Quoted from the original CSO Online story:
Social engineering stories: The sequel
Two more social engineering scenarios demonstrate how hackers still use basic techniques to gain unauthorized access, and what you can do to stop them
By Joan Goodchild, Senior Editor
May 27, 2010 —
John Sileo, an identity theft expert who trains on repelling social engineering, knows from first-hand experience what it’s like to be a victim. Sileo has had his identity stolen—twice. And both instances resulted in catastrophic consequences.
The first crime took place when Sileo’s information was obtained from someone who had gained access to it out of the trash (yes, dumpster diving still works). She bought a house using his financial information and eventually declared bankruptcy.
“That was mild,” said Sileo, who then got hit again when his business partner used his information to embezzle money from clients. Sileo spent several years, and was bankrupt, fighting criminal charges.
Now that he has come out of it all innocent, he spends his time assisting organizations train employees on what social engineering and identity theft techniques look like.
Posted in Business, Human Fraud, Identity Theft by Identity Theft Speaker John Sileo.
Tags: CSO Online, Fraud, Fraud Training, Fraud Training Expert, Fraud Workshops, John Sileo, Scams, social engineering, social engineering expert
FTC Red Flags Rule Goes into Effect June 1st, 2010
On June 1st, the FTC will begin enforcing the Red Flags Rule, which states that certain businesses and creditors must help fight identity theft as well as create an identity theft prevention plan. This applies to a very broad class of businesses: those defined as “financial institutions” and those that extend any type of credit to their customers.
In other words, if you don’t receive cash the moment you deliver your product or service to your customer, your business most likely falls under the umbrella of the Red Flags Rule. If you do any billing after the fact (i.e., accounts receivable), you are considered a creditor, and therefore in the group of companies governed by Red Flags.
This includes:
- Any Business that Extends Credit
- All Banks
- Most Brokerage Firms
- Credit Card Companies
- Mortgage Lenders
- Non Traditional lenders (utilities, dealerships, health care providers)
Building an Identity Theft Prevention Plan
According to the FTC, the identity theft prevention plan consists of four main parts:
- Identification: The plan needs to provide a process to identify patterns, activities or transactions (i.e. red flags, hence the name) that appear to be leading to identity theft.
- Detection: The plan needs to specifically call out processes and procedures that will be used to detect the previously defined red flags.
Posted in Business, Identity Theft by Identity Theft Speaker John Sileo.
Tags: Boot Camp, Business Identity Theft, Business Survival, Compliance, FTC, Identity Theft, Identity Theft Prevention, John Sileo, Privacy Survival, Red Flag, Red Flags, Red Flags Rule
This quote by Daniel Lyons in Newsweek establishes exactly why Facebook drags its feet on privacy. Why write more when he has summarized it so eloquently (emphasis mine)?
The most important thing to understand about Facebook is that you are not Facebook’s customer, you are its inventory. You are the product Facebook is selling. Facebook’s real customers are advertisers. You, as a Facebook member, are useful only because you can be packaged up and sold to advertisers. The more information Facebook can get from you, the more you are worth.
Read the full Newsweek article: Who Needs Friends Like Facebook?.
Order the Facebook Safety Survival Guide to make sure you and your children are protected online.
Posted in Social Media by Identity Theft Expert John Sileo.
Tags: Daniel Lyons, facebook privacy, Facebook Safety, John Sileo, Newsweek
Facebook faced major backlash last month after they implemented a new tool that linked your interests to sites across the Internet and allowed third parties access to your information unless you specifically deny such access. As we mentioned in yesterday’s blog about an easy way to configure your privacy settings in Facebook, there are 50 different settings with more than 170 options!
Many Facebook users have been extremely vocal about their frustrations, even organizing efforts to quit the quickly growing site. According to CNN, Facebook will be reversing these changes today to make them simpler for the user with the intent of increasing user privacy.
“I can confirm that our new, simpler user controls will begin rolling out tomorrow. I can’t say more yet,” Facebook spokesman Andrew Noyes told CNN in an e-mail Tuesday.
In a piece on Monday in The Washington Post, Zuckerberg said upcoming tweaks — which could be implemented as early as Wednesday — will make it simpler to use these privacy controls and provide an easy way to turn off all third-party services. Keep your eye out for these changes, but if you are concerned about your current privacy settings, try this new Facebook Privacy Tool.
Read more on the CNN article: Facebook to Announce Changes after Privacy Settings Backlash
Posted in Identity Theft, Social Media by Identity Theft Speaker John Sileo.
Tags: CNN, Facebook, Facebook Changes, John Sileo, Mark Zuckerberg, Privacy Settings, Social Media, social networking
We need a Facebook Privacy Tool that isn’t written by Facebook. Currently, to effectively manage your privacy on Facebook, you’ve got to alter 50 settings with more than 170 options.
Maybe that is why Facebook’s CEO Mark Zuckerberg confessed on Monday that the quickly expanding social network had “missed the mark” when it comes to its complex privacy controls — and pledged to do better.
Can you imagine keeping up with all your Privacy Settings every time Facebook makes a change? Until Facebook figures it out, a new privacy awareness group, ReclaimPrivacy.org, has developed a tool that scans your Facebook privacy settings to tell you how secure your personal information is. The tool comes in the form of a bookmark for your web browser. Start by dragging the bookmark from the website above to your bookmarks/favorites. Then, log into your Facebook account, go to the privacy settings screen and click on the bookmark. After the tool scans your privacy settings in six areas—Facebook’s Instant Personalization feature; your personal data; contact information; friends, tags, and connections; what your friends can share about you; and whether applications can leak your personal data—it tells you what areas are secure and where you may want to consider tweaking your settings.
