A Beacon of Light

Testing a photo

2011-08-27T10:52:00.002-04:00

Microsoft's Free Windows Live Essentials Beta Debuts

2010-06-26T11:06:00.001-04:00

Microsoft's Free Windows Live Essentials Beta Debuts

By Jeff Bertolucci, PC World, Jun 24, 2010

The new Windows Live Essentials beta will be available for public testing starting Thursday, according to Microsoft. A collection of free Web-oriented applications and services for Windows Vista and Windows 7 PCs, Live Essentials is currently available in English, French, Dutch, Japanese, Portuguese, Simplified Chinese, or Spanish.

You can download the beta here. (The beta wasn't live as of 10 a.m. U.S. Pacific, although it should be available sometime today.)

Live Essentials programs include Windows Live Photo Gallery, Movie Maker, Mail, Writer, and Messenger. The new beta connects these apps to online services from Microsoft and other providers, including social networking sites such as Facebook, MySpace, and Linkedin; popular blogging tools like Spaces, WordPress, and Blogger; online storage and photo/video sharing sites including SkyDrive, Flickr, YouTube, and SmugMug; email sites such as Hotmail, Gmail, and Yahoo Mail; and Microsoft Office Web Apps, Redmond's new online productivity suite.

In addition, the new Windows Live Sync feature synchronizes your files across multiple PCs and on cloud-based (online) servers. Sync's new remote desktop feature also lets you access your PC via the Web.

More…

Twitter

2010-05-22T08:47:00.002-04:00

I hope no one thinks I am ignoring their requests in Twitter. I keep a protected account in Twitter and I have been experiencing this for almost the past two weeks. I receive an email saying that I have a new Follower Request at Twitter. When I click on the link, the page is blank. If you are experiencing this, post a reply at the link below so they can keep track of who is affected by this.

Empty Follower Request Page/Trouble Following Private Accts
Marc May 12
Do you have a protected account ?
If your are receiving new follower notifications via email, but your page appears empty when you go to http://twitter.com/friend_requests, what you are experiencing is a known issue.

More…

Will there ever be a “Facebook for Dummies” Book?

2010-05-17T04:35:00.002-04:00

There is never a dull moment at Twitter. Just yesterday someone asked, “When are they going to publish a "Facebook Privacy for Dummies" book.” My reply was that I would bet on never, but this got me thinking about all that has been written already about Facebook’s current Privacy challenges and we already have a book.
Here is the history of their ever changing Privacy Policy.
Evolution of Privacy Policies on Facebook – a Panel Chart in Excel

By Chandoo, May 13th, 2010
There is a chart called “Evolution of Privacy on Facebook” going around on the web. The chart made by Matt Mckeon, a developer in IBM’s visual communications lab has created quite a stir in the interwebs.

More……
Here is an article on what Facebook passwords not to use.

20 passwords to never use on Facebook
By Josh Smith, May 14th 2010
Excerpt....
In addition to those poorly-chosen passwords we've come up with our own list of 10 words or phrases not to use as your Facebook password.
Employer info
School name
School mascot
Names of groups, artists or shows you "Like" on Facebook
Spouses name or birthday
Banking passwords
E-mail password
No dictionary based words -- even those in a different language
Pet's name if you post captioned pictures to your profile
Anything you might answer in a Facebook quiz
Creating a strong password doesn't have to be a chore or difficult to remember. Simply adding a number and a punctuation mark greatly increase the strength of a password. You can also use a phrase, condensed to a string of words and numbers, as an easy-to-remember secure password. For example, "WalletPop is my #1 Personal Finance Blog!" becomes the "Wim#1PFb!".
More…….

and….
This article is jammed with links to more information on Facebook Privacy. First, to convince people that they are sharing information with the world there is Openbook.org and Zesty.ca. It links you to an article about how to delete your Facebook account. If deletion is something you choose not to do, it includes a chart that maps out how to find all the hidden Privacy settings in Facebook.

Facebook Privacy: Secrets Unveiled
By JR Raphael, PC World, May 16, 2010
Excerpt....
Thanks to a couple of handy new tools, you can now check out exactly what Facebook is telling the world about you -- and about everyone else. First up is Openbook, a project created by three computer geeks from San Francisco. Openbook lets you search through Facebook's publicly available user data to find out what everyone is saying.
Excerpt....
So what to do? You can always say so long to Facebook, of course. Or you can choose to stay with the site and simply be vigilant about protecting your privacy. It isn't easy, but it can be done.
You can see what Facebook shares with the world about you by using this free tool at zesty.ca; just input your Facebook user ID or account number (found by looking at the URL for your Facebook profile page), then click through the fields to see what's actually public. The tool won't take into account info that could be shared by applications or Facebook's "instant personalization" feature, but it's a start.
After that, get ready to dig. This daunting chart breaks down all of the categories of settings you'll need to review (hint: be sure to clear out a couple hours of your afternoon). This story provides a slightly less overwhelming summary of the main settings you should revisit. And this one goes through some additional steps you'll want to take to address the aforementioned new "instant personalization" options.

More.......
Now you have the start of a “Facebook for Dummies” book. That is of course until it changes again because change is the only constant in life or in Facebook Privacy.

I just wanted to add that this will help you manage the instant personalization feature on Facebook.

