Warning 1:  Many of the links were broken when the FASB changed all of its links.  If a link to a FASB site does not work, go to the new FASB link and search for the document.  The FASB home page is at http://www.fasb.org/

 

Warning 2:  In February 2008 the FASB for the first time allowed users free access to its "FASB Accounting Standards Codification" database. Access will be free for at least one year, although registration is required for free access. Much, but not all, information in separate booklets and PDF files may now be accessed much more efficiently as hypertext in one database. The document below has not been updated for the Codification Database. Although the database is off to a great start, there is much information in this document and in the FASB standards that cannot be found in the Codification Database. You can read the following at http://asc.fasb.org/asccontent&trid=2273304&nav_type=left_nav

Welcome to the Financial Accounting Standards Board (FASB) Accounting Standards Codification™ (Codification).

The Codification is the result of a major four-year project involving over 200 people from multiple entities. The Codification structure is significantly different from the structure of existing accounting standards. The Notice to Constituents provides information you should read to obtain a good understanding of the Codification history, content, structure, and future consequences.

Facebook is perhaps the ultimate example of the old, wise saying: If you aren't paying for a product, then you ARE the product.
Comparisons of Antivirus Software ---
http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows

 

 Bob Jensen's Introduction to e-Business and e-Commerce
http://www.trinity.edu/rjensen/ecommerce/000start.htm

Bob Jensen at Trinity University

Top 25 Google e-searches of the month
          Most Popular Web Sites 2006 - 2007 --- http://www.webtrafficstation.com/directory/
          WebbieWorld Picks --- http://www.webbieworld.com/default.asp

How E-commerce Works --- http://money.howstuffworks.com/ecommerce.htm 

Who Really Started the Internet?

Revenue Recognition Accounting Fraud (much of this fraud is in ecommerce) --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm

Electronic Commerce:  The Fastest Growing Phenomenon in World Commerce

Electronic Commerce:  Special Problems Arising for Accountants and Auditors  

Electronic Commerce:  Webledgers  

Electronic Commerce:  Revenue Accounting Problems and Related Financial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm 

Electronic Commerce:  Training and Education Issues 

Electronic Commerce:  Assurance Services Opportunities and Risks 

Illustration of Topics in a Continuous Assurance Symposium 

Investor Relations and Internet Reporting  

XBRL Will Change the World of Financial Reporting and Analysis --- 
http://www.trinity.edu/rjensen/XBRLandOLAP.htm#XBRLextended
 

Education and Online Training Issues  

A Special Section on Computer and Networking Security (including spam fighters)  

Comparisons of Antivirus and AntiMalware Software --- http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows


Introduction (with a personal account of my own problems)

"I challenged hackers to investigate me and what they found out is chilling," by Professor Adam L. Penenberg (NYU)

Social Scams

College Professor: I Lost Tons Of Critical Files Because Of Dropbox

Big Google Becomes Big Brother

How to track a stolen iPhone

Chinese Water Army

Cloud Security

How to make stolen laptop data useless to thieves

Is your data safe? Survey reveals scandal of snooping IT staff

Bad News for Wireless Routers at Home

Protecting security while using a public network in a library, cyber cafe, hotel, or wherever

Viruses and Worms and Malware

Spyware  (and SiteAdvisor)

Cell Phone Records are for Sale 

Identity Theft:  Phishing, Pharming, Vishing, Slurping, and Spoofing
Question
When might you want to run Linux on your Windows computer?
"E-Banking on a Locked Down (Non-Microsoft) PC," by Brian Krebs
http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

Pretexting

Cookies 

Spam Blocking 

Searching Dangers:  Beware of Search Engines

Hacking Into Systems

Security on Public Wireless Networks

Denial of Service Attacks 

Spy Tools:  How safe are unlisted phone numbers?

Forget Big Brother, Now You Are Being Watched by Almost Anybody

Weapons of Information Warfare  

Threads on Firewalls --- Go to  http://www.trinity.edu/rjensen/firewall.htm 

Identity Theft http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

Encryption

New Tech Tools to Combat Fraud

The Downside: Psychology of Electronic Commerce and Technology 

Intangibles Accounting Issues --- http://www.trinity.edu/rjensen//theory/00overview/theory01.htm#TheoryDisputes 

Managerial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm 

How Can Technology Be Used to Reduce Fraud? --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm#Issue7 

ROI Issues --- http://www.trinity.edu/rjensen/roi.htm 

Implications for Auditing and Assurance Services --- 
http://www.trinity.edu/rjensen/ecommerce/assurance.htm
 

Opportunities of E-Business Assurance & Security:  Risks in Assuring Risk --- http://www.trinity.edu/rjensen/ecommerce/assurance.htm 

Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime

The Controversial Electronic Commerce of Education --- http://www.trinity.edu/rjensen/000aaa/0000start.htm

Investor Relations and Internet Reporting   

Education and Training   

Evaluation of Websites 

Search for Internet, e-Commerce, or e-Business Phrases

Top Year 2002 Accounting Technologies 

Bob Jensen's Threads on Electronic Commerce --- 
http://www.trinity.edu/rjensen/ecommerce.htm 

Bob Jensen's Threads on Electronic Commerce in College Curricula --- 
http://www.trinity.edu/rjensen/ecommerce/curricula.htm
 

Accounting Threads

Bob Jensen's Threads on Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime

Bob Jensen's Technology Glossary

Bob Jensen's threads on computer security are under "Security" (in the S-Terms) at http://www.trinity.edu/rjensen/245gloss.htm
Also look under the C-Terms for "Cookies."


I created a timeline of major happenings leading up to the eXtensible Business Reporting Language (XBRL) and Online Analytical Processing (OLAP) systems.  Overviews of XML, VoiceXML, XLink, XHTML, XBRL, XForm, XSLT, RDF and the Semantic Web are also provided --- http://www.trinity.edu/rjensen/xmlrdf.htm

This is what Professor Jim Mahar says about ERisk in the March 24, 2003 edition of TheFinanceProfessor (an absolutely fabulous newsletter) --- www.FinanceProfessor.com 

Erisk.com. I simply love the site. I know it has been site of the week before, but it is so good, it earned it again. Try it, you’ll love the case studies and the newsletter! http://www.erisk.com


Security Hacker Who Used To Rob Banks (over 1,000 and never arrested) Is Giving Away His Secrets For Free ---
http://www.businessinsider.com/jim-stickley-on-security-2013-11

Jensen Comment
Especially note the "Library" of videos.

Current videos available for download

Videos currently being developed

Bob Jensen's threads on computer and networking security ---
http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection

 


ERisk --- http://www.erisk.com/ 

ERisk is the leading provider of strategic solutions for risk and capital management. We deliver a unique combination of world-class analytics for risk-based capital, strategic risk management expertise, risk transfer advice and risk information.

You can find out more about our products and services in the Overview section. On this page, you can find out more about the people and ideas that power our company.

The ERisk Report --- http://www.erisk.com/about/about_company.asp?ct=n#report 

The ERisk Report is a concise monthly briefing for senior financial executives. Every month, contributors from ERisk's team of risk management experts address today's most pressing issues in strategic risk and capital management. Sign up today for your personal copy of this cutting-edge publication!

Vol 1.6: Measuring the return on risk management; leveraging the economic benefits of risk management

Vol 1.5: Putting the real value on customer relationships; rolling out risk management

Vol 1.4: Making risk more transparent; fed takes pulse of economic capital practices

Vol 1.3: Credit scoring: robots versus humans; James Lam's three lessons from Enron

Vol 1.2: Weathering credit losses; regulators line up behind economic capital

Vol 1.1: Revamping your credit ratings system; measuring bank profitability

The ERisk Portal --- http://www.erisk.com/portal/home.asp 
Resources for Enterprise Risk Management

ERisk today continues to successfully develop and install its analytics at client sites, conduct high-value consulting engagements, offer unbiased advice on risk transfer alternatives, and attract thousands of readers to the ERisk portal.

"New e-Accounting Advisor Network Debuts," SmartPros, September 29, 2003 --- http://www.smartpros.com/x40720.xml 

Insynq Inc., a provider of Internet-delivered online accounting solutions and services, has launched an online advisor network to assist the accounting professional by supporting back-office processing requirements on a highly cost-efficient basis.

The e-Accounting Advisor Provider Network (http://eaccounting.cpa-asp.com) has created a new cost-effective resource for practices of all sizes to use to expand their practice, or to provide the opportunity of higher gross margins, Insynq announced. Through the use of business process outsourcers -- such as call centers, payroll and HR processing services -- professional practices are able to improve client services, expand their practices, and improve practice profitability.

"These accountants have gained a comprehensive solution that combines our online accounting technology services with business process outsourcing models," said Insynq president John Gorst. "e-Accounting is one of the few providers in the industry with a service model that encompasses online accounting applications, data management, document management and workflow tools."

Insynq will co-sponsor a series of seminars in the top 25 U.S. markets over the next four months for CPAs, accountants and bookkeepers that explain the online accounting model. These seminars will detail the outsourced accounting opportunity, and demonstrate the benefits of using business process outsourcers in support of practice initiatives.


Who Really Started the Internet?

Internet History --- http://en.wikipedia.org/wiki/History_of_the_Internet

Question
Have I been wrong about crediting the ARPANET in 1969 (and Al Gore) all these years?

By December 5, 1969, a 4-node network was connected by adding the University of Utah and the University of California, Santa Barbara. Building on ideas developed in ALOHAnet, the ARPANET grew rapidly. By 1981, the number of hosts had grown to 213, with a new host being added approximately every twenty days.

"Who Really Invented the Internet? Contrary to legend, it wasn't the federal government, and the Internet had nothing to do with maintaining communications during a war," by Gordon Crovitz, The Wall Street Journal, July 22, 2012 ---
http://professional.wsj.com/article/SB10000872396390444464304577539063008406518.html?mod=djemEditorialPage_t&mg=reno64-wsj

A telling moment in the presidential race came recently when Barack Obama said: "If you've got a business, you didn't build that. Somebody else made that happen." He justified elevating bureaucrats over entrepreneurs by referring to bridges and roads, adding: "The Internet didn't get invented on its own. Government research created the Internet so that all companies could make money off the Internet."

It's an urban legend that the government launched the Internet. The myth is that the Pentagon created the Internet to keep its communications lines up even in a nuclear strike. The truth is a more interesting story about how innovation happens—and about how hard it is to build successful technology companies even once the government gets out of the way.

For many technologists, the idea of the Internet traces to Vannevar Bush, the presidential science adviser during World War II who oversaw the development of radar and the Manhattan Project. In a 1946 article in The Atlantic titled "As We May Think," Bush defined an ambitious peacetime goal for technologists: Build what he called a "memex" through which "wholly new forms of encyclopedias will appear, ready made with a mesh of associative trails running through them, ready to be dropped into the memex and there amplified."

That fired imaginations, and by the 1960s technologists were trying to connect separate physical communications networks into one global network—a "world-wide web." The federal government was involved, modestly, via the Pentagon's Advanced Research Projects Agency Network. Its goal was not maintaining communications during a nuclear attack, and it didn't build the Internet. Robert Taylor, who ran the ARPA program in the 1960s, sent an email to fellow technologists in 2004 setting the record straight: "The creation of the Arpanet was not motivated by considerations of war. The Arpanet was not an Internet. An Internet is a connection between two or more computer networks."

If the government didn't invent the Internet, who did? Vinton Cerf developed the TCP/IP protocol, the Internet's backbone, and Tim Berners-Lee gets credit for hyperlinks.

But full credit goes to the company where Mr. Taylor worked after leaving ARPA: Xerox. It was at the Xerox PARC labs in Silicon Valley in the 1970s that the Ethernet was developed to link different computer networks. Researchers there also developed the first personal computer (the Xerox Alto) and the graphical user interface that still drives computer usage today.

According to a book about Xerox PARC, "Dealers of Lightning" (by Michael Hiltzik), its top researchers realized they couldn't wait for the government to connect different networks, so would have to do it themselves. "We have a more immediate problem than they do," Robert Metcalfe told his colleague John Shoch in 1973. "We have more networks than they do." Mr. Shoch later recalled that ARPA staffers "were working under government funding and university contracts. They had contract administrators . . . and all that slow, lugubrious behavior to contend with."

So having created the Internet, why didn't Xerox become the biggest company in the world? The answer explains the disconnect between a government-led view of business and how innovation actually happens.

Executives at Xerox headquarters in Rochester, N.Y., were focused on selling copiers. From their standpoint, the Ethernet was important only so that people in an office could link computers to share a copier. Then, in 1979, Steve Jobs negotiated an agreement whereby Xerox's venture-capital division invested $1 million in Apple, with the requirement that Jobs get a full briefing on all the Xerox PARC innovations. "They just had no idea what they had," Jobs later said, after launching hugely profitable Apple computers using concepts developed by Xerox.

Xerox's copier business was lucrative for decades, but the company eventually had years of losses during the digital revolution. Xerox managers can console themselves that it's rare for a company to make the transition from one technology era to another.

As for the government's role, the Internet was fully privatized in 1995, when a remaining piece of the network run by the National Science Foundation was closed—just as the commercial Web began to boom. Economist Tyler Cowen wrote in 2005: "The Internet, in fact, reaffirms the basic free market critique of large government. Here for 30 years the government had an immensely useful protocol for transferring information, TCP/IP, but it languished. . . . In less than a decade, private concerns have taken that protocol and created one of the most important technological revolutions of the millennia."

It's important to understand the history of the Internet because it's too often wrongly cited to justify big government. It's also important to recognize that building great technology businesses requires both innovation and the skills to bring innovations to market. As the contrast between Xerox and Apple shows, few business leaders succeed in this challenge. Those who do—not the government—deserve the credit for making it happen.

Personal Computer History
"Forgotten PC history: The true origins of the personal computer --- The PC's back story involves a little-known Texas connection," by Lamont Wood, Computer World, August 8, 2008 --- Click Here


Timeline of Computing History --- http://www.computer.org/computer/timeline/ 

Making the Macintosh --- http://library.stanford.edu/mac/index.html

History of Computing
Internet Archive: Computers & Technology --- http://archive.org/details/computersandtechvideos

The History of Computing --- http://ei.cs.vt.edu/~history/ 

Steve Jobs at the Smithsonian --- http://www.si.edu/Exhibitions/stevejobs

American University Computer History Museum --- http://www.computinghistorymuseum.org/ 

The Apple (Computer) Museum  --- http://www.theapplemuseum.com/ 

A History of Microsoft Windows (slide show from Wired News) --- http://www.wired.com/gadgets/pcs/multimedia/2007/01/wiredphotos31

Oldcomputers.com  --- http://www.old-computers.com/news/default.asp

Aesthetics + Computation Group: MIT Media Laboratory --- http://acg.media.mit.edu/projects/

Digital History - Multimedia --- http://www.digitalhistory.uh.edu/multimedia.cfm

Portland State University Digital Repository --- http://dr.archives.pdx.edu/xmlui/

Dartmouth Digital Collections: Books --- http://www.dartmouth.edu/~library/digital/collections/books.html

The University of Michigan Digital Humanities Series --- http://www.digitalculture.org/books/book-series/digital-humanities-series/

From SUNY Albany: How to Improve Your Digital Photography
Interactive Media Center: Digital Image Information --- http://library.albany.edu/imc/tutimages.htm

Computational Science Education Reference Desk --- http://www.shodor.org/refdesk/

Digital Forensics and Cyber Security Center at the University of Rhode Island ---
http://www.dfcsc.uri.edu/

Cyberdeterrence and Cyberwar --- http://www.rand.org/pubs/monographs/MG877.html

Bob Jensen's threads on computing and network security ---
http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection

 


 

Electronic Commerce

ONLINE SPENDING CLIMBED 25% during the holiday season from a year earlier, a survey found.
Desiree J. Hanford, The Wall Street Journal, January 4, 2005 --- http://online.wsj.com/article/0,,SB110478868075315675,00.html?mod=technology_main_whats_news


Question
What turns Web retailing into eCommerce?

Answer
A special feature of eCommerce is revenue collection over the Internet.  Today that revenue collection typically entails online credit card transactions.

Bob Jensen's threads on accounting for electronic commerce are at http://www.trinity.edu/rjensen/ecommerce.htm 

"E-tailing Comes of Age," by Nick Wingfield, The Wall Street Journal, December 8, 2003 --- http://online.wsj.com/article/0,,SB10708342997640400,00.html?mod=technology%5Ffeatured%5Fstories%5Fhs 

Dot-com retailers had a message for bricks-and-mortar stores at the start of the 1999 holiday season: We're coming after you.

A year or two later, traditional retailers had their revenge, of course, when stock certificates of such companies as Pets.com Inc., eToys Inc. and Webvan Group Inc. were fit for little more than wrapping paper. With some notable exceptions -- including Amazon.com Inc. and eBay Inc. -- established stores and catalog companies ended up snaring most of the online sales.

But something surprising happened: Some small Web-only retailers refused to die. A handful in unlikely categories such as jewelry, shoes and luggage are profitable and growing far more quickly than their offline counterparts.

These specialty online retailers are prospering at a time when overall online sales are booming. Consumers are expected to spend $12.2 billion online this year in the Thanksgiving-to-Christmas period, up 42% from last year, according to Forrester Research of Cambridge, Mass. The growth reflects a steady shift of retail spending to the online world, as consumers grow more comfortable with the Internet and the spread of high-speed home connections makes browsing and ordering simpler. Online shopping also tends to be more weather-proof; many snowbound Northeasterners ventured out into cyberspace instead of the elements to continue their holiday shopping this past weekend.

Still, a mere 4.5% of total retail spending is expected online this year, compared with 3.6% in 2002. But even the small shift in retail sales represents a combined billions of dollars for Internet retailers.

Traditional retailers are doing their best to keep holiday customers clicking on their sites by offering good deals. Some are discounting heavily; free-shipping offers are commonplace. Gap Inc., for instance, is waiving standard delivery fees on orders of $100 or more until Dec. 15.

Continued in the article


There were 50 global online users of the new World Wide Web in 1990.  The worldwide growth in connected consumers, businesses, and other types of organizations is staggering.  A study conducted by IDC (2001) estimates the following at http://www.filmsoho.com/marketing/marketing_internet.html 

Use of the Internet continues to grow rapidly worldwide. This growth is fuelling e-commerce transactions, which are one barometer of the commercial success of the medium. Almost 1 billion people (about 15 percent of the world's population) are forecast by research firm International Data Corp to be using the Internet by 2005. IDC foresees spending of more than $5 trillion in Internet commerce, representing a staggering 70 percent compound annual growth rate from last year's Internet spending of $354 billion in 2000.

The adoption of the Internet as a communications tool is still undergoing explosive growth. In the developed world the proliferation of mobile phones and other Internet access devices will maintain these growth rates even once PC penetration has reached saturation.

Growth statistics are provided by the following sites:

Web Data and Statistics
Builder.com --- http://builder.cnet.com/webbuilding/pages/Servers/Statistics/ 
This site is great for definitions and explanations.

Why Web usage statistics are (worse than) meaningless --- http://www.goldmark.org/netrants/webstats/ 

Internet Sizer http://www.netsizer.com/  
(This site has a link to a neat graph that shows the increase in Web use in a spinning real-time counter.  It resembles the counter on Times Square that used to show the increases in the U.S. National Debt.)

Web Characterization --- http://wcp.oclc.org/ 

Listings from Webreference.com --- http://webreference.com/internet/statistics.html 

Internet Statistics

CyberAtlas (*)
Internet market research and information site. Provides a periodic overview of Internet trends, demographics, marketing, and advertising information.
CyberGeography
Interesting collection of experiments and approaches in visualizing internet statistics and topology.
GVU WWW User Surveys
User surveys dating back to 1994. The surveys feature a wide variety of WWW usage and opinion-oriented questions.
The Internet Index
"An occasional collection of facts and statistics about the Internet and related activities." By Win Treese of Open Market.
ISC: Internet Domain Survey
Estimates the number of hosts and domains by doing a complete search of the Domain Name System. From the Internet Software Consortium.
Media Metrix
Web market research information and analysis service providing demographic data, measuring Internet and digital media audiences and usage since 1996.
MIDS: Matrix Information and Directory Services
MIDS provides statistics about the Internet and estimates of its growth. Information is presented textually, graphically, and in geographic maps.
Netcraft
Conducts the Web Server Survey which tracks the usage of HTTP server software. Also offers a searchable hostname database.
Nielsen Net-Ratings
Online usage and popularity statistics.
Nua's Internet Surveys
An organized collection of Internet statistical surveys. Has digests of the important research reports and demographic surveys from the major research companies. Includes summary graphs and data of Internet statistics and trends. Offers a monthly newsletter.
StatMarket
In-depth statistics on a wide variety of Internet topics, and a sharp interface. StatMarket provides free global Internet usage statistics gathered from tens of thousands of web sites and millions of daily visitors.
TheCounter.com
Detailed browser statistics, including information on monitor resolution, color depth and java/javascript usage.
Yahoo: Statistics and Demographics
Yahoo's collection of related sites.

Most popular Websites in the world --- http://www.webbieworld.com/ww/ 

 

Bob Jensen's Off-the-Wall Definitions
Electronic Business (B2B) and Commerce (B2C)
Any computer-networked communications or transactions that were formerly more apt to be transmitted by physical transfers such as in-store purchases and mail ordering and payment.  Electronic business makes it possible to eliminate paper documentation such as purchase orders, invoices, monthly account statements, and payment checks or credit card receipts.  Electronic communications and transactions with retail customers are generally referred to as e-Commerce.  Business-to-business (B2B) communications and transactions between business firms are generally called e-Business.

Electronicization
Includes electronic business, but electronicization encompasses other things as well, such as Enterprise Resource Planning (ERP), customer relations management (CRM), artificial intelligence/smart agents, and computerization/networking of virtually all elements of the supply chain.

 

M. Greenstein and M. Vasarhelyi Definition
Electronic Commerce:  Security, Risk Management and Control (McGraw-Hill, 2002, p. 3)
The use of electronic transmission mediums (telecommunications) to engage in the exchange, including buying and selling, of products and services requiring transportation, either physically or digitally, from location to location.

 

Electronic Commerce - A Leading Definition --- http://www-cec.buseco.monash.edu.au/links/ec_def.html 

A broad definition of 'electronic commerce' is provided by Electronic Commerce Australia (ECA, formerly EDICA) in its 1994 Annual Report as:

The process of electronically conducting all forms of business between entities in order to achieve the organisation's objectives.

The term 'electronic commerce' embraces electronic trading, electronic messaging, EDI, EFT, electronic mail (e-mail), facsimile, computer-to-fax (C-fax), electronic catalogues and bulletin board services (BBS), shared databases and directories, continuous acquisition and lifecycle support (CALS), electronic news and information services, electronic payroll, electronic forms (E-forms), online access to services such as the Internet (discussed later), and any other form of electronic data transmission.

For example, medical and clinical data, data related to taxation, insurance, vehicle registration, case information involving legal proceedings, immigration and customs data, data transmitted for remote interactive teaching, video-conferencing, home shopping and banking, EDI purchase orders and remittance advices - are all applications of electronic commerce.

The term 'electronic commerce' is sometimes incorrectly used as an alternative to EDI. EDI, a subset of electronic commerce, refers specifically to the inter-company or intra-company transmission of business data in a standard, highly structured format. Electronic commerce, however, includes structured business data and unstructured messages or data, such as electronic memos sent via e-mail.

Another term, 'electronic trading', is commonly used to refer to electronic transactions which occur in the procurement of goods and services. Electronic trading uses structured and/or free-form messages. Electronic trading can also be considered a sub-set of electronic commerce.


Small Business Administration: Free Online Courses (video) ---  http://www.sba.gov/services/training/onlinecourses/index.html


"Amazon Finally Clicks:  Ten years old and profitable at last, it offers a textbook lesson on how to be both focused and flexible," by Russ Banham, CFO Magazine, Spring 2004 Special Issue, pp. 20-22 --- http://www.cfo.com/article/1,5309,12598||M|846,00.html 

The foosball tables are still there, as are the desks made from sawhorses, plywood, and old doors. And no one wears a tie, not even CFO Thomas J. Szkutak. But if some E-commerce trappings are alive and well at Amazon.com headquarters, others are not. Red ink, for example, has disappeared—at least for now. The company posted its first indisputably (that is, GAAP-based) profitable year in 2003, propelled by strong holiday sales and a weakened dollar, which boosted overseas results.

That has prompted plenty of backslapping in the halls of Amazon's headquarters, a former hospital with an improbable Art Deco design and a postcard view of downtown Seattle and Puget Sound. As it prepares to celebrate its 10th anniversary, Amazon.com is a very different company from the so-called E-tailer that, at the time of its initial public offering in 1997, had to caution would-be investors not to confuse it with Amazon Natural Treasures, a retailer and E-tailer of rain-forest products.

Few would make that mistake today. While still sometimes referred to as an online bookstore, Amazon now boasts a product line that staggers the imagination, from apparel, sporting goods, and jewelry to new services including a feature that lets customers make "1-Click" Presidential campaign contributions.

Behind Amazon's breadth of products and services are myriad business arrangements: some products the company owns, inventories, sells, and ships; others it sells on behalf of third-party retailers. Some of these third-party products Amazon ships and fulfills; others are shipped and fulfilled by the third parties themselves. Among those third parties are thousands of mom-and-pop E-tailers that collectively make Amazon's Marketplace division a perpetual online garage sale surpassed only by E-bay.

With 39 million active customer accounts (based on the number of E-mail addresses from which orders originated in 2003), Amazon seems to be making good on its promise to offer the "Earth's biggest selection of products," or as Szkutak puts it, "to build a place where people can find, discover, and buy anything they want online." To do that, he says, the company has learned—sometimes the hard way—to "start with the customer and work backward."

Working backward has changed Amazon from an online retailer to an E-commerce platform. Today, it is not a store so much as a channel, a place where brand-name third-party retailers, smaller businesses, and just plain folks can hawk their goods to a worldwide clientele. This past holiday season, shoppers traipsed through Amazon to buy products from Gap, Toys "R" Us, True Value Hardware, and Kitchen Etc.—and maybe some kid in Idaho who was trying to unload his slightly dog-eared Harry Potter library. Assembling such a vast collection of partners and building the systems that allow customers to buy from an individual as easily as they buy from a retail giant has not been easy, and analysts praise Amazon's achievements. "Amazon has knocked 10 steps down to 1," says Adam Sarner, a research analyst at Stamford, Connecticut-based technology research firm Gartner Inc. "This is what they mean by 'customer convenience.'"

Jonathan Gaw, a research manager at technology research firm IDC, says, "No one else has this kind of expertise, because no one else has invested the capital to build this kind of infrastructure."

Amazon.com was once viewed as a leading member of the E-commerce vanguard, but most of the followers have fallen by the wayside. True, the survivors—E-bay, MSN, AOL, Yahoo, and Google—have become household names, but success remains precarious and depends on, among other things, the ability to be nimble. Amazon built its brand initially on low-priced books and waited for customers to come bargain-hunting. Today it pulls out all the stops to get people to visit, from "never-before-seen" Bruce Springsteen concert footage to a "secret message" from Madonna. If that sounds like the sort of pop-culture gimmickry one might expect from, say, AOL, there's good reason: the E-commerce giants are out to eat one another's lunch. When Google, for example, announced Froogle, a new service that allows users to search for a product name and be directed only to sites that sell that product, Amazon launched a new subsidiary, A9, devoted to Web searching, and even located its offices close to Google in Silicon Valley. Similarly, the boundaries between the business models of E-bay, Yahoo, and even Microsoft can be hard to discern, as all of these companies seek to protect themselves and to copy whatever seems to work.

Continued in the article


Yahoo's Links to Electronic Commerce Sites

Yahoo Computer and Internet  Guides --- http://dir.yahoo.com/Computers_and_Internet/Internet/ 

Yahoo B2B (Business-to-Business Electronic Commerce) --- http://dir.yahoo.com/Business_and_Economy/Business_to_Business/ 

The U.S. Government Knows How to Sell Online (e-Commerce)
From InformationWeek Online May 30, 2001

Uncle Sam Rings Up $3.6B In Online Sales

Look out, Jeff Bezos. Amazon.com Inc.'s $2.8 billion in annual revenue has been eclipsed by another E-commerce contender--a purveyor of flame throwers, burros, and Lamborghini Diablos that generated $3.6 billion in sales last year. The mastermind behind this E-retailing juggernaut? Uncle Sam.

That revelation comes from a recent study by the Pew Internet & American Life Project and Federal Computer Week magazine, which tracked the government's E-commerce activity. Of course, straight revenue comparisons may not be fair. After all, it's not exactly a level playing field for Amazon since the government's $3.6 billion came from 164 sites. That was a bit of a shock for Allan Holmes, editor-in-chief of Federal Computer Week. "When we first started, I had no idea how many sites we would find. I thought maybe a few dozen." Plus, that revenue figure would be significantly lower without the Treasury Department, which generated $3.3 billion from the sale of bonds and notes.

But the remaining $300 million in sales is still a significant achievement, considering the government hasn't done much to promote its efforts. Looking to bid on luxury items such as helicopters or sports cars? Try Bid4Assets, which sells property seized by the U.S. Marshals Service in criminal raids. "The federal government has always had surplus property and auctioned off property seized in drug busts. Now they're able to do it more efficiently and reach more people," Holmes says.


Yahoo B2C (Business-to-Consumer Electronic Commerce) --- http://dir.yahoo.com/Business_and_Economy/Shopping_and_Services/ 

While so many others are still struggling to make the Web pay, Walt Disney's Internet ventures are thriving --- http://www.wired.com/news/business/0,1367,56314,00.html 

LOS ANGELES, November 11, 2002 -- Last year, the Walt Disney Co. surrendered in the Internet portal wars after spending hundreds of millions of dollars to compete against Yahoo!, America Online and others.

But it didn't give up entirely. In a strategic retreat, the company refocused on Web projects that highlighted its core brands, such as ABC News and ESPN, which is the exclusive provider of sports on the MSN service.

That strategy has started to pay off. Last week, Disney announced a modest milestone -- its Internet properties are profitable.

The company doesn't report the results of its Internet properties as a group, so Disney did not provide any profit figure when it reported fourth-quarter earnings. But the company said profits from individual sites, led by ESPN and Disney's online store; from licensing content to other Internet sites; and from advertising and subscriptions pushed online operations into the black.

Disney's Internet ventures contribute only about several hundred million dollars to the company's $25 billion in annual revenue. Nonetheless, Disney can say it is profiting online while so many others are still struggling to make the Internet pay.

"I feel good that we've been able to sort of figure it out," said Steve Wadsworth, president of the Walt Disney Internet Group.

What Disney learned and other companies are discovering is that it's best to abandon a one-size-fits-all approach to the Web.

"There is not one single formula that is going to work," said Charlene Li, principal analyst for Forrester Research, a technology consulting firm based in Cambridge, Mass. "What works for Disney.com and its characters isn't the same thing that will work for ESPN. Even The New York Times and The Boston Globe are completely different. They're owned by the same company, but they use completely different approaches."

Disney's announcement of its modest profit is a victory of sorts for chairman and CEO Michael Eisner. During the heyday of e-commerce, he resisted pressure to merge with Yahoo or Microsoft, even after AOL merged with Time Warner.

Today, AOL is struggling, weighed down by declining advertising revenue and a government investigation into its accounting practices. Chairman Steve Case reportedly has considered separating the companies.

Continued at http://www.wired.com/news/business/0,1367,56314,00.html 


Webledger alternatives are becoming a much bigger deal in accounting information systems.  I suspect that many accounting educators are not really keeping up to date with the phenomenal growth in vendor services.

I am a strong advocate of Webledger accounting and information systems.  
In my viewpoint they are the wave of the future for small and even medium-sized business and other organizations.  The main obstacle is overcoming the natural tendency to fret over having data stored with a Webledger vendor.  But the advantages of cost savings (e.g., savings from not having to employ technical database and IT specialists, savings in hardware costs, and savings in software costs), advantages of worldwide access over the Internet, and advantages of security (due to the millions invested by vendors to ensure security) far outweigh the disadvantages until organization size becomes so overwhelming that Webledgers are no longer feasible for accounting ledgers, inventory controls, payroll processing, billings, etc.

Webledger software and databases offer accounting, bookkeeping, inventory control, billings, payrolls, and information systems that can be accessed interactively around the globe.  Companies and other organizations do not maintain the accounting systems on their own computers.  Instead, the data are stored and processed on vendor systems such as the Oracle database systems used by NetLedger.

NetLedger is part of the NetSuite described at http://www.netledger.com/portal/home.shtml

Click on the "See One System in Action" Link

NetSuite's all-in-one business management application allows each user to work off the same, real-time information, but with a user interface and functionality appropriate to them. Watch the role-based demo

As a project in Fall of 2000, a team of my students set up an accounting system on Netledger.  This team's project report is available at http://www.trinity.edu/rjensen/acct5342/projects/Netledger.pdf

Bob Jensen’s threads on Webledgers can be found at http://www.trinity.edu/rjensen/webledger.htm 


A Guide to E-Commerce at http://e-comm.internet.com/

An Electronic Encyclopedia  at http://e-comm.internet.com/library/glossary.html
A longer listing of this and similar glossaries can be found at http://www.trinity.edu/rjensen/245gloss.htm

U.S. Policy on E-Commerce at http://www.ecommerce.gov/

Electronic Books Directory (U. Mn.)

Electronic Commerce World: On-line journal for electronic commerce - Articles, Resource Directory, Discussions

Electronic Commerce:  Special Problems Arising for Accountants and Auditors  

Question
Were accountants responsible for the dotcom bubble and burst at the turn of the Century?

Jensen Answer
The article below fails to directly mention where auditors contributed the most to the 1990's bubble. The auditors were allowing clients to get away with murder in terms of recognizing revenue that should never have been recognized. The dotcom companies were not yet making profits but were full of promise as the bubble filled with hot air. In financial reporting (especially in pro forma reporting) dotcom companies shifted the attention from profit growth to revenue growth. But much of the revenue growth they got away with reporting was due to bad judgment on the part of their auditors. Corrections finally began to appear after the EITF belatedly made some bright line decisions --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm

I give auditors F grades when auditing the hot air balloons of dotcom companies. This shows what can happen when we let judgment overtake some of the bright line rules in accounting standards. Auditors were supposed to have "principles" when they had no bright lines to follow. The auditing firms demonstrated their lack of professional principles in the 1990s.
 

"Were accountants responsible for the dotcom bubble and burst?" AccountingWeb's U.K. Site, March 11, 2008 ---
http://www.accountingweb.com/cgi-bin/item.cgi?id=104768

"Were accountants responsible for the dotcom bubble and burst?" This worrying allegation emerged from a question two weeks ago at the ICAEW IT Faculty annual lecture.

During a thought-provoking talk on Second Life and related issues, Clive Holtham mentioned the dotcom bubble, which prompted the pointed follow-up question from one audience member.

The answer was that they weren't - which accorded with the general audience reaction. The reason? Accountants, Holtham argued, had not made the investment and business decisions that fuelled the boom and led to the bust.

Some would argue that this is exactly why accountancy, perhaps more than accountants, was responsible. Why weren't accountants more involved in these decisions? We would surely expect accountants to have been stressing the need to temper the wild enthusiasm with a bit of solid business analysis. It's hard to escape the conclusion that accountants either didn't put forward the right arguments, or were not sufficiently influential. Accountants either lacked the confidence to participate forcefully enough in the debate, or were viewed as not knowing enough about IT.

Either way, it suggests that the main accountancy bodies had allowed a major change in business to occur without preparing their members to deal competently and confidently with it. If technology had been seen as a natural competency of an accountant, accountants might have been more able to fight their corner over the excesses of the dotcom era.

Anyway, that was years ago. Surely things have changed. The recent AccountingWEB/National B2B Centre survey on accountants' involvement in ebusiness was introduced in the following terms: "In spirit accountants would like to get involved with ebusiness, but the reality of their current knowledge and workload means that only a small minority are able to help clients take advantage of new technology opportunities."

It's unfair to blame the accountants themselves. Their workload is a significant factor. Government has been piling regulation after regulation upon them and it must be a struggle to keep up with just what they consider their core skills and knowledge. Ethically, you would not expect accountants to offer advice in areas in which they do not consider themselves adequately qualified. Technology is such a vast and rapidly moving area that it's pretty hard for most full time IT professionals to keep up, let alone accountants with their myriad other responsibilities. Yet the need, and opportunity, certainly seems to be there. Various government initiatives in the past have sought to identify sources of competent advice to help companies succeed in ebusiness.

Usually, articles about accountants doing more in the field of IT elicit comments about "leaving it to the IT professionals". The worry is that accountants may not know enough to be able to do so confidently and therefore they withdraw from any involvement - this is what the AccountingWeb/NB2BC survey seems to suggest is happening. This is in nobody's interest. Businesses may fail to exploit key opportunities, accountants will lose out on income and probably credibility, and IT specialists will have fewer clients. A more ebusiness-confident accountancy profession should be able not only to offer advice itself, but also to recommend, trust and work with specialists where required.

To achieve this it's vital that the professional bodies help their members more than they are doing currently. What seems to be missing is a set of boundaries. What exactly do accountants need to know about IT and ebusiness in order to be able to confidently and competently advise their clients? How can you, as an accountant, assess your competence in this vital area?

It's not as if this is anything new, The International Federation of Accountants (IFAC) has been working on a revised Education Practice Statement regarding 'Information Technology for Professional Accountants' for years and in October 2007 released International Education Practice Statement 2 (IEPS 2) after consultation with accountancy bodies worldwide. This sets out "IT knowledge and competency requirements" for the qualification process, but also for continuing professional development.

So should accountants be more active in advising on ebusiness? Should they do it themselves or work with specialists? And are the professional bodies doing enough to help their members in this, and other IT related, areas? We look forward to hearing the views of AccountingWEB members so that we can carry this debate forward.

March 12, 2008 reply from Bob Jensen

With all due respect to Ed and Jagdish, I still think that inflated revenue reporting and other creative accounting ploys led to a bubble of artificially inflated stock prices of dotcom companies. It was more than the "premature revenue recognition" that Ed mentions. It was reporting of questionable revenues that would never be realized in cash. For example dotcomA contracts with dotcomB, dotcomC, ..., dotcomZ to trade advertising space on Websites and vice versa for all combinations of contracting dotcom companies. Each company counts the trade at estimated value as revenue and expense even though there will never be any cash flows for these advertising trades.

The dotcom companies did not inflate profits with this move but they dramatically inflated revenues which was all they cared about since the investing public never expected them to show a profit early on. You can read about how bad this bartering scam became --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm#Issue02
And auditors let the dotcom companies get away with this scam until EITF 99-17 made auditors finally recognize the errors of their ways.

Other revenue inflation scams and questions were raised in the following issues resolved by various EITF pronouncements --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm

Revenue Issue: Gross versus Net

Issue 01: Should a company that acts as a distributor or reseller of products or services record revenues as gross or net?
Examples of Creatively Reporting at Gross:

Priceline.com brokered airline tickets online and included the full price of the ticket as Priceline.com revenues. This greatly inflated revenues relative to traditional ticket brokers and travel agents who only included commissions as revenue.

eBay.com included the entire price of auctioned items into its revenue even though it had no ownership or credit risk for items auctioned online.

Land's End issued discount coupons (e.g., 20% off the price), recorded sales at the full price, and then charged the price discount to marketing expense.

Issue 02: Should a company that swaps website advertising with another company record advertising revenue and expense?

Issue 03: Should discounts or rebates offered to purchasers of personal computers in combination with Internet service contracts be treated as a reduction of revenues or as a marketing expense?

Issue 04: Should shipping and handling fees collected from customers be included in revenues or netted against shipping expense?

Discounts and rebates are traditionally deducted from gross revenues to arrive at a net revenue figure that is the basis of revenue reporting. Internet companies, however, did not always follow this treatment. Discounts and rebates have been reflected as operating expenses rather than as reductions of revenue.

Handling fees and pricing rebates throughout accounting history could not be included in revenues since the writing of the first accounting textbook. Auditors knew this very well from the history of accounting, but it took EITF 00-14 in Year 2000 to remind auditors that this bit of history applied to dotcom companies as well as mainstream clients.

Definition of Software

Issue 07: Should the accounting for products distributed via the Internet, such as music, follow pronouncements regarding software development or those of the music industry?

Issue 08: Should the costs of website development be expensed similar to software developed for internal use in accordance with SOP 98-1?

Revenue Recognition

Issue 9: How should an Internet auction site account for up-front and back-end fees?

Issue 10: How should arrangements that include the right to use software stored on another company’s hardware be accounted for?

Issue 11: How should revenues associated with providing access to, or maintenance of, a website, or publishing information on a website, be accounted for?

Issue 12: How should advertising revenue contingent upon “hits,” “viewings,” or “click-throughs” be accounted for?

Issue 13: How should “point” and other loyalty programs be accounted for?

Prepaid/Intangible Assets vs. Period Costs

Issue 14: How should a company assess the impairment of capitalized Internet distribution costs?

Issue 15: How should up-front payments made in exchange for certain advertising services provided over a period of time be accounted for?

Issue 16: How should investments in building up a customer or membership base be accounted for?

Miscellaneous Issues

Issue 17: Does the accounting by holders for financial instruments with exercisability terms that are variable-based future events, such as an IPO, fall under the provisions of SFAS 133?

Issue 18: Should Internet operations be treated as a separate operating segment in accordance with SFAS 131?

Issue 19: Should there be more comparability between Internet companies in the classification of expenses by category?

Issue 20: How should companies account for on-line coupons?

In nearly every instance dotcom companies were inflating the promise of their new companies with creative accounting blessed by their auditors until the EITF and other FASB pronouncements set some bright lines that auditors had to stand behind. The investing public was nearly always misled by both the audited financial statements and the pro forma statements of dotcom companies in the 1990s. Then the bubble burst, in part, by bright line setting by the EITF and the FASB.

Bob Jensen

 

Especially note the revenue recognition issues at http://www.trinity.edu/rjensen/ecommerce/eitf01.htm 

 


Be very careful: a corporate Website that looks authentic may be a total fake.  One such site is http://www.dowethics.com/, which spoofs the genuine http://www.dow.com

The site at dowethics.com is a very clever spoof that mirrors the real corporate site but fills it with stories against the company.  It is interesting because it looks entirely authentic, and it illustrates why companies need authentication seals such as VeriSign, the Better Business Bureau BBB seal, or the WebTrust Seal --- http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialProblems   One caveat a practitioner would add: a seal is only a graphic, and a spoofer who copies the rest of the site can copy the seal too.  What the spoofer cannot copy is the domain name shown in the browser's address bar or, on an https site, a certificate issued for that domain, so check those before trusting any seal.
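As an added example (not code from this page or from any of the seal programs named above), here is a small Python check of the kind a practitioner might run over a list of links before trusting them. It bases its verdict on the parsed hostname, the one part of a URL the spoofer does not get to choose, and treats anything that merely contains the genuine name (as a subdomain, as user@ text, or padded into a new name such as dowethics.com) as a look-alike to be investigated. The allow-list, the sample links and the function names are constructed for illustration; the two-label "registrable domain" shortcut is adequate for dow.com but not for names under country-code suffixes such as .co.uk, which would need a public-suffix list.

```python
"""Added example, not code from the original page: decide whether a link
really points at a company's genuine domain or at a look-alike such as
dowethics.com.  The allow-list and sample links below are constructed."""
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains the company actually controls.
GENUINE_DOMAINS = frozenset({"dow.com"})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'www.dow.com' -> 'dow.com'.

    Good enough for .com-style names; names under country-code suffixes
    (example.co.uk) would need a public-suffix list instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, genuine=GENUINE_DOMAINS) -> str:
    """Return 'genuine', 'lookalike' or 'unrelated' for one URL.

    Only the parsed hostname can earn 'genuine'.  Everything else in a URL
    (the user@ part, the path, the query string, the visible link text) is
    chosen by whoever wrote the link, so it is used only to flag decoys.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # already lower-cased by urlsplit
    if not host:
        return "unrelated"
    if registrable_domain(host) in genuine:
        return "genuine"
    lowered = url.lower()
    own_label = registrable_domain(host).split(".")[0]
    for g in genuine:
        brand = g.split(".")[0]
        # Decoys: the genuine name used as a subdomain or as user@ text
        # (www.dow.com.evil.example, dow.com@evil.example), or the brand
        # padded into a new name (dowethics.com).  Short brands can give
        # false positives here; read 'lookalike' as 'go and check', not proof.
        if g in lowered or brand in own_label:
            return "lookalike"
    return "unrelated"


def audit_links(urls):
    """Classify a batch of links and return {url: verdict}."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links; only the first two are the real Dow site.
    samples = [
        "http://www.dow.com/",
        "https://DOW.com:443/about",
        "http://www.dowethics.com/",
        "https://www.dow.com.evil.example/login",
        "http://dow.com@evil.example/",
        "https://example.org/",
    ]
    for url, verdict in audit_links(samples).items():
        print(f"{verdict:10s} {url}")
```

The live complement to this offline check is to open the link over https and confirm that the certificate the browser accepts was issued for the genuine domain; a copied seal image tells you nothing, but a certificate for dowethics.com cannot pass for one issued to dow.com.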

 

Immense problems arise in accounting, auditing, and taxation as the world moves ever forward into electronic commerce.

 

  • Stewardship, control, and security problems such as the explosion of computer and Internet fraud
  • Auditing and information systems problems such as the loss of audit trails over global networks of transactions
  • Revenue accounting problems such as gross vs. net, bartering, and recognition timing.
  • Cost accounting problems such as accounting for the costs of intangibles
  • Managerial accounting problems apart from cost accounting, including evaluation of return on investment (ROI) that includes startup net losses in the numerator and excludes intangibles in the denominator.
  • Taxation problems such as the purchase and sale of merchandise and service outside accustomed taxation jurisdictions

 

 

Advantages and disadvantages of electronic commerce

Advantages:
  • Convenience
  • Speed
  • Information Access Volume
  • Expense Savings (e.g., Marketing)
  • Reduced Transactions Cost
  • Improved Training & Education (Army University and IRS University)
  • Revenue Enhancing
  • Reduced Barriers to Entry
  • Innovative Products & Services
  • Increased Price Competition
  • Increased Vendor Selection
  • Increased Access to Customers
  • Customer Behavior/Interest Databases (Like it or not, have a cookie!)
  • Increased Ability to Place Custom Orders
  • Improved Warranty & Customer Service
  • Customized & Personalized Feedback
  • Common Interest Virtual Communities
  • Globalization of Business and Labor

Disadvantages:
  • Ever-Changing Technologies
  • Geek Dependent Systems
  • Going Concern Risks
  • Risk of Service Disruptions
  • Customers Need Computers
  • Customers Need Access
  • Shortage of Bandwidth
  • Frauds & Error Risk
  • Highly Creative Deceptions
  • Security Nightmares
  • Privacy Risks (Data sale, theft, sniffers)
  • Hacker Targets
  • Dehumanization of Life
  • Rise in Gambling & Porn
  • Cut-Throat Competition (e.g., Encyclopedia Britannica)
  • Information Warfare
  • System-Wide Vulnerability
 

Electronic Commerce:  Revenue Accounting Problems and Related Financial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm 

Common Electronic Risks
  • Disruption of service
      • Hardware/software failure
      • Virus
      • Worm
      • Trojan Horse
      • Hoax
      • Logic Bomb
  • Unauthorized access
      • Trap Door
  • Data theft
  • Loss of data/information
  • Privacy issues

Pro-Forma Earnings (Electronic Commerce, e-Commerce, eCommerce)

From the Wall Street Journal's Accounting Educators' Reviews, October 4, 2001
Educators interested in receiving these excellent reviews (on a variety of topics in addition to accounting) must first subscribe to the electronic version of the WSJ and then go to http://209.25.240.94/educators_reviews/index.cfm 

Sample from the October 4 Edition:

TITLE: Sales Slump Could Derail Amazon's Profit Pledge 
REPORTER: Nick Wingfield 
DATE: Oct 01, 2001 
PAGE: B1 
LINK: http://interactive.wsj.com/archive/retrieve.cgi?id=SB1001881764244171560.djm  
TOPICS: Accounting, Creative Accounting, Earnings Management, Financial Analysis, Net Income, Net Profit

SUMMARY: Earlier this year Amazon promised analysts that it will report first-ever operating pro forma operating profit. However, Amazon is not commenting on whether it still expects to report a fourth-quarter profit this year. Questions focus on profit measures and accounting decisions that may enable Amazon to show a profit.

QUESTIONS: 

1.) What expenses are excluded from pro forma operating profits? Why are these expenses excluded? Are these expenses excluded from financial statements prepared in accordance with Generally Accepted Accounting Principles?

2.) List three likely consequences of Amazon not reporting a pro forma operating profit in the fourth quarter. Do you think that Amazon feels pressure to report a pro forma operating profit? Why do analysts believe that reporting a fourth quarter profit is important for Amazon?

3.) List three accounting choices that Amazon could make to increase the likelihood of reporting a pro forma operating profit. Discuss the advantages and disadvantages of making accounting choices that will allow Amazon to report a pro forma operating profit.

SMALL GROUP ASSIGNMENT: Assume that you are the accounting department for Amazon and preliminary analysis suggest that Amazon will not report a pro forma operating profit for the fourth quarter. The CEO has asked you to make sure that the company meets its financial reporting objectives. Discuss the advantages and disadvantages of making adjustments to the financial statements. What adjustments, if any, would you make? Why?

Reviewed By: Judy Beckman, University of Rhode Island
Reviewed By: Benson Wier, Virginia Commonwealth University
Reviewed By: Kimberly Dunn, Florida Atlantic University

Bob Jensen's threads on pro forma accounting issues can be found at 
http://www.trinity.edu/rjensen/theory.htm
 

 


Whatever happened to the AICPA's SysTrust initiative for expanding CPA firm revenues and services?
http://en.wikipedia.org/wiki/Certified_Information_Technology_Professional

"Compliance et al," by Jerry Trites, IS Assurance Blog, July 16, 2011 ---
http://uwcisa-assurance.blogspot.com/

Recently, ISACA conducted a survey of the top business issues facing enterprise IT technology. The list is of course directed primarily to the concerns of IT Assurance providers and contains the following issues:
Compliance has been a big issue since the SOX days, but shows no sign of abating. Assurance providers can expect to spend more of their time in this area for the foreseeable future. Nothing really new or startling in the list, but it does provide a good high level overview of where we are in the world of IT Assurance. See the press release here and the survey here.

Bob Jensen's badly neglected threads on Assurance and Security Services
http://www.trinity.edu/rjensen/assurance.htm

Bob Jensen's threads on computer and networking security are at
http://uwcisa-assurance.blogspot.com/

 


 

Links to Some of Bob Jensen's Documents on Electronic Commerce
Introduction

Financial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm 

Intangibles Accounting Issues --- http://www.trinity.edu/rjensen//theory/00overview/theory01.htm#TheoryDisputes 

Managerial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm 

How Can Technology be Used to reduce Fraud? --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm#Issue7 

ROI Issues --- http://www.trinity.edu/rjensen/roi.htm 

Implications for Auditing and Assurance Services --- 
http://www.trinity.edu/rjensen/ecommerce/assurance.htm
 

Opportunities of E-Business Assurance & Security:  Risks in Assuring Risk --- http://www.trinity.edu/rjensen/ecommerce/assurance.htm 

Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime

The Controversial Electronic Commerce of Education --- http://www.trinity.edu/rjensen/000aaa/0000start.htm

Investor Relations and Internet Reporting   

Education and Training   

Evaluation of Websites 

Search for Internet, e-Commerce, or e-Business Phrases

Top Year 2002 Accounting Technologies 

Bob Jensen's Threads on Electronic Commerce --- 
http://www.trinity.edu/rjensen/ecommerce.htm 

Bob Jensen's Threads on Electronic Commerce in College Curricula --- 
http://www.trinity.edu/rjensen/ecommerce/curricula.htm
 

Accounting Threads

 

Links to Some of Bob Jensen's Accounting Theory Documents
Introduction to Accounting Theory ---  http://www.trinity.edu/rjensen//theory/00overview/theory01.htm  

Accounting for Electronic Commerce, Including Controversies on Business Valuation, ROI, and Revenue Reporting --- http://www.trinity.edu/rjensen/ecommerce.htm 

State of Accountancy in the Year 2002: My Lectures for Germany (Augsburg and Rothenburg) in June 2002 --- http://www.trinity.edu/rjensen/FraudConclusion.htm 

Accounting Tricks and Creative Accounting Schemes Intended to Mislead Investors, Creditors, and Employees --- http://www.trinity.edu/rjensen//theory/00overview/AccountingTricks.htm

Letter to Senator Schumer --- http://www.trinity.edu/rjensen/theory/sfas123/jensen01.htm 

Links to the following accountancy documents:

Accounting Theory Course --- http://www.trinity.edu/rjensen/acct5341/index.htm 

Pro forma reporting ---  http://www.trinity.edu/rjensen/acct5341/theory/00overview/theory01.htm 

Accounting for Derivative Financial Instruments and Hedging Activities --- http://www.trinity.edu/rjensen/caseans/000index.htm 

Real Options, Option Pricing Theory, and Arbitrage Pricing Theory --- http://www.trinity.edu/rjensen/realopt.htm 

An Accounting Theory Final Examination, The Open Polytechnic of New Zealand Semester Two, 2000,  http://www.topnz.ac.nz/info/services/pdf/71300_00_2.pdf 

Bob Jensen's threads on e-Commerce and e-Business can be found at http://www.trinity.edu/rjensen/ecommerce.htm 

Bob Jensen's threads on XBRL are at http://www.trinity.edu/rjensen/XBRLandOLAP.htm#XBRLextended 

Bob Jensen's Helpers for Accounting Educators --- http://www.trinity.edu/rjensen/default3.htm 

Bob Jensen's Accountancy Bookmarks --- http://www.trinity.edu/rjensen/bookbob.htm 

Bob Jensen's Threads --- http://www.trinity.edu/rjensen/threads.htm

 

Electronic Commerce:  Revenue Accounting Problems and Related Financial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm 

 

Accounting Issues Addressed by the SEC and FASB

DESCRIPTION OF THE PROPOSED PROJECT

This potential FASB project on disclosure about intangibles would focus on improving information about intangible assets that are seen by many as increasingly important to business success but are not currently recognized as assets in financial statements. Intangible assets are generally recognized only if acquired, either separately or as part of a business combination. Intangible assets that are generated internally, and some acquired assets that are written off immediately after being acquired, are not reflected in financial statements, and little quantitative or qualitative information about them is reported in the notes to the financial statements. The principal goals of the project would be to make new information available to investors and creditors and to improve the quality of information currently being provided—information vital to well-reasoned investment and credit resource allocation decisions. A secondary goal of the project would be to take a first step in what might become an evolution toward recognition in an entity’s financial statements of internally generated intangible assets. The balance of this Proposal discusses the problem to be addressed, the scope of the project, the issues that would have to be resolved, how practice might change, and the FASB agenda criteria. It concludes with a request for comments and several questions for constituents.


Dear Professor Jensen:

As you may know, Greenstein and Vasarhelyi's ELECTRONIC COMMERCE was the first book to combine accounting risk management and control issues with systems issues--in other words, the first book to really combine accounting and electronic commerce.  But it's not enough to be first once--you need to be first every time. And with ELECTRONIC COMMERCE 2/E, once again you get the newest and most up-to-date coverage available.

Just published this summer, ELECTRONIC COMMERCE, 2/E covers the hottest topics in e-commerce, including e-business strategy, XML and XBRL, and emerging supply chain e-commerce and e-revenue models. And a constantly updated Website will ensure your course has access to the very latest developments.

To learn more about ELECTRONIC COMMERCE, 2/E or to request a complimentary copy, contact, Ray Lesikar, your McGraw-Hill/Irwin representative, at ray_lesikar_jr@mcgraw-hill.com. You may also visit the book's Website at this address: http://www.mhhe.com/webmaster/redirector.pl?p=1000001004457&c=938&a=4&s=1 .

Thank you for your time.

Regards,
Rich Kolasa
Marketing Manager, Accounting, McGraw-Hill/Irwin

 


How to Build Customer Relationships Online
Marketing is not just about getting an order, it's about getting a customer and keeping them. Nurture your customer relationships with regular e-mails. With regular e-mails you can build relationships and gather market intelligence. http://www.newmedia.com/default.asp?articleID=3275 

Bob Jensen's small business links are at http://www.trinity.edu/rjensen/bookbob1.htm#SmallBusiness 


Top Year 2002 Technologies as Rated by the AICPA --- http://www.cpa2biz.com/ResourceCenters/Information+Technology/Top+10+Techs/default.htm 

Top 10 Techs
Top 10 Techs Categories

TopTechs provide information about cutting edge technologies that could impact your ability to compete effectively in the e-world.

TopTechs are presented in four categories:
  • Issues -- situations that result from technology implementation
  • Applications -- business opportunities/objectives using one or more technologies
  • Technologies -- end products (hardware, software, or standard)
  • Emerging Technologies -- new developments currently under review

Certainly database technology has been around for a while. It made the list of top ten technologies ...
Technologies: Security Technologies
In the past year, nine out of 10 organizations experienced security breaches, according to a recent ...
Technologies: XML (Extensible Markup Language)
"Your tax dollars at work" could be the subtitle for this section, assuming you waited 20 years and ...
Technologies: Communications Technologies - Bandwidth
Here's a riddle for you: What doubles in demand every three to four months, but drops in price over ...
Technologies: Mobile Technologies
Convenience, Efficiencies are Hallmarks of Mobile Technologies. What would Benjamin Franklin think o ...
Technologies: Wireless Technologies (includes wireless networks)
Are you on the cutting edge of wireless technology? If your first thoughts were of your beloved PDA ...
Technologies: Electronic Authorization
In a workflow system, documents move from one user to another as they are electronically processed. ...
Technologies: Encryption
We've come a long way from the "magical" times of the 17th century where works about ciphers and cry ...
Technologies: Remote Connectivity Tools
The information you need is in one place; you are in another place. Traditional solutions to remote ...
Technologies: Electronic Authentication
Are you who you say you are? That is, in fact, the question of authentication, which is one aspect o ...

 


Investor Relations and Internet Reporting

Jerry Trites from Canada and I are conducting two workshops on electronic reporting and electronic commerce, scheduled for August 14 in San Antonio (AAA Annual Meetings) and November 23 in Los Angeles (Asian Pacific Conference).  I received the following message from Jerry on February 14, 2002:

Hi Bob,

Following is the URL for the website for my new e-business textbook. Thought you might be interested.

http://www.pearsoned.ca/trites/ 

Jerry,

p.s. When will we hear back from AAA re the San Antonio conference? 

Gerald Trites, CA*CISA, FCA 
Gerald Schwartz School of Business and Information Systems, 
St Francis Xavier University, 
Antigonish, Nova Scotia 
Phone: (902) 867-5410 Fax: (902) 867-3352 Cell: (902) 867-0977 
Home page: http://iago.stfx.ca/people/gtrites/index.html 


August 8, 2002 message from Miklos

I have posted on the Web pieces of my e-commerce course, about hr+ of clips, .... be my guest to use them

http://raw.rutgers.edu/miklos/baxtermovies/baxter.html 

they can be used (not tightly coupled) with my e-commerce slides

http://raw.rutgers.edu/ecommerce2 

Miklos A. Vasarhelyi 
KPMG Professor of AIS
Rutgers University Director, Rutgers Accounting Research Center 
315 Ackerson Hall, 180 University Ave. Newark, NJ 07102 
tel: 973-353 5002 fax 973-353 1283 miklosv@andromeda.rutgers.edu 

Bob Jensen's related assurance services threads are at http://www.trinity.edu/rjensen/ecommerce/assurance.htm 


This appeared in one of my older documents that is no longer updated --- http://www.trinity.edu/rjensen/99aaa/updatefr.htm 

Online Financial Reporting

Ross A Kaplan, "Identity Crisis for Online Annual Reporting," Financial Executive, Jul/Aug 1999, 38-39.

Have traditional accounting and finance measures of corporate wealth "lost their Utility?"
http://www.zdnet.com/pcweek/stories/columns/0,4351,407222,00.html

However, I will provide some updates below:

Top Investor Relations and Internet Reporting Sites --- http://ids.csom.umn.edu/faculty/kauffman/courses/8420/Projects/POlson/page5.htm 

According to Ross Kaplan of the Off-line website, six attributes of a good IR web site are:
Investor Relations Magazine  provides the following advice on adding value to a corporate web site:
    • Investors are becoming more sophisticated and expect to be able to add their names to a mailing list and be kept updated on press releases.
    • The IR site should have different design considerations than the rest of a corporate web site.  Investors want detailed information and fast downloads, forget the spinning logos.
    • Make sure your server is adequate for traffic requirements.
    • Keep the IR web site  content and corporate values consistent with other communication with shareholders (annual reports, brochures, etc.).
In March, 1998 Investor Relations Magazine named Microsoft as the winner of its "Best World Wide Web Site" award.  The magazine holds an annual awards ceremony to recognize excellence in investor relations.  The Microsoft IR web site is a standard of excellence in using technology to promote investor relations.  Attributes of the web site include:
  • Basic offerings such as stock quotes, Frequently Asked Questions (FAQs), annual reports, and press releases
  • A daily update on the antitrust trial brought against it by the U.S. Department of Justice
  • Transcripts of speeches by company executives
  • Live internet broadcasts of its conference calls
  • Detailed historical data and analysis tools which allow an investor to analyze income statement line items dating back to 1985 or analyze revenue by product group
  • Stock information such as price and volume history, investment growth history, five year comparison to the S&P 500, history of stock splits and dividend information
  • The annual report is available in eleven languages
  • Its income statements can be viewed in accordance with accounting standards and in the local currencies of Australia, Canada, Germany, France, Japan, and the U.K.
Companies such as Intel, 3Com, Xerox, Dell Computer, and IBM are also frequently discussed as having exceptional IR web sites.

XBRL Will Change the World of Financial Reporting and Analysis --- http://www.trinity.edu/rjensen/XBRLandOLAP.htm#XBRLextended 


Data Binding

Data Binding as defined at http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci991121,00.html

Data binding is a process that allows an Internet user to manipulate Web page elements using a Web browser. It employs dynamic HTML (hypertext markup language) and does not require complex scripting or programming. Data binding first became available with Microsoft Internet Explorer (MSIE) version 4. It can be used in conjunction with that and all subsequent versions of MSIE to create and view interactive Web sites with a minimum demand on authoring time, subscriber effort, server drive space, and server processing resources.

The data binding architecture consists of data source objects (DSOs) that supply the information to viewed pages, data consumers that display the DSO information, and agents that ensure that the data is synchronized between the DSOs and the consumers. Data binding is used in Web pages that contain interactive components such as forms, calculators, tutorials, and games. Pages are displayed incrementally so that portions of a page can be used even before the entire page has finished downloading. This makes data binding convenient when pages contain large amounts of data and bandwidth is limited.

Data binding has also been abused by attackers. A flaw in Internet Explorer's data-binding implementation let a malicious web page use a data source object to read from, or run code on, the hard drive of a visitor; it was widely reported as the "DSO exploit" and was later closed by a Microsoft patch for IE. The general lesson for anyone using browser-side data binding is that a DSO pulls data into the page from a source the page author chooses, so two things decide whether bound data can become script: the browser's same-origin and security-zone checks on that source, and whether the bound field is rendered as plain text or as HTML.
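The following is an added illustration, not code from the page or from Microsoft's data-binding documentation. It is a small plain-JavaScript binder that fills a row template from a set of records, in the spirit of the DSO/data-consumer model above, and it runs in Node without a DOM by producing the HTML string that would be injected into the page. The records, the `{{field}}` placeholder syntax, the `asHtml` option (standing in for IE's `dataformatas="html"` behaviour) and the `containsActiveMarkup` check are all assumptions made for the demonstration. The point it shows is the one in the paragraph above: a field bound "as HTML" lets record data become markup and script, a field bound "as text" does not.

```javascript
// Added example: a minimal data binder, with and without HTML escaping.
// Not from the page or from any browser vendor's code.

// Constructed sample records, standing in for what a DSO would supply.
const records = [
  { name: "Widget", price: "9.99" },
  // Hostile data of the kind a compromised data source, or a user-supplied
  // field that is later bound into a page, could contain.
  { name: '<img src=x onerror="alert(document.cookie)">', price: "0" },
];

// Escape the five characters that can break out of HTML text or attribute
// context. This is the "render as text" path.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Bind records into a row template. `template` uses {{field}} placeholders
// (an assumed syntax for this demo). `asHtml: true` inserts the raw field,
// the way IE's dataformatas="html" rendered bound data; the default escapes.
function bindRows(template, rows, { asHtml = false } = {}) {
  return rows
    .map((row) =>
      template.replace(/\{\{(\w+)\}\}/g, (_, field) => {
        if (!(field in row)) throw new Error(`unbound field: ${field}`);
        return asHtml ? String(row[field]) : escapeHtml(row[field]);
      })
    )
    .join("\n");
}

// Demo heuristic (assumed, not a real sanitizer): does the output contain an
// unescaped tag carrying an inline event handler such as onerror= or onload=?
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

const rowTemplate = "<tr><td>{{name}}</td><td>{{price}}</td></tr>";

const unsafe = bindRows(rowTemplate, records, { asHtml: true });
const safe = bindRows(rowTemplate, records);

console.log("bound as HTML (script survives):\n" + unsafe);
console.log("bound as text (script neutralised):\n" + safe);
console.log("active markup in HTML binding:", containsActiveMarkup(unsafe));
console.log("active markup in text binding:", containsActiveMarkup(safe));
```

The escaped path is the one to default to; render a bound field as HTML only when the data source is fully trusted, which a DSO reached over the network rarely is.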
 

XML Data Binding --- http://www.rpbourret.com/xml/XMLDataBinding.htm 

Data Binding for Java --- http://www-106.ibm.com/developerworks/xml/library/x-bindcastor/ 


From Builder.com --- http://builder.com.com/5100-6387-1058862.html?tag=grid 

Data binding 101: DataSets
In its simplest form, data binding involves attaching an ASP.NET Web control, say a ListBox, to a DataSet containing some database data. The ListBox.DataSource property lets you specify the DataSet to which the control should bind, and the DataBind method actually fills the control with data. Because a DataSet can contain multiple fields, Web controls with a single column (ListBox, DropDownList, etc.) all expose DataTextField and DataKeyField properties to let you specify the name of the field the control will display as text and use as a value, respectively.

Listing A contains a simple example that binds a ListBox to the Categories table of the Northwind sample database. After creating the DataSet, I bind it to ListBox1 using the DataSource property. I then set the DataTextField property to CategoryName, the field that ListBox1 should display (it will be used as SelectedItem.Text), and the DataKeyField property to CategoryId so that ListBox1 will use it as the key. (It will be returned as SelectedItem.Value.).

Data binding 201: Arrays and collections
Okay, so binding to a DataSet is child’s play. But what if the data you want isn’t contained in a database? What if you would like to allow the user to choose from an array of objects? Sure, you could manually create a DataSet containing the data, but that's kind of like building a mansion when all you need is a tool shed. Wouldn’t it be nice if you could just bind directly to the array?


Continued at  http://builder.com.com/5100-6387-1058862.html?tag=grid  
 

 


Education and Training Outlines

Electronic business education and training programs in various major universities are outlined at 
http://www.ehrlichorg.com/ibp/Undergraduate%20E%20BusE%20Com-0825.doc 


Note the sheer size of this operation --- "more than 1.5 million people already use its 15 e-Learning modules in three topic areas of leadership, strategy and general management."

From Syllabus News on October 2, 2001

Harvard B-School Expands Business Courses Via the Web

Harvard Business School Publishing said last week it would use the Internet to make available its electronic learning programs in best management and business practices to corporate groups and enterprises. HBSP said more than 1.5 million people already use its 15 e-Learning modules in three topic areas of leadership, strategy and general management. HBSP will now offer support for companies that wanted to make the modules available to company groups via the Internet.

For more information, contact Nancy O'Leary at Harvard Business School Publishing, noleary@hbsp.harvard.edu 


Electronic commerce courses, including accounting courses, have been added to the curricula of many business schools.  As a sample, the courses at the University of Scranton are shown below --- http://matrix.scranton.edu/academics/ac_courses_electronic_commerce.shtml 

Electronic Commerce Program

Course Descriptions — Electronic Commerce

EC 251 —  Introduction to Electronic Business — 3 credits
(Prerequisite: C/IL 104) This introductory course in electronic business explores how the Internet has revolutionized the buying and selling of goods and services in the marketplace. Topics covered include: business-to-business and business-to-consumer electronic commerce, electronic commerce infrastructure, designing and managing online storefronts, payment acceptance and security issues, and the legal and ethical challenges of electronic commerce. Students will also gain hands-on experience in creating, editing, and enhancing a web site using an HTML editor.
EC 361 — Electronic Business Communication Networks — 3 credits
(Prerequisite: EC 251) The course is designed to provide students with networking and telecommunications fundamentals necessary to develop enterprise networks to conduct business on the Internet. Topics covered include: communication network media; processors and protocols; multimedia transmission; wireless networks; network design, management and security; and present capabilities and future trends in communication. Discussion of the technology is focused on business applications within and among organizations. Hands-on experience and case studies will be used to illustrate concepts and business use of enterprise networks.
EC 362 — Database Management for Electronic Business — 3 credits
(Prerequisites: EC 251, OIM 471) The course deals with database design, implementation and use of Database Management Systems to support Electronic Business. Topics covered include: database design and implementation; data modeling and structured query language (SQL); distributed data base management system, open data base connectivity, integration of web server and backend database server; data warehousing and mining; on-line analytical processing; and database application and management. Cases and DBMS software will be used to illustrate concepts and to gain hands-on experience.
EC 370 — Interactive Marketing — 3 credits
(Prerequisite: MKT 351, junior standing) This course focuses on the integration of state-of-the-art interactive technologies in the design and implementation of marketing programs for the new millennium. The functions of market identification through customer analysis, and the planning and implementation of conception, pricing, promotion and distribution of ideas, goods and services to satisfy the market benefit immensely from the capabilities of the rapidly developing information technology (IT) infrastructure.
EC 371 — Investments — 3 credits
(Prerequisite: FIN 351, junior standing) This course will provide students with an overview of the fundamentals of investing, with specific emphasis on the use of information technology tools. Topics will broadly cover the areas of stock selection and valuation, bond valuation, and the use of options and futures to hedge risk. Students will be taught to use resources available on the Internet in order to develop security selection rules and valuation models. For example Quicken.com and Hoovers have web sites that enable an investor to retrieve current financial data and build stock screens. Students will also learn to build a financial web site that contains features found in many professional web sites.
EC 372 — Accounting for Electronic Business — 3 credits
(Prerequisite: ACC 252 or ACC 254, junior standing) This course is intended to introduce E-Commerce students to the role of accounting in today’s business environment. Students will examine how technology has impacted the techniques of accounting and reporting. Computerized models of accounting will be used to explore the tools available to compile data for management decisions and reporting. Internet business and traditional business transactions will be evaluated in light of global markets. Thus students will see the effects of control features built into software systems and understand the role such systems play in running the company.
EC 461 — Internet Applications Development — 3 credits
(Prerequisites: EC 361, EC 362) The course introduces the student to existing and evolving Internet technologies needed for electronic commerce site development and management. Topics covered include: Windows NT, Internet information server, index and transaction servers, object-oriented paradigm, client and server side scripting, active server page, enterprise data access, domain name service, and trends in web development tools. The course emphasizes applications of the technology and provides hands-on experience by having students develop a working electronic business site. Cases will be used to illustrate concept and the role of each technology used to conduct business on the web.
EC 462 — Projects in Electronic Business — 3 credits
(Prerequisite: EC 461) In this course, students will develop an electronic commerce project that will be used to conduct online business. The purpose of this course is to synthesize the Internet related technologies and the business knowledge acquired in different courses to develop a working electronic commerce site. Students will work in a team-oriented environment under the guidance of the instructor. Students will design, develop, implement, and operate a secure content-rich electronic commerce web site to attract and retain customers.
EC 470 — Supply Chain Management — 3 credits
(Prerequisites: EC 361, EC 362) This course integrates two powerful trends that are critical management imperatives for the new millennium: Supply Chain Management & Electronic Business. The students will learn how the principles of supply chain management integrate into the “real-time” environment of e-business and examine case studies of such implementations. Latest software and technology will be discussed and examples demonstrated on the SAP R/3 platform available at KSOM.
EC 471 — Electronic Business Security Controls and Ethics — 3 credits
(Prerequisites: EC 361, EC 362) The course is designed to provide students with an understanding of the technical, managerial, legal and ethical issues to build, operate and manage e-commerce solutions. Topics covered include: web server and client security; secure transactions and payments; information security; digital certificates and practices; civil and criminal legal issues; morality and ethical issues; intellectual property and patents; governmental regulations and policies; and emerging technologies and standards. Appropriate cases will be used to illustrate the above concepts.
EC 472 — Electronic Business and Entrepreneurship — 3 credits
(Prerequisites: EC 361, EC 362) This course links electronic commerce with entrepreneurship. The convergence of information and communication technologies has created numerous opportunities to entrepreneurs to start new and innovative businesses based on electronic commerce. The course will examine the issues related to the starting and establishment of new businesses based on electronic commerce. The course comprises three parts. The focus of the first part is on issues related to the establishment of a new business and entrepreneurship. The second part examines the business issues related to electronic commerce including the development of business models and plans. The last part is a practical part where groups of students will develop and establish small electronic commerce businesses from start to finish. The learning will occur through study and discussion of conceptual reading material, analysis and discussion of cases, and through the development and implementation of an e-commerce business.

 


Question
What are the CERIAS programs in assurance services?

Answer
Certified Public Accountants over the past decade have been actively promoting the branching out of financial attestation services (especially auditing) into wider ranging "assurance services."  Especially noteworthy is the new service SysTrust, where public accountants in the U.S. and Canada have partnered to extend assurance services into the areas of computing services and information systems.  For details and links, see http://www.trinity.edu/rjensen/ecommerce/000start.htm#AssuranceServices 

I mention this because, unlike auditing, where public accountants hold an SEC-mandated monopoly, there is no such monopoly on extended assurance services.  In assurance services other than auditing, CPAs face increasing competition from other professional bodies.  One such area is the entire field of Information Assurance and Security.  An education and training center at Purdue University is generating courses and graduates in a program that is not part of the Accounting Department or the School of Business.  I will now briefly summarize the CERIAS Center at Purdue University --- http://www.cerias.purdue.edu/ 

What I found interesting is the extent to which students can get both MS and PhD degrees in Information Assurance and Security.

The Center for Education and Research in Information Assurance and Security, or CERIAS, is the world's foremost University center for multidisciplinary research and education in areas of information security. Our areas of research include computer, network, and communications security as well as information assurance.

Mission Statement 
To establish an ongoing center of excellence which will promote and enable world class leadership in multidisciplinary approaches to information assurance and security research and education. This collaboration will advance the state and practice of information security and assurance. The synergy from key members of academia, government, and industry will promote and support programs of research, education, and community service.

Vision Statement 
The Center for Education and Research in Information Assurance and Security will be internationally recognized as the leader in information security and assurance research, education, and community service.

Internal Vision 
Build a well-supported community of scholars actively involved in: Evolution and offering of educational programs in information assurance and security. Solving fundamental questions of science, engineering and management as they relate to information security and assurance. Transfer of expertise and technology to organizations with real world needs. Assuming leadership roles in appropriate community and government organizations. Activities to enhance the public's understanding and acceptance of information protection. To accomplish this, the Center promotes research, education and community service programs in conjunction with various key groups. It also brings synergy to these diverse groups (consisting of members from academia, government agencies and industrial partners) to advance the philosophy of information security and assurance.

Education
  • We have compiled resources for students, parents, and teachers on a host of topics including copyright, safe surfing, acceptable use, cryptography, and much more; we also offer teacher and student workshops on a variety of security topics, at a variety of levels.
  • Information about our graduate studies, including the Scholarship for Service program.
  • The post-secondary education site contains information about formal and informal information security and assurance educational initiatives, including workshops, multimedia product offerings, certification and faculty development efforts, and awareness activities.
  • A site created by CERIAS and several partners to raise awareness of Information Security in the state. Includes information for K-12, Home Computing, and Business and Industry.

Introduction to CERIAS
So, you are interested in graduate studies in Information Security at Purdue University? That's great! You can take advantage of the infosec expertise present at Purdue and associated with CERIAS, but you can't actually get your degree from there. CERIAS is a research center, and not an academic department. However, there are other ways to get your degree and be associated with CERIAS.

There are currently 3 different approaches to graduate study in infosec here:

  1. The interdisciplinary MS specialization
  2. A standard MS in one of the involved departments, with a focus on infosec topics
  3. A PhD course of study in one of the involved departments, with a dissertation topic in infosec
We are currently offering an interdisciplinary Master's specialization in InfoSec. This is offered as an MS through a participating department, not CERIAS. While the program is multidisciplinary and requires (and recommends) courses in Computer Sciences as well as other fields, admission to the program is handled administratively by a participating department. The specialization on your diploma will, however, read "Information Security," independently of what department handles the admission. As of September 2000, the only department ready to admit students to the program is Philosophy. Computer Sciences, Education, and Electrical & Computer Engineering are all in the midst of the administrative process to join the program.

You can apply for the Program electronically for future sessions. Please select "Philosophy" on the application and indicate "Information Security" as your area of interest. Your default contact professor in the next field of the application is Eugene H. Spafford, Director of CERIAS and of the Program. Feel free to mention in that field any other professor in information security that you would like to work with if you have established such a contact already. You will eventually be contacted by the graduate school about your admission status.

 

Students can also receive graduate degrees in existing programs with a specialization in infosec areas. To do this, the students enroll in a traditional major, take a core of common courses, and then are able to take electives related to their interests. Masters students may choose to research and write a Master's thesis that involves further study in a particular area of interest, or they may simply take 30 or more credit hours of coursework. PhD students must choose a specialized topic for their dissertation research. The most common major for students interested in information security is Computer Sciences, but degrees are also associated with Electrical & Computer Engineering, Management, Philosophy, Political Science, and many other departments associated with CERIAS.

Note that specific requirements for individual department degrees are given in the course catalogs and on some departmental WWW pages. What follows is a summary of the requirements for a CS graduate degree, serving as an example of what is expected. You need to consult one of the definitive references to get the whole picture. (CS graduate degree requirements are available on the WWW; information on other graduate programs can be found by starting at the main Purdue WWW page.)

 

MS in CS Program
MS students are required to take a course in operating systems or networks (CS 503 or CS 536), one in programming language design or compilers (CS 565 or CS 502), and algorithm analysis (CS 580), plus another 7 courses of electives, or 5 courses and the thesis option. Normally, for infosec study, MS (and PhD) students would take CS 502 and CS 503, plus the courses in computer security (CS 526) and cryptography (CS 555) as electives, and consider taking the advanced security (CS 626) and cryptanalysis courses (CS 655), too.

There are many electives available to graduate students, including graphics, databases, numerical methods and distributed systems. Each year, several faculty also offer special topic courses in their areas of interest. Opportunities for directed reading or research courses are also available. In the last few years, we have had seminars in Intrusion Detection and Incident Response, Penetration Analysis, Firewalls, Electronic Commerce, Network Security, and Security Tools. Additionally, we have had seminar courses in Wireless Networks, Advanced Operating Systems, and Internetworking.

 

Normally, a PhD program starts with 2 years of graduate study and passing a series of general exams in the area of study (the "qualifier exams"). The candidate then decides on an area of study, chooses an advisor, and takes an in-depth exam in the area of specialization (the "preliminary exam"). Next, the candidate performs in-depth research under the guidance of the advisor for a period of time ranging from 6 months to as many as 5 years. Finally, the candidate writes a detailed scientific account of his or her research (the dissertation) and defends it in a public exam before a committee of faculty, visitors, and members of the community. The average time to complete a PhD in CS at Purdue (assuming the student already has a good undergraduate background in CS) is 5 years.

Required courses for PhD students in CS include courses in operating systems, algorithm analysis, compilers and programming languages, numerical analysis, and theory of computation; this is a superset of the courses required for the MS degree, and almost all PhD candidates obtain their MS degree during their candidacy for the PhD.

 

MS & PhD Research
Currently, there is a large range of projects being conducted in information security at Purdue. We have almost 40 projects involving over 30 faculty in a dozen different academic departments. You can get a more complete picture of the faculty and research projects via the CERIAS WWW pages. These projects are normally open to graduate students and can be used to satisfy research requirements towards MS and PhD thesis work. Not all infosec projects are offered through CERIAS, either, and there is no requirement that students work on a CERIAS project to get an infosec-related degree.

 

Special Notes for CS
Students coming in to the graduate program are expected to be ready to pursue the degree upon arrival. There are limits as to how many semesters may be spent in residence before completing each of the steps towards the degree.

In particular, students are expected to:

  • have strong, basic skills in mathematics, including working knowledge of statistics, calculus and linear algebra
  • know how to write programs in some advanced computer language (C/C++/Java are languages of choice; Perl is also encouraged)
  • have mastery of spoken English sufficient to understand lectures and presentations, and to discuss assignments with faculty and TAs
  • have mastery of written English sufficient to document programs and write grammatical research papers. This is especially critical for MS and PhD students who need to write a thesis and research papers
Students without adequate preparation, or who fall behind in assignments, may be tempted to take "shortcuts" on assignments to keep up. Cheating, plagiarism, and falsifying work are severe violations of both the student code of conduct and academic honesty, and discovered incidents are dealt with particularly harshly by faculty in the infosec arena. Graduate students in violation of these rules are routinely recommended to the dean of students for expulsion from the university; foreign students in this situation will lose their visas. Thus, it is strongly recommended that applicants be sure they have mastery of these basic skills prior to applying to graduate school at Purdue.

Financial Aid
Financial aid for graduate students is based on both scholarship and need. Some fellowships are available to exceptional incoming students. Others are supported by the departments or by research projects. It is unusual that a new student will get support from a faculty member's research funding; indeed, most faculty do not support students prior to their completion of some of the qualifying exams. Some incoming students qualify for selection as teaching assistants, however. Other information about financial aid is in the graduate student information documents.

For financial aid, contact the admitting department and not individual faculty members.

Disclaimer
The above is not an official document of Purdue University, but Professor Spafford's interpretation of Purdue policy. Interested parties should consult official University documents, available through the graduate school.
 
 

From Syllabus News on December 10, 2002

Compsec Firm Funds Purdue Info Assurance Degree

Internet security firm Symantec Corp. has endowed a fellowship for a student pursuing a degree at Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS). The Symantec Fellowship will provide up to $50,000 to cover the full tuition costs for two years and a stipend for a degree-seeking student enrolled at Purdue and working with CERIAS, a center for multidisciplinary research and education in information security. Applications will be accepted immediately with a deadline of March 1, 2003. The Fellowship recipient will be announced April 8, 2003 at the annual CERIAS Spring Symposium held on the West Lafayette, Ind., campus of Purdue University. The Fellowship will begin during the 2003-2004 school year and will be expanded to include a second student beginning the Fall of 2004.

December 11, 2002 reply from J. S. Gangolly [gangolly@CSC.ALBANY.EDU]

Bob,

I wanted to brief AECMers on the happenings, with respect to Information Assurance in Albany.

The Department of Accounting & Law at SUNY Albany is starting with the Fall semester 2003 an MBA track on Information Assurance (IA) based on our earlier efforts in AIS in the MS program in Accounting with an emphasis in AIS. When we have prepared the materials about the program, I'll post them on this listserv.

We have re-engineered all courses in AIS to have security/assurance permeate throughout the curriculum. This is now receiving the last review by us to ensure compliance with the curriculum recommendations of the National Security Agency.

The above is a part of our campus-wide forensics initiative (Departments of Accounting & Law, Management Science & Information Systems, Department of Computer Science, School of Information Science & Policy, and in the future hopefully our very well regarded School of Criminal Justice) which has already received funding from the US Department of Education and is in partnership with the New York State Police, and CERIAS is also our partner in the efforts.

We are hoping to apply for and receive next year the designation of Center of Excellence in Information Assurance Education. We hope more Accounting Departments will be hospitable to this "diversion" from our perceived central mission of educating future CPAs (currently there is no curriculum on IA in any Accounting Department that I am aware of).

It is important for me to brief the AECMers on the issue of "accountingness" of the curriculum in this respect, particularly since it became quite an issue even at Albany where our Department has traditionally been hospitable to off-the-wall curricular innovations. 'Accounting content' in much of the Information assurance curriculum usually is (and probably should be) expected to be very meager even though the assertions-based philosophy is rather similar.

I had a quite difficult time convincing my dyed-in-the-wool accounting colleagues (especially in Financial Accounting) that Information Assurance education can coexist peacefully in our Department. (Many Financial Accounting colleagues rightfully asked: since accounting content is minimal, why not have it in the MSIS or some other Department? My arguments were: 1. Such other departments do not have the tradition of scepticism that we in accounting/auditing have, and 2. we were better poised to offer a computationally intensive Information Assurance curriculum in the department because of the sophistication of our existing AIS curriculum). Ultimately, we did win the confidence of the department faculty, though in some instances it might have been grudging acceptance because of what we would lose in the long run if we chose to not have the program.

Jagdish S. Gangolly, 
Associate Professor (j.gangolly@albany.edu)  
Accounting & Law and Management Science & Information Systems 
State University of New York at Albany, Albany, NY 12222. 
Phone: (518) 442-4949 Fax: (707) 897-0601 
URL:
http://www.albany.edu/acc/gangolly 

December 11, 2002 reply from Bob Jensen

Hi Jagdish,

I appreciate your informative reply. It appears that Albany has avoided the vexing problem that Notre Dame and the University of Virginia faced with their Masters of Assurance Services Programs for Ernst & Young employees --- http://www.trinity.edu/rjensen/255wp.htm#ErnstandYoung 

The vexing problem arises when one of the goals is to have the graduates of the assurance services program also be eligible to sit for the CPA examination. It appears that assurance services masters programs at Albany and Purdue have no CPA examination goal. Hence there can be very little accounting, tax, and auditing in those programs. This was not the case for Notre Dame and the University of Virginia where a major goal is for the graduates to be eligible to sit for the CPA examination in most states.

This begs the question about what career paths students will take after graduating from assurance services programs. It would seem that Albany and Purdue University are envisioning graduates joining consulting firms, computer systems companies, etc. Graduates of the Notre Dame and UVA programs already work for the accountancy divisions of Ernst & Young.

It seems to me that for a career path in the accountancy divisions of a public accounting firm, there is very little future without becoming a CPA.

Hence, I anticipate two types of assurance services degree programs. One type is more focused on computer science and information systems. The other type is more focused on accountancy and accounting information systems.

I think there's room for both types of emerging programs.

Bob Jensen

December 12, 2002 reply from Calderon, Thomas G [tcalder@uakron.edu]

Our entire grad program (at the University of Akron) is built around an IT security and assurance theme. Each course taught by acct dept faculty has security and assurance content and we attempt to tie everything together in our capstone IS Audit & Control Project (a hands-on project organized as a mini-internship and supervised by a faculty member and a "competent" professional in the field.)

Courses, 3 hrs each, in the program are:

  1. Business Application Development (taught by MIS)
  2. Applications Development for Financial Systems (taught by accounting -- uses skills learned in BAP to address assurance type problems)
  3. Enterprise Resource Planning & Financial Systems (uses Oracle 11i to expose students to architecture, business process issues, & security and assurance issues in ERP environments)
  4. Financial Data Communications & Enterprise Integration (focus on XML, XBRL, and security/assurance issues associated with enterprise integration)
  5. Advanced Information Systems (database/data warehouse design/assurance issues; use Oracle 8i)
  6. e-business foundations (general management issues in a distributed network environment -- taught by MIS)
  7. e-business technologies (exposure to networks, internet technologies, and application development for a web environment; use Windows OS, Cold Fusion, Oracle -- taught by MIS)
  8. e-business risk, control & assurance (business risk assessment, security, & assurance for entities that use distributed networks such as the Internet for business critical activities)
  9. Assurance Services with Data Warehousing & Data Mining (a hands-on course that uses Classification & Regression Trees (CART), Multivariate Adaptive Regression Splines (MARS), neural networks, and ACL to identify red flags in quantitative data)
  10. IS Audit & Control Project (the capstone hands-on project, structured as a mini-internship with a very specific deliverable)

All students admitted into the program must take the following courses if not taken in their undergrad program:

  • 3 hrs of accounting information systems
  • 3 hrs of intermediate accounting
  • 3 hrs of auditing
  • 3 hrs of cost & management accounting (beyond principles)

We encourage students to prepare for and take the CISA exams and CITP. The program does not attempt to prepare students for any specific professional examination.

 

 

Electronic Commerce:  Assurance Services Opportunities and Risks


Possible new assurance service clients for CPA firms
A number of major international charities are opening their doors for the first time to outside inspectors, allowing them to certify that donations are spent as advertised.  The charities say they hope thorough inspections and a new industry seal of approval will assuage public fears of donations being misused. The nonprofits are also trying to keep ahead of a movement in Congress to impose regulations on the fast-growing but largely unsupervised world of nongovernmental organizations.
Michael M. Phillips, "Big Charities Pursue Certification To Quell Fears of Funding Abuses," The Wall Street Journal, March 9, 2005; Page A1 --- http://online.wsj.com/article/0,,SB111033202546074217,00.html?mod=todays_us_page_one 
Bob Jensen's threads on charity frauds are at http://www.trinity.edu/rjensen/FraudReporting.htm#CharityFrauds 


Nobody has been more influential in moving the auditing profession toward an expanded scope of services than Robert K. Elliott, former KPMG partner and Past Chairman of the AICPA.  In the mid-1990s, Bob Elliott chaired the AICPA Special Committee on Assurance Services.  His basic argument was that the future of auditing was becoming increasingly bleak without expansion into a broader scope of services, provided that expansion did not impair the CPA's professional reputation for integrity and independence.

First, he argued that the traditional audited financial statements, rooted in standards written for industrial companies, are rapidly becoming obsolete in terms of usefulness and timeliness to investors.  He stated the following in a November 2, 1998 Saxe Lecture at Baruch College: --- http://newman.baruch.cuny.edu/digital/saxe/saxe_1998/elliott_98.htm 

Now let's focus, in this new environment, on the financial statements that we prepare under generally accepted accounting principles. These financial statements have been designed by the FASB and its predecessors to describe the industrial-era enterprise, the enterprise that creates value by physically manipulating tangible property like raw materials and turning them, by the application of energy and labor, into finished goods, then pushing the finished goods down the line to customers physically. What you see on those financial statements are the very tangible assets of that process. You see the raw material, the work in process, the finished goods. You see machinery and equipment. You see the buildings and the land.

That's what's on the financial statements, but post-industrial enterprises run on a different set of assets. They basically run on intangible assets, such as the capacity of innovation, research and development, human resources, information and know-how, brand equity, relations with customers and vendors, and relations with employees. These intangible assets drive the post-industrial firm, and none of them are on the balance sheet at all. We don't account for them.

Post-industrial enterprises run on intangible assets...

  • Information
  • Research and development
  • Capacity for innovation
  • Human resources

...which are not in the financial statements

Now you're thinking, "Okay, but those are just the post-industrial enterprises. Most of American economy is still making things: automobiles, steel, food." Well, let me tell you, two percent of the American work force is involved in growing things on farms, and ten percent of the American work force is involved in making things in factories. The rest of the work force is doing something else. Seventy percent are involved in the creation, distribution, or use of information. The economy has basically become information-oriented. Even industrial enterprises are no longer strictly tangible-goods companies.

Let me give you an example: Motorola. It's a manufacturing company, so it should be described by an industrial accounting model. Let's look into that. Say you go down to the store and buy a Motorola cellular phone that costs $100. How much of the $100 was for the physical content of the phone? There is less than a penny's worth of sand, turned into silicon. There is less than two cents worth of copper, to make the wires to connect things. There is less than a nickel's worth of oil, turned into a plastic box. What is the rest of the $100? Software, research and development, innovation, brand equity, information. Manufacturing companies are putting out more and more products that are post-industrial. They too run on assets that are not in the financial statements.

Let's look at it graphically, on this slide. In the past, a company's value-producing assets were largely tangible. There were intangible assets, but tangible assets dominated. So at this end of the spectrum, think of United States Steel. You've got steel mills, blast furnaces, land, piles of coal. But the emergent economy is basically working on intangible assets.

At the other end of the spectrum, think Microsoft and think of Microsoft's balance sheet. I guarantee you, Microsoft's balance sheet has nothing of interest on it whatsoever. What are the assets of Microsoft that comprise the balance sheet? A couple of diskettes, probably not even much land. Where is the some $300 billion of Microsoft's market value? It's between the ears of Microsoft's people, not on the balance sheet.

Don't get me wrong; I'm not saying that we should take these intangible assets and turn them into debit and credit entries, but I am saying that ignoring them in the accounting model is a fatal mistake, because what we're doing with these grand financial statements is producing what's in the left-hand column. We're producing periodic historical cost basis financial statements, five terms to describe what we provide as accountants, but look at the right-hand column and you will see the way in which people are used to getting information in every other information domain besides accounting.

Periodic? No. People don't want periodic information. They want to log on and get the information they want on demand. They want up-to-the-minute, if not forward-looking, cost bases. I'm not saying they want to know the current value of the assets as much as I'm saying they want to know the capacity of this basket of assets to make customers better off, to create value for customers.

Sure they want financial information, but they want much more than that: They want to be able to look behind it and see the operating data that lie behind those numbers, see the leading indicators, see the non-financial performance indicators that management itself is using increasingly to run the enterprise, things like customer satisfaction, product and process quality, measures of innovation, those types of things.

Then, the last word in this five-part set is the word "statements." We're referring to general purpose financial statements. General purpose financial statements means the information is not exactly what the investors need, not exactly what the creditors need, not exactly what the managers need, not exactly what the regulators need, not exactly what the tax man needs. It's not exactly what anybody needs. It's a compromise.

But today, we actually have the capacity to go in and find out what we want on demand. This trick of summarizing a complex enterprise in two pages, a balance sheet and an income statement, is a neat trick we learned as accountants 500 years ago or so. It was a pretty good trick when people could hardly come into the enterprise, thumb through the journals and ledgers, and form their own impression of the enterprise.

But today, users can literally come in and thumb through the journals and ledgers themselves. I don't mean with their thumbs, but with their software. They have the ability to come in and express their information demands and get them met in the format that they need, drill down, and get whatever they want when they want it.

What I am saying is that this left-hand column is not a formula for success in the future. In fact, it leads to something we might call a loss of decision-information market share.

On this graph, what I show, over the extent of the 20th century, is the information content of financial statements available to decision makers. It has been going up somewhat during the century as a result of higher standards, better accounting, better practice, and so forth. Actually, those show a tailing off at the end of the century. That's what I was talking about earlier. These financial statements don't describe the Microsofts and the other post-industrial enterprises.

Looked at this way, the information content of financial statements is declining. At the same time, we have other information. At the beginning of the century, you would certainly need information outside the financial statements to decide whether to commit money to the enterprise as either an investor or a creditor, but a relatively large percent of what we needed could come from the financial statements. You always need some other information, but the financial statements supply a relatively large part of what is needed.

As the century goes on, though, low-tech information intermediaries emerged, people like Moodys, Standard & Poors, and Dun & Bradstreet. Later in the century, you get an explosion of other sources of information because of electronic databases now on line. So while the total information that creditors and investors have is exploding, the piece that we as accountants are involved in preparing and auditing is flat at best, perhaps even declining, but either way, it's a loss of relative market share.

That's why I say we're facing a parlous present. Yet, I have the temerity to tell you there is a great future in front of us. How so? How do I get there?

First, there are some enormous megatrends in our favor. One megatrend is the change from an industrial to an information or post-industrial economy. We as the information people should be able to figure out how to take advantage of the shift to an information economy. Unless we're foolish or lack creativity, that megatrend actually operates in our favor. A second megatrend is that all around the world, people of every type are expressing less and less trust in institutions, businesses, governments, and people. More and more, they want accountability for the money they are investing or contributing, for resources managed by others, and for relationships. They want to be told about what's happening with their trusted inputs.

These demands for accountability express themselves in many ways, but we as the accountability people should be able to figure out how to take advantage of the trend. That's what we supply. If people are demanding more of it, that's good for us.

The third megatrend is that information technology is making markets so much more competitive. You have probably heard this comparison: an Internet year to a regular year is like a dog year to a human year. This enormously speedy change creates turmoil everywhere. That should be good for us. We should be able to step in and help resolve the turmoil by bringing some information discipline to it. What we have to do is figure out how to harness these megatrends.

Continued at http://newman.baruch.cuny.edu/digital/saxe/saxe_1998/elliott_98.htm 

The Special Committee under Elliott's leadership surveyed a random sample of CPAs in all 50 states and distilled the responses into the following four bullet points, as listed on pp. 11-12 of the above document:

Combining insight with integrity, CPAs deliver value. They listed four bullets: 

  1. One is communicating a total picture with clarity and objectivity. 
  2. Second is translating complex information into critical knowledge. 
  3. Third is anticipating and creating opportunities. That sounds a little more creative than what most people think of when they think of accountants. 
  4. And fourth is designing pathways that transform vision into reality.

Let me take those four bullets and recast them a bit for you. I want to start here with the information value chain. You have probably seen this in some form or another, but here's the idea. At the left end of this chain, we've got business events and transactions taking place, but we don't know anything about them yet, so the first thing we do is record them. Now we have data about them, and we can begin to take a look at what happened. We take the data, refine and combine it with other information, and we have more than data -- we have information, information from the outside and so forth. That turns into knowledge, and we use that knowledge in order to make wise decisions -- consumption decisions or welfare, political, and social decisions. Any type of decision.

So as you move up the information value chain, you get to higher and higher value activity. The person who sits there at shipping, taking down and recording things going in and out, creating data, is earning what? Perhaps ten dollars an hour. That's what you get for actually creating data. Then you move up to the 30 people who get $100 an hour because they are transforming data into information and refining information into knowledge.

Now let's take those four bullets that I showed you here and locate them on this value chain. The first was communicating the picture with clarity and objectivity. That's down here at this level. The conversion of data and information -- good work, pays decent, but a lot of that is being made redundant by technology. It's not going to be great work too far into the future. The next bullet is translating information into knowledge. That falls right here; that's higher value. People who do that get paid more.

The third bullet is creating opportunities. That lies even further up the value chain, and those people get paid even more. The fourth is designing the pathways that permit people to achieve their vision, and that's where you're up at the top of the value chain. So 3,000 members told us they aspire to move their practice up the information value chain. We also asked, "What do you think are the core values of the accounting profession?" These were the top five that they listed: First, a commitment to continuing education and lifelong learning. Second, competence. They think that whatever they are doing, they must be highly competent at it. Third, integrity -- stands to reason. The reputation of the accounting profession rests on people believing that we have integrity, and that rests on CPAs having integrity. Fourth, they list attunement to broad business issues, not just a narrow green-eyeshade focus on the numbers, but a holistic view of the enterprise. Fifth, objectivity, which is different from integrity. You can have one or the other or both, but objectivity is the neutrality, trustworthiness. So these are the top five values.

Now look at what our numbers showed as the services with the highest potential in the future. The first one was assurance and information integrity services. They extend the historical audit function, taking in a much broader domain. The second is technology. They see technology services as something that's really going to be high value-added and demanded well into the future. Third, management consulting and performance management. Obvious, right? The fourth is financial planning, helping people to achieve their financial objectives. And fifth, they see the world economy as global and see in that enormous opportunities for international services, much more than we have exploited in the past.

Our members also identified the capabilities that CPAs would need to have in order to succeed in taking advantage of the opportunities they identified. Number one was communications and leadership skills. Number two, strategic and critical thinking skills. You can't get up the value chain if you're just thinking about the production of debits and credits; you have to think strategically, the way the management of the enterprise thinks.

The third needed competency is a focus on customer, client, and market. We talked earlier about mass production, where the producer tries to drive down the price and isn't too concerned whether the product meets specific customer needs. Demassification is where you turn around and face every problem from the customer's perspective. You have to turn around and face the whole thing from the customer's perspective or you won't get the right answer.

The fourth competency is the interpretation of convergent information, by which they mean the ability to interpret both financial and non-financial information. If you only see one side of the picture, you don't have the full story. Fifth, you have to have high technology skills to succeed in this environment. When vision-project participants talk technology skills, they are not talking about the ability to run a PC, do a spreadsheet, and make a Powerpoint presentation; they're talking about a fundamental understanding of how technology reshapes organizations, products, services, and markets, and about the risks of employing technology and the ways in which to control those risks. They are talking about business implications of technology, not just the ability to run applications or deploy software. Those are necessary, but not sufficient in order to succeed.

The vision-project participants mentioned obstacles to achieving this vision: problems we have to solve and issues we have to deal with. One is that we can't get anywhere if the customers don't believe we can do it. So they held that future success would be based on public perceptions of our ability and roles. The second issue is that we've got to become as a profession much more market-driven than we are. Third, we have to be less dependent on traditional accounting and auditing services and focus more on high-value services like consulting. Fourth, you can't face this marketplace as a generalist very well in the future. You've got to specialize in some area. You need the breadth to see problems as a whole, but you also have to have the skills to be able to solve problems in some specialized domain. Fifth, these CPAs are saying that as a profession, they don't think we're sufficiently global in our perspective and outlook. That's an issue as well.

So these are the things that our members are telling us. This is not the leadership of the AICPA telling us what to do; it's the members of the AICPA telling the leaders what to do. That doesn't mean that if the AICPA does those things, the game is won, because other actions are necessary as well. Some actions have to be taken at the level of firms, both industrial firms and CPA practice firms. Since I am in practice and I'm familiar with what we have to do in our firm and firms like it, I'll focus on them.

The first thing that firms have to do in order to realize these opportunities is to adopt a customer focus for the auditing product. The customers are not only the clients, but the investors and creditors out there who are the end users of the information. If we're not making those people better off, we're not going to have much of a job in the future. The second thing is that firms have to build competencies, particularly in the technology area but in some others as well. The third thing is that we have to take our existing product offerings and invest them with higher and higher value. We have to make them more valuable to the customers, and we have to show our customers and clients our capacity to create value.

When they think of CPAs, we don't want them to think only of people who prepare the financial statements and tax returns; we want them to think of CPAs as the people who help them shape their future. Those firms that don't have a research and development arm oriented to finding out customer needs and creating service opportunities to fulfill those needs will have to create one.

It should be stressed that Elliott and the Special Committee viewed assurance services as extending well beyond attestation services.  Attestation is usually associated with verification of past events, such as attesting to a golfer's score or attesting to the fairness of a contest drawing outcome.  Assurance can be more forward looking, in the sense of designing systems that are "assured" to perform within specified tolerances.  For example, one type of assurance service proposed by the Special Committee is called WebTrust.  It is intended not so much as an "attestation" that a company did not violate its data privacy policy with customers in the past as it is intended to "assure" customers that the company will abide by its promises in the future.

I greatly admire Bob Elliott and the Special Committee for both giving us a vision for the future and for the boldness in the plan.  The disappointment, at least in the short-run, has been in the inability of CPA firms to undertake many new assurance service experiments.  And some of the experiments like WebTrust that have taken place have been largely disappointing in terms of perceived value in the eyes of potential customers.  

Then came the implosion of Enron and the explosion of the auditing firm, Andersen, that transpired in 2002.  Public respect for the independence and integrity of CPAs plummeted, along with short-term prospects that the world was ready for a new type of professional.  Members of the AICPA resoundingly defeated the AICPA proposal to develop a new professional designation, such as the failed "XYZ" (placeholder name) and "Cognitor" proposed designations.

Rather than focus more and more on expanded services, large CPA firms in the post-Enron era had to divest themselves of large chunks of their consulting practices in a concerted effort to restore public confidence in CPAs and in their audit services.  The momentum for expanded assurance services has temporarily slowed, but it will come booming back over the longer term.


Virtually all colleges with accounting programs have added assurance service modules and/or complete courses.

The future of assurance services is so promising, that some major universities have initiated assurance service degree programs apart from traditional accounting and tax degree programs.  Several examples are listed below:



Assurance Services Updates

January 19, 2003 message from Lawrence Gordon [LGordon@rhsmith.umd.edu]

Dear Bob:

The Journal of Accounting and Public Policy has initiated a new sub-section called "Accounting and Information Assurance Letters." The sub-section publishes short papers (not to exceed 6 printed pages, or approximately 2400 words) that link timely accounting (broadly defined) and information assurance issues to public policy and/or corporate governance. Papers submitted to this subsection of the journal will be reviewed within four weeks of receipt and revisions will be limited to one. Papers accepted for this subsection will be published within four months of acceptance.

We believe that this new section of the journal will help define the relationship between accounting and information assurance, and would be especially pleased to publish papers on this topic from members of the journal's Editorial Board. Accordingly, if you are working on research papers that seem to fit the new section of the Journal of Accounting and Public Policy, we hope you will consider submitting them to the journal. More information about the new section can be found at: http://www.elsevier.com/inca/publications/store/5/0/5/7/2/1/ . We also hope you will bring this new section of the journal to the attention of your colleagues.

Sincerely,

Larry and Marty

Lawrence A. Gordon, Ph.D.
Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance
Director, Ph.D. Program
The Robert H. Smith School of Business
University of Maryland - College Park
College Park, Maryland 20742
Phone: (301) 405-2255  Fax: (301) 314-9611
E-mail: lgordon@rhsmith.umd.edu
http://www.rhsmith.umd.edu/accounting/lgordon/

Martin P. Loeb
Professor of Accounting and Information Assurance
Deloitte & Touche Faculty Fellow
The Robert H. Smith School of Business
University of Maryland, College Park
College Park, MD 20742-1815
E-mail: mloeb@rhsmith.umd.edu
Phone: 301-405-2209  Fax: 301-405-0359


The AICPA's main site of interest --- http://www.aicpa.org/assurance/index.htm 

Assurance Services are defined as "independent professional services that improve the quality or context of information for decision makers." Today's business environment is marked by increased competition and the need for quicker and better information for decisions. In addition, the complexity of systems and the anonymity of the Internet present barriers to growth. Businesses and their customers need independent assurance that the information on which decisions are based is reliable. By virtue of their training, experience and reputation for integrity, CPAs are the logical choice to provide this assurance.

The AICPA's movement into developing additional Assurance Services began with the 1993 Audit/Assurance Conference. The Conference had been concerned with the decline in the demand for audits and other attest services and that the users of Assurance Services had expressed dissatisfaction with their scope and utility. It analyzed why the audit and assurance function had come to this juncture and developed a broad plan for shaping the future of assurance to enhance its value.

The AICPA authorized the Special Committee on Assurance Services ("SCAS") to investigate the issues and what could be done to reposition CPAs for the future. The SCAS's report, The Report of the Special Committee on Assurance Services, was issued in 1997. The report called for the development of additional services to serve the needs of clients. For a complete understanding of the history of Assurance Services, follow the links under About Assurance Services.

The first four services that were developed are: ElderCare Services, Performance View, SysTrust Services, and WebTrust. This section of the AICPA's Web site provides information on each of these services, including: what the service encompasses; the necessary skills; information on developing a practice; and FAQs. In addition, links to the people to contact to request additional information are also provided.

Risk Advisory Services by CPA Firms --- http://www.aicpa.org/assurance/risk/index.htm 

What are Risk Advisory Services and Why Should I Get Involved?

Risk Advisory Services Task Force
Learn about the Task Force's mission, its members and highlights of meetings.

How to obtain a free copy of the new thought leadership document on Risk,
MANAGING RISK IN THE NEW ECONOMY  

Download URL --- http://ftp.aicpa.org/public/download/Managing%20Risk.pdf 

 

Update on SysTrust --- http://www.aicpa.org/assurance/systrust/index.htm 
The AICPA/CICA Trust Services principles and criteria will be released January 1, 2003. The new Trust Services principles and criteria will be effective for engagements beginning on or after January 2003. Earlier implementation is encouraged.

 

What are SysTrust Services and Why Should I Get Involved?
A Brief Introduction on SysTrust Services

SysTrust Principles & Criteria

What Skills Do I Need to Provide SysTrust Services?
Find out what skills are necessary and what resources are available to enable you to offer SysTrust Services.

Getting Started
Learn about SysTrust licensing agreement and training opportunities.

Marketing and Managing a SysTrust Practice
Tips on Marketing and Managing Your SysTrust Practice.

What's New with SysTrust Services?
New standards, product developments, etc.

Systems Reliability Assurance Services Task Force
Learn about the Task Force's mission and its members.

Frequently Asked Questions about SysTrust

Press Room
Press Releases, Product News, Fact Sheets, Q&As, Case Studies, Spokesperson Biographies, etc.

Contact the AICPA

Give feedback on assurance services.

 

Update on WebTrust --- http://www.aicpa.org/assurance/webtrust/princip.htm 

The AICPA/CICA Trust Services principles and criteria will be released January 1, 2003. The new Trust Services principles and criteria will be effective for engagements beginning on or after January 2003. Earlier implementation is encouraged.

Trust Services Principles and Criteria Exposure Draft

The Trust Services Principles and Criteria are intended to address user and preparer needs regarding issues of security, availability, processing integrity, online privacy and confidentiality within e-commerce and non-e-commerce systems. The Principles and Criteria contained in this program supersede Version 2.0 of the SysTrust Principles and Criteria and Version 3.0 of the WebTrust Principles and Criteria and are effective for examination periods beginning after August 31, 2002.

The new and improved WebTrust 3.0 family of services provides best practices and eBusiness solutions for Business-to-Consumer and Business-to-Business Electronic Commerce, for Service Providers, and for Certification Authorities. Please review each to determine which would be best for your clients and their customers.

 

Update on ElderCare Assurance Services --- http://www.aicpa.org/assurance/eldercare/index.htm


What are ElderCare Services and Why Should I Get Involved?

A brief introduction to ElderCare Services

CPA ElderCare Testimonials from Members and Their Clients

What Skills Do I Need to Provide CPA ElderCare Services?
Find out what skills are necessary and what resources are available to enable you to provide ElderCare Services.

Getting Started
Learn about ElderCare Training Opportunities, ElderCare Conferences and Practice Tools.

Marketing and Managing an ElderCare Practice
Tips on Marketing and Managing Your ElderCare Practice.

Resources & Links
Learn about the product and publications you need to assist you in performing ElderCare engagements including useful links to other Web sites.

What's New with CPA ElderCare Services?
Press Releases, new products, etc.

AICPA/CICA ElderCare Services Task Force
Learn about the Task Force's mission, its members and highlights of meetings.

Frequently Asked Questions about CPA ElderCare Services

Contact the AICPA!
List Names of ElderCare Team Members with Title, address, email and phone numbers.

Give feedback on assurance services.


 

Illustration of Topics in a Continuous Assurance Symposium

Fifth Continuous Assurance Symposium

November 22 and 23(AM), 2002

Rutgers Business School

190 University Ave.

Bove Lecture Hall – Engelhard Hall

Newark, NJ 07102

Web address- http://raw.rutgers.edu/continuousauditing/fifthaudit.htm

Sponsored by IMA, Artificial Intelligence and Emerging Technologies section of the AAA, ISACA.

November 22nd, 9am-6pm

INTRODUCTION: 9:00-10:30

Welcome to Rutgers: Dean Howard Tuckman

•  Update on the Center for Continuous Auditing, Don Warren (Texas A & M University)

•  Update on the European Center for Continuous Auditing, Robert Onions (Salford University, UK)

•  Principles of Analytic Monitoring, Mike Alles, Alex Kogan & Miklos Vasarhelyi (Rutgers Business School)

•  Understanding the New Business Reporting Model for the Future, Tony Pugliese (AICPA)

Break: 10:30-10:45

RESEARCH PAPERS I: 10:45-12:15

•  James Hunton (Bentley College), Jackie Reck (Univ. of So. Florida) & Robert Pinsker (Old Dominion Univ.), Investigating the Reaction of Relatively Unsophisticated Investors to Audit Assurance on Firm-released News Announcements

•  Ron Fritz, The Tax Department Is Well Positioned to Perform Independent Periodic Validation Checks

•  Roger Debreceny (Nanyang Technological University) and Glen Grey: Embedded Audit Modules

 

Lunch in the Dean’s Lounge located in Ackerson Hall: 12:15-13:15

CORPORATE EXPERIENCE IN CONTINUOUS AUDITING: 13:15-14:15

•  HCA Healthcare, Chase Whitaker

•  KOLA: KPMG On-Line Audit: Practical Experiences From Piloting On-Line Continuous Audit Tools, Kevin Handscombe, KPMG Assurance Innovation Centre, UK

RESEARCH PLANNING WORKSHOP: 14:15-15:15

•  Mary Curtis (University of North Texas), An Innovation Characteristics Approach to the Study of the Adoption of Continuous Auditing

•  Michael Fancher, National Consortium of Manufacturing Services, Research Opportunities in Continuous Auditing in the Manufacturing Area

Break: 15:15-15:30

SOFTWARE FOR CONTINUOUS AUDITING & CLIENT APPLICATION: 15:30-18:00

•  ACL, John Verver

•  AuditMaster, Ed Kress

•  Approva, Larry Roshfeld

•  Caseware, Alain Soubliere

•  Applimation and Ernst & Young, Rajesh Parthasarathy, Value Added Auditing of Oracle Applications: How Ernst & Young Used Assessor to Take Audits to the Next Level. A Case Study.

Dinner at Mediterranean Manor (rodizio and others) 6:30

Located at 255-269 Jefferson Street, Newark, NJ 07105 – Telephone # 973-465-1966 or 1967

 

Saturday Nov 23, 8 AM-1PM

RESEARCH PAPERS II:     8:00-9:00

•  Richard Dull (Clemson) and David Tegarden (Virginia Tech), The Proposal of a Visual Approach to Implement Continuous Auditing

•  Rob Nehmer (Berry College), Continuous Auditing Implications: Rethinking the Roles of Systems of Internal Controls

RESEARCH PAPERS III: 9:00-10:30

•  Jim Hunton (Bentley College), Arnold Wright (Boston College) & Sally Wright (Univ. of MA), Assessing The Impact of More Frequent External Financial Statement Reporting and Independent Auditor Assurance on Quality of Earnings and Stock Market Effects

•  Michael Alles (Rutgers Business School), The Black Box Log Proposal

•  Bonnie Morris (West Virginia University), The Use of Legal Ontologies to Model Privacy Policies

Break: 10:30-10:45

RESEARCH PAPERS III: 10:45-11:45

•  Vicky Arnold (University of Connecticut), Clark Hampton (UConn), Deepak Khazanchi (University of Connecticut) and Steve Sutton (UConn), Risk Analysis in B2B E-Business Relationships: A Model for Continuous Monitoring and Assurance in Partnering Relationships

•  Don Warren (Texas A & M University), Data Mining As a Continuous Auditing Tool For Soft Information: A Research Question

CONCLUSION: THE ROLE OF XML – XBRL/GL IN CONTINUOUS AUDIT: 11:45-13:00

•  Eric Cohen, PWC, Data Level Assurance: Bringing Data into Continuous Audit Using XML Derivatives

•  Michael Groomer (U of Indiana) and Uday Murthy (Texas A&M University), Enhancing an XML Schema for Accounting Systems to Facilitate Continuous Auditing

Discussants

•  Jim Peters (University of Maryland)

•  Charlie LeGrand, IIA

 

 


Financial Statement Assurance in an E-Business Environment
  • Risks uniquely present in an e-business environment.  

    • Networked transactions

    • Changing technologies that can tank a business overnight

    • Soft assets dominate hard assets

    • Ever-evolving series of mergers and acquisitions

    • Short and high-risk product life cycles

    • Young and inexperienced labor force

    • Success or failure may ride on one person or a few key people

    • Lack of management focus on cost control

  • Successions of losses do not necessarily impair a going concern (provided investors are willing to keep infusing the business with cash)

  • Substantive testing in audits may not be practical or feasible (see Statement on Auditing Standards [SAS] 80, Amendment to SAS 31, Evidential Matter)

 

 

New Forms of Assurance to Facilitate E-Business

AICPA formed the Special Committee on Assurance Services (SCAS) in 1994.  After a careful analysis of demographic and other trends, this committee concluded the following:

Your marketplace is changing.  Multibillion-dollar markets for new CPA services are being created.  Investors, creditors, and business managers are swamped with information, yet frustrated about not having the information they need and uncertain about the relevance and reliability of what they use.  CPA firms of all sizes--from small practitioners to very large firms--can help these decision makers by delivering new assurance services.  (AICPA Web site, "Assurance Services," www.aicpa.org).

The Elliott Committee (named after its chair, Robert K. Elliott) identified six new service areas considered to have high potential for revenue growth for assurance providers:

  1. Risk Assessment

  2. Business Performance Measurement

  3. Information Systems Reliability

  4. Electronic Commerce

  5. Health Care Performance Measurement

  6. ElderCare

The work of the Elliott Committee was followed by the appointment of the ongoing Assurance Services Executive Committee, chaired by Ronald Cohen.  This committee is charged with the ongoing development of new assurance services and the provision of guidance to practicing CPAs on implementing the services developed.

  • Information Systems Reliability Assurance 

  • Electronic Commerce Assurance. 

Business-To-Consumer Assurance

  • CPA/CA WebTrust (Joint Venture of AICPA and CICA)
    • Business Practices and Disclosure--The entity discloses its business and information privacy practices for e-business transactions and executes transactions in accordance with its disclosed practices.

    • Transaction Integrity--The entity maintains effective controls to provide reasonable assurance that customers' transactions using e-business are completed and billed as agreed.

    • Information Protection and Privacy--The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-business is protected from uses not related to the entity's business.

  • Proprietary E-Business Audits

  • Privacy Audits

Business-to-Business Assurance

  • Assurances against service disruptions and product shipments

  • CPA/CA SysTrust (Joint Venture of AICPA and CICA)
    • Availability--The system is available during times specified by the entity.

    • Security--Adequate protection is provided against unwanted logical or physical entrance into the system.

    • Integrity--Processes within the system are executed in a complete, accurate, timely and authorized manner.

    • Maintainability--Updates (upgrades) to the system can be performed when needed without disabling the other three principles.

  • SAS 70 Reviews of Service Organizations (extended to B2B Risks)

SAS 70, Reports on the Processing of Transactions by Service Organizations, was issued to provide assistance in the auditing of entities that obtain either or both of the following services from an external third party entity.

  • Executing transactions and maintaining related accountability

  • Recording transactions and processing data

  • Internal Controls Risk

    • The financial statement assertions that are either directly or indirectly affected by the service organization's internal control policies and procedures.

    • The extent to which the service organization's policies and procedures interact with the user organization's internal control structure

    • The degree of standardization of the services provided by the third party to individual clients.  In the case of highly standardized services, the service auditor may be best suited to provide assurance; however, when the third party offers many customized services, the third-party auditor may be unable to provide sufficient assurance regarding a specific client.

SAS 70 provides for two reports the service auditor can provide to the user auditor concerning the policies and procedures of the service organization:

  • Reports on policies and procedures placed in operation.

  • Reports on policies and procedures placed in operation and tests of operating effectiveness.

Other Potential New Services to Facilitate E-Business

  • Value-Added Network (VAN) Service Provider Assurance

  • Evaluation of Electronic Commerce Software Packages

  • Trusted Key and Signature Provider Assurance

  • Criteria Establishment

  • Counseling Services

The AICPA's Assurance Services Website is at http://www.aicpa.org/assurance/index.htm 

 

Major Constraints and Considerations
Competencies Required

Competition

Jeopardy to Public Accountancy's Image of Independence and Professionalism

Legal Risks

 


One of the most significant and controversial professional practice areas is the one where Bob Elliott led the accounting profession into its new Song of SysTrust.  I don't know if all accountants have noticed the monumental and highly controversial change in attestation services being proposed by the AICPA and the CICA for the public accounting profession.  Most certainly the lyrics are not familiar to non-accountants other than attorneys who, while dancing in their briefs, have difficulty containing their enthusiasm for this new Anthem of the Auditors.  This is the first major shift of the accounting profession into the attestation of complete information services.  Financial audits may eventually be but a small part of the total attestation and assurance service symphony of services.  The proposed new "accounting"-firm service is called SysTrust at http://www.aicpa.org/assurance/systrust/index.htm .

Probably the best summary of SysTrust to date is "Reporting on Systems Reliability," by Efrim Boritz, Erin Mackler, and Doug McPhie in the Journal of Accountancy, November 1999, pp. 75-87.  The online version is at http://www.aicpa.org/pubs/jofa/nov1999/boritz.html.  (It might be noted that both Boritz and McPhie are from Canada --- SysTrust is a joint venture with the Canadian Institute of Chartered Accountants and the AICPA in the U.S.)  


How can you protect confidential documents at your Website?

Answer:  See http://www.w3.org/Security/Faq/wwwsf5.html#Q14 


Privacy in eCommerce


"Playboy says hacker stole customer info," by Greg Sandoval and Robert Lemos, C|Net News Com, November 20, 2001 --- http://news.cnet.com/news/0-1007-200-7932825.html?tag=mn_hd 

Playboy.com has alerted customers that an intruder broke into its Web site and obtained some customer information, including credit card numbers.

The online unit of the nearly 50-year-old men's magazine said in an e-mail to customers that it believed a hacker accessed "a portion" of Playboy.com's computer systems. In the e-mail, a copy of which was reviewed by CNET News.com, Playboy.com President Larry Lux did not disclose how many customers might have been affected.

Playboy.com encouraged customers to contact their credit card companies to check for unauthorized charges. New York-based Playboy.com also said it reported the incident to law enforcement officials and hired a security expert to audit its computer systems and analyze the incident.

Continued at http://news.cnet.com/news/0-1007-200-7932825.html?tag=mn_hd 


For a brief period, Ziff Davis published the personal information -- including credit card numbers -- of thousands of its subscribers on the Web. --- http://www.wired.com/news/ebiz/0,1272,48525,1162b6a.html 
"A Tell-All ZD Would Rather Ignore," by Declan McCullagh, Wired News, November 20, 2001

Because Ziff Davis' 1.3-MB text file included names, mailing addresses, e-mail addresses and in some cases credit card numbers, a thief who downloaded it would have enough information to make fraudulent mail-order purchases. An executive at one New York magazine firm called the error "a bush-league mistake for a major online publisher."

Zane said Ziff Davis relies on EDS and Omeda database technology to protect subscriber information. He refused to provide details, except to say that "we were doing a promotion not using the EDS and Omeda products."

In interviews, two people who appeared on the Ziff Davis list said they had typed in their information when responding to a promotion for Electronic Gaming Monthly.

"I went to the site and signed up for the free year, but did not sign up for the second year, which was not free," said Jerry Leon of Spokane, Washington, whose Visa number and expiration date appeared in the file. "I get the feeling that this was one huge scam, but that card is now dead, and any charges made on it will be refused."

"If it was just a stupid accident, they are going to regret failing a community that worries about this stuff ever happening, but if something less innocent has occurred, they may as well fold the tents," said Leon, who signed up through AnandTech's hot deals forum.

Rob Robinson, whose address information -- but not credit card number -- was on display, says he subscribed to Electronic Gaming Monthly through a promotion on ebgames.com.

"I'm annoyed that my home info as well as a valid e-mail is available to anyone. That's quite a valuable list of gamers' personal data up for grabs. I feel really bad for the poor folks who are going to have to cancel their credit cards," Robinson said.

It's not clear whether Electronic Gaming Monthly subscribers were the only ones affected by the security snafu, and Ziff Davis refused to provide details. The file appeared at the address http://www.zdmcirc.com/formcollect/ebxbegamfile.dat until around noon EST on Monday.

That address began circulating around Home Theater Forum discussion groups over the weekend, and Ziff Davis at first erased the contents of the database at around 9 a.m. EST Monday. But its system continued to add new subscribers to the public file until Ziff Davis administrators blocked access to that address around midday Monday.

"Every week we learn of new cases where companies used insecure technology or unsecure servers to handle business that utilizes financial information or customer information," says Jericho, who edits the security news site attrition.org. "In the rush to be e-appealing for e-business they e-screw up time and time again."

Jericho has compiled a list of miscreant firms whose shoddy security practices have exposed customer information. The hall of shame includes notables such as Amazon, Gateway, Hotmail and Verizon.

Ziff Davis Media publishes 11 print magazines. It is a separate company from ZDNet, which is owned by CNET Networks.

See also:
HQ for Exposed Credit Numbers
Students Expose Bank ATM Hole
E-Commerce Fears? Good Reasons


Privacy in eCommerce:  Personal Certificates

For discussion of cookies and how to Surf the Web anonymously, see Cookies.

For a general discussion of personal certificates, see http://www.w3.org/Security/Faq/wwwsf5.html#CON-Q12 

What is WebTrust?  What are its major competitors?  

Hint: See the following:

Question:  
What makes WebTrust more "trusted" vis-a-vis its competitors (aside from being CPA or CICA firms)?

Answer:  
WebTrust is the only service that requires random site visits by independent CPA firms to spot check if privacy policies are being adhered to by the WebTrust client.

Truste Network Authentication Security in Question

Even one of the originators of the Internet's wannabe consumer seal -- ubiquitous technologist Esther Dyson -- is disappointed in the way the service has panned out.

"Just How Trusty Is Truste?," by Paul Boutin, Wired News, April 10, 2002 --- http://www.wired.com/news/exec/0,1370,51624,00.html 

Enron had Arthur Andersen. Yahoo has Truste, the nonprofit privacy organization whose seal of approval is designed to assuage consumer fears about giving personal information to websites.

But Yahoo's recent announcement of sweeping changes in the way it will use customer data collected under previous policies has many calling Truste's seal as meaningless as an Andersen audit.

Even Esther Dyson, the high-profile technologist who played a major role in Truste's launch five years ago, says she is "disappointed in what ended up becoming of it."

By its own account, Truste was conceived at Dyson's industry-leading PC Forum conference in 1996. Dyson credits others with the concept, but she pushed both publicly and privately for the establishment of the nonprofit company and adoption of its "trustmark," which certifies that online companies comply with their own stated privacy policies.

Truste makes no attempt to set privacy policies. It merely ensures that companies clearly state their own rules for handling customer data, and then adhere to them.

"We thought disclosure would be enough," Dyson said.

Web surfers, her reasoning went, would read the various companies' policies themselves and make their own choices, letting companies use privacy policies as a competitive differentiator. Truste's seal would simply ensure that the policy was being followed, so that "between two sites I've never heard of, I'd rather pick the one that has the Truste logo," she explained.

But over the years, a series of Truste clients have managed to violate the spirit, if not the letter, of their Truste-approved policies.

Rather than revoking seals left and right, Truste officials often seemed to be covering for their clients -- explaining, in one case, that a Real Networks media player which reported users' video selections back to Real headquarters in Seattle was "outside of the scope of Truste's current privacy seal."

Their reasoning: The program uploaded data not to Real's website, but to a nearby set of servers.

"That symbol is meaningless, because of the number of institutions it has been associated with and the things they've gotten away with," said Yahoo user Jenifer Jenkins, who claims she stopped using Yahoo mail and other services last week after learning of the company's policy changes. "If (Yahoo) wants to be the first place people go on the Internet, they need to clean up their act."

Dyson agreed that, despite being co-founded by outspoken privacy advocates the Electronic Frontier Foundation, Truste's image has slipped from consumer advocate to corporate apologist. "The board ended up being a little too corporate, and didn't have any moral courage," she said.

"Clearly, if you're hostile all the time you're not very effective. But you have to have the moral courage to say, 'This is wrong, even if it's not in our contract.'"

Truste executive director Fran Maier argued that in Yahoo's case, critics don't recognize how much work her organization did to keep the megaportal in line -- not only with its own policy, but with generally acceptable behavior. "I can't tell you all the things they wanted to do, but believe me, we were there," she said.

"We reviewed a number of proposed changes, some of which were made, some weren't," she added. "It went through the highest level of oversight at Truste. Before they can launch or relaunch something with our seal on it, they have to deal with our review."

Continued at  http://www.wired.com/news/exec/0,1370,51624,00.html 


You must be careful when viewing a corporate Website that you think is authentic but is a total fraud.  One such site is http://www.dowethics.com/  which spoofs the genuine http://www.dow.com 

The site at dowethics.com is a very clever spoof site that mirrors the real corporate site but runs it with stories against the company.  It is interesting because it appears to be very authentic and illustrates how companies really do need authentication seals such as Verisign, the Better Business Bureau BBB seal, or the WebTrust Seal --- http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialProblems 

 

Question:  What is the most popular and less costly privacy seal alternative relative to WebTrust?

Answer:  The Better Business Bureau --- http://www.bbbonline.org/privacy/index.asp 

 Of the many challenges facing the Internet, privacy has risen above them all as the number one concern (and barrier) voiced by web users when going online. Participants in the BBBOnLine Privacy Program are addressing this concern head-on with responsive and effective self-regulation. By subscribing to responsible information practices, BBBOnLine Privacy participants are promoting the vital trust and confidence necessary for their own and future success of the Internet.

Taking advantage of the significant expertise the Council of Better Business Bureaus wields in self-regulation and dispute resolution, the BBBOnLine Privacy Program features verification, monitoring and review, consumer dispute resolution, a compliance seal, enforcement mechanisms and an educational component. The BBBOnLine Privacy Program offers consumers a user-friendly tool that helps increase their comfort while on the Internet and is a reasonably priced and a simple, one-stop, non-intrusive way for business to demonstrate compliance with credible online privacy


Question on Website (Provider) Authentication
How can you find out that you are not at a phony site that pretends to be legitimate?

Answer:
Look for a logo verification seal at the site.  Although the AICPA's WebTrust seal is primarily a Web privacy seal (credit card information, medical information, etc.), the WebTrust seal is also a seal that assures users that the site is not a phony imitation of a real site --- http://www.aicpa.org/assurance/webtrust/princip.htm 
The WebTrust privacy and logo verification seal contains the following image on a document (the image below is for illustration only and is not valid on Bob Jensen's Web documents).

 

A less costly  logo verification seal is the VeriSign seal if it appears on a document (the image below is for illustration only and is not valid on Bob Jensen's Web documents).

"VeriSign Delivers Protections for Digital CPA Documents," by Wayne Harding, Journal of Accountancy, May 2002 ---  http://www.aicpa.org/pubs/jofa/may2002/cpa2biz.htm 

CPA2Biz, the AICPA, and VeriSign are now offering Authentic Document Service to CPAs. Through the use of Authentic Document IDs CPAs can notarize electronic documents. This notarization prevents any changes— a paragraph being deleted, a sentence added, even a space changed.
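The tamper-evidence property described above, as an added example that is not code from the article, CPA2Biz or VeriSign: the real Authentic Document Service relies on VeriSign certificates and public-key signatures, whereas this script stands in the notary's private key with an HMAC secret (a constructed key) so it runs offline with the standard library, and the sample letter is constructed. What it shows is that a token binding the digest of the exact bytes detects a deleted paragraph, an added sentence or a single changed space at verification time.

```python
"""Tamper-evident notarization of an electronic document (added example)."""
import hashlib
import hmac
import json

# Assumption: the notary's secret. Constructed for this demo, not a real key.
NOTARY_KEY = b"constructed-demo-notary-key"

# Constructed sample document standing in for a CPA's electronic letter.
ORIGINAL_DOC = (
    "Independent Accountant's Report\n"
    "We have examined the attached schedule.\n"
    "In our opinion, the schedule presents fairly the amounts shown.\n"
)


def document_digest(document: str) -> str:
    """SHA-256 over the document's exact UTF-8 bytes, whitespace included."""
    return hashlib.sha256(document.encode("utf-8")).hexdigest()


def notarize(document: str, issued_at: str, key: bytes = NOTARY_KEY) -> dict:
    """Issue a token: digest plus timestamp, authenticated under the notary's key."""
    payload = json.dumps(
        {"sha256": document_digest(document), "issued_at": issued_at},
        sort_keys=True,
        separators=(",", ":"),
    )
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify(document: str, token: dict, key: bytes = NOTARY_KEY) -> tuple:
    """Return (ok, reason): check the token's authenticity first, then the document."""
    expected = hmac.new(key, token["payload"].encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be matched byte by byte.
    if not hmac.compare_digest(expected, token["tag"]):
        return False, "token not issued by this notary or altered"
    claimed = json.loads(token["payload"])
    if not hmac.compare_digest(claimed["sha256"], document_digest(document)):
        return False, "document changed since notarization"
    return True, "document matches the notarized digest"


def demo() -> dict:
    """Notarize the sample, then verify the original, three edited copies and a forged token."""
    issued = "2002-05-01T12:00:00Z"  # constructed timestamp
    token = notarize(ORIGINAL_DOC, issued_at=issued)
    variants = {
        "original": ORIGINAL_DOC,
        # The three edits the article says notarization must catch:
        "paragraph_deleted": ORIGINAL_DOC.replace("We have examined the attached schedule.\n", ""),
        "sentence_added": ORIGINAL_DOC + "No exceptions were noted.\n",
        "space_changed": ORIGINAL_DOC.replace("In our opinion,", "In our  opinion,"),
    }
    results = {name: verify(doc, token) for name, doc in variants.items()}
    # A token minted under some other key must be rejected even for the unchanged document.
    forged = notarize(ORIGINAL_DOC, issued, key=b"someone-elses-key")
    results["forged_token"] = verify(ORIGINAL_DOC, forged)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18} {'OK ' if ok else 'BAD'} {reason}")
```

Note that the token detects changes rather than preventing them; the edited copy still exists, but it no longer verifies against the notarized digest.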

VeriSign --- http://www.verisign.com/ 
Get VeriSign's free white paper at https://www.verisign.com/cgi-bin/clearsales_cgi/leadgen.htm?form_id=0714&toc=w093325300714000&email= .

Learn From the Experts VeriSign's Training Courses cover all areas of enterprise security including Firewalls, PKI, VPNs, Applied Hacking, and Web Security. Our small classes, hands-on labs, and world-class instructors ensure the highest level of security for your networks. Download our FREE White Paper, "VeriSign Internet Security Education: E-Commerce Survival Training" outlining the benefits of security education.




The Better Business Bureau (BBB):  Another Source of Website (Provider) Authentication --- http://www.bbb.org/ 


Although the BBB is best known as a place where consumers and businesses can file complaints about unethical, deceptive, and illegal commerce and charitable practices, the BBB also provides an Internet seal of Website (Provider) Authentication.  


Reliability Seal Program --- http://www.bbbonline.org/reliability/index.asp   
Helping Web users find reliable, trustworthy businesses online, and helping reliable businesses identify themselves as such, through a voluntary self-regulatory program that promotes consumer trust and confidence on the Internet.

Privacy Seal Program --- http://www.bbbonline.org/privacy/index.asp 
Helping Web users identify companies that stand behind their privacy policies and have met the program requirements of notice, choice, access and security in the use of personally identifiable information.

For a general discussion of personal certificates, see http://www.w3.org/Security/Faq/wwwsf5.html#CON-Q12 


Advantages and risks of cookies --- see Cookies.


What is user authentication?

Answer See Question 4 at http://www.w3.org/Security/Faq/wwwsf5.html#Q14 

User authentication is any system for determining, and verifying, the identity of a remote user. A user name and password is the simplest form of user authentication. Public key cryptographic systems, described below, provide a more sophisticated form of authentication that uses an unforgeable electronic signature.

Continued at http://www.w3.org/Security/Faq/wwwsf5.html#Q14
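As an added illustration of the point above (example code written for this page, not from the W3C FAQ), the following Python shows why a signed challenge is stronger than a password: a password captured on the wire works again, while a response computed over a fresh server nonce does not. The Python standard library has no public-key signature, so the response here is an HMAC over the nonce with a shared secret; the public-key version replaces that HMAC with a signature the server checks against the user's public key, and the single-use nonce logic stays the same. The user name, secret, and class names are made up for the example.

```python
import hmac
import hashlib
import secrets

# Constructed example: one user record. In a real system the password
# would be stored only as a salted hash, never in the clear.
USERS = {"alice": {"secret": b"correct horse battery staple"}}


class Server:
    """Verifier side. Tracks outstanding challenges so each one is used once."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # username -> outstanding challenge nonce

    # --- Scheme A: plain password sent over the wire --------------------
    def login_password(self, username, password):
        user = self.users.get(username)
        # compare_digest avoids leaking the match position through timing
        return user is not None and hmac.compare_digest(user["secret"], password)

    # --- Scheme B: challenge-response (secret never leaves the client) ---
    def issue_challenge(self, username):
        nonce = secrets.token_bytes(16)  # fresh and unpredictable per login
        self.pending[username] = nonce
        return nonce

    def login_response(self, username, response):
        user = self.users.get(username)
        nonce = self.pending.pop(username, None)  # single use: popped on first try
        if user is None or nonce is None:
            return False
        expected = hmac.new(user["secret"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_answer(secret, nonce):
    """Prover side: prove knowledge of the secret without transmitting it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_demo():
    """Returns (password_replay_ok, first_response_ok, response_replay_ok)."""
    srv = Server(USERS)
    secret = USERS["alice"]["secret"]

    # Scheme A: an eavesdropper who saw the password can log in with it.
    captured_pw = secret
    password_replay_ok = srv.login_password("alice", captured_pw)

    # Scheme B: an eavesdropper captures one (nonce, response) pair.
    nonce = srv.issue_challenge("alice")
    captured_resp = client_answer(secret, nonce)
    first_ok = srv.login_response("alice", captured_resp)

    # Next session gets a new nonce, so the captured response no longer verifies.
    srv.issue_challenge("alice")
    replay_ok = srv.login_response("alice", captured_resp)
    return password_replay_ok, first_ok, replay_ok


if __name__ == "__main__":
    print(replay_demo())  # expected: (True, True, False)
```

The server must generate the nonce itself and forget it after one use; if the client were allowed to pick the nonce, an attacker could replay an old (nonce, response) pair exactly as with a password.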

What Dollar Rent A Car now requires from people who rent cars might one day be extended to people who transact on Websites.  Dollar Rent A Car currently makes customers give a thumbprint before handing over the keys, another example of biometrics being used for identification.

"No Thumbprint, No Rental Car," by Julia Scheeres, Wired News, November 21, 2001 --- http://www.wired.com/news/privacy/0,1848,48552,00.html 


For more discussion of the above issues, go to the  document entitled "Opportunities of E-Business Assurance:  Risks in Assuring Risk" at http://www.trinity.edu/rjensen/ecommerce/assurance.htm 

My other electronic Business links are at http://www.trinity.edu/rjensen/ecommerce.htm 


Crime and Justice Data Online --- BJS http://149.101.22.40/dataonline/ 


"Conquering the Security Silos," by Jerry Trites, IS Assurance Blog, April 5, 2011 ---
http://uwcisa-assurance.blogspot.com/


Ten Ways to Reduce Chargebacks and Fraud --- http://www.newmedia.com/default.asp?articleID=3443
Merchants' concern about online credit card fraud and chargebacks is rising at a significant rate. According to the 2001 Online Fraud Report conducted by Mindwave Research, 41 percent of merchants say the issue of online credit card fraud is "very serious" to their business.

Bob Jensen's threads on fraud are at http://www.trinity.edu/rjensen/fraud.htm 

Bob Jensen's e-Commerce threads are at http://www.trinity.edu/rjensen/ecommerce.htm

 

A Special Section on Computer and Networking Security

Comparisons of Antivirus and AntiMalware Software --- http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows


Introduction --- See Below

Top Security Threats of 2013 ---

Social Scams

Big Google Becomes Big Brother

How to track a stolen iPhone

Chinese Water Army

Cloud Security

How to make stolen laptop data useless to thieves

Is your data safe? Survey reveals scandal of snooping IT staff

Protecting security while using a public network in a library, cyber cafe, hotel, or wherever

Viruses and Worms and Malware

Spyware  (and SiteAdvisor)

Cell Phone Records are for Sale 

Identity Theft:  Phishing , Pharming, Vishing, Slurping, and Spoofing
Question
When might you want to run Linux on your Windows computer?
"E-Banking on a Locked Down (Non-Microsoft) PC," by Brian Krebs
http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

Pretexting

Cookies 

Spam Blocking 

Searching Dangers:  Beware of Search Engines

Hacking Into Systems

Security on Public Wireless Networks

Denial of Service Attacks 

Spy Tools:  How safe are unlisted phone numbers?

Forget Big Brother, Now You Are Being Watched by Almost Anybody

Weapons of Information Warfare  

Threads on Firewalls --- Go to  http://www.trinity.edu/rjensen/firewall.htm 

Identity Theft http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

Encryption

New Tech Tools to Combat Fraud

2012 Internet Crime Report
IC3 via FBI, May 14, 2013
http://www.fbi.gov/news/stories/2013/may/internet-crime-in-2012/internet-crime-in-2012

Bob Jensen's Fraud Updates ---
http://www.trinity.edu/rjensen/FraudUpdates.htm

 

The Downside: Psychology of Electronic Commerce and Technology 

Intangibles Accounting Issues --- http://www.trinity.edu/rjensen//theory/00overview/theory01.htm#TheoryDisputes 

Managerial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm 

How Can Technology be Used to reduce Fraud? --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm#Issue7 

ROI Issues --- http://www.trinity.edu/rjensen/roi.htm 

Implications for Auditing and Assurance Services --- 
http://www.trinity.edu/rjensen/ecommerce/assurance.htm
 

Opportunities of E-Business Assurance & Security:  Risks in Assuring Risk --- http://www.trinity.edu/rjensen/ecommerce/assurance.htm 

Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime

The Controversial Electronic Commerce of Education --- http://www.trinity.edu/rjensen/000aaa/0000start.htm

Investor Relations and Internet Reporting   

Education and Training   

Evaluation of Websites 

Search for Internet, e-Commerce, or e-Business Phrases

Top Year 2002 Accounting Technologies 

Bob Jensen's Threads on Electronic Commerce --- 
http://www.trinity.edu/rjensen/ecommerce.htm 

Bob Jensen's Threads on Electronic Commerce in College Curricula --- 
http://www.trinity.edu/rjensen/ecommerce/curricula.htm
 

Accounting Threads




"Prevention Measures to Help Counter E-Commerce Fraud," Deloitte WSJ, February 21, 2014 ---
http://deloitte.wsj.com/cfo/2014/02/21/prevention-measures-to-help-counter-e-commerce-fraud/

Last year, U.S. prosecutors made public a sophisticated, almost “Ocean’s 11-type” scheme involving hackers who were part of an organized cybercriminal network and stole $45 million by penetrating the security of two credit card processors. The swindle compromised only 17 accounts belonging to two banks, with one of the accounts having been robbed of $12 million. Among other illicit actions, the hackers cracked the codes for the processor’s authorization system, set the account balance to infinite and changed security rules so information being sent through the system did not trigger alarms associated with unusual activity or withdrawal limits. The organized crime group kept a small portion of the funds, wiring most of it back to the hacker groups.

Such elaborate and organized hacker schemes are one reason why fraud detection and prevention have been elevated to the C-suite.

“Along with the positive impact of digital commerce comes the risk of fraud to businesses and customers,” explained David Williams, CEO, Deloitte Financial Advisory Services LLP, speaking during a Deloitte webcast, E commerce and Payments Fraud on the Rise: Protection Techniques for Banks and Consumers.

The rising concern about fraud was evident among webcast viewers. Nearly half (47.3%) of more than 2,400 executives and managers responding to an online poll question during the webcast reported that fraud protection ranks as a “high priority” for their organization, with an additional 8% citing fraud protection as their organization’s number one priority.

Continued in article
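The scheme described above worked because the attackers changed the limit rules inside the authorization system itself. The following Python is an added example (not Deloitte's or the prosecutors' material) of the check a practitioner would want in addition: limit rules applied to a copy of the authorization log by a system whose thresholds and balances the compromised rule store cannot reach. The log lines, account names, limits, and reconciled balances are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of withdrawal-authorization records (not real data).
# fields: timestamp, account, amount (USD), city where the withdrawal occurred
SAMPLE_LOG = """\
2013-02-19T21:05:00 ACCT-1 500 Manhattan
2013-02-19T21:07:30 ACCT-1 500 Manhattan
2013-02-19T21:09:12 ACCT-1 500 Brooklyn
2013-02-19T21:10:44 ACCT-1 500 Queens
2013-02-19T21:12:01 ACCT-1 500 Bronx
2013-02-19T21:30:00 ACCT-2 80 Manhattan
2013-02-20T09:00:00 ACCT-2 40 Manhattan
"""

# Thresholds held by the detection system, outside the processor's rule store.
DAILY_LIMIT = 1000            # USD per account per calendar day
MAX_CITIES_PER_HOUR = 3       # distinct cities in any rolling one-hour window
RECONCILED_BALANCE = {"ACCT-1": 1200, "ACCT-2": 300}  # from the last settlement


def parse_log(text):
    """Parse the whitespace-separated records into (datetime, account, amount, city)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, amount, city = line.split()
        records.append((datetime.fromisoformat(ts), acct, int(amount), city))
    return records


def find_anomalies(records):
    """Return (account, reason) pairs. The rules run over the raw log, so they
    fire even if the live system's own limit checks were switched off."""
    alerts = []
    by_acct = defaultdict(list)
    for rec in sorted(records):
        by_acct[rec[1]].append(rec)

    for acct, recs in by_acct.items():
        # 1. Daily total against an independently held limit.
        per_day = defaultdict(int)
        for ts, _, amount, _ in recs:
            per_day[ts.date()] += amount
        for day, total in per_day.items():
            if total > DAILY_LIMIT:
                alerts.append((acct, f"daily total {total} exceeds limit on {day}"))

        # 2. Cumulative withdrawals above the last reconciled balance: the
        #    signature of a balance that was tampered with upstream.
        total_all = sum(r[2] for r in recs)
        if total_all > RECONCILED_BALANCE.get(acct, 0):
            alerts.append((acct, f"withdrawals {total_all} exceed reconciled balance"))

        # 3. Geographic velocity: too many distinct cities within one hour.
        for i, (ts, _, _, _) in enumerate(recs):
            window = [r for r in recs[i:] if r[0] - ts <= timedelta(hours=1)]
            cities = {r[3] for r in window}
            if len(cities) > MAX_CITIES_PER_HOUR:
                alerts.append((acct, f"{len(cities)} cities within an hour of {ts:%H:%M}"))
                break
    return alerts


if __name__ == "__main__":
    for acct, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(acct, reason)
```

The point of the design is separation: the thresholds and the reconciled balances live with the detection job, so changing the processor's security rules, as the attackers did, does not silence these alerts.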


May 20, 2013 Message from Dennis Huber

Read about security research as it happens. Obtain in-depth security information including, research & statistics, white papers, presentations and the latest threat maps that display the most recent data collected by Websense Security Labs.

http://www.antiphishing.org/apwg-news-center/crimeware-map/


How to Protect Yourself Against Online Spying ---
http://getitdone.quickanddirtytips.com/how-to-protect-yourself-against-online-spying.aspx


Big Brother is Watching Your Kid
"Texas Schools Win Right To Track Students With Creepy, Invasive RFID Locators," by Adam Popescu, ReadWriteWeb, January 10, 2013
http://readwrite.com/2013/01/10/texas-schools-win-right-to-track-students-with-creepy-invasive-rfid-locators 

Jensen Comment
I wonder if similar devices will one day be implanted in every child at birth. Think of the good and bad possibilities.

 


"Java Is No Longer Needed. Pull The Plug-In," by Antone Gonsalves, ReadWriteWeb, September 5, 2012 ---
http://www.readwriteweb.com/hack/2012/09/java-is-no-longer-needed-pull-the-plug-in.php

For nearly everyone, it’s time to dump Java. Once promising, it has outlived its usefulness in the browser, and has become a nightmare that delights cyber-criminals at the expense of computer users.

 Java Today

Sun Microsystems released Java in 1995 as a technology for building applications that could run on any platform, including Windows, Macintosh and Linux. In its heyday, major browsers embraced Java for running applets within pages. All anyone needed was a browser plug-in for executing programs.

Today, that plug-in has become a top security risk, along with Adobe Flash. Partly to blame for the problem is Oracle, which acquired Sun and its invention in 2009. The database vendor has heightened the risk by failing to launch timely patches.

The latest security meltdown is a case in point. Despite being warned in April of critical vulnerabilities, Oracle did not get around to releasing an emergency patch until last week, after reports that cyber-criminals were exploiting the flaws. Security Explorations, the Polish firm that first reported the vulnerabilities to Oracle, later said the patch contained a flaw that could be used to circumvent the fix.

The Latest Threats

In the meantime, criminals are having a field day. Atif Mushtaq, security researcher at FireEye, says the number of computers infected with malware exploiting the flaws is growing. As of Tuesday, up to a quarter-million computers had been infected. Hackers are at an advantage because computer users are laggards when it comes to applying Java patches. Up to 60 percent of Java installations are never updated to the latest version, according to security vendor Rapid7.

Over the just-past Labor Day weekend, the SANS Institute’s Internet Storm Center and Websense reported finding separate phishing campaigns trying to lure people to malicious sites capable of exploiting the vulnerabilities. SANS discovered link-carrying emails that copied a recent Microsoft message about service agreement changes. Websense found emails disguised as order verification messages from Amazon.

Security experts rate the latest flaws as critical, because hackers can use them to commandeer a computer and take whatever data they want. Risking that kind of damage for a technology with little purpose makes no sense.

What Security Experts Advise

Security experts are hard pressed to say what Java does for most people. While some online games and business applications need a Java plug-in to run, nearly all modern sites, including Facebook and Twitter, use JavaScript, XML and HTML 5, which run natively in the browser. Therefore, people could happily surf the Web for years without ever running Java.

Those who are using a Java application should run it in a dedicated browser that’s used for nothing else, says Patrik Runald, director of security research at Websense. Another browser should be used for daily Web surfing. “I’ve run a browser with Java disabled for years,” he said.

Supporters once believed that Java would play a significant role in running Web applications. That never happened. Instead, browsers became the operating system for the Web. “(Java) never took off the way it was anticipated,” Runald said.

So the verdict is clear. Disable Java plug-ins in all browsers, whether Firefox, Chrome or Internet Explorer. Java’s glory days are over and it’s time to pull the plug.

Bob Jensen's threads on computer and networking security ---
http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection


"How Cybersleuths Took Down Spam King Grum," by Dan Rowinski, ReadWriteWeb, July 20, 2012 ---
http://www.readwriteweb.com/archives/how-cybersleuths-took-down-spam-king-grum.php

Governments, researchers and private companies are working overtime to root out spam from the Internet. Today brings good news: Grum, a botnet responsible for 18% of all spam, is no more. Here's how a team of crack cybersleuths took down the world's third-largest spammer.

The search-and-destroy stories that surface when a spam botnet is taken down are some of the juiciest to be found in any medium. Botnet takedowns have all the elements of a great plot: a global villain, exotic locales, despicable offenses, dedicated heroes who strive for the good of humanity, and a mystery that takes many steps to uncover. It is "Dick Tracy" meets "Hackers."

Grum was a devious mist of a network with no obvious central structure. The face of a botnet like Grum is a distributed sub-network of command-and-control (CnC) servers. These machines direct an army of zombie underlings, ordinary personal computers that have been infected with malware that takes orders from CnC to churn out spam. Grum marshaled at least 120,000 spam-spewing zombies, according to Spamhaus. The actual number of zombies in the network could have been a lot more.

Grum has been in existence for at least four years, an impressive lifespan for a botnet, according to Atif Mushtaq, senior staff scientist at security company FireEye. Mushtaq, along with Carel van Straten and Thomas Morrison from Spamhaus and Alex Kuzmin from CERT-GIB, tracked down the botnet. An anonymous security researcher who goes by the name Nova7 also helped track down the spammers. Their mission was to discover the CnC servers and systematically take them offline. 

By tracking IP addresses, FireEye and other researchers were able to track Grum to a central CnC location in the Netherlands. The team sent abuse notifications to the Dutch authorities telling them to cut off access to the servers through its Internet Service Provider (ISP). Authorities in the Netherlands acted fairly quickly and Grum's primary hub was taken down.

But Grum was not so easily stopped. Like Hercules battling the Lernaean Hydra, the team cut off one head only to watch two grow in its place. Its Dutch head having been decapitated, the botnet moved its resources to secondary servers in Panama and Ukraine. These servers were more difficult to deal with because ISPs in those countries often look the other way, making them notorious safe havens for botnets. “Shutting down any servers there has never been easy," Mushtaq said.

The sleuths applied pressure until the ISP hosting Grum in Panama shut off access to the botnet. It was a big success for the research team, but the battle was not yet over. 

“After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine," Mushtaq wrote. "I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations. I must say, for a moment, I was stunned. The bot herders replaced the two Dutch servers with six new servers located in Ukraine."

Mushtaq passed this information to the other researchers who then pressured their contacts in Ukraine and Russia to take down these servers. By 11:00 a.m. PST on July 18th, the servers had been taken offline and the battle to destroy Grum was won.

The Battle Against Botnets

For a long while, the primary agents against botnets were governments. These entities could use their power to force ISPs to sever access to CnCs that control the zombie armies. But governments are often not well equipped to do so. Moreover, they act slowly and do not always prioritize campaigns against botnets.

That has changed. In the last several years, the fighting of botnets has become a private-sector effort, with researchers such as those at FireEye leading the charge. Microsoft has also entered the fray. In July 2011, Microsoft offered $250,000 for information leading to the capture and conviction of the individuals responsible for Rustock. This makes sense: Microsoft’s Windows operating system is the most installed computer software in the world. Malicious hackers who launch botnet malware have historically focused on Windows for this reason. It behooves Microsoft to be as proactive as possible in helping track down the people responsible.

Continued in article

September 13, 2012 reply from Jagdish Gangolly

Bob,

It is true that the use of Java applets never did take off as expected. Many started developing Swing applications and server-side scripting instead, to avoid incompatibility problems with applets. Development of languages such as PHP also was a factor. Another factor was the reluctance of companies to relegate any aspect of computing to the browser, coupled with the decreases in hardware costs.

Java remains the language of choice to date, Gonsalves notwithstanding. It is a very safe language, safer than all others I know and have programmed in. It is nowadays the first language that most students study. It is also the language of choice in teaching and in developing industrial applications.

I have taught AIS courses using prolog, C, C++, as well as Java. Java was the language that gave me and the students least headaches. I also have worked with research labs in industry, and Java is the language of choice, and the only language that comes even close is C++.

Mr Gonsalves is mixing up java as a language and java applets as a browser plug-in.

Regards,

Jagdish

 


"Technology 2012 Preview: Part 2 Experts explore hot topics in software, hardware, security, social media and video," by Jeff Drew,  Journal of Accountancy, December 2011 ---
http://www.journalofaccountancy.com/Issues/2011/Dec/20114544.htm

"Technology 2012 Preview: Part 1 Experts explain what should be at the top of your tech wish list for the new year,"  by Jeff Drew,  Journal of Accountancy, November 2011 ---
http://www.journalofaccountancy.com/Issues/2011/Nov/20114310.htm

Bob Jensen's neglected threads on accounting software ---
http://www.trinity.edu/rjensen/Bookbob1.htm#AccountingSoftware

Digital Forensics and Cyber Security Center at the University of Rhode Island ---
http://www.dfcsc.uri.edu/


Stay Safe Online --- http://www.staysafeonline.info/ 


"Endpoint Security is Changing Fast," by Richi Jennings, Computer World, December 14, 2011 ---
http://blogs.computerworld.com/19426/the_endpoint_protection_you_need_in_2012
Thank you Jerry Trites for the heads up ---
http://uwcisa-assurance.blogspot.com/

Sophisticated social engineering techniques for hacking are becoming the norm. And it is moving fast, such that traditional tools don't do the job any more. Advanced Persistent Threat (APT) is one of the manifestations of this trend. It involves sending malware to people disguised in something that is likely to appear to them and to fool them. APT messages are very customized, based on knowledge of a person that is obtained from information available in the internet, through such social media as Facebook and perhaps other sources. They can even follow shortly after a person performs some action, such as paying bills on their bank website. In such a case, they might receive a message that their transaction has failed, or that their account has gone into an overdraft and they should log in (to a bogus account) and verify it. There are countless variations.

Most of us are aware of many of these messages and don't get fooled by them. However, there is a possibility that one variation might be sufficiently relevant that we are fooled, and it might only take once to cause a lot of damage.

Companies are exposed because all of their employees are exposed, and might inadvertently expose corporate assets to theft or damage.

Various solutions are available, many cloud based, that are particularly designed to keep up with the rapidly changing trends in this area. It is imperative to keep up with these tools. Such knee jerk reactions as prohibiting employees from using Facebook and the like just won't work. But some clearly defined and carefully designed policies around the use of corporate computers, resources and IDs are badly needed.

Continued in article


Databuse: Digital Privacy and the Mosaic --- http://www.brookings.edu/papers/2011/0401_databuse_wittes.aspx


"Social Networking Threats to Security," by Jerry Trites, IS Assurance Blog, August 25, 2011 ---
http://uwcisa-assurance.blogspot.com/

This article links to
"Social networking security threats by the numbers," IT World of Canada, August 15, 2011 ---
http://www.itworldcanada.com/news/social-networking-security-threats-by-the-numbers/143741?sub=1520550&utm_source=1520550&utm_medium=top5&utm_campaign=TD+


Question
Don't you wish Microsoft Autorun would've run aground in 1995?

As a feature first introduced way back in Windows 95, Autorun had...well, a pretty good run, particularly considering how long malware has used it as a propagation method. Frankly, I'm surprised that Microsoft kept Autorun as the default option for as long as it did, given the company's Trustworthy Computing security initiative, launched in January 2002 with a memo from Chairman Bill Gates that memorably stated, "When we face a choice between adding features and resolving security issues, we need to choose security."

"What Windows Autorun Has Wrought," by Brian Krebs, The Washington Post, November 3, 2009 ---
http://voices.washingtonpost.com/securityfix/2009/11/what_windows_autorun_hath_wrou.html?wprss=securityfix

In its latest "Security Intelligence Report," Microsoft counted the number of threats detected by its anti-malware desktop products, and found that the Conficker worm, along with a Trojan horse program called Taterf which steals passwords and license keys for popular computer games, were detected on 5.21 million and 4.91 million Windows computers, respectively.

The original version of Conficker emerged nearly a year ago, and initially it spread by exploiting a networking vulnerability in Windows. But Conficker infections soared by the millions in January with the arrival of Conficker B, which introduced the ability to spread via the Autorun capability in Windows. Taterf spreads exclusively via Autorun.

Together, these two threats accounted for more than 35 percent of the top 10 malicious software infections in the first six months of this year, Microsoft found (click the chart below for a breakdown of those threats). According to the previous Security Intelligence Report, more than 17 percent of infections in the second half of 2008 were by malware that can spread via AutoRun.

In April, after the third version of Conficker became front-page news and even fodder for a feature story on 60 Minutes, Microsoft announced that its AutoPlay function would no longer support AutoRun for USB drives. Autorun is disabled for USB drives in Windows 7 (the new OS still automatically plays any inserted CDs and DVDs). In late August, Microsoft released a patch that similarly disables Autorun on Windows XP, Vista, Windows Server 2003 and Server 2008 systems.

However, this patch does not appear to have been pushed out through Microsoft's Automatic Updates or Windows Update, so if you'd like to install it, you'll need to visit this link and download the appropriate version for your operating system. Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB thumb drives. Wilders Security Forum has a nice writeup on this patch, and offers some harmless sample code to test whether your Windows box has this feature enabled.


On a more positive note, Microsoft found that the number of infections associated with rogue security software fell to 13.4 million in the first six months of this year, down from 16.8 million in the latter half of 2008. Microsoft also tracked a tenfold decrease in infections from Zlob, a Trojan that masquerades as a video player plug-in. Redmond said Zlob infections fell from 21.1 million at its peak in 2007 to 2.3 million in the first half of 2009.

The key findings from Microsoft's Security Intelligence Report Version 7 are available here (PDF).
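As an added example (not from Krebs' article or the Wilders Security Forum post it mentions), the Python below parses an autorun.inf the way a removable-media scanner would, lists every program the file would launch, and decodes the NoDriveTypeAutoRun registry mask that Windows uses to suppress AutoRun per drive type. The two autorun.inf samples and the file name RECYCLER\update.exe are constructed for the example; the bit layout follows Microsoft's documented NoDriveTypeAutoRun value, in which each set bit disables AutoRun for the drive type GetDriveType returns at that bit position.

```python
import re

# Constructed sample in the style malware of the Conficker era wrote to
# removable drives (not a real sample): it launches an executable on insert
# and also hijacks the Explorer "Open" verb so a double-click runs it too.
MALICIOUS_INF = """\
[AutoRun]
;comment lines are ignored
open=RECYCLER\\update.exe
shell\\open\\command=RECYCLER\\update.exe
shellexecute=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Constructed benign sample: a product CD that only sets an icon and label.
BENIGN_INF = """\
[autorun]
icon=setup.ico
label=Product CD
"""

# NoDriveTypeAutoRun bit for each GetDriveType result; a set bit disables AutoRun.
DRIVE_TYPE_BITS = {
    "DRIVE_UNKNOWN": 0x01,
    "DRIVE_NO_ROOT_DIR": 0x02,
    "DRIVE_REMOVABLE": 0x04,
    "DRIVE_FIXED": 0x08,
    "DRIVE_REMOTE": 0x10,
    "DRIVE_CDROM": 0x20,
    "DRIVE_RAMDISK": 0x40,
    "RESERVED": 0x80,
}

LAUNCH_KEYS = ("open", "shellexecute")  # keys that run a program automatically


def parse_autorun_inf(text):
    """Minimal INI parser for autorun.inf: returns {section: {key: value}}.
    Section names and keys are lower-cased; comments and lines before the
    first section are skipped, matching how Windows tolerates junk in the file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(inf):
    """Every program the file would run: open=, shellexecute=, and any
    shell\\<verb>\\command= entry (the verb hijack Explorer honours on
    double-click, which is why it is listed separately from open=)."""
    auto = inf.get("autorun", {})
    targets = []
    for key, value in auto.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def autorun_allowed(drive_type, no_drive_type_autorun):
    """True if AutoRun still fires for this drive type under the given mask."""
    return not (no_drive_type_autorun & DRIVE_TYPE_BITS[drive_type])


if __name__ == "__main__":
    print(launch_targets(parse_autorun_inf(MALICIOUS_INF)))
    print(launch_targets(parse_autorun_inf(BENIGN_INF)))
    for mask in (0x91, 0xFF):
        print(hex(mask), "removable:", autorun_allowed("DRIVE_REMOVABLE", mask),
              "cdrom:", autorun_allowed("DRIVE_CDROM", mask))
```

A mask such as 0x91 (unknown, remote, and reserved types) still lets removable drives and CDs run autorun.inf, which is exactly what Conficker B and Taterf relied on; 0xFF suppresses every drive type. A scanner that only checks for open= misses the shell\open\command= hijack, so both are reported here.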

 


Questions that have stumped the experts at Snopes --- http://www.snopes.com/humor/question/requests.asp


Apple is Slow When Patching Security Flaws

Six months may seem like a long time to address a particularly dangerous vulnerability, but it's about par for the course with Apple and its record on patching Java flaws. I have reviewed the last three Java updates that Apple shipped during the past 18 months, and found that Apple patched Java flaws on average about 166 days after Sun had shipped its own patch to fix the same vulnerabilities.
Brian Krebs, "Apple Slow To Fix Java Flaws," The Washington Post, May 22, 2009 --- Click Here


Internet Fraud Prevention Helpers from the Federal Trade Commission
OnGuard Online --- http://www.onguardonline.gov/default.aspx

Federal Trade Commission (Then and Now) --- http://www.ftc.gov/index.html

Bob Jensen's fraud prevention helpers --- http://www.trinity.edu/rjensen/FraudReporting.htm


Introduction to Security Edition 7, by Robert J. Fischer and Gion Green (Elsevier, 2004)
Note that this link provides a very generous preview --- Click Here
Parts of it can be read free of charge by students and other readers.


Question
What are some of the pop-up advertisements to avoid at all times?
What Bob Jensen found out the hard way: legitimate malware removers often fail to permanently delete an adware Trojan!

"How to Stop Operating-System Attacks: Ads for DriveCleaner, WinFixer, Antivirus XP, Antivirus 2009 and others pop up on PCs all the time, but the software may be fraudulent or ineffective. Also: Mac users need security updates, too," by Andrew Brandt, PC World via The Washington Post, January 29, 2009 --- http://www.washingtonpost.com/wp-dyn/content/article/2009/01/27/AR2009012701528.html?wpisrc=newsletter&wpisrc=newsletter

A legitimate malware remover--one that independent testing has objectively demonstrated to be effective--should be able to deal with the immediate problem of an adware program that won't let you remove it. Check your security software to see if it will do the trick. But the real fix may be concerted government action: Late last year the Federal Trade Commission asked a federal court to stop some perpetrators of this type of scam. It may be that prison terms or massive fines are the only useful deterrents.

Putting a condom around the computer also does not help!

Learn the fundamentals of the game and stick to them. Band-aid remedies never last.
Jack Nicklaus as quoted by Mark Shapiro at http://irascibleprofessor.com/comments-01-12-09.htm

My Recent Saga With Malware
Since viruses vary in terms of how difficult they are to disinfect from your computer, some of the remedies that failed for my deep-seated infections may not fail in all instances. In my case I had to give up and rebuild the hard drive, which is tantamount to getting a new computer.

I tried a number of different software downloads (some free and some fee-based) to rid my computer of infections that kept returning even when my main computer was disconnected from any network. Some of the disinfectants worked, but they also created more problems than the malware itself.

In the end I gave up and had the hard drive cleaned and started over with the same hardware and re-installed software. I suspect the problem is that I just don't know enough fundamentals of the game when it comes to disinfecting malware from the system, although the pros tell me that some malware just cannot be disinfected without cleaning out (called rebuilding) the entire hard drive and starting over. That's like killing the patient to rid her of chronic headaches. Sometimes the bad guys win. Sigh!

In my case I think I got the infection from a site that pretends to improve computer efficiency and security. Since I can't be certain, the site will remain anonymous. I'm told the most dangerous sites to visit include gambling sites, porn sites, and computer protection sites from sources other than trusted sources. Except when a computer-protection site is recommended by a trusted magazine like PC Magazine, a trusted newspaper like the tech section of The Washington Post, or trusted friends like your employer's tech support team, don't go there and most certainly don't download anything from that site even though it promises improved computer security and efficiency. Remember that some bad guys put up Web documents claiming some downloads are safe when in fact they are not at all safe. Don't trust all Google or Yahoo hits in this regard. The bad guys have Web documents and YouTube videos that lie big time.

Google searches can be hazardous to your computer's health. Of course there's a gray zone where I think taking chances is necessary to scholarship. Be more cautious about downloading files than about merely visiting a site. Also, some types of download files are more dangerous than others.

Don't be led into complacency that your anti-virus shields stop all the serious bad stuff. Wikipedia has a pretty good module on computer security --- http://en.wikipedia.org/wiki/Computer_security

I think my next new computer will be a Mac where computer and networking security is enormously better than PCs operating under Windows, but certainly Mac security is not perfect. The most popular Mac browser, Safari, has had some known security problems in the past. Before buying a Mac I will further investigate the current Safari risks. Fortunately Firefox makes a browser version for Mac computers. Unfortunately I will still mostly use a Windows machine since my Web servers, LAN servers, and email server are all at Trinity University. The Trinity University network service is only Windows-friendly. And I can only get Trinity's free and excellent tech support for a Windows computer.

In my case it's not the cost of a new computer that frustrates me. What frustrates me is that all the installed software must be dug out of my barn or repurchased. Training a new computer is even more frustrating than training a new puppy.

By Comparison, My Malware Problems are Rather Insignificant
Tens of millions of credit cards could be at risk of fraudulent use thanks to a serious computer-security breach at financial-transactions company Heartland Payment Systems. Earlier this week, Heartland revealed that a piece of malicious software, apparently installed inside the company's transaction-processing system last year, had compromised credit-card data as it crossed the network. The breach was announced on Tuesday--the day of the U.S. presidential inauguration--and, according to some experts, it shows that attackers are successfully defeating the financial industry's tough computer-security rules. "The potential is certainly there for this to be one of the biggest, if not the biggest breach we've seen," says Rich Mogull, founder of computer-security consulting company Securosis. "Something huge had to have gone wrong here." It's not clear precisely what kind of malicious software was used, or how many credit-card accounts were compromised. But company president Robert Baldwin has said that Heartland handles as many as 100 million transactions per month.
John Borland, "Malware Swipes Millions of Credit Cards A security breach shows failings in security rules," MIT's Technology Review, January 22, 2009 --- http://www.technologyreview.com/computing/22007/?nlid=1714&a=f


Engaging Privacy and Information Technology in a Digital Age --- http://books.nap.edu/catalog.php?record_id=11896 


Remember those trackers who rode ahead of the posses of the wild west?

"How Do I Track My Kid's Surfing? Tammy Setzer wants a way to keep her children from deleting their Web browsing history," by Lincoln Spector, PC World via The Washington Post, May 5, 2009 --- Click Here

The browsers, like Internet Explorer and Firefox, won't let you do that. In fact, they're going in the opposite direction. They're adding features to help users cover their tracks. (I discuss these tools in Selectively Delete Some of Your Browsing History.) That's wonderful for adults, but it's problematic if you need to protect your children.

What you need is child protection software--a program that will operate in the background, keeping track of what your kids are doing, blocking stuff you want blocked, and reporting back to you.

Before I recommend a program, I want to discuss the best way to use such software. I'm writing this not as a technical expert, but as a father with a grown son and two teenage daughters.

If you tell your children that you're going to monitor their Internet access, they're going to hate you for it (at least temporarily). But if you don't tell them, it will be far, far worse when they finally find out. It's best to be open with them, weather the storm, and seriously listen to their objections. Let them be part of the decision-making process about what will and will not be allowed, even though you, of course, must retain the last word.

And tracking their surfing habits makes more sense than blocking sites. If they know that you can see every site they visit, they'll learn to make wise choices, and isn't that what this is all about?

I recommend a brand-new program from Symantec called OnlineFamily.Norton, in large part because it encourages feedback between parents and children. It won't even let you hide the fact that you're spying on them. If they visit a site that falls into a category you object to (last I counted there were 47 categories), they will be told why they can't visit that site, and they'll get an opportunity to write you about it. You can block sites in the undesirable categories, merely monitor them, or have Online.Family warn the kids then allow them to proceed.

Online.Family can also block certain searches, monitor instant messaging, and control how much time your children spend on their computers. That last one is important. Too much time on a computer can be worse for a child than what they do on it.

The actual program is quite small, and runs in the background on your child's PC. You can monitor their activity from the Online.Family Web site, or be alerted to problems via e-mail.

OnlineFamily.Norton is free through the end of the year. Symantec isn't saying what it will cost after that. I suspect they'll charge for it as an ongoing service, rather than a one-time purchase.

Bob Jensen's technology bookmarks are at http://www.trinity.edu/rjensen/Bookbob4.htm

 


Also see http://www.google.com/search?hl=en&lr=&q=parental+control+software

"Keeping Kids Safe Online," by Johanna Ambrosio, InformationWeek Newsletter, March 15, 2006

I'm no expert, but I am a parent of three teenagers who, thankfully, have been safe so far. My reaction to the news about Microsoft jumping into the monitoring space with a free tool to be available this summer is that it sounds great, but I hope parents realize that the use of any monitoring software isn't by itself enough to guarantee kids' safety.

I think anyone in the computer industry already knows this and certainly understands the dangers that lurk. But I worry there may be some parents who too readily trust a tool to take the place of their (human) care and concern. Parents must still be parents, and older teens especially must be made aware of their responsibility in this, too. With great freedom comes great personal responsibility, both online and offline, and kids need the adults in their lives to both explain and model this.

We've certainly been lucky, and we've done some things to help. (For the fuller story, please check out my blog entry.)


"Human error and criminal cleverness still beating data security," AccountingWeb, September 2007 ---
http://www.accountingweb.com/cgi-bin/item.cgi?id=104033


"Tech Special Report," Business Week, June 13, 2007 --- Click Here

Phisher Kings Court Your Trust
Computer-based fraudsters are finding new ways to trick people -- not technology -- to get the information they seek

What I Learned at Hacker Camp
It's easy to create malicious code, penetrate firewalls, and steal personal and financial information. "Ethical hacker" Andrew Whitaker can show you how

A Guide to PC Security Products
Slide show: Concerned about your computer, but confused about how to keep it safe? Here's a look at some helpful hardware and software

This Bug Is Nasty, Brutish, And Sneaky
Cyberthieves have raised the stakes with a clever new program almost immune to detection

Stopping a Scam from Spreading
Thwarted by bigger banks, ID thieves are taking aim at smaller financial institutions. One credit union provides a model for fighting back

Dazed and Confused: Data Law Disarray
A profusion of legislation regarding privacy and data breaches puts businesses in a bind and consumers at risk

Gator is Dead. Long Live Claria
The company that annoyed countless Net surfers with its adware is reinventing itself with a new custom portal service


"The 25 Worst Web Sites," by Dan Tynan, PC World, September 21, 2006 --- http://www.pcworld.com/article/id,127116/article.html

  • People say hindsight is 20/20. When it comes to the Web, hindsight is more like X-ray vision: In retrospect, it's easy to see what was wrong with dot coms that tried to make a business out of giving stuff away for free (but making it up later in volume), or to make fun of venture capitalists who handed millions to budding Web titans who had never run a lemonade stand before, let alone an enterprise.

    It's so easy, in fact, we can't help doing it ourselves. So as venture capitalists scramble to throw money at anything labeled Ajax or Web 2.0, and Web publishing becomes so simple that anyone with a working mouse hand can put up a site, we offer our list of the 25 worst Web sites of all time.

    Many of our bottom 25 date from the dot-com boom, when no bad idea went unfunded. Some sites were outright scams--at least two of our featured Net entrepreneurs spent some time in the pokey. Others are just examples of bad design, or sites that got a little too careless with users' information, or tried to demand far too much personal data for too little benefit.

    And to prove we're not afraid to pick on somebody much bigger than us, our pick for the worst Web site may be the hottest cyberspot on the planet right now.

    Feel free to start at the bottom and work your way up, or jump ahead and read about the worst of the worst.



    Center for Systems Security and Information Assurance --- http://www.cssia.org/


    NetVeda Safety.Net 3.62 --- http://www.netveda.com/consumer/safetynet.htm

    The idea behind the NetVeda Safety Net application is a simple one: to allow users to control access to certain websites on their computer and to maintain firewall protection in the process. Users of the application can define user access based on the time of day and for content, if they so desire. As might be expected, the application also contains privacy controls that block the sending of personal information and that can also generate activity reports. This version is compatible with all computers running Windows 95 and newer.

     


    "Laptop Security, Part 2:  Tips on protecting your data, should fate--or a criminal--separate you and your notebook," by James A. Martin, PC World via The Washington Post, June 9, 2006 --- Click Here

    My guess is that your notebook is worth several thousand dollars. I'd also guess that the data stored on it is worth much, much more--and that you'd be entering a world of woe if your notebook were stolen or lost.

    Last week I offered tips on how to protect and physically secure your notebook when you're out of the office. This week, I've got tips on protecting your data, should fate--or a criminal--separate you and your notebook.

    Windows XP gives you the option of requiring a user password to log on. Though certainly far from bulletproof, a relatively complex password provides more protection than none at all.

    A complex password includes upper- and lowercase letters, numbers, and one or more special characters. For example, suppose your name is Pat. You wouldn't use "Pat" as your password, would you? (You would? My, aren't we feeling lucky?) A better password would be something not easily identified with you.

    The more complex your password, the more difficult it is to crack--and, potentially, for you to remember. Don't make your password so complex you can't remember it. Or, if you must store your passwords, keep them somewhere safe. Some software programs for PCs and PDAs give you the ability to manage and secure passwords. One example: DataViz's Passwords Plus ($30), which lets you manage and secure passwords on your notebook as well as your Palm OS PDA.

    To create a password for your account in Windows XP, go into Control Panel, then open User Accounts. Select the account you want to protect with a password and click the "Create a password" button.

    For more about passwords, read Scott Dunn's June " Windows Tips ."

    Some laptops now come equipped with biometric fingerprint scanners, as an alternative or enhancement to Windows password-protection. For more on this, see number 3, below.

    Another option is to encrypt any files on your notebook that contain sensitive data, such as customer Social Security numbers. (Of course, as I said last week, it's best not to place any sensitive data on a mobile system.)

    In essence, encryption scrambles data into code that only an authorized user can access. However, encrypting files, or your entire drive, can be time-consuming, slow system performance, and increase the likelihood you'll lose access to the data.

    Windows XP Professional (but not XP Home) includes an option that lets you encrypt files on an NTFS-formatted hard drive. After encrypting a file, you can open it just as you would any file or folder. However, someone who gains unauthorized access to your computer cannot open any encrypted files or folders.

    To encrypt a folder in Windows XP Professional, right-click it in Windows Explorer, choose Properties, click Advanced, select the "Encrypt contents to secure data" check box, and click OK twice. In the Confirm Attribute Changes dialog box, do one of the following: To encrypt only the folder, click "Apply changes to this folder only," and click OK; to encrypt the folder contents as well as the folder, click "Apply changes to this folder, subfolders, and files," and click OK.

    Continued in article


    "First-Ever Virus Hits Mac OS X:  There are many signs that Apple computers are finally becoming vulnerable to Internet-based viruses and other attacks," MIT's Technology Review, May 2, 2006 --- http://www.technologyreview.com/read_article.aspx?id=16758

    Benjamin Daines was browsing the Web when he clicked on a series of links that promised pictures of an unreleased update to his computer's operating system.

    Instead, a window opened on the screen and strange commands ran as if the machine was under the control of someone else. Daines was the victim of a computer virus.

    Such headaches are hardly unusual on PCs running Microsoft Corp.'s Windows operating system. Daines, however, was using a Mac -- an Apple Computer Inc. machine often touted as being immune to such risks.

    He and at least one other person who clicked on the links were infected by what security experts call the first-ever virus for Mac OS X, the operating system that has shipped with every Mac sold since 2001 and has survived virtually unscathed from the onslaught of malware unleashed on the Internet in recent years.

    ''It just shows people that no matter what kind of computer you use you are still open to some level of attack,'' said Daines, a 29-year-old British chemical engineer who once considered Macs invulnerable to such attacks.

    Apple's iconic status, growing market share and adoption of the same microprocessors used in machines running Windows are making Macs a bigger target, some experts warn.

    Apple's most recent wake-up call came last week, as a Southern California researcher reported seven new vulnerabilities. Tom Ferris said malicious Web sites can exploit the holes without a user's knowledge, potentially allowing a criminal to execute code remotely and gain access to passwords and other sensitive information.

    Ferris said he warned Apple of the vulnerabilities in January and February and that the company has yet to patch the holes, prompting him to compare the computer maker to Microsoft three years ago, when the world's largest software company was criticized for being slow to respond to weaknesses in its products.

    ''They didn't know how to deal with security, and I think Apple is in the same situation now,'' said Ferris, himself a Mac user.

    Apple officials point to the company's virtually unvarnished security track record and disputed claims that Mac OS X is more susceptible to attack now than in the past.

    Apple plans to patch the holes reported by Ferris in the next automatic update of Mac OS X, and there have been no reports of them being exploited, spokeswoman Natalie Kerris said. She disagreed that the vulnerabilities make it possible for a criminal to run code on a targeted machine.

    In Daines' infection, a bug in the virus' code prevented it from doing much damage. Still, several of his operating system files were deleted, several new files were created and several applications, including a program for recording audio, were crippled.

    Behind the scenes, the virus also managed to hijack his instant messaging program so the rogue file was blasted to 10 people on his buddy list.

    ''A lot of Mac users are in denial and have blinders on that say, 'Nothing is ever going to get to us,''' said Neil Fryer, a computer security consultant who works for an international financial institution in Britain. ''I can't say I agree with them.''

    Continued in article


    Video Tutorials

    Protecting Your PC --- Digital Duo --- http://www.pcworld.com/digitalduo/video/0,segid,35,00.asp


    A ray of hope for the new Internet Explorer
    Firefox may still be better at repelling spyware

    "Internet Explorer 7.0 makes waves," PhysOrg, March 1, 2006 --- http://www.physorg.com/news11306.html

    After winning the browser wars and vanquishing its chief competitor, Netscape, the folks at Microsoft decided it was time to take a break from improving its industry standard browser. Without competition the company felt that there was no need to release any new updates. But an upstart open-source group funded in part by Mozilla (the same folks who originally created Netscape) created a new browser called "Firefox" that sparked the brand-new browser wars. While the folks at MS won't admit that Firefox spurred them into action, it's hard to deny that the new beta release of Internet Explorer 7.0 doesn't have more than a passing resemblance to the Firefox browser.

    "Microsoft welcomes competition because it drives innovation which benefits customers. That's a good thing," said a spokesperson for Microsoft. "Ultimately, customers will choose the browser that best meets their needs, and we are confident that most will continue to use Internet Explorer when they evaluate factors such as end-user functionality, site and application compatibility, developer extensibility, enterprise manageability, and security backed by the processes and engineering discipline employed by Microsoft."

    Maybe it's the new interface, or the fact that it's been over three years since the last major release of I.E., but the new version just "feels" different and fresh. It could be the idea that MS has finally added tabbed browsing to Explorer -- one of the key features that made me go with and stick with Firefox -- I always felt Explorer was the better browser, but I became addicted to my precious tabs. Another nice addition to I.E. 7.0 is that it now handles bookmarks (or as I.E. calls them, "favorites") the same way Firefox does. Instead of exporting all of your bookmarks as individual folders, I.E. now places everything into a single HTML index file, which can be imported into Firefox, and you can now import Firefox bookmarks into I.E., which makes moving between both browsers painfully simple.

    "I.E. 7.0 is the right product, though late in the market. This demonstrates Microsoft's approach to the Internet browser market as being more laid back and reactionary rather than leading the development of new features," said Razvan Neagu, president and chief executive officer of KOMOTION Inc., developer of Web Gallery Wizard.

    One of the major complaints about I.E. has been its lack of compliance with Web standards. Part of the problem is, as stated before, that it's been three or four years since there was a major release of I.E., and in that time Web development standards have progressed exponentially. While playing around with I.E., I noticed that some Web sites didn't display properly in the new release, while they displayed perfectly fine in the current version. I'm hoping against hope that these are isolated incidents and not a sign of the future, and an indication that 7.0 still has a way to go to be completely standards based.

    A spokesperson for Microsoft said "The IE7 beta 2 preview for Windows XP, which was released to Windows XP testers on 1/31, is considered feature complete. We do however expect to continue development work based on tester feedback and expect to do additional design work and enhancements to application compatibility and fit and finish. At this point we are targeting to release the final product in the second half of 2006."

    Another main draw of the new version of I.E. is all of the new built-in security features, starting with its new anti-"phishing" filter. The new trend in e-mail spam is for scam artists to create fake websites that resemble popular sites like eBay, PayPal, etc. in an attempt to get users to submit their personal account information. I.E. 7.0's anti-phishing filter successfully warned about and blocked these sites from showing up. While this is a fantastic new feature, it has a major drawback: the validity of Web sites appears to be based on whether or not a site has a valid SSL Certificate, and you would be surprised at the number of websites that don't have these certifications. Eventually, I had to deactivate the filter, although you can change the settings in the tools menu.

    "IE's top priority is security. While we made great progress with support for CSS 2.0, we knew that we would have to trade off full compatibility with CSS 2.0 for additional work on security," added the Microsoft spokesperson. "We will not pass CSS 2.0, but certainly will evaluate doing that in the future."

    Other new security features include ActiveX Opt-In. This is a malware protection feature that disables nearly all pre-installed ActiveX Controls, and helps prevent potentially vulnerable controls from being exposed to attack. Users can easily enable or disable ActiveX Controls as needed through the Information Bar and the Add-on Manager. Cross-domain script barriers. This feature limits the ability of Web page script to interact with content from other domains or windows to help users keep their personal information out of potentially malicious hands. This new safeguard further protects users against malware by limiting the potential for malicious Web sites to manipulate flaws in other Web sites, or cause users to download undesired content or software onto their PCs.

    International Domain Name Anti-Spoofing. In addition to adding support for International Domain Names in URLs, Internet Explorer 7.0 also notifies the user when similar characters in the URL are not expressed in the same language -- even when the characters look similar across several languages -- thus helping protect the user against sites that would otherwise appear as a known trustworthy site.

    When a new version of I.E. is released everyone has to take notice; its impact on Web development and business owners can't be underestimated.

    "Business strategy always needs to take into account market forces and competitive threats; so, the direction that Microsoft takes is very important," said Neagu. "Unless you're a 100-pound gorilla yourself, you don't want to compete directly with Microsoft. So, there are really two strategies. You can either add value to the marketplace by working with their products, or you must make sure you're in a space that is either small enough or removed enough from Microsoft's strategic interests so that you minimize the possibility of conflict.

    "With our product, Web Gallery Wizard, we maximized both of these strategies. We took advantage of Microsoft's solid .Net framework for rapid development, and we targeted digital photo enthusiasts offering functionality which is underserved by the big players in the market."

    Continued in article
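    The mixed-script check that the PhysOrg excerpt above attributes to Internet Explorer 7.0, written out as an added Python example (this is not code from the article or from Microsoft): each hostname label, including xn-- Punycode labels, is decoded and flagged when its letters come from more than one script. The script table, the label decoder and the sample hostnames are constructed for this illustration, and the check is a heuristic that does not catch a label written entirely in one look-alike script.

```python
import unicodedata

# Scripts this heuristic distinguishes; anything else is lumped under "OTHER".
# Digits and hyphen-minus are script-neutral and never cause a mismatch.
KNOWN_SCRIPTS = {
    "LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
    "DEVANAGARI", "THAI", "HANGUL", "HIRAGANA", "KATAKANA", "CJK",
}


def script_of(ch: str) -> str:
    """Coarse script name for one character, derived from its Unicode name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'); 'COMMON' for digits and '-'."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    first = name.split(" ", 1)[0] if name else ""
    return first if first in KNOWN_SCRIPTS else "OTHER"


def decode_label(label: str) -> str:
    """Decode an xn-- (Punycode) label to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed Punycode: inspect the raw label instead
    return label


def label_scripts(label: str) -> set:
    """Set of scripts used by the letters of one hostname label."""
    return {s for s in map(script_of, label) if s != "COMMON"}


def mixed_script_labels(hostname: str) -> list:
    """Return the decoded labels of hostname whose letters come from more
    than one script, i.e. the cases the IE7 warning described above covers."""
    flagged = []
    for raw in hostname.rstrip(".").split("."):
        label = decode_label(raw)
        if len(label_scripts(label)) > 1:
            flagged.append(label)
    return flagged


if __name__ == "__main__":
    # Constructed samples: the second spells "paypal" with a Cyrillic small a
    # (U+0430) in place of the Latin a; the third is all-Cyrillic and so passes.
    samples = [
        "paypal.com",
        "p\u0430ypal.com",
        "\u044f\u043d\u0434\u0435\u043a\u0441.\u0440\u0444",
    ]
    # The same look-alike label in its on-the-wire Punycode form.
    samples.append(samples[1].encode("idna").decode("ascii"))
    for host in samples:
        print(host, "->", mixed_script_labels(host) or "single-script")
```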


    Video Guide To Securing Your Computer

    I wanted to call attention to a new resource on washingtonpost.com for people who need a little help getting started in securing their computers. We produced a series of "screencasts" or video guides demonstrating some of the basic steps users need to take to stay safe online, including brief primers on choosing and using firewall and anti-virus software, downloading and installing the latest Microsoft Windows patches, and taking advantage of free anti-spyware tools.

    These videos are by no means definitive guides, but I hope they will be of some use to those who find themselves completely intimidated by computer security.
    Brian Krebs, "Video Guide To Securing Your Computer," The Washington Post --- http://blogs.washingtonpost.com/securityfix/2005/05/video_guide_to_.html?referrer=email


     


    Video Tips of the Week for Windows XP

    Enabling the Internet Firewall --- http://channels.lockergnome.com/windows/videotips/1/
    Customizing the Window Taskbar --- http://channels.lockergnome.com/windows/videotips/2/
    Disabling Windows Messenger Service (to reduce spyware) --- http://channels.lockergnome.com/windows/videotips/3/
    Sending E-mail from a Different Address --- http://channels.lockergnome.com/windows/videotips/4/
    Managing Windows Updates --- http://channels.lockergnome.com/windows/videotips/5/
    Selecting a Different Image Viewer --- http://channels.lockergnome.com/windows/videotips/6/
    Logging Security Events --- http://channels.lockergnome.com/windows/videotips/7/
    Using Remote Desktop --- http://channels.lockergnome.com/windows/videotips/8/
    Exploring With Process Explorer --- http://channels.lockergnome.com/windows/videotips/9/
    Defragging With Task Scheduler --- http://channels.lockergnome.com/windows/videotips/10/
    Killing Spyware With Spybot --- http://channels.lockergnome.com/windows/videotips/11/
       Also see (you can change the video number at the end to go to video1, video2, etc.)
       http://www.homenetworkhelp.info/popup.php?popup=podcast-2005-06-11-spyware-video1
    Managing .Net Passports With Windows XP --- http://channels.lockergnome.com/windows/videotips/12/
    Managing E-mail With Outlook Rules (guard against spam) --- http://channels.lockergnome.com/windows/videotips/13/
    Exploring Windows XP Security Center --- http://channels.lockergnome.com/windows/videotips/14/
    Windows XP Firewall Helper Video --- http://channels.lockergnome.com/windows/videotips/15/
    Internet Explorer's Add-On Manager --- http://channels.lockergnome.com/windows/videotips/16/
    Internet Explorer's Popup Blocker --- http://channels.lockergnome.com/windows/videotips/17/

    The FBI's Internet Fraud and Complaint Center (IFCC FBI) --- Report Internet frauds and crimes here.
    To thwart fraud on the Internet and terror in general, check in and/or report to http://www1.ifccfbi.gov/index.asp

    National Infrastructure Protection Center (NIPC) --- Report infrastructure security incidents here.
    Located in the FBI's headquarters building in Washington, D.C., the NIPC brings together representatives from U.S. government agencies, state and local governments, and the private sector in a partnership to protect our nation's critical infrastructures.
    http://www.nipc.gov/
     

    Computer Emergency Response Team (CERT) --- Report computer invasions and viruses here.
    The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. We study Internet security vulnerabilities, handle computer security incidents, publish security alerts, research long-term changes in networked systems, and develop information and training to help you improve security at your site.  http://www.cert.org/

    Center for Systems Security and Information Assurance --- http://www.cssia.org/

    Stay Safe Online --- http://www.staysafeonline.info/

    Bob Jensen's threads on Identity Theft --- http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

    Pop Up Blocker --- http://www.synergeticsoft.com/

    Recommended Reading:  Getting Smart About Information Security
    Bruce Schneier, founder and chief technical officer of Counterpane Internet Security Inc., has spent much of his career educating people about digital security. His book, Secrets and Lies: Digital Security in a Networked World, serves as a non-technical introduction to the full, messy complexity of digital security.
    "Recommended Reading:  Getting Smart About Information Security," The Wall Street Journal, July 18, 2005; Page R2 --- http://online.wsj.com/article/0,,SB112060620712177906,00.html?mod=todays_us_the_journal_report

    Information Warfare Weapons --- http://www.trinity.edu/rjensen/acct5342/infowar.pdf

    The World Wide Web Security FAQ ---  http://www.w3.org/Security/Faq/www-security-faq.html

    Trinity students may access this at
    J:\courses\ACCT5342\readings\WWWsecurity\The WWW Security FAQ.htm

    CIAC Notes
    http://www.alw.nih.gov/Security/CIAC-Notes/CIAC-Notes-01.html
    http://www.alw.nih.gov/Security/CIAC-Notes/CIAC-Notes-02.html

    2005 Anti-Virus product comparison guide ---
    http://www.tips-it.com/product.php?x_user_number=305788&pid=13&smb=1&emailid=WNN081605


    All you have to do is open the message, nothing else
    Microsoft's Newest Bug Could Be Awful, Researcher Says

    Forget the WMF problems; the really big issue could be with the flaw in Outlook and Exchange that Microsoft disclosed on Tuesday. All that's required to exploit this is an e-mail message.
    Gregg Keizer, "Microsoft's Newest Bug Could Be Awful, Researcher Says," InformationWeek, January 11, 2006 ---  http://www.informationweek.com/story/showArticle.jhtml?sssdmh=dm4.163111&articleID=175803695
    "What I find bizarre is that there's still all this focus on the WMF [Windows Metafile] bug," said Mark Litchfield, the director of NGS Software, a U.K.-based security company, and one of the two researchers credited by Microsoft with the discovery of the TNEF (Transport Neutral Encapsulation Format) vulnerability.

    "This one has massive financial implications if someone exploits it," Litchfield said.

    The TNEF vulnerability, which Microsoft spelled out in the MS06-003 security bulletin, is a flaw in how Microsoft's Outlook client and older versions of its Exchange server software decode the TNEF MIME attachment. TNEF is used by Exchange and Outlook when sending and processing messages formatted as Rich Text Format (RTF), one of the formatting choices available to Outlook users.

    "All that's required to exploit this is an e-mail message," said Litchfield. No user interaction is needed to compromise an Exchange 5.0, 5.5, or 2000 server; all that's necessary is to deliver a maliciously-crafted e-mail to the server.

    It's that characteristic, as well as the ease with which an attack could spread, that has Litchfield so worried.

    "You could take over an Exchange server with a single, simple e-mail," he said. "From there you could target all the clients accessing that server. You would 'own' any Outlook client that connects to that server. Then an attacker could grab the Outlook users' address books.

    Continued in article

    "Unknown Attacks: A Clear and Growing Danger,"  by Secure Computing, InformationWeek, January 2006 --- http://snipurl.com/UnknownAttacks 

    More on security threats and hoaxes --- http://www.trinity.edu/its/virus/


    "Everyone Wants to 'Own' Your PC," by Bruce Schneier, Wired News, May 4, 2006 --- http://www.wired.com/news/columns/0,70802-0.html?tw=wn_index_4

    You own your computer, of course. You bought it. You paid for it. But how much control do you really have over what happens on your machine? Technically you might have bought the hardware and software, but you have less control over what it's doing behind the scenes.

    Using the hacker sense of the term, your computer is "owned" by other people. 

    It used to be that only malicious hackers were trying to own your computers. Whether through worms, viruses, Trojans or other means, they would try to install some kind of remote-control program onto your system. Then they'd use your computers to sniff passwords, make fraudulent bank transactions, send spam, initiate phishing attacks and so on. Estimates are that somewhere between hundreds of thousands and millions of computers are members of remotely controlled "bot" networks. Owned.

    Now, things are not so simple. There are all sorts of interests vying for control of your computer. There are media companies that want to control what you can do with the music and videos they sell you. There are companies that use software as a conduit to collect marketing information, deliver advertising or do whatever it is their real owners require. And there are software companies that are trying to make money by pleasing not only their customers, but other companies they ally themselves with. All these companies want to own your computer.

    Some examples:

    • Entertainment software: In October 2005, it emerged that Sony had distributed a rootkit with several music CDs -- the same kind of software that crackers use to own people's computers. This rootkit secretly installed itself when the music CD was played on a computer. Its purpose was to prevent people from doing things with the music that Sony didn't approve of: It was a DRM system. If the exact same piece of software had been installed secretly by a hacker, this would have been an illegal act. But Sony believed that it had legitimate reasons for wanting to own its customers’ machines.


    • Antivirus: You might have expected your antivirus software to detect Sony's rootkit. After all, that's why you bought it. But initially, the security programs sold by Symantec and others did not detect it, because Sony had asked them not to. You might have thought that the software you bought was working for you, but you would have been wrong.

       

    • Internet services: Hotmail allows you to blacklist certain e-mail addresses, so that mail from them automatically goes into your spam trap. Have you ever tried blocking all that incessant marketing e-mail from Microsoft? You can't.

       

    • Application software: Internet Explorer users might have expected the program to incorporate easy-to-use cookie handling and pop-up blockers. After all, other browsers do, and users have found them useful in defending against internet annoyances. But Microsoft isn't just selling software to you; it sells internet advertising as well. It isn't in the company's best interest to offer users features that would adversely affect its business partners.

    Business-Technology: Security Threats Galore, But No Worries Here
    Taken together, you begin to get the full, unsettling picture of information security today. Automated bot attacks, Windows bulletins by the dozen, a new breed of business worms, risk of heap overflow in Cisco's IOS, the underground's new fascination with unpatched holes in 20 types of applications and devices. And that doesn't even include problems caused by spyware or phishing, or customer-data breaches, or the complications of wireless networks and devices, or CDs with hidden rootkits, or the Sober worm variants spreading again. With all of this going on, how do you explain the fact that so few security and IT professionals feel things have gotten worse? It's possible they have systems in place to ward off ill-intended probes, keep software patched, and protect customer records. Maybe the bullets are bouncing off. That, or maybe security at their companies isn't as good as it seems.
    John Foley, "Business-Technology: Security Threats Galore, But No Worries Here," InformationWeek Newsletter, November 29, 2005

    "Two More Ways to Fight Viruses, for Free," by Rob Pegoraro, The Washington Post, November 28, 2005 --- http://snipurl.com/PegoraroNov28

    But you don't have to. For several years, two Czech software developers have offered free versions of their anti-virus programs to home users. These no-charge downloads don't offer every feature provided by McAfee Inc. and Symantec Corp., the two security developers whose programs come pre-installed on most Windows PCs. But when put to the same tests as software from the Big Two, they did the job almost as well and with less fuss.

    Both of these freebies -- Avast 4 Home Edition, from Prague's Alwil Software, and AVG Free Edition, from Brno-based Grisoft Inc. -- can be installed only on home computers that aren't put to any business or commercial use. (Income from sales to businesses and organizations covers the cost of this exercise in Internet charity.)

    These two programs share a few welcome traits. Both are relatively small downloads -- almost 10 megabytes for Avast, just under 15 for AVG -- that tout compatibility with systems as old as Windows 95. And both automatically download updates every day and allow quick manual updates.

    With Avast ( http://www.avast.com/eng/free_virus_protectio.html ), the major selling point is a greater sense of security. After a refreshingly fast install, Avast automatically scans your computer for trouble before allowing Windows to boot up -- a helpful precaution if the computer may already be infected.

    Continued in article

    Auntie Spam's Net Patrol ---
    http://www.aunty-spam.com/deleting-email-leads-to-145billion-judgement-against-company/

    Cagey Consumer --- http://cc.edumacation.com

    Latest security threats and hoaxes --- http://www.trinity.edu/its/virus/

    25 Hottest Urban Legends (hoaxes) --- http://www.snopes.com/info/top25uls.as

    JUNKBUSTERS Anti-Telemarketing Script http://www.junkbusters.com/script.html 

    From the Scout Report on July 14, 2005

    Powerful Cookies 1.0.7
    http://www.freewebs.com/powerfulcookies/


    For those people who are concerned about erasing evidence of their Internet activity stored in their browser, Powerful Cookies 1.0.7 may be worth taking a look at. Visitors can use this program to delete cookies, clean index.dat files, clean the cache, remove temporary files, and erase typed URLs. This application is compatible with Windows 95 or newer.


    The Sorry State of ID Theft
    One of the most popular stories on our site over the last two weeks was PIN Scandal 'Worst Hack Ever'; Citibank Only The Start, followed closely by International Citibank Customers Shaken By Data Breach. Day after day, one or both made our list of the five most popular headlines. I'm guessing another story, about two large botnets hacking into users' online shopping carts to steal credit card numbers, bank account details, and log-on passwords, will grab similar reader interest. Little wonder. The banks involved in the first story were huge, with huge IT budgets and even bigger data stores. We all bank and use ATMs, and many use debit cards. And as regards the second story, most of us shop, to varying degrees, online. It just isn't hard to imagine yourself as one of the current--or future--victims of these scams or dubious security policies.
    Patricia Keefe, "Securing A Solution To Data Theft," InformationWeek Daily, March 21, 2006

    The High Cost Of Data Loss
    Sensitive personal data has been misplaced, lost, printed on mailing labels, posted online, and just left around for anyone to see. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about it.
    Elena Malykhina et al., InformationWeek, March 20, 2006

    How many ways are there to expose sensitive personal data? One company misplaces a backup tape; another puts customers' Social Security numbers onto mailing labels for anyone to see. Others lose laptops, inadvertently post private information online, or leave documents exposed to prying eyes. The possibilities are endless-- as we're learning with every new revelation of a data breach or hack or inexcusable lapse in secure business practices. By one estimate, 53 million people--including consumers, employees, students, and patients--have had data about themselves exposed over the past 13 months.

    This sorry state of affairs is taking its toll: fines, lawsuits, firings, damaged reputations, spooked customers, credit card fraud, a regulatory crackdown, and the expense of fixing what's broken. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about

    Continued in a long article


    In parts to follow, I will define and elaborate on various terminologies of computer and networking security.  For help in preventing and overcoming invasions, I especially recommend the links provided by Yahoo below:

     

    Yahoo Security and Encryption Guides --- http://dir.yahoo.com/Computers_and_Internet/Security_and_Encryption/ 

    Microsoft to Bundle Anti-Spyware App With Windows
    Microsoft said Friday that it plans to bundle its "Windows Anti-Spyware" tool with Windows Vista, the chronically delayed next version of the company's operating system. Microsoft also decided to rename the program "Windows Defender," in part to give it "a more positive name." The announcement, like others of late, was posted on one of the numerous blogs on Microsoft's site that catalog the daily doings of the software giant's many technical divisions. But this news -- for me, anyway -- was more than just a press release issued via a breezy blog post. It offered a glimpse of something Redmond hinted it was going to do years ago, but which has only recently become more of a reality: ship antivirus and anti-spyware updates to hundreds of millions of Windows computers every day through its Windows/Microsoft Update feature.
    Brian Krebs, "Microsoft to Bundle Anti-Spyware App With Windows," The Washington Post, November 7, 2005 --- http://blogs.washingtonpost.com/securityfix/2005/11/microsoft_to_bu.html?referrer=email




    This module may seem a little off topic.  But it fits nicely into past AECM threads about Big Brotherism in the age of technology.  David Fordham expressed it well by stating that almost anything about a person is either available for free or for sale.  It is in the spirit of those threads that I forward the following tidbit.  Those of you with liberal arts backgrounds may especially like this tidbit.  My threads on this are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#Cellphones

    Bob

    "Making Ideas Beautiful:  Do art and ideas mix? It depends on who's stirring the pot," by Terry Teachout, The Wall Street Journal, December 10, 2005; Page P15 ---
     http://online.wsj.com/article/SB113416176976318692.html?mod=todays_us_pursuits

    Sometimes a heartfelt compliment can blow up in the recipient's face, as when T.S. Eliot said of Henry James that he had "a mind so fine that no idea could violate it," thus making him sound like a plot-spinning idiot savant. What Eliot really meant was that James understood how an artist who dabbles in ideas can lose sight of the true purpose of art, which is (as Renoir said) to "make everything more beautiful." You can't paint a picture of E = mc2, or compose a symphony about the law of supply and demand. Nevertheless, art is so effective at swaying men's minds that there have always been cultural commissars prepared to enlist it in the service of ideas by any means necessary -- including brute force.

    To see what happens when politicians ram ideas down artists' throats, take a trip to "Russia!" This once-in-a-lifetime blockbuster show of Russian art from the 12th century to the present, on display at the Guggenheim Museum through Jan. 11, is billed as "the most comprehensive and significant exhibition of Russian art outside Russia since the end of the Cold War." It's that, for sure, but it's also an object lesson in the power of ideas to hijack a great culture.

    In the '30s and '40s, Russian artists were expected not merely to toe the Marxist line, but to embody it in their work. Unless you wanted to end up in the Gulag -- or worse -- you did what Stalin said. The deliberately anti-modern style that resulted, known as "socialist realism," was a crude burlesque of 19th-century realism in which the Soviet Union was portrayed as a proletarian paradise. Visual artists had an especially tough time of it, for the once-thriving Russian avant-garde was replaced overnight by a school of simple-minded poster artists who specialized in cheery canvases with titles like "Collective Farm Worker on a Bicycle." To stroll through "Russia!" is to be stupefied by the sheer banality of the assembly-line art these brush-wielding apparatchiks cranked out.

    That's one kind of idea-driven art in which the artist illustrates ideas, often with the intention of bludgeoning others into embracing them. But there's another kind, in which an idea is so radically transformed by the artist that the resulting work of art floats free from its initial inspiration, taking on the haze of ambiguity that is part and parcel of beauty.

    I saw a wonderful example of the latter kind of art last week at Brooklyn's BAM Harvey Theater. "Super Vision" is an evening-long piece of performance art created by the Builders Association, a New York-based touring experimental theater troupe, in collaboration with dbox, the multidisciplinary design studio. On paper it sounds like a "Nineteen Eighty-Four"-style documentary about how governments and corporations misuse the mountains of personal data they collect from private citizens. In the theater, though, "Super Vision" blossoms into something completely different, a computer-enhanced visual poem about the pitfalls and promise of life in the information age.

    "Super Vision," which is being performed this weekend at Montclair State University in Montclair, N.J. (for a tour itinerary, go to www.superv.org ), consists of three interwoven stories in which six actors move through a breathtakingly complex series of digitally generated three-dimensional projections. In one story line, a computer-savvy swindler named John steals his young son's identity, uses it to run up $400,000 in debt, then vanishes. John and his wife are played by real-life actors, but John Jr. exists only as a video image, while the suburban house in which they live is entirely animated.

    Again, this bald description makes "Super Vision" sound like a technical tour de force -- which it is. Yet it's far more than that. "I think of the stories in 'Super Vision' as the emotional side of data," explains Marianne Weems, the show's director. "The point is to bring visceral sensation and visual impact to these stories -- and as we move more deeply into interpreting the factual material on which they're based, we move away from the literal."

    This is what lifts "Super Vision" out of the pedestrian realm of the purely factual. Yes, Ms. Weems and her collaborators are rightly disturbed by what she calls "this new form of surveillance and its constant incursions into the realm of our selves." But instead of preaching a strident sermon about how "dataveillance" threatens the right to privacy, they've transformed their fears into a fast-flowing stream of nonliteral images that stick in your mind like the swirling colors of an abstract painting. Just when John, the identity thief, thinks he's gotten away clean, you see in the distance what looks like a flock of birds. Then, as it draws nearer, you realize that it's actually a cloud of computer-generated data points hurtling through the air to chase him down. That's not politics -- it's poetry. And it's the quintessence of "Super Vision," a work of theatrical alchemy in which ideas are turned into art by making them more beautiful.


    "Viral cure could 'immunise' the internet," Kurt Kleiner, NewScientist, December 1, 2005 --- http://www.newscientist.com/article.ns?id=dn8403

    Some researchers have developed artificial "immune systems" that automatically analyse a virus, meaning a fix can be sent out more rapidly. In practice, however, computer viruses still tend to spread too quickly.

    Now Eran Shir, and colleagues at Tel-Aviv University in Israel, have applied network theory to the problem, and believe they have come up with a more effective solution.

    Part of the problem, the researchers say, is that countermeasures sent from a central server over the same network as the virus it is pursuing will always be playing catch-up.

    They propose developing a network of "honeypot" computers, distributed across the internet and dedicated to the task of combating viruses. To a virus, these machines would seem like ordinary vulnerable computers. But the honeypots would attract a virus, analyse it automatically, and then distribute a countermeasure.

    Healing hubs
    But the honeypots would be linked to one another via a dedicated and secure network. This way, once one has captured a virus, all the others will quickly know about the infection immediately. Each honeypot then acts as a hub of healing code which is disseminated to computers connected to it. The countermeasure then spreads out across the broader network.

    Simulations show that the larger the network grows, the more efficient this scheme should be. For example, if a network has 50,000 nodes (computers), and just 0.4% of those are honeypots, just 5% of the network will be infected before the immune system halts the virus, assuming the fix works properly. But, a 200-million-node network – with the same proportion of honeypots – should see just 0.001% of machines get infected.

    Security measures, such as encryption, would be needed to prevent viruses from exploiting the honeypot network.

    "They've shown it is possible to use this epidemically spreading immune agent to good advantage," says Jeff Kephart, a computer scientist at IBM in Hawthorne, New York, US. "The next step would be to look more carefully at the benefits and costs of this approach. I see promise in it."

    The paper only discusses the mathematical model, and there is no effective implementation as yet. But Shir plans to release a simple example program soon and hopes that volunteers or a company will eventually implement the real thing across the internet.

    Journal reference: Nature Physics (DOI: 10.1038/nphys177).
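    The mechanism described in the article, as an added worked example written for this page (it is my own code, not Shir's model or anything from the New Scientist piece): a worm spreads by contact across a small synthetic network, a honeypot captures it the moment an infected host touches it, the capture is shared instantly over the honeypots' private channel, and the fix then spreads by contact from every honeypot at once. The ring-plus-shortcuts topology, the one-hop-per-step rate for both worm and fix, and the absence of any infection probability are assumptions made for the illustration; the counts it prints are from this toy and are not the paper's 5% and 0.001% figures.

```python
import random

SUSCEPTIBLE, INFECTED, IMMUNE, HONEYPOT = "S", "I", "R", "H"


def build_network(n, shortcuts_per_node, rng):
    """Ring lattice plus random shortcut edges (an assumed toy topology).

    The ring keeps the graph connected, so with no countermeasure the worm
    reaches every node; the shortcuts give it the short paths a real
    network has."""
    adj = [set() for _ in range(n)]
    for v in range(n):
        adj[v].add((v + 1) % n)
        adj[(v + 1) % n].add(v)
        for _ in range(shortcuts_per_node):
            w = rng.randrange(n)
            if w != v:
                adj[v].add(w)
                adj[w].add(v)
    return adj


def simulate(adj, honeypots, seed_node=0, max_steps=100_000):
    """Run the outbreak to quiescence and return a summary.

    Assumed dynamics: each step an infected node hits all its neighbours,
    and, once the fix exists, each immune node pushes the fix to all its
    neighbours. Both fronts move one hop per step; the worm has a head
    start, the fix has many sources."""
    n = len(adj)
    state = [SUSCEPTIBLE] * n
    for h in honeypots:
        state[h] = HONEYPOT
    assert state[seed_node] != HONEYPOT, "the first victim must be an ordinary host"
    state[seed_node] = INFECTED
    ever_infected = {seed_node}
    cure_released = False
    steps = 0
    for steps in range(1, max_steps + 1):
        changed = False
        # Phase 1: dissemination of the fix, one hop from every immune node.
        if cure_released:
            for v in [u for u in range(n) if state[u] == IMMUNE]:
                for w in adj[v]:
                    if state[w] in (SUSCEPTIBLE, INFECTED):
                        state[w] = IMMUNE
                        changed = True
        # Phase 2: the worm hits every neighbour of every infected node.
        # A honeypot neighbour captures it instead of being infected.
        newly, captured = set(), False
        for v in range(n):
            if state[v] != INFECTED:
                continue
            for w in adj[v]:
                if state[w] == HONEYPOT:
                    captured = True
                elif state[w] == SUSCEPTIBLE:
                    newly.add(w)
        for w in newly:
            state[w] = INFECTED
        ever_infected |= newly
        changed = changed or bool(newly)
        # The capture is shared over the honeypots' dedicated channel, so
        # every honeypot holds the fix at once and seeds it next step.
        if captured and not cure_released:
            cure_released = True
            for h in honeypots:
                state[h] = IMMUNE
            changed = True
        if state.count(INFECTED) == 0 or not changed:
            break
    return {
        "nodes": n,
        "honeypots": len(honeypots),
        "ever_infected": len(ever_infected),
        "still_infected": state.count(INFECTED),
        "immune": state.count(IMMUNE),
        "steps": steps,
    }


def run_experiment(n, honeypot_fraction=0.004, seed=2005, shortcuts_per_node=2):
    """Same network with and without honeypots; node 0 is always the first victim."""
    rng = random.Random(seed)
    adj = build_network(n, shortcuts_per_node, rng)
    honeypots = rng.sample(range(1, n), max(1, round(n * honeypot_fraction)))
    return simulate(adj, []), simulate(adj, honeypots)


if __name__ == "__main__":
    for n in (2000, 8000):
        base, protected = run_experiment(n)
        print(f"n={n}: no honeypots -> {base['ever_infected']} ever infected; "
              f"{protected['honeypots']} honeypots -> {protected['ever_infected']} ever infected, "
              f"{protected['still_infected']} still infected after {protected['steps']} steps")
```

    Two things to read off the output. Without honeypots the worm owns every host and nothing ever cleans them; with 0.4% of hosts acting as honeypots the outbreak is always extinguished, and the honeypots themselves are never infected because they capture rather than execute what hits them. The simulation also makes the article's last caveat concrete: the "dedicated and secure network" is trusted absolutely here, so a worm that could inject a forged fix into that channel would get the same instant, network-wide dissemination, which is why the honeypots' channel needs authentication and encryption rather than just separation.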


    Walt's Warnings About File Sharing

    "The Practical Case Against File Sharing," by Walter Mossberg, The Wall Street Journal, October 20, 2005 --- http://online.wsj.com/article/SB112976373382173735.html?mod=todays_us_marketplace 

    Q:
    Are there problems with using file-swapping sites like Kazaa, as long as you have a good antivirus protection program? I don't mind paying for individual songs, but other sites like iTunes or Rhapsody often don't have the songs I want.

    A:
    Yes, there are problems. The first are the ethical and legal issues arising from obtaining somebody else's copyrighted intellectual property without paying for it, from a person who isn't licensed or authorized to distribute it. The other sites you mention, iTunes and Rhapsody, are legally licensed to distribute music. Kazaa and its ilk aren't, nor are the people who make music available through them. Your argument is like rationalizing buying stolen TVs because your local Best Buy didn't have the model you wanted.

    If your conscience can get past that, there are practical issues. These sites are major transmitters not only of viruses, but of spyware, which your antivirus program can't stop. Even if your PC has a full, up-to-date security suite, with antispyware software, you are asking for trouble by downloading from "file swapping" sites. Many of the people I hear from who have had to take drastic, costly steps to save heavily infected PCs attribute their problems to the fact that their kids were frequenting file-sharing sites.

    Bob Jensen's threads on file sharing are at http://www.trinity.edu/rjensen/napster.htm


    Telling Computers How to Keep Secrets
    The home version of Windows XP (unlike Apple's two most recent Mac OS X releases) can't lock up your important data, but other developers have come up with tools for this task. You just have to decide which of these three qualities is most important to you: simplicity, price or capabilities.  The easiest data-protection software we tested was Steganos Safe 8 (Win 2000 or newer, $30 at http://www.steganos.com/  ). It creates a "secure drive," an encrypted, password-protected file that houses whatever files you choose to put in it. When the secure drive is unlocked, it works just like a regular drive, but when locked, it turns into a single file filled with encrypted gibberish.
    Kevin Savetz, "Telling Computers How to Keep Secrets," The Washington Post, July 3, 2005 --- http://www.washingtonpost.com/wp-dyn/content/article/2005/07/02/AR2005070200116.html?referrer=email

    Kim Zetter. "ID Theft: What You Need to Know," Wired News, June 29, 2005 --- http://www.wired.com/news/privacy/0,1848,68032,00.html?tw=wn_tophead_8

    What should I do if my wallet or purse is lost or stolen?

    Immediately contact all three credit reporting agencies -- Equifax, Experian and TransUnion -- and have them place a fraud alert on your account. This means that companies issuing new credit accounts in your name will have to call you to obtain permission first. The alert will last for 90 days only. You can extend the alert to seven years, but only if you've been a victim of identity theft and can provide a police report.

    Equifax: 1.800.525.6285

    Experian: 1.888.397.3742

    TransUnion: 1.800.680.7289

    In addition to contacting the credit reporting agencies, you should file a police report if your property was stolen. Close any accounts that you think may have been compromised by the loss or theft. The FTC provides more information and a chart to tick off steps you should take.

    What can I do to prevent myself from becoming a victim?

    There isn't really anything you can do to prevent identity theft. As long as Social Security numbers are used for purposes other than Social Security, you are at risk of having your identity stolen any time someone has access to documents that carry your number and other personal data. There are, however, things you can do to lower your risk of becoming a victim.

    • Review monthly financial statements carefully for fraudulent activity.
    • Request a free copy of your credit report from a credit-reporting agency once a year to examine it for fraudulent activity. A new law requiring credit reporting agencies to provide a free annual report goes into effect nationwide in September. Until then, it's in effect only in western and Midwestern states. The credit report will show who requested access to your credit record. Look for requests from companies you haven't done business with and tell credit-reporting agencies if you see credit accounts that you didn't open or debts you didn't incur. Check to see that your name and address are correct.
    • Don't give your Social Security number to any business that doesn't really need it.
    • Cross shred sensitive documents. Thieves have been known to piece together strips of paper that are shredded only once. Cross-shredders double-shred documents.
    • Shred pre-approved credit-card offers before tossing them in the garbage.
    • Don't store sensitive personal information, such as bank account numbers and passwords, on home computers or handheld devices.
    • Install a firewall and anti-virus software on your computer and keep the virus definitions up to date to prevent viruses and Trojan horses from infecting your computer and feeding personal information back to hackers.
    • Don't fall for phishing scams. Phishing occurs when someone sends you an e-mail purporting to be from your bank or other company you do business with and requesting you to update your account information.
    • Use specially designed software programs to clean data from your computer before you sell or discard it. Simply deleting files will not remove data from the memory.
    • Don't carry any documents in your wallet that have your Social Security number on them, including your medical card or military ID, on days when you don't need the card.
    • Opt-out when your bank or other financial institution requests permission to share information about you with other businesses.
    • Close all credit-card accounts except the one or two that you really need.
    • If you are an identity theft victim and live in one of ten states, including California, Colorado, Louisiana, Maine, Texas, Vermont or Washington, consider placing a "freeze" on your credit report so that no one can access it without your permission. More than 20 additional states are considering passing similar legislation. Creditors need to look at your report before granting you credit. By freezing your report, it will prevent unauthorized people from seeing your personal data and it will prevent creditors from opening a new credit account in your name for an impostor. Some states only let victims of identity theft freeze their records. Other states allow anyone to freeze their record. The State Public Interest Research Groups maintains a list of states with freeze laws.
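    The item above about cleaning a computer before selling or discarding it: as an added illustration (my own code, not from the Wired article and not any particular wipe product), this is what "cleaning" means at the file level. Deleting a file only drops the directory entry and frees the blocks; the bytes stay on the disk until something else happens to overwrite them. The routine below overwrites the file's contents with random data, forces each pass to the device, and only then removes the name. The sample content is constructed for the demo.

```python
import os
import tempfile

# Constructed stand-in for sensitive data; nothing here is real.
SAMPLE = b"acct=12345678;password=hunter2;ssn=000-00-0000\n" * 200


def make_sample_file():
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE)
    return path


def contains_plaintext(path, needle):
    """Report whether `needle` still appears anywhere in the file's bytes."""
    with open(path, "rb") as f:
        return needle in f.read()


def overwrite_file(path, passes=3):
    """Overwrite every byte of the file in place, `passes` times, with random
    data, forcing each pass to the device with fsync. Returns the byte count."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = os.urandom(min(remaining, 1 << 16))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path, passes=3):
    """Overwrite, then unlink. Returns (bytes overwritten, path still exists)."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size, os.path.exists(path)


if __name__ == "__main__":
    p = make_sample_file()
    print("plaintext present before wipe:", contains_plaintext(p, b"hunter2"))
    overwrite_file(p, passes=1)
    print("plaintext present after overwrite:", contains_plaintext(p, b"hunter2"))
    print("secure_delete ->", secure_delete(p))
```

    The check after the overwrite is the point of the demo: reading the file back shows the old bytes are gone, which plain deletion never guarantees. Two caveats a practitioner should keep in mind. Overwriting in place only reaches the blocks the file currently occupies; on SSDs with wear levelling, on copy-on-write or journaling filesystems, and wherever snapshots or backups exist, earlier copies of the data can survive, so for a machine you are giving away, whole-disk encryption from day one (then discarding the key) or the drive's own secure-erase command is the reliable route. And the "specially designed software" in the article does the same overwrite for free space and swap, which this file-level routine does not touch.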

    Bob Jensen's guides on how to report fraud --- http://www.trinity.edu/rjensen/FraudReporting.htm

    Bob Jensen's helpers on identity theft --- http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft

     

    A government Website on Cybercrime --- http://www.usdoj.gov/criminal/cybercrime/

    FCC Posts Lists of Sites That Send Spam to Cell Phones --- http://www.technologyreview.com/articles/05/02/ap/ap_2020805.asp?trk=nl 

    "Blocking Cellphone Spam," by Debra Goldschmidt, The Wall Street Journal,  January 3, 2006; Page D1 --- http://online.wsj.com/article/SB113625263355436073.html?mod=todays_us_personal_journal

    The Problem:
    You're paying for all the unwanted text messages you get on your cellphone.

    The Solution:
    Unwanted text messages usually come from two sources: telemarketers or friends who do more typing than talking.

    The first is called cell spam -- illegal solicitations. Most service providers use anti-spam programs but nothing is foolproof. If you receive cell spam, ask your cellphone company to deduct the cost of that message from your next bill. You can also file a complaint with the Federal Communications Commission at www.fcc.gov.

    So-called friendly fire text messages are those from people you know -- such as your teenager's friends who inadvertently run up your bill. To combat these, most service providers allow you to log onto their Web site to block a limited number of phone numbers from sending you messages. If you have Cingular or Verizon, you can ask to disable the text messaging function on your phone -- or your teenager's phone.

     


    "Adobe PDF Patch Plugs Data Leak Threat," by Brian Krebs, The Washington Post, June 20, 2005 --- http://blogs.washingtonpost.com/securityfix/2005/06/adobe_pdf_patch.html?referrer=email

    According to Adobe, the latest version gets rid of a fairly serious security flaw. By convincing a target to download a specially crafted PDF document, attackers could "discover the existence of local files," -- i.e., read documents on the victim's computer. Adobe says that threat is minimized because the attacker would have to know the exact name and location of the files he was searching for to be able to leverage the security flaw.

    Anyway, you can update using the automatic updater bundled with Adobe, or visit Adobe's download site to install the fix manually. Adobe says it is working on a fix for Mac users. If any Mac users are concerned about this vulnerability, this page has instructions on how to disable Javascript in Adobe.

    By the way, if you browse the Web using Mozilla's Firefox Web browser and have always had trouble loading PDF documents, you might consider following the advice here to fix the problem. Just scroll down to the question in the FAQ that reads "Why do Adobe pdf files load slowly in Windows?" For the longest time I put off researching a tweak for this problem. Mozilla says it's because Adobe Reader for Windows loads lots of unused plugins on startup.


    "The State Of Internet Security," by Fahmida Y. Rashid, Forbes, June 14, 2005 --- http://www.forbes.com/technology/2005/06/14/verisign-internet-security-cx_fr_0614verisign.html

    E-mails from Nigeria asking for your help in transferring money. Important information about compromised bank accounts.

    While the scams that daily flood our e-mail in-boxes show no signs of abating, there is some good news for the users who have to sort through them all. So says VeriSign (Nasdaq: VRSN), in its latest "State of Internet Security" address covering the first three months of 2005.

    Phishing attacks--the attempted theft of information such as user names, passwords or credit-card numbers--are increasingly more sophisticated, VeriSign said. But the company, which lives by the sale of computer security software, says phishing attacks are less profitable than they used to be, and of shorter duration, since affected companies work with Internet service providers to shut down sites capturing the information.

    Pharming, also known as DNS spoofing because it fools the domain-name system, is an alternative technique that tries to direct users to a fake Web site even when the correct address is entered into a browser. "It's as if you looked up a number in the phone book," says Phillip Hallam-Baker, a Web security expert at Verisign, "but someone somehow changed the number, managed to swap the phone book on you."

    VeriSign's report lists ways to lock down DNS infrastructure to shut down pharming. It encourages administrators to upgrade their DNS software and to install cryptography solutions. Hallam-Baker feels that pharming attacks that depend on cached information could be eliminated fairly easily. Pharming attacks infrastructure, so the company in charge of that segment could prevent further attacks by upgrading necessary components.

    Continued in article

    Links to the ISIB report are given at
    http://www.verisign.com/verisign-inc/news-and-events/news-archive/us-news-2005/page_030922.html
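    What "locking down" a resolver against the cached-data pharming the article mentions looks like in practice, as an added example written for this page (my own code, not VeriSign's report): a DNS query and several responses are built by hand in wire format so nothing touches the network, and an acceptance function applies the checks a hardened resolver makes before it caches an answer. The transaction-ID, source-address and same-name ("bailiwick") checks are standard resolver behaviour that the article does not spell out; the names and addresses are documentation values chosen for the demo.

```python
import struct

A_RECORD, IN_CLASS = 1, 1


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(pkt, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels = []
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def build_query(txid, name, qtype=A_RECORD):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)


def build_response(txid, name, answers, qtype=A_RECORD, ttl=300):
    """answers: list of (owner_name, ipv4). Hand-built so forged replies can be
    constructed offline; the owner uses a pointer when it repeats the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR|RD|RA
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)
    for owner, ip in answers:
        owner_bytes = b"\xc0\x0c" if owner.lower() == name.lower() else encode_name(owner)
        rdata = bytes(int(o) for o in ip.split("."))
        pkt += owner_bytes + struct.pack("!HHIH", qtype, IN_CLASS, ttl, len(rdata)) + rdata
    return pkt


def accept_response(pending, pkt, src):
    """Resolver-side checks. `pending` is the outstanding query (txid, qname,
    qtype, server address). Returns the IPv4 answers worth caching, or None
    when the packet must be dropped."""
    if src != pending["server"]:
        return None                                    # not from the server we asked
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != pending["txid"] or not flags & 0x8000 or qd != 1:
        return None                                    # wrong ID, or not a response
    qname, off = read_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if (qname.lower(), qtype, qclass) != (pending["qname"].lower(), pending["qtype"], IN_CLASS):
        return None                                    # question does not echo ours
    ips = []
    for _ in range(an):
        owner, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        # Bailiwick rule: only cache data for the name we actually asked about.
        if owner.lower() == qname.lower() and (rtype, rclass, rdlen) == (qtype, IN_CLASS, 4):
            ips.append(".".join(str(b) for b in rdata))
    return ips


def demo():
    """Four replies to one outstanding query: one genuine, three attacker-style."""
    server = ("192.0.2.53", 53)
    pending = {"txid": 0x1F2E, "qname": "bank.example", "qtype": A_RECORD, "server": server}
    genuine = build_response(0x1F2E, "bank.example", [("bank.example", "198.51.100.10")])
    wrong_id = build_response(0x0001, "bank.example", [("bank.example", "203.0.113.66")])
    wrong_src = build_response(0x1F2E, "bank.example", [("bank.example", "203.0.113.66")])
    extra = build_response(0x1F2E, "bank.example",
                           [("bank.example", "198.51.100.10"), ("mail.example", "203.0.113.66")])
    return {
        "genuine": accept_response(pending, genuine, server),
        "wrong_txid": accept_response(pending, wrong_id, server),
        "wrong_source": accept_response(pending, wrong_src, ("203.0.113.5", 53)),
        "off_bailiwick": accept_response(pending, extra, server),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:14s} -> {'dropped' if result is None else result}")
```

    The forged replies fail on different checks, which is the practical point: an off-path attacker who cannot see the query has to guess the 16-bit transaction ID, and if the resolver also randomizes its UDP source port (so the reply must land on the right port as well) the guess space is roughly 2^32 per query rather than 65,536. A reply that passes every check but smuggles in a record for some other name is still not cached, because of the bailiwick rule. What these checks cannot stop is an attacker who can observe the query on-path or who controls the authoritative server; that residual gap is what the signed records of DNSSEC, the "cryptography solutions" the report refers to, are for.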

     


    Tired of Computer Viruses, Spyware, and all the Other Microsoft Diseases?
    Switch to a Mac

    If you switch to a  Mac, a must book is Mac OS X: The Missing Manual by David Pogue http://www.amazon.com/exec/obidos/tg/detail/-/0596000820/002-3743809-1628824?v=glance 

    This book explains how to translate what you liked to do in Windows into how to do the same things on a Mac.


    It's been proven, there is life after death
    Identity theft isn't among the risks of medical treatment -- such as infection -- listed on the standard release form that patients sign. But there's evidence that identity thieves are starting to target medical patients. 
    Kevin Helliker, "A New Medical Worry: Identity Thieves Find Ways To Target Hospital Patients," The Wall Street Journal, February 22, 2005, Page D1 --- http://online.wsj.com/article/0,,SB110902598126260237,00.html?mod=todays_us_personal_journal 

    Just this weekend, the University of Chicago Hospitals reported that a former employee had stolen identity information from as many as 85 patients. In recent years, rings of thieves stole the identities of more than 15 such patients in Iowa, 30 in Minnesota and nearly 50 in Indiana. During the past two years, the state of Michigan has prosecuted more than 20 cases involving medical-patient identity theft, many involving multiple victims, Michigan Attorney General Mike Cox says.

    Hospital patients are vulnerable in part because they are unlikely to detect anything amiss. Some may never leave the hospital. A team of alleged identity thieves arrested in 2003 in New Jersey were targeting the terminally ill, according to police.

    Continued in article


    Hackers are turning digital rights management features of Microsoft's Windows Media Player against users by fooling them into downloading massive amounts of spyware, adware, and viruses.  A year after it went into effect, the federal CAN-SPAM Act is a "miserable" failure, a messaging security firm that monitors compliance with the anti-spam legislation says.  The United States was the 800-pound spam-spewing gorilla throughout 2004, a spot it held from wire to wire throughout the year, an anti-virus firm says.  Federal judge grants restraining order shutting down six porn purveyors.
    Information Week's Updates on Spam (including how spyware burglars and spammers stay ahead all efforts to stop it) --- http://snipurl.com/spamJan19 


    "Beware Web Hitchhikers," CBS News, December 31, 2004 --- http://www.cbsnews.com/stories/2004/12/31/eveningnews/consumer/main664185.shtml 

    One of the big-sellers this holiday season is the wireless router, which lets you link your computer to the Internet from any room in the house.

    But as CBS News Correspondent Vince Gonzales reports, the problem is that strangers on the street can also hook up to the net -- through your router.

    It's called "war-driving" -- prowling neighborhoods, searching for open wireless networks that offer a free ride onto the Internet.

     

     


    Surprise, Surprise!
    In terms of features, especially security protection, Microsoft's Internet Explorer is well behind the alternatives.

    "Security, Cool Features Of Firefox Web Browser Beat Microsoft's IE," Walter Mossberg, The Wall Street Journal, December 30, 2004, Page B1 --- http://online.wsj.com/article/0,,SB110435917184512320,00.html?mod=todays_us_marketplace 

    Microsoft's Internet Explorer Web browser is one of the most important, and most often used, programs on the world's personal computers, relied upon by more than 90% of Windows users. But Microsoft hasn't made any important functional improvements in Internet Explorer for years.

    The software giant has folded IE into the Windows operating system, and the browser only receives updates as part of the "Windows update" process. In recent years, most upgrades to IE have been under-the-hood patches to plug the many security holes that have made IE a major conduit for hackers, virus writers and spyware purveyors. The only visible feature added to IE recently: a pop-up ad blocker, which arrived long after other browsers had one.

    Meanwhile, other people have been building much better browsers, just as Microsoft itself did in the 1990s, when it challenged and eventually bested the then-dominant browser, Netscape Navigator. The most significant of these challengers is Firefox, a free product of an open-source organization called Mozilla, available for download at www.mozilla.org. Firefox is both more secure and more modern than IE, and it comes packed with user-friendly features the Microsoft browser can't touch.

    Firefox still has a tiny market share. But millions of people have downloaded it recently. I've been using it for months, and I recommended back in September that users switch to it from IE as a security measure. It's available in nearly identical versions for Windows, the Apple Macintosh, and the Linux operating system.

    There are some other browsers that put IE to shame. Apple's elegant Safari browser, included free on every Mac, is one. But it isn't available for Windows. The Opera browser is loaded with bells and whistles, but I find it pretty complicated. And NetCaptor, my former favorite, is very nice. But since it's based on the IE Web-browsing engine, it's vulnerable to most of IE's security problems.

    Firefox, which uses a different underlying browsing engine called "Gecko," also has a couple of close cousins based on the same engine. One is Netscape, now owned by America Online. The other is a browser called Mozilla, from the same group that created Firefox. But Firefox is smaller, sleeker and newer than either of its relatives, although a new Netscape version is in the works.

    Firefox isn't totally secure -- no browser can be, especially if it runs on Windows, which has major security problems and is the world's top digital target. But Firefox has better security and privacy than IE. One big reason is that it won't run programs called "ActiveX controls," a Microsoft technology used in IE. These programs are used for many good things, but they have become such powerful tools for criminals and hackers that their potential for harm outweighs their benefits.

    Firefox also has easier, quicker and clearer methods than IE does for covering your online tracks, if you so choose. And it has a better built-in pop-up ad blocker than IE.

    But my favorite aspect of Firefox is tabbed browsing, a Web-surfing revolution that is shared by all the major new browsers but is absent from IE. With tabbed browsing, you can open many Web pages at once in the same browser window. Each is accessed by a tab.

    The benefits of tabbed browsing hit home when you create folders of related bookmarks. For instance, on my computer I have a folder of a dozen technology-news bookmarks and another 20 or so bookmarks pointing to political Web sites. A third folder contains 15 or so bookmarks for sites devoted to the World Champion Boston Red Sox. With one click, I can open the entire contents of these folders in tabs, in the same single window, allowing me to survey entire fields of interest.

    And Firefox can recognize and use Web sites that employ a new technology called "RSS" to create and update summaries of their contents. When Firefox encounters an RSS site, it displays a special icon that allows you to create a "live" bookmark to the site. These bookmarks then display updated headlines of stories on the sites.

    Firefox also includes a permanent, handy search box that can be used to type in searches on Google, Yahoo, Amazon or other search sites without installing a special toolbar.

    And it has a cool feature called "Extensions." These are small add-on modules, easy to download and install, that give the browser new features. Among the extensions I use are one that automatically fills out forms and another that tests the speed of my Web connection. You can also download "themes," which change the browser's looks.

    There is only one significant downside to Firefox. Some Web sites, especially financial ones, have chosen to tailor themselves specifically for Internet Explorer. They rely on features only present in IE, and either won't work or work poorly in Firefox and other browsers.

    Luckily, even if you switch to Firefox, you can still keep IE around to view just these incompatible sites. (In fact, Microsoft makes it impossible to fully uninstall IE.) There's even an extension for Firefox that adds an option called "View This Page in IE."

     


    "Barbarians at the Digital Gate," by Timothy L. O'Brien and Saul Hansell, The New York Times, September 19, 2004 --- http://www.nytimes.com/2004/09/19/business/yourmoney/19gator.html 

     

    KARSTEN M. SELF, who oversees a children's computer lab at a youth center in Napa, Calif., spends about a half-hour each morning electronically scanning 10 PC's. He is searching for files and traces of code that threaten to hijack the computers by silently monitoring the children's online activities or by plastering their screens with dizzying - and nearly unstoppable - onslaughts of pop-up advertisements.

    To safeguard the children's computers, Mr. Self has installed a battery of protective software products and new Web browsers. That has kept some - but by no means all - of the youth center's digital intruders at bay. "You would expect that you could use these systems in a safe and sane way, but the fact of the matter is that you can't unless you have a fair amount of knowledge, time to fix the problems and paranoia," he said.

    The parasitic files that have beset Mr. Self and other frustrated computer users are known, in tech argot, as spyware and adware. The rapid proliferation of such programs has brought Internet use to a stark crossroads, as many consumers now see the Web as a battlefield strewn with land mines.

    At the same time, major advertisers and big Internet sites are increasingly tempted by adware's singular ability to display pop-up ads exactly when a user has shown interest in a particular service or product.

    "Adware has its place, but to grab market share I think a lot of companies are doing things that make consumers feel betrayed," said Wayne Porter, co-founder of Spyware-Guide.com, a Web site that tracks adware and spyware abuses. "I think we're at a very important inflection point that is going to decide how the Internet operates."

    Continued in the article


     

    The link below was forwarded by Helen Terry
    "Digital mafia hitting Web sites in protection racket," by Joseph Menn, Los Angeles Times, October 26, 2004 --- http://www.chron.com/cs/CDA/ssistory.mpl/front/2867289 

    To an old-time bookie like Mickey Richardson, $500 in protection money was chump change.

    So when he got an e-mail from gangsters threatening to bring his online sports betting operation to its knees, he paid up.

    Before long, though, the thugs wanted $40,000. And that ticked him off.

    "I'm stubborn," said Richardson, who runs Costa Rica-based BetCRIS.com. "I wanted to be the guy that says, 'I didn't pay, and I beat them.'"

    Richardson couldn't figure the odds, but he was determined to fight what's fast becoming the scourge of Internet-based businesses: high-tech protection rackets in which gangs of computer hackers choke off traffic to Web sites whose operators refuse their demands.

    Rather than brass knuckles and baseball bats, the weapons of choice for these digital extortionists are thousands of computers. They use them to launch coordinated attacks that knock targeted Web sites off-line for days, or even weeks, at a time.

    The shakedowns generate millions of dollars. Many Internet operators would rather pay protection money than risk even greater losses if their Web sites go down.

    After more than a year perfecting their techniques on gambling and pornographic Web sites, the gangs are starting to turn their talents to mainstream e-commerce operations.

    "It's pretty much a daily occurrence that one of our customers is under attack, and the sophistication of the attacks is getting better," said Ken Silva, a vice president at VeriSign Inc., the company that maintains the ".com" and ".net" domain name servers and provides security to many firms.

    • Last month, Authorize.net, one of the biggest credit-card-services processors for online merchants, was hit repeatedly over two weeks, leaving thousands of businesses without a means to charge their customers.

    • In April, hackers silenced Card Solutions International, a Kentucky company that sells credit card software over the Web, for a week after its owner refused to pay $10,000 to a group of Latvians. Only after switching Internet service providers could the company come back online.

    • In August, a Massachusetts businessman was indicted on charges of orchestrating attacks on three television-services companies -- costing one more than $200,000. The case against Saad Echouafni is one of the rare instances in which alleged attackers have been identified and charged. Echouafni skipped bail.

    Many more attacks go unreported. "You're just seeing the tip of the iceberg," said Peter Rendall, chief executive of the Internet filter maker Top Layer Networks.

    Richardson was intent on keeping his ship afloat.

    BetCRIS, short for Bet Costa Rica International Sportsbook, takes about $2 billion in bets every year from gamblers around the world. Most are placed online. After customers complained early last year that the Web site seemed sluggish, Richardson felt a little relieved when an anonymous hacker e-mailed an admission that he had launched a denial-of-service attack against BetCRIS.

    The hacker wanted $500, via the Internet payment service e-Gold.

    That seemed like a bargain to Richardson. He paid up and promptly spent thousands more on hardware designed to weed out unfriendly Web traffic. "I was thinking if this ever happens again," he said, "we won't have a problem."

    The Saturday before Thanksgiving, Richardson found out how wrong he was. An e-mail demanded $40,000 by the following noon. It was the start of one of the biggest betting weeks of the year, with pro and college football as well as basketball.

    Richardson didn't respond.

    The next day, BetCRIS crashed hard.

    About the same time, other betting sites were getting hit too. The threats came in mangled English: "In a case if you refuse our offer, your site will be attacked still long time." Some sites were shut down for weeks.

    Costa Rican law enforcement was ill-equipped to deal with computer hackers thousands of miles away. Given the shaky legality of offshore betting, seeking help from U.S. authorities wasn't an attractive option.

    So the bookie in Costa Rica turned to Barrett Lyon, a spiky-haired philosophy major from Sacramento.

    Continued in the article
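    The weapon in the extortion cases above is volume: thousands of compromised hosts, each sending a modest stream of requests, so that no single source looks abusive while the site as a whole is drowned. The script below is an added example, not code from the Los Angeles Times article or from any vendor it names, showing the first check a defender runs on an ordinary web access log: bin requests by time window and separate a single hammering host (which one block rule handles) from a distributed flood (where the tell is the aggregate rate and the number of distinct sources, and the fix is upstream filtering or rate limiting rather than per-IP blocking). The log lines, addresses, timestamps and thresholds are all constructed for the demo; in a real deployment the lines come from the edge proxy or flow collector and the thresholds are set from the site's own baseline.

```python
"""Added example (not from the article): telling a distributed flood apart
from a single abusive host using nothing but an access log.

All log lines, IP addresses, timestamps and thresholds are constructed.
"""
import calendar
import re
import time
from collections import Counter, defaultdict

BASE = 1_100_000_000        # constructed start time (9 Nov 2004 UTC); a multiple of 10
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def fmt_ts(epoch):
    """Render an epoch second in Apache/Nginx combined-log timestamp form."""
    t = time.gmtime(epoch)
    return (f"{t.tm_mday:02d}/{MONTHS[t.tm_mon - 1]}/{t.tm_year}:"
            f"{t.tm_hour:02d}:{t.tm_min:02d}:{t.tm_sec:02d} +0000")


def parse_ts(ts):
    """Inverse of fmt_ts; avoids locale-dependent strptime month names."""
    day, mon, rest = ts.split("/")
    year, hh, mm, ss = rest.split(" ")[0].split(":")
    return calendar.timegm((int(year), MONTHS.index(mon) + 1, int(day),
                            int(hh), int(mm), int(ss), 0, 0, 0))


def log_line(ip, epoch, path="/odds/nfl"):
    """One combined-log-format line (constructed; the path is illustrative)."""
    return f'{ip} - - [{fmt_ts(epoch)}] "GET {path} HTTP/1.1" 200 1523 "-" "Mozilla/4.0"'


LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')


def parse_line(line):
    """Return (source_ip, epoch_second) for a combined-log line, or None if malformed."""
    m = LINE_RE.match(line)
    return (m.group("ip"), parse_ts(m.group("ts"))) if m else None


def build_sample():
    """Three ten-second slices of constructed traffic: normal, one hammering host, a botnet."""
    lines = []
    for i in range(30):                                   # 0-9 s: a dozen customers browsing
        lines.append(log_line(f"192.0.2.{i % 12 + 1}", BASE + i % 10))
    for i in range(300):                                  # 20-29 s: one host at 30 req/s
        lines.append(log_line("198.51.100.7", BASE + 20 + i % 10, "/login"))
    for i in range(10):                                   # ...while real customers continue
        lines.append(log_line(f"192.0.2.{i + 1}", BASE + 20 + i))
    for i in range(400):                                  # 40-49 s: 400 hosts, 2 requests each
        ip = f"10.{i // 256}.{i % 256}.5"                 # constructed bot addresses
        lines.append(log_line(ip, BASE + 40 + i % 10))
        lines.append(log_line(ip, BASE + 40 + (i + 5) % 10))
    return lines


def analyze(lines, window=10, total_rps=50.0, per_ip_rps=20.0, min_sources=100):
    """Classify each `window`-second bin.

    Returns {seconds_since_BASE: verdict}, where verdict is one of
      ("single-source flood", offending_ip)   one IP alone exceeds per_ip_rps
      ("distributed flood", source_count)     aggregate exceeds total_rps from at
                                              least min_sources IPs, none noisy alone
      ("normal", aggregate_rps)
    """
    bins = defaultdict(Counter)           # window start -> Counter(ip -> requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, epoch = parsed
            bins[epoch - epoch % window][ip] += 1

    verdicts = {}
    for start in sorted(bins):
        hits = bins[start]
        aggregate = sum(hits.values()) / window
        top_ip, top_n = hits.most_common(1)[0]
        if top_n / window > per_ip_rps:
            verdicts[start - BASE] = ("single-source flood", top_ip)
        elif aggregate > total_rps and len(hits) >= min_sources:
            verdicts[start - BASE] = ("distributed flood", len(hits))
        else:
            verdicts[start - BASE] = ("normal", round(aggregate, 1))
    return verdicts


if __name__ == "__main__":
    for offset, verdict in analyze(build_sample()).items():
        print(f"t+{offset:>3}s  {verdict}")
```

    Run as a script it prints one verdict per ten-second bin. The design point is the two separate thresholds: a per-source threshold catches the case where blocking one address is enough, and the aggregate-plus-source-count test catches the case where it is not, which is the case the bookmaker in the article was facing, and where the only real answers are capacity, upstream scrubbing, or rate limiting by request type rather than by source.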


    Bottom Line Solution --- Change to a Mac

    "How to Protect Yourself From Vandals, Viruses If You Use Windows," by Walter Mossberg, The Wall Street Journal, September 16, 2004, Page B1 --- http://online.wsj.com/article/0,,personal_technology,00.html 

    If you use a Windows personal computer to access the Internet, your personal files, your privacy and your security are all in jeopardy. An international criminal class of virus writers, hackers, digital vandals and sleazy businesspeople wakes up every day planning to attack your PC.

    And the company that controls the Windows platform, Microsoft, has made this too easy to do by carelessly opening numerous security holes in the operating system and its Web browser. Even if you install the recent Service Pack 2 update to Windows XP, you will still be vulnerable.

    As I have said before, I believe Microsoft and the computer makers should be taking care of all these problems with a unified, managed approach that would free users from having to learn about all the threats and constantly manage security. They should take responsibility for shielding users from hackers, spammers, viruses and spyware -- the malicious software that hijacks your browsing and searching, pushes ads into your face, and secretly logs your activities.

    But until that happens, you will have to fend for yourself. So here's a quick, rudimentary guide to protecting yourself in the digital world.

    Opting out: The single most effective way to avoid viruses and spyware is to simply chuck Windows altogether and buy an Apple Macintosh. Apple's operating system, Mac OS X, is harder for the criminals to infect, and the Mac's market share is so small that hackers, virus writers and spies get little thrill, financial gain or publicity from attacking the platform.

    There has never been a successful virus written for Mac OS X, and there is almost no spyware that targets the Mac. Plus, the Mac is invulnerable to viruses and spyware written for Windows. Not only is it more secure, but the Mac operating system is more capable, more modern and more attractive than Windows XP, and just as stable.

    Macs are as good as, and often better than, Windows PCs at doing the most common computing tasks: Web browsing, e-mail, word processing, spreadsheets, presentations, photos, music and video. The Mac version of Microsoft Office can handle Windows Office files with ease, and it produces files that Office for Windows handles effortlessly. Apple's computers are also gorgeous.

    But switching platforms is expensive, and scary to people. So if you're sticking with Windows, read on.

    Halting hackers: Buy a software firewall program, one that won't only stop hackers trying to get in but will also halt suspicious programs already on your PC from trying to send information out over the Internet. The one I recommend is ZoneAlarm, a free utility from Zone Labs, available at www.zonelabs.com. Use it instead of the wimpier built-in firewall Microsoft supplies.

    If you have a broadband connection or a home network, make sure your modem or router (a common piece of networking gear) is equipped with a feature called NAT, or Network Address Translation. This technology makes it harder for criminals on the Internet to find your computers. Even if you have NAT, however, I still recommend you have a software firewall program, because NAT doesn't block every attack.

    Curing viruses: You must run a strong antivirus program, and keep it updated, even if updates cost money. I recommend Norton AntiVirus (the stand-alone program, not the cumbersome security suite). It's very effective, and its automatic update system is the best I've ever tested. It costs $50, including a year of updates.

    Stopping spyware: Since antivirus programs don't attack spyware, you will need to run, and keep updating, a separate piece of software called an antispyware program. I recommend Spy Sweeper from Webroot software, at www.webroot.com . It costs $30, including a year of updates. Like an antivirus program, it not only detects and removes spyware already on your PC, but also watches for, and blocks, new spyware.

    Stuffing spam: Buy a decent antispam program. I know of none that is close to perfect, but the best is probably MailFrontier Desktop, available for $30 at www.mailfrontier.com . If you're really fed up, you can turn on the "challenge" feature in this program, which forces unknown senders to pass a simple test that baffles the mass-mailing software spammers use.

    Browsing safely: I suggest dumping Microsoft's Internet Explorer Web browser, which has a history of security breaches. I recommend instead Mozilla Firefox, which is free at www.mozilla.org    It's not only more secure but also more modern and advanced, with tabbed browsing, which allows multiple pages to be open on one screen, and a better pop-up ad blocker than the belated one Microsoft recently added to IE.

    Being careful: Never download software from the Web unless you are certain you know what it is and that you want and need it. If a Web site says you need some special plug-in to view things, be very wary. Common viewer software, like that from Real Networks, Apple or Macromedia, should be obtained from those companies' official sites.

    Staying current: You should probably install Microsoft's new SP2 update, which does improve Windows security -- although it has caused serious problems for a minority of Windows users. And you should install all the "critical updates" Microsoft issues for Windows.

    Bottom line: If you use Windows, you're asking for trouble. But you can mitigate the risk by taking precautions.

    It's the Best Solution, But It's No Longer Perfect

    From Technology Review on October 28, 2004 
    Apple's Got a Virus? Congratulations!
    Whenever Windows users grouse about the latest virus or spyware attack, Macintosh devotees good-naturedly tease that they don't have to worry about such nonsense. Well, the Apple-heads can't say that anymore. Last week, astute Mac users discovered a program dubbed "Opener"--a nefarious piece of code that embeds itself on Macs using OS X, disables the computer's firewall, and collects any password information it can find. The Apple community should not be upset about this malware news, writes Eric Hellweg, but celebrating it. Finally, a virus writer thinks Macs matter enough to merit attack!
    http://www.technologyreview.com/articles/04/10/wo_hellweg102804.asp?trk=nl


    Changes in Microsoft Windows XP Service Pack 2 --- http://www.macromedia.com/devnet/logged_in/wanbar_sp2.html 

    On Friday, August 6, 2004 Microsoft announced the release of a significant update to the Windows XP operating system: Microsoft Windows XP Service Pack 2 (SP2). This security-focused update includes numerous changes, many of them transparent to end users, which aim to reduce the operating system's exposure to attacks from the Internet and protect users from predatory software like adware, spyware, and malware. The Windows XP operating system is installed on nearly 50% of net-connected computers worldwide—almost 250 million PCs, according to the Flash Player survey Macromedia conducts quarterly through NPD.

    While targeted at abusers of the current Windows security model, the changes in SP2 also peripherally affect many safe and useful technologies, including, in some instances, Macromedia software. Microsoft and Macromedia have worked closely throughout the development of SP2 to ensure the best possible experience for customers of Macromedia Flash Player.

    In this article I'll talk about areas of the service pack that web designers and developers, website owners, IT and MIS personnel, and Flash Player users might be concerned about, with the goal of outlining the impact SP2 will have on the user experience and the development process.

    To get the most comprehensive and detailed information about the service pack, visit the Microsoft website, which includes the following:

    What's New in Windows XP Service Pack 2

    Microsoft Windows Service Pack 2 users will experience some changes in the way software behaves, including some minor changes when launching some Macromedia products. The most visible change is the presence of a new security warning dialog box, which asks users to confirm that they want to install or launch software.

    Many of the new security dialog boxes appear if a particular piece of software does not have a digital signature. Digital signatures verify the authenticity of the software download. As software publishers get busy creating and filing their digital signatures, there will be a transitional period in which many reliable software applications will not yet have them. Even without a digital signature, users are able to click to confirm that they want to install their software and proceed with the installation. To find out more about the digital signatures, see the Enhanced Browser Security section of the Microsoft TechNet article, Changes to Functionality in Microsoft Windows XP Service Pack 2.

     


    "Free Security Update To Windows XP Has Value but Falls Short," by Walter Mossberg, The Wall Street Journal, August 19, 2004, Page B1 --- http://online.wsj.com/article/0,,personal_technology,00.html 

    Microsoft has paid so little attention to security over the years that consumers who use Windows have been forced to spend more and more of their time and money fending off viruses, hackers, spyware and spam. For this reason, the burden of using a Windows computer has grown immeasurably recently.

    Now, under pressure from its customers and critics, the software giant is making a move toward undoing that damage. Over the next few weeks, Microsoft will be rolling out a major, free security update to Windows XP. It's called "Service Pack 2," or simply "SP2."

    I've been testing SP2 on two Windows computers, and it seems to work fine. I recommend installing it, if only because of the under-the-hood security improvements Microsoft claims it contains.

    But SP2 falls way short of what Microsoft could have done to fix the miserable state of security in Windows. While the update will make it harder for malicious software to enter your PC, SP2 doesn't detect or remove viruses or spyware or spam.

    What's more, some of the key features of SP2 are inferior to those in third-party security software. In fact, even after you install SP2, you will still have to use add-on security programs, if you want to be reasonably safe.

    Over the next month, SP2 will arrive at many PCs, unbidden, via the built-in Windows Update feature in Windows XP. It will also be available for downloading from Microsoft's Windows Update Web site. And Microsoft plans to mail it out, by request, on a free CD.

    On my two test machines, an IBM laptop and a Dell desktop, installation went very smoothly. All my programs and data remained intact and functional. Microsoft concedes that SP2 does interfere with about 50 known programs. Most are corporate products, but the list also includes a few games and consumer utilities.

    In addition to the under-the-hood changes, which are aimed at stopping several common intrusion techniques, SP2's main features are a new firewall, a new "Security Center" and new protections built into Microsoft's Internet Explorer Web browser. SP2 also turns on the automatic-update feature in Windows, which allows Microsoft to transmit and install future patches without user intervention.

    The firewall, which is designed to shield your PC from attacks over the Internet, is now turned on by default. Formerly, it was off by default. (You can still turn it off manually, along with the automatic update feature.) And it has a few new features, including one that warns you if a program running on your PC is seeking to open a "port" -- a conduit to the Internet -- so it can receive incoming data.

    But the new firewall lacks a crucial component present in some third-party firewalls, like ZoneAlarm. It doesn't prevent rogue programs already on your PC from using the Internet to make outbound data transfers, such as the secret reports that spyware programs make on your activities, or instructions that Trojan horse programs send out to attack other computers.

    Also, Microsoft has made it easy for other software programs to turn off the new firewall. This was done so competing firewalls like ZoneAlarm could turn off the Windows firewall during installation, to avoid having duplicate firewalls running. But Microsoft concedes that hackers can use the technique to shut down the firewall as well. So I recommend buying, or sticking with, a superior third-party firewall.

    The Security Center is where you can determine whether your firewall, your automatic-update settings and your antivirus program are on or off. It doesn't actually add a layer of protection to your PC. It's just an information device.

    Even in that role, it falls short. In my tests, it couldn't tell whether Symantec's Norton AntiVirus program was on or off, and it warned me that my PC might not be protected against viruses, even though my antivirus protection was definitely on. This is apparently because Symantec needs to patch its product so it can talk to the Security Center. And the center made no effort to monitor my antispyware or antispam programs.

    The changes to the Internet Explorer browser include a long-overdue pop-up ad blocker, which many other browsers now include, and additional warnings and controls on software downloads, so users will think twice about installing programs that might be malicious. An "Information Bar" at the top of the browser screen warns about downloads and notes that pop-ups have been blocked.

    Microsoft still hasn't devised a quick, easy way to thoroughly erase your browsing tracks in Explorer or added an antispam feature to its Outlook Express e-mail program. The company says that SP2 was all about security, and these things weren't viewed as core security features. But it somehow still managed to use this security update to jam an unsolicited new "Favorites" link into the browser, one that points to a Microsoft site where it wants to sell you software and hardware.

    Overall, SP2 is worth installing and will definitely improve Windows security. But it's limited. You'll still need to look beyond Microsoft to really secure your Windows PC.


    It's almost the same thing as robbing the jewelry in your house and then asking $300 for the map to where it's buried --- only this time Ole would say "the yoke's on yew."

    But I have to admit that it is a clever password.

    "New Trojan Ransoms Files, Demands $300:  The Trojan archives 44 file types with a ZIP library, then password-protects the files and deletes the originals. But some have discovered the password needed to free the files," by Gregg Keizer, Information Week, March 16, 2006 --- http://www.informationweek.com/news/showArticle.jhtml?articleID=183700241

    A Trojan is loose that locks up files and then demands a $300 ransom to return access, several security firms said Thursday, but at least two have discovered the password needed to free the files.

    Dubbed "Cryzip" by some anti-virus vendors and "Zippo.a" by others, the Trojan archives 44 file types -- including .doc (Microsoft Word), .pdf (Adobe Acrobat), and .jpg (images) -- with a ZIP library, then password-protects the files and deletes the originals.

    A "ransom note" is left on the machine, and reads in part: "Do not try to search for a program what encrypted your information - it is simply do not exists in your hard disk anymore. If you really care about documents and information in encrypted files you can pay using electonic [sic] currency $300.

    "Reporting to police about a case will not help you, they do not know password."

    At least two security firms, however, have dug up the password, which was left in plain view within one of the DLL files dropped by the Trojan. According to both Sophos and LURHQ, the password is:

    C:\Program Files\Microsoft Visual Studio\VC98

    "Because this string often appears inside projects compiled with Visual C++ 6, the author likely figured anyone who found the infecting DLL and examined its strings looking for the password would simply overlook it," LURHQ wrote in its Cryzip advisory.

    "There should be no need for anyone to pay the reward," said Graham Cluley, a senior technology consultant with Sophos, in a separate statement. "It looks like this password was deliberately chosen by the author in an attempt to fool analysts into thinking it was a directory path instead."

    Victims can use any ZIP utility to unlock the files with the password.

    Ransom-like attacks, labeled "ransomware," are rare. The last full-fledged attack was in May 2005 when another security company, California-based Websense, spotted a Trojan that demanded $200 for a decryption key.

    Other, and more common, forms of ransomware-style attacks are used by bogus spyware vendors, who claim that users' PCs harbor massive amounts of adware and spyware, and try to sell their phony products to spooked consumers.

    Bob Jensen's threads on reporting computer frauds are at http://www.trinity.edu/rjensen/FraudReporting.htm
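    The finding in the article, a symmetric key sitting among the binary's printable strings and disguised as a build path, is worth seeing end to end. The following Python script is an added example, not code from the article, from Sophos or from LURHQ: it builds a constructed stand-in for the dropped DLL and a password-protected ZIP of "victim" files, then recovers them the way the analysts did, by scanning the binary for printable strings and trying each one as the archive password. The DLL bytes, the file names and contents, and the imported-function names are all constructed; the small ZIP-cipher implementation is there only because Python's zipfile module can read but not write password-protected entries, so the sample archive has to be produced by hand.

```python
"""Added example, not code from the article or from Sophos/LURHQ: recovering
files from Cryzip-style ransomware, which zips the victim's documents under a
password left as a plain string inside the dropped binary.

Analyst's steps: (1) a `strings`-style scan of the binary, (2) trying each
candidate as the ZIP password until the archive opens. Everything is constructed
so the script runs offline: the 'DLL' is a byte blob built below, and the archive
is written by a minimal implementation of the traditional PKWARE ZIP cipher
('ZipCrypto'), since zipfile can read but not write encrypted entries.
"""
import io
import re
import struct
import zipfile
import zlib

# --- traditional ZIP cipher (PKWARE APPNOTE 6.1), encryption side only ---------
def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = _crc_table()

class ZipCryptoKeys:
    """Three rolling 32-bit keys seeded from the password, as the format specifies."""
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, b):
        self.k0 = _TABLE[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def stream_byte(self):
        t = self.k2 | 2
        return ((t * (t ^ 1)) >> 8) & 0xFF

def zipcrypto_encrypt(plaintext, password, crc):
    """12-byte header (filler + CRC high byte, the reader's password check), then the data."""
    keys = ZipCryptoKeys(password)
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])   # fixed filler; real tools use random
    out = bytearray()
    for p in header + plaintext:
        out.append(p ^ keys.stream_byte())
        keys.update(p)                       # the key schedule advances on the plaintext byte
    return bytes(out)

def build_encrypted_zip(files, password):
    """Write a STORED archive whose entries are ZipCrypto-encrypted (general-purpose flag bit 0)."""
    body, central = bytearray(), bytearray()
    for name, data in files.items():
        crc = zlib.crc32(data) & 0xFFFFFFFF
        enc = zipcrypto_encrypt(data, password, crc)
        fname, offset = name.encode(), len(body)
        body += struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, 1, 0, 0, 0x21,
                            crc, len(enc), len(data), len(fname), 0) + fname + enc
        central += struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, 1, 0, 0, 0x21,
                               crc, len(enc), len(data), len(fname), 0, 0, 0, 0, 0, offset) + fname
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, len(files), len(files),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)

# --- the analyst's side ---------------------------------------------------------
def extract_strings(blob, min_len=6):
    """`strings`-style scan: every run of printable ASCII at least min_len long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def recover(archive, candidates):
    """Try each candidate as the password; return (password, {name: bytes}) or (None, {})."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for cand in candidates:
            try:
                files = {i.filename: zf.read(i, pwd=cand.encode()) for i in zf.infolist()}
            except (RuntimeError, zipfile.BadZipFile):   # wrong password: check byte or CRC fails
                continue
            return cand, files
    return None, {}

# Constructed stand-in for the dropped DLL: PE-ish bytes, import names, the ransom
# text, and the key hidden among them as a build-path lookalike.
RANSOM_KEY = "C:\\Program Files\\Microsoft Visual Studio\\VC98"
FAKE_DLL = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
            + b"KERNEL32.dll\x00CreateFileA\x00DeleteFileA\x00" + b"\x01\x02\x7f\x00"
            + RANSOM_KEY.encode() + b"\x00\xff\xfe\x00"
            + b"Do not try to search for a program what encrypted your information\x00")
VICTIM_FILES = {"thesis.doc": b"Chapter 1. Constructed document text.",   # constructed
                "scan.jpg": b"\xff\xd8\xff\xe0 constructed image bytes"}

def demo():
    """Simulate the infection, then recover without paying: returns (password, files)."""
    archive = build_encrypted_zip(VICTIM_FILES, RANSOM_KEY.encode())
    return recover(archive, extract_strings(FAKE_DLL))

if __name__ == "__main__":
    pwd, files = demo()
    print("recovered password:", pwd)
    print("recovered files:", sorted(files))
```

    Running the script prints the recovered password and file names. The lesson a practitioner should take from the Cryzip case is that a key shipped inside the malware is recoverable by anyone who has a copy of it, so the first triage step on a machine with a ransom note is a strings scan of the dropper, not a payment. Later ransomware families close this hole by encrypting a per-victim key to a public key the attacker holds, and this recovery path then no longer exists.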

     


    Leading Anti-Virus, Anti-Spyware, and Anti-Spam Alternatives
    I trust Consumer Reports rankings more than virtually all other ranking sources, mainly because Consumer Reports accepts no advertising and has no other links to the vendors of the products rated in its labs.

    The Consumer Reports home page is at http://www.consumerreports.org/cro/index.htm  

     

    Consumer Reports Rankings of AntiSpam Software
    September 2006, Page 29
    E-MAIL ANTISPAM SOFTWARE BUILT INTO E-MAIL PROGRAMS (can filter spam without additional software)

    Rank 1 Microsoft Outlook http://www.microsoft.com/athome/security/email/fightspam.mspx

    Rank 2 Apple Mac OS X Mail http://www.apple.com/macosx/features/mail/ 

     

    ADD-ONS TO E-MAIL PROGRAMS (used in conjunction with e-mail programs)

    Rank 3 Trend Micro Anti-Spam Pilot

    Rank 4 Allume Systems

    Rank 5 Cloudmark Desktop http://www.cloudmark.com/desktop/

    Rank 6 Trend Micro Anti-Spam Pilot

    Rank 7 PC Tools Spam Monitor http://www.pctools.com/

    Ranks 8-13 given on Page 29

     

    Consumer Reports Rankings of Antivirus Software
    September 2006, Page 27

    Rank 1 BitDefender http://www.bitdefender.com/solutions/internet-security.html

    Rank 2 Zone Labs Zone Alarm Anti-Virus http://www.zonelabs.com/store/content/home.jsp  

    Rank 3 Kaspersky Anti-Virus Personal --- http://www.kaspersky.com/ 

    Rank 4 Norton AntiVirus http://www.symantec.com/avcenter/ 

    Rank 5 Norton AntiVirus for Macintosh http://www.symantec.com/avcenter/ 

    Rank 6 McAfee VirusScan http://www.mcafee.com/us/

    Rank 7 Trend Micro PC-cillin http://www.trendmicro.com/en/home/us/enterprise.htm 

    Ranks 8-12 given on Page 27
     

     

    Consumer Reports Rankings of AntiSpyware Software
    September 2006, Page 28
    Rank 1 F-Secure Anti-Spyware http://www.f-secure.com/

    Rank 2 Webroot Spy Sweeper http://www.webroot.com/wb/products/spysweeper/index.php?rc=266&ac=417 

    Rank 3 PC Tools Spyware Doctor http://www.pctools.com/

    Rank 4 Trend Micro Anti-Spyware

    Rank 5 Lavasoft Ad-aware http://www.lavasoftusa.com/software/adaware/

    Rank 6 Spybot-Search & Destroy http://www.safer-networking.org/en/index.html 

    Rank 7 Zone Labs Zone Alarm Anti-Spyware http://www.zonelabs.com/store/content/home.jsp  

    Ranks 8-12 Given on Page 28


    Spyware Detector and Remover
    January 2004 message from Richard Campbell [campbell@RIO.EDU]

    This product gets my 5 star rating - I was lulled into a false sense of security with Norton Security suite on my new computer.

    http://www.sunbeltsoftware.com/product.cfm?page=benefits&id=410 

    Richard J. Campbell mailto:campbell@rio.edu 

     


    What a Great Idea in the War on Spam:  Unfortunately, Make Love, not Spam only covers Italy, France, Germany, The Netherlands, Spain, Sweden and the UK to Date
    Internet users fed up with spam can go on the offensive by downloading a screensaver aimed at hitting junkmailers in the pocket.  The screensaver, called Make Love Not Spam and launched by search engine Lycos, requests data from websites that are mentioned in bulk mailings.  Lycos Europe spokesman Frank Legerland says if thousands of users sign up, the websites' servers will run at nearly full tilt.  The demand will slow the websites' response and hike their bandwidth bills, yet derive no income for the accesses.  He says those costs may discourage the sites from hiring email spammers to advertise their wares.
    ABC News, November 30, 2004 --- http://www.abc.net.au/news/newsitems/200411/s1254988.htm 
    You can read reviews at http://www.macupdate.com/info.php/id/16592 
    Also see http://www.eweek.com/article2/0,1759,1733446,00.asp 

     


    "Microsoft, Amazon Unite to Battle E-Mail Scammers," by Judy Lam, The Wall Street Journal, September 29, 2004, Page D3 --- http://online.wsj.com/article/0,,SB109639503163330213,00.html?mod=technology_main_whats_news 

    Amazon.com Inc. and Microsoft Corp. have joined forces to combat online fraud and find the people behind e-mail scams that send millions of forged messages to consumers.

    Yesterday, the two companies said they filed suits against Canadian company Gold Disk Canada Inc. and three individuals for allegedly sending millions of unsolicited e-mails using Microsoft's Hotmail services and forging the name of Amazon.com. The suits were filed in Superior Court of the State of Washington and the U.S. District Court in Seattle.

    Amazon and Microsoft said they are working to identify offenders and are collaborating to test technical solutions that would make it more difficult to send unwanted messages to consumers.

    Over the past year, Microsoft has stepped up its efforts to fight spam and e-mail scams as part of a broader move to stem a range of attacks on its software. The company has had to respond to growing customer complaints about the security of Microsoft applications, prompting the company to release a host of new security software, sign new partnerships, and begin taking more legal action to thwart hackers and senders of spam.

    Continued in the article


    Microsoft to Bundle Anti-Spyware App With Windows
    Microsoft said Friday that it plans to bundle its "Windows Anti-Spyware" tool with Windows Vista, the chronically delayed next version of the company's operating system. Microsoft also decided to rename the program "Windows Defender," in part to give it "a more positive name." The announcement, like others of late, was posted on one of the numerous blogs on Microsoft's site that catalog the daily doings of the software giant's many technical divisions. But this news -- for me, anyway -- was more than just a press release issued via a breezy blog post. It offered a glimpse of something Redmond hinted it was going to do years ago, but which has only recently become more of a reality: ship antivirus and anti-spyware updates to hundreds of millions of Windows computers every day through its Windows/Microsoft Update feature.
    Brian Krebs, "Microsoft to Bundle Anti-Spyware App With Windows," The Washington Post, November 7, 2005 --- http://blogs.washingtonpost.com/securityfix/2005/11/microsoft_to_bu.html?referrer=email


    The 10 best tools to keep viruses, spyware and bad guys away
    "Defensive Perimeter," by Gary Berline, PC Magazine, July 9, 2004  --- http://www.pcmag.com/article2/0,1759,1621759,00.asp 

    Detailed Checklist 
    "Keep Your PC Safe," PC Magazine, August 3, 2004 --- http://www.pcmag.com/article2/0,1759,1618797,00.asp 

    Toolkit of Free Products
    "Keep Your Friends Safe," by Neil J. Rubenking, PC Magazine, August 3, 2004 --- http://www.pcmag.com/article2/0,1759,1618804,00.asp 

    Security Watch Special Report --- http://www.pcmag.com/category2/0,1738,12,00.asp 

    My good friend Amy Dunbar at the University of Connecticut recommends the following spam blocker ---  http://spambayes.sourceforge.net/ 
    Bob Jensen's threads on spam blocking are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection

    Eileen Taylor from the University of South Florida recommends Cloudmark's SpamNet spam protection --- http://www.cloudmark.com/ 

    Paula Ward sent this link to a listing of spam fighters --- http://email.about.com/od/windowsspamfightingtools/ 

    Spam and Spyware Blocker Software
    All-in-One Secretmaker (Free) --- http://www.secretmaker.com/ 

    All-in-One SECRETMAKER is designed for users who wish to:

    ● Keep their email box free of spam
    ● Avoid irritating pop-up and banner interruptions
    ● Protect their privacy and avoid profiling
    ● Use the Internet efficiently for private or business use



    Spam Blocking

    January 25, 2006 Update

    Bill Gates' prediction that spam would be eliminated has widely missed the mark
    Two years ago, Gates said the spam problem would be "solved" by now. We're not even close, experts say, and for many reasons that don't have anything to do with Microsoft.
    Gregg Keizer, "Bill Gates' Spam Prediction Misses Target," Information Week, January 24, 2006 --- http://www.informationweek.com/story/showArticle.jhtml?articleID=177103434
    Also see http://www.internetweek.cmp.com/showArticle.jhtml?articleId=177103508


    "Damn Spam: The Losing War on Junk E-Mail," by Michael Specter, The New Yorker, August 6, 2007 --- http://www.newyorker.com/reporting/2007/08/06/070806fa_fact_specter 

    "Why Is Arizona State Blocking Change.org?" Inside Higher Ed, February 6, 2012 ---
    http://www.insidehighered.com/quicktakes/2012/02/06/why-arizona-state-blocking-changeorg


    "Major Source of Internet Spam Yanked Offline:  Web Hosting Firm Shuttered After Connection to Spammers is Exposed," by Brian Krebs, The Washington Post, November 12, 2008 --- http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html?wpisrc=newsletter

    The gleaming, state-of-the-art, 30-story office tower in downtown San Jose, Calif., hardly looks like the staging ground for a full-scale cyber crime offensive against America. But security experts say a relatively small Web hosting firm at that location is home to servers that help manage the distribution of the majority of the world's junk e-mail.

    The servers are owned by McColo Corp, a Web hosting company that has emerged as a major U.S. base of operations for a host of international cyber-crime syndicates, involved in everything from the remote management of millions of compromised PCs to the sale of counterfeit pharmaceuticals and designer goods, fake security products and child pornography.

    Multiple security researchers have recently published data naming McColo as a mother ship for all of the top robot networks or "botnets," which are vast collections of hacked computers that are networked together to blast out spam or attack others online.

    Joe Stewart, director of malware research for Atlanta-based SecureWorks, said that these known criminal botnets: "Mega-D," "Srizbi," "Pushdo," "Rustock" and "Warezov," have their master servers hosted at McColo.

    Collectively, these botnets are responsible for sending roughly 75 percent of all spam each day, according to the latest stats from Marshal, a security company in the United Kingdom that tracks botnet activity.

    Vincent Hanna, a researcher for the anti-spam group Spamhaus.org, said Spamhaus sees roughly 1.5 million computers infected with either Srizbi or Rustock sending spam over an average one-week timeframe.

    Hanna said McColo has for years been the source of botnet and other cyber-criminal activity, and that it has a reputation as one of the most dependable players in the so-called "bulletproof hosting" business, that is, Web servers that will remain online regardless of complaints.

    "These are serious issues, almost all relating to the very core of spammer infrastructure," he said.

    Officials from McColo did not respond to multiple e-mails, phone calls and instant messages left at the contact points listed on the company's Web site. But within hours of being presented with evidence from the security community about illegal activity coming from McColo's network, the two largest Internet providers for the company decided to pull the plug on McColo late Tuesday.

    Global Crossing, a Bermuda-based company with U.S. operations in New Jersey, declined to discuss the matter, except to say that Global Crossing communicates and cooperates fully with law enforcement, their peers, and security researchers to address malicious activity.

    Benny Ng, director of marketing for Hurricane Electric, the Fremont, Calif., company that was the other major Internet provider for McColo, took a much stronger public stance.

    "We shut them down," Ng said. "We looked into it a bit, saw the size and scope of the problem [washingtonpost.com was] reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."

    Continued in article

    Bob Jensen's fraud updates are at http://www.trinity.edu/rjensen/FraudUpdates.htm


     


    Leading Anti-Virus, Anti-Spyware, and Anti-Spam Alternatives
    I trust Consumer Reports rankings more than virtually all other ranking sources, mainly because Consumer Reports accepts no advertising and has no other links to the vendors of the products rated in its labs.

    The Consumer Reports home page is at http://www.consumerreports.org/cro/index.htm  

     

    Consumer Reports Rankings of AntiSpam Software
    September 2006, Page 29
    E-MAIL ANTISPAM SOFTWARE (used in conjunction with e-mail programs)

    Rank 1 Microsoft Outlook http://www.microsoft.com/athome/security/email/fightspam.mspx

    Rank 2 Apple Mac OS X Mail http://www.apple.com/macosx/features/mail/ 

     

    ADD-ONS TO E-MAIL PROGRAMS (can filter spam without additional software)

    Rank 3 Trend Micro Anti-Spam Pilot

    Rank 4 Allume Systems

    Rank 5 Cloudmark Desktop http://www.cloudmark.com/desktop/

    Rank 6 Trend Micro Anti-Spam Pilot

    Rank 7 PC Tools Spam Monitor http://www.pctools.com/

    Ranks 8-13 given on Page 29

     



    Those phony emails pretending to be from banks and PayPal

    "Revealing Fraud in E-Mail Addresses," by J.D. Biersdorfer, The New York Times, August 10, 2006 --- http://www.nytimes.com/2006/08/10/technology/10askk.html

    Q. I get a ton of e-mail messages purporting to be from banks and Web sites that are obviously not from those institutions even though the return address looks real. Is there a way to find out where these messages actually came from?

    A. Although you probably won’t be able to trace the fraudulent message directly back to its human sender, you can usually poke around inside the message’s full header field to see where it might have come from electronically. Check your particular e-mail program’s settings for displaying “full” or “long” message headers — in Outlook Express, for example, you can see the full header by right-clicking on a message in your mailbox window, selecting Properties and clicking the Details button.

    The full header shows the path that message took across the Internet from sender to recipient. Even if the return address is forged with something like admin@irs.gov, if you look closely, odds are you’ll see other addresses in the “Received:” lines in the header that give some indication of the message’s origin. A detailed explanation of how to read e-mail headers is at spamlinks.net/track-trace-headers.htm.

    If you receive spam that solicits your personal information, the consumer safety site OnGuardOnline.gov suggests forwarding it to the bank or institution used in the forged address and to spam@uce.gov.

    Bob Jensen's threads on ID theft are at http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft
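The header walk the column describes, carried out in code: an added example (not from the Times piece or from Bob Jensen's page) that parses a constructed message whose From: is forged as admin@irs.gov, lists the Received: hops oldest-first, and reports the two indicators a practitioner looks for. The server names, addresses and the example-university.edu trust boundary are all assumptions; only Received: lines stamped by servers you control can be believed, since a sender can pre-load fake ones beneath them.

```python
import email
import email.utils
import re

# Constructed sample, not a real message: the From: header is forged as
# admin@irs.gov, but the lowest Received: line shows the message first appeared
# on a consumer DSL host that merely *announced* itself as irs.gov.
SAMPLE_MESSAGE = """\
Received: from mx.example-university.edu (mx.example-university.edu [192.0.2.10])
\tby mailstore.example-university.edu with ESMTP id 123abc
\tfor <jdoe@example-university.edu>; Thu, 10 Aug 2006 09:12:01 -0500
Received: from relay.example-isp.net (relay.example-isp.net [198.51.100.7])
\tby mx.example-university.edu with ESMTP id 456def; Thu, 10 Aug 2006 09:11:58 -0500
Received: from irs.gov (dsl-pool-45.example-cable.net [203.0.113.45])
\tby relay.example-isp.net with SMTP id 789ghi; Thu, 10 Aug 2006 09:11:50 -0500
From: "IRS Refund Department" <admin@irs.gov>
To: jdoe@example-university.edu
Subject: Your tax refund is waiting

Click the link to claim your refund.
"""

# "from <name the sender announced> (<reverse DNS the receiver saw> [<IP>])"
RECEIVED_FROM = re.compile(
    r"^from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)


def parse_received_chain(raw_message):
    """Return the Received: hops oldest-first, i.e. the message's origin first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m = RECEIVED_FROM.match(text)
        by = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "claimed_name": m.group("claimed") if m else None,
            "reverse_dns": (m.group("rdns") or None) if m else None,
            "ip": m.group("ip") if m else None,
            "received_by": by.group(1) if by else None,
        })
    hops.reverse()  # every server prepends its stamp, so header order is newest-first
    return hops


def trusted_entry_hop(hops, trusted_suffix):
    """The hop at which the message reached a server we control.

    Stamps written by our own servers are reliable; anything below them could
    have been pre-loaded by the sender, so the entry hop is the last verifiable
    fact about where the message came from.
    """
    entry = None
    for hop in reversed(hops):  # walk newest-first until we leave our own servers
        if not (hop["received_by"] or "").lower().endswith(trusted_suffix.lower()):
            break
        entry = hop
    return entry


def sender_domain(raw_message):
    """Domain of the From: header, which the sender controls and which proves nothing."""
    msg = email.message_from_string(raw_message)
    return email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def _same_host(name, domain):
    name, domain = (name or "").lower(), (domain or "").lower()
    return bool(domain) and (name == domain or name.endswith("." + domain))


def forgery_indicators(raw_message, trusted_suffix):
    """Header-level signs that the visible sender is not where the mail came from.

    These are indicators, not proof: legitimate mail relayed through a third
    party (a mailing list, an ISP's outbound server) trips the second check too.
    """
    hops = parse_received_chain(raw_message)
    origin, entry = hops[0], trusted_entry_hop(hops, trusted_suffix)
    from_domain = sender_domain(raw_message)
    findings = []
    # 1. The first relay announced a name that its reverse DNS does not back up.
    if origin["reverse_dns"] and not _same_host(origin["reverse_dns"], origin["claimed_name"]):
        findings.append(
            f"origin announced '{origin['claimed_name']}' but was really "
            f"'{origin['reverse_dns']}' [{origin['ip']}]")
    # 2. The verifiable part of the path never touches the From: domain.
    if entry and not _same_host(entry["reverse_dns"] or entry["claimed_name"], from_domain):
        findings.append(
            f"From: claims '{from_domain}' but the mail entered our servers from "
            f"'{entry['reverse_dns'] or entry['claimed_name']}' [{entry['ip']}]")
    return findings


if __name__ == "__main__":
    for i, hop in enumerate(parse_received_chain(SAMPLE_MESSAGE), 1):
        print(f"hop {i}: {hop}")
    for finding in forgery_indicators(SAMPLE_MESSAGE, "example-university.edu"):
        print("indicator:", finding)
```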


    "Retail Fraud Rates Plummeted the Night McColo Went Offline," by Brian Krebs, The Washington Post, December 2008 --- http://voices.washingtonpost.com/securityfix/2008/12/mccolo_shutdown_killed_retaile.html?wpisrc=newsletter&wpisrc=newsletter

    One month after the shutdown of hosting provider McColo Corp., spam volumes are nearly back to the levels seen prior to the company's takedown by its upstream Internet providers. But according to one noted fraud expert, spam wasn't the only thing that may have been routed through the Silicon Valley-based host: New evidence found that retail fraud dropped significantly on the same day.

    It is unclear whether the decrease in retail fraud is related to the McColo situation, but in speaking with Ori Eisen, founder of 41st Parameter, he said close to a quarter of a million dollars worth of fraudulent charges that his customers battle every day came to a halt.

    Eisen, whose company provides anti-fraud consulting to a number of big retailers and banks, told me at least two of the largest retailers his company serves reported massive declines in fraud rates directly following McColo's termination.

    "It stopped completely that night," Eisen said, referring to a drop in fraudulent activity linked to purchases of high-value merchandise with stolen credit and debit cards on Nov. 11, the day McColo was shut down. "Yet, it will come back after [the scammers] erect their new infrastructure."

    Eisen's testimony suggests that a great many fraudsters may have been using McColo to funnel their Internet connections when attempting to purchase goods from retailer sites.

    In a follow-up blog post about the casualties of the McColo disconnection, Security Fix called attention to a Web site called "fraudcrew.com," a Web service that offered paying customers the ability to hide their identities online by routing their traffic through computers controlled by others. Fraudcrew.com was hosted on McColo's servers.

    From that piece:

    There are a number of services like those offered by Fraudcrew (Security Fix profiled another one earlier this year) that not only aid in hiding one's identity online, but could also defeat security measures put in place by financial institutions. Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives.

    These masking services provide a software program that allows the user to pick from a drop-down list of Internet addresses to proxy through. For example, if a user in Ukraine has stolen the user name and password that Joe from St. Louis uses to access his bank online, that user can simply select a node in the proxy list that's in St. Louis, and the bank site will be none the wiser that the person logging in is not actually in St. Louis.

    It is impossible to say whether the same individuals who were funneling their spam operations through McColo have moved elsewhere. For its part, Fraudcrew appears to have found a new host, a provider in Luxembourg.

    Spam volumes have since risen almost to pre-McColo levels in the past month. Some of this resurgence has been sporadic, thanks in no small part to the efforts of FireEye, a Milpitas, Calif.-based security startup, which has kept pressure on Internet service providers not to associate themselves with the spam gangs that have been trying to regain control over their herds of spam-spewing zombie PCs. Interested readers can learn more about these efforts by visiting the always-interesting FireEye blog.

     


    Question
    What are two of the shocking developments in spyware and spam?

    July 14, 2006 message from Richard Campbell [campbell@RIO.EDU]

    This is from a newsletter from Sunbelt Software, developers of CounterSpy, a spyware detection program.

    CSN: What do you see as the latest trends in spam?

    AM: I see four main trends. The first is that most spam now comes from zombie machines so even if you are able to track the spam back to the machine that sent it, there is nothing you can do about it as the person that owns the machine most likely doesn't even know that his machine is being used as a zombie and even if he did, he wouldn't know what to do about it. This zombie phenomenon also leads to individualized spam as the zombie code can access the address book and send legitimate looking email to the zombie machine owner's friends.

    The second trend I see is the increase in the amount of image spam. That is spam that contains an image instead of text. The spammer's message is contained in the image as a graphic image instead of text so that there is no practical way to try and detect spam by looking at the contents of the email. It's easy for the human eye to look at the picture and read the text that it contains but it is very difficult for a computer to do the same thing. Since it is so easy to change a bit or two in the image, it is not easy to come up with a hashing algorithm (a way to create a "signature" that can be used to determine if another image is the same as the original one). There is a lot of work being done to try to come up with ways of comparing images to see how "similar" they are but nobody has come up with a workable solution so far. Currently, I'd guess the amount of image spam is around 5% - 10% of the total amount of spam. I expect to see this increase to 20% - 30% in the next year or two.

    The third trend is the scariest and that is phishing. I monitor the spam reported by our users so I get to see a pretty good cross section and it scares me to see how good the phishing sites are. They are so good that you have to be pretty savvy to detect some of them. I feel sorry for all the non-computer types out there that will fall victim to these. I have seen a dramatic rise in the amount of phish email in the past 6 months and expect to see that increase continue because there is so much money to be made with very little effort or risk.

    The fourth trend is "returned email." I have noticed a marked increase but I haven't had time to investigate. I suspect that the bulk of it is spam/malware, especially those that have attachments. It is particularly nasty because an attachment on a returned email doesn't seem out of the norm. In fact, you kind of expect to see your original email attached. Some of the undelivered email that I've looked at with attachments doesn't have the original email there. Instead it contains spam or a link to a malware site. You have to be real careful and make sure that the "bounce" (rejected email) is actually something that you sent. Many times it is the result of a rootkit having taken over your machine, turning it into a zombie. If you see email bounced that you never sent, it is very likely that your machine is infected.

    CSN: What about image spam, what is it, and why so dangerous or such a pain to get rid of?

    AM: The primary use for image spam is to advertise penny stocks. Most of this type of spam is part of a 'pump-n-dump' scheme where the spammer buys a lot of a particular stock and then starts promoting it via spam that describes what a great buy the stock is or giving the impression that the company is on the verge of some major expansion or discovery in order to get gullible investors to buy the stock. Once the price goes up, and it can go up as much as 500%, the spammer sells his shares and makes a huge profit. Since there was no real reason for the stock to increase, it usually falls back to its original level or lower. Most of the time, the company whose stock is being hyped is not involved in the spamming so they end up being a victim of the spammer as well as there is very little that they can do to keep their stock from being manipulated.

    Image spam is only useful in situations where the user doesn't have to communicate with the spammer. With normal spam, there is a phone number to call or a button to click to order pills or whatever the spammer is hawking, but with image spam, there is no information that links the email to the spammer, as the typical stock ad mentions the company but not the spammer. This is what makes it so different from the run-of-the-mill spam.

    I'm sure that it won't be too long before some creative spammer comes up with another type of situation where one way communication can be used to somehow flow money to them.

    Richard J. Campbell
    mailto:campbell@rio.edu
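The "similarity" comparison the interview says researchers were working on, as an added example (not from the Sunbelt newsletter or this page): a perceptual average hash computed over a constructed 32x32 grayscale image, showing why the "change a bit or two" trick defeats an exact fingerprint but not a perceptual one. Nudging one pixel by one intensity step changes the SHA-256 of the pixels yet leaves the 64-bit average hash untouched, while an inverted image lands 64 bits away. The image pattern, the 8x8 hash size and the distance threshold are assumptions; larger edits (rescaling, rotation, heavy noise) still move the hash, which is the arms race the interview alludes to.

```python
import hashlib

SIZE = 32       # constructed sample image is SIZE x SIZE grayscale, values 0-255
HASH_SIDE = 8   # average hash works on an 8x8 downscale -> one 64-bit integer


def make_sample_image(width=SIZE, height=SIZE):
    """Constructed stand-in for a 'stock tip' picture: a blocky light/dark pattern."""
    return [[200 if ((x // 4) + (y // 8)) % 2 == 0 else 30 for x in range(width)]
            for y in range(height)]


def exact_hash(pixels):
    """Cryptographic hash of the raw pixels: one changed byte, entirely new digest."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


def downscale(pixels, side=HASH_SIDE):
    """Box-filter the image down to side x side by averaging each block of pixels."""
    height, width = len(pixels), len(pixels[0])
    block_h, block_w = height // side, width // side
    small = []
    for by in range(side):
        row = []
        for bx in range(side):
            block = [pixels[y][x]
                     for y in range(by * block_h, (by + 1) * block_h)
                     for x in range(bx * block_w, (bx + 1) * block_w)]
            row.append(sum(block) / len(block))
        small.append(row)
    return small


def average_hash(pixels, side=HASH_SIDE):
    """Perceptual 'average hash': one bit per cell, set if the cell is brighter than the mean.

    Tiny intensity changes cannot flip a cell across the mean, so near-identical
    images produce identical or nearly identical bit strings.
    """
    cells = [v for row in downscale(pixels, side) for v in row]
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def same_image(pixels_a, pixels_b, max_distance=5):
    """Near-duplicate test: a small edit moves only a few of the 64 bits."""
    return hamming(average_hash(pixels_a), average_hash(pixels_b)) <= max_distance


def perturb(pixels, x, y, delta):
    """Copy of the image with a single pixel nudged by delta (the spammer's trick)."""
    out = [row[:] for row in pixels]
    out[y][x] = max(0, min(255, out[y][x] + delta))
    return out


def invert(pixels):
    """A genuinely different image with the same dimensions, for contrast."""
    return [[255 - v for v in row] for row in pixels]


def demo():
    original = make_sample_image()
    tweaked = perturb(original, 5, 5, +1)   # one pixel, one intensity step
    return {
        "sha256_matches": exact_hash(original) == exact_hash(tweaked),   # False
        "ahash_distance": hamming(average_hash(original), average_hash(tweaked)),  # 0
        "near_duplicate": same_image(original, tweaked),                 # True
        "inverted_distance": hamming(average_hash(original), average_hash(invert(original))),  # 64
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```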


    July 25, 2004 Update

    Mozilla can help defend against some spyware invasions on your computer!

    Forwarded by Jagdish Gangolly [JGangolly@UAMAIL.ALBANY.EDU]

    According to Rist (who is sitting behind me while I write this, just to make sure I don’t misquote him), the biggest problem is with Microsoft’s continued use of ActiveX, but that's by no means the only problem. In fact, it looks as if IE can’t be successfully patched, and what’s needed is a whole new version.

    But what are you going to do if you don’t use IE? For most, IE is the default browser; they don’t have another choice that’s easy to implement. Does that mean that you should just grit your teeth and hope for the best? Not necessarily.

    There are other browsers out there without IE’s security holes, most notably Mozilla. Getting Mozilla isn’t a problem -- just download it from the Web site <http://newsletter.infoworld.com/t?ctl=7ABD7D:1F5397F>. The real problem is that you have to be sure that moving to Mozilla doesn’t introduce a new set of problems.

    My own experience with Mozilla indicates that it works at least as well as IE and appears to be somewhat faster. I’ve already moved to Mozilla as my default browser because of the security issues with IE. As it happens, I'm also finding that I like it better than IE.

    Unfortunately, the only way to know for sure whether Mozilla will work with the apps that require a browser is to test it. Download it to a few machines and see if anything breaks.

    Testing Mozilla might be the first step on the path to IE separation, but the journey isn't over yet. Many companies who run Web sites tend to be kind of lazy and code their sites only for IE, because it’s the dominant browser. Sometimes they take shortcuts that keep other browsers from working properly.

    The only way to know for sure if these shortcuts will short-circuit a non-IE browser is to try potential replacement browsers to see if they work with the Web sites you absolutely depend on. If they do, you won’t need to worry as much about adopting them, although you’ll still have to install the new browser on every machine, and that’s not the world’s easiest task in a large enterprise.

    But there’s another task you have to worry about. What are you using for your own Web server? Internet Information Server has its own set of vulnerabilities, after all. And what about the code running on your Web site? Have you avoided those programming practices that will lock your visitors into IE? After all, a lot of companies are now using machines that don’t run Windows (and therefore not IE), and a growing number are trying to avoid IE even if they do run Windows because of the security issues. You don’t want to discourage them from visiting your site, do you? I didn’t think so.

    Unfortunately, you can’t drop IE from your Windows machines completely. You still need it for Windows Update alerts. But it is possible to use it sparingly, and until Microsoft issues a new release, that would be a good idea.

    <mailto:wayne_rash@infoworld.com;letters@infoworld.com> Wayne Rash is a senior analyst at the InfoWorld Test Center.

    • More of Wayne Rash's column <http://newsletter.infoworld.com/t?ctl=7ABD7B:1F5397F>

    • Wayne Rash's forum <http://newsletter.infoworld.com/t?ctl=7ABD7A:1F5397F>

    July 25, 2005 reply from Schatzel, John [JSchatzel@STONEHILL.EDU]

    I also read this past week (I believe it was in eWeek) that CERT (Computer Emergency Readiness Team) and the Department of Homeland Security have also declared IE to be unsafe.  There are apparently so many security flaws with IE that they cannot be reliably patched.  For example, IE's ability to use ActiveX allows it to access low-level features of your operating system that can allow trojans and key loggers to be placed on your computer.  These programs can and have collected personal bank account and credit card passwords that have led to significant losses recently.  This whole new phishing scam used by hackers who exploit weaknesses in IE to get your personal information without you knowing it is the most dangerous thing I have ever seen.  They target your machine by sending you a regular email message (i.e., no attachments are involved) which drops an IE helper object on your computer which then downloads additional software to your computer capable of collecting and sending your personal information.

    IE also has another feature called Adodb.stream (among too many other problems to list in this message), which allows your computer to be compromised.  “Adodb.stream provides a method for reading and writing files on a hard drive,” according to Microsoft. “This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an Internet web site to execute script from the Local Machine Zone (LMZ).” This is dangerous folks and allows hackers to really have a field day with your personal information.

    To reduce your risk, security experts recommend using Mozilla (http://mozilla.org) or Opera (http://www.opera.com).  I have used both of them and can say that they are both better featured browsers than IE (the experts say that they are safer).  The latest version of Mozilla (1.7.1) is open source; so it is free.  The basic version of Opera is free, but it displays ads. The no ad version costs $39 and was selected best browser of 2004 by PC World (and it really is the fastest). 

    Wishing you all a safer browser,

    John Schatzel

    July 25, 2004 reply from David Fordham, James Madison University [fordhadr@JMU.EDU]

    The primary drawback I've encountered with alternate browsers (and I've tried about half a dozen over the past few months and years) is that they aren't prepared to deal with all the various file extensions and file types today which IE handles so transparently.

    I consider myself a "power web user", and I conduct a lot of business on-line, which means that my banks, credit card companies, hotels, vendors, university webmail, university tech-tools, etc. are sending me a lot of scripts, image/sound files, and executable code. For example, in the past hour, I've been sitting here in a hotel room in Charlotte looking for Fuddrucker, Krystals', Boston Markets, double-checking my next hotel reservation as well as my rewards points, checking the status of my on-line class recording in Centra, checking webmail, and checking the status of my shipment from the Palm store. All of this requires executable code, map images, animated logos, etc. on my computer. (And yes, before you hit the flame button, I realize that using IE for all this stuff exposes me to all kinds of hazards in spite of my plethora of antiadware, antispyware, antivirusware, high security settings, etc....)

    But at least all the apps work in IE! When I get messages saying "this website is trying to execute something, do you trust them?" and when I hit "yes", the site runs and my transaction is completed.

    When I use the alternate browsers, they were forever choking and giving me error messages saying "Unknown file type" and "Unknown file extension" and "unable to process such-and-such-a script" and so forth, and the transaction chokes and dies. Depending on the alternate browser, anywhere from 10% to 80% of my web attempts would not display or run. Mapquest, Citibank, Switchboard.com, UPS, and even Google's advanced searches sometimes tripped on these. And our school uses Centra, Blackboard, Tegrity, and a host of other tech tools which are certified and warrantied to run on IE, but not on most of the others. (And, surprise, they DON'T! Not reliably, not 100% of the time! I know. I tried! And yes, I spent hours tinkering with settings and security configurations and with tech-support people. The usual answer from the browser support people WHEN I COULD GET THEM TO RESPOND was "our product doesn't support that".)

    Ergo, as is usually the case, security is a trade-off with convenience. (Been through an airport since 9/11/01?) If all you do is surf the web for pleasure (bikini.com or something) or if you are in the habit of inhabiting questionable websites, then perhaps one of the other browsers might work and be more secure. Or if you are the government security agency and your people are doing limited stuff on the government account, you can probably find an alternate browser much more secure that will run your apps.

    But as for me and my house, I sure hate getting 90% of the way into an on-line transaction, and the browser bombs out and says it encountered a problem processing, even if it only happens once every 10 times. (If your car failed to start once every 10 or so times, wouldn't it get irritating, especially if you had come to rely on your car for your day-to-day operations?)

    So once again, until the rest of the world recognizes the emperor's lack of clothes, I'm afraid I'll have to avoid the little tailor shops, too. At least until they can handle the content a little more transparently. (pun intended)

    Another devils-advocate contrarigram from you-know-who, although this time I'm sincere in my beliefs, having actually truly, been there and done that. Several times.

    David Fordham 
    James Madison University


    Hi Paula,

    I live with whatever Trinity University is providing for spam protection on our email system.  I still get a lot of unwanted messages for dates, lower mortgage rates, Viagra, larger breasts, and manhood the size of Kentucky Derby winners.  

    My good friend Amy Dunbar at the University of Connecticut recommends the following spam blocker ---  http://spambayes.sourceforge.net/

    There’s a nice article that came out two days ago reviewing some of the major alternatives for protection against “spam, viruses and directed attacks.”

    "Appliances Ease E-Mail Security," by Michael Caton, eWeek, June 28, 2004 --- http://www.eweek.com/article2/0,,1616472,00.asp 

    Spam, viruses and directed attacks have made managing e-mail security an increasingly complex and difficult job. eWEEK Labs recently reviewed three appliances that will reduce the burden on IT managers by consolidating messaging security applications in a single box.

    Appliances from BorderWare Technologies Inc., CipherTrust Inc. and IronPort Systems Inc. give companies a new way to solve the problem of securing e-mail without investing in numerous point applications—from messaging gateways to anti-spam software—and the hardware needed to run those applications. We reviewed the $7,995 BorderWare MXtreme Mail Firewall MX 200, the $44,000 CipherTrust IronMail 305 and the $54,950 IronPort C60.

    All three appliances include a mail transfer agent, policy management capabilities, and virus- and spam-filtering features. However, the systems also have a number of differences—both big and small.

    We found that the CipherTrust appliance provides the best all-around solution, including a Web mail proxy.

    The BorderWare MXtreme appliance likewise covers all the bases, but we'd like to see better reporting and consolidated management for administering multiple boxes. These capabilities are coming in the next release of the appliance's software.

    The IronPort appliance will be a good fit for companies that already have a firewall and proxy in place for managing access to Web mail but need a way to handle large volumes of inbound and outbound e-mail while filtering spam and viruses.

    The appliances we tested give companies a way to eliminate what are often dedicated boxes running messaging gateways and anti-virus and anti-spam systems. Furthermore, they simplify management of all these applications by providing unified management and reporting capabilities.

    However, these appliances won't necessarily reduce messaging costs. All the appliances we tested rely on third-party anti-virus tools, so companies will still need to pay an annual renewal fee to keep virus definition files up-to-date. The cost can range from $1.50 to $5 per user per year, depending on volume. The BorderWare and IronPort appliances also offer third-party anti-spam software, whose annual cost can run from $3 to $7 per user. In the case of the anti-spam engines developed by CipherTrust and BorderWare, the yearly maintenance and support fees will cover updates to those engines.

    All three appliances provide policy management capabilities, but none of the systems' features was as complete as we'd like.

    In addition, none of the systems provides the flexibility of point solutions.

    For example, the appliances can search only messages and attachments for content that may be confidential or objectionable. In contrast, a point solution that runs in close conjunction with a groupware application, such as Omniva Inc.'s Policy Manager, will give companies the ability to create policies to filter internal and external communications, as well as provide a means to encrypt outbound messages.

    Groupware-based solutions can also give companies a way to more readily manage the workflow associated with auditing messages, as well as either distribute keys or provide Web-based access for opening encrypted messages.

    Bob Jensen's threads on computer and network security are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection 

    June 29, 2004 message from Paula Ward

    Bob, 

    What anti-SPAM software do you recommend? 

    Paula Kelley Ward


    "Pop-Up Program Snatches Banking Passwords," by Dennis Fisher, eWeek, June 29, 2004 --- http://www.eweek.com/article2/0,1759,1618458,00.asp?kc=ewnws063004dtx1k0000599 

    Customers who use a number of the top online banking sites are at risk of falling prey to a new Web-based attack that snatches user IDs and passwords for these sites.

    Among the sites targeted by the attack are some owned by Citibank, Deutsche Bank and Barclays Bank.

    The attack is rather complex and appears to use a known flaw in Internet Explorer (IE) to drop a Trojan horse program on vulnerable machines. The Trojan is delivered through a malicious pop-up ad that loads a file called "img1big.gif" onto the machine. The file is in fact a compressed Win32 executable that contains the Trojan and a DLL.

    The DLL is installed on the PC as a BHO (Browser Helper Object), a type of DLL that normally is used to let developers control IE in certain circumstances.

    When IE runs on a machine infected with the malicious BHO, the file monitors IE's activities for any HTTPS sessions with URLs that have any of a large number of banking-related strings in them.

    Once IE establishes an outgoing HTTPS connection—which is secured using SSL encryption—to one of these URLs, the BHO collects all of the outbound POST or GET data before it is encrypted, according to an analysis of the attack done by researchers at The SANS Institute's Internet Storm Center. The attack affects IE 4.x and later.

    Continued in the article
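    The attack described in the article above hinges on a Windows executable being delivered under the name "img1big.gif". A gateway or endpoint check that looks at a file's leading bytes instead of trusting its extension catches that disguise before anything runs. The following is an added example written for this page, not code from eWeek or from the SANS analysis; the file names and byte strings are constructed sample data, and the signature table covers only a handful of common formats.

```python
"""Flag files whose content does not match the type their name claims.

Added example (not from the eWeek article). A Windows executable, packed
or not, begins with the bytes "MZ"; a GIF begins with "GIF87a" or
"GIF89a". Comparing the two is a cheap defensive check.
"""
import os

# Leading byte signatures ("magic numbers") for a few common formats.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe",          # DOS/Windows executable header, also used by DLLs
    b"PK\x03\x04": "zip",
}

# What each file extension claims the content is.
EXTENSION_TO_TYPE = {
    ".gif": "gif", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".exe": "pe", ".dll": "pe", ".zip": "zip",
}


def sniff_type(data: bytes) -> str:
    """Return the type implied by the content's leading bytes, or 'unknown'."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the type in the bytes."""
    ext = os.path.splitext(name)[1].lower()
    claimed = EXTENSION_TO_TYPE.get(ext, "unknown")
    actual = sniff_type(data)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "mismatch": claimed != actual,
        # Executable bytes under a non-executable name: the case in the article.
        "disguised_executable": actual == "pe" and claimed not in ("pe", "unknown"),
    }


# Constructed sample inputs (not real files): a genuine GIF header, a PE
# header hiding behind a .gif name, and an honestly named executable.
SAMPLES = {
    "banner.gif": b"GIF89a" + b"\x00" * 16,
    "img1big.gif": b"MZ\x90\x00" + b"\x00" * 16,
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 16,
}


def scan(samples=SAMPLES):
    """Run the check over every sample and return the results."""
    return [check_file(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in scan():
        if r["disguised_executable"]:
            verdict = "DISGUISED EXECUTABLE"
        elif r["mismatch"]:
            verdict = "type mismatch"
        else:
            verdict = "ok"
        print(f"{r['name']:<14} claims {r['claimed']:<7} content {r['actual']:<7} {verdict}")
```

    The check is deliberately one-directional: an unknown extension is not flagged, so the interesting signal is a known non-executable name over executable bytes. In practice this belongs at the mail or web gateway alongside the anti-virus engine, since it costs only a few bytes of I/O per file.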


    Question
    Is it legal for your employer or your landlord to open your first class mail?

    Answer
    I'm not certain about first class mail, but people with access to your email system have just received added legal green lights to view your email.

    "E-Mail Snooping Ruled Permissible," by Kim Zetter, Wired News, June 30, 2004 --- http://www.wired.com/news/politics/0,1283,64043,00.html?tw=newsletter_topstories_html 

    E-mail privacy suffered a serious setback on Tuesday when a court of appeals ruled that an e-mail provider did not break the law in reading his customers' communications without their consent.

    The First Court of Appeals in Massachusetts ruled that Bradford C. Councilman did not violate criminal wiretap laws when he surreptitiously copied and read the mail of his customers in order to monitor their transactions.

    Councilman, owner of a website selling rare and out-of-print books, offered book dealer customers e-mail accounts through his site. But unknown to those customers, Councilman installed code that intercepted and copied any e-mail that came to them from his competitor, Amazon.com. Although Councilman did not prevent the mail from reaching recipients, he read thousands of copied messages in order to know what books customers were seeking and gain a commercial advantage over Amazon.

    Authorities charged Councilman with violating the Wiretap Act, which governs unauthorized interception of communication. But the court found that because the e-mails were already in the random access memory, or RAM, of the defendant's computer system when he copied them, he did not intercept them while they were in transit over wires and therefore did not violate the Wiretap Act, even though he copied the messages before the intended recipients read them. The court ruled that the messages were in storage rather than transit.

    The court acknowledged in its decision (PDF) that the Wiretap Act, written before the advent of the Internet, was perhaps inadequate to address modern communication methods.

    But critics said the decision represented a huge privacy setback for e-mail users.

    "By interpreting the Wiretap Act's privacy protections very narrowly, this court has effectively given Internet communications providers free rein to invade the privacy of their users for any reason and at any time," says Kevin Bankston, an attorney with the Electronic Frontier Foundation. "This decision makes clear that the law has failed to adapt to the realities of Internet communications and must be updated to protect online privacy."

    In his dissenting opinion, which contained a detailed description of how e-mail works, Justice Kermit V. Lipez wrote that Congress never intended for e-mail temporarily stored in the transmission process to have less privacy than messages in transit. And he acknowledged that "the line that we draw in this case will have far-reaching effects on personal privacy and security."


    In my AIS course, I sometimes have an invited speaker from the consulting division of Ernst & Young.  His full time job is trying to hack into client computer systems.

    What is the certification credential called CEH?

    Answer
    Certified Ethical Hacker

    "Ethical Hacking Is No Oxymoron," Reuters, Wired News, June 27, 2004 --- http://www.wired.com/news/infostructure/0,1377,64008,00.html?tw=newsletter_topstories_html 

    Sporting long sideburns, a bushy goatee and black baseball cap, instructor Ralph Echemendia has a class of 15 buttoned-down corporate, academic and military leaders spellbound. The lesson: hacking.

    The students huddled over laptops at a Los Angeles-area college have paid nearly $4,000 to attend “hacker college," a computer boot camp designed to show how people will try to break into network systems -- and how they will succeed.

    "It's an amazing thing how insecure the big corporations are," Echemendia said during a break in the weeklong seminar. "It's just amazing how easy it is."

    Hackers are believed to cost global businesses billions of dollars every year, and the costs to defend against them are soaring. One study by Good Harbor Consulting showed that security now accounts for up to 12 percent of corporate technology budgets, up from 3 percent five years ago.

    "This is definitely bleeding edge -- so bleeding edge in fact, sometimes, that it's frightening," said Loren Shirk, a student in the class at Mt. Sierra College who owns a small-business computer consulting company.

    The course prepares students for an exam offered by the International Council of E-Commerce Consultants, or EC-Council. If they pass that test, they get the ultimate seal of approval: Certified Ethical Hacker.

    The class is by no means easy. Instructors race through topics like symmetric versus asymmetric key cryptography (symmetric is faster), war dialing (hackers will always call late at night) and well-known TCP ports and services (be wary of any activity on Port 0).

    "I can definitely say it's not for everyone," said Ben Sookying, director of network security services for the California State University's 23-campus system and another student in this week's class. "If you don't have discipline, you won't make it through this course."

    But the work is practical, too. On the first day, students were taught basic free and legal research methods, mostly involving search engines and securities databases, so they could learn as much information as possible about companies, their executives and systems.

    With relatively little effort, they found out that the chief executive of one public company maintained his own website dedicated to guitars, while another public company still uses a number of systems known to be easily exploited by hackers.

    Intense School, the Florida-based company that runs the hacking boot camp, started in 1997 with a $35,000 investment, teaching Microsoft and Cisco software to systems engineers.

    But after the Sept. 11, 2001, attacks on the World Trade Center and the Pentagon, the company expanded its focus to information security courses. It now offers around 200 classes a year, generating about $15 million in annual revenue.

    "What we attempt to do in our classes is teach how the hackers think," said Dave Kaufman, president of Intense School. The only way to keep hackers out of major corporate systems, he said, is to know how they will be attacked in the first place.

    Continued in the article

    Bob Jensen's threads on computer and network security are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection 

     


    "Who's Seeding the Net With Spyware?  Young surfers pick up paychecks for posting misleading pitches armed with invasive programs," by Emily Kumler, PC World, June 15, 2004 --- http://www.pcworld.com/news/article/0,aid,116512,00.asp 

    It's tough enough sometimes to figure out where you picked up that spyware, but have you ever wondered who planted that digital parasite?

    It's likely a young man, maybe a college student, just making a few bucks spreading pop-up ads that contain a package unwelcome by many. And it's a growing cottage industry.

    How It Works

    Spyware follows your Internet surfing habits and serves up advertisements. You typically pick up spyware by clicking on links, which may not make it clear that you're downloading a "bonus" program when you read an ad or download a program you want.

    The Federal Trade Commission defines spyware as "software that aids in gathering information about a person or organization without their knowledge and which may send such information to another entity without the consumer's consent, or asserts control over a computer without the consumer's knowledge." The federal government and several states are considering antispyware laws, and Utah recently enacted one.

    FTC and industry leaders have urged Congress to resist spyware legislation, instead pushing for the industry to adopt self-regulatory practices. They fear that proposed laws define the practice too vaguely, and would prohibit other marketing practices that benefit consumers. But some lawmakers worry that the tech industry will not regulate spyware aggressively enough to protect consumers.

    Meanwhile, computer users continue to face the side effects of spyware on their systems: bogged-down Internet connections, identity theft, lost documents, system problems, and potential loss of privacy.

    Who's Behind It

    The people distributing the links for spyware downloads are paid about 15 cents every time an unsuspecting surfer clicks on their misleading bait.

    "Friends signed me up one night, after we'd been drinking," says one twenty-something man, who plants spyware for pay. "They said it was an easy way to make some money."

    "All I had to do was sign up and post fake ads, saying things like 'to see my picture click here.' Then when they clicked, it told them they had to download software to see the pictures."

    But the user downloaded no pictures; instead, they got the greeting, "Come back later to see my photo." The ad is bogus, but the contamination of the computer is real.

    He says open forums and other unregulated sites are the best places to post ads, because large numbers of people are likely to click on the phony links.

    "You have to move around," he says, noting that if users complain, he'll be kicked off a site, or a section of a site. For example, he will just move to a different part of a classified advertisement site, he says. "It's really easy, so reposting your ad is not a big deal."

    At 15 cents per hit, he got checks every two weeks for a few hundred dollars each.

    "I could have made a lot more," he says, adding that he really isn't doing it anymore. "All I had to do was put more ads up and I would have doubled or tripled my profits."

    What's the Risk?

    The foot soldiers who spread spyware may also become victims of the companies behind the software.

    Many companies paying individuals to spread spyware post a disclaimer on their own Web site. It often contains a clause telling readers that if they commit fraud the company has the right to pull their paycheck.

    However, the new Utah Spyware Control Act and other privacy laws sometimes invoked to combat spyware consider posting spyware to be fraud.

    The spyware spreaders may not be reading the disclaimer themselves. But they do understand the company is paying them to trick people into downloading software, the young man says.

    Does he feel any remorse for contaminating the computers of naive users? "Look, they're perverts if they click on my ads," he says, noting that the ads imply pornographic pictures await. "I say some nasty stuff, so, no, I don't feel bad." Anyone online should have a spyware blocker, spam blocker, and a firewall anyway, he said. "If they don't, they're just stupid."

    A Challenging Battle

    Placing ads online can be a tempting and easy way to make money from home, notes Ray Everette-Church, chief privacy officer for antispam product vendor Turn Tide.

    "It is very successful," Everette-Church says. "Hundreds of thousands of dollars a month is generated in this tiered structural referral." He is serving as an expert witness for the plaintiffs in an ongoing adware case arguing against pop-up ads.

    Millions of Americans online haven't protected their PCs, and pursuing perpetrators of spyware is more complicated than in other criminal investigations, according to Mozelle Thompson, an FTC commissioner.

    "It's hard to identify how many companies are engaged in dangerous spyware, or spyware in general," Thompson says. "The definition of spyware is too broad."

    The surreptitious nature of spyware makes it more difficult to track who, where, and how the spyware is disseminated, Thompson told a House subcommittee at a recent hearing.

    "Consumer complaints, for instance, are less likely to lead directly to targets than in other law enforcement investigations, because consumers often do not know that spyware has caused the problems or, even if they do, they may not know the source of the spyware," he said at the April hearing.

    How to Protect Against Spyware

    Question
    Why should we all look into installing software like
    AdWare Remover Gold? --- http://www.tucows.com/webbrowser_adwarecleaner_default.html

    Answer
    Known as bot software, the remote attack tools can seek out and place themselves on vulnerable computers, then run silently in the background, letting an attacker send commands to the system while its owner works away, oblivious. The latest versions of the software created by the security underground let attackers control compromised computers through chat servers and peer-to-peer networks, command the software to attack other computers and steal information from infected systems.
    Robert Lemos , CNET News.com, April 30, 2004 --- http://news.com.com/2100-7349_3-5202236.html?tag=nefd.lede 


    Question
    How can hidden data be removed from WORD doc files?

    Answer from Richard Campbell

    Here is the link to a free Microsoft utility:

    http://tinyurl.com/2qaax 

    Richard J. Campbell 
    mailto:campbell@rio.edu
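    Richard's link points to Microsoft's own utility. As an added example of what such a tool has to do, and not Microsoft's code or anything from this thread, the script below reads and blanks the document properties that most often leak a name or an organisation. It assumes the modern Word container format (.docx, a zip archive with document properties in docProps/core.xml); the binary .doc format of 2004 keeps the same kind of data in a different structure, and the sample archive built inside the script is constructed test data rather than a real Word file.

```python
"""Inspect and strip identifying document properties from a .docx file.

Added example, not the Microsoft utility linked above. Assumes the Office
Open XML container: a zip archive whose docProps/core.xml carries the
author, last editor, title and similar fields.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml.
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for _prefix, _uri in CORE_NS.items():
    ET.register_namespace(_prefix, _uri)   # keep the original prefixes on re-serialisation

# Fields that commonly identify who wrote or reviewed the document.
SENSITIVE = ["dc:creator", "cp:lastModifiedBy", "dc:title", "dc:description", "cp:keywords"]


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return the sensitive core properties that are present and non-empty."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        root = ET.fromstring(archive.read("docProps/core.xml"))
    found = {}
    for tag in SENSITIVE:
        element = root.find(tag, CORE_NS)
        if element is not None and element.text:
            found[tag] = element.text
    return found


def scrub_core_properties(docx_bytes: bytes) -> bytes:
    """Return a copy of the archive with the sensitive core properties blanked."""
    source = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dest:
        for item in source.infolist():
            data = source.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for tag in SENSITIVE:
                    element = root.find(tag, CORE_NS)
                    if element is not None:
                        element.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dest.writestr(item.filename, data)   # every other part is copied unchanged
    source.close()
    return out.getvalue()


def list_entries(docx_bytes: bytes) -> list:
    """Archive member names, used to confirm the scrub kept the package intact."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        return sorted(archive.namelist())


def build_sample_docx() -> bytes:
    """Construct a minimal .docx-like archive (constructed sample, not a real Word file)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties'
        ' xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
        ' xmlns:dc="http://purl.org/dc/elements/1.1/"'
        ' xmlns:dcterms="http://purl.org/dc/terms/">'
        '<dc:title>Draft budget</dc:title>'
        '<dc:creator>J. Doe</dc:creator>'
        '<cp:lastModifiedBy>legal-review</cp:lastModifiedBy>'
        '<dcterms:created>2004-05-01T00:00:00Z</dcterms:created>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("docProps/core.xml", core)
        archive.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", read_core_properties(sample))
    print("after: ", read_core_properties(scrub_core_properties(sample)))
```

    Core properties are only one place identifying data hides: comments, tracked changes and custom properties live in other parts of the archive, so a review of what the scrubbed file still contains is part of the job rather than an afterthought.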
     


    Malicious programs called browser hijackers install a lot of nasty stuff on people's computers -- primarily hard-core, borderline-illegal pornography. Some victims are facing firings, divorces and even criminal prosecution.

    "Browser Hijackers Ruining Lives," by Michelle Delio, Wired News, May 11, 2004 --- http://www.wired.com/news/infostructure/0,1377,63391,00.html?tw=newsletter_topstories_html 

    Browser hijackers are doing more than just changing homepages. They are also changing some peoples' lives for the worse.

    Browser hijackers are malicious programs that change browser settings, usually altering designated default start and search pages. But some, such as CWS, also produce pop-up ads for pornography, add dozens of bookmarks -- some for extremely hard-core pornography websites -- to Internet Explorer's Favorites folder, and can redirect users to porn websites when they mistype URLs.

    Traces of browsed sites can remain on computers, and it's difficult to tell from those traces whether a user willingly or mistakenly viewed a website. When those traces connect to borderline-criminal websites, people may have a hard time believing that their employee or significant other hasn't been spending an awful lot of time cruising adult sites.

    In response to a recent Wired News story about the CWS browser hijacker, famed for peddling porn, several dozen readers sent e-mails in which they claimed to have lost or almost lost jobs, relationships and their good reputations when their computers were found to harbor traces of pornography that they insist were placed on their computers by a browser hijacker.

    In one case a man claims that a browser hijacker sent him to jail after compromising images of children were found on his work computer by an employer, who then reported him to law enforcement authorities.

    "The police raided my house on Sept. 17, 2002," said "Jack," who came to the United States from the former Soviet Union as a political refugee, and has requested that his name not be published. "Nobody gave me a chance to explain. I was told by judge and prosecutor that I will get years in prison if I go to trial. After negotiations through my lawyer I got 180 days in an adult correctional facility. I was imprisoned for 20 days and then released under the Electronic Home Monitoring scheme. I now have a felony sex-criminal record, and the court ordered me to register as a predatory sex offender for 10 years."

    Jack originally believed that the images found on his computer were from a previous owner -- he'd bought the machine on an eBay auction. But he now thinks a browser hijacker may have been responsible.

    "When I used search engines, sometimes I got a lot of porn pop-ups," Jack said. "Sometimes I was sent to illegal porn sites. When I tried to close one, another five would be opened without my will. They changed my start page, wrote a lot of illegal porn links in favorites. The only way to stop this was turn the (computer's) power off. But when I dialed up to my server again, I started with illegal site, then got the same pop-ups. There were illegal pictures in pop-ups."

    Several of the URLs that CWS injects into Internet Explorer's favorites list also appear in the arrest warrant and other materials from Jack's hearing. CWS works as Jack described -- changing start pages, adding to favorites, popping up porn. But CWS was first spotted several months after Jack's arrest, so it seems unlikely that this particular hijacker is the cause of his problems.

    Security experts who were asked to review Jack's claims said it is possible that a browser hijacker could have been the reason porn images were found on Jack's computer. But they also pointed out some discrepancies in the story.

    Some of the images were found in unallocated file space, and would have to have been placed there deliberately since cached images from browsing sessions wouldn't have been stored in unallocated space.

    May 3, 2004 reply from Andrew Priest [a.priest@ECU.EDU.AU]

    There are numerous software tools around to combat this sort of problem. Personally I use Ad-aware but there are others. For example you will find a range at http://www.tucows.com/webbrowser_adwarecleaner_default.html .

    Cheers Andrew

    Notes from Bob Jensen:  

    Although you can download the Ad-aware scanner noted above for free, I recommend that you purchase the professional version that will wipe out the problems from http://lavasoft.element5.com/purch

    I also recommend that you download and run the free CWShredder from http://www.majorgeeks.com/download4086.html 


    "What's That Sneaking Into Your Computer?" by David Bank, The Wall Street Journal, April 26, 2004

    New types of insidious programs called "spyware" are burrowing into PCs, wreaking all sorts of problems. These small programs that install themselves on computers to serve up advertising, monitor Web surfing and other computer activities, and carry out other orders are quickly replacing spam as the online annoyance computer users most complain about. Here's what's being done to combat them.

    John Gosbee was sitting up in bed on a cold night, surfing the Internet with his laptop on his knees. Suddenly, the computer's CD-ROM tray popped open, seemingly on its own.

    "What on earth is going on?" Mr. Gosbee, of Mandan, N.D., said to himself. "It was like it was possessed," he recalls.

    His laptop emitted a high-pitched "Uh-oh."

    Uh-oh is right. The pranks were a setup for the message that appeared on his screen: "Dangerous computer programs can control your computer hardware if you fail to protect your computer right at this moment!" That was followed by a plug for a program called Spy-Wiper that promised to clean out any rogue software.

    As if that wasn't alarming and annoying enough, the very next day the computer at Mr. Gosbee's one-man law office was similarly hijacked. The CD and DVD trays both opened; only one closed. Then came the same ad for Spy-Wiper, which kept popping up on both machines.

    "I was getting ticked," Mr. Gosbee says.

    As Mr. Gosbee and countless other computer users have discovered: It's a war out there. While malicious hackers are spreading viruses all over the global computer network, advertisers and scam artists are propagating other pests that are arguably even more annoying. They're called spyware -- and the implications for consumers are only beginning to be felt.

    Indeed, spyware -- small programs that install themselves on computers to serve up advertising, monitor Web surfing and other computer activities, and carry out other orders -- is quickly replacing spam as the online annoyance computer users most complain about. The outrage has grown to the point that politicians are threatening legislative controls on the tactic. But in their most benign form these programs have a powerful appeal to advertisers, and some marketers are banking on the idea that people eventually will grow accustomed to some use of such invasive software.

    "Snoops and spies are really trying to set up base camp in millions of computers across the country," said Sen. Ron Wyden, an Oregon Democrat, at a March hearing on proposed legislation he is co-sponsoring to tackle the problem. A Republican co-sponsor, Sen. Conrad Burns of Montana, said at the hearing: "I'm convinced that spyware is potentially an even greater concern than junk e-mail, given its invasive nature."

    Continued in the article

    You can also download free from http://download.com.com/3001-8022-10214379.html 
    Other options, including patches, are available at http://www.lavasoft.de/ 

    May 11, 2004 reply from Richard Campbell [campbell@RIO.EDU

    "Six Steps to Greater Computer Security"  (with audio)

    See http://www.virtualpublishing.net/compswf/step1.html 

    Richard J. Campbell 
    mailto:campbell@rio.edu
     

    This following reply from Paula may be of interest to some of you. She tells how she protects her computer. Paula retired from Trinity's development office and now lives online almost as much as I live online. You can thank her for much of the humor in New Bookmarks.

    I must warn you, however, that my security site she refers to is not kept up to date very well. Please do not rely on this for the latest and greatest news.

    Bob

    -----Original Message----- 
    From: Paula 
    Sent: Tuesday, May 11, 2004 4:48 PM 
    Subject: FW: How Nasty Stuff Gets Into Your Computer

    How does nasty stuff get into your computer? How can you protect your computer from "browser hijackers," spyware, Cookies that collect your personal information, etc.? Also, learn how to "opt out" of DoubleClick's cookies and how to send e-mail anonymously. This website was created by Bob Jensen, who is a distinguished professor at Trinity University in San Antonio: A Special Section on Computer and Networking Security http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection  Yes, there is a lot of information here! 

    What I do personally to protect my computer: I have Norton Anti-Virus, BlackIce Firewall, and Ad-Aware installed. Norton and Ad-Aware can be scheduled to run daily, weekly, etc. 

    In addition, my ISP provides a firewall, spam blocker, and pop-up blocker. If you have any questions about computer security, you should be able to find answers on Bob's website. 

    Paula 
    "Kwitchyerbellyakin." - Irish saying

    May 12, 2004 reply from David Coy [dcoy@ADRIAN.EDU

    I received the following from our IT guys here at Adrian College. FYI

    David Coy 
    Adrian College

    ----- Original Message ----- 
    From: Brad Maggard 
    To: David Coy 
    Sent: Wednesday, May 12, 2004 12:05 PM 
    Subject: Re: How Nasty Stuff Gets Into Your Computer

    There is no way to actually defend yourself against such programs other than simple smart web browsing. Whenever a window pops up that asks you to agree to any sort of disclaimer or install any sort of program, you must read carefully - and I would only suggest agreeing to the major players (Microsoft, Macromedia, Quicktime, etc.).

    Once your computer has fallen victim to a browser hijacker, it must be removed using several utilities available on the net. There is a program called "CWShredder" that takes care of "CWS" (cool web search) which is probably the most destructive of them all. Other hijackers can be taken care of by a program called "Hi-Jack This" which removes several of the known hijacking applications on the net.

    Ad-Aware, available at www.lavasoft.de , is another tool to remove Mal-ware and Ad-ware.

    All of this stuff can be found by doing a google search on the aforementioned removal utilities.

    -Brad

    CWShredder can be downloaded from http://www.majorgeeks.com/download4086.html 

    You can also download free from http://download.com.com/3001-8022-10214379.html 
    Other options, including patches, are available at http://www.lavasoft.de/ 

    May 12, 2004 reply from Scott Bonacker [lister@BONACKERS.COM

    I would also suggest using a HOSTS file.

    See links at: http://www.smartin-designs.com/ 

    Scott E Bonacker, CPA 
    820 E. Primrose 
    Springfield, MO 65807 
    Phone 417-883-1212 Cell 417-830-3441 Fax 417-883-4887
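    Scott's suggestion works because the operating system consults the local HOSTS file before it asks DNS, so a name mapped there to 0.0.0.0 or 127.0.0.1 never reaches the ad or spyware server. The script below, an added example that is not from Scott's message or from the site he links to, parses a HOSTS file the way the resolver does (comments stripped, first match wins, names compared case-insensitively, malformed lines ignored) and reports which names a blocklist sinks. The HOSTS content it parses is a constructed sample using reserved example names, not a real blocklist.

```python
"""Simulate how the local HOSTS file short-circuits name resolution.

Added example (not from this thread). The sample file below is
constructed; the .test domains and 192.0.2.x address are reserved for
documentation and never resolve on the real Internet.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (not a real blocklist)
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test
0.0.0.0         spyware-download.example.test   # bogus "see my photo" host
127.0.0.1       Mixed.Case.Example.test
192.0.2.10      intranet.example.test  extra-alias.example.test
this is not a valid hosts line
"""

# Addresses a blocklist maps unwanted names to; both fail locally.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text: str):
    """Return a list of (ip, [hostnames]) entries in file order.

    Comments (from '#' to end of line), blank lines and lines whose first
    field is not an IP address are skipped, as the system resolver does.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # malformed line, ignored
        names = [name.lower() for name in fields[1:]]
        if names:
            entries.append((str(ip), names))
    return entries


def lookup(entries, hostname: str):
    """Resolve a name against the entries; first match wins. None means 'ask DNS'."""
    wanted = hostname.lower().rstrip(".")
    for ip, names in entries:
        if wanted in names:
            return ip
    return None


def blocked_hosts(entries):
    """Names sunk to an unroutable or loopback address, i.e. what the file denies."""
    blocked = set()
    for ip, names in entries:
        if ip in SINK_ADDRESSES:
            blocked.update(name for name in names if name != "localhost")
    return sorted(blocked)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.test", "MIXED.case.example.TEST", "www.example.test"):
        print(f"{name:<32} -> {lookup(table, name) or 'not in HOSTS, DNS consulted'}")
    print("blocked:", ", ".join(blocked_hosts(table)))
```

    Two caveats a practitioner would want: a HOSTS entry only affects connections made by name, so software that contacts a hard-coded IP address is unaffected, and because the first matching line wins, a large downloaded blocklist should be checked for entries that would override names you rely on (the localhost line is the usual casualty).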

    May 12, 2004 reply from computer scientist John Howland [jhowland@ariel.cs.trinity.edu

    It is a never ending source of amazement to me that millions of people put up with this kind of problem when none of it is necessary if you use a Unix system such as Mac OSX or Linux.

    Why do you do it? Suppose that when you bought a new Toyota or Ford or BMW you also had to go out and buy all these (sometimes) expensive accessories and (sometimes) have to pay someone to install them just in order to be able to use (drive) your new car. Moreover, these accessories become obsolete (sometimes in a few months/days/hours) and need to be re-purchased and installed.

    In the automotive field we have laws which protect consumers. Where are the computer consumer protection laws?

    Microsoft says that security fixes are a couple of years away. Do you believe they will meet that schedule? They have been significantly late on every major project introduction in the history of the company.

    Again, it is a no-brainer to simplify one's digital existence by avoiding Microsoft products completely. Plus, there is a hidden bonus for those that so choose. It is significantly less expensive!

    John

    May 13, 2004 message from Jagdish Gangolly [JGangolly@UAMAIL.ALBANY.EDU

    Bob,

    I switched from unix to windows a few years ago mainly because

    1. I was tired of having to detach-ftp-view simple pure text documents sent to me (mostly by pencil pushers from around campus). When I got one such memo from my then dean a few years ago, I replied by appending a VERY large postscript file which crashed his machine, but then I got tired of complaining and paid my dues to the sage at Redmond. 

    2. Incredible pressure from pencil pushers to switch to windows (spurious arguments about economies of scale, ...) 

    3. Arm twisting by university level computing folks; they threatened that I would be responsible for patching/upgrading/backingup/... if I used anything-but-windows (I was then configuring our graduate lab)

    I am tired now of all the unnecessary trash I get by way of email, constant hassles with viruses/worms/spyware/malware/ ..., and am now in the process of moving back to unix (solaris for work and SUSE linux for home). I expect to gain AT LEAST an hour or two a day in saved time.

    I hope more of us will give FREE (in the sense of freedom) software a chance.

    Jagdish


    Microsoft says the upcoming release of Windows XP Service Pack 2 will make it much harder to sneak deceptive software onto users' computers. Is it game over for spyware authors?

    "Microsoft to Battle Spyware," by Amit Asaravala, Wired News, May 13, 2004 --- http://www.wired.com/news/technology/0,1282,63440,00.html?tw=newsletter_topstories_html 

    Nearly half the world's computers may soon have built-in protection against debilitating infections of spyware and other unwanted software, thanks to Microsoft's update of the Windows XP operating system.

    Expected to be released this summer, the Windows XP Service Pack 2 update will contain no fewer than five new security features designed to ward off the unauthorized installation of software via the Internet, according to Microsoft officials. The company hopes the features will not only quell the growing number of complaints from consumers about Windows XP's susceptibility to spyware, but will also save businesses millions of dollars in tech support calls.

    Almost 50 percent of the world's computers run Windows XP, according to IDC Research. The operating system's users have been hit especially hard by spyware and some versions of adware, which collect information about computer users and, in some cases, use that information to pepper the desktop with advertising. The programs often work their way onto computers by hitching rides with unrelated software packages or exploiting security holes in Microsoft's Internet Explorer browser.

    "People are feeling out of control and frustrated," said Jeffrey Friedberg, Microsoft's director of Windows privacy. "Millions of dollars are being spent" by Microsoft and other companies to help consumers remove spyware and other deceptive software from their computers, he said. "It's a huge support issue. People have problems and they call their support staff, they call us, they call their ISP."

    In an attempt to cut down on calls like these, Microsoft will upgrade Internet Explorer to make it more difficult for users to accidentally download and install spyware programs. The most noticeable of these changes will be the addition of a pop-up blocker, a feature that has existed in competing Web browsers for years.

    The blocker will prevent websites from opening new windows on users' computers without permission. Opening new windows on top of other windows is one way malware developers trick Internet users into downloading software that they don't want. It is also the primary technique used by some spyware programs to serve ads to users.

    Other changes to Internet Explorer will focus on the security of ActiveX objects, programs that can access almost any portion of the operating system, including the hard drive and user settings. Spyware developers often use ActiveX objects to write files to users' Start folders and to add advertiser-sponsored toolbars to their desktops.

    One update would make it more difficult for users to downgrade their Internet security settings to the lowest setting. This will prevent ActiveX objects from being downloaded without first displaying a warning. Another update will suppress downloads of ActiveX objects unless the user explicitly initiates them. Current versions of the browser let website developers initiate downloads.

    Other updates include a redesigned security warning and the addition of a Never Install option that allows users to permanently ban a software publisher's ActiveX programs from being downloaded. "This is a change we're making because of the feedback we've received," said Friedberg. "We have had an Always Install option, but users didn't have a way to completely block a software publisher that they don't trust."

    Security experts generally welcome the changes, but some wonder why they took so long. "Why this was never in there in the first place, I don't know," said Russ Cooper, editor of the popular NTBugtraq security mailing list and "surgeon general" of TruSecure. "Why somebody could bury something in your desktop setup that you couldn't find, I never understood in the first place."

    Still, Cooper said he believes the changes are a step in the right direction. "I do think it'll have an effect on spyware," he said. "You're not going to get rid of it altogether, but at least we'll be able to say to people, 'Look, just install Service Pack 2 and your problems will go away.'"


    SPAM

    Another frustration is spam on the email system.

    May 13, 2004 message from Paul Apodaca [paul@PAPODACA.COM]

    These ideas are not open source filters, but may help with your problem. They are free, but do take some time. It may be worth paying the $20.00 if you consider the cost of your time.... Once I get my new computer/software, I will gladly pay the cost to avoid the lost time.

    1) Mozilla used to have a way to view headers without downloading the message. Then you could mark them for deletion or download. This may have been an add-on product. I haven't used Mozilla since it got out of 0.X beta.

    2) Many ISPs provide some sort of filtering function. In my case, filtering is provided by BrightMail. However, there are quite a number of different packages that the ISP may use. In addition, your university (Stonehill) may have some method of blocking.

    By logging on to the web version of my e-mail, I can add addresses to my "Blocked Senders List" relatively easily. However, this is actually a very bad solution as I get a limited number of blocks, and it blocks the specific address. For a while, I was receiving about 40-50 e-mails daily from Sapphirex Enterprises, each of which had a different source e-mail. So blocking specific addresses was a waste of time.

    The better approach is more painful, at least with my ISP. I created a list of the addresses to be blocked using the Junk Address feature of MS- Outlook. Then I stripped the list down to ONLY the domain. Then I add the domains one at a time to the list of addresses/domains that BrightMail blocks.

    It is important not to include the subdomain as many spammers such as Sapphirex use multiple subdomains and domains. Blocking the domains has dropped the list just for Sapphirex from over 100 addresses, and about 20 subdomains to about 5 domains. And of course, as they change the name of the sender and subdomain, it is still going to get blocked.

    The big drawback is that, at least for my ISP, blocked mail is deleted entirely. I get a summary that shows the sender and subject weekly. However, there is no way to recover the message except by contacting the sender. Since the subject lines are getting more clever, it is harder to tell if it is a real message.

    I am avoiding downloading between 150-250 messages a day. I still have 50- 100 spams getting through as spammers change their addresses, but my download time has improved dramatically.

    Sadly, I am getting about 50-75 real messages, so my spam percentage is about 75%. I probably have a higher than average spam rate because I have a website, and also have had the same address for years. But this is keeping the flood to a manageable level most days.

    Thank you, 

    Paul Apodaca
    Apodaca Consulting
    Paul@papodaca.com
    http://www.papodaca.com
    (505) 837-1040 Direct Line
    (877) 286-1176 Direct Toll Free Fax
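    The domain-level blocking Paul describes above, worked through as an added example that is not part of his message or of any ISP's filter: senders are keyed on the registrable domain (the label just under the public suffix), so a spammer who rotates the local part and the subdomain still matches one entry. The blocklist, the public-suffix table and the sample From: headers are constructed for the illustration; a real deployment would load the full Public Suffix List. Matches are quarantined rather than deleted, because of the unrecoverable-deletion problem Paul notes.

```python
"""Sender blocklist keyed on the registrable domain, not the full address.

Added illustration, not code from the page. PUBLIC_SUFFIXES is a deliberately
tiny stand-in for the Public Suffix List; BLOCKED_DOMAINS and the sample
headers are constructed example data.
"""
from email.utils import parseaddr
from typing import Dict, List, Optional, Set

# Assumption: a handful of suffixes is enough for the demo. Real code should
# load https://publicsuffix.org/ so that 'example.co.uk' is handled correctly.
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "edu", "co.uk", "com.au"}

# Constructed blocklist entries (registrable domains only, no subdomains).
BLOCKED_DOMAINS: Set[str] = {"spamco-example.com", "bulkoffers-example.net"}


def registrable_domain(host: str) -> str:
    """'mail7.eu.spamco-example.com' -> 'spamco-example.com'.

    Walks the labels from the left and returns the label immediately above
    the longest public suffix that matches. Falls back to the last two labels
    when no suffix in the table matches.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(raw_from: str) -> Optional[str]:
    """Registrable domain of the address in a From: header value, or None."""
    _, addr = parseaddr(raw_from)
    if "@" not in addr:
        return None
    return registrable_domain(addr.rsplit("@", 1)[1])


def classify(raw_from: str, blocked: Set[str] = BLOCKED_DOMAINS) -> str:
    """Return 'quarantine' or 'deliver' for one From: header.

    Quarantine, not delete: a misfiled real message must stay recoverable.
    A From: value with no parseable address is quarantined as suspicious.
    """
    dom = sender_domain(raw_from)
    if dom is None:
        return "quarantine"
    return "quarantine" if dom in blocked else "deliver"


# Constructed sample From: headers covering the cases the text raises:
# rotating subdomains, a legitimate sender, a lookalike that embeds the
# blocked name as a subdomain of an unrelated domain, and a bare name.
SAMPLE_FROM_HEADERS: List[str] = [
    '"Weekly Offers" <promo@mail7.spamco-example.com>',
    "deals@eu.spamco-example.com",
    "Bob Jensen <rjensen@trinity.edu>",
    "noreply@spamco-example.com.attacker-example.org",
    "Mailer-Daemon",
]


def triage(headers: List[str]) -> Dict[str, str]:
    """Classify every header; returns {header: decision}."""
    return {h: classify(h) for h in headers}


if __name__ == "__main__":
    for header, decision in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{decision:10s} {header}")
```

    Two caveats the sample data is chosen to expose: the lookalike address is delivered, because its registrable domain is attacker-example.org, not the blocked one, so a domain blocklist only helps against senders who keep their real domain; and From: is trivially forged, so for anything beyond personal convenience the decision should also consult the Received chain or SPF/DKIM results rather than the displayed sender alone.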

     


    Nearly the entire April 2004 issue of Syllabus Magazine is devoted to computer and network security.  This is a useful reference with lots of links --- http://www.syllabus.com/mag.asp 

    Bob Jensen's threads on computer and networking security are at the following links:

    http://www.trinity.edu/rjensen/245gloss.htm 

              http://www.trinity.edu/rjensen/fraud.htm#ThingsToKnow 

    Fed's computers feebly protected (November 2002) --- http://www.wired.com/news/politics/0,1283,56474,00.html 

    A server glitch makes internal Microsoft documents, including a massive database of customer names and addresses, accessible online (November 2002) --- http://www.wired.com/news/infostructure/0,1377,56481,00.html 

     

    Yahoo Security and Encryption Guides --- http://dir.yahoo.com/Computers_and_Internet/Security_and_Encryption/ 

    Spy Tools --- http://locate-unlisted-phone-numbers.com/ 
    (I really don't know how legitimate this outfit really is and make no endorsements of its services)

    Find and Trace:

    Unlisted Numbers

    Cell Phone Numbers & Codes

    E-mail Addresses

    Protect Privacy:

    Anonymous Surfing

    Anonymous E-mail

    Erase Your Tracks

    Monitor Your PC

    See the Pictures Your Kids, Mate or Employees Viewed Days, Weeks or Months Ago

    See the Web Sites They Visit While You're Not Around

    Find Hidden and Alternate Screen Names People May be Using to "Play" Online

    The Best Spyware Stopper --- http://www.newsfactor.com/perl/story/20941.html

    After years of worrying about viruses and trojans, users have a new nemesis: spyware. This term refers to any program that distributes information from a user's computer without that user's knowledge.

    To be sure, most of this software is more annoying than harmful. However, as Jamie Garrison, co-owner of Aluria Software, which produces the spyware stopper, put it, "Some spyware can ruin your life. It's that invasive."

    So, what can a user do to avoid the onslaught of underhanded tracking programs?


    The Spyware Menace

    Garrison said the most pressing issue related to spyware is that people do not take it seriously enough. Part of the problem is awareness. Many people are only now finding out about spyware. "Few users are aware that everything they do on the Net or even while not connected to the Internet can be tracked," Ken Lloyd, lead developer at Aluria, told NewsFactor.

    After all, spyware can range from a stealthy program that runs in the background, transmitting your surfing habits to a company for marketing purposes, to keylogging software installed by a spouse to monitor communications.

    "Well over 85 percent of people have spyware on their computer," Lloyd said.

    Programs That Fight It

    Gartner analyst Richard Stiennon told NewsFactor that while antivirus products from companies like McAfee and Symantec (Nasdaq: SYMC) can be used to detect spyware, the user is also an important ingredient in stopping spyware. He or she must recognize spyware programs -- and know enough to remove them -- when they are detected.

    Of course, most users do not know much about spyware. Stiennon recommended that users get a desktop firewall program that blocks unwanted outgoing connections. Then, even if spyware is running, it will be unable to connect to a server to transmit information.

    One personal firewall, ZoneAlarm, can make sure spyware cannot communicate with the outside world. According to Fred Felman, vice president of marketing at Zone Labs, ZoneAlarm "shuts down Internet connectivity instead of losing control of the system" when an unauthorized application tries to send information from a user's PC. Felman told NewsFactor that ZoneAlarm allows users to specify which programs are allowed to send and receive data over the network. Users even can restrict programs to certain ports or domains.

    And in addition to antivirus vendors and personal firewalls, a number of companies like Aluria make spyware detection and removal software.

    Arms Race

    Even when a person recognizes spyware on his or her computer, removing it may be tricky business. According to Garrison, some spyware manages to "embed" itself into the software Windows uses to provide TCP/IP (Internet networking) services. She said that removing such spyware "actually removes your Internet connection. It's fixable, but it's a real pain."

    This makes sense, considering that malware authors are always trying to stay one step ahead of users and spyware stoppers. The latest rash of annoyware consists of programs that send pop-ups to instant messaging programs like MSN Messenger. Even more irritating, many of those pop-ups simply inform users that they are vulnerable to unwanted messages.

    And it gets worse: Stiennon said that programs being sold to block this plague of IM pop-ups are scams, too. "Just go into the admin functions in the control panel [and do it yourself]," he said, noting that the program vendors are taking advantage of people who do not know they can turn off the function by themselves.

    The Perils of Free

    In fact, according to Garrison, most spyware is installed by users voluntarily, even if they do not know it. She blames free products like Grokster and Kazaa for piggybacking spyware onto users' computers, though she noted that it is all disclosed in the fine print. "Here's the really dirty part of it. Let's say you go out and download a free program. It's almost certainly going to have spyware.... Very rarely does spyware get on your computer without your consent."

    So, what is the solution? "Stop using free products... Don't download it if it's free."

    Lloyd agreed. "The latest trend for software companies is to give their software away for free. By doing this they bundle ad software within it. They usually tell the customer in the EULA (end user license agreement) ... that some additional ad-tracking software will be installed, but they bury it so deep that the average person has no idea.

    Continued in the article.


    "Undercover Researchers Expose Chinese Internet Water Army: An undercover team of computer scientists reveals the practices of people who are paid to post on websites," Technology Review, November 22, 2011 ---
    http://www.technologyreview.com/blog/arxiv/27357/
    Thank you Glen Gray for the heads up

    In China, paid posters are known as the Internet Water Army because they are ready and willing to 'flood' the internet for whoever is willing to pay. The flood can consist of comments, gossip and information (or disinformation) and there seems to be plenty of demand for this army's services.

    This is an insidious tide. Positive recommendations can make a huge difference to a product's sales but can equally drive a competitor out of the market. When companies spend millions launching new goods and services, it's easy to understand why they might want to use every tool at their disposal to achieve success.

    The loser in all this is the consumer who is conned into making a purchase decision based on false premises. And for the moment, consumers have little legal redress or even ways to spot the practice.

    Today, Cheng Chen at the University of Victoria in Canada and a few pals describe how Cheng worked undercover as a paid poster on Chinese websites to understand how the Internet Water Army works. He and his friends then used what he learnt to create software that can spot paid posters automatically.

    Paid posting is a well-managed activity involving thousands of individuals and tens of thousands of different online IDs. The posters are usually given a task to register on a website and then to start generating content in the form of posts, articles, links to websites and videos, even carrying out Q&A sessions.

    Often, this content is pre-prepared or the posters receive detailed instructions on the type of things they can say. And there is even a quality control team who check that the posts meet a certain 'quality' threshold. A post would not be validated if it is deleted by the host or was composed of garbled words, for example.

    Having worked undercover to find out how the system worked, Cheng and co then studied the pattern of posts that appeared on a couple of big Chinese websites: Sina.com and Sohu.com. In particular, they studied the comments on several news stories about two companies that they suspected of paying posters and who were involved in a public spat over each other's services.

    The Sina dataset consisted of over 500 users making more than 20,000 comments; the Sohu dataset involved over 200 users and more than 1000 comments.

    Cheng and co went through all the posts manually identifying those they believed were from paid posters and then set about looking for patterns in their behaviour that can differentiate them from legitimate users. (Just how accurate their initial impressions were is a potential problem, they admit, but the same one that spam filters also have to deal with.)

    They discovered that paid posters tend to post more new comments than replies to other comments. They also post more often with 50 per cent of them posting every 2.5 minutes on average. They also move on from a discussion more quickly than legitimate users, discarding their IDs and never using them again.

    What's more, the content they post is measurably different. These workers are paid by the volume and so often take shortcuts, cutting and pasting the same content many times. This would normally invalidate their posts but only if it is spotted by the quality control team.

    So Cheng and co built some software to look for repetitions and similarities in messages as well as the other behaviours they'd identified. They then tested it on the dataset they'd downloaded from Sina and Sohu and found it to be remarkably good, with an accuracy of 88 per cent in spotting paid posters. "Our test results with real-world datasets show a very promising performance," they say.

    That's an impressive piece of work and a good first step towards combating this problem, although they'll need to test it on a much wider range of datasets. Nevertheless, these guys have the basis of a software package that will weed out a significant fraction of paid posters, provided these people conform to the stereotype that Cheng and co have measured.

    And therein lies the rub. As soon as the first version of the software hits the market, paid posters will learn to modify their behaviour in a way that games the system. What Cheng and co have started is a cat and mouse game just like those that plague the antivirus and spam filtering industries.

    And that means, the battle ahead with the Internet Water Army will be long and hard.

    Continued in article
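    The behavioural signals the article lists (more new comments than replies, a post roughly every 2.5 minutes, IDs that are discarded after a short burst, and copy-pasted text) can be turned into a simple per-user scorer. The block below is an added example written for this page; it is not the classifier from Cheng et al., and the feature thresholds, the weights, the word-shingle similarity measure and the sample comment stream are all my own constructed assumptions chosen to match the numbers quoted above.

```python
"""Per-user behavioural scoring for paid ('water army') posters.

Added illustration, not the paper's software. Thresholds and sample data
are constructed assumptions that mirror the figures quoted in the text.
"""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

# One comment: (user_id, timestamp_seconds, is_reply, text)
Comment = Tuple[str, int, bool, str]

# Assumed thresholds (not from the paper): a burst of mostly new comments,
# a median gap at or under 2.5 minutes, an ID that goes quiet within an
# hour, and near-duplicate text each add one point.
MAX_REPLY_RATIO = 0.2
MAX_MEDIAN_GAP_S = 150          # 2.5 minutes
MAX_LIFESPAN_S = 3600           # assumption: "discarded" ID = quiet after an hour
MIN_DUPLICATE_SIM = 0.5
MIN_COMMENTS = 3                # below this there is too little evidence to score


def shingles(text: str, k: int = 3) -> Set[Tuple[str, ...]]:
    """Word k-grams with punctuation and case removed, for near-duplicate detection."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: Set, b: Set) -> float:
    return len(a & b) / len(a | b) if a and b else 0.0


def user_features(comments: List[Tuple[int, bool, str]]) -> Dict[str, float]:
    """Compute the four signals for one user's (ts, is_reply, text) list."""
    comments = sorted(comments)
    n = len(comments)
    gaps = [b[0] - a[0] for a, b in zip(comments, comments[1:])]
    sh = [shingles(t) for _, _, t in comments]
    max_sim = max(
        (jaccard(sh[i], sh[j]) for i in range(n) for j in range(i + 1, n)),
        default=0.0,
    )
    return {
        "reply_ratio": sum(1 for _, r, _ in comments if r) / n,
        "median_gap": median(gaps) if gaps else float("inf"),
        "lifespan": comments[-1][0] - comments[0][0],
        "max_sim": max_sim,
        "count": n,
    }


def score(f: Dict[str, float]) -> int:
    """0..4: number of paid-poster signals present; 0 if too few comments."""
    if f["count"] < MIN_COMMENTS:
        return 0
    return sum([
        f["reply_ratio"] <= MAX_REPLY_RATIO,
        f["median_gap"] <= MAX_MEDIAN_GAP_S,
        f["lifespan"] <= MAX_LIFESPAN_S,
        f["max_sim"] >= MIN_DUPLICATE_SIM,
    ])


def flag_users(stream: List[Comment], threshold: int = 3) -> Tuple[Dict[str, int], Set[str]]:
    """Group a comment stream by user; return (scores, users at/above threshold)."""
    by_user: Dict[str, List[Tuple[int, bool, str]]] = defaultdict(list)
    for user, ts, is_reply, text in stream:
        by_user[user].append((ts, is_reply, text))
    scores = {u: score(user_features(c)) for u, c in by_user.items()}
    return scores, {u for u, s in scores.items() if s >= threshold}


# Constructed sample stream: a copy-paste shill, an ordinary reader, and a
# fast but original newcomer who trips three of the four signals.
SAMPLE_STREAM: List[Comment] = [
    ("shill_01", 0, False, "Brand A service is amazing, switch today and save money"),
    ("shill_01", 120, False, "Brand A service is amazing, switch today and save money!"),
    ("shill_01", 240, False, "brand a service is amazing switch today and save money"),
    ("shill_01", 360, False, "Brand A service is amazing, switch today and save money."),
    ("regular_reader", 0, False, "Interesting piece on the two companies"),
    ("regular_reader", 5000, True, "I disagree, the second firm has better support"),
    ("regular_reader", 90000, True, "Thanks for the link, that clears it up"),
    ("fast_newcomer", 0, False, "First time here, the article is well argued"),
    ("fast_newcomer", 60, False, "Does anyone know when the product ships"),
    ("fast_newcomer", 120, False, "I found the pricing page confusing"),
]

if __name__ == "__main__":
    scores, flagged = flag_users(SAMPLE_STREAM)
    print(scores, flagged)
```

    The fast_newcomer account is the caveat the article ends on: a legitimate user who happens to post quickly and briefly scores 3 of 4 and is flagged at the default threshold, while a paid poster who spaces posts out and rewrites each one drops below it. Treat the score as triage input for a human reviewer, and expect the thresholds to need re-tuning as posters adapt.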



    A Scary Article That Has Nothing to Do With 2013 Halloween --- This Scare is for Real!
    "I challenged hackers to investigate me and what they found out is chilling," by Professor Adam L. Penenberg (NYU), Pandodaily, October 26, 2013 ---
    http://pandodaily.com/2013/10/26/i-challenged-hackers-to-investigate-me-and-what-they-found-out-is-chilling/

    . . .

    The detective, Dan Cohn, owned and operated Docusearch, a website that trafficked in personal information, and at the time, he was charging $35 to dig up someone’s driving record, $45 for his bank account balances, $49 for a social security number, $84 to trace a mobile number, and $209 to compile his stocks, bonds, and securities. The site offered a simple clickable interface and Amazon-like shopping cart. It’s still around today, boasting similar services. “Licensed Investigators for Accurate Results” reads the tag line, calling itself “America’s premier provider of on-line investigative solutions.”

    For Cohn, digging through what I had assumed was personal information was less challenging than filling in a crossword puzzle. He was able to collect this amalgam of data on me without leaving the air-conditioned cool of his office in Boca Raton, Florida. In addition to maintaining access to myriad databases stuffed with Americans’ personal information, he was a master of “pre-texting.” That is, he tricked people into handing over personal information, usually over the telephone. Simple and devilishly effective. When the story hit newsstands with a photo of Cohn on the cover and the eerie caption: “I know what you did last night,” it caused quite a stir. It was even read into the Congressional Record during hearings on privacy.

    A decade and a half later, and given the recent Edward Snowden-fueled brouhaha over the National Security Agency’s snooping on Americans, I wondered how much had changed. Today, about 250 million Americans are on the Internet, and spend an average of 23 hours a week online and texting, with 27 percent of that engaged in social media. Like most people, I’m on the Internet, in some fashion, most of my waking hours, if not through a computer then via a tablet or smart phone.

    With so much of my life reduced to microscopic bits and bytes bouncing around in a netherworld of digital data, how much could Nick Percoco and a determined team of hackers find out about me? Worse, how much damage could they potentially cause?

    What I learned is that virtually all of us are vulnerable to electronic eavesdropping and are easy hack targets. Most of us have adopted the credo “security by obscurity,” but all it takes is a person or persons with enough patience and know-how to pierce anyone’s privacy — and, if they choose, to wreak havoc on your finances and destroy your reputation.

    Continued in article



    Social Scams

    "3 Scams That Are More Social Than Technical," by Brian Proffitt, ReadWriteWeb, September 2012 ---
    http://www.readwriteweb.com/archives/3-scams-that-are-more-social-than-technical.php

    Internet scams always have a target-rich environment, and they exploit it with a little bit of technology and a lot more con-artistry. Here's a look at three such social-engineering scams to be aware of, including one that targeted me recently.

    Scam A: Gary from IT

    The caller ID showed an unknown person, which is never a good sign. On a whim, I picked it up instead of letting it roll to voice mail.

    "Hello, Mr. Proffitt, this is Gary from the IT department calling about the trouble you are having with your Windows computer."

    (A couple notes about "Gary": he sounded like he had a bad cell connection, and his accent was that of a Southwestern Asian, thick enough that I had to ask him to repeat himself, thanks to the quality of the call.)

    When he repeated his greeting, I was intrigued, mostly because I didn't currently work for any client that's providing IT support for me and (this is key) the one Windows machine in my office had been sitting idle for a couple of weeks.

    The signs were clear: I was being approached for a clever scam that's seen a resurgence in recent months. In the con, someone calls pretending to be tech support and attempts to gain access to business or personal computers. The methods vary, ranging from password acquisition to instructing targets to point their browsers at a "diagnostic" site that will actually download malware to the target's computer. Glancing to make absolutely sure that the Windows PC was powered down, I played along.

    "Um, sure… 'Gary'… though I have to say I wasn't aware my machine was having any problems." The truth, and I wanted to see what he would do with it.

    He was ready. "You are not having a problem that you can see, but we are showing that your computer needs to have some upgrades soon."

    "I see. Well, I can have the computer run its upgrade cycle and get that fixed."

    Gary paused. Careful, I thought, you just spoke geek, so he knows you're not dumb.

    "No… what you need to do is go to a special Microsoft upgrade site and download the software right away. I will help you install the software."

    That answered that question: He wasn't phishing for passwords, he was trying to get me to download the malware needed to remotely access and possibly control my computer. At this point, I was standing by my Linux machine and was ready to follow along and see what would happen next. Windows programs don't run on Linux, so anything that tried to download would be effectively rendered harmless. But then in my arrogance, I tipped my hand.

    "Okay, sure, no problem. I wasn't aware Microsoft had special sites like this set up," I replied.

    Click.

    Maybe the call was dropped, but he probably figured I was on to him and didn't want to waste time with me. My life as a sting operator would have to wait.

    Fake technical support calls are nothing new, but reports are on the rise of late, and they are getting more sophisticated. Mine, which happened about two weeks ago, called my business line and behaved as if they were from my workplace's IT department. There is little doubt that had they called a home number, they might have tried a different approach, like claiming they were calling from Microsoft.

    Solution: No tech support from any third-party vendor will call you unbidden to offer to fix something. Your own company might, and to make sure that you're dealing with the home office, hang up and call your IT department. If anyone asks you for a password, hang up.

    Never visit a strange site because you are asked by someone claiming to be from any kind of tech support, whether by phone or email. Legitimate email requests will tell you to visit your company's support site.

    Scam B: Your Computer as Hostage

    According to the Better Business Bureau, this is not the only kind of attack that's on the rise. The association is also reporting more complaints from its members of so-called scareware or ransomware scams.

    Ransomware is a form of trojan attack that uses a combination of malware and social engineering that's a flip on the tech support con. With ransomware, the illicit software is downloaded first and then the victim is tricked into parting with their money and their credit information.

    Here's how ransomware works: After surreptitiously installing itself on a Windows PC, ransomware pretends to be a very realistic-looking antivirus software application that has "found" terrible, bad viruses on a PC. As if to demonstrate just how bad these viruses are, anytime you try to open an application, the attempt is blocked with a message that the "application is infected." Indeed, the only thing that will run is Internet Explorer, which is key to the next step of the scam.

    Why does ransomware need a browser? In order to have the "antivirus" software "clean" your machine, you'll need to pay a low, low $39.95 to activate the software. If you can't get to the Internet, you can't log on to the payment site and enter your credit information.

    Victims of this con are lucky if they just lose the initial fee, but usually they've just given their credit-card number to the same person who infected their machine.

    Solution: There are a number of solutions proffered by blogs and real antivirus-software creators. Note the name of the fake anti-virus software and run it through your search engine to research it. The steps to remove ransomware can be complicated, but it's not impossible.

    Also, don't run your Windows PC with an all-powerful administrative account. Use a regular user account that won't let anything install without the administrator's password. That does a good job blocking malware like this from being installed in the first place.

    Scam C: The Grandparent Gambit

    Social engineering is very much at the heart of another scam that the bureau says is being reported: the grandparent scam. Curiously, while this con seems to have a lot of success among the elderly, it's also targeted at anyone about whom a scam artist has personal information.

    Continued in article


    "College Professor: I Lost Tons Of Critical Files Because Of Dropbox," by Julie Bort, Business Insider, September 18, 2013 ---
    http://www.businessinsider.com/professor-suffers-dropbox-nightmare-2013-9 

    Bob Jensen's threads on computing and network security ---
    http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection

     


    Big Google Becomes Big Brother

    From ACLU Week in Review on January 27, 2012 ---
    http://www.aclu.org/blog/organization-news-and-highlights/week-civil-liberties-1272012

    ACLU Lens: Google's New Privacy Policy
    This week, Google announced a new privacy policy effective March 1. The new policy is consistent across the vast majority of Google products, and it’s in English; you don’t have to speak legalese to understand it. But, the new privacy policy makes clear that Google will, for the first time, combine the personal data you share with any one of its products or sites across almost all of its products and sites (everything but Google Chrome, Google Books, and Google Wallet) in order to obtain a more comprehensive picture of you. And there’s no opting out.


    Jensen Question
    Is this doing "no evil?"

    "What Google's Larry Page Doesn't Understand," by Maxwell Wessel, Harvard Business Review Blog, January 27, 2012 --- Click Here
    http://blogs.hbr.org/cs/2012/01/what_larry_page_doesnt_underst.html?referral=00563&cm_mmc=email-_-newsletter-_-daily_alert-_-alert_date&utm_source=newsletter_daily_alert&utm_medium=email&utm_campaign=alert_date

    Google has been self-destructive recently. Last weekend, Google was exposed by engineers from Twitter, Facebook, and mySpace for interfering with their search results. Instead of apologizing and vowing to protect the sanctity of search, this week Larry Page announced that Google will soon integrate its products even further. On March 1st, Google will change its privacy agreement to allow the company to collect and unify user data across all its web properties. There is no opting out. Whether you want it or not, Google will be consolidating the data about what you search for, what you read in your email, and what you write in the cloud into a single profile that is you. Google wants to know everything about you with the intention of "improving" your Internet experience. Unfortunately, even with the best intentions, there's something that Larry Page doesn't seem to understand: delivering what he calls "Search Plus Your World" is going to create some problems.

    Allow me to explain. At the beginning of my career, I worked on something that resembles the "Search Plus Your World" project. In my first job, I was asked to build a fairly complex algorithm to help a big retail pharmacy identify customers with a potential to have hazardous drug interactions. From my clients' perspective, the last remaining hole in their drug screen came from patients who did not buy all their medication from one chain. Without a full purchase history, the pharmacist couldn't identify patients at risk.

    My job was to use patient purchase histories and flag patients who were "switchers" — those who alternated between pharmacy chains. I thought if I could figure this out, I could do a whole lot of good for patients. All the data showed that patients who consolidated their medication with one pharmacy were less likely to overdose on medications or have hazardous drug interactions. It was a win-win.

    Eight months after starting the job, we'd built the algorithm and were rolling out a counseling program to thousands of stores across the country. On paper, the program looked fantastic. We were identifying tens of thousands of potential "switchers" a week by looking at nothing other than purchase information in our own stores. Once we'd identified patients, we'd send contact lists to pharmacies and ask the pharmacists to gently remind patients of the health benefits that came from consolidating their medication. It turned out that we were pretty accurate. Of the patients we'd identified, about 70 percent were actually picking up medication at other pharmacies, and missing important hazardous drug screens.

    But in practice, it was a disaster. The problem? We never took into account patients' expectations. As you might imagine, patients expected their health data to be treated as sacred. Imagine walking into a pharmacy, proceeding to the pharmacy counter, and asking for your monthly supply of Lipitor. Normally, you'd expect to simply pick up your prescription and go home. But instead of simply paying for your medication and leaving, the pharmacist comes over from the other side of the room to chat. He asks whether you are currently picking up your prescriptions from two different pharmacies. He explains the benefit of consolidating. Not so upsetting. At least, it's not upsetting until you ask yourself "Why did I get the sudden counseling session?" The pharmacist explains that someone from his pharmacy noticed odd behavior in your pickup history.

    And that's when the problems start.

    For most patients, the counseling sessions were matter of fact. But for a handful of patients, the counseling sessions felt like an enormous violation of their privacy. They'd never opted into a program that examined their purchase history, they didn't want to participate, and they were certain they were more than capable of handling their own medication management. The patients were upset; they threatened to leave. Some caused real scenes. It made pharmacists, techs, and other patients uncomfortable.

    When we designed our program, we imagined how the world should be from our perspective. We didn't consider how the world was from their perspective or the importance of our implicit agreements in their minds. We had their personal information. With it came their trust. We lost it. What we didn't understand then is what Larry Page seems not to understand today. Google is about to have their own "switcher" program.

    Continued in article

    Bob Jensen's threads on computing and networking security ---
    http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection


    "I'm Being Followed: How Google—and 104 Other Companies—Are Tracking Me on the Web," by Alexis Madrigal, The Atlantic, February 29, 2012 ---
    http://www.theatlantic.com/technology/archive/12/02/im-being-followed-how-google-and-104-other-companies-are-tracking-me-on-the-web/253758/

    This morning, if you opened your browser and went to NYTimes.com, an amazing thing happened in the milliseconds between your click and when the news about North Korea and James Murdoch appeared on your screen. Data from this single visit was sent to 10 different companies, including Microsoft and Google subsidiaries, a gaggle of traffic-logging sites, and other, smaller ad firms. Nearly instantaneously, these companies can log your visit, place ads tailored for your eyes specifically, and add to the ever-growing online file about you.

    There's nothing necessarily sinister about this subterranean data exchange: this is, after all, the advertising ecosystem that supports free online content. All the data lets advertisers tune their ads, and the rest of the information logging lets them measure how well things are actually working. And I do not mean to pick on The New York Times. While visiting the Huffington Post or The Atlantic or Business Insider, the same process happens to a greater or lesser degree. Every move you make on the Internet is worth some tiny amount to someone, and a panoply of companies want to make sure that no step along your Internet journey goes unmonetized.

    Even if you're generally familiar with the idea of data collection for targeted advertising, the number and variety of these data collectors will probably astonish you. Allow me to introduce the list of companies that tracked my movements on the Internet in one recent 36-hour period of standard web surfing: Acerno. Adara Media. Adblade. Adbrite. ADC Onion. Adchemy. ADiFY. AdMeld. Adtech. Aggregate Knowledge. AlmondNet. Aperture. AppNexus. Atlas. Audience Science.

    And that's just the As. My complete list includes 105 companies, and there are dozens more than that in existence. You, too, could compile your own list using Mozilla's tool, Collusion, which records the companies that are capturing data about you, or more precisely, your digital self.

    While the big names -- Google, Microsoft, Facebook, Yahoo, etc. -- show up in this catalog, the bulk of it is composed of smaller data and advertising businesses that form a shadow web of companies that want to help show you advertising that you're more likely to click on and products that you're more likely to purchase.

    To be clear, these companies gather data without attaching it to your name; they use that data to show you ads you're statistically more likely to click. That's the game, and there is substantial money in it.

    As users, we move through our Internet experiences unaware of the churning subterranean machines powering our web pages with their cookies and pixels trackers, their tracking code and databases. We shop for wedding caterers and suddenly see ring ads appear on random web pages we're visiting. We sometimes think the ads following us around the Internet are "creepy." We sometimes feel watched. Does it matter? We don't really know what to think.

    The issues the industry raises did not exist when Ronald Reagan was president and were only in nascent form when the Twin Towers fell. These are phenomena of our time and while there are many antecedent forms of advertising, never before in the history of human existence has so much data been gathered about so many people for the sole purpose of selling them ads.

    "The best minds of my generation are thinking about how to make people click ads," my old friend and early Facebook employee Jeff Hammerbacher once said. "That sucks," he added. But increasingly I think these issues -- how we move "freely" online, or more properly, how we pay one way or another -- are actually the leading edge of a much bigger discussion about the relationship between our digital and physical selves. I don't mean theoretically or psychologically. I mean that the norms established to improve how often people click ads may end up determining who you are when viewed by a bank or a romantic partner or a retailer who sells shoes.

    Already, the web sites you visit reshape themselves before you like a carnivorous school of fish, and this is only the beginning. Right now, a huge chunk of what you've ever looked at on the Internet is sitting in databases all across the world. The line separating all that it might say about you, good or bad, is as thin as the letters of your name. If and when that wall breaks down, the numbers may overwhelm the name. The unconsciously created profile may mean more than the examined self I've sought to build.

    Most privacy debates have been couched in technical terms. We read about how Google bypassed Safari's privacy settings, whatever those were. Or we read the details about how Facebook tracks you with those friendly Like buttons. Behind the details, however, are a tangle of philosophical issues that are at the heart of the struggle between privacy advocates and online advertising companies: What is anonymity? What is identity? How similar are humans and machines? This essay is an attempt to think through those questions.

    The bad news is that people haven't taken control of the data that's being collected and traded about them. The good news is that -- in a quite literal sense -- simply thinking differently about this advertising business can change the way that it works. After all, if you take these companies at their word, they exist to serve users as much as to serve their clients.

    Continued in article
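    As an added example (not from the Atlantic article, and not Mozilla's Collusion code), the following Python script does the core of what Collusion does: it takes the URLs a browser fetched while showing one page, reduces each host to its registrable domain, and counts how many distinct third parties were contacted. The page URL, request list and hostnames are constructed for the demo, and the two-label public-suffix set is an assumption standing in for the full Public Suffix List.

```python
"""Count the third-party hosts a single page view talks to.

Added example, not part of the Atlantic article and not Mozilla's Collusion
code. The page URL and request list below are constructed to resemble one
news-site page load; every hostname is invented for illustration.
"""
from collections import Counter
from urllib.parse import urlsplit

# Public suffixes made of two labels. This tiny set is an assumption standing
# in for the full Public Suffix List that browser tooling consults.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (eTLD+1).

    'beacon.analytics-two.co.uk' -> 'analytics-two.co.uk'
    'cdn.adnetwork-one.com'      -> 'adnetwork-one.com'
    """
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def classify_requests(page_url: str, request_urls):
    """Return (first_party_domain, Counter of third-party domain -> hits).

    Anything whose registrable domain differs from the page's own is treated
    as a third party, the same test Collusion-style tools apply.
    """
    first_party = registrable_domain(urlsplit(page_url).hostname)
    third_party = Counter()
    for url in request_urls:
        host = urlsplit(url).hostname
        if not host:
            continue  # data: or relative URLs carry no host
        domain = registrable_domain(host)
        if domain != first_party:
            third_party[domain] += 1
    return first_party, third_party


# Constructed sample: what one page view might fetch (not a real capture).
CONSTRUCTED_PAGE = "https://www.example-news.com/2012/02/29/story.html"
CONSTRUCTED_REQUESTS = [
    "https://www.example-news.com/2012/02/29/story.html",
    "https://static.example-news.com/css/site.css",
    "https://www.example-news.com/api/comments?story=42",
    "https://pixel.adnetwork-one.com/px?u=123",
    "https://cdn.adnetwork-one.com/ad.js",
    "https://beacon.analytics-two.co.uk/collect?e=pageview",
    "http://sync.exchange-three.net/match?partner=7",
    "https://www.social-four.com/plugins/like.php?href=story",
]


def report(page_url=CONSTRUCTED_PAGE, request_urls=CONSTRUCTED_REQUESTS):
    """Lines like 'adnetwork-one.com 2', most-contacted domain first."""
    first_party, third_party = classify_requests(page_url, request_urls)
    lines = [f"first party: {first_party}"]
    lines += [f"{domain} {hits}" for domain, hits in third_party.most_common()]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

    Feed it a request list exported from the browser's network panel and the "just the As" list above becomes a hit count per company. Hosts reached over plain http:// (the exchange-three.net sync call in the sample) deserve a second look, because anyone on the same network sees those requests too.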


    Big Brother is Watching Your Kid
    "Texas Schools Win Right To Track Students With Creepy, Invasive RFID Locators," by Adam Popescu, ReadWriteWeb, January 10, 2013
    http://readwrite.com/2013/01/10/texas-schools-win-right-to-track-students-with-creepy-invasive-rfid-locators 

    Jensen Comment
    I wonder if similar devices will one day be implanted in every child at birth. Think of the good and bad possibilities.



    "Student Uses Computer to Help Arrest iPhone Robbers," by Simmi Aujla, Chronicle of Higher Education, September 4, 2009 --- Click Here

    Robbed of his iPhone last week, a student at Carnegie Mellon University used a tracking program on the phone to help police officers find and arrest the robbers outside a fast-food restaurant.

    Early Saturday morning, Can Duruk, a senior, was walking home when two men stopped him and asked for his wallet, according to a press release from the Pittsburgh Bureau of Police. One of the men showed Duruk what looked like a handgun and demanded his PIN number, while the other took Duruk’s wallet and iPhone out of his pockets.

    After calling the police, Mr. Duruk used the program MobileMe to track the movements of the robbers, according to The Tartan, Carnegie Mellon’s student newspaper. MobileMe has a feature called Find My iPhone. Users can log onto a Web site to access a map, which can be updated at the push of a button, that shows the approximate location of the phone. As they headed toward an Eat'n Park restaurant, police went after them.

    Diane Richard, a spokeswoman for the Pittsburgh police, said she didn’t know of any instances when a victim had been able to track robbers himself. "I'm glad that he was able to help us clear the case so quickly and apprehend the people who took his belongings," she said.


    Cloud Security

    "Security rating for cloud services selection," ISACA, April 2, 2012 ---
    https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=183
    Thank you Jerry Trites for the heads up on April 2, 2012 ---
    http://uwcisa-assurance.blogspot.com/


    "IT Risk: Your Audit Checklist," by Rob Livingstone, CFO.com, June 19, 2012 ---
    http://www3.cfo.com/article/2012/6/the-cloud_audit-checklist-for-public-cloud


    "Electrical and cloud outages: Is it time to bring both on premise?"
    IS Assurance Blog by Jerry Trites
    July 8, 2012

    Amazon experienced an outage that affected a number of companies that rely on its cloud service. The company informed its users that its service went down due to a power outage, stating: 


    "On June 29, 2012 at about 8:33 PM PDT, one of the Availability Zones (AZ) in our US-EAST-1 Region experienced a power issue. While we were able to restore access to a vast majority of RDS DB Instances that were impacted by this event, some Single-AZ DB Instances in the affected AZ experienced storage inconsistency issues and access could not be restored despite our recovery efforts. These affected DB Instances have been moved into the “failed” state." 


    This notice was actually taken from CodeGuard (a start-up that takes snapshots of websites, enabling owners to undo unwanted changes), which was one of the companies affected by the outage. 

    Continued in article
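    The notice describes exactly the exposure a Single-AZ instance carries: one zone's power issue takes the instance down, and if its storage comes back inconsistent there is nothing to fail over to. As an added example, not AWS's, CodeGuard's or Jerry Trites' code, the Python below audits a describe_db_instances response for instances that a single Availability Zone failure would take out and for instances with no automated backups to restore from. The SAMPLE data is constructed in the shape of the boto3 response; the identifiers are invented.

```python
"""Find RDS instances that a single-AZ power event would take out.

Added example; it is not AWS's, CodeGuard's or Jerry Trites' code. SAMPLE is
constructed in the shape boto3's rds.describe_db_instances() returns, with
invented instance identifiers.
"""

SAMPLE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "MultiAZ": True,
         "AvailabilityZone": "us-east-1a", "BackupRetentionPeriod": 7},
        {"DBInstanceIdentifier": "site-snapshots", "MultiAZ": False,
         "AvailabilityZone": "us-east-1c", "BackupRetentionPeriod": 0},
        {"DBInstanceIdentifier": "reporting", "MultiAZ": False,
         "AvailabilityZone": "us-east-1c", "BackupRetentionPeriod": 3},
    ]
}


def audit_rds(response, affected_az=None):
    """Return (identifier, finding) pairs worth acting on.

    single-az:  a zone failure takes the instance down and, as in the 2012
                notice, may leave its storage inconsistent.
    no-backups: BackupRetentionPeriod 0 means no automated snapshots exist
                to restore from once an instance lands in the 'failed' state.
    in-zone:    when affected_az is given, the Single-AZ instances in it.
    """
    findings = []
    for db in response.get("DBInstances", []):
        ident = db["DBInstanceIdentifier"]
        multi_az = bool(db.get("MultiAZ", False))
        if not multi_az:
            findings.append((ident, "single-az"))
        if db.get("BackupRetentionPeriod", 0) == 0:
            findings.append((ident, "no-backups"))
        if affected_az and not multi_az and db.get("AvailabilityZone") == affected_az:
            findings.append((ident, f"in-zone:{affected_az}"))
    return findings


def blast_radius(response, az):
    """Identifiers of the Single-AZ instances that live in the given zone."""
    return [ident for ident, finding in audit_rds(response, az)
            if finding == f"in-zone:{az}"]


if __name__ == "__main__":
    # Against a real account, replace SAMPLE with
    # boto3.client("rds").describe_db_instances(); credentials are assumed.
    for ident, finding in audit_rds(SAMPLE, "us-east-1c"):
        print(f"{ident}: {finding}")
```

    Run against the sample, site-snapshots shows up twice: it is the instance in the affected zone that would also have had no snapshot to restore from. Multi-AZ costs roughly a second instance, so the useful output of the audit is a short list of databases where that cost is clearly justified.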

    Bob Jensen's threads on computing and networking security ---
    http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection


    Blog Entry from Jerry Trites on October 7, 2011 --- http://uwcisa-assurance.blogspot.com/

    Web Application Security: Business and Risk Considerations

    ISACA has a White Paper on its website with the above title. The paper is an excellent resource for those interested in cloud risks and how to address them. That includes a lot of people!

    One of the interesting parts of the paper is the table listing the various types of vulnerabilities encountered in the cloud. These include SQL Injection, Cross-site scripting and Insecure Direct Object Reference, among others. The paper goes on to list some areas of security to focus on, including some specific guidance on the old stand-bys of executive support, training and support.

    The paper concludes with assurance considerations, including the use of Cobit to strengthen controls.

    An excellent paper.
    You can download it through this link.
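    The three vulnerability classes the paper's table names can be shown side by side. The Python below is an added example, not code from the ISACA paper: each function appears in the form that creates the weakness and in the form that removes it, run against a constructed in-memory SQLite database with invented users and invoices. Passwords are stored in plain text only to keep the demo short; real code stores a salted hash.

```python
"""SQL injection, cross-site scripting and insecure direct object reference,
each shown in a vulnerable form next to its fix.

Added example; it is not from the ISACA paper. The schema, users and
invoices are constructed for the demo, and passwords are stored in plain
text only to keep it short (real code stores a salted hash).
"""
import html
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(10, 1, 120.0), (11, 2, 999.0)])
    return conn


# --- SQL injection -------------------------------------------------------
def login_vulnerable(conn, name, password):
    """Builds the query from user input, so the input can rewrite the query."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Bound parameters: the driver never treats the values as SQL."""
    row = conn.execute("SELECT id FROM users WHERE name = ? AND password = ?",
                       (name, password)).fetchone()
    return row[0] if row else None


# --- Cross-site scripting ------------------------------------------------
def render_comment_vulnerable(text):
    return f"<p>{text}</p>"  # the browser runs any <script> inside text


def render_comment_safe(text):
    return f"<p>{html.escape(text)}</p>"  # &lt;script&gt; is displayed, not run


# --- Insecure direct object reference -----------------------------------
def invoice_vulnerable(conn, invoice_id):
    """Any logged-in user who guesses an id can read anyone's invoice."""
    row = conn.execute("SELECT amount FROM invoices WHERE id = ?", (invoice_id,)).fetchone()
    return row[0] if row else None


def invoice_safe(conn, current_user_id, invoice_id):
    """The ownership check is part of the query, not left to the caller."""
    row = conn.execute("SELECT amount FROM invoices WHERE id = ? AND owner_id = ?",
                       (invoice_id, current_user_id)).fetchone()
    return row[0] if row else None


def demo():
    """Run each attack against both versions and return the outcomes."""
    conn = setup_db()
    bypass = "alice' --"  # closes the string literal, comments out the password check
    payload = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable": login_vulnerable(conn, bypass, "wrong"),  # 1: logged in as alice
        "sqli_safe": login_safe(conn, bypass, "wrong"),              # None
        "xss_vulnerable": render_comment_vulnerable(payload),
        "xss_safe": render_comment_safe(payload),
        "idor_vulnerable": invoice_vulnerable(conn, 11),             # 999.0 for anyone
        "idor_safe_wrong_user": invoice_safe(conn, 1, 11),           # None
        "idor_safe_owner": invoice_safe(conn, 2, 11),                # 999.0
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

    The pattern is the same in all three: the fix moves the security decision out of the caller's hands and into the layer that cannot be talked out of it (the driver's parameter binding, the output encoder, the WHERE clause). Audit checklists that ask "is input validated?" miss this; the better question is whether untrusted data is ever concatenated into a query or a page.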

    "KPMG: 'Cloud is Now'; Technology Spend to Leap Next Year," SmartPros, October 6, 2011 ---
    http://accounting.smartpros.com/x72834.xml

    The vast majority of senior executives globally say their organizations have already moved at least some business activities to the Cloud and expect 2012 investment to skyrocket, with some companies planning to spend more than a fifth of their IT budget on Cloud next year, according to a report by KPMG International.

    “Clearly, these findings proclaim, ‘the Cloud is now,’” said Bryan Cruickshank, KPMG head of Global IT Advisory, Management Consulting. “Clearly Cloud is transcending IT and widely impacting business operations, as a full third of survey respondents said it would fundamentally change their business, which is significant considering many organizations are still developing their Cloud strategies.”

    In a KPMG global survey of organizations that will use the Cloud, as well as companies that will provide Cloud services, economic factors were cited by 76 percent of both groups as an important driver for Cloud adoption. However, a number of other considerations were equally or more important: 80 percent said the switch to Cloud was driven by efforts to improve processes, offering more agility across the enterprise; 79 percent of users and 76 percent of providers said they saw it as having technical benefits, in some cases improvements that they otherwise could not gain from their own data centers; and, 76 percent said the use of Cloud would have strategic benefits, possibly including transforming their business models to gain a competitive advantage.

    Most user respondents to the KPMG survey (81 percent) said they were either evaluating Cloud, planned a Cloud implementation, or had already adopted a Cloud strategy and timeline for their organization, with almost one-quarter of them saying their organization already runs all core IT services on the Cloud (10 percent) or is in transition to do so (13 percent). Fewer than one in 10 executives say their company has no immediate plans to enter the Cloud environment.

    “Cloud adoption is quickly shifting from a competitive advantage to an operational necessity, enabling innovation that can create new business models and opportunities,” said Steve Hasty, head of Global IT Advisory, Risk Consulting. “As this rapid adoption curve continues to gain momentum amid a struggling global economy, it is important for corporate leadership, directors and boards to be informed and engaged in strategic discussions about Cloud’s impact on their long-term growth opportunities and competitiveness.”

    Hasty pointed out that the role of the corporate Cloud leader remained contentious. IT executives see migration to the Cloud as their initiative, while operations executives believe the CEO should lead the change. “Enter the Chief Integration Officer, as the traditional CIO’s role expands to break down potential silos and integrate internal and external business needs, systems and partners,” said Hasty.

    KPMG previewed the survey findings this week during Oracle Open World, Oracle Corp.’s global conference in San Francisco.

    IT-Business Executives Differ Moderately on Cloud Expectations

    Executives whose companies would use a Cloud strategy agree that spending will rise significantly in 2012.

    According to the KPMG survey, 17 percent of corporate executives said Cloud spending would exceed 20 percent of the total IT budget in 2012.

    Continued in article



    If your laptop is stolen, with your confidential data, several companies will help you get it back and/or prevent thieves from using the stored information

    "Solving Laptop Larceny: If your laptop is stolen, with your confidential data, several companies will help you get it back -- or else disable it," by Lamont Wood, MIT's Technology Review, June 19, 2006 ---
    http://www.technologyreview.com/read_article.aspx?id=17000&ch=infotech

    These new systems, which aren't intended to prevent theft, but rather mitigate their consequences, come in three flavors: tracking software, encryption, and "kill" switches that can make a laptop's data self-destruct.

    Extra layers of protection are needed because the password and encryption mechanisms that come with most laptops are weak or inconvenient, says Jack Gold, head of J. Gold Associates, a market research firm in Northborough, MA. "There are hacker tools that let you get around [passwords] very quickly, or you can boot from a CD," Gold says. It's true that any laptop running Windows XP Professional has an optional encryption function that should defeat thieves, but using it slows down normal file access.

    One solution, then, is a tracking system, such as Computrace, run by Absolute Software of Vancouver, Canada. William Penn University in Oskaloosa, IA, turned to the system this year, after about 500 laptops in one of its colleges went missing, says Curt Gomes, the university's IT supervisor. The university decided it had become uneconomical to try to hunt down each machine manually. Instead, Gomes decided to try laptop tracking -- a technique that's been around for a decade, but recently has seen sales growth of 50 percent per year.

    Each machine subscribed to the Computrace service typically reports to a company server once a day via the Internet. If the computer is reported stolen, the server will instruct it to start sending messages every 15 minutes. And if the missing machine's Internet address can be pinned down to a street address, police will soon show up there, according to company spokesman Les Jickling. In fact, a week after William Penn signed up for the Computrace tracking system, a laptop stolen out of a car was recovered by police five days later.

    Continued in article


    Ironkey Hardware Encrypted Flash Drive

    February 2, 2008 message from Scott Bonacker [lister@BONACKERS.COM]

    Yesterday's newsletter from www.govexec.com  included an ad for a hardware encrypted flash drive called ironkey. It's not cheap, but might be effective. A hard drive with built in hardware encryption would also be useful.

    Scott Bonacker CPA
    Springfield, MO



    "Wi-Fi security do's and don'ts," by: Eric Geirer, IT Canada, November 7, 2011 --- Click Here
    http://www.itworldcanada.com/news/wi-fi-security-dos-and-donts/144256?sub=1520550&utm_source=1520550&utm_medium=top5&utm_campaign=TD+
    Link found in the IS Assurance Blog of Jerry Trites


    "Ceelox Announces Biometric Encryption Software Solution to Secure Critical Enterprise Data," PR Web, June 24, 2006 --- http://www.prweb.com/releases/2006/6/prweb403052.htm

    Ceelox, Inc., a leading provider of biometric security software for enterprise networks and commercial applications, is proud to announce its release of Ceelox Vault, a powerful biometric authentication and encryption solution designed to protect lost or stolen data and combat identity theft.

    Ceelox Vault is the ideal solution for protecting any confidential information whether it is credit card numbers, social security numbers, personal financial data, medical records, private correspondence, personal details, sensitive company information, bank account information, business plans, or intellectual property.

    The theft or loss of high-profile laptops containing social security numbers, employee information, intellectual property, credit reports and more is an everyday occurrence these days. It seems that virtually no organization is immune to the problem, which impacts millions of customers and employees who are relying on others to keep their information secure and out of the hands of identity thieves.

    "We created Ceelox Vault because we recognize the value of easily securing confidential data. In today’s world, securing critical enterprise data has never been more important," said Kass Aiken, president & COO of Ceelox. "With Ceelox Vault the key to unlock the encryption is not stored anywhere, it is a unique biometric characteristic carried by the user's fingerprint," said Erix Pizano, Director of Software Development for Ceelox. "Many organizations have measures in place to protect sensitive data. However, these solutions sometimes make the user feel incapable of using them due to their complexity," said Pizano. "As simple as drag and drop, with Ceelox Vault, security software finally makes sense. The encryption process can be seen and understood, unlike most security systems which are not noticeable to the end user unless they fail," added Pizano.

    Ceelox Vault enables the user to simultaneously encrypt files and copy or move them to a server, personal computer, or external storage device. The customer then selects one of three industry standard ciphers (AES256, 3DES, or Blowfish448) for the file encryption. The encryption algorithms use a key attached to the user in a manner that requires the user's fingerprint to encrypt and decipher the files.

    The Ceelox Vault user, after gaining access to the Ceelox Vault application through biometric authentication, works from a window, which displays all personal computer files on the left side of the window and the vault drive files on the right side of the window.

    Files and folders move back and forth between the computer and the vaulted storage device by simply clicking on them, dragging them to their destination and dropping them.

    Access to a vaulted storage location is controlled by the use of a fingerprint scanner embedded in a portable hard drive, an external fingerprint scanner, or the fingerprint scanner embedded in a laptop or mobile computing device.

    This provides two levels of security with authentication being required not only to access the drive but also to decrypt the files on the drive.

    Ceelox's mission is to develop and market biometric security software products that are simple to implement, deploy, and use. Security software should never make the user feel incapable of using it. Ceelox focuses their attention on building powerful, easy to use applications that will provide the best enterprise and customer experience within all levels of an organization.

    About Ceelox

    Ceelox is a developer and marketer of biometric security software products for logical access, identity authentication and file security. Ceelox's core applications, Ceelox ID, Ceelox Vault and Ceelox ID Online, improve employee productivity and reduce information technology administrative costs. These products are supported by several U.S. and International pending patents. Ceelox focuses attention on building powerful, easy to use applications that will provide the best customer experience within all levels of an organization while enhancing security through biometric software technology.

    For more information regarding Ceelox visit www.ceelox.com


    Is your data safe? Survey reveals scandal of snooping IT staff
    Results of a recent study reveal the hidden scandal of IT staff snooping at the confidential information of other employees. One in three of IT employees admit to snooping through company systems and peeking at confidential information such as private files, wage data, personal e-mails, and HR background.
    AccountingWeb, August 31, 2007 --- http://www.accountingweb.com/cgi-bin/item.cgi?id=103934
    Jensen Comment
    And sometimes they're looking for commercial and homemade porn.


    A Frightening Tale of Gmail
    "Hacked!" by James Fallows, The Atlantic, November 2011 --- http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/?single_page=true
    Thank you Robert Walker for the heads up.

    As email, documents, and almost every aspect of our professional and personal lives moves onto the “cloud”—remote servers we rely on to store, guard, and make available all of our data whenever and from wherever we want them, all the time and into eternity—a brush with disaster reminds the author and his wife just how vulnerable those data can be. A trip to the inner fortress of Gmail, where Google developers recovered six years’ worth of hacked and deleted e‑mail, provides specific advice on protecting and backing up data now—and gives a picture both consoling and unsettling of the vulnerabilities we can all expect to face in the future.

    . . .

    “I see that you’ve got it!” he said. “The zeal of the convert. People in the business think about the risks all the time, but normal people don’t, until they’ve gotten a taste of the consequences of failure.”

    I have now had that taste and am here to share the experience. As with so many other challenges in modern life, responding with panic or zealotry doesn’t get us anywhere. But a few simple self-protective steps can save a lot of heartache later on.

    October 31, 2011 message from John Howland

    Bob, the Mike Jones in this article is a Trinity CS grad. He has helped provide Google internships for our students.

    Sent from my iPad

    John E. Howland
    Computer Science, Trinity University
    One Trinity Place, San Antonio, Texas 78212-7200
    url: http://www.cs.trinity.edu/~jhowland/
    email: jhowland@ariel.cs.trinity.edu
    voice: (210) 999-7364
    fax: (210) 999-7477

    October 29, 2011 reply from Linda Pfingst

    One of my main clients was subjected to this just this past summer. Really read the emails coming to you, and be suspect of anything that is not ‘good’ grammar. Yes, we all misspell things, but ‘broken’ English is easy to spot. Main countries of origin are Russia and Nigeria. FBI/Homeland Security is not even a little bit interested if the scam is not over 100K; they want the big fish. So it is up to us to be smarter and more diligent.

    Thankfully, it ‘only’ cost the client my time (n/c) and about 7K in lost funds. They are working on retrieving that. My advice, write it off to the experience account.

    But PayPal is not all it’s cracked up to be. Forget the ‘safest, easiest way to pay’; it’s a joke. You have to buy more ‘security’ from PayPal; it does not come with the account. Unless you buy additional security, PayPal does not even check the name against the card holder account. And they don’t tell you that when you sign up.

    And there is no insurance offered for commercial shopping cart scams.

    If you come across a scam or are scammed report it to the FBI at: https://tips.fbi.gov/ or http://www.ic3.gov/default.aspx

    Educate yourself on the latest scams at: http://www.fbi.gov/scams-safety/fraud

    And they will aggregate them for $$/occurrence and try to go after them.

    Linda Pfingst, CPA

    November 1,  2011 reply from Steve Hornik

    Thanks Robert and Linda for bringing this up on our list.

    It's my belief that we need to be educating our students on this issue and in that regard I've completely changed my Grad AIS course this semester. For the first time the course is basically an IT Security course and, believe me, the hacking article is just a little scary compared to other issues once you start looking into this area. I used to go over with my class the AICPA Top Technology Trends that they do each year, and if you look at them,


    http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TopTechnologyInitiatives/Pages/2011TopTechInitiatives.aspx

    You see that each year for over a decade Security is the #1 issue (or something related to security). Also, of course, compliance with SOX, etc. makes this an important issue and knowledge that accounting students should have. Of course I've always been a bit odd in what I've taught and maybe a bit contrarian - I mean, what's more important, that these students know how to design an Access database or know where IT/Network vulnerabilities exist, why they exist, and what can be put in place to help prevent hacks? As was clear in the article, a lot of protections, starting with passwords, can be simple if only they are used properly. But it's amazing how often the simple stuff is just not done. During the 1st day of the class I go over the HBGary case with my students. This is a top security firm, with government contracts, that got hacked. Now you would think that security companies are under attack all the time, and I expect they are, but this top security firm got hacked because they employed incredibly weak to non-existent security - so if the ones being paid to protect us are not "drinking their own Kool-Aid," what are mere mortals supposed to do? Here's a link to a great article explaining the whole sad affair:

    http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/

    By the way, if there are other crazy ones like me teaching this - let me know. In my first crack at this I'm tending to do a lot of lecturing but want to eventually move towards case studies and projects. So if anyone has anything they'd like to share please do.
    _________________________
    Dr. Steven Hornik
    University of Central Florida
    Dixon School of Accounting
    407-823-5739
    http://about.me/shornik
    Second Life: Robins Hermano
    Twitter: shornik

    http://mydebitcredit.com
    yahoo ID: shornik



    Bad News for Wireless Routers at Home

    "Your Next Big Security Headache: Your Wireless Router," by Antone Gonsalves, ReadWriteWeb, April 16, 2013 ---
    http://readwrite.com/2013/04/16/beware-the-wireless-router-security-threat

    Jensen Comment
    Take a look at this one. It's bad news if you, like me, have a wireless system at home.

    Bob Jensen's neglected threads on computing and networking security ---
    http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection


    Question
    Do you access your files using a public network in a library, cyber cafe, hotel, or wherever?

    If so, here are some scary thoughts and advice about computing via wireless/public networks
    For my LAN and Web server files at Trinity University, I'm only allowed to use Cisco VPN
    And my computer must be specially configured by Trinity University technicians for use of VPN with Cisco's Sophos Security System ---
    http://www.sophos.com/products/small-business/sophos-security-suite/

    "How to Keep Your Public Web Use Secure and Private with a VPN," by Brian Croxall, Chronicle of Higher Education, November 1, 2010 ---
    http://chronicle.com/blogs/profhacker/how-to-keep-your-public-web-use-secure-and-private-with-a-vpn/28257?sid=wc&utm_source=wc&utm_medium=en

    Last week, Mark wrote twice about backing up your Twitter archives (on your own server and using ThinkUp). In the first of these posts he noted ProfHacker’s obsession with backup. Making sure that you have backed up your essential files is an important part of using a computer securely.

    Regular backups aren’t the only important measure of computer security that you should consider. We all know that we need to be wary of emails from Nigerian officials, to use anti-virus and anti-malware tools, and to not trust attachments that come on those messages about particular pharmaceutical products. Equally important with these common-sense practices for behaving securely on the Internet is whether we connect securely to the Internet.

    If you’re like the rest of the ProfHacker team and occasionally use a coffee shop as workspace (or even your public library), you will likely have had times when you connect your laptop, PDA, or iPod Touch to the public wifi that is offered in these locations. Even if you have a super smartphone, you might sometimes use the wifi since it will be faster than the 3G or 4G connection. Deep down, we probably all know that using public wifi might be risky, but most of us think that the chances of our information being stolen is low.

    That might have been the case until October 24. That was the day that the Firesheep extension was released for the Firefox browser.* This simple add-on, which takes all of 15 seconds to install, “allows you to,” in the words of Peter Shankman, “see who’s connecting to various sites that don’t encrypt their HTTP login cookies, like Facebook, Evernote, Yahoo, Amazon, Dropbox, Gowalla, Twitter, WordPress, and others….” (See also this detailed explanation of Firesheep on TechCrunch.) It’s always been possible to spy on people’s activity when they were using public wifi, as this May 2010 article by Cory Bohon (friend of ProfHacker and occasional guest author) points out. But while it’s been possible to spy on others’ activity, Firesheep has made it ridiculously easy to do this. Not only does the add-on allow you to see people’s plain text passwords, but it allows you to login as this person by simply double-clicking on their information. Again, to quote Shankman, “This isn’t kid stuff. This is REAL, and this is DANGEROUS.

    If deep down you knew that it wasn’t perfectly safe to use public wifi previously, now you must assume that any public wifi is compromised. This last Wednesday, only 3 days after Firesheep was released, a friend of mine had her Facebook and Twitter accounts hacked while in a coffee shop. Racist and otherwise offensive messages were posted on her friends’ Facebook walls and Twitter accounts. As annoying as this is to deal with, it’s better than the damage that could have been done in these circumstances.

    There are a number of ways to protect yourself from Firesheep attacks. In the first place, you should recognize that computers that have a wired connection are safe. This means that your office computer is likely protected.

    Second, if your campus’s wifi network requires you to login with a network ID and password before connection, you should be safe as well. The open network for campus guests, on the other hand, is not protected.

    The third way to be safe is perhaps the most obvious: do not use any public wifi signal. Connecting to the Internet via a 3G card or a MiFi device will keep you safe. Unfortunately, these services cost $50+/month. If you don’t want to or cannot shell out that money (and let’s remember that most faculty members are graduate students, adjuncts, contingent, or otherwise off the tenure-track), there are a few other solutions.

    A fourth method of protection has been reported on by both TechCrunch and ZDNet. Firefox extensions such as HTTPS Everywhere and Force-TLS will improve security on sites that do not default to HTTPS logins by switching to the more secure protocol. But these only work in Firefox. And while Firesheep is a Firefox add-on, it works against any browser. This means that Safari, Chrome, IE, and Opera users are unprotected at the moment.

    Perhaps the best way, then, for ProfHackers to be safe and still work as they like is to make use of their campus’s Virtual Private Network, or VPN. As the crowd puts it on Wikipedia, a VPN “is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization’s network” (my emphasis). Connecting to a VPN does not mean that you can’t access anything besides your university’s website. Instead, it takes advantage of your university’s Internet security to hide the data that you are sending and receiving from others’ eyes–including those who are using Firesheep. A VPN should work independent of which operating system or browser you use. And best of all, it will almost certainly be free!

    I cannot speak about every university in the world, but I have had access to a VPN at both those where I have worked. When I have set up my computer to make use of the VPN, it has only taken a few minutes the first time. Subsequent VPN sessions can be started in under 30 seconds. Sure, it’s a hassle to have to take one more step before beginning to use the Internet, but it’s far better than having to apologize to all of your Facebook friends…or try to explain to your bank that you didn’t withdraw all that money.

    To find out whether your campus provides access to a VPN and how to go about setting it up on your mobile devices, search for “vpn” or “virtual private network” on the university’s website. If that doesn’t get you the information you need or if it doesn’t make sense, then call someone in your IT department. I’m willing to bet you a latté that they will be more than happy to get you set up. Remember, this is not the time to be too proud to ask for help.

    Even once you have a VPN up and running, you still must use common sense when handling sensitive computing tasks in public. The person next to you may no longer be able to Firesheep you, but they could still watch you type in your username and password.

    What precautions do you take when computing in the wild?

    Continued in article
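The exposure the article describes, a login cookie that the browser will also send over plain HTTP, is visible in a site's own Set-Cookie headers. The following is an added example, not code from ProfHacker or Firesheep, that audits constructed sample headers for the Secure and HttpOnly attributes; the cookie names, values and the SESSION_HINTS list are made up for the illustration.

```python
"""Audit Set-Cookie headers for the exposure Firesheep relied on.

Firesheep read session cookies that sites sent over plain HTTP on open wifi and
replayed them to log in as the victim.  The server-side fix is to issue session
cookies only over HTTPS and mark them Secure (never sent over HTTP) and HttpOnly
(not readable by page scripts).  Sample headers here are constructed for this
example and do not come from any real site.
"""
from http.cookies import SimpleCookie

# Substrings that usually mark an authenticated-session cookie (constructed list).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session(name: str) -> bool:
    """Heuristic: does this cookie name look like it carries a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_set_cookie(header_value: str, scheme: str) -> list:
    """Return findings for one Set-Cookie header value.

    scheme is the URL scheme the response was served over: 'http' or 'https'.
    A session cookie without Secure is exactly what Firesheep captured, because
    the browser attaches it to every plain-HTTP request to the same site.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if not looks_like_session(name):
            continue  # preference cookies are not a login-hijack risk
        if scheme == "http":
            findings.append(f"{name}: session cookie issued over plain HTTP")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure, so it rides on HTTP requests too")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, so page scripts can read it")
    return findings


def audit_response(scheme: str, headers: list) -> list:
    """Audit every Set-Cookie header in a (name, value) header list."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value, scheme))
    return findings


# Constructed sample responses: the weak pattern, then the hardened one.
WEAK_RESPONSE = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=deadbeef1234; Path=/; Max-Age=3600"),
    ("Set-Cookie", "theme=dark; Path=/"),
])
HARDENED_RESPONSE = ("https", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=deadbeef1234; Path=/; Max-Age=3600; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
])

if __name__ == "__main__":
    for label, (scheme, headers) in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(scheme, headers) or ["no findings"])
```

The same check can be run against a real site's response headers; HTTPS Everywhere only forces the client side of this, while the Secure attribute is the server's part.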


    "IT Risk: Your Audit Checklist," by Rob Livingstone, CFO.com, June 19, 2012 ---
    http://www3.cfo.com/article/2012/6/the-cloud_audit-checklist-for-public-cloud


    From ACLU Week in Review on January 27, 2012 ---
    http://www.aclu.org/blog/organization-news-and-highlights/week-civil-liberties-1272012

    ACLU Lens: Google's New Privacy Policy
    This week, Google announced a new privacy policy effective March 1. The new policy is consistent across the vast majority of Google products, and it’s in English; you don’t have to speak legalese to understand it. But, the new privacy policy makes clear that Google will, for the first time, combine the personal data you share with any one of its products or sites across almost all of its products and sites (everything but Google Chrome, Google Books, and Google Wallet) in order to obtain a more comprehensive picture of you. And there’s no opting out.


    Jensen Question
    Is this doing "no evil?"

    "What Google's Larry Page Doesn't Understand," by Maxwell Wessel, Harvard Business Review Blog, January 27, 2012 --- Click Here
    http://blogs.hbr.org/cs/2012/01/what_larry_page_doesnt_underst.html?referral=00563&cm_mmc=email-_-newsletter-_-daily_alert-_-alert_date&utm_source=newsletter_daily_alert&utm_medium=email&utm_campaign=alert_date

    Google has been self-destructive recently. Last weekend, Google was exposed by engineers from Twitter, Facebook, and mySpace for interfering with their search results. Instead of apologizing and vowing to protect the sanctity of search, this week Larry Page announced that Google will soon integrate its products even further. On March 1st, Google will change its privacy agreement to allow the company to collect and unify user data across all its web properties. There is no opting out. Whether you want it or not, Google will be consolidating the data about what you search for, what you read in your email, and what you write in the cloud into a single profile that is you. Google wants to know everything about you with the intention of "improving" your Internet experience. Unfortunately, even with the best intentions, there's something that Larry Page doesn't seem to understand: delivering what he calls "Search Plus Your World" is going to create some problems.

    Allow me to explain. At the beginning of my career, I worked on something that resembles the "Search Plus Your World" project. In my first job, I was asked to build a fairly complex algorithm to help a big retail pharmacy identify customers with a potential to have hazardous drug interactions. From my clients' perspective, the last remaining hole in their drug screen came from patients who did not buy all their medication from one chain. Without a full purchase history, the pharmacist couldn't identify patients at risk.

    My job was to use patient purchase histories and flag patients who were "switchers" — those who alternated between pharmacy chains. I thought if I could figure this out, I could do a whole lot of good for patients. All the data showed that patients who consolidated their medication with one pharmacy were less likely to overdose on medications or have hazardous drug interactions. It was a win-win.

    Eight months after starting the job, we'd built the algorithm and were rolling out a counseling program to thousands of stores across the country. On paper, the program looked fantastic. We were identifying tens of thousands of potential "switchers" a week by looking at nothing other than purchase information in our own stores. Once we'd identified patients, we'd send contact lists to pharmacies and ask the pharmacists to gently remind patients of the health benefits that came from consolidating their medication. It turned out that we were pretty accurate. Of the patients we'd identified, about 70 percent were actually picking up medication at other pharmacies, and missing important hazardous drug screens.

    But in practice, it was a disaster. The problem? We never took into account patients' expectations. As you might imagine, patients expected their health data to be treated as sacred. Imagine walking into a pharmacy, proceeding to the pharmacy counter, and asking for your monthly supply of Lipitor. Normally, you'd expect to simply pick up your prescription and go home. But instead of simply paying for your medication and leaving, the pharmacist comes over from the other side of the room to chat. He asks whether you are currently picking up your prescriptions from two different pharmacies. He explains the benefit of consolidating. Not so upsetting. At least, it's not upsetting until you ask yourself "Why did I get the sudden counseling session?" The pharmacist explains that someone from his pharmacy noticed odd behavior in your pickup history.

    And that's when the problems start.

    For most patients, the counseling sessions were matter of fact. But for a handful of patients, the counseling sessions felt like an enormous violation of their privacy. They'd never opted into a program that examined their purchase history, they didn't want to participate, and they were certain they were more than capable of handling their own medication management. The patients were upset; they threatened to leave. Some caused real scenes. It made pharmacists, techs, and other patients uncomfortable.

    When we designed our program, we imagined how the world should be from our perspective. We didn't consider how the world was from their perspective or the importance of our implicit agreements in their minds. We had their personal information. With it came their trust. We lost it. What we didn't understand then is what Larry Page seems not to understand today. Google is about to have their own "switcher" program.

    Continued in article


    Comparisons of Antivirus and AntiMalware Software --- http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows


    Malware --- http://en.wikipedia.org/wiki/Malware

    Comparisons of Antivirus and AntiMalware Software --- http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows

    Malwarebytes Details the Biggest Threats of 2013 in Their End-of-Year Report ---
    http://www.howtogeek.com/177399/malwarebytes-details-the-biggest-threats-of-2013-in-their-end-of-year-report/


    Probing Questions:
    What are computer viruses and where do they come from?
    How do computer viruses differ from worms?

    Answers
    PhysOrg, July 20, 2006 --- http://physorg.com/news72632629.html

    The history of medical viruses is outlined at http://en.wikipedia.org/wiki/Virus

    The history of computer viruses is outlined at http://en.wikipedia.org/wiki/Computer_Virus

    Worm --- http://en.wikipedia.org/wiki/Worm
    Whereas a virus attaches itself to a program, a worm is independent and self-propagating.


    Windows XP Users: Here Are Your Upgrade Options ---
    http://www.howtogeek.com/172243/windows-xp-users-here-are-your-upgrade-options/

    Jensen Comment
    If you keep using XP it's best to install top-of-the-line virus, malware, and firewall protectors ---
    http://en.wikipedia.org/wiki/Comparison_of_antivirus_software
    After studying the above page, I went with Finland's F-Secure protection

    Antivirus Software --- http://en.wikipedia.org/wiki/Category:Antivirus_software

    Malware Protection --- http://en.wikipedia.org/wiki/Malware

    Firewall Protection --- http://en.wikipedia.org/wiki/Category:Firewall_software

    How to Fix Browser Settings Changed By Malware or Other Programs ---
    http://www.howtogeek.com/172141/how-to-fix-browser-settings-changed-by-malware-or-other-programs/

    Why Secure File Deletion Tools Aren’t Foolproof ---
    http://www.howtogeek.com/172077/why-secure-file-deletion-tools-arent-foolproof/


    "How To Fight CryptoLocker And Evade Its Ransomware Demands," by Lauren Osini, ReadWriteWeb, November 8, 2013 ---
    http://readwrite.com/2013/11/08/cryptolocker-prevent-remove-eradicate#awesm=~omJDczL2zJaMMO

    CryptoPrevent --- http://www.foolishit.com/vb6-projects/cryptoprevent/
    Jensen Note:  Before buying you should check for other solutions

    Comparisons of Antivirus Software ---
    http://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Microsoft_Windows

    Bob Jensen's threads on computing and network security ---
    http://www.trinity.edu/rjensen/ecommerce.htm



    DNS Changer Malware

    Forwarded by Jim Martin

    These links are in the July 2012 issue of PC World

    For a DNS Changer Check-Up see: www.dns-ok.us

    That site provides a link to the FBI's site at
    http://www.fbi.gov/news/stories/2011/november/malware_110911

    For infected systems see http://www.dcwg.org/fix/

    or Avira's repair tool at
    http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199


    "Safeguard Your Phone from Malware:  A Modern Cellphone Is Really a Small Computer and, Like Its Bigger Brethren, It Needs Protection," by Bonnie Cha, The Wall Street Journal, December 30, 2012 ---
    http://professional.wsj.com/article/SB10001424127887324669104578205164093345072.html

    If you think that only computers can get viruses, think again.

    According to a report by research group Juniper Networks, hackers are increasingly targeting smartphones and other mobile devices with malicious software (also known as malware) to gain access to personal information. The threat is still small in comparison to computers, but that doesn't mean you shouldn't take precautions to protect your smartphone.

    Malware is software that can wreak havoc on your mobile phone, often without your knowledge. Depending on the type of malware, it can access private information, such as passwords, which can lead to identity theft; it can also track your location, make unauthorized charges to your cellphone bill, and more.

    As with computers, problems can arise when you download apps or files from unknown sources, click on suspicious links, or browse unsafe websites.

    I've just taken a look at two mobile security apps that can help monitor and alert you to any potential threats. They are Lookout Mobile Security and Avast Free Mobile Security. Both are free (Lookout also has a paid version with extra features), and both scan your phone for malware, back up contact information and more.

    Lookout Mobile Security

    Lookout Mobile Security is a free app for both iOS and Android devices. Its basic features include scanning your phone for malware and viruses, backup and restoration of contacts, and remotely locating your phone.

    There is also a premium Android version, which I found to be the most useful. It includes a privacy report for all apps, and the ability to remotely lock and wipe your phone's data in case it's stolen, among other things.

    I tested Lookout on the Motorola Droid Maxx HD and, upon launching the app, it immediately scanned the smartphone for any potential threats. It also ran tests every time I downloaded an app from the Google Play Store or from GetJar, an independent Android marketplace that I use.

    I downloaded a fake virus called Eicar from the Google Play Store (the app does not harm your device, and is used for testing mobile security apps). As soon as it started downloading, Lookout alerted me that it was a virus, and that it should be removed. There are options to find out more information, as well as an uninstall button.

    Lookout's privacy report feature was extra helpful. It showed which apps were accessing which information—location, contacts and messages, for example. I always skip over the terms of agreement and permissions while downloading an app, but this feature gave me an easy way to see what each app was doing.

    I also like that I could back up my contacts to Lookout's website. One other cool feature of Lookout is Signal Flare.

    The tool automatically records your phone's location when your handset's battery is low. Lookout said it created the feature after learning that about 30% of people were unable to locate their lost or stolen phone because their battery was dead.

    I tried it out on my iPhone 4, and after it went completely dead, I logged onto Lookout's website and found its last location pinned on Google Maps under the Missing Devices tab.

    Avast Free Mobile Security

    Avast Mobile Security offers many of the same features of Lookout—all for free. But it only works with Android devices.

    I thought this mobile app's interface was cleaner and easier to navigate than Lookout's. I scheduled it to run a scan on my apps and SD card every day at midnight. It ran the tests with no problem. I also used the Eicar test on Avast. It displayed a message right away, saying, "Eicar Anti Virus Test has been reported as malware," and it gave me the option to get more information or to uninstall.

    Avast lacks a backup feature like Lookout's, which was disappointing. But the company says it plans to offer this function early next year.

    That said, Avast offers a plethora of tools to keep your data safe if your phone is stolen or lost. You can remotely lock it, trigger a siren or wipe data.

    You can even send a message to display on your screen, such as "If found, please contact this number," or "Get away from my phone, you thief!" All worked well in my tests.

    Some of Avast's features will be overkill for the average consumer. For example, there's a Firewall mode for users who have modified their phone, so hackers can't access their device.

    Continued in article

    Bob Jensen's threads on computer and networking security ---
    http://www.trinity.edu/rjensen/ecommerce.htm


    In the wild west it was easier for bandits to cover their tracks, as it is today in these Tor(rible) times
    "The Hunt for the Wikileaks Whistle-blower:  Digital encoding could catch future informants," by David Talbot, MIT's Technology Review, July 28, 2010 --- http://www.technologyreview.com/web/25892/?nlid=3307

    Attorney General Eric Holder's new probe into Wikileaks's posting of 91,000 war documents will likely find that tracing the path of the documents back through the Internet is next to impossible. But watermarks--if they were embedded in the files--could reveal the whistle-blower.

    Wikileaks relies on a networking technology called Tor, which obscures the source of uploaded data. While Tor doesn't encrypt the underlying data--that's up to the user--it does bounce the data through multiple nodes. At each step, it encrypts the network address. The source of data can be traced to the last node (the so-called "exit node"), but that node won't bear any relationship to the original sender.

    Ethan Zuckerman, cofounder of the blogging advocacy organization Global Voices, says he doubts investigators can crack Tor to find the computer from which the documents were originally sent. "There's been an enormous amount of research done on the security of the Tor network and on the basic security of encryption protocols," he says. "There are theoretical attacks on Tor that have been demonstrated to work in the lab, but no credible field reports of Tor being broken."

    And while Tor's profile has been raised by its association with Wikileaks, Andrew Lewman, Tor's executive director, says he has no insights into the source of the purloined documents. "I don't know how Wikileaks got any of the information," he says. While Wikileaks gets technical help from Tor staffers, "they don't tell us anything, other than 'Did we set up the hidden service correctly?' which we'd answer for anyone," Lewman adds.

    "People assume that Wikileaks is a Tor project, but I can tell you definitely there is no official relationship."

    Lewman points out that many law-enforcement agencies, such as the U.S. Drug Enforcement Agency, also use Tor to protect their operations.

    Jensen Comment
    I wonder if Wikileaks, in the name of peace, would post whistleblower messages that name names of Taliban fighters and informants. Somehow I doubt it since vengeance is the master policy of the Taliban. Wikileaks will probably only pick on combatants that won't send suicide bombers in search of Wikileaks employees.

    Tor also makes it difficult to trace thieves of credit card numbers, social security numbers, child pornography, and malicious rumors.
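The article's description of Tor, data bounced through several nodes with a layer of encryption removed at each step so that the exit node "won't bear any relationship to the original sender", can be shown in miniature. The following is an added illustration, not code from Tor or the article: the relay names, keys and destination are constructed, and the per-hop layer is a SHA-256 keystream that stands in for Tor's real AES-CTR layers and TLS links.

```python
"""Onion routing in miniature: why Tor's exit node cannot name the sender.

Added illustration, not code from Tor or the Technology Review article.  Real
Tor links relays over TLS and builds each layer with AES-CTR under keys agreed
by Diffie-Hellman; here every layer is an XOR with a SHA-256 keystream derived
from a per-relay key, a stand-in that shows the layering and is not a cipher
anyone should deploy.  Relay names, keys and the destination are constructed.
"""
import hashlib


def _keystream(key: bytes, length: int) -> bytes:
    """Expand a relay key into `length` bytes (SHA-256 counter mode, toy only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    """Symmetric layer: the same call adds and removes a layer."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def wrap(next_hop: str, inner: bytes, key: bytes) -> bytes:
    """Add one layer: [len][next_hop][inner], encrypted for one relay."""
    addr = next_hop.encode()
    return _xor(bytes([len(addr)]) + addr + inner, key)


def peel(cell: bytes, key: bytes):
    """What a relay does: remove its layer and learn only the next hop."""
    plain = _xor(cell, key)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def build_onion(path, keys, destination: str, payload: bytes) -> bytes:
    """Client side: wrap from the exit inward so the first relay's layer is outermost."""
    cell = payload
    for i in range(len(path) - 1, -1, -1):
        next_hop = destination if i == len(path) - 1 else path[i + 1]
        cell = wrap(next_hop, cell, keys[i])
    return cell


def route(onion: bytes, path, keys, sender: str = "client"):
    """Simulate the relays.  Each records only the hop before and after it.

    Returns the per-relay observations and the bytes the exit hands to the
    destination: the user's own payload, in the clear unless the user encrypted
    it end to end, which Tor does not do for them.
    """
    observed = []
    prev, cell = sender, onion
    for relay, key in zip(path, keys):
        next_hop, cell = peel(cell, key)
        observed.append({"relay": relay, "from": prev, "to": next_hop})
        prev = relay
    return observed, cell


if __name__ == "__main__":
    path = ["guard", "middle", "exit"]
    keys = [b"key-guard", b"key-middle", b"key-exit"]
    onion = build_onion(path, keys, "upload.example", b"POST /submit document-bytes")
    seen, delivered = route(onion, path, keys)
    for entry in seen:
        print(entry)
    print("exit delivers:", delivered)
```

Only the first relay ever sees the sender's address, and only the exit sees the destination and the payload, which is why the article's watermark angle (marking the documents themselves) is the more promising trail for an investigator than the network path.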


    Google Chrome --- http://en.wikipedia.org/wiki/Google_Chrome

    Google Chrome Browser Blues
    "Google's Chrome OS Cited as Likely Hacker Vehicle:  The HTML 5 technology intended to power Google's forthcoming computer operating system can access a PC online or off, warns security vendor McAfee," by Aaron Ricadela, Business Week, December 29, 2009 ---
    http://www.businessweek.com/technology/content/dec2009/tc20091228_112186.htm?link_position=link2

    Google's computer operating system, due to be released next year, may rank among software most targeted by hackers in 2010, according to a Dec. 29 report from the computer security company McAfee (MFE).

    The Web-based operating system, dubbed Chrome, relies on a technology known as HTML 5 that's designed to help Web applications behave like PC software. Developers use HTML 5 language to ensure that software delivers fast response times and stores information that users can access even when they're not connected to the Internet.

    Yet because sites written with HTML 5 can directly access a user's PC online or off, they may provide a rich target for cyber attacks, McAfee said in its "2010 Threat Predictions."

    The popularity of Google's (GOOG) software, which includes a collaboration program, business applications that compete with Microsoft's Office suite, and other products, makes the company's Web sites alluring to hackers who hope to infect computers with malware that can spread spam or pilfer information, says Dave Marcus, director of security research at McAfee. "When a technology is widely used and adopted, the bad guys will latch onto it before the good guys do," he says. "Developers need to think about how [HTML 5] is going to be abused."

    Continued in article

    Facebook, Twitter to face more sophisticated attacks: McAfee ---
    http://www.physorg.com/news181398696.html


    "Huge computer worm Conficker stirring to life," MIT's Technology Review, April 10, 2009 ---
    http://www.technologyreview.com/wire/22421/?nlid=1940&a=f

    The dreaded Conficker computer worm is stirring. Security experts say the worm's authors appear to be trying to build a big moneymaker, but not a cyber weapon of mass destruction as many people feared.

    As many as 12 million computers have been infected by Conficker. Security firm Trend Micro says some of the machines have been updated over the past few days with fake antivirus software -- the first attempt by Conficker's authors to profit from their massive "botnet."

    Criminals use bogus security software to extort money. Victims are told their computers are infected, and can be fixed only by paying for a clean-up that never happens.

    Conficker gets on computers through a hole Microsoft patched in October. PCs set up for automatic Windows updates should be clean.


    "Conficker Infects More Than 700 Computers at U. of Utah," by Steve Kolowich, Chronicle of Higher Education,  April 13, 2009 --- http://chronicle.com/wiredcampus/index.php?id=3712&utm_source=wc&utm_medium=en

    The latest variant of the Conficker worm—sophisticated computer malware that uses the Internet to invade and extract data from computers running Windows operating systems—infected between 700 and 800 computers at the University of Utah, primarily ones belonging to faculty and staff members in the university’s health-sciences center.

    Officials at the university are saying that computer-security personnel were able to successfully trap and kill the worm by disabling Web connections campuswide before Conficker could begin exporting sensitive data from the infected computers.

    Information-technology staff members noticed Friday morning that their Internet browsers were unusually sluggish, said Phil Sahm, a spokesperson for the health-sciences center. Knowing from recent press reports that the latest variant of Conficker was afoot, they disabled the university’s Web connection and spent the weekend scrubbing infected computers of the worm.

    Stephen H. Hess, chief information officer at the university, said that his staff does not believe any data stored on those computers were compromised—and that there is no doubt that personal medical data stored on the clinic computers is safe because those computers do not run the sort of operating system that Conficker preys on.

    Mr. Hess said the university’s computer-security staff will continue to monitor the computers for the next few weeks to make sure the worm doesn’t reappear. Meanwhile, the university is investigating how Conficker gained entry to its network.

    “I think any time you try to have a collaborative environment when it’s easy for people to get in and out of a group of machines,” he said, “that can be kind of an open door for these kinds of worms.”

    Douglas Pearson, who watches college networks in his role as technical director of the Research and Education Networking Information Sharing and Analysis Center at Indiana University at Bloomington, said in an e-mail interview that he knows of no other widespread Conficker infections at American colleges.

    Jensen Comment (just kidding)
    Could it be that Conficker was initiated by the U.S. Congress to consolidate the health records of every U.S. resident?
    President Obama may have decided to do this on the cheap.

    "Conficker Worm Awakens, Downloads Rogue Anti-virus Software," by Brian Krebs, The Washington Post, April 10, 2009 --- Click Here

    Security experts nervously watching computers infested with the prolific Conficker computer worm say they have begun seeing infected hosts downloading additional software, including a new rogue anti-virus product.

    Since its debut late last year, the collection of hundreds of thousands - if not millions - of systems sick with Conficker has somewhat baffled security researchers, who are accustomed to seeing such massive networks being used for money-making criminal activities, such as relaying junk e-mail.

    Today, however, that mystery evaporated, as anti-virus companies reported seeing Conficker systems being updated with SpywareProtect2009, a so-called "scareware" product that uses fake security alerts to frighten consumers into paying for bogus computer security software.

    According to Kaspersky Labs, once the scareware is downloaded, the victim will see the usual warnings, "which naturally asks if you want to remove the threats it's 'detected'. Of course, this service comes at a price - $49.95." Kaspersky reports that the rogue anti-virus product is being downloaded from a Web server in Ukraine.

    This development adds an interesting wrinkle. The first version of Conficker contained within its genetic makeup instructions telling infected systems to visit a site called TrafficConverter.biz. As I noted last month, this was a site where distributors of rogue anti-virus products would go for the latest programs and links to the latest download locations. Many affiliates were making six-figure paychecks each month distributing this worthless software by various means, all of them extremely sneaky if not downright illegal.

    The Clever Conficker Eye Chart for Detection of Conficker Infestations
    April 14, 2009 reply from Scott Bonacker [lister@BONACKERS.COM]

    http://tech.yahoo.com/blogs/null/138448/conficker-eye-chart-how-it-works/ 

    "Many readers have been wondering what the easiest way is to determine whether their computer has been infected with the Conficker worm. Previously I've pointed them to this Conficker Eye Chart -- and that recommendation still holds -- but now I want to respond to further questions about how it works.

    First, some have looked at the spartan Eye Chart and have worried that it might be, at best, a sham designed to lull you into a false sense of security and, at worst, yet another delivery mechanism for the Conficker worm. It is neither. The Conficker Eye Chart is in reality a very clever way to determine if your computer is compromised, and it doesn't require you to do anything but click one link.

    Here's how it works, in brief: Visit the web page linked above and you'll see six images: The three on top are for security software websites, and the three on the bottom are the logos of various open source operating system distributions. The clever part of all this is that the logos aren't actually being served from the web page linked above, but are rather drawn directly from the six different websites to which each logo belongs."

    The rest of the article is available on the site.

    Scott Bonacker CPA
    Springfield, MO
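The chart's trick, as the excerpt describes it, is that the six logos are fetched straight from their owners' sites rather than from the chart page. The checker below is an added example, not the chart's own code: it reproduces that inference, assuming (a documented behaviour of the worm that the excerpt only hints at) that Conficker blocks the infected host's access to security-vendor domains, so the telling pattern is "vendor logos missing, OS-project logos present". The image URLs are placeholders, not the chart's real ones.

```python
"""The Conficker Eye Chart's inference, reproduced as a small checker.

Added example, not the chart's own code.  The chart shows six logos fetched
straight from their owners' sites: three from security vendors, three from
open-source OS projects.  Conficker blocks the infected host's access to a list
of security-vendor domains, so the telling pattern is 'vendor logos missing,
OS logos present'.  The URLs below are placeholders, not the chart's real ones.
"""
import urllib.request
from urllib.error import URLError

# Placeholder image URLs standing in for the chart's six sources.
VENDOR_IMAGES = (
    "http://security-vendor-a.example/logo.png",
    "http://security-vendor-b.example/logo.png",
    "http://security-vendor-c.example/logo.png",
)
OS_IMAGES = (
    "http://os-project-a.example/logo.png",
    "http://os-project-b.example/logo.png",
    "http://os-project-c.example/logo.png",
)


def fetch_ok(url: str, timeout: float = 5.0) -> bool:
    """True if the image loads; a resolver or connection failure counts as blocked."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except (URLError, OSError, ValueError):
        return False


def classify(results: dict) -> str:
    """Turn the six load results into the chart's verdict."""
    vendor_ok = [results[u] for u in VENDOR_IMAGES]
    os_ok = [results[u] for u in OS_IMAGES]
    if all(vendor_ok) and all(os_ok):
        return "normal: all six logos loaded"
    if not any(vendor_ok) and all(os_ok):
        return "likely infected: security-vendor sites blocked, others reachable"
    if not any(vendor_ok) and not any(os_ok):
        return "inconclusive: nothing loaded (offline, or a proxy strips images)"
    return "inconclusive: mixed results, retry before drawing a conclusion"


def run_check(fetch=fetch_ok) -> str:
    """Fetch all six and classify; `fetch` can be swapped for an offline stub."""
    results = {u: fetch(u) for u in VENDOR_IMAGES + OS_IMAGES}
    return classify(results)


if __name__ == "__main__":
    print(run_check())
```

The two "inconclusive" branches matter in practice: a web proxy or ad blocker that strips images produces the same blank squares as an infection, so a blank chart is a reason to run a real scanner, not a diagnosis by itself.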



    Questions
    What are some of the pop-up advertisements to avoid at all times?
    What did Bob Jensen find out the hard way? Legitimate adware-removal programs often fail to permanently delete an adware Trojan!

    "How to Stop Operating-System Attacks:  Ads for DriveCleaner, WinFixer, Antivirus XP, Antivirus 2009 and others pop up on PCs all the time, but the software may be fraudulent or ineffective. Also: Mac users need security updates, too," by Andrew Brandt, PC World via The Washington Post, January 29, 2009 --- http://www.washingtonpost.com/wp-dyn/content/article/2009/01/27/AR2009012701528.html?wpisrc=newsletter&wpisrc=newsletter

    A legitimate malware remover--one that independent testing has objectively demonstrated to be effective--should be able to deal with the immediate problem of an adware program that won't let you remove it. Check your security software to see if it will do the trick. But the real fix may be concerted government action: Late last year the Federal Trade Commission asked a federal court to stop some perpetrators of this type of scam. It may be that prison terms or massive fines are the only useful deterrents.

    Bob Jensen's threads on computer and networking security are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection


    From the Scout Report on October 5, 2007

    Avast Home Edition 4.7.103 --- http://www.avast.com/eng/programs.html 

    It's important to stay on top of all those harmful viruses, Trojan horses, and other pests that threaten computers these days. The Home Edition of the Avast application can help concerned parties do just that. This edition contains multiple shields that will look over downloaded files, instant messages, emails, and a host of peer-to-peer networks. This version is compatible with computers running Windows 95 and newer.


    Beware of Security Patch Email Messages Purportedly from Microsoft

    "Virus Alert: Beware fake Microsoft patch e-mails," AccountingWeb, October 12, 2007 --- http://www.accountingweb.com/cgi-bin/item.cgi?id=104068

    Microsoft Security alerts are such a part of computing life that virus writers have now created spoof security alert e-mails to trick users into activating a trojan horse program.

    Symantec's security response blog recently reported on the appearance of fake Microsoft Security Bulletins that either carried the Trojan.Dropper virus as an attachment, or included infected links in the e-mail.

    The blog posting includes an example message purporting to be MS06-602, a cumulative security update for Internet Explorer. It's a plausible sounding message and an extremely clever piece of what security experts call "social engineering" to trick people into activating the malicious code - but no such bulletin exists.

    "We urge users to refrain from opening files or clicking links in e-mails from unknown sources," writes blog contributor Vikram Thakur.

    "We recommend all users to always keep their computers up-to-date on latest patch levels for all software installed. In doing so, it's important that users always download these patches from the original software vendor sites, by visiting the sites themselves rather than following links in e-mails or other third-party Web pages."

     


    Question
    Where are the next frontiers of installing malicious viruses on your computer?
    What video sites are the most likely places to catch these bad viruses?

     

    Answer
    Since email users have become more cautious about opening email, the next frontiers are bound to be popular downloads outside of email. These include videos and wikis. The most likely places to catch these viruses are porn sites, particularly the many porn sites run out of Russia and former Eastern Bloc countries. But there are many other dangerous porn sites as well.

     

     

    "Online video players could become new vehicle for malicious code," MIT's Technology Review, October 2, 2007 --- http://www.technologyreview.com/Wire/19469/?nlid=578

     

    Online videos aren't just for bloopers and rants -- some might also be conduits for malicious code that can infect your computer.

    As anti-spam technology improves, hackers are finding new vehicles to deliver their malicious code. And some could be embedded in online video players, according to a report on Internet threats released Tuesday by the Georgia Tech Information Security Center as it holds its annual summit.

    The summit is gathering more than 300 scholars and security experts to discuss emerging threats for 2008 -- and their countermeasures.

    Among their biggest foes are the ever-changing vehicles that hackers use to deliver ''malware,'' which can silently install viruses, probe for confidential info or even hijack a computer.

    ''Just as we see an evolution in messaging, we also see an evolution in threats,'' said Chris Rouland, the chief technology officer for IBM Corp.'s Internet Security Systems unit and a member of the group that helped draft the report. ''As companies have gotten better blocking e-mails, we see people move to more creative techniques.''

    With computer users getting wiser to e-mail scams, malicious hackers are looking for sneakier ways to spread the codes. Over the past few years, hackers have moved from sending their spam in text-based messages to more devious means, embedding them in images or disguised as Portable Document Format, or PDF, files.

    ''The next logical step seems to be the media players,'' Rouland said.

    There have only been a few cases of video-related hacking so far.

    One worm discovered in November 2006 launches a corrupt Web site without prompting after a user opens a media file in a player. Another program silently installs spyware when a video file is opened. Attackers have also tried to spread fake video links via postings on YouTube.

    That reflects the lowered guard many computer users would have on such popular forums.

    ''People are accustomed to not clicking on messages from banks, but they all want to see videos from YouTube,'' Rouland said.

    Another soft spot involves social networking sites, blogs and wikis. These community-focused sites, which are driving the next generation of Web applications, are also becoming one of the juiciest targets for malicious hackers.

    Computers surfing the sites silently communicate with a Web application in the background, but hackers sometimes secretly embed malicious code when they edit the open sites, and a Web browser will unknowingly execute the code. These chinks in the armor could let hackers steal private data, hijack Web transactions or spy on users.

    Tuesday's forum gathers experts from around the globe to ''try to get ahead of emerging threats rather than having to chase them,'' said Mustaque Ahamad, director of the Georgia Tech center.

    They are expected to discuss new countermeasures, including tighter validation standards and programs that analyze malicious code. Ahamad also hopes the summit will be a launching pad of sorts for an informal network of security-minded programmers.

    "Online Videos May Be Conduits for Viruses," by Greg Bluestein, The Washington Post, October 2, 2007 --- Click Here


    Storm Worm:  The Perfect Email Storm

    "The Worm That Roared," by Lev Grossman, Time Magazine, September 27, 2007 --- http://www.time.com/time/magazine/article/0,9171,1666279,00.html

     

    During the week of Jan. 15, an innocuous-looking e-mail appeared in thousands of inboxes around the world. Its subject line read, "230 dead as storm batters Europe." The e-mail came with a file attached, bearing a plausible-sounding name like Full Story.exe or Read More.exe. Plenty of people clicked on it. After all, storms really were battering Europe at the time; that week high winds and rain had killed 14 in the U.K. alone. But all great cons have a grain of truth in them somewhere.

     

    The file that arrived with the e-mail was, of course, a computer virus, immediately christened the Storm Worm by the Finnish computer security firm F-Secure, which was among the first to spot it. Since then, the Storm Worm has proved remarkably hard to kill. Nine months later, it's still out there, infecting something like a million computers worldwide. It's not the most damaging virus in history, but it may be the most sophisticated. Whoever created it is to viruses what Michelangelo was to ceilings.

    The Storm Worm is a marvel of social engineering. Its subject line changes constantly. Whoever produced it--and its many later variants--has a lively feel for the seductive come-on and a thorough grounding in human nature. It preys on shock ("Saddam Hussein Alive!") and outrage ("A killer at 11, he's free at 21 and ...") and prurience ("Naked teens attack home director") and romance ("You Asked Me Why"). It mutates at a ferocious rate, constantly changing its size and tactics to evade virus filters, and finds evolving ways to exploit other online media like blogs and bulletin boards. Newer versions might contain, instead of a file, a single link to a fake YouTube page, which crashes your browser while quietly slipping the virus into your computer. "I've heard people talk about this like virus 2.0, just like people talk about Web 2.0, because it's so different from the traditional attacks," says Mikko Hypponen, chief research officer of F-Secure. "It's probably the largest collection of infected machines we've ever seen."

    Like any good parasite, the Storm Worm doesn't kill its host. In fact, most of the victims--some of whom are undoubtedly reading this article--will never know their machines are infected. It doesn't cripple your computer (and can be removed once identified), but the Storm Worm does give its authors the power to quietly control your computer. What do they do with this power? Mostly they send out spam. Back in the day, computer viruses were a relatively innocent affair, written as pranks by teenagers with too much time on their hands between Star Wars sequels. Now they're written by organized criminals looking to make money from fake offers.

    Nobody knows who's behind the Storm Worm. F-Secure suspects a group based in Russia, but there's no way to be sure, and recent Storm Worm subject lines referring to Labor Day and the start of the football season suggest that those involved have an American connection. What is certain is that they are very smart--prodigious innovators engaged in a cat-and-mouse game with security firms that so far they're winning. "I don't think these guys have day jobs," says Hypponen. "They're really active and really closely watching us. I don't see them stopping anytime soon."

    It's also clear that they've been pulling their punches. Right now the Storm Worm gang controls a massive amount of computing power, as much as some of the world's largest supercomputers, and all they do with it is send out spam and conduct the occasional denial-of-service attack (bombarding a specific server with traffic until it shuts down). We're lucky: so far they haven't gone in for more lucrative, damaging activities like online gambling, stock scams and stealing passwords and credit-card information. Is it possible that even a worm can have a conscience?

    Bob Jensen's best advice at this point in time --- Buy a Mac!


    PDF Now Means Pretty Darn Fearful
    Computer security researchers said Wednesday they have discovered a vulnerability in Adobe Systems Inc.'s ubiquitous Acrobat Reader software that allows cyber-intruders to attack personal computers through trusted Web links. Virtually any Web site hosting Portable Document Format, or PDF, files is vulnerable to attack, according to researchers from Symantec Corp. and VeriSign Inc.'s iDefense Intelligence. The attacks could range from stealing cookies that track a user's Web browsing history to the creation of harmful worms, the researchers said. The flaw, first revealed at a hacker conference in Germany over the holidays, exists in a plug-in that enables Acrobat users to view PDF files within Web browsers. By manipulating the Web links to those documents, hackers and online thieves are able to commandeer the Acrobat software and run malicious code when users attempt to open the files, according to Ken Dunham, director of the rapid response team at VeriSign's iDefense Intelligence.
    "Researchers: Adobe's PDF Software Flawed," PhysOrg, January 4, 2007 --- http://physorg.com/news87093505.html


    The never-ending cycle of Microsoft versus Scammer "Update Patches"

    "Microsoft releases new security patch, as do scammers," AccountingWeb, June 14, 2007 --- http://www.accountingweb.com/cgi-bin/item.cgi?id=103622

    Microsoft's update was the June entry in the company's regular monthly set of security patches. This month, the patches include repairs that protect Windows users who visit web sites infected with malicious code and users who open infected e-mail messages with Outlook Express or Windows Mail. There are also repairs to the Windows Vista program that was launched earlier this year, and a patch that prevents hackers from accessing PCs.

    If your computer is set to install updates automatically, you might not have even noticed the update taking place this week. If you aren't set up for automatic updates, Microsoft recommends you heed the update reminder that appears on your screen, or go to the Microsoft update website to check to see if your computer has been updated and to download updates.

    What you should not do is click on the "Download this update" link that appears in an e-mail message entitled "Cumulative Security Update for Internet Explorer." This e-mail message is being sent by scammers or hackers who are hoping you will click the link so they can install malicious software on your computer. The software, when installed, calls out to the Internet to access other programs that are then installed on your computer.

    Continued in article
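    The two AccountingWeb items above (October and June 2007) both come down to the same advice: a patch notice that carries an attachment, links somewhere other than the vendor's own site, or cites a bulletin number that does not exist is a scam. The following is an added example, not code from AccountingWeb, Symantec or Microsoft, showing how a mail gateway or a cautious user could apply those three checks automatically. It assumes that a genuine Microsoft notice only ever links to microsoft.com or a subdomain of it (an allowlist you would tune for your own environment), and it treats bulletin sequence numbers above 150 as implausible, which is a heuristic of this example and not a documented Microsoft rule. Both sample messages are constructed here; every address and link in them is made up, apart from the fake "MS06-602" identifier quoted in the article above.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumption for this example: a genuine Microsoft patch notice links only to
# microsoft.com or one of its real subdomains. Adjust for your own environment.
TRUSTED_DOMAINS = ("microsoft.com",)
# Microsoft does not ship patches as e-mail attachments, so any of these is a red flag.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".zip")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
BULLETIN_RE = re.compile(r"\bMS(\d{2})-(\d{3})\b")
# Heuristic assumption of this example: real bulletin sequence numbers stay well
# under 150 in any year, so the fake "MS06-602" fails this check.
MAX_PLAUSIBLE_SEQ = 150


def host_is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it.
    'update.microsoft.com.example.net' and 'microsoft-update.com' both fail."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage_patch_mail(raw):
    """Return a list of (reason, detail) findings for an e-mail that claims to be a
    Microsoft security bulletin. An empty list means none of the three checks fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Executable (or archived) attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXT):
            findings.append(("executable-attachment", name))

    # 2. Links that do not point at the vendor's own domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in sorted(set(URL_RE.findall(text))):
        if not host_is_trusted(urlparse(url).hostname):
            findings.append(("untrusted-link", url))

    # 3. Bulletin identifiers that cannot be real.
    haystack = (msg["Subject"] or "") + " " + text
    for year, seq in BULLETIN_RE.findall(haystack):
        if int(seq) > MAX_PLAUSIBLE_SEQ:
            findings.append(("implausible-bulletin", f"MS{year}-{seq}"))
    return findings


def build_sample_phish():
    """Constructed sample modelled on the fake 'Cumulative Security Update' mails
    described above; the sender, recipient, link and attachment are all made up."""
    m = EmailMessage()
    m["From"] = "Microsoft Security <bulletin@microsoft.com>"  # forged
    m["To"] = "user@example.com"
    m["Subject"] = "Cumulative Security Update for Internet Explorer (MS06-602)"
    m.set_content("Download this update: http://update.microsoft.com.example.net/ie/fix\n")
    m.add_alternative(
        '<p><a href="http://update.microsoft.com.example.net/ie/fix">Download this update</a></p>',
        subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="IE-Update.exe")
    return m.as_string()


def build_sample_legit():
    """Constructed sample of a notice that passes all three checks: plain text,
    a vendor-domain link, no attachment. Still, visit the vendor site yourself."""
    m = EmailMessage()
    m["From"] = "Microsoft Security <bulletin@microsoft.com>"
    m["To"] = "user@example.com"
    m["Subject"] = "Microsoft Security Bulletin MS07-033 - Critical"
    m.set_content("Details: http://www.microsoft.com/technet/security/bulletin/ms07-033.mspx\n")
    return m.as_string()


if __name__ == "__main__":
    for label, raw in (("phish", build_sample_phish()), ("legit", build_sample_legit())):
        print(label, triage_patch_mail(raw))
```

    Note that the domain check is deliberately strict about suffixes: a host that merely contains "microsoft.com" somewhere in its name is not trusted, only the domain itself or a label ending in ".microsoft.com". The checks are screening heuristics, not proof of legitimacy; a message that passes all three should still be acted on only by visiting the vendor site directly, exactly as the Symantec advice above says.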


    Leading Anti-Virus, Anti-Spyware, and Anti-Spam Alternatives
    I trust Consumer Reports rankings more than virtually all other ranking sources, mainly because Consumer Reports accepts no advertising and has no other ties to the vendors of the products rated in its labs.

    The Consumer Reports home page is at http://www.consumerreports.org/cro/index.htm  

     

    Consumer Reports Rankings of AntiSpam Software
    September 2006, Page 29
    E-MAIL ANTISPAM SOFTWARE (used in conjunction with e-mail programs)

    Rank 1 Microsoft Outlook http://www.microsoft.com/athome/security/email/fightspam.mspx

    Rank 2 Apple Mac OS X Mail http://www.apple.com/macosx/features/mail/ 

     

    ADD-ONS TO E-MAIL PROGRAMS (can filter spam without additional software)

    Rank 3 Trend Micro Anti-Spam Pilot Click Here

    Rank 4 Allume Systems Click Here

    Rank 5 Cloudmark Desktop http://www.cloudmark.com/desktop/

    Rank 6 Trend Micro Anti-Spam Pilot Click Here   

    Rank 7 PC Tools Spam Monitor http://www.pctools.com/

    Rank 8-13 given on Page 29

     

    Consumer Reports Rankings of Antivirus Software
    September 2006, Page 27

    Rank 1 BitDefender http://www.bitdefender.com/solutions/internet-security.html

    Rank 2 Zone Labs Zone Alarm Anti-Virus http://www.zonelabs.com/store/content/home.jsp  

    Rank 3 Kaspersky Anti-Virus Personal --- http://www.kaspersky.com/ 

    Rank 4 Norton AntiVirus http://www.symantec.com/avcenter/ 

    Rank 5 Norton AntiVirus for Macintosh http://www.symantec.com/avcenter/ 

    Rank 6 McAfee VirusScan http://www.mcafee.com/us/

    Rank 7 Trend Micro PC-cillin http://www.trendmicro.com/en/home/us/enterprise.htm 

    Ranks 8-12 given on Page 27
     

     

    Consumer Reports Rankings of AntiSpyware Software
    September 2006, Page 28
    Rank 1 F-Secure Anti-Spyware http://www.f-secure.com/

    Rank 2 Webroot Spy Sweeper http://www.webroot.com/wb/products/spysweeper/index.php?rc=266&ac=417 

    Rank 3 PC Tools Spyware http://www.pctools.com/

    Rank 4 Trend Micro Anti-Spyware Click Here

    Rank 5 Lavasoft Ad-aware http://www.lavasoftusa.com/software/adaware/

    Rank 6 Spybot-Search & Destroy http://www.safer-networking.org/en/index.html 

    Rank 7 Zone Labs Zone Alarm Anti-Spyware http://www.zonelabs.com/store/content/home.jsp  

    Ranks 8-12 Given on Page 28


    "Kevin Mitnick's Security Advice," Wired News, November 15, 2006 ---
    http://www.wired.com/news/technology/0,72116-0.html?tw=wn_index_2

     

    Ex-hacker Kevin Mitnick came by his security expertise the hard way. In the 1990s, his electronic penetration of some of the biggest companies in the world made him a notorious tech boogieman, and ultimately landed him five years in prison.

    Here's my Top 10 list of steps you should take to protect your information and your computing resources from the bad boys and girls of cyberspace.

    Hackers are becoming more sophisticated in conjuring up new ways to hijack your system by exploiting technical vulnerabilities or human nature. Don't become the next victim of unscrupulous cyberspace intruders.


    "Finding Free Antivirus Software," Walter S. Mossberg, The Wall Street Journal, August 3, 2006; Page B4 --- http://online.wsj.com/article/mossberg_mailbox.html

    Q: My computer is a virus-infected mess. I sometimes have to close over 20 pop-ups just to access the PC. Taking your advice, I tried to download the "free" AVG Anti-Virus, but there is nothing free about it. They ask for your credit-card info. What am I missing?

    A: The company that makes AVG, Grisoft, offers both paid and free versions of the product. The free version must be downloaded from a separate Web site, free.grisoft.com. Most of the first few results in a Google search for "AVG" or "AVG anti-virus" point to this free version. Also, the free version is prominently featured at Download.com, the big site for downloading software that is owned by CNET.

    Q: Last week, you advised readers never to trust any email from a financial institution because online criminals have gotten so good at faking such emails. Does that include emails from institutions where you have accounts, such as receipts for transactions at brokerages?

    A: Yes and no. If you get an unexpected email from a bank, or brokerage, or payment service like PayPal, where you do have an account, I'd still advise ignoring it and never clicking on any link it contains. This is even true if the email suggests some problem with your account or advises that you need to log onto a web site to "verify" your account information. Such emails are very often just attempts to steal your passwords and account numbers. To double-check on such an email, phone the bank or brokerage, or manually call up its Web site.

    However, if you have just bought or sold a stock, or performed an online banking action, and you get an email confirming the transaction, it could well be legitimate -- provided it contains enough detail of a type criminals might find hard to replicate, and it arrives very quickly after the transaction was completed. I still wouldn't click on any links in such an email, however. Remember, most financial institutions don't have to ask you to supply account information they already have.

    It's really too bad that people have to look on such emails with such suspicion. Email could be a great tool for communications between banks and their customers. But, despite some strides, the technology and financial industries have so far failed to find a way to make email truly trustworthy and secure. And law-enforcement agencies have failed to stop the thefts of money and identities. So far, the crooks are winning in this arena. So you have to be extra careful.

     


    Spyware Update:  What you need to know

     

    How to Protect Yourself Against Online Spying ---
    http://getitdone.quickanddirtytips.com/how-to-protect-yourself-against-online-spying.aspx

    Question
    What are some of the pop-up advertisements to avoid at all times?
    What Bob Jensen found out the hard way: legitimate anti-adware programs often fail to permanently delete an adware Trojan!

    "How to Stop Operating-System Attacks: Ads for DriveCleaner, WinFixer, Antivirus XP, Antivirus 2009 and others pop up on PCs all the time, but the software may be fraudulent or ineffective. Also: Mac users need security updates, too," by Andrew Brandt, PC World via The Washington Post, January 29, 2009 --- http://www.washingtonpost.com/wp-dyn/content/article/2009/01/27/AR2009012701528.html?wpisrc=newsletter&wpisrc=newsletter

    A legitimate malware remover--one that independent testing has objectively demonstrated to be effective--should be able to deal with the immediate problem of an adware program that won't let you remove it. Check your security software to see if it will do the trick. But the real fix may be concerted government action: Late last year the Federal Trade Commission asked a federal court to stop some perpetrators of this type of scam. It may be that prison terms or massive fines are the only useful deterrents.

    Bob Jensen's threads on computer and networking security are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection


    Huge effort underway to end spyware
    Major figures at Sun and Google -- including Vinton Cerf, one of the inventors of the Internet and now Google's Chief Internet Evangelist -- are backing a new academic anti-malware initiative that aims to spotlight spyware purveyors and ultimately give besieged computer owners simple technologies to guide their Web surfing and downloading decisions.
    David Talbot, "Google, Sun Backing New Anti-Malware Effort: Harvard, Oxford researchers aim to create Internet defensive strategies geared to consumers," MIT's Technology Review, January 25, 2006 --- http://www.technologyreview.com/InfoTech/wtr_16184,300,p1.html



     

    Also check on SUPERAntiSpyware Free Edition 3.2.1028 --- http://www.superantispyware.com/

    Is a visited Web site authentic and safe?
    CallingID 1.5.0.70 http://www.callingid.com/Default.aspx



    Question
    What are two of the shocking developments in spyware and spam?

    July 14, 2006 message from Richard Campbell [campbell@RIO.EDU]

    This is from a newsletter from sunbelt software - developers of Counterspy, a spyware detection software.

    CSN: What do you see as the latest trends in spam?

    AM: I see four main trends. The first is that most spam now comes from zombie machines so even if you are able to track the spam back to the machine that sent it, there is nothing you can do about it as the person that owns the machine most likely doesn't even know that his machine is being used as a zombie and even if he did, he wouldn't know what to do about it. This zombie phenomenon also leads to individualized spam as the zombie code can access the address book and send legitimate looking email to the zombie machine owner's friends.

    The second trend I see is the increase in the amount of image spam. That is spam that contains an image instead of text. The spammer's message is contained in the image as a graphic image instead of text so that there is no practical way to try and detect spam by looking at the contents of the email. It's easy for the human eye to look at the picture and read the text that it contains but it is very difficult for a computer to do the same thing. Since it is so easy to change a bit or two in the image, it is not easy to come up with a hashing algorithm (a way to create a "signature" that can be used to determine if another image is the same as the original one). There is a lot of work being done to try to come up with ways of comparing images to see how "similar" they are but nobody has come up with a workable solution so far. Currently, I'd guess the amount of image spam is around 5% - 10% of the total amount of spam. I expect to see this increase to 20% - 30% in the next year or two.

    The third trend is the scariest and that is phishing. I monitor the spam reported by our users so I get to see a pretty good cross section and it scares me to see how good the phishing sites are. They are so good that you have to be pretty savvy to detect some of them. I feel sorry for all the non-computer types out there that will fall victim to these. I have seen a dramatic rise in the amount of phish email in the past 6 months and expect to see that increase continue because there is so much money to be made with very little effort or risk.

    The fourth trend is "returned email." I have noticed a marked increase but I haven't had time to investigate. I suspect that the bulk of it is spam/malware, especially those that have attachments. It is particularly nasty because an attachment on a returned email doesn't seem out of the norm. In fact, you kind of expect to see your original email attached. Some of the undelivered email that I've looked at with attachments doesn't have the original email there. Instead it contains spam or a link to a malware site. You have to be real careful and make sure that the "bounce" (rejected email) is actually something that you sent. Many times it is the result of a rootkit having taken over your machine, turning it into a zombie. If you see email bounced that you never sent, it is very likely that your machine is infected.

    CSN: What about image spam, what is it, and why so dangerous or such a pain to get rid of?

    AM: The primary use for image spam is to advertise penny stocks. Most of this type of spam is part of a 'pump-n-dump' scheme where the spammer buys a lot of a particular stock and then starts promoting it via spam that describes what a great buy the stock is or giving the impression that the company is on the verge of some major expansion or discovery in order to get gullible investors to buy the stock. Once the price goes up, and it can go up as much as 500%, the spammer sells his shares and makes a huge profit. Since there was no real reason for the stock to increase, it usually falls back to its original level or lower. Most of the time, the company whose stock is being hyped is not involved in the spamming so they end up being a victim of the spammer as well as there is very little that they can do to keep their stock from being manipulated.

    Image spam is only useful in situations where the user doesn't have to communicate with the spammer. With normal spam, there is a phone number to call or a button to click to order pills or whatever the spammer is hawking but with image spam, there is no information that links the email to the spammer as the typical stock ad mentions the company but not the spammer. This is what makes it so different from the run of the mill spam.

    I'm sure that it won't be too long before some creative spammer comes up with another type of situation where one way communication can be used to somehow flow money to them.

    Richard J. Campbell
    mailto:campbell@rio.edu
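    The interview above makes the point that a spammer only has to change "a bit or two" in an image to defeat an exact-match signature, and that what filters need instead is a way to compare images for similarity. The following is an added example, not code from Sunbelt Software or from Richard Campbell's message, demonstrating that contrast with the simplest of the perceptual hashes, the 8x8 "average hash" (aHash). The "images" are constructed here as nested lists of gray levels so the code runs with no imaging library; the matching threshold of 10 bits is an assumption chosen for this example, not a value from the newsletter.

```python
import hashlib
import random


def make_image(width=64, height=64):
    """Constructed sample 'image': light background with a checkerboard of dark
    6-pixel squares in the middle, standing in for text rendered as a graphic."""
    img = [[235] * width for _ in range(height)]
    for y in range(16, 48):
        for x in range(8, 56):
            if (x // 6 + y // 6) % 2 == 0:
                img[y][x] = 30
    return img


def make_other_image(width=64, height=64):
    """A second constructed image with a clearly different layout (top half dark)."""
    return [[30 if y < height // 2 else 235] * width for y in range(height)]


def average_hash(img, size=8):
    """aHash: shrink the image to size x size by block averaging, then emit one bit
    per cell (1 = brighter than the mean of all cells). Nudging a few pixels cannot
    move a cell across the mean, so the 64-bit hash stays the same."""
    h, w = len(img), len(img[0])
    bh, bw = h // size, w // size
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [img[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | (1 if c > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes: 0 = identical, 64 = opposite."""
    return bin(a ^ b).count("1")


def sha256_of(img):
    """Exact-match hash of the raw pixel bytes, the kind a bit flip defeats."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def perturb(img, n=5, seed=7):
    """Simulate the spammer's trick: nudge n random pixels by one gray level."""
    rnd = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(n):
        y, x = rnd.randrange(len(out)), rnd.randrange(len(out[0]))
        out[y][x] = (out[y][x] + 1) % 256
    return out


def is_known_spam_image(img, known_hashes, threshold=10):
    """Match an image against aHashes of previously reported spam images."""
    h = average_hash(img)
    return any(hamming(h, k) <= threshold for k in known_hashes)


if __name__ == "__main__":
    original = make_image()
    variant = perturb(original)
    print("sha256 equal:", sha256_of(original) == sha256_of(variant))
    print("aHash distance to variant:",
          hamming(average_hash(original), average_hash(variant)))
    print("aHash distance to unrelated image:",
          hamming(average_hash(original), average_hash(make_other_image())))
```

    Run stand-alone, the script shows the SHA-256 of the two images differing while their aHashes are identical, and a distance of about half the 64 bits to the unrelated image. aHash is the weakest member of the family: a spammer who crops, rescales or re-tints the picture will move more cells across the mean, which is why production filters of the period moved on to gradient (dHash) and DCT-based (pHash) variants and combined them with OCR and sender reputation.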


    "Everyone Wants to 'Own' Your PC," by Bruce Schneier, Wired News, May 4, 2006 --- http://www.wired.com/news/columns/0,70802-0.html?tw=wn_index_4

    You own your computer, of course. You bought it. You paid for it. But how much control do you really have over what happens on your machine? Technically you might have bought the hardware and software, but you have less control over what it's doing behind the scenes.

    Using the hacker sense of the term, your computer is "owned" by other people. 

    It used to be that only malicious hackers were trying to own your computers. Whether through worms, viruses, Trojans or other means, they would try to install some kind of remote-control program onto your system. Then they'd use your computers to sniff passwords, make fraudulent bank transactions, send spam, initiate phishing attacks and so on. Estimates are that somewhere between hundreds of thousands and millions of computers are members of remotely controlled "bot" networks. Owned.

    Now, things are not so simple. There are all sorts of interests vying for control of your computer. There are media companies that want to control what you can do with the music and videos they sell you. There are companies that use software as a conduit to collect marketing information, deliver advertising or do whatever it is their real owners require. And there are software companies that are trying to make money by pleasing not only their customers, but other companies they ally themselves with. All these companies want to own your computer.

    Some examples:

    • Entertainment software: In October 2005, it emerged that Sony had distributed a rootkit with several music CDs -- the same kind of software that crackers use to own people's computers. This rootkit secretly installed itself when the music CD was played on a computer. Its purpose was to prevent people from doing things with the music that Sony didn't approve of: It was a DRM system. If the exact same piece of software had been installed secretly by a hacker, this would have been an illegal act. But Sony believed that it had legitimate reasons for wanting to own its customers’ machines.

       

    • Antivirus: You might have expected your antivirus software to detect Sony's rootkit. After all, that's why you bought it. But initially, the security programs sold by Symantec and others did not detect it, because Sony had asked them not to. You might have thought that the software you bought was working for you, but you would have been wrong.

       

    • Internet services: Hotmail allows you to blacklist certain e-mail addresses, so that mail from them automatically goes into your spam trap. Have you ever tried blocking all that incessant marketing e-mail from Microsoft? You can't.

       

    • Application software: Internet Explorer users might have expected the program to incorporate easy-to-use cookie handling and pop-up blockers. After all, other browsers do, and users have found them useful in defending against internet annoyances. But Microsoft isn't just selling software to you; it sells internet advertising as well. It isn't in the company's best interest to offer users features that would adversely affect its business partners.

    "The big point is that IE's been losing market share to Mozilla's Firefox," and now Microsoft is trying to catch up and regain user loyalty from people who have embraced Firefox's simple and more secure format, said Gene Munster, an analyst with Piper Jaffray.

    "Microsoft Tries for Safer Surfing Internet Explorer Revised in Response to Security Concerns, Loss of Users," by Yuki Noguchi, The Washington Post, April 26, 2006 --- Click Here

    Internet users were given a peek yesterday at a revamped version of Microsoft Corp.'s Internet Explorer, a response to criticism that the most popular tool for Web surfing and hacking made users vulnerable to the Internet's dangers and caused them to defect to alternative browsers.

    Earlier versions of Internet Explorer, which comes standard on most Windows computers, are still how most users access and view Web pages. But being the leader in the browser game, with almost 85 percent market share, means that it's also the most vulnerable to malicious programs such as viruses, worms and phishing scams.

    That, along with the limited features built into earlier versions of the Internet Explorer browser, or IE, has sent a growing number of users to alternative browsers.

    The Redmond, Wash., company designed Internet Explorer 7, a test version available for download from its Web site, with tighter security protection and more advanced tools to give the user greater control in navigating the Web, said Dean Hachamovitch, general manager of Internet Explorer.

    "Overall, for IE7, the principles we used were safer, easier and more powerful," Hachamovitch said.

    But Microsoft's real motivation is to try to stem the defections to smaller providers, analysts said.

    "The big point is that IE's been losing market share to Mozilla's Firefox," and now Microsoft is trying to catch up and regain user loyalty from people who have embraced Firefox's simple and more secure format, said Gene Munster, an analyst with Piper Jaffray.

    "Perception of security is of the highest level" of concern for Microsoft, Munster said. With its new operating system, called Vista, slated for release early next year, Microsoft is trying to offer security reassurances to its customers.

    A year ago, Internet Explorer commanded 88.6 percent of the market and Firefox had a mere 6.7 percent, according to Web statistician Net Applications. Last month, Microsoft's share was down to 84.7 percent and Firefox had jumped beyond 10 percent.

    Firefox's increasing popularity was partially driven by Microsoft's worsening reputation for security, said Bruce Schneier, chief technical officer at Counterpane Internet Security Inc., a computer security firm.

    "IE was the big target; if you're a virus writer, you chose the big target," he said.

    The company has improved its ability to write secure code, he said, but it's unclear if the latest tools will address other dangers on the Internet, which require users to be more savvy.

    For example, the new version of Internet Explorer will provide color-coded warnings when a user tries to access a Web site that is suspicious or known as fraudulent. But users already encounter -- and ignore -- many Internet warnings because they're hard for beginners to understand, Schneier said.

    Internet Explorer's other new features include the abilities to automatically open several frequently used Web sites at once and print Web pages so the content doesn't get cut off on the right side. The new browser also allows users to tailor search functions, aggregating searches from various sources. It can also magnify pages so fonts are larger and easier to read.

    A final version of the browser is expected to be released later this year.

    Jensen Comment
    The Beta version can be downloaded from http://www.microsoft.com/windows/ie/downloads/default.mspx

    Also note Windows Defender is now available in Beta from Microsoft --- Click Here

    Windows Defender (Beta 2) is a free program that helps you stay productive by protecting your computer against pop-ups, slow performance and security threats caused by spyware and other potentially unwanted software.

    April 27, 2006 reply from Pacter, Paul (CN - Hong Kong) [paupacter@DELOITTE.COM.HK]

    MSIE may be losing some users to Firefox, but it is still dominant among the last million or so visitors to www.iasplus.com :

    IE 6     IE 5.5      IE 5.0      Firefox        NS 3.0         Others
    80%      8%          6%            2%              1%              3%

    Global data. I don't have browser data by country, and Firefox may be more dominant in USA.

    Paul Pacter

    April 27, 2006 reply from Bob Jensen

    Hi Paul,

    It’s important to note that it is not an either-or choice. People can have both IE and Firefox browsers on their computers connected to the Internet. There are some things that will only work in IE such as interactive DHTML spreadsheets ---- http://www.trinity.edu/rjensen/dhtml/excel01.htm

    IE is plagued by spyware. Firefox, to my knowledge, is currently immune to spyware. The current upsurge of Firefox use has been explosive and results might soon show up in your more recent tracking data. Firefox is free at http://download-firefox.org/ 

    I advise people to use Firefox (Windows) or Safari (Mac) at home where protections against spyware and other bad stuff may not be as great as at work where companies and colleges invest much more in security protection systems. Your data may be somewhat biased since most visitors to IAS Plus probably do so at work where the only browser available is probably IE.

    Given Microsoft’s dismal track record in dealing with security issues, I have my doubts whether IE’s Version 7 will be as protective as Firefox. However, Firefox on Windows is vulnerable if it attracts more attention from the spyware bad guys. The most secure alternative is the Safari browser on a Mac.

    By the way, congratulations at reaching the 1 million visitor mark at IAS Plus. You created a masterful site that is helpful to accountants in every part of the world (well maybe not at the South Pole) --- http://www.iasplus.com/index.htm

    Bob Jensen

    April 27, 2006 reply from Pacter, Paul (CN - Hong Kong) [paupacter@DELOITTE.COM.HK]

    Thanks, Bob. I use MSIE 6, Firefox 1.5.0.2, and Netscape 8.0 happily together. In fact, I check most IASPlus pages in all three, because each renders pages a bit differently.

    I'm not sure that Firefox is fully "immune to spyware". It does use cookies, same as MSIE. There are pop-up/under ads as well (though I think there are blocking extensions, just as there are various pop-up blockers for MSIE). I certainly agree that spyware is less of a consideration than with MSIE.

    At home I've taken PC Magazine's recommendation and recently purchased Zone Alarm for virus, firewall, spyware, etc. Seems to be working fine though every once in a while I think it degrades performance slightly. On top of that I use AdAware for additional spyware removal, though I've turned off their AdWatch. I just downloaded Microsoft's Windows Defender and will check it out in the next few days. You will definitely regard me as paranoid in the extreme when I also tell you that I have installed at home, and periodically run, Advanced Spyware Detector, Spyware Doctor, and Spybot Search and Destroy!

    I suspect you're right that the IASPlus data is a bit biased for the reasons you suggest.

    Actually IASPlus has had about 3.5 million visitors from 206 countries -- though our tracking service doesn't seem to track the South Pole. I wonder which country visitors from the SP would be included in?

    Warm regards from Hong Kong,

    Paul

    April 27, 2006 reply from Scott Bonacker [aecm@BONACKER.US]

    There is an interesting article on this general subject at:

     http://snipurl.com/Explorer7   

    The article ends with a quote - "Ah, this is obviously some strange use of the word 'safe' that I wasn't previously aware of."

    Scott Bonacker, CPA
    Springfield, MO 65804


    Question
    Do you want to install SiteAdvisor or don't you know at this point in time?

    "SiteAdvisor Adds Search Safety," by Brian Krebs, The Washington Post, February 28, 2006 --- Click Here

    Since its inception, Security Fix has warned Microsoft Windows users to be extremely wary of clicking on Web links that arrive via instant messenger or e-mail, as these are the most common ways that malware spreads online today. But the sad truth is that for many Internet users, clicking on unfamiliar links that turn up in Google, MSN or Yahoo search results frequently exposes them to security risks.

    For the past few weeks I've been surfing the Web with the help of the beta version of a browser add-on called SiteAdvisor, a tool that offers users a fair amount of information about the relative safety and security of sites that show up in Internet searches. As I played around with this program, it became clear that this is a tool that not only allows users to make informed security decisions about a site before they click on a search result link, but it also holds the potential to fuel a more informed public dialogue about the often murky relationship between Fortune 500 companies and the spyware and adware industry.

    But more on the Fortune 500 stuff later. SiteAdvisor is a browser add-on for Firefox or Internet Explorer that tries to interpret the relative safety of clicking on Web search results. With SiteAdvisor installed, each listing is accompanied by a small color-coded icon that indicates whether the software developers have received any reports of scammy, spammy or outright malicious activity emanating from the site.

    The software gets its intel from a proprietary "spidering" technology that crawls around the Web much the same way as search engines do. The company's spiders browse sites with the equivalent of an unpatched version of IE to see if sites try to use any security exploits to install spyware or adware on a visitor's machine.

    "Our attitude is, if a site gives you an exploit with an older version of IE, it's probably not one you want to visit with a newer version," said Chris Dixon, one of SiteAdvisor's co-founders.

    If you use IE and try to visit any site that the program has seen using security vulnerabilities to install software, the program immediately redirects you to a SiteAdvisor page offering more information on the threat posed by the site (users can still choose to visit the site if they so wish after the initial warning). All such sites will earn a big red "X" next to their search listing, as will others that threaten to bombard subscribers with junk e-mail or have questionable relationships with third-party advertisers or shady Web sites.

    Hover over the red "X" with your mouse arrow and a small window appears urging you to exercise "extreme caution" in visiting the site. If you then visit the site, a red dialogue box emerges that offers a brief description of why SiteAdvisor doesn't like it.

    Continued in article

    "'X' Marks the Spyware: A startup offers Internet users simple warnings about a website's potential for spyware and spam," by David Talbot, MIT's Technology Review, March 1, 2006 --- http://www.technologyreview.com/InfoTech/wtr_16443,308,p1.html

    Spyware has emerged as the bane of the Internet -- and finding solutions represents a growing obsession of Web users and the industry that serves them. The newest entrant in the counteroffensive launches today: Boston-based startup SiteAdvisor is releasing software that warns a user about potential spyware and spam hazards.

    The spyware and malware problem is enormous. According to a recent Pew Internet & American Life Project, the computers of roughly 59 million Americans are infected with spyware. And home computer users spent around $3.5 billion in 2003-04 to fix the problems, according to a recent Consumer Reports investigation. Infected machines often slow down dramatically and begin generating error messages, and some types of spyware code can steal passwords and other personal information.

    While many established software products remove known spyware, the warnings and advisories generated by SiteAdvisor are meant to keep users' computers from getting infected in the first place. So far, the company says it has collected data on two million websites. While this is a fraction of all websites, the company says those it rates make up 95 percent of all online traffic.

     

    SiteAdvisor's Web-crawling technology checks whether sites offer programs for downloading, whether those programs carry spyware-like software, and whether entering an e-mail address in signup forms will generate spam. The company stores the accumulated knowledge in its databases, adds more information from website owners and users, and offers the warnings via a browser plug-in for Internet Explorer or Firefox.

    [Click here to view samples of warnings --- http://www.technologyreview.com/InfoTech/wtr_16443,308,p1.html# ]

    The SiteAdvisor home page is at http://www.siteadvisor.com/


     

    Editor's Picks from InternetWeek on January 20, 2006

    Anti-Spyware Strategies, Part 1: Clean Out Your System
    Do you suspect that your system is infected with adware, spyware, or other malware? Here's how to get rid of it.

    Anti-Spyware Strategies 2: Offense And Defense
    Now that your system is clean of spyware, keep it that way: keep your patches up, don't be fooled into user-assisted installations of malware—and read your EULAs.

    Hardware: Is Your Computer Killing You?
    "Killing" might be too strong of a word, but not by much—computing can hurt you physically, emotionally, and environmentally. Find out how you can minimize the damage.

    Windows: Five Things You Didn't Know About Windows Vista
    Some of the more offbeat angles surrounding Microsoft's upcoming operating system involve guessing its launch date, finding where to go to get a Vista-related job, and seeing who's got the name registered as a trademark.


    "Spyware: What You Need to Know," by Kim Zetter, Wired News, October 17, 2005 --- http://www.wired.com/news/privacy/0,1848,68275,00.html?tw=wn_tophead_4

    The Anti-Spyware Coalition (which includes heavyweights like Microsoft, EarthLink and Hewlett-Packard) says spyware is any application that impairs "users' control over material changes that affect their user experience, privacy or system security."

    In plainer language, spyware consists of a host of programs that you likely wouldn't invite onto your computer if you knew what they would do once they invaded your machine. They are primarily software programs that can hijack your browser to send you to an advertiser's page or track where you surf on the internet so marketers can learn your interests and feed you pop-up ads.

    Is spyware the same as viruses and Trojan horses?

    Traditionally, viruses and Trojan horses have been considered a different type of malware, but the Anti-Spyware Coalition is attempting to lump all malware together to make it easier for lawmakers to legislate against it.

    The coalition does not include viruses in this category, but it does include Trojan horses, which are usually installed on your machine without your consent and sit in the background quietly recording your keystrokes or sending copies of your files to a remote intruder over the internet. Keystroke loggers are generally not used by people who want to market to you, but by people who are interested in data like passwords or credit card numbers for financial gain or espionage.

    Continued in article

    Consumer Reports Rankings of Antispyware Software
    September 2004, Page 19
    Rank 1 Lavasoft Ad-aware http://www.lavasoftusa.com/software/adaware/ 

    Rank 2 PestPatrol http://www.pestpatrol.com/pestinfo/ 

    Rank 3 Spybot-Search & Destroy http://www.safer-networking.org/en/index.html 

    Rank 4 Webroot Spy Sweeper http://www.webroot.com/wb/products/spysweeper/index.php?rc=266&ac=417 

    Rank 5 InterMute SpySubtract Pro http://www.intermute.com/spysubtract/ 

    Rank 6 FBM Software ZeroSpyware http://www.fbmsoftware.com/ 


     


    Debit Card Fraud Jumps
    Several banks have reported that account information has been stolen and consumers have reported mysterious fraudulent account withdrawals. Litan told MSNBC, “This is the absolute worst hack that has happened, the biggest scam to date.” Using a debit card to steal cash is a more direct process for thieves. Stealing merchandise and converting it into cash can be a risky business. MSNBC reports this so-called “white card” fraud does not require interaction with clerks or other store staff. Careless PIN storage is to blame for these losses.
    "Debit Card Fraud Jumps," AccountingWeb, March 13, 2006 ---
    http://www.accountingweb.com/cgi-bin/item.cgi?id=101885

    Bob Jensen's threads on ID theft are at http://www.trinity.edu/rjensen/FraudReporting.htm


    Cell Phone Records are for Sale

    Cell phone records are far more personal than typical Internet Identity theft
    Think your mate is cheating? For $110, Locatecell.com will provide you with the outgoing calls from his or her cell phone for the last billing cycle, up to 100 calls. All you need to supply is the name, address and the number for the phone you want to trace. Order online, and get results within hours. Carlos F. Anderson, a licensed private investigator in Florida, offers a similar service for $165, for all major telephone carriers. "This report provides all the calls with dates, times, and duration on the billing statement," according to Anderson's Web site, which adds, "Incoming Calls and Call Location are provided if available." Learning who someone talked to on the phone cannot enable the kind of financial fraud made easier when a Social Security or credit card number is purloined. Instead, privacy advocates say, the intrusion is more personal.
    Jonathan Kim, "Online Data Gets Personal: Cell Phone Records for Sale," The Washington Post, July 8, 2005 --- http://www.washingtonpost.com/wp-dyn/content/article/2005/07/07/AR2005070701862.html?referrer=email


    Phishing, Spoofing, Pharming, Slurping, and Pretexting


    Bob Jensen's threads on identity theft are also at http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

     

    FTC Identity Theft Center --- http://www.ftc.gov/bcp/edu/microsites/idtheft/

    Identity Theft Resource Center --- http://www.idtheftcenter.org/
    Note the tab for State and Local Resources

    IRS Identity Protection Specialized Unit at 800-908-4490


    The credit cards issued in other countries are much safer! Why does America lag so far behind? by Joshua Brustein, Bloomberg Businessweek, December 23, 2013 ---
    http://www.businessweek.com/articles/2013-12-23/why-the-u-dot-s-dot-leaves-its-credit-card-system-vulnerable-to-fraud?campaign_id=DN122313

    Jensen Comment
    The sad part of this is that fraudulent charges not caught by consumers are borne by those consumers and not the credit card companies or the insurance purchased by consumers for protection. The key for consumers is to verify every charge on every account. Yeah Right!

    I'm told that credit companies rarely prosecute the thieves who are using the stolen credit card numbers. First the charges are often made from outside the USA thereby causing jurisdictional complications. Second the cost of prosecuting generally exceeds recovery thereby adding losses to losses. The sad part of this policy is that there's no deterrence if thieves know they won't be prosecuted.

    Bob Jensen's threads on Identity Theft: Phishing , Pharming, Vishing, Slurping, and Spoofing ---
    http://www.trinity.edu/rjensen/ecommerce/000start.htm#Phishing

    Bob Jensen's Fraud Updates are at
    http://www.trinity.edu/rjensen/FraudUpdates.htm

     


    Security Hacker Who Used To Rob Banks (over 1,000 and never arrested) Is Giving Away His Secrets For Free ---
    http://www.businessinsider.com/jim-stickley-on-security-2013-11

    Jensen Comment
    Especially note the "Library" of videos.

    Current videos available for download

    (Click on title to watch)

    Videos currently being developed

    Bob Jensen's threads on computer and networking security ---
    http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection

     


    From the CFO Journal's Morning Ledger on November 12, 2013

    CFOs beware of phishing scams
    CFOs should keep their guards up when going through their email. Christopher Novak, managing principal and security expert at Verizon Business, tells the American Banker about a popular phishing exploit that uses the stolen email addresses of top executives. “Someone will spoof an email to the CFO or controller and it will purport to be from the CEO,” he says. “The email will say something like, we need to sponsor this event or pay this vendor, it’s urgent and I need you to wire $100,000 into this account immediately, we’re already 30 days late. Because it’s from the CEO, other staff will expedite the request. In one case, the CFO happened to have lunch with the CEO and said, just out of curiosity, who was that merchant you had us expedite the wire transfer to?” Mr. Novak recalls. “The CEO said, ‘What are you talking about?’ The blood drained out of the CFO’s face and he said he had to go. We’ve seen more than a dozen of those happen in the last week. Probably over $10 million has moved in the last week because of this.”
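    The executive-impersonation pattern Mr. Novak describes can be caught at the mail gateway before a human sees the message. The check below is an added example, not code from the CFO Journal or Verizon; the company domain, executive directory, lure phrases and the two sample messages are all constructed for illustration.

```python
"""Flag e-mail that impersonates a known executive (added example).

Three header checks catch the spoof itself: the From: display name matches an
executive but the address does not, the sending domain is outside the company,
or a Reply-To header redirects replies elsewhere.  A fourth, weaker signal
looks for the "urgent wire" wording of the lure.  Everything below the imports
is a constructed assumption for this illustration.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed: the organisation's own domain and its executives' real addresses.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",     # hypothetical CEO
    "john smith": "john.smith@example-corp.com",  # hypothetical COO
}
# Phrases typical of the lure quoted above (simple substring match, illustrative).
LURE_PHRASES = ("wire", "urgent", "immediately", "pay this vendor", "days late")
# Any of these flags alone means the headers themselves look spoofed.
HEADER_FLAGS = ("display_name_mismatch", "external_sender_domain", "reply_to_redirect")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg: Message) -> str:
    """Collect the text/plain parts of the message as one lower-cased string."""
    if msg.is_multipart():
        parts = [p.get_payload() for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return " ".join(str(p) for p in parts).lower()
    return str(msg.get_payload()).lower()


def analyze(raw: str) -> dict:
    """Parse one RFC 822 message and return its impersonation flags."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    flags = []

    known = EXECUTIVES.get(name.strip().lower())
    if known:
        # Display name says "CEO" but the mailbox is not the CEO's real one.
        if addr.lower() != known:
            flags.append("display_name_mismatch")
        # Executive mail should originate from the company's own domain.
        if _domain(addr) != COMPANY_DOMAIN:
            flags.append("external_sender_domain")

    # A Reply-To on a different domain steers the CFO's answer to the fraudster.
    if reply_addr and _domain(reply_addr) != _domain(addr):
        flags.append("reply_to_redirect")

    body = _body_text(msg)
    if any(phrase in body for phrase in LURE_PHRASES):
        flags.append("wire_lure_language")

    return {"from": addr, "flags": flags,
            "suspicious": any(f in HEADER_FLAGS for f in flags)}


# Constructed sample: the spoof from the article, with a free-mail sender,
# a redirected Reply-To and the urgent-wire wording.
SPOOFED_MESSAGE = """\
From: Jane Doe <jane.doe@gmail-mail.example>
Reply-To: ceo-office@mail-forward.example
To: cfo@example-corp.com
Subject: Urgent wire
Content-Type: text/plain

We need to pay this vendor today. Please wire $100,000 to the account
below immediately, we're already 30 days late.
"""

# Constructed sample: a genuine note from the same executive.
LEGIT_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Board deck
Content-Type: text/plain

Attached is the draft board deck for discussion next week.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, analyze(raw))
```

    The header checks are the decisive ones; the wording check is kept deliberately weak because a real lure need not use any of these phrases, and a sender-policy check (SPF, DKIM, DMARC) on the gateway belongs alongside it.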


    May 20, 2013 Message from Dennis Huber

    Read about security research as it happens. Obtain in-depth security information including research & statistics, white papers, presentations and the latest threat maps that display the most recent data collected by Websense Security Labs.

    http://www.antiphishing.org/apwg-news-center/crimeware-map/

     


    "FTC releases final privacy report, says ‘Do Not Track’ mechanism may be available by end of year," by Hayley Tsukayama, Washington Post, March 27, 2012 --- Click Here
    http://www.washingtonpost.com/business/technology/ftc-releases-final-privacy-report-says-do-not-track-mechanism-may-be-available-by-end-of-year/2012/03/26/gIQAzi23bS_story.html

    The Federal Trade Commission on Monday outlined a framework for how companies should address consumer privacy, pledging that consumers will have “an easy to use and effective” “Do Not Track” option by the end of the year.

    The FTC’s report comes a little over a month after the White House released a “privacy bill of rights” that called on companies to be more transparent about privacy and grant consumers greater access to their data but that stopped short of backing a do-not-track rule.

    The FTC also said it plans to work with Web companies and advertisers to implement an industry-designed do-not-track technology so as to avoid a federal law that mandates it. The Digital Advertising Alliance, which represents 90 percent of all Web sites with advertising, is working with the Commerce Department and FTC to create an icon that would allow users an easy way to stop online tracking.

    But the enforcement agency said that if the companies aren’t able to get the technology launched by the end of the year, lawmakers should force those companies to offer consumers a similar option to stop tracking.

    “Although some companies have excellent privacy and data securities practices, industry as a whole must do better,” the FTC said.

    In its report, the agency called on companies to obtain “affirmative express consent” from consumers before using data collected for a different purpose and encouraged Congress to consider baseline privacy legislation and measures on data security and data brokers.

    The FTC also reiterated its recommendations that Congress pass legislation to provide consumers with access to their personal data that is held by companies that compile data for marketing purposes.

    The 73-page report focuses heavily on mobile data, noting that the “rapid growth of the mobile marketplace” has made it necessary for companies to put limits on data collection, use and disposal. According to a recent report from Nielsen, 43 percent of all U.S. mobile phone subscribers own a smartphone.

    The commission called on companies to work to establish industry standards governing the use of mobile data, particularly for data that reveals a user’s location.

    Commissioner Thomas Rosch dissented from the other commissioners in a 3-1 vote on the privacy report. Rosch said that while he agrees with much of what the agency released Monday, he disagrees with the commission’s approach to the framework, which focuses more on what consumers may deem “unfair” as opposed to actual deception perpetrated by companies.

    Continued in article

     


    "IRS Warns on ‘Dirty Dozen’ Tax Scams for 2012," by Laura Saunders, The Wall Street Journal, February 12, 2012 ---
    http://blogs.wsj.com/totalreturn/2012/02/17/irs-warns-on-dirty-dozen-tax-scams-for-2012/?mod=google_news_blog

    Every year during tax season the Internal Revenue Service releases a list of its least-favorite tax scams. “Scam artists will tempt people in-person, on-line and by email with misleading promises about lost refunds and free money. Don’t be fooled by these,” warns Commissioner Douglas Stives.

    The list changes from year to year. Here’s what the IRS is warning about for this tax season. For more information, click here, or watch a video here.

    1. Identity theft

    “An IRS notice informing a taxpayer that more than one return was filed in the taxpayer’s name may be the first tipoff the individual receives that he or she has been victimized.”

    2. Phishing

    “If you receive an unsolicited email that appears to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System, report it by sending it to phishing@irs.gov.”

    3. Tax-preparer fraud

    “In 2012 every paid preparer needs to have a Preparer Tax Identification Number (PTIN) and enter it on the returns he or she prepares.”

    4. Hiding income offshore

    “Since 2009, 30,000 individuals have come forward voluntarily to disclose [undeclared] foreign financial accounts. . . With new foreign account reporting requirements being phased in over the next few years, hiding income offshore will become increasingly more difficult.”

    5. ‘Free money’ from the IRS and tax scams involving Social Security

    “Flyers and advertisements for free money from the IRS, suggesting that the taxpayer can file a tax return with little or no documentation, have been appearing at community churches around the country.”

    6. False/inflated income and expenses

    “Claiming income you did not earn or expenses you did not pay in order to secure larger refundable credits such as the Earned Income Tax Credit could have serious repercussions…. Fraud involving the fuel tax credit is considered a frivolous tax claim and can result in a penalty of $5,000.”

    7. False Form 1099 refund claims

    “In this ongoing scam, the perpetrator files a fake information return, such as a Form 1099 Original Issue Discount (OID), to justify a false refund claim on a corresponding tax return.”

    8. Frivolous arguments

    “Promoters of frivolous schemes encourage taxpayers to make unreasonable and outlandish claims to avoid paying the taxes they owe. The IRS has a list of frivolous tax arguments that taxpayers should avoid.”

    9. Falsely claiming zero wages

    “Filing a phony information return is an illegal way to lower the amount of taxes an individual owes. Typically, a Form 4852 (Substitute Form W-2) or a ‘corrected’ Form 1099 is used as a way to improperly reduce taxable income to zero. The taxpayer may also submit a statement rebutting wages and taxes reported by a payer to the IRS.”

    10. Abuse of charitable organizations and deductions

    “The IRS is investigating schemes that involve the donation of non-cash assets – including situations in which several organizations claim the full value of the same non-cash contribution. Often these donations are highly overvalued or the organization receiving the donation promises that the donor can repurchase the items later at a price set by the donor.”

    11. Disguised corporate ownership

    “Third parties are improperly used to request employer identification numbers and form corporations that obscure the true ownership of the business…. The IRS is working with state authorities to identify these entities and bring the owners into compliance with the law.”

    12. Misuse of trusts

    “IRS personnel have seen an increase in the improper use of private annuity trusts and foreign trusts to shift income and deduct personal expenses. As with other arrangements, taxpayers should seek the advice of a trusted professional before entering a trust arrangement.”

     

    FTC Identity Theft Center --- http://www.ftc.gov/bcp/edu/microsites/idtheft/

    Identity Theft Resource Center --- http://www.idtheftcenter.org/
    Note the tab for State and Local Resources

    IRS Identity Protection Specialized Unit at 800-908-4490

    How Income Taxes Work (including history) --- http://money.howstuffworks.com/income-tax.htm

    Why not start with the IRS? (The best government agency web site on the Internet) http://www.irs.gov/ 

    IRS Site Map --- http://www.irs.gov/sitemap/index.html

    FAQs and answers --- http://www.irs.gov/faqs/index.html

    Taxpayer Advocate Service --- http://www.irs.gov/advocate/index.html

    Forms and Publications, click on Forms and Publications

     

    IRS Free File Options for Taxpayers Having Less Than $57,000 Adjusted Gross Income (AGI) ---
    http://www.irs.gov/efile/article/0,,id=118986,00.html?portlet=104

    Free File Fillable Forms FAQs ---
    http://www.irs.gov/efile/article/0,,id=226829,00.html

    Visualizing Economics
    Comparing Income, Corporate, Capital Gains Tax Rates: 1916-2011 and Other Graphics --- Click Here
    http://visualizingeconomics.com/2012/01/24/comparing-tax-rates/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+VisualizingEconomics+%28Visualizing+Economics%29&utm_content=Google+Reader

    Bob Jensen's tax filing helpers ---
    http://www.trinity.edu/rjensen/Bookbob1.htm#010304Taxation


    Question
    What is phishing?


    Answer
    Phishing is fishing for passwords, credit card numbers, or other private information. Phishers typically send email messages in which they masquerade as a trustworthy person or business, dressed up as an official electronic communication, to trick the recipient into replying with credentials or typing them into a look-alike Web site.


    See http://en.wikipedia.org/wiki/Phishing




    Question
    When might you want to run Linux on your Windows computer?

    "E-Banking on a Locked Down (Non-Microsoft) PC," by Brian Krebs, The Washington Post, October  --- Click Here
    http://snipurl.com/linuxwindowslockdown 

    In past Live Online chats and blog posts, I've mentioned an easy way to temporarily convert a Windows PC into a Linux-based computer in order to ensure that your online banking credentials positively can't be swiped by password-stealing malicious software. What follows is a brief tutorial on how to do that with Ubuntu, one of the more popular bootable Linux installations.

    Also known as "Live CDs," these are generally free, Linux-based operating systems that one can download and burn to a CD-Rom or DVD. The beauty of Live CDs is that they can be used to turn a Windows based PC into a provisional Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a LiveCD are loaded into system memory, and any changes - such as browsing history or other activity -- are completely wiped away after the machine is shut down. To return to Windows, simply remove the CD from the drive and reboot.

    More importantly, malware that is built to steal data from Windows-based systems simply won't load or work when the user is booting from LiveCD. Even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or Trojan, the malware can't capture the victim's banking credentials if that user only transmits his user name and password after booting up into one of these Live CDs.

    There are dozens -- if not hundreds of these LiveCD distributions -- each with their own flavor or focus: Some try to be as small or lightweight as possible, others - like Backtrack - focus on offering some of the best open source hacking and security tools available. For this project, however, I'm showcasing Ubuntu because it is relatively easy to use and appears to play nicely with a broad range of computer hardware.

    A few words of advice before you proceed with this project:

    -LiveCDs are easiest to use on desktop PCs. Loading a LiveCD on a laptop sometimes works fine, but often it's a bit of a hassle to get it to boot up or network properly, requiring the use of cryptic "cheat codes" and a lot of trial and error, in my experience.

    -If you do decide to try this on a laptop, I'd urge you to plug the notebook into a router via a networking cable, as opposed to trying to access the Web with the LiveCD using a wireless connection. Networking a laptop on a wireless connection while using a LiveCD distribution may be relatively painless if you are not on an encrypted (WEP or WPA/WPA2) wireless network, but attempting to do this on an encrypted network is not for the Linux newbie.

    -I conceived this tutorial as a way to help business owners feel safer about banking online, given the ability of many malware strains to evade standard security tools, such as desktop anti-virus software. Consumers who have their online bank account cleaned out because of a keystroke-sniffing Trojan usually are made whole by their bank (provided they don't wait more than 10 business days before reporting the fraud). Not so for businesses, which generally are responsible for any such losses. I'm not saying it's impossible to bank online securely with a Windows PC: This advice is aimed at those who would rather not leave anything to chance.

    -The steps described below may sound like a lot of work, but most of what I'll describe only has to be done once, and from then on you can quickly boot into your Ubuntu Live CD whenever you need to.

    With that, let's move on. To grab this package, visit the Ubuntu site, pick the nearest download location, and download the file when prompted (the file name should end in ".iso"). Go make a sandwich, or water your plants or something. This may take a while, depending on your Internet connection speed.

    After you've downloaded the file, burn the image to CD-Rom or DVD. If you don't know how to burn an image file to CD or don't know whether you have a program to do so, download something like Ashampoo Burning Studio Free. Once you've installed it, start the program and select "create/burn disc images." Locate the .iso file you just downloaded, and follow the prompts to burn the image to the disc.

    When the burn is complete, just keep the disc in the drive. We next need to make sure that the computer knows to look to the CD drive first for a bootable operating system before it checks the hard drive, otherwise this LiveCD will never be recognized by the computer. When you start up your PC, take note of the text that flashes on the screen, and look for something that says "Press [some key] to enter setup" or "Press [some key] to enter startup." Usually, the key you want will be F2, or the Delete or Escape (Esc) key.

    When you figure out what key you need to press, press it repeatedly until the system BIOS screen is displayed. Your mouse will not work here, so you'll need to rely on your keyboard. Look at the menu options at the top of the screen, and you should notice a menu named "Boot". Hit the "right arrow" key until you've reached that screen listing your bootable devices. What you want to do here is move the CD-Rom/DVD Drive to the top of the list. Do this by pressing the down-arrow key until the CD-Rom option is highlighted, and then press the "+" key on your keyboard until the CD-Rom option is at the top. Then hit the F10 key, and confirm "yes" when asked if you want to save changes and exit, and the computer should reboot. If you've done this step correctly, the computer should detect the CD image you just burned as a bootable operating system. [Unless you know what you're doing here, it's important not to make any other changes in the BIOS settings. If you accidentally do make a change that you want to undo, hit F10, and select the option "Exit without saving changes." The computer will reboot, and you can try this step again.]

    When you first boot into the Ubuntu CD, it will ask you to select your language. On the next screen, you'll notice that the default option - "Try Ubuntu without any change to your computer" - is already selected. Hit the "return" or "enter" key on your keyboard to proceed safely.

    Part II of the above article---
    http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_pc.html?wprss=securityfix
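    One check Krebs's tutorial skips that matters when the Live CD is going to be your trusted banking system: verify the downloaded .iso against the publisher's checksum list before burning it, otherwise a corrupted or tampered download becomes the very operating system you are trusting. The following Python is an added example written for this page, not code from the Washington Post article or from the Ubuntu project. It assumes the checksum file uses the GNU coreutils layout that Ubuntu's SHA256SUMS files also use (one "<hex digest> *<filename>" line per image); the image names and contents in the demo are constructed, not real Ubuntu release values.

```python
"""Verify a downloaded disc image against a published SHA256SUMS-style file.

Added example for this page. The demo files and digests are constructed;
nothing here is a real Ubuntu checksum.
"""
import hashlib
import hmac
import os
import shutil
import tempfile

HEX = set("0123456789abcdefABCDEF")


def parse_sha256sums(text):
    """Map filename -> lowercase hex digest from SHA256SUMS-style lines."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # coreutils marks binary mode with a leading '*' on the filename
        name = name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in HEX for c in digest):
            raise ValueError("malformed digest line: %r" % line)
        sums[name] = digest.lower()
    return sums


def sha256_file(path, chunk=1024 * 1024):
    """Hash a large file incrementally so a multi-GB .iso never sits in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(iso_path, sums_text):
    """True only if the image's digest matches its SHA256SUMS entry.

    An image with no entry at all is refused rather than assumed good.
    """
    expected = parse_sha256sums(sums_text).get(os.path.basename(iso_path))
    if expected is None:
        return False
    actual = sha256_file(iso_path)
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed demo: a good image, a tampered copy, and an unlisted file."""
    tmp = tempfile.mkdtemp()
    try:
        good = os.path.join(tmp, "ubuntu-demo.iso")
        bad = os.path.join(tmp, "ubuntu-tampered.iso")
        unlisted = os.path.join(tmp, "unknown.iso")
        with open(good, "wb") as f:
            f.write(b"pretend this is a bootable image\n" * 1000)
        with open(bad, "wb") as f:
            # identical except for the last line: a one-block change
            f.write(b"pretend this is a bootable image\n" * 999 + b"evil\n")
        # the "publisher" lists the genuine digest for both names
        sums = "# constructed SHA256SUMS\n%s *ubuntu-demo.iso\n%s *ubuntu-tampered.iso\n" % (
            sha256_file(good), sha256_file(good))
        return (verify_image(good, sums),
                verify_image(bad, sums),
                verify_image(unlisted, sums))
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

    A matching checksum only proves the bytes you burned are the bytes the publisher listed; if the SHA256SUMS file itself came over the same unauthenticated channel, a site that can tamper with the .iso can tamper with the list too, so fetch the list over HTTPS from the project's own site (Ubuntu also signs its checksum files) rather than from the mirror that served the image.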

    This is probably the most clever phishing scam I've read about (link forwarded by Moe).
    This one is very real to me because I received a very similar call from Visa regarding a credit card that I only use for online purchases. The call was almost identical to the phone calls used in the scam linked below. In my case this really was my Visa bank regarding some fraudulent purchases that Visa suspected early on because the charges were made in foreign countries. I have not been out of the country recently. But to my chagrin, now, this call could've easily been a scam. Fortunately in my case the call was legitimate, and I received new credit cards the next day.

    Read about it at http://www.snopes.com/crime/warnings/creditcard.asp

    Bob Jensen's threads on phishing scams are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#Phishing



    Be on Your Guard
    IRS 2008 'Dirty Dozen' Phishing Scams
    --- http://accounting.smartpros.com/x61121.xml

    Bob Jensen's threads on tax scams are at http://www.trinity.edu/rjensen/FraudReporting.htm#TaxScams


    "Colleges Are Targets of E-Mail Scam," by Jeffrey R. Young, Chronicle of Higher Education, April 4, 2008 ---
    http://chronicle.com/free/2008/04/2366n.htm?utm_source=at&utm_medium=en

    An e-mail scam has hit thousands of users at dozens of colleges over the past few weeks, leaving network administrators scrambling to respond before campus computer accounts are taken over by spammers.

    Students, professors, and staff members at the affected colleges received e-mail messages that purport to come from the colleges' help desks, asking users to reply with their log-in and password, and in some cases other personal information including birth date.

    But the messages actually come from malicious hackers who use the information to send spam messages from the accounts. And administrators worry that the compromised accounts could be used to do further damage to the university networks.

    The attacks are "pretty broad" across higher education, says Douglas Pearson, technical director of the Research and Education Networking Information Sharing and Analysis Center at Indiana University at Bloomington. "And it seems to be growing."

    At Indiana University, thousands of the scam messages recently started hitting the campus network each day, says Nate Johnson, lead security engineer for the university.

    "We had one incident in the past week where within four minutes of the user disclosing their password, the attacker had managed to launch off 10,000 spam messages," says Mr. Johnson. "We contacted the users, they changed their pass phrases, and the hackers no longer had access to the accounts."

    Phishing New Waters

    The type of attack is known as phishing. In the past, most phishing e-mail messages pretended to come from banks, from eBay, or from the online payment service PayPal. Some college officials say that this year is the first time they have seen phishing schemes that pretend to be sent from college IT departments.

    At North Carolina State University, some 2,600 users received the targeted phishing messages in January. What's worse, the bogus messages started appearing just as the university's technology staff was switching to a new campuswide e-mail system.

    "This couldn't have come at a worse time," says Tim S. Gurganus, an IT-security officer at the university, noting that some users might have expected a note from administrators regarding the e-mail changeover.

    The messages were not riddled with grammatical errors, as some earlier phishing messages were. One of the messages read: "We are currently upgrading our data base and e-mail account center ... Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently."

    In the first days of the attack at North Carolina State, about 40 users responded, presumably falling for the scam, says Mr. Gurganus. At least three of those accounts were quickly used by the attackers to send hundreds of spam messages, including more copies of the phishing message. The sudden burst of e-mail coming from the three e-mail accounts set off scanning programs used to monitor the campus network for suspicious activity, and within about an hour, campus administrators disabled the accounts and told the users to change their passwords, he says.

    The university then sent a warning message to all campus users alerting them not to give their username and password to anyone via e-mail.

    Mr. Gurganus also sent a message to an e-mail list for campus-security administrators asking whether others had encountered the problem, and he learned that North Carolina State was not alone.

    "I got responses from 20 different universities saying they'd seen similar stuff," he says. "I think they started with bigger ones, like the state universities, and now they're going after the smaller schools," including community colleges, he adds.

    Spreading the Word

    Campus officials have been trading advice with colleagues on several campus-security e-mail lists as they work to try to stop the messages from coming in. But that can be tricky because the messages do not contain suspicious key words—like "Viagra" or "mortgages"—that are common in spam messages that colleges routinely block.

    So colleges have also been renewing their efforts to educate campus users that if you get an urgent e-mail message asking for your password, just delete it.

    Aware that it can be hard to get the attention of students, administrators at Louisiana State University at Baton Rouge have tried to use humor to get that message across. In a public-awareness campaign that recently won a national award, the university has published a poster featuring a cartoon character named Tad who replies to a phishing e-mail.

    Pictures of fish are shown falling on Tad as he crouches under a table. "Tad may as well have shouted his personal information to the world," the poster says. The campaign's motto: "Don't be a Tad."
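    The North Carolina State detection described above, a sudden burst of outbound mail from a few accounts tripping the campus scanners within an hour, amounts to a sliding-window rate check over the mail server's log. The following Python is an added example written for this page, not code from any of the universities quoted in the Chronicle article. The log line format, the addresses and the threshold of 50 messages in any five-minute window are constructed for the demo; a real deployment would read the MTA's own log and tune the threshold to the campus's normal traffic.

```python
"""Flag a campus mail account the moment it starts sending spam-like bursts.

Added example for this page. The sample log is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def make_sample_log():
    """Construct log lines: one normal sender and one phished account."""
    base = datetime(2008, 4, 1, 10, 0, 0)
    lines = []
    # normal user: three messages spread over ten minutes
    for m in (0, 4, 9):
        t = base + timedelta(minutes=m)
        lines.append("%s from=prof.smith@campus.example to=dean@campus.example"
                     % t.strftime(LOG_FORMAT))
    # phished account: 60 messages in four minutes (one every 4 s)
    for i in range(60):
        t = base + timedelta(seconds=4 * i)
        lines.append("%s from=student42@campus.example to=victim%03d@example.net"
                     % (t.strftime(LOG_FORMAT), i))
    lines.sort()  # a real log is time ordered; keep the demo honest
    return lines


def parse_line(line):
    """'<timestamp> from=<addr> to=<addr>' -> (datetime, sender)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, LOG_FORMAT), fields["from"]


def detect_bursts(lines, threshold=50, window=timedelta(minutes=5)):
    """Alert on each sender the first time it reaches `threshold` messages
    inside any sliding window of length `window`.

    Returns {sender: (time_of_alert, messages_in_window)}.
    """
    recent = defaultdict(deque)   # sender -> timestamps still inside the window
    alerts = {}
    for line in lines:
        ts, sender = parse_line(line)
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold and sender not in alerts:
            alerts[sender] = (ts, len(q))
    return alerts


if __name__ == "__main__":
    for sender, (when, count) in detect_bursts(make_sample_log()).items():
        print("%s: %d messages by %s, disable account and force a password change"
              % (sender, count, when.time()))
```

    The alert fires on the fiftieth message, about three minutes into the burst, which is the same order of speed the article attributes to the campus scanners and far faster than waiting for an abuse complaint. The response the article describes, disabling the account and making the owner change the password, is what a real alert would trigger.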


    "PayPal: Steer Clear of Apple's Safari," by Robert McMillan, PC World via The Washington Post, February 29, 2008 --- Click Here
    According to PayPal, unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites.

    If you're using Apple's Safari browser, PayPal has some advice for you: Drop it, at least if you want to avoid online fraud.

    Safari doesn't make PayPal's list of recommended browsers because it doesn't have two important anti-phishing security features, according to Michael Barrett, PayPal's chief information security officer.

    "Apple, unfortunately, is lagging behind what they need to do, to protect their customers," Barrett said in an interview. "Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera."

    Safari is the default browser on Apple's Macintosh computers and the iPhone, but it is also available for the PC. Both Firefox and Opera run on the Mac.

    Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites, Barrett said. Another problem is Safari's lack of support for another anti-phishing technology, called Extended Validation (EV) certificates. This is a secure Web browsing technology that turns the address bar green when the browser is visiting a legitimate Web site.

    When it comes to fighting phishing, "Safari has got nothing in terms of security support, only SSL (Secure Sockets Layer encryption), that's it," he said. Apple representatives weren't immediately available to comment on this story.

    An emerging technology, EV certificates are already supported in Internet Explorer 7, and they've been used on PayPal's Web site for more than a year now. When IE 7 visits PayPal, the browser's address bar turns green -- a sign to users that the site is legitimate. Upcoming versions of Firefox and Opera are expected to support the technology.

    But EV certificates have their critics. Last year, researchers at Microsoft and Stanford University published a study showing that, without training, people were unlikely to notice the green address-bar notification provided by EV certificates.

    Still, Barrett says data compiled on PayPal's Web site show that the EV certificates are having an effect. He says IE 7 users are more likely to sign on to PayPal's Web site than users who don't have EV certificate technology, presumably because they're confident that they're visiting a legitimate site.

    Over the past few months, IE 7 users have been less likely to drop out and abandon the process of signing on to PayPal, he said. "It's a several percentage-point drop in abandonment rates," he said. "That number is... measurably lower for IE 7 users."

    Opera, IE, and Firefox are "safer, precisely because we think they are safer for the average consumer," he added. "I'd love to say that Safari was a safer browser, but at this point it isn't."


    Link forwarded by Richard Campbell
    Phishing Quiz --- http://www.sonicwall.com/phishing/

    Engaging Privacy and Information Technology in a Digital Age --- http://books.nap.edu/catalog.php?record_id=11896 

    Phishing With Fake Jury Notice

    I think this has been around for a while, but Roger Hermanson called my attention to it once again. The scammer phones and claims to be working with a court. He alleges that you failed to show up for jury duty --- http://www.snopes.com/crime/fraud/juryduty.asp

    Identity Theft Resource Center --- http://www.idtheftcenter.org/

    Bob Jensen's threads on phishing/ID theft are at the following two sites:

    Identity Theft ---
    http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft

    Phishing, Spoofing, Pharming, Slurping, and Pretexting ---
    http://www.trinity.edu/rjensen/ecommerce/000start.htm#Phishing


    Scam Warning
    Denny Beresford sent me a message about the latest Social Security email scam. Always remember that government agencies like the IRS and the Social Security Administration, along with banks and credit unions, do not send you email messages out of the blue seeking your private information or your money. These messages come from crooks, most of whom reside outside the legal jurisdiction of the United States. I don't even open email messages from these institutions.

    The sad part is that these scams work so successfully!

    Bob,

    You might be interested in this - http://www.ssa.gov/pressoffice/pr/colaPhishingScam-pr.htm 
    (This is a warning from the Social Security Administration! )

    I'm receiving social security benefits now and I have to say that the email I received earlier this morning looked fairly official. However, it seemed unlikely that Social Security would make such a notification by email. So I found the announcement on the official Social Security site. While I'd bet that most people don't fall for the "wife of the former president of Nigeria" type of scam, this looks like one that might have a higher degree of success.

    Denny

    Jensen Comment
    Even the familiar Nigerian-type scams are still enormously successful. These scams are the second most lucrative export (oil is number one) from Nigeria, and Nigeria is only one of many places in the world where such scams originate. Many also come from Eastern Europe where technology geniuses are always miles ahead of law enforcement and vendor security protection upgrades --- http://www.trinity.edu/rjensen/FraudReporting.htm#NigerianFraud

    Question
    What's the use of spoof@paypal.com ?

    November 13, 2006 message from Schatzel, John [JSchatzel@STONEHILL.EDU]

    Yeah, these "phishing" scams have netted crooks over $2.8 billion this past year according to an article I read recently. I thought the number sounded high, but they are bombarding people with genuine looking requests from PayPal and Amazon.com saying that your account has been restricted, charged for something you didn't buy, or is being investigated for account tampering by their security staff. A lot of people panic apparently when they see this stuff and reply with personal account information. I feel sorry for them so every time I get one for PayPal I reply by sending it to spoof@paypal.com  and they supposedly investigate them. If anyone has a similar email address for Amazon, please let us know. Just using Amazon's customer service form is not enough. The whole message has to be forwarded to them, so they can investigate the source of the illegal message.

    John Schatzel

    November 14, 2006

    Snopes has a pretty good page for identifying phishing spoofs. Enter "phishing" into the search box at http://www.snopes.com/

    Also see what you get when you enter "Nigerian" into the search box.

    Bob Jensen

    Free Fraud Alert Systems --- http://www.trinity.edu/rjensen/FraudReporting.htm#Fraud%20Alerts

    Bob Jensen's helpers if you think you've become a victim --- http://www.trinity.edu/rjensen/FraudReporting.htm

    Identity Theft Resource Center --- http://www.idtheftcenter.org/

    Bob Jensen's threads on identity theft are also at http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 


    Dirty Tricks Played on Job Seekers
    Job hunters using Monster.com, the employment Web site owned by Monster Worldwide, received fake job offers by e-mail that ask for their Bank of America account information. The e-mail contains personal information collected when hackers tricked Monster.com customers into downloading a virus in a fake job-seeking tool, according to researchers at Symantec, the world's biggest maker of security software.
    Rochelle Garner, "Monster.com Users Get Fake Offers And Request," The Washington Post, August 23, 2007, Page D04 --- Click Here


    "Phishing Scams Just Keep Coming," by Greg Keizer, Information Week, August 3, 2004 --- http://www.informationweek.com/story/showArticle.jhtml?articleID=26805648 


    Phishing attacks were back up in June, the Anti-Phishing Working Group said Tuesday, as the scams that continue to plague users and steal millions from financial institutions climbed to all-time records. The group, an association of more than 250 companies, tracked 1,422 new unique phishing attacks in June, an increase of 19% over May's 1,197, and more than 25% higher than the previous month's record.

    The average number of attacks per day was up even more: 47.4 in June versus 38.6 a day in May. In an earlier report this summer, the group noted that while May's first few weeks were thick with phishing scams, schemers seemed to take a vacation around Memorial Day. That vacation, obviously, is over. For the year so far, phishing has been growing about 52% per month. No wonder the scams are getting the attention of users and the financial organizations victimized by the attacks.

    The solution, said the group, lies in sender authentication, a scheme in which E-mail essentially "proves" to the recipient that it came from where it said it came from. "As phishing attacks continue to increase at a rate of more than 50%, enterprises must turn to authentication-based technologies," said Jeff Smith, CEO of Tumbleweed, the founding firm of the Anti-Phishing Working Group.

    The Internet Engineering Task Force is meeting in San Diego this week and is expected to approve the Sender ID standard, a blending of Microsoft's Caller ID and the Sender Policy Framework protocol by Friday.

    Shutting down address spoofing may be the best way to stop phishing, said the anti-phishing group's report, since 92% of all phishing E-mails use bogus addresses.

    In other analysis of phishing figures, the APWG noted that the average "life span" for a phishing site is a mere 2.25 days, an indication of how fast scammers cut and run--and thus how difficult it is to track them down. And for the first time, the group also did an in-depth analysis of a single phishing attack.

    Over a 12-day run during late June and early July, two banks were hit with identical attacks from a series of bogus sites hosted in multiple countries--including the United States, Uruguay, and South Korea--with the sites shifted daily during four of the days of the attack.

    "This indicates the participation of at least one well-orchestrated, systematic criminal organization in the phishing world," the anti-phishing group's report concluded. The analysis backs up claims by state and federal law enforcement that phishing is linked to organized crime based in Eastern Europe and the former Soviet Union.

    The top phishing targets didn't change in June. Citibank again had the dubious honor of being the most hijacked brand, accounting for 36% of all attacks, while eBay, US Bank, PayPal, and Fleet retained their May spots as two through five, respectively.

    Continued in the article
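    The "sender authentication" the APWG report calls for is what SPF does: the owner of a domain publishes, in DNS, which IP addresses may send mail for it, and the receiving mail server checks the connecting IP against that list. (Sender ID, the Microsoft blend mentioned above, applied the same record to a header address rather than the SMTP envelope sender; plain SPF, which is what survived, checks the envelope MAIL FROM domain.) The following Python is an added example written for this page, not code from the APWG, Tumbleweed or the IETF. It is a deliberately reduced evaluator: it supports the ip4, ip6, include and all mechanisms with their qualifiers and leaves out a, mx, ptr, exists, redirect and macros, which need live DNS; the SPF records in the lookup table are constructed for the demo and the domains are not real.

```python
"""Reduced SPF evaluator: is this IP allowed to send mail for this domain?

Added example for this page. FAKE_DNS stands in for TXT lookups; the
records and domains are constructed, not real.
"""
import ipaddress

FAKE_DNS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "lax.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=FAKE_DNS, _depth=0):
    """Evaluate `domain`'s SPF record for a connection from `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if _depth > 10:              # crude guard against include: loops
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"               # mechanisms default to a "pass" qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # an IPv4 address is never inside an IPv6 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only when the included record itself yields pass;
            # its -all does not propagate as a fail
            matched = check_spf(sender_ip, arg, dns, _depth + 1) == "pass"
        else:
            continue             # a, mx, ptr, exists: need live DNS, unsupported here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"             # no mechanism matched and no "all" term


def spf_for_envelope(mail_from, sender_ip, dns=FAKE_DNS):
    """Evaluate the SMTP envelope sender the way a receiving MTA would."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return check_spf(sender_ip, domain, dns)


if __name__ == "__main__":
    # a phishing run forging alerts@bank.example from an unlisted host
    print(spf_for_envelope("alerts@bank.example", "203.0.113.5"))
```

    The forged message from 203.0.113.5 fails because bank.example ends its record with -all; the same host passes for lax.example, and an address that is neither listed nor covered by a hard fail only softfails, which is why a receiver's policy on softfail matters as much as the record itself.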


    "Researchers create new system to address phishing fraud," PhysOrg, September 1, 2006 --- http://physorg.com/news76325493.html

    Carnegie Mellon University CyLab researchers have developed a new anti-phishing tool to protect users from online transactions at fraudulent Web sites. 

    A research team led by Electrical and Computer Engineering Professor Adrian Perrig has created the Phoolproof Phishing Prevention system that protects users against all network-based attacks, even when they make mistakes. The innovative security system provides strong mutual authentication between the Web server and the user by leveraging a mobile device, such as the user's cell phone or PDA.

    The system is also designed to be easy for businesses to implement. Perrig, along with engineering Ph.D. student assistants Bryan Parno and Cynthia Kuo, has developed an anti-phishing system that makes the user's cell phone an active participant in the authentication process to securely communicate with a particular Internet site.

    "Essentially, our research indicates that Internet users do not always make correct security decisions, so our new system helps them make the right decision, and protects them even if they manage to make a wrong decision," Perrig said. "Our new anti-phishing system, which operates with the standard secure Web protocol, ensures that the user accesses the Web site they intend to visit, instead of a phishing site posing as a legitimate business. The mobile device acts like an electronic assistant, storing a secure bookmark and a cryptographic key for each of the user's online accounts."

    Phoolproof Phishing Prevention essentially provides a secure electronic key ring that the user can access while making online transactions, according to Parno. These special keys are more secure than one-time passwords because the user can't give them away. So, phishers can't access the user's accounts, even if they obtain other information about the user, researchers said.

    Since the user's cell phone performs cryptographic operations without revealing the secret key to the user's computer, the system also defends against keyloggers and other malicious software on the user's computer. Even if the user loses the cell phone, the keys remain secure.

    Driving the need for this new tool is escalating consumer worries over online fraud -- a major barrier for a banking industry seeking to push consumers to do more of their banking online. More than 5 percent of Internet users say they have stopped banking online because of security concerns, up from 1 percent a year ago, according to industry reports.

    Complicating the concern for more secure financial sites is a looming deadline for new security guidelines from the Federal Financial Institutions Examination Council (FFIEC), a group of government agencies that sets standards for financial institutions. Last year, the FFIEC set a Dec. 31 deadline for banks to add online security measures beyond just a user name and password. Failure to meet that deadline could result in fines, the FFIEC said.
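    The two properties the CyLab description leans on, a key held only on the phone and bound to a bookmark of the legitimate site, can be shown in a few lines. The following Python is an added example written for this page, not the CMU Phoolproof code; the published system uses TLS client authentication with the phone checking the server's certificate, whereas here a random byte string stands in for the server's certificate public key, a SHA-256 of it stands in for the certificate fingerprint, and an HMAC with a shared per-account key stands in for the phone's signature (a real deployment would give the phone a key pair so the server never holds the phone's secret). Names such as bank.example and alice are constructed.

```python
"""Phone-held per-site key with a secure bookmark: a reduced model.

Added example for this page, not the Phoolproof implementation. The
PC relays nonce and server key between the phone and the server; it never
sees the account key, so a keylogger on it has nothing useful to capture.
"""
import hashlib
import hmac
import os


def fingerprint(pubkey):
    """Stand-in for a certificate fingerprint: SHA-256 of the server key."""
    return hashlib.sha256(pubkey).hexdigest()


class Phone:
    """The user's mobile device: a secure bookmark and a secret key per account."""

    def __init__(self):
        self.bookmarks = {}   # site name -> (expected fingerprint, secret key)

    def enroll(self, site, server_pubkey):
        key = os.urandom(32)
        self.bookmarks[site] = (fingerprint(server_pubkey), key)
        return key            # handed to the server once, at account setup

    def respond(self, site, presented_pubkey, nonce):
        entry = self.bookmarks.get(site)
        if entry is None:
            return None       # no bookmark: the user never enrolled with this site
        expected_fp, key = entry
        if not hmac.compare_digest(fingerprint(presented_pubkey), expected_fp):
            return None       # look-alike or man-in-the-middle presented a different key
        # response is bound to the bookmarked server and to this nonce
        return hmac.new(key, expected_fp.encode() + nonce, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.pubkey = os.urandom(32)   # stands in for the site's certificate public key
        self.users = {}

    def enroll(self, user, key):
        self.users[user] = key

    def challenge(self):
        return os.urandom(16)

    def verify(self, user, nonce, response):
        key = self.users.get(user)
        if key is None or response is None:
            return False
        expected = hmac.new(key, fingerprint(self.pubkey).encode() + nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    bank = Server()
    phisher = Server()   # says it is bank.example but holds its own key pair
    phone = Phone()
    bank.enroll("alice", phone.enroll("bank.example", bank.pubkey))

    # 1. Legitimate login: PC relays the bank's nonce and key to the phone.
    nonce = bank.challenge()
    response = phone.respond("bank.example", bank.pubkey, nonce)
    legit_ok = bank.verify("alice", nonce, response)

    # 2. Phishing site in the middle relays the bank's real nonce but can
    #    only present its own key; the phone refuses, even though the user
    #    "chose" the wrong site.
    relayed_nonce = bank.challenge()
    phished = phone.respond("bank.example", phisher.pubkey, relayed_nonce)
    phish_ok = bank.verify("alice", relayed_nonce, phished)

    # 3. A keylogger that captured the earlier response cannot replay it
    #    against a fresh challenge.
    replay_ok = bank.verify("alice", bank.challenge(), response)
    return legit_ok, phish_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

    The point the researchers make about one-time passwords shows up in case 2: a user can be talked into typing a one-time code into a phishing page, but cannot be talked into handing over a key they never see, and the phone's bookmark check means the wrong site gets no answer at all.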


    "Internet Con Artists Turn to 'Vishing'," PhysOrg, July 13, 2006 --- http://physorg.com/news71990250.html

    Internet con artists are turning to an old tool - the phone - to keep tricking Web users who have learned not to click on links in unsolicited e-mails.


    A batch of e-mails recently making the rounds were crafted to appear as if they came from PayPal, eBay Inc.'s online payment service. Like traditional phony "phishing" e-mails, these said there was some problem with the recipients' accounts.

    Phishing e-mails generally instruct recipients to click a link in the e-mail to confirm their personal information; the link actually connects to a bogus site where the data are stolen.

    But with Internet users wiser about phishing, the new fake PayPal e-mail included no such link. Instead it told users to call a number, where an automated answering service asked for account information.

    Security experts tracking this scam and other instances of "vishing" - short for "voice phishing" - say the frauds are particularly nefarious because they mimic the legitimate ways people interact with financial institutions.

    In fact, some vishing attacks don't begin with an e-mail. Some come as calls out of the blue in which the caller already knows the recipient's credit card number - increasing the perception of legitimacy - and asks just for the valuable three-digit security code on the back of the card.

    "It is becoming more difficult to distinguish phishing attempts from actual attempts to contact customers," said Ron O'Brien, a security analyst with Sophos PLC.

    Vishing appears to be flourishing with the help of Voice over Internet Protocol, or VoIP, the technology that enables cheap and anonymous Internet calling, as well as the ease with which caller ID boxes can be tricked into displaying erroneous information.

    The upshot: "If you get a telephone call where someone is asking you to provide or confirm any of your personal information, immediately hang up and call your financial institution with the number on the back of the card," said Paul Henry, a vice president with Secure Computing Corp. "If it was a real issue, they can address the issue."

    Continued in article

    "IRS Warns Phishing Scams Increasing," AccountingWeb, July 12, 2006 ---
    http://www.accountingweb.com/cgi-bin/item.cgi?id=102335

    The Internal Revenue Service (IRS) is reminding taxpayers to be on the lookout for bogus e-mails claiming to be from the tax agency, on the heels of a recent increase in scam e-mails.

    In recent weeks the IRS has experienced an increase in complaints about e-mails designed to trick the recipients into disclosing personal and financial information that could be used to steal the recipient’s identity and financial assets. Since November, 99 different scams have been identified. Twenty of those were identified in June, the highest number since the height of the filing season when 40 were identified in March.

    “The IRS does not send out unsolicited e-mails asking for personal information,” IRS Commissioner Mark W. Everson, said in a prepared statement. “Don’t be taken in by these criminals.”

    The current scams claim to come from the IRS, tell recipients that they are due a federal tax refund, and direct them to a web site that appears to be a genuine IRS site. The bogus sites contain forms or interactive web pages similar to the IRS forms or Web pages but which have been modified to request detailed personal and financial information from the e-mail recipients. In addition, e-mail addresses ending with “.edu” – involving users in the education community – currently seem to be heavily targeted.

    Many of the current schemes originate outside the United States. To date, investigations by the Treasury Inspector General for Tax Administration have identified sites hosting more than two dozen IRS-related phishing scams. These scam Web sites have been located in many different countries, including Argentina, Aruba, Australia, Austria, Canada, Chile, China, England, Germany, Indonesia, Italy, Japan, Korea, Malaysia, Mexico, Poland, Singapore and Slovakia, as well as the United States.

    Tricking consumers into disclosing their personal and financial information, such as secret access data or credit card or bank account numbers, is fraudulent activity which can result in identity theft. Such schemes perpetrated through the Internet are called “phishing” for information.

    The information fraudulently obtained is then used to steal the taxpayer’s identity and financial assets. Typically, identity thieves use someone’s personal data to empty the victim’s financial accounts, run up charges on the victim’s existing credit cards, apply for new loans, credit cards, services or benefits in the victim’s name and even file fraudulent tax returns.

    When the IRS learns of new schemes involving use of the IRS name or logo, it issues consumer alerts warning taxpayers about the schemes.

    The IRS also has established an electronic mailbox for taxpayers to send information about suspicious e-mails they receive which claim to come from the IRS. Taxpayers should send the information to phishing@irs.gov. Instructions on how to properly submit possibly fraudulent e-mails to the IRS may be found on the IRS web site at www.irs.gov. This mailbox is only for suspicious e-mails, not general taxpayer inquiries.

    More than 7,000 bogus e-mails have been forwarded to the IRS, with nearly 1,300 forwarded in June alone. Due to the volume of e-mails the mailbox receives, the IRS cannot acknowledge receipt or reply to taxpayers who submit possibly bogus e-mails.



    "Checking the Validity of Web Sites:  What can browsers tell me about how safe an e-commerce site is?" MIT's Technology Review, May 31, 2006 --- http://www.technologyreview.com/read_article.aspx?id=16946

    Q. What can browsers tell me about how safe an e-commerce site is?

    A. Security experts have long recommended that you look for the closed padlock at the bottom of the browser window to make sure your transactions are safe.

    Unfortunately, the presence of a padlock is no longer enough.

    Sites wishing to enable the padlock must obtain a digital certificate from any number of private companies known as certificate authorities.

    In the early days, the certificate authority performed a series of checks to make sure sites were really who they said they were. The authority may have asked for ID or a copy of a business license, or it may have checked information a site submitted against state business databases.

    Older authorities still do that, but some newer ones try to cut costs and corners by checking only that the site owns the domain name -- not the business said to run on that domain, said Johannes Ullrich, chief technology officer with the SANS Institute's Internet Storm Center.

    The difference in cost can be significant: Ullrich said a site may spend $20 for the domain-only check, compared with $100 or more for a traditional certificate. Consumers have no easy way to tell the difference.

    That doesn't mean the cheaper certificates are all suspect -- Ullrich's group even has one. But the variation opens the door for scammers known as phishers to easily obtain one and create a site that mimics a real bank's. Customers can then be tricked into revealing passwords and other sensitive details.

    Scammers ''realize that as awareness of phishing increases, one thing customers are doing is looking for a lock,'' said Tim Callan, group product marketing manager for VeriSign Inc., one of the old-style certificate authorities. ''As an anti-phishing measure, the padlock has become increasingly unimportant.''

    Melih Abdulhayoglu, chief executive of Comodo, another issuer of traditional certificates, said the padlock is still a good sign that a site is encrypted so sensitive information won't be leaked in transit, but ''you could be encrypting for the fraudsters for all you know.''

    So all certificates -- those with and without thorough checks -- are being put into question, because a customer is not likely to know what went on behind the scenes.

    Fortunately, change is on the way.

    Later this year, the certificate authorities that undergo thorough checks will mark their certificates differently. Browsers could then highlight sites with such high-assurance certificates. The address bar might turn green, for instance, when visiting such sites, distinguishing them from ones that carry only a padlock.

    Until then, still look for the closed padlock.

    If it's missing, or if a warning appears about a missing or expired certificate, that's a sign that something could be wrong. Newer browsers are trying to make the padlock easier to see -- in Firefox and Opera, for instance, the padlock is moved up top, next to the address bar.

    ''Just because you see the padlock, it doesn't mean it's meaningful, but it's not meaningless,'' said Greg Hughes, chief security executive at Corillian Corp., a provider of online banking technology.

    Comodo, meanwhile, has a free tool at http://www.vengine.com to help identify legitimate sites.

    But ultimately, it comes down to common sense.

    Ask yourself, is it a site you've done business with before? Is it a big operation located in the United States? Did you type in the Web address directly into the browser rather than click on an e-mail link? Is the address a familiar one, one that appears in a bank's brochure?

    Beau Brendler, director of Consumer Reports WebWatch, suggests that people also look for ''https'' -- the ''s'' for secure -- instead of just ''http'' in the address bar.

    ''If you see the padlock and more importantly the https, you've got a fairly good indication that the page is secure,'' he said. ''They are one element of several things to possibly look for.''

    But of course, he said, ''you're never necessarily guaranteed anything. There's a certain amount of risk in any transaction.''


    Beware of Employees Downloading ("Slurping") Confidential Data Into an iPod

    February 24, 2006 message from Claire Smith

    Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod and can search corporate networks for files likely to contain business-critical data. At a rate of about 100MB every couple minutes, it can scan and download the files onto the portable storage units in a process dubbed "pod slurping."

    "Beware the 'pod slurping' employee," Will Sturgeon, C|Net News, February 15, 2006 --- http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html

    A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft.

    Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod and can search corporate networks for files likely to contain business-critical data. At a rate of about 100MB every couple minutes, it can scan and download the files onto the portable storage units in a process dubbed "pod slurping."

    To the naked eye, somebody doing this would look like any other employee listening to their iPod at their desk. Alternatively, the person stealing data need not even have access to a keyboard but can simply plug into a USB port on any active machine.


    "Phight Phraud:  Steps to protect against phishing," by Steven C. Thompson, Journal of Accountancy, February 2006 --- http://www.aicpa.org/pubs/jofa/feb2006/thompson.htm

    There are several free products that fight phishing by disclosing whether the Web site you contact is legitimate:

    Netcraft Toolbar ( http://toolbar.netcraft.com ) works in both Internet Explorer and Firefox.

    Cloudmark Safety Bar ( www.cloudmark.com/products/safetybar ) only supports Internet Explorer.

    Mozdev.org TrustBar ( http://trustbar.mozdev.org )  works only in Firefox.

    Earthlink Toolbar ( www.earthlink.com/software/free/toolbar ).

    Microsoft also recently announced it is adding antiphishing features to Internet Explorer 6 and subsequent versions. The new phishing filter, which will require Windows XP SP2, will be available shortly in a beta version.


    Question
    What is spoofing?

    Answer
    From http://www.webopedia.com/TERM/s/spoof.html

    To fool. In networking, the term is used to describe a variety of ways in which hardware and software can be fooled. IP spoofing, for example, involves trickery that makes a message appear as if it came from an authorized IP address. Also see e-mail spoofing.

    Spoofing is also used as a network management technique to reduce traffic. For example, most LAN protocols send out packets periodically to monitor the status of the network. LANs generally have enough bandwidth to easily absorb these network management packets. When computers are connected to the LAN over wide-area network (WAN) connections, however, this added traffic can become a problem. Not only can it strain the bandwidth limits of the WAN connection, but it can also be expensive because many WAN connections incur fees only when they are transmitting data. To reduce this problem, routers and other network devices can be programmed to spoof replies from the remote nodes. Rather than sending the packets to the remote nodes and waiting for a reply, the devices generate their own spoofed replies.

    Also see "Spoofing Attack" at http://en.wikipedia.org/wiki/Spoofing_attack

    Spoofing is probably best known for faked Websites (either jokes or criminal spoofs) that lead users into thinking that they are at a legitimate site (such as eBay) when in fact they are at a faked reproduction.
    See http://www.paypalsucks.com/paypal-spoof-sites.shtml (this site has a great illustration of an eBay spoof)

    Critical Update: Phishing and Spoof sites are reaching epidemic levels. You MUST learn about this right now and take action. While PayPal is most often the target of "spoofers," there has been a recent rash of spoof sites for almost every site on the net: PayPal, Ebay, US Bank, Citibank, Wells Fargo, Bank of America, Yahoo, Hotmail, Washington Mutual, Commerce Bank, and ANY ONLINE SITE. Whatever you do, DO NOT click on the link in the email! If you actually have an account at one of the companies mentioned, go there by opening your browser and typing in the correct URL yourself.

    "Spoof sites" are web sites created by criminals to trick you into giving them your information. The sites are designed to copy the exact look and feel of the "real" site, in this case PayPal.com, but in fact, any information you enter will be going to criminals, not PayPal. These sites can be as simple as just copying the PayPal site via a "view, source" or built using advanced scripts so that for all intents and purposes, it looks and acts like the real PayPal site. After a thief builds such a site, they will usually email you (spam) saying things like "Your account is limited," or "We require additional information," or "Due to a security breach, we need to verify your information." This is known as "phishing." (Pronounced "fishing." To protect yourself against "phishing" see our Spyware Solutions page.)

    In the phishing email, there will be a link. It will look like https://www.PayPal.com/ ..., but in fact the email will hide the real address which will either be a string of numbers, or the PayPal.com URL followed by a bunch of cryptic looking information, or even something that resembles an email address. DO NOT CLICK on these links! It's like handing your car keys over to a chop-shop.
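The link tricks described above (a visible "https://www.PayPal.com/" hiding a numeric address, an "@" that pushes the real host out of sight, a brand name buried inside someone else's domain) can be checked mechanically. The following is an added example, not code from the quoted site or from any tool named on this page; the brand table, the lookalike-character table and the two-label domain rule are simplifying assumptions made for the demonstration.

```python
"""Spot the link tricks phishing e-mails use to disguise their real target.

Added example; the brand table and the two-label domain rule below are
simplifying assumptions made for this demonstration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed table: brand names a reader expects to see, and the domain
# that legitimately owns each one.
KNOWN_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}

# Lookalike substitutions seen in host names (e.g. paypa1.com); assumption.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

_HOST_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of HOST ('login.paypal.com' -> 'paypal.com').

    Assumption: two labels are enough here; production code would consult
    the Public Suffix List so that names such as 'bank.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_in_text(text: str) -> str:
    """Pull the host name a reader would see in the link's visible text, if any."""
    match = _HOST_IN_TEXT.search(text)
    return match.group(1).lower() if match else ""


def analyze_link(display_text: str, href: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append("target is not https (scheme: %r)" % parts.scheme)

    # 'http://www.paypal.com@203.0.113.5/': everything before '@' is userinfo,
    # not the host; the browser connects to the part after '@'.
    if parts.username is not None:
        findings.append("'@' in URL: text before it (%r) is not the host, %r is"
                        % (parts.username, host))

    if is_ip_literal(host):
        findings.append("target host is an IP address (%s), not a domain name" % host)

    shown = host_in_text(display_text)
    if shown and host and registrable_domain(shown) != registrable_domain(host):
        findings.append("visible text shows %s but the link goes to %s"
                        % (shown, host))

    # A brand name inside somebody else's domain, e.g.
    # 'www.paypal.com.cgi-bin-webscr.example' or 'www.paypa1-secure.com'.
    normalized = host.translate(HOMOGLYPHS)
    for brand, legit_domain in KNOWN_BRANDS.items():
        if brand in normalized and registrable_domain(host) != legit_domain:
            findings.append("host %s contains brand '%s' but is not %s"
                            % (host, brand, legit_domain))
    return findings


if __name__ == "__main__":
    # Constructed samples in the style the quoted passage describes.
    samples = [
        ("https://www.PayPal.com/", "https://www.paypal.com/"),
        ("https://www.PayPal.com/", "http://192.0.2.10/cgi-bin/webscr"),
        ("https://www.PayPal.com/", "http://www.paypal.com@203.0.113.5/login"),
        ("Click here to verify", "https://www.paypal.com.cgi-bin-webscr.example/"),
        ("https://www.paypal.com/", "https://www.paypa1-secure.com/"),
    ]
    for text, target in samples:
        print(text, "->", target)
        for finding in analyze_link(text, target) or ["looks consistent"]:
            print("   ", finding)
```

The check only reads the link itself; it says nothing about whether the site behind a clean-looking URL is genuine, which is why the quoted advice to type the address yourself still stands.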


    A fast-spreading variation on the long-running Sober worm is using extremely effective tactics to trick users.
    "New Sober Worm Spoofs FBI, CIA," by Gregg Keizer, InformationWeek, November 22, 2005 --- http://www.informationweek.com/story/showArticle.jhtml?sssdmh=dm4.159017&articleID=174401321

    A new variation of the long-running Sober worm uses extremely effective tactics to trick users into infecting their PCs, security companies said Tuesday, including posing as messages from the FBI and CIA. Sober.w -- called Sober.x by Symantec, and Sober.z by Sophos and F-Secure -- is spreading rapidly, said security experts, fast enough for vendors to have amplified their threat levels Tuesday. Symantec raised its warning to a "3" in its 1 through 5 scale, the first time since the Zotob outbreak in August that the Cupertino, Calif.-based anti-virus vendor has taken a worm to that threat level.

    "The rate of its spread is quite high," said Sam Curry, vice president of Computer Associates’ eTrust security group, who also called the raw number of infections "still relatively low, but growing."

    U.K.-based MessageLabs disagreed with the second half of Curry's estimate, however. "The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months," spokesman Chaim Haas said. By mid-Tuesday, MessageLabs had stopped nearly 3 million copies of the worm from reaching its customers' inboxes.

    Sophos, another U.K.-based anti-virus vendor, said that its tallies showed this Sober now accounting for 61 percent of all malware.

    Sober.w is the most recent example of the two-year-old Sober family, and shares important characteristics with other variants, including bilingualism (messages arrive in either English or German), address hijacking, and mass-mailing.

    Computer Associates' Curry believes the fast spread is due to better-than-average technical skills. "It's using slightly more effective techniques," said Curry, "including running three separate [SMTP] processes. That's becoming somewhat common, because the more simultaneous processes a worm runs, the more copies it can blitz out."

    Others, however, credit the enticing bait dangled by the worm for its success. "I just don't see any technical reason why this has popped," said Alfred Huger, senior director of engineering for Symantec's security response team. Instead, he points to the worm's social engineering tricks, which include posing as a message from the CIA or FBI (English), or the Bundeskriminalamt, the German national police agency most like the FBI (German).

    These messages, with spoofed return addresses such as "mail@cia.gov" and "admin@fbi.gov," claim that "We have logged your IP-address on more than 30 illegal Websites," and demand that the user open the attached .zip file, which supposedly contains questions to answer.

    The FBI, in fact, took the unusual step Tuesday of issuing a statement saying that the messages were bogus. "These e-mails did not come from the FBI," the agency said. "Recipients of this or similar solicitations should know that the FBI does not engage in the practice of sending unsolicited e-mails to the public in this manner."

    "This variant of Sober may catch out the unwary as they open their e-mail inbox," said Graham Cluley, senior technology consultant at Sophos, in a statement Tuesday. "Every law-abiding citizen wants to help the police with their inquiries, and some will panic that they might be being falsely accused of visiting illegal websites and click on the unsolicited email attachment."

    Sober's creator or creators are unknown, although suspicions have long placed them in Germany. Recently, the Bavarian state police (Bayerisches Landeskriminalamt) predicted the release of a minor Sober variant the next day, leading to conjecture by security analysts that the police may be on the trail of the hackers. No arrests have been made of anyone accused of writing a Sober worm. The FBI urged users who had received the Sober.w worm to report it to the Internet Crime Complaint Center.


    People continuing to fall for hurricane victim scams
    If you see an e-mail this weekend asking you to donate to the victims of Hurricane Wilma, be careful. A scammer may be "phishing" in your e-mail inbox. "Phishing" scams, in which e-mails and Web sites made to look official are used to trick people out of their credit card numbers or other personal information, are on the rise. And with people continuing to fall victim and new opportunities to put a different face on the same scam -- the hurricane relief efforts among the latest -- it appears that phishing attacks are here to stay.
    Mike Musgrove, "'Phishing' Keeps Luring Victims," The Washington Post, October 22, 2005 --- http://www.washingtonpost.com/wp-dyn/content/article/2005/10/21/AR2005102102113.html?referrer=email


    "Authorities Arrest Accused Identity Thief Who Conned 3 Universities," by Hurley Goodall, Chronicle of Higher Education, February 4, 2008 ---
    Click Here

    Federal agents arrested a woman on Saturday who was under investigation for stealing identities to gain admission to three universities, according to the Associated Press.

    The woman, Esther Elizabeth Reed, was arrested in a Chicago suburb under a federal warrant. She had been sought since July 2006, just before she was revealed as an impostor, and was listed as one of the U.S. Secret Service’s top fugitives. A federal grand jury indicted her last September on charges of wire fraud, mail fraud, false identification documents, and aggravated identity theft.

    In addition to using stolen identities to gain admission three times, the authorities said, Ms. Reed managed to obtain $100,000 in student loans. At one of the institutions, Columbia University, she is said to have studied criminology and psychology for two years under the name Brooke Henson — a woman who, according to the New York Post, has been missing since 1999.

    Ms. Reed also was admitted to California State University at Fullerton and Harvard.

     


    Question
    What is pharming and why is it the most dangerous form of phishing and spoofing?

    Answer
    Pharming is a form of spoofing that uses Trojan horse programs, worms, or other malware to tamper with how the browser resolves the address typed into its address bar, and it is more dangerous than ordinary phishing. Users who type in a valid URL are redirected to the criminals' website instead of the intended, legitimate site.

    See http://en.wikipedia.org/wiki/Pharming

    Identity theft warning forwarded on July 13, 2005 by James P. Borden [jborden119@comcast.net]

    Bob,

    Thought you might find this useful.

    Best regards,

    Jim Borden
    Villanova University

    "Identity Thieves Employ High-Tech Tactics," by Aleksandra Todorova, SmartMoney.com

    Thanks to technology advances, identity thieves no longer need to dumpster-dive in search of your private information. Now, sensitive data can easily land in their hands while you're shopping, browsing the Internet or simply visiting your dentist. Here are five of the latest high-tech forms of identity theft, according to Truecredit, a unit of credit-reporting bureau TransUnion, along with ways consumers can protect themselves.

    1. Pharming.
    You've probably heard of "phishing," a form of identity theft where fake emails are sent out, asking you to urgently update your bank account or credit-card information, which is then sent to identity thieves. Now phishing has evolved into "pharming," where thieves create fake Web sites similar to the Web sites of banks or credit-card companies. When consumers who don't know the difference try to log in, their account information is sent along to the thieves. These Web sites get traffic through phishing, explains Nicole Lowe, credit education specialist at Truecredit.com, or with the help of computer viruses that automatically redirect traffic from specific Web addresses, such as those for banks, credit-card companies or shopping Web sites.

    To avoid pharming, look out for anything strange or new in the site's Web address, or URL, Lowe recommends. You can also browse the Web site in depth. The crooks likely haven't recreated all its layers.

    2. Gas stations.
    Every time you swipe your credit or debit card at the gas pump, your information is sent via satellite to your bank for verification. According to Truecredit, identity thieves have now invented a way to hijack that information by modifying the program that carries out the data transfer so that your credit-card number is sent to them at the same time it's sent to your bank. While there isn't a way to detect when your data are being stolen, Lowe recommends using only credit cards at the pump as a precaution. With debit or check cards, it takes a while for fraudulent purchases to be credited back into your checking account, while credit-card companies will remove any disputed charges from your account immediately.

    3. International skimming.
    According to Truecredit, skimming occurs when your credit card is run through a small reader, similar to those used in grocery stores, which captures your card information for future use by identity thieves. This form of fraud is common in the service industry here in the U.S., and anywhere abroad. Be on the lookout when paying with a credit card in a restaurant that you're not familiar with, Lowe recommends. If you don't feel comfortable letting your card out of sight, use cash or walk over to the cash register to pay your bill. When traveling abroad, use only one credit card so it's easier to detect any fraudulent charges.

    4. Keystroke catchers.
    These small devices are attached to the cable that connects your keyboard to your computer and can be bought online for a little over $100. The "catcher" resembles a standard connector, but contains a memory chip that records everything you type. It's typically used in public places where computers are available, such as libraries, Internet cafes and college computer labs. To protect yourself when using a public computer, never shop online, check your bank account, pay bills or enter your credit-card information.

    5. Database theft.
    Chances are, your personal information is part of numerous databases, including those at your dentist and doctor's offices, your college or university admissions office, your mortgage and insurance companies, even your local Blockbuster. While there's little you can do about the way those companies safeguard your information, you can try limiting their access to sensitive data, such as your Social Security number, says Lowe. Your cable company and DVD rental store, for example, have no need to know your Social Security number and should agree to an alternative, such as the last few digits of your driver's license number.
    http://biz.yahoo.com/special/survive05_article1.html

     


    Do-it-yourself phishing kits are freely available on the Internet, a security firm says, and they will lead to more scams sent to online consumers. "Until now, phishing attacks have been largely the work of organized crime gangs," says Graham Cluley, a senior technology consultant at U.K.-based security vendor Sophos.  "But the emergence of these 'build-your-own-phish' kits mean that any old Tom, Dick, or Harry can now mimic bona fide banking Web sites and convince customers to disclose sensitive information such as passwords, PIN numbers, and account details," he says.
    Gregg Keizer, InformationWeek, August 19, 2004 --- http://www.informationweek.com/story/showArticle.jhtml?articleID=29112029

     

    The Anti-Phishing Working Group is an international association dedicated to the elimination of fraud and identity theft on the internet from phishing, pharming and spoofing. Their site contains up-to-date reports on the extent of such activities. Anti-Phishing Working Group
    From Gerald Trite's Blog, March 3, 2005 --- http://www.zorba.ca/blog.html 

     

     

    What is SpoofStick?
    SpoofStick is a simple browser extension that helps users detect spoofed (fake) websites. A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places - hoping that some percentage of users won't notice the incorrect URL and give away important information. This practice is sometimes known as “phishing".
    From CoreStreet --- http://www.corestreet.com/spoofstick/

     

    "Avoid 'Pharming' Scams," The Wall Street Journal, May 24, 2005; Page D1 --- http://online.wsj.com/article/0,,SB111688741618841089,00.html?mod=todays_us_personal_journal

    The Problem:
    An identity-theft technique called "pharming" is particularly hard to detect.

    The Solution:
    With pharming, no matter what Web address you type in, scamsters are able to redirect you to fraudulent Web pages where they then try to capture your personal financial information. To protect yourself, if you're using sites where you have to give over a credit-card number or other sensitive data, make sure the sites are secure. One sign of security: the Web address begins with "https:" not just "http:".

    While other scams such as phishing and spyware are still more prevalent, there is a danger that pharming will become increasingly common, security experts say. That's because thieves alter Internet routing information such that it appears as if you're still going to the correct Web address. Another sign that you're on a secure site: A small padlock icon will sometimes appear along the bottom edge of the screen when you view a Web page.

     

    It started out as just a few malcontents in third world countries, but now the threat has hit the big time. Phishing joins numbers running, drug smuggling and currency fraud as yet another tool of organized crime.
    Phishing, which first appeared more than 10 years ago, has grown from humble roots to become the international electronic crime of choice for amateurs and professionals alike.  In its simplest form, phishing involves sending out fake e-mail messages that ask recipients to enter personal information, such as bank account numbers, PINs or credit card numbers, into forms on Web sites that are designed to mimic bank or e-commerce sites.
    Dennis Fisher, "Phishing Is Big Business," eWeek, March 7, 2005 --- http://www.eweek.com/article2/0,1759,1772523,00.asp 

    MasterCard is making some effort to prevent identity theft
    For nearly a year, the company has been striving to close down Web sites that sell or share stolen MasterCard credit-card information, and "phishing" or "spoof" sites that use MasterCard's name or logo to trick consumers into divulging confidential information. Since last June, the company has detected 35,045 MasterCard numbers for sale or trade on the Internet, and has shuttered 766 sites trafficking in such information. It has closed down 1,378 phishing sites.
    Mitchell Pacelle, "How MasterCard Fights Against Identity Thieves," The Wall Street Journal, May 9, 2005; Page B1 --- http://online.wsj.com/article/0,,SB111559589681527765,00.html?mod=todays_us_marketplace

    "Few companies have to tell when identity thieves strike:  Consumers don't learn they're in danger — until the bills arrive," USA Today, February 28, 2005 --- http://www.usatoday.com/printedition/news/20050228/edit28x.art.htm

    The Federal Trade Commission (FTC) received 246,570 identity theft complaints last year, and the problem actually is much worse: 9.9 million people (about one in every 30 Americans) were victims of identity theft in a one-year period starting in spring 2002, according to an FTC survey. Thieves use the data to get credit cards, pilfer bank accounts and take over identities for future thefts.

    Several factors give them the upper hand:

    • Companies hide break-ins. Many companies react as ChoicePoint did initially. They keep quiet after computers are hacked, fearing lawsuits and damaged reputations.

    • Police are busy elsewhere. Local police are often reluctant to pursue cases. The amounts, while large to an individual, seem small compared with other monetary crimes. Often the consumer lives in one state, the thief in another. Federal authorities can act, but only about 1 in 700 cases of identity theft resulted in a federal arrest in 2002, according to Avivah Litan, a cybercrime expert with the Gartner research firm.

    • Oversight is weak. Identity theft is a relatively new crime and, outside of California, governments haven't yet geared up to address it. The rising industry of data brokers has little oversight, and rules for financial institutions aren't up to the task.

    The good news is that the ChoicePoint breach is prompting several states, including Georgia, New Hampshire, New York and Texas, to consider bills patterned on the California notification law. Several U.S. senators are pushing a federal law.

    Continued in article

    July 11, 2005 warning forwarded by Scott Bonacker [cpa@bonackers.com]

    Professor Jensen - Something for your tidbits?

    Note - to restore the link, delete the carriage return/linefeed so that "columnItem" is immediately followed by "/0,294698"


    Scott Bonacker, CPA
    McCullough Officer & Co, LLC
    Springfield, Missouri
    Phone 417-883-1212
    Fax 417-883-4887

    > -----Original Message-----
    > From: Spam Prevention Discussion List
    > Sent: Monday, July 11, 2005 9:37 AM
    > Subject: MEDIA: [infowarrior] -
    > Phishing for the missing piece of the CardSystems puzzle]
    >
    > [ Yet another illustration that the relationships between various
    > forms of 'net abuse can be complex. In this case, spam, phishing,
    > data theft and identity theft all converge.
    > I think this illustrates that even if we could wave our magic wand and
    > make SMTP spam vanish forever...we'd be far, far from out of the
    > woods. ---Rsk ]
    >
    > ----- Forwarded message from infowarrior.org -----
    >
    > > Date: Sun, 10 Jul 2005 22:07:56 -0400
    > > Subject: [infowarrior] - Phishing for the missing piece of the
    > > CardSystems puzzle


    http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1102336,00.html

    > > Phishing for the missing piece of the CardSystems puzzle
    > >
    > > By Donald Smith
    > > 07 Jul 2005 | SearchSecurity.com
    > >
    > > A banking insider examines the ties between customized phishing
    > > attacks this spring and the CardSystems breach announced
    > soon after.
    > > Don't miss his revelations on how they're linked and what
    > the phishers
    > > really needed.
    > >
    > > Perhaps you heard about customized phishing scams when they began
    > > circulating back in May, in which actual credit card data
    > was used to
    > > lure consumers into divulging even more secrets. But did you know
    > > these scams could very well be the first externally visible
    > result of
    > > the CardSystems breach, before it was made public in June?
    > >
    > > -/SNIP/-
    > >
    > > About the author
    > > Donald Smith is the IT audit manager for The Mechanics Bank of
    > > Richmond, Calif. Smith's opinions are his own, and not those of The
    > > Mechanics Bank.
    > >
    > > You are a subscribed member of the infowarrior list. Visit
    > >  www.infowarrior.org  for list information or to unsubscribe. This
    > > message may be redistributed freely in its entirety. Any and all
    > > copyrights appearing in list messages are maintained by
    > their respective owners.
    > >
    >
    > ----- End forwarded message -----
     

    Bob Jensen's threads on Identity Theft --- http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 


    Question
    What is fraudulent "pretexting?"

    Answer
    "AICPA Warns of Possible Pretexting Calls," AccountingWeb, June 28, 2005 ---
    http://www.accountingweb.com/cgi-bin/item.cgi?id=101050

    The Federal Trade Commission (FTC) defines “pretexting” as the practice of getting personal information under false pretenses. Pretexters will use a variety of excuses in an attempt to gain personal information. Once they obtain the personal information they are seeking, they may sell it to people who will use it for identity theft or use it themselves to investigate or stalk an individual. Some personal information is a matter of public record, including home- or property-ownership, real estate taxes and whether a person or firm has ever filed for bankruptcy. It is not pretexting to collect this type of information.

    It is, however, illegal for anyone to obtain customer information from a financial institution or a customer of a financial institution by:

    Human resources experts advise that a business must disclose certain information in order to verify employment history. Because laws governing what an employer can and cannot say about employees are often complex, it is recommended all calls requesting personal information be transferred to a representative of the human resources or personnel departments when they cannot be transferred directly to the person that is being inquired about. Firms receiving calls from suspect “AICPA employees” are also asked to contact Jay Rothberg, AICPA Vice President at jrothberg@aicpa.org .

    For about $100 anyone can buy your cell phone records

    "I still know who you called last month," by Bob Sullivan, The Red Tape Chronicles, MSNBC, November 22, 2005 --- http://redtape.msnbc.com/2005/11/its_actually_ob.html

    It's actually obscene what you can find out about people on the Internet.

    Take cell phone records -- literally. Your cell phone bills are there for the taking, for about $100 a month. Dozens of Web sites offer this service -- one month, or one year. Every call, every phone number. However scary that sounds, it won't really hit you until you see it for yourself -- so click here for an example of what's out there. Then hit "back" in your browser, and let me explain.

    Who your friends are. How to contact them. Even where you were. All those crumbs are on sale. Right now. Online. To anyone.

    It may be outrageous, but it's not new. MSNBC.com first wrote about this problem in October 2001, in a story titled "I know who you called last month."

    The problem was exposed years earlier by a private investigator named Rob Douglas. Banking records, home phone long-distance calling, even medical information, were all for sale, he told Congress. Once a buyer of that kind of information, Douglas came to believe the practice was unethical, unfair and maybe even illegal -- and he began a crusade against the industry, eventually founding PrivacyToday.com.

    During hearings in 1998 and 2000, Douglas told Congress that private investigators simply pretend to be their targets, call up the phone companies involved, and ask for the data they want. Someone who wanted John Smith's cell phone records would just call up the cell company claiming to be John Smith and ask for a duplicate copy of last month's bill. It usually worked. In the business, it's known as "pretext" calling -- calling and asking for records under a false pretext. It was that easy.

    Since then, reporters around the world have proved Douglas' point by purchasing all kinds of interesting cell phone records. Most recently, Maclean's magazine purchased the records of Canadian federal privacy commissioner Jennifer Stoddart.

    Still, all those Web sites selling all those records keep advertising their services.

    But finally, someone seems to be noticing. In July, the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission, asking for an investigation. A month later, EPIC asked the Federal Communications Commission to alter its regulations to make cell phone companies more accountable.

    At about the same time, Sen. Charles Schumer, D-N.Y., introduced legislation designed to crack down on the sale of cell phone records by pretext callers. More recently -- just last week -- Sen. Ed Markey, D-Mass., sent a letter to both the FTC and the FCC demanding action.

    Verizon steps up to the plate
    But most important, a cell phone company has finally stepped forward and said it can't take it any more. In July, Verizon sued a Web site named SourceResources.com for selling its customers' cell phone records. In September, the site settled with Verizon, agreeing to discontinue sales, and to tell Verizon how it managed to obtain the customer records. Verizon spokesman Tom Pica won't say what the company has learned from the trove of information. But it appears Verizon is in it for the long haul; on Nov. 2, the firm went after another alleged pretext Web site, a Florida company named Global Information Group. Pica said Global Information agents made "thousands of attempts" to trick Verizon customer service representatives into divulging phone records.

    Kudos to Verizon for taking the issue on. For some time, cell phone companies have been operating like the ostrich -- pretending the problem didn't exist would make it go away. In truth, cell phone firms were afraid to take on the issue because doing so would be a tacit admission that there's a problem. To sue Global and SourceResources, Verizon had to admit these firms managed to steal data, something companies are often reluctant to do.

    But it's time to do something. Back in 2001, after Douglas testified before Congress, he helped orchestrate a sting operation against private investigators called Operation Detect Pretext. It specifically targeted firms selling banking information; most sell the same slate of personal data, including cell phone records.

    Undeterred by FTC investigation
    Initially, Douglas said, the Federal Trade Commission identified 1,500 firms advertising such services, both online and offline. The list was pared to 200 firms, which received warning notices. Then, about a dozen were targeted for stings. FTC investigators using techniques designed by Douglas called those firms, purchased data and recorded the conversations to be used as evidence in later legal action. Eventually, three firms were sued. None was put out of business. In fact, one of the three still operates -- Information Search Inc. On its site, it laments restrictions placed on its business by the FTC. And while the site indicates the firm no longer sells banking information without a permissible purpose, Information Search Inc. does still sell cell phone records.

    "We talk all the time about securing information, and yet all of these companies are being duped by the easiest of scams," Douglas says.

    Five years after his sting operation, pretext calling still thrives. That's why Douglas says he doesn’t hold out much hope that law enforcement will solve the problem of cell phone records for sale.

    For now, Verizon's willingness to admit there's a problem, and to put legal muscle into the fight against those who would steal customer data, is the most hopeful sign.

    Lack of imagination
    Still, EPIC's Chris Hoofnagle has so far been disappointed by other telecommunications companies and what he describes as a "hostile" response to his complaint. They've so far resisted calls for higher security standards. But simple steps could make a big difference, like sending letters to account holders after toll records are requested. Even a text message to the cell phone saying a request had been made would alert consumers that there's a problem.

    "The cell phone companies so far have suffered from a lack of imagination," Hoofnagle said.

    For now, Douglas says, Verizon's initial legal forays haven’t deterred pretext calling -- and a simple Google search supports his claim. That means even bolder action is required. This is no mere philosophical debate for privacy advocates. Stolen cell phone records and information sold by data thieves and pretext callers have led to embarrassment, unfair harassment, even murder. Reporters used the records to find and hassle families in the Columbine tragedy. In the Internet's most celebrated murder case, stalker Liam Youens purchased Amy Boyer's Social Security number and name of her employer from a data seller named Docusearch. He then showed up at Boyer's office and shot her to death.

    On Youens' personal Web site was a simple indictment we would all do well to heed.

    "It's actually obsene [sic] what you can find out about people on the Internet."
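    The article above describes the attack from the carrier's side: a pretext caller working through customer-service representatives, often making "thousands of attempts" across many accounts, and retrying until a verification check finally passes. The following is an added example, not part of Sullivan's article or any carrier's system, showing the kind of detection a records-request desk can run over its own call log to surface that pattern. The log format, the caller IDs and account numbers, and the thresholds (three distinct accounts in 24 hours; a verified request right after a failed one) are all constructed assumptions to be tuned against real traffic.

```python
"""Added example: spotting pretext-call patterns in a customer-service request log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article):
# time, caller ID, account requested, request type, verification outcome
SAMPLE_LOG = """\
2005-11-01T09:02:00,+15550100,ACCT-1001,duplicate_bill,verified
2005-11-01T09:05:00,+15550100,ACCT-1002,duplicate_bill,failed
2005-11-01T09:07:00,+15550100,ACCT-1002,duplicate_bill,verified
2005-11-01T09:20:00,+15550100,ACCT-1003,call_detail,failed
2005-11-01T09:31:00,+15550100,ACCT-1004,call_detail,verified
2005-11-01T09:40:00,+15550100,ACCT-1005,duplicate_bill,verified
2005-11-01T10:00:00,+15550199,ACCT-2001,duplicate_bill,verified
2005-11-02T14:00:00,+15550199,ACCT-2001,address_change,verified
"""

# Request types that release call records (assumption for this example)
RECORD_REQUESTS = {"duplicate_bill", "call_detail"}


def parse_log(text):
    """Parse the comma-separated log into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, account, request, outcome = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "caller": caller,
                       "account": account, "request": request, "outcome": outcome})
    events.sort(key=lambda e: e["time"])
    return events


def detect_pretext_patterns(text, window=timedelta(hours=24), account_threshold=3):
    """Return alerts for (a) one caller ID asking for records on many different
    accounts inside `window`, and (b) a records request verified on the same
    account after an earlier failed verification (retry-until-it-works)."""
    events = parse_log(text)
    alerts = []
    by_caller = defaultdict(list)
    for e in events:
        if e["request"] in RECORD_REQUESTS:
            by_caller[e["caller"]].append(e)

    for caller, evs in by_caller.items():
        # Rule (a): distinct accounts touched by this caller within any `window`
        for i, e in enumerate(evs):
            recent = [x for x in evs[: i + 1] if e["time"] - x["time"] <= window]
            accounts = {x["account"] for x in recent}
            if len(accounts) >= account_threshold:
                alerts.append({"rule": "many_accounts", "caller": caller,
                               "accounts": sorted(accounts), "at": e["time"].isoformat()})
                break  # one alert per caller is enough to open a ticket
        # Rule (b): failed verification followed by success on the same account
        seen_failure = set()
        for e in evs:
            if e["outcome"] == "failed":
                seen_failure.add(e["account"])
            elif e["outcome"] == "verified" and e["account"] in seen_failure:
                alerts.append({"rule": "verified_after_failure", "caller": caller,
                               "accounts": [e["account"]], "at": e["time"].isoformat()})
                seen_failure.discard(e["account"])
    return alerts


if __name__ == "__main__":
    for alert in detect_pretext_patterns(SAMPLE_LOG):
        print(alert)
```

    Either alert is a reason to hold the records and notify the account holder out of band, which is exactly the "letter or text message after a request" control Hoofnagle asks for later in the article; the second rule is the more useful one in practice, because a legitimate customer rarely fails verification and then passes it two minutes later.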

     

    Spy Tools --- http://locate-unlisted-phone-numbers.com/ 
    (I really don't know how legitimate this outfit really is and make no endorsements of its services)

    Find and Trace:
    Unlisted Numbers
    Cell Phone Numbers & Codes
    E-mail Addresses

    Protect Privacy:
    Anonymous Surfing
    Anonymous E-mail
    Erase Your Tracks

    Monitor Your PC:
    See the Pictures Your Kids, Mate or Employees Viewed Days, Weeks or Months Ago
    See the Web Sites They Visit While You're Not Around
    Find Hidden and Alternate Screen Names People May be Using to "Play" Online

    Also see http://www.letsinvestigate.net/investigation/index.html

    Unlisted phone numbers --- http://ww182.voipinternetphone.info/


    Cookies = Applets that enable a web site to collect information about each user for later reference (as in finding cookies in the cookie jar). Web browsers like Netscape Navigator set aside a small amount of space on the user's hard drive to record detected preferences.  Cookies perform storage on the client side that might otherwise have to be stored in a generic-state or database server on the server side. Cookies can be used to collect information for consumer profile databases. Browsers can be set to refuse cookies. 

    Many times when you browse a website, your browser checks to see if you have any pre-defined preferences (a cookie) for that server; if you do, it sends the cookie to the server along with the request for a web page. Sometimes cookies are used to collect items of an order as the user places things in a shopping cart and has not yet submitted the full order. A cookie allows WWW customers to fill their orders (shopping carts) and then be billed based upon the cookie payment information. Cookies retain information about a user's browsing patterns at a web site. This creates all sorts of privacy risks, since information obtained from cookies by vendors or any persons who put cookies on your computer might be disclosed in ways that are harmful to you.  Browsers will let you refuse cookies with a setup that warns you when someone is about to deliver a cookie, but this really disrupts Web surfing and may block you from gaining access to many sites.  It is probably better to accept cookies for a current session and then dispose of unwanted cookies as soon as possible so that cookie senders do not obtain repeated access to your private information.  Microsoft Corporation has added the following utilities to the Internet Explorer (IE) browser according to http://www.cnn.com/2000/TECH/computing/07/21/ms.cookies.idg/ 

    The Internet Explorer 5.5 changes include the following:

    • Notifications that Microsoft said will help users differentiate between first- and third-party cookies, plus automatic prompts that inform users anytime a third-party cookie is being offered by a Web site.

    • A "delete all cookies" control button that has been added to the browser's main "Internet options" page to make it easier for users to get rid of cookies.

    • New topics that have been added to Internet Explorer's help menu to better answer questions about cookies and their management.
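    The two paragraphs on cookies and the Internet Explorer 5.5 changes above describe four browser behaviours: the browser stores what a site hands it, sends it back on later requests to that site, tells first-party cookies from third-party ones (a cookie set by an ad or tracker embedded in the page you are actually viewing), and can delete them all. The following toy cookie jar is an added example, not code from the page, from Microsoft or from any browser; it implements those behaviours plus the Secure and HttpOnly checks a real browser applies. The host names, cookie names and the "last two labels" rule for deciding whether two hosts are the same site are constructed assumptions for the demonstration.

```python
"""Added example: a toy cookie jar showing what a browser stores and what it sends back."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def same_site(host_a, host_b):
    # Simplification (assumption): hosts are "same site" when their last two labels match.
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


class CookieJar:
    """Stores cookies per (domain, path, name) and applies the checks a browser applies."""

    def __init__(self, block_third_party=False):
        self.store = {}
        self.block_third_party = block_third_party
        self.refused = []  # (host, cookie name) pairs turned away, for the user prompt

    def receive(self, response_url, set_cookie_headers, page_url=None):
        """Record Set-Cookie headers from a response. page_url is the top-level page
        being viewed; a response from another site (an embedded ad or tracker pixel)
        carries a third-party cookie, refused when block_third_party is set."""
        host = urlparse(response_url).hostname
        page_host = urlparse(page_url or response_url).hostname
        third_party = not same_site(host, page_host)
        accepted = []
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                if third_party and self.block_third_party:
                    self.refused.append((host, name))
                    continue
                domain = (morsel["domain"] or host).lstrip(".")
                path = morsel["path"] or "/"
                self.store[(domain, path, name)] = {
                    "value": morsel.value,
                    "secure": bool(morsel["secure"]),      # only ever sent over https
                    "httponly": bool(morsel["httponly"]),  # hidden from page scripts
                    "third_party": third_party,
                }
                accepted.append(name)
        return accepted

    def cookies_for(self, request_url):
        """Cookies the browser would attach to a request: domain match, path-prefix
        match, and Secure cookies only when the request is https."""
        u = urlparse(request_url)
        host, path, https = u.hostname, u.path or "/", u.scheme == "https"
        out = {}
        for (domain, cpath, name), c in self.store.items():
            if host != domain and not host.endswith("." + domain):
                continue
            if not path.startswith(cpath):
                continue
            if c["secure"] and not https:
                continue
            out[name] = c["value"]
        return out

    def script_visible(self, request_url):
        """Names a page script could read through document.cookie (HttpOnly excluded)."""
        sent = self.cookies_for(request_url)
        return sorted(n for (_, _, n), c in self.store.items()
                      if n in sent and not c["httponly"])

    def delete_all(self):
        """The 'delete all cookies' button: returns how many were dropped."""
        count = len(self.store)
        self.store.clear()
        return count


def demo(block_third_party):
    """Constructed scenario: a shop page that embeds a tracker pixel from another site."""
    jar = CookieJar(block_third_party=block_third_party)
    page = "https://shop.example.com/cart"
    jar.receive(page, ["cart=item42; Path=/; Secure; HttpOnly", "theme=dark; Path=/"])
    jar.receive("https://ads.tracker.test/pixel.gif",
                ["uid=7733; Domain=.tracker.test; Path=/"], page_url=page)
    return jar


if __name__ == "__main__":
    jar = demo(block_third_party=False)
    print("sent to shop:", jar.cookies_for("https://shop.example.com/checkout"))
    print("sent to tracker:", jar.cookies_for("https://ads.tracker.test/pixel.gif"))
    print("refused when blocking third party:", demo(True).refused)
```

    Run with third-party blocking off, the tracker's uid cookie comes back on every later request to that tracker, from whatever page embeds it, which is the profiling the text warns about; with blocking on, the jar refuses it and records the refusal so the browser can show the prompt Internet Explorer 5.5 added. The Secure check is why the cart cookie is never sent over plain http, and HttpOnly is why it is absent from what a page script can read.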

    Instruction for cookies control using Internet Explorer --- http://www.scholastic.com/cookies.htm 

    To accept cookies if you are using a PC running Windows (Internet Explorer 5):
    1. Click Tools, and then click Internet Options.
    2. Click the Security tab.
    3. Click the Internet zone.
    4. Select a security level other than High.
       -or-
       Click Custom Level, scroll to the Cookies section, and then click Enable for both cookie options.
    5. Click on Apply.
    6. Click on OK.

    Other nations, notably in Europe, have placed more severe restrictions on the use of cookies.  See http://www.cnn.com/2000/TECH/computing/07/21/eu.spam.idg/index.html

    For more on cookies, see the following:


    Are cookies bad for your computer's health?

    "Extreme File Sharing," by Brian Krebs, The Washington Post, October 18, 2005 --- http://blogs.washingtonpost.com/securityfix/2005/10/extreme_file_sh.html?referrer=email

    Spent a few hours over the weekend poking around Limewire, an online peer-to-peer file-sharing network where an estimated 2 million users share and swap MP3 files, movies, software titles and just about anything and everything else made up of ones and zeroes (including quite a few virus-infected files).

    I was sifting the lists not for music or movie files, but for the stuff Limewire users may not know they're sharing with the rest of the network. I quickly found what I was looking for, and then some: dozens of entries for tax and payroll records, medical records, bank statements, and what appeared to be company books.

    A search for "cookies" or "paypal," for example, turned up cookie files for a number of financial institutions. Having cookie files exposed might be a little less dangerous if you couldn't also click your way through every shared file on a user's machine. For the most part I found that users who shared sensitive information were also sharing the contents of their entire hard drives.

    Some users were sharing many megabytes' worth of e-mails and addresses from their Microsoft Outlook inboxes and archives. But perhaps most revealing was a search for "keylog.txt," which turned up several huge text files no doubt generated by a keystroke logger -- a nasty bit of malware that records everything a victim types and relays the data back to the attacker.

    At first, I felt a little weird looking at records of one apparent victim's private (and frequently explicit) online chat conversations from just a few months back. But I wanted to find some contact information in there so I could at least notify this person that their system had been compromised. I found an AIM instant message ID -- but alas, that screen name wasn't signed on. I even found what appeared to be the victim's cell phone number, but got a fast-busy signal upon dialing it.

    As I read on, however, it became clear that the victim at some point realized his machine was infected with some sort of virus, as evidenced by his IM complaints to a friend that his antivirus software had alerted him to something evil on his machine.

    Over the course of several days (the first 10 or so pages of the keylog record) it appears that the victim tried to repel whatever had invaded his computer. Apparently he failed, because not long after he seems to have stopped searching (or at least stopped complaining about it) -- even though the keylogger was clearly still doing its job.

    My guess is that this guy ran an antivirus or anti-spyware scan which found and deleted something, so he figured everything was back to normal.

    This reminds me of a concept that security professionals understand all too well: When a computer system is compromised by a virus or worm, the only way to truly clean it is to back up the data and reinstall the operating system, including any software patches issued since the computer was purchased. This can be a bitter pill to swallow for home users, many of whom have trouble understanding why someone would go through the trouble of trying to hack their system in the first place.

    None of this to say that antivirus tools and other security applications can't remove these intrusive programs on their own; often they do the job quite nicely. But many of today's more aggressive threats are designed to open the door for other intruders, which might not be so easily detected by security software.

    Obviously, the lessons here are: If you're going to use file-sharing networks, be extremely careful about what you download; and, pay close attention to the files and folders you are letting the rest of the world see.

    Bob Jensen's threads on file sharing are at http://www.trinity.edu/rjensen/napster.htm
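    Krebs' second lesson, paying close attention to the files and folders you let the rest of the world see, is something that can be checked mechanically before a folder is ever exposed. The script below is an added example, not from the Washington Post piece or from any file-sharing client; it walks a folder destined for sharing and flags the kinds of files the article found on the network (keystroke-logger output, cookie files, mailbox archives, payroll and tax records, text files holding Social Security numbers) and the worst configuration of all, sharing a whole drive or home directory. The name and extension heuristics, the size of the content sniff, and the constructed demo files are assumptions to adapt to your own environment.

```python
"""Added example: audit a folder before exposing it on a file-sharing network."""
import re
import tempfile
from pathlib import Path

# Heuristics (assumptions, tune for your environment): names, extensions and contents
# that usually mean "private", matching the kinds of files the article found shared.
RISKY_NAME = re.compile(r"keylog|cookie|payroll|tax|bank|statement|passw", re.I)
RISKY_EXT = {".pst", ".ost", ".qbw", ".qif", ".ofx", ".kdbx", ".pem", ".key"}
TEXT_EXT = {".txt", ".csv", ".log", ".htm", ".html"}
SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def audit_share(root, max_scan_bytes=65536):
    """Walk `root` and return (relative path, reason) pairs for files that should not
    be shared. Text files are sniffed (first max_scan_bytes) for SSN-shaped numbers."""
    root = Path(root).resolve()
    findings = []
    try:
        home = Path.home()
    except RuntimeError:   # no home directory known in this environment
        home = None
    if root == Path(root.anchor) or root == home:
        findings.append((".", "share root is a whole drive or the home directory"))
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if RISKY_NAME.search(path.name):
            findings.append((rel, "name suggests private data"))
        if suffix in RISKY_EXT:
            findings.append((rel, f"{suffix} files hold mail, finances or keys"))
        if suffix in TEXT_EXT:
            try:
                head = path.read_bytes()[:max_scan_bytes].decode("utf-8", "ignore")
            except OSError:
                head = ""
            if SSN_LIKE.search(head):
                findings.append((rel, "contains SSN-shaped numbers"))
    return findings


def demo():
    """Constructed share folder: one harmless file and three that should never be shared."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "Shared"
        (share / "music").mkdir(parents=True)
        (share / "music" / "song.mp3").write_bytes(b"\x00" * 16)
        (share / "keylog.txt").write_text("typed: hello\n")
        (share / "employees.csv").write_text("name,ssn\nA. Person,123-45-6789\n")
        (share / "outlook.pst").write_bytes(b"!BDN")
        return audit_share(share)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

    The content sniff is deliberately shallow (a bounded prefix, decoded leniently) so the audit stays cheap on large media folders; a clean run is not proof that nothing sensitive is present, only that nothing matched these heuristics, so the whole-drive check is the one that matters most.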


    A December 1, 2002 message from one of my students on the topic of privacy on the Internet

    I'm not sure if you've ever been to their site or not, but Double-Click is one of the companies that records the things people do and sites they visit. They claim that they don't actually record names or anything to allow them to identify you specifically. I think they use IP addresses. But on their website ( http://www.doubleclick.com/us/corporate/privacy/privacy/default.asp?asp_object_1=&  ) they give you the ability to "opt-out" and no longer have your activities monitored by Double-Click and its partners. I stumbled upon this a few years back and just thought I'd share it. Hope you had a good holiday.

    Lonnie

    Bob Jensen's threads on network security are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection 


    Question 1:
    How can you send email anonymously?

    Answer 1:
    Simply set up an email account under a fictitious name.  For example, you can send email under multiple fictitious names from the Yahoo email server at http://www.yahoo.com/   (Click on "Mail" in the row "Connect")

    Question 2:
    How can you be totally anonymous on the Web such that cookie monsters do not track your Web navigation at your site and bad guys cannot track your surfing habits or get at your personal information such as medical records, name, mail address, phone number, email address, etc.?  (You can read about cookie monsters at http://onyx.he.net/~hotmoves/LIC/cookies/ )

    Answer 2:
    There is probably no way to be 100% safe unless you use someone else's computer without them knowing you are using that computer on the Web.  In most instances, the owner of the computer (a university, a public library, an employer, etc.) will know who is using the computer, but cookie monsters and bad guys on the Web won't have an easy time finding out who you are without having the powers of the police.

    About the safest way to remain anonymous as a Web surfer is to sign up for Privada from the Internet provider (ISP) that supplies your line connection to the Web.  In most instances, surfers pay a monthly fee that will increase by about $5.00 per month for the Privada service (if the provider offers Privada or some similar service).  To read more about Privada, go to http://industry.java.sun.com/solutions/company/summary/0,2353,4514,00.html 

    Privada Control (Application)

    Primary Market Target: Utilities&Services 
    Secondary Market Target: Financial Services

    Description: Used with Privada Network, PrivadaControl provides the consumer component of Privada's services, and is distributed to end-users by network service providers. Users create an online identity that cannot be linked to their real-world identity, allowing them to browse the Internet with the level of privacy they choose while still reaping the benefits of personalized content. PrivadaControl is built entirely in the Java(TM) programming language and runs completely in a Java Virtual Machine.

    For discussion of other forms of protection, see Privacy in eCommerce.


    Question 3:
    Where can you find great links to security matters in computing?

    Answer 3:
    Try Yahoo's links at
    http://dir.yahoo.com/Computers_and_Internet/Internet/World_Wide_Web/Security_and_Encryption/ 


    Question 4:
    It is extremely dangerous to open email attachments.  However, is it dangerous to open an email message without opening any attachments?

    Answer 4:
    Generally the answer is no.  However, it is a bit more complicated than this.  The following is stated at http://www.w3.org/Security/Faq/wwwsf2.html#CLT-Q11 

    For many years the answer to this question was a resounding no and that is largely the case now as well. There are a series of hoax chain letters that are seemingly endlessly circulating around the globe. A typical letter is the "Good Times" hoax. It will warn you that if you see an e-mail with a subject line that contains the phrase "Good Times" you should delete it immediately because the very fact of opening it will activate a virus that will do damage to your hard disk. The letter will encourage you to send this warning to your friends.

    The "Good Times" hoax, and many like it, are simply not true. However there are enough people who believe these hoaxes that the messages are endlessly forwarded and reforwarded. If you get a letter like this one, simply delete it. Do not forward it to your friends, and please do not forward it to any mailing lists. If you are uncertain whether the letter is a hoax, refer it to your system administrator or network security officer.

    Just to make life complicated, however, there are some cases in which the simple act of opening an e-mail message can damage your system. The newer generation of e-mail readers, including the one built into Netscape Communicator, Microsoft Outlook Express, and Qualcomm Eudora all allow e-mail attachments to contain "active content" such as ActiveX controls or JavaScript programs. As explained in the JavaScript and in the ActiveX sections, active content provides a variety of backdoors that can violate your privacy or perhaps inflict more serious harm. Until the various problems are shaken out of JavaScript and ActiveX, enclosures that might contain active content should be opened cautiously. This includes HTML pages and links to HTML pages. Disabling JavaScript and ActiveX will immunize you to potential problems.

    In addition, there are other cases where e-mail messages can be harmful to your health. In the summer of 1998, a number of programming blunders were discovered in e-mail readers from Qualcomm, Netscape and Microsoft. These blunders (which involved overflowing static buffers) allowed a carefully crafted e-mail message to crash your computer or damage its contents. No actual cases of damage arising from these holes have been described, but if you are cautious you should upgrade to a fixed version of your e-mail reader. More details can be found at the vendors' security pages:
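    The W3C FAQ's advice is to disable JavaScript and ActiveX in the mail reader. What a mail reader that renders HTML actually does to honour that is strip the active content before the body reaches the rendering engine. The following is an added example, not part of the quoted W3C FAQ and not the code of any mail client: an allowlist-based stripper built on Python's html.parser that discards script, object, embed, applet and iframe elements with their contents, drops every on* event-handler attribute, and refuses link targets whose scheme is not http, https or mailto (after removing the whitespace and control characters sometimes used to disguise a javascript: URL). The allowed tag and attribute sets and the constructed sample message are assumptions.

```python
"""Added example: strip active content from an HTML mail body before it is rendered."""
from html import escape
from html.parser import HTMLParser

# Allowlist (assumption: a mail reader that wants text, links and simple layout only).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "a", "ul", "ol", "li",
                "blockquote", "pre", "div", "span", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "applet", "iframe", "form"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class ActiveContentStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.removed = []    # what was dropped, for a log line or a user warning
        self.skip_depth = 0  # >0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.removed.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(tag)  # unknown tag dropped, its text is kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.removed.append(f"{tag}@{name}")  # event handler = script
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                # Check the scheme with whitespace/control characters removed.
                probe = "".join(ch for ch in value if ord(ch) > 32).lower()
                if not probe.startswith(SAFE_SCHEMES):
                    self.removed.append(f"href:{value}")
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends: no closing tag emitted

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))
    # Comments (including conditional comments) hit the default no-op and vanish.


def sanitize_mail_html(html):
    """Return (clean_html, list_of_removed_items)."""
    p = ActiveContentStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed


# Constructed sample message, not taken from any real mail.
SAMPLE_MAIL = ('<p>Your statement is <b>ready</b>.</p>'
               '<script>alert(1)</script>'
               '<a href="javascript:alert(1)" onclick="alert(2)">View</a> '
               '<a href="https://bank.example/login">Sign in</a>'
               '<object data="x.cab"></object><br/>')

if __name__ == "__main__":
    clean, removed = sanitize_mail_html(SAMPLE_MAIL)
    print(clean)
    print("removed:", removed)
```

    The allowlist is the important design choice: a denylist of known-bad tags has to be updated every time a renderer learns a new way to execute something, whereas an allowlist only ever lets through what the reader deliberately chose to support. The removed list is worth surfacing to the user as a "this message contained active content that was blocked" banner rather than silently discarding it.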

    Microsoft
    http://www.microsoft.com/security/bulletins/
    Netscape
    http://www.netscape.com/products/security/
    Qualcomm
    http://eudora.qualcomm.com/security.html

    Finally, don't forget that some documents do carry viruses. For example, Microsoft Word, Excel and PowerPoint all support macro languages that have been used to write viruses. Naturally enough, if you use any of these programs and receive an e-mail message that contains one of these documents as an enclosure, your system may be infected when you open that enclosure. An up-to-date virus checking program will usually catch these viruses before they can attack. Some virus checkers that recognize macro viruses include:

    McAfee VirusScan
    http://www.mcafee.com/
    Symantec AntiVirus
    http://www.symantec.com/
    Norton AntiVirus
    http://www.symantec.com/
    Virex