Wednesday, November 26, 2008

a rock drops in a pond


Last I heard good credit card numbers were going for about $40 each, and good user name/password combinations were $15 ... add a bunch of those up, and voila! $275,000,000!

The ripple effect of stolen user id/passwords can be astounding. I've seen where one user name/password (a $15 purchase by Attackers, Inc) was used to control over 200K.
... the report puts the market value of the traded goods, including financial credentials, at around $275M. This total market value is dwarfed by the potential amount of cash that can be extracted by the underground using these accounts.
See the full report here:

Symantec puts value of underground transactions at $275M | Zero Day | ZDNet.com

Wednesday, November 19, 2008

Virtual Fitness!

Virtual Fitness - Cyber Fitness ... doing things to make your online presence safer. I compare it to physical fitness because there are so many different ways a person can try to be healthier - yet I've never met anyone in "perfect health" - there is always a chance of disease, physical attack, or just aging. It's the same with your computer - you can add a firewall, anti-malware, a password vault and many other layers of security - but they only improve your chances; they don't eliminate the risk.


Question - do you live in a good neighborhood? And do you still lock the doors? Well, not to scare you, but while you're online you are NOT in a good neighborhood, and the drive-bys could change your financial health! A 'drive-by' is getting infected just by viewing a website in your browser, without selecting a thing on it.
"Identity theft victimized 8.1 million Americans last year and 8.4 million in 2006, according to data compiled by Javelin Strategy & Research, a financial services research firm in Pleasanton, California. Unauthorized transactions cost consumers as much as $45 billion in 2007, Javelin reported."

Bloomberg.com: Invest:

What should I do? The article above cites an excellent resource - CERT.
This paper will help you configure your web browser for safer internet surfing. It is written for home computer users, students, small business workers, and any other person who works with limited Information Technology (IT) support and broadband (cable modem, DSL) or dial-up connectivity.

If you've read their recommendations and have questions, email me - Dave@myinternetsecurityguy.com

Tuesday, November 18, 2008

spying for dummies

I wish I could make up stuff like this - it's actually so strange, it MUST be true!

A well-known commercial software vendor was basically selling a 'how to' kit for collecting information from anyone who would open your email!

Just like every decent marketer out there, vendors of commercial malware tools are very good at positioning their tools. However, their pitches often contradict with themselves in a way that what’s promoted as a Remote Administration Tool, has in fact built-in antivirus software evading capabilities, rootkit functionality and tutorials on how to remotely infect users over email.



Check out the full scoop here:
Commercial vendor of spyware under legal fire | Zero Day | ZDNet.com

Monday, November 3, 2008

like the brooms in Fantasia



Sometimes in this line of work, I feel like Mickey Mouse in Fantasia. Just when he thought he had the broom under control (by smashing it), there was another one, and another, and another!

Like other Trojans, Sinowal uses an HTML injection feature that effectively injects new Web pages or information fields into the affected victim's Internet browser -- and these injections seem like legitimate pages to the victim.

Trojan Caught Stealing Data From Hundreds of Thousands - Trojan horse/Vulnerabilities - DarkReading

What to do?
If you're the owner of the webpages -
  1. Regularly schedule penetration tests.
  2. Validate that all new code being published is tested and secure.
  3. Establish credential management programs.

If you're the consumer, use something like McAfee SiteAdvisor to check that a webpage is OK before you go to it.

...but I already have a firewall

I talk to a lot of people about identity theft and fraud these days. Most individuals and companies don't really know, but somehow think they are protected.

"I'm pretty sure we have a good firewall - our IT guy is great!"

He/she might be great - but then why do I keep reading statistics about the millions of compromised computers? Hmm - something to think about!

This morning I'm getting ready to go see a new prospect. On the phone she said that they had a good firewall so they should be ok. But then I asked her if she and her fellow employees had the ability to:
  • install their own software?
  • view attachments in email?
  • use their personal phones to text clients?
  • and what are they doing with Wi-Fi?
These are all areas where even with a solid firewall you still may be exposed. The only way to determine if a business is 'secure enough' is to analyze all the potential threats for that specific company, and create a threat matrix.

In building a threat matrix I have to look at all the inbound and outbound data sources. This includes cell phones, networks, all the devices an employee uses, usage patterns, the employees themselves, as well as normal internet usage (e.g., the things an up-to-date firewall could potentially stop).

Oh, here's one more thing to think about as a consumer of online services - the bad guys are now using text messaging to persuade people to call them and give up their NPI (nonpublic personal information)!
... text message phishing, occurs when customers receive a text message from what seems to be a reputable financial institution prompting them to call a telephone number due to a possible fraudulent transaction on their account.

SourceWire | Press Releases - Mobile phone identity theft on the increase