ReclaimPrivacy.org

This website provides an independent and open tool for scanning your Facebook privacy settings.

and-

The scanner operates entirely within your own browser.

More.....

Bkis Blog » Skype – New target of the worm spreading via IM

2010-05-09T08:26:00.001-04:00

This worm uses social engineering techniques that trick users into thinking the link (URL) is only to a picture (JPG). It comes from people you know that have been infected and is spread to everyone in your Skype or Yahoo Messenger friend list. Please be careful if you use Skype or Yahoo Messenger.

An analysis and screen shots can be found here.

Bkis Blog » Skype – New target of the worm spreading via IM

Facebook - Privacy Controls & Targeted Malware

2010-05-04T03:47:00.001-04:00

Social media (like Facebook) is a great way to stay in touch with your family and friends. There is nothing wrong with this and it is free to use. Facebook has actually crossed generational gaps, where many of the young, old, and in-between love it. I remember writing letters and mailing them home when I was younger. The Privacy settings of the old fashioned letter writing was the envelope, but that did not protect you from the letter being delivered to the wrong person or the person on the other end publishing your letter in a newspaper.

Facebook's Privacy Controls Broken

By Dan Tynan, May 03, 2010, Analysis: Inconsistency in controls raises (more) questions about Facebook's privacy options.

I've spent a fair amount of time lately messing about with Facebook's privacy settings, which is almost like having a life, but not quite. Then I discovered something odd and disturbing: I cannot make all of my "likes and interests" private so that only my friends can see them. Even when I tell Facebook to do it, it won't -- they're still visible to anyone who looks up my Facebook profile.

Is it a bug? Was it something I said? Was it all those jokes about Facebook causing venereal disease or because I published a nude photo of Mark Zuckerberg? I dunno. But whatever the reason, even with every single Facebook setting turned to "friends only," anyone on Facebook can still see the 128 groups I have joined on the site.

More…..

-and this.

A HijackThis Toolbar from Facebook?

By AndyAtHull, May 03, 2010

The title will come across as shocking if you are a security expert. However don’t let the title scare you too much.

Symantec today blogged about spam e-mail making the rounds that looks like the following hoping to lure recipients into downloading a Facebook toolbar:

(see the article for the pictures)

Excerpt-

So as you can see, there is some mentioned this file to be associated with HijackThis, an analysis tool by Trend Micro. Symantec detect this file as a Trojan.Dropper. HijackThis is a legit tool and Facebook have not released a toolbar dubbed HijackThis.

Be careful what you click on as some disguise themselves differently to others. And should you come across a suspicious e-mail, report it.

More….

When I say Facebook is free to use, you have to be careful with your Privacy settings, suspicious emails, and the links you click on. Additionally, it seems like you have to re-check your Privacy settings frequently. Defensio will help protect you against malicious links while using Facebook. It is the one application that I will allow on Facebook. It can also be used on your blog.

Windows 7 Security

2010-05-02T08:50:00.001-04:00

This is a great guide to read if you are trying to understand Windows 7 Security. It does not go too far into the weeds (or details) that will confuse someone with a security background. If you want an easy to read overview of some of the new security features that are available in Windows 7, this is the place to start.

-Ultimate guide to Windows 7 security

Use AppLocker, BitLocker to Go and other Microsoft security tools
By Roger A. Grimes, InfoWorld, 21 April 10

Windows 7 has been warmly received and swiftly adopted by businesses, with the result that many IT admins are now struggling with the platform's new security features. In addition to changes to User Account Control, BitLocker, and other features inherited from Windows Vista, Windows 7 introduces a slew of security capabilities that businesses will want to take advantage of.

Windows 7 improves on Vista with a friendlier UAC mechanism, the ability to encrypt removable media and hard drive volumes, broader support for strong cryptographic ciphers, hassle-free secure remote access, and sophisticated protection against Trojan malware in the form of AppLocker, to name just a few.

In this guide, I'll run through these and other significant security enhancements in Windows 7, and provide my recommendations for configuring and using them. I'll pay especially close attention to the new AppLocker application control feature, which may be a Windows shop's most practical and affordable way to combat socially engineered Trojan malware.

More.......

ID Theft Protection Services

2010-04-05T04:56:00.001-04:00

I was researching a topic that was possibly related to fraud the other day. It was closer to the grey line of consumer fraud, but I refuse to draw any conclusions based solely on my opinion. Life has a way of teaching you that even if something grates on your nerves, there are always two sides to every story or even two, three, four sides, depending on who you are speaking to at that time.

What I ran into was some news about ID Theft Protection Services. I do not think that you will find anyone who will tell you that ID Theft is not a serious crime or that the documented cases have sky-rocketed in the past three years. When you look at this from a Risk Management point of view, you want to look at some options that will help mitigate this threat. One option that is available is ID Theft Protection Services.

When choosing an ID Theft Protection Service or Insurance, you have to read the fine print to see if it will be a benefit you. You have to watch out for consumer fraud and conduct research on the company. Personally, I would never accept an offer by way of phone marketing because there is an increased chance that you are being scammed. The person on the other end of the phone might not be who you think they are and if they really want your business they can provide a phone number that can be validated (searched for on the Internet). That way, you can call them back when you are ready to conduct business with them.

Lifelock claimed that it covered all types of ID Theft and basically it didn’t.

-This is a link to the FTC Case Information with a phone number to contact them for more information.

