to help Phil port PGP to
other platforms, add enhancements, and generally promote the product. Fifteen months later, in
September 1992, PGP 2.0 was released for MS-DOS, Unix, Commodore Amiga, Atari, and a few other
platforms, and in about ten foreign languages. Shortly thereafter US Customs took an interest in
the case. At first the government tried to build a case against Phil for exporting weapons outside
the US, and they frequently harassed him. By doing so the government helped propel PGP's
popularity by igniting controversy that would eventually lead to the demise of the US export
restrictions on strong cryptography. Today, PGP remains just about the only way anyone encrypts
their email. And now there are a dozen companies developing products that use the OpenPGP
standard. You can download PGP for free, or purchase a more feature-rich version at this web site:
www.pgp.com. Here is a quick introduction into using PGP:

Once installed, PGP shows up as an application in your Start Button, an icon in your System
Tray, an icon in Outlook, and as a right mouse click in Explorer.

To start using PGP, launch the product and start the wizard to generate the encryption keys as
shown below:

The PGP wizard shown above walks you through the process of creating your encryption keys.
Once you have created an encryption key, you can encrypt text, files, folders, or emails using
that newly created PGP encryption key. Presented below is an example of a simple message
before and after encrypting with PGP.

Original Message

Same Message as Above Encrypted with a PGP 128 Bit Key

It is important to point out that an encrypted message is still naked and wide-open on the
internet or on a computer hard drive - it's just that now no one can make sense of that
message/file/email without the proper decryption key.

PGP's Two Key System - PGP is based on public-key cryptography, a widely accepted and highly
trusted public key encryption system, by which you and other PGP users generate a key pair
consisting of a 'private key' and a 'public key'. As its name implies, only you have access to your
private key, but in order to exchange files with other PGP users you need a copy of their public
key and they need a copy of yours. You use your private key to sign the file attachments you
send to others and to decrypt the files they send to you. Conversely, you use the public keys of
others to send them encrypted files and to verify their digital signatures. PGP won't route your
email over a Secure Socket Layer (SSL), but it will be unreadable by anyone other than you and
the person to whom it is addressed. Keep in mind that encryption is for the message body only;
it does not hide the subject line or the headers.

SSL - A Web Based Version of PGP's Two Key System - One popular implementation of public
key encryption is the Secure Sockets Layer (SSL). Originally developed by Netscape, SSL is an
Internet security protocol used by Internet browsers and Web servers to transmit sensitive
information. SSL recently became part of an overall security protocol known as Transport Layer
Security (TLS).

Look for the "s" after "http" in the address whenever you are about to enter sensitive
information, such as a credit card number, into a form on a Web site. In your browser, you can
tell when you are using a secure protocol, such as TLS, in a couple of different ways. You will
notice that the "http" in the address line is replaced with "https," and you should see a small
padlock in the status bar in the browser window.

The padlock symbol lets you know that you are using encryption. Basically what this means is
that a private key has been generated by the server you are accessing, and has been sent to
your computer and is being held in RAM until needed. Once you have entered the information
you want to send and press the SUBMIT button, the key is used to encrypt the message and the
data is sent to the web server, or in the case shown above the Delta Airlines web server.

Public key encryption takes a lot of computing, so most systems use a combination of public-
key and symmetric-key encryption. When two computers initiate a secure session, one computer creates a
symmetric key and sends it to the other computer using public-key encryption. The two
computers can then communicate using symmetric-key encryption. Once the session is
finished, each computer discards the symmetric key used for that session. Any additional
sessions require that a new symmetric key be created, and the process is repeated.
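The hybrid exchange described above (a fresh symmetric session key, wrapped with the other side's public key, then symmetric encryption for the rest of the session) is worked through below as an added example; it is not code from PGP, SSL or any library. The chapter does not name the public-key algorithm, so the one matching its "two prime numbers" description, RSA, is built here in textbook form from two Mersenne primes, and a SHA-256 keystream with an HMAC tag stands in for the AES-style cipher real products use; both are readability stand-ins that need only the standard library, not production-strength choices.

```python
"""Hybrid public-key / symmetric-key session (added example, not product code).

Flow, as the chapter describes it: the client draws a random symmetric session
key, wraps it with the server's public key, the server unwraps it with its
private key, and both sides then use the symmetric key for the session.
Textbook RSA (no padding) and a SHA-256 counter keystream with an HMAC tag are
used so the whole thing runs on the standard library; they are teaching
stand-ins, not the ciphers real products use.
"""
import hashlib
import hmac
import secrets

# Two Mersenne primes serve as the sample RSA primes (2^61-1 and 2^89-1). Real
# keys use primes of ~300 digits; these are just big enough to wrap a 128-bit key.
P = 2 ** 61 - 1
Q = 2 ** 89 - 1
E = 65537


def make_rsa_keypair(p: int = P, q: int = Q, e: int = E):
    """Return ((n, e), (n, d)): the public key, then the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m: int) -> int:
    """Encrypt an integer smaller than the modulus with the public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    """Recover the integer with the private key."""
    n, d = private_key
    return pow(c, d, n)


def _subkeys(session_key: bytes):
    """Derive separate encryption and MAC keys from the one session key."""
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: concatenated hash(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(session_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def symmetric_decrypt(session_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; reject any tampering."""
    enc_key, mac_key = _subkeys(session_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: altered message or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def client_start_session(server_public_key):
    """Client side: draw a 128-bit session key and wrap it for the server."""
    session_key = secrets.token_bytes(16)
    wrapped = rsa_encrypt(server_public_key, int.from_bytes(session_key, "big"))
    return session_key, wrapped


def server_accept_session(server_private_key, wrapped: int) -> bytes:
    """Server side: unwrap the session key with the private key."""
    return rsa_decrypt(server_private_key, wrapped).to_bytes(16, "big")


def run_exchange(form_data: bytes) -> bytes:
    """Full round trip; returns what the server read from the sealed form."""
    public_key, private_key = make_rsa_keypair()        # the server's key pair
    client_key, wrapped = client_start_session(public_key)
    server_key = server_accept_session(private_key, wrapped)
    sealed = symmetric_encrypt(client_key, form_data)   # what crosses the wire
    return symmetric_decrypt(server_key, sealed)


if __name__ == "__main__":
    sample = b"name=A. Customer&card=0000-0000-0000-0000"   # constructed form data
    print(run_exchange(sample) == sample)
```

Only the wrapped session key ever depends on the public-key step; everything sent afterwards is protected by the symmetric key, which is why the session is discarded and re-keyed each time, as the paragraph above describes.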
Is Big Brother Watching You Anyway? - When PGP was first developed, it was understood that
the only person capable of reading an email encrypted with PGP was the email recipient.
While unconfirmed, it is suspected that since PGP was purchased from Phil Zimmermann, its
developer, by Network Associates, Inc. (NAI) several years ago, that a 'master key' exists in the
hands of both NAI and the U.S. Federal Government. Even with this in mind, PGP is just about
the safest and most reliable method of encryption available.

In October, 2001, NAI put PGP up for sale. With no buyers, in March of 2002 NAI dropped
support and development of its PGP desktop encryption software. On August 19, 2002, NAI sold
PGP to PGP Corporation, a newly formed company. The deal gives the new company a line of
encryption products based on the PGP algorithm, including PGPmail, PGPfile, PGPwireless,
PGPkeyserver, for the Windows and Macintosh operating systems. A full history of PGP can be
found at www.pgp.com/company/pgphistory.html

Though a freeware version of PGP does exist, the End User License Agreement (EULA) is rather
restrictive, limiting it to home-based non-profit use. Freeware PGP setup only takes a few
minutes, but users should note these facts about the free version of PGP:

- Does not include automatic encryption of email file attachments
- Does not provide plugin integration with Outlook, Outlook Express, and other
email applications
- Does not operate with PGP Admin or other PGP deployment tools

Self-Decrypting Files

Some implementations of encryption are self-decrypting, which means that the unlocking key
needed is already embedded in the file - all you need is the password to activate the unlocking
key. Consider the following two examples:

Example 1 - You send a PGP encrypted e-mail to a friend.
  You: You send a PGP encrypted e-mail to a friend.
  Your Friend: Your friend must have the PGP unlocking key and know the password in order
  to unlock the e-mail.
  A Thief: A thief who intercepts the e-mail will have no way of opening the e-mail, even if
  they know or guess the correct password, because they have no unlocking key.

Example 2 - You e-mail an encrypted Word or Excel document to a friend.
  You: You e-mail an encrypted Word or Excel document to a friend.
  Your Friend: Your friend only needs to know the password in order to unlock the file, as
  the unlocking key is already embedded.
  A Thief: A thief who intercepts the e-mail needs only to guess the correct password to open
  the file, as the unlocking key is embedded.

E-Mail Encryption Software

PKWARE's SecureZip (www.pkware.com) ($30) - It does automatically encrypt email, as well
as Office files. Save and send files securely directly from Microsoft Office applications,
including Word, Excel, and PowerPoint. Secure and compress emails and attachments in
Microsoft Outlook. Encrypt data using passphrases, X.509 digital certificates, or both.

Google Message Encryption, (formerly Postini) (www.google.com) - Hosted solution that
automatically encrypts email based on your policy definitions, helping your organization avoid
the financial penalties and brand equity damage that can result from sending proprietary or
regulated data via unprotected email. Send encrypted messages to business partners and
customers. No additional software, hardware or technical training required. Automated or user-
initiated encryption for confidential emails to any recipient. Centralized reporting of encrypted
messages and policy enforcement. Centrally-managed content inspection, encryption policies
to help comply with GLBA, HIPAA, PCI DSS and data privacy regulations.

Entrust Email Encryption (www.entrust.com) - Protects private, sensitive and valuable
information communicated via email. Email encryption can be deployed using email encrypting
software, secure email servers or secure webmail centers. Entrust email encryption solutions
work with a broad range of email applications including Microsoft Outlook/Exchange and
Lotus Notes/Domino. It can be used by mobile users including those with RIM BlackBerry
handheld devices and via secure web mail. Entrust email encryption software uses S/MIME,
PGP and Entrust encryption formats. Benefits: Transparent, easy-to-use email security;
Automatic encryption and digital signatures; Integration with content analysis tools for email
compliance; 'Government-strength' security validated against NIST standards.

ShyFile ($59) - Make up a 32 character key entry, enter the text you wish to encode, attach
the secure ShyFile to your email, and the recipient simply uses a browser to decode. The unlocking
key is embedded in the file. ShyFile encodes your text (txt and html files) and packs it into an extra
file that is to be attached to an outgoing email or uploaded to a web site. The recipient thereof
does not need to have ShyFile installed to be able to decode since any Internet browser will
open it and prompt the user to enter the matching key phrase before decoding it. ShyFile also
encrypts binary files, which require a free demo version of ShyFile to decode though. Simple
1-on-1 symmetric key entries are used, no Public and Private Keys. ShyFile exclusively uses its
own independently developed TL6144D algorithm, offering a depth of encryption of up to
6144 bit. That reaches or even tops military requirements. A File Shredder is included to
thoroughly delete a file on your hard drive in a way no undelete tool could ever restore it
again. ShyFile works independently from all your web-based email accounts and desktop email
applications.

AnchorMail (www.anchormail.com) - Secure email solution provides a service-based approach
for encrypting ad hoc emails and securely delivering the messages to any inbox. AnchorMail
enables any enterprise to enforce message policies and/or client-initiated trusted e-
communications that can be securely delivered to any recipient, without requiring the receiving
party to download or install any software. The AnchorMail service is responsible for the data
management, key management, user enrollment, online opening, and secure reply, in addition
to related administrative functions (operations, backup, availability, etc.). This removes the
deployment integration and lifecycle management of a typical secure email offering, and thus
decreases the costs of resources, time, and administration.

SecureHive (www.securehive.com) ($86) - SecureHive is a tool for secure archiving and sharing
of files. It enables you to create encrypted archives and self-extracting .exe files for secure
storage and file sharing. It also includes a means of encrypting parts of, or entire, documents,
email messages, etc. Secure Hive offers the enterprise a method of: Securing sensitive
documents; protecting information during transfer; Securing emails.

CenturionMail (www.centurionsoft.com) ($59) - Windows based utility to send encrypted
information by email. Recipients of encrypted messages receive an attachment to the email
which when executed requires the user to enter a password to open it. CenturionMail is
integrated in MS Outlook. One button operation within the Outlook composing window is all
that is needed to send an encrypted email. Users of other email programs can still use the
program through the CenturionMail interface which calls to the default email program.
Supports all versions of MS Outlook including Outlook 2003. Encrypted files can be sent as ZIP,
CAB, or our new custom defined extension. AES: Now offering stronger 256 bit, open source
encryption. Password Manager: Securely store and manage all the passwords to be used for
various recipients. When using the Microsoft Outlook plugin, it will prefill the default
password for any recipient in the Password Manager. Password hints can also be saved and
automatically sent. Shredder: Securely delete files and folders either during the encryption
process (deletes the non-encrypted originals) or separately. On-the-Fly Encryption:
Automatically encrypt a local copy of the files or folders being sent.

GnuPG (www.gnupg.org) (Free) - Free Software Foundation, Inc. offers GnuPG (GNU Privacy
Guard), a complete and free replacement for PGP. Because it does not use the patented IDEA
algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant
application. GnuPG itself is a command line tool without any graphical stuff. It is the real crypto
engine which can be used directly from a command prompt, from shell scripts or by other
programs. Therefore it can be considered as a backend for other applications.

Conclusions
1. You should assume that every email you send has been read by more than 1,000
people. This is because all unencrypted emails are naked and wide open to the world. A
simple Sniffer tool can capture your packets and reassemble your emails.

2. PGP was the first computer based encryption tool, although the existence of coded
messages (or cryptography) has been verified as far back as the Roman Empire.

3. Encryption works on prime numbers. According to Bill Gates in his book The Road
Ahead, there are more prime numbers of adequate size and length than there are
atoms in the universe.

4. Data on your computer is stored in binary code called bits, which means zeros and
ones. Since it takes 8 bits to represent a number or letter, it takes 40 bits to
represent 5 numbers or letters, or 128 bits to represent 16 numbers or letters. Hence
when you work with 128 bit encryption this means that you are actually working with 16
digit prime numbers.

5. Using today's technology, it would take about 11,000 quadrillion years to break a 128 bit
encrypted message.

6. To protect your emails with encryption, you and your email pal could install PGP.

7. Upon installing PGP, you would need to generate a set of encryption keys, and send
your locking key (private key) to your pal. Your pal would do likewise, sending their
locking key to you. Thereafter, all emails sent to one another (including attachments)
would be absolutely encrypted with 128 bit encryption.

8. It is widely rumored that the US government secretly holds a universal code for
unlocking all PGP keys. At least this makes for a good conspiracy theory.

Strong Passwords & Password Management
Chapter 5

One Password or Multiple Passwords?

Do you have one catch-all password that you use everywhere, or do you create a new password
for every different account, web site, file, and relationship you deal with? It is a perplexing
question, but almost everyone agrees that the use of a single password everywhere is foolish.
An RSA survey shows that 58% of users have more than six passwords, and half of those have
thirteen. Here's why:

1. If one company can see the password you use for their account, an unscrupulous
employee might attempt to use that same password and email address to access your
Amazon account, PayPal account, or credit card account.

2. From time to time it is necessary to provide a friend or associate with your password
information - for example to edit your web site. If you use the same password for your
web site and bank account, then your friend or colleague may be armed with
information that could be used to compromise your identity.

3. Passwords tend to last for years with some accounts - if your password does manage to
get out in the open, it might be a nightmare to change all known passwords for all of
your accounts, email addresses, web sites, etc.

Although managing multiple passwords has its own set of problems, it is widely considered to
be a better strategy than using one or a few passwords across multiple accounts.

Creating Strong Passwords

In most cases, when people find out too late that their passwords have been
compromised, it is usually because they were simply too easy to guess. It's not so hard to create
a strong password... here are some tips to make the keys to your identity a tougher lock to pick.

1. At least 12 Characters - As the length of your password increases it's harder to crack it.
Most people recommend a minimum of 8 characters, but anything more than that
makes it even more secure. I like to use at least 12 characters.

2. Letters & Numbers - Combining letters, numbers and special characters makes your
password much harder to guess. Using a password that's easy for you to remember may
also be an easy password for an identity thief to guess. But there's a delicate balance...
you want passwords that are simple for you to remember, but difficult for others to guess.

3. Use all Lower Case - It is true that you can add complexity by alternating between
upper and lowercase letters. However, these will be harder to remember, read, and
type correctly. Further, uppercase letters require two hands to be used for the shift key.
I find that it is too frustrating to mix case and therefore I always try to use
lowercase letters for all of my passwords.
4. Some people like to substitute special characters for letters and numbers, such as the
"$" instead of an "S" or a "1" instead of "I". Once again, I find this too frustrating to
remember, read, and type. I don't recommend this.

5. To make passwords both hard to crack and simple to remember, I have some standard
words that I embed in front of and behind my passwords. For example, my Delta Airlines,
AVIS, and Marriott passwords might look something like this:

a. delta5544summer6388947+
b. avis3319summer6388947+
c. marriott2298summer6388947+

Each password has 5 parts:

1. the beginning part "delta" for Delta Airlines;
2. the second part 5544 is four randomly chosen numbers;
3. the word "summer" is a common word I always throw in;
4. the number 6388947 is my childhood telephone number;
5. and for good measure I throw a + sign on the end.

Using this approach, all I really have to remember is the 4 random numbers (like a PIN) in
part 2; the other 4 parts I can easily remember. This way I can usually recreate my
password from memory, but a hacker or hacking program would take billions of years to
break the password in its totality.

The Microsoft Password Checker, which is available online, tells me that the strength of these
passwords is excellent - see for yourself:

http://www.microsoft.com/protect/yourself/password/checker.mspx

Bad Passwords

Password pitfalls include using your name, child's or pet's name, your birthday or other
information that may be linked with your identity. Also steer clear of no-brainers like "abc123"
or "password" as your password. Hackers recently created a fake Myspace login page, and
collected over 34,000 passwords before the ruse was detected. Because the data was left on a
public server for some time, it proved to be an interesting real-world case study on BAD
passwords. Analysis of this data showed some surprising results - almost one percent of
Myspace users had the word "password" in their password. With over 100 million Myspace
users, that's a MILLION easily guessed passwords!

Other popular "words" used in passwords included: abc, baseball, football, iloveyou, myspace,
monkey, princess, qwerty, soccer, superman, and 123456. It was also common to add a number
to the end of these words, such as abc123 or baseball1. Profanities also occurred with a high
frequency in passwords. Your takeaway: don't use these words, or variants of them, in your
password, or you'll be making it that much easier for evildoers to guess their way into your
private information.
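The advice in "Creating Strong Passwords" and "Bad Passwords" can be turned into a check. The functions below are an added example, not part of the course: they generate a distinct random password per account with Python's secrets module, flag passwords that contain the Myspace "words" listed above or personal terms (a name, a birth year), and report a password reused across accounts. The common-word list is the one quoted in the text; the passphrase vocabulary and the sample account table are constructed for the demonstration.

```python
"""Password generation, a weak-password check and a reuse check (added example).

COMMON_WORDS is the list quoted from the Myspace analysis in the text; the
passphrase vocabulary and the sample account table are constructed.
"""
import math
import secrets
import string

COMMON_WORDS = ("password", "abc", "baseball", "football", "iloveyou", "myspace",
                "monkey", "princess", "qwerty", "soccer", "superman", "123456")

# 62 letters/digits plus a few symbols, including the '+' the text's examples use.
ALPHABET = string.ascii_letters + string.digits + "+-_!#%"

# Constructed sample vocabulary; a real passphrase list has thousands of words.
SAMPLE_WORDS = ("ledger", "harbor", "maple", "quartz", "violin", "summit",
                "copper", "ember", "falcon", "glacier", "meadow", "orbit",
                "pepper", "ripple", "saddle", "tundra")


def generate_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Random password from `alphabet`, using secrets (not random) so it is unpredictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 4, wordlist=SAMPLE_WORDS) -> str:
    """Random words joined by spaces: the four-random-words style from the chapter."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, length: int) -> float:
    """Bits of unpredictability when each of `length` positions has `choices`."""
    return length * math.log2(choices)


def weak_password_reasons(password: str, personal_terms=()) -> list:
    """Reasons the password fails the chapter's advice; [] means none fired."""
    reasons = []
    lowered = password.lower()
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    for word in COMMON_WORDS:             # substring match catches abc123, baseball1
        if word in lowered:
            reasons.append(f"contains common word '{word}'")
    for term in personal_terms:           # names, birthdays, phone numbers
        if term and term.lower() in lowered:
            reasons.append(f"contains personal information '{term}'")
    if len(set(lowered)) == 1:
        reasons.append("single repeated character")
    return reasons


def find_reused_passwords(accounts: dict) -> dict:
    """Map each password used by more than one account to those accounts."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


def unique_passwords_for(accounts, length: int = 12) -> dict:
    """One fresh random password per account, so a leak at one site stays there."""
    return {account: generate_password(length) for account in accounts}


if __name__ == "__main__":
    sample_accounts = {"airline": "baseball1", "bank": "baseball1",   # constructed
                       "webmail": "monkey123", "shop": "x7Qr+p2L9_vK"}
    for account, pw in sample_accounts.items():
        print(account, weak_password_reasons(pw) or "ok")
    print("reused:", find_reused_passwords(sample_accounts))
    print("replacements:", unique_passwords_for(sample_accounts))
    print(f"12 chars from {len(ALPHABET)} symbols: "
          f"{entropy_bits(len(ALPHABET), 12):.1f} bits")
```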

Changing Passwords Regularly

Changing passwords on a regular basis will help to ensure that you are maintaining a high level
of security. Personally I believe that this measure is not cost effective as it takes far too much
time to change, record, and edit the proper documentation so that you can find the right
password later. However, in some workplace settings, login passwords must be changed every
30 days. Whatever interval you choose, be careful not to use a predictable pattern for your
passwords, such as AxxxxxA / BxxxxxB / CxxxxxC or JANxxxx / FEBxxxx / MARxxxx. This is
important because an intruder may not leave tracks. If someone has guessed your password,
you can at least make sure they won't have long-term access to your data.

Managing Passwords

Storing an unprotected list of passwords on your computer is not a good idea; however, if you
store them in a very well protected Excel or Word document (password protected with a very
strong password), then you are fine in my opinion. However, you also have the option of using a
Password Manager Tool to help you keep track of these passwords. A password manager is
software that helps a user organize passwords and PIN codes. The software typically has a local
database or files that hold the encrypted password data. Many password managers also work
like a form filler, thus they fill the user and password data automatically into forms. Some have
password generator capabilities. In view of the rising threat of Phishing, password managers are
also used as the best defense against such threats. Unlike human beings, a password manager
program, which can handle automated login scripts, is not susceptible to visual imitations and
look-alike web sites. With this built-in advantage, the use of a password manager is beneficial
to everyone, even if he or she only has a few passwords to remember. However, one must keep
in mind that not all password managers can automatically handle the more complex login
procedures now imposed by banking web sites.

For example, Roboform (Free to $35) is a top-rated Password Manager and Web Form Filler that
automates password entering and form filling. RoboForm was named PC Magazine Editor's
Choice, and CNET Download.com's Software of the Year. RoboForm does the following:

1. Memorizes your passwords and Logs You In automatically.
2. Fills long registration and checkout forms with one click.
3. Encrypts your passwords to achieve complete security.
4. Generates random passwords that hackers cannot guess.
5. Fights Phishing by filling passwords only on matching web sites.
6. Defeats Keyloggers by not using the keyboard to type passwords.
7. Backs up your passwords, copies them between computers.
8. Synchronizes passwords between computers using GoodSync.
9. Searches for keywords in your passwords, notes and Internet.
10. Portable: RoboForm2Go runs from a USB key, no install needed.
11. PDA friendly: sync your passwords to Pocket PC and Palm.
12. Neutral: works with Internet Explorer, AOL/MSN, Firefox.
13. IE7 and Vista are now supported.

Password Manager XP is a program to store passwords. It claims to rid
computer users of the headaches caused by lost passwords, forgotten
access codes and other sensitive information. With this program, you
safely store all your logins, passwords, PIN codes, credit card numbers,
access codes, files, and any other confidential information in one place.
The product allows you to create several databases for storing desired
information. Each database has its own access password and is
encrypted with the algorithms of your choice. This means the capability to
apply several different encryption algorithms at a time, which
significantly increases protection against unauthorized access of your data. Besides, the
program comes with an option to automatically exit databases when idle for a set period of
time, which decreases the likelihood of stealing your data when you leave your computer with the
application running (for example, you have been distracted by other things or simply forgot to
quit the program).

KeePass is a free/open-source password manager or safe which helps you
to manage your passwords in a secure way. You can put all your passwords
in one database, which is locked with one master key or a key disk. So you
only have to remember one single master password or insert the key disk
to unlock the whole database. The databases are encrypted using the best
and most secure encryption algorithms currently known (AES and Twofish).
It allows you to organize your entries into categories and offers several ways to conveniently
enter your username/password; you can use drag and drop, copy to the clipboard, or create
auto-type sequences that can enter the login information with a single click.

The Firefox browser also has a rudimentary password keeper and has a master
password option. Internet Explorer will remember passwords, but lacks the
master password option. Social engineering, phishing, and even careless
oversight by internet service providers are yet other ways that a hacker might
get your password. Read more about Phishing Scams to avoid voluntarily
providing your password via deceit and falling victim to Identity Theft.

Password Fatigue

Password fatigue describes the syndrome where people are required to remember an excessive
number of passwords as part of their daily living. The increasing prominence of information
technology and the Internet in employment, finance, recreation and other aspects of people's
lives, and the ensuing introduction of secure transaction technology, has led to people
accumulating a proliferation of accounts and passwords. According to British online-security
consultant NTA Monitor, the typical intensive computer user has 21 accounts that require a
password.

Aside from contributing to stress, password fatigue may encourage people to adopt habits that
reduce the security of their protected information. For example, an account holder might use
the same password for several different accounts, deliberately choose easy to remember
passwords that are vulnerable to cracking, or rely on written records of their passwords.

Password Recovery

The majority of password protected web sites provide password recovery that allows users to
recover their passwords via email. Sometimes this is automated via the web site, although
some web sites (especially paid-for or 'high value' web sites) may require additional checks via
customer service operators. According to a PBS report, a survey of customer service
representatives revealed that about 20% of the CS calls from users are about problems with
passwords.

Be aware that if someone has access to your computer for a few moments, they could access
your online account, click the lost password button, and have the password resent to your
computer's email. There they could quickly learn your password, and then delete the email to
erase their tracks.

Windows Security
File & Folder Security

Chapter 6


FAT32 versus NTFS

1. You Must Choose - When you format your hard drive, you must choose to use either
FAT32 (File Allocation Table 32) or NTFS (the Windows NT File System).

2. Do Not Choose FAT32 - because FAT32 does not offer any security.

3. Do Choose NTFS - NTFS allows you to password protect files, password protect folders,
and to apply encryption to your hard drive using EFS (Encryption File System).

4. Deleted Files - When using FAT32, deleted files are not really deleted. They are only
renamed in the File Allocation Table (from Budget.xls to *udget.xls). The asterisk
prevents the file name from being viewed, but the file still exists on the hard drive.
Many available tools enable you to rename the file, replacing the asterisk with a letter or
number, and then the file is completely visible again.

With NTFS, when you delete a file, the file's location on the hard drive is overwritten,
and there is no recovery option.

5. No Impact on Network - Choosing FAT32 or NTFS has no impact on sharing data across
a network.

6. NTFS is Also Better in Other Ways - NTFS supports larger files, larger drive partitions,
has better data compression, and has less file fragmentation.

7. It's Easy to Change to NTFS: If you are not already using NTFS, you can convert a FAT32
volume in place, without reformatting your hard disk or restoring your apps and data from a
backup. Choose Start, Run, type cmd.exe, and press <Enter> to open a Command Prompt
window. Then type <convert c: /fs:ntfs> (without the brackets) to convert your C: drive
to NTFS. Two cautions: the conversion is one-way (Windows has no built-in way to convert
back to FAT32), and if the volume is in use, as C: always is, the conversion is scheduled
to run at the next reboot. Take a backup first regardless.
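The following Python example is added here; it is not part of the course handout and not a Windows tool. It shows the overwrite-before-delete step that item 4 calls for: it writes random bytes over the file in place, forces them to disk, renames the file to a meaningless name so the old name does not survive in the freed directory entry, and only then deletes it. The sample file content is constructed. The caveats about SSDs, compressed files and shadow copies in the docstring are assumptions about the environment, not something the handout states.

```python
"""Overwrite a file's contents before unlinking it (added example, not from the handout).

Deleting a file on FAT32 or NTFS only frees the directory entry / MFT record; the
clusters keep the old bytes until something else overwrites them. This helper
overwrites the data in place first.

Caveats: on SSDs (wear levelling), NTFS-compressed or sparse files, and volumes with
shadow copies, an in-place overwrite does not guarantee the old bytes are gone from
the physical media. Full-disk encryption is the reliable control.
"""
import os
import secrets
import tempfile
from typing import Tuple

SAMPLE_LINE = b"ACME Corp FY2008 budget: payroll 1,234,567\n"   # constructed content
CHUNK = 1 << 20                                               # 1 MiB per write


def overwrite_and_delete(path: str, passes: int = 1) -> int:
    """Overwrite `path` in place `passes` times, flush to disk, rename, then unlink.

    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    # "r+b" keeps the existing allocation; opening with "wb" would truncate the file
    # to zero length and could allocate fresh clusters, leaving the old ones intact.
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                fh.write(os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # push the overwrite out of the page cache to disk
    # Rename so the original file name does not linger in the freed directory entry
    # (FAT) or MFT record (NTFS), then delete.
    scrubbed = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, scrubbed)
    os.remove(scrubbed)
    return size


def demo() -> Tuple[int, bool]:
    """Create a constructed sample file, scrub it, return (bytes overwritten, still exists)."""
    fd, path = tempfile.mkstemp(prefix="Budget-", suffix=".xls")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_LINE * 100)
    overwritten = overwrite_and_delete(path, passes=2)
    return overwritten, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Run it as a script to scrub a throw-away temporary file, or call overwrite_and_delete() on a real path. Two passes are plenty for a magnetic disk; the number of passes does nothing on an SSD, where only the drive's own secure-erase or encryption helps.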

File & Folder Security

To configure the security and permissions of a file or folder, right-click the file or folder,
select the Sharing and Security or Properties option, and use the Security tab.

In the example above the folder named Carlton's Private Folder has been restricted so that
only the user Carlton can open it: permission inheritance from the parent folder was turned
off, the Everyone and Users entries were removed, and an Allow entry for Carlton (plus SYSTEM
and Administrators) was left in place. Do not try to achieve this with a Deny entry for
Everyone. Carlton is himself a member of Everyone, and Windows evaluates an explicit Deny
before any Allow, so "Deny Everyone" locks Carlton out as well. Once the permissions are set,
other users on the network or on the computer can still see the folder's name listed in its
parent, but opening it returns Access Denied unless they are logged in as the user Carlton.

Warning: Hidden Files and Folders Can Still Be Deleted. Even when access to the folder is
denied, groups or users who are granted Full Control on a parent folder can delete any files
in that folder regardless of the permissions protecting the files' contents, because Full
Control on the parent includes the Delete Subfolders and Files right.

Warning: Administrators Can Take Ownership. A local administrator who is denied access can
still take ownership of the folder and then grant himself permissions. NTFS permissions keep
honest users honest; only encryption (EFS, below) raises the bar against an administrator,
and even then only if he was not set up as a recovery agent beforehand.

Warning: Anonymous Users Do Not Belong to Everyone. Since Windows XP and Windows Server
2003 (and in Windows Vista), the Everyone group no longer includes the Anonymous Logon
group by default, so permissions applied to the Everyone group do not affect anonymous
users. You must apply those permissions separately. (Windows 2000 did include anonymous
users in Everyone.)


File Sharing Permissions

1. Share Permissions versus NTFS Permissions: Share permissions and NTFS permissions
are independent in the sense that neither changes the other. The final access a
network user gets on a shared folder is determined by evaluating the Share permission
entries and the NTFS permission entries separately; the more restrictive result is then
applied.

2. Windows XP Home: XP Home hides the Security tab (Simple File Sharing is its only mode),
so in the normal interface you can set Share permissions only. NTFS permissions on XP
Home can still be edited from Safe Mode or with the cacls.exe command-line tool. The
Windows Vista Home editions do expose the Security tab.

3. Using Share with FAT32: Share permissions are the only access control available for
shares on FAT32 volumes, or on other computers that do not use the NTFS file system.

4. Standard Operating Procedure: Many experienced administrators set Share permissions
to Full Control for Everyone (or, more conservatively, for Authenticated Users) and rely
entirely on NTFS permissions to restrict access. This frees you from having to think
about Share permissions and gives you one place to look when auditing who can reach
what, although NTFS permissions are more complex than Share permissions.

5. Scope of the Two Permission Types: Four different kinds of folder can be set up using
Share or NTFS permissions, with these differences:

a. NTFS permissions affect access by both local and remote users.

b. Share permissions apply only to network shares.

c. Share permissions do not restrict access by any local user, or by any terminal
server user, of the computer on which the share is defined. Thus Share
permissions do not provide privacy between users of a computer shared by
several people, nor on a terminal server accessed by several users; only NTFS
permissions do.
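To make the combination rules concrete, here is a small Python model, added for this edition; it is not the handout's code and not how Windows evaluates ACLs internally (the real algorithm also orders inherited and explicit entries and knows many more rights). It covers items 1, 4 and 5 above and the Carlton's Private Folder example from the previous section: the share ACL only applies over the network, the network result is the intersection of share and NTFS, and an explicit Deny strips rights before any Allow adds them. The users, groups and rights are invented.

```python
"""Effective-access model for a shared folder (added example, not from the handout).

Two rules from the text: the share ACL is evaluated only for network access, and the
final result is the intersection (the more restrictive of the two); plus the ACL rule
that an explicit Deny is applied before Allow, which is why "Deny Everyone" also
locks out the folder's owner. Names, groups and rights are simplified and invented.
"""
from typing import Dict, FrozenSet, List, Tuple

FULL: FrozenSet[str] = frozenset({"read", "write", "delete"})
NONE: FrozenSet[str] = frozenset()

# An ACE is (principal, "allow" | "deny", rights granted or denied).
Ace = Tuple[str, str, FrozenSet[str]]

# Constructed group membership; every logged-on user is in Everyone.
GROUPS: Dict[str, FrozenSet[str]] = {
    "carlton": frozenset({"Everyone", "Users"}),
    "steve": frozenset({"Everyone", "Users"}),
    "admin": frozenset({"Everyone", "Users", "Administrators"}),
}


def principals_for(user: str) -> FrozenSet[str]:
    """The user's own identity plus every group in the user's access token."""
    return frozenset({user}) | GROUPS.get(user, NONE)


def evaluate_acl(acl: List[Ace], user: str) -> FrozenSet[str]:
    """Collect rights from every ACE matching the token; denies strip rights regardless
    of position (Windows sorts explicit denies first for exactly this reason)."""
    token = principals_for(user)
    allowed, denied = NONE, NONE
    for principal, kind, rights in acl:
        if principal not in token:
            continue
        if kind == "deny":
            denied |= rights
        else:
            allowed |= rights
    return allowed - denied


def effective_access(user: str, share_acl: List[Ace], ntfs_acl: List[Ace],
                     via_network: bool) -> FrozenSet[str]:
    """Local logons bypass the share ACL entirely; network users get the intersection."""
    ntfs = evaluate_acl(ntfs_acl, user)
    if not via_network:
        return ntfs
    return ntfs & evaluate_acl(share_acl, user)


# The "standard operating procedure": share wide open, NTFS does the restricting.
SHARE_FULL_EVERYONE: List[Ace] = [("Everyone", "allow", FULL)]
SHARE_READ_ONLY: List[Ace] = [("Everyone", "allow", frozenset({"read"}))]

# Wrong way to build "Carlton's Private Folder": Deny Everyone, Allow carlton.
NTFS_DENY_EVERYONE: List[Ace] = [("Everyone", "deny", FULL), ("carlton", "allow", FULL)]

# Right way: inheritance removed, no Everyone/Users entry, Allow only carlton (+ admins).
NTFS_ONLY_CARLTON: List[Ace] = [("carlton", "allow", FULL), ("Administrators", "allow", FULL)]


if __name__ == "__main__":
    for user in ("carlton", "steve", "admin"):
        print(user, "Deny-Everyone ACL:",
              sorted(effective_access(user, SHARE_FULL_EVERYONE, NTFS_DENY_EVERYONE, True)))
        print(user, "Allow-only ACL:   ",
              sorted(effective_access(user, SHARE_FULL_EVERYONE, NTFS_ONLY_CARLTON, True)))
    # A read-only share caps a network user at read even though NTFS grants Full Control,
    # while the same user logged on at the console is not limited by the share at all.
    print("carlton via read-only share:",
          sorted(effective_access("carlton", SHARE_READ_ONLY, NTFS_ONLY_CARLTON, True)))
    print("carlton at the console:     ",
          sorted(effective_access("carlton", SHARE_READ_ONLY, NTFS_ONLY_CARLTON, False)))
```

Running it shows the Deny Everyone ACL giving every user, Carlton and the administrator included, no rights at all, while the Allow-only ACL gives Carlton and the administrator Full Control and Steve nothing.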


Folder Settings

You can apply many settings to each folder by selecting Tools, Folder Options in Windows
Explorer. Four of these settings have a security impact, as follows:

1. Hide Hidden Files: One option allows you to display or hide files and folders that carry
the Hidden attribute. Hidden files are just like ordinary files in all other respects; you
make a file hidden or visible by changing its properties. Hidden files are generally used
to reduce clutter, and they keep confidential files out of sight of casual users, but
anyone can flip the "show hidden files" option or run dir /a, so do not rely on hidden
files as a means of security or privacy.

2. Hide Protected Operating System Files: These files are hidden by default, and you
should keep them hidden. Hiding them helps you avoid deleting them accidentally, but
for some special purposes you will need to display them temporarily.

3. Show Encrypted or Compressed NTFS Files in Color: This option could tell an intruder at
a glance which files are worth targeting, so you might consider turning it off. Be aware
that it only changes what Explorer displays; anyone who can list the folder can still
read the Encrypted attribute (the attrib and cipher commands show it), so this is
cosmetic rather than protective.

4. Use Simple File Sharing: This option exists in Windows XP (Windows 95, 98 and 2000 used
different sharing models, and Vista replaced it with the Sharing Wizard). In XP
Professional it is enabled by default on computers that are not joined to a domain, and
most security experts recommend turning it off and using standard (classic) file sharing
instead, which gives you per-user Share and NTFS permissions rather than a single
"Allow network users to change my files" check box. XP Home can use Simple File Sharing
only.

Encrypting File System (EFS)

There's only one sure way to make your files truly confidential: you must encrypt them. The
Encrypting File System (EFS) in most versions of Windows Vista, XP, and 2000 scrambles the
contents of files and folders so that other accounts cannot read them. Before relying on it,
understand what it does and does not protect against. EFS keys are unlocked by your Windows
logon, so anyone who can log on as you (or who runs malware under your account while you
are logged on) reads the files exactly as you do; a strong, secret account password is
therefore essential. EFS protects data at rest on the NTFS volume only: copying a file to a
FAT volume, a USB stick or an e-mail attachment decrypts it, and applications may leave
plain-text temporary copies outside the encrypted folder. Finally, if an administrator resets
the password of a local account (as opposed to you changing it), the EFS keys become
inaccessible; without a backup of your EFS certificate or a configured recovery agent, the
files are gone for good. Export your certificate and private key (Certificate Manager,
certmgr.msc) right after you first encrypt something, and keep the export off the machine.
Key points follow:

1. Where Is EFS? EFS is included in Windows Vista Business, Enterprise, and Ultimate; XP
Professional; and Windows 2000. Windows XP Home lacks EFS, and Vista Home Premium,
Vista Starter, and Vista Home Basic only allow decryption: users can read files that are
already encrypted but cannot encrypt new ones.

2. Must Use NTFS: As mentioned above, to use EFS on a hard drive partition, that
partition must first be formatted using the NTFS file system.

3. Encrypt: To encrypt a file or folder, right-click it, choose Properties, General tab,
Advanced, and check Encrypt contents to secure data. If you're encrypting a folder,
you'll be asked whether to encrypt its files and subfolders as well. Encrypt folders rather
than individual files, so that new files and the temporary copies applications create inside
the folder are encrypted too.

Once encrypted, the files or folders will work like any others on your system; you don't
have to use any special passwords to open or save them. However, other user accounts
on the PC, and other PCs on the network, will not be able to view the file contents
unless they are logged in to your account with your password.

Tip: You can add the Encrypt command to your right-click context menu using Tweak
UI, a free PowerToy from Microsoft. Download and install Tweak UI, launch it, select
Explorer in the left pane, scroll to the option and check Show "Encrypt" on context menu.

4. Color Coded: Encrypted folders and files appear in green text as an indication that
the contents are encrypted. You can change this by opening Explorer and choosing
Tools, Folder Options. Click the View tab and, in the Advanced Settings box, check or
uncheck Show encrypted or compressed NTFS files in color. Encrypted items are shown in
green and compressed ones in blue. If you don't want others to see which files are
encrypted or compressed, uncheck this option (remembering that the attribute itself is
still visible to anyone who looks for it).

5. Grant Permissions to Others: You can grant other users access to your encrypted files
by user name. Right-click a single encrypted file (not a folder or multiple files) and
choose Properties. In the General tab click Advanced, and next to 'Encrypt contents to
secure data' choose Details. In the middle of that dialog box click Add to open the
Select User dialog, which lists others who have an EFS certificate (a digital document
that helps confirm authenticity) on your system. Users can acquire certificates in
various ways, but the simplest is to encrypt one of their own documents, which makes
Windows issue them one. Select a trusted user and click OK. This sharing is per file:
files you add to the folder later are encrypted for you alone unless you add the other
user to them as well.

6. Disable Profiles Rather than Deleting Them: Deleting a user's account and profile
destroys the private key that decrypts that user's files, so it can prevent anyone from
ever reading them. For example, if Steve goes on leave, you should disable rather than
delete Steve's account. In XP, choose Start, Run, type lusrmgr.msc, and press Enter. In
Vista, click Start and enter the same command in the Start Search field (lusrmgr.msc is
not included in the Home editions). Click the Users folder icon in the left pane and
double-click Steve's account in the right pane. In the General tab, check Account is
disabled and click OK; when Steve returns to work, simply reverse this procedure. If Steve
is not coming back, have him export his EFS certificate (or decrypt his files) before the
account is removed.


System Restore
Chapter 7


System Restore

System Restore is a feature of Microsoft Windows XP and Vista that automatically saves a copy
of important system settings (the registry) and system files so that you can easily restore
those settings if something goes wrong. System Restore creates a restore point every day and
every time you install new hardware or software.

If your computer starts functioning poorly, System Restore can be used to return system
settings and system files to the state they were in on an earlier date when the computer was
working properly. It does not restore your documents, and it is not a backup: it will not help
after a disk failure, a theft, or a fire.

System Restore has saved my bacon many times, so I reserve as much disk space as possible for
its restore points. (Not everyone is a big restore point fan because it does not always work
properly, but my experience has been 100% great.) Comments follow:

1. On Windows Vista computers, you need at least 300 megabytes (MB) of free space on
each hard drive that has System Protection turned on.
2. System Restore might use up to 15 percent of the space on each disk.
3. As the space fills up with restore points, System Restore deletes older restore points
to make room for new ones.
4. System Restore will not run on disks smaller than 1 gigabyte (GB).
5. In Windows XP only, you can adjust the amount of disk space System Restore claims from
the interface: right-click My Computer in Explorer or on the desktop and choose
Properties. Click the System Restore tab and select the drive whose storage settings you
want to change. Choose Settings, drag the slider to the desired level, and click OK twice.
6. Restore points are created automatically every day and just before significant system
events, such as the installation of a program or device driver. You can also create a
restore point manually.
7. If you turn off System Protection (the feature that creates restore points) on a disk, all
restore points are deleted from that disk. When you turn System Protection back on,
new restore points are created.
8. System Restore doesn't protect FAT32 and other FAT disks because FAT disks don't
support shadow copies, which require the NTFS file system. In Windows Vista, System
Restore uses shadow copies to create restore points, so if you store system files on a
FAT disk you cannot use System Restore to undo changes.
9. A security caveat: a restore point preserves system files exactly as they were, so a
restore point taken while a virus was installed preserves the virus, and antivirus
scanners usually cannot clean inside restore points. When removing malware, turn
System Restore off (which purges the old points) and back on once the machine is clean.

Understanding the Registry

The system registry is where Windows stores your computer settings and other information
about how your computer runs. The registry is constantly changing as you install new programs
and change settings in Control Panel and elsewhere. Here is what the registry looks like:

Ordinarily, you do not need to make changes directly to the registry, because the registry
contains complex system information that is vital to your computer, and an incorrect change to
your computer's registry could render your computer inoperable. However, you can run the
command REGEDIT to launch the Registry Editor and scroll through its thousands of lines of
content. System Restore takes snapshots of your registry, which can be restored later if needed.


Firewalls
Chapter 8


Firewalls
A firewall is a dedicated appliance, or software running on a computer, which inspects
network traffic passing through it and denies or permits passage based on a set of rules.

The need for firewalls became obvious with Clifford Stoll's discovery in 1986 of German spies
tampering with his systems at Lawrence Berkeley Laboratory. That attack and others led
network engineers to apply filter rules on their routers, the first packet-filtering firewalls.
The term "firewall" had already been popularized by its appearance in the 1983 movie
WarGames.

The Internet and Security Have Opposing Objectives
The whole point of the Internet is to allow for the free flow of information throughout the
world. The whole point of computer security is to prevent the free flow of information to
anyone who is not authorized to have it. Given these two directly opposing objectives, it is
easier to understand why airtight computer security is so elusive. The real trick is to allow
authorized access to your systems and to prevent unauthorized access. This is precisely what
firewall devices can do for your organization, provided their rules are written with that
distinction in mind.


Firewalls: Devices versus Software

Firewalls can be hardware devices or software applications. Here are examples:

In my opinion, a hardware firewall device belongs at the perimeter, because it sets up a
defense at the point where your Internet cable enters your building and protects every device
behind it, including routers, printers, fax machines and other equipment that cannot run
firewall software itself. A software firewall on the server, or worse on each computer,
protects only the machine it runs on. Because just one hardware device can cover your entire
organization's computer systems, I recommend a firewall device as the first layer. It is not
the only layer you need: a perimeter device sees nothing of traffic between two machines
inside your network, which is where a software firewall on each computer earns its keep (see
the Windows firewall discussion at the end of this chapter).

Please Change the Firewall Password

The management address of each firewall device (typically 192.168.0.1 or 192.168.1.1) and its
default user name and password (usually something like admin/password or admin/admin) are
printed on the bottom of the device and listed in every manual, so every attacker knows them
too. Log in and change the password (and the user name, if the device allows it) before you
connect the device to the Internet, and disable administration from the Internet side unless
you really need it.


What Firewall Routers Do

Today's firewall devices provide several security features, as follows:

1. Restrict Access: Firewalls provide Network Access Rules that allow the administrator to
block all traffic of a certain type, such as Internet Relay Chat (IRC). Rules can be created
to give Internet users access to a specific server on a LAN. Most importantly, firewalls
give you control of your ports, and many can also block Java, ActiveX, cookies and proxies,
with exceptions for trusted sites. This content filtering is not absolute: when a proxy
server is reachable on the WAN, LAN users who point their browsers at that proxy can
circumvent the filtering, and traffic inside an encrypted (HTTPS or VPN) connection cannot
be inspected at all.

2. Hacker Attack Prevention: Firewalls can inspect packets as they arrive to protect
private LANs from Internet hackers and vandals by detecting and thwarting Denial of
Service attacks such as Ping of Death, SYN Flood, LAND Attack, IP Spoofing, etc.

3. Alerts: Most firewall devices maintain a log of security events for later review. These
events can also be sent to appropriate users via e-mail for immediate review, depending
upon the severity of the event. Logs kept on the device itself are lost when it reboots
or the log fills up, so send them to a syslog server if the device supports it.

4. Network Address Translation (NAT): Allows companies to use private addresses on the
LAN. NAT hides your internal address plan and, as a side effect, drops unsolicited
inbound connections for which no translation exists, but it is not a substitute for
filtering rules: outbound traffic, port forwards, and anything an attacker reaches through
a machine that initiated the connection pass straight through it.

5. IP Address Management: NAT also allows LANs to share low-cost Internet accounts,
such as xDSL or cable modems, where only one IP address is provided by the ISP.

A good comparison chart of firewall features is available at this URL:

http://en.wikipedia.org/wiki/Comparison_of_firewalls

When shopping for a firewall appliance, make sure to select one that has been ICSA Labs
certified. This internationally accepted certification means that the device has been
subjected to a rigorous series of tests intended to expose vulnerabilities to attacks and
intrusions. There are many firewalls in the marketplace ranging in price from $95 to $46,000.

How Firewalls Filter Data

Every packet transmitted over the Internet carries the sender's and the recipient's IP
address in its header, and each mail server that handles an e-mail records the IP address it
received the message from in a Received: header. As an example, consider this e-mail I
received from Godiva Chocolates:

Status: U
Return-Path: <godiva@email.godiva.com>
Received: from noehlo.host ([127.0.0.1]) by whmx-tenant.pas.sa.earthlink.net
    (EarthLink SMTP Server) with SMTP id 1jH4Y75i43NZFmB2;
    Wed, 2 Apr 2008 08:33:43 -0700 (PDT)
Received: from mh.godiva.m0.net ([209.11.164.74])
    by whmx-tenant.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id
    1jH4Y73cx3NZFmB0 for <carlton@accountingsoftwareadvisor.com>;
    Wed, 2 Apr 2008 08:33:43 -0700 (PDT)

As you can see, the IP address of the server that delivered the message (209.11.164.74, as
recorded by my provider's EarthLink mail server) is embedded in the headers. With this
information, I could instruct my firewall device to block all packets to and from this IP
address (exclusive filtering). Likewise, I could instruct my firewall device to block all
packets except those to or from this IP address (inclusive filtering). The screen below shows
where you would set up these rules on a NetGear firewall device.

When reading Received: headers, trust only the lines added by your own or your provider's
servers, which are the topmost ones; a spammer can put any number of fabricated Received:
lines beneath them. Also remember that bulk senders and attackers alike change addresses, so
an address-based block is a short-term measure rather than a permanent fix.
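As an added example (not from the handout and not the NetGear device's own logic), the Python below reads the Received: chain of a message such as the one above, extracts the address that your own mail server recorded, and evaluates the two rule styles just described. The sample headers are a constructed replica of the Godiva headers with one extra, deliberately forged Received: line at the bottom, to show why only the hops written by servers you trust count. The trusted host list and the Firewall class are illustrative assumptions.

```python
"""Originating-IP extraction from Received: headers plus first-match filtering
(added example, not from the handout and not the NetGear device's own logic)."""
import ipaddress
import re
from typing import List, Optional, Tuple, Union

# Constructed replica of the Godiva headers, with one extra *forged* hop appended at
# the bottom (the sender controls everything below the lines our own server wrote).
SAMPLE_HEADERS = """\
Return-Path: <godiva@email.godiva.com>
Received: from noehlo.host ([127.0.0.1]) by whmx-tenant.pas.sa.earthlink.net
  (EarthLink SMTP Server) with SMTP id 1jH4Y75i43NZFmB2; Wed, 2 Apr 2008 08:33:43 -0700 (PDT)
Received: from mh.godiva.m0.net ([209.11.164.74])
  by whmx-tenant.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1jH4Y73cx3NZFmB0
  for <carlton@accountingsoftwareadvisor.com>; Wed, 2 Apr 2008 08:33:43 -0700 (PDT)
Received: from innocent.example.net ([203.0.113.9]) by mh.godiva.m0.net
  with SMTP; Wed, 2 Apr 2008 08:33:40 -0700 (PDT)
"""

MY_MAIL_HOSTS = ["whmx-tenant.pas.sa.earthlink.net"]   # assumption: our provider's inbound MX

RECEIVED_RE = re.compile(
    r"Received:\s*from\s+(\S+)\s+\(\[?([0-9a-fA-F.:]+)\]?\)\s+by\s+(\S+)", re.IGNORECASE)

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def unfold(raw: str) -> List[str]:
    """RFC 5322 unfolding: a line starting with whitespace continues the previous header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw: str) -> List[Tuple[str, str, str]]:
    """(claimed sender host, connecting IP, receiving host) per Received: line, newest first."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    return hops


def originating_ip(raw: str, my_hosts: List[str]) -> Optional[str]:
    """First public IP recorded by a server we trust, walking from the newest hop down.

    Loopback/private hand-offs inside the provider are skipped. The walk stops at the
    first hop not written by one of our hosts: everything below it is the sender's claim."""
    trusted = {h.lower() for h in my_hosts}
    for _claimed, ip, by_host in received_hops(raw):
        if by_host.lower() not in trusted:
            break
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private:
            continue
        return ip
    return None


class Firewall:
    """Ordered rule list, first match wins, with a default action, like a consumer appliance."""

    def __init__(self, default: str) -> None:
        self.default = default
        self.rules: List[Tuple[Network, str]] = []

    def add(self, cidr: str, action: str) -> None:
        # A bare address such as "209.11.164.74" becomes a /32 host rule.
        self.rules.append((ipaddress.ip_network(cidr, strict=False), action))

    def decide(self, src_ip: str) -> str:
        addr = ipaddress.ip_address(src_ip)
        for net, action in self.rules:
            if addr in net:
                return action
        return self.default


def exclusive_filter(ip: str) -> Firewall:
    """Block one address, allow everything else (block-list style)."""
    fw = Firewall(default="allow")
    fw.add(ip, "deny")
    return fw


def inclusive_filter(ip: str) -> Firewall:
    """Allow only one address, block everything else (allow-list style)."""
    fw = Firewall(default="deny")
    fw.add(ip, "allow")
    return fw


if __name__ == "__main__":
    ip = originating_ip(SAMPLE_HEADERS, MY_MAIL_HOSTS)
    print("originating IP:", ip)
    print("exclusive:", exclusive_filter(ip).decide(ip), exclusive_filter(ip).decide("198.51.100.7"))
    print("inclusive:", inclusive_filter(ip).decide(ip), inclusive_filter(ip).decide("198.51.100.7"))
```

The walk returns 209.11.164.74 and never reaches the forged 203.0.113.9 line, because that hop claims to have been written by a server we do not control. The Firewall class evaluates rules in order with a default action, which is also the order of evaluation to keep in mind when a device's rule list grows beyond a handful of entries.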


You Can Test Your Firewall's Effectiveness: There are several web sites that you can visit that
will test the vulnerability of your current Internet connection and the effectiveness of your
firewall device. One such web site, offered by Symantec, is located at the following URL:

http://security.symantec.com/ssc/sc_ipcheck.asp?ax=1&langid=ie&venid=sym&plfid=23&pkj=OBQXESLHFEPGEVVSDUX

Symantec publishes the results of this online security testing and, based on more than 2.5
million tests, 16% to 21% of all users are vulnerable to network and NetBIOS attacks via the
Internet. These results are shown below:

Windows XP & Windows Vista Firewalls

Both Windows XP and Windows Vista have firewalls built right in, and they are
excellent. To access the firewall settings, select Windows Firewall from Control
Panel to display the following dialog boxes:

Following are a few points of interest regarding these firewall solutions.
1. Windows Firewall was first introduced as part of Windows XP Service Pack 2 (earlier XP
shipped the weaker Internet Connection Firewall, which was turned off by default).

2. Every type of network connection, whether it is wired, wireless, VPN, or even FireWire,
has the firewall enabled by default, with some built-in exceptions to allow connections
from machines on the local network. Review those exceptions (File and Printer Sharing in
particular) on laptops that travel to hotel and coffee-shop networks.

3. System administrators are able to configure Windows Firewall settings on a company-
wide level through Group Policy.

4. XP's Windows Firewall cannot block outbound connections; it is only capable of blocking
inbound ones. A Trojan already on the machine can therefore call home freely.

5. Windows Firewall in Windows Vista significantly improves the firewall as follows:

a. IPv6 connection filtering is now available.

b. Outbound packet filtering is now available. Note that the default outbound policy is
still Allow; outbound rules only take effect once you change the profile's default to
Block and write allow rules for the programs you need.

c. Rules can be specified for source and destination IP addresses and port ranges.

d. Rules can be configured for services by service name, chosen from a list, without
needing to specify the full path file name.

e. IPsec is fully integrated, allowing connections to be allowed or denied based on
security certificates, Kerberos authentication, etc.

f. Encryption can also be required for any kind of connection.

g. A new management console snap-in named Windows Firewall with Advanced
Security provides access to many advanced options and enables remote
administration. It can be accessed via Start > Control Panel > Administrative
Tools > Windows Firewall with Advanced Security.

h. Separate firewall profiles apply depending on whether the computer is domain-joined
or connected to a private or public network.

If you have a firewall device and also use Windows' built-in firewall, you do end up with
redundant protection. This is fine; I see no significant problems or performance issues with
running these two layers of firewall protection. In fact, the Windows firewall becomes
important precisely because the perimeter device cannot see traffic inside your network: the
host firewall is what protects your computer from attacks launched by other employees,
infected laptops, or anyone else already inside your organization.


Wireless Security
Chapter 9


Wireless Security
A wireless device provides an invisible access point into your computer network within a
radius of up to 300 feet from the device, and further than that for anyone with a directional
antenna. Hackers build such antennas from empty tennis ball cans and similar containers to
detect and boost your signal from well outside your building, like the device shown below.

Many users setting up wireless home and small office networks rush through the job to get
their Internet connectivity working as quickly as possible, but they fail to take the additional
measures needed to properly lock down this new access point. The recommendations below
summarize the steps you should take to improve the security of your home wireless network.
1. Change Default Administrator Passwords (and User Names): The first order of business
is to log in to your wireless device's settings and change the default user name and
password. The default login name and password are usually "admin" and "password",
and every hacker out there knows this, so change these settings immediately. Here's how:
a. Connect to the wireless device with a physical wire (an Ethernet cable) if you can.
Most consumer routers will accept an administrative login over WiFi, but until the
defaults are changed anyone in range can log in the same way, so do it over the cable.
b. Log in to the network router by typing the following into your browser:
http://192.168.0.1, or whatever IP address is printed on the bottom of the
wireless device, if different.
c. Navigate the menu to the router's Change Password page.
d. Choose and enter a new password.
e. Save the new password.


2. Turn on WPA2 or WPA Encryption: All WiFi equipment supports some form of
encryption scheme. The schemes you will meet, from oldest to newest:

a. WEP (Wired Equivalent Privacy): Found to have serious cryptographic flaws in 2001;
today a WEP key can be recovered in minutes from captured traffic. Treat a WEP
network as an open network.
b. WEP2: Also found deficient; the ideas from WEP2 were reworked into TKIP.
c. WEPplus: Lucent's attempt to correct WEP's shortcomings, which fell short.
d. Dynamic WEP: 3Com's attempt to correct WEP's shortcomings, which also fell short.
e. WPA (WiFi Protected Access): The interim answer to WEP, using the TKIP cipher so
that WEP-era hardware could run it.
f. WPA2: Better than WPA, using AES (CCMP); it does not always work with older devices.
g. WPA-PSK (TKIP): WPA with a pre-shared key; software-driven, so most older adapters
can run it.
h. WPA2-PSK (AES): WPA2 with a pre-shared key; needs AES support in the adapter
(hardware-driven on older cards). This is the setting to choose.
i. WPA2-PSK (TKIP): WPA2 negotiation with the older TKIP cipher; a compatibility
fallback only.

Encryption technology scrambles messages sent over wireless networks so that they
cannot be easily read. Naturally you will want to pick the strongest form of encryption
that works with your wireless network. However, all WiFi devices on your network must
share the identical encryption settings, so you may need to find a "lowest common
denominator" setting; if that denominator turns out to be WEP, replace the offending
adapter rather than run WEP. With any PSK mode the passphrase is the whole secret: an
attacker who records one client joining the network can guess passphrases offline at
high speed, so use a long (20 or more characters) random passphrase, not a word or a
phone number. Here's how you set up WPA on Windows XP:

j. First, verify that each computer is running Windows XP Service Pack 1 (SP1) or
later (SP2 and later include WPA support without the patch in step l).

k. On each computer, verify that the client's network adapter is compatible with the
Wireless Zero Configuration (WZC) service. (To do this, consult the adapter's
product documentation, manufacturer's web site, or customer service line for
details. Upgrade the network adapter driver and configuration software to support
WZC on clients where needed.)

l. For each computer still on SP1, download and install the Windows XP Support Patch for
WiFi Protected Access, walk through the installation dialog boxes and follow the
instructions.

m. Continue following the instructions and configure all wireless access points (your
wireless devices).
n. Continue following the instructions and configure all wireless network adapters
(your LAN cards).

3. Change the Default SSID: Access points and routers all use a network name called the
SSID. Manufacturers normally ship their products with the same SSID set. For example,
the SSID for Linksys devices is normally "linksys". True, knowing the SSID does not by
itself allow your neighbors to break into your network, but it is a start. When someone
finds a default SSID, they see a poorly configured network and are much more likely to
attack it. There is also a cryptographic reason to change it: WPA and WPA2 derive the
network key from the passphrase and the SSID together, so attackers precompute tables
for the common default SSIDs, and a network named "linksys" with a guessable passphrase
falls in seconds. Change the default SSID immediately when configuring wireless security
on your network:

a. Log in to the network router.
b. Navigate to the router's Basic Wireless Settings page.
c. Choose and enter a new SSID (one that does not identify your firm or your address).
d. Save the new SSID.

4. Enable MAC Address Filtering: Each piece of WiFi gear possesses a unique identifier
called the physical address or MAC address. Routers keep track of the MAC addresses of
all devices that connect to them, and many routers offer the owner an option to key in
the MAC addresses of their home or small business equipment, which restricts network
connections to those devices only. Here's how:

a. To set up MAC address filtering, first prepare a list of computers and devices that
will be allowed to join the network.

b. Next, obtain the MAC address of each computer or device from its operating
system or configuration utility (on Windows, ipconfig /all lists it as the Physical
Address).

c. Next, enter those addresses into the configuration screen of the wireless router. An
example screen is shown below.

d. Finally, switch on the filtering option.

e. Once enabled, whenever the wireless router receives a request to join the
WLAN, it compares the MAC address of that client against the administrator's
list. Clients on the list authenticate as normal; clients not on the list are denied
any access to the WLAN.

(While this feature represents another small obstacle to hackers, it is not a security
control. MAC addresses travel in the clear even on an encrypted network, so an attacker
with a wireless sniffer sees exactly which addresses are allowed, and changing a card's
MAC address to match one of them is a one-line setting in most drivers and tools. Use
it for tidiness, but rely on WPA2 for security.)

5. Disable SSID Broadcast: In WiFi networking, the wireless router typically broadcasts
the network name (SSID) over the air at regular intervals. This feature was designed for
businesses and mobile hotspots where WiFi clients may roam in and out of range. In
the home or small business this roaming feature is probably unnecessary, and
advertising the name invites casual attempts to log in to your network. Most WiFi access
points allow the SSID broadcast feature to be disabled by the network administrator: log
in to your wireless router device, navigate to the SSID menu, and click the disable button
as shown below. Understand what this buys you: a hidden SSID keeps the name out of the
neighbors' network lists, but the name is still sent in the clear whenever one of your own
devices connects, and your laptops will then broadcast the name everywhere they go while
looking for it. Wireless scanning tools show hidden networks routinely, so this hides you
from the curious, not from anyone actually looking.


6. Do Not Auto-Connect to Open WiFi Networks: Connecting to an open WiFi network
such as a free wireless hotspot or your neighbor's router exposes your computer to
security risks. Although not normally enabled, most computers have a setting available
allowing these connections to happen automatically without notifying you (the user).
This setting should not be enabled except in temporary situations. Here's how to check
it in Windows XP:
a. To verify whether automatic WiFi connections are allowed, open Control Panel.
b. Click the "Network Connections" option if it exists (otherwise first click "Network
and Internet Connections" and then click "Network Connections").
c. Right-click "Wireless Network Connection" and choose "Properties".
d. Click the "Wireless Networks" tab on the Properties page.
e. Click the "Advanced" button.
f. Find the "Automatically connect to non-preferred networks" setting. If checked,
this setting is enabled; otherwise it is disabled.

7. Assign Static IP Addresses to Devices: Most home and small business networks use
dynamic IP addresses because DHCP technology is easy to set up and use. That
convenience also hands a valid address to anyone who gets past your wireless
encryption. To be slightly more secure, you may turn off DHCP on the router, set a fixed
IP address range instead, and configure each connected device to match. Use a private
IP address range for the LAN: 10.x.x.x, 172.16.x.x through 172.31.x.x, or 192.168.x.x.
(Do not use a range like 12.12.12.x; that is a public range that belongs to someone else
and will break access to their servers.) Private addresses prevent computers from being
directly reached from the Internet. Be realistic about the value of this step: an attacker
who has defeated your encryption can read your address range off the air in seconds and
pick an unused address, so it is a speed bump, not a control. The specific procedures to
follow vary with the devices you are using, so refer to the user manual or the web for
detailed instructions for each device on your network.
8. Enable Firewalls on Each Computer and the Router: Wireless routers contain built-in
firewall capability, but the option also exists to disable it. Ensure that your router's
firewall is turned on: log in to your wireless router device, navigate to the Firewall menu,
and click the Enable button as shown below. For extra protection, consider installing and
running personal firewall software on each computer connected to the router; the
router's firewall does nothing about traffic between two wireless clients on the same
network.

9. Position the Router or Access Point Safely: WiFi signals normally reach beyond the
walls of a home or small office. A small amount of signal leakage outdoors is not a
problem, but the further the signal reaches, the easier it is for others to detect and
exploit. WiFi signals often reach through neighboring homes and into streets, for
example. When installing a wireless home network, the position of the access point or
router determines its reach. Try to position these devices near the center of the home
rather than near windows to minimize leakage, remembering that a determined attacker's
directional antenna makes up for a lot of distance, so this reduces exposure rather than
drawing a boundary.

10. Turn Off the Network During Extended Periods of Non-Use: The ultimate in wireless
security measures, shutting down your network, will most certainly prevent outside
hackers from breaking in! While it is impractical to turn the devices off and on
frequently, at least consider doing so during travel or extended periods offline.
Computer disk drives have been known to suffer from power-cycle wear and tear, but this
is a secondary concern for broadband modems and routers. If you own a wireless router
but are only using its wired (Ethernet) connections, you can also often turn off the WiFi
radio on the router without powering down the entire network.
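The following Python audit is an added example; it is not from the handout, and the configuration field names are invented because every router vendor exports settings differently. It checks a router's settings against steps 1 through 8 above and returns findings. WEAK_CONFIG reproduces the factory-default state the chapter warns about, including the public 12.12.12.x range, and HARDENED_CONFIG shows the same settings corrected. The passphrase-length threshold is an assumption.

```python
"""Router configuration audit against the wireless checklist (added example, not from
the handout). Field names are invented; adapt them to whatever your router exports."""
import ipaddress
from typing import Dict, List

DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "belkin54g", "wireless"}
MIN_PASSPHRASE = 20   # assumption: long enough to resist offline guessing of a captured handshake

# Step numbers refer to the checklist above.
WEAK_CONFIG: Dict[str, object] = {
    "admin_user": "admin", "admin_password": "password",   # step 1: factory defaults
    "encryption": "WEP", "wifi_passphrase": "",             # step 2: broken cipher
    "ssid": "linksys",                                      # step 3: default SSID
    "mac_filter_enabled": False,                            # step 4
    "ssid_broadcast": True,                                 # step 5
    "lan_subnet": "12.12.12.0/24",                          # step 7: a public range, not private
    "firewall_enabled": False,                              # step 8
}

HARDENED_CONFIG: Dict[str, object] = {
    "admin_user": "asa-admin", "admin_password": "Q7v!k9#mzP2rL$wE",
    "encryption": "WPA2-AES", "wifi_passphrase": "correct horse battery staple 2008 atlanta!",
    "ssid": "asa-research-5f",
    "mac_filter_enabled": True,
    "ssid_broadcast": True,        # hiding the SSID buys little; see step 5
    "lan_subnet": "192.168.50.0/24",
    "firewall_enabled": True,
}


def audit(cfg: Dict[str, object]) -> List[str]:
    """Return one finding per failed check, severity first; an empty list means all pass."""
    findings: List[str] = []
    if (str(cfg["admin_user"]), str(cfg["admin_password"])) in DEFAULT_CREDS:
        findings.append("CRITICAL step 1: router admin credentials are factory defaults")
    enc = str(cfg["encryption"]).upper()
    open_network = enc in ("NONE", "OPEN", "")
    if open_network:
        findings.append("CRITICAL step 2: wireless network is unencrypted")
    elif enc.startswith("WEP"):
        findings.append("CRITICAL step 2: WEP is broken; switch to WPA2-AES")
    elif enc == "WPA" or "TKIP" in enc:
        findings.append("HIGH step 2: WPA/TKIP is deprecated; switch to WPA2-AES")
    if not open_network and len(str(cfg["wifi_passphrase"])) < MIN_PASSPHRASE:
        findings.append(f"HIGH step 2: pre-shared key shorter than {MIN_PASSPHRASE} characters "
                        "can be guessed offline from one captured handshake")
    if str(cfg["ssid"]).lower() in DEFAULT_SSIDS:
        findings.append("MEDIUM step 3: default SSID, and precomputed WPA-PSK tables exist for it")
    if not cfg["mac_filter_enabled"]:
        findings.append("LOW step 4: MAC filtering off (trivially spoofed either way)")
    if not ipaddress.ip_network(str(cfg["lan_subnet"]), strict=False).is_private:
        findings.append("MEDIUM step 7: LAN uses a public address range; use 10/8, 172.16/12 or 192.168/16")
    if not cfg["firewall_enabled"]:
        findings.append("HIGH step 8: router firewall disabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("factory defaults", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for line in results:
            print("  ", line)
```

The factory-default configuration produces seven findings and the hardened one none. The SSID broadcast setting is deliberately not flagged: as step 5 explains, hiding the name is cosmetic, so the audit spends its attention on the settings that actually keep an attacker out.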

Checking the Security
of Your PC
Chapter 10

1. Firewall Test: A firewall test should be conducted often and is easy to do. This test
checks your computer for ports that are commonly left open; open ports could allow
your computer to be compromised. As an example, you could run a firewall test in less
than 10 seconds at http://www.auditmypc.com/firewalltest.asp. This firewall test also
checks for open ports known to be used by viruses and Trojans. Note that such tests see
only what is reachable from the Internet side of your router, so a clean result says
nothing about ports that are open to the other machines on your LAN.

2. Anonymous Surfing Test: Anonymous surfing is a key step to staying safe online. I
tested my computer at http://www.auditmypc.com/anonymoussurfing.asp, and
immediately it showed me the following:

This means that a web site or other person can tell where I am
located (approximately).

Hide Your IP: To thwart this possibility, I would need to hide
my IP address using an anonymous proxy. Be very careful
though, as not all proxy servers do as they claim. In fact, many
junk proxy servers give people a false sense of security or
worse, and instead record everything you do in hopes of scoring
a password or two! A proxy does not remove the need for trust;
it moves the trust from your ISP to the proxy operator, who now
sees all of your unencrypted traffic. You can hide your IP with
many products, including this one:

The product claims to provide the following benefits:

1. Easily Conceal Your IP Address: Just click "Hide IP" and your IP is instantly hidden! Other people see
a fake IP, which is not associated with your real IP.

2. Anonymous Web Surfing: Protect your privacy and cover your tracks! Select from one of our many
fake proxy IP addresses for totally anonymous browsing.

3. Works with Many Applications: Hide My IP 2007 works with all major browsers and dozens of
instant messengers, e-mail clients, and games.

4. Stop Hackers: Identity thieves can potentially use your IP address to compromise your computer
by installing keyloggers, Trojans, and other tools.

5. Send Anonymous E-mails: Hide your IP in e-mail headers. Supports webmail services like Yahoo,
Hotmail, and GMail. Mail clients supported with a Premium account include Outlook, Outlook
Express, and Eudora.

6. Unban Yourself from Forums, Blogs, Etc.: By faking your IP you can often access many sites you
were banned from. Combine with Cookie Crumble for the most effectiveness.

3. Pop-up Test: At a minimum, unwanted pop-up ads steal time and provide a distraction.
A pop-up test helps you verify that your ad-blocking software is really capable of preventing
pop-up ads. I tested my computer for pop-ups at
http://www.auditmypc.com/freescan/popup/popuptest.asp. I did not have my pop-up
blocker turned on, and therefore I failed the test. Then I turned on the Internet Explorer
Pop-up Blocker and reran the test. The results before and after were as follows:

After turning on the standard Internet Explorer Pop-up Blocker, I passed the pop-up test
with flying colors.

4. Internet Speed Test: A slow Internet connection can steal your productivity. Therefore
you should conduct an Internet speed test for broadband, cable, satellite and DSL
modems that helps determine your true bandwidth. I tested my speed here:
http://www.auditmypc.com/internetspeedtest.asp. Here are the results:

This test provides you with your true speed, rather than the speed claimed by your
provider. This will help you identify the problem in the event that you are not getting all
the speed you are paying for. I recommend cable at a minimum; in my opinion DSL is
too slow and should be used only when it is the only option.


Online Security Tests
Chapter 11


Online Security Tests
ShieldsUp! Port Authority Edition: grc.com
Internet Vulnerability Profiling, Gibson Research Corporation, by Steve Gibson. [Free service]
Checks the security of your computer's Internet connection by performing queries and probing
common port addresses. A report is issued on your hacker vulnerability. "Port Authority" is the
second-generation ShieldsUP!!

Broadband Tests and Tools: www.broadbandreports.com/tools
BroadbandReports.com [Free service (limited use); fee required for unlimited use] Internet
speed tests, tweak test, line quality, line monitor, whois, doctor ping, router watch, and more.

BrowserSpy: gemal.dk/browserspy
[Free service] Shows you what detailed information is revealed about you and your browser:
version, what it supports, JavaScript, Java, plugins, components, bandwidth, language, screen,
hardware, IP, cookies, web server, and more.

GFI Email Security Testing Zone: www.gfi.com/emailsecuritytest
GFI Software Ltd [Free service] Find out how secure your e-mail system is by doing a
vulnerability check.

HackerWhacker: www.hackerwhacker.com
[First test is free; subscription fee applies on subsequent scans] See your computer the way
hackers do. The following issues are addressed: Are there strangers in your computer? Could
your web server be hijacked? Free security scan. Has your network been broken into? Are you
secure? Are hackers targeting you? Want to test your firewall? Also contains a listing of current
news articles on hacks, and a listing of links to other security sites.

PC Flank: www.pcflank.com
[Free service] Test Your System: choose from Quick Test, Stealth Test, Browser Test, Trojans
Test, Advanced Port Scanner, and Exploits Test. (Kudos to the webmaster for great site design!)

PC Pitstop: www.pcpitstop.com
[Free service] Internet Security test, Internet Ping test, Spyware check, In-memory virus check,
bandwidth tests, assorted benchmarks, and more.

Qualys' Free Browser Checkup: browsercheck.qualys.com
Qualys [Free service] A series of audits designed to test and fix your browser's security
vulnerabilities. Supports only Microsoft Internet Explorer, and you must have cookies enabled.

Privacy.net: privacy.net/analyze
The Consumer Information Organization [Free service] Privacy analysis of your Internet
connection performs tests on information that is collected about you when visiting a web site,
with explanations of what each test is and how it is performed.
77

InformationSecurity

ScannerXscannerX.com
[Initialassessmentisfree;Choosefromavarietyofplanssubscriptionfeeapplies]
Vulnerabilityassessmentservicesprovidedetailedtesting,reportingandfixes.

Secuniawww.secunia.com
[Freeservice]Onlineservicesincludebrowserchecker,onlineantivirus,andvulnerability
scanner.

SecuritySpacewww.securityspace.com
EsoftInc.[Free"BasicAudit";First"DesktopAudit"isfree,subscriptionfeeapplieson
subsequenttests]"BasicAudit"Ourclassicportscanscans1500+knownserviceports
lookingforserviceshackersmightusetogetin."DesktopAudit"Acomprehensivesuiteof797
vulnerabilityteststolearnifyoursystem'ssecurityisatrisk.

SymantecSecurityChecksecurityresponse.symantec.comClickon"checkforsecurityrisks".
Symantec[Freeservice]Aservicedesignedtohelpyouunderstandyourcomputer'sexposure
toonlinesecurityintrusionsandvirusthreats.

TrendMicroHousecallhousecall.trendmicro.comClickon"checkforsecurityrisks".
TrendMicro[Freeservice]Anonlinevirusscanningservice.
FileAuthentication&LeakTests:

FireHolekeir.net/firehole.html
RobinKeir[Freeware]Anothertoolfortestingtheoutbounddetectionofpersonalfirewalls.
ForusewithNetscapeandInternetExplorer.

LeakTestFirewallLeakageTestergrc.com/lt/leaktest.htm
InternetConnectionSecurityforWindowsUsers,GibsonResearchCorporationbySteve
Gibson.[Freeware]Thissmallutilitywilltestforvulnerabilitiesthatmightallowamalicious
programtobypassyoursoftwarefirewall.

TooLeakytooleaky.zensoft.com
BobSundling[Freeware]Testyourfirewallwithaprogramthatcandefeattheoutbound
detectionofpersonalfirewalls.ForusewithInternetExplorer.

Chapter 12
Windows Security
User Accounts & Security Groups

8. The Login Screen: When logging into Windows, you are greeted by the Welcome screen. You
must log in as a user to continue.

9. No Security in W95 & W98: In Windows 95 and Windows 98 there was no real logon security,
because you could simply press ESCAPE at the logon prompt to continue.

10. User Accounts Now Required: Windows XP and Windows Vista force you to create at least
one user account, and you can create an additional local account for each person who uses
the machine.

11. Accessing User Accounts: The Control Panel User Accounts option shows the user accounts
that are allowed to log in; however, there are other hidden user accounts used by the operating
system and applications that are not shown there. (On Professional editions, Local Users and
Groups in the Computer Management console lists them all.)

12. Limiting User Accounts: The more user accounts you have, the more targets a hacker has.
Therefore, consider limiting the number of user accounts using the hidden Administrative
Tools.

13. Making Administrative Tools Visible: To do this:

a. Right-click the Start button
b. Select Properties
c. Click the Start Menu tab
d. Click the Customize button
e. Click the Advanced tab (in Windows XP only; Vista users simply scroll down)
f. Select the option to display Administrative Tools

(The original handout shows the dialog box and the resulting Administrative Tools menu here.)

14. Disable the Guest Account in Windows 2000 and Vista: Most security experts advise you to
disable the Guest account because it serves no real-world purpose, it has no password by
default, and hackers like to target it. In Windows 2000 and Vista, disabling the Guest account
is easily accomplished via a button in the Control Panel's User Accounts dialog box. (Windows
95 and 98 had no Guest account to disable; as noted above, they had no real logon security at
all.)

15. Password-Protect the Guest Account in Windows XP: In Windows XP, turning off the Guest
account only hides it from the logon screen; it remains active behind the scenes because
Windows XP's simple file sharing uses it for network access to shared folders. Therefore,
rather than turning off the Guest account, apply a strong password to it. Creating a password
for the Guest account is easy in Windows XP Professional, but not in Windows XP Home: when
you open the User Accounts console from the Control Panel in Windows XP Home and select
the Guest account, Create a Password is not one of the available options. To create a password
for the Guest account in Windows XP Home, open a command prompt (click Start | All
Programs | Accessories | Command Prompt) and enter:

net user guest <password>

Leave off the angle brackets and simply type the password you want to assign at the end of
the command line, then press Enter. Oddly, once you have created a password for the Guest
account, the options for changing or removing the password will appear in the User Accounts
console.

16. Rename the Administrator Account: To hack into your computer, a hacker needs to know
both the user name and the password. Everyone already knows the name of the Administrator
account. By changing the name of the Administrator account, you compound the hacker's
efforts. This is easy: just log into Windows as the Administrator, go to Control Panel, User
Accounts, choose the Change Name option, and enter a new name. (The original handout
shows this dialog box here.) Note that renaming only removes the obvious name: the account
keeps its well-known security identifier (the SID ending in -500), so tools that look accounts up
by SID will still find it. Treat renaming as one small obstacle, not as a substitute for a strong
password.
17. Security Groups: Just as you can create user accounts, you can also create security groups.
The default groups included in Windows are as follows:

a. Administrators: can do everything
b. Users: can use the system, but can't install or change the system
c. Power Users: granted some power to install and configure the system
d. Guests: limited access; can see shared folders and printers
e. HelpServicesGroup: allows support technicians to connect to your computer
f. Backup Operators: can back up and restore files (and therefore read any file regardless of
its permissions, which makes this group nearly as sensitive as Administrators)
g. Replicators: supports file replication in a domain
h. Network Configuration Operators: can add, change or delete network connections
i. Remote Desktop Users: can connect remotely

Groups are helpful in larger organizations because the administrator can simply set up a few
groups and then assign users to those security groups. Users automatically inherit the rights
of the groups they belong to. Managing rights through security groups is faster and less
error-prone than assigning rights user by user. (The Local Users and Groups console is not
available in the Home editions of Windows XP and Windows Vista; the built-in groups still exist
there and can be listed from a command prompt with "net localgroup".)
18. Administrator Rights Required in Vista: Windows Vista allows users to be standard users or
administrators. Beginning in Windows Vista, you must supply administrator credentials to
accomplish many things such as installing software or changing computer settings. This can
be frustrating because standard users will encounter this obstacle frequently: User Account
Control prompts them for an administrator's name and password rather than making them log
out and back in, but someone with administrator rights still has to approve each change. This is
actually a great security measure, but it frustrates standard users and you should be aware of
it. (The original handout shows an example of the prompt that standard users see here.)
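The account and group checks in items 10 through 17, gathered into one script. This is an added example written for this edition of the handout, not code from the course or from Microsoft. It assumes Windows 10 or Windows Server 2016 or later (the Get-LocalUser family of cmdlets does not exist on XP or Vista, where the same work is done with "net user" and "net localgroup"), an elevated PowerShell prompt, and that the replacement administrator name "svc-localmgmt" is only a placeholder.

```powershell
<#
Added example (not part of the original course text): audits local user accounts
and security groups as the chapter describes, and hardens them only when -Apply
is given. Assumes Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts
cmdlets) and an elevated prompt. $NewAdminName is a placeholder chosen for this example.
#>
param(
    [switch]$Apply,
    [string]$NewAdminName = 'svc-localmgmt'   # assumption: any non-obvious name will do
)

# 1. Every local account, including those the Control Panel hides (disabled accounts,
#    accounts created by applications). The built-in Administrator is RID 500 and
#    Guest is RID 501, so locate them by SID rather than by name: renaming an
#    account changes its name but never its SID.
$users = Get-LocalUser
$admin = $users | Where-Object { $_.SID.Value -like '*-500' }
$guest = $users | Where-Object { $_.SID.Value -like '*-501' }

Write-Host 'Local accounts:'
$users | Select-Object Name, Enabled, PasswordRequired, LastLogon |
    Format-Table -AutoSize | Out-String | Write-Host

# 2. Findings, in the order the chapter discusses them.
if ($guest -and $guest.Enabled) {
    Write-Warning "Guest account '$($guest.Name)' is enabled"
    if ($Apply) { Disable-LocalUser -SID $guest.SID; Write-Host '  -> disabled' }
}
if ($admin -and $admin.Name -eq 'Administrator') {
    Write-Warning 'Built-in administrator (RID 500) still uses the default name'
    if ($Apply) {
        Rename-LocalUser -SID $admin.SID -NewName $NewAdminName
        Write-Host "  -> renamed to $NewAdminName"
    }
}
$users | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    Write-Warning "Account '$($_.Name)' is enabled but does not require a password"
}

# 3. Group membership: who actually holds elevated rights. Administrators, Power
#    Users and Backup Operators deserve the closest look.
foreach ($groupName in 'Administrators', 'Power Users', 'Backup Operators', 'Remote Desktop Users') {
    $group = Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)
    Write-Host "$groupName ($($members.Count) members):"
    $members | ForEach-Object { Write-Host "  $($_.ObjectClass) $($_.Name)" }
}
```

Run it without -Apply first to read the report. Because the built-in accounts are found by their relative identifiers (500 and 501) rather than by name, the script still finds the Administrator account after it has been renamed, which is exactly why renaming alone buys so little.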

Beware the Hacker Tools

There are a multitude of hacker tools available for circumventing user accounts and
passwords. Microsoft continually releases patches, but the companies that make these tools
keep finding new ways around the fixes. Note that a patch cannot stop the most common class
of these tools at all: they boot the machine from a CD or USB stick and rewrite the password
database (the SAM file) on the hard disk directly, so they work against any Windows version
whose disk can be read. The effective defenses are physical control of the machine, a
BIOS/firmware password with booting from removable media disabled, and full-disk encryption
(see the Encryption chapter). An easily reset password should never be the only protection for
sensitive data.

Windows Password Reset 5.0 is just one of many similar programs designed for resetting local
administrator and user passwords on any Windows system. The company claims that if you
have forgotten your password, are locked out, or do not have access to the password of the
system, you can easily get back in. Key features claimed:

1. 100% recovery rate
2. Very easy to use (3 steps only), with complete screenshots
3. No other installation required
4. Supports FAT16, FAT32, NTFS, NTFS5 file systems
5. Supports large hard disk drives (even greater than 200 GB)
6. Supports IDE, ATA, SATA & SCSI hard disk drives
7. Supports Windows XP, XP+SP2, 2003, 2000, NT, Windows XP Professional x64 Edition
(64-bit), Windows Server 2003 x64 Edition (64-bit), Windows Vista, Windows Vista (64-bit)
& Windows Server 2008
8. All passwords are reset instantly
9. 100% money-back guarantee

(The original handout reproduces a series of the product's screens showing how it works.)

Chapter 13
Windows Security
Password Protected Screen Savers

Windows Screen Savers

Originally, a screen saver was a type of computer program designed to prevent a problem
known as "phosphor burn-in" on CRT and plasma computer monitors by blanking the screen or
filling it with moving images when the computer was not in use. Today, newer flat-panel LCD
monitors do not need screen saver protection, but screen savers are actually very useful for
security purposes.

(The first screen saver, written for the original IBM PC by John Socha, was
published in the December 1983 issue of Softalk magazine. It simply blanked the
screen after three minutes of inactivity.)

Today most Windows screen savers can be configured to ask users for a password before
permitting the user to resume work. To do this, right-click the Windows Desktop and select
Personalize, Screen Saver. Indicate the number of minutes of inactivity desired before the
screen saver kicks in, and check the box titled On Resume, Display Logon Screen.

Now your computer screen will revert to the screen saver and will become locked until the
proper password is supplied. Of course, if the hacker reboots your computer, they will
encounter the Windows logon screen instead.
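The same setting applied from the registry, which is how you would roll it out to many machines or verify it during an audit. This is an added example, not from the course text: the value names under HKCU:\Control Panel\Desktop are Windows's own, while the 10-minute timeout and the choice of the built-in blank screen saver (scrnsave.scr) are assumptions made for this example.

```powershell
<#
Added example (not part of the original course text): applies and verifies the
password-protected screen saver setting through the registry rather than the
Personalize dialog. The value names under HKCU:\Control Panel\Desktop are the ones
Windows itself reads; the 10-minute timeout and scrnsave.scr (the built-in blank
screen saver) are this example's assumptions. Changes take effect at next logon.
#>
param([int]$TimeoutMinutes = 10)

$key = 'HKCU:\Control Panel\Desktop'
$wanted = @{
    ScreenSaveActive    = '1'                               # screen saver enabled
    ScreenSaverIsSecure = '1'                               # "On resume, display logon screen"
    ScreenSaveTimeOut   = [string]($TimeoutMinutes * 60)    # idle seconds before it starts
    'SCRNSAVE.EXE'      = "$env:SystemRoot\System32\scrnsave.scr"
}

function Test-ScreenSaverLock {
    # Returns $true only when every required value matches; warns about each mismatch.
    $ok = $true
    $current = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $wanted.Keys) {
        $actual = $current.$name
        if ("$actual" -ne $wanted[$name]) {
            Write-Warning "$name is '$actual', expected '$($wanted[$name])'"
            $ok = $false
        }
    }
    return $ok
}

if (-not (Test-ScreenSaverLock)) {
    foreach ($name in $wanted.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $wanted[$name] -Type String
    }
    Write-Host "Screen saver lock applied; re-check passed: $(Test-ScreenSaverLock)"
}
else {
    Write-Host 'Screen saver lock already configured.'
}

# Locking on demand (the same as pressing Windows+L) does not wait for the timeout:
#   rundll32.exe user32.dll,LockWorkStation
```

In a domain, the equivalent Group Policy setting writes the same four values under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop, where the user cannot switch them off; the check above can be pointed at that key to confirm the policy has arrived.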

Trips to the bathroom do happen, and brief departures from your desk do become extended. For
these reasons and many more, it makes good sense to apply a password-protected screen saver
to your computer. (You can also lock the computer on demand by pressing the Windows key and
L, rather than waiting for the screen saver.)

There are many great screen savers out there. Windows allows you to turn your photos into a
screen saver. PhotoImpression allows you to create a slide-show screen saver set to music.
There are also many clever screen savers out there, like these (pictured in the original
handout): Windows Vista Bubbles, Beaming Cows, Aquariums, Noah's Ark, Fancy Cars,
Beautiful Scenery, Exciting, Cute Animals, Sports, and Funny.

Be careful not to download a screen saver from an untrusted web site: you could be
inadvertently downloading a virus, spyware, or Trojan horse onto your computer. A .scr file is
an ordinary Windows program with a different extension, so installing a screen saver means
running someone else's code.

Chapter 14
Pornography

If you supply your employees with a computer and Internet access, they use that equipment to
view pornography at work, and other employees see it, are you liable? In most cases the answer
is yes, unless you have taken reasonable measures to protect employees from pornography.
Even if litigation is not an issue, pornography can steal employee productivity, and pornographic
web sites are often a source of spyware, malware and viruses. Presented below is a list of
possible measures you should take in your organization to block pornography.

1. Written Policy: Provide all employees with a written policy explaining that accessing or
viewing pornography with company computers, company email, or during company hours or
company activities is forbidden. This provides notice. (See the chapter on documents for an
example.)

2. Signed Agreement: Ask employees to sign a contract in which they agree not to access or
view pornography using company computers or company email, or during company hours or
company activities. This may help shield you from liability. (See the chapter on documents for
an example.)

3. Require Safe Searches Only: Most search tools such as Google, Yahoo! and MSN provide a
SafeSearch option which filters the great majority of pornography from search results. You
should require your employees to always leave the SafeSearch setting on. Keep in mind that
this is a per-browser setting the user can switch off at any time, so it is a policy aid rather
than a control; network-level filtering (item 5) is what actually enforces it.

4. Plain View: You might require all employees to always work in plain view of others, with
doors open and computer screens visible to passers-by as a deterrent, unless conducting a
confidential meeting.

5. Use a Router-Based Content Filter: Consider using a router-based content filter to block
pornography. For example, the ContentProtect Security Appliance monitors everything going in
and out on a real-time basis. Features include:

a. Dynamic Content Filtering: identifies and blocks objectionable web material.
b. Bandwidth Management: monitors bandwidth usage to ensure good performance.
c. Spyware: tracks spyware to see who's catching it, and neutralizes the threat.
d. Slow Internet: discover the problem, down to the individual user.
e. Bandwidth Abuse: see who's hogging it, and what they're using it for.
f. Web Activity: see who's visiting what sites when, and what they're doing on them.
g. Peer-to-Peer: find out what P2P apps are doing to your network.
h. Instant Messaging: know who's talking, and what they're saying.
i. Viruses: prevent viruses, including those in web-based emails.
j. Anonymous Proxies: prevent users from bypassing your filters and safeguards.
6. Check Bread Crumbs: Use the chapter on Bread Crumbs to randomly check employee
computers for inappropriate pornographic activity.

7. Monitor Employee Emails: In the United States, employers generally have the right to read
email sent or received on company-provided computers or at the company's place of business,
even personal email, particularly when employees have been given notice (as in the sample
policies in the next chapter); check the rules that apply in your jurisdiction. You should check
emails at random, and let employees know that their systems are being checked and that
pornographic activity will not be tolerated.

8. Employee Training: Make employees aware of all aspects related to pornography. For
example, simply viewing a pornographic web site, even for a moment, will leave pornographic
images in the browser's history and cache files. If just one of those images depicts an underage
child, possessing it can be a criminal offense in itself. (Parts of the Child Pornography Prevention
Act of 1996 were struck down in 2002 as overly broad, but possession of actual child
pornography remains a crime.)

What would a chapter on pornography be without a picture of some naked blonde chicks or a
nude thumbnail of Brad Pitt? Here you go:

(Pictures captioned "Naked Blonde Chicks" and "Nude Thumbnail of Brad Pitt" appear in the
original handout.)

(Yes, this is a joke.) (Yes, I know it's not that funny.)
Pornography & Inappropriate Web Access: The 1999 CSI/FBI Computer Crime and Security
Survey indicates that ninety-seven percent (97%) of companies report that their employees
abused Internet access. According to the Saratoga Institute of Human Resources, more than
60 percent of American company employees have been disciplined, and more than 30 percent
have been terminated, for inappropriate use of the Internet. Common abuses include accessing
pornography, chatting online, gaming, investing, or shopping at work. According to some
statistics, employees spend more than one hour per workday surfing the Web for personal
reasons. The Institute estimates that a company with 1,000 employees who use company
Internet access one hour per day for personal surfing can lose upwards of $35 million each year
in lost productivity.

Recently, higher-bandwidth Internet activities such as Internet radio, PointCast, stock tickers,
pop-up ads, music downloads, etc. have been eating into corporate bandwidth. This significant
increase in traffic can adversely affect other business operations such as email, printing, data
saving and retrieval, or operating business applications.

At a minimum, here are some steps that you can take:

1) Establish and publish a written policy that states:
a. The company's access to the Internet and company email should be used in much the
same way that the business telephone is used: brief, infrequent personal usage is OK, but
it is not to be abused.
b. Visiting pornography web sites is strictly prohibited.
c. Visiting web sites of terrorists, gangs, hate groups, etc. with company equipment is
strictly prohibited.
d. Employees should be aware of the Internet's unique ability to distract them from their
normal work duties; accordingly, employees should learn to recognize and avoid this
problem.
e. Employees are prohibited from playing games on the Internet.
f. Employees are prohibited from downloading any file that is not business related.
g. Employees should use caution when providing company information across the web.
h. Other restrictions you feel are necessary.
2) Consider activating Content Advisor in Internet Explorer on all employee computers,
thereby limiting access to sites rated as pornographic.
3) Consider installing a blocking program to block selected sites.
4) Routinely check employee computers at random: history files, email, cookies folder,
links, and image files.
5) Establish and use email filtering rules to cut down on the amount of junk mail received
by employees.

Conclusion

In conclusion, it should be obvious to anyone that the dangers are real; your computer
systems are vulnerable in many ways. However, there is also a wide range of well-proven and
affordable solutions and reasonable strategies that can help your company minimize its risk.

Chapter 15
Sample Contracts and Documents

Acceptable Use Policy

In the event that an employee uses company computer and communication systems to copy
copyrighted material, access pornography, copy money, send fraudulent communications, etc.,
your company will be better protected from liability if you have an Acceptable Use Policy
Agreement in place. While there is no single correct policy statement, the example document
below reflects the concepts covered in several good policy contracts. As always, this is only an
example; you should seek the advice of counsel before implementing your own version.

The acceptable use policy defines the acceptable use of computer equipment, software,
communications, and equipment as provided by your company. Everyone in the company
should be expected to follow the written policy without exception. The policy should be
provided in writing to all employees, and signed copies of this agreement should be kept on file.

So, what defines an Acceptable Use Policy? To provide guidance as to what to place in your
policy statement, let's define a few unauthorized uses for a computer account.

The list above defines each of the specific areas of concern a company usually encounters. The
following takes these concerns and places them in appropriate text for a policy statement.
Again, you should review your policies carefully and have them reviewed by legal counsel for
wording and enforceability appropriate to your geographic area.

Acceptable Use Policy Statement for Example Company

Example Company encourages the sharing of information, comprehensive access to local and
national facilities to create and disseminate information, and free expression of ideas. General
access facilities and infrastructure are provided to further these purposes. There is an
obligation on the part of those using these facilities and services to respect the intellectual and
access rights of others locally, nationally and internationally.

Computing resources and facilities of Example Company are the property of the company and
shall be used only for legitimate activity related to the performance of the duties and
responsibilities of the users, or for administrative, public service, or approved contract purposes.
Supervisors may, at their discretion, allow personal use by the employee of these resources that
does not interfere with the institution or with the employee's ability to carry out company
business. Individuals who disregard elements of this policy will be subject to appropriate
disciplinary and/or legal action by Example Company. Use of company computing facilities for
personal or commercial use is not authorized. Use of company computing facilities for
educational purposes must be consistent with other training and educational programs. The use
of company computing facilities for higher-education degree-seeking or certification programs
may only be done with the specific written approval of the appropriate supervisor.

Individuals and non-company organizations using the company's facilities to gain access to
non-company facilities must be cognizant of and observe the acceptable use policies of the
company at all times.

Failure to observe these policies will result in immediate disconnection or loss of use privileges,
as well as possible disciplinary action or termination at the discretion of the offending party's
supervisor or department head, based on the nature and severity of the offense.

Company Policies

1. Users will not violate copyright laws and their fair use provisions through inappropriate
reproduction and/or distribution of music (MP3, etc.), movies, computer software,
copyrighted text, images, etc.

2. Users shall not use company computers or network facilities to gain unauthorized access
to any computer systems. Using programs intended to gain access to unauthorized
systems for any reason or purpose is strictly prohibited.

3. Users shall not connect unauthorized equipment to the company's network, to include
hubs, routers, printers or other equipment connected to the company's network
directly or via remote attachment.

4. Users shall not make unauthorized attempts to circumvent data protection schemes or
uncover security loopholes. This includes creating and/or running programs that are
designed to identify security loopholes and/or decrypt intentionally secured data.

5. Users will not associate unapproved domain name sites with a company-owned IP
address.

6. Users will not knowingly or carelessly perform an act that will interfere with the normal
operation of computers, terminals, peripherals, or networks.

7. Users will not knowingly or carelessly run or install on any computer system or network,
or give to another user, a program intended to damage or to place excessive load on a
computer system or network. This includes, but is not limited to, programs known as
computer viruses, Trojan horses, and worms.

8. Users will refrain from activity that wastes or overloads computing resources. This
includes printing too many copies of a document or using excessive bandwidth on the
network.

9. Users will not violate terms of applicable software licensing agreements or copyright
laws.

10. Users will not use company resources for commercial activity, such as creating products
or services for sale.

11. Users will not use electronic mail to harass or threaten others, or to send materials that
might be deemed inappropriate, derogatory, prejudicial, or offensive. This includes
sending repeated, unwanted email to another user.

12. Users will not use electronic mail on company-owned, company-sponsored, or
company-provided hardware or services to transmit any information, text, or images
that would be deemed offensive, inappropriate, derogatory, or prejudicial.

13. Users will not initiate, propagate or perpetuate electronic chain letters.

14. Users will not send inappropriate mass mailings not directly associated with, or in the
performance of, the routine course of duties or assignments. This includes multiple
mailings to newsgroups, mailing lists, or individuals, e.g. "spamming," "flooding," or
"bombing."

15. Users will not forge the identity of a user or machine in an electronic communication.

16. Users will not transmit or reproduce materials that are slanderous or defamatory in
nature, or that otherwise violate existing laws, regulations, or policies, or which are
generally considered to be inappropriate in a workplace.

17. Users will not display images or text that could be considered obscene, lewd, sexually
explicit or harassing in a public computer facility or in a location that can be in view of
others.

18. Users will not attempt to monitor or tamper with another user's electronic
communications, or read, copy, change, or delete another user's files or software
without the explicit agreement of the owner.

19. Unauthorized viewing or use of another person's computer files, programs, or data is
prohibited. All users should also be aware that all programs and all files are deemed to
be the property of the company, unless the individual has a written agreement signed
by an appropriate representative or officer of the company. Federal or state law may
require disclosure of individual computer files which are deemed public records under
the state public records statute, and state and federal law may prohibit the disclosure of
certain records as well.

20. Entry into a system, including the network system, by individuals not specifically
authorized (by group or personally), or attempts to circumvent the protective
mechanisms of any system, are prohibited. Deliberate attempts to degrade system
performance or capability, or attempts to damage systems, software or intellectual
property of others, are prohibited.

21. The electronic mail system shall not be used for "broadcasting" of unsolicited mail or for
sending chain letters, and the communication system shall not be used for sending
material that would reasonably be considered obscene, offensive, or threatening by the
recipient or another viewer of the material.

22. The company reserves the right to monitor and record the usage of all facilities and
equipment, and all software which is the property of the company by ownership, lease,
rent, sponsorship or subsidy, if it has reason to believe that activities are taking place
that are contrary to this policy or to state or federal law or regulation, and as necessary to
evaluate and maintain system efficiency. The company has the right to use information
gained in this way in disciplinary or criminal proceedings.

23. The Federal Copyright Act nearly always protects commercial software. Use of company
facilities or equipment for the purpose of copying computer software that does not
contain specific permission to copy (some licenses do allow the making of one copy for
backup) is prohibited. The unauthorized publishing of copyrighted material on a
company server is prohibited, and users are responsible for the consequences of such
unauthorized use.

24. An individual's access to computer resources may be suspended immediately upon the
discovery of a violation of this policy.

This policy contains the company's complete acceptable use policy and replaces any
pre-existing policy issued before Month Day, Year. For questions about this policy, contact
Name and Contact Information here.

Failure to comply with any of the above policies may result in termination of your Example
Company network services, disciplinary action, and/or criminal prosecution. The company
reserves the right to terminate any company network connection without notice if it is
determined that any of the above policies are being violated.

Sample Email/Internet User Agreement

Employee Agreement:

I have received a copy of Example Company's Corporate Policy Guideline on email/Internet
acceptable use, policy #_______, dated _________. I recognize and understand that the
company's email/Internet systems are to be used for conducting the company's business only.
I understand that use of this equipment for private purposes is strictly prohibited.

As part of the Example organization and use of Example's gateway to the Internet and email
system, I understand that this email/Internet corporate guideline applies to me. I have read
the aforementioned document and agree to follow all policies and procedures that are set forth
therein. I further agree to abide by the standards set in the document for the duration of my
employment with Example Company. I am aware that violations of this corporate guideline on
email/Internet acceptable use may subject me to disciplinary action, up to and including
discharge from employment.

I further understand that my communications on the Internet and email reflect Example
Company worldwide, to our competitors, consumers, customers and suppliers. Furthermore, I
understand that this document can be amended at any time.

_______________________________________
Employee Signature / Date

______________________
Employee Printed Name

______________________
Manager Signature

You should communicate this policy in several ways, including:

1. An online message that appears when the user logs on to email/Internet.
2. A short policy statement regarding email/Internet acceptable use in the employee handbook.
3. An orientation and hiring statement notifying new employees of email/Internet policies.
4. Training sessions on computer and Internet use and email policies. An employee who is
told that monitoring will occur may be apprehensive about using the company's email and
Internet systems. Training sessions where policies are explained in detail can go a long way
in allaying fears.

Sample Privacy Statement

Example Company understands the importance of protecting the privacy of our customers and
others who visit our Web site. We consider any personal information you may supply to us to
be personal and confidential, and we are committed to using this information solely for the
purpose of providing you with superior service and convenient access to the right products and
services.

We take our commitment to safeguarding customer information seriously, which is why we
have adopted the following principles:

1. Example Company makes every effort to collect, retain, and use customer information
only where we believe it is useful (and as allowed by law) in administering Example
Company business and to provide products, services, and other opportunities to our
customers.
2. Example Company limits employee access to personally identifiable information to
those with a business reason for knowing such information. Example Company stresses
the importance of confidentiality and customer privacy in the education of its
employees. Example Company also takes appropriate disciplinary measures to enforce
employee privacy responsibilities.
3. Example Company does not disclose our customers' personal or account information to
unaffiliated third parties, except for the transferring of information to reputable credit
reporting agencies; when the information is provided to help complete a customer-
initiated transaction; when the customer has requested the release of the information; or
when the disclosure is required or allowed by law.
4. Example Company maintains appropriate security standards and procedures regarding
unauthorized access to customer information.
5. If Example Company provides personally identifiable information to a third party, we
insist that the third party adhere to similar privacy principles that provide for keeping
such information confidential.

Company Acceptable Internet Use Policy

If a user violates any of the acceptable use provisions outlined in this document, his/her
account will be terminated and future access will be denied. Some violations may also
constitute a criminal offense and may result in legal action. Any user violating these provisions
or applicable state and federal laws is subject to loss of access privileges and any other Company
disciplinary options.

1) Acceptable Use

Must be in support of education and research consistent with company policy and the
employee's job description
Must be consistent with the rules appropriate to any network being used/accessed
Unauthorized use of copyrighted material is prohibited
Publishing, downloading or transmitting threatening or obscene material is prohibited
Distribution of material protected by trade secret is prohibited
Use for commercial activities is not acceptable
Product advertisement or political lobbying is prohibited

2) Privileges

Access to the Internet is not a right, but a privilege
Unacceptable usage will result in cancellation of account, and possible disciplinary
proceedings

3) Netiquette

Be polite
Do not use vulgar or obscene language
Use caution when revealing your address or phone number (or those of others)
Electronic mail is not guaranteed to be private
Do not intentionally disrupt the network or other users
Abide by generally accepted rules of network etiquette

4) Security

If you identify a security problem, notify a system administrator immediately
Do not show or identify a security problem to others
Do not reveal your account password or allow another person to use your account
Do not use another individual's account
Attempts to log on as another user will result in cancellation of privileges
Any user identified as a security risk or having a history of problems with other
computer systems may be denied access
User must notify the system administrator of any change in account information
User may be occasionally required to update registration, password and account
information in order to continue Internet access
Company has access to all mail and user access requests, and will monitor messages as
necessary to assure efficient performance and appropriate use.

5) Vandalism/Harassment

Vandalism and/or harassment will result in the cancellation of the offending user's
account
Vandalism is defined as any malicious attempt to harm or destroy data of another user,
the Internet or other networks. This includes, but is not limited to, creating and/or
uploading computer viruses
Harassment is defined as the persistent annoyance of another user or the interference
in another user's work. This includes, but is not limited to, the sending of unwanted mail

6) Penalties

Any user violating these provisions, applicable state and federal laws or posted company
rules is subject to loss of network privileges and any other Company disciplinary options,
including criminal prosecution

All terms and conditions as stated in this document are applicable to all users of the
network. This policy is intended to be illustrative of the range of acceptable and
unacceptable uses of the Internet facilities and is not necessarily exhaustive.

I understand and will abide by the Company Acceptable Internet Use Policy. I further
understand that any violation of this Acceptable Internet Use Policy is unethical and may
constitute a criminal offense. Should I commit any violation, my access privileges may be
revoked, and disciplinary action and/or appropriate legal action may be taken.

User Signature: __________________________________ Date: ________________

Chapter 16
Computer Bread Crumbs

Computer Forensics

It is fairly easy to see what a person has been doing on their computer. Of course there may be
serious legal issues related to the inspection of another person's computer, but for purposes of
this chapter let us assume that you have the legal right to inspect the computer in question.
Whether it is an employee, a child, a spouse or some other person, you can inspect their
computer usage in a number of ways, as follows:

1. Recent Applications: The Start button in Windows displays recently used applications.
Therefore if an employee has been playing games on the job, you can easily see the
application icon displayed in the program list. For example, the user shown in the original
handout's screenshot had recently launched the FreeCell application.

2. Game High Scores: If an employee denies playing games, you can check the high scores
to see if the game has indeed been played. Also, a very high score might tell you that the
employee has spent a great deal of time learning to play that particular game. (High
scores can usually be reset to defeat this bread crumb.)

3. Search History: Most search tools keep a log of recently searched terms. For example, the
Google toolbar displays recently searched phrases through its simple drop-down arrow.
(Search histories can usually be cleared to defeat this bread crumb.)

4. Browsing History: In most browsers you can drill down to a cache of browsing history. In
Internet Explorer, choose Tools, Internet Options; the Settings and View Files buttons
display a list of web site objects (web pages, pictures and other objects) that have been
viewed. The data in this screen is a little cryptic, but you generally can pick out the URLs
that have been visited. You can also double-click on any item in the list to display that web
page, image or object. If a person has been visiting inappropriate web sites, you can
probably see those tracks here. In addition, the browser keeps track of the dates and
times these web sites were last visited, providing solid evidence as to how a computer was
being used during business hours. (Browsing histories can be cleared to defeat this bread
crumb. Further, the amount of space used for capturing browsing history can be set to
zero so that nothing is recorded at all. An empty history on a machine that is used every
day is itself worth noticing.)

5. Cookie History: Many web sites deposit cookies on your computer. Cookies are harder to
avoid because many web sites require them in order to work properly, so a user who blocks
cookies will find that many sites no longer function. The Cookies screen in the original
handout shows that the user had visited the web sites for FedEx, Earthlink, eCost, epinions,
Yahoo Finance, and eNews, among others. In addition, the browser keeps track of the dates
and times cookies were last updated, providing solid evidence as to how a computer was
being used during business hours.

(Cookies can be erased individually to defeat this bread crumb, but doing so is tedious.
Theuserisnotlikelytodeleteallcookiesassomeofthemareprobablyimportanttothe
accessibilityofwebsites.)
6. Temporary Internet Files - Most browsers also keep a history of temporary internet files, which makes it much faster for a user to browse backwards to recently displayed web sites using the back button. Temporary Internet Files are like Browsing History files, but they are kept in a separate folder. In Internet Explorer, these files are accessed through the Tools, Options dialog box under Browsing Settings.

(Temporary Internet files can be set to zero days in order to defeat this bread crumb.)

7. Search for JPGs - If an employee or child is viewing inappropriate pictures on the Internet, they might also take the next step of saving them to their computer. You can use the built-in search tools in Windows to search for JPGs or other picture formats such as BMPs or TIFFs. In the screen below the search for JPG has revealed more than 900 such pictures. From here it is easy to scan the pictures to determine if any are inappropriate.

8. Recycle Bin - An employee or child trying to cover their tracks might delete pictures or other files from their computer, but they might not be clever enough to remember to empty their recycle bin. When files are erased in Windows, they are not really erased until the recycle bin is emptied. Therefore a quick peek at the recycle bin might be very revealing. (This bread crumb can be defeated by emptying the recycle bin.)

9. Password Protected Files - If an employee or child has password protected files on their computer, you may be able to open them with commonly available hacker tools. This is true particularly for Word and Excel 2003 documents (and earlier). These tools are discussed in the hacking and cracking chapter.

10. Requesting Lost Passwords - In the event that you want to review your child's MySpace or Facebook accounts, and the child refuses to provide you with the proper password, you could attempt to log in to an account, click the forgotten password button, and an e-mail will most likely be sent to that computer enabling you to reset the password.

11. Review Sent and Received E-Mail - Of course it should be obvious that you could review the sent and received e-mail of an employee or child in an effort to identify inappropriate computer usage.

12. Review Deleted E-Mail Folder - Of course an employee or child may be clever enough to delete their inappropriate sent or received e-mail messages, therefore you might want to inspect the Deleted E-mail Folder. Like the recycle bin, most deleted e-mails are not actually deleted until the Deleted Folder is emptied.

13. Review Junk E-Mail Folder - Of course an employee or child may be smart enough to delete their sent or received e-mail, therefore you might also want to scan the junk e-mail folder.

14. Use E-Mail Rules to Track Usage - A stronger measure would be to set up e-mail rules on the computer in question. For example, you could set up a rule that forwards a copy of all e-mail to your account, or just those e-mails from certain persons or those that contain certain words. Chances are good that these rules will be undetected by the user.

15. Use E-Mail Server Settings to Track Usage - A better way to track the user's e-mails would be to set up the mail server to forward a copy of all messages, sent or received, to your e-mail address. You might also use a rule on your computer to send these messages automatically to a specified folder.

16. Tools to Help You Track Computer Usage

a. Key Loggers - You could download and install a key logger on the computer in question. This tool would capture all keystrokes typed into the computer and would later allow you to identify passwords used by the user. This is a fairly significant step, but downloading and installing a key logger is relatively easy; it takes about 3 to 5 minutes. KGB (free), ActualSpy ($60), and Family Keylogger (free) are examples of key loggers.

b. Print Monitor Pro (free) - Once installed, this tool captures a screen shot of every document printed from the computer and stores those images in a database.

c. Give Me Do (free) - This tool captures all visited Web pages and sent and received e-mails and stores them to a folder of your choice.

d. Desktop Spy (free) - Monitors the activity of users on a PC by automatically capturing desktop/active application screen shots and saving them to a specified directory on the hard drive.

e. Hardware Keylogger ($60) - USB device that plugs into a computer and automatically captures all keystrokes entered into the keyboard. Very stealthy.

f. Internet Spy (free) - Freeware utility that continuously monitors every Web page accessed on the computer and makes a chronological record of all visited URLs.

g. Evidence Tracker - EvidenceTracker.com "ET" is one of the very first entirely browser-based evidence tracking applications for police and law enforcement agencies. This software is ideal for agencies that track evidence from the point of delivery by an officer until it is ordered to be destroyed. The ET system allows users to track evidence through the entire process and to print out all the necessary reports for internal or court purposes. Tracker Products software is used in a variety of industries including law enforcement, forensic analysis, legal, museums, gaming, construction, manufacturing and hospitals, just to name a few. The system customization feature allows your organization to tailor the software to meet your particular needs. All item entry screens can be modified to collect the information that is important to you. Why settle for a software package that requires expensive customization upgrades? Tracker Products software will work for you!

17. Evidence Blaster ($23) - Not to be outdone, Evidence Blaster is a product that deletes all evidence of pornography from your computer.
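Item 7 above relies on the Windows search for the .jpg extension, which a renamed file defeats. The following is an added example (not from the course manual or from any tool it names) of how an authorized reviewer can inventory picture files by content as well as by extension, recording a SHA-256 per file so the inventory itself can later be shown to be unaltered. The sample folder tree, file names and contents are constructed inside a temporary directory; the `MAGIC` table holds the standard leading bytes of the JPEG, BMP and TIFF formats the chapter mentions.

```python
"""Inventory picture files under a folder for an authorized review.

Added example, not from the course manual. Matching only on the .jpg
extension misses pictures that have been renamed; this script also
checks each file's leading "magic" bytes, so a bitmap saved as
notes.txt is still reported. A SHA-256 per file lets the inventory be
verified later. The sample tree is constructed in a temp directory.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Standard leading bytes of the picture formats the chapter names.
MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"BM": "BMP",
    b"II*\x00": "TIFF (little-endian)",
    b"MM\x00*": "TIFF (big-endian)",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".bmp", ".tif", ".tiff"}


def sniff_image(path):
    """Return the image type from the file's first bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def sha256_file(path):
    """Hash the file in chunks so large pictures do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_images(root):
    """Walk root; list files that are images by extension OR by content."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            kind = sniff_image(path)
            if kind is None and ext not in IMAGE_EXTENSIONS:
                continue
            st = os.stat(path)
            findings.append({
                "path": os.path.relpath(path, root),
                "type": kind or "unknown (by extension only)",
                # Content says picture, extension says otherwise: worth a look.
                "renamed": kind is not None and ext not in IMAGE_EXTENSIONS,
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed sample data: a JPEG, a renamed BMP, and a plain text file."""
    root = tempfile.mkdtemp(prefix="review_")
    os.makedirs(os.path.join(root, "Pictures"))
    with open(os.path.join(root, "Pictures", "holiday.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # A bitmap whose extension was changed to hide it from an extension search.
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"BM" + b"\x00" * 64)
    with open(os.path.join(root, "memo.txt"), "wb") as fh:
        fh.write(b"Quarterly memo\n")
    return root


if __name__ == "__main__":
    for item in inventory_images(build_sample_tree()):
        flag = " (renamed!)" if item["renamed"] else ""
        print(f"{item['path']:<22} {item['type']:<22} {item['sha256'][:16]}...{flag}")
```

Run against the constructed tree it reports holiday.jpg as a JPEG and notes.txt as a BMP flagged "renamed", while memo.txt is skipped; point `inventory_images` at a real folder to produce the same listing for it.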

Microsoft COFEE - Microsoft offers a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes. The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB "thumb drive" that was quietly distributed to a handful of law enforcement agencies in June, 2007. The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer. This device eliminates the need to seize a computer, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, investigators can scan for evidence on site. More than 2,000 officers in 15 countries, including Poland, the Philippines, Germany, New Zealand and the United States, are using the device, which Microsoft provides free.

Chapter 17
Computer Disposal

Computer Disposal
It is estimated that 45 million computers become obsolete each year. This situation creates two problems: protecting information and disposing of your old computers. Most organizations store their old computers, which serve as backup equipment in case newer computers break down. These old computers often sit in storage well beyond their potential useful life. At some point, a decision must be made about disposal of this equipment. Continuing to store it is often not a viable option, because it eventually takes up a considerable amount of space. The least desirable option is to throw old computers in the garbage. Not only are there the potential liabilities and disposal costs imposed by state and federal environmental agencies, there is also the possibility of someone removing hard drives and recovering sensitive data. To combat these problems, you should follow a good disposal strategy.

Computer Disposal Comments
1. Federal Environmental Law - The Resource Conservation and Recovery Act (RCRA) has been updated recently to include guidelines regarding the disposal of computer monitors.
2. Sarbanes-Oxley and HIPAA - Sarbanes-Oxley and HIPAA laws require that all data be properly removed before hard drives are disposed of.
3. Hazardous Materials - Computers contain hazardous materials such as mercury, cadmium (a known carcinogen), and hexavalent chromium (associated with high blood pressure, iron-poor blood, liver disease, and nerve and brain damage in animals).
4. CRT Concerns - Most environmental concerns are associated with monitors. Specifically, a color cathode ray tube (CRT) contains about four to five pounds of lead, which of course is considered hazardous waste according to the EPA.

5. Computers in Landfills Outlawed - California, Massachusetts, and Minnesota have outlawed the disposal of computer waste in landfills.
6. Ponder This - Suppose what might happen if ground water becomes contaminated and a search for the source finds that your old computer (identified by a control tag or manufacturer's number) has been discarded nearby. You could be subject to potentially costly criminal and civil litigation (i.e., SARA, formerly CERCLA, litigation). This could happen even if the organization had donated the equipment to a charity or paid a company to recycle it.
7. License Considerations - If you donate your computer, you should evaluate software license agreements to determine if they preclude transfer of the software along with the computer.

Computer Disposal Procedures
1. Remove Data and Information - Before disposing of your computers you must remove all information from the computer before giving it away, donating it, throwing it away, or shredding the computer. Simply deleting files does not prevent them from being recovered from the hard drive; sometimes, files can even be retrieved from reformatted drives, depending upon which operating system is used to reformat the hard drive. Here are your legitimate options for removing data:

a. Erase Files - Simply erasing files is not good enough; your data is still there and readable.

b. Reformat Hard Drive - Reformatting the hard drive is not good enough; your data is still there and readable.

c. Hard Drive Eraser Tools - To properly erase a hard drive, you must use a software program designed to clean the hard drive. Here are a few such tools:

1. BCWipe Free
2. DriveScrubber Free
3. Paragon Hard Disk Manager Free
4. Eraser for Windows
5. Darik's Boot & Nuke
6. Active KillDisk Free
7. PC Inspector e-maxx

These tools work using one of the following erasure methods:

i. Quick Erase: Fills the hard drive with 0's.
ii. Gutmann: 27 random-order passes using specific data combined with eight passes using random data. Due to changes in the different data encoding schemes now used by modern hard drives, Gutmann no longer recommends 35 passes. A few random passes should suffice.
iii. American DoD 5220.22-M: A seven-pass wipe using random characters, complements of characters, and random data streams.
iv. Canadian RCMP TSSIT OPS-II: 8 drive-wiping passes with a random byte in the overwrite sequence changed each time.
v. PRNG Stream methods: Overwrites the drive with a stream from a Pseudo-Random Number Generator (PRNG).
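What every method in the list above has in common is a sequence of whole-device overwrite passes, each followed by a read-back to confirm the pass landed. The following is an added example (not from the manual or from any of the tools listed) that runs such a sequence over a byte buffer standing in for a drive. The pass table is constructed to resemble the "fixed pattern, its complement, then random data" idea of the seven-pass method; it is not the exact DoD 5220.22-M table. On a real drive the same loop would write through a raw block-device handle and flush after each pass, and on SSDs, where the controller remaps blocks, overwriting is no substitute for the drive's own secure-erase command.

```python
"""Multi-pass overwrite with read-back verification.

Added example, not from the manual. A bytearray stands in for the drive;
the constructed "account record" at the front shows what a careless
disposal would leave readable.
"""
import secrets

# Each pass is a fixed fill byte, or None for PRNG data.
# Constructed sequence in the spirit of the seven-pass method; not the DoD table.
PASSES = [0x00, 0xFF, 0x55, 0xAA, None, 0x00, None]


def overwrite_pass(buf: bytearray, fill) -> None:
    """One full overwrite of buf with a fill byte, or PRNG bytes if fill is None."""
    if fill is None:
        buf[:] = secrets.token_bytes(len(buf))
    else:
        buf[:] = bytes([fill]) * len(buf)


def verify_pass(buf: bytearray, fill) -> bool:
    """Read back and confirm a fixed-fill pass actually landed everywhere."""
    return fill is None or all(b == fill for b in buf)


def wipe(buf: bytearray, passes=PASSES) -> int:
    """Run every pass with verification; return the number of passes completed."""
    done = 0
    for fill in passes:
        overwrite_pass(buf, fill)
        if not verify_pass(buf, fill):
            raise RuntimeError(f"verification failed on pass {done + 1}")
        done += 1
    return done


def residue(original: bytes, wiped: bytes) -> int:
    """Count positions still holding the original byte (chance level after random data)."""
    return sum(1 for a, b in zip(original, wiped) if a == b)


def demo():
    """Wipe a constructed 4 KB 'drive'; return (passes run, residue, record still intact?)."""
    record = b"ACCT 4417-2201 Doe, Jane  BAL 1,204.55 "
    original = record.ljust(4096, b"\x00")
    drive = bytearray(original)
    passes = wipe(drive)
    return passes, residue(record, bytes(drive[:len(record)])), drive[:len(record)] == record


if __name__ == "__main__":
    passes, left, intact = demo()
    print(f"{passes} passes; {left} of the record's bytes coincide; intact={intact}")
```

The verification step is the part most "quick erase" habits skip: a write that errors on a bad sector and is never read back leaves that sector's original contents in place.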

2. Tagging - In larger organizations, computer equipment that is not likely to be used again should be tagged for disposal, and disposed of in bulk each year.

3. Remove Company IDs - You should consider removing all company insignia and inventory control tags from computers to be disposed of. This step might hamper hackers from identifying which company any recovered information belongs to, or might prevent liability in the event that the computer's new owner throws it in a landfill.

4. Keep the Hard Drives - Some companies find it easiest to simply remove the hard drives and keep them in storage forever rather than going through the trouble of removing files. They are easy to remove and small enough to keep. Also, this may act as a rudimentary backup measure.

If you do follow this procedure, it might be helpful to notate on each hard drive the size, date, and a brief description of the contents of the hard drive before storing.

5. Recycling Programs - Many computer manufacturers and computer hardware manufacturers also have their own recycling and/or trade-in programs. Below is a list of some of the major manufacturers and links to their recycling programs.

a. Apple recycling program
b. Dell recycling program
c. Epson recycling program
d. Gateway recycling program
e. Hewlett-Packard recycling program
f. IBM/Lenovo recycling program
g. Lexmark recycling program
h. NEC recycling program

6. Recycling Companies - Below is a short list of some of the major recycling companies capable of recycling computers.

a. ETech Recycling (http://www.etechrecycling.com/)
b. Genesis Recycling (http://genesisrecycling.ca/)
c. IBM PC Recycling (http://www.ibm.com/ibm/environment/products)
d. Intercon Solutions (http://www.interconrecycling.com/)
e. Back Thru the Future, Inc. (http://www.backthruthefuture.com)
f. Envirocycle Inc. (http://www.enviroinc.com)
g. Total Reclaim (http://www.totalreclaim.com/)
h. United Recycling Industries (http://www.unitedrecycling.com)
i. National Revitalization Services (http://www.natrs.com/)
j. Share The Technology (http://sharetechnology.org)
k. National Cristina Foundation (http://www.cristina.org)
l. Recycles.org (http://www.recycles.org/)
m. CompuMentor (http://www.compumentor.org/)
n. Reboot Canada (http://www.reboot.on.ca)
o. RECONNECT (http://www.reconnectpartnership.com/)
p. Battery Solutions (http://www.batteryrecycling.com)
q. RBRC (http://www.rbrc.com)
r. GNB (http://www.gnb.com)

7. Signed Agreement - If using a recycling or disposal company, have them sign an agreement accepting responsibility for the equipment's proper disposal. This is necessary whether it is sold, given to an employee, or donated. In the event of future litigation, this documentation supports the position that the recipient has accepted responsibility for the equipment's disposal.

8. Maintain Records - Ask your recycling company to provide written documentation of the proper disposal of computer equipment. If a recycling company cannot or will not provide such documentation, this could be a sign that it is not a reputable company. Finally, a written record of all disposed-of computers should track the serial number, description, method of disposal, and date of disposal. This information should be kept with all other documentation regarding computer disposal.

Chapter 18
Backup Strategy

Introduction to Backup Strategy
A computer backup is like insurance: you sincerely hope that the effort and money invested in both your insurance and backups are completely wasted. However, in the event that the worst-case scenario does occur, you will be glad that you had insurance and backups. One of the most important aspects of an information security strategy is to create regular backups of computer data and applications. Given our tendency to focus on more fashionable security systems such as firewalls, intrusion detection and prevention, and anti-virus and anti-SPAM solutions, just where does data backup fit in an effective information security strategy? Quite simply, routine backup may be the most important element of all, because if these other systems and strategies fail to protect our data, backup remains our last bastion of defense.
Data backup is an essential element of any internal control system and disaster recovery plan. This chapter covers backup planning and processes, issues to be considered in implementing a backup plan, and backup media from streaming tape, CD, DVD, external hard disks, and network attached storage, to online backup.

Data Organization

The process of backing up your data is facilitated by organizing your data properly. Some users make it a habit of saving files all over the place in numerous separate folders, including the Desktop, the Program Files folder, the My Documents folder, and other folders they create. This practice can lead to file duplication, unnecessary file searching, and backup procedures that are more complicated than they need to be. You can minimize confusion and streamline backups by following these strategies:

1. One Computer Situation - In the case of one computer system, all data should be organized under the same folder, such as a DATA folder or the My Documents folder.

2. File Server Situation - In the case of multiple computers where a file server is present, all data should be saved to the file server, once again under the same folder, such as a DATA folder or the My Documents folder.

3. Peer to Peer Situation - Where there are multiple computers but no file server, you should designate one of the computers to act as the file server, preferably the one that has the biggest hard drive, the best performance, and is rebooted less frequently.

How your data is organized on your hard disk (the folder or directory structure) can play a significant role in the backup process. Data that is stored in a single folder or set of subfolders within a single parent folder is much easier to back up than a folder structure that stores data in numerous locations scattered across multiple folders. Microsoft applications, including Microsoft Office Small Business Accounting, routinely store all data in a folder or set of folders within a single parent named My Documents. This makes it easy to create a backup plan because all data is stored in a single location. Another critical factor is how often the data changes.

You should further organize your data under the DATA folder (or whichever folder you choose for your data) with subfolders. The particular subfolder strategy you use depends upon your situation. If you have 50 large customers, you might set up a new folder for each customer. However, the approach I like best is to set up a new folder for each year, as follows:

This approach will make it easier to locate and find data, and more importantly, this approach will help you design a backup strategy that backs up your current folder more frequently than other folders.

Identify Data to be Backed Up

Most people seek to back up their data only, but the reality is that for each computer, you should back up your entire computer with all applications. Therefore the question as to which data should be backed up is easily answered: back up all of your computers in their entirety.

When to Back Up

Data that changes frequently needs to be backed up frequently. Data that changes less frequently can be backed up less often. Since operating systems and applications do not change very often, full backups can be made less frequently. Therefore you might establish a time frame for conducting your various backups as follows:

Type of Files                                Backup Frequency
2008 Data Files (Word, Excel, etc.)          Daily
E-Mail Files                                 Daily
Entire Computer with all Applications        Monthly

You should also coordinate your backup procedures with your business processes. End of month and end of year backups should coincide with the completion of the write-up, adjustment, closing, and financial statement preparation processes performed by your accountant. That way your final backups will include and preserve accurate financial information.

Backup Methods

There are three types of backups generally used by small businesses to protect their mission-critical data. The types of backup available are dependent upon the backup software used. The commonly used backup types include:

Full Backup - A procedure that backs up all files stored on a system, including the operating system and applications.

Differential Backup - A procedure that backs up all files that have been added or changed since the last full backup.

Incremental Backup - A procedure that backs up all files that have been added or changed since the last backup, regardless of whether that backup was full or incremental.

Nearly everyone understands the meaning of a full backup. The difference between a differential backup and an incremental backup requires elaboration. A differential backup is a cumulative backup. It contains all files that have been added or changed since the last full backup. An incremental backup is not cumulative. Each incremental backup only contains the files that have been added or changed since the last incremental backup.

Let's examine two examples to understand the difference between an incremental backup and a differential backup. ABC Company produces a full backup at the close of business each Friday. An incremental backup is produced at the close of each work day, Monday through Thursday. ABC suffers a catastrophic failure of its primary server on Thursday. In order to fully recover all of their data, ABC must restore the last full backup and each of the incremental backups performed since the last full backup.

Alternatively, ABC produces a full backup each Friday and performs a differential backup each day. To recover all of their data in this circumstance, ABC must restore the last full backup and the last differential backup only. That's because a differential backup contains a cumulative backup of every file added or changed since the last full backup.

The difference between an incremental backup and a differential backup also has implications for restoring single or multiple corrupted files. A differential backup contains all files that have been added or changed since the last full backup. In order to restore a file that has become corrupted in use, just restore the file from the latest differential backup. If incremental backups were used, each backup would have to be examined in order to determine the latest version of the file in question, because the latest version of a file could be on any one of the incremental backups.

Conclusion - You should probably never use the incremental backup option, as it does not save much backup time and a restoration would be very complicated. The full backup or differential backup options make the most sense.
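The ABC Company week, worked through in code as an added example (not from the manual): the server is modelled as a dict of file name to version number, a full backup is taken Friday, and then either a differential or an incremental is taken Monday through Thursday. The functions report which backup sets a full recovery after the Thursday failure must read, and on which sets a copy of one file can be found. File names and the daily edits are constructed sample data.

```python
"""Full, differential and incremental backups over one business week.

Added example, not from the manual. Versions are integers; a backup
set is the subset of files it captured.
"""


class BackupSet:
    def __init__(self, kind, day, files):
        self.kind, self.day, self.files = kind, day, dict(files)


def full_backup(server, day):
    return BackupSet("full", day, server)


def differential_backup(server, day, last_full):
    """Everything changed since the last FULL backup (cumulative)."""
    changed = {f: v for f, v in server.items() if last_full.files.get(f) != v}
    return BackupSet("differential", day, changed)


def incremental_backup(server, day, state_at_previous_backup):
    """Everything changed since the previous backup of ANY kind."""
    changed = {f: v for f, v in server.items() if state_at_previous_backup.get(f) != v}
    return BackupSet("incremental", day, changed)


def restore(sets):
    """Replay backup sets oldest to newest; later versions overwrite earlier ones."""
    state = {}
    for s in sets:
        state.update(s.files)
    return state


def simulate(strategy):
    """Fri full + Mon..Thu backups; return (sets, server state after Thursday)."""
    server = {"ledger.xls": 1, "payroll.doc": 1, "memo.doc": 1}   # constructed
    sets = [full_backup(server, "Fri")]
    previous = dict(server)
    # Constructed daily edits: Mon ledger, Tue memo, Wed ledger again, Thu payroll.
    edits = {"Mon": "ledger.xls", "Tue": "memo.doc", "Wed": "ledger.xls", "Thu": "payroll.doc"}
    for day, fname in edits.items():
        server[fname] += 1
        if strategy == "differential":
            sets.append(differential_backup(server, day, sets[0]))
        else:
            sets.append(incremental_backup(server, day, previous))
        previous = dict(server)
    return sets, server


def sets_needed_for_full_restore(sets):
    """Full + last differential, or full + every incremental since it."""
    if sets[-1].kind == "differential":
        return [sets[0], sets[-1]]
    return list(sets)


def sets_holding_file(sets, fname):
    """Days whose set contains some version of fname (where the latest copy might be)."""
    return [s.day for s in sets if fname in s.files]


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        sets, server = simulate(strategy)
        needed = sets_needed_for_full_restore(sets)
        print(f"{strategy}: restore reads {[s.day for s in needed]}, "
              f"ok={restore(needed) == server}; "
              f"ledger.xls copies on {sets_holding_file(sets, 'ledger.xls')}")
```

With differentials the Thursday set alone holds the latest version of every changed file, so a recovery reads two sets; with incrementals all five sets must be replayed in order, and the latest ledger.xls turns out to sit on the Wednesday set, which is the search the text warns about.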

Selecting the Right Media

Your backup media options are as follows:

1. Streaming Tape Cartridge
2. CDs
3. DVDs
4. USB Thumb Drive
5. SD Cards
6. External Hard Drives
7. Server Based Storage
8. Network Attached Storage
9. Online Backup

Note that 1.44MB diskettes are not included in the list. The size of today's databases and the limited capacity of diskettes render them less suitable for use as backup media. These options are discussed below:

1. Streaming Tape Cartridge - Many large businesses use streaming tape as a backup media. These tape solutions are expensive to acquire, install and operate. You will need to purchase a tape recording device as well, such as the Dell PowerVault backup device. This option is designed to archive mission-critical data in an enterprise environment. Shown below are examples of Dell's PowerVault options:

These units start at $165 and ramp up to capture 102 Terabytes.

2. CDs - The most common permanent backup media in use today by small businesses is writable CDs. Each CD can hold from 650 MB to nearly 800 MB of data. There are two types of writable CDs: CD-R and CD-RW. CD-R can be written only once. CD-RW can be written many times. In other words, data can be written to a CD-RW, erased, and then rewritten multiple times. The more times a CD-RW disk is written, the less reliable it becomes for permanent backup storage. Most technicians recommend CD-R as the superior backup media. CD-R disks are inexpensive and very reliable when good quality media are used in the backup process.

The problem with using CDs is that they are very slow, but they might represent a good media for backing up the current data folder.

3. DVDs - DVD technology and reliability are similar to CDs, but each DVD can hold 4.7 GB of data on a single-layer disk and nearly double that on a double-layer disk. If you have large amounts of data to back up, then DVDs may be a better solution.

4. USB Thumb Drives - Today's thumb drives are large, fast and inexpensive. They are larger than CDs, far faster than CDs, and they are more easily reused.

5. SD Cards - SD cards and similar media work well, but they are more costly than thumb drives. Further, every computer, including laptops, has USB ports, but not necessarily an SD Card port. Therefore USB thumb drives are considered to be the better solution compared to SD cards.

6. External Hard Drives - External hard disks are becoming increasingly popular for primary storage and for data backup. Units are currently priced from $49 and accommodate up to 4 terabytes of data. Examples follow:

USB External Hard Drive                                                                                     Price
Buffalo DriveStation Quattro TurboUSB HD-QS4.0TSU2/R5 - hard drive array, 4 TB, 4 bays (SATA-150),
  4 x HD 1 TB, Hi-Speed USB, Serial ATA-150 (external)                                                      $1,950
G-Tech G-RAID mini - hard drive array, 500 GB, 2 bays (SATA-300), 2 x HD 250 GB, FireWire 800,
  Hi-Speed USB, FireWire 400 (external)                                                                     $980
Iomega UltraMax Pro Desktop - hard drive array, 1.5 TB, 2 bays, 2 x HD 750 GB, Hi-Speed USB,
  Serial ATA-300 (external)                                                                                 $510
Iomega UltraMax Pro Desktop Hard Drive - hard drive array, 1.5 TB, 2 bays, 2 x HD 750 GB,
  Hi-Speed USB, Serial ATA-300 (external)                                                                   $375
LaCie d2 Quadra Hard Disk 500 GB FireWire/FireWire 800 - hard drive, 500 GB, external,
  FireWire/FireWire 800/Hi-Speed USB/eSATA-300, 7200 rpm, buffer: 16 MB                                     $165

These devices support the higher transfer rates of USB 2.0. These units are also true plug-n-play if Windows XP or Windows Vista is installed (there are no drivers to install; just plug it in and go). The external hard disk will automatically appear in My Computer.

7. Network Attached Storage (NAS) - Network Attached Storage (NAS) can be used for backup in the same way as server-based storage. Up until recently, NAS was relatively expensive for small businesses. In the past year, several vendors have modified their external hard drive products to include an Ethernet port for direct connection to a local area network. The storage is accessible as a mapped drive from any workstation desktop on your network, very similar to the way a user would attach to a network server. Examples follow:

Network Attached Storage Device                                                                             Price
IBM TotalStorage DS4800 Model 82 hard drive array                                                           $39,700
Intel Entry Storage System SS4000-E, 2 TB. The SS4000-E can connect to a Gigabit Ethernet network
  and support up to four Serial Advanced Technology Attachment (SATA) hard disks.                           $418
Unibrain FireNAS 2U, Network Attached Storage server. Hot-swap drives and RAID protection.
  12.0 TB (12,000 GB) of storage managed by a Windows Storage Server 2003 R2. Easy installation
  with plug-n-play connectivity.                                                                            $10,000
FireDisk 800s: 500 GB hard drive                                                                            $270

8. Online Backup - The latest innovation in backup media is network-based online backup. Online backup is similar in operation to a file server or NAS, but the file transfer speed is limited to the speed of your Internet connection. A typical DSL connection will have about 1/100 of the throughput of a LAN. That means that backup times will be considerably longer using online backup than backing up to a file server or NAS. Because of the slow transfer speeds, online backup is not well suited for full system backups, but is an excellent choice for financial data and documents. The chief advantages of online backup are:

a. The backup is stored off-site.
b. The storage location is professionally managed and backed up.
c. The process is convenient because users do not have to deal with handling, storing, or administering backup media.

Prices range from as little as $10 per month for 4GB of managed backup storage space. Plans typically include a backup application to schedule periodic backups from your desktop.

As an example, consider Carbonite:

For just $50 per year, Carbonite will back up all of your data. Just click on the files or folders you want to back up, and Carbonite will work in the background to keep your data in sync on a real-time basis. However, I tried Carbonite with a cable connection to the Internet, and after 46 days, Carbonite still had not backed up my entire 53 GBs of data. Therefore I can conclude that Carbonite is great for backing up your current data folder, but not your entire computer system. Following is an example screen that shows how Carbonite works:

Advantages of Each Backup Media Type

(Comparison table; only the row and column headings are reproduced here, the ratings in the cells are not.)

                              Tape    CD/DVD    USB Thumb    External Disk    NAS    Online
Suitability for Backing Up:
  Data Only
  Full System
Backup Speed
Restoration Speed:
  Full Restore
  Limited or Single File
Portability
Suitability for Archiving

Xcentric Online Backup
In 2008 I tested numerous backup solutions including Carbonite, QuickBooks Online Backup, eBackups, and Xcentric. My objective was to find an inexpensive online backup system that I was happy with for my own use, and then recommend to attendees of the security course. The solution that I have been most pleased with is Xcentric Online Backup. Here's why:
1. Completely automates the backup process.
2. Up to 2 terabytes per day.
3. About $2.50 per gigabyte per month (free 30-day trial available).
4. 128-bit encryption.
5. No tapes, no hardware.
6. Eliminates risk of tapes being corrupted, misplaced, damaged, or stolen.
7. Uses state-of-the-art backup, security, and data center technologies.
8. Backups are fully off-site.
9. Open file backup - if needed, you can restore data immediately, even a single file.
10. No equipment to buy.
11. Simple 15-minute setup.
12. Daily e-mail reporting - reports are e-mailed to you each day to acknowledge the success of your backups. This report also shows data backup size, remaining quota, retention copies, upload volumes, and other key information.
13. Web-based management.
14. Up to 8:1 compression.

Xcentric Contact Info:
Xcentric (Jason Hand), 3015 Windward Plaza, Suite 500, Alpharetta, GA 30005, 678-297-0066 ext. 514

Backup Rotation Scheme

If you constantly back up your data by overwriting your previous backups, you are vulnerable in the event that your computer crashes during the backup process. You will be left with nothing. For this reason, a backup rotation scheme must be chosen to facilitate efficient and effective backup of your mission-critical data. There are several acceptable rotation schemes from which to choose. Among them are Grandfather-Father-Son (GFS) and Tower of Hanoi.

Grandfather-Father-Son is the most widely used and easiest to understand media rotation scheme. An incremental or differential backup is made each day with a full backup made at the end of each week and the end of each month. A three-week version history is preferred by information security professionals. That means that daily backups are not overwritten for three weeks.

Let's examine a practical example. ABC Company is open for business five days per week, Monday through Friday. ABC uses streaming tape with GFS and a three-week version history. It requires 12 (4 days x 3 weeks) daily tapes, up to 5 weekly tapes, 12 monthly tapes, and one annual tape for a total of 30 tapes. The daily tapes are labeled D-1 through D-12, the weekly tapes are labeled W-1 through W-5, and the monthly tapes are labeled M-1 through M-12.

The tape rotation scheme for ABC Company is illustrated in Figure 1. Notice that Tape D-1 is not reused until the first day of the fourth week in the rotation, in this case May 22nd. Tape W-1 is not reused until the following month, in this case on June 2nd.
Figure 1: May - June 2006

Mon            Tue            Wed            Thu            Fri
 1 Tape D-1     2 Tape D-2     3 Tape D-3     4 Tape D-4     5 Tape W-1
 8 Tape D-5     9 Tape D-6    10 Tape D-7    11 Tape D-8    12 Tape W-2
15 Tape D-9    16 Tape D-10   17 Tape D-11   18 Tape D-12   19 Tape W-3
22 Tape D-1    23 Tape D-2    24 Tape D-3    25 Tape D-4    26 Tape W-4
29 Tape D-5    30 Tape D-6    31 Tape M-1     1 Tape D-8     2 Tape W-1

Monthly Grandfather-Father-Son Tape Rotation Scheme
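The rotation in Figure 1 follows three rules that can be written down and checked, which is how a backup operator would generate next month's tape labels rather than filling the calendar in by hand. The following is an added example (not from the manual) that reproduces the figure: Monday through Thursday take daily tapes D-1 to D-12 in a twelve-slot cycle, Friday takes weekly tape W-n where n is that Friday's position in the month, and the last business day of a month takes the monthly tape instead, with that daily slot still consumed so the cycle continues (May 31 gets M-1 and June 1 gets D-8, as in the figure). The start date and the handling of weekends are taken from the figure; holidays are not modelled and are an assumption left out.

```python
"""Which tape ABC Company mounts on a given business day under GFS (Figure 1).

Added example, not from the manual. Monthly tapes are numbered from the
start of the rotation (May 2006 = M-1) and cycle after twelve months.
"""
from datetime import date, timedelta

START = date(2006, 5, 1)   # rotation begins with D-1 on Monday, May 1 (per Figure 1)


def is_business_day(d):
    return d.weekday() < 5


def is_last_business_day_of_month(d):
    """True if the next business day after d falls in a different month."""
    nxt = d + timedelta(days=1)
    while not is_business_day(nxt):
        nxt += timedelta(days=1)
    return nxt.month != d.month


def nth_friday_of_month(d):
    return (d.day - 1) // 7 + 1


def tape_for(d, start=START):
    """Return the tape label for business day d, or None on a weekend."""
    if not is_business_day(d):
        return None
    if is_last_business_day_of_month(d):
        months = (d.year - start.year) * 12 + (d.month - start.month)
        return f"M-{months % 12 + 1}"
    if d.weekday() == 4:
        return f"W-{nth_friday_of_month(d)}"
    # Count Monday-Thursday slots since start; a month-end day still uses a slot.
    slots = 0
    cur = start
    while cur < d:
        if is_business_day(cur) and cur.weekday() != 4:
            slots += 1
        cur += timedelta(days=1)
    return f"D-{slots % 12 + 1}"


def schedule(start, end):
    """(ISO date, tape label) for each business day from start to end inclusive."""
    out = []
    cur = start
    while cur <= end:
        label = tape_for(cur)
        if label:
            out.append((cur.isoformat(), label))
        cur += timedelta(days=1)
    return out


def first_reuse(label, start, end):
    """Dates on which a given tape is mounted, to confirm the version history it protects."""
    return [day for day, tape in schedule(start, end) if tape == label]


if __name__ == "__main__":
    for day, label in schedule(date(2006, 5, 1), date(2006, 6, 2)):
        print(day, label)
    print("D-1 mounted on:", first_reuse("D-1", date(2006, 5, 1), date(2006, 6, 30)))
```

`first_reuse("D-1", ...)` shows the tape being written on May 1 and next on May 22, the three-week gap the text calls the version history; changing the `12` in `tape_for` to `8` would shrink that gap to two weeks, which is the trade-off between tape count and how far back a restore can reach.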

124

InformationSecurity
The monthly tapes, such as Tape M1 used on May 31st, are taken out of the rotation and are
never reused until the following year. As can be seen from this example, a three week version
history means that three weeks of daily backups are produced before any tapes are
overwritten.

If the Grandfather-Father-Son rotation scheme is used, here are some simple rules to make
sure that your mission critical data is fully protected.

1. The daily backups should not be overwritten for a period of at least three weeks.

2. The weekly full backups should not be overwritten for at least one month.

3. The monthly full backups should be maintained and not overwritten for at least one
year.

4. The annual full backup should be maintained for at least seven years, or as mandated by
local regulatory requirements. Annual backups should be catalogued and maintained off-site
in a data vault or a fire- and water-proof safe deposit box. Duplicate copies should be
maintained at different off-site locations.
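The rotation in Figure 1 and the four rules above can be generated and checked mechanically. The Python below is an added example written for this section, not code from the course material: it produces the ABC Company schedule from the rules as the text describes them (a Monday through Friday week, twelve daily tapes, Friday tapes numbered by which Friday of the month it is, a monthly tape on the last business day of each month) and then measures how many days each tape rests before it is overwritten. Holidays are ignored, and the year-end annual tape taking December's month-end slot under the label A-1 is an assumption; the text does not say which day the annual tape replaces.

```python
from datetime import date, timedelta

# Parameters of the ABC Company example in the text: a Monday-Friday business
# week with a three-week version history, so 4 x 3 = 12 daily tapes.
DAILY_TAPES = 12
MONTHLY_TAPES = 12


def is_business_day(d: date) -> bool:
    return d.weekday() < 5                      # Monday = 0 ... Friday = 4


def last_business_day_of_month(d: date) -> date:
    """Last Monday-to-Friday date in the month containing d."""
    first_of_next = (d.replace(day=28) + timedelta(days=4)).replace(day=1)
    last = first_of_next - timedelta(days=1)
    while not is_business_day(last):
        last -= timedelta(days=1)
    return last


def gfs_schedule(start: str, end: str) -> dict:
    """Map each business day in [start, end] (ISO dates) to the tape label written that day."""
    schedule = {}
    daily_slot = 0      # advances every Monday-Thursday, even when a month-end tape takes the slot
    monthly_slot = 0    # advances at each month end
    d, last = date.fromisoformat(start), date.fromisoformat(end)
    while d <= last:
        if is_business_day(d):
            friday = d.weekday() == 4
            if not friday:
                daily_slot += 1
            month_end = d == last_business_day_of_month(d)
            if month_end and d.month == 12:
                label = "A-1"   # assumption: the single annual tape takes December's month-end slot
            elif month_end:
                monthly_slot += 1
                label = f"M-{(monthly_slot - 1) % MONTHLY_TAPES + 1}"
            elif friday:
                label = f"W-{(d.day - 1) // 7 + 1}"       # nth Friday of the month
            else:
                label = f"D-{(daily_slot - 1) % DAILY_TAPES + 1}"
            schedule[d.isoformat()] = label
        d += timedelta(days=1)
    return schedule


def min_reuse_gap_days(schedule: dict) -> dict:
    """Fewest days between two writes of the same tape, keyed by tape class (D, W, M, A)."""
    last_written, gaps = {}, {}
    for key in sorted(schedule):
        d, label = date.fromisoformat(key), schedule[key]
        if label in last_written:
            gap = (d - last_written[label]).days
            gaps[label[0]] = min(gaps.get(label[0], gap), gap)
        last_written[label] = d
    return gaps


def retention_rules_met(schedule: dict) -> bool:
    """Rules 1 and 2 from the text: D tapes rest at least 21 days, W tapes at least 28."""
    gaps = min_reuse_gap_days(schedule)
    return gaps.get("D", 21) >= 21 and gaps.get("W", 28) >= 28


if __name__ == "__main__":
    # Reproduces Figure 1: May 1 to June 2, 2006.
    for day, tape in gfs_schedule("2006-05-01", "2006-06-02").items():
        print(day, tape)
    print(min_reuse_gap_days(gfs_schedule("2006-05-01", "2006-12-31")))
```

Running the block prints the same assignments as Figure 1 (D-1 on May 1 and again on May 22, M-1 on May 31, W-1 on May 5 and June 2) and a gap table showing that no daily tape is rewritten in under 21 days and no weekly tape in under 28; the monthly and annual tapes never reappear within the year, which is what rules 3 and 4 require.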

Backup Archive

Regardless of your backup methods used, you should end the year with a complete snapshot
of all computers as of the end of each month or each quarter. This archive should be
maintained off-site. If you are using tapes, then you should be able to produce 12 tapes, each
representing all computers as of the end of each month or each quarter. If you are using CDs or
DVDs, then you should be able to produce 12 sets of CDs or DVDs representing computer
systems as of the end of each month or each quarter. If you are using hard drives, then you
should have 12 folders representing snapshots of each computer every month or for every
quarter. Here is an example of what the final product should look like.

Other Backup Considerations

Redundant backups can be a useful technique. In other words, data could be backed up daily to
a separate hard disk, file server, or NAS, as well as to permanent storage, such as CD-R or DVD.
Having the same backup data stored in multiple locations provides an additional level of safety
through redundancy. The greatest advantage of this technique is realized when it becomes
necessary to recover a single corrupted file. Daily data backups stored on high-speed media
with ready accessibility provide users with the ability to restore important files on the fly,
without the hassle of finding and loading the latest backup media. This is especially useful in
situations where backup media are taken off-site for storage. Daily backups to hard disk, a file
server, or NAS should not be used alone. Make sure to back up to permanent media and store
the backups off-site for maximum protection.

Off-site storage of backup media provides the greatest protection against unanticipated
disasters. If your office is flooded or burns, any backup media stored in your office is likely to be
destroyed or rendered unusable. Storing backups in the same location as live data does not
provide sufficient protection from data loss when disaster strikes. Backup media should be
stored off-site. Small businesses typically store backups at the home of the owner or a trusted
employee. A better practice would be to store your backup media in a fire- and water-proof safe
deposit box at your local bank.

Every business should develop a data retention policy as part of its backup plan. Governmental
entities and taxing authorities regulate the retention of certain types of data. The Internal
Revenue Service requires that financial and tax records be maintained for seven years.
Employee payroll, benefits, and HR records should be maintained from three to seven years.
Other federal agencies and some states require longer data retention periods. Your data
backup plan should accommodate the regulatory framework imposed in your business location.
At a minimum, long-term archive media should be generated for month-end, quarter-end, and
year-end financial records. At least two copies of each archive media should be maintained, and
the copies should be stored in different physical locations. Natural disaster, mishandling of
media, storage in inappropriate environmental conditions, or misplacement of a single copy of
critical data archives can put a company at risk.

The data backup process is fraught with potential problems that could render your backups
unusable or incomplete. Media could be damaged, backup equipment may not be properly
maintained, or a defined backup routine may not include a newly installed hard disk. Whatever
the reason, backup is not successful unless you can get your data back!³ The SANS Institute
reports that one of the worst security mistakes made by IT professionals is their failure to
maintain and test data backups.⁴ Test the integrity of your backup process by doing trial
restores on a regular basis. Only then can you be confident that your backups will function in
the event of hardware failure, data corruption, or natural disaster.
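A trial restore is only a test if you have something to compare the restored files against. The Python below is an added example written for this section, not code from the course material: it records a SHA-256 manifest of a directory tree at backup time and later compares a restored copy against that manifest, reporting files that are missing, altered, or present when they should not be. The directory names, file names and contents are constructed for the demonstration and are created in a temporary directory, so the example runs offline.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root, in sorted order."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest taken when the backup was made."""
    report = {"missing": [], "changed": [], "extra": []}
    seen = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in seen:
            report["missing"].append(rel)
        elif seen[rel] != digest:
            report["changed"].append(rel)
    report["extra"] = sorted(set(seen) - set(manifest))
    return report


def demo() -> dict:
    """Constructed trial restore: snapshot a small tree, restore it twice, check both copies."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "ledger").mkdir(parents=True)
        (live / "ledger" / "gl-2006-05.csv").write_text("acct,amount\n1000,250.00\n")
        (live / "payroll.xml").write_text("<payroll/>")
        manifest = build_manifest(live)          # keep this with the backup catalogue

        good = Path(tmp) / "restore-good"        # a restore from an intact medium
        shutil.copytree(live, good)

        bad = Path(tmp) / "restore-bad"          # a restore from a damaged medium
        shutil.copytree(live, bad)
        (bad / "payroll.xml").write_text("")                 # truncated file
        (bad / "ledger" / "gl-2006-05.csv").unlink()          # never made it to tape
        (bad / "thumbs.db").write_text("junk")               # not part of the backup

        return {"clean": verify_restore(manifest, good),
                "damaged": verify_restore(manifest, bad)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

A manifest like this belongs with the backup catalogue, not only on the medium it describes: if the medium is damaged, the manifest stored beside it may be too. Comparing every restore against the manifest turns "the restore ran without errors" into "every file the backup was supposed to contain came back intact".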


Computer Viruses
Chapter 19


Computer Viruses

In 1986, there was only one known computer virus. By 1989 there were six and in 1990 there
were 80 confirmed computer viruses. In a press release issued in June of 1999, Adam Harriss
and Catherine Huneke of Computer Economics, Inc., a research firm in Carlsbad, California,
stated, "The economic impact of virus and worm attacks on information systems has increased
significantly this year, with businesses losing a total of $7.6 billion in the first two quarters of
1999 as a result of disabled computers." Other surveys suggest that throughout the world,
more than 60% of all companies are hit by at least one virus each year; that number is greater
than 70% in the United States. Today, between 10 to 15 new viruses appear every day costing
an estimated 55 billion dollars in damages (according to antivirus company Trend Micro
Incorporated). Some estimates are far higher.

Viruses come in many forms and with many different problems attached to each kind. Some
viruses are designed to mess up your entire computer and destroy all data; others are made
just to show you unwanted advertisements every once in a while. Either way, they shouldn't be
on your computer and can be removed by you manually or by virus removal software. The most
common types of computer viruses and what they can do to you or your computer are as
follows:

1. The Worm Virus - This type of virus can duplicate itself and it will use the email
addresses from your address book, and send itself to those people. This means your
friends' and family's computers could even become infected with this virus.

2. The Trojan Virus - This is a sneaky virus which disguises itself as a program that provides
a legitimate function. But really it is a virus that will damage your computer or steal
personal information like passwords.

3. The Backdoor Trojan Virus - If your computer was infected with it, someone could take
control of your computer through your network or the internet.

4. File Virus - File viruses can attach to real software, so that whenever you use the
software, it will load into your memory and infect other files that are associated with
that program. That means that the most important documents and data could be
destroyed by one simple click.

5. Adware and Spyware - Adware is basically just advertisements that are saved on your
computer, and show themselves sometimes in a random popup or when you type in a
web address that is incorrect. Spyware is actually the worst of the two because spyware
can log your every keystroke, record every website you go to, and report your statistics
back to an individual or company.


Important Virus Tips

To recover from a computer-freezing virus, you should take these steps:

1. Make a backup copy of your hard drive's data every week.
2. Back up your BIOS every time you change it or a part on your computer.
3. Run virus protection software.

Viruses are a fact of life that we all must contend with. Luckily, virus protection technology has
never been better, and there are dozens of such products to choose from. Presented below is a
listing of ten of the best antivirus products on the market, followed by a brief description of 3 of
the most recommended solutions.

1. BitDefender - 24.95
2. CA - 39.99
4. The Shield Deluxe - 29.99
5. Panda - 39.95
6. Trend Micro - 39.95
7. McAfee - 39.99
8. NOD32 - 39.99
9. Norton - 39.99
10. Kaspersky - 59.95

The Shield Deluxe 2008 is a rather simple to use antivirus software and anti-spyware
program. It is relatively painless to download, install and use.

The Shield Deluxe antivirus software comes with an installation utility that detects remnants
of previously installed antivirus software, weeding them out before the download begins. The
Shield Deluxe 2008 has automatic updates and weekly virus scans are all prescheduled. It is
Vista Compatible and you can use this Special 20% Off Coupon PCSS20 (Apply Coupon in
shopping cart).

CA antivirus software has such a clean interface with what seems to be a very high
"install and forget rating". There is no overload of information and choices on the interface
which is good. CA Antivirus's main software component runs at less than 13mb RAM which is
pretty light and my overall system scan was pretty fast.

Trend Micro's Antivirus plus Antispyware provides tools to battle malicious spyware, amongst
things like trojans, hackers, worms, and adware. The antivirus software component is an easy
to use product but after that, the rest of their software can be somewhat confusing for a
computer user with less knowledge.


Free Anti-Virus Programs

AVG is one of the most often recommended freeware antivirus packages. While Grisoft offers a
paid version, there is a freeware version of the virus protection on the website. It only offers
virus protection (no anti-spam, anti-spyware or firewall) but is said to be very effective at that
task. Highly recommended, but you'll need to add spyware protection separately. There is a
free AVG Anti-Spyware add-on, but it doesn't do automatic updates, so unless you are diligent
to keep it updated, I'd recommend against it.

Avast! is another freebie antivirus program with basic features and ease of use. It is updated
regularly, also highly recommended. But again, it offers only antivirus protection, unless you
pay for the Avast Professional version.


Avira AntiVir Free Antivirus program, which offers: Extensive Malware Recognition of viruses,
Trojans, backdoor programs, worms, etc. Automatic incremental updates of antivirus
signatures, engine and entire software. Permanent virus protection, with Virus Guard real-time
monitoring. Install and configuration in just a couple of steps. Virus protection against known
and unknown threats, using an advanced heuristic system. Scheduler where you can set the
scanner to make automatic virus scans or updates on your system. Forum and phone support,
Knowledge Base with virus descriptions available on website. Vista Support. Rootkit Detection
and Removal. Version 8 adds an enhanced interface, a modularized AV search engine for
improved scan performance, and a failsafe security system.


Phishing
Chapter 20


Phishing
Phishing is an attempt to criminally and fraudulently acquire sensitive information, such as
usernames, passwords and credit card details, by masquerading as a trustworthy entity in an
electronic communication. eBay, PayPal and online banks are common targets. Phishing is
typically carried out by email or instant messaging, and often directs users to enter details at a
website, although phone contact has also been used. Phishing is an example of social
engineering techniques used to fool users.

In 2007 phishing attacks escalated as 3.6 million adults lost $3.2 billion in the 12 months ending
in August 2007, up from 1.2 million computer users and an estimated $2 billion between May
2004 and May 2005.

The first recorded use of the term "phishing" was made in 1996 and alludes to the use of
increasingly sophisticated baits used in the hope of a "catch" of financial information and
passwords.

A phishing technique was described in detail as early as 1987, in a paper and presentation
delivered to the International HP Users Group, Interex, in which phishing on AOL was closely
associated with the warez community that exchanged pirated software. Those who would later
phish on AOL during the 1990s originally used fake, algorithmically generated credit card
numbers to create accounts on AOL, which could last weeks or possibly months. After AOL
brought in measures in late 1995 to prevent this, early AOL crackers resorted to phishing for
legitimate accounts.

Transition To Financial Institutions
The capture of AOL account information may have led phishers to misuse credit card
information, and to the realization that attacks against online payment systems were feasible.
The first known direct attempt against a payment system affected E-gold in June 2001, which
was followed up by a "post-9/11 id check" shortly after the September 11 attacks on the World
Trade Center. Both were viewed at the time as failures, but can now be seen as early
experiments towards more fruitful attacks against mainstream banks. By 2004, phishing was
recognized as a fully industrialized part of the economy of crime: specializations emerged on a
global scale that provided components for cash, which were assembled into finished attacks.


Recent Phishing Attempts
(Chart: the increase in phishing reports from October 2004 to June 2005.)
More recent phishing attempts have targeted the customers of banks and online payment
services. Emails, supposedly from the Internal Revenue Service, have also been used to glean
sensitive data from U.S. taxpayers. Targeted versions of phishing have been termed "spear
phishing".

Social networking sites are also a target of phishing, since the personal details in such sites can
be used in identity theft; in late 2006 a computer worm took over pages on MySpace and
altered links to direct surfers to websites designed to steal login details. Experiments show a
success rate of over 70% for phishing attacks on social networks.

Almost half of phishing thefts in 2006 were committed by groups operating through the Russian
Business Network based in St. Petersburg.

Phishing Techniques
1. Link manipulation - Most methods of phishing use some form of technical deception
designed to make a link in an email (and the spoofed website it leads to) appear to
belong to the spoofed organization. Misspelled URLs or the use of subdomains are
common tricks used by phishers. Another common trick is to make the anchor text for a
link appear to be valid, when the link actually goes to the phishers' site.
An old method of spoofing used links containing the '@' symbol, originally intended as a
way to include a username and password. For example, the link
http://www.google.com@members.tripod.com/ might deceive a casual observer into
believing that it will open a page on www.google.com, whereas it actually directs the
browser to a page on members.tripod.com, using a username of www.google.com: the
page opens normally, regardless of the username supplied. Such URLs were disabled in
Internet Explorer, while Mozilla and Opera present a warning message and give the
option of continuing to the site or cancelling.
A further problem with URLs has been found in the handling of Internationalized domain
names (IDN) in web browsers, that might allow visually identical web addresses to lead
to different, possibly malicious, websites. Despite the publicity surrounding the flaw,
known as IDN spoofing or a homograph attack, no known phishing attacks have yet
taken advantage of it.

2. Filter Evasion - Phishers have used images instead of text to make it harder for anti-
phishing filters to detect text commonly used in phishing emails.

3. Website Forgery - Once the victim visits the website the deception is not over. Some
phishing scams use JavaScript commands in order to alter the address bar. This is done
either by placing a picture of a legitimate URL over the address bar, or by closing the
original address bar and opening a new one with the legitimate URL.
An attacker can even use flaws in a trusted website's own scripts against the victim.
These types of attacks (known as cross-site scripting) are particularly problematic,
because they direct the user to sign in at their bank or service's own web page, where
everything from the web address to the security certificates appears correct. In reality,
the link to the website is crafted to carry out the attack, although it is very difficult to
spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal.
A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a
simple-to-use interface that allows a phisher to convincingly reproduce websites and
capture login details entered at the fake site.
To avoid anti-phishing techniques that scan websites for phishing-related text, phishers
have begun to use Flash-based websites. These look much like the real website, but hide
the text in a multimedia object.

4. Phone Phishing - Not all phishing attacks require a fake website. Messages that claimed
to be from a bank told users to dial a phone number regarding problems with their bank
accounts. Once the phone number (owned by the phisher, and provided by a Voice over
IP service) was dialed, prompts told users to enter their account numbers and PIN.
Vishing (voice phishing) sometimes uses fake caller ID data to give the appearance that
calls come from a trusted organization.

5. Paypal Phishing Example - As an example, the phishing email shown below targeted
PayPal users. Spelling mistakes in the email and the presence of an IP address in the link
were both clues that this is a phishing attempt. Another giveaway is the lack of a
personal greeting, although the presence of personal details would not be a guarantee
of legitimacy. Other signs that the message is a fraud are misspellings of simple words
and the threat of consequences such as account suspension if the recipient fails to
comply with the message's requests.

In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were
sent a fake email were tricked into revealing personal information.

Anti-phishing Techniques
There are several different techniques to combat phishing, including legislation and technology
created specifically to protect against phishing, as follows:
1. Social Responses - One strategy for combating phishing is to train people to recognize
and to deal with phishing attempts.

2. Check Legitimacy - People can take steps to avoid phishing attempts by slightly
modifying their browsing habits. When contacted about an account needing to be
"verified" (or any other topic used by phishers), it is a sensible precaution to contact the
company from which the email apparently originates to check that the email is
legitimate.

3. Look For Specifics - Nearly all legitimate email messages from companies to their
customers contain an item of information that is not readily available to phishers. Some
companies, for example PayPal, always address their customers by their username in
emails, so if an email addresses the recipient in a generic fashion ("Dear PayPal
customer") it is likely to be an attempt at phishing. Emails from banks and credit card
companies often include partial account numbers.

4. Technical Responses - Anti-phishing measures have been implemented as features
embedded in browsers, as extensions or toolbars for browsers, and as part of website
login procedures. The following are some of the main approaches to the problem.

   a. Helping To Identify Legitimate Sites - Since phishing is based on impersonation,
   preventing it depends on some reliable way to determine a website's real
   identity. For example, some anti-phishing toolbars display the domain name for
   the visited website. The petname extension for Firefox lets users type in their
   own labels for websites, so they can later recognize when they have returned to
   the site. If the site is suspect, then the software may either warn the user or
   block the site outright.

   b. Browsers Alerting Users To Fraudulent Websites - Another popular approach to
   fighting phishing is to maintain a list of known phishing sites and to check
   websites against the list. Microsoft's IE7 browser, Mozilla Firefox 2.0, and Opera
   all contain this type of anti-phishing measure. The screen below shows Google
   blocking a suspected phishing website.


5. Eliminating Phishing Mail - Specialized spam filters can reduce the number of phishing
emails that reach their addressees' inboxes. These approaches rely on machine learning
and natural language processing approaches to classify phishing emails.

6. Monitoring And Takedown - Several companies offer banks and other organizations
likely to suffer from phishing scams round-the-clock services to monitor, analyze and
assist in shutting down phishing websites. Individuals can contribute by reporting
phishing to both volunteer and industry groups, such as PhishTank.
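The link tricks under "Link manipulation", the clues listed with the PayPal example, and the generic-greeting rule under "Look For Specifics" can be turned into a simple mail-side check of the kind a spam filter or a help-desk triage script would run. The Python below is an added example written for this section; it is not code from the course material or from any product the chapter mentions. It pulls the links out of an HTML message body and flags the indicators this page describes: a username before the '@' in the URL, a bare IP address as the host, anchor text that names a different domain than the link actually targets, and a greeting that does not name the recipient. The sample message, its IP address (taken from the 192.0.2.0/24 documentation range, which resolves to nothing) and the "last two labels" approximation of a registrable domain are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message modelled on the clues the text lists: a generic
# greeting, a misspelling, an IP-address link and the '@'-style URL from item 1.
SAMPLE_MAIL = """<html><body>
<p>Dear PayPal Customer,</p>
<p>Your acount has been limited. Click
<a href="http://192.0.2.10/cgi-bin/webscr">www.paypal.com</a> to restore access,
or verify at <a href="http://www.google.com@members.tripod.com/">www.google.com</a>.</p>
<p>Questions? See <a href="https://www.paypal.com/help">PayPal Help</a>.</p>
</body></html>"""

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
GENERIC_GREETING = re.compile(
    r"\bdear\s+(?:valued\s+)?(?:\w+\s+)?(?:customer|user|member|client)\b", re.I)


class _MailLinks(HTMLParser):
    """Collects (href, anchor text) pairs and the message's visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host name: an approximation, not a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])


def link_indicators(href: str, anchor_text: str) -> list:
    """Indicators from the page's 'link manipulation' item, for one link."""
    found = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.username is not None:        # http://www.google.com@members.tripod.com/
        found.append("userinfo-before-host")
    if IPV4_HOST.match(host):             # an IP address where a company name is expected
        found.append("ip-address-host")
    shown = DOMAIN_IN_TEXT.search(anchor_text)
    if shown and registrable(shown.group(0)) != registrable(host):
        found.append("anchor-text-domain-mismatch")
    return found


def scan_message(html_body: str) -> dict:
    """Return the generic-greeting flag and every link that raised an indicator."""
    parser = _MailLinks()
    parser.feed(html_body)
    suspicious = {}
    for href, text in parser.links:
        hits = link_indicators(href, text)
        if hits:
            suspicious[href] = hits
    return {
        "generic_greeting": bool(GENERIC_GREETING.search("".join(parser.text))),
        "suspicious_links": suspicious,
    }


if __name__ == "__main__":
    for key, value in scan_message(SAMPLE_MAIL).items():
        print(key, value)
```

On the sample message the check flags the greeting and both deceptive links, while the genuine help link (anchor text without a domain, host matching the company) raises nothing. None of these indicators proves a message is fraudulent on its own, which is why the text pairs them with the "Check Legitimacy" advice of contacting the company directly; the value of a script like this is in pulling the suspicious links out of a message so that a person never has to hover over them.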

Legal Responses
1. Goodin Convicted - On January 26, 2004, the U.S. Federal Trade Commission filed the
first lawsuit against a suspected phisher and Californian teenager Jeffrey Brett Goodin.
He was the first defendant convicted by a jury under the provisions of the CAN-SPAM
Act of 2003. He was found guilty of sending thousands of emails to AOL users, while
posing as AOL's billing department, which prompted customers to submit personal and
credit card information. He was sentenced to serve 70 months.

2. In Brazil - Phishing kingpin, Valdir Paulo de Almeida, was arrested for leading one of the
largest phishing crime rings, which in two years stole more than $18 million.

3. In the UK - UK authorities jailed two men in June 2005 for their role in a phishing scam,
in a case connected to the U.S. Secret Service Operation Firewall, which targeted
notorious "carder" websites.

4. In Japan - In 2006 eight people were arrested by Japanese police on suspicion of
phishing fraud by creating bogus Yahoo Japan Web sites, netting themselves 100 million
yen ($870,000). The arrests continued in 2006 with the FBI Operation Cardkeeper
detaining a gang of sixteen in the U.S. and Europe.

5. Microsoft Attacks - On March 31, 2005, Microsoft filed 117 federal lawsuits in the U.S.
District Court for the Western District of Washington. The lawsuits accuse "John Doe"
defendants of obtaining passwords and confidential information.


Spy Stuff
Chapter 38

VME Spy Phone - Eavesdrop on Conversations From Anywhere in the World
This product operates as a normal mobile phone where the holder can send and receive calls
as usual. However, when you call the phone using a special access number, it automatically
answers without any ringing or the holder being aware that you are connected to their phone
in "listening mode". There will be no record of the call received from the special access
number in the phone's list of received calls. There is also a proximity listening device enabling
you to listen directly to what is going on up to five meters away from the phone.

VME Cell Phone Interceptor - Real-time interception and tracking of cell phone communication*
A proprietary technology allowing you to intercept, follow, track and listen to communications
using unique triangulation and other advanced technology. Active or passive search and
detection. Completely undetectable. Follow multiple targets simultaneously. Laptop size with
extended range.

The Picture Frame Bug
This is a sneaky way to bug a room, a picture frame with a built-in microphone that you can
phone up and listen to what's going on.

Tap your own phone line with Teleport 2.0

Cell Phone SIM Card Spy
This device allows you to recover deleted text messages from a cell phone. Just plug it in and
erased messages on the phone are restored to the device, which you can read later by plugging
it into your computer.

Under Door Remote Viewing Kit
The viewing kit allows you to see behind a door before you open it. The scope section is used
to slide under the door and can fit in a space less than a quarter of an inch. The field of view is
55 degrees, which can see from the floor right up to the ceiling. As well as seeing what is in the
room, there is a right-angle adapter which allows you to view the back of the door so you can
observe any barricades or traps.

MQ1 Predator
The US Government has given the University of Michigan a $10 million dollar grant to come up
with a six-inch robotic spy plane modeled after a bat.

Honeywell Hovering Spy Drone
Spy drone that can fly a 100 waypoint flight plan at 57 MPH, at a 10,500 foot altitude. These
Micro Air Vehicles (MAVs) are already in place over Iraq and Afghanistan. They are waiting for
FAA permission to be used here on American soil. $???

Spy Tie and the Concealed Camera Spy Pen
Sure to blend in beautifully whilst keeping tabs on your co-workers or employees.

The Spy Cam Office Calculator
This is a fully functioning electronic calculator complete with print roll, comes with a hidden
640 x 480 high resolution camera which, once armed via the unit's wireless remote control, will
enter motion detection mode ensuring that the moment someone comes within range it will
begin capturing video footage to an SD card concealed in a hidden compartment, with 2GB SD
cards storing up to 128 hours of surveillance video. $449

Estes Xb30 Digital Camera Spy Plane
A radio controlled digital camera spy plane with built-in digital camera that can take up to
"26 aerial photographs" with the push of a button on the transmitter. Transfer the images to
your computer via a USB port. Powered by electric fan engines with a wingspan of 55 in. and is
34 in. long.

Shocking Suitcase
Keep all your secret documents safe with this shocking suitcase, 80,000 volts to be exact. The
electric shock alarm is activated at the push of a button via remote control. A built-in secondary
107 db alarm keeps would-be thieves away. Available in brown or black colors.

Shotgun Flashlight
A grenade-style pin removes the safety, and the flashlight fires a .410 shotgun round out the
back when a button is pressed. A Mini-Mag size fires a .380 round.

Listen To Conversations 15 Feet Away
Not your ordinary SL65, this "Interceptor" version allows users to "dial up the device's super
secret number to instantly surreptitiously listen in on whatever's happening up to five meters
away from the mic." One drawback, it's priced at a whopping $2,155.

Mouse Microphone
Keep a close ear on your computer with the CP1. Hidden inside this otherwise normal looking
mouse is a condenser microphone capable of picking up on any nearby conversations. It
measures 53 x 95 x 35 mm and weighs just 75 g.

Digital Camera Watch
Looks and works like a normal watch, however it can also take VGA digital photos! So when you
are out and about, take some candid photos with your watch! Perfect at trade shows or even
just out with your mates! The built-in 2MB of memory is capable of storing up to 36 photos and
it includes software and a serial cable (RS232) for downloading images to a PC.

Spy Glasses
They let you see who is behind you! The lenses on these spy glasses have a special coating that
allows you to look straight ahead and still see what is going on behind you. Now, no one can
sneak up behind you.

Noise Amplifier
The ultimate in surveillance equipment, this handy little device fits on the ear and uses a tiny
amplifier to increase the level of ambient sound in a room. The sound is sent to the earpiece
allowing the user to eavesdrop on conversations discreetly.

KeyShark USB Keylogger
Keystroke logging device which records every key pressed on a computer keyboard storing an
exact copy of everything typed by the user! With enough capacity to store half a million
characters (key presses), it can quietly record the average computer user for many months and
still have room to spare. Installation takes just seconds, and the KeyShark starts to record
automatically. KeyShark works with USB style keyboards. It is a small external device, looking
like an adapter plugged into a USB socket. U.S. $280.95

Keyshark PS/2 Port Keylogger
The Keylogger is a device that can be connected to a keyboard to record all keystrokes and
data entered. It is password protected, and offers a keyword search facility, enable/disable
option, and will store over a year's worth of data! Keyshark sits between the keyboard and your
computer. U.S. $280.95

Wrist Watch Digital Camera
8M SDRAM allows storage of up to 26 VGA high resolution 350,000 pixel pictures. Auto
exposure, auto white balance, edge detection with enhancement and backlight compensation.
Upload images to a Palm PDA, or PC. One AAA battery not included. Images are displayable on
your PC in 16.7M (32-bit) color. Comes with a USB wire link and a CD-ROM so you can transfer
and save the pictures into your computer. U.S. $450.00

TeleMonitor 2000
Discreetly listen in on your premises via regular telephone lines from any telephone in the
world! Requires no activating beeper or whistle and does not affect normal incoming and
outgoing calls. Up to 4 units per line. Sensitive microphone will pick up even a whisper up to 35
feet away. To monitor, just dial your phone number from any tone telephone. Size: 5 1/2" x
3 1/2" x 1". This is a completely self-contained unit, no actual telephone required. It comes with
modular plugs for instant connection to telephone jacks and needs no batteries. U.S. $379.95

Super Ear
It increases your ability to hear the sounds around you indoors and out. Spy on sensitive
conversations. Hands-free listening, delivers a full 50+ db of sound gain. Measures 3 1/2 x
1 3/4 x 3/4. Comes with earphones and binocular mounting clip. U.S. $78.95

Bug Detector
Modern day miniature "bugs" can be hidden anywhere. Listening devices can be easily planted
in places like your office, residence, hotel etc. The Bug Detector not only tells if a bug is
present, there are 3 LEDs: Level 1 (Weak), Level 2 (Medium), Level 3 (Strong), indicating the
strength of the detected signal. You can zero in on its exact location. From 50 MHz to 3 GHz,
you choose to leave the bug or destroy it. All this can be done without alerting eavesdroppers.
It can also detect wireless cameras, wireless phones, wireless taps, and cell phones. Size: L 3.5"
x W 2.1". Power: (AAA battery x 2). U.S. $239.95

Telephone Tap Detector
Instantly tells you if there is a tap or eavesdropper on the line. Automatically mutes your call if
a tap is enabled while you are talking. U.S. $269.95

Cellular Voice Encryption
The Cellular Voice Encryption snaps onto the data port of an Ericsson cellular phone (included)
working over the GSM network. It uses the 256-bit AES encryption algorithm, which is the most
advanced encryption standard for voice communication, even more advanced than the DES
standard. Transparent operation, no action required by user. Military strength offers voice
protection against virtually all determined listeners. **Price per unit; 2 units are needed (one
at each side of the conversation). U.S. $2,200.00

Clock Camera
Clock Camera hides a wide angle lens behind the face, invisible no matter how hard you look!
The camera has high resolution and has an electric iris for clear viewing in low light situations.
The camera plugs into a TV monitor or VCR. 12V power supply included. U.S. $359.95

Key Chain Alcohol Breath Analyzer
Breath Analyzer is a sensitive instrument that measures breath alcohol content to equivalent
blood alcohol content (BAC) within seconds. Shows 5 progressive key concentration levels
denoted by a color coded LED display. U.S. $149.00

50,000 Volts Shocking Briefcase
The Remote Control Shocking Briefcase and Money Carrier: if it is picked up to 30 degrees out
of its horizontal position, without being disarmed, the briefcase will give a 5 second 85dB
warning siren and then shock the would-be thief at 50,000 volts of power. Also, when the
briefcase is being carried, a thief may attempt to steal it, however with its four function remote,
you can allow the would-be thief to get well away from you, up to 500 ft. (well over the length
of a football field) to avoid confrontation and then... press the remote control key to shock
them with 50,000 volts!! $699.00

Dummy Security Video Camera
Authentic looking camera simulates a high-tech security system and makes crooks think twice.
Flashing red LED fools unwanted visitors into thinking they are being watched. Uses 2 AA
batteries. U.S. $39.95

Mini Night Vision
The world's smallest night vision unit with a built-in infrared illuminator. You will see even in
total darkness! Good for spying. Measures 5 1/4 x 2 1/2 inches. 1.6x magnification. Amplifies
light 15,000 times. Comes with carrying case. Requires AAA batteries. U.S. $435.95

Cobra Vision
These goggles were originally developed for Soviet Air Force pilots who required hands-free
night vision. Helicopter pilots, paratroopers and tact-ops commandos also use them. They
amplify light 20,000 times. Infrared illuminator allows you to see in total darkness. Wide,
36 deg. field of view. Adjusts to fit any size head. Dust, shock and water resistant. U.S. $795.95

The Truth Machine
Pocket-sized device that monitors the truth behind someone's words by responding to voice
changes and inflections. The device is equipped with a highly sophisticated program and
computer chip that allow it to work on the same principle as a lie detector. It is extremely
sensitive to stress and subtle changes in voice inflection as an indicator of truthfulness.
U.S. $89.95

Acoustical Jammer
Secure your room conversation. It works by generating unfilterable random white noise. This
desensitizes any microphone-based eavesdropping. The Jammer also protects you from tape
recorders, shotgun mics, wired devices, microwave and laser pickups. U.S. $275

Mini Stun Gun
The world's smallest stun gun (the size of a pack of gum). It has enough juice to stun a 300 lb.
attacker without permanent damage. Simply touch the attacker's skin or clothes to deliver a
400 volt charge! Attach to belt or key ring, safety pin prevents any accidental discharge.
U.S. $43.95

Pro Track 1
Digital Vehicle Tracking System. Tracking range about 3 miles. Digitally encrypted signaling
(confidential to owner). Displays ID code of your target transmitter. Simultaneous monitoring
of up to 10 targets. Displays distance to target in feet (from 75 to 65,000). Available optional
transmitters: Magnet Mount Vehicle Tracker, Body Transmitter, Belt Clip Transmitter, Child
monitoring (kidnap) Transmitter. U.S. $2,850.00

Peephole Reverser
Developed to assist law enforcement officials to assess potential threats or activity behind
closed doors, these units are now available to the public. Simply place the lens over the
peephole and you can see into the room without alerting anyone inside by negating the
peephole's lens. Length: 2.7", weight: 1.5 oz. U.S. $89.95

Spy Phone
It may look like a regular Nokia cellular phone, however this super technology goes beyond its
standard capabilities. It operates as a normal cellular phone but when the phone is called in on
a special "Spy" mode (from anywhere in the world) it will automatically answer without any
ringing or lights coming on and the display stays the same as if it is on a "Standby Mode". While
on the "Standby mode" it will pick up the sounds nearby and transmit them back to you (the
caller). All you have to do is to activate it as if you would activate any cellular phone. Talk Time:
3 to 4 Hours. Standby Time: up to 6 Days. Weight: 2.8 oz. Technology: GSM standards for U.S.,
Europe, Asia.
NOTE: Except for Law Enforcement, this item is not available to U.S. residents. U.S. $2,400.00

Micro UHF Room Transmitter
Transmitter: This powerful little device has a 5 day battery life and can be concealed almost anywhere. It will pick up the slightest whisper from up to 40 feet away and transmit to our UHF receiver with amazing clarity up to a distance of 600 meters. Dimensions: 6.5 cm. x 3 cm. x 1 cm.
Receiver: About the size of a cigarette pack, this is a state of the art two channel UHF receiver. Recently upgraded, its sensitivity is incredible. It is capable of receiving the signal from our UHF transmitter for long range use with amazing clarity. A recorder can be connected to the receiver so the user can record all conversations and listen, too.

Please note this item is NOT available to U.S. residents. U.S. $1,370.00

Envelope X-ray Spray
Envelope X-RAY Spray turns opaque paper temporarily translucent, allowing the user to view the contents of an envelope without ever opening it. 30 seconds after application, the envelope will return to its original state, leaving absolutely no markings, discoloration or other indications of use. Each can treats several hundred square inches. Non-flammable, non-conductive and non-photochemically reactive. Environmentally friendly (contains no Freon). Net weight: 8 oz. WARNING: Not to be used on U.S. Mail, except by or with the express permission of the addressee. Cannot ship by Air. U.S. $45.95

Air Taser
The AIR TASER is a small hand held self protection system which utilizes compressed air to shoot two small probes up to 15 feet away. These probes are connected by wire to the launcher, which sends a powerful electric signal into the nervous system of an assailant. This causes the body to go limp as the brain loses control over the rest of the body. The TASER is highly effective because the electrical signal penetrates the nervous system regardless of the placement of the probes. U.S. $395.95

Fiber Optic Snake Camera
Snorkel Camera, Tube Camera, Spy Camera, all in one. The remote head of this color video camera is the smallest on the market, measuring only .29" in diameter and 1.4" in length, and comes with a micro 3.9mm lens. Optional built-in light source (measures .55" diameter and 4" in length). The remote head is connected to the miniature control unit by a 38" super flexible cable. Great for surveillance under the door, tight places, machine vision, robotics, and quality control. US $1,398

Hidden Camera
Smoke Detector Camera hides a wide angle lens behind the face plate. Totally invisible no matter how hard you look! High resolution with electric iris for clear viewing in low light. It also contains a hidden microphone for audio. Comes with 12V power supply, and high ceiling mount. Wireless or wired, color or B&W camera, your choice. US $389.95 wired, $689.95 wireless.

MOBILTRACK

Monitor detailed information about a vehicle's travel activities using a satellite positioning network (GPS) cross referenced with digital street maps, providing proof of exact date, time, speed, and location right down to the street level. US $2,495

Telephone Voice Changer
The Telephone Voice Changer incorporates an eight level pitch adjustment. At the high range a man's voice will sound like a woman. At low range a woman will sound like a man. A built-in amplifier can increase the sound of the incoming voice. It installs by plugging into the base and handset of the telephone. US $59.95

UV Pen
The ink in this pen is invisible to the naked eye, so any paper you write on will appear to be blank. However, under a UV light source, your "secret message" will appear. Possible technique for securing passwords without leaving them visible in the work space area. US $5.95

Cellular Blocker
The systems utilize a unique transmission method that confuses the decoding circuits of cellular handsets as if no cellular base station is within the service area. Upon activating the Blocker, all idle phones will indicate "NO SERVICE". Consequently, all cellular phone calls already in progress within the defined area will be cut off and the radio link will be lost. US $1,948


Privacy Test
Chapter 22

Privacy Test
As usage of the Internet and CRM products expands, huge amounts of data are being collected on everyone. With each bulging database comes the increased possibility that sensitive information will fall into the wrong hands or that erroneous information will be collected. Everywhere you turn cameras are watching you, companies are building profiles on you and your habits, and software programs track where you go and what you read on the Internet. The public has pushed back, with many people crying enough is enough. This web page addresses some of the privacy issues and some of the measures you can take to protect yourself at least a little. However, please be advised that this web site does not pretend to address all of the issues or solve the privacy dilemma. You alone are responsible for enacting privacy measures which are consistent with your own desires for privacy.
Take the Privacy Test

Answer Yes or No to each question.

1. Have you ordered your own credit reports for $8.00 each? (www.experian.com, www.equifax.com, www.transunion.com)
2. Have you ordered your medical history report for $8.50? (www.mib.com)
3. Have you ordered your own Social Security Earnings report for free? (www.ssa.gov)
4. Have you ordered a copy of your driving record? (http://www.ark.org/dfa/motorvehicle/driverservices.html)
5. Do you take time to "Opt Out" of junk mail? (http://www.thedma.org/)
6. Do you avoid filling out warranty and registration cards or use an alias when doing so?
7. Do you avoid publicly donating money to charities?
8. Do you avoid joining clubs and organizations?
9. Do you avoid subscriptions to magazines or use an alias?
10. Do you have an unpublished telephone number?
11. Do you avoid sweepstakes?
12. Do you avoid giving out your social security number whenever possible, with persistence?
13. Do you refuse to allow your credit card number to be written on your checks? (unlawful in many states to do so)
14. Do you refuse to allow your phone number and address to be written on your credit card slips? (also unlawful in many states)
15. Do you avoid cordless phones?
16. Do you avoid cellular phones?
17. Do you subscribe to "Caller ID Blocking"?
18. Do you have a PO Box address to use in all but the most important circumstances?
19. Do you shield your hand at ATM machines when entering your PIN number?
20. Do you shield your hand when entering calling card numbers at public telephones to make long distance calls?
21. Do you read the fine print on applications and order forms?
22. Do you encrypt your email?
23. Do you use a combination of letters and numbers in your passwords?
24. Do you change your passwords occasionally?
25. Do you use different passwords for every account?
26. Is your computer password protected at the system level?
27. Do you have a second email account for personal use?
28. Do you have a second email account that you use for less important purposes?
29. Do you sign your name legibly when signing Signature Capture Devices?
30. Do you read privacy policies on web sites?
31. Have you taught your children not to give out personal information on the internet?
32. Do you clear your cache frequently after browsing?
33. Do you make sure to use secure connections when transmitting sensitive data over the internet?
34. Do you reject unnecessary cookies?
35. Do you use anonymous remailers when appropriate? (Hushmail for example: https://www.hushmail.com/)
36. Do you use anonymizers when browsing? (http://www.anonymizer.com/)
37. Do you use a personal firewall on your internet connection?
38. Have you read your company's privacy policy?
39. Do you perform due diligence on any new service, company, or web site that you patronize?
40. Do you avoid using newsgroups or chat rooms, or at least use an alias?
41. Do you use a digital ID to authenticate your email?
42. Do you ignore junk email?
How did you score?
Multiply your YES responses by 3. In previous audience surveys, the audience has scored on average as follows:
Less than 20: 27%;
20 to 40: 55%;
40 to 60: 8%
(10% did not report their score.)
The higher you score, the more measures you have taken to protect your privacy.


Fake IDs
Chapter 23


Do-it-Yourself Fake IDs
For many years the graphic images needed to create your own driver's license for each state were freely available for download from numerous web sites. As a result, millions of computer savvy teenagers have created fake driver's licenses despite the holograms and other high tech security features that states now put on licenses to thwart forgers. Using the Internet, anyone willing to break a few laws can be a mass producer of fake IDs. Fake licenses can be made easily by downloading these templates, scanning a picture into the computer, editing the template and printing the finished product with a photo quality ink jet printer. Since 9/11, many of these sites have been shut down, but new sites pop up continuously.

Are Fake IDs Harder to Obtain?
There are over 900,000 web sites offering to help you obtain a fake ID. These services offer holograms, full color photos, professional laminates, and all the trimmings to make a fake ID. For example, this web site for The ID Shop claims to provide near identical passports.

In years past there were no procedures for verifying the authenticity of an ID; only the police had that capability. However, today online verification terminals are popping up everywhere. Further, the laws are different now; for example, today just handing a fake ID to a bar bouncer could land you in jail.
Some reports indicate that it is actually fairly difficult to get your hands on high quality fake IDs today. They claim that most of those enticing fake ID sites on the internet are total rip-offs that deliver nothing, or they deliver poor quality IDs with the word Novelty stamped on the back. Some fake ID sites promise to deliver fake driver's licenses, but when your license arrives it's a worthless go-kart license. They get away with this because whom can you complain to?
While there are numerous Fake ID web sites on the Internet now, most do not seem to offer actual replica driver's licenses or other official government documents. I can only conclude that the Department of Homeland Security is monitoring the Internet and taking measures to shut down these operations, or at least preventing them from producing official looking government issued IDs.
However, they are not doing a good enough job. In less than 10 minutes of searching, I found the following web site that allowed me to download driver's license templates for Florida, Michigan, Arizona, New Hampshire, Idaho, New York, and South Dakota.

I was able to edit these templates in PhotoShop in about 5 minutes to create the following fake ID using my picture and fake information.


Now I only need to print it out, apply a transparent laminate sheet and trim to produce the fake ID. The numbers and information contained on the ID won't match the data in the Florida database, but this ID would probably be good enough to enable underage drinking, to fool a doctor's office into admitting a person and providing services, or to engage in a number of other crimes.

Algorithms
Today most states use some type of algorithm to make duplication of driver's licenses harder to achieve. For example, in Georgia, the last digit in the year of birth also appears elsewhere on the driver's license in an inconspicuous place; if the numbers do not match, the ID is obviously a fake ID. Forgers who are not aware of this check have only a 10% chance of producing a driver's license that will pass close inspection.


Outside the Internet, Fake IDs Seem to be Easy to Obtain
Despite the fact that many fake ID web sites may seem to be closed for business, it appears that there are other sources for high quality fake IDs other than the Internet. From my own personal experience I know a friend whose daughter went to college in 2007 and during her first sorority meeting, applications and fees for fake IDs were solicited. The resulting IDs were high quality like this fake ID shown below.

(A $100,000 identity theft and check fraud scam was perpetrated by this thief using this phony driver's license in Oregon State, targeting construction related businesses.)

Congressional investigators confirmed this when they easily convinced motor vehicle agency employees around the country to issue genuine driver's licenses. According to a report from the General Accounting Office, agents operating undercover in seven states and the District of Columbia ultimately obtained driver's licenses at every agency where they applied. The most serious vulnerabilities appeared in California, where agents managed to complete the process to receive three temporary state driver's licenses within two days using the same fake information.
Florida police also confirm the availability of fake IDs. During four spring break weeks, Florida police staked out bars, restaurants and nightclubs in Panama City and Daytona Beach. The police looked for IDs with flawed holograms and incorrect letter and number codes that are supposed to be known only by police and a state's motor vehicles department.
They arrested about 350 teenagers for carrying fake IDs and 1,200 for underage drinking and confiscated 10,000 bogus IDs. That's an indication, police said, of the enormous popularity of counterfeit licenses among high school and college students. If you extrapolate the Panama City and Daytona Beach figures, he says, "you're talking millions and millions" of fake IDs around the country. Another police officer estimated that 50% of underage high school and college students have fake IDs.


Fake Diplomas, College Degrees & Other Documents
Fake diplomas and college degrees, including fake transcripts, also seem to be readily available as this web site shows.

In fact there are many internet sources for many fake documents, from Fake High School Diplomas, fake transcripts, fake birth certificates, fake business cards, fake ID badges, etc.

The Solution: Background Checks
The solution to the threat of fake IDs is rather simple: do background checks on everybody you come in contact with, including customers, suppliers, employees and subcontractors. Don't give anybody access to your building, your operations, or your data until you confirm who they are. As an example, Net Detective claims that you can search over 3.1 billion records to obtain information on over 90% of residents in the U.S. They claim to have 843,000 users. They provide instant access; no download is required. The information provided includes criminal records, family history, birth, death, social security, adoption, DMV Records, unlisted phone numbers, address, phone number, email addresses, access to your own credit reports, and your own FBI file.


Key Points
1. Fake ID and driver's license templates are available on the web.
2. Many fake ID web sites provide poor quality IDs, Go-Kart IDs, or NOVELTY IDs.
3. At least one sorority solicits money for fake IDs at their first chapter meetings.
4. Codes and algorithms are used to help prevent driver's license forgeries.
5. Fake diplomas and college transcripts are also available.
6. A background check is your best protection against fake IDs.
7. ID authentication methods and web sites are becoming more prevalent.
8. Today, the best fake IDs are backed up by a real identity using identity theft.


National ID Cards
Chapter 24

National ID cards are advocated by some as a means to enhance national security, unmask potential terrorists, and guard against illegal immigrants. They are already in use around the world, including most European countries, Hong Kong, Malaysia, Singapore and Thailand. The United States and United Kingdom continue to debate the merits of adopting national ID cards.
Historically, Americans have rejected the idea of a national ID card. When the Social Security Number (SSN) was created in 1936, it was meant to be used only as an account number associated with the administration of the Social Security system. Though use of the SSN has expanded considerably, it is not a universal identifier and efforts to make it one have been consistently rejected. For example:
1. In 1971, the Social Security Administration task force rejected the extension of the Social Security Number to the status of an ID card.
2. In 1973, the Health, Education and Welfare Secretary's Advisory Committee on Automated Personal Data Systems concluded that a national identifier was not desirable.
3. In 1976, the Federal Advisory Committee on False Identification rejected the idea of an identifier.
4. In 1977, the Carter Administration reiterated that the SSN was not to become an identifier.
5. In 1981 the Reagan Administration stated that it was "explicitly opposed" to the creation of a national ID card.
6. The Clinton administration advocated a "Health Security Card" in 1993 and assured the public that the card, issued to every American, would have "full protection for privacy and confidentiality." Still, the idea was rejected and the health security card was never created.
7. In 1999 Congress repealed a controversial provision in the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 which gave authorization to include Social Security Numbers on driver's licenses.
In response to the tragic events of Sept. 11, 2001, there has been renewed interest in the creation of national ID cards. Soon after the attacks, Larry Ellison, head of California-based software company Oracle Corporation, called for the development of a national identification system and offered to donate the technology to make this possible. He proposed ID cards with embedded digitized thumbprints and photographs of all legal residents in the U.S. There was much public debate about the issue, and Congressional hearings were held. Former House Speaker Newt Gingrich testified that he "would not institute a national ID card because you do get into civil liberties issues." When it created the Department of Homeland Security, Congress made clear in the enabling legislation that the agency could not create a national ID system. In September 2004, then-DHS Secretary Tom Ridge reiterated, "The legislation that created the Department of Homeland Security was very specific on the question of a national ID card. They said there will be no national ID card."
The public continues to debate the issue, and there have been many other proposals for the creation of a national identification system, some through the standardization of state driver's licenses. The debate remains in the international spotlight; several nations are considering implementing such systems. The U.S. Congress has passed the REAL ID Act of 2005, which mandates federal requirements for driver's licenses. Critics argue that it would make driver's licenses into de facto national IDs.
The REAL ID Act of 2005
The REAL ID Act of 2005 is a law which imposes federal technological standards and verification procedures on state driver's licenses and identification cards, many of which are beyond the current capacity of the federal government, and mandates state compliance by May 2008. As of April 2, 2008, all 50 states have either applied for extensions of the original May 11, 2008 compliance deadline or received unsolicited extensions, meaning that the REAL ID Act will not become an issue at federal facilities and airports until December 31, 2009.
Some claim that REAL ID turns state DMV workers into federal immigration officials, as they must verify the citizenship status of all those who want a REAL ID-approved state driver's license or identification card.
In order to get a Real ID you will be required to show your birth certificate, proof of address and citizenship, photo ID, and Social Security card, which are just some of what you might be asked to present to the DMV. If you enter an establishment and are required to show your Real ID, all of your personal information can be scanned and digitally stored from the RFID or strip on your card, such as your name, birth date, sex, ID number, and a digital photograph. (Notice that the image above also shows the individual's religion. Why would the DHS want to know your religious beliefs?)


Homeland Security may also add additional requirements such as a fingerprint or retinal scan; they won't issue their specifications for the Real ID for several months. The Department of Homeland Security is in charge of the Real ID, and each card will have personal data encoded on a strip and/or an RFID chip. DHS contemplates using the REAL ID system as part of its Federal border security program and requested comments on how States could incorporate long range radio frequency identification ("RFID") technology into the REAL ID card so that it could be used as part of the Western Hemisphere Travel Initiative.

Revelation 14:9-11


Fake Social Security Cards
Chapter 25


Social Security Cards Are Required

The US federal government requires all legal residents to have a valid social security card. This card is used by the Internal Revenue Service (IRS) to track an individual's earnings and taxes.

The Social Security Number

The digits in the Social Security Number are divided into three parts:

1. The Area: The first three digits of a social security number are based on an algorithm applied to the recipient's ZIP Code (based on the mailing address shown on the social security application). The following table shows how area numbers have been assigned.

Social Security numbers containing area numbers other than those found on the table above are impossible.

Prior to 1972, cards were issued in local Social Security offices around the country and the Area Number represented the location from where the card was issued (the numbering scheme was designed in 1936, before computers, to make it easier for SSA to store the applications in its files). In 1972, SSA began assigning SSNs and issuing cards centrally from Baltimore, and the area number assigned is based on the recipient's ZIP code. Since the applicant's mailing address does not have to be the place of residence, the Area Number does not necessarily represent the State of residence. However, generally speaking, area numbers have been assigned beginning in the northeast and moving westward. So people on the east coast have the lowest numbers and those on the west coast have the highest numbers.

2. The Group: The middle two digits range from 01 to 99 but are not assigned in consecutive order. For administrative reasons, group numbers issued first consist of the ODD numbers from 01 through 09 and then EVEN numbers from 10 through 98, within each area number allocated to a State. After all numbers in group 98 of a particular area have been issued, the EVEN Groups 02 through 08 are used, followed by ODD Groups 11 through 99.

Because this numbering scheme is confusing, and since the application form for an SSN asks for identifying information such as date of birth, place of birth, parents' names, and (optionally) the applicant's race, a common myth is that the group ID identifies the cardholder by a specific group such as race. According to the SSA, this is not true.

3. Serial Numbers: The last four digits run consecutively from 0001 through 9999.
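The group-number issuance order just described is exactly the kind of rule an employer or fraud analyst can turn into a structural plausibility check on an SSN (the "randomly generated numbers" on street-bought cards, discussed below, often violate it). The following Python is an added example, not material from this handout: it encodes the odd/even issuance sequence, rejects group 00 and serial 0000, and, given the latest group number issued in an area (an assumed input; the page does not say where to obtain it, and the constructed value below is illustrative), decides whether a candidate group number could have been issued yet. The area-number table the text refers to is not reproduced on the page, so the area is only checked for format.

```python
"""
Structural checks on a Social Security Number (SSN) based on the numbering
scheme described in this chapter.  Added example, not course material.
"""
import re

# Issuance order of the two-digit group number, as described in the text:
#   first   the ODD  groups 01 through 09,
#   then    the EVEN groups 10 through 98,
#   then    the EVEN groups 02 through 08,
#   finally the ODD  groups 11 through 99.
GROUP_ISSUE_ORDER = (
    list(range(1, 10, 2))      # 01, 03, 05, 07, 09
    + list(range(10, 99, 2))   # 10, 12, ..., 98
    + list(range(2, 9, 2))     # 02, 04, 06, 08
    + list(range(11, 100, 2))  # 11, 13, ..., 99
)
# Rank 0 is the first group ever issued in an area, rank 98 the last.
GROUP_RANK = {g: rank for rank, g in enumerate(GROUP_ISSUE_ORDER)}

_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def parse_ssn(ssn):
    """Split 'AAA-GG-SSSS' (dashes optional) into (area, group, serial) ints."""
    m = _SSN_RE.match(ssn.strip())
    if not m:
        raise ValueError(f"not a nine-digit SSN: {ssn!r}")
    return tuple(int(part) for part in m.groups())


def group_rank(group):
    """Position of a group number in the issuance sequence (0-based)."""
    if group not in GROUP_RANK:
        raise ValueError(f"group number {group:02d} is never issued")
    return GROUP_RANK[group]


def structural_problems(ssn):
    """Return reasons an SSN cannot have been issued, or [] if none found.

    Only rules stated in the text are applied: group 00 and serial 0000 do
    not exist.  The area would be checked against the SSA area table, which
    is not reproduced on this page, so only its format is verified.
    """
    try:
        _area, group, serial = parse_ssn(ssn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if group == 0:
        problems.append("group 00 is never issued (groups run 01-99)")
    if serial == 0:
        problems.append("serial 0000 is never issued (serials run 0001-9999)")
    return problems


def group_could_be_issued(ssn, latest_group_in_area):
    """True if the SSN's group is at or before `latest_group_in_area` in the
    issuance sequence.  `latest_group_in_area` is an assumed input: the most
    recent group number issued for this SSN's area."""
    _area, group, _serial = parse_ssn(ssn)
    return group_rank(group) <= group_rank(latest_group_in_area)


def main():
    # Constructed sample SSNs; none of these is a real person's number.
    samples = ["123-00-0000", "123-04-5678", "123-10-0001", "123-97-0001"]
    latest = 98  # constructed: assume area 123 has issued groups up to 98
    for s in samples:
        bad = structural_problems(s)
        if bad:
            print(f"{s}: impossible -> {'; '.join(bad)}")
            continue
        issued = group_could_be_issued(s, latest)
        print(f"{s}: group {s[4:6]} {'already' if issued else 'not yet'} issued")


if __name__ == "__main__":
    main()
```

Because even groups 02 through 08 come after 98 in the sequence, an SSN with group 04 in an area that has only reached group 98 cannot exist yet, even though 04 is numerically smaller.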

Obtaining Fake Social Security Cards

According to an article in the Arizona Republic, within hours of crossing the border, illegal immigrants can buy them from "runners" on virtually every street corner. "Mica, mica," runners brazenly say to potential customers. Mica (pronounced MEE-ka) is Spanish slang for the green cards. Other dealers are more discreet as they pass out business cards for auto mechanics, yard work, taxicabs and other services that are really fronts for makers of fraudulent documents.

Edward Ochoa is an undercover investigator who buys fake documents as part of the Arizona Fraudulent Identification Task Force. He explains how the process of obtaining a fake social security card, green card, or driver's license works. To get a fake ID, a buyer provides a passport photo, then waits while a runner takes the image to a "manufacturer," usually another undocumented immigrant holed up in an apartment nearby. If they don't have a photo, the runner can usually take a picture with an instant camera. Reportedly, a "two-pack" (a green card and a Social Security card) costs as little as $70 on the street. A "three-pack" (a green card, driver's license and Social Security card) goes for $140 to $160. Those prices buy documents with randomly generated numbers. Sometimes the numbers invented by a manufacturer coincidentally belong to actual people.

Buying fake documents made with government issued ID numbers and a matching name stolen from someone else is far more expensive. Those documents are more difficult to get and cost three to five times as much as ones using bogus Social Security and immigration numbers. Some numbers are stolen. Others belong to children or to people who died.

Making Fake Social Security Cards

Templates of driver's licenses, green cards and other documents can be bought on the black market, downloaded from the Internet or produced from scratch with a graphics software program. Producing fraudulent documents has become much easier; all you need is a computer, scanner, a graphics software program like PhotoShop, and a high grade card printer like the ones shown below. They cost about $1,000 and print on plastic or PVC blanks. Card blanks cost about $1.00 each.

Within two hours of taking an order for fake documents, the runner returns with documents real enough to fool unsuspecting employers or to satisfy unscrupulous ones.

Social Security Card Security Features

1. The card contains a blue tint marbleized random pattern. Any attempt to erase or remove data is easily detectable because the tint is erasable.
2. Small multicolored discs are randomly placed on the paper stock and can be seen with the naked eye.
3. Intaglio printing of the type used in US currency is used for some printing on the card and provides a raised effect that can be felt.

By today's standards, these security features are considered lame. Because Social Security cards are paper, many people laminate their cards. However, a laminated card can hamper the ability of the government to utilize these security features. The government will replace your card free if you lose it.

Stronger Social Security Cards on the Way
Congressmen introduced legislation in February 2008 to enhance the security features of Social Security cards. The proposed new cards will feature:

1. A photograph
2. A fingerprint
3. A computer chip
4. A bar code
5. A magnetic strip

The cards would be modeled after the Common Access Card issued by the Department of Defense, mostly to active military reserve members and their dependents, said U.S. Rep. Mark Kirk (R-Ill.), a sponsor of the bill. Current Social Security cards have limited security features and have no photo or biometric data, he said.

Lose Your Business Hiring Illegals
In July, 2008 Arizona enacted a tough employer sanctions law which revokes the business licenses of employers caught knowingly hiring illegal workers a second time. It also requires the more than 150,000 licensed Arizona employers to run Social Security numbers and other data for new employees through the federal Basic Pilot Program, an electronic verification system. Two other states, Colorado and Georgia, have passed similar laws.


Identity Theft
Chapter 26


Identity Theft
According to a U.S. Federal Trade Commission report, it is estimated that more than 50 million Americans were victims of identity theft. About half of the victims knew how their identity was stolen. The report found evidence that suggests that quick discovery of identity theft reduces the risk of thieves opening unauthorized accounts. Here are some relevant statistics:
1. Accounts were opened in 45 percent of identity theft cases in which at least six months elapsed before victims noticed their information was misused. Accounts were opened in fewer than 10 percent of cases where victims learned of misuse within a month.
2. 33.4 million Americans were victims of identity theft from 1990 to 2003.
3. 34% say someone obtained their credit card information, forged a credit card in their name, and used it to make purchases.
4. 12% say someone stole or obtained improperly a paper or computer record with their personal information on it and used that to forge their identity.
5. 11% say someone stole their wallet or purse and used their identity.
6. 10% say someone opened charge accounts in stores in their name and made purchases as them.
7. 7% say someone opened a bank account in their name or forged checks and obtained money from their account.
8. 7% say someone got to their mail or mailbox and used information there to steal their identity.
9. 5% say they lost their wallet or purse and someone used their identity.
10. 4% say someone went to a public record and used information there to steal their identity.
11. 3% say someone created false IDs and posed as them to get government benefits or payments.
12. 16% say it was a friend, relative or co-worker who stole their identity.
13. The seven million victims the survey identified in 2002 represent an 81% rise over victims in 2001.
Security risks related to identity theft are on the rise. There are a number of ways in which identity thieves could threaten your computer systems. For example, they could use employee badges to enter your premises, or masquerade in the community as your employee or vendor. A thief might assume the identity of a vendor's sales representative and visit your accounts payable department to collect cash or check payments. With today's technology, it is easy to reproduce business cards, badges, uniforms and even vehicle identification. That same thief might masquerade as one of your employees and attempt to withdraw money from your corporate bank accounts. An identity thief could republish your web site to a similar domain name, and change only the contact information. The possibilities are frightening.
To protect against identity fraud, common sense is your best ally. Some of the top prevention measures include the following:
1. Setting up PIN numbers on all bank accounts
2. Using finger print or retina scan technology instead of passwords and badges to prevent access to computer systems or buildings
3. Instruct employees not to write passwords down
4. Force users to change passwords monthly
5. Safeguard employee information such as social security numbers or employee numbers from non-authorized personnel
6. Use shredders to destroy sensitive documents
7. Reconcile all statements timely, to the penny
8. Password protect all traveling laptops at the system level.
9. Have someone in your organization search the internet regularly for the use of your corporate name or the names of key individuals to protect against improper use.
Another key threat from identity theft is that of hiring a masquerading employee. Using a false identity, a thief could be hired into your organization and given access to critical systems and areas within your organization. Once trusted, this person could then arrange to steal cash and equipment, and disappear into the night. For this reason, background checks and a certain amount of due diligence work are necessary in order to verify that new hires are who they say they are. For more information on preventing identity theft, visit the Identity Theft Prevention Checklist at the following URL:

http://victimsassistanceofamerica.org/eduinfo/idtheft_prevention.cfm

Identity Theft: What To Do If It Happens To You
1. Report it to the police
2. Cancel all credit cards
3. Call fraud units: Experian, Equifax, TransUnion
4. Notify banks
5. Fill out fraud affidavits to prove innocence
6. Get a new ATM card
7. Have SSN changed
8. Notify the passport authorities
9. Report stolen checks to TeleCheck, National Processing Company (NPC), and Equifax
10. Notify postal inspector if you suspect mail theft
11. Call telephone, electricity, and gas companies and alert them
12. Change driver's license number
13. Call Consumer Credit Counseling for help removing fraudulent claims from your record: 800.388.2227
14. Keep a log of all conversations you have dealing with this, including names and dates
15. Consider seeking legal counsel.
16. Pay attention to your mental health
17. Change passwords everywhere
18. Change PIN numbers
19. Change email addresses
20. Use common sense

Recommendations for Preventing Identity Theft
Prevent Identity Theft

You can't guarantee that you will never be a victim, but you can minimize your risk with the following measures.

1. Big Duh: Don't give out personal information on the phone, through the mail or over the Internet (through email or online forms, or any other manner) unless you have initiated the contact or are sure you know who you're dealing with.

2. Resist Providing Personal Information: Before revealing any personally identifying information (for example, on an application), find out how it will be used and secured, and whether it will be shared with others. Ask if you have a choice about the use of your information. Can you choose to have it kept confidential?

3. Secure Your Home: Secure personal information in your home in safes that are bolted to the floor, especially if you have roommates, employ outside help, or are having service work done in your home. Securely store extra checks, credit cards, documents that list your Social Security number, and similar valuable items.

4. Fool Burglars: Don't advertise to burglars that you're away from home. Put lights on timers, temporarily stop delivery of your newspaper, and ask a neighbor to pick up any items that may arrive unexpectedly at your home.

5. Guard Your Mail: Pick up mail from your mailbox promptly. Do not send mail through your mailbox; a red flag raised on your mailbox is, well, a red flag for burglars that a check is probably waiting inside. If you're planning to be away from home and can't pick up your mail (or are called away on an unexpected business trip or family emergency), call the U.S. Postal Service at 1-800-275-8777 to request a "vacation hold" or ask your carrier or a counter clerk for an "Authorization to Hold Mail" form (PS Form 8076). You might also consider purchasing and installing a relatively secure "locking" mailbox for either city or rural use.

6. Guard Your Trash: Protect your garbage. Identity thieves rummage through trash in your trash can or at landfills looking for personal information. To thwart identity thieves, who may pick through your trash or recycling bins to capture your personal information, tear or shred your...

a. charge receipts,
b. copies of credit applications,
c. insurance forms,
d. physician statements,
e. checks and bank statements,
f. credit card statements,
g. expired charge cards that you're discarding,
h. pre-approved credit card offers you get in the mail, and
i. any documents that contain your social security number

7. OptOutIfyoudonotusetheprescreenedcreditcardoffersyoureceiveinthemail,
youcan"optout"bycalling18885OPTOUT(18885678688).Youwillbeaskedfor
yourSocialSecuritynumberinorderforthecreditbureaustoidentifyyourfilesothat
they can remove you from their lists and you still may receive some credit offers
because some companies use different lists from the credit bureaus' lists.

(Ifyoudoacceptacreditcardoffer,beawarethatsomecreditcardcompanies,when
sending out credit cards, have recently adopted security measures that allow a card
recipienttoactivatethecardonlyfromhis/herhomephonenumber,butthisisnotyet
auniversalpractice.)

8. Purchase a Shredder - Shredders come in a variety of styles and prices, starting with
shredding scissors and escalating to powerful shredders that can shred through binder
clips.

9. Limit, protect, and be aware of the type and amount of personal data you carry
around... Keep your purse/wallet and organizer/briefcase, as well as any copies you may
retain of administrative forms that contain your sensitive personal information, in a safe
place at work.

10. Use PINs & Passwords - Place passwords on your credit card, bank, brokerage and
phone accounts. Avoid using easily available information like your mother's maiden
name, your birth date, the last four digits of your SSN or your phone number, or a series
of consecutive numbers. When opening new accounts, you may find that many businesses
still have a line on their applications for your mother's maiden name. Use a password
instead.

11. At Work - Keep your purse or wallet in a safe place at work.

12. Monitor Bills - Pay attention to your billing cycles. Follow up with creditors if your
bills don't arrive on time. A missing bill could mean an identity thief has taken over your
account and changed your billing address to cover his tracks. Check your bills/statements
carefully and call companies if you do not receive regular bills in a timely manner. Make
it your habit to review your bank and credit card statements as soon as you receive them
and report any unauthorized transactions promptly so the accounts can be closed.

13. Credit Card Photos - Some issuers of bank and/or credit cards offer the option of
adding the PHOTO of the named customer on the face of the card. If your issuer(s) offer
this option, TAKE ADVANTAGE. It's certainly more difficult for someone else to use a card
with your photo on it.

14. Be Check Smart - When ordering new checks, pick them up at the bank, rather than
having them sent to your home mailbox. Consider using only your first initial(s) rather
than your full name so a thief won't know what to sign. To save time, many people have
their bank print every bit of personal info they can fit on personal checks to speed up
check approval in the checkout line (and minimize what they have to write in by hand).
Resist the urge. Don't put any information other than your name and address on your
checks. Also, keep a close watch on your checkbook both when you're writing checks
and when it is lying around.

Some thieves use cleaning solvent to remove what is already written on a check, making
it payable to themselves. To make this harder, you should write checks using a pen with
thick, dark ink. Draw lines to fill in gaps in the spaces where you designate to whom a
check is payable and the amount.

If your checks have been stolen or misused, immediately notify your bank, place a stop
payment order, and close your checking account. Also, immediately report to your bank
any irregularities in your bank statements. Report mail theft or tampering to the U.S.
Postal Inspection Service, which is listed in your phone book.

15. GUARD deposit slips as closely as you do checks. Not only do they have your name,
address and account number printed on them, but they can also be used to withdraw
money from your account. All a thief has to do is write a bad check, deposit it into your
account and use the "less cash received" line to withdraw your money.

16. Avoid Shoulder Surfers - A "shoulder surfing" identity thief can memorize your name,
address and phone number during the short time it takes you to write a check. Also, in
many public places "shoulder surfing" criminals can stand nearby and watch you punch in
your phone card number, debit card PIN, credit card number, or even listen in on your
conversation if you give your credit card number over the phone for a hotel room or
rental car. Don't carry more checks than you need. Keep extra checks in a secure place.

17. Bolster Your Insurance - ID theft already is covered under some homeowners'
policies; others will add it for as little as $25 a year. A stand-alone policy costs from $60
to $200.

18. Be Careful in Job Searches - Online recruiting business giants like Monster.com,
CareerBuilder.com and HotJobs.com caution users about false online job listings that are
sometimes posted by identity thieves to illegally collect personal information from
unsuspecting job seekers.

19. Check Your Credit Reports - Order a copy of your credit report from each of the three
major credit reporting agencies every year. Make sure it is accurate and includes only
those activities you've authorized.

20. Be Careful at Restaurants - When paying at stores, restaurants, and other businesses,
be methodical at the payment counter, ensuring you retrieve your driver's license or
other ID, credit card and your credit slip copy after your purchase. Make sure that the
person you give the credit card to really is the waiter or proper person.

21. Xerox Your Wallet or Purse - Take a few minutes to make paper copies of all of the
cards and IDs you carry in your wallet or purse, including the backs, as they contain
contact phone numbers in the event of theft. Secure the copies in a safe place.

22. ATM Crime - "Shoulder surfers" aren't limited to checkout stands and lines. Near
ATMs, some sophisticated thieves will watch the victim use the card (perhaps using
high-powered binoculars, or even hidden cameras) and learn the victim's personal
identification number (PIN) and even the card number. Later, they'll steal the card or
make their own and use ATMs to withdraw cash from your account. Watch for one or
more persons loitering around an ATM, often in a car, behind bushes or otherwise
nearby. Use your body, or cup your other hand over the keypad, to "shield" it as you
enter your PIN into the ATM. Never write your PIN on the back of your card; you could
lose it, and some ATM scams involve a scammer "distracting" the victim and grabbing
the card before running away.

23. Drive-up ATMs - If you are using a drive-up ATM, keep your engine running and be
sure your passenger windows are rolled up and all doors are locked. Before you roll down
your window to use the ATM, observe the entire surrounding area; if anyone or anything
appears to be suspicious, drive away at once. When possible, leave enough room
between cars when you're in the ATM drive-up queue to allow for a quick exit, should it
become necessary.

24. Counterfeit Cashier's Check
1. Inspect the cashier's check.
2. Ensure the amount of the check matches in figures and words.
3. Check to see that the account number is not shiny in appearance.
4. Be watchful that the drawer's signature is not traced.
5. Official checks are generally perforated on at least one side.
6. Inspect the check for additions, deletions, or other alterations.
7. Contact the financial institution on which the check was drawn to ensure legitimacy.
8. Obtain the bank's telephone number from a reliable source, not from the check
itself.
9. Be cautious when dealing with individuals outside of your own country.

25. Credit Card Fraud
a. Ensure a site is secure and reputable before providing your credit card number
online.
b. Don't trust a site just because it claims to be secure.
c. If purchasing merchandise, ensure it is from a reputable source.
d. Promptly reconcile credit card statements to avoid unauthorized charges.
e. Do your research to ensure legitimacy of the individual or company.
f. Beware of providing credit card information when requested through unsolicited
emails.

26. Debt Elimination
a. Know who you are doing business with; do your research.
b. Obtain the name, address, and telephone number of the individual or company.
c. Research the individual or company to ensure they are authentic.
d. Contact the Better Business Bureau to determine the legitimacy of the company.
e. Be cautious when dealing with individuals outside of your own country.
f. Ensure you understand all terms and conditions of any agreement.
g. Be wary of businesses that operate from P.O. boxes or mail drops.
h. Ask for names of other customers of the individual or company and contact
them.
i. If it sounds too good to be true, it probably is.

27. DHL/UPS
a. Beware of individuals using the DHL or UPS logo in any email communication.
b. Be suspicious when payment is requested by money transfer before the goods
will be delivered.
c. Remember that DHL and UPS do not generally get involved in directly collecting
payment from customers.
d. Fees associated with DHL or UPS transactions are only for shipping costs and
never for other costs associated with online transactions.
e. Contact DHL or UPS to confirm the authenticity of email communications
received.

28. Employment/Business Opportunities
a. Be wary of inflated claims of product effectiveness.
b. Be cautious of exaggerated claims of possible earnings or profits.
c. Beware when money is required up front for instructions or products.
d. Be leery when the job posting claims "no experience necessary".
e. Do not give your social security number when first interacting with your
prospective employer.
f. Be cautious when dealing with individuals outside of your own country.
g. Be wary when replying to unsolicited emails for work-at-home employment.
h. Research the company to ensure they are authentic.
i. Contact the Better Business Bureau to determine the legitimacy of the company.

29. Escrow Services Fraud
a. Always type in the website address yourself rather than clicking on a link
provided.
b. A legitimate website will be unique and will not duplicate the work of other
companies.
c. Be cautious when a site requests payment to an "agent", instead of a corporate
entity.
d. Be leery of escrow sites that only accept wire transfers or e-currency.
e. Be watchful of spelling errors, grammar problems, or inconsistent information.
f. Beware of sites that have escrow fees that are unreasonably low.

30. Identity Theft
a. Ensure websites are secure prior to submitting your credit card number.
b. Do your homework to ensure the business or website is legitimate.
c. Attempt to obtain a physical address, rather than a P.O. box or mail drop.
d. Never throw away credit card or bank statements in usable form.
e. Be aware of missed bills which could indicate your account has been taken over.
f. Be cautious of scams requiring you to provide your personal information.
g. Never give your credit card number over the phone unless you make the call.
h. Monitor your credit statements monthly for any fraudulent activity.
i. Report unauthorized transactions to your bank or credit card company as soon
as possible.
j. Review a copy of your credit report at least once a year.

31. Internet Extortion
a. Security needs to be multi-layered so that numerous obstacles will be in the way
of the intruder.
b. Ensure security is installed at every possible entry point.
c. Identify all machines connected to the Internet and assess the defense that's
engaged.
d. Identify whether your servers are utilizing any ports that have been known to
represent insecurities.
e. Ensure you are utilizing the most up-to-date patches for your software.

32. Investment Fraud
a. If the "opportunity" appears too good to be true, it probably is.
b. Beware of promises to make fast profits.
c. Do not invest in anything unless you understand the deal.
d. Don't assume a company is legitimate based on "appearance" of the website.
e. Be leery when responding to investment offers received through unsolicited
email.
f. Be wary of investments that offer high returns at little or no risk.
g. Independently verify the terms of any investment that you intend to make.
h. Research the parties involved and the nature of the investment.
i. Be cautious when dealing with individuals outside of your own country.
j. Contact the Better Business Bureau to determine the legitimacy of the company.

33. Lotteries
a. If the lottery winnings appear too good to be true, they probably are.
b. Be cautious when dealing with individuals outside of your own country.
c. Be leery if you do not remember entering a lottery or contest.
d. Be cautious if you receive a telephone call stating you are the winner in a lottery.
e. Beware of lotteries that charge a fee prior to delivery of your prize.
f. Be wary of demands to send additional money to be eligible for future winnings.
g. It is a violation of federal law to play a foreign lottery via mail or phone.

34. Nigerian Letter or "419"
a. If the "opportunity" appears too good to be true, it probably is.
b. Do not reply to emails asking for personal banking information.
c. Be wary of individuals representing themselves as foreign government officials.
d. Be cautious when dealing with individuals outside of your own country.
e. Beware when asked to assist in placing large sums of money in overseas bank
accounts.
f. Do not believe the promise of large sums of money for your cooperation.
g. Guard your account information carefully.
h. Be cautious when additional fees are requested to further the transaction.

35. Phishing/Spoofing
a. Be suspicious of any unsolicited email requesting personal information.
b. Avoid filling out forms in email messages that ask for personal information.
c. Always compare the link in the email to the link that you are actually directed to.
d. Log on to the official website, instead of "linking" to it from an unsolicited email.
e. Contact the actual business that supposedly sent the email to verify if the email
is genuine.

36. Ponzi/Pyramid
a. If the "opportunity" appears too good to be true, it probably is.
b. Beware of promises to make fast profits.
c. Exercise diligence in selecting investments.
d. Be vigilant in researching with whom you choose to invest.
e. Make sure you fully understand the investment prior to investing.
f. Be wary when you are required to bring in subsequent investors.
g. Independently verify the legitimacy of any investment.
h. Beware of references given by the promoter.

37. Reshipping
a. Be cautious if you are asked to ship packages to an "overseas home office."
b. Be cautious when dealing with individuals outside of your own country.
c. Be leery if the individual states that his country will not allow direct business
shipments from the United States.
d. Be wary if the "ship to" address is yours but the name on the package is not.
e. Never provide your personal information to strangers in a chat room.
f. Don't accept packages that you didn't order.
g. If you receive packages that you didn't order, either refuse them upon delivery
or contact the company where the package is from.

38. Spam
a. Don't open spam. Delete it unread.
b. Never respond to spam, as this will confirm to the sender that it is a "live" email
address.
c. Have a primary and secondary email address: one for people you know and one
for all other purposes.
d. Avoid giving out your email address unless you know how it will be used.
e. Never purchase anything advertised through an unsolicited email.

39. Third Party Receiver of Funds
1. Do not agree to accept and wire payments for auctions that you did not post.
2. Be leery if the individual states that his country makes receiving these types of funds
difficult.
3. Be cautious when the job posting claims "no experience necessary".
4. Be cautious when dealing with individuals outside of your own country.

Chapter Review Key Points

1. Identity theft has become rampant in recent years.
2. Detecting identity theft within a month helps significantly to minimize losses.
3. You should review/balance all of your statements each month.
4. 12% of all identity theft comes from discarded papers.
5. 11% of all identity theft comes from stolen wallets or purses.
6. 16% of all identity theft is committed by friends, relatives or co-workers.
7. It is easy for someone to masquerade as a legitimate employee or co-worker.
8. PINs can help minimize damage from identity theft.

Employee Theft
Chapter 27

Employee Theft
The US Chamber of Commerce estimates that employee theft costs businesses $40 billion
each year. This total is ten times the value of street crime losses annually in the USA.
Another study estimates that employee theft and dishonesty cost U.S. businesses between $60
billion and $120 billion per year, not including the billions spent on protecting against theft.
Presented below are a few statistics:
1. Employees out-steal shoplifters.

2. The US Chamber of Commerce estimates that 75% of all employees steal at least once,
and that half of these steal again.

3. The Department of Justice reports cite lower numbers, estimating that nearly one third
of all employees commit some degree of employee theft.

4. Recent reports claim that employee theft is increasing at a rate of fifteen percent
annually, and according to the FBI, employee theft is one of the fastest growing crimes in
the USA.

5. Some experts claim that one third of all new businesses fail because of employee theft.

6. It is estimated that approximately two percent of all business sales are lost to employee
theft.

7. The percentage of resumes and job applications that contain lies and exaggerations has
been estimated between 30 and 80 percent. (Security Management Magazine)

8. 5% of professional hires have criminal records. (Source: HR Logic)

9. 75% of internal theft is undetected. ("How to Identify Dishonesty Within Your
Business")

10. Employee theft amounts to 4% of food sales at a cost in excess of $8.5 billion annually.
75% of inventory shortages are attributed to employee theft. (National Restaurant
Association)

11. The Labor Law Industry has increased by 2200%. (Equal Employment Opportunity
Commission)

12. Employee theft costs between 1/2% and 3% of a company's gross sales. Even if the figure is
1%, it still means employees steal over a billion dollars a week from their employers.
("How to Identify Dishonesty Within Your Business")

13. 30% of business failures are due to poor hiring practices. Annual losses generated by
poor hires, absenteeism, drug abuse, and theft amount to $75 billion per year. (U.S.
Department of Commerce, Atlanta Business Chronicle.)

Employee Theft Takes Many Forms
Employee theft can encompass many activities including:
1. Faking on-the-job injuries for compensation.
2. Taking merchandise.
3. Stealing small sums of cash.
4. Forging or destroying receipts.
5. Shipping and billing scams.
6. Putting fictitious employees on the payroll.
7. Falsifying expense records.

Employee theft may be a simple isolated event carried out by one individual, a highly organized
scheme to acquire substantial financial or material gain, or anything in between.

Preventing Employee Theft
Statistics indicate that only two percent of businesses that suffer losses from employee theft
take subsequent steps to prevent future cases of employee theft.
To deal with the problem of employee theft, employers can:
1. Better Hiring - In general, establish a smart hiring process more likely to yield
trustworthy employees (i.e. personal interviews, background checks, credit checks, etc.);

2. Better Accounting - In general, improve accounting practices and record keeping,
establish an internal employee theft department, beef up security measures, and more.

3. Pre-Screen Employees - For as little as $10 you can check criminal records, credit history
or other information. Background checks should include:

a. Criminal history for crimes involving violence, theft, and fraud;
b. Civil history for lawsuits involving collections, restraining orders, and fraud;
c. Driver's license check for numerous or serious violations;
d. Education verification for degrees from accredited institutions;
e. Employment verification of positions, length of employment, and reasons for
leaving.

4. References - Check and document references of each new hire.
5. Conduct Frequent Physical Inventories - Pilferage is one of the most common forms of
internal loss. Reconcile sales to inventory on a quarterly basis, or at least annually, with
the help of a third party. Conduct surprise inventories.

6. Separate Bookkeeping Functions - Misapplication of payments can lead to
embezzlement. Do not let the same person who processes checks also manage the
accounts receivable records.

7. Personally Approve Bookkeeping Adjustments - Approve any adjustments to the books,
no matter how slight, even adjustments to correct an error.

8. Control Check Signers - Limit the number of signatories to yourself and one or two
highly trusted assistants. Keep blank checks under lock and key.

9. Review Monthly Bank Statements - Instruct your bank to send the monthly statement
directly to you. Review the statement before passing it on to your bookkeeper. This
review allows you to spot any improperly executed checks.

10. Tighten Up On Petty Cash - Allow only one or two trusted employees to disburse petty
cash. Require that a receipt and a signed voucher be submitted for all petty cash
disbursements.

11. Separate Buying and Bookkeeping - To maintain a system of checks and balances,
assign ordering and payment responsibilities to different employees.

12. Watch Company Credit Cards - Require all credit cards be signed out and all credit card
expenses be authorized by a purchase order.

13. Document All Expense Reports - Require strict documentation for all reimbursable
expenses incurred by employees. Subject every expense account voucher to a pre-audit
review procedure before payment.

14. Have A Third Party Refund Policy - Issue refunds only upon the approval of a third
party, preferably a trusted assistant.

15. Culture of Honesty - Try to cultivate a culture of honesty within your organization
through short seminars, circulating articles, and recognizing and rewarding correct
behavior. A positive work environment encourages employees to follow established
policies and procedures, and act in the best interests of the organization. Fair employment
practices, written job descriptions, clear organizational structure, comprehensive policies
and procedures, open lines of communication between management and employees, and
positive employee recognition will all help reduce the likelihood of internal fraud and
theft.

16. Security Cameras - Install cameras throughout your facilities to record and capture all
activities.

17. Be Organized - A well-organized stockroom, supply room or warehouse makes it easier
to spot missing items.

18. Test The System - Remove some inventory, introduce a bogus invoice, etc., and see how
long it takes for your employees to discover the errors.

19. Closing Procedures - Prepare a checklist of closing and lock-up procedures for
employees. Make sure appropriate employees understand what is expected.

20. Security Tags - Make sure all equipment is marked. Take time to mark company
equipment with inventory tags or an electric pencil. Computers and computer-related
equipment are vulnerable, particularly laptop computers. Use equipment serial numbers
or a similar system to track equipment.

21. Employee IDs - Use an employee identification system, if practical. If you have many
full- and part-time employees or you are having key management problems, an access
system that requires the employee to insert an electronically coded card upon entering
the business or specific areas will give additional control.

22. Screen New Customers - A common ploy occurs when employees sell goods to their
friends, who in turn disappear and never pay. Take time to perform reasonable
background checks on new customers to ensure their authenticity. Look up their
address on Google maps, call the phone number to make sure it is valid, ask for
letterhead and business cards, review the customer's web site, call and welcome the
customer, visit the customer.

23. Escalate Larger Accounting Transactions - Implement measures to hold the processing
of larger transactions until approved by a third party within your organization. The
escalation threshold can be increased as employees earn more trust.

24. Implement An Anonymous Reporting System - Provide a confidential reporting system
for employees, vendors, and customers to anonymously report any violations of policies
and procedures.

25. Perform Regular and Irregular Audits - Perform regular and random unannounced
financial audits and fraud assessments to help identify new vulnerabilities, and to
measure the effectiveness of existing controls. This lets employees know that fraud
prevention is a high priority for the organization.

26. Investigate Every Incident - A thorough and prompt investigation of policy and
procedure violations, allegations of fraud, or warning signs of fraud will give you the
facts you need to make informed decisions and reduce losses.

27. Eliminate Temptations - Eliminate as many temptations as you can by securing goods
and cash, locking doors and drawers, and implementing well-known controls.

28. Keys - Be careful with keys. Sign out all keys and collect them when employees leave the
company. Better yet, move to electronic card keys that can be disabled when employees
leave.

29. Lead By Example - Senior management and business owners set the example for the
organization's employees. A cavalier attitude toward rules and regulations by
management will soon be reflected in the attitude of employees. Every employee
regardless of position should be held accountable for their actions.

30. Use Consecutive Numbers - Make sure all checks, purchase orders, and invoices are
numbered consecutively, and regularly check for missing documents.

31. For Deposit Only Stamp - Use a "for deposit only" stamp on all incoming checks to
prevent an employee from cashing them.

32. Unopened Mail - Unopened bank statements and canceled checks should be received
by the business owner or outside accountant each month, and they should carefully
examine them for any red flag items such as missing check numbers. They should also look
at the checks that have been issued to see if the payees are legitimate, and make sure that
the signatures are not forgeries.

33. Reconcile Statements - The purpose of the bank statement reconciliation is to prove
that the cash on the books agrees with the cash at the bank. It is difficult for an
employee to hide theft when bank reconciliations are prepared monthly. Of course,
bank reconciliations should be prepared by an outside person and need to be reviewed
by management.
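Items 30, 32 and 33 describe one review: compare the check register to the cleared items on the bank statement, look for missing check numbers, and prove that the book balance and the bank balance agree. The script below is an added example, not part of the course material, that carries that review out on a constructed register and statement; the company, payees, check numbers and amounts are all made up for the example.

```python
from collections import namedtuple

# Constructed sample data (not from the page): the company's own check
# register for the month and the checks the bank statement shows as cleared.
Entry = namedtuple("Entry", "number payee amount")

BOOK_REGISTER = [
    Entry(1001, "Office Supply Co", 250.00),
    Entry(1002, "Utility Power", 1340.25),
    Entry(1003, "Landlord LLC", 2500.00),
    Entry(1005, "Temp Staffing", 980.00),    # check 1004 never made it into the books
    Entry(1006, "Cleaning Service", 300.00),
]

BANK_CLEARED = [
    Entry(1001, "Office Supply Co", 250.00),
    Entry(1002, "Utility Power", 1340.25),
    Entry(1003, "Landlord LLC", 2900.00),     # cleared for more than the register shows
    Entry(1004, "Cash", 1500.00),             # cleared at the bank, not recorded at all
    Entry(1006, "Cleaning Service", 300.00),
]


def reconcile(book, bank):
    """Compare the register to the cleared items and return the exceptions a
    reviewer should look at, grouped the way items 30 and 32 describe them."""
    book_by_no = {e.number: e for e in book}
    bank_by_no = {e.number: e for e in bank}
    findings = {"unrecorded": [], "altered": [], "outstanding": [], "gaps": []}

    # Item 32: every check the bank paid must exist in the books with the same
    # payee and amount; anything else is a possible forged or altered check.
    for number, paid in sorted(bank_by_no.items()):
        recorded = book_by_no.get(number)
        if recorded is None:
            findings["unrecorded"].append(paid)
        elif abs(paid.amount - recorded.amount) > 0.005 or paid.payee != recorded.payee:
            findings["altered"].append((recorded, paid))

    # Checks in the books the bank has not paid yet are outstanding, not suspicious.
    for number, recorded in sorted(book_by_no.items()):
        if number not in bank_by_no:
            findings["outstanding"].append(recorded)

    # Item 30: consecutively numbered checks must leave no holes in the register.
    numbers = sorted(book_by_no)
    for lower, upper in zip(numbers, numbers[1:]):
        if upper - lower > 1:
            findings["gaps"].extend(range(lower + 1, upper))
    return findings


def unexplained_difference(book, bank):
    """Item 33: after deducting outstanding checks from the bank side, the bank
    balance must equal the book balance. Returns the amount the reconciliation
    cannot explain (0.0 when the two agree)."""
    outstanding = sum(e.amount for e in reconcile(book, bank)["outstanding"])
    cleared_total = sum(e.amount for e in bank)
    book_total = sum(e.amount for e in book)
    return round(cleared_total + outstanding - book_total, 2)


if __name__ == "__main__":
    result = reconcile(BOOK_REGISTER, BANK_CLEARED)
    for paid in result["unrecorded"]:
        print(f"check {paid.number} to {paid.payee!r} for {paid.amount:.2f} is not in the books")
    for recorded, paid in result["altered"]:
        print(f"check {paid.number}: books say {recorded.amount:.2f}, bank paid {paid.amount:.2f}")
    print("missing check numbers:", result["gaps"])
    print("unexplained difference:", unexplained_difference(BOOK_REGISTER, BANK_CLEARED))
```

On the sample data the unexplained difference (1900.00) is exactly the unrecorded check plus the altered amount, which is the point of the exercise: the reconciliation does not balance until someone explains those two checks.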

34. Two Signatures - Require all large checks to have two signatures. Never sign a blank
check. Sign every payroll check personally. Avoid using a signature stamp.

35. Insurance - Consider obtaining an insurance policy that covers outside crime, employee
theft and computer fraud. It will be there as a safety net in case your fraud prevention
tactics don't work.

36. Look for Stress - Be alert to disgruntled or stressed employees, or those who have
indicated that they are having financial difficulties. Also look for any unexplained
significant rises in an employee's living standards.
Employee
Background Checks
Chapter 28

Employee Background Checks
With identity theft and cybercrime on the rise, and the ease with which fake IDs and fake college
diplomas can be obtained via the internet, it is more important than ever to conduct a
background check on potential employees, if not all potential vendors and customers. There are
dozens of background check companies to choose from, charging fees ranging from $20 to $200
per background check. Some of the sources they commonly check are as follows:
1. County Criminal Checks - Search of superior, upper, lower, and/or municipal court
records across the country to determine if a subject has a felony or misdemeanor filing
within the last seven years, or longer if the record includes a legally reportable
conviction.

2. National Criminal Database Search - Search of aggregate databases of millions of
records from various sources in the United States obtained by commercial vendors from
the following sources:

a. County Court Houses
b. State Departments of Incarceration
c. State Record Repositories
d. Probation Departments
e. Townships
f. Sex Offender Registries

3. Social Security Number Traces - A common mistake employers make is failing to
cross-check the identity of their applicants with a Social Security Number Trace using
credit history information. A proper background check should employ SSN Trace
information to authenticate that the Social Security Number provided by your applicant
is associated with an individual of the same name, that the approximate date of issue
range of the SSN equates with your applicant's birth date, and that the address history
associated with that SSN corresponds with the areas of the country where your applicant
has lived, worked, attended school, or spent other significant time. This type of SSN
Trace will usually turn up any alias names that have been associated with that SSN.

4. Driver's License History Search - This is an important search for applicants who are
required to operate their vehicle for business purposes and/or drive a company
vehicle. Records will show history over the past 3-7 years and are available in all 50
states and Washington DC. Reports will include all personal identifiers as well as
offenses and citations.

5. Pre-Employment Credit Reports - Full credit report from one of the three nationwide
credit bureaus. This report will offer insight into the applicant's reliability and a sense of
their personal responsibility. This report will include derogatory credit information,
public filings (bankruptcies, liens and judgments) as well as previous addresses. This can
be another great tool for identifying other counties where the applicant may have lived,
and is especially useful for companies whose candidates will have check-writing
privileges or other access to company funds.

6. Reference Interviews - A verification of business and/or personal credentials is a
valuable source of information about the applicant's general image as perceived by
others. Results may offer insight into the candidate's trustworthiness, reliability,
competency and integrity.

7. Substance Abuse Screening - Incorporating Substance Abuse Screening into your hiring
process is now fairly easy. Most services offer urine, hair and saliva testing at thousands
of Patient Service Centers across the United States. Screens can be used for
pre-employment, random and post-accident programs. Results are typically reviewed by
board-certified Medical Review Officers (MRO), and handled in full compliance with
federal DOT regulations and guidelines. Negative results are typically determined in 1-2
days.

8. Homeland Security Check - A Homeland Security Check is a cross-reference of your
applicant's name against over 45 worldwide databases of known terrorists, fugitives,
individuals, organizations and companies considered to be a threat to global and
national security. The Homeland Security Check database is updated daily as the various
individual databases are modified.

9. Education Verifications - When hiring an individual, companies often base salary
packages and positions on the individual's education. Failing to verify important
information can result in appointing unqualified people to positions they don't deserve,
which in turn affects your company's ability to compete. An Education Verification
confirms schools attended, diplomas, degrees & certificates awarded, dates of
attendance, and additional information as available.

10. Employment Verifications - Some candidates may be less than truthful about their
employment history. Research shows this to be the number one discrepancy on
resumes and job applications. A proper background check should verify information on
your applicant's resume. Dates of employment, starting and ending positions and
salaries, reason for termination, and eligibility for rehire are examples of the
information employers should be asked to verify. If possible, the background check
should include an interview of the candidate's supervisor to gain more personal
knowledge of the applicant's skills and functionality in the workplace.

11. Federal Criminal Court Searches - There are many crimes that don't necessarily fall
under local laws; they fall under federal jurisdiction. These crimes may include tax
evasion, embezzlement, counterfeiting, bank robbery and many other "white collar"
crimes. This search lists criminal filings in any of the nation's federal district courts.

12. Sex Offender Registry - A Sex Offender Registry Search should be conducted to see if
your subject is a registered offender.

13. Global Screening Services - Some background checks include searches on applicants
that have lived or reside outside of the US. Many services are able to execute a Criminal
Records Search in over 150 countries and Employment and Education Verifications in
over 200 countries throughout the world.

14. Workers Compensation - A check of the state(s) workers' compensation commissions in
the area(s) where the candidate has resided, to locate any claim history. The
investigation is conducted in compliance with the Americans with Disabilities Act (ADA).

15. Electronic Employment Eligibility Process (I-9) - This process typically includes a "smart"
error-detecting I-9 form, electronic archival of completed forms and instant
confirmation of Employment Eligibility Status. This program is in compliance with the
government's E-Verify program.

16. Professional Licenses & Certifications - Includes a review and verification of
professional license and registration status of any license or certification required by
industry or organizational standards. The service verifies all licenses and certifications
provided by the candidate directly with the issuing or accrediting organization.

17. Neighbor Checks - Some background checks include locating and interviewing
neighbors who have lived next to or near the applicant.

18. Military Records Verification - Military records can be searched to confirm military
service, including dates of service and ranks reached.

Background Check Privacy

There are some questions that cannot be asked, and information that cannot be relied upon,
when hiring an employee. In general, these questions revolve around disabilities, bankruptcy,
criminal convictions after a certain number of years, and medical records. Depending upon the
state where you operate, these topics and others may be off limits. To protect yourself, you
should make yourself familiar with the laws in your state, and you should obtain written
permission from the applicant to conduct a background check.

Some employers say that asking for written permission from the applicant to conduct a
background check often is all that is needed for some applicants to admit to additional history
that may be pertinent to the hiring decision.

199

InformationSecurity

LettersofReference

You should always require letters of reference, and these letters of reference should be
investigatedtomakesurethattheyareauthenticbeforemakingthefinalhiredecision.

Background Checking Services

1. www.trudiligence.com - Many searches with instant results. Free 1 week Trial.
2. www.formi9.com - Electronic I-9s. Expert I-9 Audits. Instant Employment Eligibility Verification.
3. find.intelius.com - $29.95 Instant Criminal & Background Check, SSN Verification, Sexual offender registry, and Address trace in one! FCRA compliant.
4. www.Intelius.com - Instant Criminal & Background Check, SSN Verification / FCRA. (877) 974-1500
5. www.CriteriaCorp.com - Screen Employees with Personality, Aptitude, Skills Tests.
6. www.HireRight.com - Industry's fastest turnaround time. Trusted by Fortune 500.
7. www.infolinkscreening.com - Accurate and compliant employee background checks, drug testing, physical exams, and Form I-9 eSolutions provided by Kroll.
8. www.sentrylink.com - Instant online results for criminal checks, driving records, and credit reports. FCRA compliant. National criminal check only $19.95.
9. www.IntegraScan.com/EmployeeScreening - $18.95 Free preliminary results. Instantly check millions of records $18.95. Comprehensive state and national background checks.
10. www.backgroundsonline.com - Professional employment background screening, hire with confidence!
11. www.CorporateScreening.com - Medical, Manufacturing, Financial Quality Customized Services.
12. www.absolutebackgrounds.com - Provider of online applicant screening services.
13. www.backgroundcheckgateway.com - Site enables visitors to perform free background checks, using public records.
14. www.backgroundchecks.com - A service which provides instant desktop delivery of criminal records information, social security validation and more.
15. www.backgroundsonline.com - Provider of web-based pre-employment screening services and employee background checks, including criminal, reference, DMV, education and employment verification.
16. www.brainbench.com - Provider of Internet-based applicant testing services, including technical, language and programmer/analyst aptitude testing.
17. www.corporatescreening.com - Provides national employee and business background online.
18. www.esrcheck.com - Firm offers pre-employment screening services for employers, human resources and security departments.
19. www.hireright.com - Provider of online pre-employment screening services.
20. www.informus.com - Provides internet-based employee screening.
21. www.trudiligence.com - Many searches with instant results. Compare vendors. Free 1 week Trial.
22. www.peoplewise.com - Provider of legally compliant, employment screening services over the Internet.
23. www.prsinet.com - Provider of pre-employment screening through background checks. Provides a web-based order and retrieval system.
24. www.reviewnet.net - Provider of Internet-based solutions to attract, screen, interview and retain technology professionals.
25. www.NetDetective.com

Bonding Employees
Chapter 29

Bonding Employees
Bonding is "an insurance contract in which an agency guarantees payment to an employer in the event of unforeseen financial loss through the actions of an employee."
In a perfect world, employee theft would never happen. Unfortunately, it does. To protect yourself, bonding helps assure that employees are trustworthy. And, if something should go amiss, it will be replaced. How important is bonding? One report claims that one-third of all bankruptcies are caused by employee theft (according to Marc Leclair, Assistant Vice President of Corporate Risk with London Guarantee).

When to Bond Your Employees
In general, you should consider bonding employees whenever they have access to expensive inventory or large sums of cash. Statistically speaking, you may be surprised to learn that the employees most likely to steal from you are the long-standing employees who have been with you for 10 to 15 years. The employees that have been at the same position for years understand the accounting system to the point where they can actually play games with the numbers without you seeing the changes. Bank employees and warehouse workers are examples of employees that are typically bonded.

Why You Bond Employees
Employees who have been convicted of fraud in the past are not usually able to get coverage, so bonding helps avoid the wrong employees to start with. Employers also use fidelity bonds to protect themselves from theft. There are four basic types of fidelity bonds, as follows:
1. Individual - Covers one employee (usually purchased by small concerns or family-operated businesses with only one employee).

2. Name Schedule Fidelity Bond - You designate a set amount of coverage for a list of employees that you provide for the insurance company. Each time you hire a new employee, you have to contact the insurance company to have that person added to the list, if you choose to do so. Collection under this coverage hinges on absolute proof that an employee did in fact steal from you.

3. Blanket Position Bond - Under this type of bond, you specify coverage for a position rather than the individual. Each employee of a business is covered, and new employees are added automatically. Coverage is offered for each employee up to the maximum set out in the insurance policy. Blanket position bonds don't require proof of the individual responsible for the theft.

4. Primary Commercial Blanket Bond - Like the Blanket Position Bond, this bond covers each employee in the company. This type of coverage does not accommodate each employee, but rather treats the employees as one unit. In other words, it does not matter if one or five people were involved in the crime, you will be able to claim the same amount.

The Federal Bonding Program / Fidelity Bonding
A federal fidelity bond is NO COST insurance coverage meant to allow employers to hire job applicants considered "at risk" due to their past life experiences, protecting employers against employee dishonesty, theft or embezzlement. Since the program's inception in 1966, approximately 43,000 bonds have been issued with a 99% success rate. And, users have the added benefit of turning unemployed applicants into tax-paying workers! Federal bonding may be provided to any individual who:
1. may have a dishonorable military discharge,
2. may have a record of arrest, conviction or imprisonment,
3. lacks work history,
4. has a poor credit history, and
5. has an offer of full-time employment.

Note: Self-employed individuals are not eligible.
The process is simple and quick. Employers are not required to fill out forms. Employers, on behalf of the job applicant, can request Fidelity Bonding by contacting the appropriate local department in person or via telephone. If an applicant and job meet eligibility criteria, bonding becomes effective immediately following certification and on the applicant's first day of work. Upon certification, the coverage provider mails the bond directly to the employer.
Coverage - An employee can be bonded for at least $5,000. The bond initially covers a six-month period beginning the first day of employment. After that time, if a bond still remains a condition of employment, employers can request a renewal for an additional six months (only one renewal per bond issued) or purchase the bond through the contracted insurance company at current commercial rates.
Additional information on the Fidelity Bonding is available at your local Employment and Training Center in your state. Bonding coordinators are available to help employers match the amount of bond coverage to the requirements of the position. Employers may also contact the State Bonding Coordinator at 312/793-9741.

Key Points
1. Bonding is simply a form of insurance protecting you from employee theft.
2. Bonding is recommended when employees have access to expensive inventory or large sums of cash.
3. Long-standing employees (15 to 20 years) are more likely to steal.
4. There are four types of bonds.
5. Federal bonding is sometimes available for free.

Asterisk Key
Chapter 30

Asterisk Key
This is a free utility that you can download (http://www.lostpassword.com/asterisk.htm) to reveal the passwords hidden under asterisks. It can instantly reveal any hidden password that is saved in a password dialog box or web page.

Of course you need access to the computer, and the computer must have the password remembered in order for this to work. Still, the existence of tools like this shows the vulnerability that occurs when you save your passwords on your computer.

Encryption Analyzer & Passware Kit
Chapter 31

Encryption Analyzer
Encryption Analyzer is a free downloadable utility program that locates all of the password-protected or encrypted files on a PC or on PCs across a network. Key features are as follows:
1. Scans files fast - over 4,000 files per minute on an average PC.

2. Supports over 100 different file formats.

3. Lists recovery options and launches appropriate password recovery modules if necessary. Provides detailed information: file formats, protection methods.

Legitimately, you can use this product to verify that you have applied passwords to your important files. IT Professionals can also use the product to ensure that users are applying proper password protection. Legitimately, Encryption Analyzer solves the common problem when employees leave a company without providing a complete list of their passwords.
I used Encryption Analyzer on my computer and found 541 protected files in 41 minutes, as shown in the screen below. Once identified, the files can then be opened using the affiliated Passware kit discussed on the following page.

Passware Kit
Passware Kit is priced starting at $195. The product includes over 25 password recovery modules. Passware Kit claims to crack the following files:
1. Windows
2. Office
3. Excel
4. Word
5. QuickBooks
6. Access
7. FileMaker
8. Outlook
9. Outlook Express
10. Exchange
11. WinZip / PKZip / ZIP
12. WinRAR / RAR
13. Network Connections
14. SQL
15. BestCrypt
16. OneNote
17. PowerPoint
18. VBA Visual Basic modules
19. Internet Explorer
20. EFS Encrypted File System
21. Acrobat
22. Quicken
23. Lotus 1-2-3
24. Lotus Notes
25. Lotus Organizer
26. Lotus WordPro
27. Quattro Pro
28. QuickBooks 2008
29. Quicken 2008
30. Quicken databases up to 2007
31. Backup
32. Project
33. MYOB
34. Peachtree
35. Paradox
36. ACT!
37. Mail
38. Schedule+
39. Money
40. WordPerfect

Securing Desktop Computers
Chapter 32

Desktop Computer Theft
While laptop computers are most often stolen, desktop computers tend to be left unattended in empty buildings. This fact gives rise to special considerations for securing desktop machines. Specifically, desktop computers should be locked up and bolted down so as to deter or prevent theft. Presented below are anti-theft devices that may help you prevent the theft of your desktop computers.

Anti-Theft Products
1. Desktop Locking Devices
2. Security Guard
3. Biometric Security Device
4. Bolt-on Anti-Theft Cable Systems
5. Locking Anti-Theft Cable Systems
6. Retinal Scanners to gain access to Offices
7. Locking Cables
8. UV Marking Kits
9. Fake Security Camera
10. Security Camera Systems
11. Hidden Camera
12. See-Thru Mirrors
13. Mirrored Ceiling Domes
14. Dead Bolts
15. Outdoor Security Lighting

Computer Protection Measures
There are several measures you can take to better secure your offices and computer systems. For example, you could make sure that your building is very secure to prevent intruders and theft. Install extra window locks and door locks. Consider hiring a building guard. Install key entry systems that monitor and record employee access. Install door locks on internal doors to prevent access to file servers & systems. Use computer locks to bolt computers to desks and tables. Use computer locks to protect laptop computers when traveling.

Power Failure

Power failures represent the most frequent cause of data loss, which is a sad fact to report considering how easy this problem is to avoid. All computer systems should be equipped with an uninterruptible power supply (UPS) device to protect from power outages and power surges. For example, American Power Corporation produces a wide variety of UPS devices and surge suppressors.
APC offers more than 150 of these devices ranging in price from $40 to more than $80,000. Most business computers can be protected from power failure for about $60 to $250, depending upon the amount of battery time you prefer. All APC UPS products include PowerChute software that can be set to close your applications and shut down your computer automatically and gracefully in the event of a prolonged power failure in your absence. Another benefit of using an APC device is the automatic insurance which covers any electrical-related damage to your computer up to $25,000. These UPS devices can also protect your phone systems and television cable hookups as well.
You should use a UPS device to protect your entire computer system including monitors, hubs, routers, and externally connected devices. The one exception to this rule is printers because they are typically a big drain on power. Therefore, unless you have a powerful UPS device, you should avoid plugging your printer into your UPS, but be sure to always use a surge protector.

Computer Failure
Computer components can fail. The most common computer failures can be attributed to power supplies, hard drives, and system motherboards. However, other components such as RAM chips, processors, circuit boards, floppy disk drives, CD drives, and monitors can go bad as well. Today, most newer computers can be repaired quickly by replacing the damaged item; however, legacy computers may take time to repair as replacement parts are often only available on the used market. Do not attempt to operate a visibly damaged computer. If your computer is making an unusual noise, turn it off. There is a good chance that a noisy computer has suffered or will suffer a head crash, hence the faster it is deactivated, the better the chance for data recovery.
If your computer does fail, do not automatically turn to recovery software. If you suspect that you may have lost access to data due to electrical or mechanical failure, software can't help. Using file recovery utilities on a faulty hard drive can destroy what was recoverable data. When a drive failure is suspected, turn off the machine. Call in a computer systems recovery specialist with the proper training and experience. Lost data can become unrecoverable data when un- or under-qualified personnel misuse file recovery utilities, open disk drives, and lack the basic skills necessary to properly maintain and repair computer equipment and data.

Windows Security
Windows Services

Chapter 33

Windows Services
Windows Services are Windows components (or programs) that run in the background of Windows to perform specific functions. They generally start each time the Microsoft Windows operating system is booted and continue running in the background as long as Windows is running. They appear in the processes list in Windows Task Manager as shown below:

As a general rule you should turn off all Windows Services that you do not need, and check to make sure that rogue applets are not running as Windows Services. As a result of clearing your Windows Services, your computer will perform faster, and there will be fewer services which might give a hacker tunnel access to your computer system. To turn off a service, select "Services" from the Windows Control Panel as circled above or run "Services.msc" using the Run Command on the Start Menu.

As an example, in the screen below I have entered the Windows Services Administration Tool and right-clicked on the Carbonite Service. Here I can accomplish the following:

1. Start, stop, pause or restart services.
2. Specify service parameters.
3. Change the startup type, which includes Automatic, Manual and Disabled:
a. Automatic starts the service at system logon.
b. Manual starts a service as required or when called from an application.
c. Disabled completely disables the service.
d. Automatic (Delayed) is a new startup type introduced in Windows Vista that starts the service a short while after the system has finished booting and initial busy operations, so that the system boots up faster.
4. Change the account under which the service logs on.
5. Configure recovery options upon service failure.
6. Export the list of services as a text file or a CSV file.

Repeat this step to disable any unused services. The services you use may be different from the ones my computer uses; therefore, it is difficult to advise you as to exactly which services you should disable. Listed below are the most commonly unused services, but read through the remaining services in your Computer Management window to identify any other services you may not be using.
Windows Vista Services that Most Users Should Consider Disabling
(55 Out of 154 Services Should Be Disabled)
1. Application Experience
2. Application Layer Gateway Service
3. Application Management
4. Certificate Propagation
5. DFS Replication
6. Diagnostic Policy Service
7. Diagnostic Service Host
8. Diagnostic System Host
9. Distributed Link Tracking Client
10. Distributed Transaction Coordinator
11. Fax
12. Function Discovery Provider Host
13. Function Discovery Resource Publication
14. Health Key and Certificate Management
15. Human Interface Device Access
16. IKE and AuthIP IPsec Keying Modules
17. Interactive Services Detection**
18. Internet Connection Sharing (ICS)
19. IP Helper
20. IPsec Policy Agent
21. KtmRm for Distributed Transaction Coordinator
22. Link-Layer Topology Discovery Mapper
23. Microsoft iSCSI Initiator Service
24. Netlogon
25. Network Access Protection Agent
26. Offline Files
27. Parental Controls
28. Peer Name Resolution Protocol
29. Peer Networking Grouping
30. Peer Networking Identity Manager
31. PnP-X IP Bus Enumerator
32. PNRP Machine Name Publication Service
33. Portable Device Enumerator Service
34. Problem Reports and Solutions Control Panel Support
35. Quality Windows Audio Video Experience
36. Remote Registry
37. Secure Socket Tunneling Protocol Service**
38. Smart Card
39. Smart Card Removal Policy
40. SNMP Trap
41. Tablet PC Input Service
42. Terminal Services UserMode Port Redirector
43. Virtual Disk
44. WebClient
45. Windows CardSpace
46. Windows Connect Now - Config Registrar
47. Windows Error Reporting Service
48. Windows Image Acquisition (WIA)
49. Windows Media Center Receiver Service
50. Windows Media Center Scheduler Service
51. Windows Media Center Service Launcher
52. Windows Media Player Network Sharing Service
53. Windows Remote Management (WS-Management)
54. Windows Search
55. WinHTTP Web Proxy Auto-Discovery Service
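An added example (not from the course, Microsoft or Black Viper) of how to check a service list exported in step 6 above against the "consider disabling" names: it parses a tab-separated export and reports every watched service that is still running or set to start automatically. The export column layout, the description text and the sample rows are constructed assumptions for illustration; the watch list is a subset of the chapter's list.

```python
"""Audit an exported Windows services list against the chapter's
"consider disabling" names (added example, not part of the course).

Assumption: the services.msc export was saved as a tab-separated text
file with the columns Name, Description, Status, Startup Type, Log On As.
Everything below is constructed for illustration."""
import csv
import io

# Subset of the chapter's "Windows Vista services most users should
# consider disabling", keyed by display name as it appears in the export.
CONSIDER_DISABLING = {
    "Fax",
    "Netlogon",
    "Remote Registry",
    "SNMP Trap",
    "WebClient",
    "Windows Remote Management (WS-Management)",
}

# Constructed sample export (descriptions shortened, not real exports).
SAMPLE_EXPORT = """\
Name\tDescription\tStatus\tStartup Type\tLog On As
Application Experience\tApplication compatibility cache\tStarted\tAutomatic\tLocal System
Fax\tSend and receive faxes\t\tManual\tNetwork Service
Netlogon\tSecure channel to a domain controller\tStarted\tAutomatic\tLocal System
Remote Registry\tRemote users can modify registry settings\tStarted\tAutomatic\tLocal Service
SNMP Trap\tReceives SNMP trap messages\t\tDisabled\tLocal Service
WebClient\tWindows programs can access Internet-based files\tStarted\tManual\tLocal Service
Windows Remote Management (WS-Management)\tWinRM service\t\tAutomatic (Delayed Start)\tNetwork Service
"""


def parse_export(text):
    """Read the tab-separated export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def audit_services(rows, watch=CONSIDER_DISABLING):
    """Return {display name: (status, startup type)} for every watched
    service that is running or starts automatically (plain or delayed).
    A watched service already set to Manual and not running, or Disabled,
    needs no action and is left out."""
    findings = {}
    for row in rows:
        name = row["Name"].strip()
        if name not in watch:
            continue
        status = row["Status"].strip()
        startup = row["Startup Type"].strip()
        if status == "Started" or startup.startswith("Automatic"):
            findings[name] = (status, startup)
    return findings


def report_lines(findings):
    """Human-readable lines, one per finding, in display-name order."""
    return [
        f"{name}: status={status or 'Stopped'}, startup={startup}"
        f" -> consider Manual or Disabled"
        for name, (status, startup) in sorted(findings.items())
    ]


if __name__ == "__main__":
    for line in report_lines(audit_services(parse_export(SAMPLE_EXPORT))):
        print(line)
```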

Comments about Adjusting your Windows Services
1. Before adjusting your service settings, first install all Windows Updates.
2. If you are unsure whether you need a specific service or not, read the Description field.
3. If you are still in doubt, my recommendation is to leave the default setting.
4. Service settings are global, meaning changes apply to all users.
5. If you are still unsure, put your setting to "Manual" or the listing under "Safe."
6. Manual allows Windows Vista to start the service when it needs to but not at boot up.
7. If you need a service, make it Automatic.
8. After adjusting your service settings, reboot your computer.

For a better source of information on Windows Services, visit http://www.blackviper.com/. This website provides a current list of Windows services that should be disabled for each version of Windows, and provides your choice of Safe, Tweaked and Bare Bones recommendations. Shown below is a small sample of this website's tables.

Black Viper's Windows Vista SP1 Service Configurations (Sample Only)

Display Name                      | DEFAULT Home Basic  | DEFAULT Home Premium | DEFAULT Business    | DEFAULT Ultimate    | "Safe"    | "Tweaked" | "Bare Bones"
Application Experience            | Automatic (Started) | Automatic (Started)  | Automatic (Started) | Automatic (Started) | Automatic | Disabled* | Disabled*
Application Information           | Manual (Started)    | Manual (Started)     | Manual (Started)    | Manual (Started)    | Manual    | Manual    | Manual
Application Layer Gateway Service | Manual              | Manual               | Manual              | Manual              | Manual    | Disabled* | Disabled*
Application Management            | Not Available       | Not Available        | Manual              | Manual              | Manual    | Disabled* | Disabled*

Similar services are offered at www.LabMice.net and www.TheElderGeek.com.

Risk of Fire
Chapter 34

Risk of Fire
All of the passwords and security settings in the world won't help much in the event that your facility burns down. Therefore, in a discussion about security, it is prudent to discuss the threat of fire and provide possible measures for minimizing that threat.
As a service, your local Fire Marshal will usually visit your facility for free and inspect your building in order to identify potential fire threats and provide you with suggestions for minimizing the risk of fire.
Presented below is a sensible checklist that you should use to help you identify any obvious measures you can take to minimize the risk of fire. If you answer No to any of these items, then perhaps you should take measures to better secure your facilities.

Fire Prevention Checklist
1. Is the address of your property clearly visible and marked in large numbers that can be easily seen from the street?
2. Are fireproof filing cabinets adequately used to protect printed information?
3. Are computers elevated off the floor in order to prevent damage from water in the event that sprinklers or fire hoses are used to put out a fire?
4. Are there adequate smoke detectors in the building?
5. Are smoke detectors operational?
6. Are smoke alarm batteries changed at regular intervals (twice a year)?
7. Are smoke alarms tested regularly (twice a year)?
8. Are evacuation signs properly posted?
9. Are exit signs properly displayed?
10. Are all exits accessible without using a key (i.e., not dead-bolted)?
11. Do you have emergency lighting and does it work?
12. Do you have at least two plans of escape?
13. Does the plan call for a safe meeting place outside the building so employees can be quickly accounted for?
14. Are plans of escape practiced regularly?
15. Are there adequate fire extinguishers in the building?
16. Are the areas outside and around the building free of weeds, debris and trash?
17. Is the use of all extension cords and power strips inspected for proper use?
18. Are extinguishers in place, serviceable and clear of obstruction?
19. Are extinguisher tags current?
20. Are there adequate sprinklers used throughout the building?
21. Is there .5 meter clear space below all sprinkler heads?
22. Are there fire hoses in the building?
23. Are those fire hoses in cabinets properly racked and in good condition?
24. Is there a fire water storage tank in the building?
25. Is the fire water storage tank at the proper level?
26. Is the electrical room secured?
27. Is the electrical room clear of combustible material?
28. Is there 3 feet of clear space around all electrical panels?
29. Is the mechanical room secured?
30. Is the mechanical room combustion air intake clear?
31. Is the mechanical room clear of combustible material?
32. Are there any fuel spills/leaks in the mechanical room?
33. Are there any fuel spills/leaks in the generator room?
34. Are attic fire separations intact?
35. Is the attic clear of combustible material?
36. Is the attic access secured?
37. Are crawl space fire separators intact?
38. Is the crawl space clear of combustible material?
39. Is the crawl space access secured?
40. Are the storage areas secured?
41. Are the custodial rooms secured?
42. Are emergency lights operational?
43. Is flammable material properly stored?
44. Is any gas-powered equipment stored in the building?
45. If smoking is allowed, are there adequate fireproof receptacles available in all smoking venues?
46. If smoking is not allowed, are no-smoking signs displayed and are non-smoking rules enforced?
47. Are all electrical cover plates in place?
48. Are kitchen exhaust fans operational and clean?
49. Is the kitchen fire suppression system maintained to schedule?
50. Is the kitchen fire suppression system charged?
51. Are tree branches properly trimmed annually near electrical power lines?
52. Have the proper fire-resistant materials been used where possible in the construction of the building?
53. Are all exterior vents, attics and eaves covered with mesh to prevent rodents from nesting or chewing through wires?
54. Do you know your local emergency number for fire/police/ambulance, and do you have it posted near your phones?
55. Are furnaces, stoves, and flue pipes properly maintained and inspected?
56. Are portable space heaters properly maintained and used only in compliance with company policy?
57. Is the central heating system inspected annually by a qualified technician?
58. Have you catalogued and updated your inventory list for insurance claims?

Credit Card Fraud
Chapter 35

The strategy for generating credit card numbers is widely known, and the materials and equipment for producing fraudulent credit cards are also available. Hopefully, this information will make you more savvy when it comes to inspecting and accepting credit cards in your business.
The concept of using a card for purchases was described in 1887 by Edward Bellamy in his utopian novel Looking Backward. Bellamy used the term credit card eleven times in this novel.

How Valid Credit Card Numbers Are Generated - Presented below is a brief explanation of what the numbers on a typical credit card number mean.

[Figure: a sample credit card number with its fields labelled Type of Card, Issuing Bank, Account Number and Check Digit.]

1. There are 16 numbers on a typical credit card.

2. The first number indicates which type of card the number belongs to. 3 = American Express or Diners Club, 4 = VISA, 5 = MasterCard, and 6 = Discover Card.

3. The next 5 digits identify the bank, or the issuer.

4. The next 9 digits form the account number. (These nine number positions can be used to create 1 billion possible account numbers.)

5. The last digit is known as the check digit, which is generated to satisfy a certain condition known as the Luhn check.

6. With each account number, there is always a unique check digit associated (for a given issuer identifier and an account number, there cannot be more than one correct check digit).

7. American Express issues credit cards with 15 digits. The account numbers in this case are 8 digits long.

The Luhn Check Digit - In 1954, Hans Luhn of IBM proposed an algorithm to be used as a validity criterion for a given set of numbers. Almost all credit card numbers are generated following this validity criterion, also called the Luhn check or the Mod 10 check. Today, the Luhn check is also used to verify a given existing card number. If a credit card number does not satisfy this check, it is not a valid number. For a 16-digit credit card number, the Luhn check can be described as follows:

1. Working right to left (starting with the check digit), double the value of every second digit. For example, in a 16-digit credit card number, double the 15th, 13th, 11th, 9th, and so on digits (digits in odd places). In all, you will need to double eight digits.
2. If doubling of a number results in a two-digit number, add up the digits to get a single-digit number. This will result in eight single-digit numbers.
3. Now, replace the digits in the odd places (in the original credit card number) with these new single-digit numbers to get a new 16-digit number.
4. Add up all the digits in this new number. If the final total is perfectly divisible by 10, then the credit card number is valid (Luhn check is satisfied), else it is invalid.

Example - The credit card number used above is invalid. Let's apply the Luhn algorithm to this card to find out why.

1. In this case, when we sum up the total, it comes to 61, which is not perfectly divisible by 10, and hence this credit card number is invalid.

2. If such a credit card number is ever generated, the value of the check digit would be adjusted in such a way as to satisfy the Luhn condition. In this case, the only value of the check digit that will create a valid credit card number is 7. Choosing 7 as the check digit will bring the total to 60 (which is perfectly divisible by 10) and the Luhn condition will be satisfied. So the valid credit card number will be 4552720412345677.
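The number layout and the Luhn check described above, as an added example (not code from the course): it computes the Luhn total exactly as the four steps say, validates a number, derives the check digit the way the example adjusts it, splits a 15- or 16-digit number into the fields the chapter names, and shows the defender's use of the same check, scanning text for strings that look like card numbers and pass Luhn. The number 4552720412345677 is the chapter's own; the scanning helper and its sample text are constructed.

```python
"""Luhn (Mod 10) check and card-number field breakdown (added example,
not part of the course). Field positions follow the chapter: 1 card-type
digit, 5 issuer digits, the account number, then 1 check digit."""
import re

# Card-type digit meanings as given in the chapter.
CARD_TYPES = {
    "3": "American Express or Diners Club",
    "4": "VISA",
    "5": "MasterCard",
    "6": "Discover Card",
}


def only_digits(number):
    """Drop spaces and dashes so '4552 7204 1234 5677' equals '4552720412345677'."""
    return re.sub(r"[ -]", "", number)


def luhn_sum(digits):
    """Luhn total following the chapter's steps: working right to left,
    double every second digit (starting with the one left of the check
    digit), reduce two-digit results to one digit by adding their digits,
    then add everything up."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:   # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # 14 -> 1 + 4 = 5, the same as 14 - 9
        total += d
    return total


def luhn_valid(number):
    """True when the Luhn total is divisible by 10 (the chapter's step 4)."""
    digits = only_digits(number)
    return digits.isdigit() and len(digits) >= 2 and luhn_sum(digits) % 10 == 0


def luhn_check_digit(leading_digits):
    """Check digit that makes leading_digits + check pass the Luhn check.
    A placeholder 0 in the check position keeps the doubling pattern
    aligned; the check digit is whatever lifts the total to a multiple of 10."""
    partial = luhn_sum(only_digits(leading_digits) + "0")
    return (10 - partial % 10) % 10


def describe_card_number(number):
    """Split a 16-digit (or 15-digit American Express) number into the
    fields the chapter describes: type digit, 5 issuer digits, the account
    number (9 digits, or 8 for a 15-digit number) and the check digit."""
    digits = only_digits(number)
    if not digits.isdigit() or len(digits) not in (15, 16):
        raise ValueError("expected 15 or 16 digits")
    return {
        "card_type": CARD_TYPES.get(digits[0], "unknown"),
        "issuer": digits[1:6],
        "account": digits[6:-1],
        "check_digit": digits[-1],
        "luhn_total": luhn_sum(digits),
        "valid": luhn_sum(digits) % 10 == 0,
    }


# Defender's use of the same check: find 15- or 16-digit runs (spaces or
# dashes allowed) that pass Luhn, e.g. when scanning logs or files that
# should never hold card data. Digit runs that fail Luhn are left out.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){14,15}\d\b")


def find_card_numbers(text):
    """Return the Luhn-valid candidate card numbers in text, separators removed."""
    found = []
    for match in CARD_PATTERN.finditer(text):
        digits = only_digits(match.group(0))
        if len(digits) in (15, 16) and luhn_valid(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    # The chapter's example: check digit 8 totals 61 (invalid), 7 totals 60.
    print(luhn_sum("4552720412345678"))         # 61
    print(luhn_check_digit("455272041234567"))  # 7
    print(describe_card_number("4552 7204 1234 5677"))
    sample_text = "order 17 card=4552720412345678 retry card=4552 7204 1234 5677 ok"  # constructed
    print(find_card_numbers(sample_text))       # ['4552720412345677']
```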

Credit Card Features
There are other ways to detect a fraudulent credit card. The four boxes below describe the various attributes that appear on each of the four major types of credit cards.

Credit Card Security Measures
The low security of the credit card system presents countless opportunities for fraud. This opportunity has created a huge black market in stolen credit card numbers, which are generally used quickly before the cards are reported stolen. The goal of the credit card companies is not to eliminate fraud, but to "reduce it to manageable levels".

To make credit cards more secure, the following security measures are commonly available:
1. The Card Security Code (CSC) - Sometimes called Card Verification Value or Code (CVV or CVC), is a security feature for credit or debit card transactions, giving increased protection against credit card fraud. There are actually two security codes:

a. The first code, called CVC1 or CVV1, is encoded on the magnetic stripe of the card and used for transactions in person.

b. The second code, and the most cited, is CVV2 or CVC2. This CSC (also known as a CCID or Credit Card ID) is often asked for by merchants for them to secure "card not present" transactions occurring over the Internet, by mail, fax or over the phone. In many countries in Western Europe, due to increased attempts at card fraud, it is now mandatory to provide this code when the cardholder is not present in person. An additional 3- or 4-digit code is provided on the back of most credit cards, for use in "card not present" transactions.

CVV2s Are Encrypt-Generated - These numbers are generated when the card is issued, by encrypting the card number and expiration date under a key known only to the issuing bank. Supplying this code in a transaction is intended to verify that the customer has the card in their physical possession. To date, no cracks for this system are known.
CVV2s Vulnerable to Phishing - The use of the CVV2 cannot protect against phishing scams, where the cardholder is tricked into entering the CVV2 among other card details via a fraudulent website.
CVV2s May Not Be Stored - By rule, CVV2 may not be stored by the merchant for any length of time (after the original transaction in which the CVV2 was quoted and then authorized and completed); therefore, a merchant who needs to regularly bill a card for a regular subscription would not be able to provide the code after the initial transaction.

2. Photo Security - The cardholder's picture is now affixed to many credit cards. However, the logistical complications of taking a photo, verifying the photo, and affixing it to a person's credit card are still too burdensome to require this of all credit cards at this time.

3. Transaction Monitoring - Credit card companies look for red flags such as:

a. Shipping address is different from the billing address, or the shipping address has suddenly changed.
b. Unusually large purchase compared to normal purchase patterns for the account in question.
c. Change in name on the account.
d. Change in date of birth or social security number.
e. Unusual purchases over the Internet.
f. Unusually high number of transactions.

4. PINs - The online verification system used by merchants is being enhanced to require a 4-digit Personal Identification Number (PIN) known only to the cardholder.

5. Improved Material - Credit cards are now being replaced with similar-looking tamper-resistant smart cards which are intended to make forgery more difficult. The majority of smartcard (IC card) based credit cards comply with the EMV (Europay MasterCard Visa) standard.

Paying the Minimum Balance
While not really a security risk, it should be noted that paying the minimum balance on a credit card statement can cost you far more than most security risks. Therefore I will comment briefly on this topic as follows:
The table below shows what would happen if you have a $5,000 outstanding balance on your credit card (to keep things simple, we assume you make no additional purchases), an Annual Percentage Rate (APR) of 18 percent, and you make only the minimum payment due ($100 initially but gradually declining each month because minimum payments usually are based on a percentage of the balance, which will decrease). Using this example, it will take 46 years and cost $13,926 in interest charges before you've paid the $5,000, putting the total cost at $18,926.
226

InformationSecurity

EasyCreditCardsforCollegeStudents
Credit card companies target college students more than any other single group because
collegestudentsareexcellenttargetsforrunninguphighbills,payingminimumbalances,and
havingtheresourcestoeventuallypayofftheentiredebt.Moreimportantly,thesecompanies
wanttolockcollegestudentsinnowtousingtheircardbrandsotheycanleveragetheirfuture
earnings potential. Upon entering college, you child will be barraged with credit card
applicationsandyouneedtohelpmakesurethattheydonotfallintothiscommontrap.

CreditCardDeadBeats
Inthecreditcardindustry,peoplewhopayofftheirentirecreditcardbalanceeachmonthare
calleddeadbeats.Theyaredeadbeatstothecreditcardissuersbecausetheygeneratefarless
revenuetothecreditcardcompaniesthandopeoplewhopaytheminimumbalance.

Common Credit Card Scams

While theft is the most obvious form of credit and charge card fraud, it is not the only way fraud occurs. A more subtle form of fraud is misappropriation: the use of your card number (not the card itself) without your permission. Misappropriation may occur in a variety of ways. Examples are:

1. A phone caller says that you need only provide your card number and its expiration date to qualify for a special discount vacation.
2. A thief rifles through trash to find discarded receipts or carbons to use the card numbers illegally.
3. A dishonest clerk makes an extra imprint from your credit or charge card for his or her personal use.

Fraudulent credit card information or credit cards themselves are usually obtained through:

1. Fake Web Sites
2. Theft
3. Pick Pocketing
4. Phishing
5. Credit Card Swapping at ATM Machines
6. Skimming

Security Tips for Employees

While the following measures are fairly obvious, you should make sure that your employees follow the guidelines set forth below to help protect your company from credit card fraud:

1. Hide the keypad when entering a PIN at an ATM.
2. Don't leave your receipt behind at the ATM.
3. Destroy expired cards.
4. Immediately sign new cards.
5. Don't keep your PIN numbers in your wallet.
6. Treat credit cards as if they were real money.
7. Lost or stolen cards should be reported immediately.
8. Be cautious when giving credit card information to web sites or unknown individuals.
9. Verify the transactions on your credit card statement against your receipts.
10. Keep an eye on the credit card when making transactions in shops.
11. Don't sign a blank credit card receipt.
12. Don't loan credit cards to other employees.
13. Always keep a list of your credit cards, credit card numbers and toll-free numbers in case your card is stolen or lost.
14. It doesn't matter whether or not their web site is encrypted. Encryption means only that your data is secure between your computer and the merchant, not between your computer and the credit card processor. The merchant will have your card number regardless. If you're buying from an unfamiliar or likely untrustworthy store, consider using a temporary/virtual card number of the kind that card companies like Citibank provide.

Security Tips for Merchants

Watch out for suspicious behavior of your customers. Some characteristics are common to fraudulent transactions; although none of these can be actual proof of credit card fraud, they remain a good measure for identifying suspicious behavior. This type of fraud can eat up your profits, so watch out when a customer:

1. Buys a priced item on a new credit card.
2. Purchases large amounts of expensive items and doesn't seem to care about other amounts that can occur during the transaction (delivery, packaging, etc.).
3. Makes small purchases to stay under the floor limit.
4. Asks what the floor limit is.
5. Makes random purchases with no regard to size, price or quality.
6. Takes the credit card out of his pocket instead of a wallet.
7. Awkwardly or slowly signs the receipt.
8. If asked, cannot provide a photo ID.
9. Presents a credit card whose validation date has expired.
10. Presents a credit card that seems counterfeit or has altered information.
11. Signs the receipt with a signature that differs from the one on the card.

Common Types of Credit Card Fraud

What are the common types of credit card fraud? Counterfeit Credit Cards, Account Take-Over and Skimming. We are going to look at each one and describe it.

1. Account Take-Over. A thief does not need your credit card to empty your bank account; all he needs is your personal credit card information. He will typically phone your credit card company and change your address information. He will then report the credit card as stolen and request a new credit card, or he will order a second credit card while pretending to be you. This card will then be sent to the new address. Your statements also will be sent to this new address, making you unaware of the fraud. Therefore, if you don't get statements on a monthly basis at about the same day, you should contact your financial institution and check your records on file. Ask whether there has been an address change or whether any information has been changed without your direct approval.

2. Mail Box Theft. A thief will steal your new credit card while it is still in your postal box or anywhere on the way between the bank and you. This can be an organized crime scenario involving assistants, such as a postman who intercepts your mail before it is delivered to your address. A fraudster may even get hold of information about when credit cards are issued to a particular address, wait near your mailbox and take your mail. So if you get a notification about an important delivery, collect it as soon as possible, because the longer you wait, the bigger the chance for a fraudster to intercept it.

3. Counterfeit Credit Cards. Counterfeit or altered credit cards are, in short, duplicates of legitimate credit cards which are then used for fraudulent activities. The latest technology is used, together with lamination and embossing, to create realistic-looking credit cards. To the untrained eye these will appear real and you will not be able to recognize the difference, since a complete hologram as well as the magnetic strip is included in the fake credit card.

4. Credit Card Skimming. Electronic card readers, or skimmers, are used in stores legitimately when processing a transaction. However, in the hands of a thief such a tool can be used to gather information for later use in criminal activities. Usually a small electronic device is plugged into the real electronic reader and then gathers the information of everyone who purchased at the store or made a withdrawal at the ATM machine. Or a portable skimmer is used to quickly swipe your card through the magnetic reader while you are not looking. Such information will be used for later unauthorized purchases or for making a new counterfeit credit card. This is usually done in restaurants or similar establishments where you temporarily lose sight of your credit card.

A typical skimming device is about the size of a pager, connected in the phone line between the phone jack and the credit card machine. A modern "skimmer" costs about $300, compared to the $5,000 to $10,000 in equipment needed to make a counterfeit credit card. When customers make a purchase, their cards are swiped through the business's credit card machine, where the card data is read from the magnetic strip and phoned in for approval. During this normal approval process, the "skimmer" captures the data and either duplicates it onto the magstrip of a plastic credit card "blank", or stores it within the skimming device to be downloaded later. (The magnetic stripe on credit cards is a "passive media", allowing creation of perfect copies of the digital credit card content.)

Credit card skimming can also occur any time that your card leaves your direct possession. Another common skimmer scam involves locating a portable skimmer card-swipe device near the business's own card scanner, or even a portable device carried in the pocket of a server. For example, your server brings your bill on the tip tray at the end of your meal. You place your credit card on the tip tray and the server returns to take your card/bill to the register for you. When your card is swiped through the business's card reader to approve your "authorized" purchase, it's also secretly swiped through a "skimmer" to steal your card's data; then the server returns your card to you.

In both these methods, the restaurant employee is a thief, either later using your card data fraudulently, or simply paid a flat rate (per card) by a thief for obtaining card data.

Many skimmers are even equipped with a panic button to instantly erase all collected data, eliminating all evidence in case of discovery.

An example: In the summer of 1999, two New York City restaurant servers were charged with skimming more than $300,000 from unsuspecting patrons.

Another type of high-tech skimmer can be secreted inside a business's normal credit card reader, and includes a wireless transmitter that allows skimmed numbers to be secretly recorded on a laptop computer anywhere within about 300 feet. (With this device, a thief can sit outside the restaurant in a car, skimming numbers, and no one may ever connect him with the crime.) Unless the restaurant staff notices someone has tampered with their card reader, the crime may not be discovered for quite some time!

A new and potentially far more dangerous form of point-of-sale terminal skimming involves implanting sophisticated software "skimmer bugs" into card reader terminals (and tiny "hardware" bugs for older terminals), allowing stolen information to be sent over the phone lines of legitimate swiping machines. These "skimmer bugs" can store numbers within the circuitry in the device and simply use the card reader's modem to dial out to a computer where the thief's system uploads the numbers. A few days later, the thief can even remove the bug, leaving virtually no sign there has ever been any tampering.

Annual U.S. skimmer-related losses exceed $100 million, and have grown from 3 percent just a few years ago to presently accounting for over 25% of all fraud involving high-tech devices.

"Skimming is the biggest problem in bank fraud today," says Gregory Regan, head of the U.S. Secret Service Financial Crimes Division. "It's the bank robbery of the future. It's technically simple, point-and-click technology. And the equipment is cheap. If you skim 15 or 20 accounts, you can generate $50,000 to $60,000 worth of fraud, and nobody is going to know about it until the victims get their bills, 30 to 60 days after the crime. So the odds of getting caught are reduced."

Counterfeit Money
Chapter 36

How to Detect Counterfeit Money

1. Compare. Compare a suspect note with a genuine note of the same denomination and series, paying attention to the quality of printing and paper characteristics. Look for differences, not similarities.

2. Feel the Paper. US bank notes are printed on special paper that's 75% cotton and 25% linen. The linen gives it an extra stiffness that's distinctive.

3. Color Shifting. Bank notes bigger than the $5 use color-shifting ink to print the number showing the denomination in the lower right-hand corner. Just look at the numbers head-on, and then from an angle. For genuine notes the color will shift (copper to green or green to black).

4. Portrait. The genuine portrait appears lifelike and stands out distinctly from the background. The counterfeit portrait is usually lifeless and flat. Details on fake bills usually merge into the background, which is often too dark or mottled.

(Real) (Fake)

5. Federal Reserve and Treasury Seals. On a genuine bill, the sawtooth points of the Federal Reserve and Treasury seals are clear, distinct, and sharp. The counterfeit seals may have uneven, blunt, or broken sawtooth points.

(Real) (Fake)

6. Border. The fine lines in the border of a genuine bill are clear and unbroken. On the counterfeit, the lines in the outer margin and scrollwork may be blurred and indistinct.

(Real) (Fake)

7. Serial Numbers. Genuine serial numbers have a distinctive style and are evenly spaced. The serial numbers are printed in the same ink color as the Treasury Seal. On a counterfeit, the serial numbers may differ in color or shade of ink from the Treasury seal. The numbers may not be uniformly spaced or aligned.

(Real) (Fake)

8. Paper Fibers. Genuine currency paper has tiny red and blue fibers embedded throughout. Often counterfeiters try to simulate these fibers by printing tiny red and blue lines on their paper. Close inspection reveals, however, that on the counterfeit note the lines are printed on the surface, not embedded in the paper. It is illegal to reproduce the distinctive paper used in the manufacturing of United States currency.

(Real) (Fake)

9. Watermark. All bills bigger than a $2 now have a watermark; hold the bill up to the light to see it. For the $10, $20, $50, and $100, the image matches the portrait. That's also true of the current $5 bill, but on the new $5 which came out in 2008, the watermark is a big numeral 5.

10. Security Thread. All bills bigger than a $2 have a security thread running vertically through the bill. Like the watermark, you hold the bill up to the light to see it.

11. Raised Notes. Genuine paper currency is sometimes altered in an attempt to increase its face value. One common method is to glue numerals from higher denomination notes to the corners of lower denomination notes. These bills are also considered counterfeit, and those who produce them are subject to the same penalties as other counterfeiters. If you suspect you are in possession of a raised note:

a. Compare the denomination numerals on each corner with the denomination written out at the bottom of the note (front and back) and through the Treasury seal.

b. Compare the suspect note to a genuine note of the same denomination and series year, paying particular attention to the portrait, vignette and denomination numerals.

12. Counterfeit Detector Pens. Counterfeit detector pens (like the one shown below from Risk Reactor) will help you spot counterfeit bills. Simply use the pen to draw a line or dot across the bill. If the line or dot stays amber, the currency is genuine; if it turns black, the money is counterfeit. Marks fade to keep bills clean and useable. Note that the pen tests only the paper (it reacts with the starch in ordinary wood-pulp paper), so it will not catch a raised note (item 11 above), which is genuine paper with altered numerals.

Counterfeit Coins

1. Poured. Genuine coins are struck (stamped out) by special machinery. Most counterfeit coins are made by pouring liquid metal into molds or dies. This procedure often leaves die marks, such as cracks or pimples of metal on the counterfeit coin.

(Real) (Fake)

2. Rare. Today counterfeit coins are made primarily to simulate rare coins which are of value to collectors. Sometimes this is done by altering genuine coins to increase their numismatic value. The most common changes are the removal, addition or alteration of the coin's date or mint marks.

Death Penalty for Counterfeiting

The Coinage Act of 1792 mandates the DEATH PENALTY for DEBASING the currency. Read for yourself:

"And be it further enacted, That if any of the gold or silver coins which shall be struck or coined at the said mint shall be debased or made worse as to the proportion of the fine gold or fine silver therein contained, or shall be of less weight or value than the same ought to be pursuant to the directions of this act, through the default or with the connivance of any of the officers or persons who shall be employed at the said mint, for the purpose of profit or gain, or otherwise with a fraudulent intent, and if any of the said officers or persons shall embezzle any of the metals which shall at any time be committed to their charge for the purpose of being coined, or any of the coins which shall be struck or coined at the said mint, every such officer or person who shall commit any or either of the said offenses, shall be deemed guilty of felony, and shall suffer death" (Section 19).

Photographing Money or Checks

The law sharply restricts photographs or other printed reproductions of paper currency, checks, bonds, revenue stamps and securities of the United States and foreign governments. Specifically, the Counterfeit Detection Act of 1992, Public Law 102-550, in Section 411 of Title 31 of the Code of Federal Regulations, permits color illustrations of U.S. currency provided:

- The illustration is of a size less than three-fourths or more than one and one-half, in linear dimension, of each part of the item illustrated.
- The illustration is one-sided.
- All negatives, plates, positives, digitized storage medium, graphic files, magnetic medium, optical storage devices, and any other thing used in the making of the illustration that contain an image of the illustration or any part thereof are destroyed and/or deleted or erased after their final use.

Photographing Foreign Money

Photographs or reproductions of foreign currencies are permissible for any non-fraudulent purpose, provided the items are reproduced in black and white and are less than three-quarters or greater than one and one-half times the size, in linear dimension, of any part of the original item being reproduced. Negatives and plates used in making the likenesses must be destroyed after their use for the purpose for which they were made. This policy permits the use of currency reproductions in commercial advertisements, provided they conform to the size and color restrictions.

Counterfeit U.S. Postage Stamps

2008 Bust. In February 2008, an underground printing operation in New York City was caught producing $300,000 worth of high-quality counterfeit U.S. postage stamps. The U.S. Postal Inspection Service says such operations are just a small part of a thriving black market in bogus stamps. The busted printing operation was being run out of an apartment on the Upper West Side of Manhattan.

In the raid they also found USPS wrappers complete with barcodes, computer software, industrial-sized cutting boards, three industrial printers and other professional printing supplies. Authorities say the quality of the counterfeit stamps was excellent and that they were destined to be sold at cut rates on the Internet or at small grocery stores in New York. The US Post Office reported that people most often sell counterfeit stamps online and door to door.

Phosphor Security Feature. The investigation into counterfeit stamps was triggered after postal inspectors discovered that hundreds of letters were being rejected for delivery because the stamps lacked the required phosphor tagging.

It is Illegal to Reuse Stamps. According to the US Post Office web site, it is illegal to reuse a stamp that has already been used, even if that stamp was not properly cancelled. Here is the excerpt:

Counterfeit Tax Stamps

Also in February 2008, millions of dollars worth of counterfeit cigarette tax stamps were seized in New York, authorities announced Wednesday. The fake stamps would have allowed unscrupulous cigarette dealers to evade nearly $6.1 million in state and city taxes. Tax stamps, which must be affixed by distributors to packs of legal cigarettes, cost $3 each in New York City, $1.50 in the rest of the state and $2.57 in New Jersey.

Security Features of U.S. Treasury Checks

Counterfeiting of checks issued by the Federal Government has become a common problem. Accordingly, several security features have been incorporated into U.S. Treasury checks that are easy to authenticate and difficult to reproduce on office machine copiers/printers, as follows:

1. Paper. The paper used for Treasury checks is chemically responsive to all solvents and ink removers, which makes most alterations easy to notice. It also contains a continuous pattern watermark that says "U.S. Treasury." This security feature cannot be reproduced on an office machine copier.

2. Printing. The dry offset printing process is used to print Treasury checks. The inks react to leaching and bleaching. They fade when rubbed with water and dissolve when exposed to alcohol or bleach. This makes most alterations noticeable.

3. Copy-Proof Colors. The colors of the inks are of a low density, which makes them difficult to reproduce on an office machine copier.

4. Microprinted Text. The signature line on the reverse side of the check is comprised of microprinted text that repeats the letters "USA."

5. Fluorescent Image. The checks have a fluorescent image printed in the center that can be viewed under ultraviolet light but cannot be reproduced by an office copier.

6. Bleeding Ink. Bleeding ink in the Treasury Seal will smudge red when exposed to moisture.

7. Dual Wavelength Bands. The fluorescent image overprinted in the center has been enhanced to contain dual fluorescent wavelength bands.

Alterations Forfeit the Entire Government Check. If a legitimate payee alters the amount on a government check, they forfeit the entire original amount of the check and are subject to criminal prosecution.

Fake $1 Million Bill. In 2004, a Covington, Ga. woman tried to use a fake $1 million bill to buy $1,675 worth of merchandise at Wal-Mart. She said it was all just a misunderstanding: she thought the bill was real. Her estranged spouse had given the joke-shop currency to her.

Cracking and Hacking
Chapter 37

Introduction

Hacking, Cracking, and Phreaking are alive and well today. The Internet provides the communication pipeline that allows tens of thousands of hackers, crackers, and phreakers to share information and teach one another how to bust into the latest hardware, local area networks, operating systems, and software application products. Today, anyone with a desire to do so can become a hacker, cracker or phreaker and try their hand at hacking, cracking, or phreaking. Just so you know:

1. The term "Hacker" refers to non-destructive, law-abiding people who are expert programmers and systems wizards. They fancy themselves as "computer gurus" who use their talents to make things work. You are not considered to be a "hacker" until other "hackers" routinely refer to you as a "hacker". Being a "hacker" is supposed to be "COOL".

2. The term "Cracker" refers to destructive people who use their hacking skills (or hacking tools) to break into systems, destroy systems, steal data, rip off application software, and perform a number of illegal activities. Being a "Cracker" is supposedly "CRIMINAL".

3. The term "Phreaker" refers to people who break into telephone systems in order to call long distance with no charge, to tap phone lines, to break into voice mail boxes, to steal information, to eavesdrop, to cause damage, etc. Being a "Phreaker" is supposedly "CRIMINAL".

Why Study Hacking, Cracking & Phreaking?

The fact that virtually any intelligent person can easily become a hacker, cracker, or phreaker poses a security threat to every organization. Today's Systems Information professionals need to be aware of the types of threats that exist today in order to take the necessary measures to protect against these threats. In some cases, Systems Information Professionals can use the same tools the crackers use in order to test the security of their own systems. In other cases, knowledge in this area can help the Systems Information Professional identify employees or others who may be openly discussing these tools, searching for these tools, or downloading these tools in time to take corrective measures. Further, an understanding of these threats is necessary to help Systems Information Professionals develop policies and procedures to help prevent problems before they arise.

Key Hacking & Cracking Terms:

Term
A. Hacking (42,000,000)
B. Cracking (25,600,000)
C. Phreak, Phreaking, Phrack (1,060,000)
D. 40Hex (4,660)
E. Serialz (serial numbers) (4,640,000)
F. Crackz (cracking programs) (5,360,000)

242

InformationSecurity
G. HackingTools
(1,270,000)
H. HackingMagazines
(444,000)
I. EMailTools(11,500)
J. AnonymousSenders
(381,000)

K.
L.

Bombers(11,000,000)
KeyGenerators
(1,540,000)
M. Flooders(411,000)
N. CrackingSearch
Engine
O. ICQTools(112,000)
P. SniffingTools
(163,000)
Q. KeyLoggers(397)
R. SpoofingTools
(146,000)
S. FakeIds(254,000)

T.

CreditCardMaking
Equipment(453,000)

U. LearningtoHack
V. HackedSites
W. Meetings
X.

Y.
Z.

HackingandCracking
termsindifferent
languages
ForeignLanguage
Conversion
DIRT(virus)(44,000)


Hacking, Cracking and Phreaking Books

There are plenty of books available on the subjects of Hacking, Cracking and Phreaking. For example, the book Maximum Security was written by an anonymous hacker to help you protect your system from invaders and the arsenal of tools, back-end secrets, and bugs they have at their disposal. We don't know much about the author of Maximum Security, only that he was convicted of multiple crimes involving friendly neighborhood ATM systems before deciding to use his talents in a more law-abiding fashion. Told from a hacker's perspective, Maximum Security details methods for concealing identity, cracking passwords, and gaining access to systems running everything from Unix to Windows NT to the Mac OS. He also explains how best to counter or prevent these techniques. Every system administrator should read this book and sleep better at night for having done so.

How Easy Is It To Become A Cracker?

Simply search the Internet for a file called "40HEX". You will find it available on thousands of web sites. This file contains 40 deadly viruses, along with instructions for altering these viruses to make them more deadly. From here, you could simply send these files to an unsuspecting person via a diskette, email, or web page downloadable file. The diskette, email message, or web page could assert that the file will clean up a hard drive, thereby making your system run up to 30% faster. Many suckers would fall victim to such a scheme.

There are also guides, tutorials, textbooks, and lessons all designed to help you learn how to become a Cracker. All you need do is search the Internet for the term computer cracker, and you will find over 579,000 web sites with information on the subject. Incredible. Because of the criminal nature of these web sites, they are constantly moving from one web server to another as they are censured by their web page hosting service or as lawsuits are filed against the owners of these web sites. Still, these crackers seem to simply move their web site to a new server for a few months, announcing their moves in the cracker chat rooms and discussion groups. Censuring these web sites is akin to herding cats; it's probably not going to happen.

Why Do Hackers Hack and Crackers Crack?

Hackers generally hack for money. They are generally available for hire to write code, test code, test systems, implement firewalls, etc. The problem is that, based on many of the web sites I have visited, many Hackers are also Crackers, although there appears to be a well-established movement among Hackers to denounce cracking activities. As shown below, 90% of all hackers are considered to be amateurs, which means they really haven't earned the right to be called a hacker, but they are working at it.

Crackers appear to crack for several different reasons, as follows:

- Just as you and I play chess for the sheer intellectual challenge of the game, some crackers crack for the sheer challenge as well. It is as if some expert out there has established security defenses and stated "I dare you to break through these defenses". Some crackers enjoy breaking through this security and have no evil intentions of stealing data or destroying data once they have achieved their goal. They obtain immense satisfaction in having proven their skill to themselves.

- Other Crackers are just plain evil and they get a kick out of sabotaging someone's systems, destroying their data, or otherwise making someone's life miserable. Trying to understand this motive is akin to understanding why a juvenile smashes mailboxes; it's just plain stupid and most mature people see it that way.

- Many crackers crack in order to save money. Instead of purchasing the latest software, they simply steal it, copy it, or break through the evaluation copy defenses. Crackers also attempt to obtain free access to the internet, pay-per-view web sites, and subscription web sites.

- The final reason a Cracker cracks is for money. Some professional crackers crack in order to steal information that they can use or sell, almost always in a criminal manner. For example, a list of names, addresses and credit card numbers would be easy to sell on the black market, as evidenced by the fact that credit card making machines and blanks are widely available through cracking web sites. At least the motive is plain to see and easy to understand.

Why Do Phreakers Phreak?

Phreakers phreak for the same reasons that crackers crack: some for the challenge, others to cause havoc, some to avoid phone charges, and yet others are looking for information that can be used to turn a profit. It also appears that phreaking technology is used moderately by private detectives and possibly company security officials who want to keep an eye on someone. Learning to Phreak is as simple as visiting Phrack magazine located at: http://www.phrack.org/

Here you will find hundreds of detailed articles describing how to break into phone systems, make long distance calls without being charged, build equipment that can be used to tap a phone, or purchase a device that lets you dial any phone number in the world so that the phone you dial will not ring, but you can listen to the conversations going on in the room. Using this information, any employee, customer or person with access to your conference room could eavesdrop in on your next Board of Directors meeting.

Sample Hacking, Cracking & Phreaking Web Sites

This page provides a basic introduction to hacking: http://catb.org/~esr/faqs/hacker-howto.html.

Hacking runs the gamut from harmless pranks to vicious breaches of security. For example, one web site explains how to edit the Windows XP hosts file to get Internet Explorer to point to a different web site than the one entered. Here are the steps:

1. Visit www.ipaddress.com and obtain the IP address for the target web site.
2. Search for the file called "hosts" (in Windows Vista, XP and 2000 it is in C:\Windows\System32\drivers\etc\).
3. Open the hosts file with Notepad.
4. Add this text to the bottom: 206.61.52.30 www.cia.gov
5. In the future, typing in www.cia.gov will instead take the user to the web site at 206.61.52.30, but the URL will still read www.cia.gov.
6. You will need administrator rights to edit the hosts file.
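
The defensive counterpart to the steps above, added here as an example and not taken from the course handout: a short Python script that parses a hosts file and flags exactly the kind of entry those steps create. The watch list of hostnames, the sample hosts file and its 192.168.1.20 LAN entry are constructed for the example (only the 206.61.52.30 www.cia.gov line comes from the steps), and the default file location assumes a standard Windows or Unix install.

```python
"""Audit a hosts file for entries that hijack well-known hostnames.

Example added to the handout, not part of it. A legitimate hosts file maps
names to loopback (127.0.0.1 / ::1), to 0.0.0.0 as a blocking sink, or to
LAN addresses; a public address next to a well-known hostname is the
fingerprint of the redirect described in the steps above.
"""
import ipaddress
import os
import sys
from pathlib import Path

# Hostnames a defender never expects to be overridden locally
# (constructed watch list; extend it with your own banks, vendors, etc.).
WATCHED_HOSTS = {
    "www.cia.gov",            # the hostname used in the handout's example
    "www.microsoft.com",
    "update.microsoft.com",
    "www.google.com",
}

# Targets that are normal in a hosts file: loopback and the "block" sink.
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample hosts file; the last line is the redirect from the steps.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.corp.local    # constructed LAN entry
206.61.52.30    www.cia.gov              # redirect from the handout's example
"""


def parse_hosts(text):
    """Return (line_no, ip, hostname) triples for every mapping in a hosts file.

    Comments (everything after '#'), blank lines and lines whose first token
    is not an IP address are skipped; hostnames are lower-cased because DNS
    names are case-insensitive.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # not a mapping line
        for host in tokens[1:]:
            entries.append((line_no, str(ip), host.lower()))
    return entries


def find_redirects(text, watched=frozenset(WATCHED_HOSTS)):
    """Return suspicious mappings as (line_no, ip, hostname, reason) tuples.

    Two checks: a watched hostname pointed anywhere but a benign target, and
    any hostname pointed at a globally routable address (a LAN address such
    as 192.168.x.x is left alone).
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if ip in BENIGN_TARGETS:
            continue
        if host in watched:
            findings.append((line_no, ip, host, "watched hostname overridden"))
        elif ipaddress.ip_address(ip).is_global:
            findings.append((line_no, ip, host, "mapped to a public address"))
    return findings


def default_hosts_path():
    """Location of the live hosts file on Windows or a Unix-like system."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


if __name__ == "__main__":
    # Audit the file named on the command line, or the system hosts file.
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else default_hosts_path()
    text = path.read_text(encoding="utf-8", errors="replace")
    for line_no, ip, host, reason in find_redirects(text):
        print(f"{path}:{line_no}: {ip} {host} ({reason})")
```

Run against the sample file the script reports only line 5, the www.cia.gov redirect; the LAN entry and the loopback lines pass.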

Famous Hacking Web Site

http://www.2600.com/mindex.html (2600, The Hacking Quarterly).

Cracking and Hacking Tools

There are hundreds of tools that you can download free of charge and use for hacking, cracking, and phreaking. CAUTION: If you download any of these files you should run them only on a single-user computer; do not run them on a workstation on your local area network. You should scan all files for viruses first, making sure that you have the latest version of your virus protection software. You should be advised that the use of some of these tools may constitute illegal activity and could inadvertently cause damage to your company's computer systems, for which you could go to jail. Please be careful and take all of the necessary cautions before downloading any of the files discussed below:

Viruses

Viruses come in many different flavors including boot viruses, file viruses, macro viruses, multipartite viruses, new-EXE viruses (Windows 95, Windows, OS/2, Unix), Trojans, virus constructors, and joke programs. You can keep track of the latest list of known viruses, including detailed descriptions of those viruses, at many web sites including McAfee, Dr. Solomon, Norton AntiVirus, and the AVP Virus Encyclopedia web site shown below:

Viruses are divided into classes according to the following four characteristics:

1. Environment;
2. Operating system (OS);
3. Different algorithms of work; and
4. Destructive capabilities.

The environment of a virus may be the file, boot, macro, or network. File viruses infect executables. Boot viruses save themselves in the disk boot sector or the Master Boot Record. Macro viruses infect document, spreadsheet, and database files. Network viruses use the protocols and commands of computer networks or email to spread themselves. Each file or network virus infects files of one particular or several operating systems, such as DOS, Windows 3.xx, Windows 95/NT, OS/2, etc. Macro viruses infect Word, Excel, and Office 97 format files. Boot viruses are also format oriented, each attacking one particular format of system data in boot sectors of disks. Among OPERATING ALGORITHMS the following features stand out: TSR capability; the use of stealth algorithms; self-encryption and polymorphic capability; and the use of non-standard techniques. A virus's destructive capabilities can be divided as follows:

1. Harmless;
2. Not dangerous, limiting their effect to lowering free disk space;
3. Dangerous, which may seriously disrupt the computer's work;
4. Very dangerous, where the operating algorithms intentionally contain routines which may lead to losing data, data destruction, or erasure of vital information in system areas.

Many of the hacking, cracking, and phreaking tools are really just instructions rather than actual programs you download and run. For example, assume that your client's bookkeeper quit, but before leaving inserted a new password into QuickBooks. Your client can no longer access their data and the disgruntled employee is long gone. In this case, hackers have solved the problem and the instructions are readily available on the Internet, as shown in the screen below:

In this case, a web site called Password Recovery Tactics describes the procedure by which you can use Norton's tools to peek into the hexadecimal code of the QuickBooks file and replace the encrypted password with your own. Notice that while this example appears to be a constructive use of the information, an evil employee or other person could use the same instructions to access confidential financial data. The borderline between hacker and cracker is very narrow indeed.

SATAN (Security Analysis Tool for Auditing Networks). In default mode, SATAN gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, and other services. The information gathered includes the presence of various network information services as well as potential security flaws, usually in the form of incorrectly set up or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It can then either report on this data or use a simple rule-based system to investigate any potential security problems. Users can then examine, query, and analyze the output with an HTML browser such as Mosaic, Netscape, or Lynx. While the program is primarily geared towards analyzing the security implications of the results, a great deal of general network information can be gained when using the tool: network topology, network services running, types of hardware and software being used on the network, etc.

However, the real power of SATAN comes into play when used in exploratory mode. Based on the initial data collection and a user-configurable ruleset, it will examine the avenues of trust and dependency and iterate further data collection runs over secondary hosts. This not only allows the user to analyze her or his own network or hosts, but also to examine the real implications inherent in network trust and services, and helps them make reasonably educated decisions about the security level of the systems involved. SATAN's overview documentation and download can be found here:

http://jackets.gt.ed.net/satan1.1.1/docs/satan_overview.html


Cracker Jack

Password Cracking Programs

Password cracking programs are designed to break into various programs using a variety of methods. Some of these programs use dictionary attacks, systematically trying thousands of popular passwords such as spring, summer, baseball, 12/25/98, etc. These programs will also test whether common default user names and passwords will work (such as ADMIN, PASSWORD). Other password cracking programs use brute force attacks, where all possible combinations of letters and numbers are systematically checked against a logon screen or against a stolen password hash.

Crack AMI BIOS 1.1
AMI - Read the password
AMI BIOS - For newer BIOS, with source
Show BIOS password
Remove SETUP password
AMI BIOS password viewer
ARJ password cracker from Russia
Break ZIP
Brute force cracking
Find a ZIP password
PKZIP archive cracker - fast!
Password guesser for ZIP files
Crack ZIP file passwords
Claymore for Windows - a brute force cracker
CrackerMate - a game cracking program
Intruder 2.1 - will remove ANY protection from BP/TP/BCPP/TC/MSC/CLIPPER programs
Delam's Elite Password Leecher
Jill 2.0 - Cracking utility for Cracker Jack
Prepare lists for Cracker Jack
Novell password crack
Password breaker - generic
Permut - a simple tool to generate passwords
POPcrack - POP mail password cracker
Trumpet Winsock password cracker
Automated password generator
Remote Access user list password hacker
Netware password catcher
Therion's Password Utility - word list manipulation tool
Unix password hacker
Microsoft Word password cracker
Word for Windows password cracker
Crack WinCrypt files

E-Mail Tools

Files related to causing destruction over e-mail (bombing) and recovery from said bombing.

Anonymous Senders:
Win95 Anonymail - Anonymous e-mailer
SendFake - Send e-mail from addresses of your choosing

Bombers:
Avalanche 3.6 - The newest version of a great bomber
CompuServe Based E-Mail Bomber - E-mail bomber
Death 'n Destruction 4.0 - E-mail bomber; includes tools to resolve IPs, send OOB packets, finger, and listen on ports
Extreme Mail Beta 1 - New mail bomber, decent
Homicide - Good mail bomber
Kaboom v3 - An easy to use e-mail bomber; includes mailing lists
Mail Bomber v.02b - Mail bomber
MailFlash - Sends mail to screw over UNIX mail terminals
Nemesis Mail Bomber 1.0 - Anonymous bomber; uses telnet.exe to send mail
QuickFrye - Bomber & anonymous mailer
The Unabomber - Mail bomber with great anonymizing capability
Up Yours 4 Beta 3 - Bomber & anonymous sender; supports HELO spoofing

Clean Up:
BombSquad v2.0 - Clean up after you've been e-mail bombed
MailCheck - Check servers for anonymous mail


ICQ Tools

Programs designed to kill ICQ and people over ICQ. ICQ is an instant messaging, chat, and file transfer program by Mirabilis.

Clean Up:
ICQ DeFlooder v1.0 - Deletes all unread messages after a bomb
ICQ Bombsquad - Cleans up after receiving a bomb
ICQ SWAT - Deletes bomb messages

ICQ Flooders:
IcnewQ - Spoof messages, bomb, kill ICQ
ICQ Message Flooder - Sends large numbers of messages from spoofed UINs
ICQ Flooder '95 - Bombs target from random UINs
IcKiLLeR - Sends mass messages from random UINs
ICQ Zap - Message bomb from random UINs
ICQ Revenge - Message bomber

IP Sniffers:
ICQ IP Address Unmasker - Shows IP despite hiding
ICQ IP Sniffer - Shows IPs of even hidden ICQ users

Protection:
Warforge ICQ Protect - Protects from ICQ bombs
ICQ Bomb/Hacking Utility Protector - Opens 14 ports to confuse scanners
WarForge ICQ Bomb Protection System v2 - Protects ICQ from being bombed

Miscellaneous:
ICQ Auto Authorize - Adds anyone to your contact list without their permission
ICQ Port Sniff! - Finds the port that ICQ is running on
ICQ Source UIN Spoofer - Send anonymous ICQ messages

Flooder Tools

Flooders are programs designed to severely lag a person's connection, sometimes to the point of them being disconnected.

ICMP Flooders:
Technophoria Battle Pong - ICMP flooder
Kaput 1.0 beta 1.5 - ICMP and finger flooder
Final Fortune 2.4 - ICMP clone flooder
Hak Tek Version 1.1 - ICMP flooder, mail bomber, anti-bomber, port scanner
ICMP Bomber! - ICMP flooder
ICMP Flooder v0.2 - ICMP flooder
IPing32 - Ping tool
IWD Simple ICMP Bomber - ICMP flooder
Ping - ICMP tool/flooder; comes with Windows 9x
Sonar v1.0.2 - ICMP tool
Trumpet Ping - ICMP flooder
Vaite j ICMP ToolKit v2.01 (English Version) - ICMP bomber, nuker, nuke detector, and an OOB attacker
Vaite j ICMP ToolKit v2.01 (Portuguese Version) - ICMP bomber, nuker, nuke detector, and an OOB attacker
XScript ICMP Bomber v0.3 by Code - ICMP flooder

UDP Flooders:
Pepsi - UDP flooder
UDP Port Nuke - UDP flooder
UDP2 v10.2 - UDP flooder
UDP Blaster v1.53 - UDP flooder
UDP Flooder - UDP flooder
surge UDP Port Flooder - UDP flooder
Rebellion UDP Flooder - UDP flooder
UDP PRO v2.0 - UDP flooder
surge UDP Port Spammer - UDP spammer
UDP Datastorm - UDP flooder
Wpepsi - UDP flooder for DOS

Port Bombers:
Beer - Mass connection port flooder
Bmb2 - Mass data port flooder
Boom - Port bomber
Gewse 97 - Mass data port flooder
Internet Packet Tools v1.00 Build 300 - Floods TCP or UDP ports
Mutilate - Mass connection port flooder
Octopus - Mass connection port flooder
DOS Panther Modern Mode 1 - Port bomber for 56k connection
DOS Panther Modern Mode 2 - Port bomber for T3 connection
PortFuch 1.0b2 - Mass connection port flooder
Pounder Alpha 1 - Mass connection port flooder

IRC Tools
Internet Relay Chat tools are programs designed to generally knock people off IRC any way possible.

Clone Flooders:
Excess Flood 2.9 - Loads clones to flood users
Floodbots Flooder 2.0 - Clone flooder
Floodbot Front End v0.2 - Companion shell for Floodbots Flooder 2.0
iRC kiLLer pRO! - Combines Flash, Floods v2.4, Multi Collide Bot 95, and SUMO/95 v1.1 Lag Killer!
SUMO/95 1.1 - Lag killer flooder
WaKo FloodBots 2.5 (7th Sphere) - Clone flooder

DCC Attacks:
DCC Fuker 1.2 - DCC flooder for mIRC
DCC Locker '97 - Can lock DCC chats in mIRC
DCC Unfer - Locks DCC chats in mIRC

Hanson Programs:
Bug Exploit 1.5 - Attacks mIRC 5.3x
DeePFreeZe II - Attacks mIRC 5.3x
DCC of Death - Kills mIRC 5.4
mIRC Freeze - Freezes mIRC
mIRC Slap - Attacks mIRC 5.3x

ICMP Unreach Disconnectors:
Click 1.4 - Uses the ICMP_Unreach bug to disconnect clients from IRC
Click 2.2 - New version for Winsock 2.2
Wnewk - Simple disconnector
WnewkX - Newer version of Wnewk
WNuke (WinNuke v1) - Unreach disconnector
WNuke ][ - Updated version
WNuke 4 - Newest version

Link Lookers:
Link Looker for Windows 95 Ver 1.61 (GOLD BETA) - Looks for IRC server splits
Link Looker for Windows 95 Ver 2.2 - Looks for IRC server splits
xLinkLooker Version 1.0a - Looks for IRC server splits

Miscellaneous:
Lynch0 - Floods IRC servers with bogus server login attempts
Multi Collide Bot 95 - Collides nicknames off IRC
ninX's Port Blocker b100 - Blocks chosen ports
XNetStat - Shows you your active Internet connections

Port Scanners:
Cabral's Domain Scanner Final - Scans a C block of addresses
Cha0scanner v2.0 - Port scanner
FTPScan - Anonymous port scanner, works through an FTP server
HostScanner - Scans chosen domain for all host names
Mirror Universe 2.1 - Gives NetBIOS information about a target system
Netcop v1.6 - DNS resolving, domain WHOIS data
NetGhost DomainScanner - Scans domain for a chosen port
Ogre - Checks servers for open FTP, HTTP, SMTP, Telnet, etc. and for misconfigurations
OstroNet - Whois client, finger client, port scanner, domain scanner
PortPro v0.93 - Port scanner that can flood open ports
PortSage - Port scanner
Rebellion v2.0 port scanner - Port scanner
Port Surveillance v.05 - Scans a port
PortScanner 1.1 - Scans a group of IP addresses looking for certain open ports
SiteScan - Scans for exploits: PHP, finger flaws, PHF, Handler, _vti_pvt, Service.pwd, IISAdmin, Wrap, aglimpse, test.cgi, *.pwl, *.pwd

Nuker Tools

Programs that exploit the Out of Band Data and Invalid Fragmentation bugs in Windows and some UN*X variants. These programs do everything from killing the TCP/IP subsystem until the next restart to disabling your operating system.

BitchSlap v1.0 - Port 139 OOB nuker
BloodLust - Chosen port OOB nuker
BlueRain's Port 139 OOB Attack Prog Version 1.0 - Chosen port OOB nuker
CGSi OOB Message GFP Gen - Chosen port, multi-IP OOB nuker
DIE - Port 139 OOB nuker
DIE3 - Chosen port OOB nuker
DIE3 NT - Kills Windows NT running DNS on port 53
Divine ]I[ntervention 3 - OOB attack, ICMPer, ICQ killer, mail bomber, mass subscriber, DCC flood bot, and text flood bot
Death 'n Destruction: DoS - OOB attack, port protector
Calvin's Labs NetAttact - Chosen port, size and number OOB nuker
FedUp 2.0 - Chosen port OOB nuker
KiLLmE v1.0 - Port 139 OOB nuker
KillWin - Chosen port and number OOB nuker
Knewk'em All v1.0 - Chosen port and number OOB nuker
Meliksah Nuker v1.0 - Chosen port and number OOB nuker
MSNuke - Port 139 OOB nuker
Muerte - "The first, best, and only OOB exploit you will ever need"; IP and port scanning
Nuke v2.3 - OOB attack, death confirm
Nuke Attack - Chosen port OOB nuker
Nuker 1.02 Beta - Port 139 OOB nuker
WinNUKE - Port 139 OOB nuker
WinNuker v0.2 - Multi-port OOB nuker
WinNuke V95 - Port 139 OOB nuker
WNUKE32 (Build 69) - Port 139 OOB nuker
WinNuke for Win95 v1.1 - OOB to port 135 or 139; includes patch

Key Loggers

Programs to log all keystrokes on a computer to a file. They are usually used to capture user names and passwords.

IK
KeyLog2
KeyLog '95

Network Tools

Programs built to give you any information possible about a target address, or to help you find an address that has certain characteristics.

Port Listeners:
ICMP Monitor Version 0.92 - ICMP detector with a DNS lookup tool
ICMP Scan v2.0 - Scans for connected IPs
ICMP Datagram Sniffer v1.0 Alpha 5 - ICMP detector for DOS
ICMP Watch v1.3 (7th Sphere) - Detects incoming ICMPs
NukeNabber 2.9 - Listens on 50 chosen ports for TCP and UDP attacks + ICMP_UNREACH
Nuke Detector v1.0 - Port 139 nuke detector
NukeNabber 2.5 - Catches and logs incoming nukes
The Port Block v0.05b - Blocks chosen ports
Skream's Port Listener v2.3 - Listens on a chosen port
Port Listener v2.2a - Listens on a chosen port
Port 139 Watcher - Port 139 nuke detector

Warez Newsgroups:
alt.binaries.warez.ibmpc - Get some WareZ.
alt.binaries.warez.ibmpc.d - Get some WareZ.
alt.binaries.warez.ibmpc.gamez - Get some gaming WareZ.
alt.binaries.warez.ibmpc.old - Get some older WareZ.

Key Generators & Registration Tools
AbsoluteFTP v1.0b9 - Time/nag crack
ACDSee32 2.x - Key generator
Age Of Empires - Microsoft Age Of Empires 1.0a update crack
Age Of Empires - Microsoft Age Of Empires CD crack
Agent 0.99x - Serial # generator for Agent 0.99e-k
Agent 1.5 - Agent 1.5 build 452 X-header patch
Agent 1.x - Serial # generator for Agent 1.x
Andretti 98 - Andretti 98 crack patch
Bryce 2 - Bryce 2 demo update
Catz 1.00k - Catz Demo 1.00k crack
CDQuick 3 - Key generator
CD/Spectrum Pro 3.2.327 - CD/Spectrum Pro version 3.2.327 patch
CDDA 1.7 - CDDA (DA2WAV) 1.7 key file maker
CleanSweep 3.0 Trial - CleanSweep 3.0 Trial crack patch
Clock Manager - Key generator
ComSpy win98/95 - Key file maker
CoolEdit 96 - CoolEdit v1.52 key generator
CuteFTP32 - Hidden files & folders patch
CuteFTP32 v1.7/1.8 - Key file builder for CuteFTP
CuteFTP32 v2.0 - CuteFTP 2.0 FINAL key file creator
Dark Reign - CD-ROM check crack
Dark Reign - Dark Reign CD check crack
Dogz - ADOPTDOG.03 registration generator for DOGZ
Dogz v1.8Q - DOGZ v1.8Q registration crack
Ecopad32 v3.31 - Key generator
Email Address Sniffer 2.1 - Patch
Eudora - Eudora X-Header editor
Eudora Pro 4 - Demo expiration patch
F22 Lightning II - F22 Lightning II crack
GameSpy 1.01 - GameSpy 1.01 registration patch
GameSpy 1.50 - GameSpy 1.50 FINAL registration patch
GameSpy 1.52 - GameSpy 1.52 key generator
GameSpy 1.52 - GameSpy 1.52 reg patch
Gear Replicator 1.2 - Unlock generator
Ghost - GHOST v2.1.4 "KEYMAKER" [JAM/UCF]
GIF Construction Kit - GIF CONSTRUCTION SET *KEYMAKER*
Graphics Workshop - Brute force reg hacker
Graphics Workshop 95 - Key generator
Hard Disk Sleeper 1.4 - Key generator
Hexen 2 - Hexen 2 CD crack
HomeSite v2.0 - HomeSite v2.0 key generator
HomeSite v3.0 - HomeSite v3.0 patch
HotDog Pro 4.5+ - Key generator
HotDog32 1.0 - Crack patch
HyperSnap 2.64 - Key generator
ImageView95 1.2 - Key generator
Internet Conference Professional 1.2 - Key generator
Internet Phone v4.5.03 - Internet Phone v4.5.0.3 crack

Spoofing Tools
Programs to make you look like you're coming from some other address on the Internet (mostly used on IRC).

IdentD Spoofers (Identity Spoofers):
DC Internet Services
EyeDent
WinSpoof '97

DNS Spoofers:
cha0s IP Spoofer - Cache a "ghost connection" on an IRC server
Erect '97 - DOS port of the "erect" spoofer; requires access to a name server
Jizz - DOS port of the "jizz" spoofer; requires access to a name server
Spewfy - Cache a "ghost connection" on an IRC server

WinGate Tools
WinGate is a program that allows a computer to act as a gateway between networks. These programs exploit WinGate.
wGateScan v2.2 - Scans B and C blocks for active WinGates
zFn - Loads IRC flood clones through WinGate

Phreaking Tools
beige box - Instructions for making a lineman's handset.
blue box - Generates 2600 Hz tones.
chartreuse box - Lets you take power from a phone line.
chrome box - Allows manipulation of traffic lights.
crimson box - Lets you put people on hold.
gold box - I'm not sure what this is for.
neon box - Good for recording tones, or anything else.
white box - Change a normal touchtone keypad into a portable unit.

Cracking & Hacking Newsgroups:

alt.cracks - Great place to get cracks.
alt.cracker - Cracks forum; get and request cracks.
alt.hackers - Hackers forum.
alt.hackintosh - Forum on hacking Macintosh.
alt.hackers.malicious - Malicious hackers forum.

Key Generators & Registration Tools (continued)
Internet Phone v4+ - Internet Phone v4+ [CraCkPatCh]
Internet Phone v5.0 - Internet Phone v5.0 build 114 patch
Internet Phone v5.0 - Internet Phone v5.0 build 135 patch
Kaleidoscope 95 - Key generator
LiveImage 1.26 - Crack patch
LView Pro - Key generator
LView Pro 95 - Key generator
Magic Folders 97.10a - Key file
Magic Notes 1.6 - Key generator
MDaemon - Registration code generator
Microangelo - Microangelo 95 v2.x *Keymaker*
Microsoft - MS Code Generator 1.01 (all products)
Microsoft Freecell - Undo enabler patch
Microsoft Project 98 (8.0) - Evaluation patch
mIRC 5.3 - Key generator
mIRC V4.52+ - mIRC V4.52+ *kEYMAKER*
mIRC V5.00+ - Keymaker for mIRC 5.00 onwards
MOD4Win 2.30 - Mod4Win 2.30+ KeyMaker patch
Money 98 - MS Money 98 (6.0) crack patch
MotoRacer - MoToRaCeR *uNiVeRSaL CRaCK*
Nearside Build 554 - Reg patch
Netbar 2.0 - Key generator
NetTerm 2.8.9 - Key generator
NetTools - Key generator
Norton AntiVirus 2.01 Trial - Crack patch
NTcrt 1.0B6 - Key generator
Office 97 - Microsoft Key Generator 2.0
Paint Shop Pro 4.14 - Shareware crack
Personal Stock Monitor 1.1 - Key generator
PGP Manager 32 1.6b - Key generator
PKZIP - Authenticity Verification
PowerDesk - kEYmAKER
Pretty Good Solitaire 3.97.2 - Key generator
Quake 2 - Quake 2 v3.09 update CD check removal
Quake 2 - Quake 2 v3.10 update CD check removal
RAS+95 - Key generator
SciTech Display Doctor 5.2 - uNIVBE v5.2 *kEYmAKER*
SciTech Display Doctor 6.0 - Key generator
SciTech Display Doctor 6.0 Retail - Key generator
SciTech Display Doctor 6.0 Trial - Patch
Secret Agent 1.12 - Key generator
Serv-U FTP - sERV-u 2.xX *kEYMAKER*
SideKick 98 - Unlock code generator
Snapshot/32 2.55 - Key generator
Sound Gadget Pro - Key generator
Stiletto 96a - Key generator
SubSink Pro 97 - Key generator
ThumbPlus 2.0 - Key generator
Thumbs+Plus v3.0c - Patch
ThumbsPlus32 v3.10 - Time limit/nag screen crack
Trumpet WinSock 95 - Key generator
Uedit32 4.0 - Key generator
UNIVBE 5.x - uNIVBE v5.2 *kEYmAKER*
Virtual CD-ROM - Unlock code generator
Visual Basic 5.0 - Microsoft Key Generator 2.0
Visual C++ 5.0 - Microsoft Key Generator 2.0
WebImage 95 - Key generator
WinArj 95 - Reg code generator
WinArj 95 - WinArj 95 v4.1.0x crack
Windows 95 - MS Code Generator 1.01 (all products)
Windows Commander v3.0 - Windows Commander 32-bit crack
Windows NT 4.0 - Microsoft Key Generator 2.0
Windows NT 4.0 120 day trial - NT 4.0 Server 120 Day Demo Crack Kit
WinGate 1.x - Key generator for v1.3.08 onwards
WinGate 2.0 - Key generator for Pro and Lite
Winimage 2.25 - Key generator
WinPack32d - Key generator
WinPGP 4.0 - Key generator
WinPlay3 v2.0 - NOT A CRACK! Patch to turn panel green
WinPlay3 v2.0 - WiNPLaY3 VeRSioN 2.0 crack
WinRar 2.00 - WinRAR 2.00b key generator
WinZip - WinZip reg number generator
WinZip Self-Extractor - WinZip Self-Extract reg key maker
Wipeout XL - Crack
WS_FTP Pro 4.50 - Crack to remove the expiration
Xara 3D 1.05 - Crack patch
Xing MPEG Encoder v2.0 - Keymaker
X-Wing vs. TIE Fighter - Crack patches for the 1.1 and 3D updates


Serial Lists
Serial lists are rampant on the Internet. These sites contain known access codes that allow you to install and use virtually any software application you could name today. The distribution of these access codes is of course illegal, and therefore none of these illegal codes are

Other Tools
Ping (Packet Internet Groper) - a basic Internet program that lets you verify that a particular Internet (IP) address exists and can accept requests. The verb "ping" means the act of using the ping utility or command. Ping is used diagnostically to ensure that a user's PC is properly connected to the Internet. If, for example, a user can't ping a host, then the user will be unable to use a browser or any other TCP/IP application with that host. Ping can also be used to learn the numeric form of an IP address from the symbolic domain name.

Sniffer - A sniffer is a program that monitors and analyzes network traffic, detecting bottlenecks and problems. Using this information, a network manager can keep traffic flowing efficiently. A sniffer can also be used illegitimately to capture data being transmitted on a network. A network router reads every packet of data passed to it, determining whether it is intended for a destination within the router's own network or whether it should be passed further along the Internet. A router with a sniffer, however, may be able to read the data in the packet as well as the source and destination addresses.

Spoof - 1) To deceive for the purpose of gaining access to someone else's resources (for example, to fake an Internet address so that one looks like a certain kind of Internet user). 2) To simulate a communications protocol by a program that is interjected into a normal sequence of processes for the purpose of adding some useful function.

Warez (pronounced as though spelled "wares", or possibly by some pronounced like the city of "Juarez") is a term used by software "pirates" to describe software that has been stripped of its copy protection and made available on the Internet for downloading. People who create warez sites sometimes call them "warez sitez" and use "z" in other pluralizations.

Exploits - An exploit is a program that "exploits" a bug in a specific piece of software. All exploits are different; they do different things and exploit different bugs, which is why exploits are always program-specific. Exploits are made to get root on different operating systems. They achieve this by exploiting a bug in software while the software is running as root. In UNIX-type OSs, software may have to run as root (or UID 0) in order to perform a specific task that cannot be performed as another user. So basically the exploit subverts the software while it is running as root to give you a root prompt.

Pirated Software
Chapter 38

Are You at Risk?

Has your company illegally installed multiple copies of a software program on multiple computers? Is your company using pirated software? If so, you are at risk. If you are caught, the penalties can be huge. For example, one Louisiana hospital was found to be running 500 copies of WordPerfect, all copied from a single copy of WordPerfect which was itself pirated. The hospital was caught and fined more than 2.5 million dollars.

Penalties for Using Pirated Software

Illegal distribution of software can subject a seller to arrest and felony charges, with fines up to US$250,000 and prison terms of up to 5 years. If the copyright owner brings a civil action against you, the owner can seek to stop you from using its software immediately and can also request monetary damages. The copyright owner may then choose between actual damages, which include the amount it has lost because of your infringement as well as any profits attributable to the infringement, and statutory damages, which can be as much as $150,000 for each program copied.

Who is Responsible?

Company officials can be held responsible if they know about the use of pirated software, or if they take no measures to track and deter the use of pirated software. Simply looking the other way is not good enough in some states and jurisdictions. Under the "vicarious liability" doctrine of the US Copyright Act, an employer is liable for acts committed by its employees when those acts are within the scope of their employment duties. Another theory of liability is the doctrine of contributory copyright infringement, whereby a party who does not do an infringing act but who aids or encourages it is liable for the infringement.

Sources for Pirated Software

1. Illegal Copies - Legitimate software copied illegally onto additional computers becomes pirated software. Most license agreements allow the same user to install software on both their laptop and desktop computers, provided they use only one copy of the software at a time.

2. The Black Market - The streets of Hong Kong are full of pirated software products; titles that sell for hundreds of dollars in the US are widely available for $5.00 on the black market.

3. WAREZ & SERIALZ - (Pronounced "wears", this term is hacker slang for illegal software.) Tens of thousands of web sites exist where you can download virtually any software on the planet. Once it is downloaded, thousands more SERIALZ sites (pronounced "cereals", this term is hacker slang for illegal serial numbers) provide serial numbers that you can (attempt to) use in order to install the product.


4. Counterfeit Software - Yes, counterfeiters have gotten that good, and some counterfeit software finds its way into the mainstream. The industry is finding ways to fight back (such as the edge-to-edge holograms on Office XP, Windows 2000 and Windows XP CD-ROMs).

How to Find Pirated Software in Your Organization

Both Microsoft and the Business Software Alliance provide software management guides and tools that can help you organize and maintain your software inventory. You will get a better handle on what you need to purchase and what you need to eliminate to become compliant. These resources will also help you determine whether you have purchased genuine or counterfeit software.

As an example, the Microsoft Software Inventory Analyzer tool generates an inventory of the core Microsoft products installed on your local computer, or throughout a network. The MSIA is built specifically to be a starting point for working with Microsoft's Software Asset Management (SAM) tools, and to that end it will work with networks that have 250 computers or less, and will locate only Microsoft software. The results of the scan performed by MSIA are confidential; they are not sent to Microsoft. A sample report is shown below.

You should update and clean up your software inventory at least once a year. Whether you outsource the job to a reseller or IT specialist, or do it in-house, make reviewing your inventory an annual event. Purchase the software and sign up for the licenses you really need, and comply with the terms. Get rid of the rest.

http://www.microsoft.com/resources/sam/msia.mspx?lm=
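Inventory tools such as MSIA only produce the list of what is installed; the compliance question is answered by reconciling that list against the licenses actually owned. The following added example (not Microsoft's MSIA, not a BSA tool, and not part of the course text) shows that reconciliation step over a constructed inventory export and a constructed entitlement table. The product names, host names and counts are invented, and the per-computer licensing model it assumes is a simplification: many real agreements count per user or per device differently, so the entitlement table would have to reflect the terms you actually signed.

```python
"""Added example (not Microsoft's MSIA or any vendor tool): reconcile a
software inventory against owned licenses and flag over-deployment.
The inventory export, product names and entitlement counts below are
constructed for illustration; a per-computer license model is assumed."""
import csv
import io
from collections import defaultdict

# Constructed inventory export (host, product, version, install_date), one
# row per installed product per computer, as a scan agent might collect.
INVENTORY_CSV = """host,product,version,install_date
ws-01,Microsoft Office Professional,2003,2004-03-02
ws-02,Microsoft Office Professional,2003,2004-03-02
ws-03,Microsoft Office Professional,2003,2004-03-05
ws-03,Microsoft Office Professional,2003,2004-03-05
ws-04,Microsoft Office Professional,2003,2004-03-09
ws-05,Microsoft Office Professional,2003,2004-03-09
ws-01,Microsoft Project,2002,2004-04-11
ws-02,Microsoft Project,2002,2004-04-11
lt-07,Microsoft Project,2002,2004-04-11
srv-01,Microsoft Windows Server,2003,2004-01-15
"""

# Constructed entitlement records: product -> per-computer licenses owned.
ENTITLEMENTS = {
    "Microsoft Office Professional": 4,
    "Microsoft Project": 3,
    "Microsoft Windows Server": 1,
}

def parse_inventory(text):
    """Return product -> set of hosts. Duplicate rows for the same host
    (a reinstall, or two scans merged) count as one installation, so the
    reconciliation is not inflated by scan artifacts."""
    installs = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        installs[row["product"].strip()].add(row["host"].strip())
    return installs

def reconcile(installs, entitlements):
    """Compare installed-computer counts with licenses owned.
    Returns a list of (product, installed, licensed, shortfall), sorted by
    product. shortfall > 0 means more copies deployed than licensed; a
    product with no entitlement record at all is reported with licensed = 0,
    which is the case an audit is most likely to catch."""
    report = []
    for product, hosts in sorted(installs.items()):
        licensed = entitlements.get(product, 0)
        installed = len(hosts)
        report.append((product, installed, licensed, max(0, installed - licensed)))
    return report

def noncompliant(report):
    """Only the rows that need action: buy licenses or remove installs."""
    return [row for row in report if row[3] > 0]

if __name__ == "__main__":
    rep = reconcile(parse_inventory(INVENTORY_CSV), ENTITLEMENTS)
    for product, installed, licensed, short in rep:
        flag = "OVER-DEPLOYED" if short else "ok"
        print(f"{product}: {installed} installed / {licensed} licensed  {flag}")
```

On the constructed data, Office is installed on five computers against four licenses (the duplicate ws-03 row is correctly counted once), which is exactly the kind of finding the annual review described above should produce before an auditor does.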

15 Top Security/Hacking Tools & Utilities
Chapter 39
1. Nmap - Nmap (Network Mapper) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source.
Can be used by beginners (-sT) or by pros alike (--packet-trace). A very versatile tool, once you fully understand the results.

2. Nessus Remote Security Scanner - Recently went closed source, but is still essentially free. Works with a client/server framework. Nessus is the world's most popular vulnerability scanner, used in over 75,000 organizations worldwide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.

3. John the Ripper - JTR 1.7 was recently released! John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

4. Nikto - Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version-specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). Nikto is a good CGI scanner; there are some other tools that go well with Nikto (focused on HTTP fingerprinting or Google hacking/information gathering, etc.; another article for just those).

5. SuperScan - Powerful TCP port scanner, pinger, resolver. SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan. If you need an alternative to nmap on Windows with a decent interface, I suggest you check this out; it's pretty nice.

6. p0f - p0f v2 is a versatile passive OS fingerprinting tool. p0f can identify the operating system on:
machines that connect to your box (SYN mode),
machines you connect to (SYN+ACK mode),
machines you cannot connect to (RST+ mode),
machines whose communications you can observe.
Basically it can fingerprint anything just by listening; it doesn't make ANY active connections to the target machine.

7. Wireshark (formerly Ethereal) - Wireshark is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Wireshark features that are missing from closed-source sniffers. Works great on both Linux and Windows (with a GUI), easy to use, and can reconstruct TCP/IP streams! Will do a tutorial on Wireshark later.

8. Yersinia - Yersinia is a network tool designed to take advantage of some weaknesses in different Layer 2 protocols. It is intended as a solid framework for analyzing and testing the deployed networks and systems. Currently, the following network protocols are implemented: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1Q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP). The best Layer 2 kit there is.

9. Eraser - Eraser is an advanced security tool (for Windows) which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is free software and its source code is released under the GNU General Public License. An excellent tool for keeping your data really safe: if you've deleted it, make sure it's really gone; you don't want it hanging around to come back and bite you.

10. PuTTY - PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. A must-have for anyone wanting to telnet or SSH from Windows without having to use the poor default MS command-line clients.

11. LCP - The main purpose of the LCP program is user account password auditing and recovery in Windows NT/2000/XP/2003: account information import, password recovery, brute force session distribution, and hash computing. A good free alternative to L0phtcrack. LCP was briefly mentioned in our well-read Rainbow Tables and RainbowCrack article.

12. Cain and Abel - Most hackers' favorite for password cracking of any kind. Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing
routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.

13. Kismet - Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic. A good wireless tool as long as your card supports rfmon (look for an Orinoco Gold).

14. NetStumbler - Yes, a decent wireless tool for Windows! Sadly not as powerful as its Linux counterparts, but it's easy to use and has a nice interface; good for the basics of wardriving. NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:

Verify that your network is set up the way you intended.
Find locations with poor coverage in your WLAN.
Detect other networks that may be causing interference on your network.
Detect unauthorized "rogue" access points in your workplace.
Help aim directional antennas for long-haul WLAN links.
Use it recreationally for WarDriving.

15. hping - To finish off, something a little more advanced if you want to test your TCP/IP packet monkey skills. hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the Unix ping command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.
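Item 6 says p0f identifies an operating system "just by listening", which deserves a concrete illustration. The following added example (not part of the course text and not p0f's own code) shows the core of passive fingerprinting: a handful of fields from a host's first TCP SYN (TTL as seen on the wire, window size, the DF bit, the order of TCP options) are matched against a signature table, and the TTL is also used to estimate how many routers away the sender is. The signature table and the sample SYNs are constructed and deliberately simplified; real p0f databases carry many more fields and far more entries, so the labels here are illustrative rather than authoritative.

```python
"""Added example (not from the course and not p0f itself): the basic idea of
passive OS fingerprinting. Signatures and sample packets are constructed
and simplified for illustration; they are not an authoritative database."""
from dataclasses import dataclass

# Common initial TTLs used by operating systems; the observed TTL is lower by
# one per router hop, so the original is the smallest of these >= observed.
INITIAL_TTLS = (32, 64, 128, 255)

@dataclass(frozen=True)
class SynFeatures:
    ttl: int            # TTL as observed on the wire
    window: int         # TCP window size advertised in the SYN
    df: bool            # IP "don't fragment" flag set?
    options: tuple      # TCP option kinds in wire order, e.g. ("mss", "sackOK", "ts", "nop", "wscale")
    mss: int = 0        # MSS value if present (some window sizes are multiples of it)

def initial_ttl(observed: int) -> int:
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    return 255

def hop_distance(observed: int) -> int:
    """Estimated number of routers between the sender and the listener."""
    return initial_ttl(observed) - observed

# Constructed signature table. "window" is either an exact value or
# ("mss*", k), meaning the window equals k times the advertised MSS.
SIGNATURES = [
    {"label": "Linux 2.6 (constructed)",  "ttl": 64,  "window": ("mss*", 4), "df": True,
     "options": ("mss", "sackOK", "ts", "nop", "wscale")},
    {"label": "Windows XP (constructed)", "ttl": 128, "window": 65535, "df": True,
     "options": ("mss", "nop", "nop", "sackOK")},
    {"label": "OpenBSD (constructed)",    "ttl": 64,  "window": 16384, "df": True,
     "options": ("mss", "nop", "nop", "sackOK", "nop", "wscale", "nop", "nop", "ts")},
]

def window_matches(rule, f: SynFeatures) -> bool:
    if isinstance(rule, tuple) and rule[0] == "mss*":
        return f.mss > 0 and f.window == rule[1] * f.mss
    return f.window == rule

def fingerprint(f: SynFeatures):
    """Return (label, hops) for the first matching signature, or ("unknown", hops).
    Nothing is ever sent to the host: every input comes from a packet it sent."""
    ittl = initial_ttl(f.ttl)
    for sig in SIGNATURES:
        if (sig["ttl"] == ittl and sig["df"] == f.df
                and sig["options"] == f.options and window_matches(sig["window"], f)):
            return sig["label"], hop_distance(f.ttl)
    return "unknown", hop_distance(f.ttl)

# Constructed sample SYNs as a passive listener might record them.
SAMPLES = {
    "10.0.0.5":  SynFeatures(ttl=57,  window=5840,  df=True,
                             options=("mss", "sackOK", "ts", "nop", "wscale"), mss=1460),
    "10.0.0.9":  SynFeatures(ttl=116, window=65535, df=True,
                             options=("mss", "nop", "nop", "sackOK"), mss=1460),
    "10.0.0.12": SynFeatures(ttl=250, window=8192,  df=False,
                             options=("mss",), mss=1460),
}

def fingerprint_all(samples):
    return {ip: fingerprint(f) for ip, f in samples.items()}

if __name__ == "__main__":
    for ip, (label, hops) in fingerprint_all(SAMPLES).items():
        print(f"{ip}: {label}, about {hops} hops away")
```

Two points worth noticing: the matching is entirely on fields the remote host chose (window, option order, DF), which is why it works without sending a single packet, and the TTL arithmetic gives the hop count for free. It is also why the technique is fragile: anyone who tunes their TCP stack, or a middlebox that rewrites TTL or options, will produce an "unknown" or a wrong label, so treat a passive fingerprint as a hint to confirm, not as a fact.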

Safety Online
Chapter 40

Safety Online

Using the Internet and surfing the web can be simple and safe. Unfortunately, at other times online surfing can put you at risk. This chapter discusses a few common-sense recommendations to help you stay safe during your online activities.
1. No Personal Information - Do not give out your personal information (full name, address, or phone number) to anyone online that you don't know or trust, because they might not be who they claim to be.
2. Verify That Friends Are Who They Say They Are - To avoid confusing your friends with strangers online, consider using a password or code word. Or you could simply call your friend to make sure they are the one online.
3. Financial Data - Only give out your bank account or credit card information to web sites you trust, and make sure that they are using encryption (i.e., the gold lock icon and an https:// address indicate that the connection to the web site is encrypted).
4. Never Open E-Mail Attachments - Never open e-mail attachments from strangers; open attachments only from senders you trust, and only with up-to-date security software on your computer. Unknown e-mails may contain viruses or spyware that can harm your computer.
5. Beware Of Spoof E-Mail - Beware of spoof e-mail claiming to be from eBay, PayPal, a bank, or a company name you know, asking for personal or sensitive information. This is called phishing. The e-mail may inform you that there is a problem with your account/password. There may be a link to click inside, or even a phone number to call.
6. Online Arranged Meetings - If you decide to meet someone in person whom you met online, go to a public place and let friends and family know your plans. Have an alternate plan if things turn out badly.
7. Anti-Virus Software - Get a good anti-virus program, spyware remover, and firewall. There are free programs available online, such as Avast! antivirus, Grisoft's AVG Free, Microsoft AntiSpyware and Spybot, and Sygate personal firewall. They will block most attempts and alert you if problems are found.
8. Read The Fine Print - There are many survey sites that pay you for answering questions and filling out forms. If you do not want to receive junk mail or get put on a telemarketer list, look for a small box near the bottom of the page that asks if you want to receive information and offers from other companies. The best sites will have a statement that they will not sell your name to other companies. Some sites require you to give all your information to get the product, and sometimes you may get a ton of spam as a result. Only fill in required fields, which are marked with a *. If the information box does not have an asterisk, it is optional and you can leave it blank.
9. Monitor Children - Monitor young children's (under 16) activities closely and use parental controls when available. Use a password a child will not guess. Install parental control software. The Internet is not child-friendly.
10. Use Strong Passwords - As discussed in the Strong Passwords chapter.
11. Limit Your Buddy List - Web services such as Skype, AOL, Yahoo, or MSN have messengers that allow you to chat with others with an instant message (IM) or private message (PM) box. Go to the preferences or options menu and carefully choose settings. It is best to turn off messages from all users and only add people to your buddy list that you know very well or someone you choose to talk to.
12. Use Add-on Messaging Programs - YTunnelPro and YahElite are very good and helpful companions to Yahoo Messenger, and similar solutions are available for other messaging services.
13. Subscribe To Unimportant Things With A Secondary E-Mail Address - This will help keep spam away from your regular address, and will protect your identity. A good site which allows you to create temporary e-mail addresses on the fly is Spam Motel. When you register on an unknown site, go to Spam Motel and create an e-mail address, and delete it when you have no further use for it.

Gmail and Hotmail also offer free e-mail addresses that work well for temporary or less important purposes.

14. Prepaid Credit Cards. If you feel uncomfortable giving away your credit card number online, consider using a prepaid credit card or a gift credit card instead. These often work the same as a regular credit card, but they only carry a set amount, so that if someone gets hold of the prepaid card's number, they cannot do as much damage.
15. WOT & NoScript. If you are using Firefox, download the extensions WOT, which tells you how trustworthy sites are, and NoScript, which blocks JavaScript and other potentially malicious active content except on sites you have explicitly trusted.
16. Watch Your Mouth. Be careful what you say on the Internet and understand that it is becoming common practice for employers to research what you have said online as part of the hiring process. What you say today could keep you from getting hired for your dream job five years from now.
17. No Birthdates Online. If you mention that you had a birthday recently, don't be specific about the date, or your exact age. These two items are enough to figure out your date of birth, a piece of information that banks use to help identify you.
18. Watch the Downloads. Be careful of what you download. If it's not open source/GNU, then make sure it's from a reputable site (widgets.yahoo.com, CNET's Download.com, etc.). Even for open source software, download from the project's own site and compare the published checksum or signature where one is offered. When using P2P software such as Limewire, only download music and age-appropriate video. Anything else could be filled with viruses and who knows what.
19. Clear Your Browser's Cache Periodically. The cache stores web pages, images, and even some information about you on your computer, and should be cleared from time to time.
20. Block Cookies. Disable cookies permanently, or from time to time if you are surfing questionable web sites. For example, when researching this security course, I turned off my cookies often as I accessed web sites that I was not sure of.
21. Check to See if Your Computer Has Been Tracked. There is no surefire way to know if your computer is being hacked; however, there are many ways to distinctly reduce the chances of it being compromised, as follows:
22. Install a Firewall Device. Install a firewall as discussed in the Firewall chapter of these materials. Especially if connected to broadband via a network card, consider installing a router between the DSL or cable modem and the computer's network interface. This moves the public IP address from the computer to the router. The computer receives a private IP address (provided by the router) and cannot be reached directly by hackers casually probing the Internet for open ports. Note that this protects only against unsolicited inbound connections; it does nothing about malware you download or connections your own programs initiate.
23. Use Anti-Spam Software. Turn on Junk Mail Filtering in Outlook or use a dedicated anti-spam tool (see the Blocking Spam chapter).
24. Remove Anti-Virus Software That You Are Unhappy With. Download the replacement product first, then disconnect your computer from the Internet, since it will be unprotected during the next step. Go into Control Panel, choose Add or Remove Programs, and uninstall any poorly performing anti-virus software you currently have installed. Install the new anti-virus solution, reconnect your computer to the Internet, and allow it to update fully.
25. Install KeyScrambler. Consider installing the KeyScrambler Personal add-on for Firefox. This add-on encrypts your keystrokes to protect your login information from key logging programs. If a hacker has a program inside your computer logging all your keystrokes to steal your passwords, all they will get from password fields on web pages is scrambled garbage. This is a mitigation, not a cure: malware running with the same or higher privileges as the browser can still read the data after the browser decrypts it, so the infection still has to be removed.
26. Install HijackThis. If you want extra visibility into what has been changed on your computer, install HijackThis, a tool that lists the browser settings, startup entries and other hooks that home page hijackers modify, so you can spot and remove an unwanted entry. It is a diagnostic tool rather than a blocker, and its listing includes legitimate entries, so research an item before removing it.
27. Install Comodo BOClean. This is a real-time anti-malware scanner which works at the registry level to stop malware installs.
28. Update Your Anti-Virus Software. Verify that your anti-virus software is up to date at least once a week if it is the automatically updating type. Check daily if it must be manually updated. Windows will allow a great deal of time to elapse before alerting you that it is out of date. Most reputable anti-virus developers release updates every couple of days, or more often than that if warranted. Running a computer with out-of-date anti-virus definition files gives a false sense of security.
29. ActiveX. Don't install ActiveX controls from a web site you don't trust.
30. Be Suspicious of Thumb Drives. Don't run applications or copy content from disks, thumb drives, CDs, etc. that have been provided by others (including friends), or that belong to you if they have previously been connected to another computer, unless scanned with your anti-virus program first. If an infected computer has accessed the data on the media, the data is likely to be infected as well.
31. Be Suspicious of Web Sites. Watch out for any web sites requesting personal information. Unless you trust the site, it is unwise to give out your e-mail, address, phone number, or even your name.
32. Beware Of Sites With Pop-Ups. Typically they'll be putting other things on your computer.
33. Block Pop-Ups. Use the browser's Block Pop-ups setting or install pop-up blocking software.
34. Browse The Internet Using Proxies. This will hide your IP address from the scripts that people use to identify it, among other things. It doesn't matter whether you use a CGI, PHP, or anonymous proxy; they all have about even advantages and disadvantages. A good CGI/PHP proxy is Anonymouse. Also, Proxy.org has a long list of this kind of proxy, which can be useful. Remember that the proxy operator sees everything you send through it, including pages you visit over https:// when a web-based (CGI/PHP) proxy fetches them on your behalf, so never log in to anything sensitive through a proxy you do not control.
35. Prevent Peeping. It is extremely unlikely someone is watching you through a physical camera, binoculars (or worse, a sniper scope) or screen recording device, but just to be on the safe side you might want to follow some of these obvious steps:
a. Close all blinds and drapes through which someone could watch your computer monitor.
b. Don't let anyone you wouldn't trust with your life near your computer unsupervised.
c. Look for anything unfamiliar that is plugged into your computer.
d. Buy a hidden camera detector (a small red eyepiece surrounded by red LEDs, which makes a concealed lens glint back at you), and scan the area around your computer.
36. Always Assume That Your Online Activity Is Being Monitored. If you are using the Internet on a network that isn't private (such as at work, school, a library, or a cybercafe), you are almost certainly being monitored. Don't do anything you wouldn't want the administrator(s) of that network seeing.
37. Avoid Clicking on Advertisements. Never click on an advertisement from an unknown ad network, and think twice even about those served by large networks such as Google AdSense. Clicking ads is a good way to get spyware and viruses on your computer.
38. Encrypt Wireless Connections. If you are using a wireless network to connect to the Internet, encrypt it as strongly as your equipment supports, as discussed in the Wireless Security chapter. Prefer WPA2 with AES and a long, random passphrase. Older WEP encryption is broken regardless of whether a 64-bit or 128-bit key is used; an attacker with freely available tools can recover a WEP key in minutes, so treat a WEP-only network as unencrypted.
39. Secure Your Passwords. Keep your passwords secure.
40. Never Let the Browser Remember Passwords. Never let your browser remember your passwords, and don't tell sites to remember you. Saved browser passwords and "remember me" cookies can be read by spyware running under your user account. If you need help keeping track of passwords, use a dedicated password manager protected by a strong master password.
41. Keep Ports Closed. Don't open (forward) ports in your firewall or enable UPnP, which lets any program on your network open ports in the router without asking you. Every open port exposes a service to the Internet, and a flaw in that service gives attackers a way through the firewall to your computer.

Blocking Spam
Chapter 41

SPAM
The word SPAM was originally a trademark of Hormel Foods for its canned meat product (popularly expanded as "Shoulder Pork and hAM"). Later Monty Python's Flying Circus performed a spam skit in which a restaurant serves its food with loads of spam, and the waitress repeats the word several times in describing how much spam is in the items. When she does this, a group of Vikings in the corner start a song: "Spam, spam, spam, spam, spam, spam, spam, spam, lovely spam! Wonderful spam!" Thus the term came to mean something that keeps repeating and repeating to great annoyance. (1)

How Big is the Spam Problem? The California legislature found that spam cost United States organizations alone more than $13 billion in 2007, including lost productivity and the additional equipment, software, and manpower needed to combat the problem. Ferris Research estimates the 2007 cost of spam at $100 billion worldwide, and $35 billion in the US, more than double the cost in 2005. Presented below are a few statistics:

Spam Statistics

                                                    Non-Spam                        Spam
1. Total e-mails sent in 2006                       6 trillion (25 billion per day)  18 trillion (75 billion per day)
2. Average number of e-mails sent and received
   by each business user in 2006                    600 per week                     1,800 per week

3. The vast majority of spam messages are around 5 KB.
4. Around 10% of spam messages are in the 100 KB to 1 MB range.
5. Around 5% of spam messages are bigger than 1 MB.
6. Cost of a user deleting a spam message: $0.04
7. Cost of a user retrieving a bona fide message erroneously deleted as spam (false positive): $3.50

Where You Might Encounter Spam
1. E-mail Spam: Unsolicited e-mail, usually promotional.
2. Instant Messaging: Unsolicited chats sent to AOL, ICQ or Windows Live.
3. Chat Rooms: Online web sites where users communicate in real time.
4. Newsgroups and Forums: Web sites where users post comments.
5. Mobile Phone: Spam text messages sent to your mobile phone number.
6. Online Game Messaging: Messaging between gamers.
7. Search Engines (Spamdexing): HTML code makes a page rank higher than it should.
8. Blogs, Wikis, and Guestbooks: Spam takes advantage of the open nature of comment pages.
9. Video Web Sites (like YouTube): Spam usually appears in the comments section.

Spam Laws
The CAN-SPAM Act of 2003, signed into law in December 2003 and effective January 1, 2004, provided ISPs with tools to combat spam. For example, this act allowed Yahoo! to successfully sue Eric Head, reportedly one of the biggest spammers in the world. The law's primary provisions are as follows:
1. Bans false or misleading header information. Your e-mail's "From," "To," and routing information, including the originating domain name and e-mail address, must be accurate and identify the person who initiated the e-mail.
2. Prohibits deceptive subject lines. The subject line cannot mislead the recipient about the contents or subject matter of the message.
3. Requires that your e-mail give recipients an opt-out method.
4. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your commercial e-mail.
5. It's illegal for you to sell or transfer the e-mail addresses of people who choose not to receive your e-mail, even in the form of a mailing list, unless you transfer the addresses so another entity can comply with the law.
6. Requires that commercial e-mail be identified as an advertisement and include the sender's valid physical postal address.
Each violation of the above provisions is subject to fines of up to $11,000.

Spamming Seems to Work
If everyone ignored spam, then spamming would stop. However, because spammers find it rewarding, they keep spamming. Spam is growing, not shrinking.

SpamCop
SpamCop is a free spam reporting service through which you can report offenses to the senders' Internet Service Providers (ISPs), and sometimes their web hosts. This feedback is used to compile the "SpamCop Blocking List" (SCBL) and other lists. Those whose IP addresses are included on these lists have their mail rejected by servers that subscribe to the SCBL. Comments:
1. Backscatter. SpamCop is controversial in that it automatically lists IP addresses that send mail to spam-trap e-mail addresses. Since these addresses may be forged as return addresses on spam messages, backscatter caused by those messages (including vacation messages and other auto-replies sent to the forged address) can result in an otherwise innocent server being blocklisted if it fails to employ backscatter prevention techniques, such as rejecting undeliverable mail during the SMTP session rather than accepting it and bouncing it later.

2. Blocks Expire. One of the unique features of the SCBL is that a listing expires automatically when no spam is reported from that source for 24 hours.

3. Filter. SpamCop recommends that the SCBL be used as a filter (one input to a spam score), rather than as an outright block.
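The SCBL is consulted the way any DNS-based blocklist is: the mail server reverses the octets of the sending IP address and looks the name up in the list's DNS zone. The following is an added example, not part of the course materials or of SpamCop's software, showing that lookup together with the "filter, not block" scoring from comment 3. The zone bl.spamcop.net and its 127.0.0.2 answer are SpamCop's real conventions; the second list zone, the weights, the thresholds and the DNS answer table are constructed for the example, and the addresses are from the documentation ranges.

```python
"""DNSBL (DNS-based blocklist) check, as used with the SpamCop Blocking List.

Added example; not part of the course materials or SpamCop's own software.
A mail server checks a sending IP against a DNSBL by reversing the octets
and looking the name up in the list's DNS zone:
    203.0.113.7 -> 7.113.0.203.bl.spamcop.net
An A record in 127.0.0.0/8 (SpamCop answers 127.0.0.2) means "listed";
NXDOMAIN means "not listed". The resolver is injected so the example runs
offline against a constructed answer table; live_resolver() uses real DNS.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]

SPAMCOP_ZONE = "bl.spamcop.net"              # real SpamCop zone
SECOND_ZONE = "dnsbl.second-list.example"    # hypothetical second list


def dnsbl_query_name(ip: str, zone: str = SPAMCOP_ZONE) -> str:
    """Build the lookup name: octets reversed, then the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolver(name: str) -> Optional[str]:
    """System DNS lookup; None means NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str = SPAMCOP_ZONE, resolve: Resolver = live_resolver) -> bool:
    """True only if the answer lies in 127.0.0.0/8, the documented DNSBL range.

    Requiring that range guards against a captive portal or a retired,
    wildcarded list that answers every query with some real address.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def score_sender(ip: str, weights: Dict[str, float], resolve: Resolver = live_resolver) -> float:
    """Weighted sum over several lists: SpamCop's 'use it as a filter' advice."""
    return sum(w for zone, w in weights.items() if is_listed(ip, zone, resolve))


LIST_WEIGHTS = {SPAMCOP_ZONE: 2.0, SECOND_ZONE: 3.0}   # constructed weights
REJECT_AT = 4.0   # one listing alone only flags; agreement between lists rejects


def verdict(ip: str, resolve: Resolver = live_resolver) -> str:
    score = score_sender(ip, LIST_WEIGHTS, resolve)
    if score >= REJECT_AT:
        return "reject"
    return "flag" if score > 0 else "accept"


# Constructed DNS answers standing in for the network (documentation IPs).
FAKE_DNS = {
    "7.113.0.203.bl.spamcop.net": "127.0.0.2",               # on SpamCop
    "7.113.0.203.dnsbl.second-list.example": "127.0.0.2",    # and on the second list
    "10.113.0.203.bl.spamcop.net": "127.0.0.2",              # on SpamCop only
    "8.113.0.203.bl.spamcop.net": "198.51.100.1",            # bogus non-127/8 answer
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.8", "203.0.113.9", "203.0.113.10"):
        print(ip, dnsbl_query_name(ip), verdict(ip, fake_resolver))
```

Because a listing on one list only flags the message while agreement between lists rejects it, a single SCBL listing caused by backscatter does not by itself cost a legitimate sender's mail; and since SCBL listings expire after 24 hours of silence, the check must be made per message rather than cached for days.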

Spammers Get Nasty with Blue Frog
Anti-spammer Blue Security's Blue Frog software provided a Firefox and Internet Explorer plug-in allowing e-mail users to report their spam automatically; Blue Frog then sent complaints to the web sites being promoted in the spam messages, one complaint for each spam incident. In May 2006, Blue Security underwent a retaliatory DDoS attack initiated by spammers. Its servers folded under the load, and the attack spilled over to its hosting provider (Six Apart), whose server farm collapsed as well. Blue Security identified the attackers as PharmaMaster, AKA Christopher Brown, Swank, "Dollar", Joshua Burch, "zMACk", "some Russians", Leo Kuvayev, and Alex Blood. Blue Security ceased its anti-spam operation on May 16, 2006. The spammers won.

SPAM Blocking Solutions
Presented below is a comparison list of some of the more popular spam blocking utilities available today, as compiled by SpamFilterReview (http://www.spamfilterreview.com/). These products range in price from $5 to $40.

How Spam Blocker Programs Work
Every day spammers find new routes to try to get into your e-mail inbox. Most spam consists of unwanted advertising, but some can transmit viruses, adware or spyware onto your computer and cause problems. Of course, it is also extremely annoying to go to your inbox and have to look through a whole list of e-mails to find one legitimate e-mail.

An effective anti-spam program can solve many of your e-mail problems. Not only does it block unwanted spam, but it can also organize your e-mails into folders, so your inbox only includes wanted e-mail. So, what does a quality spam filter do exactly? Here is a summary:
1. Establishes White Lists and Black Lists. A white list is a specific list of approved addresses that you set. Items not on the approved list and "known" spammers automatically go to the black list and are blocked, deleted or filed.

2. Blocks "Sporn". All good programs allow you to block a high percentage of spammed pornography. Some will also filter out "adult" content e-mails or block adult-oriented images.

3. Organizes E-mails. Not everyone wants to block all of their e-mails. Most programs will allow users to build folders, such as financial, adult-oriented, games or others, and the program will put incoming e-mails into assigned folders. This gives the user a choice about which e-mails they want to look at.
Presented below is a diagram highlighting the various types of information, data, and attributes today's top spam blocking systems check in order to block spam.

Bayesian SPAM Filters
Some argue that a better approach for identifying spam is to employ a Bayesian filter, in which the spam messages you already receive are statistically analyzed to create a basis for rejecting future spam. This matters because a CPA firm will not want to use the same filtering rules as a doctor's office that receives numerous legitimate e-mails discussing breast cancer. With Bayesian filtering, a unique and individual model is created and continually updated based on the e-mails you accept and those you reject: how often each word appears in your spam versus your legitimate mail feeds a probability that a new message is spam. Over time, your system learns which types of e-mails to reject automatically.
Yet another measure you can take to block spam is to set up rules in your e-mail client or turn on spam and adult content filtering there. This is discussed in more detail under E-mail Tips and Tricks.
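The following is an added example of the Bayesian approach, not part of the course materials or of any vendor's product, serving both the white list / black list summary above and this section: a small naive Bayes word model is trained on a constructed corpus of a CPA firm's mail, and each new message is then routed by white list, black list, and its spam probability against a chosen blocking level. The messages, addresses and thresholds are all assumptions made for the example.

```python
"""Bayesian spam filter plus white list and blocking levels.

Added example, not part of the course materials and not any vendor's
product. train() builds word statistics from mail you have already
labelled; spam_probability() scores a new message; triage() then applies
the white list / black list and the chosen blocking level to route the
message to the inbox, a quarantine folder, or rejection. The training
corpus and the addresses are constructed for this example.
"""
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z0-9$']+")


def tokenize(text):
    """Lower-case words; a set, so each word counts once per message."""
    return set(WORD.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.messages[label] += 1
        self.words[label].update(tokenize(text))

    def _p_word(self, word, label):
        # Laplace smoothing: a word never seen in one class still gets a
        # small probability instead of zero, which would swamp everything else.
        return (self.words[label][word] + 1) / (self.messages[label] + 2)

    def spam_probability(self, text):
        """P(spam | words present), naive Bayes computed in log space."""
        log_odds = math.log((self.messages["spam"] + 1) / (self.messages["ham"] + 1))
        for word in tokenize(text):
            log_odds += math.log(self._p_word(word, "spam")) - math.log(self._p_word(word, "ham"))
        return 1.0 / (1.0 + math.exp(-log_odds))


# "Blocking levels" from the text: high rejects outright, low only sorts.
LEVELS = {
    "low":  {"quarantine": 0.90, "reject": 1.01},   # reject threshold never reached
    "high": {"quarantine": 0.50, "reject": 0.95},
}


def triage(flt, sender, text, whitelist, blacklist, level="low"):
    """Route one message: white list wins, then black list, then the score."""
    sender = sender.lower()
    if sender in whitelist:
        return "inbox"
    if sender in blacklist:
        return "reject"
    p = flt.spam_probability(text)
    if p >= LEVELS[level]["reject"]:
        return "reject"
    if p >= LEVELS[level]["quarantine"]:
        return "quarantine"
    return "inbox"


# Constructed training corpus for a CPA firm. A doctor's office would train
# on its own mail, so its medical vocabulary would land in the ham column.
HAM = [
    "Please review the attached audit workpapers before the client meeting",
    "The quarterly tax filing deadline for the client is next Friday",
    "Invoice for bookkeeping services attached",
    "Can we schedule the 1040 review meeting for Tuesday",
]
SPAM = [
    "Buy cheap meds online now lowest prices",
    "You have won a free prize claim now",
    "Lowest mortgage rates refinance now no credit check",
    "Cheap online pharmacy free shipping order now",
]
WHITELIST = {"partner@example-cpa.com"}      # constructed addresses
BLACKLIST = {"deals@bulk-mailer.example"}


def build_cpa_filter():
    flt = BayesFilter()
    for text in HAM:
        flt.train(text, "ham")
    for text in SPAM:
        flt.train(text, "spam")
    return flt


if __name__ == "__main__":
    flt = build_cpa_filter()
    for sender, text in [
        ("client@example.org", "Can we move the audit review meeting to Thursday"),
        ("unknown@example.net", "Claim your free prize now cheap meds online"),
        ("unknown@example.net", "Meeting about the lowest rates now"),
        ("partner@example-cpa.com", "Claim your free prize now cheap meds online"),
    ]:
        p = flt.spam_probability(text)
        low = triage(flt, sender, text, WHITELIST, BLACKLIST, "low")
        high = triage(flt, sender, text, WHITELIST, BLACKLIST, "high")
        print(f"{p:.3f} low={low:<10} high={high:<10} {text}")
```

The mixed message "Meeting about the lowest rates now" is the interesting case: it scores around 0.7, so the high level quarantines it while the low level lets it through for the user to judge, which is exactly the trade-off between the two levels that the statistics on false positives earlier in this chapter put a price on.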

What to Look for in Spam Filter Software
Spam filters should work with your e-mail service and offer the following features.
1. Rules. A good spam filtering program gives you the ability to set rules about which e-mails you want to receive, reject or delete.

2. Quarantine. Your spam filter should move suspect mail to a quarantine folder and allow you to look through it at your own discretion, rather than deleting it outright; recall from the statistics above that a lost legitimate message costs far more than a spam message that slips through.

3. Black Lists. You should be able to set up black lists and white lists.

4. Compatible. Most importantly, your spam filter should work with the e-mail service that you use.

5. Ease of Use. The product should be easy to use even for an inexperienced computer operator.

6. Ease of Installation & Setup. The product should install quickly and without errors.

7. Stability. The spam filtering software should offer dependable performance and be compatible with your other programs.

8. Blocks Spam. The software should have the ability to block unwanted spam.

9. Blocking Levels. The software should allow the user to decide what level of filtering they want, and be in control of how the e-mails are organized. High filter options block and delete all e-mails that are not on an approved list. Lower filter levels sort all e-mails and save them in folders to let the user decide which ones to open or delete.

10. Keeps Your Inbox Clean. Your spam mail filter should go through and delete unwanted e-mail for you.

Using Outlook's Junk E-Mail Filter
The Junk E-mail Filter in Microsoft Office Outlook 2007 is designed to catch the most obvious spam and send it to your Junk E-mail folder. The Outlook Junk E-mail Filter evaluates each incoming message based on several factors, including:
1. The time when the message was sent, and
2. The content of the message.
The filter does not single out any particular sender or message type, but instead analyzes each message based on its content and structure to discover whether or not it is probably spam. The Junk E-mail Filter is turned on by default, and the protection level is set to Low. This level is designed to catch the most obvious spam. You can make the filter more aggressive by changing the level of protection.

Also, the Junk E-mail Filter can be updated periodically to protect against the latest techniques that spammers use to spam your Inbox. Any message that is caught by the Junk E-mail Filter is moved to a special Junk E-mail folder. It is a good idea to review the messages in the Junk E-mail folder from time to time to make sure that they are not legitimate messages that you want to see. If they are legitimate, you can move them back to the Inbox by marking them as not junk. You can also drag them to any folder.

10 Tips to Help Reduce Spam
1. Use the Junk E-mail Filter in Outlook. Outlook 2007 helps to mitigate the problem of spam by providing the Junk E-mail Filter, which automatically evaluates incoming messages and sends those identified as spam to the Junk E-mail folder.

2. Block Pictures That Spammers Use As Web Beacons. Office Outlook 2007 has an anti-spam feature that blocks automatic picture downloads when the content is linked to an external server. If you open a message that has external content when this feature is turned off, the external content downloads automatically, and that request (typically to a URL that encodes your address or a per-recipient ID) verifies to the server that your e-mail address is a valid one. Your e-mail address can then be sold to a spammer. You can unblock external content for messages that come from sources that you trust.

3. Turn Off Read And Delivery Receipts And Automatic Processing Of Meeting Requests. Spammers sometimes resort to sending meeting requests and messages that include requests for read and delivery receipts. Responding to such meeting requests and read receipts might help spammers to verify your e-mail address. You may want to turn off this functionality.
To turn off read receipts, on the Outlook Tools menu, click Options, E-mail Options, Tracking Options, and click Never send a response. To turn off automatic acceptance of meeting requests, click the Outlook Tools menu, Options, Calendar Options, Advanced Options, Resource Scheduling, and clear the Automatically accept meeting requests and process cancellations check box.

4. Protect Your E-Mail Address. Be cautious about posting your e-mail address on public Web sites, such as newsgroups, chat rooms, bulletin boards, and so forth. When visiting public sites, you might want to use an e-mail address that is different from your main e-mail address. Remove your e-mail address from your personal Web site. Whenever you list or link to your e-mail address, you increase your chances of being spammed.

5. Review The Privacy Policies Of Web Sites. When you sign up for online banking, shopping, or newsletters, review the privacy policy of the site carefully before you reveal your e-mail address or other personal information. Look for a link or section (usually at the bottom of the Web site's home page) called "Privacy Statement," "Privacy Policy," "Terms and Conditions," or "Terms of Use." If the Web site does not explain how your personal information will be used, consider not using the services at that site.

6. Watch Out For Check Boxes That Are Already Selected. When you shop online, companies sometimes add a check box that is already selected, which indicates that it is fine with you if the company sells or gives your e-mail address to other businesses (or "third parties"). Clear this check box so that your e-mail address is not shared.

7. Don't Reply To Spam. Never reply to an e-mail message, not even to unsubscribe from a mailing list, unless you know and trust the sender, such as when the e-mail message comes from a service, an online store, or a newsletter that you have signed up with. Answering spam just confirms to the spammer that your e-mail address is an active one.

8. Don't Send Personal Information Via E-Mail. Most legitimate companies will not ask for personal information to be sent in e-mail. Be suspicious if they do. Such a request could be a spoofed e-mail message disguised to look like a legitimate one. This tactic is known as phishing. If the possible spam appears to be sent by a company that you do business with, for example, your credit card company, then call the company to verify that they sent it, but don't use any phone number that is provided in the e-mail. Instead, use a number that you find by other means, such as directory assistance, a statement, or a bill. If the request is a legitimate one, the company's customer service representative should be able to assist you.

9. Don't Contribute To A Charity In Response To A Request Sent In E-Mail. Unfortunately, some spammers prey on your goodwill. If you receive an e-mail appeal from a charity, treat it as spam. If the charity is one that you want to support, locate their telephone number or Web site to find out how you can make a contribution.

10. Don't Forward Chain E-Mail Messages. Besides increasing overall e-mail volume, by forwarding a chain e-mail message you might be furthering a hoax, and meanwhile, you lose control over who sees your e-mail address.
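Tip 2 (web beacons) and tip 8 (spoofed messages) both turn on things that can be checked mechanically in an HTML message. The following is an added example, not from the course materials and not Outlook's own code, that lists the remote images whose download would confirm your address to the sender and the links whose visible text names a different host than the one they actually lead to. The sample message and its host names (.example names) are constructed for the example.

```python
"""Inspect HTML e-mail for web beacons and look-alike links.

Added example; not part of the course materials and not Outlook's code.
It uses the standard-library HTML parser to pull out (1) remote images,
the 'web beacons' whose download tells the sender your address is live,
and (2) links whose visible text names one host while the href goes to
another, the classic phishing trick. The sample message is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class MailInspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.beacons = []       # remote image URLs (http/https src)
        self.links = []         # (href, visible text) pairs
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            if urlparse(src).scheme in ("http", "https"):
                self.beacons.append(src)
        elif tag == "a":
            self._href = a.get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Host named by a URL, or by bare text such as 'www.example-bank.com/login'."""
    candidate = value if "://" in value else "http://" + value
    return (urlparse(candidate).hostname or "").lower()


def deceptive_links(links):
    """Links whose visible text looks like a host/URL but points elsewhere.

    A genuine subdomain of the shown host (secure.example-bank.com shown as
    example-bank.com) is accepted; anything else is reported.
    """
    found = []
    for href, text in links:
        looks_like_host = "." in text and " " not in text
        shown = host_of(text) if looks_like_host else ""
        real = host_of(href)
        if shown and real and shown != real and not real.endswith("." + shown):
            found.append((text, real))
    return found


def inspect(html):
    parser = MailInspector()
    parser.feed(html)
    parser.close()
    return {
        "beacons": parser.beacons,
        "deceptive_links": deceptive_links(parser.links),
        "insecure_links": [h for h, _ in parser.links if urlparse(h).scheme == "http"],
    }


# Constructed phishing-style message: a tracking pixel, a look-alike link,
# a legitimate link, and an inline (cid:) image that is not a beacon.
SAMPLE = """<html><body>
<p>Dear customer, there is a problem with your account.</p>
<p>Please sign in at
<a href="http://www.example-bank.com.account-verify.example/login">www.example-bank.com</a>
within 24 hours.</p>
<p>Questions? <a href="https://support.example-bank.com/help">Contact us</a></p>
<img src="https://track.mailer.example/open?id=4f2c9" width="1" height="1">
<img src="cid:logo123">
</body></html>"""


if __name__ == "__main__":
    for key, value in inspect(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against SAMPLE it reports one beacon, one look-alike link and one plain-http link; the cid: image is embedded in the message itself and so fetches nothing, which is why Outlook's blocking applies only to content linked to a server.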

Security Book Reviews
Chapter 42

Information Security Book Reviews
There are several dozen books available on information security, ranging in price from $22 to over $795. Many of these books focus on specific aspects of security such as securing network routers, protecting against identity theft, or implementing security policies. For your benefit, I have briefly reviewed several of these books below.

$795, 2005, 700+ pages + CD-ROM, by Charles Cresson Wood

This book focuses a great deal on policies and provides over 1,350 written policies and 18 policy documents, including Electronic Mail Policy, Internet Security Policy for End Users, Web Privacy Policy, High-Level Security Policy, Privacy Policy, Information Ownership Policy, Firewall Policy, Data Classification Policy and Network Security Policy. If you want to CYA and inundate your people with documents and rules, this book will help you accomplish these goals.

$167, 2007, 3,280 pages, by Harold F. Tipton and Micki Krause

This book is a collection of dozens of articles written on a wide variety of security topics. Some articles are much better than others, and the information contained is overlapping in some areas and missing in other areas. Selected topics included are as follows: identity management, intrusion detection, role-based networking, legislative and privacy requirements, compliance and governance, risk assessment and management, and forensics.

$85, 2007, 600 pages, by Michael E. Whitman and Herbert J. Mattord

This book is used more as a text in college-level courses. It focuses primarily on the Common Body of Knowledge for information security management maintained by (ISC)2, the body behind the Certified Information Systems Security Professional (CISSP) certification.

$31, 2007, 400 pages, by Andrew Jaquith

Based primarily on Yankee Group methods, the book focuses on how to establish effective metrics, such as quantifying hard-to-measure security activities, compiling and analyzing all relevant data, identifying strengths and weaknesses, setting cost-effective priorities for improvement, and crafting compelling messages for senior management. Also written from a CYA point of view, the book is slow to get to practical security steps in an easy-to-understand fashion.

$26, 2006, 400 pages, by Mark Osborne

Using less technical language, this book is written for smaller office environments. It focuses less on policies and security governance, and more on practical measures companies can take to secure their information. It is a little easier to read and follow than the books reviewed above.

Conclusion
As is the case with so many books I read, many of these books seem to take a really good lengthy article and turn it into a book that makes the reader work hard to ferret out the various tidbits of information. There are far too few checklists of action items, and far too much discussion of security theory.

Fingerprint Technology
Chapter 43

Fingerprint Scanners Replace Employee Time Clocks
An increasing number of businesses are using biometric scanners to log the precise time of employee arrival and departure. Some workers are doing it at Dunkin' Donuts, at Hilton hotels, even at Marine Corps bases. Employees at a growing number of businesses are starting and ending their days by pressing a hand or finger to a scanner that logs the precise time of their arrival and departure, information that is automatically reflected in payroll records. Manufacturers say these biometric devices improve efficiency and streamline payroll operations. Employers big and small buy them with the dual goals of keeping workers honest and automating outdated record-keeping systems that rely on paper time sheets. Example devices are shown below.

Cities as big as Chicago and as small as Tahlequah, Okla., have turned to fingerprint-driven ID systems to record employee work hours in recent years. And the systems have been introduced into plenty of other workplaces without much grumbling by employees, especially those already used to punching a clock.
Some Workers Don't Like It
Some workers see the efforts to track their movements via fingerprints as excessive or creepy. Ricardo Hinkle, a landscape architect, stated: "Psychologically, I think it has had a huge impact on the workforce here because it is demeaning and because it's a system based on mistrust." He called the fingerprint timekeeping systems a bureaucratic intrusion on professionals who never used to think twice about putting in extra time on a project they cared about, and could rely on human managers to exercise a little flexibility on matters regarding work hours. Protests over using palm scanners to log employee time have been especially loud in New York City, where officials have spent $410 million to install an automated attendance tracking system that may eventually be used by 160,000 city workers. The city expects to save $60 million per year by modernizing a complicated record-keeping system that now requires one full-time timekeeper for every 100 to 250 employees. The new system, called CityTime, would free up thousands of city employees to do less paper pushing. Another benefit of the system is curtailing fraud. Several times each year, New York City's Department of Investigation charges city employees with taking unauthorized time off and falsifying time cards to make it look as though they worked. Other cities have embraced similar technology.

The consulting firm International Biometric Group estimates that $635 million worth of these high-tech devices were sold last year, and projects that the industry will be worth more than $1 billion by 2011. Ingersoll Rand Security Technologies, a leading manufacturer of hand scanners based in Campbell, Calif., said it has sold at least 150,000 of the devices to Dunkin' Donuts and McDonald's franchises, Hilton hotels and Marine Corps bases, who use them to track civilian hours.

Jon Mooney, Ingersoll Rand's general manager of biometrics, said the privacy concerns are unfounded. The hand scanners don't keep large databases of people's fingerprints, only a record of their hand shape, he said. Still, union officials in New York said they are concerned that the machines could eventually be used not just to crack down on employees skipping work, but to nitpick honest workers or invade their privacy. "The bottom line is that these palm scanners are designed to exercise more control over the workforce," said Claude Fort, president of Local 375. "They aren't there for security purposes. It has nothing to do with productivity.... It is about control, and that is what makes us nervous."
New Systems Prevent Time Card Fraud
The new fingerprint time clocks prevent fraud because employees can no longer clock in or out for one another. The old trick is to sneak out of work early, asking a co-worker to punch out for you at the end of the shift while promising to return the favor in the future. Employees who complain bitterly about the new fingerprint time clocks seem to worry most that they will no longer be able to produce fraudulent time cards.
New Systems are Faster and Paperless
The bottom line is that the new systems are faster and paperless, thereby saving time and reducing administration hassles. Fingerprint time clocks are now integrated with accounting systems. For example, a product called Count Me In (costing $300 for up to 50 employees) can feed information directly to QuickBooks and other payroll and accounting programs. Rules can also be set in the system's calendar so that an employee cannot clock in unless he is scheduled to work at that time. Neal A. Katz, a vice president at Count Me In, acknowledges that some workers may be skittish about providing a fingerprint. But he explains that his system does not store fingerprint images. Rather, it converts a fingerprint into a mathematical code (a template) based on the distance between the lines and curves on the print. "Your fingerprint can't be given to someone else," he says.
Fingerprint Controlled Door Locks
The BioCert iQBio GuardianXL Fingerprint Biometric Door Lock runs exclusively on battery power. Powered by 4 AA batteries, it can be operated for up to a year without changing the batteries. Fingerprint enrollment is quick and easy. Up to 30 users can be enrolled and removed from enrollment immediately, directly on the BioCert iQBio GuardianXL Fingerprint Biometric Door Lock at the door. Benefits:

1. When someone loses their key or, worse yet, when a key is stolen, regular door locks cause problems.

2. With the BioCert iQBio GuardianXL fingerprint door lock you can program up to 138 individuals' fingerprints into the lock, and then grant access to whomever you choose.

3. Walkers and joggers don't like carrying extra items like wallets, purses and keys, and often the solution is to simply leave the front door unlocked or leave a key under the mat.

4. Entrusting even the most responsible child with a key can be problematic. Keys that are lost, stolen or simply left in a desk at school will not ensure that your child arrives safely inside the house after a day at school. With a fingerprint door lock, your child can always enter the home even when you can't be there.

5. Shared Residences, Condos, Apartments & Time Shares. If you own a piece of property where you share ownership, such as a condo, leased apartment or vacation home, a fingerprint door lock will allow you to grant access to all ownership parties while maintaining absolute control over who has access. There will be no key swapping or sharing, and only the enrolled individuals have access (subject to the spoofing caveats in the last section of this chapter).

6. IT Rooms and Server Closets. The United States Air Force, Army and Navy are all using the BioCert iQBio GuardianXL to secure their local IT closets and remote server rooms.

7. Executive Suites or Executive Bathrooms. Designed around the needs of small and medium businesses, the Guardian XL biometric door lock is capable of holding 2 administrators and up to 97 additional users.

8. Human Resource Offices & Financial Records Rooms.

9. Medical Records, Pharmacies, Regional Clinics and Doctors' Offices. The Guardian XL door lock is HIPAA-compliance enabled.

Fingerprint Systems are Not Always Secure
There are ways to defeat fingerprint systems.
1. Employees could be forced to provide fingerprints, whereas password systems can use a secondary "duress" password which triggers a hidden alarm; a fingerprint offers no such signal.

2. Fingers can be severed or chopped off; however, in March 2008 a new fingerprint reader from Futronic was released which verifies that the finger is a living finger by measuring heat, sweat and a heartbeat before activating.

3. MythBusters proved that even readers that claim to check for a live finger can be fooled. They were able to recreate a latex copy of a fingerprint, attach it to a live person's finger, and lick the copy to reproduce sweat. Even a photocopy of a fingerprint that was licked also beat the lock.

Here is the YouTube clip: http://www.youtube.com/watch?v=LA4Xx5Noxyo

4. Fingerprints can be duplicated. One researcher in Japan was able to use a "gummy" finger molded from gelatin, the same material as a gummy bear, to successfully duplicate a fingerprint and fool commercial readers.

5. Fingerprints can be reproduced. This web site walks you through the process for capturing and recreating a fingerprint: http://www.stdot.com/pub/ffs/hack3.html.
288

InformationSecurity

Perhapsthemorecommonapproachistohackthefingerprintreader.Onthiswebpagetwo
hackersexplainonemethodforachievingthisgoal:http://www.securityfocus.com/news/6717.
Stillanotherapproachistoinstallafakefingerprintreaderwhichcapturespeoplesfingerprints
inmuchthesamewaycriminalsusefakeATMdevicestocaptureATMnumbersandPINs.


Biography & Contact Information
J. Carlton Collins, CPA, ASA Research, Carlton@ASAresearch.com, 770.734.0950

J. Carlton Collins is an accounting software analyst and the editor of the Accounting
Software Advisor website. Since 1984, Carlton has worked in the accounting software
industry installing systems, consulting with end users, lecturing to more than one
hundred thousand businesses, consulting to accounting software companies, publishing
books, articles and websites. Carlton is experienced with many of the top accounting
software packages such as MAS 500, BusinessWorks, Great Plains, Navision, Axapta,
ACCPAC Advantage Series, Epicor, Open Systems Traverse, MAS 90, MAS 200, Exact's
Macola ES, Peachtree Complete Accounting, SouthWare, SAP R/3, QuickBooks,
Microsoft Office Accounting, BusinessVision 32, and more.

In 1983, Carlton developed spreadsheet templates for financial feasibility studies that
were used as a basis for more than $3 billion in bond issues, including rated bonds, private placements, and junk
bonds. In 1989 Carlton became an advisor to Lotus Development Corporation, where he helped Lotus develop
spreadsheet templates and marketing strategies. In 1992 Carlton took 2 entire days to personally demonstrate
over 500 pages of suggestions for improving Microsoft Excel to the entire Excel development team; many of those
features made their way into Excel 4.0, and shortly thereafter Excel became the dominant spreadsheet tool,
surpassing Lotus 1-2-3.

Selected Positions, Awards & Accomplishments:
1. 2008 Chairman of the Southeast Accounting Show, the south's largest CPA event.
2. Named Top Ten CPA Technologists by Accounting Technologies Magazine.
3. Named Top 100 Most Influential CPAs by Accounting Technologies Magazine in multiple years.
4. Recipient of the AICPA Lifetime Technical Contribution to the CPA Profession Award.
5. 1995 Recipient of the Outstanding Discussion Leader Award from the Georgia Society of CPAs.
6. 2008 Recipient of the Outstanding Discussion Leader Award from the Alabama Society of CPAs.
7. Has personally delivered over 2,000 technology lectures around the world.
8. Has published 94+ pages of technology articles in the Journal of Accountancy.
9. Selected by Microsoft to develop 27-hour CPE training materials on Microsoft Office Accounting.
10. Lead author for PPC's Guide to Installing Microcomputer Accounting Systems.
11. Has installed accounting systems for more than 200 companies.
12. Has assisted thousands with the selection of an appropriate accounting system.
13. Past Chairperson of the AICPA Technology Conference.
14. Past Chairman of the Georgia Society of CPAs PC Advisory Committee.
15. Founder and past five-term President of the PC Consultants Group of Atlanta.
16. Has lectured in more than 40 states and five countries.
17. Has delivered keynote and session lectures at dozens of accounting software conferences, including seven
Microsoft Partner Conferences, five Sage Conferences, and multiple conferences for Epicor, Open Systems,
Exact Software, Sage ACCPAC ERP, Dynamics NAV, Dynamics AX, SouthWare, and Axapta.
18. Has provided consulting services to many computer companies (including Compaq, IBM, Microsoft, Apple,
Novell, Peachtree, Epicor, Sage Software, Softline, Exact, ACCPAC, Intuit, Great Plains, and others).

Carlton's diverse background is an asset in providing his specialized consulting skills. He has six years of
accounting, auditing and tax experience in the areas of health care, construction, distribution, automobile
dealerships, insurance, manufacturing, and general business. His tax experience includes corporate, individual,
partnership, fiduciary, and estate tax planning work. Carlton also has been heavily involved in the other areas of
financial forecasts, bond issues, Medicare and Medicaid reimbursement, conventional financing, pension and
profit sharing plans, and business planning.
