computer security

Laptop security from Lifehacker

This piece of laptop security advice from Lifehacker is a well written, easy to understand (for non-geeks too) list of how to keep your data safe. It also gives you tips on how to track down your computer if the worst should happen.


TJX - over reaction?

Benjamin Wright posted a comment arguing that the TJX case has been an overreaction. He has also posted on this on his own blog.

First things first: let me welcome you to the blogosphere! Given your expertise as a lawyer, I probably should just shut up and not start to argue, but then again, what is the point of a discussion if we cannot share our opinions?

To your comment: I do not agree that there has been an overreaction. I think this depends on your point of view. If you consider only the known theft of money, you might be right.

However, if you consider the theft of privacy, the costs related to renewing CCs and the potential threat to the CC holder, I think the reactions so far have been anything but an overreaction. I also think it is necessary to consider the time frame of the attack - this went on for quite a while - and that this was an important "wake-up" call to many shops.

You say that the credit card issuers overreacted. I disagree. Their alternatives were:
  • say nothing (and wait for the press to find out...ticking, expensive bomb)
  • say "your credit card info is just lost, but hey, who cares? It is way too expensive to issue a new card" (and wait for customer to yell, call the press and cancel their cards manually; adding potential expensive law suits to the cost)
  • do as they did - cancel all cards, issue new ones. High initial cost, but low cost & risk in the long run. Just imagine the cost of losing the trust of the credit card user...

The TJX case goes to court

The TJX case, one of the largest ID- and CC-theft cases so far, has finally gone to court.

The Feds rolled up a large, international circle of criminals who are charged with hacking their way into a wide array of personal data. According to Attorney General Michael Mukasey, this is the single largest and most complex identity theft case that's ever been charged in the US.

Companies that got hacked include major brands like OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ's Wholesale Club and TJX Companies.

"They used sophisticated computer hacking techniques that would allow them to breach security systems and then install computer programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," Mukasey said. "They caused widespread losses by banks, retailers and customers."

TJX Senior Vice President Sherry Lang says that TJX has gone a long way to assist the investigation:

"With our customers always being our primary focus, TJX has gone to great lengths to secure its customers' data," Lang said. "However, broader action beyond retailers alone is required to protect consumer data. Banks and the U.S. payment card industry must join retailers and work together, including installing the proven card security measures in the U.S. that are already in use throughout much of the rest of the world."

I like Lang's request - there is no doubt in my mind that the more we integrate and consolidate technology, solutions and tools - into what we consider efficient communication - the easier it is to exploit those tools. Remember - a few years back, you had to hack into each shop. A little later, you could reach the HQ, as the shops started to interconnect. Today, you can reach almost anything, anywhere - just using your brains and a computer.

Compliance is one thing that may help; a better understanding of the technology and its potential is equally important. From a business point of view, I think it is very important to weigh the upside of adopting new (young) technology against the potential damage the new technology may inflict.

I am looking forward to following this case!

Chris Pirillo update on his PayPal loss

Chris Pirillo made an update regarding his losing US$450 from his PayPal account.

His post includes some tips (known to most of us, but no harm in repeating) on how to stay (more) secure when it comes to PayPal and online shopping:

(cut'n'pasted from Chris' post)

  1. The first thing, it all starts with a clean computer system. A computer system with viruses or keyloggers may be the cause of unauthorized people being inside your PayPal account. Use security programs on your computer.
  2. Make sure the site you are on is the verified PayPal site, and not a phishing site. You can check this out by checking the domain name in the browser's URL bar. You should see PayPal’s actual site address, and not something else.
  3. Don’t keep large amounts of money in your PayPal account, because people can easily send your money to other accounts in a blink of an eye if they gain access to it. Instead of keeping it on PayPal, keep it inside your bank account.
  4. Check your PayPal history on a daily basis. This way, you can stop money from being transferred if you see it happening when and where it shouldn’t be.
  5. This may be common sense, but use a strong password! Use a mixture of lowercase, uppercase, symbols, and numbers. Make it harder for a hacker to guess to begin with! Reading this post by Chris may help.
  6. When you’re buying something with PayPal, be sure to check that the site you are on is secure. Do this by checking the URL bar. The site should contain “HTTPS”. This will help you determine if the site is fraudulent or not. You can also do research on Google about certain sellers that you may not be sure of.
  7. Shop with well-known companies who have established a good reputation.
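Tips 2 and 6 above amount to two checks a user makes by eye: the address bar shows HTTPS, and the host really is PayPal's domain rather than a look-alike that merely contains the name. The following Python function is an added example (not from Chris' post or from PayPal) that performs the same two checks on a URL string; the expected domain `paypal.com` is an assumption made for the example.

```python
from typing import List
from urllib.parse import urlsplit

# Assumed for this example: the registrable domain the user expects to be on.
EXPECTED_DOMAIN = "paypal.com"


def check_checkout_url(url: str, expected_domain: str = EXPECTED_DOMAIN) -> List[str]:
    """Return the reasons a URL fails the HTTPS and domain checks; [] means it passed."""
    problems = []
    parts = urlsplit(url)

    # Tip 6: the page must be served over HTTPS.
    if parts.scheme.lower() != "https":
        problems.append(f"not HTTPS (scheme is {parts.scheme or 'missing'!r})")

    # urlsplit().hostname is lower-cased and has port and user-info removed, so
    # https://paypal.com@evil.example yields host 'evil.example' here.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        problems.append("no host in URL")
        return problems

    # A 'paypal.com@' prefix in the address is a classic way to disguise the real host.
    if "@" in parts.netloc:
        problems.append("user-info before '@' in the address; the real host follows the '@'")

    # Tip 2: the host must be the expected domain or a subdomain of it. A host such as
    # paypal.com.secure-login.example passes a naive 'contains paypal.com' test but fails here.
    if host != expected_domain and not host.endswith("." + expected_domain):
        problems.append(f"host {host!r} is not {expected_domain} or a subdomain of it")

    # Internationalised labels (raw non-ASCII or punycode 'xn--') can hide look-alike characters.
    if any(label.startswith("xn--") or not label.isascii() for label in host.split(".")):
        problems.append("internationalised host label; check for look-alike characters")

    return problems
```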



He explains the case here:



Do You Have a Problem with PayPal?

Windows 3.1 is dead - so what?

Today, John Sheesley amused me with his attempt to use Windows 3.1 (actually Windows for Workgroups 3.11) as a workstation in 2008. Those of us who remember WfW may wonder why on earth he would do that, but I'll leave it at that.

One would think that using software that was designed only 15 - 20 years ago should be quite possible today. After all, a PC is still a PC, right?

Not so. A PC of today (2008) is based upon the same principles as back in the early 1990's, but the technology has reached a maturity point where backwards compatibility hardly exists.

Yes, you may get WfW to actually work, if you, like many others, keep an old 486, or even a P1/P2, in a closet nearby. The challenge will be to render it useful, as John realises:

"The latest and greatest Web browser I could find for Windows 3.x was Internet Explorer 5.01. This was surprisingly modern — I thought IE 4.01 was the last version for Windows 3.x. Alas, it’s not modern enough. After installing this browser, it quickly became apparent that you can go almost nowhere with IE 5.01."

And IE 5 is not 15 years ago - it is more like 5.

Now, why should you, a security minded reader, care about the fact that John failed this project?

Several reasons come to mind:
  • From a continuity point of view - if you rely on some old hard-/software, make sure you have the tools and systems available in case of a failure.
It is not enough to dust off the old software boxes; you need to set up a system in parallel and see that you have all the bits it takes. I even suggest you make this a routine thing - once every year, month or week - depending on the criticality. I also suggest you start planning to change the old system for something a bit more modern.
  • From a data storage point of view - if software can become totally obsolete in less than 5 years, you need to make very sure that your backup systems, long-term storage, and other data you may require access to in the future use technology you are able to access.
If you have a bundle of old tapes from a streamer that got replaced some time back - will you be able to access that data? Also consider the long-term effect light, magnetism and dust have on equipment. CDs and DVDs are not safe for more than 10 years of storage - but even that is no guarantee. (As opposed to the advertisements in the middle of the 1990's, claiming CDs to be the best long-term data storage available...could last for a hundred years, they claimed...)
  • From a compliance point of view - if you are obliged to store information for a period of time - 3, 5, 7 or 10 years - you are also obliged to be able to access the same data in the future. It is your responsibility, and it is usually a good idea to plan the technology at the same time you plan what and where to store your data.
I find one of the comments to the article particularly nice:

"What will happen in the next 5 years? Is XP, 2000 going to be out of date also? Will we be able to keep up with the changes that are coming? How can we keep up to speed? "


Yes, XP, 2000 and many others will be out of date. 2000 actually did go out of date this summer, when MS pulled the support for it. Anyone remember OS/2? DOS I guess most still remember, but only hardcore old-timers still use it to some extent. The world (and the technology with it) moves on.

To keep up with changes, you need to keep track of what is going on, as well as of your own requirements. You are required to update once in a while, but you do not need to jump on the latest versions of everything - unless you have special requirements. It is simply a matter of balancing your needs.



Setting up your security lab

Many of my readers are curious about hacking, testing and the ins and outs of setting up a security testing facility.

So here is a nice white paper authored by Harry Bulbrook at Durham Technical Community College, explaining how to set up a secure lab for testing and learning. It is a year old, but it is still a great resource that enables you to easily set up and maintain your lab without interfering with your production network.

Cleaning the closet: HiPoint hijackers

Earlier this year, I posted about my experience with 0ww and the HiPoint Ltd hijackers.

This post has generated a few e-mails with requests for help to remove the threat. So here is a mock-up of one of the answers:

Steve H. sent me an email asking how to remove the HiPoint tools from his computer. This is my reply:

### 

From your message, I believe that only one computer is exploited, and that your request is not regarding a business network. Please correct me if I am wrong, as that would require a different approach.

What the HiPoint tools are doing to your computer, I can only guess (as I have no intention of actually trying it currently).
To remove it, you may want to try tools like Spybot Search and Destroy from Kolla in Germany: www.kolla.de - this is a free tool, which I use a lot myself. Make sure you download from Kolla himself, as there are a few rogue versions out there.
There are alternatives that may or may not work better - among those, Lavasoft Ad-Aware is well known: http://www.lavasoftusa.com/
It is not free, however.

If it is not possible to remove it (either the tools do not find it, or find it again and again), then I suggest you low-level format your hard drive and reinstall your OS. Make sure you do have backups of your data before the formatting, though, or the data is gone.

The re-installation process takes a few hours, and you need to patch your OS after the installation.

The true challenge is in the future - to avoid these kinds of attacks. They get smarter every day, and very few, if anyone, can expect to keep their computer clean all the time. So I hope you do not feel that you have done something stupid by clicking the button - remember I almost did the same, and I deal with these things as my job... :)

###

Steve also had some issues with the file MGRS.exe.

This thread gives valuable input: http://forums.techguy.org/malware-removal-hijackthis-logs/591494-solved-mgrs-exe-startup.html

###

And of course - why not just use Microsoft's own malware scanner? After all, they made the OS, so they should be in control of what is what? Right? One of the bonuses of using the Microsoft OneCare tools is that they are free, and you know you can trust the publisher.

###

To end this post, five tips on how to avoid the malware:

1. Keep an updated and trusted antivirus tool running at all times. Make sure it focuses on doing its job, and not on telling you what it is up to all the time. It is generally a good idea to combine it with a software firewall and antispam.

2. Keep your OS updated at all times. If you run Windows, make sure Windows Update is on, and configured for automatic download and update. If you run Linux, make sure you set it up to download and install updates automatically (how? depends on the distro - usually pretty simple, by adding an update source and setting it to check automatically).

3. Use common sense when surfing, downloading and running software. Not sure? Then don't do it!

4. Learn how to deal with it - how to spot a hoax, how to recognize a bad website, and how to see the bad guys. Remember that if an offer sounds too good to be true, it is! Even on the Internet!

5. Have fun! After all, what is the use of computers and the Internet if you cannot have some fun with it? And when you are protected, and know how to deal with the threats, you can surf in confidence!

The blogger is Kai Roer, a European Information security professional.
