“I’d just like to say that tomorrow is my brother’s birthday. Lieutenant Colonel John Smith, of Oshkosh, Maryland is 50 years old.”

It’s interesting to note that we have a fair amount of info for piecing together… identity theft:

Name
Rank
Date of Birth
City and State

If you think this is being a little paranoid, remember this saying: Just because you’re paranoid, it doesn’t mean no one is out to get you. The real trouble here is the efficiency involved. It’s one thing to mention this information to a small group of people – perhaps some of whom you don’t know well. It’s quite another to divulge this information nationally, to millions of people (and that is this particular show’s audience numbers).

With a little diligence, an identity thief can cruise past this person’s mailbox, and steal even more critical identifying information. As a start, the info above is enough of a foundation to make that cruise a good investment in time. Also, “spoofing” then becomes more easily leveraged; the contact of this person, either via e-mail, USPS mail, or even in person.  One example is a spoof whereby someone poses as the representative of a veteran’s organization, and asks to “verify” information:

“Hello Colonel Smith, we have your city and state as Oshkosh, Maryland – is that correct?  Thank you.  We also have your date of birth as 12/16/62 – is that correct?  Would you please provide your Social Security Number for verification?  Thank you Sir.”  You get the idea.  It happens quite frequently.

The newscaster could have said, merely, “I’d like to wish my brother a Happy Birthday… tomorrow is his birthday” – and left it at that. However, if it were me, I would say nothing. In the first place, a national news audience doesn’t particularly care, and while the mention “on air” might please his brother, it’s really not worth it. It’s not that big a deal in personal terms – being that it’s likely that a phone call will be made (or can be made, in lieu of the on air greeting) later.

It’s time to think very carefully about what you do: What you reveal; to whom; where; and when (are others nearby who can overhear? Online – are systems truly secure?).

In divulging personal information, regardless of the reason, always ask yourself:  Is this something that I have to provide? If it is truly necessary, is this the superior way to do it?

What this newscaster did is fine… for the ‘50s, ‘60s, ‘70s… etc. – maybe. But in today’s times?

NO. WAY.  Be careful out there.

We know there are spurious websites offering products and services, while at the same time soliciting personal information:  Name; address; date of birth; credit card number; expiration; and so on.  There are many other websites, legitimate and otherwise, that make the simple divulging of e-mail address necessary – and frankly, that can be the beginning of identity theft.

Fortunately, most of us have robust malware protection, virus protection, and even spam guards in place.  But recognize that most data breaches and identity thefts are due to human error and misjudgments.  Even a routine online job search can have peril.

In particular, be wary of job proposals or company notices that come your way on an unsolicited basis.  Invitations to apply will include the divulging of highly personal information – and I don’t even give my name and address to someone or any entity that I don’t know, or can’t research to a very high degree of certainty for legitimacy.

As to that last point, it may in fact be difficult to certify a company as “legitimate.”  Social media and marketing make it easy for false-front organizations to pose as a legitimate enterprises, with products, services, and testimonials handily displayed on Facebook and social media accounts or fancy webpages.  However, regardless of your ability to certify the positive, you can dig for the negative:  Search the company’s name on the web with the word “scam” after it.  Other terms that come to mind are “ripoff,” “illegal,” “court action,” “shut down,” etc.  You get the idea.

These days, sad to say, you must limit personal information when sending a resume.  Even when sending to a trusted, known, entity or person, you cannot be entirely sure to whom that person will pass the information… and so on… through each iteration of pass.  So:  Don’t divulge your birthday or your social security number.  In the case of your present and past jobs, don’t reveal employee ID numbers.  Professional certifications, licenses, badge numbers, etc., are also a no-go.  Also keep in mind that there are websites that merely pose as known, high-profile, organizations:  Verify web addresses.  Search to any company’s legitimate website – for example, don’t take hyperlinks that are delivered in e-mails for granted.

You should also be very circumspect about your education.  Schools, years graduated, and other attendance information can give thieves a ready handle by virtue of alumni information, opening a view to all sorts of other data regarding you.

While online enablements offer broad powers to all sorts of human endeavor, be aware that these same deliver power to identity and data thieves.  Job seekers need to exercise extreme caution:  be sure to vet all sources and contacts.

 

Today, any organization is dead without its technical supports.  Even an attack on content – information, business intelligence, data – can put business at risk. 

By “business,” we mean the doing of the doing – your “busy-ness” in furthering and delivering within your mission:  Whether you’re a for-profit private-sector endeavor; a non/not-for-profit org; a government agency; or sole-proprietor.  You have business that needs to be conducted on a daily, ongoing, basis.

Any business can go out of business if it loses any measure of its technical enablements, and/or corresponding content.  Lose it all, and it most definitely will go out of business.

