Archive for the ‘Computer Security’ Category

Email Hoax

The Problem:
Have you seen this email?

“I received a telephone call last evening from an individual identifying himself as an AT&T Service technician who was conducting a test on telephone lines. He stated that to complete the test I should touch nine(9), zero(0), the pound sign (#), and then hang up.

Luckily, I was suspicious and refused.

Upon contacting the telephone company, I was informed that by pushing 90#, you give the requesting individual full access to your telephone line, which enables them to place long distance calls billed to your home phone number.

I was further informed that this scam has been originating from many local jails/prisons. I have also verified this information with UCB Telecom, Pacific Bell, MCI, Bell Atlantic and GTE. Please beware.

DO NOT press 90# for ANYONE.

The GTE Security Department requested that I share this information with EVERYONE I KNOW.

After checking with Verizon they said it was true, so do not dial (9),zero(0), the pound sign # and hang up for anyone.

PLEASE HIT THAT FORWARD BUTTON AND PASS THIS ON TO EVERYONE YOU KNOW.”

Is it true? By pushing 90# on my landline, am I really relinquishing access to my phone?

The Solution:
Hacking, cracking, phreaking, phishing, spoofing… There’s so much to worry about these days when using the internet, it’s surprising we hop online at all!

Fortunately, it doesn’t take much to be relatively safe. Of course, you’ll need to safeguard your computer with the usual prescription: firewall, antivirus solution, antispyware solution, updates, etc. When it comes to questionable e-mails like the one above, you will also need a good dose of skepticism.

The internet is full of lies. Just take a look at some of the stuff making it into your inbox. A lot of it simply isn’t true.

When you see something that seems a little over the top, take a moment and check its validity before forwarding it to your friends and family. A good place to start is TruthOrFiction.com, where you can check out everything from urban legends to pleas for help. To see what they have to say about the above email, go to their website and search on ‘90#’. (You didn’t think I would divulge the answer here, did you?!)

Other useful sites for questionable e-mails are:

HoaxBusters
Snopes
Break the Chain

All of them make for great reading. Enjoy!

What Is A Worm?

A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself.

Worms use parts of an operating system that are automatic and usually invisible to the user.

It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.

What Is A Trojan Horse?

Trojan horses are malicious programs disguised as something benign. They’ve been known to pose as games, utilities, and email attachments. Once opened, Trojan horses act much differently than you expect. Some merely annoy, sending emails to everyone in your address book. Others do serious damage, to the point of stealing passwords and data files. Unlike viruses, Trojan horses are not self-replicating.

Active Trojan horses are an advanced type of Trojan horse. They use unprotected ports to open lines of communication with your computer, and they can ultimately give hackers control over your machine. Active Trojan horses are also called Remote Access Trojans.

Safeguarding Your Company: Think Like a Bad Guy

Looking for a good read? Check out the FBI’s 2005 Computer Crime Survey at www.fbi.gov. After surveying over 2000 small and large private and public organizations in the United States, the FBI found:

Frequency of attacks. Nearly nine out of 10 organizations experienced computer security incidents in a year’s time; 20% of them indicated they had experienced 20 or more attacks.

Types of attacks. Viruses (83.7%) and spyware (79.5%) headed the list. More than one in five organizations said they experienced port scans and network or data sabotage.

Financial impact. Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.

Sources of the attacks. They came from 36 different countries. The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading.

Defenses. Most said they installed new security updates and software following incidents, but advanced security techniques such as biometrics (4%) and smart cards (7%) were used infrequently. In addition, 44% reported intrusions from within their own organizations, suggesting the need for strong internal controls.

Reporting. Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement’s response. And 81% said they’d report future incidents to the FBI or other law enforcement agencies.

Conclusion: Computer crime is serious and every company must give it high priority.

So if I were the bad guy wanting to pillage your company’s proprietary information, here’s how I might do it:

Tap your wireless network. Despite all the warnings, many companies do not protect their wireless networks. The router’s login and password are still the factory defaults, and no one bothered to use the built-in encryption. Danger: I can access your files.

Send email containing a payload. If I can just get someone to click on the attachment, then I’m in. I can remotely record all keystrokes from the infected machine, including logins and passwords and email communications.

Send an email which looks official. In this case, I impersonate your bank, for example, with an official looking email which includes some call to action, like “Please take care of this now or the account will be closed.” I may ask for logins and passwords or just entice the user to click on a link. Most organizations don’t teach their employees about such tricks. They are easy victims.

Call and pretend to be “Barry upstairs in tech support”. This tactic is called social engineering. You may have never heard of “Barry”. Neither have your employees. They just want their computer to work well. Barry to the rescue. Again, the employee doesn’t know any better. There goes a network login and everything else on that network.

Hire the janitor. Most computer crime comes from within the company. Known as the ‘triangle of opportunity’, an employee – for whatever reason – feels he’s been victimized, that he is owed something in return, and that there’s a good chance he can get away with it. If I can gain physical access to a computer, I can quickly and easily install hardware that will record everything done on that computer and email me hourly reports. Game over.

For more info, please check out www.infragard.net. Feel free to email (help@supergeeks.net) or call me (808.942.0773) if I can help with anything. And no attachments, please!

A good password is one that cannot be easily guessed

    DO

  • Use a password that contains alphanumeric characters and include punctuation, where supported by the operating system.
  • Use a password with mixed-case letters. Do not just capitalize the first letter, but add uppercase letters throughout the password.
  • Use at least six characters, eight characters for Windows NT.
  • Use a seemingly random selection of letters and numbers.
  • Use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your keyboard (also known as “shoulder surfing”).
  • Change passwords regularly. The more critical an account to network integrity (such as root on a Unix host or Administrator on Windows NT), the more frequently the password should be changed. This change stops someone who has already compromised an account from continued access.

    DO NOT

  • Use a network login ID in any form (reversed, capitalized, or doubled as a password).
  • Use your first, middle or last name or anyone else’s in any form. Do not use your initials or any nicknames you may have or anyone else’s.
  • Use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations.
  • Use other information easily obtained about you. This includes pet names, license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user.
  • Use a password of all numbers, or a password composed only of alphabet characters. Mix numbers and letters.
  • Use dates, e.g., September, SEPT1999, or any combination thereof.
  • Use keyboard sequences, e.g., qwerty.
  • Use a sample password, no matter how good, that you’ve gotten from a book that discusses information and computer security.
  • Use any of the above things spelled backwards, or in caps, or otherwise disguised.
  • Write a password on sticky notes, desk blotters, calendars, or store it online where it can be accessed by others.
  • Use shared accounts. Accountability for group access is extremely difficult.
  • Reveal a password to anyone.

    SUGGESTIONS

    Common suggestions for constructing seemingly random passwords are:

  • Use the first letter of each word from a line in a book, song, or poem. For example: “Who ya gonna call? Ghost Busters!” would produce “Wygc?GB!”
  • Use the output from a random password generator. Select a random string that can be pronounced and is easy to remember. For example, the random string “adazac123” can be pronounced a-da-zac, and you can remember it by thinking of it as “A-to-Z, 1 through 3.” Add uppercase letters to create your own emphasis, e.g., aDAzac.2
  • Use two short words connected by punctuation, e.g., T1me#0ff
  • Use numbers and letters to create an imaginary vanity license plate password, e.g., 1H8work!

A common theme of these suggestions is that the password should be easy to remember. Avoid passwords that must be written down to be remembered. If you cannot recall a password and have to write it down, someone in your office may find the written copy and compromise your network identity.
These guidelines and suggestions should enable you to choose strong passwords that will help you improve the security of your system.
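
The DO and DO NOT lists above translate directly into an automated check. The Python below is an added example, not part of the original post: the function names, the small word list and the keyboard runs are constructed for illustration, and a real deployment would load a full dictionary.

```python
import re

# Constructed sample data (assumptions); a real check would load a full dictionary.
WORDLIST = {"password", "welcome", "dragon", "monkey", "september"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456")
PAGE_SAMPLES = {"Wygc?GB!", "aDAzac", "T1me#0ff", "1H8work!"}  # printed on this page
DATE_RE = re.compile(r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\d{2,4}")

def mnemonic(line):
    """First letter of each word plus its punctuation (the first suggestion)."""
    return "".join(w[0] + "".join(c for c in w[1:] if not c.isalnum())
                   for w in line.split())

def check_password(pw, login_id, names=(), min_len=6):
    """Return the guideline violations found in pw; an empty list means none."""
    low = pw.lower()
    core = "".join(c for c in low if c.isalpha())  # letters only, disguises stripped
    problems = []
    if len(pw) < min_len:                          # six, or pass 8 for Windows NT
        problems.append("too short")
    if pw.isdigit() or pw.isalpha():
        problems.append("all numbers or all letters")
    # Mixed case must go beyond capitalizing the first character.
    if not (any(c.isupper() for c in pw[1:]) and any(c.islower() for c in pw)):
        problems.append("not mixed case throughout")
    for token in (login_id, *names):               # any form: caps, doubled, reversed
        t = token.lower()
        if t and (t in low or t[::-1] in low):
            problems.append("login ID or name")
    if core in WORDLIST or core[::-1] in WORDLIST:
        problems.append("dictionary word")
    if any(run in low or run[::-1] in low for run in KEYBOARD_RUNS):
        problems.append("keyboard sequence")
    if DATE_RE.search(low):
        problems.append("date")
    if pw in PAGE_SAMPLES:                         # samples from published guides
        problems.append("published sample password")
    return problems
```

Because the DO NOT list rules out sample passwords taken from security guides, the checker rejects the examples printed on this page; use `mnemonic()` on a line of your own choosing instead.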

Additional Notes:
The CERT/CC (Computer Emergency Response Team / Coordination Center), a federally funded organization based at Carnegie Mellon University, estimates that 80% of all network security problems are caused by bad passwords; therefore, good passwords are the simplest and most important part of information security.