Archive for September, 2006

HP Spies On Reporter’s Email

Tuesday, September 26th, 2006

Today the San Jose Mercury News reported that Hewlett-Packard sent emails containing “spy bugs” to reporters in an attempt to track down their sources.

Basically, they sent HTML email containing a tiny image that was fetched from a server which logged the request. When the recipient’s mail client rendered the message and loaded the image, the server recorded the IP address of whoever was viewing it. They crafted a fake email to a reporter, pretending to be from an HP whistleblower, and hoped that she would forward it to her real contact at HP, thus divulging the IP address of the leak.
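The mechanism is simple enough to show in a few lines. The following is an added example, not part of the original post and not HP’s code: a constructed message body containing a remote 1x1 image with a per-message token, and a small filter of the kind a mail gateway could run to flag such “spy bugs” before a client loads them. The hostnames, the token length threshold and the sample HTML are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message body (not HP's actual email): one remote 1x1 image
# carrying a per-message token, one inline attachment, one ordinary remote banner.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>I have information about the board leak. Please keep this confidential.</p>
<img src="https://tracker.example.invalid/beacon.gif?id=7f3a9c1e2b" width="1" height="1" border="0">
<img src="cid:logo@local" width="120" height="40">
<img src="https://cdn.example.invalid/banner.jpg" width="600" height="120">
</body></html>
"""


def _pixels(value):
    """Parse a width/height attribute ("1", "1px"); None if absent or not a number."""
    if value is None:
        return None
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return None


def looks_like_beacon(src, attrs):
    """Heuristic: a 1x1 image, or a URL carrying a long unique token, exists to be
    logged rather than seen. The thresholds are assumptions for this example."""
    w, h = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    query = parse_qs(urlparse(src).query)
    tokenized = any(len(v) >= 8 for values in query.values() for v in values)
    return tiny or tokenized


class RemoteImageFinder(HTMLParser):
    """Collect every <img> whose src would make the mail client contact a server."""

    def __init__(self):
        super().__init__()
        self.remote_images = []      # fetching ANY of these reveals the reader's IP
        self.suspected_beacons = []  # the ones that exist only to be fetched

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlparse(src).scheme not in ("http", "https"):
            return  # cid: and data: images are embedded; no server learns they were rendered
        self.remote_images.append(src)
        if looks_like_beacon(src, a):
            self.suspected_beacons.append(src)


def find_tracking_pixels(html):
    """Return (all remote image URLs, the subset that look like tracking beacons)."""
    finder = RemoteImageFinder()
    finder.feed(html)
    finder.close()
    return finder.remote_images, finder.suspected_beacons


if __name__ == "__main__":
    remote, beacons = find_tracking_pixels(SAMPLE_EMAIL_HTML)
    print("remote images:", remote)
    print("suspected beacons:", beacons)
```

Note that the beacon heuristic only tells you which image was built for tracking; the banner is just as capable of reporting your IP address the moment it is loaded. The real defense is a mail client that does not fetch remote images by default, which is why the filter reports both lists.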

This is a highly disturbing turn of events. Combined with pretexting to get the phone records of employees, we are seeing a picture of investigative deceit. What’s next? Corporate keyloggers? Enterprise-sanctioned spyware? Phone taps on corporate cell phones?

Password and Data Wills

Tuesday, September 26th, 2006

CNET News.com reports on people who died and took their passwords with them to the grave.

While dying is not something we like to give much thought to, the article sheds light on some new issues we face as our lives become increasingly digital.

All of our financial, medical and legal lives are, or shortly will be, managed, stored, created and shared on computers. This information is typically protected by passwords, to our own computers or, increasingly, to online services.

But if we die, how can our loved ones recover access to the accounts (email, banking, blog, computers) that we want them to have, without necessarily giving everyone access to all of our information?

As our lives become digital, we will need to create the equivalent of a will for our data and our passwords. The challenges we will face include:
– how to manage these data assets
– how to keep these policies up-to-date
– how to maintain the privacy of our passwords and information while we are alive

For example, I don’t want to have to notify my attorney or modify my will each time I update a password.

Interesting new challenges….

It’s Not Just “Dumb Consumers” Who Fall For Phishing

Monday, September 18th, 2006

Sometimes in the security industry we belittle people who fall for phishing scams. We like to believe that we are all smart enough not to fall for such a scam. We sometimes also think that it’s only “dumb consumers” who fall for these scams and give out their credit card numbers and such.

What we fail to realize is that *anyone* can fall for a well-crafted phishing scam, and that it is sometimes simply a matter of timing: when the phishing email happens to land in our mailbox.

Last week the Northern Kentucky Chamber of Commerce announced that one of its accounting employees had received a phishing email purporting to be from the Chamber’s bank, Fifth Third Bank. The employee entered the password for the Chamber’s online bank account into the phishing site.

About $163,000 was stolen from the Chamber’s bank account before the theft was discovered.

Clearly there is still some education to be done.

Password Managers – A good idea, or a risk?

Friday, September 1st, 2006

Many people have the problem of just too many usernames and passwords to manage. How many do you have?

Email, VPNs, banking sites, blogs, ecommerce sites, airline sites, brokerage, school, auction sites, the list goes on and on.

Some folks have started using password manager tools that track and manage all your passwords and submit them to the browser when you want to log in. These can be a life saver as our online world gets more and more complex.

But what if some miscreant writes crimeware / malware that steals these password manager databases and sends them to the bad guys? Sure, they are encrypted with a password (or SHOULD be!!!). But a simple program can run a “brute force” password guessing attack against a stolen database, and because the attack is offline there is no lockout or rate limit to slow it down: the only things standing between the thief and your vault are the strength of the master password and how expensive the tool makes each guess. A fast computer running against an encrypted password vault protected by a weak master password could crack it in a matter of hours or days.
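To make that concrete, here is an added example (my own code, not from the original post and not taken from any real password manager). It models the part of a vault that a guessing attack actually tests: a stored salt and a key-check value derived from the master password with PBKDF2-HMAC-SHA256. It then runs the offline dictionary attack against it and measures guesses per second at a weak (one iteration) and a deliberately slow (100,000 iteration) key derivation, so you can see where the “hours or days” come from. The salt, word list, iteration counts and the 8-character-lowercase keyspace are assumptions chosen for the example.

```python
import hashlib
import hmac
import time

# Constructed sample vault header (not taken from any real product): a stored salt and a
# key-check value that lets the manager tell "wrong master password" from "corrupt file".
# That same value is exactly what an offline guessing attack tests candidates against.
SALT = bytes.fromhex("5a1d8f0c3e77b2a4c9d6e1f0aa3b4c5d")
WEAK_ITERATIONS = 1          # a vault that just hashes the master password once
STRONG_ITERATIONS = 100_000  # a deliberately slow key derivation (PBKDF2-HMAC-SHA256)

# Constructed word list standing in for a cracking dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "hp2006", "monkey"]


def derive_key(master_password, salt, iterations):
    """Turn the master password into a 256-bit vault key; cost scales with iterations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_verifier(master_password, salt, iterations):
    """Key-check value stored in the vault: HMAC of a fixed string under the derived key."""
    key = derive_key(master_password, salt, iterations)
    return hmac.new(key, b"vault-check", "sha256").digest()


def crack(verifier, salt, iterations, candidates):
    """Offline guessing attack with a stolen vault: nothing rate-limits or locks out the
    attacker. Returns the recovered master password, or None if it was not in the list."""
    for guess in candidates:
        if hmac.compare_digest(make_verifier(guess, salt, iterations), verifier):
            return guess
    return None


def guesses_per_second(salt, iterations, samples=200):
    """Measure how fast one CPU core can test candidates at this iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        make_verifier("candidate%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace, rate):
    """Worst-case time to try every password in a keyspace at the measured rate."""
    return keyspace / rate


if __name__ == "__main__":
    verifier = make_verifier("letmein", SALT, WEAK_ITERATIONS)
    print("dictionary attack on the weak vault recovers:",
          crack(verifier, SALT, WEAK_ITERATIONS, WORDLIST))

    keyspace = 26 ** 8  # every 8-character lowercase master password
    for label, iters in (("weak", WEAK_ITERATIONS), ("strong", STRONG_ITERATIONS)):
        rate = guesses_per_second(SALT, iters, samples=200 if iters == 1 else 20)
        hours = seconds_to_exhaust(keyspace, rate) / 3600
        print(f"{label:6s} {iters:>7d} iterations: {rate:12.0f} guesses/s, "
              f"{hours:14.1f} hours to exhaust 26^8 on this core")
```

The dictionary attack succeeds against both vaults, because a master password that is in the attacker’s word list is lost no matter how slow the derivation is. What the iteration count changes is the exhaustive case: the strong setting makes each guess on the order of a hundred thousand times more expensive, which turns hours into years for the same keyspace and the same hardware. A vault that hashes the master password once, or not at all, is the one the post is worried about.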

Something to think about…

Fortunately we’ve not seen such crimeware yet.