How to Protect your Identity from Identity Theft

October 8, 2007

IDENTITY THEFT
What is identity theft?
How it happens?
What to do if it happens to you?
How to prevent it?

WHAT IS IDENTITY THEFT?
Identity theft occurs when a person’s identity is stolen for the purpose of opening credit accounts, stealing money from existing accounts, applying for loans, even renting apartments or committing crimes.

Victims of identity theft often aren’t aware that they’ve been targeted until they find unknown charges on their bank or credit card statements, are called by a collections agency or are denied credit.

HOW IDENTITY THEFT HAPPENS
Here are some of the most common ways identity thieves can gain access to your information. They:

• Steal wallets and purses containing your identification, credit and bank cards
• Steal your mail, including bank and credit card statements, phone bills and tax information
• Complete a “change of address form” to divert your mail to another location
• Steal or illegally purchase personal information you share on the Internet
• Call you claiming to be a well-known, reputable company, asking for personal information.
• Send you an email, which appears to be from a reputable company, asking you to respond or go to a web site and provide your personal information. This practice is known as “phishing” (pronounced “fishing”).
• Set up bogus web sites that look like familiar legitimate sites and ask you to provide personal information. This practice is known as “spoofing”.
How to Protect yourself from Identity Theft

This guide will help you take action to protect yourself against identity theft. If you’ve already been victimized, this guide will provide information about restoring your credit profile and minimizing the potential for any future occurrences of identity theft.

WHAT TO DO IF YOU’VE BECOME A VICTIM OF IDENTITY THEFT?
1. Contact one of the three credit bureaus to request that an initial 90-day fraud alert be added to your personal file. By requesting a 90-day fraud alert, anyone seeking credit in your name will have to have their identity verified. The credit bureau you contact will forward the fraud alert to the remaining two credit bureaus automatically. Once you place the fraud alert in your file you are entitled to a free credit report.

The information for each of the three bureaus is as follows:
Equifax
(800) 525-6285
Post Office Box 740241
Atlanta, GA 30374-0241

http://www.equifax.com

Experian
(888) 397-3742
Post Office Box 9532
Allen, TX 75013

http://www.experian.com

TransUnion
(800) 680-7289
Fraud Victim Assistance Division
Post Office Box 6790
Fullerton, CA 92834-6790

http://www.transunion.com


Monster.com Resume Database Hacked, information Stolen

September 3, 2007

You may not be surprised to know that, of all the hacking attempts made on companies, the companies that hold and maintain large databases of information, such as credit card companies and banks, are online targets for hackers and opportunistic criminals who attempt to extract information from such databases. One company that maintains such large databases of information is Monster, the largest and most popular job portal on the Internet.

Monster keeps information on job applicants. This information includes name, current address, phone number, information about employers, past employment history (which can give away the location of previous addresses) and other confidential information, all very appetizing for Internet trolls and malicious hackers.

Recent reports coming out from Monster suggest that the Monster resume database was hacked into and information such as names, addresses, phone numbers and email addresses of job seekers with resumes posted on Monster, including MonsterTRAK, was stolen and illegally downloaded. Apparently there was a rogue server within the Monster network which was used for downloading all this information from job seekers.

While the company claims to have conducted its own investigation, it still cannot say for sure which individual job seekers had their information stolen.

How can Hackers use this confidential information?

When your personal information has been stolen from the monster.com resume database, you can be a prime target for a phishing email. You may get an email stating that there are issues with your account that need immediate attention. You might be asked to click through to a malicious/spoofed website. Worse yet, you may get a phishing email saying that you have obtained a job with the company you applied to and that you need to click through to a spoofed site, which might ask you to enter more personal information or download some malicious software.

An example of such an email could be the one shown below. Notice the spelling mistakes

How to Encrypt a File and apply Image Steganography

August 30, 2007

Steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message. Generally, a steganographic message will appear to be something else: a picture, an article, a shopping list, or some other message. A steganographic message (plaintext) is often first encrypted by some traditional means, and then a covertext is modified in some way to contain the encrypted message (ciphertext), resulting in stegotext.

In this article, we will teach you how to do this: first encrypt a message, and then apply image steganography techniques to hide this encrypted message in an image.

PHASE # 1: How to encrypt a text/message

When concealing data within encrypted data, the data to be concealed is first encrypted before being used to overwrite part of a much larger block of encrypted data. This technique works most effectively when the decrypted version of the data being overwritten has no special meaning or use. Some cryptosystems, especially those designed for filesystems, add random-looking padding bytes at the end of a ciphertext so that its size can’t be used to determine the plaintext size. We will be applying this encryption technique using TrueCrypt.

TrueCrypt is a free open source disk encryption software that works on both Windows and Linux platforms. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. TrueCrypt does this by creating a virtual hard drive that will read and write encrypted files on the fly. The advantage of using TrueCrypt is that you need not download it everywhere. All you need are the files truecrypt.exe, truecrypt.sys and the volume file you create which you can carry on your flash drive.

Step by Step Tutorial on how to encrypt your Hard disk or data or message using TrueCrypt

Step # 1: Download and install TrueCrypt

Step # 2: Once you launch TrueCrypt, click on the “Create Volume” button. This launches the Volume Creation wizard that prepares the encrypted drive location. Next, choose “Create a Standard TrueCrypt Volume” and hit Next. Next, click on the “Select File” button. Browse to a place where you want to store your encrypted files. In this case, I am selecting askstudent.secret. Note: This is not the file you want to encrypt. Think of this as a folder name which in turn would contain the files you want to encrypt later on. Hit Next.

Remove url.cpvfeed.com spyware and core.sys rootkit

August 14, 2007

url.cpvfeed.com is a nasty browser hijacker that is doing the rounds in the Internet today. Luckily for us, our resident security expert Ajit has outlined a detailed and foolproof method on how to get rid of the url.cpvfeed.com browser hijacker from your computer and get rid of the popups that come with that piece of computer spyware.

How to remove url.cpvfeed.com

Is your Internet Explorer showing a “page cannot be displayed” error, but occasionally you are directed to an unknown site? When you try a Google search, does your search term … display a popup ad showing eBay or some other site? You are infected by the core.sys rootkit, which also contains the url.cpvfeed.com browser hijacker popups.

Click on the link to remove url.cpvfeed.com browser hijacker and also remove core.sys rootkit


How to use the .htaccess file. Frequently Asked Questions

May 5, 2007

What is an htaccess file?

The htaccess file is a simple ASCII file which you can create using a regular text editor like Notepad. This file allows us to make configuration changes on a per-directory basis. This file works on both Windows and Unix/Linux platforms with Apache Web Server.

Note: htaccess is not the name of a file. It is simply a file extension like .mp3. Only in this case, it is not something.htaccess or file.htaccess. It is simply named .htaccess. Also, if you are modifying an existing .htaccess file, make sure you make a backup of it somewhere before proceeding.

What can I use the htaccess file for?

There are several benefits of using the htaccess file for webmasters and developers. Most of them provide enhanced security to your site. You can prevent directory browsing, password-protect directories, change the default index page of a directory, redirect visitors from one page or directory to another, and also prevent hotlinking of images on your website.

How to create the htaccess file?

Open up a simple text editor, say Notepad, and save the file as .htaccess. While saving in, say, Notepad, change the “save as” type option from .txt to all files. Also remember to upload it in ASCII mode and not binary. Once uploaded to your server, make sure the permissions for your .htaccess file are 644 (rw-r--r--). Having this makes the file writable by the server but not by others, including visitors to your site.

Once created, where do I upload my .htaccess file?

Since the .htaccess file allows us to drill down and implement changes on a per-directory basis, there are multiple options for where to place this file. The only thing you need to remember is that an htaccess file in the root of your site affects your whole site, whereas an htaccess file in your images folder is unique to that folder and its subdirectories, if any.

/.htaccess (in the root of your site)

/content/.htaccess (in any content site, say membersonly/.htaccess)

/content/images/.htaccess (in an images folder)
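
The uses listed in this FAQ, written out as an added example (not from the original article). It assumes Apache 2.4 syntax, mod_rewrite enabled and an AllowOverride setting that permits these directives; example.com, the file names and the password-file path are placeholders.

```apache
# ---- /.htaccess (site root: applies to the whole site) ----

# Prevent directory browsing: no auto-generated file listings.
Options -Indexes

# Change the default index page (the first file found is served).
DirectoryIndex home.html index.html

# Redirect visitors from one page to another (permanent redirect).
Redirect 301 /old-page.html https://www.example.com/new-page.html

# Never serve .htaccess or .htpasswd files to visitors.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# ---- /membersonly/.htaccess (this directory and its subdirectories) ----

# Password-protect the directory with HTTP Basic authentication.
# Basic auth sends credentials with every request, so serve it over HTTPS.
# Keep the password file (placeholder path) outside the web root.
AuthType Basic
AuthName "Members only"
AuthUserFile /home/example/private/.htpasswd
Require valid-user

# ---- /content/images/.htaccess (the images folder) ----

# Prevent hotlinking: refuse image requests whose Referer is another site.
# An empty Referer is allowed so direct visits still work.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
```

The Referer header is supplied by the client, so the hotlink rule saves bandwidth but is not an access control; use the authentication block for content that must stay private.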


The best career paths for nerds and the colleges offering them

May 1, 2007

Online University Lowdown has an excellent article on the 25 best colleges for nerds and some of the cool courses being offered at these colleges.

From colleges with video game design majors to artificial intelligence, to majors in ‘ethical hacking’, colleges around the world are starting to appeal to the nerds in all of us.  This list of 25 courses and programs offered at colleges around the world identifies some of the nerdiest coursework, starting with the most obvious, and winding up with the most obscure…

Note: Most of the courses listed below are full 4 year courses. Also, clicking on the links below will take you straight to the course listing whether at physical universities or online schools. A lowdown according to them …

# 1: Game Software Design and Production at DigiPen Institute of Technology

# 2: Ethical Hacking at the University of Abertay in Dundee, Scotland and InfoSec Institute

# 3: Open Source Development at University of California Berkeley and online equivalent at University of Illinois

# 4: Cryptography at Stanford University, MIT and University of Washington

# 5: Network Security at the University of Tennessee Knoxville and an online equivalent at The American Intercontinental University


Second Annual Collegiate Cyber Defense Competition

March 18, 2007

Informit.com is providing good coverage of the Mid-Atlantic Regional Collegiate Cyber Defense Competition. Students put their skills to the test, trying to lock down systems against intrusion from an invading hacker team. All in the name of learning.

How many times have you heard a commercial telling you how much money an Information Technology professional can earn in a year? Well, trust me; the job is not as easy as it sounds. Just ask the eight teams that participated in the annual Collegiate Cyber Defense Competition (CCDC). During the event they are under immense pressure to build a web application, maintain a web server with an ecommerce system, manage an Exchange server, keep a DNS server up and running and more, all while protecting their network from four seriously determined hackers.

From the article: “When the three hour grace period was over, the Red Team slowly worked their way into attack mode. One member started to sort through the information they gleaned from their scans and investigated each possible exploit. Another member fired up a MySQL database client and started to poke around the students’ databases looking for sensitive data. The two others were adding/changing accounts to routers, firewalls, and systems. However, for the most part, the students were not being pelted with attacks. And this continued for the next several hours.”

The rules were fairly simple — at least at first glance. Basically, the Red Team could do anything but hurt someone or perform a denial of service attack (network flood). The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure.

Communication was allowed between team members, but only the team leader could talk to the white cell members about problems, etc. The feds could be called over for an investigation and the Red Team was allowed to try to talk to the teams to put a social engineering twist on the games. Finally, all business objectives and administrative requests are sent to the CEO via email.

I’m all for this and from TFA, this sounds like a great thing (and lots of fun!). It seems that this includes even the social engineering aspect. In other words, it’s a trivial matter to get into somebody’s system; it takes a whole other skill set to convince that person to hand you the keys to their data. That is to say, attempting to gain access to a computer system through its weakest link: THE USERS! It’s one thing to pit technical skill against the threat of hacking, but it’s been done over and over; all that technical skill accounts for nothing if you have a user that has his/her password written down on a sticky – on their MONITOR! Users must be educated and kept up to task on things like this, and it’s my opinion that the IT/Security industry does not place enough emphasis in that area.

In this contest, social engineering was allowed. It seems that a few members of the Hacker/Red team would often walk around the room and try to watch what people were doing. A few times they even stopped and tried to get information out of the student/blue teams. However, they had to leave our team area when asked. It seems that one team actually left sheets with the wrong passwords on the tables in hopes that they (Red Team) would waste their time.

Even GoogleFight thinks that the Red Team actually whupped the Blue Team, with the Red Team (Hackers) returning 267,000,000 results compared to the Blue Team (Students), which returned 146,000,000 results.

For those who read French, here is a press release [web.crim.ca] about a team of Scheme hackers headed by Marc Feeley [umontreal.ca] participating in a Quebec security competition who won both the first prize for keeping the other nine teams out and the second prize for finding the most security problems in the other teams’ servers.

According to a member of the student team