And now comes word of cyber-terror.  What the heck does the local organization do about that??  Eugene Kaspersky is a Russian math genius who founded an internet security apparatus that has been characterized as having a global reach.  He’s a thought leader as regards emerging perils.  According to Sky News, Kaspersky believes “…we are close, very close, to cyber terrorism.  Perhaps already the criminals have sold their skills to the terrorists – and then… oh, God.”

That doesn’t sound too hopeful.  Further, Kaspersky, while attending the London Cyber Conference, told Sky that he believes cyber-terror to be the biggest threat to nations such as China and the U.S.

“There is already cyber espionage, cyber crime, hacktivism (whereby activists attack systems and content for political ends) – soon we will be facing cyber terrorism,” he said.

So – what’s the local organization to do?  There is a need to protect yourself.  With ever-more power and knowledge being available to individuals and small groups, imagine:  Imagine a disgruntled ex-employee wiping out your organization’s assets, for example.  But further:  Can the average organization make a contribution to the larger, surrounding, public security?

I propose a business/tech roundtable in given locales, that meet semi-annually, or perhaps quarterly in high-risk areas (Washington, DC, for example).  Here, business and technology folks, from all levels of diverse organizations, can brainstorm and share ideas of protection, prevention, and where necessary – recoveries.

It’s going to become a necessity:  Already, the Pentagon is on record to state that the U.S. reserves the right to retaliate with military force against any cyber attack.  In a 12-page report to Congress, made public, the Pentagon said:

“When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country.  We reserve the right to use all necessary means – diplomatic, informational, military and economic – to defend our nation, our allies, our partners and our interests.”

The vulnerability is large, being that the Defense Department alone operates more than 15,000 computer networks, with 7 million computers worldwide.

But, again, what of your locale?  What if simple everyday “hacktivists” decided to take down some service providers that were key to you?  It would be awfully uncomfortable to live without e-mail, your online presence, and the services of any other providers such as Cloud hosting, processing, storage, and communications.

It’s something worth thinking about… at least start to think about it –  and where effective, efficient, contributions by your org might be made.

NP:  Black Sabbath, We Sold Our Soul for Rock ‘n’ Roll, original vinyl LP.

You may have heard about the man being prosecuted for using his wife’s password to access her e-mail account.  Many news reports indicate that he “hacked” in to her account.  However, the couple kept a small notebook of passwords next to the computer; he logged in.

Still, the man faces charges under a Michigan statute that, when boiled down, bars access to computers and associated resources without proper authorization.

Without going into the detail or merits of this specific legal case, it serves to remind us of something very important.  If you don’t want your information  read, breached, misused, or otherwise accessed and possibly disseminated, then don’t write your passwords down, and definitely don’t have them laying around for easy access.

Which brings us to the real concern:  I’m aware of several environments that have shared accounts – system accounts – for controls, setups, configurations, etc.  The accounts are shared amongst several, authorized, people.  Sometimes there are multiple shared accounts; each having its own class of personnel availing themselves of specific avenues of access and system influence via this means. 

Reasons for having shared accounts include:

1.     Fewer accounts (and passwords) to create and maintain.

2.     Personnel absences easily covered.

3.     Fewer instances of forgotten passwords and resultant resets…

…and so on.  Whatever the reasons, they are not good ones.  Shared accounts represent a problem on several fronts:

What if there is a data breach due to a human error that occurred within the domain of a shared system account?  Who is at fault and will they own up?

Suppose there is fraudulent activity… who is the guilty party?  This could even include embezzlement, or directing too much authority to a specific user, for example.

If there are setup or configuration errors, it’s important to readily identify the transgressing party for purpose of training, or discipline in the case of sloppy work.

Each person in the organization should have a unique account name and associated password.  Network supervisory roles and other special accounts (for the aforementioned setups, fiscal management programs, etc.) should be tethered to one specific person.  If additional accounts with similar roles and authorities are required, create them with unique names and passwords.

As to people who keep passwords in notebooks next to their computer, be advised:  You’re practically soliciting a breach.  Don’t share passwords, don’t write them down (unless they’re in a locked safe, with a discreet list of access), and for certain don’t have them written somewhere in the vicinity of data’s access point (the computer).

NP:  The Red Garland Trio, Manteca, original 1958 LP.  Wonderful album.

I see where the University of Wisconsin–Madison campus had a recent breach necessitating the contact of 60,000 people (according to the Milwaukee Journal Sentinel).  There are interesting twists to this particular breach.

First, to set the stage:  A database was “compromised,” and it contained names and social security numbers.  Oops; compromising names and SSNs is rather an embarrassing violation of data’s security – no question. 