Posted in Identity Theft, Social Media by Identity Theft Speaker John Sileo.
Tags: Facebook, Facebook Privacy Tool, Identity Theft, John Sileo, Mark Zuckerberg, Privacy, Privacy Settings, ReclaimPrivacy.org, Social Networking Expert
Your business-class photocopier is essentially a computer that can be hacked. It has a hard drive and saves an image of everything you copy. Customer data, invoices, employee records, intellectual capital, personal identity. This is not new information – we’ve been writing about it for years. But the press is finally beginning to pay attention because they have seen for themselves the type of data that can be extracted from corporations by purchasing their used copiers (see the excellent CBS video to the left).
If you’ve attended one of my Privacy Survival Boot Camps or have seen me speak for your organization, you will recognize the spy terminology used below that I use to train on effectively evaluating privacy risks. Here is a brief primer to help you get started on protecting your business from this threat:
Stopping Photo Copier Information Leakage
- Verify whether or not your existing copier has a hard drive. You should contact the business that sold you the copier for details. If you do have a hard drive, ask them if it is password protected and encrypted (unless you paid something extra when you bought it, it is not).
- Ask them how you can take control of the situation. Is there a way to regularly scrub the hard drive (e.g., after each copy job, once the hard drive is through speeding up that particular job)?
Posted in Business, Identity Theft by Identity Theft Speaker John Sileo.
Tags: Hard Drives, Identity Theft, Information Privacy, Information Privacy Professional, John Sileo, Photo Copier, Photo Copiers, Photocopier, Photocopier Identity Theft, Photocopiers
The story about the Harvard student who fraudulently gained access into Harvard University is an excellent lesson in repelling fraud. Watching the video to the left, you will be struck by how many opportunities there were to catch him in the act of lying. But it didn’t happen for a long time. The underlying reason he didn’t get caught is the same for prestigious universities like Harvard, Fortune 500 Companies and small businesses alike:
No one verified his claims (until recently). Verification is a learned skill that is under-utilized and under-trained in corporate America.
Apparently the university, the financial aid office and a list of other responsible parties didn’t double check any of the claims he made – his grades, his transfer from MIT, his financial status, nothing. This happens inside of businesses every day. New hires are processed without so much as a background check, reference check or educational check actually taking place. It is on the HR checklist of to-dos, but that doesn’t mean it is getting done. As a matter of fact, this is a similar case to the Bernie Madoff case – had the SEC taken just a few hours to verify his claims, his victims wouldn’t be out $54 billion. At some point, businesses are going to begin taking notice, and will train their executives and employees on detecting the human side of fraud. It’s not that difficult.
Posted in Identity Theft by Identity Theft Expert John Sileo.
Tags: Adam Wheeler, Admissions, Fraud Training, Harvard, Identity Theft, Identity Theft Speaker, John Sileo, Scam
Facebook has announced a new security feature that focuses on keeping users’ information safe from hackers attempting to gain access to their accounts.
The feature was announced last Thursday, and is similar to how secured banking sites work — they only let you access the site from approved computers. If you are attempting to log onto your Facebook account from an unknown computer, device, or location, Facebook will notify you via email and lock down your account in case it is under attack. To regain access, you will have to follow the link in the email which will lead you through a security check to verify your identity. They will ask you a few security questions and have you acknowledge that it was in fact YOU (or if it wasn’t you, then you notify Facebook at this point) trying to access your account.
This change comes on the heels of one of the largest Facebook privacy issues to date. The social networking site that services over 400 million people made headlines recently when they chose to link users’ likes and interests to organizations and others on Facebook. This raised major concerns that they were no longer acting in the users’ best interest.
Posted in Identity Theft, Social Media by Identity Theft Speaker John Sileo.
Tags: CNN, Facebook, identity theft expert, Information Control, John Sileo, Privacy, Social Networking Speaker
Breaking News
Google has apologized after admitting that they were “accidentally” collecting users’ personal information that was sent over unsecured wifi networks. Head of communications at Google, Peter Barron, told the BBC that this was a “mistake” and more robust procedures will be put in place.
John Sileo became one of America’s leading Social Networking Speakers & sought after Identity Theft Experts after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.
Posted in Identity Theft by Identity Theft Speaker John Sileo.
Tags: breaking news, data collection, Google, identity theft expert, John Sileo, social networking, wifi
You are the frog and Facebook is the slowly boiling water. Here is an excellent visual representation of how your default Facebook Privacy Settings have changed over the years. If you want to see the interactive version, click on the picture below and it will take you to the website where you can click on the image year by year and watch your privacy erode. Essentially, the amount of blue on the chart is how much of your information Facebook is sharing with the outside world. Can you say boil the frog slowly?
I found this map in a revealing article on Facebook’s founder, Mark Zuckerberg, published by The Register (U.K.).
The first source for the disturbing comments attributed to Zuckerberg was pointed out to me by my lead researcher, Liz. This article on Mr. Zuckerberg calling his first Facebook users dumbf*&%#$ appeared on Gawker.com.
The article points out that we cannot be certain how the comments were intended (as a joke?) or if they were actually said by Zuckerberg, but if they were, it demonstrates what the rest of us know in our hearts and minds – we are sharing too much about ourselves on social networking sites. Thanks to these articles and others for the wake up call. See yesterday’s post on deleting your Facebook profile.
Posted in Social Media by Identity Theft Speaker John Sileo.
Tags: "Delete Facebook", "How do I delete my Facebook account", "Mark Zuckerburg", Delete, Facebook, identity theft expert, Identity Theft Speaker, John Sileo, Privacy