INFORMATION ON LIFELOCK SETTLEMENT

Here are some more newsworthy angles to the LifeLock controversy and the ID Theft Protection industry.

-Lifelock CEO Todd Davis Does Damage Control
By Dave Nielsen, March 16, 2010

If you hadn't heard, identity theft company LifeLock agreed to pay $12 million dollars to settle charges from the Federal Trade Commission and 35 states. The FTC felt that LifeLock ads were deceptive and overstated the protection provided by the service.

Personally, I think the charges are valid and I had to chuckle a bit when I read this email from CEO Todd Davis sent out to his partners. Mr. Davis certainly has his public relations firm working overtime to write something like this.

More....

and-

-Identity Theft Protection Industry: Divided we Stand, for Better or for Worse
By Denise Richardson, March 17, 2010, updated March 22, 2010

When have you ever seen one bank tear apart another? Never. Why? Because they unify as part of the same industry and work together, for good or ill. Think about it: the same could be said about any industry--the insurance, credit and debt collection industries to name a few. They band together in a sort of code of honor where one never knocks the other. They go about their business promoting their own products and services. It boggles my mind why the identity theft industry does things differently. Why is it so divided?

Last week's press conference by the FTC and 35 Attorneys General launched a media frenzy that left some of us shaking our heads and others scurrying about to see how best they can twist the news of this recent settlement with LifeLock into their own personal pot of gold.

More...

I have only found one ID Theft Protection Service that offers a Recovery service that covers all types of ID Theft (financial, criminal, social security, medical, etc) and Family Fraud. They are honest in claiming, “While we provide a comprehensive approach to help prevent the occurrence of Identity Theft for our members, no identity protection service can prevent identity theft from happening.” They do not even collect your SSN unless you need the Recovery service. Zander Insurance Group (FAQ) Also, check out the link to how they compare to other ID Theft Protection Services.

MSRC - Security Advisory 981374 Released

2010-03-10T02:14:00.001-05:00

Does not affect IE8 or Windows 7.

Security Advisory 981374 Released

Microsoft Security Response Center(MSRC) Blog, March 09, 2010

Hi everyone,

Today we released Security Advisory 981374 addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is not affected by this issue. Customers using Internet Explorer 6 or 7 should upgrade to Internet Explorer 8 immediately to benefit from the improved security features and defense in depth protections. Additionally, Internet Explorer 5.01 on Windows 2000 is not affected.

At this time, we are aware of targeted attacks seeking to exploit this vulnerability against Internet Explorer 6. Internet Explorer Protected Mode in Internet Explorer 7 running on Windows Vista helps to mitigate the impact of this issue. Additionally, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. Please review the Security Advisory for additional workarounds which include modifying the Access Control List (ACL) on iepeers.dll (the affected component), setting the Internet and local Intranet security zones to "high", configuring Internet Explorer to prompt before running Active Scripting, and enabling Data Execution Prevention (DEP) where possible which makes it difficult to successfully exploit the vulnerability.

More.......

-Microsoft Security Advisory (981374)

Vulnerability in Internet Explorer Could Allow Remote Code Execution

Published: March 09, 2010

Link

The Economics of Spam & Botnets

2010-03-07T07:15:00.001-05:00

To state that it has been a while since my last blog post would be an understatement. I will quote a true unnamed mentor of mine and just say, “Life Happens.” My work changed and brought me into the world of Project Management. This subject almost interests me as much as Information Security. I want to highlight this TechRepublic article because it describes the most recent top 10 spam botnets. The economic reasons for spam and why the spammers use botnets became somewhat clearer to me.

The top 10 spam botnets: New and improved

by Michael Kassner, February 25th, 2010

While doing research for this project, I came across a blog series (first, second, third post) that forced me to rethink. Ranking spam botnets is not as simple as I thought. The blog author, Terry Zink, pointed out that there are several measurement philosophies:

The number of bot members

The number of bytes sent

The number of messages sent

In the grand scheme of things, it may not seem important. But techies like details. Counting the number of bot members or bytes sent is straightforward enough. You would assume that the number of messages would be, too.

Well, it’s not. Botnets are smart enough to create a spam message but address it to a lot of different recipients. That adds another factor when counting messages.

Confused? So am I. To make some sense out of it all, I juggled the different attributes (totally unscientifically, of course) and came up with the following list of the best of the breed.

More here……

Security Idiot: Impress Your Peers With Your Grasp of IT Security Terminology

2009-07-17T06:16:00.000-04:00

This is a funny IT Security Glossary. It is only meant as a joke because everyone needs a little humor in their lives, from time to time.

Security Idiot: Impress Your Peers With Your Grasp of IT Security Terminology

Nikola Tesla Day

2009-07-10T06:40:00.001-04:00

Nikola Tesla is the true unsung prophet of the electronic age; without whom our radio, auto ignition, telephone, alternating current power generation and transmission, radio and television would all have been impossible.

Ben Johnston, My Inventions : The Autobiography of Nikola Tesla (1983)

In my adult life, when I learn of some fact of history that has been twisted or omitted – it always takes me by surprise. The rock band Tesla was the first time that I heard about Nikola Tesla. That was in 1990, when their live acoustic album, Five Man Acoustical Jam was released, which contained the "Love Song." Around that same time, I was visiting Carlsbad, Czech Republic. The hotel room had a radio that actually had the name Tesla on it.