Here’s the really interesting – and quite dismaying – part:  UofW used to embed the students’ social security numbers in their student ID numbers.  Hmmm.  That’s bad enough – really unwise.  But further, their present system contained an old file with old photo IDs, names, and the student ID number with the embedded SSN.  You know, just hanging ‘round in case – or maybe because no one remembered it was there… and no system existed that could throw up a flag.

Content management anyone?  A tenet:  If data no longer has business value, relevancy, and use – get rid of it.  Archive it or delete it.  This is a perfect example of legacy data’s liability. 

Lessons of Legacy:  It’s reported that the identities of those who accessed the file remains unknown.  But consider:  There are all manner of systems out there, with “dead wood” files just hanging around.  Who knows what measures of security awareness existed at the time of creation and accumulation of records in those files?  What vulnerabilities exist that we wouldn’t even consider looking for today?  I’d never have thought someone would embed an entire SSN in a larger ID number- seems rather crazy, but I’d just about bet they weren’t the only ones to do something like this back in the day.

Going back and surveying legacy systems and files for larger enterprises can represent a mountain of work – and it’s no small task for SMB and their corresponding smaller staffs – and once undertaken, you might not even expose and correct vulnerabilities to a 100% standard.  This is why it is so critically important these days to mount security from a whole-view perspective, with a whole-view of content.  It is far easier, and much more efficient, to manage as you go.  Construct and secure data within solid systems, and have a CMS system with destruct-dates and archive-dates well established. 

For stuff that no longer has active business or historical value, get it out of the active system; be certain the actions you take are legal - and in accordance with governance (business sanction) – archive it if you must; if you can, delete (destruct) it.

Don’t wait because, today, violating data’s security attains a much higher profile, becomes much wider-spread, and is increasingly unaffordable. 

NP:  Haitian Fight Song, Charles Mingus – Jazz24.org – online; (10:36:02 in length, and it’s jammin’ – I’ll cleanse myself with vinyl/analog later tonight).

Something interesting happened to me the other day.  There was an unauthorized debit made to my checking account in the amount of $150 and some change by an entity that was unknown to me.  I was reasonably certain that I hadn’t conducted any business with any such business.

These days, as most here probably know, breaches involving bank accounts usually involve modest amounts; the “breachers” hope that this allows an unauthorized withdrawal to fly under the radar, and they’d rather hit several accounts for these modest amounts than to hit one account for a massive withdrawal – sure to garner unwanted attention and, hopefully (for us), thwart.

When I called my bank of 30+ years to report an unauthorized transaction, the initial contact was with a representative who was concerned with telling me what he (and the bank) could not do for me – their customer.  He explained that he could “delete” the transaction, but that the offending party could simply resubmit.  He suggested that I call the entity and discuss the transaction with them.  I patiently explained that they might not be the originating party – that it could be someone spinning the unauthorized transaction through them.  His counsel was to contact them none-the-less.  Having already Googled them, I called…

That entity, a web services company, was sympathetic – and of course, in order to validate whether I was a customer or not, they wanted… my name and address; the last six digits of the debit card; the three security digits on the back – as well as other things.  All of this to “look me up” in determining if I was even a customer of theirs – before getting to the question of the transaction.

My question to them was – how do I know you are who you say you are?  And, how do I know you’re a legitimate company, and not simply gleaning personal details and financial authentication information from people?  Fortunately, they were ultimately able to determine that I was not a customer with my name, primarily, and that they had not issued the charge to my account.

I called my bank back, and I’d like to credit the second representative with some intelligence.  He deleted the transaction and, in his words, “blew the bridge” to the card by cancelling the card and reissuing a new one.  Thank you.  I wish I had thought of it.  But that first rep had me thinking that the transaction had to be honored by the bank.  Hmmm… after all, what good is my word?  I’m just a customer in good standing for more than 30 years.

But – my question to you, dear reader, is… when you call your bank, or any business such as the one I had to contact, or any agency that wants things such as address, last four of SSN, mother’s maiden name, birth date – and essentially wants exposure of all sorts of security data and answers to security questions:  How do you know to whom you are speaking?  What is your security question to them?- with attendant, and correct, security answer(s) as provided to you for your comfort and identification of them? 

Phone numbers can be hijacked – what if, when you call your bank’s number, you instead reach a nefarious party out to harm you?  Consider:  What if your bank’s web page is taken over, or substituted, and you dial a number posted there that goes to a hacking agency out to grab your details, and your money?

As breaches and thefts become ever more clever, watch for breaches to be mere springboards:  A theft that causes an individual to launch a call, which in-turn may be hijacked into some spurious realm for further gleaning of confidential information. 

