Wednesday, December 21, 2011

If it can happen to the U.S. Government...

Ever wonder what could possibly happen if you click on a link within an email you receive from an unknown and untrusted source? The U.S. Chamber of Commerce found out the hard way, many years after the fact. Read details about the spearphishing attack here.

It seems that an employee of this government branch was the victim of a "spearphishing" email back in 2009. "Spearphishing" is when an email is sent to a specific individual, rather than a general "phishing" email which casts a wide net to any user. The desired result of opening the email is that the user can be duped into clicking links or downloading spyware which is then used to gather personal information, such as passwords or bank account numbers. This employee either clicked a link within the email, or opened a document which did contain spyware and gave the hackers access to the servers.

Over the course of the next year, Chinese hackers were able to collect passwords which granted administrative rights. This then allowed the hackers to place additional software code, known as a "backdoor", onto the U.S. Chamber of Commerce's servers. This code would then allow the hackers to steal data.

The lesson here? If it's this easy to dupe a government employee into opening a document or clicking a link within an email, you, as a private citizen can be just as easily deceived into putting your own organization or your own personal information at risk. Anti-virus protection remains a must, even more so now than ever before. These types of attacks are becoming increasingly popular. ID thieves will stop at nothing to get any type of information they can use to commit fraud at any level.

The next time you receive an email from an untrusted source that wants you to click a link or open a document, "just say no." You have plenty of other junk mail to read.

Tuesday, October 4, 2011

Busted in a Medical Gown

Talk about getting caught with your pants down! A recent article in the Sacremento Bee highlights the humbling arrest of a Bay Area woman who stole the identities of several employees from one company that she obtained while working as a benefits clerk for Service Employees International Union-United Healthcare Workers office. She went on several spending sprees and was even arrested once, but managed to get out on bail, only to rack up thousands more in stolen property. She even racked up $300,000 in one person's name.

What eventually led to the arrest of this individual was the $12,000 payment for a liposuction appointment using a credit card she opened in the name of one of these employees. Authorities were able to catch up with the identity thief while she was in a surgical gown waiting to have the liposuction. That walk to the police car must have been a bit drafty! Probably not the best outfit for a mugshot either. Nevertheless, she was sentenced to 12 years and 4 months in prison. Meanwhile, other victims are just now beginning to feel the results of this individual's actions and coming forth.

I hope that restitution is forthcoming for the remainder of her victims. It seems to me that some justice must be served for those victims who have yet to be identified or notified that something is wrong with their credit or unexplained bills, etc.

Identity Theft - An Inside Job

Identity theft is quite often an inside job. That is to say, that when a data breach or identity theft event occurs, it is often not the result of a hacker breaking into a secure data system and stealing sensitive information. Rather, the threat comes from employees (disgruntled or otherwise) within the company who have access to sensitive information and have a motive to steal that information to use for their own nefarious purposes. This type of threat is not merely limited to large corporations and does not always involve data. Inside jobs can happen at the smallest of companies and often involve the theft of money, products or company belongings. Even our public schools are not immune to inside jobs.

An article in The Daily Stamford I read today illustrates just this point. A teacher's aide apparently took the same "we need to learn to share" idea our parents try and impress upon us while we are young, just a little too far. She helped herself to the purse of the teacher to whom she was providing aide and managed to take the cash and a credit card when the teacher was not looking. Share and share alike! She then decided to pay a cellphone bill and then do some online shopping.

Luckily, the observant teacher noted the disappearance of her items and alerted the authorities, also noting that only herself and the aide would have had access to her purse at the school where the items seemed to have disappeared. It didn't take authorities long to trace the online purchases to the aide, the prime suspect, who was then promptly arrested, though not before she racked up $700 in online purchases at Victoria's Secret.

So does this story illustrate that we should not trust our co-workers? Hardly. It merely points out that there will always be some bad apples out there, so keep your eyes open. Although you'd like to trust those you work closely with, you should still exercise caution and develop some habits of your own to secure your belongings and Personally Identifiable Information (PII) while at work. Here are just a few simple and helpful suggestions. Had this teacher applied just some of these, this inside job could have been avoided.

  • When it comes to your purse or wallet, leave these items either locked up or in your pocket when possible and out of the site or reach of those with prying eyes, and hands.
  • If you have a lockable drawer in your desk, use that to secure your belongings and keep it locked at all times.
  • If you have an office and need to leave for whatever reason, lock the door when you leave for any length of time.
  • Lock your computer with a secure password when you step away from it for any period of time. Your email and other digital files may provide that sensitive information someone can use to open up new credit accounts and steal your identity, leaving you with damaged credit and hefty bills to pay.

An ounce of prevention is worth a pound of cure.