security breach

Social Media and Identity Theft in 2010

Jabulani Leffall — Tue, 05 Jan 2010 15:00:04 +0000

In the next few days and weeks you will be bombarded with things to watch for in 2010 — you know, lists and such.

They will detail ways to save, what the best vacation destinations are, who's hot and who's not — you know, the important stuff.

Most of this important stuff, such as this blog post for example, you may wish to share via a social networking site: Facebook, Twitter, LinkedIn, MySpace — you know, the important sites.

But hark, hark I say, these sites are actually important sites because millions use them. And millions such as yourself, will be vulnerable to scams, trickery and tomfoolery that will at best lead to some embarrassing hijacking of your page or computer and at worse, help a hacker dial down into what in the data protection world is called PII or personally identifiable information. We've covered a little bit of this in this blog but never enough.

Allow me to pose this question: Would you walk into a dark alley that says "Check out this really cool video of you and your friends"? Would you& trust a Bobby D. like character who says "I got some nice dresses for ya, right around the corner if you walk into that alley"? Would you walk into that alley with your ID in hand, brandished for all to see?

Of course not. You are, after all, kind of sane. I mean you're reading this aren't you?

Yet so many people want to check out those cool videos and see which designer dresses that Bobby Digital has for them every time they log on. Sure they'd skipped the dark alley but only to do the same exact thing digitally on Facebook, et. al, every single day.

This is why Antivirus software firms such as McAfee and Symantec both see 2010 as a breakthrough year for social media sites — wait for it — surprise, uhh yeah, a breakthrough in terms of them being attacked by hackers.

What's alarming, if not brow-raising, is that most of the hacks on your favorite social portals for posting, partying, pandering, pithiness, and persiflage will take place because you or someone you know, walked into that dark digital alley in search of fun, just curious and also just plain careless.

“Mostly it's the users in an individual or small business environment through carelessness,” said David Bloom, a Los Angeles-based consultant specializing in social media. “Like Pogo said, ‘We have met the enemy and it is us.

Indeed most hacker intrusions count on curious users who they can snare by simply having the users click on web links or log in via fake web pages that look like the homepages of the most popular social media destinations.

Spoofing, for instance, involves hackers sending you phony alerts or messages supposedly from your friends, or in the case of Twitter, followers. But once you click on them there’s the possibility of being re-routed potentially malicious sites or triggering automated viruses or remote code execution, which gives a hacker control of your browsing session.

Phishing, meanwhile, also counts on user participation but usually uses more familiar subject matter to users as bait. Users might get an “emergency” message, or a “video of you” from a friend. Another method is a fake error message from your social networking site requiring your action.

With Phishing, users are most often lured into clicking on a spoofed link or page such as fake web pages that look like home pages of trusted web sites — i.e. Facebook — where users unwittingly type in login information or click on page links.

By extension, links are becoming an important component of social networking security. Recently the heavy use of condensed URLs or web addresses (tinyurl and bit.ly) to post links on Twitter and Facebook has made easier to access or cut and paste into a web browser. On the flip side, the URL shorteners can also make it nearly impossible to identify the domain or origin. This increases chances of clicking on a spoofed or malicious link. Also, URL shorteners can also help spammers to evade spam filters installed on personal computers.

“Whether its tinyurl or bit.ly technology, users are getting into the habit of clicking links that they don’t know or trust,” says Corey Thomas, Vice President of Product and Operations for IT security firm Rapid7. “This makes it much easier for a hacker to highjack the target’s system. The most important thing in a situation like this is letting users know the potential risks of tiny URLs and that they should not be clicked on unless absolutely necessary.”

Someone can easily Tweet this blog and shorten the url from Wise Bread to something that looks like an algebra equation and bam you now have "nice dresses."

So remember this year as you give status updates on where you are and what size shoes you're wearing while sitting there, people, perhaps even the wrong people, will be watching and waiting.

Cue ominous musical score and ring in 2010 with vigilance.

Written by Jabulani Leffall and published on Wise Bread. Read more articles from Wise Bread.

Lock bumping - your home isn't safe

Paul Michael — Tue, 06 Mar 2007 21:28:40 +0000

I heard about lock bumping last month from a friend. I figured it was all just a bunch of hokum. But I checked it out. It's not a myth, it's not an urban legend. Crooks can make a generic key to open any lock, including yours. And it's easy. As the video below will show, even a child can do it.

So, what is Lock Bumping?
It's a technique that's been around for many years (some say it dates back as early as the 1950s) and it's a simple way to 'pick' a pin tumbler lock using a bump key. And more scary is this...one bump key will work for ANY lock.