This really caught my interest and I have studied Nikola Tesla throughout the years. One fact that astonished me was that he sold his patents for the polyphase alternating current system of generators, motors and transformers to George Westinghouse. It would have made him a wealthy man, but he later released Westinghouse from the contract. Where would we be today without his inventions and lifelong work? While this has nothing to do with Information Assurance, sometimes it is good to remember the basics and somewhere in all of this is a lesson on patents or even copyrights. Happy Nikola Tesla Day!

WHAT ARE TESLA'S GREATEST INVENTIONS?

1. AC polyphase transmission and AC motor in 1887-1888 -- (the world's primary power--electrical and mechanical). (No, not Edison--Tesla has all the US patents for polyphase AC.)

2. Fundamental circuitry for radio in 1891 -- (providing worldwide communication). (No, not Marconi--Tesla has the defining US patents for radio, upheld by the US Supreme Court.)

More….

Oil Power, Nikola Tesla, A Prophet with Honor, Electricity's Great Radical, Volume V, No. 5, June 1930.

The Tesla Memorial Society - Links to Other Tesla-related Web Sites

The Tesla Foundation of North America (TFNA)

PBS: Tesla – Master of Lightning

The Complete Nikola Tesla U.S. Patent Collection - Title Order

Sunbelt Software – New Partner of StopBadware.org

2009-07-02T05:32:00.001-04:00

This is great news! I have been a longtime advocate for all the work that they do at Sunbelt Software.

StopBadware.org, Sunbelt Software partner to fight badware

New Data Will Allow Broader Reach, Richer Analysis

CAMBRIDGE, Mass., June 30, 2009 — StopBadware.org, the collaborative initiative to combat viruses, spyware, and other bad software, announced today that Sunbelt Software, developer of the VIPRE anti-malware product line, will participate in the effort as a data partner. Sunbelt Software joins Google in contributing data to the project, which is based at Harvard University’s Berkman Center for Internet & Society. The initiative is funded by Google, PayPal, Mozilla, AOL, and Trend Micro.

Hundreds of thousands of websites—some might count them in the millions—are associated with the distribution of badware. Some are deliberately malicious, trying to trick users into installing a virus on their computers, while others are legitimate websites that have been tampered with, putting the site’s visitors at risk. In the most egregious cases, such sites can infect computers with vulnerable software simply by a user browsing to the page, a practice known as drive-by downloads.

StopBadware.org collects the URLs of these badware websites, whether malicious or compromised, from its data partners. It uses the information to support and encourage site owners and web hosting companies in cleaning up and protecting their sites. The initiative also conducts analysis of infection trends, offers independent reviews of its partners’ findings, and operates a community website, BadwareBusters.org, that provides help to people who have been victims—or wish to avoid becoming victims—of badware.

“We are thrilled that a well-respected anti-malware company like Sunbelt Software has come on board as a data partner,” said Maxim Weinstein, manager of StopBadware.org. “The new data offers us a different view of the badware website landscape and will help us to extend our reach and to provide richer analysis.”

More………

Phishing Toolkits

2009-06-15T05:03:00.001-04:00

News-

Use of phishing toolkits on the rise

iTWire, by Peter Dinham, 14 June 2009

There’s been a huge increase in the use of phishing toolkits, with 42 percent of phishing URLs last month generated using the toolkits, and the emergence of a new trend of phishing attacks towards the popular social networking site, Facebook.

Symantec, in its June phishing report, says it observed an increase in URLs using phishing toolkits during May of 100 percent over the previous month, with a 14 percent decrease in non-English phishing sites compared to February.

The security firm also reports that during May, more than 98 Web hosting services were used, which accounted for six percent of all phishing attacks, which was a decrease of five percent from the previous month.

David Cowings, executive editor security response at Symantec, says phishing sites were categorized based upon the domains they leveraged and “a considerable increase was seen in the number of phishing sites using automated toolkits,” and, he adds, “this increase was a result of a large toolkit attack targeting an information services brand.”

More.......

Medical Identity Theft

2009-06-14T09:54:00.001-04:00

Medical identity theft is more devastating to the victim than traditional financial identity theft. This article from the New York Times explains some of the known affects of this crime and the bureaucratic process to fix the erroneous information in medical or health insurance records.

Medical Problems Could Include Identity Theft

New York Times

By Walecia Konrad, June 12, 2009

Excerpt……

The last time federal data on the crime was collected, for a 2007 report, more than 250,000 Americans a year were victims of medical identity theft. That number has almost certainly increased since then, because of the increased use of electronic medical records systems built without extensive safeguards, said Pam Dixon, executive director of the nonprofit World Privacy Forum and author of a report on medical identity theft.

And uncountable, Ms. Dixon said, are the people who do not yet know they are victims. They may not know that their medical information has been tampered with for months or even years until, as in Mr. Sharp’s case, it shows up in collections on a credit report.

Medical identity theft takes many guises. In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.

In another variant of the crime, someone can use stolen insurance information, like the basic member ID and group policy number found on insurance cards, to impersonate you — and receive everything from a routine physical to major surgery under your coverage. This is surprisingly easy to do, because many doctors and hospitals do not ask for identification beyond insurance information.

Even more common, however, are cases where medical information is stolen by insiders at a medical office. Thieves download vital personal insurance data and related information from the operation’s computerized medical records, then sell it on the black market or use it themselves to make fraudulent billing claims.

and…..