Security needs to be a two-way street.  Presently, in these circumstances, it is one-way and therefore only mounted half-way.  True security demands a face-to-face meeting in a physical location, to establish security questions that the bank, for example, must answer correctly to YOUR satisfaction when dealing with a disembodied voice on the phone. 

Of course, even that authenticating standard can be breached, but every layer helps.

August 21^st:  On this date in 1841, John Hampson patents the venetian blind.

Continuing with our exposure of services and associated liabilities from the other day: 

After a resume and any cover letters are crafted, they are e-mailed to the client’s personal e-mail account.  This is so they can maintain their own resume and letters and get access to them elsewhere:  Public library, home, etc.  This has led to a couple problems.  Frequently, clients have no e-mail account.  Many of the clients are blue collar workers who have no computer experience or skills; it’s been quite eye-opening.   In these cases, the Center creates a Yahoo  e-mail account for the client.

Many clients forget their e-mail passwords, and even their account ID.  So, the Center has these little business-sized cards, with the agency’s name proud and centered, and a line for e-mail ID, and a line for password.  Do any of these cards get lost?  You bet.  It’s rather confounding that, in 2010, modern system and data security measures have long held that you should NEVER write passwords down – and even login IDs should be protected, in my opinion.  Pairing the two on a card, with an e-mail account that contains a trove of personal information, and formalizing the process with the production of agency-approved cards (with agency name!), is bad practice on steroids.  And… we’re just getting started.

Nearly all clients return to the Resource Room on a regular basis:  To perform online job searches, to make application to jobs online, to tweak resumes, to write more cover letters.  Sometimes a returning client’s resume is unavailable – either through a lost e-mail account or the fact that a resume was never sent to an account – sometimes the client ends up with a folder of hardcopy resumes and somehow the electronic version didn’t make it to e-mail.  In these circumstances, which are all too frequent, there manifests a need to get the resume from a “resume bank” – this is a network drive that is unavailable for access in the Resource Room – even by the people staffing the room. 

Up until April, the drill was to go to another room (a classroom with an open door) containing a physically unsecured fileserver.  A resume for retrieval was put on a thumb drive – that thumb then taken into the Resource Center and plugged into the client’s workstation, and resume transferred to that PC’s Desktop.  Can you guess what had been happening?

An estimate by staff members is that over a hundred thumb drives have gone missing – “lost” – with all sorts of client data.  I myself observed various “transfer thumbs” with a dozen or more records each.  It is conceivable that over 1200 records have been breached.  One staff member said that “perhaps hundreds” of thumbs had been lost.

It was only upon my mention of this security problem that the practice was stopped.  The procedure now is to e-mail the resume from the “bank” to the client’s e-mail account, and then to access the client’s e-mail, and thus resume, out in the Resource Center.  Why a mapped drive to the resume bank, with simple authentication, isn’t available to staff in the Resource Center is a total mystery.

Incredibly, upon my initial entrée, there existed no User’s Manual.  Upon initial contact with the Center clients must:  1)  Create a system identity and login credentials;  2)  Create (or have) an e-mail account;  3)  Access ResumeMaker and build a resume;  4)  Convert the resume from the native ResumeMaker format to MS-Word;  5)  Access various online jobsites – the primary being the state-run jobsite; and  6) Logout properly – to include a complete Shutdown – to scrub any work from the PC workstation they were using.

The lack of documentation, a simple user’s manual, meant that even savvy people needed a hand-hold through the process.  I was able to produce a very robust manual in an afternoon’s time – and am happy to say that many people  use it.  This frequently frees staff so that they can help those who most need it.  Further, the last part of the manual, is perhaps the most important:  The Logout procedure…

The Logout remains an incredible breach situation at this Resource Center – it is an ongoing liability now.  Upon login, a small window on the PC (which gets minimized on the Taskbar) indicates who is logged on to that PC.  A gray bar in the window states “I am finished using this computer – sign me out.”  All clients click that when leaving – the screen goes to a login state.  HOWEVER – the desktop and other data storage areas of the PC are not yet scrubbed!  The PC must be completely shut down:  Only achievable in this environment by hitting a Microsoft “Flag” key on the keyboard, and then clicking “Turn Off” above the Start button, and a subsequent “Turn Off” option in a popup box.

This Shutdown procedure was completely undocumented.  Further, and particularly when the room is busy, clients aren’t told to completely shut down their session by insuring the computer was off – nor are they aware of the potential for their data’s breach.

Next:  Part III – No documentation, no policies, no security training/meetings, no wireless security.  A culture with an almost adversarial posture regarding best practices and best progressions; no maintenance of a responsible forward edge for a secured environment.  AND –  what we’re gonna do about it.