Sunday, May 31, 2009

The Webs from Connect Safely - Kate's Very Public Party

Connect Safely has a great series of educational videos called The Webs. ConnectSafely is for parents, teens, educators, advocates, and everyone engaged in and interested in the impact of the social Web. The videos discuss net safety in a fun, yet intelligent manner. I recommend them for the whole family.

Saturday, May 30, 2009

National Cyberspace Policy Review

President Obama released the nation’s new cyberspace policy review. This is the result of a sixty-day review that calls for a number of measures to improve computer security for both government and private networks. Obama said, "Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage."

Obama will create a cyber security coordinator "responsible for orchestrating and integrating all cyber security policies for the government; working closely with the Office of Management and Budget to ensure agency budgets reflect those priorities; and, in the event of major cyber incident or attack, coordinating our response." This differs from previous administrations. Prior “Cybersecurity Czars” were low on the access list to the President. This position should have "regular access" to the President, will be a member of the National Security Council, and will work with the federal CTO and CIO. In politics, importance and attention are given to those with regular access to the chief executive. This should raise the focus on information security at the highest levels.

From the Executive Summary:

· It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and ensure that the United States and the world realize the full potential of the information technology revolution.

· The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and well-being of citizens. The private sector, however, designs, builds, owns, and operates most of the digital infrastructures that support government and private users alike.

· The United States needs a comprehensive framework to ensure a coordinated response by the Federal, State, local, and tribal governments, the private sector, and international allies to significant incidents. Implementation of this framework will require developing reporting thresholds, adaptable response and recovery plans, and the necessary coordination, information sharing, and incident reporting mechanisms needed for those plans to succeed.

· The government, working with key stakeholders, should design an effective mechanism to achieve a true common operating picture that integrates information from the government and the private sector and serves as the basis for informed and prioritized vulnerability mitigation efforts and incident response decisions.

· The Nation’s approach to cyber security over the past 15 years has failed to keep pace with the threat.

A basic reading of the document is that the government is moving to more of a leadership role, as in the term "coordinated response." In previous discussions, terms such as "information sharing" and "public-private partnership" were used. The general consensus is that the government needs to assist in improving industry's cyber security posture, either by legislation that blocks liability, by spending money to improve infrastructure, or by forcing security standards on industry through regulation. Simple market economics won’t resolve our security problems, and it appears that Obama is open to using other means as necessary.

Bargaineering.com on F-Secure Internet Security 2009

Bargaineering.com has a very good review of F-Secure Internet Security 2009. The price is comparable with some of the bigger competitors. F-Secure costs $59.99 for 12 months and 3 computers. Norton Internet Security 2009 retails for $59.99. AVG, which has a fantastic free antivirus product, also has an AVG Internet Security product that costs $54.99 for one computer for 12 months. The free version of AVG can be a bit of a hassle to set up and keep running.
Go over to the Bargaineering.com site. The review is very comprehensive and there is a product giveaway.

Wednesday, May 27, 2009

Medical Identity Theft

Eight or nine years ago, I used to pooh-pooh identity theft. It was very prevalent and the media tended to hype the story. They tended to call every instance of credit card fraud an act of identity theft.

I don’t pooh-pooh it anymore. It is a serious problem and can affect almost anyone. While cases of pure credit card theft still occur, cases of identities being taken over and used for nefarious purposes are definitely increasing. One such form is medical identity theft. The World Privacy Forum defines medical identity theft as occurring when someone uses a person's name and sometimes other parts of their identity -- such as insurance information -- without the person's knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods.

The Federal Trade Commission estimates that approximately 3,000 – 5,000 cases occur each year. What is especially disturbing is that the people who have their identities stolen are most often seriously ill and in no position to fight back.

The World Privacy Forum states that it is very important to find out about medical identity theft, because fraudsters who use your identity for medical care or services can introduce changes to your medical record that can be nearly impossible to undo. These changes can range from small things that do not pose a risk to you to substantial erroneous information that can pose a medical risk to you.

Discovering medical identity theft is not like discovering financial identity theft: it can be harder to detect medical identity theft, and sometimes you need to look in different places. For example, some people find out about medical identity theft when a debt collector sends a letter or calls. But others only find out after an insurance investigator alerts them to the problem, or after they notice errors in their medical file, or after they get a strange bill for medical services they did not receive.

Here are the World Privacy Forum’s tips on how to prevent and fight back against medical identity theft.

· Closely monitor any "Explanation of Benefits" sent by a public or private health insurer
· Pro-actively request a listing of benefits from your health insurers
· Request a copy of current medical files from each health care provider
· File a police report
· Correct erroneous and false information in your file
· Keep an eye on your credit report
· Request an accounting of disclosures

Saturday, May 23, 2009

Protecting You and Your Spouse on the Internet

Harassment

• Always select a gender-neutral username for your e-mail address or for chat, etc. Do not pick something cute, such as misskitty@someisp.com or use your first name if it is obviously female. Since the majority of online victims are female, this is what harassers look for.
• Keep your primary e-mail address private. Use your primary e-mail address only for people you know and trust.
• Get a free e-mail account and use that for all of your other online activity, and be sure to select a gender-neutral username. There are many free e-mail providers, such as Hotmail, Google, and Yahoo!.
• Do not fill out profiles. When you sign up for an e-mail account, whether it is through your Internet Service Provider (such as Comcast) or a free provider (such as Yahoo!), fill out as little information about yourself as possible. The same goes for personal profiles in Instant Messenger programs and chat rooms as well.
• Do block or ignore unwanted users. Whether you are in a chat room or using Instant Messenger, you should always use the block and ignore options available to you. It is always better to ignore a harasser than to confront them.
• Do not defend yourself. Yes, this is the most common reaction when someone begins harassing you online. Most people naturally want to defend themselves, but a reaction from you is just what the harasser wants. The perpetrator is searching for someone to harass, so do not fall for their bait. When you reply to them, you are letting them know that you are upset, which is exactly what they want. Even though it might seem difficult to do, ignore these perpetrators. When they realize that they are not bothering you, they will go on to the next chat room, newsgroup, etc and try to find another victim.
• Never give your password to anyone. Your Internet Service Provider will never ask you for your password.
• Never provide any identifying information (full name, address, phone numbers, credit card numbers, etc.).
• Be very cautious about posting pictures of yourself, your children, or anyone else you are close to.
DON'T
• Type anything online that you would not say to someone in person!
• Delete harassing messages, IM conversations, etc. Either print a copy or place them in a folder on your hard drive or disk. WHY?? This information can be helpful in finding the identity of your harasser (if unknown) and can be evidence in a case (criminal or judicial).

Shopping Online

· Use a secure browser. This is the software you use to navigate the Internet. Your browser should comply with industry security standards, such as Secure Sockets Layer (SSL). These standards encrypt the purchase information you send over the Internet, helping to secure your transaction. Most computers come with a browser installed. You also can download some browsers for free over the Internet.
· Shop with companies you know. Anyone can set up shop online under almost any name. If you're not familiar with a merchant, ask for a paper catalog or brochure to get a better idea of their merchandise and services. Also, determine the company's refund and return policies before you place your order. These should be posted on the company's Web site.
· Keep your password(s) private. Be creative when you establish a password, and never give it to anyone. Avoid using a telephone number, birth date, or a portion of your Social Security number. Instead, use a combination of numbers, letters, and symbols. Use a passphrase, as described in the earlier Passwords post. Don’t use the same one for all accounts.
· Pay by credit or charge card. If you pay by credit or charge card online, your transaction will be protected by the Fair Credit Billing Act. Under this law, consumers have the right to dispute charges under certain circumstances and temporarily withhold payment while the creditor is investigating them. In the event of unauthorized use of your credit or charge card, you are generally held liable only for the first $50 in charges. Some companies offer an online shopping guarantee that ensures you will not be held responsible for any unauthorized charges made online, and some cards may provide additional warranty, return and/or purchase protection benefits.
· Keep a record. Be sure to print a copy of your purchase order and confirmation number for your records. Also, you should know that the federal Mail/Telephone Order Merchandise Rule covers online orders. This means that unless stated otherwise, merchandise must be delivered within 30 days; and if there are delays, the company must notify you.
· Pay your bills online. Some companies let you pay bills and check your account status online. Before you sign up for any service, evaluate how the company secures your financial and personal information. Many companies explain their security procedures on their Web site. If you don't see a security description, call or email the company and ask.

Privacy

· Keep your personal information private. Don't disclose personal information--such as your address, telephone number, Social Security number or email address--unless you know who's collecting the information, why they're collecting it and how they'll use it. If you have children, teach them to check with you before giving out personal --or family-- information online.
· Look for a company's online privacy policy. Many companies with privacy practices post their privacy policy on their Web site. This policy should disclose what information is being collected on the Web site and how that information is being used. Before you provide a company with personal information, check its privacy policy. If you can't find a policy, send an email or written message to the Web site to ask about its policy and request that it be posted on the site.
· Make choices. Many companies give you a choice on their Web site as to whether and how your personal information is used. These companies allow you to decline--or "opt-out" of--having personal information, such as your email address, used for marketing purposes or shared with other companies. Look for this choice as part of the company's privacy policy.

Wednesday, May 20, 2009

Protecting Your Children on the Internet

Let’s talk about the risks to your children. We have to put these in the context of the child’s age and maturity level. I would encourage my son when he was younger to look at some of the political cartoons and commentary, but he was definitely not ready for some other types of material out there.

Exposure to Inappropriate Material

Normally when you think of inappropriate material you think of pornographic images. These definitely exist in abundance, but there is a lot of other stuff that is inappropriate depending on age and maturity level. It’s not all just photos. There is erotic written material, hate sites, radical religion, and violent images or ideas.

There are sites based on Japanese anime that have cool cartoons that attract kids. Just because you see your child reading text doesn’t mean you shouldn’t check the material. On some hate sites, it might take a bit of digging before the real message comes through.

Physical Molestation

Predators do exist. They exist on the streets and on the Internet. The Internet makes it extremely convenient for them to screen for potential victims. They will seduce the victim through chat, email and instant messaging. The predator will attempt to drive a wedge between the victim and their family, moving control to the predator. While not every e-mail your child receives is from a predator, you need to be aware of who your child is communicating with.

Harassment

There are mean people. Your child might stumble on one of these during their web surfing. These people can say and do some very hurtful things. Your child needs to know that these people exist and how to keep their anonymity on the Internet.

Legal and Financial Exploitation

Children can be tricked into giving out information that can lead to identity theft or credit card abuse.
Also, your child might engage in illegal activity. The courts have become more and more unaccepting of such behavior. You or your child might suffer civil or criminal fines or even jail time.

Danger Signs

· Your child spends large amounts of time on-line, especially at night.
· You find pornography on your child's computer.
· Your child receives phone calls from men you don't know or is making calls, sometimes long distance, to numbers you don't recognize.
· Your child receives mail, gifts, or packages from someone you don't know.
· Your child becomes withdrawn from the family.
· Your child is using an on-line account belonging to someone else.

How do I Protect my Children

The computer needs to have monitoring software on it and/or be in a room where the parents are most often. Otherwise this is negligence! I will keep harping on this. You need to talk to your child and supervise their activities. I know the last statement is a bit draconian. It is meant to get your attention and start some thought processes that might help your children. A good monitoring program is Spector. Spector provides screen shots of what the child is viewing at a given point in time. You can set it for every five seconds and up. Content filtering is based on either web ratings or a commercially developed list of acceptable sites. Once again, you can set it for the child’s age and maturity level.

Tips

· Place home computers in the family room or kitchen where the screen is in view of a parent for much of the time.
· Supervise! Supervise! Supervise!
· Do not allow children to use adult chat rooms and instant messaging services such as MSN Instant Messenger, AOL Instant Messenger, Yahoo! Messenger and IRC. Even "child-safe" versions of these services should only be used under parental supervision.
· Do not allow children to use inappropriate handles or IDs for email or chat forums. Anything ending in 69 (very commonly seen) or xxx_name_xxx, for example.
· Do not allow children to have email accounts on web-based free email services such as Hotmail, Yahoo Mail, Netscape Mail, etc. Restrict email usage to conventional email accounts provided by your internet service provider.
· Teach children not to pass personal details such as their name, address, school or other information to strangers by email, via web forms, or in chat rooms.
· Do not allow children to perform Web searches without adult supervision. Use Google, with the Google SafeSearch option turned on.
· Review the history of web sites viewed in a web browser, as well as the contents of the "Bookmarks" or "Favorites".
· Do not allow children to register at web sites without carefully checking the site's privacy policy.
· Do not allow children to download and install programs without parental supervision, virus scanning and knowledge of what the program will do.

Monday, May 18, 2009

Privacy and the Web - Scalia

Students at Fordham Law School taught Supreme Court Justice Antonin Scalia a lesson on privacy on the web. The New York Times reported that Scalia, who has been dismissive of web privacy cases in the past, was the “target”: the students would attempt to gather as much online material about him as possible. They were able to create a dossier of 15 pages. Some of the material included his home address and telephone number, his wife’s personal email address, and the TV shows and food he prefers.

Privacy Rights Clearinghouse reports that the main ways to get information online about you are:

- Marketing
- Official use: Court Records / employer / government (law enforcement and foreign intelligence)
- Illegal activity and scams
- Other common scams

To keep your activity as private as possible, make sure you understand a site’s privacy policy before you give it your information. Read the policy. If you can’t find it, it is better to pass on the site rather than to have your information sold for mass marketing.

Keep your computer secure. Use a firewall, anti-virus and anti-spyware applications. Use an auto update program and update your computer with security patches as soon as they become available.

Once again, as we have discussed before, no one is looking to give anyone free money over the Internet. Do not open or even look at emails that promise riches.

I remember when I was a child there was a 60 Minutes story about how someone could profile a person by the cancelled checks in their bank account. They could tell if they were married, what kind of products they bought and pretty much how they lived. We are far beyond that now.

Sunday, May 17, 2009

Book Review - “The Gift of Fear” by Gavin De Becker

One of my favorite books to introduce people to thinking about personal safety and security is “The Gift of Fear” by Gavin De Becker available from Amazon. Gavin De Becker runs a consulting firm that consults with celebrities and others that might be threatened. He was twice appointed to a Presidential Board dealing with security, is a senior fellow at UCLA and is an advisor to the Rand Corporation.

The basic premise of the book is that fear is a protective mechanism that has developed over eons of evolution. Most times when we feel fear, there is a reason for it. A good example is a woman alone at night in a parking garage walking to her car. Current thought is to dismiss the fear. It is a normal reaction to be scared of this scenario. Being alone, at night, in a parking garage where predators are known to look for victims are all items that make the probability of something happening higher (remember our talk about risk). Basically what he is talking about is harnessing intuition.

De Becker shows you how to spot the small signs of dangerous behavior and what to do about it. He spends a lot of time talking about stalking and how to handle it. This should be required reading for anyone going through a situation such as this.

De Becker uses a lot of case histories and techniques for dealing with similar situations. He talks about a cycle of violence and how to spot it before it fully develops. I definitely recommend this as a first time read on safety and security.

Saturday, May 16, 2009

Measuring Risk

Before we get too far into a discussion of security, we should talk about measuring risk. Risk Analysis is a term you hear often in business and IT circles. But do you realize that Risk Analysis is a process that you follow in your daily life?

First you have to understand what constitutes risk. Risk normally comes from some sort of threat or danger. A good example is the threat of a flood to your house. Next you have to determine how likely this is to occur in your neighborhood. This is called the probability of occurrence. Let’s say in this example that your house is on a hill. Being on a hill means the chance of a flood in your neighborhood is improbable.

Back to the house, now you have to look and see what the possible damage would be. This is termed severity. While a flood would be devastating, it most likely would not totally destroy your house or cause a loss of life. So we can classify the severity of a flood as high, but not extreme. Generally speaking, you might then think of this as a medium risk.

Once we have the overall risk to us, we have to decide how much we are willing to accept. In this case, you could say that you are willing to accept a medium risk. If you couldn’t sleep at night because of flood worries, you could transfer the risk, in this case to an insurance company, for a fee of course. Or you could avoid the risk by moving to someplace like Arizona.

Another way to manage risk is to mitigate it. You either try to reduce the severity or probability of it. For example, hopefully when you ride a bicycle you wear a helmet. You are reducing the severity of an accident in case you are hit. To reduce the probability of a bicycle accident you might wear a fluorescent band so that drivers can see you.

You are probably saying that while this is all well and good, you don’t practice it in your life. But you do. Take your children for instance. You would not leave a young child alone on the sidewalk by a busy street. The probability of them running out into the street is high. If they were hit, the severity would be extreme. When your children get older, you don’t have as much risk. The severity is still extreme, but the chance of them running in front of a car is much lower, hence lower risk.

As we live our lives, we should incorporate risk assessment and management into our daily practices. On large life events, the risk assessment process needs to be a formal process. Buying a house, or going on a vacation to a danger-filled place in the world, should have some risk management involved. In the choices you make every day, you should look at the chance of something occurring and the severity of the outcome if it occurs. Only then can you make an informed choice.

Thursday, May 14, 2009

Spam

WAR! SEX! MONEY!

Did one of these words get your attention? This is what virus writers, con artists, and identity thieves use to get your attention and tempt you to open an email. They offer you stimulating photos, current events or incredible proposals. They might want to take over your computer, add your name to spam lists, or try to steal your money. Whatever you do, don’t follow up on their offers. Definitely don’t open attachments from unknown people. Don’t open these Spam messages and definitely don’t reply to them. Just remember no one will give you a lot of money for nothing.
Spam makes up close to 100 percent of all e-mail traffic on the Internet, according to Microsoft. Just delete them and forget about it.

Reducing Spam

•The primary rule: Never make lists of e-mail addresses, and if you do, do not e-mail the list. Only send out individual emails.
•Never respond to a spam email.
•Never respond to the spam e-mail's instructions to reply with the word "remove." This is just a trick to get you to react to the e-mail.
•Never sign up with sites that promise to remove your name from spam lists. These sites are of two kinds: (1) real, and (2) spam address collectors. The first kind of site is ignored (or exploited) by the spammers, the second is owned by them -- in both cases your address is recorded and valued more highly because you have just identified it as read by a human.

Passwords

Your password is a lot like your credit card. Your credit card is how your bank or credit union determines whether you are who you say you are. This is called authentication. The same principle is used when logging in on your computer or account.

Normally when the authentication process takes place we need a combination of two of three factors: who you are, what you have, or what you know. With credit cards, when you are in the store they require the card (what you have) and your signature (what you are). When you use the ATM, your card is required (what you have) and a PIN (what you know). Most accounts online use only a password (what you know) to authenticate you. No, your user id is not what you are (we could use biometrics for this). This makes it extremely important that you use a strong password.

If someone else steals your password, it is basically the same as giving them your credit card and PIN. When someone uses a credit card at a bank ATM, they are accountable for the withdrawals. When your user id and password are used to access an account, you are accountable for the actions performed.

Passwords can be guessed if you use information about yourself or your family. There is software that is very effective at cracking passwords. The reason that a lot of accounts require you to change passwords regularly is to defeat ever-increasing processor capability. All passwords can and will be cracked. However, if you have a strong password, it may take over six months to crack. If you use a strong password, most password thieves will move on to someone else. You can see that it is important that you create strong passwords and protect them as much as you would protect your credit cards.

How do I create a strong password?

It does no good if your password is so complex that you have to write it down to remember it. Our present standard for passwords is that they be eight characters and contain a mix of alphabet and number characters. You can also use upper and lower case and special characters to make it even stronger. Special characters include the space bar, all the characters above the numbers, and brackets.

The best way to remember all this is to use a pass phrase. Simply create a sentence to remember. However, don't pick a well known phrase like `An apple a day keeps the doctor away' (Aaadktda). Instead, pick something like `My dog's first name is Rex' (MdfniR) or even better `My sister Peg is 24 years old' (MsPi24#yo). Once you have your password, change it and lock your workstation. Then practice logging in and out. If you mess up, you won’t lock yourself out. Keep your password in your wallet (next to your credit card) for a few days before destroying it.
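As an added example (not the blog's own code), here is a short Python script that builds a password from a pass phrase the way the post describes (first character of each word, numbers kept whole, an optional special character after a number) and then checks the result against the post's rules: at least eight characters with letters and numbers, with mixed case and special characters counted as the extras that make it stronger. The list of well-known sayings it rejects is constructed for this example and would be much longer in practice.

```python
# Added example: derive a password from a pass phrase and check it against the
# rules in the post. Not the blog's own code; the list of well-known sayings is
# constructed for this example.

MIN_LENGTH = 8

# Special characters as the post describes them: the space bar, the characters
# above the number keys, and brackets.
SPECIAL_CHARS = set(" !@#$%^&*()[]{}<>")

# Constructed list of well-known sayings. A password whose letters match the
# initials of one of these is rejected, as the post advises. A real check
# would use a much larger list.
WELL_KNOWN_PHRASES = [
    "An apple a day keeps the doctor away",
    "The early bird catches the worm",
    "A penny saved is a penny earned",
]


def passphrase_to_password(phrase, special=""):
    """Build a password from a phrase: first character of each word, numbers
    kept whole, and `special` appended after each number (the post's
    'My sister Peg is 24 years old' -> 'MsPi24#yo' with special='#')."""
    parts = []
    for word in phrase.split():
        if word.isdigit():
            parts.append(word + special)
        else:
            parts.append(word[0])
    return "".join(parts)


def check_strength(password):
    """Return a dict of which rules from the post the password satisfies.
    'meets_minimum' is the post's baseline (eight characters, letters and
    digits, not a well-known saying); mixed case and special characters
    are the extras that make it stronger."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIAL_CHARS for c in password)
    # Compare only letters and digits, so a saying with a '#' bolted on is
    # still recognised as that saying.
    core = "".join(c for c in password if c.isalnum())
    known = {passphrase_to_password(p) for p in WELL_KNOWN_PHRASES}
    result = {
        "long_enough": len(password) >= MIN_LENGTH,
        "letters_and_digits": (has_lower or has_upper) and has_digit,
        "mixed_case": has_lower and has_upper,
        "special": has_special,
        "not_well_known": core not in known,
    }
    result["meets_minimum"] = (result["long_enough"]
                               and result["letters_and_digits"]
                               and result["not_well_known"])
    return result


if __name__ == "__main__":
    # The post's three examples: only the last one passes the baseline.
    for phrase, special in [
        ("An apple a day keeps the doctor away", ""),
        ("My dog's first name is Rex", ""),
        ("My sister Peg is 24 years old", "#"),
    ]:
        pw = passphrase_to_password(phrase, special)
        print(f"{phrase!r} -> {pw}: {check_strength(pw)}")
```

Run it as a script and it prints the post's three examples with their rule results: the proverb fails because it is well known and has no digits, the dog's name is too short, and only the sister's age example meets the baseline while also picking up the mixed-case and special-character extras.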

Wednesday, May 13, 2009

Intro

There is an old saying “you don’t know what you don’t know.” These days with warnings over pandemic flu or Teflon pans, carjacking or improperly installed car seats, you really don’t know what is truth and what is not. Some things have been hyped in the media far beyond what is really hazardous, others have been ignored when they really do present a danger to you and your family. This blog is an attempt to sort out the hype from the truth on topics dealing with security, safety, privacy and other related issues.

I bring to the discussion a twenty-year military career with the majority of it as a commissioned Special Forces Officer. My training and experience range from bodyguard work, recovery and rescue, competition shooting, risk management and interpersonal negotiations. I lived over thirteen years in Europe and traveled extensively across the continent. I also have traveled to the Middle East, Africa, Latin America and Asia.

After the military, I was able to leverage my experience, along with degrees in Computer Science and Information Technology and worked as a computer security expert. Over time, I have worked physical security, safety and computer privacy issues of many different types. I am a husband, father, homeowner, and manager. We will talk about how to keep ourselves and our family safe and secure.