And there are none of the consumer protections for medical identity theft victims that exist for traditional identity theft. Under the Fair Credit Reporting Act you can get a free copy of your credit report each year, put a fraud alert on your account and get erroneous charges deleted from your record. If your credit card is stolen and the thief goes on a spending spree, you’re not liable for more than $50 worth of the charges.

With medical identity theft, though, the fraudulent charges can remain unpaid and unresolved for years, permanently damaging your credit rating. Under the federal law known as HIPAA — the Health Insurance Portability and Accountability Act — you are entitled to a copy of your medical records, but you may have to pay a hefty fee for them.

Worse, HIPAA privacy rules can actually work against you. Once your medical information is intermingled with someone else’s, you may have trouble accessing your files. Privacy laws dictate that the thief’s medical information now contained in your records must be kept confidential, too.

Even when you are able to correct a record, say in your doctor’s office, the erroneous information may have been passed on to dozens of other health care providers and insurers. Victims must track down and resolve these errors largely on a case-by-case basis, Ms. Dixon says.

More…….

The FTC Red Flags rule require entities with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. This will add another layer of consumer protection against identity theft and greatly expand the reach of the FTC, helping consumers fight fraud.

I would think that the providers of health care would be the first line of defense in preventing medical identity theft. The American Medical Association (AMA) is making efforts to persuade the FTC that doctors are not “creditors.” While the enforcement of the Red Flags rule has been postponed twice (November 2008 – original date, May 2009, and August 2009), the FTC has made it clear (see below: The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft) that the Red Flags rule is based on each individual business. Only after considering the definition of a “creditor” and “a covered account” can they determine the type of program that must be implemented, based on the risk of identity theft.

These are references that relate to the Red Flags rule.

Health care and the Red Flags rule-

-The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft

The FTC, by Steven Toporoff, May 2009

-Hot Issues Alerts - Law Firms: Do The FTC Red Flag Rules Apply To You? What Health Care Companies Should Know About The New FTC Requirements To Prevent Identity Theft

The Metropolitan Corporate Counsel, H. Carol Saul and EpsteinBeckerGreen, 1 June, 2009

The FTC -

Fighting Fraud with the Red Flags rule

Do-It-Yourself Program for Businesses at Low Risk For Identity Theft

The World Privacy Forum - The Medical Identity Theft Information Page

An unanswered question - Do ID Theft protection services even provide coverage for medical identity theft?

Why I Fight Phish

2009-06-03T10:15:00.002-04:00

Volunteering to help other people comes naturally to me. At a point, I had been researching Volunteerism and came upon this quote: I am only one, but still I am one. I cannot do everything, but still I can do something. And because I cannot do everything, I will not refuse to do something that I can do. Edward Everett Hale, Ten Times One is Ten (1870) The funny (ironically speaking) part of it was that it was a 13-year old boy, Trevor Ferrell of Philadelphia, Pennsylvania that repeated that quote to President Regan as he received a Presidential certificate for Volunteerism. He started out by taking blankets to the homeless on a cold winter’s day and that spark grew into Trevor’s Place. The point is that anyone can make a difference in the life of others and when you volunteer for something, it is better if it is for something you are interested in. This is even true when you apply that interest to learning or work.

Back in 2006 when the PIRT initiative was announced, I knew that it was something that I wanted to contribute my time to. The first reason was that it was in my opinion a great idea: to send out take-down notices for phishing and keep a public repository of the reports. Private citizens could submit email that is only normally deleted, erasing valuable evidence of a crime. Secondly, it was the military MyPay phishes that hit home for me. To target these Soldiers who give up so many things just to serve our country is like a slap in the face. Last but not least, I had the desire and willingness to learn. What I learned from the experience is that even the little guy (a figure of speech - small business owner, forums, personal websites, etc.) needs help from time to time and no one reached out to them in this aspect for free (at that time).

This PC World article highlights Gary Warner’s career up to 2007. It also backs up my claim that even one private citizen can make a difference.

Digital Vigilantes: The White Knight of Phish-Busting
PC World, 24 Dec 2007
Warner is now focusing on fighting cyber-crime full-time and on training a new generation of network forensics investigators. "You wouldn't believe the looks on their eyes the first time they got an email back from a Webmaster saying, 'Thanks for letting me know. I just shut that down.'"
When he spoke with IDG News, it was five days after final exams at the University of Alabama at Birmingham and though it would have no effect on their marks, four students were still coming into the labs to help shut down phishers.
"That idea that as a private citizen, you can help, that's the kind of thing we're trying to inspire," he said.
More………

I am a member at PhishTank and Digital PhishNet (DPN). I do support the Anti‐Phishing Working Group (APWG), just not as member because I do not belong to any of the member organizations or have the required email address. I wish that they would allow independent security researchers that are not a non-profit organization. The APWG does provide expert advice to the little guy.

