Is your private information safe?

With the growth of the Internet over the past few years and the Internet shopping boom, it's no wonder that identity theft statistics have risen to new levels as well. Global Internet usage grew some 182% from 2000 to 2005 according to worldwide figures compiled by Nielsen/NetRatings. Between January and December of 2005 alone, more than 685,000 consumer fraud and identity theft complaints were reported to the Federal Trade Commission's Sentinel Complaint Database. Since the database was launched in 1997, almost 3 million complaints have been registered there. In the 2005 statistics, 37% of those 680,000 complaints were said to be identity theft cases. Some of the more significant identity theft complaints included credit card fraud (26%), phone or utilities fraud (18%), bank fraud (17%), employment fraud (12%), government documents/benefits fraud (9%), and loan fraud (5%).

As you can clearly see, theft of personal information is a major problem and is getting worse every day. If you are doing business over the Internet, the odds increase that you could fall prey to an Internet predator and become a victim of these types of malicious acts. There are, however, some things that you can do to protect yourself from these crimes, which we will discuss later in this document. For now we will discuss the term "hacker" and some of the methods used by these "hackers".

What is a hacker?

In the general media the term "hacker" describes a person who thrives on performing malicious acts with computer systems in order to gain popularity with his or her peers. This might be someone who gains access to computer systems without authorization through extensive knowledge of their operating systems, finding exploits (bugs) in the code and using them to their advantage. Or it might be a person who disables computer systems by means of DoS (Denial of Service) attacks so that the resources are no longer available to the users making legitimate requests to those systems. We will discuss these types of attacks in more detail later in this document.

In reality, "hackers" are generally considered the good guys: people who have spent a vast amount of time learning about and building computer security systems. The term "cracker" is the one you would use to describe a person who performs the types of malicious activity that we discussed previously. However, in the rest of this document we will use the more widely known term "hacker" as an equivalent of the real term "cracker" to avoid confusion.

One of the most famous network hacking attacks in history was the attack on Tsutomu Shimomura's computer network by the famous hacker Kevin Mitnick on Christmas day 1994. By using various types of Denial of Service and access attacks on the network, Kevin Mitnick was able to gain control of Shimomura's system. This is what you would call a "structured attack" because of the expertise required in order to perform it. Another type of "structured attack" that some of you might remember is the February 7-11, 2000 attacks, where web heavyweights like eBay, Amazon and CNN, among others, were drastically slowed down or even completely denied access for hours at a time by Distributed Denial of Service attacks.

The more common types of attacks are the unstructured kind. Often these attacks start from within a network, by a person who has no idea what they've even done. These types of attacks can also be executed by a "Script-Kiddy": a person who uses pre-made hacking scripts coded by a professional hacker and has little to no real knowledge of what they're doing. Some of these hacking tools require no more than the input of the address of the target host and a push of a button. This threat is very real due to the vast number of hacking tools (scripts) readily available for download on the web, like WinNUKE, SATAN, NMAP and Naptha. More complex hacking tools like Trinoo, TFN, TFN2K and Stacheldraht (used in the February 2000 attacks) can also be found fairly easily but require more in-depth knowledge in order to use effectively. To break these attacks down for simplicity, we can put them in two main categories.

DoS (Denial of Service) and Access attacks.

DoS (Denial of Service) attacks: The main purpose of a DoS attack is to slow down or disable a system such that the services the system offers become unavailable to its users. These types of attacks are generally caused by exhaustion of the system's resources or by exploiting a known vulnerability (bug) on the system that stops it from functioning in a normal manner. A simple example of this would be sending so much garbage traffic to a system that legitimate traffic could not be processed, similar to phone lines being tied up by too many telephone calls at once. More complex versions of these attacks are known as DDoS or Distributed Denial of Service attacks, where multiple devices launch the attack on the system at the same time.

Access attacks: The main purpose of an access attack is to gain access to unauthorized (protected) system resources such as data, or simply to take over control of an interior network system in order to perform illegal activity. An access attack can often follow a Denial of Service attack, but generally attacks of this nature begin with reconnaissance of some type in order to expose system exploits and exploitable systems. Amazingly enough, the most common threat when considering an access attack is Social Engineering. Social Engineering is the most effective and the hardest access attack to control because it involves the manipulation of people. An example of Social Engineering would be a hacker gaining access to a system by learning a valid username and password from someone through the art of deception, i.e. claiming to be someone that one would trust, even though in reality they are not.

Some of the methods discussed previously can be used in order to forcefully obtain access to unauthorized data, and unfortunately it could be yours. Fortunately, however, most major networks of the more prominent companies that one might do business with are generally secured from most of the threats that we've talked about by means of physical equipment security, monitoring, data encryption and constant updating. Obviously a threat to these types of systems always exists, but it is much less likely due to the vast amount of money and time spent by these companies in order to protect their networks and their customers' information. This should make you feel somewhat more comfortable, but wait a minute, what about your system? Now we will talk about some things that you can do in order to protect yourself a little better.

1. Perhaps one of the most important things that you should remember is to never give out any of your personal information to someone unless you have taken steps to verify their identity. This includes your email address and any usernames and passwords that could lead to the discovery of your other personal information. As we discussed previously, Social Engineering is the leading cause of unauthorized access attacks. Phishing, banding or carding is a very popular form of private information theft. This is when you receive what appears to be a legitimate email or instant message claiming that you need to "update your account information" or something similar, and it provides a link to a site where you are asked to input this data so that it can be stolen. The link is often masked such that it appears to come from the legitimate source, and the site it sends you to also looks legitimate because they've copied the source code of the actual site in question. The best thing to do in this instance is to call the customer support number printed on your real statement. Most major organizations will never ask you for this information outside of initial signup. Most companies list on their website a specific email address to which you can forward such scams. This type of attack can also come via a phone call, so in this case I would suggest that you disconnect the call and contact the customer support department directly using the phone number listed on a statement to inquire about the situation.
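A small check for the link masking described above, added here as an example and not part of the original article: it walks the anchors in an HTML message body, compares the address the link displays with the host it really points to, and flags links that are not https. The message body is constructed sample input using reserved .example domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (reserved .example domains): link 1 shows one address but points elsewhere.
SAMPLE_EMAIL = """
<p>Please visit <a href="http://example-bank.com.account-verify.example/login">www.example-bank.com</a> to update your account.</p>
<p>Our real site is <a href="https://www.example-bank.com/">example-bank.com</a>.</p>
<p><a href="https://www.example-bank.com/help">Click here</a> for help.</p>
"""

URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)  # link text that looks like an address


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Lower-case hostname of a URL, or of bare text such as 'www.example.com/login'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def suspicious_links(html_body):
    """Return [(href, [reasons])] for links whose shown address and real host differ or that are not https."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        actual = _host(href)
        shown = _host(text) if URL_LIKE.match(text) else ""
        reasons = []
        # The shown address is honest only if it equals the real host or is its parent domain.
        if shown and shown != actual and not actual.endswith("." + shown):
            reasons.append(f"shows {shown} but points to {actual}")
        if not href.lower().startswith("https://"):
            reasons.append("not https")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` reports only the first link, with both reasons; the second link is fine because www.example-bank.com is a subdomain of the address it shows.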

2. Be careful what type of information you send via email. Where you send it is important, but what you send is also important. Email by default is sent in clear text. An experienced hacker who is sniffing or intercepting traffic to a service provider (a man-in-the-middle attack) can easily read anything sent across standard email. There are some methods for encrypting email, like Entrust (digital certificates) and PGP (Pretty Good Privacy), that can be used when properly configured, but your best bet is to never send any personal information via email.

3. Make sure you are doing business with a company that you know to be secure. Generally you won't have problems when dealing with major companies like Wal-Mart or Gap, but you should still read their privacy and security policies so that you have a good understanding of the information they collect and what they do with it, as well as the means they use to secure their transactions. If a site doesn't have this information readily available, then I would not recommend doing business with them. Most private web transactions are secured with SSL, or Secure Sockets Layer, encryption. This is the primary standard for encrypting web transactions and it is approved by the Internet Engineering Task Force. You will know that your connection is secured if you look in the address field of your browser and see https:// in front of the web address. Note: the S in https signifies that the session is secured with SSL.

4. Use strong passwords. Typically you will want to use at least 8 characters, use a mix of letters and numbers, not use complete words, not use sequential numbers, not use your username, and try not to use any personal information that could be guessed by someone, like your birthday.

Here is a link to a document on generating strong passwords on SANS site:

It's also never a good idea to store passwords or cache them on your local system. If your system is somehow compromised, then so are your account passwords.
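A checker for the rules in step 4, added here as an example (it is not from the article or from SANS): it reports which of those rules a candidate password breaks, including the username and birthday checks. The short word list and the sample passwords are constructed; a real check would load a full dictionary.

```python
import re
from datetime import date

# Constructed stand-in for a dictionary word list (assumption: a real check would
# load a full list such as /usr/share/dict/words).
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "monkey", "dragon", "football"}


def _has_sequential_digits(text, run=3):
    """True if `run` consecutive characters are digits stepping by +1 or -1 (123, 987)."""
    for i in range(len(text) - run + 1):
        chunk = text[i:i + run]
        if chunk.isdigit():
            steps = {int(chunk[j + 1]) - int(chunk[j]) for j in range(run - 1)}
            if steps == {1} or steps == {-1}:
                return True
    return False


def password_problems(password, username="", birthday=""):
    """Return the step 4 rules that `password` breaks; an empty list means it passes.
    `birthday` is an ISO date string such as "1984-07-14"."""
    problems = []
    lower = password.lower()
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs both letters and numbers")
    if any(word in lower for word in COMMON_WORDS):
        problems.append("contains a complete dictionary word")
    if _has_sequential_digits(password):
        problems.append("contains sequential numbers")
    if username and username.lower() in lower:
        problems.append("contains the username")
    if birthday:
        born = date.fromisoformat(birthday)
        # Year, month-day and day-month forms cover most ways a birthday gets typed in.
        for fmt in ("%Y", "%m%d", "%d%m"):
            if born.strftime(fmt) in password:
                problems.append("contains the birthday")
                break
    return problems


if __name__ == "__main__":
    for pw in ("password", "jsmith123", "xq1984mz", "Tr7v!xq2"):
        print(pw, "->", password_problems(pw, "jsmith", "1984-07-14") or "OK")
```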

5. If you are using a wireless network, secure it. Wireless networks can easily be sniffed out remotely by "war drivers" or even by your neighbor. Change any default settings, like the SSID, that might be easily guessable. Disable remote administration of the router and password-protect local administration. Use MAC address filtering to only allow your trusted devices to connect to the router. Enable the strongest encryption available on your router. Here is an article I wrote previously on securing a wireless network when using one of the more common Linksys wireless G routers.

6. Use a personal firewall to protect your computer from traffic originating from the outside world, i.e. traffic that you didn't initiate a request for.

7. Use virus software and keep it up to date. Remember, if your virus definitions are old, the software is all but useless. Scan your email in real time (upon download or prior to opening attachments). Scan your drive regularly. It's also a good idea to never open attachments from unknown sources. Virus software relies on matching patterns, and a virus must exist before an updated pattern can be created, so there is always a chance of becoming infected even if your software is up to date.

8. Use spyware removal software and keep it up to date. Remember, if your spyware removal definitions are old, the software is all but useless. Scan your drive regularly. Spyware can be not only annoying but also dangerous in some cases.

If you follow the simple steps listed above you will be better protected against identity theft and personal fraud. I hope you've enjoyed the article and learned a thing or two along the way.