Understanding What Threat Lies Beneath!

The average citizen is very lax with the security of their credit card information and may therefore be giving a non-verbal invitation to credit card scammers. Understanding how your card can be compromised is the first step to protecting your credit. There are many ways to extract your sensitive data to enable someone to go on a “free” shopping spree.

Let’s start off by thinking like a thief. If someone wants to mimic your spending habits, they must first understand where you spend your money and how often you spend it. If they have access to your credit card statements, either by sifting through your mail or by breaking into your credit card account, they can start to clone your credit experiences. Changing the password of your credit account to a 15-character passphrase may minimize your exposure to this kind of credit hacking. Also ensure that you shred all credit card statements after you have reviewed them, or lock them in a safe that is secured.

By understanding your shopping trends, the “credit intruder” may be able to get around the alert system your credit card company has put in place. One healthy credit habit that you can adopt is to create an alert for your credit card. This proactive measure is quick and easy and may save you a lot of time and energy and, most of all, credit headaches. Many credit card companies will let you create credit alerts from your account with as much or as little detail as you would like; for example, you may want to be alerted for any charges over $100.00.

Understanding the types of credit card fraud will also help you defend yourself against credit card theft. Did you know that the magnetic strip of your card can be transferred over to a new card with little effort? Many consumers don’t understand the cloning of credit cards, but the criminals do! As easily as your card was made, another card with the same information (your name, your card number) can be made. If you are not going to use a card, then lock it in a safe place! Lost or stolen cards can go unnoticed, giving the thief enough time to create a credit nightmare for you. Ensure you are using your credit card on a safe website; if you are redirected to another website, beware that this may be an attempt to extract your credit information. When giving your credit card information over the phone, ensure the person you are giving your information to is a representative of the company and not a telemarketing scamming group.

During this busy holiday season and beyond, ensure that you are creating a safe and healthy environment for yourself as well as for your credit history! Remember to understand what threats lie beneath the quick savings and the glamorous “Buy Now” offers! Be proactive by putting measures in place so that you will always be aware of what is going on with your credit cards!

How good is a product, when the support for it SUCKS?

Something I see get overlooked often in reviewing products, especially expensive security products, is support. I’ve done hundreds of product reviews over the years and numerous benchmarking comparisons to find the best software/hardware for the job. Early on I took for granted the type of support and the ease of access to qualified technical support staff; now it is my 2nd priority when investigating any product. A lot of companies have decent products but fail to provide adequate support, and some companies are actually selling varying types of support for their products so only customers that pay service premiums get quick and knowledgeable support. It seems that support now means that you can email or call, if you’re lucky, a tier 1 or even 0 support person and they will search an internal knowledge base and provide you generic information. Tier Zero support is basically a phone answering service; they will try and route your issue to the right department and have someone call you back, hopefully before you have lost too much business.

Now Tier 1 support, these guys are usually the ones that have a little knowledge; unfortunately that knowledge comes from searching databases and technical notes and putting you on hold while they go ask someone about the issue. Both Tier 0 and 1 support can be very frustrating and time consuming to a customer with an issue; believe me, I have spent countless hours on the phone with support people that knew less about the product than I did. Don’t be surprised if your support calls are routed outside the country, where there can also be language barriers; this is sometimes referred to as “Follow the Sun Support”. Tier 1 support’s main goal in most cases is to close the tickets as fast as possible so they can move on to the next case.

Tier 2, this is where the Tier 1 folks graduate to when they start to get an understanding of the product(s).  Don’t get me wrong, you can find some good support people at this level and they will be able to fix most common/known issues, but if they haven’t seen it before, they want to try and figure it out instead of escalating the issue.  This brings me to Tier 3 and the developers, which is where the serious issues end up, it usually takes an act of God to get to this level, which usually involves getting your Sales guy involved, because they still want to be able to try and sell you more products or at least get you to renew your (cough cough) support contracts.

To me, even more so as I write this article and think about the countless wasted hours dealing with the lack of support from vendors, support and product functionality should be at the top of everyone’s list when reviewing products. You really don’t want to wait to find out how support works for a product, because when you find out you really need it, it’s too late. I have listed a few of my pet peeves below, based on years of headaches and product troubleshooting, so you will know what to expect. I also included a short list of questions that everyone should ask any vendor prior to purchasing; some even have quick horror stories, if you like those. As always, “Buyer Beware”.

A few of my pet peeves:

– Not being able to call support; this should be unacceptable for any enterprise level product. Recently IBM-ISS did something I thought was impossible: they made their support even worse. They added the dreaded Tier ZERO support; my first and last call to these guys was full of me trying to explain the product line to the person (in the Philippines) on the phone so they could take 30+ minutes to find out where to direct my “Business Impacting” issue. So if you don’t want to be down for hours waiting for a phone call from support, you really should buy the Platinum support, but then make sure you include that in your up-front costing and annual costing for the product when compared to other products of the same class.

– Known issues. If I call another vendor and find out that an issue that I was having was a “Known Issue”, but the fix was only provided to customers that noticed/experienced the issue, I will hit the roof. If it’s a known issue, it should be in the knowledgebase and/or an email bulletin should have been sent out to the customers.

– Vendors that like to use their customers as unknowing Beta testers for their products.  I have seen this from several vendors, who will try and get you to test out special features or undocumented procedures on your production environments.  So be aware of this and make sure that you don’t accidentally end up on the bleeding edge of product testing for a vendor.

– Vendor support at various levels not wanting to escalate to the next level. I have found that support people, regardless of the level, feel that it looks bad on them if they escalate your issue to the next level. Don’t be afraid to ask for an issue to be escalated; give them a fair amount of time to investigate the issue, but sometimes the issue can quickly be resolved once it reaches the right level of support.

A few questions to ask prospective vendors:

– What are the various levels of support that you offer? Remember you get what you paid for.

– How long has the product been around? Don’t end up being a beta tester for a new product, no matter the number of bells and whistles.

– Does support use the Follow the Sun methodology? Meaning, depending on the time of the call, you may be routed to other countries?

– Where are the support/call centers located? For some government agencies this needs to be within the US.

– What engineering and deployment support is provided?

– Do they have a full-text searchable knowledgebase? Is there a separate knowledgebase for internal support?

– Where was the product developed? With one vendor I worked with, the product was developed in the Middle East and support was much better during evening hours.

– For software that has signature based values, will you have access to what the signature is detecting and how?

– How are upgrades handled? Another of my favorite (cough cough) vendors, Imperva, releases upgrades to fix stability or other issues, but you cannot simply upgrade your product; you have to re-image and re-build the system or wait an additional 2-3 months to get an upgrade path.

– Ask about SLAs and get copies so you know exactly what to expect. If it’s not in writing, you didn’t buy it and can’t expect or demand it.

– If you get an appliance with maintenance support, ask how that support is handled. Some companies now out-source the hardware maintenance on their appliances and then you get the privilege of having to spend numerous hours working with some 3rd party company to get your appliance fixed. One of my biggest frustrations of 2010 was working hard to get McAfee Vulnerability Manager Appliances, the old Foundstone devices, in place to replace an older technology. The initial shipment had 2 appliances, one of which worked great out of the box; the second box was DOA. The problem here was that the hardware support was outsourced to Dell and they considered the delivery date of the product as the date the product was received by McAfee, not the end-user/customer. This led to 2+ weeks of trouble working with McAfee and Dell to get the box replaced; first they sent out a technician that replaced almost everything in the box, with refurbished parts no less, but left without verifying that this fixed the issue. As a side note of how bad the outsourcing is getting, McAfee outsourced the hardware support to Dell, but Dell outsourced it to Unisys, so I was stuck dealing with 2 companies that I had done no business with and didn’t have any SLAs with. In the end this was all resolved and the product really is great, but it did add a question to my list above.

SecurityOrb’s Top 5 Cyber Security Threat Predictions for 2011

2010 was an attention-grabbing year in the information security industry. We saw some interesting things such as the alleged hack of Google by China, Wikileaks and the issues with insider threat and hacktivism, the Stuxnet advanced malware implementation and social networking site vulnerabilities, as well as our share of zero-day attacks, to name a few. So, what is in store for 2011, you ask?

Well, SecurityOrb.com has released its top 5 cyber security threat predictions for 2011:

1. Smartphones and Apps

Smartphones are becoming very popular, with 25% of Americans reported owning them in October 2010. The recent holiday and store specials will surely push that number a lot higher by the next report in 2011. Theft of these smartphones will disclose personal and confidential information. In addition, apps with malicious intent will also increase in 2011.

2. Unauthorized information disclosure

With sites such as Wikileaks, and newly formed spin-offs that will be popping up such as Openleaks and a few others, many people will have options to share internal documentation. Personal information held by private organizations, such as financial and health information, will also be released.

3. Windows 7

Windows 7 has been out and is, in every sense of the word, a success. We usually see a 12 to 18 month operational period before malware starts to really come out.

4. Apple Products

Talking about market share, Apple has gained a substantial amount with the latest offering of their products, which include the iPad, iPhone, iPod and computer-based systems. Hackers will be targeting them in 2011.

5. Legacy and Unpatched Systems/Applications

Unfortunately, we have observed a high number of legacy systems such as Windows XP with SP1 and SP2, Windows 2000, 2003 SP1 and Mac OS X version 1.4 and below, as well as older versions of Adobe Reader, Flash and MS Office applications, still in operation. As we know, hackers will continue to check for and exploit old vulnerabilities.

We ask that you be aware of these issues and as always, make sure you have security controls such as host-based firewalls, anti-virus and anti-spyware applications installed, make sure they are updated at all times and use common sense to help protect your information and privacy.


Hacker Group “Anonymous” has Declared Cyber-War on behalf of WikiLeaks

A hacker group, identified as “Anonymous”, has declared cyber-war on behalf of WikiLeaks for the attempted censorship of the organization’s activities by the U.S. government and private companies. They are responsible for the recent distributed denial-of-service (DDoS) attacks on PayPal, Visa and MasterCard, which have been titled “Operation Payback”. As of December 10, 2010, they have decided to focus their attacks on PayPal’s network due to the ineffectiveness of trying to bring down multiple websites at the same time. Anonymous has even called for cyber-volunteers to aid in what some may describe as a “Cyber-war”, “Cyber-Attack” or “Hacktivism”.

The recent activities by “Anonymous” have forced WikiLeaks to release a statement denying any affiliation with the hacking group. WikiLeaks spokesman Kristinn Hrafnsson stated:

“There has been no contact between any WikiLeaks staffer and anyone at “Anonymous”, WikiLeaks has not received any prior notice of any of Anonymous’ actions. We neither condemn nor applaud these attacks. We believe they are a reflection of public opinion on the actions of the targets.”

As of this morning, technicians at SecurityOrb.com were able to fully access the PayPal services and there were no signs of any adverse effects from the attacks. PayPal released a statement stating:

“The PayPal.com site is fully operational. We can confirm that there have been multiple attempted DDoS attacks on paypal.com this week. We have also experienced an attack on api.paypal.com today. Attacks may slow the website itself down for a short while, but they have not significantly impacted payments.”

Browser History Hijacking Flaw

Browser history hijacking is a flaw in a web browser that allows certain websites access to all the sites a user has ever visited. This is a technique used by sporting, news, movie, financial and porn websites to better place ads and check to see if you have visited any of their competitors.

The information is captured by a script that the site you are visiting runs in your web browser to see if stored links have changed color. If the link is a different color, that indicates a visited site.

A survey conducted by researchers from the University of California at San Diego concluded that, out of the 50,000 most visited websites, nearly 500 were capturing browser history from users, with porn sites being among the highest offenders.

Modern browsers such as Apple’s Safari, Google’s Chrome and Firefox version 3.6 and above are not vulnerable to the browser history-hijacking flaw.  Internet Explorer unfortunately is vulnerable to browser history hijacking but is able to remediate the issue by turning on “Private Browsing” on the version 8 web browsers only.  You can activate “Private Browsing” in IE8 by either selecting that option from the Safety button at the upper right, or from the Tools menu in the Menu Bar if you have chosen to make that bar visible.

At the very least, this flaw poses a risk to personal privacy. Companies or hackers can collect your browsing history without your consent and target you for whatever purpose they want.

If you would like to see if your web browsers are vulnerable to the browser history hijacking flaw, a website has been created to check. You can visit it at the following URL: http://whattheinternetknowsaboutyou.com/

In addition to checking if your web browsers are vulnerable to the history hijacking issue, there is a lot of other useful information on the site to further preserve your web browsing privacy. Among them are the following:

1. Disable your browser’s history – If you configure your browser to not keep any browsing history, no one will be able to detect which sites you visited.

2. Disable CSS styling of visited links – Remove special rules for displaying visited links, the cost is not immediately knowing which pages you’ve already been to.

3. Use a special browser extension to fix the problem – If you are a Firefox 1.5/2 user, you can install the SafeHistory extension to protect yourself against the flaw.
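
The link-color check described in this post, next to the fix that closes it, as an added example (not code from the original post). It is a simplified model with no real DOM: `makeBrowser`, `sniffHistory`, the color values and the sample URLs are all constructed for illustration. In the hardened model, script always reads back the unvisited color while the user still sees visited links painted differently.

```javascript
// Simplified model of a browser's link styling (constructed, no real DOM).
const UNVISITED = "rgb(0, 0, 238)";
const VISITED = "rgb(85, 26, 139)";

function makeBrowser(history, { hardened }) {
  const visited = new Set(history);
  return {
    // What the user sees on screen: visited links are painted differently.
    paintedColor: (url) => (visited.has(url) ? VISITED : UNVISITED),
    // What page script can read back (stand-in for getComputedStyle(link).color).
    computedColor(url) {
      if (hardened) return UNVISITED; // always answer as if unvisited
      return this.paintedColor(url);  // legacy behaviour: leaks visited state
    },
  };
}

// The check the post describes: compare the color script can read for each
// candidate link against the unvisited color.
function sniffHistory(browser, candidates) {
  return candidates.filter((url) => browser.computedColor(url) !== UNVISITED);
}

// Constructed sample data.
const history = ["https://bank.example/login", "https://news.example/"];
const candidates = [
  "https://bank.example/login",
  "https://shop.example/",
  "https://news.example/",
];

const legacy = makeBrowser(history, { hardened: false });
const fixed = makeBrowser(history, { hardened: true });

console.log("legacy browser leaks:", sniffHistory(legacy, candidates));
console.log("hardened browser leaks:", sniffHistory(fixed, candidates));
console.log("user still sees visited styling:",
  fixed.paintedColor(candidates[0]) === VISITED);
```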