What to Do if Your Web Site Has Been Hacked by Phishers

APWG, January 2009
You may receive a notice by phone or email from an individual or organization that claims knowledge of an attack. Obtain as much information from the third party as possible, including:
a) The person’s name
b) Name of their organization
c) Return contact information (phone, email, postal address, organization’s web site)
d) Web page(s), including the URL (link) the party alleges to be a phish web site
e) Nature of attack (attempt to steal personal information, to complete a bogus credit card transaction, to obtain user account credentials, etc.)
f) A description of any malicious content that appears to be downloadable from your web site (e.g., spyware)
and……
APWG encourages you to report the phishing site URL to the APWG via the email address reportphishing@antiphishing.org. Reporting to this address will cause most anti‐phishing organizations to receive a notification of the phishing web site. Security products, e.g., anti‐phishing toolbars, will be updated with the offending URL, thus offering protection to thousands, if not millions of potential victims.
and…..
The APWG provides a standard “you've been phished!” redirection page and instructions for its use at http://education.apwg.org/r/about.html. This strategy will prevent further use of the phishing site, keep your customers informed, keep your web site online for real time analysis, and afford you additional time to perform containment actions.
More………..

Even with CastleCops and PIRT gone, there are still ways to fight phishing on a daily basis. The volunteer opportunities do exist as long as the volunteer is interested and willing to learn. If ten people send a take-down request to the ISP for ten different phish, ten fraudulent websites will be able to remove that content, investigate the crime, and update their servers. If a modest estimate that each phish could have led to twelve cases of ID Theft, 120 people could be spared this. Ten Times One is Ten.

The Word Hacked

2009-05-29T06:29:00.001-04:00

The Scrap Value of a Hacked PC

Security Fix - Brian Krebs, May 26, 2009

Computer users often dismiss Internet security best practices because they find them inconvenient, or because they think the rules don't apply to them. Many cling to the misguided belief that because they don't bank or shop online, that bad guys won't target them. The next time you hear this claim, please refer the misguided person to this blog post, which attempts to examine some of the more common -- yet often overlooked -- ways that cyber crooks can put your PC to criminal use.

More here

I think that I understand why Brian Krebs used the word hacked in this blog post on Security fix. He wanted to reach out to the public and especially to people who say, I don’t have anything on my computer that is of any value to a cyber-criminal. To reach out to them with this very useful information, it is understandable that you must use basic terms. Terms that anyone can relate to in order to gain knowledge.

The word hacked brings up the controversy of the word hacker or cracker to me. My personal opinion is that you should call people by their name. An example of this is that an Identity Thief steals identities. An Identity Thief can be further categorized as a cyber-criminal, if they use a computer to commit the crime. The word hacker is best described by Bruce Schneier in his book “Beyond Fear.”

Hackers are as old as curiosity, although the term itself is modern. Galileo was a hacker. Mme. Curie was one, too. Aristotle wasn't. (Aristotle had some theoretical proof that women had fewer teeth than men. A hacker would have simply counted his wife's teeth. A good hacker would have counted his wife's teeth without her knowing about it, while she was asleep. A good bad hacker might remove some of them, just to prove a point.) Bruce Schneier

My husband had a great idea of getting out of Canada as fast as we could on way home from Alaska. His plan was to cut down to the United States from Calgary instead of Winnipeg. We came out in Montana and drove Highway 90 through Wyoming and South Dakota. I will never forget that leg of the journey because we ended up driving through Sturgis, South Dakota in August. I do not know anything about motorcycles , but to see that many Harleys in one location is a breathtaking event. The reason I mention this story was that the motorcycle enthusiasts that flock to Sturgis once a year come from all different professions and have had bad encounters with the media. This led me to realize that they could be compared to hackers in the sense that you cannot judge the entire group only by the ones that receive bad press.

I could name just as many good hackers as bad hackers, but understand that anyone can learn many valuable lessons from both of them. This in itself is a double edged sword. Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. Douglas Adams

Gmail - Enabling the HTTPS setting

2009-05-28T05:38:00.001-04:00

I have been wanting to write about this for a while. When you send an email without the encrypted settings set in Gmail, your email messages can be read in plain text during transit. If you use web-based email it is better from a security or privacy perspective to use HTTPS (if it is available). This point can be can be argued both ways, but the basis of Defense in Depth is that your use a layered approach and avoid a single point of failure.

Updated 29 April 2009

If you sign in to Gmail via a non-secure Internet connection, like a public wireless or non-encrypted network, your Google account may be more vulnerable to hijacking. Non-secure networks make it easier for someone to impersonate you and gain full access to your Google account, including any sensitive data it may contain like bank statements or online log-in credentials. We recommend selecting the 'Always use https' option in Gmail any time your network may be non-secure. HTTPS, or Hypertext Transfer Protocol Secure, is a secure protocol that provides authenticated and encrypted communication.

-To enable this feature in Gmail:

Sign in to Gmail.

Click Settings at the top of any Gmail page.

Set 'Browser Connection' to 'Always use https.'

Click Save Changes.

Reload Gmail.

More here

Please read the warnings and incompatibilities from the Gmail support page. Number three of the steps above is under the General tab and located at the bottom of the page.

TechBite Highlights PC Pitstop

2009-05-22T05:52:00.001-04:00

TechBite Technology is Steve Bass's Weekly Newsletter. I have read and enjoyed many of his PCWorld articles over the years. This week he highlights PC Pitstop’s Full Tests and other free tools. If you are familiar with PC Pitstop, they are in the process of transitioning from the old Full Tests to OverDrive.