Ok, then what's a bump key?
I don't want to go into explicit detail here, for obvious reasons, but a bump key is basically a blank key that has been filed down to the lowest level in each groove. It will slide into any pin tumbler lock and enable the would-be thief to gain entry to your home in seconds.

How does it work?
Again, without delving too deep into specifics, the technique involves sliding the 'bump key' into the lock and giving it a thump. The tumblers inside will align, you give the key a turn, and quicker than you can say 'where's my DVD player?' the thieves are in to your home and ripping you off. The video below is quite scary, and shows you just how easy it really is.

Scared? You should be. So, how do you protect yourself?
Fortunately, Lock Bumping does have counter measures. And believe it or not, more expensive locks are actually more vulnerable and open to attack. Because they are more precisely machined, expensive locks will turn more easily after a bump. The same goes for locks made of hardened steel, as they will sustain less damage during a bump. A cheaper lock may not withstand the force of the knock and refuse to turn.

Bump-Proof Locks
They do exist. They range in price from just under $100 to, well, several hundred dollars. But when you consider the financial costs of replacing your valuables or your identity, that's not so bad really.

The most affordable bump-proof lock I discovered was at a site called wholesalelocks.com. Their Bump-roof BiLock can be found here and it looks like it's tough as nails. That's one serious looking lock. Other bump-proof locks that I've found, although not quite as affordable, include Medeco , Videx Cyberlocks , Mul-T-Lock , and GoKeyless . I'm sure there are a few other secure locks on the market too. Just pop down to your local DIY store and ask if they have any Bump-Proof locks. If they don't (which is likely) they can certainly point you in the direction of someone who does sell them.

Is there a quick-fix solution?
There are a few. Your local locksmith is well aware of Lock Bumping, and can come out to your home and make your current locks more secure. If you don't fancy the call out charge, you could always fit an additional Mortise or Deadbolt lock to each exterior door. Unlike cylinder locks, these are far more difficult to bypass (although nothing is impossible), and two locks on a door is also a good deterrent.

Finally, if it's so prevalent, why aren't lock manufacturers doing anything?
Good question, right. The answer is an old one. Money. Right now, less than 5% of the population knows about Lock Bumping, and even fewer really give it the attention it deserves. The cost of making bump-proof locks is much higher, which means the cost to buy them is higher. And ultimately, that higher price point affects the bottom line.

So, that's the scoop on Lock Bumping. Much more information is out there on the web if you really want to find it. More worrying, if you can find out how to make a bump key, so can any thief. Yikes. Now, I'm off to buy a Doberman with sharp teeth and an appetite for criminals.

Written by Paul Michael and published on Wise Bread. Read more articles from Wise Bread.

UCLA security breach affects 800,000 people (not just students)

Will Chen — Wed, 13 Dec 2006 04:06:33 +0000

LA Times reported this morning that "hackers have gained access to a UCLA database containing personal information on about 800,000 of the university's current and former students, faculty and staff members, among others."

The personal information stolen include names, birth dates, social security numbers, home addresses, and other contact information.

There are two things you have to know that are not widely reported by the media:

Breach Also Affects Applicants and Parents

According to UCLA's information website, the breach also affects "student applicants and some parents of students or applicants who applied for financial aid.

The database also includes current or former staff and faculty of the University of California, Merced, and current or former employees of the University of California Office of the President, for which UCLA does administrative processing"

This could potentially affect a lot of people. If you applied to UCLA or had a standardized test score sent to UCLA, you may be affected by this breach.

Don't Wait for UCLA to Contact You

While UCLA claims that it will attempt to contact all those who are affected, don't hold your breath.

I know many people who are personally affected by this security breach who did NOT receive a notice from UCLA. They had to call the UCLA hotline (877 533-8082) to verify that they were indeed a victim.

When the victims asked why they did not receive the notice, UCLA hotline operators said that they only sent out information to the most recent contact info listed on URSA, UCLA's online records system. Not surprisingly, most alumni, parents, and applicants do NOT constantly update UCLA with their latest mailing or e-mail addresses.

Call the hotline (877 533-8082) right now and check whether you have been affected.

If You are a Victim What Should You Do?

According to UCLA:

"As a precaution, UCLA recommends that you contact one of the three national credit bureaus to place a fraud alert on your consumer credit file and obtain a copy of your personal credit report. Once a credit bureau places a fraud alert on your credit file, the two other credit bureaus will automatically do the same. Each bureau will then send you a copy of your credit report. The fraud alert and credit reports are free. Here is the contact information for the fraud divisions of the national credit bureaus:

Equifax: (888) 766-0008 http://www.equifax.com
Experian: (888) 397-3742 http://www.experian.com/fraud
TransUnion: (800) 680-7289 http://www.tuc.com

Written by Will Chen and published on Wise Bread. Read more articles from Wise Bread.