Archive for the ‘Computer Security’ Category

Safeguarding Your Company: Think Like a Bad Guy

Looking for a good read? Check out the FBI’s 2005 Computer Crime Survey at www.fbi.gov. After surveying over 2000 small and large private and public organizations in the United States, the FBI found:

Frequency of attacks. Nearly nine out of 10 organizations experienced computer security incidents in a year’s time; 20% of them indicated they had experienced 20 or more attacks.

Types of attacks. Viruses (83.7%) and spyware (79.5%) headed the list. More than one in five organizations said they experienced port scans and network or data sabotage.

Financial impact. Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.

Sources of the attacks. They came from 36 different countries. The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading.

Defenses. Most said they installed new security updates and software following incidents, but advanced security techniques such as biometrics (4%) and smart cards (7%) were used infrequently. In addition, 44% reported intrusions from within their own organizations, suggesting the need for strong internal controls.

Reporting. Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement’s response. And 81% said they’d report future incidents to the FBI or other law enforcement agencies.

Conclusion: Computer crime is serious and every company must give it high priority.

So if I were the bad guy wanting to pillage your company’s proprietary information, here’s how I might do it:

Tap your wireless network. Despite all the warnings, many companies do not protect their wireless networks. The router’s login and password are the same factory defaults and no one bothered to use the built-in encryption. Danger: I can access your files.

Send email containing a payload. If I can just get someone to click on the attachment, then I’m in. I can remotely record all keystrokes from the infected machine, including logins and passwords and email communications.

Send an email which looks official. In this case, I impersonate your bank, for example, with an official looking email which includes some call to action, like “Please take care of this now or the account will be closed.” I may ask for logins and passwords or just entice the user to click on a link. Most organizations don’t teach their employees about such tricks. They are easy victims.

Call and pretend to be “Barry upstairs in tech support”. This tactic is called social engineering. You may have never heard of “Barry”. Neither have your employees. They just want their computer to work well. Barry to the rescue. Again, the employee doesn’t know any better. There goes a network login and everything else on that network.

Hire the janitor. Most computer crime comes from within the company. Known as the ‘triangle of opportunity’, an employee, for whatever reason, feels he’s been victimized, that he is owed something in return, and that there’s a good chance he can get away with it. If I can gain physical access to a computer, I can quickly and easily install hardware that will record everything done on that computer and email me hourly reports. Game over.

For more info, please check out www.infragard.net. Feel free to email (help@supergeeks.net) or call me (808.942.0773) if I can help with anything. And no attachments, please!

A good password is one that cannot be easily guessed

DO

  • Use a password that contains alphanumeric characters and include punctuation, where supported by the operating system.
  • Use a password with mixed-case letters. Do not just capitalize the first letter, but add uppercase letters throughout the password.
  • Use at least six characters, eight characters for Windows NT.
  • Use a seemingly random selection of letters and numbers.
  • Use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your keyboard (also known as “shoulder surfing”).
  • Change passwords regularly. The more critical an account to network integrity (such as root on a Unix host or Administrator on Windows NT), the more frequently the password should be changed. This change stops someone who has already compromised an account from continued access.

DO NOT

  • Use a network login ID in any form (reversed, capitalized, or doubled as a password).
  • Use your first, middle or last name or anyone else’s in any form. Do not use your initials or any nicknames you may have or anyone else’s.
  • Use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations.
  • Use other information easily obtained about you. This includes pet names, license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user.
  • Use a password of all numbers, or a password composed only of letters. Mix numbers and letters.
  • Use dates, e.g., September, SEPT1999, or any combination thereof.
  • Use keyboard sequences, e.g., qwerty.
  • Use a sample password, no matter how good, that you’ve gotten from a book that discusses information and computer security.
  • Use any of the above things spelled backwards, or in caps, or otherwise disguised.
  • Write a password on sticky notes, desk blotters, calendars, or store it online where it can be accessed by others.
  • Use shared accounts. Accountability for group access is extremely difficult.
  • Reveal a password to anyone.

SUGGESTIONS
Common suggestions for constructing seemingly random passwords are:

  • Use the first letter of each word from a line in a book, song, or poem. For example: “Who ya gonna call? Ghost Busters!” would produce “Wygc?GB!”
  • Use the output from a random password generator. Select a random string that can be pronounced and is easy to remember. For example, the random string “adazac123” can be pronounced a-da-zac, and you can remember it by thinking of it as “A-to-Z, 1 through 3.” Add uppercase letters to create your own emphasis, e.g., aDAzac.2
  • Use two short words connected by punctuation, e.g., T1me#0ff
  • Use numbers and letters to create an imaginary vanity license plate password, e.g., 1H8work!

A common theme of these suggestions is that the password should be easy to remember. Avoid passwords that must be written down to be remembered. If you cannot recall a password without writing it down, someone in your office may find the note and compromise your network identity.
These guidelines and suggestions should enable you to choose strong passwords that will help you improve the security of your system.

Additional Notes:
The CERT/CC (Computer Emergency Response Team / Coordination Center), a federally funded organization based at Carnegie Mellon University, estimates that 80% of all network security problems are caused by bad passwords; therefore, good passwords are the simplest and most important part of information security.
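As an added illustration (this is not code from the original post), here is a small Python checker that applies the DO / DO NOT rules above to a candidate password and reports which rules it breaks. The length threshold of eight, the six-word stand-in dictionary, the keyboard-sequence list, the leetspeak table and the fields in the sample `profile` are all assumptions made for the example; a real deployment would plug in a full word list. It goes slightly beyond the list by undoing common digit-for-letter substitutions, so that “otherwise disguised” dictionary words such as P4ssw0rd are still caught.

```python
"""Password-policy checker that applies the DO / DO NOT rules above.

Added illustration, not code from the original post. MIN_LENGTH, the small
stand-in WORD_LIST, the keyboard sequences, the leetspeak table and the
shape of the `profile` dict are all assumptions chosen for the example.
"""
import re
import string
from typing import Dict, List, Optional

MIN_LENGTH = 8  # the post's stricter figure ("eight characters for Windows NT")

# Constructed stand-in for a real dictionary / word list (assumption).
WORD_LIST = {"password", "welcome", "letmein", "honolulu", "sunshine", "aloha"}

KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "qazwsx", "123456", "abcdef")

# "may" is left out on purpose: as an ordinary three-letter word it would
# flag far too many harmless passwords.
MONTHS = ("january", "february", "march", "april", "june", "july", "august",
          "september", "october", "november", "december", "jan", "feb", "mar",
          "apr", "jun", "jul", "aug", "sep", "sept", "oct", "nov", "dec")
YEAR_RE = re.compile(r"(19|20)\d{2}")

# Common digit-for-letter substitutions; undoing them catches "otherwise
# disguised" dictionary words such as P4ssw0rd.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalise(pw: str) -> str:
    """Lower-case the password and undo leetspeak substitutions."""
    return pw.lower().translate(LEET)


def _letters(s: str) -> str:
    """Keep only the alphabetic characters of s."""
    return "".join(c for c in s if c.isalpha())


def _disguises(word: str) -> set:
    """The disguised forms the DO NOT list warns about: the word itself,
    reversed, doubled, and the doubled reversal (case is handled elsewhere)."""
    w = word.lower()
    return {w, w[::-1], w * 2, w[::-1] * 2}


def check_password(pw: str, profile: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the rules `pw` violates; an empty list means it passes.

    `profile` carries the easily-obtained facts the DO NOT list names
    (login ID, names, pet, plate, phone, ...) under free-form keys.
    """
    violations: List[str] = []
    lowered = pw.lower()
    norm = _normalise(pw)
    letters_only = _letters(norm)

    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        violations.append("not mixed case")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        violations.append("does not mix letters and numbers")
    if not any(c in string.punctuation for c in pw):
        violations.append("no punctuation")
    if any(seq in lowered or seq in norm for seq in KEYBOARD_SEQUENCES):
        violations.append("keyboard or counting sequence")
    if any(m in letters_only for m in MONTHS) or YEAR_RE.search(pw):
        violations.append("contains a date")
    if any(letters_only in _disguises(w) for w in WORD_LIST):
        violations.append("dictionary word (possibly disguised)")
    for field, value in (profile or {}).items():
        compact = re.sub(r"[^a-z0-9]", "", value.lower())  # drop dashes, spaces
        if len(compact) < 3:  # too short to be a meaningful match
            continue
        if any(d in lowered or d in norm for d in _disguises(compact)):
            violations.append(f"derived from personal info: {field}")
    return violations


def is_strong(pw: str, profile: Optional[Dict[str, str]] = None) -> bool:
    """True when no rule is violated."""
    return not check_password(pw, profile)


# Constructed sample profile (all values invented for the example).
SAMPLE_PROFILE = {"login": "jdoe", "first name": "John", "last name": "Doe",
                  "pet": "Rex", "plate": "KGA-123", "phone": "555-0100"}

if __name__ == "__main__":
    for candidate in ("T1me#0ff", "1H8work!", "Wygc?GB!", "SEPT1999",
                      "P4ssw0rd!", "JdoeJDOE1!"):
        print(f"{candidate:12} -> {check_password(candidate, SAMPLE_PROFILE) or 'OK'}")
```

Run against the post’s own suggestions, T1me#0ff, 1H8work! and aDAzac.2 pass every rule, while Wygc?GB! is reported for “does not mix letters and numbers”, which is simply the list’s own “Mix numbers and letters” rule applied literally. SEPT1999 trips the mixed-case, punctuation and date rules at once, and JdoeJDOE1! is caught by the personal-information check because it contains the login ID in plain and doubled form.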

Virus du Jour

The virus du jour (Conficker worm) has come and – well – stayed! The much anticipated April 1st date of doom and gloom seems to have been a false alarm. Yet some 10 million computers remain infected by a masterfully crafted virus with unknown intentions.

We can expect more of the same.

Cybercrime is very profitable. A recent study by security firm Finjan estimates a single hacker can make as much as $10,800 a day exploiting systems, or $3.9 million a year.

With numbers like that, it’s not surprising hacking is attracting the brightest minds in the industry as well as the most sophisticated organized crime syndicates. Indeed, hacking is now considered as lucrative as drug trafficking and prostitution.

Yuval Ben-Itzhak, Finjan’s chief technology officer, said: “Cybercrime today is a very, very big business and those behind Conficker have spent a lot of money organizing, writing code and securing these machines so they will be looking for a return soon.

“This type of cybercrime activity is here to stay and will grow because there is so much money involved and it’s hard to get caught.”

Compromised computers are typically harnessed at will by cybercriminals to send spam, collect confidential information, and extort money from websites. In the case of extortion, an online business is forced to pay ‘protection’ or risk having the business’ site go down for hours or even days as a result of those 10 million compromised computers trying to access it at the same time. How much do you think a successful online gambling operation is willing to pay for ‘protection?’

Some interesting facts from Symantec:

  • A data breach can increase customer turnover by as much as 11%
  • Nearly 60% of corporate information resides on unprotected desktops and laptops
  • Spam accounts for 80% of the worldwide email
  • Poor system configuration is directly responsible for 65% of all system weaknesses
  • Over 85% of corporate systems are not backed up

Bottom line: We should continue to embrace the internet and computing in general, but do so with an abundance of caution. Be sure your security software is kept updated, be vigilant and refrain from dangerous online activities, like downloading bootleg music. And by the way, Macs still remain relatively unscathed from such attacks…

5 Things Every Teen Should Know

We parents didn’t grow up using the internet.  The closest we got to getting online was a dial-up email account with CompuServe.  Remember that?  And what was up with that long string of numbers for an email address?  It’s amazing how much has changed…

Unfortunately, we parent the way our parents parented us.  If you stop and listen to yourself while you’re talking to your kids, you may just hear your mom’s or dad’s voice – saying the same things you heard when you were a kid.

And that’s a problem when it comes to internet safety.  We parents didn’t receive those parenting skills.  Sure, we learned things like “Don’t talk to strangers”, but nothing like, “Don’t open spam email” and “Be careful of phishing attacks.”

So here’s what your teen needs to know:

The internet can be a very dangerous place. You will get a lot of eye-rolling on this one.  But the fact is, kids are too trusting, and the bad guys know that.  They will con your kid faster than you can dial 911.  Explain how the world isn’t always what it seems to be and how this is especially true on the internet.  Ask your teen to stop and think:  Can he/she really be sure the “Melissa” he/she met online the other day really is female?  Probably not.

Pirating software is illegal. And it can cost you a lot in fines and legal fees when your teen gets caught.  Yes, everyone does it.  But if everyone raped and pillaged, would it be ok if we raped and pillaged, too?  And just because no one is watching, does it make it ok to steal?  Here’s what you can do: Bring your kid to 7-11, wait till the clerk is not looking, then tell your teen to shoplift.  Chances are he/she will be repulsed by the idea.  (If not, skip this column.)

Cyber bullying is also illegal. Terroristic threatening, character assassinations, hate crimes, etc. can also land your teen in jail and invite the evening news crew to your doorstep.  In the comfort of our homes and especially closed bedroom doors, we are lulled into feeling no one is watching.  We may even adopt false identities online to remain anonymous.  Explain to your teen that all this is false.  The truth is, we can uncover everything your teen does online.  We can retrieve every email.  We can find out what she has done.  So don’t do anything stupid, unfair, unkind or illegal.  Eventually people will find out.

It’s tough to erase that sexy MySpace pic.  By this I mean, what you do online generally stays online long after you’ve done your best to delete it.  I long for the old blackboard and chalk days when you could write something silly on the classroom’s blackboard and safely erase it before the teacher arrived.  The internet is digital and – ironically – digital stuff is often very hard to get rid of because it propagates through the net so easily.  Tell your teen not to do anything which may jeopardize a job interview, college application or marriage proposal 10 years from now.

One click can ruin a perfectly good computer.  Well, it’s not as dramatic as that.  But the truth is the internet, and sites catering to teens in particular, are rampant with viruses and other malicious software.  And as I mentioned earlier in this column, teens are juicy online targets because they are generally too trusting AND because they typically feel utterly invincible.  (We were that way, too, remember?)  The message is this: Stay away from ghetto sites, delete all spam – don’t even open them up – avoid all links in emails, and don’t download anything.  Period.  Or you may have to bring your sick computer to one of our service centers…

Sit down with your teen.  Take an interest in what he is doing online.  Use it to build an even better rapport with your child.  And while you’re at it, be sure to outline very clearly what is acceptable and unacceptable behavior online. Your teen will actually appreciate the discipline.

Cassandra

[Image: Cassandra, painting by Evelyn de Morgan]

The Problem
In Greek mythology, Cassandra was so beautiful that Apollo granted her the gift of prescience, meaning she could see the future. Unfortunately, she wasn’t thrilled by Apollo and refused to return his love, so Apollo put a curse on her, ensuring no one would believe her predictions. As a result, she lived a life of great pain and frustration.

There’s a mortgage company here in Honolulu that nearly witnessed the fall and destruction of Troy. The story begins in a Starbucks’ parking lot. One of the employees, an uber broker, dashes into the store for her well-deserved double macchiato. When she returns just minutes later, her laptop is gone. The first reaction is disbelief, then anger and finally frustration. A quick call to the office seems to ameliorate the damage. The boss is stern but understanding and all activity is quickly focused on filing a police report, making an insurance claim, rescheduling appointments and getting her a loaner laptop.

But the real tragedy was lurking behind the curtains. The stolen laptop contained over 5000 names, addresses, social security numbers, bank accounts and other confidential information on their clients…

The Fix
It sometimes takes a tragedy to do what’s right. In this case, with the looming threat of expensive legal exposure let alone public embarrassment if the incident hit the papers, the CEO realized he had to pull his team out of their day-to-day, gotta-get-it-done-now sense of urgency and get them focused on what’s important: safeguarding their company’s data.

They called us in for a security threat assessment. Here’s what we discovered:

  • IT had been relegated to someone who was well-meaning but poorly trained.
  • The server was missing some critical software updates, exposing it to malicious attacks.
  • A router had an open port, meaning one could penetrate the network from the outside.
  • The 14 laptops in the field were used as standalones by the brokers. Each unit had different versions of antivirus and antispyware solutions. Many were missing critical operating system updates. Some had the firewall turned off.
  • The tape backup on the server wasn’t capturing all of the important files.

Here’s what we did to help secure their network:

  • We pulled all employees together for a brownbag lunch and told them some scary stories about data breaches. We showed them how data can easily fall into the wrong hands and why it’s important they – the frontline employees – engage security issues on a constant day to day basis.
  • We established a set of policies and procedures for everything from the type of data that can be put on a laptop to what is considered acceptable behavior when using the laptops.
  • We encrypted the laptops and established data access rights, so employees could access only the data they needed, nothing more.
  • We centralized all file management on the server, so the right data is automatically backed up every evening, with one complete week’s worth of data religiously stored offsite in a fire-resistant safe.
  • We configured each laptop according to an agreed standard so each unit had the same software and the same settings and as a result could be used interchangeably to mitigate down time and preventive maintenance time.
  • We closed the holes in the router and set up VPNs (virtual private networks) so employees could easily and safely access the office files through encrypted internet connections from home or elsewhere.

The stolen laptop was ultimately recovered. Our forensic analysis showed data on the unit wasn’t compromised. The mortgage company dodged a bullet. They heeded Cassandra’s call. They prefer to remain anonymous.