Free Super Sites and Tools to Test Your PC

By Steve Bass, Newsletter #29, 20 May 2009

Are you sure your PC's healthy? Think back to when you heard that kerchunk sound coming from your hard drive. Or the last time your Internet connection was down -- and I don't mean just suffering from the blues. My advice: Check inside your computer's case with these free diagnostic tools and see if anything's amiss before disaster strikes.

-PC Pitstop: The Best of the Best

There are lots of testing sites around, but if you want to visit just one site to test your PC, I'd recommend PC Pitstop.

More here…..

PC Pitstop has a great forum with friendly staff and members. Even if you think that you cannot learn anything about computers, PC Pitstop is the place to go to learn. If you encounter problems running OverDrive, this is their forum for help. If you need help interpreting the results or have any questions about the test, go here. They allow you to run the test anonymously, but if you wish to post in these forums or provide a TechExpress link you must be a registered member first.

This is from Steve’s Time Waster section. The video shows lighthouses in a very different light.

http://stevebass.posterous.com/so-you-want-to-live-in-a-lighthouse

You can subscribe to TechBite here.

SpywareHammer – Social Media Security Forum

2009-05-15T05:47:00.001-04:00

SpywareHammer is a great new anti-spyware forum. They went live in September 2008 and currently have over 2000 registered members. The experts will happily assist you with malware removal and more. They have HJT, Rootkit Removal, Hardware, and Software troubleshooting. Bugbatter is an Administrator at SpywareHammer and a fellow Microsoft Consumer Security MVP. She has created a dedicated forum for Social Media Security at SpywareHammer. Her latest two posts highlighted Facebook and were from the article excerpts below.

New Websense Security Labs Research Finds Cybercriminals Imitating Social Networks to Spread Malware

Fraudsters Create Hundreds of Thousands of Facebook Clones to Target Users at Work

SAN DIEGO, CA, May 13, 2009 (MARKETWIRE via COMTEX News Network) -- Websense, Inc. (NASDAQ: WBSN) today released the results of new research conducted by Websense Security Labs^™ that reveals a growing domain-name cloning trend among cybercriminals seeking to take advantage of the huge number of social networking users, particularly those using Facebook, MySpace and Twitter.

Criminals are increasingly using domain names that include words like Facebook, MySpace and Twitter, with no official connection to the real sites, to trick unsuspecting visitors to visit fake Web sites and lure them to input sensitive information or download malicious code. In fact, Websense Security Labs research indicates that in a research sample taken from the Websense URL database, more than 200,000 phony copycat sites were found, all using the terms Facebook, MySpace or Twitter in their URLs. Examples similar to samples found include, unblock.facebookproxy.com, buy.viagra.twitter.1234.com or hotbabesofmyspace999.com (note these are just sample site names that are similar to the sites researchers found).

Further research shows that the hackers are taking steps to create these cloned domains to circumvent security measures put in place by organizations to filter the original domain in a business setting. Many of the domains are proxy avoidance sites which are used to try to evade traditional Web filtering technology.

More……

and-

The Inside Facebook Guide to Protecting Your Privacy on Facebook

by Jessica Lee May 13th, 2009

Now that everyone from family to colleagues are connecting on Facebook, how do you continue sharing freely while maintaining your privacy and reputation in the years to come?

Facebook allows users to customize their privacy settings at a granular level, but a surprisingly low percentage of users actively manage their privacy settings. Many users who complain about the lack of privacy on Facebook aren’t even aware of the privacy configurations available to them. Below, Inside Facebook guides you through all the steps you need to know to protect your privacy on Facebook.

More…..

While these articles are about FaceBook, the discussions can cover any Social Media applications. I will see a news article and go to post it only to find that Bugbatter has beaten me to it. Keep up the great work! Please feel free to register at SpywareHammer and comment, discuss any concerns, contribute your own lessons learned, or ask questions.

Microsoft Windows 7 Release Candidate

2009-05-03T08:04:00.001-04:00

I am very interested in Beta Testing. The valuable lesson that I learned from Office 2007 Beta was that in no circumstances should you ever Beta Test anything on a computer that you are not ready to reformat before installing the final application. Due to the availability of Windows 7 Release Candidate (RC) and the fact that it will be free for at least a year, I will definitely be testing it.

You can follow the Windows Springboard Series on Twitter (MSspringboard) and this is a link to the Featured Windows 7 Resources on Microsoft TechNet. Just keep in mind that you are forewarned that the Windows 7 RC will expire June 1, 2010 and the bi-hourly shutdowns will begin on March 1, 2010.

These are two interesting articles that relate to Windows 7 RC.

Windows 7 setup secrets
Ed Bott, May 1st, 2009

On May 5, the general public will finally be allowed to download the official Windows 7 Release Candidate. It’s been up on BitTorrent networks for more than a week, and developers with MSDN or TechNet subscriptions have had access to it since early this morning. But those groups constitute a tiny fraction of the people who will be seeing the Windows 7 release candidate for the first time next week.

For the benefit of the early adopters and those who patiently wait, I’ve been gathering information on the right and wrong ways to set up Windows 7. For the past week or so I’ve been installing and upgrading the RC code on a wide variety of systems—notebooks and desktops, with and without touch and tablet capabilities, with and without TV tuners and Blu-ray drives, as clean installs and upgrades, in x86 and x64 flavors, documenting the process.

In this post, I want to share seven of the lessons I’ve learned along the way, including a few setup secrets that even some Windows experts don’t know about.

