I've gotten a few of these over the past couple of weeks.  Everyone knows this is a phishing scam, right? How many phishing flags can you spot here?  Unexpected email:  Check.  Offering me money out of the blue:  Check.  Link goes somewhere OTHER than where it claims:  Check.  References bogus law (I'm pretty sure the 19th Amendment to the Constitution didn't address IRS refunds).  Bad grammar: Check.  Do we need a refresher on Phishing?

One of the more interesting talks given at last week's CSI NetSec in Arizona was conducted by CSI editorial director Robert Richardson.  He gave us a preview of next month's release of the annual cybercrime survey conducted jointly by the FBI and CSI. The survey shows a continued decline in the money lost by companies due to cybercrime.  Compared to 2005, losses are down 18%, and down 68% compared to 2004.  This metric has been declining for 4 straight years actually. So.  Does that mean we're winning?  Does that mean that all the money we're spending on security is actually bearing fruit? Well,...

A lot of noise has been made of the Choicepoint debacle of last year that exposed the personal records of, at last count, 170,000 individuals in America.  What you may not realize is that, for all the attention the incident garnered, it wasn't one of the top breaches of the year, based on the number of records exposed. The top 5 were all million+ records exposed, including the grand daddy of them all, Card Systems, with 40 million records exposed when hackers penetrated their systems in early 2005.  Next in line was Citi Financial, with 3.9 million records lost on a...

I've been thinking for a long time how to get security ingrained into the psyche of the average home user.  I've been half heartedly trying to “expose some content”, as some of my colleagues would say, to spread the message of why computer security is important to everyone. But I haven't really made any progress, and it was getting pretty frustrating for me personally.  The problem was that the project could be all-encompassing, especially when I started considering what a state agency could distribute to all its residents. So a couple weeks ago I decided that doing it on a small scale...

Back in March, I noted briefly that I had attended a “Google Hacking Contest” put on by the AGORA organizers.  I can't say much about what goes on at AGORA, but since this hit the wires, I guess it's ok. Well in the audience that day was a reporter from the Seattle Post-Intelligencer, one of the two major newspapers for the greater Seattle area.  And then it was picked up and ran on page B1 (above the fold!) in a subsequent issue of the Wall Street Journal (the WSJ is subscription only, so I am providing a very curious free link...

Back in April of this year, Washington became the 6th state in the Union to pass a law requiring the disclosure of events resulting in the exposure of personal information to unauthorized entities.  Similar, if not identical, legislation is making its way through the governing bodies of at least 28 other states as I write this. This legislation follows closely California's own SB1386, which came as a result of the well known breach of California's government systems, which resulted in the exposure of the employee files of every one of California's state employees. More famously now though, California's SB1386 is the reason Choicepoint was...

If you watch the news lately, you can't help but hear about some of the recent high-profile hacks of major information clearing houses. Choicepoint, the most publicized victim, announced a few weeks ago that sensitive information on 30,000 Californians was given to hackers who were posing as Choicepoint customers.  What they failed to tell everyone initially, was that number of people whose personal information was exposed is closer to half a million. Choicepoint is an information aggregator, and about the biggest one there is.  They have dossiers on 10 BILLION individuals and businesses, and those dossiers include social security numbers, credit histories,...

I recently had the privilege to witness an organized Google Hacking Contest, inspired by Johnny Long's new book “Google Hacking for Penetration Testers”. The contest pitted 8 teams of local security folks (including a team from Intel and a team from Qualys) against each other, and gave them 60 minutes to use Google to find as much personal information about people as possible. The results, frankly, were astounding.  I went into it knowing Google was a one-stop identity theft shop, but I still left shaking my head. The highest scoring team found over 2.5 million bits of sensitive information, including social security numbers,...

Cellphone anti-virus developer SimWorks is reporting (pdf) that 2 new cell phone viruses have been identified, and they can render a cell phone completely inoperable to the point of having to replace it. Gavno.a infects the phone when a user downloads and installs an infected software package onto their phone.  Gavno.b on the other hand, attempts to spread itself over BlueTooth.  Both files claim to be a patch in an effort to trick unwary users into downloading and activating them. Once activated, the viruses halt a critical process on the phone, preventing it from making any calls, and often causing it to constantly reboot. ...

Last month Forbes ran a story called Cyber-nightmare, about how Al Qaeda and other terrorist organizations are increasingly using the Internet to further their purposes. Interesting stuff.