US CERT warns against Mississippi disaster scams

Originally posted 05/18/2011 on lubbockonline.com

The U.S.Computer Emergency Readiness Team (CERT) reports that scammers are exploiting the flooding in Mississippi, sending out emails claiming to be from relief organizations. To help us protect ourselves from that, and from some of the other scams floating around the internet they provide links to informative web pages and PDF's:

 

• Do not follow or open unsolicited web links or attachments in email messages.
  Maintain up-to-date antivirus software.
• Review the Recognizing Fake Antivirus document for additional information on recognizing fake antivirus.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for additional information on social engineering attacks.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for additional information on avoiding email scams.
• Review the Federal Trade Commission's Charity Checklist.
• Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.*

 

Whenever a disaster occurs anywhere the scammers come out in force, but with good information and a little thought you can safely donate online with confidence that your money will be used the way you intended.

*Information from US-CERT

A few steps to staying more private online.

Originally published 04/08/2011 at lubbockonline.com

The breach at Epsilon has started discussion on how serious having your email address stolen really is. The fact is, having your email address stolen is as dangerous as you allow it to be. To help with keep the danger level down, here are some things you can do to protect yourself:

1. Don't click on links in email. If you want to go to the site, type in the URL in your browser yourself. With HTML email it is childs play to disguise an email as being from someone you trust and hide malicious links behind what looks like a legitimate link.

2. Use the latest version of Firefox for your web browser. You can argue over what is the most secure browser, but Firefox has some very handy addons.

3. Once you have Firefox, there are two very helpful addons: https-everywhere and NoScript. Noscript can be found using the Firefox addons and https everywhere can be downloaded from the eff.org website.

4. Update your software.

5. Keep your mouth shut and your fingers off the keyboard. Before you give anyone any information about yourself, think about whether you need to.

6. Open a garbage email account. Give it to websites that require you to register. Use your main email account for friends and family.

7. Install anti-virus and anti-spyware and keep them updated.

These are just a few of the things you can do to protect your identity online, but they are a good start.

updated to add important information

Kroger, Chase suffer data breach

Originally published 4/04/11 on lubbockonline.com/glasshouses

Emily Fox of Dallasnews.com reports that Epsilon, a marketing firm based in Irving, TX, suffered a data breach including email addresses of customers of Kroger and JP Morgan Chase. Supposedly that is all that was stolen, but Chase is investigating further.

If you are a customer of either company you can learn more by going to their respective websites at: http://www.chase.com and http://www.kroger.com

Researchers identify anonymous emails with 80-90% accuracy - I say not good enough

Originally published 3/14/11 on lubbockonline.com/glasshouses

At first glimpse it looks like a good thing. Researchers at Concordia University have devised a way to identify the authors of anonymous email. This is a great boon to prosecutors seeking to identify people using anonymous email accounts for illegal activity. Unlike an IP address, which can only be used to determine where an email was authored, this system will identify the author, and will do it with 80-90% accuracy.

Wait a minute. 80-90% accuracy is pretty good in some contexts, but in criminal cases? The reason for the research is sound:

“In the past few years, we’ve seen an alarming increase in the number of cybercrimes involving anonymous emails,” says study co-author Benjamin Fung, a professor of Information Systems Engineering at Concordia University and an expert in data mining – extracting useful, previously unknown knowledge from a large volume of raw data. “These emails can transmit threats or child pornography, facilitate communications between criminals or carry viruses.”

On an emotional level 80-90% seems pretty good, but is that good enough when you may be taking years from a persons life? In some cases, you could be taking their life. The case of Tim Coles is one the most prominent examples, both locally and nationally, of a person convicted on evidence that jurors thought was better than 90% accurate, but turned out to be 100% wrong. Further reading of the press release from Concordia shows that, once criminals become aware of this technique, 80-90% might be optimistic:

“Let’s say the anonymous email contains typos or grammatical mistakes, or is written entirely in lowercase letters,” says Fung. “We use those special characteristics to create a write-print. Using this method, we can even determine with a high degree of accuracy who wrote a given email, and infer the gender, nationality and education level of the author.”

So all I have to do to fool this system is to vary my writing style. Add intentionally misspell words in some emails, be meticulously correct in others. Make grammatical mistakes in some, not in others. Or just always make mistakes when using anonymous email that I don't usually make in my signed email.

Worse, given only 80-90% accuracy, how hard would it be for someone who receives a lot of email from me - or maybe even someone who reads this blog - to frame me using email? When it comes to criminal cases, 80-90% doesn't cut it.

EFF wins Privacy case in Third Circuit

The Electronic Frontier Foundation has won a major victory protecting your cell phone location data from unreasonable seizure by the government. The decision by the Third Circuit Court of Appeals says that judges can deny requests for "D Orders and require a warrant to avoid possible Fourth Amendment complications.

This is more important than it looks at first glance. Though the case deals with cell phone location data, "D Orders" are used for a variety of communications related, including email. In the Third Circuit the government can no longer assume it will be able to demand communications from ISP's or other communications companies and automatically be granted access by the courts. The EFF is intending to use the decision in similar cases in other circuits, and expects others will, too.

This is a good decision. The governments position on "D Orders" is that they should be granted automatically. Now the government has to be sure of it's case before seeking information. They can still get information using "D Orders" but they have to make sure they won't run afoul of the Fourth Amendment by doing so. At least in the Third Circuit. That will decrease the number of cases that can be disputed on Fourth Amendment grounds, saving time and money. We can only hope other Circuits (or the Supreme Court) will agree with this decision.

McDonalds suffers data breach

Salon.com reports that McDonalds has suffered a data breach. According McDonald's the servers breached contained email addresses, birthdates and other info, but no social security numbers or financial information.

That's very nice, but with an email address and birthdate you can probably steal an identity. If the email address includes a full name, you can definitely steal an identity. With an identity you can get driver's license, credit cards, jobs, etc. In the modern connected world, there is no minor data breach.