Secret #1: Choose the right Setup option
Secret #2: Start with a clean disk
Secret #3: Back up your old drivers first
Secret #4: Do a nondestructive clean install
Secret #5: You need less disk space than you think
Secret #6: Unblock the upgrade path for Windows 7 beta
Secret #7: Unlock those extra editions

More......... here

and

Microsoft to give away free Windows 7 Release Candidate for a year
Son Huynh, April 30th 2009

On May 5th, general users will have access to an entire year of Microsoft's brand new operating system, Windows 7 RC, for free! It is already available to download for MSDN and TechNet subscribers. This version is only the Release Candidate and will expire June 1, 2010. The Release Candidate is merely the near finished product and is basically the final stage in testing. It's supposed to have all the features of the final version. We don't know when the final version will be released but rumors say it'll be either late 2009 or early 2010.

A beta version of Windows 7 was released some time ago, and from using it for a short time, I can gather that it was much faster and more friendly than Windows Vista. Indeed for those of you who hated Vista, Windows 7 is Vista done right. Windows 7 boasts a lot of new features including a new taskbar, libraries, jump lists, etc. Windows 7 will also come packaged with the newest Internet Explorer (IE8).

The biggest improvement with Windows 7 is the performance. It will no longer take 5-10 minutes to boot up your machine. Windows 7 now has a much faster startup time, beating out both Vista and XP. We will also see a new feature called Windows XP mode which lets you run native XP programs on your machine.
People are saying good things about this Windows. Microsoft hopes it will make up for all the bad things about its previous version. I've heard news about IT developers leap-frogging Vista and going straight to 7 in their companies.

More.... here

MVP Spotlight - Hosts File & Other Helpful Topics

2009-05-02T08:22:00.001-04:00

This is the Microsoft MVP Spotlight for Mike Burgess.

Security MVP Offers Malware Protection

Consumer Security MVP Mike Burgess's Hosts file continues to lead the fight against malware and security threats from around the world. The internet can be a harsh place to surf, but Mike’s Hosts file for Windows, can be used to block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and even most web browser hijackers. This is accomplished by blocking the internet connection to malware sites.

Currently, he has over 10,000 mailing list members, with 126 updates last year, and accolades from Pricelesswarehome.org, and the "Hype-Free" security blog. Mike's contribution towards Windows is a strong piece of armor in the constant fight for internet security.

Learn more about how the Hosts file can protect Windows users by clicking here.

http://www.mvps.org/winhelp2002/hosts.htm

From URL: http://blogs.msdn.com/mvpawardprogram/archive/2009/04/30/security-mvp-offers-malware-protection.aspx

What I thought was neat was that you can select from 11 different helpful topics with the drop down arrow (at the top of the page). This is just a small example of what Mike Burgess has to offer, in addition to the invaluable information about the Hosts file.

Security Issues for Windows and IE

Practice Safe Hex! - Browsing the Internet without protection is just plain foolish!

It can't be stressed enough on how important it is to keep your system up-to-date. This not only involves Windows Update, but also all the other programs on your machine. The vast majority of user problems (hijacks, adware/spyware) I see are due to failure to keep Windows patched, and lack of a proper "Layer of Protection".

-Preventing Vulnerabilities in Windows and Internet Explorer

* Tighten the Settings in Internet Explorer

* Do NOT run as Administrator or an account with Administrator privileges

* Build a Layer of Protection - there are enough freeware products available on the Internet that there is no excuse for not having an adequate defense. Add an anti-spyware program that has "real-time" protection such as Microsoft's Windows Defender (freeware)

More......

From URL: http://www.mvps.org/winhelp2002/security.htm

A Beacon of Light

2009-04-19T08:00:00.001-04:00

I have many mentors because I believe that you can learn something from everyone that will make you better or worse. The choice is yours to make, along with the consequences of that choice. One of my mentors once said, “Sunlight is the best disinfectant.” To me that means exactly that. Shine a light into the darkness and try to share what is discovered. In the world of information security this process has been proven time after time. Change is the only constant.

This is where the name of my blog came from. Like a lighthouse sitting on top of a cliff, shining it’s light into the dark sea to safely guide the ships away from the danger. Another well respected mentor of mine told me to write about what interests you. While I believe in responsible disclosure, if the information is already being written about all over the Internet – the information is already disclosed. My interests are Information Assurance, Privacy, Information Security, Incident Response, Risk Management, Security Awareness Training, Security Policies, Log Analysis, Security Research, Security Metrics, ID Theft Prevention, Anti-Phishing, Anti-Spam, Anti-Malware, Social Media Security, Ethics in Computing, Beta Testing, and Writing.

When CastleCops moved on in December 2008, it was a sad day in my life. Paul, Robin, and all of the staff/members put a great amount of time (along with blood, sweat, & tears) to build CastleCops. In my opinion, it became a place on the front lines of the never ending and always changing fight against cyber-criminals. The team efforts of PIRT, MIRT, and SIRT were amazing. I am very proud of my time as a PIRT Handler and fought the good fight every day. Now that I have had the time to adjust to this change, I have realized that even with CastleCops gone - the fight still continues.

I do not know one person who knows everything. Some professionals may have more expertise in one area, but weaknesses in other areas. My point is that we need to work together as a community and share that expertise because that is exactly what the cyber-criminals are doing.