Bob Jensen's
Introduction to e-Business and e-Commerce
http://www.trinity.edu/rjensen/ecommerce/000start.htm
Bob Jensen at Trinity University
Top 25 Google e-searches of the month
Most Popular Web Sites 2006 - 2007 --- http://www.webtrafficstation.com/directory/
WebbieWorld Picks --- http://www.webbieworld.com/default.asp
How E-commerce Works --- http://money.howstuffworks.com/ecommerce.htm
Electronic Commerce: The Fastest Growing Phenomenon in World Commerce
Electronic Commerce: Special Problems Arising for Accountants and Auditors
Electronic Commerce: Webledgers
Electronic Commerce: Revenue Accounting Problems and Related Financial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm
Electronic Commerce: Training and Education Issues
Electronic Commerce: Assurance Services Opportunities and Risks
Illustration of Topics in a Continuous Assurance Symposium
Investor Relations and Internet Reporting
XBRL Will Change the World of Financial Reporting and Analysis --- http://www.trinity.edu/rjensen/XBRLandOLAP.htm#XBRLextended
Education and Online Training Issues
A Special Section on Computer and Networking Security (including spam fighters)
Introduction
How to make stolen laptop data useless to thieves
Is your data safe? Survey reveals scandal of snooping IT staff
Viruses
Spyware (and SiteAdvisor)
Cell Phone Records are for Sale
Phishing, Pharming, Vishing, Slurping, and Spoofing
Pretexting
Cookies
Spam Blocking
Searching Dangers: Beware of Search Engines
Hacking Into Systems
Security on Public Wireless Networks
Denial of Service Attacks
Spy Tools: How safe are unlisted phone numbers?
Forget Big Brother, Now You Are Being Watched by Almost Anybody
Weapons of Information Warfare
Threads on Firewalls --- Go to http://www.trinity.edu/rjensen/firewall.htm
Identity Theft http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft
Encryption
New Tech Tools to Combat Fraud
The Downside: Psychology of Electronic Commerce and Technology
Intangibles Accounting Issues --- http://www.trinity.edu/rjensen//theory/00overview/theory01.htm#TheoryDisputes
Managerial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm
How Can Technology be Used to Reduce Fraud? --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm#Issue7
ROI Issues --- http://www.trinity.edu/rjensen/roi.htm
Implications for Auditing and Assurance Services --- http://www.trinity.edu/rjensen/ecommerce/assurance.htm
Opportunities of E-Business Assurance & Security: Risks in Assuring Risk --- http://www.trinity.edu/rjensen/ecommerce/assurance.htm
Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime
The Controversial Electronic Commerce of Education --- http://www.trinity.edu/rjensen/000aaa/0000start.htm
Investor Relations and Internet Reporting
Education and Training
Evaluation of Websites
Search for Internet, e-Commerce, or e-Business Phrases
Top Year 2002 Accounting Technologies
Bob Jensen's Threads on Electronic Commerce --- http://www.trinity.edu/rjensen/ecommerce.htm
Bob Jensen's Threads on Electronic Commerce in College Curricula --- http://www.trinity.edu/rjensen/ecommerce/curricula.htm
Accounting Threads
Bob Jensen's Threads on Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime
Bob Jensen's Technology Glossary
Bob Jensen's threads on computer security are under "Security" (in the S-Terms) at http://www.trinity.edu/rjensen/245gloss.htm
Also look under the C-Terms for "Cookies."
I created a timeline of major happenings leading up to the eXtensible Business Reporting Language (XBRL) and Online Analytical Processing (OLAP) systems. Overviews of XML, VoiceXML, XLink, XHTML, XBRL, XForm, XSLT, RDF and the Semantic Web are also provided --- http://www.trinity.edu/rjensen/xmlrdf.htm
This is what Professor Jim Mahar says about ERisk in the March 24, 2003 edition of TheFinanceProfessor (an absolutely fabulous newsletter) --- www.FinanceProfessor.com
Erisk.com. I simply love the site. I know it has been site of the week before, but it is so good, it earned it again. Try it, you’ll love the case studies and the newsletter! http://www.erisk.com
ERisk --- http://www.erisk.com/
ERisk is the leading provider of strategic solutions for risk and capital management. We deliver a unique combination of world-class analytics for risk-based capital, strategic risk management expertise, risk transfer advice and risk information.
You can find out more about our products and services in the Overview section. On this page, you can find out more about the people and ideas that power our company.
The ERisk Report --- http://www.erisk.com/about/about_company.asp?ct=n#report
The ERisk Report is a concise monthly briefing for senior financial executives. Every month, contributors from ERisk's team of risk management experts address today's most pressing issues in strategic risk and capital management. Sign up today for your personal copy of this cutting-edge publication!
- Vol 1.6: Measuring the return on risk management; leveraging the economic benefits of risk management
- Vol 1.5: Putting the real value on customer relationships; rolling out risk management
- Vol 1.4: Making risk more transparent; fed takes pulse of economic capital practices
- Vol 1.3: Credit scoring: robots versus humans; James Lam's three lessons from Enron
- Vol 1.2: Weathering credit losses; regulators line up behind economic capital
- Vol 1.1: Revamping your credit ratings system; measuring bank profitability
The ERisk Portal --- http://www.erisk.com/portal/home.asp
Resources for Enterprise Risk Management
ERisk today continues to successfully develop and install its analytics at client sites, conduct high-value consulting engagements, offer unbiased advice on risk transfer alternatives, and attract thousands of readers to the ERisk portal.
"New e-Accounting Advisor Network Debuts," SmartPros, September 29, 2003 --- http://www.smartpros.com/x40720.xml
Insynq Inc., a provider of Internet-delivered online accounting solutions and services, has launched an online advisor network to assist the accounting professional by supporting back-office processing requirements on a highly cost-efficient basis.
The e-Accounting Advisor Provider Network (http://eaccounting.cpa-asp.com) has created a new cost-effective resource for practices of all sizes to use to expand their practice, or to provide the opportunity of higher gross margins, Insynq announced. Through the use of business process outsourcers -- such as call centers, payroll and HR processing services -- professional practices are able to improve client services, expand their practices, and improve practice profitability.
"These accountants have gained a comprehensive solution that combines our online accounting technology services with business process outsourcing models," said Insynq president John Gorst. "e-Accounting is one of the few providers in the industry with a service model that encompasses online accounting applications, data management, document management and workflow tools."
Insynq will co-sponsor a series of seminars in the top 25 U.S. markets over the next four months for CPAs, accountants and bookkeepers that explain the online accounting model. These seminars will detail the outsourced accounting opportunity, and demonstrate the benefits of using business process outsourcers in support of practice initiatives.
Electronic Commerce
ONLINE SPENDING CLIMBED 25% during the holiday season from a year earlier, a survey found.
Desiree J. Hanford, The Wall Street Journal, January 4, 2005 --- http://online.wsj.com/article/0,,SB110478868075315675,00.html?mod=technology_main_whats_news
Question: What turns Web retailing into eCommerce?
Answer: A special feature of eCommerce is revenue collection over the Internet. Today that revenue collection typically entails online credit card transacting.
Bob Jensen's threads on accounting for electronic commerce are at http://www.trinity.edu/rjensen/ecommerce.htm
"E-tailing Comes of Age," by Nick Wingfield, The Wall Street Journal, December 8, 2003 --- http://online.wsj.com/article/0,,SB10708342997640400,00.html?mod=technology%5Ffeatured%5Fstories%5Fhs
Dot-com retailers had a message for bricks-and-mortar stores at the start of the 1999 holiday season: We're coming after you.
A year or two later, traditional retailers had their revenge, of course, when stock certificates of such companies as Pets.com Inc., eToys Inc. and Webvan Group Inc. were fit for little more than wrapping paper. With some notable exceptions -- including Amazon.com Inc. and eBay Inc. -- established stores and catalog companies ended up snaring most of the online sales.
But something surprising happened: Some small Web-only retailers refused to die. A handful in unlikely categories such as jewelry, shoes and luggage are profitable and growing far more quickly than their offline counterparts.
These specialty online retailers are prospering at a time when overall online sales are booming. Consumers are expected to spend $12.2 billion online this year in the Thanksgiving-to-Christmas period, up 42% from last year, according to Forrester Research of Cambridge, Mass. The growth reflects a steady shift of retail spending to the online world, as consumers grow more comfortable with the Internet and the spread of high-speed home connections makes browsing and ordering simpler. Online shopping also tends to be more weather-proof; many snowbound Northeasterners ventured out into cyberspace instead of the elements to continue their holiday shopping this past weekend.
Still, a mere 4.5% of total retail spending is expected online this year, compared with 3.6% in 2002. But even the small shift in retail sales represents a combined billions of dollars for Internet retailers.
Traditional retailers are doing their best to keep holiday customers clicking on their sites by offering good deals. Some are discounting heavily; free-shipping offers are commonplace. Gap Inc., for instance, is waiving standard delivery fees on orders of $100 or more until Dec. 15.
Continued in the article
There were 50 global online users of the new World Wide Web in 1990. The worldwide growth in connected consumers, businesses, and other types of organizations is staggering. A study conducted by IDC (2001) estimates the following at http://www.filmsoho.com/marketing/marketing_internet.html
Use of the Internet continues to grow rapidly worldwide. This growth is fuelling e-commerce transactions which are one barometer of the commercial success of the medium. Almost 1 billion people (about 15 percent of the world's population) are forecast by research firm International Data Corp to be using the Internet by 2005. IDC foresees spending of more than $5 trillion in Internet commerce, representing a staggering 70 percent compound annual growth rate from last year's Internet spending of $354 billion in 2000.
The adoption of the Internet as a communications tool is still undergoing explosive growth. In the developed world the proliferation of mobile phones and other Internet access devices will maintain these growth rates even once PC penetration has reached saturation.
Growth statistics are provided by the following sites:
Web Data and Statistics
Builder.com --- http://builder.cnet.com/webbuilding/pages/Servers/Statistics/
This site is great for definitions and explanations.
Why Web usage statistics are (worse than) meaningless --- http://www.goldmark.org/netrants/webstats/
Internet Sizer --- http://www.netsizer.com/
(This site has a link to a neat graph that shows the increase in Web use in a spinning real-time counter. It resembles the counter on Times Square that used to show the increases in the U.S. National Debt.)
Web Characterization --- http://wcp.oclc.org/
Listings from Webreference.com --- http://webreference.com/internet/statistics.html
Internet Statistics
- CyberAtlas (*) - Internet market research and information site. Provides a periodic overview of Internet trends, demographics, marketing, and advertising information.
- CyberGeography - Interesting collection of experiments and approaches in visualizing internet statistics and topology.
- GVU WWW User Surveys - User surveys dating back to 1994. The surveys feature a wide variety of WWW usage and opinion-oriented questions.
- The Internet Index - "An occasional collection of facts and statistics about the Internet and related activities." By Win Treese of Open Market.
- ISC: Internet Domain Survey - Estimates the number of hosts and domains by doing a complete search of the Domain Name System. From the Internet Software Consortium.
- Media Metrix - Web market research information and analysis service providing demographic data, measuring Internet and digital media audiences and usage since 1996.
- MIDS: Matrix Information and Directory Services - MIDS provides statistics about the Internet and estimates of its growth. Information is presented textually, graphically, and in geographic maps.
- Netcraft - Conducts the Web Server Survey which tracks the usage of HTTP server software. Also offers a searchable hostname database.
- Nielsen Net-Ratings - Online usage and popularity statistics.
- Nua's Internet Surveys - An organized collection of Internet statistical surveys. Has digests of the important research reports and demographic surveys from the major research companies. Includes summary graphs and data of Internet statistics and trends. Offers a monthly newsletter.
- StatMarket - In-depth statistics on a wide variety of Internet topics, and a sharp interface. StatMarket provides free global Internet usage statistics gathered from tens of thousands of web sites and millions of daily visitors.
- TheCounter.com - Detailed browser statistics, including information on monitor resolution, color depth and java/javascript usage.
- Yahoo: Statistics and Demographics - Yahoo's collection of related sites.
Most popular Websites in the world --- http://www.webbieworld.com/ww/
Bob Jensen's Off-the-Wall Definitions
Electronic Business (B2B) and Commerce (B2C)
Any computer-networked communications or transactions that were formerly more apt to be transmitted by physical transfers such as in-store purchases and mail ordering and payment. Electronic business makes it possible to eliminate paper documentation such as purchase orders, invoices, monthly account statements, and payment checks or credit card receipts. Electronic communications and transactions with retail customers are generally referred to as e-Commerce. Business-to-business (B2B) communications and transactions between business firms are generally called e-Business.
Electronicization
Includes electronic business, but electronicization encompasses other things as well such as Enterprise Resource Modeling (ERP), customer relations management (CRM), artificial intelligence/smart agents, and computerization/networking of virtually all elements of the supply chain.
M. Greenstein and M. Vasarhelyi Definition
Electronic Commerce: Security, Risk Management and Control (McGraw-Hill, 2002, p. 3)
The use of electronic transmission mediums (telecommunications) to engage in the exchange, including buying and selling, of products and services requiring transportation, either physically or digitally, from location to location.
Electronic Commerce - A Leading Definition --- http://www-cec.buseco.monash.edu.au/links/ec_def.html
A broad definition of 'electronic commerce' is provided by Electronic Commerce Australia (ECA, formerly EDICA) in its 1994 Annual Report as:
The process of electronically conducting all forms of business between entities in order to achieve the organisation's objectives.
The term 'electronic commerce' embraces electronic trading, electronic messaging, EDI, EFT, electronic mail (e-mail), facsimile, computer-to-fax (C-fax), electronic catalogues and bulletin board services (BBS), shared databases and directories, continuous acquisition and lifecycle support (CALS), electronic news and information services, electronic payroll, electronic forms (E-forms), online access to services such as the Internet (discussed later), and any other form of electronic data transmission.
For example, medical and clinical data, data related to taxation, insurance, vehicle registration, case information involving legal proceedings, immigration and customs data, data transmitted for remote interactive teaching, video-conferencing, home shopping and banking, EDI purchase orders and remittance advices - are all applications of electronic commerce.
The term 'electronic commerce' is sometimes incorrectly used as an alternative to EDI. EDI, a subset of electronic commerce, refers specifically to the inter-company or intra-company transmission of business data in a standard, highly structured format. Electronic commerce, however, includes structured business data and unstructured messages or data, such as electronic memos sent via e-mail.
Another term, 'electronic trading', is commonly used to refer to electronic transactions which occur in the procurement of goods and services. Electronic trading uses structured and/or free-form messages. Electronic trading can also be considered a sub-set of electronic commerce.
"Amazon Finally Clicks: Ten years old and profitable at last, it offers a textbook lesson on how to be both focused and flexible," by Russ Banham, CFO Magazine, Spring 2004 Special Issue, pp. 20-22 --- http://www.cfo.com/article/1,5309,12598||M|846,00.html
The foosball tables are still there, as are the desks made from sawhorses, plywood, and old doors. And no one wears a tie, not even CFO Thomas J. Szkutak. But if some E-commerce trappings are alive and well at Amazon.com headquarters, others are not. Red ink, for example, has disappeared—at least for now. The company posted its first indisputably (that is, GAAP-based) profitable year in 2003, propelled by strong holiday sales and a weakened dollar, which boosted overseas results.
That has prompted plenty of backslapping in the halls of Amazon's headquarters, a former hospital with an improbable Art Deco design and a postcard view of downtown Seattle and Puget Sound. As it prepares to celebrate its 10th anniversary, Amazon.com is a very different company from the so-called E-tailer that, at the time of its initial public offering in 1997, had to caution would-be investors not to confuse it with Amazon Natural Treasures, a retailer and E-tailer of rain-forest products.
Few would make that mistake today. While still sometimes referred to as an online bookstore, Amazon now boasts a product line that staggers the imagination, from apparel, sporting goods, and jewelry to new services including a feature that lets customers make "1-Click" Presidential campaign contributions.
Behind Amazon's breadth of products and services are myriad business arrangements: some products the company owns, inventories, sells, and ships; others it sells on behalf of third-party retailers. Some of these third-party products Amazon ships and fulfills; others are shipped and fulfilled by the third parties themselves. Among those third parties are thousands of mom-and-pop E-tailers that collectively make Amazon's Marketplace division a perpetual online garage sale surpassed only by E-bay.
With 39 million active customer accounts (based on the number of E-mail addresses from which orders originated in 2003), Amazon seems to be making good on its promise to offer the "Earth's biggest selection of products," or as Szkutak puts it, "to build a place where people can find, discover, and buy anything they want online." To do that, he says, the company has learned—sometimes the hard way—to "start with the customer and work backward."
Working backward has changed Amazon from an online retailer to an E-commerce platform. Today, it is not a store so much as a channel, a place where brand-name third-party retailers, smaller businesses, and just plain folks can hawk their goods to a worldwide clientele. This past holiday season, shoppers traipsed through Amazon to buy products from Gap, Toys "R" Us, True Value Hardware, and Kitchen Etc.—and maybe some kid in Idaho who was trying to unload his slightly dog-eared Harry Potter library. Assembling such a vast collection of partners and building the systems that allow customers to buy from an individual as easily as they buy from a retail giant has not been easy, and analysts praise Amazon's achievements. "Amazon has knocked 10 steps down to 1," says Adam Sarner, a research analyst at Stamford, Connecticut-based technology research firm Gartner Inc. "This is what they mean by 'customer convenience.'"
Jonathan Gaw, a research manager at technology research firm IDC, says, "No one else has this kind of expertise, because no one else has invested the capital to build this kind of infrastructure."
Amazon.com was once viewed as a leading member of the E-commerce vanguard, but most of the followers have fallen by the wayside. True, the survivors—E-bay, MSN, AOL, Yahoo, and Google—have become household names, but success remains precarious and depends on, among other things, the ability to be nimble. Amazon built its brand initially on low-priced books and waited for customers to come bargain-hunting. Today it pulls out all the stops to get people to visit, from "never-before-seen" Bruce Springsteen concert footage to a "secret message" from Madonna. If that sounds like the sort of pop-culture gimmickry one might expect from, say, AOL, there's good reason: the E-commerce giants are out to eat one another's lunch. When Google, for example, announced Froogle, a new service that allows users to search for a product name and be directed only to sites that sell that product, Amazon launched a new subsidiary, A9, devoted to Web searching, and even located its offices close to Google in Silicon Valley. Similarly, the boundaries between the business models of E-bay, Yahoo, and even Microsoft can be hard to discern, as all of these companies seek to protect themselves and to copy whatever seems to work.
Continued in the article
Yahoo's Links to Electronic Commerce Sites
The U.S. Government Knows How to Sell Online (e-Commerce)
From InformationWeek Online May 30, 2001
Uncle Sam Rings Up $3.6B In Online Sales
Look out, Jeff Bezos. Amazon.com Inc.'s $2.8 billion in annual revenue has been eclipsed by another E-commerce contender--a purveyor of flame throwers, burros, and Lamborghini Diablos that generated $3.6 billion in sales last year. The mastermind behind this E-retailing juggernaut? Uncle Sam.
That revelation comes from a recent study by the Pew Internet & American Life Project and Federal Computer Week magazine, which tracked the government's E-commerce activity. Of course, straight revenue comparisons may not be fair. After all, it's not exactly a level playing field for Amazon since the government's $3.6 billion came from 164 sites. That was a bit of a shock for Allan Holmes, editor-in-chief of Federal Computer Week. "When we first started, I had no idea how many sites we would find. I thought maybe a few dozen." Plus, that revenue figure would be significantly lower without the Treasury Department, which generated $3.3 billion from the sale of bonds and notes.
But the remaining $300 million in sales is still a significant achievement, considering the government hasn't done much to promote its efforts. Looking to bid on luxury items such as helicopters or sports cars? Try Bid4Assets, which sells property seized by the U.S. Marshals Service in criminal raids. "The federal government has always had surplus property and auctioned off property seized in drug busts. Now they're able to do it more efficiently and reach more people," Holmes says.
While so many others are still struggling to make the Web pay, Walt Disney's Internet ventures are thriving --- http://www.wired.com/news/business/0,1367,56314,00.html
LOS ANGELES, November 11, 2002 -- Last year, the Walt Disney Co. surrendered in the Internet portal wars after spending hundreds of millions of dollars to compete against Yahoo!, America Online and others.
But it didn't give up entirely. In a strategic retreat, the company refocused on Web projects that highlighted its core brands, such as ABC News and ESPN, which is the exclusive provider of sports on the MSN service.
That strategy has started to pay off. Last week, Disney announced a modest milestone -- its Internet properties are profitable.
The company doesn't report the results of its Internet properties as a group, so Disney did not provide any profit figure when it reported fourth-quarter earnings. But the company said profits from individual sites, led by ESPN and Disney's online store; from licensing content to other Internet sites; and from advertising and subscriptions pushed online operations into the black.
Disney's Internet ventures contribute only about several hundred million dollars to the company's $25 billion in annual revenue. Nonetheless, Disney can say it is profiting online while so many others are still struggling to make the Internet pay.
"I feel good that we've been able to sort of figure it out," said Steve Wadsworth, president of the Walt Disney Internet Group.
What Disney learned and other companies are discovering is that it's best to abandon a one-size-fits-all approach to the Web.
"There is not one single formula that is going to work," said Charlene Li, principal analyst for Forrester Research, a technology consulting firm based in Cambridge, Mass. "What works for Disney.com and its characters isn't the same thing that will work for ESPN. Even The New York Times and The Boston Globe are completely different. They're owned by the same company, but they use completely different approaches."
Disney's announcement of its modest profit is a victory of sorts for chairman and CEO Michael Eisner. During the heyday of e-commerce, he resisted pressure to merge with Yahoo or Microsoft, even after AOL merged with Time Warner.
Today, AOL is struggling, weighed down by declining advertising revenue and a government investigation into its accounting practices. Chairman Steve Case reportedly has considered separating the companies.
Continued at http://www.wired.com/news/business/0,1367,56314,00.html
Webledger alternatives are becoming a much bigger deal in accounting information systems. I suspect that many accounting educators are not really keeping up to date with the phenomenal growth in vendor services.
I am a strong advocate of Webledger accounting and information systems. In my viewpoint they are the wave of the future for small and even medium-sized business and other organizations. The main obstacle is overcoming the natural tendency to fret over having data stored with a Webledger vendor. But the advantages of cost savings (e.g., savings from not having to employ technical database and IT specialists, savings in hardware costs, and savings in software costs), advantages of worldwide access over the Internet, and advantages of security (due to the millions invested by vendors to ensure security) far outweigh the disadvantages until organization size becomes so overwhelming that Webledgers are no longer feasible for accounting ledgers, inventory controls, payroll processing, billings, etc.
Webledger software and databases offer accounting, bookkeeping, inventory control, billings, payrolls, and information systems that can be accessed interactively around the globe. Companies and other organizations do not maintain the accounting systems on their own computers. Instead, the data are stored and processed on vendor systems such as the Oracle database systems used by NetLedger.
NetLedger is part of the NetSuite described at http://www.netledger.com/portal/home.shtml
Click on the "See One System in Action" Link
NetSuite's all-in-one business management application allows each user to work off the same, real-time information, but with a user interface and functionality appropriate to them.
As a project in Fall of 2000, a team of my students set up an accounting system on Netledger. This team's project report is available at http://www.trinity.edu/rjensen/acct5342/projects/Netledger.pdf
Bob Jensen’s threads on Webledgers can be found at http://www.trinity.edu/rjensen/webledger.htm
A Guide to E-Commerce at http://e-comm.internet.com/
An Electronic Encyclopedia at http://e-comm.internet.com/library/glossary.html
A longer listing of this and similar glossaries can be found at http://www.trinity.edu/rjensen/245gloss.htm
U.S. Policy on E-Commerce at http://www.ecommerce.gov/
Electronic Books Directory (U. Mn.)
- Electronic Commerce World: On-line journal for electronic commerce - Articles, Resource Directory, Discussions
Electronic Commerce: Special Problems Arising for Accountants and Auditors
You must be very careful when viewing a corporate Website that you think is authentic but is a total fraud. One such site is http://www.dowethics.com/ which spoofs the genuine http://www.dow.com
The site at dowethics.com is a very clever spoof site that mirrors the real corporate site but runs it with stories against the company. It is interesting because it appears to be very authentic and illustrates how companies really do need authentication seals such as Verisign, the Better Business Bureau BBB seal, or the WebTrust Seal --- http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialProblems
Because a mirrored site can reproduce the seal graphic along with everything else, a seal only establishes authenticity when the visitor clicks through to the issuer's own verification page for that site.
Immense problems arise in accounting, auditing, and taxation as the world moves ever forward into electronic commerce.
- Stewardship, control, and security problems such as the explosion of computer and Internet fraud
- Auditing and information systems problems such as the loss of audit trails over global networks of transactions
- Revenue accounting problems such as gross vs. net, bartering, and recognition timing
- Cost accounting problems such as accounting for the costs of intangibles
- Managerial accounting problems apart from cost accounting, including evaluation of return on investment (ROI) that includes startup net losses in the numerator and excludes intangibles in the denominator
- Taxation problems such as the purchase and sale of merchandise and service outside accustomed taxation jurisdictions
Advantages and disadvantages of electronic commerce
Advantages:
- Convenience
- Speed
- Information Access Volume
- Expense Savings (e.g., Marketing)
- Reduced Transactions Cost
- Improved Training & Education (Army University and IRS University)
- Revenue Enhancing
- Reduced Barriers to Entry
- Innovative Products & Services
- Increased Price Competition
- Increased Vendor Selection
- Increased Access to Customers
- Customer Behavior/Interest Databases (Like it or not, have a cookie!)
- Increased Ability to Place Custom Orders
- Improved Warranty & Customer Service
- Customized & Personalized Feedback
- Common Interest Virtual Communities
- Globalization of Business and Labor
Disadvantages:
- Ever-Changing Technologies
- Geek Dependent Systems
- Going Concern Risks
- Risk of Service Disruptions
- Customers Need Computers
- Customers Need Access
- Shortage of Bandwidth
- Frauds & Error Risk
- Highly Creative Deceptions
- Security Nightmares
- Privacy Risks (Data sale, theft, sniffers)
- Hacker Targets
- Dehumanization of Life
- Rise in Gambling & Porn
- Cut-Throat Competition (e.g., Encyclopedia Britannica)
- Information Warfare
- System-Wide Vulnerability
Electronic Commerce: Revenue Accounting Problems and Related Financial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm
Common Electronic Risks
- Disruption of service
- Hardware/software failure
- Virus
- Worm
- Trojan Horse
- Hoax
- Logic Bomb
- Unauthorized access
- Trap Door
- Data theft
- Loss of data/information
- Privacy issues
- What company was voted the 1996 Internet Company of the Year, and how did this company later drastically revise its electronic business model?
Answer:
General Electric in 1996 had a separate part of GE for electronic
commerce. Several years later, GE did away with the electronic
commerce unit and elected to build electronic commerce into virtually all
divisions of the company.
- Increased interdependency between organizations.
For example, under an agreement between P&G and Wal-Mart, P&G has access to certain portions of Wal-Mart's inventory data. When Wal-Mart's inventory of P&G goods reaches a certain level, P&G automatically arranges for shipment of additional inventory.
- Impact on business models
  - value-added chains broken and reformed (e.g., closing down of physical stores and opening of virtual stores)
  - new marketing, transportation, and supply channels (e.g., FedEx "Supply Chain Services")
  - increasing value of knowledge assets
  - changing infrastructure of factories and warehouses (e.g., Amazon.com discovered it had to build new warehouses)
  - decentralization of employees and services (e.g., virtual on-site service of computer hardware using technicians anywhere in the world)
- Type of network (EDI, LAN, WAN,
Internet, etc.)
- Audit trail
- Security and privacy, including
newer types of assurance services such as WebTrust and SysTrust
- Accounting issues such as new types
of business ventures and transactions that were not envisioned in existing
GAAP
- Declining value of items accounted
for under GAAP and rising value of items not accounted for under GAAP
- The breakdown of traditional
decision aids such as ROI estimates
- The rise of gimmicks such as "Pro Forma" and "core" earnings measures not covered under GAAP
Pro-Forma Earnings (Electronic
Commerce, e-Commerce, eCommerce)
From the Wall Street Journal's Accounting Educators'
Reviews, October 4, 2001
Educators interested in receiving these excellent reviews (on a
variety of topics in addition to accounting) must first subscribe to
the electronic version of the WSJ and then go to http://209.25.240.94/educators_reviews/index.cfm
Sample from the October 4 Edition:
TITLE: Sales Slump Could Derail Amazon's Profit Pledge
REPORTER: Nick Wingfield
DATE: Oct 01, 2001
PAGE: B1
LINK: http://interactive.wsj.com/archive/retrieve.cgi?id=SB1001881764244171560.djm
TOPICS: Accounting, Creative Accounting, Earnings Management,
Financial Analysis, Net Income, Net Profit
SUMMARY: Earlier this year Amazon promised analysts that it will
report its first-ever pro forma operating profit. However,
Amazon is not commenting on whether it still expects to report a
fourth-quarter profit this year. Questions focus on profit measures
and accounting decisions that may enable Amazon to show a profit.
QUESTIONS:
1.) What expenses are excluded from pro forma operating profits?
Why are these expenses excluded? Are these expenses excluded from
financial statements prepared in accordance with Generally Accepted
Accounting Principles?
2.) List three likely consequences of Amazon not reporting a pro
forma operating profit in the fourth quarter. Do you think that Amazon
feels pressure to report a pro forma operating profit? Why do analysts
believe that reporting a fourth quarter profit is important for
Amazon?
3.) List three accounting choices that Amazon could make to
increase the likelihood of reporting a pro forma operating profit.
Discuss the advantages and disadvantages of making accounting choices
that will allow Amazon to report a pro forma operating profit.
SMALL GROUP ASSIGNMENT: Assume that you are the accounting
department for Amazon and preliminary analysis suggests that Amazon
will not report a pro forma operating profit for the fourth quarter.
The CEO has asked you to make sure that the company meets its
financial reporting objectives. Discuss the advantages and
disadvantages of making adjustments to the financial statements. What
adjustments, if any, would you make? Why?
Reviewed By: Judy Beckman, University of Rhode Island
Reviewed By: Benson Wier, Virginia Commonwealth University
Reviewed By: Kimberly Dunn, Florida Atlantic University
Bob
Jensen's threads on pro forma accounting issues can be found at
http://www.trinity.edu/rjensen/theory.htm
- Taxation issues such as how to
replace sales taxes on declining in-store purchases and lost taxes on
foreign transactions
- Financing issues, especially how to
finance an e-Commerce business like Amazon.com for years of phenomenal
growth during which there are accounting losses every year
- The future of the dot.com companies
after their fall from grace
- Impact on financial reporting and
analysis, especially XBRL
See http://www.trinity.edu/rjensen/xmlrdf.htm
Links to Some of Bob Jensen's Accounting Theory Documents
Introduction to Accounting Theory --- http://www.trinity.edu/rjensen//theory/00overview/theory01.htm
Accounting for Electronic Commerce, Including Controversies on
Business Valuation, ROI, and Revenue Reporting --- http://www.trinity.edu/rjensen/ecommerce.htm
State of Accountancy in the Year 2002: My Lectures for Germany
(Augsburg and Rothenburg) in June 2002 --- http://www.trinity.edu/rjensen/FraudConclusion.htm
Accounting Tricks and Creative
Accounting Schemes Intended to Mislead Investors, Creditors, and
Employees --- http://www.trinity.edu/rjensen//theory/00overview/AccountingTricks.htm
Letter to Senator Schumer --- http://www.trinity.edu/rjensen/theory/sfas123/jensen01.htm
Links to the following accountancy documents:
Accounting Theory Course --- http://www.trinity.edu/rjensen/acct5341/index.htm
Pro forma reporting --- http://www.trinity.edu/rjensen/acct5341/theory/00overview/theory01.htm
Accounting for Derivative Financial Instruments and Hedging
Activities --- http://www.trinity.edu/rjensen/caseans/000index.htm
Real Options, Option Pricing Theory, and Arbitrage Pricing Theory ---
http://www.trinity.edu/rjensen/realopt.htm
An Accounting Theory Final
Examination, The Open Polytechnic of New Zealand Semester Two, 2000,
http://www.topnz.ac.nz/info/services/pdf/71300_00_2.pdf
Bob Jensen's threads on e-Commerce and e-Business can be found at http://www.trinity.edu/rjensen/ecommerce.htm
Bob Jensen's threads on XBRL are at http://www.trinity.edu/rjensen/XBRLandOLAP.htm#XBRLextended
Bob Jensen's Helpers for Accounting Educators --- http://www.trinity.edu/rjensen/default3.htm
Bob Jensen's Accountancy Bookmarks --- http://www.trinity.edu/rjensen/bookbob.htm
Bob Jensen's Threads --- http://www.trinity.edu/rjensen/threads.htm
Electronic Commerce: Revenue Accounting Problems and Related
Financial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm
Accounting Issues Addressed by the SEC and FASB
DESCRIPTION OF THE PROPOSED PROJECT
This potential FASB project on
disclosure about intangibles would focus on improving information
about intangible assets that are seen by many as increasingly
important to business success but are not currently recognized as
assets in financial statements. Intangible assets are generally
recognized only if acquired, either separately or as part of a
business combination. Intangible assets that are generated internally,
and some acquired assets that are written off immediately after being
acquired, are not reflected in financial statements, and little
quantitative or qualitative information about them is reported in the
notes to the financial statements. The principal goals of the project
would be to make new information available to investors and creditors
and to improve the quality of information currently being
provided—information vital to well-reasoned investment and credit
resource allocation decisions. A secondary goal of the project would
be to take a first step in what might become an evolution toward
recognition in an entity’s financial statements of internally
generated intangible assets. The balance of this Proposal discusses
the problem to be addressed, the scope of the project, the issues that
would have to be resolved, how practice might change, and the FASB
agenda criteria. It concludes with a request for comments and several
questions for constituents.
- Denny Beresford's Terry Breakfast Lecture
Subtitle: Does Accounting Still Matter in the "New Economy"
Every accounting educator and practitioner should read Professor Beresford's Lecture at http://www.trinity.edu/rjensen/beresford01.htm
Corporate America's New Math: Investors Now Face Two Sets of Numbers In Figuring a Company's Bottom Line
By Justin Gillis
The Washington Post
Sunday, July 22, 2001; Page H01
http://www.washingtonpost.com/wp-adv/archives/front.htm

Cisco Systems Inc., a bellwether of the "new economy," prepared its books for the first three months of this year by slicing and dicing its financial results in the old ways mandated by the rules of Washington regulators and the accounting profession.

Result: a quarterly loss of $2.7 billion.

Cisco did more, though. It sliced and diced the same underlying numbers in ways preferred by Cisco, offering an alternative interpretation of its results to the investing public.

Result: a quarterly profit of $230 million.

That's an unusually large swing in a company's bottom line, but there's nothing unusual these days about the strategy Cisco employed. Across corporate America, companies are emphasizing something called "pro forma" earnings statements. Because there are no rules for how to prepare such statements, businesses have wide latitude to ignore various expenses in their pro forma results that have to be included under traditional accounting rules.

Most of the time, the new numbers make companies look better than they would under standard accounting, and some evidence suggests investors are using the massaged numbers more and more to decide what value to attach to stocks. The pro forma results are often strongly emphasized in news releases announcing a corporation's earnings; sometimes the results computed under traditional accounting techniques are not disclosed until weeks later, when the companies file the official results with the Securities and Exchange Commission, as required by law.

Cisco includes its results under both the pro forma and the traditional accounting methods in its news releases. People skeptical of the practice of using pro forma results worry that investors are being deceived. Karen Nelson, assistant professor of accounting at Stanford University, said some companies were "verging on fraudulent behavior" in their presentation of financial results.

Companies that use these techniques say they are trying to help investors by giving them numbers that more accurately reflect the core operations of their businesses, in part because they exclude unusual expenses. Cisco's technique "gives readers of financial statements a clearer picture of the results of Cisco's normal business activities," the company said in a statement issued in response to questions about its accounting.

Until recently, pro forma results had a well-understood and limited use. Most companies used pro forma accounting only to adjust previously reported financial statements so they could be directly compared with current results. This most frequently happened after a merger, when a company would adjust past results to reflect what they would have been had the merger been in effect earlier. Pro forma, Latin for "matter of form," refers to statements "where certain amounts are hypothetical," according to Barron's Dictionary of Finance and Investment Terms.

What's changed in recent years is that many companies now using the technique also apply it to the current quarter. They include some of the leading names of the Internet age, including Amazon.com Inc., Yahoo Inc. and JDS Uniphase Corp. These companies have received enthusiastic support from many Wall Street analysts for their use of pro forma results. The companies' arguments have also been bolstered by a broader attack on standard accounting launched by some academic researchers and accountants. They believe the nation's financial reporting system, rooted in the securities law reforms of the New Deal, is inadequate to modern needs. In testimony before Congress last year, Michael R. Young, a securities lawyer, called it a "creaky, sputtering, 1930s-vintage financial reporting system."

The dispute over earnings statements has grown in intensity during the recent economic slide. To skeptics, more and more companies appear to be coping with bad news on their financial statements by redefining the concept of earnings. SEC staffers are worried about the trend and are weighing a crackdown.

"People are using the pro forma earnings to present a tilted, biased picture to investors that I don't believe necessarily reflects the reality of what's going on with the business," said Lynn Turner, the SEC's chief accountant.
For the rest of the article (and it
is a long article), go to
http://www.washingtonpost.com/wp-adv/archives/front.htm
The full article is salted with quotes from accounting professors and Bob Elliott (KPMG and Chairman of the AICPA).
BARUCH LEV'S NEW BOOK
Brookings Institution Press has just issued Baruch's new book, Intangibles:
Management, Measurement and Reporting. Regardless of the "dot com"
collapse, this subject continues to be high on the corporate executive's
agenda. Baruch foresees increasing attention being paid to intangibles by
both managers and investors. He feels there is an urgent need to improve
both the management reporting and external disclosure about intellectual
capital. He proposes that we seriously consider revamping our accounting
model and significantly broaden the recognition of intangible assets on the
balance sheet. The book can be ordered at https://www.brookings.edu/press/books/intangibles_book.htm
Professor Lev's free documents on
this topic can be downloaded from http://www.stern.nyu.edu/~blev/newnew.html
FASB REPORT - BUSINESS AND
FINANCIAL REPORTING, CHALLENGES FROM THE NEW ECONOMY NO. 219-A April 2001
Author: Wayne S. Upton, Jr. Source: Financial Accounting Standards Board ---
http://accounting.rutgers.edu/raw/fasb/new_economy.html
Upton's book challenges Lev's contention that the existing standards are
enormously inadequate for the "New Economy."
The Garten SEC Report: A press
release and an executive summary are available at http://www.mba.yale.edu
The Garten SEC Report supports Lev's contention that the existing standards
are enormously inadequate for the "New Economy."
(You can request a copy of the full report using an email address provided
at the above URL)
Trinity University students may
access this report at J:\courses\acct5341\readings\sec\garten.doc
Dear Professor Jensen:
As you may know, Greenstein and Vasarhelyi's
ELECTRONIC COMMERCE was the first book to combine accounting risk management
and control issues with systems issues--in other words, the first book to
really combine accounting and electronic commerce. But it's not enough
to be first once--you need to be first every time. And with ELECTRONIC
COMMERCE 2/E, once again you get the newest and most up-to-date coverage
available.
Just published this summer, ELECTRONIC COMMERCE, 2/E
covers the hottest topics in e-commerce, including e-business strategy, XML
and XBRL, and emerging supply chain e-commerce and e-revenue models. And a
constantly updated Website will ensure your course has access to the very
latest developments.
To learn more about ELECTRONIC COMMERCE, 2/E or to
request a complimentary copy, contact, Ray Lesikar, your McGraw-Hill/Irwin
representative, at ray_lesikar_jr@mcgraw-hill.com. You may also visit the
book's Website at this address: http://www.mhhe.com/webmaster/redirector.pl?p=1000001004457&c=938&a=4&s=1
Thank you for your time.
Regards,
Rich Kolasa
Marketing Manager, Accounting, McGraw-Hill/Irwin
How to Build Customer Relationships Online Marketing is not just about
getting an order, it's about getting a customer and keeping them. Nurture your
customer relationships with regular e-mails. With regular e-mails you can build
relationships and gather market intelligence. http://www.newmedia.com/default.asp?articleID=3275
Bob Jensen's small business links are at http://www.trinity.edu/rjensen/bookbob1.htm#SmallBusiness
Top Year 2002 Technologies
as Rated by the AICPA --- http://www.cpa2biz.com/ResourceCenters/Information+Technology/Top+10+Techs/default.htm
Top 10 Techs
TopTechs provide information about cutting edge technologies that could impact your ability to compete effectively in the e-world.
TopTechs are presented in four categories:
- Issues -- situations that result from technology implementation
- Applications -- business opportunities/objectives using one or more technologies
- Technologies -- end products (hardware, software, or standard)
- Emerging Technologies -- new developments currently under review
Entries (each teaser is truncated on the AICPA site):
- Certainly database technology has been around for a while. It made the list of top ten technologies ...
- Technologies: Security Technologies -- In the past year, nine out of 10 organizations experienced security breaches, according to a recent ...
- Technologies: XML (Extensible Markup Language) -- "Your tax dollars at work" could be the subtitle for this section, assuming you waited 20 years and ...
- Technologies: Communications Technologies - Bandwidth -- Here's a riddle for you: What doubles in demand every three to four months, but drops in price over ...
- Technologies: Mobile Technologies -- Convenience, Efficiencies are Hallmarks of Mobile Technologies. What would Benjamin Franklin think o ...
- Technologies: Wireless Technologies (includes wireless networks) -- Are you on the cutting edge of wireless technology? If your first thoughts were of your beloved PDA ...
- Technologies: Electronic Authorization -- In a workflow system, documents move from one user to another as they are electronically processed. ...
- Technologies: Encryption -- We've come a long way from the "magical" times of the 17th century where works about ciphers and cry ...
- Technologies: Remote Connectivity Tools -- The information you need is in one place; you are in another place. Traditional solutions to remote ...
- Technologies: Electronic Authentication -- Are you who you say you are? That is, in fact, the question of authentication, which is one aspect o ...
Investor Relations and Internet Reporting
Jerry Trites from Canada and I
conducted two workshops on electronic reporting and electronic commerce.
The first of these is for August 14 in San Antonio (AAA
Annual Meetings) and November 23 in Los Angeles (Asian
Pacific Conference). I received the following message from Jerry on
February 14, 2002:
Hi Bob,
Following is the URL for the website for my new e-business textbook. Thought you might be interested.
http://www.pearsoned.ca/trites/
Jerry,
p.s. When will we hear back from AAA re the San Antonio conference?
Gerald Trites, CA*CISA, FCA
Gerald Schwartz School of Business and Information Systems,
St Francis Xavier University,
Antigonish, Nova Scotia
Phone: (902) 867-5410 Fax: (902) 867-3352 Cell: (902) 867-0977
Home page: http://iago.stfx.ca/people/gtrites/index.html
August 8, 2002 message from Miklos
I have posted on the Web pieces of my e-commerce course, about an hr+ of clips, .... be my guest to use them
http://raw.rutgers.edu/miklos/baxtermovies/baxter.html
they can be used (not tightly coupled) with my e-commerce slides
http://raw.rutgers.edu/ecommerce2
Miklos A. Vasarhelyi
KPMG Professor of AIS
Rutgers University Director, Rutgers Accounting Research Center
315 Ackerson Hall, 180 University Ave. Newark, NJ 07102
tel: 973-353 5002 fax 973-353 1283 miklosv@andromeda.rutgers.edu
Bob Jensen's related assurance services threads are at http://www.trinity.edu/rjensen/ecommerce/assurance.htm
This appeared in one of my older documents that is no longer updated --- http://www.trinity.edu/rjensen/99aaa/updatefr.htm
Online Financial Reporting
Ross A Kaplan, "Identity Crisis for Online Annual Reporting," Financial
Executive, Jul/Aug 1999, 38-39.
- More than 70 publicly traded companies now make their quarterly conference calls available using streaming audio or video.
- The number of companies using the web to make their annual shareholders meetings available is likely to treble to about 100 this annual-meeting season.
- Four of the top 25 investor-relations web sites are based outside the United States, according to Ross Kaplan; 13 of these offer at least some investor-relations content in more than one language.
- Five of the top sites present financial information in more than one currency.
- As the underlying technology improves, good investor-relations web sites will go beyond simply informing shareholders and increasingly let them do things -- for example, calculate ROI and other ratios, vote their shares, enroll in a dividend reinvestment plan and generate graphics showing trends in operating results.
- Increasing "customizability" means that shareholders will be able to configure web sites to show only the information they're interested in -- bypassing the vast majority of web content (sales material, technical support, etc.) aimed at other audiences.
Have traditional accounting and finance measures of corporate wealth
"lost their Utility?"
http://www.zdnet.com/pcweek/stories/columns/0,4351,407222,00.html
However, I will provide some updates below:
Top Investor Relations and Internet Reporting Sites --- http://ids.csom.umn.edu/faculty/kauffman/courses/8420/Projects/POlson/page5.htm
According to Ross Kaplan of the Off-line website, six attributes of a good IR web site are:
- Timeliness - Investors expect current data with twenty-four hour access. The site should contain only valid and current hypertext links.
- Content - Comprehensive content covering current financial information, historical data, press releases, SEC filings and corporate profiles is essential to a public company's site.
- Design - The IR site should be easy to navigate and clearly accessible from the company's home page. It should use graphics, text, and video to detail the company's financial position. The design should be tested for readability in all types of web browsers.
- Interactivity - E-mail, forums, and chatting allow shareholders to request information and use web sites as a communication tool.
- Horsepower - Investors are increasingly expecting to be able to search for, manipulate, and analyze online information. The visitor should feel that the server responds quickly and is consistently available for access.
- Mutability - Sites need to be flexible by allowing visitors to customize the information according to their interests. Two important customizations are language and currency.
Investor Relations Magazine provides the following advice on adding value to a corporate web site:
- Investors are becoming more sophisticated and expect to be able to add their names to a mailing list and be kept updated on press releases.
- The IR site should have different design considerations than the rest of a corporate web site. Investors want detailed information and fast downloads; forget the spinning logos.
- Make sure your server is adequate for traffic requirements.
- Keep the IR web site content and corporate values consistent with other communication with shareholders (annual reports, brochures, etc.).
In March, 1998 Investor Relations Magazine named Microsoft as the winner of its "Best World Wide Web Site" award. The magazine holds an annual awards ceremony to recognize excellence in investor relations. The Microsoft IR web site is a standard of excellence in using technology to promote investor relations. Attributes of the web site include:
- Basic offerings such as stock quotes, Frequently Asked Questions (FAQs), annual reports, and press releases
- A daily update on the antitrust trial brought against it by the U.S. Department of Justice
- Transcripts of speeches by company executives
- Live internet broadcasts of its conference calls
- Detailed historical data and analysis tools which allow an investor to analyze income statement line items dating back to 1985 or analyze revenue by product group
- Stock information such as price and volume history, investment growth history, five year comparison to the S&P 500, history of stock splits and dividend information
- The annual report is available in eleven languages
- Its income statements can be viewed in accordance with accounting standards and in the local currencies of Australia, Canada, Germany, France, Japan, and the U.K.
Companies such as Intel,
3com, Xerox,
Dell computer, and IBM
are also frequently discussed as having exceptional IR web sites.
XBRL Will Change the World of Financial Reporting and Analysis --- http://www.trinity.edu/rjensen/XBRLandOLAP.htm#XBRLextended
Data Binding
Data Binding as defined at
http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci991121,00.html
Data binding is a process that allows an Internet user to manipulate Web page elements using a Web browser. It employs dynamic HTML (hypertext markup language) and does not require complex scripting or programming. Data binding first became available with Microsoft Internet Explorer (MSIE) version 4. It can be used in conjunction with that and all subsequent versions of MSIE to create and view interactive Web sites with a minimum demand on authoring time, subscriber effort, server drive space, and server processing resources.

The data binding architecture consists of data source objects (DSOs) that supply the information to viewed pages, data consumers that display the DSO information, and agents that ensure that the data is synchronized between the DSOs and the consumers. Data binding is used in Web pages that contain interactive components such as forms, calculators, tutorials, and games. Pages are displayed incrementally so that portions of a page can be used even before the entire page has finished downloading. This makes data binding convenient when pages contain large amounts of data and bandwidth is limited.

Data binding has been used by hackers in attempts to gain access to the hard drives of Internet users. This is known as a DSO exploit.
XML Data Binding ---
http://www.rpbourret.com/xml/XMLDataBinding.htm
Data Binding for Java ---
http://www-106.ibm.com/developerworks/xml/library/x-bindcastor/
From Builder.com --- http://builder.com.com/5100-6387-1058862.html?tag=grid
Data binding 101: DataSets
In its simplest form, data binding involves attaching an ASP.NET Web control,
say a ListBox, to a DataSet containing some database data. The ListBox.DataSource
property lets you specify the DataSet to which the control should bind,
and the DataBind method actually fills the control with data. Because a
DataSet can contain multiple fields, Web controls with a single column
(ListBox, DropDownList, etc.) all expose DataTextField
and DataKeyField properties to let you specify the name of the field
the control will display as text and use as a value, respectively.
Listing
A contains a simple example that binds a ListBox to the Categories
table of the Northwind sample database.
After creating the DataSet, I bind it to ListBox1 using the DataSource
property. I then set the DataTextField property to CategoryName, the
field that ListBox1 should display (it will be used as SelectedItem.Text),
and the DataKeyField property to CategoryId so that ListBox1
will use it as the key. (It will be returned as SelectedItem.Value.).
Data binding 201: Arrays and collections
Okay, so binding to a DataSet is child’s play. But what if the data
you want isn’t contained in a database? What if you would like to allow the
user to choose from an array of objects? Sure, you could manually create a DataSet
containing the data, but that's kind of like building a mansion when all you
need is a tool shed. Wouldn’t it be nice if you could just bind directly to
the array?
Continued at http://builder.com.com/5100-6387-1058862.html?tag=grid
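The two Builder.com steps quoted above (binding a ListBox to a DataSet, then binding directly to an array of objects) carried through in one worked example. This is an added illustration, not code from the Builder.com article or from Microsoft: it assumes an ASP.NET Web Forms page containing a ListBox named ListBox1 and a DropDownList named DropDownList1, and it builds the Categories table in memory from constructed sample rows instead of reading the Northwind database. The value field is set through DataValueField, the property name the ListBox and DropDownList controls expose for the value side of an item.

```csharp
using System;
using System.Data;
using System.Web.UI.WebControls;

// Added example (not Builder.com's code). Assumes a Web Forms page with
// <asp:ListBox ID="ListBox1" runat="server" /> and
// <asp:DropDownList ID="DropDownList1" runat="server" />.
public partial class CategoryPicker : System.Web.UI.Page
{
    // A plain object used to demonstrate binding to an array (the "201" case).
    public class Supplier
    {
        public int SupplierId { get; set; }
        public string CompanyName { get; set; }
    }

    // Constructed sample rows standing in for the Northwind Categories table.
    public static DataSet BuildCategories()
    {
        var table = new DataTable("Categories");
        table.Columns.Add("CategoryId", typeof(int));
        table.Columns.Add("CategoryName", typeof(string));
        table.Rows.Add(1, "Beverages");
        table.Rows.Add(2, "Condiments");
        // Markup-like text on purpose: the list controls HTML-encode item text
        // when rendering, so data bound this way is displayed, not interpreted.
        table.Rows.Add(3, "<b>Seafood</b>");

        var ds = new DataSet("Northwind");
        ds.Tables.Add(table);
        return ds;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Bind only on the first request; on postback the items are restored
        // from ViewState, and rebinding would discard the user's selection.
        if (IsPostBack) return;

        // Data binding 101: bind the Categories table of a DataSet.
        DataSet ds = BuildCategories();
        ListBox1.DataSource = ds.Tables["Categories"];
        ListBox1.DataTextField = "CategoryName";   // shown as SelectedItem.Text
        ListBox1.DataValueField = "CategoryId";    // returned as SelectedItem.Value
        ListBox1.DataBind();

        // Data binding 201: bind an array of objects, no DataSet required.
        // DataTextField/DataValueField now name public properties of Supplier.
        Supplier[] suppliers =
        {
            new Supplier { SupplierId = 10, CompanyName = "Sample Supplier A" },
            new Supplier { SupplierId = 11, CompanyName = "Sample Supplier B" },
        };
        DropDownList1.DataSource = suppliers;
        DropDownList1.DataTextField = "CompanyName";
        DropDownList1.DataValueField = "SupplierId";
        DropDownList1.DataBind();
    }

    // SelectedItem.Value round-trips through the browser, so parse and
    // range-check it on the server before using it in any database query.
    protected int SelectedCategoryId()
    {
        int id;
        if (ListBox1.SelectedItem == null
            || !int.TryParse(ListBox1.SelectedItem.Value, out id)
            || id <= 0)
        {
            throw new InvalidOperationException("No valid category selected.");
        }
        return id;
    }
}
```

The same DataTextField/DataValueField pair works for any single-column list control, and with an array it resolves the names against the objects' public properties rather than table columns. Keeping the bind inside the `!IsPostBack` branch and validating the posted value before it reaches a query are the two habits that keep a data-bound form from becoming an input-validation problem.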
Education and Training Outlines
Electronic business education and training programs in various major
universities are outlined at
http://www.ehrlichorg.com/ibp/Undergraduate%20E%20BusE%20Com-0825.doc
Note the sheer size of this operation --- "more than 1.5 million people already
use its 15 e-Learning modules in three topic areas of leadership, strategy and
general management."
From Syllabus News on October 2, 2001
Harvard B-School Expands Business Courses Via the Web
Harvard Business School Publishing said last week it
would use the Internet to make available its electronic learning programs in
best management and business practices to corporate groups and enterprises.
HBSP said more than 1.5 million people already use its 15 e-Learning modules
in three topic areas of leadership, strategy and general management. HBSP will
now offer support for companies that wanted to make the modules available to
company groups via the Internet.
For more information, contact Nancy O'Leary at
Harvard Business School Publishing http://noleary@hbsp.harvard.edu
Electronic commerce courses, including accounting courses, have been added to
the curricula of many business schools. As a sample, the courses at the
University of Scranton are shown below --- http://matrix.scranton.edu/academics/ac_courses_electronic_commerce.shtml
Electronic Commerce Program
Course Descriptions — Electronic Commerce
- EC 251 — Introduction to
Electronic Business — 3 credits
- (Prerequisite: C/IL 104) This introductory course
in electronic business explores how the Internet has revolutionized the
buying and selling of goods and services in the marketplace. Topics covered
include: business-to-business and business-to-consumer electronic commerce,
electronic commerce infrastructure, designing and managing online
storefronts, payment acceptance and security issues, and the legal and
ethical challenges of electronic commerce. Students will also gain hands-on
experience in creating, editing, and enhancing a web site using an HTML
editor.
- EC 361 — Electronic Business
Communication Networks — 3 credits
- (Prerequisite: EC 251) The course is designed to
provide students with networking and telecommunications fundamentals
necessary to develop enterprise networks to conduct business on the
Internet. Topics covered include: communication network media; processors
and protocols; multimedia transmission; wireless networks; network design,
management and security; and present capabilities and future trends in
communication. Discussion of the technology is focused on business
applications within and among organizations. Hands-on experience and case
studies will be used to illustrate concepts and business use of enterprise
networks.
- EC 362 — Database Management for
Electronic Business — 3 credits
- (Prerequisites: EC 251, OIM 471) The course deals
with database design, implementation and use of Database Management Systems
to support Electronic Business. Topics covered include: database design and
implementation; data modeling and structured query language (SQL);
distributed data base management system, open data base connectivity,
integration of web server and backend database server; data warehousing and
mining; on-line analytical processing; and database application and
management. Cases and DBMS software will be used to illustrate concepts and
to gain hands-on experience.
- EC 370 — Interactive Marketing —
3 credits
- (Prerequisite: MKT 351, junior standing) This
course focuses on the integration of state-of-the-art interactive
technologies in the design and implementation of marketing programs for the
new millennium. The functions of market identification through customer
analysis, and the planning and implementation of conception, pricing,
promotion and distribution of ideas, goods and services to satisfy the
market benefit immensely from the capabilities of the rapidly developing
information technology (IT) infrastructure.
- EC 371 — Investments — 3
credits
- (Prerequisite: FIN 351, junior standing) This
course will provide students with an overview of the fundamentals of
investing, with specific emphasis on the use of information technology
tools. Topics will broadly cover the areas of stock selection and valuation,
bond valuation, and the use of options and futures to hedge risk. Students
will be taught to use resources available on the Internet in order to
develop security selection rules and valuation models. For example
Quicken.com and Hoovers have web sites that enable an investor to retrieve
current financial data and build stock screens. Students will also learn to
build a financial web site that contains features found in many professional
web sites.
- EC 372 — Accounting for Electronic
Business — 3 credits
- (Prerequisite: ACC 252 or ACC 254, junior
standing) This course is intended to introduce E-Commerce students to the
role of accounting in today’s business environment. Students will examine
how technology has impacted the techniques of accounting and reporting.
Computerized models of accounting will be used to explore the tools
available to compile data for management decisions and reporting. Internet
business and traditional business transactions will be evaluated in light of
global markets. Thus students will see the effects of control features built
into software systems and understand the role such systems play in running
the company.
- EC 461 — Internet Applications
Development — 3 credits
- (Prerequisites: EC 361, EC 362) The course
introduces the student to existing and evolving Internet technologies needed
for electronic commerce site development and management. Topics covered
include: Windows NT, Internet information server, index and transaction
servers, object-oriented paradigm, client and server side scripting, active
server page, enterprise data access, domain name service, and trends in web
development tools. The course emphasizes applications of the technology and
provides hands-on experience by having students develop a working electronic
business site. Cases will be used to illustrate concepts and the role of each
technology used to conduct business on the web.
- EC 462 — Projects in Electronic
Business — 3 credits
- (Prerequisite: EC 461) In this course, students
will develop an electronic commerce project that will be used to conduct
online business. The purpose of this course is to synthesize the Internet
related technologies and the business knowledge acquired in different
courses to develop a working electronic commerce site. Students will work in
a team-oriented environment under the guidance of the instructor. Students
will design, develop, implement, and operate a secure content-rich
electronic commerce web site to attract and retain customers.
- EC 470 — Supply Chain Management —
3 credits
- (Prerequisites: EC 361, EC 362) This course
integrates two powerful trends that are critical management imperatives for
the new millennium: Supply Chain Management & Electronic Business. The
students will learn how the principles of supply chain management integrate
into the “real-time” environment of e-business and examine case studies
of such implementations. Latest software and technology will be discussed
and examples demonstrated on the SAP R/3 platform available at KSOM.
- EC 471 — Electronic Business
Security Controls and Ethics — 3 credits
- (Prerequisites: EC 361, EC 362) The course is
designed to provide students with an understanding of the technical,
managerial, legal and ethical issues to build, operate and manage e-commerce
solutions. Topics covered include: web server and client security; secure
transactions and payments; information security; digital certificates and
practices; civil and criminal legal issues; morality and ethical issues;
intellectual property and patents; governmental regulations and policies;
and emerging technologies and standards. Appropriate cases will be used to
illustrate the above concepts.
- EC 472 — Electronic Business and
Entrepreneurship — 3 credits
- (Prerequisites: EC 361, EC 362) This course links
electronic commerce with entrepreneurship. The convergence of information
and communication technologies has created numerous opportunities to
entrepreneurs to start new and innovative businesses based on electronic
commerce. The course will examine the issues related to the starting and
establishment of new businesses based on electronic commerce. The course
comprises three parts. The focus of the first part is on issues related to
the establishment of a new business and entrepreneurship. The second part
examines the business issues related to electronic commerce including the
development of business models and plans. The last part is a practical part
where groups of students will develop and establish small electronic
commerce businesses from start to finish. The learning will occur through
study and discussion of conceptual reading material, analysis and discussion
of cases, and through the development and implementation of an e-commerce
business.
Question
What are the CERIAS programs in assurance services?
Answer
Certified Public Accountants over the past
decade have been actively promoting the branching out of financial attestation
services (especially auditing) into wider-ranging "assurance
services." Especially noteworthy is the new SysTrust service, in which
public accountants in the U.S. and Canada have partnered to extend assurance
services into the areas of computing services and information systems. For
details and links, see http://www.trinity.edu/rjensen/ecommerce/000start.htm#AssuranceServices
I mention this because, unlike audit
services by public accountants, where SEC rules create a mandated monopoly,
there is no such monopoly on extended assurance services. In
assurance services other than auditing, CPAs face increasing competition from
other professional bodies. One such area is Information Assurance and
Security: an education and training center at Purdue University is
generating courses and graduates in a program that is not part of the
Accounting Department or the School of Business. I will now briefly summarize
the CERIAS Center at Purdue University --- http://www.cerias.purdue.edu/
What I found
interesting is the extent to which students can get both MS and PhD degrees in
Information Assurance and Security.
The Center for
Education and Research in Information Assurance and Security, or CERIAS, is
the world's foremost University center for multidisciplinary research and
education in areas of information security. Our areas of research include
computer, network, and communications security as well as information
assurance.
Mission
Statement
To establish an ongoing center of excellence which will promote and enable
world class leadership in multidisciplinary approaches to information
assurance and security research and education. This collaboration will advance
the state and practice of information security and assurance. The synergy from
key members of academia, government, and industry will promote and support
programs of research, education, and community service.
Vision
Statement
The Center for Education and Research in Information Assurance and Security
will be internationally recognized as the leader in information security and
assurance research, education, and community service.
Internal Vision
Build a well-supported community of scholars actively involved in:
- Evolution and offering of educational programs in information assurance and security.
- Solving fundamental questions of science, engineering and management as they
relate to information security and assurance.
- Transfer of expertise and technology to organizations with real world needs.
- Assuming leadership roles in appropriate community and government organizations.
- Activities to enhance the public's understanding and acceptance of information protection.
To accomplish this, the Center promotes research, education and community service
programs in conjunction with various key groups. It also brings synergy to
these diverse groups (consisting of members from academia, government agencies
and industrial partners) to advance the philosophy of information security and
assurance.
- We have compiled
resources for students, parents, and teachers on a host of topics
including copyright, safe surfing, acceptable use, cryptography, and
much more; we also offer teacher and student workshops on a variety of
security topics, at a variety of levels.
- Information
about our graduate studies, including the Scholarship
for Service program.
- The
post-secondary education site contains information about formal and
informal information security and assurance educational initiatives,
including workshops, multimedia product offerings, certification and
faculty development efforts, and awareness activities.
- A site created
by CERIAS and several partners to raise awareness of Information
Security in the state. Includes information for K-12, Home Computing,
and Business and Industry.
So, you are
interested in graduate studies in Information Security at Purdue
University? That's great! You can take advantage of the infosec
expertise present at Purdue and associated with CERIAS, but you can't
actually get your degree from there. CERIAS is a research center, and
not an academic department. However, there are other ways to get your
degree and be associated with CERIAS.
There are
currently 3 different approaches to graduate study in infosec here:
- The
interdisciplinary MS specialization
- A
standard MS in one of the involved departments, with a focus on
infosec topics
- A
PhD course of study in one of the involved departments, with a
dissertation topic in infosec
We are currently
offering an interdisciplinary Master's specialization in InfoSec. This
is offered as an MS through a participating department, not CERIAS.
While the program is multidisciplinary and requires (and recommends)
courses in Computer Sciences as well as other fields, admission to the
program is handled administratively by a participating department. The
specialization on your diploma will, however, read "Information
Security," independently of what department handles the admission.
As of September 2000, the only department ready to admit students to the
program is Philosophy. Computer Sciences, Education, and Electrical
& Computer Engineering are all in the midst of the administrative
process to join the program.
You can apply
for the Program electronically for future sessions. Please select
"Philosophy" on the application and indicate "Information
Security" as your area of interest. Your default contact professor
in the next field of the application is Eugene H. Spafford, Director of
CERIAS and of the Program. Feel free to mention in that field any other
professor in information security that you would like to work with if
you have established such a contact already. You will eventually be
contacted by the graduate school about your admission status.
Students can also
receive graduate degrees in existing programs with a specialization in
infosec areas. To do this, the students enroll in a traditional major,
take a core of common courses, and then are able to take electives
related to their interests. Masters students may choose to research and
write a Master's thesis that involves further study in a particular area
of interest, or they may simply take 30 or more credit hours of
coursework. PhD students must choose a specialized topic for their
dissertation research. The most common major for students interested in
information security is Computer Sciences, but degrees are also
associated with Electrical & Computer Engineering, Management,
Philosophy, Political Science, and many other departments associated
with CERIAS.
Note that
specific requirements for individual department degrees are given in the
course catalogs and on some departmental WWW pages. What follows is a
summary of the requirements for a CS graduate degree, serving as an
example of what is expected. You need to consult one of the definitive
references to get the whole picture. (CS graduate degree requirements
are available on the WWW; information on other graduate programs can be
found by starting at the main Purdue WWW page.)
MS students are
required to take a course in operating systems or networks (CS 503 or CS
536), one in programming language design or compilers (CS 565 or CS
502), and algorithm analysis (CS 580), plus another 7 courses of
electives, or 5 courses and the thesis option. Normally, for infosec
study, MS (and PhD) students would take CS 502 and CS 503, plus the
courses in computer security (CS 526) and cryptography (CS 555) as
electives, and consider taking the advanced security (CS 626) and
cryptanalysis courses (CS 655), too.
There are many
electives available to graduate students, including graphics, databases,
numerical methods and distributed systems. Each year, several faculty
also offer special topic courses in their areas of interest.
Opportunities for directed reading or research courses are also
available. In the last few years, we have had seminars in Intrusion
Detection and Incident Response, Penetration Analysis, Firewalls,
Electronic Commerce, Network Security, and Security Tools. Additionally,
we have had seminar courses in Wireless Networks, Advanced Operating
Systems, and Internetworking.
Normally, a PhD
program starts with 2 years of graduate study and passing a series of
general exams in the area of study (the "qualifier exams").
The candidate then decides on an area of study, chooses an advisor, and
takes an in-depth exam in the area of specialization (the
"preliminary exam"). Next, the candidate performs in-depth
research under the guidance of the advisor for a period of time ranging
from 6 months to as many as 5 years. Finally, the candidate writes a
detailed scientific account of his or her research (the dissertation)
and defends it in a public exam before a committee of faculty, visitors,
and members of the community. The average time to complete a PhD in CS
at Purdue (assuming the student already has a good undergraduate
background in CS) is 5 years.
Required
courses for PhD students in CS include courses in operating systems,
algorithm analysis, compilers and programming languages, numerical
analysis, and theory of computation; this is a superset of the courses
required for the MS degree, and almost all PhD candidates obtain their
MS degree during their candidacy for the PhD.
Currently, there
is a large range of projects being conducted in information security at
Purdue. We have almost 40 projects involving over 30 faculty in a dozen
different academic departments. You can get a more complete picture of
the faculty and research projects via the CERIAS WWW pages. These
projects are normally open to graduate students and can be used to
satisfy research requirements towards MS and PhD thesis work. Not all
infosec projects are offered through CERIAS, either, and there is no
requirement that students work on a CERIAS project to get an infosec-related
degree.
Students coming in
to the graduate program are expected to be ready to pursue the degree
upon arrival. There are limits as to how many semesters may be spent in
residence before completing each of the steps towards the degree.
In particular,
students are expected to:
- have strong,
basic skills in mathematics, including working knowledge of
statistics, calculus and linear algebra
- know how to
write programs in some advanced computer language (C/C++/Java are
languages of choice; Perl is also encouraged)
- have mastery
of spoken English sufficient to understand lectures and
presentations, and to discuss assignments with faculty and TAs
- have mastery
of written English sufficient to document programs and write
grammatical research papers. This is especially critical for MS and
PhD students who need to write a thesis and research papers
Students without
adequate preparation, or who fall behind in assignments, may be tempted
to take "shortcuts" on assignments to keep up. Cheating,
plagiarism, and falsifying work are severe violations of both the
student code of conduct and academic honesty, and discovered incidents
are dealt with particularly harshly by faculty in the infosec arena.
Graduate students in violation of these rules are routinely recommended
to the dean of students for expulsion from the university; foreign
students in this situation will lose their visas. Thus, it is strongly
recommended that applicants be sure they have mastery of these basic
skills prior to applying to graduate school at Purdue.
Financial aid for
graduate students is based on both scholarship and need. Some
fellowships are available to exceptional incoming students. Others are
supported by the departments or by research projects. It is unusual that
a new student will get support from a faculty member's research funding;
indeed, most faculty do not support students prior to their completion
of some of the qualifying exams. Some incoming students qualify for
selection as teaching assistants, however. Other information about
financial aid is in the graduate student information documents.
For financial
aid, contact the admitting department and not individual faculty
members.
The above is not
an official document of Purdue University, but Professor Spafford's
interpretation of Purdue policy. Interested parties should consult
official University documents, available through the
graduate school.
From Syllabus News on December 10, 2002
Compsec Firm Funds Purdue Info Assurance Degree
Internet security firm Symantec Corp. has endowed a
fellowship for a student pursuing a degree at Purdue University’s Center for
Education and Research in Information Assurance and Security (CERIAS). The
Symantec Fellowship will provide up to $50,000 to cover the full tuition costs
for two years and a stipend for a degree-seeking student enrolled at Purdue
and working with CERIAS, a center for multidisciplinary research and education
in information security. Applications will be accepted immediately with a
deadline of March 1, 2003. The Fellowship recipient will be announced April 8,
2003 at the annual CERIAS Spring Symposium held on the West Lafayette, Ind.,
campus of Purdue University. The Fellowship will begin during the 2003-2004
school year and will be expanded to include a second student beginning the
Fall of 2004.
December 11, 2002 reply from J. S. Gangolly
[gangolly@CSC.ALBANY.EDU]
Bob,
I wanted to brief
AECMers on the happenings, with respect to Information Assurance in Albany.
The Department of
Accounting & Law at SUNY Albany is starting with the Fall semester 2003 an
MBA track on Information Assurance (IA) based on our earlier efforts in AIS in
the MS program in Accounting with an emphasis in AIS. When we have prepared
the materials about the program, I'll post them on this listserv.
We have re-engineered
all courses in AIS to have security/assurance permeate throughout the
curriculum. This is now receiving the last review by us to ensure compliance
with the curriculum recommendations of the National Security Agency.
The above is a part
of our campus-wide forensics initiative (Departments of Accounting & Law,
Management Science & Information Systems, Department of Computer Science,
School of Information Science & Policy, and in the future hopefully our
very well regarded School of Criminal Justice) which has already received
funding from the US Department of Education and is in partnership with the New
York State Police, and CERIAS is also our partner in the efforts.
We are hoping to
apply and receive next year the designation of Center of Excellence in
Information Assurance Education. We hope more Accounting Departments will be
hospitable to this "diversion" from our perceived central mission of
educating future CPAs (currently there is no curriculum on IA in any
Accounting Department that I am aware of).
It is important for
me to brief the AECMers on the issue of "accountingness" of the
curriculum in this respect, particularly since it became quite an issue even
at Albany where our Department has traditionally been hospitable to
off-the-wall curricular innovations. 'Accounting content' in much of the
Information assurance curriculum usually is (and probably should be) expected
to be very meager even though the assertions-based philosophy is rather
similar.
I had a quite
difficult time convincing my dyed-in-the-wool accounting colleagues (especially
in Financial Accounting) that Information Assurance education can coexist
peacefully in our Department. (Many Financial Accounting colleagues rightfully
asked: since accounting content is minimal, why not have it in the MSIS or
some other Department? My arguments were: 1. Such other departments do not
have the tradition of scepticism that we in accounting/auditing have, and 2.
we were better poised to offer a computationally intensive Information
Assurance curriculum in the department because of the sophistication of our
existing AIS curriculum). Ultimately, we did win the confidence of the
department faculty, though in some instances it might have been grudging
acceptance because of what we would lose in the long run if we chose to not
have the program.
Jagdish S.
Gangolly,
Associate Professor (j.gangolly@albany.edu)
Accounting & Law and Management Science & Information Systems
State University of New York at Albany, Albany, NY 12222.
Phone: (518) 442-4949 Fax: (707) 897-0601
URL: http://www.albany.edu/acc/gangolly
December 11, 2002 reply from Bob
Jensen
Hi Jagdish,
I appreciate your informative reply. It
appears that Albany has avoided the vexing problem that Notre Dame and the
University of Virginia faced with their Masters of Assurance Services Programs
for Ernst & Young employees --- http://www.trinity.edu/rjensen/255wp.htm#ErnstandYoung
The vexing problem arises when one of
the goals is to have the graduates of the assurance services program also be
eligible to sit for the CPA examination. It appears that assurance services
masters programs at Albany and Purdue have no CPA examination goal. Hence there
can be very little accounting, tax, and auditing in those programs. This was not
the case for Notre Dame and the University of Virginia where a major goal is for
the graduates to be eligible to sit for the CPA examination in most states.
This begs the question about what
career paths students will take after graduating from assurance services
programs. It would seem that Albany and Purdue University are envisioning
graduates joining consulting firms, computer systems companies, etc. Graduates
of the Notre Dame and UVA programs already work for the accountancy divisions of
Ernst & Young.
It seems to me that for a career path
in the accountancy divisions of a public accounting firm, there is very little
future without becoming a CPA.
Hence, I anticipate two types of
assurance services degree programs. One type is more focused on computer science
and information systems. The other type is more focused on accountancy and
accounting information systems.
I think there's room for both types of
emerging programs.
Bob Jensen
December 12, 2002 reply from Calderon,Thomas G [tcalder@uakron.edu]
Our entire grad program (at the University of
Akron) is built around an IT security and assurance
theme. Each course taught by acct dept faculty has security and assurance
content and we attempt to tie everything together in our capstone IS Audit
& Control Project (a hands-on project organized as a mini-internship and
supervised by a faculty member and a "competent" professional in the
field.)
Courses, 3 hrs each, in the program are:
1. Business Application Development (taught by MIS)
2. Applications Development for Financial Systems (taught by accounting -- uses
skills learned in BAP to address assurance type problems)
3. Enterprise Resource Planning & Financial Systems (uses Oracle 11i to expose
students to architecture, business process issues, & security and assurance
issues in ERP environments)
4. Financial Data Communications & Enterprise Integration (focus on XML, XBRL,
and security/assurance issues associated with enterprise integration)
5. Advanced Information Systems (database/data warehouse design/assurance
issues; use Oracle 8i)
6. e-business foundations (general management issues in a distributed network
environment--taught by MIS)
7. e-business technologies (exposure to networks, internet technologies, and
application development for a web environment; use Windows OS, Cold Fusion,
Oracle--taught by MIS)
8. e-business risk, control & assurance (business risk assessment, security,
& assurance for entities that use distributed networks such as the Internet
for business critical activities)
9. Assurance Services with Data Warehousing & Data Mining (a hands-on course
that uses Classification & Regression Trees (CART), Multivariate Adaptive
Regression Splines (MARS), neural networks, and ACL to identify red flags in
quantitative data)
10. IS Audit & Control Project (the capstone hands-on project, structured as a
mini-internship with a very specific deliverable)
All students admitted into the program must take the
following courses if not taken in their undergrad program:
- 3 hrs of accounting information systems
- 3 hrs of intermediate accounting
- 3 hours of auditing
- 3 hours of cost & management accounting (beyond principles)
We encourage students to prepare for and take the
CISA exams and CITP. The program does not attempt to prepare students for any
specific professional examination.
Electronic Commerce: Assurance Services Opportunities and Risks
Possible new assurance service clients for CPA firms
A number of major international charities are opening
their doors for the first time to outside inspectors, allowing them to certify
that donations are spent as advertised. The charities say they hope
thorough inspections and a new industry seal of approval will assuage public
fears of donations being misused. The nonprofits are also trying to keep ahead
of a movement in Congress to impose regulations on the fast-growing but largely
unsupervised world of nongovernmental organizations.
Michael M. Phillips, "Big Charities Pursue Certification To Quell Fears of
Funding Abuses," The Wall Street Journal, March 9, 2005; Page A1 ---
http://online.wsj.com/article/0,,SB111033202546074217,00.html?mod=todays_us_page_one
Bob Jensen's threads on charity frauds are at http://www.trinity.edu/rjensen/FraudReporting.htm#CharityFrauds
Nobody has been more
influential in moving the auditing profession toward an expanded scope of
services than Robert K. Elliott, former KPMG partner and Past Chairman of the
AICPA. In the mid-1990s, Bob Elliott chaired the AICPA Special
Committee on Assurance Services. His basic argument was that the future of
auditing was becoming increasingly bleak without expansion into a broader scope
of services, provided that expansion did not impair the profession's reputation
for CPA integrity and independence.
First he argued that the
traditional audited financial statements, rooted in standards for industrial
companies, are rapidly becoming obsolete in terms of usefulness and timeliness to
investors. He stated the following in a November 2, 1998 Saxe Lecture at
Baruch College: --- http://newman.baruch.cuny.edu/digital/saxe/saxe_1998/elliott_98.htm
Now let's focus, in
this new environment, on the financial statements that we prepare under
generally accepted accounting principles. These financial statements have been
designed by the FASB and its predecessors to describe the industrial-era
enterprise, the enterprise that creates value by physically manipulating
tangible property like raw materials and turning them, by the application of
energy and labor, into finished goods, then pushing the finished goods down
the line to customers physically. What you see on those financial statements
are the very tangible assets of that process. You see the raw material, the
work in process, the finished goods. You see machinery and equipment. You see
the buildings and the land.
That's what's on
the financial statements, but post-industrial enterprises run on a different
set of assets. They basically run on intangible assets, such as the capacity
of innovation, research and development, human resources, information and
know-how, brand equity, relations with customers and vendors, and relations
with employees. These intangible assets drive the post-industrial firm, and
none of them are on the balance sheet at all. We don't account for them.
Post-industrial
enterprises run on intangible assets...
- Information
- Research
and development
- Capacity
for innovation
- Human
resources
...which
are not in the financial statements
Now you're thinking,
"Okay, but those are just the post-industrial enterprises. Most of the
American economy is still making things: automobiles, steel, food." Well,
let me tell you, two percent of the American work force is involved in growing
things on farms, and ten percent of the American work force is involved in
making things in factories. The rest of the work force is doing something
else. Seventy percent are involved in the creation, distribution, or use of
information. The economy has basically become information-oriented. Even
industrial enterprises are no longer strictly tangible-goods companies.
Let me give you an
example: Motorola. It's a manufacturing company, so it should be described by
an industrial accounting model. Let's look into that. Say you go down to the
store and buy a Motorola cellular phone that costs $100. How much of the $100
was for the physical content of the phone? There is less than a penny's worth
of sand, turned into silicon. There is less than two cents worth of copper, to
make the wires to connect things. There is less than a nickel's worth of oil,
turned into a plastic box. What is the rest of the $100? Software, research
and development, innovation, brand equity, information. Manufacturing
companies are putting out more and more products that are post-industrial.
They too run on assets that are not in the financial statements.
Let's look at it
graphically, on this slide. In the past, a company's value-producing assets
were largely tangible. There were intangible assets, but tangible assets
dominated. So at this end of the spectrum, think of United States Steel.
You've got steel mills, blast furnaces, land, piles of coal. But the emergent
economy is basically working on intangible assets.
At the other end of
the spectrum, think Microsoft and think of Microsoft's balance sheet. I
guarantee you, Microsoft's balance sheet has nothing of interest on it
whatsoever. What are the assets of Microsoft that comprise the balance sheet?
A couple of diskettes, probably not even much land. Where is the some $300
billion of Microsoft's market value? It's between the ears of Microsoft's
people, not on the balance sheet.
Don't get me wrong;
I'm not saying that we should take these intangible assets and turn them into
debit and credit entries, but I am saying that ignoring them in the accounting
model is a fatal mistake, because what we're doing with these grand financial
statements is producing what's in the left-hand column. We're producing
periodic historical cost basis financial statements, five terms to describe
what we provide as accountants, but look at the right-hand column and you will
see the way in which people are used to getting information in every other
information domain besides accounting.
Periodic? No.
People don't want periodic information. They want to log on and get the information
they want on demand. They want
up-to-the-minute, if not forward-looking, cost bases. I'm not saying they want
to know the current value of the assets as much as I'm saying they want to
know the capacity of this basket of assets to make customers better off, to
create value for customers.
Sure they want
financial information, but they want much more than that: They want to be able
to look behind it and see the operating data
that lie behind those numbers, see the leading indicators, see the
non-financial performance indicators that management itself is using
increasingly to run the enterprise, things like customer satisfaction, product
and process quality, measures of innovation, those types of things.
Then, the last word
in this five-part set is the word "statements." We're referring to general
purpose financial statements. General purpose financial statements means the
information is not exactly what the investors need, not exactly what the
creditors need, not exactly what the managers need, not exactly what the
regulators need, not exactly what the tax man needs. It's not exactly what
anybody needs. It's a compromise.
But today, we
actually have the capacity to go in and find out what we want on demand. This
trick of summarizing a complex enterprise in two pages, a balance sheet and an
income statement, is a neat trick we learned as accountants 500 years ago or
so. It was a pretty good trick when people could hardly come into the
enterprise, thumb through the journals and ledgers, and form their own
impression of the enterprise.
But today, users can
literally come in and thumb through the journals and ledgers themselves. I
don't mean with their thumbs, but with their software. They have the ability
to come in and express their information demands and get them met in the
format that they need, drill down, and get whatever they want when they want
it.
What I am saying is
that this left-hand column is not a formula for success in the future. In
fact, it leads to something we might call a loss of decision-information
market share.
On this graph, what I
show, over the extent of the 20th century, is the information content of
financial statements available to decision makers. It has been going up
somewhat during the century as a result of higher standards, better
accounting, better practice, and so forth. Actually, those show a tailing off
at the end of the century. That's what I was talking about earlier. These
financial statements don't describe the Microsofts and the other
post-industrial enterprises.
Looked at this way,
the information content of financial statements is declining. At the same
time, we have other information. At the beginning of the century, you would
certainly need information outside the financial statements to decide whether
to commit money to the enterprise as either an investor or a creditor, but a
relatively large percent of what we needed could come from the financial
statements. You always need some other information, but the financial
statements supply a relatively large part of what is needed.
As the century goes
on, though, low-tech information intermediaries emerged, people like Moody's,
Standard & Poor's, and Dun & Bradstreet. Later in the century, you get
an explosion of other sources of information because of electronic databases
now on line. So while the total information that creditors and investors have
is exploding, the piece that we as accountants are involved in preparing and
auditing is flat at best, perhaps even declining, but either way, it's a loss
of relative market share.
That's why I say we're
facing a parlous present. Yet, I have the temerity to tell you there is a
great future in front of us. How so? How do I get there?
First, there are some
enormous megatrends in our favor. One megatrend is the change from an
industrial to an information or post-industrial economy. We as the information
people should be able to figure out how to take advantage of the shift to an
information economy. Unless we're foolish or lack creativity, that megatrend
actually operates in our favor. A second megatrend is that all around the
world, people of every type are expressing less and less trust in
institutions, businesses, governments, and people. More and more, they want
accountability for the money they are investing or contributing, for resources
managed by others, and for relationships. They want to be told about what's
happening with their trusted inputs.
These demands for
accountability express themselves in many ways, but we as the accountability
people should be able to figure out how to take advantage of the trend. That's
what we supply. If people are demanding more of it, that's good for us.
The third megatrend
is that information technology is making markets so much more competitive. You
have probably heard this comparison: an Internet year to a regular year is
like a dog year to a human year. This enormously speedy change creates turmoil
everywhere. That should be good for us. We should be able to step in and help
resolve the turmoil by bringing some information discipline to it. What we
have to do is figure out how to harness these megatrends.
Continued at http://newman.baruch.cuny.edu/digital/saxe/saxe_1998/elliott_98.htm
The Special Committee under Elliott's leadership surveyed a random sample of
CPAs in all 50 states. Its conclusion, as listed on pp. 11-12 of the above
document, is summed up as "Combining insight with integrity, CPAs deliver
value," which the committee expanded into four bullets:
- One is communicating a total picture with
clarity and objectivity.
- Second is translating complex information into
critical knowledge.
- Third is anticipating and creating
opportunities. That sounds a little more creative than what most people
think of when they think of accountants.
- And fourth is designing pathways that transform
vision into reality.
Let me take those four bullets and recast them a bit
for you. I want to start here with the information value chain. You have
probably seen this in some form or another, but here's the idea. At the left
end of this chain, we've got business events and transactions taking place,
but we don't know anything about them yet, so the first thing we do is record
them. Now we have data about them, and we can begin to take a look at what
happened. We take the data, refine and combine it with other information, and
we have more than data -- we have information, information from the outside
and so forth. That turns into knowledge, and we use that knowledge in order to
make wise decisions -- consumption decisions or welfare, political, and social
decisions. Any type of decision.
So as you move up the information value chain, you
get to higher and higher value activity. The person who sits there at
shipping, taking down and recording things going in and out, creating data, is
earning what? Perhaps ten dollars an hour. That's what you get for actually
creating data. Then you move up to the 30 people who get $100 an hour because
they are transforming data into information and refining information into
knowledge.
Now let's take those four bullets that I showed you
here and locate them on this value chain. The first was communicating the
picture with clarity and objectivity. That's down here at this level. The
conversion of data and information -- good work, pays decent, but a lot of
that is being made redundant by technology. It's not going to be great work
too far into the future. The next bullet is translating information into
knowledge. That falls right here; that's higher value. People who do that get
paid more.
The third bullet is creating opportunities. That lies
even further up the value chain, and those people get paid even more. The
fourth is designing the pathways that permit people to achieve their vision,
and that's where you're up at the top of the value chain. So 3,000 members
told us they aspire to move their practice up the information value chain. We
also asked, "What do you think are the core values of the accounting
profession?" These were the top five that they listed: First, a
commitment to continuing education and lifelong learning. Second, competence.
They think that whatever they are doing, they must be highly competent at it.
Third, integrity -- stands to reason. The reputation of the accounting
profession rests on people believing that we have integrity, and that rests on
CPAs having integrity. Fourth, they list attunement to broad business issues,
not just a narrow green-eyeshade focus on the numbers, but a holistic view of
the enterprise. Fifth, objectivity, which is different from integrity. You can
have one or the other or both, but objectivity is the neutrality,
trustworthiness. So these are the top five values.
Now look at what our numbers showed as the services
with the highest potential in the future. The first one was assurance and
information integrity services. They extend the historical audit function,
taking in a much broader domain. The second is technology. They see technology
services as something that's really going to be high value-added and demanded
well into the future. Third, management consulting and performance management.
Obvious, right? The fourth is financial planning, helping people to achieve
their financial objectives. And fifth, they see the world economy as global
and see in that enormous opportunities for international services, much more
than we have exploited in the past.
Our members also identified the capabilities that
CPAs would need to have in order to succeed in taking advantage of the
opportunities they identified. Number one was communications and leadership
skills. Number two, strategic and critical thinking skills. You can't get up
the value chain if you're just thinking about the production of debits and
credits; you have to think strategically, the way the management of the
enterprise thinks.
The third needed competency is a focus on customer,
client, and market. We talked earlier about mass production, where the
producer tries to drive down the price and isn't too concerned whether the
product meets specific customer needs. Demassification is where you turn
around and face every problem from the customer's perspective. You have to
turn around and face the whole thing from the customer's perspective or you
won't get the right answer.
The fourth competency is the interpretation of
convergent information, by which they mean the ability to interpret both
financial and non-financial information. If you only see one side of the
picture, you don't have the full story. Fifth, you have to have high
technology skills to succeed in this environment. When vision-project
participants talk technology skills, they are not talking about the ability to
run a PC, do a spreadsheet, and make a PowerPoint presentation; they're
talking about a fundamental understanding of how technology reshapes
organizations, products, services, and markets, and about the risks of
employing technology and the ways in which to control those risks. They are
talking about business implications of technology, not just the ability to run
applications or deploy software. Those are necessary, but not sufficient in
order to succeed.
The vision-project participants mentioned obstacles
to achieving this vision: problems we have to solve and issues we have to deal
with. One is that we can't get anywhere if the customers don't believe we can
do it. So they held that future success would be based on public perceptions
of our ability and roles. The second issue is that we've got to become as a
profession much more market-driven than we are. Third, we have to be less
dependent on traditional accounting and auditing services and focus more on
high-value services like consulting. Fourth, you can't face this marketplace
as a generalist very well in the future. You've got to specialize in some
area. You need the breadth to see problems as a whole, but you also have to
have the skills to be able to solve problems in some specialized domain.
Fifth, these CPAs are saying that as a profession, they don't think we're
sufficiently global in our perspective and outlook. That's an issue as well.
So these are the things that our members are telling
us. This is not the leadership of the AICPA telling us what to do; it's the
members of the AICPA telling the leaders what to do. That doesn't mean that if
the AICPA does those things, the game is won, because other actions are
necessary as well. Some actions have to be taken at the level of firms, both
industrial firms and CPA practice firms. Since I am in practice and I'm
familiar with what we have to do in our firm and firms like it, I'll focus on
them.
The first thing that firms have to do in order to
realize these opportunities is to adopt a customer focus for the auditing
product. The customers are not only the clients, but the investors and
creditors out there who are the end users of the information. If we're not
making those people better off, we're not going to have much of a job in the
future. The second thing is that firms have to build competencies,
particularly in the technology area but in some others as well. The third
thing is that we have to take our existing product offerings and invest them
with higher and higher value. We have to make them more valuable to the
customers, and we have to show our customers and clients our capacity to
create value.
When they think of CPAs, we don't want them to think
only of people who prepare the financial statements and tax returns; we want
them to think of CPAs as the people who help them shape their future. Those
firms that don't have a research and development arm oriented to finding out
customer needs and creating service opportunities to fulfill those needs will
have to create one.
It should be stressed that Elliott and the Special Committee viewed assurance
services as extending well beyond attestation services. Attestation is
usually associated with verification of past transactions, such as attesting to a
golfer's score or to the fairness of a contest drawing outcome.
Assurance can be more forward looking, in terms of the design of systems that are
"assured" to perform within specified tolerances. For
example, one type of assurance service proposed by the Special Committee is
called WebTrust. It is intended not so much as an "attestation"
that a company did not violate its data privacy policy with customers in the
past as an "assurance" to customers that the company
will abide by its promises in the future.
I greatly admire Bob Elliott and the Special Committee for both giving us a
vision for the future and for the boldness in the plan. The
disappointment, at least in the short-run, has been in the inability of CPA
firms to undertake many new assurance service experiments. And some of the
experiments like WebTrust that have taken place have been largely disappointing
in terms of perceived value in the eyes of potential customers.
Then came the implosion of Enron and the explosion of the auditing firm,
Andersen, that transpired in 2002. Public respect for the independence and
integrity of CPAs plummeted along with short-term prospects that the world was
ready for a new type of professional. Members of the AICPA resoundingly
defeated the AICPA's proposal to develop a new professional designation
(the failed "XYZ" placeholder and the proposed Cognitor designation).
Rather than focus more and more on expanded services, large CPA firms in the
post-Enron era had to divest themselves of large chunks of the consulting
practice in concerted effort to restore public confidence in CPAs and in their
audit services. The momentum for expanded assurance services has
temporarily slowed, but it will come booming back over the longer term.
Virtually all colleges with accounting programs have added assurance service
modules and/or complete courses.
The future of assurance services is so promising that some major
universities have initiated assurance service degree programs apart from
traditional accounting and tax degree programs. Several examples are
listed below:
Assurance Services Updates
January 19, 2003 message from Lawrence Gordon
[LGordon@rhsmith.umd.edu]
Dear Bob:
The Journal of Accounting and Public Policy
has initiated a new sub-section called "Accounting and Information
Assurance Letters." The sub-section publishes short papers (not to exceed
6 printed pages, or approximately 2400 words) that link timely accounting
(broadly defined) and information assurance issues to public policy and/or
corporate governance. Papers submitted to this subsection of the journal will
be reviewed within four weeks of receipt and revisions will be limited to one.
Papers accepted for this subsection will be published within four months of
acceptance.
We believe that this new section of the journal will
help define the relationship between accounting and information assurance, and
would be especially pleased to publish papers on this topic from members of
the journal's Editorial Board. Accordingly, if you are working on research
papers that seem to fit the new section of the Journal of Accounting and
Public Policy, we hope you will consider submitting them to the journal. More
information about the new section can be found at: http://www.elsevier.com/inca/publications/store/5/0/5/7/2/1/
. We also hope you will bring this new section of the journal to the attention
of your colleagues.
Sincerely,
Larry and Marty
Lawrence A. Gordon, Ph.D.
Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance
Director, Ph.D. Program
The Robert H. Smith School of Business
University of Maryland - College Park
College Park, Maryland 20742
Phone: (301) 405-2255 Fax: (301) 314-9611
E-mail: lgordon@rhsmith.umd.edu
http://www.rhsmith.umd.edu/accounting/lgordon/

Martin P. Loeb
Professor of Accounting and Information Assurance
Deloitte & Touche Faculty Fellow
The Robert H. Smith School of Business
University of Maryland, College Park
College Park, MD 20742-1815
e-mail: mloeb@rhsmith.umd.edu
phone: 301-405-2209 fax: 301-405-0359
The AICPA's main site of interest --- http://www.aicpa.org/assurance/index.htm
Assurance Services are defined as
"independent professional services that improve the quality or context of
information for decision makers." Today's business environment is marked
by increased competition and the need for quicker and better information for
decisions. In addition, the complexity of systems and the anonymity of the
Internet present barriers to growth. Businesses and their customers need
independent assurance that the information on which decisions are based is
reliable. By virtue of their training, experience and reputation for
integrity, CPAs are the logical choice to provide this assurance.
The AICPA's movement into developing
additional Assurance Services began with the 1993 Audit/Assurance Conference.
The Conference had been concerned with the decline in the demand for audits
and other attest services and that the users of Assurance Services had
expressed dissatisfaction with their scope and utility. It analyzed why the
audit and assurance function had come to this juncture and developed a broad
plan for shaping the future of assurance to enhance its value.
The AICPA authorized the Special
Committee on Assurance Services ("SCAS") to investigate the issues
and what could be done to reposition CPAs for the future. The SCAS's report,
The Report of the Special Committee on Assurance Services, was issued in 1997.
The report called for the development of additional services to serve the
needs of clients. For a complete understanding of the history of Assurance
Services, follow the links under About
Assurance Services.
The first four services that were
developed are: ElderCare Services, Performance View, SysTrust Services, and
WebTrust. This section of the AICPA's Web site provides information on each of
these services, including: what the service encompasses; the necessary skills;
information on developing a practice; and FAQs. In addition, links to the
people to contact to request additional information are also provided.
Risk Advisory Services by CPA Firms ---
http://www.aicpa.org/assurance/risk/index.htm
What are Risk Advisory Services and Why Should I Get Involved?
Risk Advisory Services Task Force: learn about the Task Force's mission, its members and highlights of meetings.
How to obtain a free copy of the new thought leadership document on risk, MANAGING RISK IN THE NEW ECONOMY
Download URL --- http://ftp.aicpa.org/public/download/Managing%20Risk.pdf
Update on WebTrust --- http://www.aicpa.org/assurance/webtrust/princip.htm
The AICPA/CICA Trust Services principles and
criteria will be released January 1, 2003. The new Trust Services
principles and criteria will be effective for engagements beginning on or
after January 2003. Earlier implementation is encouraged.
Trust Services Principles and Criteria Exposure Draft
The Trust
Services Principles and Criteria are intended to address user and
preparer needs regarding issues of security, availability, processing
integrity, online privacy and confidentiality within ecommerce and
nonecommerce systems. The Principles and Criteria contained in this
program supersede Version 2.0 of the SysTrust Principles and Criteria
and Version 3.0 of the WebTrust Principles and Criteria and are
effective for examination periods beginning after August 31, 2002.
The new and improved WebTrust 3.0 family of
services provides best practices and eBusiness solutions for
Business-to-Consumer and Business-to-Business Electronic Commerce, for
Service Providers, and for Certification Authorities. Please review
each to determine which would be best for your clients and their
customers.
Illustration of Topics in a Continuous Assurance Symposium
Fifth Continuous Assurance Symposium
November 22 and 23 (AM), 2002
Rutgers Business School, 190 University Ave., Bove Lecture Hall – Engelhard Hall, Newark, NJ 07102
Web address: http://raw.rutgers.edu/continuousauditing/fifthaudit.htm
Sponsored by IMA, the Artificial Intelligence and Emerging Technologies section of the AAA, and ISACA.

November 22nd, 9am-6pm
INTRODUCTION: 9:00-10:30
Welcome to Rutgers: Dean Howard Tuckman
- Update on the Center for Continuous Auditing, Don Warren (Texas A & M University)
- Update on the European Center for Continuous Auditing, Robert Onions (Salford University, UK)
- Principles of Analytic Monitoring, Mike Alles, Alex Kogan & Miklos Vasarhelyi (Rutgers Business School)
- Understanding the New Business Reporting Model for the Future, Tony Pugliese (AICPA)
Break: 10:30-10:45
RESEARCH PAPERS I: 10:45-12:15
- James Hunton (Bentley College), Jackie Reck (Univ. of So. Florida) & Robert Pinsker (Old Dominion Univ.), Investigating the Reaction of Relatively Unsophisticated Investors to Audit Assurance on Firm-released News Announcements
- Ron Fritz, The Tax Department Is Well Positioned to Perform Independent Periodic Validation Checks
- Roger Debreceny (Nanyang Technological University) and Glen Grey, Embedded Audit Modules
Lunch in the Dean's Lounge located in Ackerson Hall: 12:15-13:15
CORPORATE EXPERIENCE IN CONTINUOUS AUDITING: 13:15-14:15
- HCA Healthcare, Chase Whitaker
- KOLA: KPMG On-Line Audit: Practical Experiences From Piloting On-Line Continuous Audit Tools, Kevin Handscombe, KPMG Assurance Innovation Centre, UK
RESEARCH PLANNING WORKSHOP: 14:15-15:15
- Mary Curtis (University of North Texas), An Innovation Characteristics Approach to the Study of the Adoption of Continuous Auditing
- Michael Fancher, National Consortium of Manufacturing Services, Research Opportunities in Continuous Auditing in the Manufacturing Area
Break: 15:15-15:30
SOFTWARE FOR CONTINUOUS AUDITING & CLIENT APPLICATION: 15:30-18:00
- ACL, John Verver
- AuditMaster, Ed Kress
- Approva, Larry Roshfeld
- Caseware, Alain Soubliere
- Applimation and Ernst & Young, Rajesh Parthasarathy, Value Added Auditing of Oracle Applications: How Ernst & Young Used Assessor to Take Audits to the Next Level. A Case Study.
Dinner at Mediterranean Manor (rodizio and others), 6:30
Located at 255-269 Jefferson Street, Newark, NJ 07105 – Telephone # 973-465-1966 or 1967

Saturday Nov 23, 8 AM-1PM
RESEARCH PAPERS II: 8:00-9:00
- Richard Dull (Clemson) and David Tegarden (Virginia Tech), The Proposal of a Visual Approach to Implement Continuous Auditing
- Rob Nehmer (Berry College), Continuous Auditing Implications: Rethinking the Roles of Systems of Internal Controls
RESEARCH PAPERS III: 9:00-10:30
- Jim Hunton (Bentley College), Arnold Wright (Boston College) & Sally Wright (Univ. of MA), Assessing The Impact of More Frequent External Financial Statement Reporting and Independent Auditor Assurance on Quality of Earnings and Stock Market Effects
- Michael Alles (Rutgers Business School), The Black Box Log Proposal
- Bonnie Morris (West Virginia University), The Use of Legal Ontologies to Model Privacy Policies
Break: 10:30-10:45
RESEARCH PAPERS III: 10:45-11:45
- Vicky Arnold (University of Connecticut), Clark Hampton (UConn), Deepak Khazanchi (University of Connecticut) and Steve Sutton (UConn), Risk Analysis in B2B E-Business Relationships: A Model for Continuous Monitoring and Assurance in Partnering Relationships
- Don Warren (Texas A & M University), Data Mining As a Continuous Auditing Tool For Soft Information: A Research Question
CONCLUSION: THE ROLE OF XML – XBRL/GL IN CONTINUOUS AUDIT: 11:45-13:00
- Eric Cohen, PWC, Data Level Assurance: Bringing Data into Continuous Audit Using XML Derivatives
- Michael Groomer (U of Indiana) and Uday Murthy (Texas A&M University), Enhancing an XML Schema for Accounting Systems to Facilitate Continuous Auditing
Discussants
- Jim Peters (University of Maryland)
- Charlie LeGrand, IIA
Financial Statement Assurance in an E-Business Environment
Risks uniquely present in an e-business environment:
- Networked transactions
- Changing technologies that can tank a business overnight
- Soft assets dominate hard assets
- Ever-evolving series of mergers and acquisitions
- Short and high-risk product life cycles
- Young and inexperienced labor force
- Success or failure may ride on one person or a few key people
- Lack of management focus on cost control
- Successions of losses do not necessarily impair a going concern (provided investors are willing to keep infusing the business with cash)
- Substantive testing in audits may not be practical or feasible (see Statement on Auditing Standards [SAS] 80, Amendment to SAS 31, Evidential Matter)
New Forms of Assurance to Facilitate E-Business
AICPA formed the Special Committee on Assurance Services (SCAS) in 1994. After a careful analysis of demographic and other trends, this committee concluded the following:
Your marketplace is changing. Multibillion-dollar markets for new CPA services are being created. Investors, creditors, and business managers are swamped with information, yet frustrated about not having the information they need and uncertain about the relevance and reliability of what they use. CPA firms of all sizes--from small practitioners to very large firms--can help these decision makers by delivering new assurance services. (AICPA Web site, "Assurance Services," www.aicpa.org).
The Elliott Committee (named after its chair, Robert K. Elliott) identified six new service areas considered to have high potential for revenue growth for assurance providers:
- Risk Assessment
- Business Performance Measurement
- Information Systems Reliability
- Electronic Commerce
- Health Care Performance Measurement
- ElderCare
The work of the Elliott Committee was followed by the appointment of the ongoing Assurance Services Executive Committee, chaired by Ronald Cohen. This committee is charged with the ongoing development of new assurance services and the provision of guidance to practicing CPAs on implementing the services developed.
- Information Systems Reliability Assurance
- Electronic Commerce Assurance
Business-To-Consumer Assurance
- CPA/CA WebTrust (Joint Venture of AICPA and CICA)
  - Business Practices and Disclosure--The entity discloses its business and information privacy practices for e-business transactions and executes transactions in accordance with its disclosed practices.
  - Transaction Integrity--The entity maintains effective controls to provide reasonable assurance that customers' transactions using e-business are completed and billed as agreed.
  - Information Protection and Privacy--The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-business is protected from uses not related to the entity's business.
- Proprietary E-Business Audits
- Privacy Audits
Business-to-Business Assurance
- Assurances against service disruptions and product shipments
- CPA/CA SysTrust (Joint Venture of AICPA and CICA)
  - Availability--The system is available during times specified by the entity.
  - Security--Adequate protection is provided against unwanted logical or physical entrance into the system.
  - Integrity--Processes within the system are executed in a complete, accurate, timely and authorized manner.
  - Maintainability--Updates (upgrades) to the system can be performed when needed without disabling the other three principles.
- SAS 70 Reviews of Service Organizations (extended to B2B Risks)
SAS 70, Reports on the Processing of Transactions by Service Organizations, was issued to provide assistance in the auditing of entities that obtain either or both of the following services from an external third party entity.
- Internal Controls Risk
  - The financial statement assertions that are either directly or indirectly affected by the service organization's internal control policies and procedures.
  - The extent to which the service organization's policies and procedures interact with the user organization's internal control structure.
  - The degree of standardization of the services provided by the third party to individual clients. In the case of highly standardized services, the service auditor may be best suited to provide assurance; however, when the third party offers many customized services, the third-party auditor may be unable to provide sufficient assurance regarding a specific client.
SAS 70 provides for two reports the service auditor can provide to the user auditor concerning the policies and procedures of the service organization:
Other Potential New Services to Facilitate E-Business
- Value-Added Network (VAN) Service Provider Assurance
- Evaluation of Electronic Commerce Software Packages
- Trusted Key and Signature Provider Assurance
- Criteria Establishment
- Counseling Services
The AICPA's Assurance Services Website is at http://www.aicpa.org/assurance/index.htm
Major Constraints and Considerations
- Competencies Required
- Competition
- Jeopardy to Public Accountancy's Image of Independence and Professionalism
- Legal Risks
One of the most significant and controversial professional practice areas
into which Bob Elliott led the accounting profession is its new Song of SysTrust. I don't know if all
accountants have noticed the monumental and highly controversial change in
attestation services being proposed by the AICPA and the CICA for the public
accounting profession. Most certainly the lyrics are not familiar to
non-accountants other than attorneys who, while dancing in their briefs, have
difficulty containing their enthusiasm for this new Anthem of the Auditors.
This is the first major shift of the accounting profession into the
attestation of entire information systems rather than financial statements alone. Financial audits may
eventually be but a small part of the total attestation and assurance
symphony of services. The proposed new "accounting"-firm service
is called SysTrust at http://www.aicpa.org/assurance/systrust/index.htm
.
Probably the best summary of SysTrust to date
is "Reporting on Systems Reliability,"
by Efrim Boritz, Erin Mackler, and Doug McPhie in the Journal of Accountancy,
November 1999, pp. 75-87. The online version is at http://www.aicpa.org/pubs/jofa/nov1999/boritz.html.
(It might be noted that both Boritz and McPhie are from Canada --- SysTrust is a
joint venture with the Canadian Institute of Chartered Accountants and the AICPA
in the U.S.)
How can you protect confidential documents at
your Website?
Answer: See http://www.w3.org/Security/Faq/wwwsf5.html#Q14
Privacy in eCommerce
"Playboy says hacker stole customer info," by Greg Sandoval and Robert Lemos, C|Net News.com, November 20, 2001 --- http://news.cnet.com/news/0-1007-200-7932825.html?tag=mn_hd
Playboy.com has
alerted customers that an intruder broke into its Web site and obtained some
customer information, including credit card numbers.
The online unit of
the nearly 50-year-old men's magazine said in an e-mail to customers that it
believed a hacker accessed "a portion" of Playboy.com's computer
systems. In the e-mail, a copy of which was reviewed by CNET News.com,
Playboy.com President Larry Lux did not disclose how many customers might have
been affected.
Playboy.com
encouraged customers to contact their credit card companies to check for
unauthorized charges. New York-based Playboy.com also said it reported the
incident to law enforcement officials and hired a security expert to audit its
computer systems and analyze the incident.
Continued at http://news.cnet.com/news/0-1007-200-7932825.html?tag=mn_hd
"A Tell-All ZD Would Rather Ignore," by Declan McCullagh, Wired News, November 20, 2001 --- http://www.wired.com/news/ebiz/0,1272,48525,1162b6a.html
For a brief period, Ziff Davis published the personal information -- including credit card numbers -- of thousands of its subscribers on the Web.
Because Ziff Davis' 1.3-MB text file included names,
mailing addresses, e-mail addresses and in some cases credit card numbers, a
thief who downloaded it would have enough information to make fraudulent
mail-order purchases. An executive at one New York magazine firm called the
error "a bush-league mistake for a major online publisher."
Zane said Ziff Davis relies on EDS
and Omeda database technology to protect
subscriber information. He refused to provide details, except to say that
"we were doing a promotion not using the EDS and Omeda products."
In interviews, two people who appeared on the Ziff
Davis list said they had typed in their information when responding to a
promotion for Electronic Gaming Monthly.
"I went to the site and signed up for the free
year, but did not sign up for the second year, which was not free," said
Jerry Leon of Spokane, Washington, whose Visa number and expiration date
appeared in the file. "I get the feeling that this was one huge scam, but
that card is now dead, and any charges made on it will be refused."
"If it was just a stupid accident, they are
going to regret failing a community that worries about this stuff ever
happening, but if something less innocent has occurred, they may as well fold
the tents," said Leon, who signed up through AnandTech's hot
deals forum.
Rob Robinson, whose address information -- but not
credit card number -- was on display, says he subscribed to Electronic
Gaming Monthly through a promotion on ebgames.com.
"I'm annoyed that my home info as well as a
valid e-mail is available to anyone. That's quite a valuable list of gamers'
personal data up for grabs. I feel really bad for the poor folks who are going
to have to cancel their credit cards," Robinson said.
It's not clear whether Electronic Gaming
Monthly subscribers were the only ones affected by the security snafu,
and Ziff Davis refused to provide details. The file appeared at the address http://www.zdmcirc.com/formcollect/ebxbegamfile.dat
until around noon EST on Monday.
That address began circulating around Home
Theater Forum discussion groups over the weekend, and Ziff Davis at first
erased the contents of the database at around 9 a.m. EST Monday. But its
system continued to add new subscribers to the public file until Ziff Davis
administrators blocked access to that address around midday Monday.
"Every week we learn of new cases where
companies used insecure technology or unsecure servers to handle business that
utilizes financial information or customer information," says Jericho,
who edits the security news site attrition.org.
"In the rush to be e-appealing for e-business they e-screw up time and
time again."
Jericho has compiled
a list of miscreant firms whose shoddy security practices have exposed
customer information. The hall of shame includes notables such as Amazon,
Gateway, Hotmail and Verizon.
Ziff Davis Media publishes 11 print magazines. It is
a separate company from ZDNet, which is
owned by CNET Networks.
See also: "HQ for Exposed Credit Numbers," "Students Expose Bank ATM Hole," "E-Commerce Fears? Good Reasons"
Privacy in eCommerce: Personal
Certificates
For discussion of cookies and how to Surf the Web anonymously, see Cookies.
For a general discussion of personal certificates, see http://www.w3.org/Security/Faq/wwwsf5.html#CON-Q12
What is WebTrust? What are its major competitors?
Hint: See the following:
Question: What makes WebTrust more "trusted" vis-a-vis its competitors (aside from being offered by CPA or CICA firms)?
Answer: WebTrust is the only service that requires random site visits by independent CPA firms to spot check whether privacy policies are being adhered to by the WebTrust client.
Truste Network Authentication Security in Question
Even one of the originators of the Internet's wannabe consumer seal --
ubiquitous technologist Esther Dyson -- is disappointed in the way the service
has panned out.
"Just How Trusty Is Truste?," by Paul Boutin, Wired News, April 10,
2002 --- http://www.wired.com/news/exec/0,1370,51624,00.html
Enron had Arthur Andersen. Yahoo has Truste, the
nonprofit privacy organization whose seal of approval is designed to assuage
consumer fears about giving personal information to websites.
But Yahoo's recent announcement of sweeping changes
in the way it will use customer data collected under previous policies has
many calling Truste's seal as meaningless as an Andersen audit.
Even Esther Dyson, the high-profile technologist
who played a major role in Truste's launch five years ago, says she is
"disappointed in what ended up becoming of it."
By its own account, Truste was conceived at Dyson's
industry-leading PC Forum conference in 1996. Dyson credits others with the
concept, but she pushed both publicly and privately for the establishment of
the nonprofit company and adoption of its "trustmark," which
certifies that online companies comply with their own stated privacy
policies.
Truste makes no attempt to set privacy policies. It
merely ensures that companies clearly state their own rules for handling
customer data, and then adhere to them.
"We thought disclosure would be enough,"
Dyson said.
Web surfers, her reasoning went, would read the
various companies' policies themselves and make their own choices, letting
companies use privacy policies as a competitive differentiator. Truste's
seal would simply ensure that the policy was being followed, so that
"between two sites I've never heard of, I'd rather pick the one that
has the Truste logo," she explained.
But over the years, a series of Truste clients have
managed to violate the spirit, if not the letter, of their Truste-approved
policies.
Rather than revoking seals left and right, Truste
officials often seemed to be covering for their clients -– explaining, in
one case, that a Real Networks media player which reported users' video
selections back to Real headquarters in Seattle was "outside of the
scope of Truste's current privacy seal."
Their reasoning: The program uploaded data not to
Real's website, but to a nearby set of servers.
"That symbol is meaningless, because of the
number of institutions it has been associated with and the things they've
gotten away with," said Yahoo user Jenifer Jenkins, who claims she
stopped using Yahoo mail and other services last week after learning of the
company's policy changes. "If (Yahoo) wants to be the first place
people go on the Internet, they need to clean up their act."
Dyson agreed that, despite being co-founded by
outspoken privacy advocates the Electronic Frontier Foundation, Truste's
image has slipped from consumer advocate to corporate apologist. "The
board ended up being a little too corporate, and didn't have any moral
courage," she said.
"Clearly, if you're hostile all the time
you're not very effective. But you have to have the moral courage to say,
'This is wrong, even if it's not in our contract.'"
Truste executive director Fran Maier argued that in
Yahoo's case, critics don't recognize how much work her organization did to
keep the megaportal in line -- not only with its own policy, but with
generally acceptable behavior. "I can't tell you all the things they
wanted to do, but believe me, we were there," she said.
"We reviewed a number of proposed changes,
some of which were made, some weren't," she added. "It went
through the highest level of oversight at Truste. Before they can launch or
relaunch something with our seal on it, they have to deal with our
review."
Continued at http://www.wired.com/news/exec/0,1370,51624,00.html
You must be careful when viewing a corporate Website that you think is authentic but is a total fraud. One such site is http://www.dowethics.com/ which spoofs the genuine http://www.dow.com . The site at dowethics.com is a very clever spoof that mirrors the real corporate site but fills it with stories against the company. It is interesting because it appears very authentic and illustrates why companies really do need authentication seals such as the VeriSign seal, the Better Business Bureau BBB seal, or the WebTrust Seal --- http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialProblems
Keep in mind that a seal graphic can be copied onto a spoof site as easily as the rest of the pages; the seal only means something if you click it and confirm that it resolves to the seal issuer's own verification page for that domain.
Question: What is the most popular and least costly privacy seal alternative to WebTrust?
Answer: The Better Business Bureau --- http://www.bbbonline.org/privacy/index.asp
Of the many challenges facing the Internet,
privacy has risen above them all as the number one concern (and barrier)
voiced by web users when going online. Participants in the BBBOnLine Privacy
Program are addressing this concern head-on with responsive and effective
self-regulation. By subscribing to responsible information practices,
BBBOnLine Privacy participants are promoting the vital trust and confidence
necessary for their own and future success of the Internet.
Taking advantage of the significant expertise the
Council of Better Business Bureaus wields in self-regulation and dispute
resolution, the BBBOnLine Privacy Program features verification, monitoring
and review, consumer dispute resolution, a compliance seal, enforcement
mechanisms and an educational component. The BBBOnLine Privacy Program
offers consumers a user-friendly tool that helps increase their comfort
while on the Internet and is a reasonably priced and a simple, one-stop,
non-intrusive way for business to demonstrate compliance with credible
online privacy
Question on Website (Provider)
Authentication
How can you find out that you are not at a phony site that pretends to be
legitimate?
Answer:
Look for a logo verification seal at the site. Although the AICPA's WebTrust seal is primarily a Web privacy seal (credit card information, medical information, etc.), the WebTrust seal is also a seal that assures users that the site is not a phony imitation of a real site --- http://www.aicpa.org/assurance/webtrust/princip.htm
The WebTrust privacy and logo verification seal contains the following image on
a document (the image below is for illustration only and is not valid on Bob
Jensen's Web documents).
A less costly logo verification seal is the VeriSign seal if it appears
on a document (the image below is for illustration only and is not valid on Bob
Jensen's Web documents).
"VeriSign Delivers Protections for Digital CPA Documents," by Wayne
Harding, Journal of Accountancy, May 2002 --- http://www.aicpa.org/pubs/jofa/may2002/cpa2biz.htm
CPA2Biz, the AICPA, and VeriSign are now offering
Authentic Document Service to CPAs. Through the use of Authentic Document IDs
CPAs can notarize electronic documents. This notarization prevents any changes—
a paragraph being deleted, a sentence added, even a space changed.
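The tamper-evidence property described above, as an added illustration that is not code from VeriSign, CPA2Biz or the article: the notary keeps a secret key and issues a seal over the exact bytes of the document, and any later change, down to a single space, produces a different seal. The real Authentic Document Service uses VeriSign public-key signatures; this example substitutes an HMAC (a keyed hash from Python's standard library) because the standard library has no signature primitive. The notary key, the sample document and the record layout are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Assumption for this example: the notary's secret key. A real service would
# hold a private signing key and publish the matching public key instead.
NOTARY_KEY = b"constructed-notary-key-for-illustration"


def notarize(document: bytes, key: bytes = NOTARY_KEY) -> dict:
    """Issue a seal record for the exact bytes of `document`.

    The record carries a plain SHA-256 fingerprint (anyone can recompute it,
    so it proves nothing about *who* sealed the file) and an HMAC seal that
    only the holder of `key` can produce.
    """
    return {
        "length": len(document),
        "sha256": hashlib.sha256(document).hexdigest(),
        "seal": hmac.new(key, document, hashlib.sha256).hexdigest(),
    }


def check(document: bytes, record: dict, key: bytes = NOTARY_KEY) -> str:
    """Classify `document` against a seal record.

    Returns "intact", "modified" (the bytes differ from what was sealed) or
    "forged" (the bytes match the fingerprint but the seal was not made with
    `key`, i.e. someone re-issued a record without the notary's key).
    """
    expected_seal = hmac.new(key, document, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so an attacker cannot learn the
    # seal byte by byte from timing differences.
    if hmac.compare_digest(expected_seal, record["seal"]):
        return "intact"
    if hashlib.sha256(document).hexdigest() == record["sha256"]:
        return "forged"
    return "modified"


if __name__ == "__main__":
    # Constructed sample document.
    original = b"Balance sheet as of 31 December.\n\nTotal assets: 1,000,000.\n"
    record = notarize(original)
    print(json.dumps(record, indent=2))

    variants = {
        "unchanged": original,
        "one space added": original.replace(b"assets:", b"assets: "),
        "sentence added": original + b"Audited without exception.\n",
        "paragraph deleted": b"Balance sheet as of 31 December.\n",
    }
    for label, doc in variants.items():
        print(f"{label:18s} -> {check(doc, record)}")

    # A record issued with a different key over the same bytes: the
    # fingerprint matches but the seal does not.
    fake = notarize(original, key=b"attacker-key")
    print(f"{'forged record':18s} -> {check(original, fake)}")
```

The point of the two fields in the record is the distinction the article glosses over: a bare hash only tells you whether the bytes changed, while the keyed seal also tells you whether the notary was the one who vouched for them.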
VeriSign --- http://www.verisign.com/
Get VeriSign's free white paper at https://www.verisign.com/cgi-bin/clearsales_cgi/leadgen.htm?form_id=0714&toc=w093325300714000&email=
.
Learn From the Experts VeriSign's Training Courses
cover all areas of enterprise security including Firewalls, PKI, VPNs, Applied
Hacking, and Web Security. Our small classes, hands-on labs, and world-class
instructors ensure the highest level of security for your networks. Download
our FREE White Paper, "VeriSign Internet Security Education: E-Commerce
Survival Training" outlining the benefits of security education.
The Better Business Bureau (BBB): Another Source of Website (Provider)
Authentication --- http://www.bbb.org/
Although the BBB is best known as a place where consumers and businesses can
file complaints about unethical, deceptive, and illegal commerce and charitable
practices, the BBB also provides an Internet seal of Website (Provider)
Authentication.
Reliability
Seal Program --- http://www.bbbonline.org/reliability/index.asp
Helping Web users find reliable, trustworthy businesses online, and helping
reliable businesses identify themselves as such, through a voluntary
self-regulatory program that promotes consumer trust and confidence on the
Internet.
Privacy Seal Program
--- http://www.bbbonline.org/privacy/index.asp
Helping Web users identify companies that stand behind their privacy policies
and have met the program requirements of notice, choice, access and security in
the use of personally identifiable information.
For a general discussion of personal certificates, see http://www.w3.org/Security/Faq/wwwsf5.html#CON-Q12
Advantages of and risks of cookies ---
see Cookies.
What is user authentication?
Answer: See Question 4 at http://www.w3.org/Security/Faq/wwwsf5.html#Q14
User authentication is any system for determining, and verifying, the identity of a remote user. User name and password is a simple form of user authentication. Public key cryptographic systems, described below, provide a more sophisticated form of authentication that uses an unforgeable electronic signature.
Continued at http://www.w3.org/Security/Faq/wwwsf5.html#Q14
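The "user name and password" form of authentication, as an added example that is not from the W3C FAQ: the server never stores the password itself, only a salted, deliberately slow hash of it, and compares the hash of a login attempt in constant time. The record layout, the iteration count and the sample credentials are assumptions for the example; the public-key signature form the FAQ mentions needs a signature library outside Python's standard library and is not shown here.

```python
import base64
import hashlib
import hmac
import os

# Assumption: iteration count for PBKDF2-HMAC-SHA256. Higher is slower for
# both the legitimate server and an attacker guessing offline; tune it to
# your hardware rather than copying this constant.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a storable credential record from a password.

    Layout (an assumption for this example): algorithm$iterations$salt$key,
    salt and key base64-encoded. A fresh random salt means two users with
    the same password get different records, and a leaked record cannot be
    attacked with a precomputed table.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record.

    Returns False for a malformed or unknown-algorithm record rather than
    raising, so a corrupt row in the user table fails closed.
    """
    try:
        algorithm, iterations, salt_b64, key_b64 = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: a plain == would leak, through timing, how
    # many leading bytes of the attacker's guess were right.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample user table: user name -> stored record.
    users = {
        "alice": make_record("correct horse battery staple"),
        "bob": make_record("correct horse battery staple"),
    }
    for name, record in users.items():
        print(name, "->", record)  # the two records differ despite equal passwords

    attempts = [
        ("alice", "correct horse battery staple", True),
        ("alice", "Correct horse battery staple", False),
        ("bob", "", False),
        ("mallory", "anything", False),
    ]
    for name, password, expected in attempts:
        ok = verify_password(password, users.get(name, ""))
        print(f"{name:8s} {'accepted' if ok else 'rejected'}  (expected {expected})")
```

Looking up an unknown user yields an empty record, which fails the same way a wrong password does; that keeps the server from telling an attacker which user names exist.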
What Dollar Rental Car Company now
requires from persons who rent cars might be extended to people who conduct
transactions on Websites. Dollar Rent A Car is currently making customers
give a thumbprint before they give them the keys, another example of biometrics
being used for ID purposes.
"No Thumbprint, No Rental
Car," by Julia Scheeres, Wired News, November 21, 2001 --- http://www.wired.com/news/privacy/0,1848,48552,00.html
For more discussion of the
above issues, go to the document entitled "Opportunities of
E-Business Assurance: Risks in Assuring Risk" at http://www.trinity.edu/rjensen/ecommerce/assurance.htm
My other electronic
Business links are at http://www.trinity.edu/rjensen/ecommerce.htm
Crime and Justice Data Online --- BJS http://149.101.22.40/dataonline/
"Ten Ways to Reduce Chargebacks and Fraud" --- http://www.newmedia.com/default.asp?articleID=3443
Merchants' concern about online credit card fraud and chargebacks is rising at a significant rate. According to the 2001 Online Fraud Report conducted by Mindwave Research, 41 percent of merchants say the issue of online credit card fraud is "very serious" to their business.
Bob Jensen's threads on fraud are at
http://www.trinity.edu/rjensen/fraud.htm
Bob Jensen's e-Commerce threads are
at http://www.trinity.edu/rjensen/ecommerce.htm
A Special
Section on Computer and Networking Security
Stay Safe Online ---
http://www.staysafeonline.info/
Also see
http://www.google.com/search?hl=en&lr=&q=parental+control+software
"Keeping Kids Safe Online," by Johanna Ambrosio, InformationWeek
Newsletter, March 15, 2006
I'm no expert, but I am a parent of three teenagers who, thankfully, have
been safe so far. My reaction to the news about Microsoft jumping into the
monitoring space
with a free tool to
be available this summer is that it sounds great, but I hope parents realize
that the use of any monitoring software isn't by itself enough to guarantee
kids' safety.
I think anyone in the computer industry already knows this and certainly
understands the dangers that lurk. But I worry there may be some parents who
too readily trust a tool to take the place of their (human) care and
concern. Parents must still be parents, and older teens especially must be
made aware of their responsibility in this, too. With great freedom comes
great personal responsibility, both online and offline, and kids need the
adults in their lives to both explain and model this.
We've certainly been lucky, and we've done some things to help. (For the
fuller story, please check out my
blog entry.)
Computer-based fraudsters are finding new ways to trick people—not
technology—to get the information they seek
"Tech Special Report," Business Week, June 13, 2007 ---
Click Here
"The 25 Worst Web Sites," by Dan Tynan, PC World, September 21,
2006 ---
http://www.pcworld.com/article/id,127116/article.html
People say hindsight is 20/20. When it comes to the
Web, hindsight is more like X-ray vision: In retrospect, it's easy to see
what was wrong with dot coms that tried to make a business out of giving
stuff away for free (but making it up later in volume), or to make fun of
venture capitalists who handed millions to budding Web titans who had never
run a lemonade stand before, let alone an enterprise.
It's so easy, in fact, we can't help doing it ourselves. So as venture capitalists scramble to throw money at anything labeled Ajax or Web 2.0, and Web publishing becomes so simple that anyone with a working mouse hand can put up a site, we offer our list of the 25 worst Web sites of all time.
Many of our bottom 25 date from the dot-com boom,
when no bad idea went unfunded. Some sites were outright scams--at least two
of our featured Net entrepreneurs spent some time in the pokey. Others are
just examples of bad design, or sites that got a little too careless with
users' information, or tried to demand far too much personal data for too
little benefit.
And to prove we're not afraid to pick on somebody
much bigger than us, our pick for the worst Web site may be the hottest
cyberspot on the planet right now.
Feel free to start at the bottom and work your way
up, or jump ahead and read about the worst of the worst.
Center for Systems Security and Information Assurance ---
http://www.cssia.org/
NetVeda Safety.Net 3.62
http://www.netveda.com/consumer/safetynet.htm
The idea behind the NetVeda Safety Net application
is a simple one: to allow users to control access to certain websites on
their computer and to maintain firewall protection in the process. Users of
the application can define user access based on the time of day and for
content, if they so desire. As might be expected, the application also
contains privacy controls that block the sending of personal information and
that can also generate activity reports. This version is compatible with all
computers running Windows 95 and newer.
"Laptop Security, Part 2: Tips on protecting your data, should
fate--or a criminal--separate you and your notebook," by James A. Martin, PC
World via The Washington Post, June 9, 2006 ---
Click Here
My guess is that your notebook is worth several
thousand dollars. I'd also guess that the data stored on it is worth much,
much more--and that you'd be entering a world of woe if your notebook were
stolen or lost.
Last week I offered tips on how to protect and
physically secure your notebook when you're out of the office. This week,
I've got tips on protecting your data, should fate--or a criminal--separate
you and your notebook.
Windows XP gives you the option of requiring a user
password to log on. Though certainly far from bulletproof, a relatively
complex password provides more protection than none at all.
A complex password includes upper- and lowercase
letters, numbers, and one or more special characters. For example, suppose
your name is Pat. You wouldn't use "Pat" as your password, would you? (You
would? My, aren't we feeling lucky?) A better password would be something
not easily identified with you.
The more complex your password, the more difficult
it is to crack--and, potentially, for you to remember. Don't make your
password so complex you can't remember it. Or, if you must store your
passwords, keep them somewhere safe. Some software programs for PCs and PDAs
give you the ability to manage and secure passwords. One example: DataViz's
Passwords Plus ($30), which lets you manage and
secure passwords on your notebook as well as your Palm OS PDA.
To create a password for your account in Windows
XP, go into Control Panel, then open User Accounts. Select the account you
want to protect with a password and click the "Create a password" button.
For more about passwords, read Scott Dunn's June "Windows Tips."
Some laptops now come equipped with biometric
fingerprint scanners, as an alternative or enhancement to Windows
password-protection. For more on this, see number 3, below.
Another option is to encrypt any files on your
notebook that contain sensitive data, such as customer Social Security
numbers. (Of course, as I said last week, it's best not to place any
sensitive data on a mobile system.)
In essence, encryption scrambles data into code
that only an authorized user can access. However, encrypting files, or your
entire drive, can be time-consuming, slow system performance, and increase
the likelihood you'll lose access to the data.
Windows XP Professional (but not XP Home) includes
an option that lets you encrypt files on an NTFS-formatted hard drive. After
encrypting a file, you can open it just as you would any file or folder.
However, someone who gains unauthorized access to your computer cannot open
any encrypted files or folders.
To encrypt a folder in Windows XP Professional,
right-click it in Windows Explorer, choose Properties, click Advanced,
select the "Encrypt contents to secure data" check box, and click OK twice.
In the Confirm Attribute Changes dialog box, do one of the following: To
encrypt only the folder, click "Apply changes to this folder only," and
click OK; to encrypt the folder contents as well as the folder, click "Apply
changes to this folder, subfolders, and files," and click OK.
Continued in article
"First-Ever Virus Hits Mac OS X: There are many signs that Apple
computers are finally becoming vulnerable to Internet-based viruses and other
attacks," MIT's Technology Review, May 2, 2006 ---
http://www.technologyreview.com/read_article.aspx?id=16758
Benjamin Daines was browsing the Web when he
clicked on a series of links that promised pictures of an unreleased update
to his computer's operating system.
Instead, a window opened on the screen and strange
commands ran as if the machine was under the control of someone else. Daines
was the victim of a computer virus.
Such headaches are hardly unusual on PCs running
Microsoft Corp.'s Windows operating system. Daines, however, was using a Mac
-- an Apple Computer Inc. machine often touted as being immune to such
risks.
He and at least one other person who clicked on the
links were infected by what security experts call the first-ever virus for
Mac OS X, the operating system that has shipped with every Mac sold since
2001 and has survived virtually unscathed from the onslaught of malware
unleashed on the Internet in recent years.
''It just shows people that no matter what kind of
computer you use you are still open to some level of attack,'' said Daines,
a 29-year-old British chemical engineer who once considered Macs
invulnerable to such attacks.
Apple's iconic status, growing market share and adoption of the same microprocessors used in machines running Windows are making Macs a bigger target, some experts warn.
Apple's most recent wake-up call came last week, as
a Southern California researcher reported seven new vulnerabilities. Tom
Ferris said malicious Web sites can exploit the holes without a user's
knowledge, potentially allowing a criminal to execute code remotely and gain
access to passwords and other sensitive information.
Ferris said he warned Apple of the vulnerabilities
in January and February and that the company has yet to patch the holes,
prompting him to compare the computer maker to Microsoft three years ago,
when the world's largest software company was criticized for being slow to
respond to weaknesses in its products.
''They didn't know how to deal with security, and I
think Apple is in the same situation now,'' said Ferris, himself a Mac user.
Apple officials point to the company's virtually
unvarnished security track record and disputed claims that Mac OS X is more
susceptible to attack now than in the past.
Apple plans to patch the holes reported by Ferris
in the next automatic update of Mac OS X, and there have been no reports of
them being exploited, spokeswoman Natalie Kerris said. She disagreed that
the vulnerabilities make it possible for a criminal to run code on a
targeted machine.
In Daines' infection, a bug in the virus' code
prevented it from doing much damage. Still, several of his operating system
files were deleted, several new files were created and several applications,
including a program for recording audio, were crippled.
Behind the scenes, the virus also managed to hijack
his instant messaging program so the rogue file was blasted to 10 people on
his buddy list.
''A lot of Mac users are in denial and have
blinders on that say, 'Nothing is ever going to get to us,''' said Neil
Fryer, a computer security consultant who works for an international
financial institution in Britain. ''I can't say I agree with them.''
Continued in article
Video Tutorials
Protecting Your PC
--- Digital Duo ---
http://www.pcworld.com/digitalduo/video/0,segid,35,00.asp
A ray of hope for the new Internet Explorer
Firefox may still be better at repelling spyware
"Internet Explorer 7.0 makes waves," PhysOrg, March 1, 2006 ---
http://www.physorg.com/news11306.html
After winning the browser wars and vanquishing
its chief competitor, Netscape, the folks at Microsoft decided it was
time to take a break from improving its industry standard browser.
Without competition the company felt that there was no need to release
any new updates. But an upstart open-source group funded in part by
Mozilla (the same folks who originally created Netscape) created a new
browser called "Firefox" that sparked the brand-new browser wars. While
the folks at MS won't admit that Firefox spurred them into action, it's
hard to deny that the new beta release of Internet Explorer 7.0 doesn't
have more than a passing resemblance to the Firefox browser.
"Microsoft welcomes competition because it
drives innovation which benefits customers. That's a good thing," said a
spokesperson for Microsoft. "Ultimately, customers will choose the
browser that best meets their needs, and we are confident that most will
continue to use Internet Explorer when they evaluate factors such as
end-user functionality, site and application compatibility, developer
extensibility, enterprise manageability, and security backed by the
processes and engineering discipline employed by Microsoft."
Maybe it's the new interface, or the fact that
it's been over three years since the last major release of I.E., but the
new version just "feels" different and fresh. It could be the idea that
MS has finally added tabbed browsing to Explorer -- one of the key
features that made me go with and stick with Firefox -- I always felt
Explorer was the better browser, but I became addicted to my precious
tabs. Another nice addition to I.E. 7.0 is it now handles bookmarks (or
as I.E. calls it "favorites") the same way as Firefox does. Instead of
exporting all of your bookmarks as individual folders, I.E. now places
everything into a single html index file. Which can be imported into
Firefox, and you can now import Firefox bookmarks into I.E., which makes
moving between both browsers painfully simple.
"I.E. 7.0 is the right product, though late in
the market. This demonstrates Microsoft's approach to the Internet
browser market as being more laid back and reactionary rather than
leading the development of new features," said Razvan Neagu, president
and chief executive officer of KOMOTION Inc., developer of Web Gallery
Wizard.
One of the major complaints about I.E. has been
its lack of compliance with Web standards, part of the problem is, as
stated before, it's been three or four years since there was a major
release of I.E. And in that time Web development standards have
progressed exponentially. While playing around with I.E., I noticed that
some Web sites didn't display properly in the new release, while they
displayed perfectly fine in the current version. I'm hoping against hope
that these are isolated incidents and not a sign of the future, and an
indication that 7.0 still has a way to go to be completely standards
based.
A spokesperson for Microsoft said "The IE7 beta
2 preview for Windows XP, which was released to Windows XP testers on
1/31, is considered feature complete. We do however expect to continue
development work based on tester feedback and expect to do additional
design work and enhancements to application compatibility and fit and
finish. At this point we are targeting to release the final product in
the second half of 2006."
Another main draw of the new version of I.E. is
all of the new built in security features, starting with its new anti "phishing"
filter. The new trend in e-mail spam is for scam artists to create fake
websites that resemble popular sites like eBay, PayPal, etc. in attempt
to get users to submit their personal account information. I.E. 7.0
anti-phishing filter successfully warned and blocked these sites from
showing up. While this is a fantastic new feature, it has a major
drawback, the validity of Web sites appears based on whether or not a
site has a valid SSL Certificate or not, and you would be surprised at
the number of websites that don't have these certifications. Eventually,
I had to deactivate the filter, although you can change the settings in
the tools menu.
"IE's top priority is security. While we made
great progress with support for CSS 2.0, we knew that we would have to
trade off full compatibility with CSS 2.0 for additional work on
security," added the Microsoft spokesperson. "We will not pass CSS 2.0,
but certainly will evaluate doing that in the future."
Other new security features include ActiveX
Opt-In. This is a malware protection feature that disables nearly all
pre-installed ActiveX Controls, and helps prevent potentially vulnerable
controls from being exposed to attack. Users can easily enable or
disable ActiveX Controls as needed through the Information Bar and the
Add-on Manager. Cross-domain script barriers. This feature limits the
ability of Web page script to interact with content from other domains
or windows to help users keep their personal information out of
potentially malicious hands. This new safeguard further protects users
against malware by limiting the potential for malicious Web sites to
manipulate flaws in other Web sites, or cause users to download
undesired content or software onto their PCs.
International Domain Name Anti-Spoofing. In
addition to adding support for International Domain Names in URLs,
Internet Explorer 7.0 also notifies the user when similar characters in
the URL are not expressed in the same language -- even when the
characters look similar across several languages -- thus helping protect
the user against sites that would otherwise appear as a known
trustworthy site.
When a new version of I.E. is released everyone
has to take notice; its impact on Web development and business owners
can't be underestimated.
"Business strategy always needs to take into
account market forces and competitive threats; so, the direction that
Microsoft takes is very important," said Neagu. "Unless you're a
100-pound gorilla yourself, you don't want to compete directly with
Microsoft. So, there are really two strategies. You can either add value
to the marketplace by working with their products, or you must make sure
you're in a space that is either small enough or removed enough from
Microsoft's strategic interests so that you minimize the possibility of
conflict.
"With our product, Web Gallery Wizard, we
maximized both of these strategies. We took advantage of Microsoft's
solid .Net framework for rapid development, and we targeted digital
photo enthusiasts offering functionality which is underserved by the big
players in the market."
Continued in article
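As an added illustration of the International Domain Name anti-spoofing check described above (a label whose characters are not all from the same script gets flagged), here is a small Python detector. This is example code written for this page, not Internet Explorer's own logic; classifying a character's script by the first word of its Unicode name is an assumed heuristic, and the sample hostnames are constructed.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed sample hostnames (not from the original page). The second one
# replaces the Latin "a" in "paypal" with Cyrillic "а" (U+0430); the third is
# a label written entirely in Cyrillic.
SAMPLE_HOSTS = ["paypal.com", "p\u0430ypal.com", "\u043f\u043e\u0447\u0442\u0430.ru"]


def script_of(ch: str) -> str:
    """Classify a character by script using the first word of its Unicode name.

    Assumed heuristic: the real Unicode Script property is more precise, but
    the character name ("CYRILLIC SMALL LETTER A") is enough to separate the
    scripts that homograph lookalikes come from. ASCII digits, hyphens and
    dots are treated as script-neutral ("COMMON").
    """
    if ch.isascii() and (ch.isdigit() or ch in "-."):
        return "COMMON"
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split(" ")[0]  # e.g. "LATIN", "CYRILLIC", "GREEK"


def mixed_script_labels(hostname: str):
    """Return (label, scripts) for every DNS label that mixes more than one script.

    Mirrors the behaviour the article describes: a label is suspicious when
    its characters are not all expressed in the same script. Note the limit
    of this check: a label written entirely in one non-Latin script is not
    flagged, even if it looks like a Latin name.
    """
    findings = []
    for label in hostname.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append((label, scripts))
    return findings


def decode_idna_host(hostname: str) -> str:
    """Convert a Punycode ("xn--") hostname, as seen in logs or DNS, back to Unicode."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname  # already Unicode (or malformed): check it as-is


def flag_url(url: str) -> bool:
    """True when the URL's host contains a mixed-script label."""
    host = urlparse(url).hostname or ""
    return bool(mixed_script_labels(decode_idna_host(host)))


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host, "->", mixed_script_labels(host) or "no mixed-script labels")
```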
Video Guide To Securing Your Computer
I wanted to call attention to a new resource on washingtonpost.com for
people who need a little help getting started in securing their
computers. We produced a series of "screencasts" or video guides
demonstrating some of the basic steps users need to take to stay safe
online, including brief primers on choosing and using firewall and
anti-virus software, downloading and installing the latest Microsoft
Windows patches, and taking advantage of free anti-spyware tools.
These videos are by no means definitive guides, but I hope they will be
of some use to those who find themselves completely intimidated by
computer security.
Brian Krebs, "Video Guide To Securing Your Computer," The Washington Post ---
http://blogs.washingtonpost.com/securityfix/2005/05/video_guide_to_.html?referrer=email
Video Tips of the Week for Windows XP
Enabling the Internet Firewall ---
http://channels.lockergnome.com/windows/videotips/1/
Customizing the Window Taskbar ---
http://channels.lockergnome.com/windows/videotips/2/
Disabling Windows Messenger Service (to reduce spyware) ---
http://channels.lockergnome.com/windows/videotips/3/
Sending E-mail from a Different Address ---
http://channels.lockergnome.com/windows/videotips/4/
Managing Windows Updates ---
http://channels.lockergnome.com/windows/videotips/5/
Selecting a Different Image Viewer ---
http://channels.lockergnome.com/windows/videotips/6/
Logging Security Events ---
http://channels.lockergnome.com/windows/videotips/7/
Using Remote Desktop ---
http://channels.lockergnome.com/windows/videotips/8/
Exploring With Process Explorer ---
http://channels.lockergnome.com/windows/videotips/9/
Defragging With Task Scheduler ---
http://channels.lockergnome.com/windows/videotips/10/
Killing Spyware With Spybot ---
http://channels.lockergnome.com/windows/videotips/11/
Also see (you can change the video number at the end to go to
video1, video2, etc.)
http://www.homenetworkhelp.info/popup.php?popup=podcast-2005-06-11-spyware-video1
Managing .Net Passports With Windows XP ---
http://channels.lockergnome.com/windows/videotips/12/
Managing E-mail With Outlook Rules (guard against spam) ---
http://channels.lockergnome.com/windows/videotips/13/
Exploring Windows XP Security Center ---
http://channels.lockergnome.com/windows/videotips/14/
Windows XP Firewall Helper Video ---
http://channels.lockergnome.com/windows/videotips/15/
Internet Explorer's Add-On Manager ---
http://channels.lockergnome.com/windows/videotips/16/
Internet Explorer's Popup Blocker ---
http://channels.lockergnome.com/windows/videotips/17/
The FBI's
Internet Fraud and Complaint Center (IFCC FBI) --- Report Internet frauds and
crimes here.
To thwart fraud on the Internet and terror in general, check in and/or report to
http://www1.ifccfbi.gov/index.asp
National
Infrastructure Protection Center (NIPC) --- Report infrastructure security
incidents here.
Located in the FBI's headquarters building in Washington, D.C., the NIPC brings
together representatives from U.S. government agencies, state and local
governments, and the private sector in a partnership to protect our nation's
critical infrastructures.
http://www.nipc.gov/
Computer
Emergency Response Team (CERT) --- Report computer invasions and viruses here.
The CERT® Coordination Center (CERT/CC) is a center of Internet security
expertise, at the Software Engineering Institute, a federally funded research
and development center operated by Carnegie Mellon University. We study Internet
security vulnerabilities, handle computer security incidents, publish security
alerts, research long-term changes in networked systems, and develop information
and training to help you improve security at your site. http://www.cert.org/
Center for Systems Security and Information Assurance ---
http://www.cssia.org/
Stay Safe Online --- http://www.staysafeonline.info/
Bob Jensen's threads on Identity
Theft ---
http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft
Pop Up Blocker ---
http://www.synergeticsoft.com/
Recommended Reading: Getting Smart About Information
Security
Bruce Schneier, founder and chief technical officer of
Counterpane Internet Security Inc., has spent much of his career educating
people about digital security. His book, Secrets and Lies: Digital Security
in a Networked World, serves as a non-technical introduction to the full,
messy complexity of digital security.
"Recommended Reading: Getting Smart About Information Security," The
Wall Street Journal, July 18, 2005; Page R2 ---
http://online.wsj.com/article/0,,SB112060620712177906,00.html?mod=todays_us_the_journal_report
Information Warfare Weapons ---
http://www.trinity.edu/rjensen/acct5342/infowar.pdf
The World Wide Web Security FAQ ---
http://www.w3.org/Security/Faq/www-security-faq.html
Trinity students may access this at
J:\courses\ACCT5342\readings\WWWsecurity\The WWW Security FAQ.htm
CIAC Notes
http://www.alw.nih.gov/Security/CIAC-Notes/CIAC-Notes-01.html
http://www.alw.nih.gov/Security/CIAC-Notes/CIAC-Notes-02.html
2005 Anti-Virus product comparison guide ---
http://www.tips-it.com/product.php?x_user_number=305788&pid=13&smb=1&emailid=WNN081605
All you have to do is open
the message, nothing else
Microsoft's Newest Bug Could Be Awful, Researcher Says
Forget the WMF problems; the really big issue could be
with the flaw in Outlook and Exchange that Microsoft disclosed on Tuesday. All
that's required to exploit this is an e-mail message.
Gregg Keizer, "Microsoft's Newest Bug Could Be Awful, Researcher Says,"
InformationWeek, January 11, 2006 ---
http://www.informationweek.com/story/showArticle.jhtml?sssdmh=dm4.163111&articleID=175803695
"What I
find bizarre is that there's still all this focus on the WMF
[Windows Metafile] bug," said Mark Litchfield, the director of
NGS Software, a U.K.-based security company, and one of the two
researchers credited by Microsoft with the discovery of the TNEF
(Transport Neutral Encapsulation Format) vulnerability.
"This
one has massive financial implications if someone exploits it,"
Litchfield said.
The TNEF vulnerability, which Microsoft spelled out in the
MS06-003 security bulletin, is a flaw
in how Microsoft's Outlook client and older versions of its
Exchange server software decode the
TNEF
MIME attachment. TNEF is used by
Exchange and Outlook when sending and processing messages
formatted as Rich Text Format (RTF), one of the formatting
choices available to Outlook users.
"All
that's required to exploit this is an e-mail message," said
Litchfield. No user interaction is needed to compromise an
Exchange 5.0, 5.5, or 2000 server; all that's necessary is to
deliver a maliciously-crafted e-mail to the server.
It's
that characteristic, as well as the ease with which an attack
could spread, that has Litchfield so worried.
"You
could take over an Exchange server with a single, simple
e-mail," he said. "From there you could target all the clients
accessing that server. You would 'own' any Outlook client that
connects to that server. Then an attacker could grab the Outlook
users' address books.
Continued in article
"Unknown Attacks: A Clear and Growing Danger," by Secure Computing,
InformationWeek, January 2006 ---
http://snipurl.com/UnknownAttacks
More on security threats and hoaxes ---
http://www.trinity.edu/its/virus/
"Everyone Wants to 'Own' Your PC," by Bruce Schneier, Wired
News, May 4, 2006 ---
http://www.wired.com/news/columns/0,70802-0.html?tw=wn_index_4
You own your computer, of
course. You bought it. You paid for it. But how much
control do you really have over what happens on your
machine? Technically you might have bought the
hardware and software, but you have less control
over what it's doing behind the scenes.
Using the hacker sense of
the term, your computer is "owned" by other people.
It used to be that only
malicious hackers were trying to own your computers.
Whether through worms, viruses, Trojans or other
means, they would try to install some kind of
remote-control program onto your system. Then they'd
use your computers to sniff passwords, make
fraudulent bank transactions, send spam, initiate
phishing attacks and so on. Estimates are that
somewhere between hundreds of thousands and millions
of computers are members of remotely controlled "bot"
networks. Owned.
Now, things are not so
simple. There are all sorts of interests vying for
control of your computer. There are media companies
that want to control what you can do with the music
and videos they sell you. There are companies that
use software as a conduit to collect marketing
information, deliver advertising or do whatever it
is their real owners require. And there are software
companies that are trying to make money by pleasing
not only their customers, but other companies they
ally themselves with. All these companies want to
own your computer.
Some examples:
- Entertainment software: In October 2005, it emerged that Sony had
distributed a rootkit with several music CDs -- the same kind of software
that crackers use to own people's computers. This rootkit secretly
installed itself when the music CD was played on a computer. Its purpose
was to prevent people from doing things with the music that Sony didn't
approve of: It was a DRM system. If the exact same piece of software had
been installed secretly by a hacker, this would have been an illegal act.
But Sony believed that it had legitimate reasons for wanting to own its
customers' machines.
- Antivirus: You might have expected your antivirus software to detect
Sony's rootkit. After all, that's why you bought it. But initially, the
security programs sold by Symantec and others did not detect it, because
Sony had asked them not to. You might have thought that the software you
bought was working for you, but you would have been wrong.
- Internet services: Hotmail allows you to blacklist certain e-mail
addresses, so that mail from them automatically goes into your spam trap.
Have you ever tried blocking all that incessant marketing e-mail from
Microsoft? You can't.
- Application software: Internet Explorer users might have expected the
program to incorporate easy-to-use cookie handling and pop-up blockers.
After all, other browsers do, and users have found them useful in
defending against internet annoyances. But Microsoft isn't just selling
software to you; it sells internet advertising as well. It isn't in the
company's best interest to offer users features that would adversely
affect its business partners.
Business-Technology: Security Threats Galore, But No Worries
Here
Taken together, you begin to get the full, unsettling
picture of information security today. Automated bot attacks, Windows bulletins
by the dozen, a new breed of business worms, risk of heap overflow in Cisco's
IOS, the underground's new fascination with unpatched holes in 20 types of
applications and devices. And that doesn't even include problems caused by
spyware or phishing, or customer-data breaches, or the complications of wireless
networks and devices, or CDs with hidden rootkits, or the Sober worm variants
spreading again. With all of this going on, how do you explain the fact that so
few security and IT professionals feel things have gotten worse? It's possible
they have systems in place to ward off ill-intended probes, keep software
patched, and protect customer records. Maybe the bullets are bouncing off.
That, or maybe security at their companies
isn't as good as it seems.
John Foley, "Business-Technology: Security Threats Galore, But No Worries Here,"
InformationWeek Newsletter, November 29, 2005
"Two More Ways to Fight Viruses, for Free," by Rob
Pegoraro, The Washington Post, November 28, 2005 ---
http://snipurl.com/PegoraroNov28
But you don't have to. For several
years, two Czech software developers have offered free versions of their
anti-virus programs to home users. These no-charge downloads don't offer
every feature provided by McAfee Inc. and Symantec Corp., the two security
developers whose programs come pre-installed on most Windows PCs. But when
put to the same tests as software from the Big Two, they did the job almost
as well and with less fuss.
Both of these freebies -- Avast 4
Home Edition, from Prague's Alwil Software, and AVG Free
Edition, from Brno-based Grisoft Inc. -- can be
installed only on home computers that aren't put to any
business or commercial use. (Income from sales to
businesses and organizations covers the cost of this
exercise in Internet charity.)
These two programs share a
few welcome traits. Both are relatively small downloads
-- almost 10 megabytes for Avast, just under 15 for AVG
-- that tout compatibility with systems as old as
Windows 95. And both automatically download updates
every day and allow quick manual updates.
With Avast (
http://www.avast.com/eng/free_virus_protectio.html ),
the major selling point is a greater sense of security.
After a refreshingly fast install, Avast automatically
scans your computer for trouble before allowing Windows
to boot up -- a helpful precaution if the computer may
already be infected.
Continued in article
Auntie Spam's Net Patrol ---
http://www.aunty-spam.com/deleting-email-leads-to-145billion-judgement-against-company/
Cagey Consumer ---
http://cc.edumacation.com
Latest security
threats and hoaxes ---
http://www.trinity.edu/its/virus/
25 Hottest Urban Legends
(hoaxes) ---
http://www.snopes.com/info/top25uls.as
JUNKBUSTERS Anti-Telemarketing Script
http://www.junkbusters.com/script.html
From the Scout Report on July 14, 2005
Powerful Cookies 1.0.7
http://www.freewebs.com/powerfulcookies/
For those people who are concerned about erasing evidence of their Internet
activity stored in their browser, Powerful Cookies 1.0.7 may be worth taking
a look at. Visitors can use this program to delete cookies, clean index.dat
files, clean the cache, remove temporary files, and erase typed URLs. This
application is compatible with Windows 95 or newer.
The Sorry State of ID Theft
One of the most
popular stories on our site over the last two weeks was
PIN Scandal 'Worst Hack Ever'; Citibank Only The Start,
followed closely by
International Citibank Customers Shaken By Data Breach.
Day after day, one or both made our list of the five most popular
headlines. I'm guessing another story, about two large botnets hacking
into users' online shopping carts to steal credit card numbers, bank
account details, and log-on passwords, will grab similar reader
interest. Little wonder. The banks involved in the first story were huge,
with huge IT budgets and even bigger data stores. We all bank and use
ATMs, and many use debit cards. And regards the second story, most of us
shop, to varying degrees, online. It just isn't hard to imagine yourself
as one of the current--or future--victims of these scams or dubious
security policies.
Patricia Keefe, "Securing A Solution To Data Theft," InformationWeek
Daily, March 21, 2006
The High Cost Of Data Loss
Sensitive personal data has been misplaced, lost,
printed on mailing labels, posted online, and just left around for anyone to
see. The situation has become untenable. Here's the ugly truth about how it
keeps happening, who's been affected, and what's being done about it.
Elena Malykhina et al., InformationWeek, March 20, 2006
How many ways are there to expose sensitive
personal data? One company misplaces a backup tape; another puts customers'
Social Security numbers onto mailing labels for anyone to see. Others lose
laptops, inadvertently post private information online, or leave documents
exposed to prying eyes. The possibilities are endless--as we're learning
with every new revelation of a data breach or hack or inexcusable lapse in
secure business practices. By one estimate, 53 million people--including
consumers, employees, students, and patients--have had data about themselves
exposed over the past 13 months.
This sorry state of affairs is taking its toll:
fines, lawsuits, firings, damaged reputations, spooked customers, credit
card fraud, a regulatory crackdown, and the expense of fixing what's broken.
The situation has become untenable. Here's the ugly truth about how it keeps
happening, who's been affected, and what's being done about
Continued in a long article
In parts to follow, I will define and elaborate on various
terminologies of computer and networking security. For help in preventing
and overcoming invasions, I especially recommend the links provided by Yahoo
below:
Microsoft to Bundle Anti-Spyware App With Windows
Microsoft said Friday that it plans to bundle its
"Windows Anti-Spyware" tool with Windows Vista, the chronically delayed next
version of the company's operating system. Microsoft also decided to rename the
program "Windows Defender," in part to give it "a more positive name." The
announcement, like others of late, was posted on one of the numerous blogs on
Microsoft's site that catalog the daily doings of the software giant's many
technical divisions. But this news -- for me, anyway -- was more than just a
press release issued via a breezy blog post. It offered a glimpse of something
Redmond hinted it was going to do years ago, but which has only recently become
more of a reality: ship antivirus and anti-spyware updates to hundreds of
millions of Windows computers every day through its Windows/Microsoft Update
feature.
Brian Krebs, "Microsoft to Bundle Anti-Spyware App With Windows," The
Washington Post, November 7, 2005 ---
http://blogs.washingtonpost.com/securityfix/2005/11/microsoft_to_bu.html?referrer=email
This module may seem a little off topic. But it fits nicely into past
AECM threads about Big Brotherism in the age of technology. David Fordham
expressed it well by stating that almost anything about a person is either
available for free or for sale. It is in the spirit of those threads that I
forward the following tidbit. Those of you with liberal arts backgrounds
may especially like this tidbit. My threads on this are at
http://www.trinity.edu/rjensen/ecommerce/000start.htm#Cellphones
Bob
"Making Ideas Beautiful: Do art and ideas mix? It depends on
who's stirring the pot," by Terry Teachout, The Wall Street Journal,
December 10, 2005; Page P15 ---
http://online.wsj.com/article/SB113416176976318692.html?mod=todays_us_pursuits
Sometimes a heartfelt compliment can blow up in the
recipient's face, as when T.S. Eliot said of Henry James that he had "a mind
so fine that no idea could violate it," thus making him sound like a
plot-spinning idiot savant. What Eliot really meant was that James
understood how an artist who dabbles in ideas can lose sight of the true
purpose of art, which is (as Renoir said) to "make everything more
beautiful." You can't paint a picture of E = mc2, or compose a symphony
about the law of supply and demand. Nevertheless, art is so effective at
swaying men's minds that there have always been cultural commissars prepared
to enlist it in the service of ideas by any means necessary -- including
brute force.
To see what happens when politicians ram ideas down
artists' throats, take a trip to "Russia!" This once-in-a-lifetime
blockbuster show of Russian art from the 12th century to the present, on
display at the Guggenheim Museum through Jan. 11, is billed as "the most
comprehensive and significant exhibition of Russian art outside Russia since
the end of the Cold War." It's that, for sure, but it's also an object
lesson in the power of ideas to hijack a great culture.
In the '30s and '40s, Russian artists were expected
not merely to toe the Marxist line, but to embody it in their work. Unless
you wanted to end up in the Gulag -- or worse -- you did what Stalin said.
The deliberately anti-modern style that resulted, known as "socialist
realism," was a crude burlesque of 19th-century realism in which the Soviet
Union was portrayed as a proletarian paradise. Visual artists had an
especially tough time of it, for the once-thriving Russian avant-garde was
replaced overnight by a school of simple-minded poster artists who
specialized in cheery canvases with titles like "Collective Farm Worker on a
Bicycle." To stroll through "Russia!" is to be stupefied by the sheer
banality of the assembly-line art these brush-wielding apparatchiks cranked
out.
That's one kind of idea-driven art in which the
artist illustrates ideas, often with the intention of bludgeoning others
into embracing them. But there's another kind, in which an idea is so
radically transformed by the artist that the resulting work of art floats
free from its initial inspiration, taking on the haze of ambiguity that is
part and parcel of beauty.
I saw a wonderful example of the latter kind of art
last week at Brooklyn's BAM Harvey Theater. "Super Vision" is an
evening-long piece of performance art created by the Builders Association, a
New York-based touring experimental theater troupe, in collaboration with
dbox, the multidisciplinary design studio. On paper it sounds like a
"Nineteen Eighty-Four"-style documentary about how governments and
corporations misuse the mountains of personal data they collect from private
citizens. In the theater, though, "Super Vision" blossoms into something
completely different, a computer-enhanced visual poem about the pitfalls and
promise of life in the information age.
"Super Vision," which is being performed this
weekend at Montclair State University in Montclair, N.J. (for a tour
itinerary, go to
www.superv.org ), consists of three interwoven stories in which six
actors move through a breathtakingly complex series of digitally generated
three-dimensional projections. In one story line, a computer-savvy swindler
named John steals his young son's identity, uses it to run up $400,000 in
debt, then vanishes. John and his wife are played by real-life actors, but
John Jr. exists only as a video image, while the suburban house in which
they live is entirely animated.
Again, this bald description makes "Super Vision"
sound like a technical tour de force -- which it is. Yet it's far more than
that. "I think of the stories in 'Super Vision' as the emotional side of
data," explains Marianne Weems, the show's director. "The point is to bring
visceral sensation and visual impact to these stories -- and as we move more
deeply into interpreting the factual material on which they're based, we
move away from the literal."
This is what lifts "Super Vision" out of the
pedestrian realm of the purely factual. Yes, Ms. Weems and her collaborators
are rightly disturbed by what she calls "this new form of surveillance and
its constant incursions into the realm of our selves." But instead of
preaching a strident sermon about how "dataveillance" threatens the right to
privacy, they've transformed their fears into a fast-flowing stream of
nonliteral images that stick in your mind like the swirling colors of an
abstract painting. Just when John, the identity thief, thinks he's gotten
away clean, you see in the distance what looks like a flock of birds. Then,
as it draws nearer, you realize that it's actually a cloud of
computer-generated data points hurtling through the air to chase him down.
That's not politics -- it's poetry. And it's the quintessence of "Super
Vision," a work of theatrical alchemy in which ideas are turned into art by
making them more beautiful.
"Viral cure could 'immunise' the internet," Kurt Kleiner,
NewScientist, December 1, 2005 ---
http://www.newscientist.com/article.ns?id=dn8403
Some researchers have developed artificial "immune
systems" that automatically analyse a virus meaning a fix can be sent out
more rapidly. In practise, however, computer viruses still tend to spread
too quickly.
Now Eran Shir, and colleagues at Tel-Aviv
University in Israel, have applied network theory to the problem, and
believe they have come up with a more effective solution.
Part of the problem, the researchers say, is that
countermeasures sent from a central server over the same network as the
virus it is pursuing will always be playing catch-up.
They propose developing a network of "honeypot"
computers, distributed across the internet and dedicated to the task of
combating viruses. To a virus, these machines would seem like ordinary
vulnerable computers. But the honeypots would attract a virus, analyse it
automatically, and then distribute a countermeasure.
Healing hubs
But the honeypots would be linked to one another via a dedicated and
secure network. This way, once one has captured a virus, all the others
will quickly know about the infection immediately. Each honeypot then
acts as a hub of healing code which is disseminated to computers
connected to it. The countermeasure then spreads out across the broader
network.
Simulations show that the larger the network grows,
the more efficient this scheme should be. For example, if a network has
50,000 nodes (computers), and just 0.4% of those are honeypots, just 5% of
the network will be infected before the immune system halts the virus,
assuming the fix works properly. But, a 200-million-node network – with the
same proportion of honeypots – should see just 0.001% of machines get
infected.
Security measures, such as encryption, would be
needed to prevent viruses from exploiting the honeypot network.
"They've shown it is possible to use this
epidemically spreading immune agent to good advantage," says Jeff Kephart, a
computer scientist at IBM in Hawthorne, New York, US. "The next step would
be to look more carefully at the benefits and costs of this approach. I see
promise in it."
The paper only discusses the mathematical model,
and there is no effective implementation as yet. But Shir plans to release a
simple example program soon and hopes that volunteers or a company will
eventually implement the real thing across the internet.
Journal reference: Nature Physics (DOI:
10.1038/nphys177).
Walt's Warnings About File Sharing
"The Practical Case Against File Sharing," by Walter Mossberg, The Wall
Street Journal, October 20, 2005 ---
http://online.wsj.com/article/SB112976373382173735.html?mod=todays_us_marketplace
Q:
Are there problems with using file-swapping sites like Kazaa, as long as you
have a good antivirus protection program? I don't mind paying for individual
songs, but other sites like iTunes or Rhapsody often don't have the songs I
want.
A:
Yes, there are problems. The first are the ethical and legal issues arising
from obtaining somebody else's copyrighted intellectual property without
paying for it, from a person who isn't licensed or authorized to distribute
it. The other sites you mention, iTunes and Rhapsody, are legally licensed
to distribute music. Kazaa and its ilk aren't, nor are the people who make
music available through them. Your argument is like rationalizing buying
stolen TVs because your local Best Buy didn't have the model you wanted.
If your conscience can get past that, there are
practical issues. These sites are major transmitters not only of viruses,
but of spyware, which your antivirus program can't stop. Even if your PC has
a full, up-to-date security suite, with antispyware software, you are asking
for trouble by downloading from "file swapping" sites. Many of the people I
hear from who have had to take drastic, costly steps to save heavily
infected PCs attribute their problems to the fact that their kids were
frequenting file-sharing sites.
Bob Jensen's threads on file sharing are at
http://www.trinity.edu/rjensen/napster.htm
Telling Computers How to Keep Secrets
The home version of Windows XP (unlike Apple's two most
recent Mac OS X releases) can't lock up your important data, but other
developers have come up with tools for this task. You just have to decide which
of these three qualities is most important to you: simplicity, price or
capabilities. The easiest data-protection software we tested was Steganos
Safe 8 (Win 2000 or newer, $30 at
http://www.steganos.com/
). It creates a "secure drive," an encrypted,
password-protected file that houses whatever files you choose to put in it. When
the secure drive is unlocked, it works just like a regular drive, but when
locked, it turns into a single file filled with encrypted gibberish.
Kevin Savetz, "Telling Computers How to Keep Secrets," The Washington Post,
July 3, 2005 ---
http://www.washingtonpost.com/wp-dyn/content/article/2005/07/02/AR2005070200116.html?referrer=email
Kim Zetter, "ID Theft: What You Need to Know," Wired News, June 29, 2005 ---
http://www.wired.com/news/privacy/0,1848,68032,00.html?tw=wn_tophead_8
What should I do if my
wallet or purse is lost or stolen?
Immediately contact all three
credit reporting agencies -- Equifax, Experian and
TransUnion -- and have them place a fraud alert on your
account. This means that companies issuing new credit
accounts in your name will have to call you to obtain
permission first. The alert will last for 90 days only.
You can extend the alert to seven years, but only if
you've been a victim of identity theft and can provide a
police report.
Equifax: 1.800.525.6285
Experian: 1.888.397.3742
TransUnion: 1.800.680.7289
In addition to contacting the
credit reporting agencies, you should file a police
report if your property was stolen. Close any accounts
that you think may have been compromised by the loss or
theft. The FTC provides
more information and a chart
to tick off steps you should take.
What can I do to
prevent myself from becoming a victim?
There isn't really anything you
can do to prevent identity theft. As long as Social
Security numbers are used for purposes other than Social
Security, you are at risk of having your identity stolen
any time someone has access to documents that carry your
number and other personal data. There are, however,
things you can do to lower your risk of becoming a
victim.
- Review monthly financial
statements carefully for fraudulent activity.
- Request a free copy of
your credit report from a credit-reporting agency
once a year to examine it for fraudulent activity. A
new law requiring credit reporting agencies to
provide a free annual report goes into effect
nationwide in September. Until then, it's in effect
only in western and Midwestern states. The credit
report will show who requested access to your credit
record. Look for requests from companies you haven't
done business with and tell credit-reporting
agencies if you see credit accounts that you didn't
open or debts you didn't incur. Check to see that
your name and address are correct.
- Don't give your Social
Security number to any business that doesn't really
need it.
- Cross shred sensitive
documents. Thieves have been known to piece together
strips of paper that are shredded only once.
Cross-shredders double-shred documents.
- Shred pre-approved
credit-card offers before tossing them in the
garbage.
- Don't store sensitive
personal information, such as bank account numbers
and passwords, on home computers or handheld
devices.
- Install a firewall and
anti-virus software on your computer and keep the
virus definitions up to date to prevent viruses and
Trojan horses from infecting your computer and
feeding personal information back to hackers.
- Don't fall for phishing
scams. Phishing occurs when someone sends you an
e-mail purporting to be from your bank or other
company you do business with and requesting you to
update your account information.
- Use specially designed
software programs to clean data from your computer
before you sell or discard it. Simply deleting files
will not remove data from the memory.
- Don't carry any documents
in your wallet that have your Social Security number
on them, including your medical card or military ID,
on days when you don't need the card.
- Opt-out when your bank or
other financial institution requests permission to
share information about you with other businesses.
- Close all credit-card
accounts except the one or two that you really need.
- If you are an identity
theft victim and live in one of ten states,
including California, Colorado, Louisiana, Maine,
Texas, Vermont or Washington, consider placing a
"freeze" on your credit report so that no one can
access it without your permission. More than 20
additional states are considering passing similar
legislation. Creditors need to look at your report
before granting you credit. By freezing your report,
it will prevent unauthorized people from seeing your
personal data and it will prevent creditors from
opening a new credit account in your name for an
impostor. Some states only let victims of identity
theft freeze their records. Other states allow
anyone to freeze their record. The State Public
Interest Research Groups maintains
a list of states with
freeze laws.
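The phishing advice in the list above ("an e-mail purporting to be from your bank ... requesting you to update your account information") comes down to a few checks that can be automated: does every link in the message point back to the sender's own domain, does any link go to a bare IP address, and does the address shown to the reader match the address the link really targets. The script below is an added example, not part of the FAQ above or of any vendor's product. The two sample messages, their domains and addresses are constructed for illustration (they use reserved documentation ranges), and the registrable-domain helper is a deliberate simplification that does not consult the public suffix list, so a real deployment would need a proper list there.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; the hosts are illustrative, not real sites.
PHISHING_EMAIL = """\
From: "First National Bank" <security@firstnational-bank.example>
To: customer@example.net
Subject: Please update your account information
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Dear customer, please <a href="http://192.0.2.10/update.php">click here
to update your account</a> or visit
<a href="http://firstnational-bank.example.attacker-host.example/login">
https://www.firstnational-bank.example/login</a>.</p>
</body></html>
"""

LEGITIMATE_EMAIL = """\
From: "First National Bank" <alerts@firstnational-bank.example>
To: customer@example.net
Subject: Your monthly statement is ready
Content-Type: text/html; charset=us-ascii

<html><body><p>Sign in at
<a href="https://www.firstnational-bank.example/statements">our web site</a>
to view it.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Gather (href, visible text) for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Crude 'example.com' from 'a.b.example.com' (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def analyze_message(raw):
    """Return a list of human-readable phishing indicators found in a raw e-mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(sender.rpartition("@")[2])

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")

    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname
        if not host:
            continue
        if is_ip_literal(host):
            findings.append(f"link to a raw IP address: {href}")
            continue
        target = registrable_domain(host)
        if target != sender_domain:
            findings.append(f"link target {host} is outside sender domain {sender_domain}")
        if URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown and registrable_domain(shown) != target:
                findings.append(f"displayed URL {text} actually points to {host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(name, analyze_message(raw) or "no indicators")
```

Run as a script it reports three indicators for the first message (a raw IP target, a link outside the sender's domain, and a displayed URL that does not match its target) and none for the second. Note that a forged From: header passes these checks unchallenged; the sender's domain is taken at face value here, which is why mail-server checks such as SPF or DKIM matter as well.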
Bob Jensen's guides on how to
report fraud ---
http://www.trinity.edu/rjensen/FraudReporting.htm
Bob Jensen's helpers on identity
theft ---
http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft
A government Website on Cybercrime ---
http://www.usdoj.gov/criminal/cybercrime/
FCC Posts Lists of Sites That Send Spam to Cell Phones
--- http://www.technologyreview.com/articles/05/02/ap/ap_2020805.asp?trk=nl
"Blocking Cellphone Spam," by Debra Goldschmidt, The Wall Street
Journal, January 3, 2006; Page D1 ---
http://online.wsj.com/article/SB113625263355436073.html?mod=todays_us_personal_journal
The Problem: You're paying for all the unwanted text messages you get on your
cellphone.
The Solution: Unwanted text messages usually come from two sources: telemarketers
or friends who do more typing than talking.
The first is called cell spam -- illegal
solicitations. Most service providers use anti-spam programs but
nothing is foolproof. If you receive cell spam, ask your cellphone
company to deduct the cost of that message from your next bill. You
can also file a complaint with the Federal Communications Commission
at
www.fcc.gov.
So-called
friendly fire text messages are those from people you know -- such
as your teenager's friends who inadvertently run up your bill. To
combat these, most service providers allow you to log onto their Web
site to block a limited number of phone numbers from sending you
messages. If you have Cingular or Verizon, you can ask to disable
the text messaging function on your phone -- or your teenager's
phone.
"Adobe PDF Patch
Plugs Data Leak Threat," by Brian Krebs, The Washington Post, June 20,
2005 ---
http://blogs.washingtonpost.com/securityfix/2005/06/adobe_pdf_patch.html?referrer=email
According to Adobe, the latest version gets rid of
a fairly serious security flaw. By convincing a target to download a
specially crafted PDF document, attackers could "discover the existence of
local files," -- i.e., read documents on the victim's computer. Adobe says
that threat is minimized because the attacker would have to know the exact
name and location of the files he was searching for to be able to leverage
the security flaw.
Anyway, you can update using the automatic updater
bundled with Adobe, or
visit
Adobe's download site to install the fix manually.
Adobe says it is working on a fix for Mac users. If any Mac users are
concerned about this vulnerability,
this page has instructions on how to disable
Javascript in Adobe.
By the way, if you browse the Web using
Mozilla's Firefox Web browser
and have always had trouble loading PDF documents, you
might consider following
the advice here to fix the problem. Just scroll
down to the question in the FAQ that reads "Why do Adobe pdf files load
slowly in Windows?" For the longest time I put off researching a tweak for
this problem. Mozilla says it's because Adobe Reader for Windows
loads lots of unused plugins on startup.
"The State Of Internet Security," by Fahmida Y. Rashid, Forbes, June
14, 2005 ---
http://www.forbes.com/technology/2005/06/14/verisign-internet-security-cx_fr_0614verisign.html
E-mails from Nigeria
asking for your help in transferring money. Important information about
compromised bank accounts.
While the scams
that daily flood our e-mail in-boxes show no signs of abating, there is
some good news for the users who have to sort through them all. So says
VeriSign, in its latest "State of Internet Security" address covering the
first three months of 2005.
Phishing attacks--the attempted theft of
information such as user names, passwords or credit-card numbers--are
increasingly more sophisticated, VeriSign said. But the company, which
lives by the sale of computer security software, says phishing attacks
are less profitable than they used to be, and of shorter duration, since
affected companies work with Internet service providers to shut down
sites capturing the information.
Pharming, also known as DNS spoofing because it
fools the domain-name system, is an alternative technique that tries to
direct users to a fake Web site even when the correct address is entered
into a browser. "It's as if you looked up a number in the phone book,"
says Phillip Hallam-Baker, a Web security expert at Verisign,
"but someone somehow changed the number, managed to swap the phone book
on you."
VeriSign's report lists ways to lock down DNS
infrastructure to shut down pharming. It encourages administrators to
upgrade their DNS software and to install cryptography solutions. Hallam-Baker
feels that pharming attacks that depend on cached information could be
eliminated fairly easily. Pharming attacks infrastructure, so the
company in charge of that segment could prevent further attacks by
upgrading necessary components.
Continued in article
Links to the ISIB report are given at
http://www.verisign.com/verisign-inc/news-and-events/news-archive/us-news-2005/page_030922.html
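Hallam-Baker's remark above that pharming attacks "that depend on cached information could be eliminated fairly easily" can be made concrete with a toy resolver. The code below is an added example, not VeriSign's code or anything from its report. It models two defenses that later resolver software adopted: unpredictable transaction IDs and source ports, so that a forged reply is unlikely to match an outstanding query, and a bailiwick check that refuses to cache records a server had no authority to hand out. All names, addresses, the fixed port 1053 and the attacker's guess budget are constructed values; the cryptographic fix the article alludes to (DNSSEC) is not modelled.

```python
import random

BANK = "www.bank.example"           # constructed names and addresses
ATTACKER = "www.attacker.example"
REAL_IP = "198.51.100.5"
FAKE_IP = "192.0.2.10"


def zone_of(name):
    """Crude zone cut: the last two labels (stands in for a real bailiwick test)."""
    return ".".join(name.split(".")[-2:])


class Resolver:
    """Toy caching resolver; the flags switch on the defenses of a patched one."""

    def __init__(self, seed=0, random_txid=False, random_port=False, bailiwick=False):
        self.rng = random.Random(seed)
        self.random_txid, self.random_port, self.bailiwick = random_txid, random_port, bailiwick
        self.cache = {}        # name -> IP
        self.pending = set()   # (name, txid, port) of queries awaiting a reply
        self._next_txid = 0

    def ask(self, name):
        """Send a query; a reply must echo this (txid, port) to be accepted."""
        if self.random_txid:
            txid = self.rng.randrange(1 << 16)
        else:                                   # old behaviour: sequential IDs
            self._next_txid = (self._next_txid + 1) & 0xFFFF
            txid = self._next_txid
        port = self.rng.randrange(1024, 1 << 16) if self.random_port else 1053
        self.pending.add((name, txid, port))
        return txid, port

    def receive(self, name, txid, port, answer, additional=()):
        """Process a UDP reply. Returns True if it was accepted into the cache."""
        key = (name, txid, port)
        if key not in self.pending:
            return False                        # unsolicited or mis-guessed: drop
        self.pending.remove(key)
        self.cache.setdefault(name, answer)     # first answer wins, as in a real cache
        for extra_name, extra_ip in additional: # "additional section" glue records
            if self.bailiwick and zone_of(extra_name) != zone_of(name):
                continue                        # out of bailiwick: discard
            self.cache.setdefault(extra_name, extra_ip)
        return True


def spoof_race(resolver, guesses=64):
    """Attacker induces a lookup of BANK and floods forged replies before the
    real one lands. Returns True if the fake address ended up cached."""
    # The attacker first makes the resolver look up a name served by the
    # attacker's own name server, so one (txid, port) pair is observed there.
    seen_txid, seen_port = resolver.ask(ATTACKER)
    resolver.receive(ATTACKER, seen_txid, seen_port, "203.0.113.7")
    real_txid, real_port = resolver.ask(BANK)   # not visible to the attacker
    for i in range(1, guesses + 1):             # extrapolate from what was seen
        resolver.receive(BANK, (seen_txid + i) & 0xFFFF, seen_port, FAKE_IP)
    resolver.receive(BANK, real_txid, real_port, REAL_IP)  # genuine reply arrives last
    return resolver.cache[BANK] == FAKE_IP


def poison_rate(trials=200, **flags):
    """Fraction of independent races the attacker wins against a given configuration."""
    return sum(spoof_race(Resolver(seed=s, **flags)) for s in range(trials)) / trials


def glue_attack(resolver):
    """Attacker's own name server answers a harmless query and smuggles a bogus
    record for BANK in the additional section. Returns what the cache now holds."""
    txid, port = resolver.ask(ATTACKER)
    resolver.receive(ATTACKER, txid, port, "203.0.113.7", additional=[(BANK, FAKE_IP)])
    return resolver.cache.get(BANK)


if __name__ == "__main__":
    print("sequential txid, fixed port :", poison_rate())
    print("random txid, fixed port     :", poison_rate(random_txid=True))
    print("random txid and port        :", poison_rate(random_txid=True, random_port=True))
    print("glue, no bailiwick check    :", glue_attack(Resolver()))
    print("glue, with bailiwick check  :", glue_attack(Resolver(bailiwick=True)))
```

With sequential IDs and a fixed port the attacker wins every race on the first guess; randomizing the ID alone leaves roughly a 64-in-65,536 chance per race for this guess budget, and randomizing the port as well multiplies the search space again. The glue case is the one Hallam-Baker's "phone book" analogy describes: the attacker never has to guess anything, so only the bailiwick rule stops it.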
Tired of Computer Viruses, Spyware, and all the Other Microsoft Diseases?
Switch to a Mac
If you switch to a Mac, a must book is Mac OS X: The Missing Manual
by David Pogue http://www.amazon.com/exec/obidos/tg/detail/-/0596000820/002-3743809-1628824?v=glance
This book explains how to translate what you
liked to do in Windows into how to do the same things on a Mac.
It's been proven, there is life after death
Identity theft isn't among the risks of medical treatment -- such as infection
-- listed on the standard release form that patients sign. But there's
evidence that identity thieves are starting to target medical patients.
Kevin Helliker, "A New Medical Worry: Identity Thieves Find Ways To
Target Hospital Patients," The Wall Street Journal, February 22,
2005, Page D1 --- http://online.wsj.com/article/0,,SB110902598126260237,00.html?mod=todays_us_personal_journal
Just this weekend, the University of Chicago
Hospitals reported that a former employee had stolen identity information from
as many as 85 patients. In recent years, rings of thieves stole the identities
of more than 15 such patients in Iowa, 30 in Minnesota and nearly 50 in
Indiana. During the past two years, the state of Michigan has prosecuted more
than 20 cases involving medical-patient identity theft, many involving
multiple victims, Michigan Attorney General Mike Cox says.
Hospital patients are vulnerable in part because they
are unlikely to detect anything amiss. Some may never leave the hospital. A
team of alleged identity thieves arrested in 2003 in New Jersey were targeting
the terminally ill, according to police.
Continued in article
Hackers are turning digital rights management features of Microsoft's Windows
Media Player against users by fooling them into downloading massive amounts of
spyware, adware, and viruses.
A year after it went into effect, the federal CAN-SPAM Act is a "miserable"
failure, a messaging security firm that monitors compliance with the anti-spam
legislation says.
The United States was the 800-pound spam-spewing gorilla throughout 2004, a
spot it held from wire to wire throughout the year, an anti-virus firm says.
Federal judge grants restraining order shutting down six porn purveyors.
Information Week's Updates on Spam (including how spyware burglars and
spammers stay ahead of all efforts to stop them) --- http://snipurl.com/spamJan19
"Beware Web Hitchhikers," CBS News, December 31, 2004 --- http://www.cbsnews.com/stories/2004/12/31/eveningnews/consumer/main664185.shtml
One of the big-sellers this holiday season is the
wireless router, which lets you link your computer to the Internet from any
room in the house.
But as CBS News Correspondent Vince Gonzales reports,
the problem is that strangers on the street can also hook up to the net --
through your router.
It's called "war-driving" -- prowling
neighborhoods, searching for open wireless networks that offer a free ride
onto the Internet.
Surprise, Surprise!
In terms of features, and especially security protection, Microsoft's Internet
Explorer is well behind the alternatives.
Meanwhile,
other people have been building much better browsers, just as Microsoft itself
did in the 1990s, when it challenged and eventually bested the then-dominant
browser, Netscape Navigator. The most significant of these challengers is Firefox,
a free product of an open-source organization called Mozilla,
available for download at www.mozilla.org. Firefox is both more secure and more
modern than IE, and it comes packed with user-friendly features the Microsoft
browser can't touch.
"Security, Cool Features Of
Firefox Web Browser Beat Microsoft's IE," Walter Mossberg, The Wall
Street Journal, December 30, 2004, Page B1 --- http://online.wsj.com/article/0,,SB110435917184512320,00.html?mod=todays_us_marketplace
Microsoft's Internet Explorer Web
browser is one of the most important, and most often used, programs on the
world's personal computers, relied upon by more than 90% of Windows users. But
Microsoft
hasn't made any important functional improvements in Internet Explorer for
years.
The software giant has folded IE into
the Windows operating system, and the browser only receives updates as part of
the "Windows update" process. In recent years, most upgrades to IE
have been under-the-hood patches to plug the many security holes that have
made IE a major conduit for hackers, virus writers and spyware purveyors. The
only visible feature added to IE recently: a pop-up ad blocker, which arrived
long after other browsers had one.
Meanwhile, other people have been
building much better browsers, just as Microsoft itself did in the 1990s, when
it challenged and eventually bested the then-dominant browser, Netscape
Navigator. The most significant of these challengers is Firefox, a free
product of an open-source organization called Mozilla, available for download
at www.mozilla.org.
Firefox is both more secure and more modern than IE, and it comes packed with
user-friendly features the Microsoft browser can't touch.
Firefox still has a tiny market share.
But millions of people have downloaded it recently. I've been using it for
months, and I recommended back in September that users switch to it from IE as
a security measure. It's available in nearly identical versions for Windows,
the Apple Macintosh, and the Linux operating system.
There are some other browsers that put
IE to shame. Apple's elegant Safari browser, included free on every Mac, is
one. But it isn't available for Windows. The Opera browser is loaded with
bells and whistles, but I find it pretty complicated. And NetCaptor, my former
favorite, is very nice. But since it's based on the IE Web-browsing engine,
it's vulnerable to most of IE's security problems.
Firefox, which uses a different
underlying browsing engine called "Gecko," also has a couple of
close cousins based on the same engine. One is Netscape, now owned by America
Online. The other is a browser called Mozilla, from the same group that
created Firefox. But Firefox is smaller, sleeker and newer than either of its
relatives, although a new Netscape version is in the works.
Firefox isn't totally secure -- no
browser can be, especially if it runs on Windows, which has major security
problems and is the world's top digital target. But Firefox has better
security and privacy than IE. One big reason is that it won't run programs
called "ActiveX controls," a Microsoft technology used in IE. These
programs are used for many good things, but they have become such powerful
tools for criminals and hackers that their potential for harm outweighs their
benefits.
Firefox also has easier, quicker and
clearer methods than IE does for covering your online tracks, if you so
choose. And it has a better built-in pop-up ad blocker than IE.
But my favorite aspect of Firefox is
tabbed browsing, a Web-surfing revolution that is shared by all the major new
browsers but is absent from IE. With tabbed browsing, you can open many Web
pages at once in the same browser window. Each is accessed by a tab.
The benefits of tabbed browsing hit
home when you create folders of related bookmarks. For instance, on my
computer I have a folder of a dozen technology-news bookmarks and another 20
or so bookmarks pointing to political Web sites. A third folder contains 15 or
so bookmarks for sites devoted to the World Champion Boston Red Sox. With one
click, I can open the entire contents of these folders in tabs, in the same
single window, allowing me to survey entire fields of interest.
And Firefox can recognize and use Web
sites that employ a new technology called "RSS" to create and update
summaries of their contents. When Firefox encounters an RSS site, it displays
a special icon that allows you to create a "live" bookmark to the
site. These bookmarks then display updated headlines of stories on the sites.
Firefox also includes a permanent,
handy search box that can be used to type in searches on Google, Yahoo, Amazon
or other search sites without installing a special toolbar.
And it has a cool feature called
"Extensions." These are small add-on modules, easy to download and
install, that give the browser new features. Among the extensions I use are
one that automatically fills out forms and another that tests the speed of my
Web connection. You can also download "themes," which change the
browser's looks.
There is only one significant downside
to Firefox. Some Web sites, especially financial ones, have chosen to tailor
themselves specifically for Internet Explorer. They rely on features only
present in IE, and either won't work or work poorly in Firefox and other
browsers.
Luckily, even if you switch to Firefox,
you can still keep IE around to view just these incompatible sites. (In fact,
Microsoft makes it impossible to fully uninstall IE.) There's even an
extension for Firefox that adds an option called "View This Page in
IE."
"Barbarians at the Digital
Gate," by Timothy L. O'Brien and Saul Hansell, The New York Times,
September 19, 2004 --- http://www.nytimes.com/2004/09/19/business/yourmoney/19gator.html
Karsten M. Self, who oversees a children's computer lab at a youth center in Napa,
Calif., spends about a half-hour each morning electronically scanning 10 PC's.
He is searching for files and traces of code that threaten to hijack the
computers by silently monitoring the children's online activities or by
plastering their screens with dizzying - and nearly unstoppable - onslaughts of
pop-up advertisements.
To safeguard the children's computers, Mr. Self has
installed a battery of protective software products and new Web browsers. That
has kept some - but by no means all - of the youth center's digital intruders
at bay. "You would expect that you could use these systems in a safe and
sane way, but the fact of the matter is that you can't unless you have a fair
amount of knowledge, time to fix the problems and paranoia," he said.
The parasitic files that have beset Mr. Self and
other frustrated computer users are known, in tech argot, as spyware and
adware. The rapid proliferation of such programs has brought Internet use to a
stark crossroads, as many consumers now see the Web as a battlefield strewn
with land mines.
At the same time, major advertisers and big Internet
sites are increasingly tempted by adware's singular ability to display pop-up
ads exactly when a user has shown interest in a particular service or product.
"Adware has its place, but to grab market share
I think a lot of companies are doing things that make consumers feel
betrayed," said Wayne Porter, co-founder of Spyware-Guide.com, a Web site
that tracks adware and spyware abuses. "I think we're at a very important
inflection point that is going to decide how the Internet operates."
Continued in the article
The link below was forwarded by Helen Terry
"Digital mafia hitting Web sites in protection racket," by Joseph Menn,
Los Angeles Times, October 26, 2004 --- http://www.chron.com/cs/CDA/ssistory.mpl/front/2867289
To an old-time bookie like Mickey Richardson, $500 in
protection money was chump change.
So when he got an e-mail from gangsters threatening
to bring his online sports betting operation to its knees, he paid up.
Before long, though, the thugs wanted $40,000. And
that ticked him off.
"I'm stubborn," said Richardson, who runs
Costa Rica-based BetCRIS.com. "I wanted to be the guy that says, 'I
didn't pay, and I beat them.'"
Richardson couldn't figure the odds, but he was
determined to fight what's fast becoming the scourge of Internet-based
businesses: high-tech protection rackets in which gangs of computer hackers
choke off traffic to Web sites whose operators refuse their demands.
Rather than brass knuckles and baseball bats, the
weapons of choice for these digital extortionists are thousands of computers.
They use them to launch coordinated attacks that knock targeted Web sites
off-line for days, or even weeks, at a time.
The shakedowns generate millions of dollars. Many
Internet operators would rather pay protection money than risk even greater
losses if their Web sites go down.
After more than a year perfecting their techniques on
gambling and pornographic Web sites, the gangs are starting to turn their
talents to mainstream e-commerce operations.
"It's pretty much a daily occurrence that one of
our customers is under attack, and the sophistication of the attacks is
getting better," said Ken Silva, a vice president at VeriSign Inc., the
company that maintains the ".com" and ".net" domain name
servers and provides security to many firms.
• Last month, Authorize.net, one of the biggest
credit-card-services processors for online merchants, was hit repeatedly over
two weeks, leaving thousands of businesses without a means to charge their
customers.
• In April, hackers silenced Card Solutions
International, a Kentucky company that sells credit card software over the
Web, for a week after its owner refused to pay $10,000 to a group of Latvians.
Only after switching Internet service providers could the company come back
online.
• In August, a Massachusetts businessman was
indicted on charges of orchestrating attacks on three television-services
companies -- costing one more than $200,000. The case against Saad Echouafni
is one of the rare instances in which alleged attackers have been identified
and charged. Echouafni skipped bail.
Many more attacks go unreported. "You're just
seeing the tip of the iceberg," said Peter Rendall, chief executive of
the Internet filter maker Top Layer Networks.
Richardson was intent on keeping his ship afloat.
BetCRIS, short for Bet Costa Rica International
Sportsbook, takes about $2 billion in bets every year from gamblers around the
world. Most are placed online. After customers complained early last year that
the Web site seemed sluggish, Richardson felt a little relieved when an
anonymous hacker e-mailed an admission that he had launched a
denial-of-service attack against BetCRIS.
The hacker wanted $500, via the Internet payment
service e-Gold.
That seemed like a bargain to Richardson. He paid up
and promptly spent thousands more on hardware designed to weed out unfriendly
Web traffic. "I was thinking if this ever happens again," he said,
"we won't have a problem."
The Saturday before Thanksgiving, Richardson found
out how wrong he was. An e-mail demanded $40,000 by the following noon. It was
the start of one of the biggest betting weeks of the year, with pro and
college football as well as basketball.
Richardson didn't respond.
The next day, BetCRIS crashed hard.
About the same time, other betting sites were getting
hit too. The threats came in mangled English: "In a case if you refuse
our offer, your site will be attacked still long time." Some sites were
shut down for weeks.
Costa Rican law enforcement was ill-equipped to deal
with computer hackers thousands of miles away. Given the shaky legality of
offshore betting, seeking help from U.S. authorities wasn't an attractive
option.
So the bookie in Costa Rica turned to Barrett Lyon, a
spiky-haired philosophy major from Sacramento.
Continued in the article
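The lesson in Richardson's story, that hardware bought "to weed out unfriendly Web traffic" by its address did nothing when the next attack came from thousands of computers at once, can be shown with a few lines of detection logic. The example below is added here and is not from the Los Angeles Times article or from any product mentioned in it. Its request log is constructed with a seeded random generator, the client addresses are reserved documentation ranges, and the window size, thresholds and multiplier are assumed values a site would tune against its own baseline.

```python
import random
from collections import Counter, defaultdict


def make_traffic(seed=7):
    """Constructed request log as (second, client_ip) pairs: 120 s of ordinary
    traffic from 200 visitors at about 50 requests/s, plus a flood during the
    second minute from 5,000 bots that each send only about one request every
    two seconds."""
    rng = random.Random(seed)
    visitors = [f"203.0.113.{i}" for i in range(1, 201)]
    bots = [f"10.{(i >> 8) & 255}.{i & 255}.1" for i in range(5000)]
    events = []
    for t in range(120):
        for _ in range(50):
            events.append((t, rng.choice(visitors)))
        if t >= 60:
            events.extend((t, bot) for bot in bots if rng.random() < 0.5)
    return events


def per_source_alerts(events, window=10, threshold=100):
    """Classic per-address rate limiting: flag any client that makes more than
    `threshold` requests inside one `window`-second bucket. Returns flagged IPs."""
    buckets = defaultdict(Counter)
    for t, ip in events:
        buckets[t // window][ip] += 1
    return {ip for counts in buckets.values()
            for ip, n in counts.items() if n > threshold}


def aggregate_alerts(events, window=10, learn_until=60, factor=5.0):
    """Compare each bucket's total request rate with a baseline learned during
    the quiet period. Returns (bucket_start, requests_per_s, distinct_clients)
    for every later bucket that exceeds factor * baseline."""
    buckets = defaultdict(list)
    for t, ip in events:
        buckets[t // window].append(ip)
    learn = [len(buckets[b]) for b in range(learn_until // window)]
    baseline = sum(learn) / len(learn) / window
    alerts = []
    for b in sorted(buckets):
        if b * window < learn_until:
            continue                      # still inside the learning period
        rate = len(buckets[b]) / window
        if rate > factor * baseline:
            alerts.append((b * window, rate, len(set(buckets[b]))))
    return alerts


EVENTS = make_traffic()

if __name__ == "__main__":
    print("per-source rate limit flagged:", sorted(per_source_alerts(EVENTS)) or "nobody")
    for start, rate, distinct in aggregate_alerts(EVENTS):
        print(f"t={start:3d}s  {rate:7.1f} req/s from {distinct} distinct clients")
```

The per-address limiter never fires: every bot stays under a handful of requests per window, below what a busy legitimate visitor produces. The aggregate detector fires for all six flood windows, and the distinct-client count it reports (thousands, against a baseline of 200) is what tells an operator that blocking individual addresses will not help and that filtering has to move upstream, which is the kind of service Richardson ended up buying.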
Bottom Line
Solution --- Change to a Mac
"How to Protect Yourself From
Vandals, Viruses If You Use Windows," by Walter Mossberg, The Wall
Street Journal,
September 16, 2004; Page B1 --- http://online.wsj.com/article/0,,personal_technology,00.html
If you use a Windows personal computer
to access the Internet, your personal files, your privacy and your security
are all in jeopardy. An international criminal class of virus writers,
hackers, digital vandals and sleazy businesspeople wakes up every day planning
to attack your PC.
And the company that controls the
Windows platform, Microsoft,
has made this too easy to do by carelessly opening numerous security holes in
the operating system and its Web browser. Even if you install the recent
Service Pack 2 update to Windows XP, you will still be vulnerable.
As I have said before, I believe
Microsoft and the computer makers should be taking care of all these problems
with a unified, managed approach that would free users from having to learn
about all the threats and constantly manage security. They should take
responsibility for shielding users from hackers, spammers, viruses and spyware
-- the malicious software that hijacks your browsing and searching, pushes ads
into your face, and secretly logs your activities.
But until that happens, you will have
to fend for yourself. So here's a quick, rudimentary guide to protecting
yourself in the digital world.
Opting out: The single most effective
way to avoid viruses and spyware is to simply chuck Windows altogether and buy
an Apple Macintosh. Apple's operating system, Mac OS X, is harder for the
criminals to infect, and the Mac's market share is so small that hackers,
virus writers and spies get little thrill, financial gain or publicity from
attacking the platform.
There has never been a successful virus
written for Mac OS X, and there is almost no spyware that targets the Mac.
Plus, the Mac is invulnerable to viruses and spyware written for Windows. Not
only is it more secure, but the Mac operating system is more capable, more
modern and more attractive than Windows XP, and just as stable.
Macs are as good as, and often better
than, Windows PCs at doing the most common computing tasks: Web browsing,
e-mail, word processing, spreadsheets, presentations, photos, music and video.
The Mac version of Microsoft Office can handle Windows Office files with ease,
and it produces files that Office for Windows handles effortlessly. Apple's
computers are also gorgeous.
But switching platforms is expensive,
and scary to people. So if you're sticking with Windows, read on.
Halting hackers: Buy a software
firewall program, one that won't only stop hackers trying to get in but will
also halt suspicious programs already on your PC from trying to send
information out over the Internet. The one I recommend is ZoneAlarm, a free
utility from Zone Labs, available at www.zonelabs.com.
Use it instead of the wimpier built-in firewall Microsoft supplies.
If you have a broadband connection or a
home network, make sure your modem or router (a common piece of networking
gear) is equipped with a feature called NAT, or Network Address Translation.
This technology makes it harder for criminals on the Internet to find your
computers. Even if you have NAT, however, I still recommend you have a
software firewall program, because NAT doesn't block every attack.
Curing viruses: You must run a strong antivirus
program, and keep it updated, even if updates cost money. I recommend Norton
AntiVirus (the stand-alone program, not the cumbersome security suite). It's
very effective, and its automatic update system is the best I've ever tested.
It costs $50, including a year of updates.
Stopping spyware: Since antivirus programs don't
attack spyware, you will need to run, and keep updating, a separate piece of
software called an antispyware program. I recommend Spy Sweeper from Webroot
software, at www.webroot.com
. It costs $30, including a year of updates. Like an antivirus program, it not
only detects and removes spyware already on your PC, but also watches for, and
blocks, new spyware.
Stuffing spam: Buy a decent antispam program. I know
of none that is close to perfect, but the best is probably MailFrontier
Desktop, available for $30 at www.mailfrontier.com
. If you're really fed up, you can turn on the "challenge" feature
in this program, which forces unknown senders to pass a simple test that
baffles the mass-mailing software spammers use.
Browsing safely: I suggest dumping Microsoft's
Internet Explorer Web browser, which has a history of security breaches. I
recommend instead Mozilla Firefox, which is free at www.mozilla.org
It's not only more secure but also more modern and advanced, with tabbed
browsing, which allows multiple pages to be open on one screen, and a better
pop-up ad blocker than the belated one Microsoft recently added to IE.
Being careful: Never download software from the Web
unless you are certain you know what it is and that you want and need it. If a
Web site says you need some special plug-in to view things, be very wary.
Common viewer software, like that from Real Networks, Apple or Macromedia,
should be obtained from those companies' official sites.
Staying current: You should probably install
Microsoft's new SP2 update, which does improve Windows security -- although it
has caused serious problems for a minority of Windows users. And you should
install all the "critical updates" Microsoft issues for Windows.
Bottom line: If you use Windows, you're asking for
trouble. But you can mitigate the risk by taking precautions.
It's the Best Solution, But It's No Longer Perfect
From Technology Review on October 28, 2004
Apple's Got a Virus? Congratulations!
Whenever Windows users grouse about the latest virus or spyware attack,
Macintosh devotees good-naturedly tease that they don't have worry about such
nonsense. Well, the Apple-heads can't say that anymore. Last week, astute Mac
users discovered a program dubbed "Opener"--a nefarious piece of code
embeds itself onto Macs using OS X, disables the computer's firewall, and
collects any password information it can find. The Apple community should not be
upset about this malware news, writes Eric Hellweg, but celebrating it. Finally,
a virus writer thinks Macs matter enough to merit attack!
http://www.technologyreview.com/articles/04/10/wo_hellweg102804.asp?trk=nl
Changes in Microsoft Windows XP Service Pack 2 --- http://www.macromedia.com/devnet/logged_in/wanbar_sp2.html
On Friday, August 6, 2004 Microsoft announced the
release of a significant update to the Windows XP operating system: Microsoft
Windows XP Service Pack 2 (SP2). This security-focused update includes
numerous changes, many of them transparent to end users, which aim to reduce
the operating system's exposure to attacks from the Internet and protect users
from predatory software like adware, spyware, and malware. The Windows XP
operating system is installed on nearly 50% of net-connected computers
worldwide—almost 250 million PCs, according to the Flash
Player survey Macromedia conducts quarterly through NPD.
While targeted at abusers of the current Windows
security model, the changes in SP2 also peripherally affect many safe and
useful technologies, including, in some instances, Macromedia software.
Microsoft and Macromedia have worked closely throughout the development of SP2
to ensure the best possible experience for customers of Macromedia Flash
Player.
In this article I'll talk about areas of the service
pack that web designers and developers, website owners, IT and MIS personnel,
and Flash Player users might be concerned about, with the goal of outlining
the impact SP2 will have on the user experience and the development process.
To get the most comprehensive and detailed
information about the service pack, visit the Microsoft website, which
includes the following:
What's New in Windows XP Service Pack 2
Microsoft Windows Service Pack 2 users will
experience some changes in the way software behaves, including some minor
changes when launching some Macromedia products. The most visible change is
the presence of a new security warning dialog box, which asks users to confirm
that they want to install or launch software.
Many of the new security dialog boxes appear if a
particular piece of software does not have a digital signature.
Digital signatures verify the authenticity of the software download. As
software publishers get busy creating and filing their digital signatures,
there will be a transitional period in which many reliable software
applications will not yet have them. Even without a digital signature, users
are able to click to confirm that they want to install their software and
proceed with the installation. To find out more about the digital signatures,
see the Enhanced
Browser Security section of the Microsoft TechNet article, Changes
to Functionality in Microsoft Windows XP Service Pack 2.
"Free Security Update To
Windows XP Has Value but Falls Short," by Walter Mossberg, The Wall
Street Journal, August 19, 2004, Page B1 --- http://online.wsj.com/article/0,,personal_technology,00.html
Microsoft has paid so little attention
to security over the years that consumers who use Windows have been forced to
spend more and more of their time and money fending off viruses, hackers,
spyware and spam. For this reason, the burden of using a Windows computer has
grown immeasurably recently.
Now, under pressure from its customers
and critics, the software giant is making a move toward undoing that damage.
Over the next few weeks, Microsoft will be rolling out a major, free security
update to Windows XP. It's called "Service Pack 2," or simply
"SP2."
I've been testing SP2 on two Windows
computers, and it seems to work fine. I recommend installing it, if only
because of the under-the-hood security improvements Microsoft claims it
contains.
But SP2 falls way short of what
Microsoft could have done to fix the miserable state of security in Windows.
While the update will make it harder for malicious software to enter your PC,
SP2 doesn't detect or remove viruses or spyware or spam.
What's more, some of the key features
of SP2 are inferior to those in third-party security software. In fact, even
after you install SP2, you will still have to use add-on security programs, if
you want to be reasonably safe.
Over the next month, SP2 will arrive at
many PCs, unbidden, via the built-in Windows Update feature in Windows XP. It
will also be available for downloading from Microsoft's Windows Update Web
site. And Microsoft plans to mail it out, by request, on a free CD.
On my two test machines, an IBM laptop
and a Dell desktop, installation went very smoothly. All my programs and data
remained intact and functional. Microsoft concedes that SP2 does interfere
with about 50 known programs. Most are corporate products, but the list also
includes a few games and consumer utilities.
In addition to the under-the-hood
changes, which are aimed at stopping several common intrusion techniques,
SP2's main features are a new firewall, a new "Security Center" and
new protections built into Microsoft's Internet Explorer Web browser. SP2 also
turns on the automatic-update feature in Windows, which allows Microsoft to
transmit and install future patches without user intervention.
The firewall, which is designed to
shield your PC from attacks over the Internet, is now turned on by default.
Formerly, it was off by default. (You can still turn it off manually, along
with the automatic update feature.) And it has a few new features, including
one that warns you if a program running on your PC is seeking to open a
"port" -- a conduit to the Internet -- so it can receive incoming
data.
But the new firewall lacks a crucial
component present in some third-party firewalls, like ZoneAlarm. It doesn't
prevent rogue programs already on your PC from using the Internet to make
outbound data transfers, such as the secret reports that spyware programs make
on your activities, or instructions that Trojan horse programs send out to
attack other computers.
Also, Microsoft has made it easy for
other software programs to turn off the new firewall. This was done so
competing firewalls like ZoneAlarm could turn off the Windows firewall during
installation, to avoid having duplicate firewalls running. But Microsoft
concedes that hackers can use the technique to shut down the firewall as well.
So I recommend buying, or sticking with, a superior third-party firewall.
The Security Center is where you can
determine whether your firewall, your automatic-update settings and your
antivirus program are on or off. It doesn't actually add a layer of protection
to your PC. It's just an information device.
Even in that role, it falls short. In
my tests, it couldn't tell whether Symantec's Norton AntiVirus program was on
or off, and it warned me that my PC might not be protected against viruses,
even though my antivirus protection was definitely on. This is apparently
because Symantec needs to patch its product so it can talk to the Security
Center. And the center made no effort to monitor my antispyware or antispam
programs.
The changes to the Internet Explorer
browser include a long-overdue pop-up ad blocker, which many other browsers
now include, and additional warnings and controls on software downloads, so
users will think twice about installing programs that might be malicious. An
"Information Bar" at the top of the browser screen warns about
downloads and notes that pop-ups have been blocked.
Microsoft still hasn't devised a quick,
easy way to thoroughly erase your browsing tracks in Explorer or added an
antispam feature to its Outlook Express e-mail program. The company says that
SP2 was all about security, and these things weren't viewed as core security
features. But it somehow still managed to use this security update to jam an
unsolicited new "Favorites" link into the browser, one that points
to a Microsoft site where it wants to sell you software and hardware.
Overall, SP2 is worth installing and
will definitely improve Windows security. But it's limited. You'll still need
to look beyond Microsoft to really secure your Windows PC.
It's almost the same thing as robbing the jewelry in your house and
then asking $300 for the map to where it's buried --- only this time Ole
would say "the yoke's on yew."
But I have to admit that it is a clever password.
"New Trojan Ransoms Files, Demands $300: The Trojan archives 44 file
types with a ZIP library, then password-protects the files and deletes the
originals. But some have discovered the password needed to free the files," by
Gregg Keizer, Information Week, March 16, 2006 ---
http://www.informationweek.com/news/showArticle.jhtml?articleID=183700241
A Trojan is loose that locks up files and then
demands a $300 ransom to return access, several security firms said
Thursday, but at least two have discovered the password needed to free the
files.
Dubbed "Cryzip" by some anti-virus vendors and "Zippo.a"
by others, the Trojan archives 44 file types -- including .doc (Microsoft
Word), .pdf (Adobe Acrobat), and .jpg (images) -- with a ZIP library, then
password-protects the files and deletes the originals.
A "ransom note" is left on the machine, and reads
in part: "Do not try to search for a program what encrypted your information
- it is simply do not exists in your hard disk anymore. If you really care
about documents and information in encrypted files you can pay using
electonic [sic] currency $300.
"Reporting to police about a case will not help
you, they do not know password."
At least two security firms, however, have dug up
the password, which was left in plain view within one of the DLL files
dropped by the Trojan. According to both Sophos and LURHQ, the password is:
C:\Program Files\Microsoft Visual Studio\VC98
"Because this string often appears inside projects
compiled with Visual C++ 6, the author likely figured anyone who found the
infecting DLL and examined its strings looking for the password would simply
overlook it," LURHQ wrote in its Cryzip advisory.
"There should be no need for anyone to pay the
reward," said Graham Cluley, a senior technology consultant with Sophos, in
a separate statement. "It looks like this password was deliberately chosen
by the author in an attempt to fool analysts
into thinking it was a directory path instead."
Victims can use any ZIP utility to unlock the files
with the password.
Ransom-like attacks, labeled "ransomware," are
rare. The last full-fledged attack was in May 2005 when another security
company, California-based Websense, spotted a Trojan that demanded $200 for
a decryption key.
Other, and more common, forms of ransomware-style
attacks are used by bogus spyware vendors, who claim that users' PCs harbor
massive amounts of adware and spyware, and try to sell their phony products
to spooked consumers.
Bob Jensen's threads on reporting computer frauds are at
http://www.trinity.edu/rjensen/FraudReporting.htm
Leading Anti-Virus, Anti-Spyware, and Anti-Spam Alternatives
I trust Consumer Reports rankings more than virtually all other ranking
sources, mainly because Consumer Reports accepts no advertising and has no
other links to the vendors of the products rated in Consumer Reports' labs.
The Consumer Reports home page is at
http://www.consumerreports.org/cro/index.htm
Spyware Detector and Remover
January 2004 message from Richard Campbell [campbell@RIO.EDU]
This product gets my 5 star rating - I was lulled
into a false sense of security with Norton Security suite on my new computer.
http://www.sunbeltsoftware.com/product.cfm?page=benefits&id=410
Richard J. Campbell mailto:campbell@rio.edu
What a Great Idea in the War on Spam: Unfortunately, Make Love, not Spam only
covers Italy, France, Germany, The Netherlands, Spain, Sweden and the UK to Date
Internet users fed up with spam can go on the offensive
by downloading a screensaver aimed at hitting junkmailers in the pocket.
The screensaver, called Make Love Not Spam and launched by search engine Lycos,
requests data from websites that are mentioned in bulk mailings. Lycos
Europe spokesman Frank Legerland says if thousands of users sign up, the
websites' servers will run at nearly full tilt. The demand will slow the
websites' response and hike their bandwidth bills, yet derive no income for the
accesses. He says those costs may discourage the sites from hiring email
spammers to advertise their wares.
ABC News, November 30, 2004 --- http://www.abc.net.au/news/newsitems/200411/s1254988.htm
You can read reviews at http://www.macupdate.com/info.php/id/16592
Also see http://www.eweek.com/article2/0,1759,1733446,00.asp
"Microsoft, Amazon Unite to
Battle E-Mail Scammers," by Judy Lam, The Wall Street Journal,
September 29, 2004, Page D3 --- http://online.wsj.com/article/0,,SB109639503163330213,00.html?mod=technology_main_whats_news
Amazon.com Inc. and Microsoft Corp. have joined forces to combat online fraud and find the people behind
e-mail scams that send millions of forged messages to consumers.
Yesterday, the two companies said they
filed suits against Canadian company Gold Disk Canada Inc. and three
individuals for allegedly sending millions of unsolicited e-mails using
Microsoft's Hotmail services and forging the name of Amazon.com. The suits
were filed in Superior Court of the State of Washington and the U.S. District
Court in Seattle.
Amazon and Microsoft said they are
working to identify offenders and are collaborating to test technical
solutions that would make it more difficult to send unwanted messages to
consumers.
Over the past year, Microsoft has
stepped up its efforts to fight spam and e-mail scams as part of a broader
move to stem a range of attacks on its software. The company has had to
respond to growing customer complaints about the security of Microsoft
applications, prompting the company to release a host of new security
software, sign new partnerships, and begin taking more legal action to thwart
hackers and senders of spam.
Continued in the article
Microsoft to Bundle Anti-Spyware App With Windows
Microsoft said Friday that it plans to bundle its
"Windows Anti-Spyware" tool with Windows Vista, the chronically delayed next
version of the company's operating system. Microsoft also decided to rename the
program "Windows Defender," in part to give it "a more positive name." The
announcement, like others of late, was posted on one of the numerous blogs on
Microsoft's site that catalog the daily doings of the software giant's many
technical divisions. But this news -- for me, anyway -- was more than just a
press release issued via a breezy blog post. It offered a glimpse of something
Redmond hinted it was going to do years ago, but which has only recently become
more of a reality: ship antivirus and anti-spyware updates to hundreds of
millions of Windows computers every day through its Windows/Microsoft Update
feature.
Brian Krebs, "Microsoft to Bundle Anti-Spyware App With Windows," The
Washington Post, November 7, 2005 ---
http://blogs.washingtonpost.com/securityfix/2005/11/microsoft_to_bu.html?referrer=email
The 10 best tools to keep viruses, spyware and bad guys away
"Defensive Perimeter," by Gary Berline, PC Magazine, July 9,
2004 --- http://www.pcmag.com/article2/0,1759,1621759,00.asp
Detailed Checklist
"Keep Your PC Safe," PC Magazine, August 3, 2004 --- http://www.pcmag.com/article2/0,1759,1618797,00.asp
Toolkit of Free Products
"Keep Your Friends Safe," by Neil J. Rubenking, PC Magazine,
August 3, 2004 --- http://www.pcmag.com/article2/0,1759,1618804,00.asp
Security Watch Special Report --- http://www.pcmag.com/category2/0,1738,12,00.asp
My good friend Amy Dunbar at the University of Connecticut
recommends the following spam blocker --- http://spambayes.sourceforge.net/
Bob Jensen's threads on spam blocking are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection
Eileen Taylor from the University of South Florida recommends Cloudmark's
SpamNet spam protection --- http://www.cloudmark.com/
Paula Ward sent this link to a listing of spam fighters --- http://email.about.com/od/windowsspamfightingtools/
Spam and Spyware Blocker Software
All-in-One Secretmaker (Free) --- http://www.secretmaker.com/
All-in-One SECRETMAKER is designed for users who wish to:
● Keep their email box free of spam
● Avoid irritating pop-up and banner interruptions
● Protect their privacy and avoid profiling
● Use the Internet efficiently for private or business use
Spam Blocking
January 25, 2006 Update
Bill Gates' prediction that spam would be eliminated misses the mark by a wide margin
Two years ago, Gates said the spam problem would be
"solved" by now. We're not even close, experts say, and for many reasons that
don't have anything to do with Microsoft.
Gregg Keizer, "Bill Gates' Spam Prediction Misses Target," Information Week,
January 24, 2006 ---
http://www.informationweek.com/story/showArticle.jhtml?articleID=177103434
Also see
http://www.internetweek.cmp.com/showArticle.jhtml?articleId=177103508
Those phony emails pretending to be from banks and PayPal
Q. I get a ton of e-mail messages purporting to be from banks and Web sites
that are obviously not from those institutions even though the return address
looks real. Is there a way to find out where these messages actually came from?
A.
Although you probably won’t be able to trace the fraudulent message
directly back to its human sender, you can usually poke around inside
the message’s full header field to see where it might have come from
electronically. Check your particular e-mail program’s settings for
displaying “full” or “long” message headers — in Outlook Express, for
example, you can see the full header by right-clicking on a message in
your mailbox window, selecting Properties and clicking the Details
button.
The full header shows the path that message
took across the Internet from sender to recipient. Even if the return
address is forged with something like admin@irs.gov,
if you look closely, odds are you’ll see other addresses in the
“Received:” lines in the header that give some indication of the
message’s origin. A detailed explanation of how to read e-mail headers
is at
spamlinks.net/track-trace-headers.htm.
If you receive spam that solicits your personal
information, the consumer safety site
OnGuardOnline.gov
suggests forwarding it to the bank or institution used in the forged
address and to spam@uce.gov.
Bob Jensen's threads on ID theft are at
http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft
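As an added illustration of the header-reading advice above (this code is not part of the column or of Bob Jensen's page), the following Python script parses the "Received:" chain of a constructed phishing message whose From: line is forged as admin@irs.gov, orders the hops from origin to recipient, and reports that no relay in the chain belongs to the claimed sender's domain. Every host name and IP address in the sample is made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real e-mail): the From: line claims irs.gov,
# but the Received: chain shows the message entering from an unrelated host.
# All host names and IP addresses are made up for this example.
SAMPLE_PHISH = """\
Received: from mx.example-university.edu (mx.example-university.edu [198.51.100.7])
\tby mail.example-university.edu with ESMTP id k3Q1a2b3
\tfor <victim@example-university.edu>; Wed, 12 Jul 2006 09:14:33 -0500
Received: from relay.example-isp.net (relay.example-isp.net [203.0.113.25])
\tby mx.example-university.edu with ESMTP id k3Q1a2b2; Wed, 12 Jul 2006 09:14:30 -0500
Received: from irs.gov (unknown [192.0.2.200])
\tby relay.example-isp.net with SMTP id k3Q1a2b1; Wed, 12 Jul 2006 09:14:20 -0500
From: "IRS Refund Department" <admin@irs.gov>
To: victim@example-university.edu
Subject: Your tax refund is waiting

Please confirm your account details at the link below.
"""

# One Received: clause, flattened onto a single line, looks like
#   from <name the sender announced in HELO> (<reverse DNS> [<IP>]) by <receiving server> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received_chain(raw_message):
    """Return the hops as a list of dicts, earliest hop (closest to the sender) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        match = RECEIVED_RE.search(flat)
        if match is None:
            continue                             # unparseable clause: skip rather than guess
        hops.append({
            "helo": match.group("helo"),
            "rdns": match.group("rdns"),
            "ip": match.group("ip"),
            "by": match.group("by"),
        })
    # Each relay prepends its own Received: line, so the last line in the
    # header block is the first hop the message took.
    hops.reverse()
    return hops


def _in_domain(name, domain):
    """True when a host name is the domain itself or a host inside it."""
    if not name:
        return False
    name = name.lower()
    return name == domain or name.endswith("." + domain)


def assess_origin(raw_message):
    """Compare the From: domain with what the Received: chain actually shows."""
    msg = message_from_string(raw_message)
    claimed_addr = parseaddr(msg.get("From", ""))[1]
    claimed_domain = claimed_addr.rpartition("@")[2].lower()
    hops = parse_received_chain(raw_message)
    findings = []
    if not hops:
        findings.append("no Received: headers to examine")
        return {"claimed_domain": claimed_domain, "origin_ip": None,
                "findings": findings, "suspicious": True}
    origin = hops[0]
    # A HELO name the receiving relay could not confirm by reverse DNS is the
    # classic sign of a forged sending host.
    if not origin["rdns"] or origin["rdns"].lower() == "unknown":
        findings.append("origin %s has no reverse DNS confirming its HELO name %r"
                        % (origin["ip"], origin["helo"]))
    if not any(_in_domain(h["rdns"], claimed_domain) for h in hops):
        findings.append("no relay in the chain resolves into the claimed sender domain %r"
                        % claimed_domain)
    return {"claimed_domain": claimed_domain, "origin_ip": origin["ip"],
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_PHISH):
        print("%-14s -> %-28s (announced as %s, seen as %s)"
              % (hop["ip"], hop["by"], hop["helo"], hop["rdns"]))
    for line in assess_origin(SAMPLE_PHISH)["findings"]:
        print("finding:", line)
```

Only the Received: lines added by servers you trust are reliable; earlier ones can be forged along with the From: line, so the result indicates where the message entered the mail system rather than proving who sent it.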
Question
What are two of the shocking developments in spyware and spam?
July 14, 2006 message from Richard Campbell
[campbell@RIO.EDU]
This is from a newsletter from sunbelt software -
developers of Counterspy, a spyware detection software.
CSN: What do you see as the latest trends in spam?
AM: I see four main trends. The first is that most
spam now comes from zombie machines so even if you are able to track the
spam back to the machine that sent it, there is nothing you can do about it
as the person that owns the machine most likely doesn't even know that his
machine is being used as a zombie and even if he did, he wouldn't know what
to do about it. This zombie phenomenon also leads to individualized spam as
the zombie code can access the address book and send legitimate looking
email to the zombie machine owner's friends.
The second trend I see is the increase in the
amount of image spam. That is spam that contains an image instead of text.
The spammer's message is contained in the image as a graphic image instead
of text so that there is no practical way to try and detect spam by looking
at the contents of the email. It's easy for the human eye to look at the
picture and read the text that it contains but it is very difficult for a
computer to do the same thing. Since it is so easy to change a bit or two in
the image, it is not easy to come up with a hashing algorithm (a way to
create a "signature" that can be used to determine if another image is the
same as the original one). There is a lot of work being done to try to come
up with ways of comparing images to see how "similar" they are but nobody
has come up with a workable solution so far. Currently, I'd guess the amount
of image spam is around 5% - 10% of the total amount of spam. I expect to
see this increase to 20% - 30% in the next year or two.
The third trend is the scariest and that is
phishing. I monitor the spam reported by our users so I get to see a pretty
good cross section and it scares me to see how good the phishing sites are.
They are so good that you have to be pretty savvy to detect some of them. I
feel sorry for all the non-computer types out there that will fall victim to
these. I have seen a dramatic rise in the amount of phish email in the past
6 months and expect to see that increase continue because there is so much
money to be made with very little effort or risk.
The fourth trend is "returned email." I have noticed a marked increase but
I haven't had time to investigate. I suspect
that the bulk of it is spam/malware, especially those that have attachments.
It is particularly nasty because an attachment on a returned email doesn't
seem out of the norm. In fact, you kind of expect to see your original email
attached. Some of the undelivered email that I've looked at with attachments
doesn't have the original email there. Instead it contains spam or a link to
a malware site. You have to be real careful and make sure that the "bounce"
(rejected email) is actually something that you sent. Many times it is the
result of a rootkit having taken over your machine, turning it into a
zombie. If you see email bounced that you never sent, it is very likely that
your machine is infected.
CSN: What about image spam, what is it, and why so
dangerous or such a pain to get rid of?
AM: The primary use for image spam is to advertise
penny stocks. Most of this type of spam is part of a 'pump-n-dump' scheme
where the spammer buys a lot of a particular stock and then starts promoting
it via spam that describes what a great buy the stock is or giving the
impression that the company is on the verge of some major expansion or
discovery in order to get gullible investors to buy the stock. Once the
price goes up, and it can go up as much as 500%, the spammer sells his
shares and makes a huge profit. Since there was no real reason for the stock
to increase, it usually falls back to its original level or lower. Most of
the time, the company whose stock is being hyped is not involved in the
spamming so they end up being a victim of the spammer as well as there is
very little that they can do to keep their stock from being manipulated.
Image spam is only useful in situations where the
user doesn't have to communicate with the spammer. With normal spam, there
is a phone number to call or a button to click to order pills or whatever
the spammer is hawking but with image spam, there is no information that
links the email to the spammer as the typical stock ad mentions the company
but not the spammer. This is what makes it so different from the run of the
mill spam.
I'm sure that it won't be too long before some
creative spammer comes up with another type of situation where one way
communication can be used to somehow flow money to them.
Richard J. Campbell
mailto:campbell@rio.edu
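The interview above explains that changing a bit or two in an image spam picture defeats a signature built from an exact hash, and that what filters need instead is a hash that measures how similar two images are. As an added example (not from the Sunbelt newsletter or from Bob Jensen's page), this Python code contrasts a SHA-256 fingerprint with a simple average-based perceptual hash on a constructed 8x8 grayscale image; the image, the pixel tweaks and the 5-bit threshold are assumptions for the demonstration, and a real filter would first shrink the spam graphic down to that size.

```python
import hashlib

# Constructed 8x8 grayscale "image" (0 = black, 255 = white): a bright frame
# and a bright centre on a dark background, standing in for a spam graphic
# that has already been shrunk to 8x8 and desaturated the way perceptual
# hashers do before fingerprinting. No image library is needed at this size.
ORIGINAL = [
    [20, 20, 20, 20, 20, 20, 20, 20],
    [20, 230, 230, 230, 230, 230, 230, 20],
    [20, 230, 40, 40, 40, 40, 230, 20],
    [20, 230, 40, 235, 235, 40, 230, 20],
    [20, 230, 40, 235, 235, 40, 230, 20],
    [20, 230, 40, 40, 40, 40, 230, 20],
    [20, 230, 230, 230, 230, 230, 230, 20],
    [20, 20, 20, 20, 20, 20, 20, 20],
]

# A smooth gradient with nothing in common with ORIGINAL, to show that the
# similarity hash does separate genuinely different pictures.
UNRELATED = [[36 * row] * 8 for row in range(8)]


def perturb(image, positions, delta=1):
    """Copy the image and nudge the listed (row, col) pixels by delta: the
    spammer's trick of changing 'a bit or two' so every copy is unique."""
    copy = [row[:] for row in image]
    for r, c in positions:
        copy[r][c] = max(0, min(255, copy[r][c] + delta))
    return copy


# Three pixels nudged by one grey level: invisible to a person reading the text.
TWEAKED = perturb(ORIGINAL, [(0, 0), (3, 3), (7, 7)])


def exact_fingerprint(image):
    """Byte-exact signature: any changed pixel gives a completely different value."""
    return hashlib.sha256(bytes(p for row in image for p in row)).hexdigest()


def average_hash(image):
    """64-bit similarity hash: one bit per pixel, set when the pixel is brighter
    than the image's mean. Small noise rarely moves a pixel across the mean."""
    pixels = [p for row in image for p in row]
    mean = sum(pixels) / len(pixels)
    bits = 0
    for p in pixels:
        bits = (bits << 1) | (1 if p > mean else 0)
    return bits


def hamming_distance(a, b):
    """Number of differing bits between two hashes: 0 = identical, 64 = opposite."""
    return bin(a ^ b).count("1")


def is_near_duplicate(image_a, image_b, threshold=5):
    """Treat two images as the same spam graphic if their hashes differ in at
    most `threshold` of 64 bits. The threshold is a tuning knob, not a constant."""
    return hamming_distance(average_hash(image_a), average_hash(image_b)) <= threshold


if __name__ == "__main__":
    print("sha256 equal?      ", exact_fingerprint(ORIGINAL) == exact_fingerprint(TWEAKED))
    print("aHash distance     ", hamming_distance(average_hash(ORIGINAL), average_hash(TWEAKED)))
    print("unrelated distance ", hamming_distance(average_hash(ORIGINAL), average_hash(UNRELATED)))
```

The average hash survives pixel noise but not cropping, rescaling or re-rendering the text in another font, which is why the interview describes robust image-spam detection as still unsolved.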
July 25, 2004 Update
Mozilla can help defend against some spyware invasions on your computer!
Forwarded by Jagdish Gangolly [JGangolly@UAMAIL.ALBANY.EDU]
According to Rist
(who is sitting behind me while I write this, just to make sure I don’t
misquote him), the biggest problem is with Microsoft’s continued use of
ActiveX, but that's by no means the only problem. In fact, it looks as if IE
can’t be successfully patched, and what’s needed is a whole new version.
But what are you
going to do if you don’t use IE? For most, IE is the default browser; they
don’t have another choice that’s easy to implement. Does that mean that
you should just grit your teeth and hope for the best? Not necessarily.
There are other
browsers out there without IE’s security holes, most notably Mozilla.
Getting Mozilla isn’t a problem -- just download it from the Web site <http://newsletter.infoworld.com/t?ctl=7ABD7D:1F5397F>
. The real problem is
that you have to be sure that moving to Mozilla doesn’t introduce a new set
of problems.
My own experience
with Mozilla indicates that it works at least as well as IE and appears to be
somewhat faster. I’ve already moved to Mozilla as my default browser because
of the security issues with IE. As it happens, I'm also finding that I like it
better than IE.
Unfortunately, the
only way to know for sure whether Mozilla will work with the apps that require
a browser is to test it. Download it to a few machines and see if anything
breaks.
Testing Mozilla might
be the first step on the path to IE separation, but the journey isn't over
yet. Many companies who run Web sites tend to be kind of lazy and code their
sites only for IE, because it’s the dominant browser. Sometimes they take
shortcuts that keep other browsers from working properly.
The only way to know
for sure if these shortcuts will shortcircuit a non-IE browser is to try
potential replacement browsers to see if they work with the Web sites you
absolutely depend on. If they do, you won’t need to worry as much about
adopting them, although you’ll still have to install the new browser on
every machine, and that’s not the world’s easiest task in a large
enterprise.
But there’s another
task you have to worry about. What are you using for your own Web server?
Internet Information Server has its own set of vulnerabilities, after all. And
what about the code running on your Web site? Have you avoided those
programming practices that will lock your visitors into IE? After all, a lot
of companies are now using machines that don’t run Windows (and therefore
not IE), and a growing number are trying to avoid IE even if they do run
Windows because of the security issues. You don’t want to discourage them
from visiting your site, do you? I didn’t think so.
Unfortunately, you
can’t drop IE from your Windows machines completely. You still need it for
Windows Update alerts. But it is possible to use it sparingly, and until
Microsoft issues a new release, that would be a good idea.
Wayne Rash is a senior analyst at the InfoWorld Test Center.
July 25, 2005 reply from Schatzel, John
[JSchatzel@STONEHILL.EDU]
I also read this past
week (I believe it was in eWeek) that CERT (Computer Emergency Readiness Team)
and the Department of Homeland Security have also declared IE to be unsafe.
There are apparently so many security flaws with IE that they can not be
reliably patched. For example, IE's ability to use ActiveX allows it to
access low level features of your operating system that can allow trojans and
key loggers to be placed on your computer. These programs can and have
collected personal bank account and credit card passwords that have led to
significant losses recently. This whole new Phishing scam used by
hackers who exploit weaknesses in IE to get your personal information without
you knowing it is the most dangerous thing I have ever seen. They target
your machine by sending you a regular email message (i.e., no attachments are
involved) which drops an IE helper object on your computer which then
downloads additional software to your computer capable of collecting and
sending your personal information.
IE also has another
feature called Adodb.stream (among too many other problems to list in this
message), which allows your computer to be compromised. “Adodb.stream
provides a method for reading and writing files on a hard drive,” according
to Microsoft. “This by-design functionality is sometimes used by web
applications. However, when combined with known security vulnerabilities in
Microsoft Internet Explorer, it could allow an Internet web site to execute
script from the Local Machine Zone (LMZ).” This is dangerous folks and
allows hackers to really have a field day with your personal information.
To reduce your risk,
security experts recommend using Mozilla (http://mozilla.org)
or Opera (http://www.opera.com).
I have used both of them and can say that they are both better featured
browsers than IE (the experts say that they are safer). The latest
version of Mozilla (1.7.1) is open source; so it is free. The basic
version of Opera is free, but it displays ads. The no ad version costs $39 and
was selected best browser of 2004 by PC World (and it really is the fastest).
Wishing you all a
safer browser,
John Schatzel
July 25, 2004 reply from David Fordham, James Madison University
[fordhadr@JMU.EDU]
The primary drawback
I've encountered with alternate browsers (and I've tried about half a dozen
over the past few months and years) is that they aren't prepared to deal with
all the various file extensions and file types today which IE handles so
transparently.
I consider myself a
"power web user", and I conduct a lot of business on-line, which
means that my banks, credit card companies, hotels, vendors, university
webmail, university tech-tools, etc. are sending me a lot of scripts,
image/sound files, and executable code. For example, in the past hour, I've
been sitting here in a hotel room in Charlotte looking for Fuddrucker,
Krystals', Boston Markets, double-checking my next hotel reservation as well
as my rewards points, checking the status of my on-line class recording in
Centra, checking webmail, and checking the status of my shipment from the Palm
store. All of this requires executable code, map images, animated logos, etc.
on my computer. (And yes, before you hit the flame button, I realize that
using IE for all this stuff exposes me to all kinds of hazards in spite of my
plethora of antiadware, antispyware, antivirusware, high security settings,
etc....)
But at least all the
apps work in IE! When I get messages saying "this website is trying to
execute something, do you trust them?" and when I hit "yes",
the site runs and my transaction is completed.
When I use the
alternate browsers, they were forever choking and giving me error messages
saying "Unknown file type" and "Unknown file extension"
and "unable to process such-and-such-a script" and so forth, and
the transaction chokes and dies. Depending on the alternate browser, anywhere
from 10% to 80% of my web attempts would not display or run. Mapquest,
Citibank, Switchboard.com, UPS, and even Google's advanced searches sometimes
tripped on these. And our school uses Centra, Blackboard, Tegrity, and a host
of other tech tools which are certified and warrantied to run on IE, but not
on most of the others. (And, surprise, they DON'T! Not reliably, not 100% of
the time! I know. I tried! And yes, I spent hours tinkering with settings and
security configurations and with tech-support people. The usual answer from
the browser support people WHEN I COULD GET THEM TO RESPOND was "our
product doesn't support that".)
Ergo, as is usually
the case, security is a trade-off with convenience. (Been through an airport
since 9/11/01?) If all you do is surf the web for pleasure (bikini.com or
something) or if you are in the habit of inhabiting questionable websites,
then perhaps one of the other browsers might work and be more secure. Or if
you are the government security agency and your people are doing limited stuff
on the government account, you can probably find an alternate browser much
more secure that will run your apps.
But as for me and my
house, I sure hate getting 90% of the way into an on-line transaction, and the
browser bombs out and says it encountered a problem processing, even if it
only happens once every 10 times. (If your car failed to start once every 10
or so times, wouldn't it get irritating, especially if you had come to rely on
your car for your day-to-day operations?)
So once again, until
the rest of the world recognizes the emperor's lack of clothes, I'm afraid
I'll have to avoid the little tailor shops, too. At least until they can
handle the content a little more transparently. (pun intended)
Another devil's-advocate contrarigram from you-know-who, although this time I'm sincere
in my beliefs, having actually truly, been there and done that. Several times.
David Fordham
James Madison University
Hi Paula,
I live with whatever Trinity University is providing for spam protection on our email system.
I still get a lot of unwanted messages for dates, lower mortgage rates,
Viagra, larger breasts, and manhood the size of Kentucky Derby winners.
My good friend Amy Dunbar at the University of Connecticut
recommends the following spam blocker --- http://spambayes.sourceforge.net/
There’s a nice article that came out two days ago reviewing some of the
major alternatives for protection against “spam, viruses and directed
attacks.”
"Appliances Ease E-Mail Security," by Michael Caton, eWeek,
June 28, 2004 --- http://www.eweek.com/article2/0,,1616472,00.asp
Spam, viruses and directed attacks have made managing
e-mail security an increasingly complex and difficult job. eWEEK Labs recently
reviewed three appliances that will reduce the burden on IT managers by
consolidating messaging security applications in a single box.
Appliances from BorderWare Technologies Inc.,
CipherTrust Inc. and IronPort Systems Inc. give companies a new way to solve
the problem of securing e-mail without investing in numerous point
applications—from messaging gateways to anti-spam software—and the
hardware needed to run those applications. We reviewed the $7,995 BorderWare
MXtreme Mail Firewall MX 200, the $44,000 CipherTrust IronMail 305 and the
$54,950 IronPort C60.
All three appliances include a mail transfer agent,
policy management capabilities, and virus- and spam-filtering features.
However, the systems also have a number of differences—both big and small.
We found that the CipherTrust appliance provides the best all-around solution, including a Web mail proxy.
The BorderWare MXtreme appliance
likewise covers all the bases, but we'd like to see better reporting and
consolidated management for administering multiple boxes. These capabilities
are coming in the next release of the appliance's software.
eWEEK Labs evaluated a late-beta version of Version 4.0 of the MXtreme software.
The IronPort appliance
will be a good fit for companies that already have a firewall and proxy in
place for managing access to Web mail but need a way to handle large volumes
of inbound and outbound e-mail while filtering spam and viruses.
The appliances we tested give companies a way to
eliminate what are often dedicated boxes running messaging gateways and
anti-virus and anti-spam systems. Furthermore, they simplify management of all
these applications by providing unified management and reporting capabilities.
However, these appliances won't necessarily reduce
messaging costs. All the appliances we tested rely on third-party anti-virus
tools, so companies will still need to pay an annual renewal fee to keep virus
definition files up-to-date. The cost can range from $1.50 to $5 per user per
year, depending on volume. The BorderWare and IronPort appliances also offer
third-party anti-spam software, whose annual cost can run from $3 to $7 per
user. In the case of the anti-spam engines developed by CipherTrust and
BorderWare, the yearly maintenance and support fees will cover updates to
those engines.
All three appliances provide policy management
capabilities, but none of the systems' features was as complete as we'd like.
In addition, none of the systems provides the
flexibility of point solutions.
For example, the appliances can search only messages
and attachments for content that may be confidential or objectionable. In
contrast, a point solution that runs in close conjunction with a groupware
application, such as Omniva Inc.'s Policy Manager, will give companies the
ability to create policies to filter internal and external communications, as
well as provide a means to encrypt outbound messages.
Groupware-based solutions can also give companies a
way to more readily manage the workflow associated with auditing messages, as
well as either distribute keys or provide Web-based access for opening
encrypted messages.
Bob Jensen's threads on computer and network security are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection
June 29, 2004 message from Paula Ward
Bob,
What anti-SPAM software do you recommend?
Paula Kelley Ward
"Pop-Up Program Snatches Banking Passwords," by Dennis Fisher, eWeek,
June 29, 2004 --- http://www.eweek.com/article2/0,1759,1618458,00.asp?kc=ewnws063004dtx1k0000599
Customers who use a number of the top online banking
sites are at risk of falling prey to a new Web-based attack that snatches user
IDs and passwords for these sites.
Among the sites targeted by the attack are some owned
by Citibank, Deutsche Bank and Barclays Bank.
The attack is rather complex and appears to use a
known flaw in Internet Explorer (IE) to drop a Trojan horse program on
vulnerable machines. The Trojan is delivered through a malicious pop-up ad
that loads a file called "img1big.gif" onto the machine. The file is
in fact a compressed Win32 executable that contains the Trojan and a DLL.
The DLL is installed on the PC as a BHO (Browser
Helper Object), a type of DLL that normally is used to let developers control
IE in certain circumstances.
When IE runs on a machine infected with the malicious
BHO, the file monitors IE's activities for any HTTPS sessions with URLs that
have any of a large number of banking-related strings in them.
Once IE establishes an outgoing HTTPS
connection—which is secured using SSL encryption—to one of these URLs, the
BHO collects all of the outbound POST or GET data before it is encrypted,
according to an analysis of the attack done by researchers at The SANS
Institute's Internet Storm Center. The attack affects IE 4.x and later.
Continued in the article
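An added example (not from the eWeek article or the SANS analysis) of the defender's counterpart to the technique described above: auditing which BHOs are registered on a machine and where their DLLs live, using a constructed registry export in Regedit format. The two registry key names are the real ones Internet Explorer uses; the CLSIDs, helper names and DLL paths in the sample are made up for illustration.

```python
r"""Audit Internet Explorer Browser Helper Objects (BHOs) from a registry export.

A BHO is a DLL that IE loads into its own process at start-up, which is why the
banking Trojan described above registered its DLL as one: code running inside
the browser sees form data before SSL encrypts it. Every BHO is a CLSID subkey
under HKLM\...\Explorer\Browser Helper Objects, and the DLL path is the default
value of HKCR\CLSID\{clsid}\InProcServer32. This script joins the two and flags
DLLs that live outside the usual program directories. Input is a Regedit-format
(.reg) export; the sample below is constructed, not a real capture.
"""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Directories from which a legitimately installed BHO is normally loaded.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\system32\\")
# Path fragments typical of drive-by drops rather than proper installs.
SUSPECT_FRAGMENTS = ("\\temp\\", "\\local settings\\", "\\application data\\")

# Constructed sample in the format written by `reg export` (not a real
# capture). The first BHO mimics a normally installed helper; the second is a
# hypothetical registration with no name and a DLL sitting in a temp folder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example PDF Reader Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Program Files\\Example\\ReaderHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\hypothetical.dll"
"ThreadingModel"="Apartment"
"""

# Matches one REG_SZ line: either @="..." (default value) or "name"="...".
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg
    export. '@' is the key's default value; non-string value types are ignored."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name = "@" if m.group(1) == "@" else m.group(2)
                # .reg files escape backslashes and quotes inside string data.
                data = m.group(4).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = data
    return keys


def list_bhos(keys):
    """Join each registered BHO CLSID to the DLL its InProcServer32 key names.
    Registry paths are case-insensitive, so lookups are done in lower case."""
    by_lower = {k.lower(): v for k, v in keys.items()}
    prefix = BHO_KEY.lower() + "\\"
    bhos = {}
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            clsid = key[len(prefix):]
            server_key = (CLSID_KEY + "\\" + clsid + "\\InProcServer32").lower()
            server = by_lower.get(server_key, {})
            bhos[clsid] = {"name": values.get("@", ""), "dll": server.get("@")}
    return bhos


def assess(bho):
    """Return the reasons a BHO deserves a closer look (empty list = nothing
    unusual). These are triage heuristics, not proof of malice: verify the
    DLL's publisher and hash before removing anything."""
    dll = bho["dll"]
    if dll is None:
        return ["no InProcServer32 path: orphaned or deliberately hidden registration"]
    reasons = []
    low = dll.lower()
    if not low.startswith(TRUSTED_ROOTS):
        reasons.append("DLL outside Program Files and System32")
    if any(frag in low for frag in SUSPECT_FRAGMENTS):
        reasons.append("DLL in a temporary or per-user profile directory")
    if not bho["name"]:
        reasons.append("no descriptive name registered")
    return reasons


def audit_bhos(reg_text):
    """Parse a .reg export and return {clsid: (dll_path, [reasons])}."""
    return {clsid: (bho["dll"], assess(bho))
            for clsid, bho in list_bhos(parse_reg_export(reg_text)).items()}


if __name__ == "__main__":
    # On a live machine, export both keys with `reg export` and concatenate the
    # files (reg export writes UTF-16, so read them with encoding="utf-16").
    for clsid, (dll, reasons) in audit_bhos(SAMPLE_REG).items():
        print(("REVIEW" if reasons else "ok    ") + f" {clsid} -> {dll}")
        for reason in reasons:
            print(f"        - {reason}")
```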
Question
Is it legal for your employer or your landlord to open your first class mail?
Answer
I'm not certain about first class mail, but people with access to your email
system have just received added legal green lights to view your email.
"E-Mail Snooping Ruled Permissible," by Kim Zetter, Wired News,
June 30, 2004 --- http://www.wired.com/news/politics/0,1283,64043,00.html?tw=newsletter_topstories_html
E-mail privacy suffered a serious setback on Tuesday
when a court of appeals ruled that an e-mail provider did not break the law in
reading his customers' communications without their consent.
The First Court of Appeals in Massachusetts ruled
that Bradford C. Councilman did not violate criminal wiretap laws when he
surreptitiously copied and read the mail of his customers in order to monitor
their transactions.
Councilman, owner of a website selling rare and
out-of-print books, offered book dealer customers e-mail accounts through his
site. But unknown to those customers, Councilman installed code that
intercepted and copied any e-mail that came to them from his competitor,
Amazon.com. Although Councilman did not prevent the mail from reaching
recipients, he read thousands of copied messages in order to know what books
customers were seeking and gain a commercial advantage over Amazon.
Authorities charged Councilman with violating the
Wiretap Act, which governs unauthorized interception of communication. But the
court found that because the e-mails were already in the random access memory,
or RAM, of the defendant's computer system when he copied them, he did not
intercept them while they were in transit over wires and therefore did not
violate the Wiretap Act, even though he copied the messages before the
intended recipients read them. The court ruled that the messages were in
storage rather than transit.
The court acknowledged in
its decision (PDF) that the Wiretap Act, written before the advent of the
Internet, was perhaps inadequate to address modern communication methods.
But critics said the decision represented a huge
privacy setback for e-mail users.
"By interpreting the Wiretap Act's privacy
protections very narrowly, this court has effectively given Internet
communications providers free rein to invade the privacy of their users for
any reason and at any time," says Kevin Bankston, an attorney with the
Electronic Frontier Foundation. "This decision makes clear that the law
has failed to adapt to the realities of Internet communications and must be
updated to protect online privacy."
In his dissenting opinion, which contained a detailed
description of how e-mail works, Justice Kermit V. Lipez wrote that Congress
never intended for e-mail temporarily stored in the transmission process to
have less privacy than messages in transit. And he acknowledged that "the
line that we draw in this case will have far-reaching effects on personal
privacy and security."
In my AIS course, I sometimes have an invited speaker from the consulting
division of Ernst & Young. His full time job is trying to hack into
client computer systems.
What is the certification credential called CEH?
Answer
Certified Ethical Hacker
"Ethical Hacking Is No Oxymoron," Reuters, Wired News, June
27, 2004 --- http://www.wired.com/news/infostructure/0,1377,64008,00.html?tw=newsletter_topstories_html
Sporting long sideburns, a bushy goatee and black
baseball cap, instructor Ralph Echemendia has a class of 15 buttoned-down
corporate, academic and military leaders spellbound. The lesson: hacking.
The students huddled over laptops at a Los
Angeles-area college have paid nearly $4,000 to attend "hacker
college," a computer boot camp designed to show how people will try to
break into network systems -- and how they will succeed.
"It's an amazing thing how insecure the big
corporations are," Echemendia said during a break in the weeklong
seminar. "It's just amazing how easy it is."
Hackers are believed to cost global businesses
billions of dollars every year, and the costs to defend against them are
soaring. One study by Good Harbor Consulting showed that security now accounts
for up to 12 percent of corporate technology budgets, up from 3 percent five
years ago.
"This is definitely bleeding edge -- so bleeding
edge in fact, sometimes, that it's frightening," said Loren Shirk, a
student in the class at Mt. Sierra College who owns a small-business computer
consulting company.
The course prepares students for an exam offered by
the International Council of E-Commerce Consultants, or EC-Council. If they
pass that test, they get the ultimate seal of approval: Certified Ethical
Hacker.
The class is by no means easy. Instructors race
through topics like symmetric versus asymmetric key cryptography (symmetric is
faster), war dialing (hackers will always call late at night) and well-known
TCP ports and services (be wary of any activity on Port 0).
"I can definitely say it's not for
everyone," said Ben Sookying, director of network security services for
the California State University's 23-campus system and another student in this
week's class. "If you don't have discipline, you won't make it through
this course."
But the work is practical, too. On the first day,
students were taught basic free and legal research methods, mostly involving
search engines and securities databases, so they could learn as much
information as possible about companies, their executives and systems.
With relatively little effort, they found out that
the chief executive of one public company maintained his own website dedicated
to guitars, while another public company still uses a number of systems known
to be easily exploited by hackers.
Intense School, the Florida-based company that runs
the hacking boot camp, started in 1997 with a $35,000 investment, teaching
Microsoft and Cisco software to systems engineers.
But after the Sept. 11, 2001, attacks on the World
Trade Center and the Pentagon, the company expanded its focus to information
security courses. It now offers around 200 classes a year, generating about
$15 million in annual revenue.
"What we attempt to do in our classes is teach
how the hackers think," said Dave Kaufman, president of Intense School.
The only way to keep hackers out of major corporate systems, he said, is to
know how they will be attacked in the first place.
Continued in the article
Bob Jensen's threads on computer and network security are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection
"Who's Seeding the Net With Spyware? Young surfers pick up
paychecks for posting misleading pitches armed with invasive programs.," by
Emily Kumler, PC World , June 15, 2004 --- http://www.pcworld.com/news/article/0,aid,116512,00.asp
It's tough enough sometimes to figure out where you
picked up that spyware, but have you ever wondered who planted that digital
parasite?
It's likely a young man, maybe a college student,
just making a few bucks spreading pop-up ads that contain a package unwelcome
by many. And it's a growing cottage industry.
How It Works
Spyware follows your Internet surfing
habits and serves up advertisements. You typically pick up spyware by clicking
on links, which may not make it clear that you're downloading a
"bonus" program when you read an ad or download a program you want.
The Federal Trade Commission defines spyware as
"software that aids in gathering information about a person or
organization without their knowledge and which may send such information to
another entity without the consumer's consent, or asserts control over a
computer without the consumer's knowledge." The federal government and
several states are considering antispyware laws, and Utah recently enacted
one.
FTC and industry leaders have urged Congress to
resist spyware legislation, instead pushing for the industry to adopt
self-regulatory practices. They fear that proposed laws define the practice
too vaguely, and would prohibit other marketing practices that benefit
consumers. But some lawmakers worry that the tech industry will not regulate
spyware aggressively enough to protect consumers.
Meanwhile, computer users continue to face the side
effects of spyware on their systems: bogged-down Internet connections,
identity theft, lost documents, system problems, and potential loss of
privacy.
Who's Behind It
The people distributing the links for
spyware downloads are paid about 15 cents every time an unsuspecting surfer
clicks on their misleading bait.
"Friends signed me up one night, after we'd been
drinking," says one twenty-something man, who plants spyware for pay.
"They said it was an easy way to make some money."
"All I had to do was sign up and post fake ads,
saying things like 'to see my picture click here.' Then when they clicked, it
told them they had to download software to see the pictures."
But the user downloaded no pictures; instead, they
got the greeting, "Come back later to see my photo." The ad is
bogus, but the contamination of the computer is real.
He says open forums and other unregulated sites are
the best places to post ads, because large numbers of people are likely to
click on the phony links.
"You have to move around," he says, noting
that if users complain, he'll be kicked off a site, or a section of a site.
For example, he will just move to a different part of a classified
advertisement site, he says. "It's really easy, so reposting your ad is
not a big deal."
At 15 cents per hit, he got checks every two weeks
for a few hundred dollars each.
"I could have made a lot more," he says,
adding that he really isn't doing it anymore. "All I had to do was put
more ads up and I would have doubled or tripled my profits."
What's the Risk?
The foot soldiers who spread spyware
may also become victims of the companies behind the software.
Many companies paying individuals to spread spyware
post a disclaimer on their own Web site. It often contains a clause telling
readers that if they commit fraud the company has the right to pull their
paycheck.
However, the new Utah Spyware Control Act and other
privacy laws sometimes invoked to combat spyware consider posting spyware to
be fraud.
The spyware spreaders may not be reading the
disclaimer themselves. But they do understand the company is paying them to
trick people into downloading software, the young man says.
Does he feel any remorse for contaminating the
computers of naive users? "Look, they're perverts if they click on my
ads," he says, noting that the ads imply pornographic pictures await.
"I say some nasty stuff, so, no, I don't feel bad." Anyone online
should have a spyware blocker, spam blocker, and a firewall anyway, he said.
"If they don't, they're just stupid."
A Challenging Battle
Placing ads online can be a
tempting and easy way to make money from home, notes Ray Everette-Church,
chief privacy officer for antispam product vendor Turn Tide.
"It is very successful," Everette-Church
says. "Hundreds of thousands of dollars a month is generated in this
tiered structural referral." He is serving as an expert witness for the
plaintiffs in an ongoing adware case arguing against pop-up ads.
Millions of Americans online haven't protected their
PCs, and pursuing perpetrators of spyware is more complicated than in other
criminal investigations, according to Mozelle Thompson, an FTC commissioner.
"It's hard to identify how many companies are
engaged in dangerous spyware, or spyware in general," Thompson says.
"The definition of spyware is too broad."
The surreptitious nature of spyware makes it more
difficult to track who, where, and how the spyware is disseminated, Thompson
told a House subcommittee at a recent hearing.
"Consumer complaints, for instance, are less
likely to lead directly to targets than in other law enforcement
investigations, because consumers often do not know that spyware has caused
the problems or, even if they do, they may not know the source of the spyware,"
he said at the April hearing.
How to Protect Against Spyware
Question
Why should we all look into installing software like AdWare
Remover Gold? --- http://www.tucows.com/webbrowser_adwarecleaner_default.html
Answer
Known as bot software, the remote attack tools can seek
out and place themselves on vulnerable computers, then run silently in the
background, letting an attacker send commands to the system while its owner
works away, oblivious. The latest versions of the software created by the
security underground let attackers control compromised computers through chat
servers and peer-to-peer networks, command the software to attack other
computers and steal information from infected systems.
Robert Lemos , CNET News.com, April 30, 2004 --- http://news.com.com/2100-7349_3-5202236.html?tag=nefd.lede
Question
How can hidden data be removed from WORD doc files?
Answer from Richard Campbell
Here is the link to a free Microsoft utility:
http://tinyurl.com/2qaax
Richard J. Campbell
mailto:campbell@rio.edu
Malicious programs called browser hijackers install a lot
of nasty stuff on people's computers -- primarily hard-core, borderline-illegal
pornography. Some victims are facing firings, divorces and even criminal
prosecution.
"Browser Hijackers Ruining Lives," by Michelle Delio, Wired News,
May 11, 2004 --- http://www.wired.com/news/infostructure/0,1377,63391,00.html?tw=newsletter_topstories_html
Browser hijackers are doing more than just changing
homepages. They are also changing some peoples' lives for the worse.
Browser hijackers are malicious programs that change
browser settings, usually altering designated default start and search pages.
But some, such as CWS,
also produce pop-up ads for pornography, add dozens of bookmarks -- some for
extremely hard-core pornography websites -- to Internet Explorer's Favorites
folder, and can redirect users to porn websites when they mistype URLs.
Traces of browsed sites can remain on computers, and
it's difficult to tell from those traces whether a user willingly or
mistakenly viewed a website. When those traces connect to borderline-criminal
websites, people may have a hard time believing that their employee or
significant other hasn't been spending an awful lot of time cruising adult
sites.
In response to a recent Wired News story about the
CWS browser hijacker, famed for peddling porn, several dozen readers sent
e-mails in which they claimed to have lost or almost lost jobs, relationships
and their good reputations when their computers were found to harbor traces of
pornography that they insist were placed on their computers by a browser
hijacker.
In one case a man claims that a browser hijacker sent
him to jail after compromising images of children were found on his work
computer by an employer, who then reported him to law enforcement authorities.
"The police raided my house on Sept. 17,
2002," said "Jack," who came to the United States from the
former Soviet Union as a political refugee, and has requested that his name
not be published. "Nobody gave me a chance to explain. I was told by
judge and prosecutor that I will get years in prison if I go to trial. After
negotiations through my lawyer I got 180 days in an adult correctional
facility. I was imprisoned for 20 days and then released under the Electronic
Home Monitoring scheme. I now have a felony sex-criminal record, and the court
ordered me to register as a predatory
sex offender for 10 years."
Jack originally believed that the images found on his
computer were from a previous owner -- he'd bought the machine on an eBay
auction. But he now thinks a browser hijacker may have been responsible.
"When I used search engines, sometimes I got a
lot of porn pop-ups," Jack said. "Sometimes I was sent to illegal
porn sites. When I tried to close one, another five would be opened without my
will. They changed my start page, wrote a lot of illegal porn links in
favorites. The only way to stop this was turn the (computer's) power off. But
when I dialed up to my server again, I started with illegal site, then got the
same pop-ups. There were illegal pictures in pop-ups."
Several of the URLs that CWS injects into Internet
Explorer's favorites list also appear in the arrest warrant and other
materials from Jack's hearing. CWS works as Jack described -- changing start
pages, adding to favorites, popping up porn. But CWS was first spotted several
months after Jack's arrest, so it seems unlikely that this particular hijacker
is the cause of his problems.
Security experts who were asked to review Jack's
claims said it is possible that a browser hijacker could have been the reason
porn images were found on Jack's computer. But they also pointed out some
discrepancies in the story.
Some of the images were found in unallocated file
space, and would have to have been placed there deliberately since cached
images from browsing sessions wouldn't have been stored in unallocated space.
May 3, 2004 reply from Andrew Priest [a.priest@ECU.EDU.AU]
There are numerous software tools around to combat this sort of problem.
Personally I use Ad-aware but there are others. For example you will find a
range at http://www.tucows.com/webbrowser_adwarecleaner_default.html.
Cheers Andrew
Notes from Bob Jensen:
Although you can download the Ad-aware scanner noted above for
free, I recommend that you purchase the professional version that will wipe out
the problems from http://lavasoft.element5.com/purch
I also recommend
that you download and run the free CWShredder from http://www.majorgeeks.com/download4086.html
"What's That Sneaking Into Your
Computer?" by David Bank, The Wall Street Journal, April 26, 2004
New types of insidious programs called "spyware" are burrowing
into PCs, wreaking all sorts of problems. These small programs that install
themselves on computers to serve up advertising, monitor Web surfing and
other computer activities, and carry out other orders are quickly replacing
spam as the online annoyance computer users most complain about. Here's
what's being done to combat them.
John Gosbee was sitting up in bed on a cold night, surfing the Internet with his
laptop on his knees. Suddenly, the computer's CD-ROM tray popped open, seemingly
on its own.
"What on earth is going on?" Mr. Gosbee, of Mandan, N.D., said to himself.
"It was like it was possessed," he recalls.
His laptop emitted a high-pitched "Uh-oh."
Uh-oh is right. The pranks were a setup for the message that appeared on his screen:
"Dangerous computer programs can control your computer hardware if you fail
to protect your computer right at this moment!" That was followed by a plug
for a program called Spy-Wiper that promised to clean out any rogue software.
As if that wasn't
alarming and annoying enough, the very next day the computer at Mr. Gosbee's
one-man law office was similarly hijacked. The CD and DVD trays both opened;
only one closed. Then came the same ad for Spy-Wiper, which kept popping up on
both machines.
"I was getting
ticked," Mr. Gosbee says.
As Mr. Gosbee and
countless other computer users have discovered: It's a war out there. While
malicious hackers are spreading viruses all over the global computer network,
advertisers and scam artists are propagating other pests that are arguably even
more annoying. They're called spyware -- and the implications for consumers are
only beginning to be felt.
Indeed, spyware --
small programs that install themselves on computers to serve up advertising,
monitor Web surfing and other computer activities, and carry out other orders --
is quickly replacing spam as the online annoyance computer users most complain
about. The outrage has grown to the point that politicians are threatening
legislative controls on the tactic. But in their most benign form these programs
have a powerful appeal to advertisers, and some marketers are banking on the
idea that people eventually will grow accustomed to some use of such invasive
software.
"Snoops and spies
are really trying to set up base camp in millions of computers across the
country," said Sen. Ron Wyden, an Oregon Democrat, at a March hearing on
proposed legislation he is co-sponsoring to tackle the problem. A Republican
co-sponsor, Sen. Conrad Burns of Montana, said at the hearing: "I'm
convinced that spyware is potentially an even greater concern than junk e-mail,
given its invasive nature."
Continued in the article
You can also download free from http://download.com.com/3001-8022-10214379.html
Other options, including patches,
are available at http://www.lavasoft.de/
May 11, 2004 reply from Richard Campbell [campbell@RIO.EDU]
"Six Steps to Greater Computer Security" (with audio)
See http://www.virtualpublishing.net/compswf/step1.html
Richard J. Campbell
mailto:campbell@rio.edu
This following reply from Paula may be of interest to some of you. She tells
how she protects her computer. Paula retired from Trinity's development office
and now lives online almost as much as I live online. You can thank her for much
of the humor in New Bookmarks.
I must warn you, however, that my security site she refers to is not kept up
to date very well. Please do not rely on this for the latest and greatest news.
Bob
-----Original Message-----
From: Paula
Sent: Tuesday, May 11, 2004 4:48 PM
Subject: FW: How Nasty Stuff Gets Into Your Computer
How does nasty stuff get into your computer? How can
you protect your computer from "browser hijackers," spyware, Cookies
that collect your personal information, etc.? Also, learn how to "opt
out" of DoubleClick's cookies and how to send e-mail anonymously. This
website was created by Bob Jensen, who is a distinguished professor at Trinity
University in San Antonio: A Special Section on Computer and Networking
Security http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection
Yes, there is a lot of information here!
What I do personally to protect my computer: I have
Norton Anti-Virus, BlackIce Firewall, and Ad-Aware installed. Norton and
Ad-Aware can be scheduled to run daily, weekly, etc.
In addition, my ISP provides a firewall, spam
blocker, and pop-up blocker. If you have any questions about computer
security, you should be able to find answers on Bob's website.
Paula
"Kwitchyerbellyakin." - Irish saying
May 12, 2004 reply from David Coy [dcoy@ADRIAN.EDU]
I received the following from our IT guys here at
Adrian College. FYI
David Coy
Adrian College
----- Original Message -----
From: Brad Maggard
To: David Coy
Sent: Wednesday, May 12, 2004 12:05 PM
Subject: Re: How Nasty Stuff Gets Into Your Computer
There is no way to actually defend yourself against
such programs other than simple smart web browsing. Whenever a window pops
up that asks you to agree to any sort of disclaimer or install any sort of
program, you must read carefully - and I would only suggest agreeing to the
major players (Microsoft, Macromedia, Quicktime, etc)
Once your computer has fallen victim to a browser
hijacker, it must be removed using several utilities available on the net.
There is a program called "CWShredder" that takes care of "CWS"
(cool web search) which is probably the most destructive of them all. Other
hijackers can be taken care of by a program called "Hi-Jack This"
which removes several of the known hijacking applications on the net.
Ad-Aware, available at www.lavasoft.de, is another tool to remove Mal-ware and
Ad-ware.
All of this stuff can be found by doing a google
search on the aforementioned removal utilities.
-Brad
CWShredder can be downloaded from http://www.majorgeeks.com/download4086.html
You can also download free from http://download.com.com/3001-8022-10214379.html
Other options, including patches,
are available at http://www.lavasoft.de/
May 12, 2004 reply from Scott Bonacker [lister@BONACKERS.COM]
I would also suggest using a HOSTS file.
See links at: http://www.smartin-designs.com/
Scott E Bonacker, CPA
820 E. Primrose
Springfield, MO 65807
Phone 417-883-1212 Cell 417-830-3441 Fax 417-883-4887
May 12, 2004 reply from computer
scientist John Howland [jhowland@ariel.cs.trinity.edu]
It is a never ending source of amazement to me that millions of people put up
with this kind of problem when none of it is necessary if you use a Unix system
such as Mac OSX or Linux.
Why do you do it?
Suppose that when you bought a new Toyota or Ford or BMW you also had to go
out and buy all these (sometimes) expensive accessories and (sometimes) have
to pay someone to install them just in order to be able to use (drive) your
new car. Moreover, these accessories become obsolete (sometimes in a few
months/days/hours) and need to be re-purchased and installed.
In the automotive field we have laws which protect consumers. Where are the
computer consumer protection laws?
Microsoft says that security fixes are a couple of years away. Do you believe
they will meet that schedule? They have been significantly late on every major
project introduction in the history of the company.
Again, it is a no-brainer to simplify one's digital existence by avoiding
Microsoft products completely. Plus, there is a hidden bonus for those that so
choose. It is significantly less expensive!
John
May 13, 2004 message from Jagdish Gangolly [JGangolly@UAMAIL.ALBANY.EDU]
Bob,
I switched from unix to windows a few years ago
mainly because
1. I was tired of having to detach-ftp-view simple
pure text documents sent to me (mostly by pencil pushers from around campus).
When I got one such memo from my then dean a few years ago, I replied by
appending a VERY large postscript file which crashed his machine, but then I
got tired of complaining and paid my dues to the sage at Redmond.
2. Incredible pressure from pencil pushers to switch
to windows (spurious arguments about economies of scale, ...)
3. Arm twisting by university level computing folks;
they threatened that I would be responsible for patching/upgrading/backingup/...
if I used anything-but-windows (I was then configuring our graduate lab)
I am tired now of all the unnecessary trash I get by
way of email, constant hassles with viruses/worms/spyware/malware/ ..., and am
now in the process of moving back to unix (solaris for work and SUSE linux for
home). I expect to gain AT LEAST an hour or two a day in saved time.
I hope more of us will give FREE (in the sense of
freedom) software a chance.
Jagdish
Microsoft says the upcoming release of Windows XP Service Pack 2 will make it
much harder to sneak deceptive software onto users' computers. Is it game over
for spyware authors?
"Microsoft to Battle Spyware," by Amit Asaravala, Wired News,
May 13, 2004 --- http://www.wired.com/news/technology/0,1282,63440,00.html?tw=newsletter_topstories_html
Nearly half the world's computers may soon have
built-in protection against debilitating infections of spyware and other
unwanted software, thanks to Microsoft's update of the Windows XP operating
system.
Expected to be released this summer, the Windows XP
Service Pack 2 update will contain no fewer than five new security features
designed to ward off the unauthorized installation of software via the
Internet, according to Microsoft officials. The company hopes the features
will not only quell the growing number of complaints from consumers about
Windows XP's susceptibility to spyware,
but will also save businesses millions of dollars in tech support calls.
Almost 50 percent of the world's computers run
Windows XP, according to IDC Research. The operating system's users have been
hit especially hard by spyware and some versions of adware, which collect
information about computer users and, in some cases, use that information to
pepper the desktop with advertising. The programs often work their way onto
computers by hitching rides with unrelated software packages or exploiting
security holes in Microsoft's Internet Explorer browser.
"People are feeling out of control and
frustrated," said Jeffrey Friedberg, Microsoft's director of Windows
privacy. "Millions of dollars are being spent" by Microsoft and
other companies to help consumers remove spyware and other deceptive software
from their computers, he said. "It's a huge support issue. People have
problems and they call their support staff, they call us, they call their
ISP."
In an attempt to cut down on calls like these,
Microsoft will upgrade Internet Explorer to make it more difficult for users
to accidentally download and install spyware programs. The most noticeable of
these changes will be the addition of a pop-up blocker, a feature that has
existed in competing Web browsers for years.
The blocker will prevent websites from opening new
windows on users' computers without permission. Opening new windows on top of
other windows is one way malware developers trick Internet users into
downloading software that they don't want. It is also the primary technique
used by some spyware programs to serve ads to users.
Other changes to Internet Explorer will focus on the
security of ActiveX objects, programs that can access almost any portion of
the operating system, including the hard drive and user settings. Spyware
developers often use ActiveX objects to write files to users' Start folders
and to add advertiser-sponsored toolbars to their desktops.
One update would make it more difficult for users to
downgrade their Internet security settings to the lowest setting. This will
prevent ActiveX objects from being downloaded without first displaying a
warning. Another update will suppress downloads of ActiveX objects unless the
user explicitly initiates them. Current versions of the browser let website
developers initiate downloads.
Other updates include a redesigned security warning
and the addition of a Never Install option that allows users to permanently
ban a software publisher's ActiveX programs from being downloaded. "This
is a change we're making because of the feedback we've received," said
Friedberg. "We have had an Always Install option, but users didn't have a
way to completely block a software publisher that they don't trust."
Security experts generally welcome the changes, but
some wonder why they took so long. "Why this was never in there in the
first place, I don't know," said Russ Cooper, editor of the popular
NTBugtraq security mailing list and "surgeon general" of TruSecure.
"Why somebody could bury something in your desktop setup that you
couldn't find, I never understood in the first place."
Still, Cooper said he believes the changes are a step
in the right direction. "I do think it'll have an effect on spyware,"
he said. "You're not going to get rid of it altogether, but at least
we'll be able to say to people, 'Look, just install Service Pack 2 and your
problems will go away.'"
SPAM
Another frustration is spam on the email system.
May 13, 2004 message from Paul Apodaca [paul@PAPODACA.COM]
These ideas are not open source filters, but may help
with your problem. They are free, but do take some time. It may be worth
paying the $20.00 if you consider the cost of your time.... Once I get my new
computer/software, I will gladly pay the cost to avoid the lost time.
1) Mozilla used to have a way to view headers without
downloading the message. Then you could mark them for deletion or download.
This may have been an add-on product. I haven't used Mozilla since it got out
of 0.X beta.
2) Many ISPs provide some sort of filtering function.
In my case, filtering is provided by BrightMail. However, there are quite a
number of different packages that the ISP may use. In addition, your
university (Stonehill) may have some method of blocking.
By logging on to the web version of my e-mail, I can
add addresses to my "Blocked Senders List" relatively easily.
However, this is actually a very bad solution as I get a limited number of
blocks, and it blocks the specific address. For a while, I was receiving about
40-50 e-mails daily from Sapphirex Enterprises, each of which had a different
source e-mail. So blocking specific addresses was a waste of time.
The better approach is more painful, at least with my
ISP. I created a list of the addresses to be blocked using the Junk Address
feature of MS-Outlook. Then I stripped the list down to ONLY the domain. Then
I add the domains one at a time to the list of addresses/domains that
BrightMail blocks.
It is important not to include the subdomain as many
spammers such as Sapphirex use multiple subdomains and domains. Blocking the
domains has dropped the list just for Sapphirex from over 100 addresses, and
about 20 subdomains to about 5 domains. And of course, as they change the name
of the sender and subdomain, it is still going to get blocked.
The big drawback is that, at least for my ISP,
blocked mail is deleted entirely. I get a summary that shows the sender and
subject weekly. However, there is no way to recover the message except by
contacting the sender. Since the subject lines are getting more clever, it is
harder to tell if it is a real message.
I am avoiding downloading between 150-250 messages a
day. I still have 50-100 spams getting through as spammers change their
addresses, but my download time has improved dramatically.
Sadly, I am getting about 50-75 real messages, so my
spam percentage is about 75%. I probably have a higher than average spam rate
because I have a website, and also have had the same address for years. But
this is keeping the flood to a manageable level most days.
Thank you,
Paul Apodaca
Apodaca Consulting
Paul@papodaca.com
http://www.papodaca.com
(505) 837-1040 Direct Line
(877) 286-1176 Direct Toll Free Fax
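The domain-level blocking Paul describes above (strip each junk sender down to its registrable domain so that new mailbox names and subdomains are caught by the same entry) can be scripted. The following is an added example, not code from the page or from Paul Apodaca: the sender addresses are constructed sample data, and the MULTI_LABEL_SUFFIXES set is an assumed stand-in for a real public-suffix list.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Constructed sample of what a per-address Junk list can look like: many
# mailbox names and subdomains, but only a handful of registrable domains.
SAMPLE_JUNK_LIST = [
    "offer-1@mail1.promo-example.net",
    "offer-2@mail2.promo-example.net",
    "deals@eu.promo-example.net",
    "news@bulk.promo-example.org",
    "alert@a.b.c.promo-example.org",
    "win@another-bulk.example",
]

# Assumption: a few public suffixes under which the registrable domain has
# three labels. A real deployment would load the Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")


def registrable_domain(address: str) -> Optional[str]:
    """Reduce 'user@a.b.example.com' to 'example.com'; None if malformed."""
    match = ADDR_RE.match(address.strip().lower())
    if not match:
        return None
    labels = match.group(1).strip(".").split(".")
    if len(labels) < 2 or "" in labels:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def build_domain_blocklist(addresses: Iterable[str]) -> Counter:
    """Collapse sender addresses to registrable domains (with hit counts)."""
    blocklist: Counter = Counter()
    for addr in addresses:
        domain = registrable_domain(addr)
        if domain:
            blocklist[domain] += 1
    return blocklist


def classify_sender(address: str, blocklist: Counter) -> str:
    """'quarantine' if the sender's domain is listed, else 'deliver'.

    Quarantine rather than delete: a weekly sender/subject summary cannot
    restore a legitimate message that was deleted, a quarantine folder can.
    """
    domain = registrable_domain(address)
    return "quarantine" if domain in blocklist else "deliver"


if __name__ == "__main__":
    bl = build_domain_blocklist(SAMPLE_JUNK_LIST)
    print(f"{len(SAMPLE_JUNK_LIST)} addresses collapse to {len(bl)} domains: {dict(bl)}")
    for probe in ("zzz@mail99.promo-example.net", "friend@example.com"):
        print(probe, "->", classify_sender(probe, bl))
```

Running it shows six addresses collapsing to three domains, and a sender on a never-seen subdomain of a listed domain still being caught. The trade-off Paul notes still applies: a domain-wide rule will also catch legitimate mail from that domain, which is why the classifier returns a quarantine decision instead of deleting outright.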
Nearly the entire April 2004 issue of Syllabus Magazine is devoted to
computer and network security. This is a useful reference with lots of
links --- http://www.syllabus.com/mag.asp
Bob Jensen's threads on computer and networking security are at the following
links:
http://www.trinity.edu/rjensen/245gloss.htm
http://www.trinity.edu/rjensen/fraud.htm#ThingsToKnow
Fed's computers feebly protected (November 2002) --- http://www.wired.com/news/politics/0,1283,56474,00.html
A server glitch makes internal Microsoft documents, including a
massive database of customer names and addresses, accessible online (November
2002) --- http://www.wired.com/news/infostructure/0,1377,56481,00.html
Spy Tools --- http://locate-unlisted-phone-numbers.com/
(I really don't know how legitimate this outfit really is and make no endorsement
of its services.)
Find and Trace: Unlisted Numbers | Cell Phone Numbers & Codes | E-mail Addresses
Protect Privacy: Anonymous Surfing | Anonymous E-mail | Erase Your Tracks |
Monitor Your PC | See the Pictures Your Kids, Mate or Employees Viewed Days,
Weeks or Months Ago | See the Web Sites They Visit While You're Not Around |
Find Hidden and Alternate Screen Names People May be Using to "Play" Online
The Best Spyware Stopper --- http://www.newsfactor.com/perl/story/20941.html
After years of worrying about viruses and trojans,
users have a new nemesis: spyware. This term refers to any program that
distributes information from a user's computer without that user's knowledge.
To be sure, most of this software is more annoying
than harmful. However, as Jamie Garrison, co-owner of Aluria
Software, which produces the spyware stopper, put it, "Some spyware
can ruin your life. It's that invasive."
So, what can a user do to avoid the onslaught of
underhanded tracking programs?
The Spyware Menace
Garrison said the most pressing issue related to
spyware is that people do not take it seriously enough. Part of the problem is
awareness. Many people are only now finding out about spyware. "Few users
are aware that everything they do on the Net or even while not connected to
the Internet can be tracked," Ken Lloyd, lead developer at Aluria, told
NewsFactor.
After all, spyware can range from a stealthy program
that runs in the background, transmitting your surfing habits to a company for
marketing purposes, to keylogging software installed by a spouse to monitor
communications.
"Well over 85 percent of people have spyware on
their computer," Lloyd said.
Programs That Fight It
Gartner analyst Richard Stiennon told NewsFactor that while antivirus products from
companies like McAfee and Symantec
(Nasdaq: SYMC) can be used to detect spyware, the user is also an
important ingredient in stopping spyware. He or she must recognize spyware
programs -- and know enough to remove them -- when they are detected.
Of course, most users do not know much about spyware.
Stiennon recommended that users get a desktop firewall program that blocks
unwanted outgoing connections. Then, even if spyware is running, it will be
unable to connect to a server to transmit information.
One personal firewall, ZoneAlarm,
can make sure spyware cannot communicate with the outside world. According to
Fred Felman, vice president of marketing at Zone Labs, ZoneAlarm "shuts
down Internet connectivity instead of losing control of the system" when
an unauthorized application tries to send information from a user's PC. Felman
told NewsFactor that ZoneAlarm allows users to specify which programs are
allowed to send and receive data over the network. Users even can restrict
programs to certain ports or domains.
And in addition to antivirus vendors and personal
firewalls, a number of companies like Aluria make spyware detection and
removal software.
Arms Race
Even when a person recognizes spyware on his or her
computer, removing it may be tricky business. According to Garrison, some
spyware manages to "embed" itself into the software Windows uses to
provide TCP/IP (Internet networking) services. She said that removing such
spyware "actually removes your Internet connection. It's fixable, but
it's a real pain."
This makes sense, considering that malware authors
are always trying to stay one step ahead of users and spyware stoppers. The
latest rash of annoyware consists of programs that send pop-ups to instant
messaging programs like MSN Messenger. Even more irritating, many of
those pop-ups simply inform users that they are vulnerable to unwanted
messages.
And it gets worse: Stiennon said that programs being
sold to block this plague of IM pop-ups are scams, too. "Just go into the
admin functions in the control panel [and do it yourself]," he said,
noting that the program vendors are taking advantage of people who do not know
they can turn off the function by themselves.
The Perils of Free
In fact, according to Garrison, most spyware is
installed by users voluntarily, even if they do not know it. She blames free
products like Grokster and Kazaa
for piggybacking spyware onto users' computers, though she noted that it is
all disclosed in the fine print. "Here's the really dirty part of it.
Let's say you go out and download a free program. It's almost certainly going
to have spyware.... Very rarely does spyware get on your computer without your
consent."
So, what is the solution? "Stop using free
products... Don't download it if it's free."
Lloyd agreed. "The latest trend for software
companies is to give their software away for free. By doing this they bundle
ad software within it. They usually tell the customer in the EULA (end user
license agreement) ... that some additional ad-tracking software will be
installed, but they bury it so deep that the average person has no idea."
Continued in the article.
If your laptop is stolen, with your confidential data, several companies
will help you get it back and/or prevent thieves from using the stored
information
"Solving Laptop Larceny: If your laptop is stolen, with your confidential
data, several companies will help you get it back -- or else disable it," by
Lamont Wood, MIT's Technology Review, June 19, 2006 ---
http://www.technologyreview.com/read_article.aspx?id=17000&ch=infotech
These new systems, which aren't intended to prevent
theft, but rather mitigate their consequences, come in three flavors:
tracking software, encryption, and "kill" switches that can make a laptop's
data self-destruct.
Extra layers of protection are needed because the
password and encryption mechanisms that come with most laptops are weak or
inconvenient, says Jack Gold, head of J. Gold Associates, a market research
firm in Northborough, MA. "There are hacker tools that let you get around
[passwords] very quickly, or you can boot from a CD," Gold says. It's true
that any laptop running Windows XP Professional has an optional encryption
function that should defeat thieves, but using it slows down normal file
access.
One solution, then, is a tracking system, such as
Computrace, run by Absolute Software of Vancouver, Canada. William Penn
University in Oskaloosa, IA, turned to the system this year, after about 500
laptops in one of its colleges went missing, says Curt Gomes, the
university's IT supervisor. The university decided it had become
uneconomical to try to hunt down each machine manually. Instead, Gomes
decided to try laptop tracking -- a technique that's been around for a
decade, but recently has seen sales growth of 50 percent per year.
Each machine subscribed to the Computrace service
typically reports to a company server once a day via the Internet. If the
computer is reported stolen, the server will instruct it to start sending
messages every 15 minutes. And if the missing machine's Internet address can
be pinned down to a street address, police will soon show up there,
according to company spokesman Les Jickling. In fact, a week after William
Penn signed up for the Computrace tracking system, a laptop stolen out of a
car was recovered by police five days later.
Continued in article
"Ceelox Announces Biometric Encryption Software Solution to Secure
Critical Enterprise Data,"
PR Web, June 24, 2006 ---
http://www.prweb.com/releases/2006/6/prweb403052.htm
Ceelox, Inc., a leading provider of biometric
security software for enterprise networks and commercial applications,
is proud to announce its release of Ceelox Vault, a powerful biometric
authentication and encryption solution designed to protect lost or
stolen data and combat identity theft.
Ceelox Vault is the ideal solution for protecting any confidential
information whether it is credit card numbers, social security numbers,
personal financial data, medical records, private correspondence,
personal details, sensitive company information, bank account
information, business plans, or intellectual property.
The theft or loss of high profile laptops
containing social security numbers, employee information, intellectual
property, credit reports and more are an everyday occurrence these days.
It seems that virtually no organizations are immune to the problem which
impacts millions of customers and employees who are relying on others to
keep their information secure and out of the hands of identity thieves.
"We created Ceelox Vault because we recognize
the value of easily securing confidential data. In today’s world,
securing critical enterprise data has never been more important," said
Kass Aiken, president & COO of Ceelox. "With Ceelox Vault the key to
unlock the encryption is not stored anywhere, it is a unique biometric
characteristic carried by the user's fingerprint," said Erix Pizano,
Director of Software Development for Ceelox. "Many organizations have
measures in place to protect sensitive data. However, these solutions
sometimes make the user feel incapable of using them due to their
complexity," said Pizano. "As simple as drag and drop, with Ceelox
Vault, security software finally makes sense. The encryption process can
be seen and understood, unlike most security systems which are not
noticeable to the end user unless they fail," added Pizano.
Ceelox Vault enables the user to simultaneously
encrypt files and copy or move them to a server, personal computer, or
external storage device. The customer then selects one of three industry
standard ciphers (AES256, 3DES, or Blowfish448) for the file encryption.
The encryption algorithms use a key attached to the user in a manner
that requires the user's fingerprint to encrypt and decipher the files.
The Ceelox Vault user, after gaining access to
the Ceelox Vault application through biometric authentication, works
from a window, which displays all personal computer files on the left
side of the window and the vault drive files on the right side of the
window.
Files and folders move back and forth between
the computer and the vaulted storage device by simply clicking on them,
dragging them to their destination and dropping them.
Access to a vaulted storage location is controlled by the use of a
fingerprint scanner embedded in a portable hard drive, an external
fingerprint scanner, or the fingerprint scanner embedded in a laptop or
mobile computing device.
This provides two levels of security with
authentication being required not only to access the drive but also to
decrypt the files on the drive.
Ceelox's mission is to develop and market
biometric security software products that are simple to implement,
deploy, and use. Security software should never make the user feel
incapable of using it. Ceelox focuses their attention on building
powerful, easy to use applications that will provide the best enterprise
and customer experience within all levels of an organization.
About Ceelox
Ceelox is a developer and marketer of biometric
security software products for logical access, identity authentication
and file security. Ceelox core applications Ceelox ID, Ceelox Vault and
Ceelox ID Online improve employee productivity and reduce information
technology administrative costs. These products are supported by several
U.S. and International pending patents. Ceelox focuses attention on
building powerful, easy to use applications that will provide the best
customer experience within all levels of an organization while enhancing
security through biometric software technology.
For more information regarding Ceelox visit
www.ceelox.com
Is your data safe? Survey reveals scandal of snooping IT staff
Results of a recent study reveal the hidden scandal of
IT staff snooping at the confidential information of other employees. One in
three of IT employees admit to snooping through company systems and peeking at
confidential information such as private files, wage data, personal e-mails, and
HR background.
AccountingWeb, August 31, 2007 ---
http://www.accountingweb.com/cgi-bin/item.cgi?id=103934
Jensen Comment
And sometimes they're looking for commercial and homemade porn.
Probing Question:
What are computer viruses and where do they come from?
Answer
PhysOrg, July 20, 2006 ---
http://physorg.com/news72632629.html
The history of medical viruses is outlined at
http://en.wikipedia.org/wiki/Virus
The history of computer viruses is outlined at
http://en.wikipedia.org/wiki/Computer_Virus
PDF Now Means Pretty Darn Fearful
Computer security researchers said Wednesday they
have discovered a vulnerability in Adobe Systems Inc.'s ubiquitous Acrobat
Reader software that allows cyber-intruders to attack personal computers through
trusted Web links. Virtually any Web site hosting Portable Document Format, or
PDF, files is vulnerable to attack, according to researchers from Symantec
Corp. and VeriSign Inc.'s iDefense Intelligence. The attacks could range from
stealing cookies that track a user's Web browsing history to the creation of
harmful worms, the researchers said. The flaw, first revealed at a hacker
conference in Germany over the holidays, exists in a plug-in that enables
Acrobat users to view PDF files within Web browsers. By manipulating the Web
links to those documents, hackers and online thieves are able to commandeer the
Acrobat software and run malicious code when users attempt to open the files,
according to Ken Dunham, director of the rapid response team at VeriSign's
iDefense Intelligence.
"Researchers: Adobe's PDF Software Flawed," PhysOrg, January 4, 2006 ---
http://physorg.com/news87093505.html
The never-ending cycle of Microsoft versus Scammer "Update Patches"
"Microsoft releases new security patch, as do scammers," AccountingWeb,
June 14, 2007 ---
http://www.accountingweb.com/cgi-bin/item.cgi?id=103622
Microsoft's update was the June entry in the
company's regular monthly set of security patches. This month, the patches
include repairs that protect Windows users who visit web sites infected with
malicious code and users who open infected e-mail messages with Outlook
Express or Windows Mail. There are also repairs to the Windows Vista program
that was launched earlier this year, and a patch that prevents hackers from
accessing PCs.
If your computer is set to install updates
automatically, you might not have even noticed the update taking place this
week. If you aren't set up for automatic updates, Microsoft recommends you
heed the update reminder that appears on your screen, or go to the Microsoft
update website to check to see if your computer has been updated and to
download updates.
What you should not do is click on the "Download
this update" link that appears in an e-mail message entitled "Cumulative
Security Update for Internet Explorer." This e-mail message is being sent by
scammers or hackers who are hoping you will click the link so they can
install malicious software on your computer. The software, when installed,
calls out to the Internet to access other programs that are then installed
on your computer.
Continued in article
Leading Anti-Virus, Anti-Spyware, and Anti-Spam Alternatives
I trust Consumer Reports rankings more than virtually all other ranking
sources, mainly because Consumer Reports accepts no advertising and has no
other links to the vendors of the products rated in Consumer Reports' labs.
The Consumer Reports
home page is at
http://www.consumerreports.org/cro/index.htm
"Kevin Mitnick's Security Advice," Wired News, November 15, 2006
---
http://www.wired.com/news/technology/0,72116-0.html?tw=wn_index_2
Ex-hacker Kevin Mitnick came by his security expertise the hard way.
In the 1990s, his electronic penetration of some of the biggest companies in
the world made him a notorious tech boogieman, and ultimately landed him
five years in prison.
Here's my Top 10 list of steps you should take to
protect your information and your computing resources from the bad boys and
girls of cyberspace.
- Back up everything! You are not invulnerable.
Catastrophic data loss can happen to you -- one worm or Trojan
is all it takes.
- Choose passwords that are reasonably hard to
guess -- don't just append a few numbers to a no-brainer. Always
change default passwords.
- Use an antivirus product like AVG or Norton,
and set it to update daily.
- Update your OS religiously and be vigilant in
applying all security patches released by the software manufacturer.
- Avoid hacker-bait apps like Internet Explorer
and disable automatic scripting on your e-mail client.
- Use encryption software like PGP (pretty good
privacy) when sending sensitive e-mail. You can also use it to protect
your entire hard drive.
- Install a spyware detection app -- or even
several. Programs that can be set to run frequently, like SpyCop, are
ideal.
- Use a personal firewall. Configure it to
prevent other computers, networks and sites from connecting to you, and
specify which programs are allowed to connect to the net automatically.
- Disable any system services you're not using,
especially apps that could give others remote access to your computer
(like Remote Desktop, RealVNC and NetBIOS).
- Secure your wireless networks. At home, enable
WPA (Wi-Fi protected access) with a password of at least 20 characters.
Configure your laptop to connect in Infrastructure mode only, and don't
add networks unless they use WPA.
Hackers are becoming more sophisticated in
conjuring up new ways to hijack your system by exploiting technical
vulnerabilities or human nature. Don't become the next victim of
unscrupulous cyberspace intruders.
"Finding Free Antivirus Software," Walter S. Mossberg, The Wall
Street Journal, August 3, 2006; Page B4 ---
http://online.wsj.com/article/mossberg_mailbox.html
Q: My computer is a virus-infected mess. I
sometimes have to close over 20 pop-ups just to access the PC. Taking your
advice, I tried to download the "free" AVG Anti-Virus, but there is nothing
free about it. They ask for your credit-card info. What am I missing?
A: The company that makes AVG,
Grisoft, offers both paid and free versions of the product. The free version
must be downloaded from a separate Web site,
free.grisoft.com.
Most of the first few results in a Google search for "AVG" or "AVG
anti-virus" point to this free version. Also, the free version is
prominently featured at
Download.com, the big
site for downloading software that is owned by CNET.
Q: Last week, you advised readers never to trust
any email from a financial institution because online criminals have gotten
so good at faking such emails. Does that include emails from institutions
where you have accounts, such as receipts for transactions at brokerages?
A: Yes and no. If you get an
unexpected email from a bank, or brokerage, or payment service like PayPal,
where you do have an account, I'd still advise ignoring it and never
clicking on any link it contains. This is even true if the email suggests
some problem with your account or advises that you need to log onto a web
site to "verify" your account information. Such emails are very often just
attempts to steal your passwords and account numbers. To double-check on
such an email, phone the bank or brokerage, or manually call up its Web
site.
However, if you have just bought or
sold a stock, or performed an online banking action, and you get an email
confirming the transaction, it could well be legitimate -- provided it
contains enough detail of a type criminals might find hard to replicate, and
it arrives very quickly after the transaction was completed. I still
wouldn't click on any links in such an email, however. Remember, most
financial institutions don't have to ask you to supply account information
they already have.
It's really too bad that people have
to look on such emails with such suspicion. Email could be a great tool for
communications between banks and their customers. But, despite some strides,
the technology and financial industries have so far failed to find a way to
make email truly trustworthy and secure. And law-enforcement agencies have
failed to stop the thefts of money and identities. So far, the crooks are
winning in this arena. So you have to be extra careful.
Spyware Update: What you need to know
Huge effort underway to end spyware
Major figures at Sun and Google -- including Vinton
Cerf, one of the inventors of the Internet and now Google's Chief Internet
Evangelist -- are backing a new academic anti-malware initiative that aims to
spotlight spyware purveyors and ultimately give besieged computer owners simple
technologies to guide their Web surfing and downloading decisions.
David Talbot, "Google, Sun Backing New Anti-Malware Effort: Harvard, Oxford
researchers aim to create Internet defensive strategies geared to consumers,"
MIT's Technology Review, January 25, 2006 ---
http://www.technologyreview.com/InfoTech/wtr_16184,300,p1.html
Also check on SUPERAntiSpyware Free Edition 3.2.1028 ---
http://www.superantispyware.com/
Is a visited Web site authentic and safe?
CallingID 1.5.0.70
http://www.callingid.com/Default.aspx
Question
What are two of the shocking developments in spyware and spam?
July 14, 2006 message from Richard Campbell
[campbell@RIO.EDU]
This is from a newsletter from Sunbelt Software -
developers of Counterspy, a spyware detection software.
CSN: What do you see as the latest trends in spam?
AM: I see four main trends. The first is that most
spam now comes from zombie machines so even if you are able to track the
spam back to the machine that sent it, there is nothing you can do about it
as the person that owns the machine most likely doesn't even know that his
machine is being used as a zombie and even if he did, he wouldn't know what
to do about it. This zombie phenomenon also leads to individualized spam as
the zombie code can access the address book and send legitimate looking
email to the zombie machine owner's friends.
The second trend I see is the increase in the
amount of image spam. That is spam that contains an image instead of text.
The spammer's message is contained in the image as a graphic image instead
of text so that there is no practical way to try and detect spam by looking
at the contents of the email. It's easy for the human eye to look at the
picture and read the text that it contains but it is very difficult for a
computer to do the same thing. Since it is so easy to change a bit or two in
the image, it is not easy to come up with a hashing algorithm (a way to
create a "signature" that can be used to determine if another image is the
same as the original one). There is a lot of work being done to try to come
up with ways of comparing images to see how "similar" they are but nobody
has come up with a workable solution so far. Currently, I'd guess the amount
of image spam is around 5% - 10% of the total amount of spam. I expect to
see this increase to 20% - 30% in the next year or two.
The third trend is the scariest and that is
phishing. I monitor the spam reported by our users so I get to see a pretty
good cross section and it scares me to see how good the phishing sites are.
They are so good that you have to be pretty savvy to detect some of them. I
feel sorry for all the non-computer types out there that will fall victim to
these. I have seen a dramatic rise in the amount of phish email in the past
6 months and expect to see that increase continue because there is so much
money to be made with very little effort or risk.
The fourth trend is "returned email." I have
noticed a marked increase but I haven't had time to investigate. I suspect
that the bulk of it is spam/malware, especially those that have attachments.
It is particularly nasty because an attachment on a returned email doesn't
seem out of the norm. In fact, you kind of expect to see your original email
attached. Some of the undelivered email that I've looked at with attachments
doesn't have the original email there. Instead it contains spam or a link to
a malware site. You have to be real careful and make sure that the "bounce"
(rejected email) is actually something that you sent. Many times it is the
result of a rootkit having taken over your machine, turning it into a
zombie. If you see email bounced that you never sent, it is very likely that
your machine is infected.
CSN: What about image spam, what is it, and why so
dangerous or such a pain to get rid of?
AM: The primary use for image spam is to advertise
penny stocks. Most of this type of spam is part of a 'pump-n-dump' scheme
where the spammer buys a lot of a particular stock and then starts promoting
it via spam that describes what a great buy the stock is or giving the
impression that the company is on the verge of some major expansion or
discovery in order to get gullible investors to buy the stock. Once the
price goes up, and it can go up as much as 500%, the spammer sells his
shares and makes a huge profit. Since there was no real reason for the stock
to increase, it usually falls back to its original level or lower. Most of
the time, the company whose stock is being hyped is not involved in the
spamming so they end up being a victim of the spammer as well as there is
very little that they can do to keep their stock from being manipulated.
Image spam is only useful in situations where the
user doesn't have to communicate with the spammer. With normal spam, there
is a phone number to call or a button to click to order pills or whatever
the spammer is hawking but with image spam, there is no information that
links the email to the spammer as the typical stock ad mentions the company
but not the spammer. This is what makes it so different from the run of the
mill spam.
I'm sure that it won't be too long before some
creative spammer comes up with another type of situation where one way
communication can be used to somehow flow money to them.
Richard J. Campbell
mailto:campbell@rio.edu
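The interview above says that changing "a bit or two" in an image defeats signature matching. The following added example, which is not code from the interview or its author, shows the gap concretely: a byte-exact SHA-256 of the pixels changes completely after a three-pixel tweak, while a simple perceptual "average hash" (aHash) of the same two images still matches. The "images" are constructed 16x16 greyscale pixel arrays so nothing beyond the standard library is needed; the match threshold of 10 differing bits out of 64 is an assumption for this demonstration, not a tuned production value.

```python
"""Byte-exact hash versus perceptual hash on near-identical spam images.

Added example, not code from the interview or its author. Images are
constructed 16x16 greyscale arrays (lists of rows, values 0-255). The aHash
threshold of 10 bits is an assumption for the demonstration.
"""
import hashlib


def make_image(text_x0, text_x1, text_y0, text_y1, width=16, height=16):
    """Construct a synthetic spam image: dark background with one bright
    rectangle standing in for rendered text. Coordinates are half-open ranges."""
    return [
        [230 if (text_x0 <= x < text_x1 and text_y0 <= y < text_y1) else 20
         for x in range(width)]
        for y in range(height)
    ]


def perturb(img, changes):
    """Return a copy with a few pixels nudged: the spammer's 'bit or two'.
    changes is a list of (x, y, delta)."""
    out = [row[:] for row in img]
    for x, y, delta in changes:
        out[y][x] = max(0, min(255, out[y][x] + delta))
    return out


def sha256_of_image(img):
    """Cryptographic hash of the raw pixel bytes: any change flips it completely."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img, size=8):
    """aHash: shrink to size x size by block averaging, set a bit for every
    block brighter than the overall mean, pack the 64 bits into one integer."""
    height, width = len(img), len(img[0])
    bh, bw = height // size, width // size
    blocks = []
    for by in range(size):
        for bx in range(size):
            total = sum(img[y][x]
                        for y in range(by * bh, (by + 1) * bh)
                        for x in range(bx * bw, (bx + 1) * bw))
            blocks.append(total / (bh * bw))
    mean = sum(blocks) / len(blocks)
    bits = 0
    for value in blocks:
        bits = (bits << 1) | (1 if value > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def compare(img_a, img_b, threshold=10):
    """Exact-hash verdict beside the perceptual-hash verdict for two images."""
    distance = hamming(average_hash(img_a), average_hash(img_b))
    return {
        "sha256_equal": sha256_of_image(img_a) == sha256_of_image(img_b),
        "ahash_distance": distance,
        "ahash_match": distance <= threshold,
    }


# Constructed inputs: the original spam image, the same image with three
# pixels tweaked, and an unrelated image with the "text" somewhere else.
ORIGINAL = make_image(4, 12, 5, 11)
TWEAKED = perturb(ORIGINAL, [(0, 0, 7), (15, 15, -3), (7, 7, -5)])
DIFFERENT = make_image(0, 8, 0, 6)

if __name__ == "__main__":
    print("original vs tweaked:  ", compare(ORIGINAL, TWEAKED))
    print("original vs different:", compare(ORIGINAL, DIFFERENT))
```

Run stand-alone it prints both comparisons: the tweaked copy has a different SHA-256 but an aHash distance of 0, while the genuinely different layout lands far over the threshold. The same weakness the interview describes applies in reverse to the perceptual side: a spammer who re-renders the text at a different position or scale pushes the distance up, which is why this kind of hash is a filter signal and not a proof of identity.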
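The interview's advice on "returned email" is to make sure a bounce is for something you actually sent. The check below is an added example, not code from the interview or its author: it parses a delivery status notification with Python's standard email package, pulls the Message-ID out of the returned original, and compares it against a log of Message-IDs our own mail server sent. All three bounces and the sent log are constructed for the demonstration, and the link in the fake bounce points at a reserved example domain; a real deployment would feed the sent Message-IDs from the outbound MTA's log rather than a hard-coded set.

```python
"""Is this bounce really for a message we sent?

Added example, not from the interview or its author. The bounces and the
"sent log" are constructed; the fake bounce links to an RFC 2606 example
domain. Classification:
  legit       - the returned original is one we sent
  backscatter - the original carries a Message-ID we never sent, i.e. our
                address was forged (or our own machine is sending mail
                behind our back, as the interview warns)
  suspicious  - no original at all, which is how spam and malware dressed
                up as bounces usually look
"""
from email import message_from_string

# Message-IDs our outbound mail server recorded as actually sent (constructed).
SENT_LOG = {"<20060427.1234@example.org>"}

# Template for a standards-style delivery status notification (RFC 3464) that
# returns the original message as a message/rfc822 part.
DSN_TEMPLATE = """\
From: MAILER-DAEMON@mail.example.net
To: alice@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"

--dsn
Content-Type: text/plain

This is the mail system at host mail.example.net. Your message could not
be delivered to one or more recipients.
--dsn
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; bob@example.net
Action: failed
Status: 5.1.1
--dsn
Content-Type: message/rfc822

Message-ID: {mid}
From: alice@example.org
To: bob@example.net
Subject: quarterly figures

Bob, the figures are attached.
--dsn--
"""

# A "bounce" of the kind the interview warns about: no original message,
# just bait and a link (constructed, example domain).
FAKE_BOUNCE = """\
From: MAILER-DAEMON@mail.example.net
To: alice@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: text/html

<p>Your message could not be delivered.
<a href="http://www.example.com/resend">Click here</a> to resend it.</p>
"""


def returned_message_id(raw_bounce):
    """Return the Message-ID of the original message carried inside a bounce,
    or None when the bounce carries no message/rfc822 part."""
    msg = message_from_string(raw_bounce)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the embedded message object
            return original.get("Message-ID")
    return None


def classify_bounce(raw_bounce, sent_log=SENT_LOG):
    """Map a raw bounce to 'legit', 'backscatter' or 'suspicious'."""
    mid = returned_message_id(raw_bounce)
    if mid is None:
        return "suspicious"
    return "legit" if mid in sent_log else "backscatter"


if __name__ == "__main__":
    print(classify_bounce(DSN_TEMPLATE.format(mid="<20060427.1234@example.org>")))
    print(classify_bounce(DSN_TEMPLATE.format(mid="<spam-run-0042@example.org>")))
    print(classify_bounce(FAKE_BOUNCE))
```

A steady stream of "backscatter" verdicts is the signal the interview describes: mail going out under your address that you never sent, which means either a forged envelope sender elsewhere or a compromised machine of your own, and both deserve a look before anyone opens the attachment.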
"Everyone Wants to 'Own' Your PC," by Bruce Schneier, Wired
News, May 4, 2006 ---
http://www.wired.com/news/columns/0,70802-0.html?tw=wn_index_4
You own your computer, of
course. You bought it. You paid for it. But how much
control do you really have over what happens on your
machine? Technically you might have bought the
hardware and software, but you have less control
over what it's doing behind the scenes.
Using the hacker sense of
the term, your computer is "owned" by other people.
It used to be that only
malicious hackers were trying to own your computers.
Whether through worms, viruses, Trojans or other
means, they would try to install some kind of
remote-control program onto your system. Then they'd
use your computers to sniff passwords, make
fraudulent bank transactions, send spam, initiate
phishing attacks and so on. Estimates are that
somewhere between hundreds of thousands and millions
of computers are members of remotely controlled "bot"
networks. Owned.
Now, things are not so
simple. There are all sorts of interests vying for
control of your computer. There are media companies
that want to control what you can do with the music
and videos they sell you. There are companies that
use software as a conduit to collect marketing
information, deliver advertising or do whatever it
is their real owners require. And there are software
companies that are trying to make money by pleasing
not only their customers, but other companies they
ally themselves with. All these companies want to
own your computer.
Some examples:
- Entertainment
software: In October 2005, it emerged
that
Sony had distributed a
rootkit with
several music CDs -- the same kind of software
that crackers use to own people's computers.
This rootkit secretly installed itself when the
music CD was played on a computer. Its purpose
was to prevent people from doing things with the
music that Sony didn't approve of: It was a DRM
system. If the exact same piece of software had
been installed secretly by a hacker, this would
have been an illegal act. But Sony believed that
it had legitimate reasons for wanting to own its
customers’ machines.
- Antivirus:
You might have expected your antivirus software
to detect Sony's rootkit. After all, that's why
you bought it. But initially, the security
programs sold by Symantec and others did not
detect it, because Sony had asked them not to.
You might have thought that the software you
bought was working for you, but you would have
been wrong.
- Internet
services: Hotmail allows you to
blacklist certain e-mail addresses, so that mail
from them automatically goes into your spam
trap. Have you ever tried blocking all that
incessant marketing e-mail from Microsoft? You
can't.
- Application
software: Internet Explorer users might
have expected the program to incorporate
easy-to-use cookie handling and pop-up blockers.
After all, other browsers do, and users have
found them useful in defending against internet
annoyances. But Microsoft isn't just selling
software to you; it sells internet advertising
as well. It isn't in the company's best interest
to offer users features that would adversely
affect its business partners.
"The big point is that IE's been losing market share to Mozilla's
Firefox," and now Microsoft is trying to catch up and regain user loyalty
from people who have embraced Firefox's simple and more secure format, said
Gene Munster, an analyst with Piper Jaffray.
"Microsoft Tries for Safer Surfing Internet Explorer Revised in Response to
Security Concerns, Loss of Users," by Yuki Noguchi, The Washington Post,
April 26, 2006 ---
Click Here
Internet users were given a peek yesterday at a
revamped version of Microsoft Corp.'s Internet Explorer, a response to
criticism that the most popular tool for Web surfing and hacking made users
vulnerable to the Internet's dangers and caused them to defect to
alternative browsers.
Earlier versions of Internet Explorer, which comes
standard on most Windows computers, are still how most users access and view
Web pages. But being the leader in the browser game, with almost 85 percent
market share, means that it's also the most vulnerable to malicious programs
such as viruses, worms and phishing scams.
That, along with the limited features built into
earlier versions of the Internet Explorer browser, or IE, has sent a growing
number of users to alternative browsers.
The Redmond, Wash., company designed Internet
Explorer 7, a test version available for download from its Web site, with
tighter security protection and more advanced tools to give the user greater
control in navigating the Web, said Dean Hachamovitch, general manager of
Internet Explorer.
"Overall, for IE7, the principles we used were
safer, easier and more powerful," Hachamovitch said.
But Microsoft's real motivation is to try to stem
the defections to smaller providers, analysts said.
"The big point is that IE's been losing market
share to Mozilla's Firefox," and now Microsoft is trying to catch up and
regain user loyalty from people who have embraced Firefox's simple and more
secure format, said Gene Munster, an analyst with Piper Jaffray.
"Perception of security is of the highest level" of
concern for Microsoft, Munster said. With its new operating system, called
Vista, slated for release early next year, Microsoft is trying to offer
security reassurances to its customers.
A year ago, Internet Explorer commanded 88.6
percent of the market and Firefox had a mere 6.7 percent, according to Web
statistician Net Applications. Last month, Microsoft's share was down to
84.7 percent and Firefox had jumped beyond 10 percent.
Firefox's increasing popularity was partially
driven by Microsoft's worsening reputation for security, said Bruce Schneier,
chief technical officer at Counterpane Internet Security Inc., a computer
security firm.
"IE was the big target; if you're a virus writer,
you chose the big target," he said.
The company has improved its ability to write
secure code, he said, but it's unclear if the latest tools will address
other dangers on the Internet, which require users to be more savvy.
For example, the new version of Internet Explorer
will provide color-coded warnings when a user tries to access a Web site
that is suspicious or known as fraudulent. But users already encounter --
and ignore -- many Internet warnings because they're hard for beginners to
understand, Schneier said.
Internet Explorer's other new features include the
abilities to automatically open several frequently used Web sites at once
and print Web pages so the content doesn't get cut off on the right side.
The new browser also allows users to tailor search functions, aggregating
searches from various sources. It can also magnify pages so fonts are larger
and easier to read.
A final version of the browser is expected to be
released later this year.
Jensen Comment
The Beta version can be downloaded from
http://www.microsoft.com/windows/ie/downloads/default.mspx
Also note Windows Defender is now available in Beta from Microsoft ---
Click Here
Windows Defender (Beta 2) is a free program that
helps you stay productive by protecting your computer against pop-ups, slow
performance and security threats caused by spyware and other potentially
unwanted software.
April 27, 2006 reply from Pacter, Paul (CN - Hong Kong)
[paupacter@DELOITTE.COM.HK]
MSIE may be losing some users to Firefox, but it is
still dominant among the last million or so visitors to www.iasplus.com :
IE 6 80%
IE 5.5 8%
IE 5.0 6%
Firefox 2%
NS 3.0 1%
Others 3%
Global data. I don't have browser data by country,
and Firefox may be more dominant in USA.
Paul Pacter
April 27, 2006 reply from Bob Jensen
Hi Paul,
It’s important to note that it is not an either or choice. People can
have both IE and Firefox browsers on their computers connected to the
Internet. There are some things that will only work in IE such as
interactive DHTML spreadsheets ----
http://www.trinity.edu/rjensen/dhtml/excel01.htm
IE is plagued by spyware. Firefox, to my knowledge, is currently immune
to spyware. The current upsurge of Firefox use has been explosive and
results might soon show up in your more recent tracking data. Firefox is
free at
http://download-firefox.org/
I advise people to use Firefox (Windows) or Safari (Mac) at home where
protections against spyware and other bad stuff may not be as great as at
work where companies and colleges invest much more in security protection
systems. Your data may be somewhat biased since most visitors to IAS Plus
probably do so at work where the only browser available is probably IE.
Given Microsoft’s dismal track record in dealing with security issues, I
have my doubts whether IE’s Version 7 will be as protective as Firefox.
However, Firefox on Windows is vulnerable if it attracts more attention from
the spyware bad guys. The most secure alternative is the Safari browser on a
Mac.
By the way, congratulations at reaching the 1 million visitor mark at IAS
Plus. You created a masterful site that is helpful to accountants in every
part of the world (well maybe not at the South Pole) ---
http://www.iasplus.com/index.htm
Bob Jensen
April 27, 2006 reply from Pacter, Paul (CN - Hong Kong)
[paupacter@DELOITTE.COM.HK]
Thanks, Bob. I use MSIE 6, Firefox 1.5.0.2, and
Netscape 8.0 happily together. In fact, I check most IASPlus pages in all
three, because each renders pages a bit differently.
I'm not sure that Firefox is fully "immune to
spyware". It does use cookies, same as MSIE. There are pop-up/under ads as
well (though I think there are blocking extensions, just as there are
various pop-up blockers for MSIE). I certainly agree that spyware is less of
a consideration than with MSIE.
At home I've taken PC Magazine's recommendation and
recently purchased Zone Alarm for virus, firewall, spyware, etc. Seems to be
working fine though every once in a while I think it degrades performance
slightly. On top of that I use AdAware for additional spyware removal,
though I've turned off their AdWatch. I just downloaded Microsoft's Windows
Defender and will check it out in the next few days. You will definitely
regard me as paranoid in the extreme when I also tell you that I have
installed at home, and periodically run, Advanced Spyware Detector, Spyware
Doctor, and Spybot Search and Destroy!
I suspect you're right that the IASPlus data is a
bit biased for the reasons you suggest.
Actually IASPlus has had about 3.5 million visitors
from 206 countries -- though our tracking service doesn't seem to track the
South Pole. I wonder which country visitors from the SP would be included
in?
Warm regards from Hong Kong,
Paul
April 27, 2006 reply from Scott Bonacker
[aecm@BONACKER.US]
There is an interesting article on this general
subject at:
http://snipurl.com/Explorer7
The article ends with a quote - "Ah, this is
obviously some strange use of the word 'safe' that I wasn't previously aware
of."
Scott Bonacker, CPA
Springfield, MO 65804
Question
Do you want to install SiteAdvisor or don't you know at this point in time?
"SiteAdvisor Adds Search Safety," by Brian Krebs, The Washington Post,
February 28, 2006 ---
Click Here
Since its inception, Security Fix has warned
Microsoft Windows users to be extremely wary of clicking on Web links that
arrive via instant messenger or e-mail, as these are the most common ways
that malware spreads online today. But the sad truth is that for many
Internet users, clicking on unfamiliar links that turn up in Google, MSN or
Yahoo search results frequently exposes users to security risks.
For the past few weeks I've been surfing the Web
with the help of the beta version of a browser add-on called SiteAdvisor, a
tool that offers users a fair amount of information about the relative
safety and security of sites that show up in Internet searches. As I played
around with this program, it became clear that this is a tool that not only
allows users to make informed security decisions about a site before they
click on a search result link, but it also holds the potential to fuel a
more informed public dialogue about the often murky relationship between
Fortune 500 companies and the spyware and adware industry.
But more on the Fortune 500 stuff later.
SiteAdvisor is a browser add-on for Firefox or Internet Explorer that tries
to interpret the relative safety of clicking on Web search results. With
SiteAdvisor installed, each listing is accompanied by a small color-coded
icon that indicates whether the software developers have received any
reports of scammy, spammy or outright malicious activity emanating from the
site.
The software gets its intel from a proprietary "spidering"
technology that crawls around the Web much the same way as search engines
do. The company's spiders browse sites with the equivalent of an unpatched
version of IE to see if sites try to use any security exploits to install
spyware or adware on a visitor's machine.
"Our attitude is, if a site gives you an exploit
with an older version of IE, it's probably not one you want to visit with a
newer version," said Chris Dixon, one of SiteAdvisor's co-founders.
If you use IE and try to visit any site that the
program has seen using security vulnerabilities to install software, the
program immediately redirects you to a SiteAdvisor page offering more
information on the threat posed by the site (users can still choose to visit
the site if they so wish after the initial warning). All such sites will
earn a big red "X" next to their search listing, as will others that
threaten to bombard subscribers with junk e-mail or have questionable
relationships with third-party advertisers or shady Web sites.
Hover over the red "X" with your mouse arrow and a
small window appears urging you to exercise "extreme caution" in visiting
the site. If you then visit the site, a red dialogue box emerges that offers
a brief description of why SiteAdvisor doesn't like it.
Continued in article
"'X' Marks the Spyware A startup offers Internet users simple warnings about
a website's potential for spyware and spam," by David Talbot , MIT's
Technology Review, March 1, 2006 ---
http://www.technologyreview.com/InfoTech/wtr_16443,308,p1.html
Spyware has emerged as the bane of the
Internet -- and finding solutions represents a growing
obsession of Web users and the industry that serves them.
The newest entrant in the counteroffensive launches today:
Boston-based startup
SiteAdvisor is releasing software
that warns a user about potential spyware and spam hazards.
The spyware and malware problem is
enormous. According to a recent Pew Internet & American Life
Project, the computers of roughly 59 million Americans are
infected with spyware. And home computer users spent around
$3.5 billion in 2003-04 to fix the problems, according to a
recent Consumer Reports investigation. Infected machines
often slow down dramatically and begin generating error
messages, and some types of spyware code can steal passwords
and other personal information.
While many established software
products remove known spyware, the warnings and advisories
generated by SiteAdvisor are meant to keep users'
computers from getting infected in the first place. So far,
the company says it has collected data on two million
websites. While this is a fraction of all websites, the
company says those it rates make up 95 percent of all online
traffic.
SiteAdvisor's Web-crawling
technology checks whether sites offer programs for
downloading, whether those programs carry spyware-like
software, and whether entering an e-mail address in signup
forms will generate spam. The company stores the accumulated
knowledge in its databases, adds more information from
website owners and users, and offers the warnings via a
browser plug-in for Internet Explorer or Firefox.
[Click here to view samples of warnings --- http://www.technologyreview.com/InfoTech/wtr_16443,308,p1.html# ]
The SiteAdvisor home page is at
http://www.siteadvisor.com/
Editor's Picks from
InternetWeek on January 20, 2006
Anti-Spyware Strategies, Part 1: Clean Out Your System
Do you suspect that your system is infected with adware, spyware, or
other malware? Here's how to get rid of it.
Anti-Spyware Strategies 2: Offense And Defense
Now that your system is clean of spyware, keep it that way: keep your
patches up, don't be fooled into user-assisted installations of malware—and
read your EULAs.
Hardware: Is Your Computer Killing You?
"Killing" might be too strong of a word, but not by much—computing can
hurt you physically, emotionally, and environmentally. Find out how you
can minimize the damage.
Windows: Five Things You Didn't Know About Windows Vista
Some of the more offbeat angles surrounding Microsoft's upcoming
operating system involve guessing its launch date, finding where to go
to get a Vista-related job, and seeing who's got the name registered as
a trademark.
"Spyware: What You Need to Know," by Kim Zetter, Wired News, October
17, 2005 ---
http://www.wired.com/news/privacy/0,1848,68275,00.html?tw=wn_tophead_4
The
Anti-Spyware Coalition,
(which
includes heavyweights like Microsoft, EarthLink and
Hewlett-Packard), says spyware is any application that
impairs "users' control over material changes that
affect their user experience, privacy or system
security."
In plainer language, spyware
consists of a host of programs that you likely wouldn't
invite onto your computer if you knew what they would do
once they invaded your machine. They are primarily
software programs that can hijack your browser to send
you to an advertiser's page or track where you surf on
the internet so marketers can learn your interests and
feed you pop-up ads.
Is spyware the same as
viruses and Trojan horses?
Traditionally, viruses and
Trojan horses have been considered a different type of
malware, but the Anti-Spyware
Coalition is attempting to lump all malware together to
make it easier for lawmakers to legislate against it.
The coalition does not include
viruses in this category, but it does include Trojan
horses, which are usually installed on your machine
without your consent and sit in the background quietly
recording your keystrokes or sending copies of your
files to a remote intruder over the internet. Keystroke
loggers are generally not used by people who want to
market to you, but by people who are interested in data
like passwords or credit card numbers for financial gain
or espionage.
Continued in article
Debit Card Fraud Jumps
Several banks have reported that account information
has been stolen and consumers have reported mysterious fraudulent account
withdrawals. Litan told MSNBC, “This is the absolute worst hack that has
happened, the biggest scam to date.” Using a debit card to steal cash is a more
direct process for thieves. Stealing merchandise and converting it into cash can
be a risky business. MSNBC reports this so-called “white card” fraud does not
require interaction with clerks or other store staff. Careless PIN storage is to
blame for these losses.
"Debit Card Fraud Jumps," AccountingWeb, March 13, 2006 ---
http://www.accountingweb.com/cgi-bin/item.cgi?id=101885
Bob Jensen's threads on ID theft are at
http://www.trinity.edu/rjensen/FraudReporting.htm
Cell Phone Records are for Sale
Cell phone records are far more personal than typical Internet Identity
theft
Think your mate is cheating? For $110, Locatecell.com
will provide you with the outgoing calls from his or her cell phone for the last
billing cycle, up to 100 calls. All you need to supply is the name, address and
the number for the phone you want to trace. Order online, and get results within
hours. Carlos F. Anderson, a licensed private investigator in Florida, offers a
similar service for $165, for all major telephone carriers. "This report
provides all the calls with dates, times, and duration on the billing
statement," according to Anderson's Web site, which adds, "Incoming Calls and
Call Location are provided if available." Learning who someone talked to on the
phone cannot enable the kind of financial fraud made easier when a Social
Security or credit card number is purloined. Instead, privacy advocates say, the
intrusion is more personal.
Jonathan Kim, "Online Data Gets Personal: Cell Phone Records for Sale," The
Washington Post, July 8, 2005 ---
http://www.washingtonpost.com/wp-dyn/content/article/2005/07/07/AR2005070701862.html?referrer=email
Phishing,
Spoofing, Pharming, Slurping, and Pretexting
Question
What is phishing?
Answer
Phishing is fishing for passwords, credit card numbers, or other private
information. Phishers typically send email messages in which they masquerade
as a trustworthy person or business, dressing the message up to look like an
official electronic communication.
See
http://en.wikipedia.org/wiki/Phishing
Scam Warning
Denny Beresford sent me a message about the latest
Social Security email scam. Always remember that government agencies like the
IRS and the Social Security Administration, along with banks and credit unions, do
not send you email messages out of the blue seeking your privacy information or
your money. These messages come from crooks, most of whom reside outside the
legal jurisdiction of the United States. I don't even open email messages from these institutions.
The sad part is that these scams work so
successfully!
Bob,
You might be interested in this -
http://www.ssa.gov/pressoffice/pr/colaPhishingScam-pr.htm
(This is a warning from the Social Security Administration! )
I'm receiving social security benefits now and I
have to say that the email I received earlier this morning looked fairly
official. However, it seemed unlikely that Social Security would make such a
notification by email. So I found the announcement on the official Social
Security site. While I'd bet that most people don't fall for the "wife of
the former president of Nigeria" type of scam, this looks like one that
might have a higher degree of success.
Denny
Jensen Comment
Even the familiar Nigerian-type scams are still enormously successful. These
scams are the second most lucrative export (oil is number one) from Nigeria, and
Nigeria is only one of many places in the world where such scams originate. Many
also come from Eastern Europe where technology geniuses are always miles ahead
of law enforcement and vendor security protection upgrades ---
http://www.trinity.edu/rjensen/FraudReporting.htm#NigerianFraud
Question
What's the use of spoof@paypal.com ?
November 13, 2006 message from Schatzel, John
[JSchatzel@STONEHILL.EDU]
Yeah, these "phishing" scams have netted crooks
over $2.8 billion this past year according to an article I read recently. I
thought the number sounded high, but they are bombarding people with genuine
looking requests from PayPal and Amazon.com saying that your account has
been restricted, charged for something you didn't buy, or is being
investigated for account tampering by their security staff. A lot of people
panic apparently when they see this stuff and reply with personal account
information. I feel sorry for them so every time I get one for PayPal I
reply by sending it to
spoof@paypal.com and they supposedly
investigate them. If anyone has a similar email address for Amazon, please
let us know. Just using Amazon's customer service form is not enough. The
whole message has to be forwarded to them, so they can investigate the
source of the illegal message.
John Schatzel
November 14, 2006
Snopes has a pretty good page for identifying phishing spoofs. Enter "phishing"
into the search box at
http://www.snopes.com/
Also see what you get when you enter "Nigerian" into the search box.
Bob Jensen
Free Fraud Alert Systems ---
http://www.trinity.edu/rjensen/FraudReporting.htm#Fraud%20Alerts
Bob Jensen's helpers if you think you've become a victim ---
http://www.trinity.edu/rjensen/FraudReporting.htm
Identity Theft Resource Center ---
http://www.idtheftcenter.org/index.shtml
Dirty Tricks Played on Job Seekers
Job hunters using Monster.com, the employment Web site
owned by Monster Worldwide, received fake job offers by e-mail that ask for
their Bank of America account information. The e-mail contains personal
information collected when hackers tricked Monster.com customers into
downloading a virus in a fake job-seeking tool, according to researchers at
Symantec, the world's biggest maker of security software.
Rochelle Garner, "Monster.com Users Get Fake Offers And Request," The
Washington Post, August 23, 2007, Page D04 ---
Click Here
"Phishing Scams Just Keep
Coming," by Greg Keizer, Information Week, August 3, 2004 --- http://www.informationweek.com/story/showArticle.jhtml?articleID=26805648
Phishing attacks were back up in June, the Anti-Phishing
Working Group said Tuesday, as the scams that continue to plague users and
steal millions from financial institutions climbed to all-time records. The
group, an association of more than 250 companies, tracked 1,422 new unique
phishing attacks in June, an increase of 19% over May's 1,197, and more than
25% higher than the previous month's record.
The average number of attacks per day was up even
more: 47.4 in June versus 38.6 a day in May. In an earlier report this summer,
the group noted that while May's first few weeks were thick with phishing
scams, schemers seemed to take a vacation around Memorial Day. That vacation,
obviously, is over. For the year so far, phishing has been growing about 52%
per month. No wonder the scams are getting the attention of users and the
financial organizations victimized by the attacks.
The solution, said the group, lies in sender
authentication, a scheme in which E-mail essentially "proves" to the
recipient that it came from where it said it came from. "As phishing
attacks continue to increase at a rate of more than 50%, enterprises must turn
to authentication-based technologies," said Jeff Smith, CEO of
Tumbleweed, the founding firm of the Anti-Phishing Working Group.
The Internet Engineering Task Force is meeting in San
Diego this week and is expected to approve the Sender ID standard, a blending
of Microsoft's Caller ID and the Sender Policy Framework protocol by Friday.
Shutting down address spoofing may be the best way to
stop phishing, said the anti-phishing group's report, since 92% of all
phishing E-mails use bogus addresses.
In other analysis of phishing figures, the APWG noted
that the average "life span" for a phishing site is a mere 2.25
days, an indication of how fast scammers cut and run--and thus how difficult
it is to track them down. And for the first time, the group also did an
in-depth analysis of a single phishing attack.
Over a 12-day run during late June and early July,
two banks were hit with identical attacks from a series of bogus sites hosted
in multiple countries--including the United States, Uruguay, and South
Korea--with the sites shifted daily during four of the days of the attack.
"This indicates the participation of at least
one well-orchestrated, systematic criminal organization in the phishing
world," the anti-phishing group's report concluded. The analysis backs up
claims by state and federal law enforcement that phishing is linked to
organized crime based in Eastern Europe and the former Soviet Union.
The top phishing targets didn't change in June.
Citibank again had the dubious honor of being the most hijacked brand,
accounting for 36% of all attacks, while eBay, US Bank, PayPal, and Fleet
retained their May spots as two through five, respectively.
Continued in the article
"Researchers create new system to address phishing fraud," PhysOrg,
September 1, 2006 ---
http://physorg.com/news76325493.html
Carnegie Mellon University CyLab researchers have
developed a new anti-phishing tool to protect users from online transactions
at fraudulent Web sites.
A research team led by Electrical and Computer
Engineering Professor Adrian Perrig has created the Phoolproof Phishing
Prevention system that protects users against all network-based attacks,
even when they make mistakes. The innovative security system provides strong
mutual authentication between the Web server and the user by leveraging a
mobile device, such as the user's cell phone or PDA.
The system is also designed to be easy for
businesses to implement. Perrig, along with engineering Ph.D. student
assistants Bryan Parno and Cynthia Kuo, has developed an anti-phishing
system that makes the user's cell phone an active participant in the
authentication process to securely communicate with a particular Internet
site.
"Essentially, our research indicates that Internet
users do not always make correct security decisions, so our new system helps
them make the right decision, and protects them even if they manage to make
a wrong decision," Perrig said. "Our new anti-phishing system, which
operates with the standard secure Web protocol, ensures that the user
accesses the Web site they intend to visit, instead of a phishing site
posing as a legitimate business. The mobile device acts like an electronic
assistant, storing a secure bookmark and a cryptographic key for each of the
user's online accounts."
Phoolproof Phishing Prevention essentially provides
a secure electronic key ring that the user can access while making online
transactions, according to Parno. These special keys are more secure than
one-time passwords because the user can't give them away. So, phishers can't
access the user's accounts, even if they obtain other information about the
user, researchers said.
Since the user's cell phone performs cryptographic
operations without revealing the secret key to the user's computer, the
system also defends against keyloggers and other malicious software on the
user's computer. Even if the user loses the cell phone, the keys remain
secure.
Driving the need for this new tool is escalating
consumer worries over online fraud -- a major barrier for a banking industry
seeking to push consumers to do more of their banking online. More than 5
percent of Internet users say they have stopped banking online because of
security concerns, up from 1 percent a year ago, according to industry
reports.
Complicating the concern for more secure financial
sites is a looming deadline for new security guidelines from the Federal
Financial Institutions Examination Council (FFIEC), a group of government
agencies that sets standards for financial institutions. Last year, the
FFIEC set a Dec. 31 deadline for banks to add online security measures
beyond just a user name and password. Failure to meet that deadline could
result in fines, the FFIEC said.
"Internet Con Artists Turn to 'Vishing'," PhysOrg, July 13,
2006 ---
http://physorg.com/news71990250.html
Internet con artists are turning to an old tool - the
phone - to keep tricking Web users who have learned not to click on links in
unsolicited e-mails.
A batch of e-mails recently making the rounds were
crafted to appear as if they came from PayPal, eBay Inc.'s online payment
service. Like traditional phony "phishing" e-mails, these said there was
some problem with the recipients' accounts.
Phishing e-mails generally instruct recipients to
click a link in the e-mail to confirm their personal information; the link
actually connects to a bogus site where the data are stolen.
But with Internet users wiser about phishing, the
new fake PayPal e-mail included no such link. Instead it told users to call
a number, where an automated answering service asked for account
information.
Security experts tracking this scam and other
instances of "vishing" - short for "voice phishing" - say the frauds are
particularly nefarious because they mimic the legitimate ways people
interact with financial institutions.
In fact, some vishing attacks don't begin with an
e-mail. Some come as calls out of the blue in which the caller already knows
the recipient's credit card number - increasing the perception of legitimacy
- and asks just for the valuable three-digit security code on the back of
the card.
"It is becoming more difficult to distinguish
phishing attempts from actual attempts to contact customers," said Ron
O'Brien, a security analyst with Sophos PLC.
Vishing appears to be flourishing with the help of
Voice over Internet Protocol, or VoIP, the technology that enables cheap and
anonymous Internet calling, as well as the ease with which caller ID boxes
can be tricked into displaying erroneous information.
The upshot: "If you get a telephone call where
someone is asking you to provide or confirm any of your personal
information, immediately hang up and call your financial institution with
the number on the back of the card," said Paul Henry, a vice president with
Secure Computing Corp. "If it was a real issue, they can address the issue."
Continued in article
"IRS Warns Phishing Scams Increasing," AccountingWeb, July 12, 2006
---
http://www.accountingweb.com/cgi-bin/item.cgi?id=102335
The Internal Revenue Service (IRS) is reminding
taxpayers to be on the lookout for bogus e-mails claiming to be from the tax
agency, on the heels of a recent increase in scam e-mails.
In recent weeks the IRS has experienced an increase
in complaints about e-mails designed to trick the recipients into disclosing
personal and financial information that could be used to steal the
recipient’s identity and financial assets. Since November, 99 different
scams have been identified. Twenty of those were identified in June, the
highest number since the height of the filing season when 40 were identified
in March.
“The IRS does not send out unsolicited e-mails
asking for personal information,” IRS Commissioner Mark W. Everson, said in
a prepared statement. “Don’t be taken in by these criminals.”
The current scams claim to come from the IRS, tell
recipients that they are due a federal tax refund, and direct them to a web
site that appears to be a genuine IRS site. The bogus sites contain forms or
interactive web pages similar to the IRS forms or Web pages but which have
been modified to request detailed personal and financial information from
the e-mail recipients. In addition, e-mail addresses ending with “.edu” –
involving users in the education community – currently seem to be heavily
targeted.
Many of the current schemes originate outside the
United States. To date, investigations by the Treasury Inspector General for
Tax Administration have identified sites hosting more than two dozen
IRS-related phishing scams. These scam Web sites have been located in many
different countries, including Argentina, Aruba, Australia, Austria, Canada,
Chile, China, England, Germany, Indonesia, Italy, Japan, Korea, Malaysia,
Mexico, Poland, Singapore and Slovakia, as well as the United States.
Tricking consumers into disclosing their personal
and financial information, such as secret access data or credit card or bank
account numbers, is fraudulent activity which can result in identity theft.
Such schemes perpetrated through the Internet are called “phishing” for
information.
The information fraudulently obtained is then used
to steal the taxpayer's identity and financial assets. Typically, identity
thieves use someone’s personal data to empty the victim’s financial
accounts, run up charges on the victim’s existing credit cards, apply for
new loans, credit cards, services or benefits in the victim’s name and even
file fraudulent tax returns.
When the IRS learns of new schemes involving use of
the IRS name or logo, it issues consumer alerts warning taxpayers about the
schemes.
The IRS also has established an electronic mailbox
for taxpayers to send information about suspicious e-mails they receive
which claim to come from the IRS. Taxpayers should send the information to
phishing@irs.gov. Instructions on how to properly submit possibly fraudulent
e-mails to the IRS may be found on the IRS web site at www.irs.gov. This
mailbox is only for suspicious e-mails, not general taxpayer inquiries.
More than 7,000 bogus e-mails have been forwarded
to the IRS, with nearly 1,300 forwarded in June alone. Due to the volume of
e-mails the mailbox receives, the IRS cannot acknowledge receipt or reply to
taxpayers who submit possibly bogus e-mails.
"Checking the Validity of Web Sites: What can browsers tell me
about how safe an e-commerce site is?" MIT's Technology Review, May 31,
2006 ---
http://www.technologyreview.com/read_article.aspx?id=16946
Q. What can browsers tell me about how safe an
e-commerce site is?
A. Security experts have long recommended that you
look for the closed padlock at the bottom of the browser window to make sure
your transactions are safe.
Unfortunately, the presence of a padlock is no
longer enough.
Sites wishing to enable the padlock must obtain a
digital certificate from any number of private companies known as
certificate authorities.
In the early days, the certificate authority
performed a series of checks to make sure sites were really who they said
they were. The authority may have asked for ID or a copy of a business
license, or it may have checked information a site submitted against state
business databases.
Older authorities still do that, but some newer
ones try to cut costs and corners by checking only that the site owns the
domain name -- not the business said to run on that domain, said Johannes
Ullrich, chief technology officer with the SANS Institute's Internet Storm
Center.
The difference in cost can be significant: Ullrich
said a site may spend $20 for the domain-only check, compared with $100 or
more for a traditional certificate. Consumers have no easy way to tell the
difference.
That doesn't mean the cheaper certificates are all
suspect -- Ullrich's group even has one. But the variation opens the door
for scammers known as phishers to easily obtain one and create a site that
mimics a real bank's. Customers can then be tricked into revealing passwords
and other sensitive details.
Scammers ''realize that as awareness of phishing
increases, one thing customers are doing is looking for a lock,'' said Tim
Callan, group product marketing manager for VeriSign Inc., one of the
old-style certificate authorities. ''As an anti-phishing measure, the
padlock has become increasingly unimportant.''
Melih Abdulhayoglu, chief executive of Comodo,
another issuer of traditional certificates, said the padlock is still a good
sign that a site is encrypted so sensitive information won't be leaked in
transit, but ''you could be encrypting for the fraudsters for all you
know.''
So all certificates -- those with and without
thorough checks -- are being put into question, because a customer is not
likely to know what went on behind the scenes.
Fortunately, change is on the way.
Later this year, the certificate authorities that
undergo thorough checks will mark their certificates differently. Browsers
could then highlight sites with such high-assurance certificates. The
address bar might turn green, for instance, when visiting such sites,
distinguishing them from ones that carry only a padlock.
Until then, still look for the closed padlock.
If it's missing, or if a warning appears about a
missing or expired certificate, that's a sign that something could be wrong.
Newer browsers are trying to make the padlock easier to see -- in Firefox
and Opera, for instance, the padlock is moved up top, next to the address
bar.
''Just because you see the padlock, it doesn't mean
it's meaningful, but it's not meaningless,'' said Greg Hughes, chief
security executive at Corillian Corp., a provider of online banking
technology.
Comodo, meanwhile, has a free tool at http://www.vengine.com
to help identify legitimate sites.
But ultimately, it comes down to common sense.
Ask yourself, is it a site you've done business
with before? Is it a big operation located in the United States? Did you
type in the Web address directly into the browser rather than click on an
e-mail link? Is the address a familiar one, one that appears in a bank's
brochure?
Beau Brendler, director of Consumer Reports
WebWatch, suggests that people also look for ''https'' -- the ''s'' for
secure -- instead of just ''http'' in the address bar.
''If you see the padlock and more importantly the
https, you've got a fairly good indication that the page is secure,'' he
said. ''They are one element of several things to possibly look for.''
But of course, he said, ''you're never necessarily
guaranteed anything. There's a certain amount of risk in any transaction.''
Beware of Employees Downloading ("Slurping") Confidential Data Into an iPod
February 24, 2006 message from Claire Smith
Abe Usher, a 10-year veteran of the security
industry, created an application that runs on an iPod and can search
corporate networks for files likely to contain business-critical data. At a
rate of about 100MB every couple minutes, it can scan and download the files
onto the portable storage units in a process dubbed "pod slurping."
"Beware the 'pod slurping' employee," Will Sturgeon, C|Net News, February 15,
2006 ---
http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html
A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft.
Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod and can search corporate networks for files likely to contain business-critical data. At a rate of about 100MB every couple minutes, it can scan and download the files onto the portable storage units in a process dubbed "pod slurping."
To the naked eye, somebody doing this would look like any other employee listening to their iPod at their desk. Alternatively, the person stealing data need not even have access to a keyboard but can simply plug into a USB port on any active machine.
"Phight Phraud: Steps to protect against phishing," by Steven C.
Thompson, Journal of Accountancy, February 2006 ---
http://www.aicpa.org/pubs/jofa/feb2006/thompson.htm
There are several free products that fight phishing by disclosing whether the Web site you contact is legitimate:
Netcraft Toolbar (http://toolbar.netcraft.com) works in both Internet Explorer and Firefox.
Cloudmark Safety Bar (www.cloudmark.com/products/safetybar) only supports Internet Explorer.
Mozdev.org TrustBar (http://trustbar.mozdev.org) works only in Firefox.
Earthlink Toolbar (www.earthlink.com/software/free/toolbar).
Microsoft also recently announced it is adding antiphishing features to Internet Explorer 6 and subsequent versions. The new phishing filter, which will require Windows XP SP2, will be available shortly in a beta version.
Question
What is spoofing?
Answer
From
http://www.webopedia.com/TERM/s/spoof.html
To fool. In networking, the term is used to
describe a variety of ways in which hardware and software can be fooled. IP
spoofing, for example, involves trickery that makes a message appear as if
it came from an authorized IP address. Also see e-mail spoofing.
Spoofing is also used as a network management
technique to reduce traffic. For example, most LAN protocols send out
packets periodically to monitor the status of the network. LANs generally
have enough bandwidth to easily absorb these network management packets.
When computers are connected to the LAN over wide-area network (WAN)
connections, however, this added traffic can become a problem. Not only can
it strain the bandwidth limits of the WAN connection, but it can also be
expensive because many WAN connections incur fees only when they are
transmitting data. To reduce this problem, routers and other network devices
can be programmed to spoof replies from the remote nodes. Rather than
sending the packets to the remote nodes and waiting for a reply, the devices
generate their own spoofed replies.
Also see "Spoofing Attack" at
http://en.wikipedia.org/wiki/Spoofing_attack
Spoofing is probably best known for faked Websites (either jokes or
criminal spoofs) that lead users into thinking that they are at a legitimate
site (such as eBay) when in fact they are at a faked reproduction.
See
http://www.paypalsucks.com/paypal-spoof-sites.shtml (this site has a great
illustration of an eBay spoof)
Critical Update: Phishing and Spoof sites are reaching epidemic levels.
You MUST learn about this right now and take action. While PayPal is most
often the target of "spoofers," there has been a recent rash of spoof sites
for almost every site on the net: PayPal, Ebay, US Bank, Citibank, Wells
Fargo, Bank of America, Yahoo, Hotmail, Washington Mutual, Commerce Bank,
and ANY ONLINE SITE. Whatever you do, DO NOT click on the link in the email!
If you actually have an account at one of the companies mentioned, go there
by opening your browser and typing in the correct URL yourself.
"Spoof sites" are web sites created by criminals to trick you into giving
them your information. The sites are designed to copy the exact look and
feel of the "real" site, in this case PayPal.com, but in fact, any
information you enter will be going to criminals, not PayPal. These sites
can be as simple as just copying the PayPal site via a "view, source" or
built using advanced scripts so that for all intents and purposes, it looks
and acts like the real PayPal site. After a thief builds such a site, they
will usually email you (spam) saying things like "Your account is limited,"
or "We require additional information," or "Due to a security breach, we
need to verify your information." This is known as "phishing." (Pronounced
"fishing." To protect yourself against "phishing" see our Spyware Solutions
page.)
In the phishing email, there will be a link. It will look like
https://www.PayPal.com/
..., but in fact the email will hide the real address which will either be a
string of numbers, or the PayPal.com URL followed by a bunch of cryptic
looking information, or even something that resembles an email address. DO
NOT CLICK on these links! It's like handing your car keys over to a
chop-shop.
A fast-spreading variation on the long-running Sober worm is using extremely
effective tactics to trick users.
"New Sober Worm Spoofs FBI, CIA ," by Gregg Keizer, InformationWeek,
November 22, 2005 ---
http://www.informationweek.com/story/showArticle.jhtml?sssdmh=dm4.159017&articleID=174401321
A new variation of the long-running Sober worm uses
extremely effective tactics to trick users into infecting their PCs,
security companies said Tuesday, including posing as messages from the FBI
and CIA. Sober.w -- called Sober.x by Symantec, and Sober.z by Sophos and
F-Secure -- is spreading rapidly, said security experts, fast enough for
vendors to have amplified their threat levels Tuesday. Symantec raised its
warning to a "3" in its 1 through 5 scale, the first time since the Zotob
outbreak in August that the Cupertino, Calif.-based anti-virus vendor has
taken a worm to that threat level.
"The rate of its spread is quite high," said Sam
Curry, vice president of Computer Associates’ eTrust security group, who
also called the raw number of infections "still relatively low, but
growing."
U.K.-based MessageLabs disagreed with the second
half of Curry's estimate, however. "The size of the attack indicates that
this is a major offensive, certainly one of the largest in the last few
months," spokesman Chaim Haas said. By mid-Tuesday, MessageLabs had stopped
nearly 3 million copies of the worm from reaching its customers' inboxes.
Sophos, another U.K.-based anti-virus vendor, said
that its tallies showed this Sober now accounting for 61 percent of all
malware.
Sober.w is the most recent example of the
two-year-old Sober family, and shares important characteristics with other
variants, including bilingualism (messages arrive in either English or
German), address hijacking, and mass-mailing.
Computer Associates' Curry believes the fast spread
is due to better-than-average technical skills. "It's using slightly more
effective techniques," said Curry, "including running three separate [SMTP]
processes. That's becoming somewhat common, because the more simultaneous
processes a worm runs, the more copies it can blitz out."
Others, however, credit the enticing bait dangled
by the worm for its success. "I just don't see any technical reason why this
has popped," said Alfred Huger, senior director of engineering for
Symantec's security response team. Instead, he points to the worm's social
engineering tricks, which include posing as a message from the CIA or FBI
(English), or the Bundeskriminalamt, the German national police agency most
like the FBI (German).
These messages, with spoofed return addresses such
as "mail@cia.gov" and "admin@fbi.gov," claim that "We have logged your
IP-address on more than 30 illegal Websites," and demand that the user open
the attached .zip file, which supposedly contains questions to answer.
The FBI, in fact, took the unusual step Tuesday of
issuing a statement saying that the messages were bogus. "These e-mails did
not come from the FBI," the agency said. "Recipients of this or similar
solicitations should know that the FBI does not engage in the practice of
sending unsolicited e-mails to the public in this manner."
"This variant of Sober may catch out the unwary as
they open their e-mail inbox," said Graham Cluley, senior technology
consultant at Sophos, in a statement Tuesday. "Every law-abiding citizen
wants to help the police with their inquiries, and some will panic that they
might be being falsely accused of visiting illegal websites and click on the
unsolicited email attachment."
Sober's creator or creators are unknown, although
suspicions have long placed them in Germany. Recently, the Bavarian state
police (Bayerisches Landeskriminalamt) predicted the release of a minor
Sober variant the next day, leading to conjecture by security analysts that
the police may be on the trail of the hackers. No arrests have been made of
anyone accused of writing a Sober worm. The FBI urged users who had received
the Sober.w worm to report it to the Internet Crime Complaint Center.
People continuing to fall for hurricane victim scams
If you see an e-mail this weekend asking you to donate
to the victims of Hurricane Wilma, be careful. A scammer may be "phishing" in
your e-mail inbox. "Phishing" scams, in which e-mails and Web sites made to look
official are used to trick people out of their credit card numbers or other
personal information, are on the rise. And with people continuing to fall victim
and new opportunities to put a different face on the same scam -- the hurricane
relief efforts among the latest -- it appears that phishing attacks are here to
stay.
Mike Musgrove, "'Phishing' Keeps Luring Victims, The Washington Post,
October 22, 2005 ---
http://www.washingtonpost.com/wp-dyn/content/article/2005/10/21/AR2005102102113.html?referrer=email
Question
What is pharming and why is it the most dangerous form of phishing and spoofing?
Answer
Pharming is a type of spoofing that uses Trojan programs, worms, or other
virus technologies to attack the browser's address resolution, and it is more
dangerous than mere phishing because the user does nothing wrong: when users
type in a valid URL they are redirected to the criminals' website instead of
the intended valid website.
See
http://en.wikipedia.org/wiki/Pharming
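One common way the Trojans described above carry out the redirect is by adding entries to the local hosts file, so that a bank's name resolves to the criminals' server before DNS is ever consulted. The following is an added example, not code from this page or any product it mentions: it parses a hosts file and reports watched financial names that have been pointed anywhere other than the local machine. The watch list, the sample file and the 192.0.2.x addresses (documentation range) are constructed for illustration.

```python
import ipaddress

# Domains whose names should never be overridden on a desktop (assumption
# for this example; a real deployment would use its own list).
WATCHED_DOMAINS = {"citibank.com", "paypal.com", "wellsfargo.com"}

# Constructed sample hosts file: two lines imitate a pharming Trojan that
# points bank names at the attacker's server (192.0.2.x is the documentation
# range); the 127.0.0.1 line for PayPal is a benign block, not a redirect.
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.77      www.citibank.com citibank.com   # injected by pharming malware
192.0.2.77      online.wellsfargo.com
127.0.0.1       www.paypal.com                  # blocked by the user, not redirected
10.1.2.3        intranet.example.local
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every name mapped in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower().rstrip("."), line_no


def is_watched(name, watched=WATCHED_DOMAINS):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return hosts-file entries that send a watched name anywhere other than
    the local machine. Loopback entries are skipped: they block a site rather
    than redirect it. An unparseable address is still reported."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            if ipaddress.ip_address(ip).is_loopback:
                continue
        except ValueError:
            pass
        hits.append({"line": line_no, "host": name, "ip": ip})
    return hits


if __name__ == "__main__":
    for hit in find_pharming_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```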
Identity theft warning forwarded on July 13, 2005 by James P. Borden
[jborden119@comcast.net]
Bob,
Thought you might find this useful.
Best regards,
Jim Borden
Villanova University
Identity Thieves Employ High-Tech Tactics
Aleksandra Todorova, SmartMoney.com
THANKS TO TECHNOLOGY advances, identity
thieves no longer need to dumpster-dive in search of your private
information. Now, sensitive data can easily land in their hands while you're
shopping, browsing the Internet or simply visiting your dentist. Here are
five of the latest high-tech forms of identity theft, according to
Truecredit, a unit of credit-reporting bureau TransUnion, along with ways
consumers can protect themselves.
1. Pharming.
You've probably heard of "phishing,"
a form of identity theft where fake emails are sent out, asking you to
urgently update your bank account or credit-card information, which is then
sent to identity thieves. Now phishing has evolved into "pharming," where
thieves create fake Web sites similar to the Web sites of banks or
credit-card companies. When consumers who don't know the difference try to
log in, their account information is sent along to the thieves. These Web sites get traffic through phishing,
explains Nicole Lowe, credit education specialist at Truecredit.com, or with
the help of computer viruses that automatically redirect traffic from
specific Web addresses, such as those for banks, credit-card companies or
shopping Web sites.
To avoid pharming, look out for
anything strange or new in the site's Web address, or URL, Lowe
recommends. You can also browse the Web site in depth. The crooks likely
haven't recreated all its layers.
2. Gas stations.
Every time you swipe
your credit or debit card at the gas pump, your information is sent via
satellite to your bank for verification. According to Truecredit,
identity thieves have now invented a way to hijack that information by
modifying the program that carries out the data transfer so that your
credit-card number is sent to them at the same time it's sent to your
bank. While there isn't a way to detect when your data are being stolen,
Lowe recommends using only credit cards at the pump as a precaution.
With debit or check cards, it takes a while for fraudulent purchases to
be credited back into your checking account, while credit-card companies
will remove any disputed charges from your account immediately.
3. International skimming.
According to
Truecredit, skimming occurs when your credit card is run through a small
reader, similar to those used in grocery stores, which captures your
card information for future use by identity thieves. This form of fraud
is common in the service industry here in the U.S., and anywhere abroad.
Be on the lookout when paying with a credit card in a restaurant that
you're not familiar with, Lowe recommends. If you don't feel comfortable
letting your card out of sight, use cash or walk over to the cash
register to pay your bill. When traveling abroad, use only one credit
card so it's easier to detect any fraudulent charges.
4. Keystroke catchers.
These
small devices are attached to the cable that connects your keyboard to your
computer and can be bought online for a little over $100. The "catcher"
resembles a standard connector, but contains a memory chip that records
everything you type. It's typically used in public places where computers
are available, such as libraries, Internet cafes and college computer labs.
To protect yourself when using a public computer, never shop online, check
your bank account, pay bills or enter your credit-card information.
5. Database theft.
Chances are, your personal information is part of numerous
databases, including those at your dentist and doctor's offices, your
college or university admissions office, your mortgage and insurance
companies, even your local Blockbuster. While there's little you can do
about the way those companies safeguard your information, you can try
limiting their access to sensitive data, such as your Social Security
number, says Lowe. Your cable company and DVD rental store, for example,
have no need to know your Social Security number and should agree to an
alternative, such as the last few digits of your driver's license number.
http://biz.yahoo.com/special/survive05_article1.html
Do-it-yourself
phishing kits are freely available on the Internet, a security firm says, and
they will lead to more scams sent to online consumers. "Until now,
phishing attacks have been largely the work of organized crime gangs,"
says Graham Cluley, a senior technology consultant at U.K.-based security
vendor Sophos. "But the emergence of these 'build-your-own-phish'
kits means that any old Tom, Dick, or Harry can now mimic bona fide banking Web
sites and convince customers to disclose sensitive information such as
passwords, PIN numbers, and account details," he says.
Greg Keizer, Information Week, August 19, 2004 --- http://www.informationweek.com/story/showArticle.jhtml?articleID=29112029
The Anti-Phishing Working Group is an international association dedicated to the elimination of
fraud and identity theft on the internet from phishing, pharming and spoofing.
Their site contains up-to-date reports on the extent of such activities.
Anti-Phishing Working Group
From Gerald Trite's Blog, March 3, 2005 --- http://www.zorba.ca/blog.html
What is SpoofStick?
SpoofStick is a simple browser extension that helps
users detect spoofed (fake) websites. A spoofed website is typically made to
look like a well known, branded site (like ebay.com or citibank.com) with a
slightly different or confusing URL. The attacker then tries to trick people
into going to the spoofed site by sending out fake email messages or posting
links in public places - hoping that some percentage of users won't notice the
incorrect URL and give away important information. This practice is sometimes
known as “phishing".
From CoreStreet ---
http://www.corestreet.com/spoofstick/
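The disguised links described in the PayPal spoof-site text above (a link that reads like https://www.PayPal.com/ but leads to a string of numbers, the PayPal name followed by cryptic text, or something resembling an e-mail address) and the "slightly different or confusing URL" that SpoofStick was written to expose can be checked mechanically. This added example, not code from this page, CoreStreet or PayPal, parses a link the way a browser does and reports the host it will actually connect to; the brand list and sample URLs are constructed, with 192.0.2.1 from the documentation range.

```python
import ipaddress
from urllib.parse import urlsplit

# Brands the recipient believes the link leads to (assumption for the example).
BRANDS = {"paypal.com": "PayPal", "ebay.com": "eBay", "citibank.com": "Citibank"}


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'example.net' for
    'www.paypal.com.example.net' (a simplification of public-suffix rules
    that is adequate for .com/.net-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host):
    """True if the host part is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_url(url, brands=BRANDS):
    """Return where the link really goes and why it looks like a spoof."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    # Trick 1: 'https://www.PayPal.com@192.0.2.1/' - the browser treats the
    # text before '@' as a user name and connects to what follows it, so the
    # link reads like a bank (or like an e-mail address) but is not.
    if parts.username is not None:
        reasons.append("text before @ is ignored; real host is " + host)

    # Trick 2: a bare "string of numbers" instead of a domain name.
    ip_host = is_ip(host)
    if ip_host:
        reasons.append("host is a raw IP address")

    # Trick 3: the brand appears somewhere in the link, but the domain the
    # browser connects to is somebody else's (paypal.com.example.net, or the
    # brand buried in the path or query after a run of cryptic text).
    real_domain = host if ip_host else registrable_domain(host)
    for brand_domain, brand in brands.items():
        brand_word = brand_domain.split(".")[0]
        if brand_word in url.lower() and real_domain != brand_domain:
            reasons.append(f"mentions {brand} but connects to {real_domain}")
            break

    # Trick 4: no https at all on a page asking for credentials.
    if parts.scheme.lower() != "https":
        reasons.append("not https")

    return {"host": host, "domain": real_domain,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links: one genuine, three of the disguises above.
    for link in ("https://www.paypal.com/signin",
                 "https://www.PayPal.com@192.0.2.1/login",
                 "http://www.paypal.com.example.net/cgi-bin/webscr",
                 "http://192.0.2.1/paypal/update.htm"):
        result = analyse_url(link)
        print(link, "->", result["host"], result["reasons"] or "looks consistent")
```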
"Avoid 'Pharming' Scams," The Wall Street Journal, May 24, 2005; Page
D1 ---
http://online.wsj.com/article/0,,SB111688741618841089,00.html?mod=todays_us_personal_journal
The Problem:
An identity-theft technique called "pharming" is particularly hard to
detect.
The Solution:
With pharming, no matter what Web address you type in, scamsters are able to
redirect you to fraudulent Web pages where they then try to capture your
personal financial information. To protect yourself, if you're using sites
where you have to give over a credit-card number or other sensitive data,
make sure the sites are secure. One sign of security: the Web address begins
with "https:" not just "http:".
While other scams such as phishing and spyware are
still more prevalent, there is a danger that pharming will become
increasingly common, security experts say. That's because thieves alter
Internet routing information such that it appears as if you're still going
to the correct Web address. Another sign that you're on a secure site: A
small padlock icon will sometimes appear along the bottom edge of the screen
when you view a Web page.
It started out as just a
few malcontents in third world countries, but now the threat has hit the big
time. Phishing joins numbers running, drug smuggling and currency fraud as yet
another tool of organized crime.
Phishing, which first appeared more than 10 years
ago, has grown from humble roots to become the international electronic crime of
choice for amateurs and professionals alike. In its simplest form,
phishing involves sending out fake e-mail messages that ask recipients to enter
personal information, such as bank account numbers, PINs or credit card numbers,
into forms on Web sites that are designed to mimic bank or e-commerce sites.
Dennis Fisher, "Phishing Is Big Business," eWeek, March 7, 2005
--- http://www.eweek.com/article2/0,1759,1772523,00.asp
MasterCard is making some effort to prevent identity theft
For nearly a year, the company has been striving to
close down Web sites that sell or share stolen MasterCard credit-card
information, and "phishing" or "spoof" sites that use MasterCard's name or logo
to trick consumers into divulging confidential information. Since last June, the
company has detected 35,045 MasterCard numbers for sale or trade on the
Internet, and has shuttered 766 sites trafficking in such information. It has
closed down 1,378 phishing sites.
Mitchell Pacelle, "How MasterCard Fights Against Identity Thieves," The Wall
Street Journal, May 9, 2005; Page B1 ---
http://online.wsj.com/article/0,,SB111559589681527765,00.html?mod=todays_us_marketplace
"Few companies have to tell when
identity thieves strike: Consumers don't learn they're in danger — until
the bills arrive," USA Today, February 28, 2005 --- http://www.usatoday.com/printedition/news/20050228/edit28x.art.htm
The Federal Trade Commission (FTC) received 246,570
identity theft complaints last year, and the problem actually is much worse:
9.9 million people (about one in every 30 Americans) were victims of identity
theft in a one-year period starting in spring 2002, according to an FTC
survey. Thieves use the data to get credit cards, pilfer bank accounts and
take over identities for future thefts.
Several factors give them the upper hand:
• Companies hide break-ins. Many companies
react as ChoicePoint did initially. They keep quiet after computers are
hacked, fearing lawsuits and damaged reputations.
• Police are busy elsewhere. Local police are
often reluctant to pursue cases. The amounts, while large to an individual,
seem small compared with other monetary crimes. Often the consumer lives in
one state, the thief in another. Federal authorities can act, but only about 1
in 700 cases of identity theft resulted in a federal arrest in 2002, according
to Avivah Litan, a cybercrime expert with the Gartner research firm.
• Oversight is weak. Identity theft is a
relatively new crime and, outside of California, governments haven't yet
geared up to address it. The rising industry of data brokers has little
oversight, and rules for financial institutions aren't up to the task.
The good news is that the ChoicePoint breach is
prompting several states, including Georgia, New Hampshire, New York and
Texas, to consider bills patterned on the California notification law. Several
U.S. senators are pushing a federal law.
Continued in article
July 11, 2005 warning forwarded by Scott Bonacker
[cpa@bonackers.com]
Professor Jensen - Something for your tidbits?
Note - to restore the link, delete the carriage return/linefeed so that "columnItem"
is immediately followed by "/0,294698"
Scott Bonacker, CPA
McCullough Officer & Co, LLC
Springfield, Missouri
Phone 417-883-1212
Fax 417-883-4887
> -----Original Message-----
> From: Spam Prevention Discussion List
> Sent: Monday, July 11, 2005 9:37 AM
> Subject: MEDIA: [infowarrior] -
> Phishing for the missing piece of the CardSystems puzzle]
>
> [ Yet another illustration that the relationships between various
> forms of 'net abuse can be complex. In this case, spam, phishing,
> data theft and identity theft all converge.
> I think this illustrates that even if we could wave our magic wand and
> make SMTP spam vanish forever...we'd be far, far from out of the
> woods. ---Rsk ]
>
> ----- Forwarded message from infowarrior.org -----
>
> > Date: Sun, 10 Jul 2005 22:07:56 -0400
> > Subject: [infowarrior] - Phishing for the missing piece of the
> > CardSystems puzzle
> > http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1102336,00.html
> > Phishing for the missing piece of the CardSystems puzzle
> >
> > By Donald Smith
> > 07 Jul 2005 | SearchSecurity.com
> >
> > A banking insider examines the ties between customized phishing
> > attacks this spring and the CardSystems breach announced
> soon after.
> > Don't miss his revelations on how they're linked and what
> the phishers
> > really needed.
> >
> > Perhaps you heard about customized phishing scams when they began
> > circulating back in May, in which actual credit card data
> was used to
> > lure consumers into divulging even more secrets. But did you know
> > these scams could very well be the first externally visible
> result of
> > the CardSystems breach, before it was made public in June?
> >
> > -/SNIP/-
> >
> > About the author
> > Donald Smith is the IT audit manager for The Mechanics Bank of
> > Richmond, Calif. Smith's opinions are his own, and not those of The
> > Mechanics Bank.
> >
> > You are a subscribed member of the infowarrior list. Visit
> > www.infowarrior.org for list information or to unsubscribe. This
> > message may be redistributed freely in its entirety. Any and all
> > copyrights appearing in list messages are maintained by
> their respective owners.
> >
>
> ----- End forwarded message -----
Bob Jensen's threads on Identity
Theft --- http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft
Question
What is fraudulent "pretexting?"
Answer
"AICPA Warns of Possible Pretexting Calls," AccountingWeb, June 28, 2005
---
http://www.accountingweb.com/cgi-bin/item.cgi?id=101050
The Federal Trade Commission (FTC) defines
“pretexting” as the practice of getting personal information under false
pretenses. Pretexters will use a variety of excuses in an attempt to gain
personal information. Once they obtain the personal information they are
seeking, they may sell it to people who will use it for identity theft or
use it themselves to investigate or stalk an individual. Some personal
information is a matter of public record, including home- or
property-ownership, real estate taxes and whether a person or firm has ever
filed for bankruptcy. It is not pretexting to collect this type of
information.
It is, however, illegal for anyone to obtain
customer information from a financial institution or a customer of a
financial institution by:
- using false, fictitious or fraudulent
statements
- using forged, counterfeit, lost or stolen
documents
- asking a third person to get someone else’s
information using false, fictitious or fraudulent statements or forged,
counterfeit, lost or stolen documents.
Human resources experts advise that a business must
disclose certain information in order to verify employment history. Because
laws governing what an employer can and cannot say about employees are often
complex, it is recommended all calls requesting personal information be
transferred to a representative of the human resources or personnel
departments when they cannot be transferred directly to the person that is
being inquired about. Firms receiving calls from suspect “AICPA employees”
are also asked to contact Jay Rothberg, AICPA Vice President at
jrothberg@aicpa.org .
For about $100 anyone can buy your cell phone records
"I still know who you called last month," by Bob Sullivan,
The Red Tape Chronicles, MSNBC, November 22, 2005 ---
http://redtape.msnbc.com/2005/11/its_actually_ob.html
It's actually obscene what you can find out about
people on the Internet.
Take cell phone records -- literally. Your cell
phone bills are there for the taking, for about $100 a month. Dozens of Web
sites offer this service -- one month, or one year. Every call, every phone
number. However scary that sounds, it won’t really hit you until you see it
for yourself --
so click here for an example of what's out there. Then hit "back" in
your browser, and let me explain.
Who your friends are. How to contact them. Even
where you were. All those crumbs are on sale. Right now. Online. To anyone.
It may be outrageous, but it's not new. MSNBC.com
first wrote about this problem in October 2001, in a story titled "I know
who you called last month."
The problem was exposed years earlier by a private
investigator named Rob Douglas. Banking records, home phone long-distance
calling, even medical information, were all for sale, he told Congress. Once
a buyer of that kind of information, Douglas came to believe the practice
was unethical, unfair and maybe even illegal -- and he began a crusade
against the industry, eventually founding
PrivacyToday.com.
During hearings in
1998 and
2000, Douglas told Congress that private investigators simply pretend to
be their targets, call up the phone companies involved, and ask for the data
they want. Someone who wanted John Smith's cell phone records would just
call up the cell company claiming to be John Smith and ask for a duplicate
copy of last month's bill. It usually worked. In the business, it's known as
"pretext" calling -- calling and asking for records under a false pretext.
It was that easy.
Since then, reporters around the world have proved
Douglas' point by purchasing all kinds of interesting cell phone records.
Most recently,
Maclean's magazine purchased the records of Canadian federal privacy
commissioner Jennifer Stoddart.
Still, all those Web sites selling all those
records keep advertising their services.
But finally, someone seems to be noticing. In July,
the Electronic Privacy Information Center (EPIC)
filed a complaint with the Federal Trade Commission, asking for an
investigation. A month later,
EPIC
asked the Federal Communications Commission to alter its regulations to
make cell phone companies more accountable.
At about the same time, Sen. Charles Schumer, D-N.Y.,
introduced legislation designed to crack down on the sale of cell phone
records by pretext callers. More recently -- just last week -- Sen. Ed
Markey, D-Mass., sent a letter to both the FTC and the FCC demanding action.
Verizon steps up to the plate
But most important, a
cell phone company has finally stepped forward and said it can't take it any
more. In July,
Verizon sued a Web site named SourceResources.com for selling its
customers' cell phone records. In September, the site settled with Verizon,
agreeing to discontinue sales, and to tell Verizon how it managed to obtain
the customer records. Verizon spokesman Tom Pica won't say what the company
has learned from the trove of information. But it appears Verizon is in it
for the long haul; on Nov. 2, the firm went after another alleged pretext
Web site, a Florida company named Global Information Group. Pica said Global
Information agents made "thousands of attempts" to trick Verizon customer
service representatives into divulging phone records.
Kudos to Verizon for taking the issue on. For some
time, cell phone companies have been operating like the ostrich --
pretending the problem didn't exist would make it go away. In truth, cell
phone firms were afraid to take on the issue because doing so would be a
tacit admission that there's a problem. To sue Global and SourceResources,
Verizon had to admit these firms managed to steal data, something companies
are often reluctant to do.
But it's time to do something. Back in 2001, after
Douglas testified before Congress, he helped orchestrate a sting operation
against private investigators called Operation Detect Pretext. It
specifically targeted firms selling banking information; most sell the same
slate of personal data, including cell phone records.
Undeterred by FTC investigation
Initially, Douglas said, the Federal Trade Commission identified 1,500 firms
advertising such services, both online and offline. The list was pared to
200 firms,
which received warning notices. Then, about a dozen were targeted for
stings. FTC investigators using techniques designed by Douglas called those
firms, purchased data and recorded the conversations to be used as evidence
in later legal action. Eventually,
three
firms were sued. None was put out of business. In fact, one of the three
still operates -- Information Search Inc. On its site,
it
laments restrictions placed on its business by the FTC. And while the
site indicates the firm no longer sells banking information without a
permissible purpose, Information Search Inc. does still sell cell phone
records.
"We talk all the time about securing information,
and yet all of these companies are being duped by the easiest of scams,"
Douglas says.
Five years after his sting operation, pretext
calling still thrives. That's why Douglas says he doesn’t hold out much hope
that law enforcement will solve the problem of cell phone records for sale.
For now, Verizon's willingness to admit there's a
problem, and to put legal muscle into the fight against those who would
steal customer data, is the most hopeful sign.
Lack of imagination
Still, EPIC's Chris Hoofnagle
has so far been disappointed by other telecommunications companies and what
he describes as a "hostile" response to his complaint. They’ve so far
resisted calls for higher security standards. But simple steps could make a
big difference, like sending letters to account holders after toll records
are requested. Even a text message to the cell phone saying a request had
been made would alert consumers that there's a problem.
"The cell phone companies so far have suffered from
a lack of imagination," Hoofnagle said.
For now, Douglas says, Verizon's initial legal
forays haven’t deterred pretext calling
-- and a simple Google search supports his claim. That means even bolder
action is required. This is no mere philosophical debate for privacy
advocates. Stolen cell phone records and information sold by data thieves
and pretext callers have led to embarrassment, unfair harassment, even
murder. Reporters used the records to find and hassle families in the
Columbine tragedy. In the Internet's most celebrated murder case, stalker
Liam Youens purchased Amy Boyer's Social Security number and name of her
employer from a data seller named Docusearch. He then showed up at Boyer's
office and shot her to death.
On Youens' personal Web site was a simple
indictment we would all do well to heed.
"It's actually obsene [sic] what you can find out
about people on the Internet."
Spy Tools ---
http://locate-unlisted-phone-numbers.com/
(I really don't know how legitimate this outfit really is and make no endorsements
of its services)
Find and Trace: Unlisted Numbers | Cell Phone Numbers & Codes | E-mail Addresses
Protect Privacy: Anonymous Surfing | Anonymous E-mail | Erase Your Tracks | Monitor Your PC | See the Pictures Your Kids, Mate or Employees Viewed Days, Weeks or Months Ago | See the Web Sites They Visit While You're Not Around | Find Hidden and Alternate Screen Names People May be Using to "Play" Online
Also see
http://www.letsinvestigate.net/investigation/index.html
Unlisted phone numbers ---
http://ww182.voipinternetphone.info/
Cookies = Applets that enable a web site to
collect information about each user for later reference (as in finding cookies
in the cookie jar). Web Browsers like Netscape Navigator set aside a small
amount of space on the user's hard drive to record detected preferences.
Cookies perform storage on the client side that might otherwise have to be
stored in a generic-state or database server on the server side. Cookies can be
used to collect information for consumer profile databases. Browsers can be set
to refuse cookies.
Many times when you browse a website, your browser checks to see if you have
any pre-defined preferences (a cookie) for that server; if you do, it sends the
cookie to the server along with the request for a web page. Sometimes cookies
are used to collect the items of an order as the user places things in a shopping
cart and has not yet submitted the full order. A cookie allows WWW customers to
fill their orders (shopping carts) and then be billed based upon the cookie
payment information. Cookies retain information about a user's browsing patterns
at a web site. This creates all sorts of privacy risks, since information
obtained from cookies by vendors or any persons who put cookies on your computer
might be disclosed in ways that are harmful to you. Browsers will let you
refuse cookies with a setting that warns you when someone is about to deliver a
cookie, but this really disrupts Web surfing and may block you from gaining
access to many sites. It is probably better to accept cookies for a current
session and then dispose of unwanted cookies as soon as possible so that cookie
senders do not obtain repeated access to your private information.
Microsoft Corporation has added the following utilities to the Internet Explorer
(IE) browser according to http://www.cnn.com/2000/TECH/computing/07/21/ms.cookies.idg/
The Internet Explorer 5.5 changes include the
following:
• Notifications that Microsoft said will help users
differentiate between first- and third-party cookies, plus automatic prompts
that inform users anytime a third-party cookie is being offered by a Web site.
• A "delete all cookies" control button
that has been added to the browser's main "Internet options" page to
make it easier for users to get rid of cookies.
• New topics that have been added to Internet
Explorer's help menu to better answer questions about cookies and their
management.
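The cookie mechanics described above (the browser returning a stored cookie with each request to the matching server, accepting cookies for a session and disposing of them afterwards) and the first-/third-party distinction in the Internet Explorer notes, as an added example that is not code from this page or from any browser vendor. It is a small Python cookie jar; the host names (shop.example.com, ads.tracker.test) and the Set-Cookie headers are constructed, and the "site" comparison is a deliberate simplification of what real browsers do.

```python
"""Client-side cookie jar: cookies go only to matching hosts/paths, third-party
cookies are told apart from first-party ones, persistent ones are disposed of."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str        # host the cookie may be sent to (leading dot stripped)
    host_only: bool    # True when the server gave no Domain attribute
    path: str
    secure: bool       # only sent over https
    persistent: bool   # Max-Age or Expires present: would survive the session
    third_party: bool  # set by a host outside the top-level page's site


def site_of(host: str) -> str:
    """Approximate a host's 'site' by its last two labels (simplification:
    real browsers consult the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def domain_matches(request_host: str, cookie: StoredCookie) -> bool:
    request_host = request_host.lower()
    if cookie.host_only:
        return request_host == cookie.domain
    return request_host == cookie.domain or request_host.endswith("." + cookie.domain)


class SessionCookieJar:
    def __init__(self, block_third_party: bool = True):
        self.block_third_party = block_third_party
        self.cookies = {}    # (name, domain, path) -> StoredCookie
        self.rejected = []   # names of cookies refused, visible to the user

    def store(self, page_url: str, response_url: str, set_cookie_headers) -> None:
        """Process Set-Cookie headers from response_url while page_url is shown."""
        page_host = urlsplit(page_url).hostname
        resp_host = urlsplit(response_url).hostname
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)          # one Set-Cookie header per load call
            for name, m in parsed.items():
                domain = (m["domain"] or resp_host).lower().lstrip(".")
                # A server may set cookies only for its own host or a parent
                # domain of it; a Domain covering some other site is refused.
                if not (resp_host == domain or resp_host.endswith("." + domain)):
                    self.rejected.append(name)
                    continue
                third_party = site_of(resp_host) != site_of(page_host)
                if third_party and self.block_third_party:
                    self.rejected.append(name)
                    continue
                cookie = StoredCookie(
                    name=name, value=m.value, domain=domain,
                    host_only=not m["domain"], path=m["path"] or "/",
                    secure=bool(m["secure"]),
                    persistent=bool(m["max-age"] or m["expires"]),
                    third_party=third_party)
                self.cookies[(name, domain, cookie.path)] = cookie

    def cookie_header(self, request_url: str) -> str:
        """Build the Cookie header the browser would attach to a request."""
        u = urlsplit(request_url)
        path = u.path or "/"
        pairs = [f"{c.name}={c.value}" for c in self.cookies.values()
                 if domain_matches(u.hostname, c) and path.startswith(c.path)
                 and (not c.secure or u.scheme == "https")]
        return "; ".join(pairs)

    def persistent_cookies(self) -> list:
        """Cookies a normal browser would keep on disk after the session."""
        return sorted(c.name for c in self.cookies.values() if c.persistent)

    def end_session(self) -> int:
        """Dispose of persistent cookies when the session ends (the 'accept now,
        clean up afterwards' practice). Returns how many were removed."""
        keep = {k: c for k, c in self.cookies.items() if not c.persistent}
        removed = len(self.cookies) - len(keep)
        self.cookies = keep
        return removed


def demo() -> SessionCookieJar:
    """Constructed sample exchange; the hosts are placeholders, not real sites."""
    jar = SessionCookieJar(block_third_party=True)
    page = "https://shop.example.com/cart"
    jar.store(page, page, [
        "cart=item42; Path=/",                                        # session, host-only
        "uid=abc123; Domain=.example.com; Max-Age=31536000; Secure",  # persistent
        "evil=1; Domain=other.test",                                  # Domain does not cover setter
    ])
    jar.store(page, "https://ads.tracker.test/pixel.gif", [
        "track=xyz; Max-Age=31536000",                                # third-party tracker
    ])
    return jar
```

After `demo()`, the jar sends `cart=item42; uid=abc123` to shop.example.com over https, only `cart=item42` over plain http (uid is Secure), and lists `evil` and `track` as refused; `end_session()` then drops the one persistent cookie.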
Instruction for cookies control using Internet Explorer --- http://www.scholastic.com/cookies.htm
To accept cookies if you are using a PC running Windows...
Internet Explorer 5
1. Click Tools, and then click Internet Options.
2. Click the Security tab.
3. Click the Internet zone.
4. Select a security level other than High.
-or-
Click Custom Level, scroll to the Cookies section, and then click Enable
for both cookie options.
5. Click on Apply.
6. Click on OK.
Other nations, notably in Europe, have placed more severe restrictions on the
use of cookies. See http://www.cnn.com/2000/TECH/computing/07/21/eu.spam.idg/index.html
For more on cookies, see the following:
Are cookies bad for your computer's health?
"Extreme File Sharing," by Brian Krebs, The Washington Post,
October 18, 2005 ---
http://blogs.washingtonpost.com/securityfix/2005/10/extreme_file_sh.html?referrer=email
Spent a few hours over the weekend poking around
Limewire, an online peer-to-peer file-sharing
network where an estimated 2 million users share and swap MP3 files, movies,
software titles and just about anything and everything else made up of ones
and zeroes (including quite a few virus-infected files).
I was sifting the lists not for music or movie
files, but for the stuff Limewire users may not know they're sharing with
the rest of the network. I quickly found what I was looking for, and then
some: dozens of entries for tax and payroll records, medical records, bank
statements, and what appeared to be company books.
A search for "cookies"
or "paypal," for example, turned up cookie files for a
number of financial institutions. Having cookie files exposed might be a
little less dangerous if you couldn't also click your way through every
shared file on a user's machine. For the most part I found that users who
shared sensitive information were also sharing the contents of their entire
hard drives.
Some users were sharing many megabytes' worth of
e-mails and addresses from their Microsoft Outlook inboxes and archives. But
perhaps most revealing was a search for "keylog.txt," which turned up
several huge text files no doubt generated by a
keystroke
logger -- a nasty bit of malware that records
everything a victim types and relays the data back to the attacker.
At first, I felt a little weird looking at records
of one apparent victim's private (and frequently explicit) online chat
conversations from just a few months back. But I wanted to find some contact
information in there so I could at least notify this person that their
system had been compromised. I found an AIM instant message ID -- but alas,
that screen name wasn't signed on. I even found what appeared to be the
victim's cell phone number, but got a fast-busy signal upon dialing it.
As I read on, however, it became clear that the
victim at some point realized his machine was infected with some sort of
virus, as evidenced by his IM complaints to a friend that his antivirus
software had alerted him to something evil on his machine.
Over the course of several days (the first 10 or so
pages of the keylog record) it appears that the victim tried to repel
whatever had invaded his computer. Apparently he failed, because not long
after he seems to have stopped searching (or at least stopped complaining
about it) -- even though the keylogger was clearly still doing its job.
My guess is that this guy ran an antivirus or anti-spyware
scan which found and deleted something, so he figured everything was back to
normal.
This reminds me of a concept that security
professionals understand all too well: When a computer system is compromised
by a virus or worm, the only way to truly clean it is to back up the data
and reinstall the operating system, including any software patches issued
since the computer was purchased. This can be a bitter pill to swallow for
home users, many of whom have trouble understanding why someone would go
through the trouble of trying to hack their system in the first place.
None of this is to say that antivirus tools and other
security applications can't remove these intrusive programs on their own;
often they do the job quite nicely. But many of today's more aggressive
threats are designed to open the door for other intruders, which might not
be so easily detected by security software.
Obviously, the lessons here are: If you're going to
use file-sharing networks, be extremely careful about what you download;
and, pay close attention to the files and folders you are letting the rest
of the world see.
Bob Jensen's threads on file sharing are at
http://www.trinity.edu/rjensen/napster.htm
A December 1, 2002 message from one of my students on the topic of privacy on
the Internet
I'm not sure if you've ever been to their site or
not, but Double-Click is one of the companies that records the things people
do and sites they visit. They claim that they don't actually record names or
anything to allow them to identify you specifically. I think they use IP
addresses. But on their website ( http://www.doubleclick.com/us/corporate/privacy/privacy/default.asp?asp_object_1=&
) they give you the ability to "opt-out" and no longer have your
activities monitored by Double-Click and its partners. I stumbled upon this a
few years back and just thought I'd share it. Hope you had a good holiday.
Lonnie
Bob Jensen's threads on network security are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection
Question 1:
How can you send email anonymously?
Answer 1:
Simply set up an email account under a fictitious name. For example, you
can send email under multiple fictitious names from the Yahoo email server at http://www.yahoo.com/
(Click on "Mail" in the row "Connect")
Question 2:
How can you be totally anonymous on the Web such that cookie monsters do not
track your Web navigation at your site and bad guys cannot track your surfing
habits or get at your personal information such as medical records, name, mail
address, phone number, email address, etc.? (You can read about cookie
monsters at http://onyx.he.net/~hotmoves/LIC/cookies/
)
Answer 2:
There is probably no way to be 100% safe unless you use someone else's computer
without them knowing you are using that computer on the Web. In most
instances, the owner of the computer (a university, a public library, an
employer, etc.) will know who is using the computer, but cookie monsters and bad
guys on the Web won't have an easy time finding out who you are without having
the powers of the police.
About the safest way to remain anonymous as a Web surfer is to sign up for
Privada from the Internet service provider (ISP) from which you obtain your line
connection for purposes of connecting to the Web. In most instances, surfers pay a
monthly fee that will increase by about $5.00 per month for the Privada service
(if the ISP offers Privada or some similar service). To read more
about Privada, go to http://industry.java.sun.com/solutions/company/summary/0,2353,4514,00.html
Privada Control (Application)
Primary Market Target: Utilities&Services
Secondary Market Target: Financial Services
Description: Used with Privada Network, PrivadaControl
provides the consumer component of Privada's services, and is distributed to
end-users by network service providers. Users create an online identity that
cannot be linked to their real-world identity, allowing them to browse the
Internet with the level of privacy they choose while still reaping the
benefits of personalized content. PrivadaControl is built entirely in the
Java(TM) programming language and runs completely in a Java Virtual Machine.
For discussion of other forms of protection, see Privacy
in eCommerce.
Question 3:
Where can you find great links to security matters in computing?
Answer 3:
Try Yahoo's links at http://dir.yahoo.com/Computers_and_Internet/Internet/World_Wide_Web/Security_and_Encryption/
- DomiLock - online Lotus Domino security scanner.
- DShield - provides a platform for users of firewalls to share intrusion information.
- IDzap.com - offers secure and anonymous web browsing products.
- KeyNote Trust Management System - unified approach to specifying and interpreting security policies, credentials, and relationships, allowing direct authorization of security-critical actions.
- Netscape Security (2)
- Publius Censorship Resistant Publishing System - Web publishing system that is highly resistant to censorship and provides publishers with a high degree of anonymity, developed by researchers at AT&T Labs.
- Secure Sockets Layer (SSL) Protocol (11)
- Shields Up - Internet connection security analysis utility for Windows users.
- Shockwave Security Alert - details potential security holes created by Shockwave and solutions for them.
- Trust Management on the World Wide Web - paper describing the philosophy for codifying, analyzing, and managing trust decisions by Rohit Khare and Adam Rifkin.
- Twenty Most Critical Internet Security Vulnerabilities, The - based on consensus from security experts at the SANS Institute, grouped into three categories: general, Windows, and Unix vulnerabilities.
- FAQ - World Wide Web Security
Question 4:
It is extremely dangerous to open email attachments. However, is it
dangerous to open an email message without opening any attachments?
Answer 4:
Generally the answer is no. However, it is a bit more complicated than
this. The following is stated at http://www.w3.org/Security/Faq/wwwsf2.html#CLT-Q11
For many years the
answer to this question was a resounding no and that is largely the
case now as well. There are a series of hoax chain letters that are seemingly
endlessly circulating around the globe. A typical letter is the "Good
Times" hoax. It will warn you that if you see an e-mail with a subject
line that contains the phrase "Good Times" you should delete it
immediately because the very fact of opening it will activate a virus that
will do damage to your hard disk. The letter will encourage you to send this
warning to your friends.
The "Good
Times" hoax, and many like it, are simply not true. However there are
enough people who believe these hoaxes that the messages are endlessly
forwarded and reforwarded. If you get a letter like this one, simply delete
it. Do not forward it to your friends, and please do not forward it to any
mailing lists. If you are uncertain whether the letter is a hoax, refer it to
your system administrator or network security officer.
Just to make life
complicated, however, there are some cases in which the simple act of opening
an e-mail message can damage your system. The newer generation of
e-mail readers, including the one built into Netscape Communicator, Microsoft
Outlook Express, and Qualcomm Eudora all allow e-mail attachments to contain
"active content" such as ActiveX controls or JavaScript programs. As
explained in the JavaScript and in the ActiveX
sections, active content provides a variety of backdoors that can
violate your privacy or perhaps inflict more serious harm. Until the various
problems are shaken out of JavaScript and ActiveX, enclosures that might
contain active content should be opened cautiously. This includes HTML pages
and links to HTML pages. Disabling JavaScript and ActiveX will immunize you to
potential problems.
In addition, there
are other cases where e-mail messages can be harmful to your health. In the
summer of 1998, a number of programming blunders were discovered in e-mail
readers from Qualcomm, Netscape and Microsoft. These blunders (which involved
overflowing static buffers) allowed a carefully crafted e-mail message to
crash your computer or damage its contents. No actual cases of damage arising
from these holes have been described, but if you are cautious you should
upgrade to a fixed version of your e-mail reader. More details can be found at
the vendors' security pages:
- Microsoft - http://www.microsoft.com/security/bulletins/
- Netscape - http://www.netscape.com/products/security/
- Qualcomm - http://eudora.qualcomm.com/security.html
Finally, don't forget
that some documents do carry viruses. For example, Microsoft Word, Excel and
PowerPoint all support macro languages that have been used to write viruses.
Naturally enough, if you use any of these programs and receive an e-mail
message that contains one of these documents as an enclosure, your system may
be infected when you open that enclosure. An up-to-date virus checking program
will usually catch these viruses before they can attack. Some virus checkers
that recognize macro viruses include:
- McAfee VirusScan - http://www.mcafee.com/
- Symantec AntiVirus - http://www.symantec.com/
- Norton AntiVirus - http://www.symantec.com/
- Virex - http://www.datawatch.com/virex.shtml
- IBM AntiVirus - http://www.av.ibm.com/
- Dr. Solomon's Anti-Virus - http://www.drsolomon.com/
Question 5:
How can I safely open up email attachments?
Answer 5:
One way is to save the attachment to a floppy disk or some other storage disk
that can be accessed by more than one of your computers. Then open the
attachment on the computer that you least care about if there is a virus
infection. Even that computer, however, should have the latest updated
version of one of the virus detection programs listed above.
You can avoid macro virus damage (which is the most
common type of danger when opening email attachments) by installing QuickView
Plus from JASC. The good news is that you are totally safe from macro
viruses. The bad news is that QuickView Plus does not provide full
functionality apart from displaying the text and graphics. For example,
QuickView Plus will not run the macros that may be an integral part of an Excel
program. To read more about QuickView Plus, go to http://www.jasc.com/
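The macro-virus risk described in Answers 4 and 5 can be checked before an attachment is opened at all. The following is an added example (not code from the W3C FAQ, from this page, or from QuickView Plus): it inspects an attachment's container format and reports whether a VBA macro project is present, so the decision to open rests on content rather than on the sender-chosen extension. It assumes the OOXML vbaProject.bin part and the OLE2 storage names "_VBA_PROJECT" and "Macros" as indicators, and builds its sample files in memory.

```python
"""Attachment triage before opening: flag Office documents that carry a VBA
macro project. Sample files are constructed in memory; nothing is read from disk."""
import io
import zipfile
from dataclasses import dataclass

# Container magic numbers: PK zip (Office 2007+ OOXML formats) and the OLE2
# compound file used by the legacy .doc/.xls/.ppt formats.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entry names are stored as UTF-16LE; these storages hold VBA.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


@dataclass
class Verdict:
    container: str    # "ooxml", "ole2" or "other"
    has_macros: bool  # True only when VBA was positively found
    detail: str


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Decide whether an attachment is an Office file carrying macros. The
    file content, not the extension the sender chose, drives the decision."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return Verdict("other", False, "corrupt zip container")
        # OOXML keeps VBA code in a vbaProject.bin part (under word/, xl/ or ppt/).
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba:
            return Verdict("ooxml", True, f"VBA project present: {vba[0]}")
        if ext in ("docm", "xlsm", "pptm"):
            return Verdict("ooxml", False, "macro-enabled extension, no VBA part")
        return Verdict("ooxml", False, "no VBA project part")
    if data.startswith(OLE_MAGIC):
        # Heuristic: look for the VBA storage names in the raw bytes. Absence is
        # reported as "not ruled out", not as "clean", because a full OLE2
        # directory parser is needed to be certain.
        for marker in OLE_VBA_MARKERS:
            if marker in data:
                return Verdict("ole2", True,
                               f"VBA storage {marker.decode('utf-16-le')!r} found")
        return Verdict("ole2", False, "legacy OLE2 file; macros not ruled out")
    return Verdict("other", False, "not an Office container")


def build_ooxml(parts: dict) -> bytes:
    """Build a minimal zip standing in for an OOXML document (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean .docx, a macro-enabled .xlsm, a .docx that hides
# a VBA part behind a harmless-looking extension, a legacy .doc with a Macros
# storage, and a plain text file.
SAMPLES = {
    "clean.docx": build_ooxml({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>"}),
    "macro.xlsm": build_ooxml({"xl/workbook.xml": "<workbook/>",
                               "xl/vbaProject.bin": b"\x00" * 64}),
    "disguised.docx": build_ooxml({"word/document.xml": "<w:document/>",
                                   "word/vbaProject.bin": b"\x00" * 64}),
    "legacy.doc": OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64,
    "notes.txt": b"just text",
}


def triage_all(samples=SAMPLES) -> dict:
    """Triage every sample; the caller decides which files may be opened."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}
```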
Especially
note the Stein and Stewart FAQ site at http://www.w3.org/Security/Faq/www-security-faq.html
CONTENTS
- Introduction
- What's
New?
Recent
versions of the FAQ.
- Version 3.0.1, June 22, 2001
- Added information on the
MIME Headers, cache content flaw, and certificate
validation in Internet
Explorer 5.5.
- Added information on the
email tapping Netscape
6.
- Added information on the
Brown Orifice vulnerability in Netscape
4.0-4.74.
- Added new section on Active
Content Protection
- Version 2.0.1, March 24, 2000
|
- General
Questions
- Q1
What's to worry about?
- Q2
Exactly what security risks are we talking about?
- Q3
Are some Web servers and operating systems more secure than others?
- Q4
Are some Web server software programs more secure than others?
- Q5
Are CGI scripts insecure?
- Q6
Are server-side includes insecure?
- Q7
What general security precautions should I take?
- Q8
Where can I learn more about network security?
- Client
Side Security
- Q1
How do I turn off the "You are submitting the contents of a form
insecurely" message in Netscape? Should I worry about it?
- Q2
How secure is the encryption used by SSL?
- Q3
When I try to view a secure page, the browser complains that the site
certificate doesn't match the server and asks me if I wish to
continue. Should I?
- Q4
When I try to view a secure page, the browser complains that it
doesn't recognize the authority that signed its certificate and asks
me if I want to continue. Should I?
- Q5
How private are my requests for Web documents?
- Q6
What's the difference between Java and JavaScript?
- Q7
Are there any known security holes in Java?
- Q8
Are there any known security holes in JavaScript?
- Q9
What is ActiveX? Does it pose any risks?
- Q10
Do "Cookies" Pose any Security Risks?
- Q11
I hear there's an e-mail message making the rounds that can trash my
hard disk when I open it. Is this true?
- Q12
Can one Web site hijack another's content?
- Q13
Can my web browser reveal my LAN login name and password?
- Q14
Are there any known problems with Microsoft Internet Explorer?
- Q15
Are there any known problems with Netscape Communicator?
- Q16
Are there any known problems with Lynx for Unix?
- Q17
Someone suggested I configure /bin/csh as a viewer for documents of
type application/x-csh. Is this a good idea?
- Q18
Is there anything else I should keep in mind regarding external
viewers?
- Server
Side Security
- General
- Q1
How do I set the file permissions of my server and document roots?
- Q2
I'm running a server that provides a whole bunch of optional
features. Are any of them security risks?
- Q3
I heard that running the server as "root" is a bad idea.
Is this true?
- Q4
I want to share the same document tree between my ftp and Web
servers. Is there any problem with this idea?
- Q5
Can I make my site completely safe by running the server in a
"chroot" environment?
- Q6
My local network runs behind a firewall. How can I use it to
increase my Web site's security?
- Q7
My local network runs behind a firewall. How can I get around it
to give the rest of the world access to the Web server?
- Q8
How can I detect if my site's been broken into?
- Windows NT Servers
- Q9
Are there any known problems with the Netscape Servers?
- Q10
Are there any known problems with the WebSite Server?
- Q11
Are there any known problems with Purveyor?
- Q12
Are there any known problems with Microsoft IIS?
- Q13Are
there any known security problems with Sun Microsystem's
JavaWebServer?
- Q14Are
there any known security problems with the MetaInfo MetaWeb
Server?
- Unix Servers
- Q15
Are there any known problems with NCSA httpd?
- Q16
Are there any known problems with Apache httpd?
- Q17
Are there any known problems with the Netscape Servers?
- Q18
Are there any known problems with the Lotus Domino Go Server?
- Q19
Are there any known problems with the WN Server?
- Macintosh Servers
- Q20
Are there any known problems with WebStar?
- Q21
Are there any known problems with MacHTTP?
- Q22
Are there any known problems with Quid Pro Quo?
- Other Servers
- Q23
Are there any known problems with Novell WebServer?
- Server Logs and Privacy
- Q24
What information do readers reveal that they might want to keep
private?
- Q25
Do I need to respect my readers' privacy?
- Q26
How do I avoid collecting too much information?
- Q27
How do I protect my readers' privacy?
- CGI Scripts
- General
- Q1
What's the problem with CGI scripts?
- Q2
Is it better to store scripts in the cgi-bin directory or to
identify them using the .cgi extension?
- Q3
Are compiled languages such as C safer than interpreted languages
like Perl and shell scripts?
- Q4
I found a great CGI script on the Web and I want to install it.
How can I tell if it's safe?
- Q5
What CGI scripts are known to contain security holes?
- Language Independent Issues
- Q6
I'm developing custom CGI scripts. What unsafe practices should I
avoid?
- Q7
But if I avoid eval(), exec(), popen() and system(), how can I
create an interface to my database/search engine/graphics package?
- Q8
Is it safe to rely on the PATH environment variable to locate
external programs?
- Q9
I hear there's a package called cgiwrap that makes CGI scripts
safe?
- Q10
People can only use scripts if they're accessed from a form that
lives on my local system, right?
- Q11
Can people see or change the values in "hidden" form
variables?
- Q12
Is using the "POST" method for submitting forms more
private than "GET"?
- Q13
Where can I learn more about safe CGI scripting?
- Safe Scripting in Perl
- Q14
How do I avoid passing user variables through a shell when calling
exec() and system()?
- Q15
What are Perl taint checks? How do I turn them on?
- Q16
OK, I turned on taint checks like you said. Now my script dies
with the message: "Insecure path at line XX" every
time I try to run it!
- Q17
How do I "untaint" a variable?
- Q18
I'm removing shell metacharacters from the variable, but Perl
still thinks it's tainted!
- Q19
Is it true that the pattern matching operation $foo=~/$user_variable/
is unsafe?
- Q20
My CGI script needs more privileges than it's getting as user
"nobody". How do I run a Perl script as suid?
- Protecting Confidential Documents at Your Site
- Q1
What types of access restrictions are available?
- Q2
How safe is restriction by IP address or domain name?
- Q3
How safe is restriction by user name and password?
- Q4
What is user verification?
- Q5
How do I restrict access to documents by the IP address or domain name
of the remote browser?
- Q6
How do I add new users and passwords?
- Q7
Isn't there a CGI script to allow users to change their passwords
online?
- Q8
Using .htaccess to control access in individual directories
is so convenient, why should I use access.conf?
- Q9
How does encryption work?
- Q10
What are: SSL, SHTTP, Shen?
- Q11
Are there any "freeware" secure servers?
- Q12
Can I use Personal Certificates to Control Server Access?
- Q13
How do I accept credit card orders over the Web?
- Q14
What are: CyberCash, SET, Open Market?
- Denial of Service Attacks
- Overview
- Q1
What is a Denial of Service attack?
- Q2
What is a Distributed Denial of Service attack?
- Q3
How is a DDoS executed against a website?
- Q4
Is there a quick and easy way to secure against a DDoS attack?
- Q5
Can the U.S. Government make a difference?
- Step-by-Step
- Q6
How do I check my servers to see if they are active DDoS hosts?
- Q7
What should I do if I find a DDoS host program on my server?
- Q8
How can I prevent my servers from being used as DDoS hosts in the
future?
- Q9
How can I prevent my personal computer from being used as a DDoS
host?
- Q10
What is a "smurf attack" and how do I defend against it?
- Q11
What is "trinoo" and how do I defend against it?
- Q12
What are "Tribal Flood Network" and "TFN2K"
and how do I defend against them?
- Q13
What is "stacheldraht" and how do I defend against it?
- Q14
How should I configure my routers, firewalls, and intrusion
detection systems against DDoS attacks?
- Bibliography
Corrections and Updates
We welcome bug reports,
updates, reports about broken links, comments and outright disagreements.
Please send your comments to lstein@cshl.org
and/or jns@digitalisland.net.
Please make sure that you are referring to the most recent version of the
FAQ (maintained at http://www.w3.org/Security/Faq/);
someone else might have caught the problem before you.
Please understand that we
maintain the FAQ on a purely voluntary basis, and that we may fall behind
on making updates when other responsibilities intrude. You can help us out
by making an attempt to identify replacement links when reporting a broken
one, and by suggesting appropriate rewording when you have found an error
in the text. Suggestions for new questions and answers are welcomed,
particularly if you are willing to contribute the text yourself.
Two Cases Selected for Presentation and Publication in the AICPA Academic/Practitioner
Case Competition
I also converted the draft of two technology assurance services cases that I
presented (with the help of my co-authors John Howland and Bruce Sidlinger) at
the 1998 AICPA Accounting Educators Conference. The motivation for these cases
was to highlight the dangers of CPA ventures into providing assurance services
for computers and networking systems. The cases were written for my ACCT 5342
Accounting Information Systems students. I would appreciate feedback on this
case from readers who venture to
http://WWW.Trinity.edu/rjensen/acct5342/262wp/262case1.htm
You can now link to the solutions from the cases
themselves. Also see Jensen, Howland, and Sidlinger solutions at
http://www.aicpa.org/members/div/career/edu/caselist.htm#98
"The Dangerous Side of Search Engines: Popular search engines
may lead you to rogue sites. Here's what you need to know to avoid dangerous
downloads, bogus sites, and spam," by Tom Spring, PC World via
The Washington Post, May 27, 2006 ---
Click Here
Who knew an innocent search for "screensavers"
could be so dangerous? It may actually be the riskiest word to type into
Google's search engine. Odds are, more than half of the links that Google
returns take you to Web sites loaded with either spyware or adware. You
might also face getting bombarded with spam if you register at one of those
sites with your e-mail address.
A recently released study, coauthored by McAfee and
anti-spyware activist Ben
Edelman , found that sponsored results from top
search engines AOL, Ask.com, Google, MSN, and Yahoo can often lead to Web
sites that contain spyware and scams, and are operated by people who love to
send out spam.
The
study concluded that an average of 9 percent of
sponsored results and 3 of organic search results link to questionable Web
sites. The study was based on analysis of the first five pages of search
results for each keyword tested.
According to the results of the study, the top four
most dangerous searches on Google are:
The study defined dangerous sites as those that
have one or a combination of the following characteristics: its downloads
contain spyware and/or adware; its pages contain embedded code that performs
browser exploits; the content is meant to deceive visitors in some way; it
sends out inordinate amounts of spam to e-mail accounts registered at the
site.
These results are a sobering wake-up call to Web
surfers, and they illustrate the changing nature of Internet threats today.
It used to be that most viruses and scams made their way to our PCs
via our inboxes . But thanks to security software
that's getting better at filtering out viruses, spam, and phishing attacks
from our e-mail, rogue elements are
having a difficult time booby-trapping our PCs.
"Scammers and spammers have clearly turned to
search engines to practice their trade," says Shane Keats, market strategist
for McAfee.
McAfee says that of the 1394 popular keywords it
typed into Google and AOL alone, 5 percent of the results returned links to
dangerous Web sites. Overall, MSN search results had the lowest percentage
of dangerous sites (3.9 percent) while Ask search results had the highest
percentage (6.1 percent).
Given the study's findings, it shouldn't come as a
big surprise that the company has a free tool, called McAfee SiteAdvisor,
for tackling the problems. In my tests I found it does a great job of
protecting you from the Web's dark side.
Since March McAfee has been offering a
browser plug-in that works with Mozilla Firefox
and
Microsoft Internet Explorer. SiteAdvisor puts a
little rectangular button in the bottom corner of the browser. If a site
you're visiting is safe, the SiteAdvisor button stays green. When you visit
a questionable Web site the button turns red or yellow (depending on the
risk level) and a little balloon expands with details on why SiteAdvisor has
rated the site as such.
SiteAdvisor ratings are based on threats that
include software downloads loaded with adware or spyware, malicious code
embedded in Web pages, phishing attempts and scams, and the amount of spam
that a registered user gets.
SiteAdvisor takes it a step further with Google,
MSN, and Yahoo. With these search engines, it puts a rating icon next to
individual results. This is a great safety feature and time saver, steering
you clear of dangerous sites before you make the mistake of clicking on a
link.
Continued in article
Bob Jensen's search helpers are at
http://www.trinity.edu/rjensen/searchh.htm
Hacking into Systems
Hackers are having success in looting online stock accounts: Guess where
these high tech thieves live?
Hackers have been breaking into customer accounts at
large online brokerages in the United States and making unauthorized trades
worth millions of dollars as part of a fast-growing new form of online fraud
under investigation by federal authorities. E-Trade Financial Corp., the
nation's fourth-largest online broker, said last week that "concerted rings" in
Eastern Europe and Thailand caused their customers $18 million in losses in the
third quarter alone.
Ellen Nakashima, "Hackers Zero In on Online Stock Accounts," The Washington
Post, October 24, 2006 ---
Click Here
Web Definitions of a Hacker
Definitions of Hacker on the Web:
- Unauthorized user who attempts to or gains access to an information
system.
www.tecrime.com/0gloss.htm
- A person who enjoys exploring the details of computers and how to
stretch their capabilities. A malicious or inquisitive meddler who tries
to discover information by poking around. A person who enjoys learning
the details of programming systems and how to stretch their
capabilities, as opposed to most users who prefer to learn on the
minimum necessary.
www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
- A slang term for a computer enthusiast. Among professional
programmers, the term hacker implies an amateur or a programmer who
lacks formal training. Depending on how it is used, the term can be either
complimentary or derogatory, although it is developing an increasingly
derogatory connotation. ...
dtp.epsb.net/glossary.htm
- Originally, a hacker was a term of respect, used among computer
programmers, designers, and engineers. The hacker was one who created
original and ingenious programs. Unfortunately, the current popular
meaning of the term is used to describe those who break into systems,
destroy data, steal copyrighted software, and perform other destructive
or illegal acts with computers and networks.
www.cem.uvm.edu/util/html/definitions.php
- The term 'hacker' has been abused by the media to give a negative
connotation - of someone who engages in breaking into computers. In fact
'hacker' within the subculture of computing has a positive connotation,
meaning someone who is technologically adept with computers, electronics
or any other technical specialism. In the computer subculture those who
break into computer systems are referred to as 'crackers'. ...
www.fraw.org.uk/library/005/gn-irt/glossary.html
- 1) According to The New Hacker's Dictionary a hacker is a clever
computer programmer, who does not necessarily engage in illegal
activities. 2) In the media, a Hacker refers to a person who illegally
breaks in or attempts to break into a computer system. See Cracker.
practice.findlaw.com/glossary.html
- A highly proficient computer programmer who seeks to gain
unauthorised access to systems without malicious intent.
www.smoothwall.net/support/glossary.html
- A person who illegally gains access to your computer system.
www.infosec.gov.hk/english/general/glossary_gj.htm
- A person who is very knowledgeable about computers and might try to
break into your computer to steal information, plant a virus, or play a
practical joke on you with devious intent.
www.pcviper.com/help/glossary.html
- a person who attempts to gain unauthorized access to a computer
system.
www.gbc.t-online.hu/english/bszotare2.htm
- Slang term for a technically sophisticated computer user who enjoys
exploring computer systems and programs, sometimes to the point of
obsession.
www.incredible.co.za/services/glossary/glossary.asp
- A person who understands the "ins and outs" of computers, networks,
and the Internet in general. The term generally refers to a person who
has intent to access a computer system without authorisation.
www.e-government.govt.nz/docs/authentication-bpf/chapter15.html
- A person who delves into software more deeply than an average PC
user. Hackers are often seen as "White hats" or "Black hats." White hat
hackers help fix badly written software programs and write new programs
for the greater good of the computing community. Black hats modify or
create software for criminal purposes such as stealing your passwords,
your identity, your bank account or simply to slow the Internet down to
no one's amusement but themselves. ...
www.aoaforums.com/frontpage/index.php
- Someone who tries to use their own computer and keyboard to break
through computer security of another user, business, or organisation. It
is usually done for fun, mischievous purposes, or to test limits. If
done with criminal intent, he/she becomes known as a cracker.
www.techwriter.co.nz/nerd-eh.html
- Hacker is a term used to describe different types of computer
experts. The media and the general populace typically use the term to
mean "computer criminal"; however, in many computer subcultures it
simply means "clever programmer", with no connotation of computer
security skill. It is also sometimes extended to mean any kind of
expert, especially one who has particularly detailed knowledge or
cleverly circumvents limits.
en.wikipedia.org/wiki/Hacker
How to Become a Hacker ---
http://www.catb.org/~esr/faqs/hacker-howto.html
Some examples of hacking are: password cracking
programs, port scanning of any computer that is not owned by the person doing
the scanning and gaining access or attempting to gain access to another computer
without the owner's permission. It should be kept in mind that port scanning is
considered by the vast majority of network administrators to be a "hostile" act
and a precursor to an actual hacking attempt. In light of the recent rash of
highly publicized incidents by the news media, it should be remembered that
network administrators are tracking attempts to hack into their systems, and
report those attempts immediately to the University when they occur.
Koç University Network and Internet ---
http://www1.ku.edu.tr/main/home.php?i=852&c=471&m=537&s=2&p=5&l=en
"Unknown Attacks: A Clear and Growing Danger," by Secure Computing,
InformationWeek, January 2006 ---
http://snipurl.com/UnknownAttacks
If a stalker is after you, chances are he/she is reading your email and
is prepared for character assassination
"Stalkers Go High Tech to Intimidate Victims," by Chris L. Jenkins, The
Washington Post, April 14, 2007; Page A01 ---
http://www.washingtonpost.com/wp-dyn/content/article/2007/04/13/AR2007041302392.html
The case had the makings of an eerie cyber-mystery:
A young Alexandria woman told local police she suspected that her
ex-boyfriend was tapping into her e-mail inbox from thousands of miles away,
reading messages before she could and harassing the senders.
She was right to be suspicious. Her ex had hacked
into her e-mail account, either guessing her password or using spyware --
software that can secretly read e-mails and survey cyber-traffic, law
enforcement officials said. For months, apparently, he had followed her
every online move, part of a pattern of abuse city police are still
investigating.
Law enforcement officials and safety groups have
focused on the Internet as an arena for such types of harassment as false
impersonation and character assassination as more people voluntarily place
their private lives on public display through Web sites such as Facebook.com
and MySpace.com.
But a little-discussed and more threatening
phenomenon is also happening to the unwitting online and in the high-tech
world: cyber-stalking, the illegal monitoring of private information and
communication of ex-lovers and spouses as a form of domestic violence. The
spurned often use global positioning systems, invasive computer programs,
cellphone monitoring chips and tiny cameras to follow the whereabouts,
goings-on and personal communications of unsuspecting victims.
Cases from across the country have shown that
stalkers with little more than cursory computer knowledge have been able to
track the e-mail and Web activity of current or recently divorced spouses.
In other cases, some cellphones, outfitted with GPS chips, are secretly
attached to cars, and the signals are then followed online.
A Fairfax County woman named Carol, who requested
that her last name be withheld because her case is ongoing, said her
ex-husband accessed her e-mail and confronted her with personal information
she had shared only with a close family member.
The cyber-stalking came after weeks of harassing
e-mails and traditional stalking behavior, such as peeking in her window.
She's convinced that he presented the computer information to prove that he
could violate her sense of security whenever and wherever he wanted, even
after he moved out of the region. At one point he sent an e-mail saying "I
know what you're doing" and recounted personal actions she had told a family
member only via e-mail.
"When the stalking comes from someplace, anyplace,
it makes you wonder what he's really capable of . . . what he was going to
do next," Carol said. "He could have been anywhere at anytime looking into
my life and getting to me. He could have seen anything, like legal documents
I was forwarding; or where I was going to be. That's what I never knew."
Just as technology has opened a new realm of abuse
to those who seek to stalk someone from afar, cyber-stalking, in turn, has
opened a new avenue of violation. Victims feel powerless to stop others from
reading legal documents and intimate correspondence as well as tracking
their every online move.
"What's so disturbing for many victims is that they
can be harassed or followed from anywhere," said Susan Folwell, manager of
the Domestic Violence Grant Program at the Women's Center, a counseling and
resource center in Vienna. She said she has worked with victims who have had
GPS devices placed in children's backpacks and listening devices put in tote
bags.
"Victims begin thinking, 'I'm totally powerless'
and start wondering what they have to give up to stay safe," she added.
The scope of the activity is somewhat unclear,
police officials and victims' rights advocates said. In many cases, those
who are being stalked through the airwaves aren't aware that they are being
monitored. And evidence is difficult to gather, so police officials often
don't feel they have enough to clinch prosecution.
Continued in article
Want to know about a super secret site?
There's a huge danger from disgruntled and/or opportunist employees
HF's contention is that antivirus companies benefit from keeping their customers
just one step ahead of the next big malware attack. In other words, why bother
to invest the time and money creating a revolutionary anti-malware engine when
companies are willing to pay to upgrade regularly?
"Getting to the Root of Rootkits," by Larry Greenemeier, InformationWeek
Newsletter, January 19, 2006
The futility of today's
model for antivirus protection is fairly obvious. Plug one hole in the dike and
another will sprout. Pretty soon, you're running out of fingers and toes to hold
back the flood. It gets worse. Attackers without the skill to create their own
malicious hacks can outsource their dirty business to others who will write the
code for them and then offer services that keep these rootkits from being
detected.
One of the most prominent
rootkit suppliers is the Hacker Defender site, which I learned about during an
interview with Herbert Thompson, Ph.D., chief security strategist for Security
Innovation Inc., a provider of application security services. Worse than simply
selling rootkits to the masses, Hacker Defender also offers anti-detection
services that will help ensure that its rootkits aren't detected by antivirus
and other malware-prevention software.
These third-party
rootkits could be used by an employee who's about to leave an organization or
someone who thinks he or she will be fired and would love to keep control within
a network, Thompson told me. It's incredibly difficult for law enforcement to
gather evidence against someone selling hacks or botnets, unless they slip up
somehow. "If they are doing it from their house, they are traceable; but what
about if they're doing business from kiosks or libraries?" Thompson asks.
When I asked Thompson how
a site trying so hard to protect its identity (the person running the site
refers to himself only as Holy Father) could collect for its services, he told
me that the answer is E-gold. Excuse me? He told me about one West Indies
company, E-gold Ltd., that doesn't possess any national currency of any nation
and has no bank accounts. "They don't trade in any sovereign currency, so they
avoid the scrutiny of the Secret Service," Thompson says.
Like most tech pros who
make a living selling security to defend against attacks, Thompson couldn't give
me a good explanation of why someone would trade in malicious code, other than
to make money. Of course, if you're that skilled a programmer, there are lots of
ways to make money. I decided to bless myself and E-mail Holy_Father.
To my surprise, he
actually got back to me within a few hours. HF claims that it's because of his
work--he launched the site in 2002--that so many people even know what a rootkit
is. Of course, he had a lot of help from Sony.
HF's contention is that
antivirus companies benefit from keeping their customers just one step ahead of
the next big malware attack. In other words, why bother to invest the time and
money creating a revolutionary anti-malware engine when companies are willing to
pay to upgrade regularly? Sounds to me like he's accusing the software market of
complacency. I suppose he wouldn't be the first. What's your take? Are the
software companies being complacent? Is there anything the white hats can do to
win the chess match?
The Hacker Defender site is at
http://hxdef.czweb.org/about.php
More on security threats and hoaxes ---
http://www.trinity.edu/its/virus/
"Security on Public Wireless Networks," by Walter S. Mossberg, The
Wall Street Journal, April 6, 2006; Page B4 ---
http://online.wsj.com/article/mossberg_mailbox.html
Q:
Does the security I've installed for my home wireless network protect me
when I take my laptop to a public hot spot? If no, what can I do to protect
against snoopers there? I run both Windows and Apple laptops.
A:
No. The wireless security in your home is a network feature, not a laptop
feature. It doesn't come along with your computers when you use another
wireless network. At a public hot spot, you are sharing a network with
strangers. So you can't entirely guarantee your security and privacy from
prying or malicious people in the vicinity. However, I would turn off all
file-sharing features on the laptop, make sure a firewall is running, and
avoid doing anything sensitive online, such as financial transactions.
Q:
If one has a box of unlabeled USB cables, is there any way to sort USB
1.1 cables from the USB 2.0 cables? Or is there even a difference?
A:
You can't sort them, and in most cases there is no difference. Older USB
cables that were certified to work on the older 1.1 ports should also work
perfectly with the faster USB 2.0 ports. The USB 2.0 standard was designed
to work with the same cables as USB 1.1. In fact, I have never seen or used
a USB cable, no matter how old, that couldn't be used at full speed with USB
2.0. However, some cheaply made older cables that weren't certified might
fail.
Denial of Service
Definitions of Denial of Service on the Web: (found in a Google search)
- Action(s) which prevent any part of an AIS from functioning in
accordance with its intended purpose.
www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
- Result of any action or series of actions that prevents any part of
an information system from functioning.
www.tecrime.com/0gloss.htm
- is a hacker attack designed to shut down or overwhelm a system, such
as a Web server or authentication server.
www.dis.wa.gov/portfolio/Definitions.htm
- A condition in which a system can no longer respond to normal
requests.
www.wetstonetech.com/page/page/1972572.htm
- An attack on a network designed to render it - or an Internet
resource - unavailable. The target may be an organisation's e-mail
services or its website.
www.powernet.co.uk/client/general/glossary.shtml
- this is what happens when something stops working. Any service can
be denied. If there is service in the McDonald's drive through, a denial
of service for the fast-food drive-through might be cutting the wires
that allow the speaker and microphone to relay communications between
the sign and the window. Another might be to blow up the building, or
something small like paying everyone to not show up at work, or go on
strike. ...
mike.passwall.com/networking/termd.html
- Unwanted or malicious messages that render network resources
non-functional. Some examples are Ping of Death, SYN flood, IP spoofing
and Smurf attacks.
www.sequi.com/SEQUI_VPN_Glossary.htm
- On the Internet, a denial of service (DoS) attack is an incident in
which a user or organization is deprived of the services of a resource
they would normally expect to have. Typically, the loss of service is
the inability of a particular network service, such as e-mail, to be
available or the temporary loss of all network connectivity and
services. In the worst cases, for example, a Web site accessed by
millions of people can occasionally be forced to temporarily cease
operation. ...
www.marketconscious.com/dict.htm
- A type of attack that tries to block a network service by
overloading the server.
www.ingate.com/files/422/fwmanual-en/xa11944.html
- The prevention of authorised access to system assets or the delaying
of time-critical operations.
www.flashback.se/archive/BT/btcsmg.html
- A denial of service attack is when an attacker consumes the
resources on your computer for things it was not intended to be doing,
thus preventing normal use of your network resources for legitimate
purposes.
gul.ime.usp.br/Docs/docs/howto/other-formats/html/HOWTO-INDEX-html/Security-HOWTO-12.html
- Action or actions that result in the inability of an automated
information system or any essential part to perform its designated
mission, either by loss or degradation of operational capability.
https://atiam.train.army.mil/soldierPortal/atia/adlsc/view/public/6903-1/fm/3-13/glos.htm
- A denial-of-service attack (also, DoS attack) is an attack on a
computer system or network that causes a loss of service to users,
typically the loss of network connectivity and services by consuming the
bandwidth of the victim network or overloading the computational
resources of the victim system.
en.wikipedia.org/wiki/Denial_of_Service
Blackmail: Here's a ploy of techie bad guys
"Blackmailers Behind Attack On Million-Dollar Site: The British
college student who launched an ad gimmick on the Web that took in $1 million in
a few months has received threatening letters from blackmailers apparently
behind a massive denial-of-service attack," by Antone Gonsalves,
InformationWeek, January 18, 2006 ---
http://www.informationweek.com/news/showArticle.jhtml?articleID=177101541
Personal Information Finders
Zaba Search (a person's birth date, social
security number, phone number, address, and other background information)
--- http://www.zabasearch.com/
We are searching Billions and Billions of Public Records to help you find what
you are looking for. We are searching Marketing Lists, Catalogue Purchases,
Magazine Subscriptions, Change of Address Records, Real Property Records, Court
Records, Business Records, and a variety of other public records and
publicly-available sources for you.
"They" Know Where You Are
So recently an acquaintance of mine expressed
concern online about the use of the GPS location information from his new Treo
650 on Verizon Wireless's network. It seems that phone options indicate that it
sends the information out with every call. Other people assert that the GPS data
is part of the "network heartbeat," going out to the mothership all the time.
Verizon Wireless eventually got around to telling him that whatever the option
indicates, the phone only sends GPS information on 911 calls. Almost nobody
objects to this use of GPS data, but it's not too big a leap to see how GPS data
could be abused. Basically, it's all about "Can they track where I'm going? Can
they find out where I've been after the fact?" The technical question to ask is
how often the phones are sending out GPS data to the network provider, and
whether the provider is holding on to that data and in what form.
Larry Seltzer, eWeek, November 28, 2005 ---
http://www.eweek.com/article2/0,1895,1893642,00.asp
Spy Tools
--- http://locate-unlisted-phone-numbers.com/
(I really don't know how legitimate this outfit really is and make no endorsements
of its services)
Find and Trace: Unlisted Numbers | Cell Phone Numbers & Codes | E-mail Addresses
Protect Privacy: Anonymous Surfing | Anonymous E-mail | Erase Your Tracks | Monitor Your PC | See the Pictures Your Kids, Mate or Employees Viewed Days, Weeks or Months Ago | See the Web Sites They Visit While You're Not Around | Find Hidden and Alternate Screen Names People May be Using to "Play" Online
Unlisted phone numbers ---
http://ww182.voipinternetphone.info/
How safe are unlisted phone numbers? New threats to
folks who pay to unlist their phone numbers
In the past five years, what most of us only recently thought of as ''nobody's business'' has
become the big business of everybody's business. Perhaps you are one of the 30
million Americans who pay for what you think is an unlisted telephone number to
protect your privacy. But when you order an item using an 800 number, your own
number may become fair game for any retailer who subscribes to one of the
booming corporate data-collection services. In turn, those services may be --
and some have been -- penetrated by identity thieves. The computer's ability to
collect an infinity of data about individuals -- tracking every movement and
purchase, assembling facts and traits in a personal dossier, forgetting nothing
-- was in place before 9/11. But among the unremarked casualties of that day was
a value that Americans once treasured: personal privacy.
William Safire, "Goodbye to Privacy," The New York Times, April 10, 2005 ---
http://www.nytimes.com/2005/04/10/books/review/10COVERSAFIRE.html
April 9, 2005 reply from a Trinity University faculty member:
Case in point. Maybe 15 or 20 years ago I received
a call from Trinity Security. XXXXX's husband had died and they could
not reach her to tell her about it because she had an unlisted number. I
knew YYYYY had XXXXX's number but we could not call him because he had an
unlisted number. I don't remember how that worked out but it was very
frustrating.
We have several faculty who over the years had
minor children. I just shudder to think what would happen if one of the children was
seriously hurt and unconscious but they could not be notified because they
have unlisted phone numbers.
Jensen Comment
An alternative to unlisted phone service is something like what SBC now offers
in selected cities in most states (but not most towns at this point in
time). The link for Texas is at
http://www01.sbc.com/Products_Services/Residential/ProdInfo_1/1,,97--6-3-0,00.html
Privacy Manager® is a service that screens your calls so you know who it is before you pick up.
Pricing (keep in mind that there is also a monthly fee for unlisting your phone number):
$5.99 per month for Privacy Manager®
$5.00 one-time installation fee
What will it do for me? (According to SBC)
- Protect your privacy — A recording will notify the caller that you do not accept unidentified, anonymous, or out-of-area calls. A series of choices will guide the caller to self-identify. You then have four options for handling the call: send to voice mail, accept, decline, or place on a do-not-call list if the caller is a telemarketer. To hear a demonstration of the service call 1-888-560-9299.
- Save time — If a phone solicitor calls, one of the options you have is to be placed on a telemarketer's do-not-call list. This prevents you from having to make time to provide a written request or call to have this done.
- Have peace of mind — Our service requires that callers self-identify or the phone doesn't even ring. This keeps you from dealing with annoying or unwanted calls.
Forwarded message from a friend
Bob,
I talk to my brother with
Yahoo! Messenger through a feature called "Voice Chat."
I was surprised the first time
we tried it. He sounds as if he's in the room with me.
I don't know how skype works,
but Yahoo! Messenger is really simple--
you only need DSL, a
microphone, and speakers.
The only downside
I have found with Yahoo! Messenger is that if you sign in and your
status is "available" you will get spam from other Yahoo! users (I guess
you could call them Yahoos!). However, there are many choices for
"status" including: "invisible to everyone", "busy", "stepped out", "be
right back", "not at my desk", and "on the phone".
We usually e-mail
first, before signing in to Yahoo! Messenger.
I find the other
features of Yahoo!Messenger to be a waste of time--too
gimmicky--cutesy--teeny-bopper stuff. You can also place calls through
the Call Center, which has a rate schedule...I've never used that, so
can't comment on it. I suppose there are some issues with Voice
Chat--haven't investigated, but I would guess privacy would be the main
one. Right?
April 9, 2005 reply from Jagdish Gangolly
[JGangolly@UAMAIL.ALBANY.EDU]
Bob,
There is a much simpler and costless solution to
the problem. It is at
www.skype.com . I do not know if there has been a
message about it on AECM already.
It is free as long as both parties are on the
internet. If you want to call a landline phone, you need to prepay, but
their rates are something like 2 cents a minute within the US.
I make most of the calls through this service, and
have found it in fact to be superior to landlines. I have called/ received
calls from Switzerland, Germany, and India for free till now.
I know precisely who is calling me, because the
caller has to first ask me for my permission before the call goes through.
Moreover I can dump any one I don't want to hear from.
If you want to call me, you can skype me from my
new homepage (still under construction; the graduate student idiot who was
redoing our web pages was inadvertently given permission to my web directory,
not an accountant by the way, and trashed my whole directory). It is at
www.albany.edu/faculty/gangolly
You can read about this at:
Net calls to take on landlines
http://news.bbc.co.uk/1/hi/technology/3927977.stm
Some Skype users might experience
problems connecting to Skype network due to installed firewall on their
computer (Skype error #1102). Skype should work with any firewall and router
hardware/software.
Skype needs unrestricted outgoing TCP connections to some TCP ports. If you
fail to connect to Skype network, it is likely that your firewall is
blocking these and you need to open up some outgoing TCP connections. Note
that this is about outgoing connections, not incoming connections. In most
firewalls, you have to specify a destination port or port range to open.
There are four options for Skype to work:
* Ideally, outgoing TCP connections to all ports (1..65535) should be
opened. This option results in Skype working most reliably. This is only
necessary for your Skype to be able to connect to the Skype network and will
not make your network any less secure.
* If the above is not possible, open up outgoing TCP connections to port
443. This will only work if you are using Skype version 0.97 or later.
* If the above is not possible, open up outgoing TCP connections to port
80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this
case Skype can not use it since Skype does not use HTTP. In some firewalls
it is possible to open up all traffic to port 80, not just HTTP, and in this
case Skype will work.
* If the above is not possible, Skype versions 0.97 or later can use an
HTTPS/SSL proxy. In order to do that, you have to configure the proxy
address in Internet Explorer options. Then Skype will be able to use it as
well.
Jagdish
Second reply on April 10, 2005 from Jagdish Gangolly
[JGangolly@UAMAIL.ALBANY.EDU]
Bob,
1. I have the firewall that comes with windows xp,
and I use our office wireless access point which, unfortunately has not been
set up for WEP. Our CISCO router is secure.
2. I have had no problems at home either (even with
the firewall that came with my DSL router; I have set up my wireless router
for WEP).
3. You can reach landline phones while on the
internet, though it is not free. On the other hand, people using landlines
can not reach you on the internet. However, you can arrange conference calls
on the internet, which are also free, but my friends elsewhere tell me it
doesn't work that well. Apparently skype has become very popular among the
Bschool grad students; it saves them trips to schools on weekends to do
group work.
4. Once VOIP becomes ubiquitous, it is possible
that the seamless communications between landphones and internet that you
are looking for will be possible, but we are not there yet.
I am really glad I do not own much of phone company
stocks.
Jagdish
April 10, 2005 reply from Eric Press
[eric.press@TEMPLE.EDU]
I recently set up VOIP in my house. I have Comcast
broadband, and use AT&T Callvantage. I had no trouble getting phone service
when I plugged in the telephone adapter (TA), which inserts between the
cable modem and a Linksys wireless .g router (after I disconnected my house
from the grid--a symbolic moment, sort of the reverse of the gold spike at
Promontory, Utah). I don't observe any problems of firewall interference
with calling.
What I did have trouble with was getting service
back to the other phones in my house. Service through the jack system was
spotty. The solution was to circumvent the phone-jack problem, and go
wireless with the phones, too. I bought a Panasonic KX-TG5423, a small
office, 5.8 GHz digital phone system. These are an order of magnitude better
telephones than I've ever used. It's uncanny when you talk to someone. If
there's a pause, you wonder if the caller is still there, because there is
no background hum, only perfect quiet. The 5.8 GHz standard apparently was
developed for use with VOIP (according to the online seller of the
Panasonic), and does not interfere with other frequencies in use in a home.
There are 5.8 GHz expandable systems (the
incremental units register with the base, and then work), but the systems I
viewed handle a maximum of 10 units. If you need 12 telephones on one line,
you're out of luck for now. I should also mention you can get VOIP and
wireless phones for a two-line system, as well.
April 10, 2005 reply from Bob Jensen
This is really helpful Eric.
Are you saving money now? If so, this is a form of arbitraging. As we
know full well, arbitraging profits (or savings) are generally short lived.
Either Congress or the FCC will probably soon equate Internet and landline
regulations, fees, and taxes. Otherwise traditional local phone service will
disappear as an option since it is not presently profitable and can only be
rendered a bigger loser if your cheaper system is all that is needed.
I assume your closest friends can call you from a regular phone. I also
assume that this is equivalent to an unlisted number since you aren’t in any
local or national directory. As such it does run the problem that I
mentioned earlier about trying to reach a woman whose husband had died or
children had been seriously injured. I suspect, however, that we will one
day have Internet telephony phone directories.
Thanks,
Bob Jensen
April 10, 2005 reply from Eric Press
[eric.press@TEMPLE.EDU]
Bob,
1. Shhhhhhhhh! The total freight on ATT CallVantage
VOIP is about $32/monthly. There is a startling oversight I see in the
taxation, and I concur the differential should, or could disappear. It
depends how fast VOIP is adopted. E.g., I am NOT charged the $6.50 monthly
FCC connect charge. So VOIP isn't telephony, from Congress' perspective?
Other state and local taxes are circumvented, too. I probably avoid $10 or
$12 a month of tax (not evade---it is NOT levied!) The legislators are
perhaps not so technologically hip.
2. BTW, I switched from ATT One-Rate Plus, figuring
it'd be easier to go back to landline telephone if VOIP didn't work. Vonage
is $5 cheaper, and Lingo is $10 cheaper! But regardless, assuming VOIP keeps
working well, it is superior. Its features are impressive. A few: have your
phone calls track you, i.e., dial successive numbers if you do not pick up
after n rings. Another, send your voicemail as email files. All voicemail
generates an email notice to wife that we have a call. For ATT, LD calls to
US and Canada are included. Lingo has US, Canada, and 11 European countries
included.
3. My VOIP phone number is my old phone number
(another reason I stuck w/ ATT). Whether that shows up in next year's
landline directory is another matter. Good point you make per emergencies.
Tell your friends, contacts, schools, etc. your number, and carry it in your
wallet, which echoes P.Doherty's advice.
April 10, 2005 reply from David Fordham, James Madison University
[fordhadr@JMU.EDU]
In addition to Cable ISP service, more and more
cable TV companies are offering voice telephony delivered over their coaxial
cables. But this is NOT the analog "Plain Old Telephone Service" that the
phone company offers over the old unshielded twisted pair wires that run
between your house and the phone company; it is a digital packet-based
service like the internet packets. It requires a DIFFERENT box than a normal
cable modem: one with both your traditional Internet cable modem in it,
along with a second device (usually inside a single case) capable of
splitting out the telephone packets. The phone packets, instead of being
converted into Ethernet net packets, are converted into plain old analog
telephone system voltages, which can then be "piped" into your house's
existing wiring and distributed to as many phones as you have in your
house. Unfortunately, being analog, there is only so much voltage and
current to go around. Commercial telephone companies generally only
guarantee five (5) phones will work, but if you live close to the phone
company's central office, often you can get many more (I live less than a km
from my CO and I get nine phones to work with no problem). The cable modem
boxes, however, may NOT pump out as much voltage and current as a CO, and
thus likely will NOT drive as many phones as you can get to work when you
live close to a CO. But most of them will still drive at least five phones,
usually a few more.
Now let's turn our attention to yet another, very
different, technology. Skype. Skype is NOT the same service as the phone
service provided over the cable TV system. Skype is a phone service which
uses your computer's sound card and converts your voice into STANDARD
internet packets... the same packets that are used to transfer MP3 songs
from Kazaa, JPEG files from the weather bureau, and this listserv message.
Skype is a free computer program that runs on any
PC. It uses peer-to-peer technology (like Napster did) to exchange standard
internet packets. But those packets are identified as Skype packets by their
"port" number contained in the packet headers. (Port numbers are
"classifications" used by the internet system so it can tell the difference
between web pages, mail messages, FTP sessions, Centra on-line conference
sessions, DNS requests, and all other standard TCP/IP traffic).
One of the three primary ways that a firewall works
is to BLOCK all TCP/IP packets which don't have "approved" port number
identifiers. The reason Skype won't pass some firewalls is those firewalls
are blocking the port number which Skype uses to identify its packets.
Getting skype packets through a firewall is as simple as asking your
firewall manager to "open" or "enable" or "allow" the port number used by
Skype. (I can't remember the number right now, but Google should be able to
tell you.) If you are using Windows firewall, you need to "open" that
firewall to Skype's port number.
Skype works WONDERFUL, but it requires you to be
running the Skype program on the computer before someone can call you. Skype
can run in the background so it can stay in the system tray until someone
calls you, while you get other work done. But your computer has to be on.
One of the main problems with Skype, is it
restricts you to one computer at a time. If you "logged on" to Skype on your
office computer, the system thinks you are at the office, and will route
"calls" to the office. You cannot simultaneously log on at the office and at
home. And you cannot easily port a Skype call from your kitchen computer to
your den computer to your living room computer like you can an analog phone
via in-house phone wiring. One computer. Period.
Skype can place outgoing calls (for a fee) from a
computer to a landline phone, by accessing Skype's server which
interconnects the internet into the plain old telephone system. It costs
money, though, since you are placing a call from a Skype server location to
whatever phone you are calling to.
And as has been pointed out, Skype does not (YET!)
offer incoming calls from the plain old phone system. Originators of Skype
calls must be at a computer.
HOWEVER, a system which DOES provide incoming calls
from plain telephones is a service by the name of VONAGE. Vonage, which is a
fee-based service, works almost exactly like Skype, except that it lets you
choose a local phone number in ANY area code that Vonage covers, and when
someone on the POTS dials that phone number, Vonage pipes the call to your
computer like a "Skype" call. For example, a colleague of mine who has kids
at BYU has obtained a local Provo Utah phone number. His kids call a local
number, and his computer rings in his office, and he answers the call via
his sound card. Anyone in the world can dial that landline phone number (for
example, you can call the Utah number from a phone in Austin, New York, or
Melbourne, using any long-distance service you want), and his computer will
ring.
The catch? He must still be at his computer to use
the service! His computer must be on. And one computer at a time... no
"extension phones".
So to summarize, you have (1) cable phone service,
which utilizes a special modem to split out digitized phone service off a
coaxial TV cable into analog telephone signals; (2) you have Skype, which is
a program run on your computer which uses traditional internet to transfer
digitized voice files two-ways in real time, and (3) you have Vonage, which
is a program run on your computer like Skype, but which is a little bit
ahead of the curve because it allows you to have an analog phone number
somewhere so people without computers can call you on your computer.
These are the three technologies I've seen come
across the list in the last few hours. There are several additional
telephone technologies out there, too, but I won't cover what's not being
discussed. All of these are competition for what most of us gray-hairs
remember as the "Bell System", an ancient artifact of a by-gone era.
And lest someone take offense at my comm style,
I'll say up front that I don't begrudge anyone using ANY of these tools...
they are all DIFFERENT, not necessarily BETTER than one another. I have used
all three, and all three provide decent (not perfect, but certainly usable)
replacement service for the public switched telephone network. Skype works
best if all your callers and callees use computers and also use only one
computer at a time, and don't need to be reached when their computer is off
or they are away from one of the computers. Vonage works best if you are at a
computer and your callers or callees are not always at a computer but are at
landline or cell phone units. Cable phone service is simply an alternate
provider of landline telephone service, a true competitor to your local
phone company, but one which provides service which typically is interrupted
more frequently than the old reliable POTS due to growing pains of the
digital cable networks.
David Fordham
PBGH Faculty Fellow
James Madison University
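As an added illustration (not code from Skype or from any list member) of the Skype firewall notes quoted in Jagdish Gangolly's message above and David Fordham's point that a firewall classifies packets by destination port, here is a small Python model of an outbound-only, port-based filter evaluated under each of the Skype options. The policy names, the high port number, the payload bytes and the TFTP request are constructed for the example; it also shows why the third option fails on a firewall that inspects port 80 for HTTP.

```python
"""Port-based egress filter model: an added illustration of the Skype firewall
notes and David Fordham's explanation of how a firewall classifies packets by
port number. This is NOT code from Skype, from any firewall vendor or from any
list member; the rule format, policy names and sample connection attempts are
constructed for this example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Request lines a protocol-inspecting firewall would accept as HTTP on port 80.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


@dataclass(frozen=True)
class Attempt:
    """One connection attempt as a simple firewall sees it."""
    direction: str        # "out": this host initiates; "in": a remote host initiates
    proto: str            # "tcp" or "udp"
    dport: int            # destination port carried in the first packet's header
    payload: bytes = b""  # first bytes the initiator sends (used only for inspection)


@dataclass
class EgressPolicy:
    """Outbound-only rule set. allowed_tcp_ports=None models option 1 (all ports)."""
    name: str
    allowed_tcp_ports: Optional[Set[int]]
    http_only_on_80: bool = False   # option 3 caveat: port 80 must really carry HTTP
    deny_log: List[str] = field(default_factory=list)

    def permits(self, a: Attempt) -> bool:
        # The Skype notes concern outgoing connections only; a client needs no
        # listener, so inbound attempts are refused regardless of port.
        if a.direction != "out":
            return self._deny(a, "inbound connections are not opened")
        if a.proto != "tcp":
            return self._deny(a, "only outgoing TCP is covered by this policy")
        if self.allowed_tcp_ports is not None and a.dport not in self.allowed_tcp_ports:
            return self._deny(a, f"tcp/{a.dport} is not in the allow-list")
        # Some firewalls pass port 80 only when the traffic actually looks like
        # HTTP; an application that merely borrows the port number is dropped.
        if a.dport == 80 and self.http_only_on_80 and not a.payload.startswith(HTTP_METHODS):
            return self._deny(a, "port 80 is restricted to HTTP and this payload is not HTTP")
        return True

    def _deny(self, a: Attempt, reason: str) -> bool:
        self.deny_log.append(f"DENY {a.direction} {a.proto}/{a.dport}: {reason}")
        return False


# The outgoing-TCP options described in the Skype notes. Option 4 (an HTTPS
# proxy) amounts to allowing TCP to the proxy's own address and port, so it is
# not modelled separately.
def option_all_ports() -> EgressPolicy:
    return EgressPolicy("1: all outgoing TCP ports", None)

def option_443_only() -> EgressPolicy:
    return EgressPolicy("2: outgoing TCP/443 only", {443})

def option_80_inspected() -> EgressPolicy:
    return EgressPolicy("3a: outgoing TCP/80, HTTP only", {80}, http_only_on_80=True)

def option_80_any() -> EgressPolicy:
    return EgressPolicy("3b: outgoing TCP/80, any protocol", {80})


# Constructed sample traffic; the high port number and payload bytes are invented.
SAMPLE_ATTEMPTS = [
    Attempt("out", "tcp", 33033, b"\x8a\x21\x7f\x03"),     # peer-to-peer traffic on a high port
    Attempt("out", "tcp", 443, b"\x16\x03\x01\x00\xa5"),   # TLS-looking client hello to 443
    Attempt("out", "tcp", 80, b"\x8a\x21\x7f\x03"),        # non-HTTP bytes sent to port 80
    Attempt("out", "tcp", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # genuine HTTP
    Attempt("in", "tcp", 33033),                            # a remote peer trying to call in
    Attempt("out", "udp", 69, b"\x00\x01config.bin\x00octet\x00"),  # device fetching config over TFTP
]


def evaluate(policy: EgressPolicy, attempts=SAMPLE_ATTEMPTS) -> List[bool]:
    """Return one allow/deny verdict per attempt; denials also land in policy.deny_log."""
    return [policy.permits(a) for a in attempts]


if __name__ == "__main__":
    for make_policy in (option_all_ports, option_443_only, option_80_inspected, option_80_any):
        policy = make_policy()
        verdicts = evaluate(policy)
        print(policy.name, ["allow" if v else "deny" for v in verdicts])
        for line in policy.deny_log:
            print("   ", line)
```

Reading the deny log for a policy tells the administrator exactly which destination ports an application needed, which is how the narrowest working opening is chosen rather than opening all ports.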
April 10, 2005 reply from Eric Press
[eric.press@TEMPLE.EDU]
Bro' David,
You're right that recent posts, including mine,
conflate technologies. Thanks for setting me straight.
I confused ATTCallVantage and Vonage. You explain
that Vonage is Internet-based. I presumed that CallVantage was cable-based,
and when I shut off my computer, and dialed my number with my cellphone and
it rang (performing the experiment to answer Jensen's question), I
demonstrated that truth. I thought ATT was just trying to charge a premium
vs. Vonage and Lingo, but it provides a different service, cable-based
telephony with a very nice Web-based interface. So, even if it's $10 more
expensive per month ($29 vs. $19 for Lingo), I now mind less paying for its
service (which is still $40 cheaper than a landline).
Per the problem of getting multiple phones to ring
given the voltages available, wouldn't you say my solution--install wireless
phones--does the trick? You can pull all the power you need into the base
unit, and the 5 GHz phones are supposed to broadcast a quarter of a mile. One
new phenomenon I note is buying new power strips to run the 12v
transformers. I now have three--cable modem, telephone adapter, and
router--and each takes at least two slots on a linear strip. Someone should
design a circular strip and let their cases hang over the side.
Eric
April 10, 2005 reply from Scott Bonacker
[lister@BONACKERS.COM]
Any of these methods carry their own set of risks
and may not work in all instances.
Setting up VOIP service seems to resemble building
a golf course in a rural area. Maintaining the greens takes so much water
that the neighbors with wells realize that the supply may not be unlimited
after all and start calling for restrictions.
Privacy laws written for phone calls on
conventional lines don't apply when the call is carried another way.
Resistance from carriers - see white paper on
ex-parte letter at http://www.nuvio.com/.
Security restrictions often found on institutional
networks [snipped without verification from merit.edu mail archives]:
>>>> Something else to consider. We block TFTP at our border for security reasons
>>>> and we've found that this prevents Vonage from working. Would this mean that
>>>> LECs can't block TFTP?
>>>
>>> Was that a device trying to phone home and get its configs?
>>> Cisco, Nortel, etc. phone home and get configs via tftp.
>>>
>>> Vonage doesn't need to phone home for config. The device is
>>> programmed (router) and it registers with the call manager.
>>> If you analyze the transactions it's about 89% SIP and 11% SDP.
>>
>> Vonage devices initiate an outbound TFTP connection back to Vonage to
>> snarf their configs on initial connection
And also maybe yet another reason not to move to a
rural area where dialup may be the only way to connect to the internet.
Although fiber is (only) a mile away from here, it's point-to-point only and
$560 per month.
How about you, Bob Jensen, what's your access
method?
Scott Bonacker
Rogersville, Missouri
April 10, 2005 reply from Bob Jensen
Scott asked: How about you, Bob Jensen, what's your access method?
Mountaineer Jensen was saved by a bankrupt company (Adelphia) which had a
TV cable buried in the mountains many years before the company could afford
an Internet server. Six months before we moved to the mountains, Adelphia
commenced offering the Internet and at a pretty good monthly rate which I
can't recall since my wife does not trust me with a checkbook.
I live in fear that Time-Warner will buy out Adelphia and ruin both TV
and the Internet with high fees for poor service (like we had in San
Antonio).
Unlike all the telephony/cable telephone enthusiasts, I will stick to
landline since cell phones don't work behind our mountains and electric
power tends to shut down too often for telephony safety. Our landline phone
has never failed even though our rains and blizzards are often accompanied
by winds over 50 mph (equating to over 150 mph atop Mt Washington) that kill
electric power. The landline phone lets us call out in an emergency and
keeps our security system (including our landline fire alarm) up and
running. My wife looks forward to power outages that shut down my computer.
We tend to treat these candle lit power outages as cuddle times.
I am a bit surprised that nobody mentioned that many security systems use
the landline phone system. It is possible to install a radio alarm system
that does not rely on a landline phone, but the added monthly cost is very
high in the boondocks. Crime is very rare in our remote area so I don't see
much need for the radio alarm that would work if a bad guy cut the phone
line. I'm more concerned about fire starting or furnace quitting. As long as
the landline phone system is so reliable, we thereby have great fire/freeze
protection for our house when we're not at home.
Bob Jensen
PS
Your analogy about the golf course and water tables is perfect. My four
acres are bounded on two sides by a golf course. There have been seasons
some years back when the wells of the golf course and its lovely 34-room
Sunset Hill House Inn went dry. Fortunately the few neighbors I have do not
draw from Adelphia's "water" systems for computing purposes. You can scroll
down a bit for pictures of the Sunset Hill House at
http://www.trinity.edu/rjensen/NHcottage/NHcottage.htm
Did you know you can simply type a phone number into
http://maps.google.com/
and then click on the Satellite button?
This worked whenever I typed in home phone numbers of friends. It did not work
for my office phone number (it took me to Coffeyville, Kansas) and obviously cannot
work for unlisted and cell phone numbers.
Forget Big Brother, Now You Are Being Watched by Almost Anybody
April 6, 2005 message from David Fordham, James Madison University
[fordhadr@JMU.EDU]
Those of us who teach technology honestly, truly,
get a lot of entertainment from old-schoolers who still are under the
mistaken impression that 21st-century humans in developed countries possess
something they call "privacy" outside their bedrooms.
We have been showing students those same satellite
maps for several years now. The Defense Mapping Agency dropped the rule that
prohibited the satellite companies (yes, private enterprise, not the
"Government" that privacy advocates seem to enjoy fearing so much) from
freely distributing their products many years ago (I believe it was early in
the Clinton administration, about the same time they stopped scrambling the
GPS satellite signals, allowing GPS receivers to resolve location down to
about six feet instead of the 200 feet precision that GPS was limited to
prior to the "deregulation".)
This past week, I got a call from an "old-schooler",
gray-haired like me, uninformed (as is a disappointingly large percentage
of the population) about the nature of some of the "vehicle location"
services being offered under trade names such as On-Star, Lo-Jack, Automatic
Position Reporting System (APRS), etc.
My friend, who owns a vehicle with such a tracking
system, had heard at lunch that there are websites where anyone with a web
browser can go and find the location of his car, and wanted me to "reassure"
him that it was an April Fools joke.
Sadly, I couldn't. (Actually, the "sadly" part is
inaccurate... I look on my job as a teacher to be informing the uninformed,
so I always relish an opportunity to share knowledge, -- except when
knowledge is copyrighted, of course! wink wink ;-)
I invited him to my office and together we found
four different sites showing his car's current location, along with various
other information that seemed to genuinely surprise him.
These sites vary greatly in terms of which systems
they cover, how much information they offer, what bells and whistles the
sites offer, and so forth, but most of them have position reports that are
only a few minutes old. Of course, most of these systems transmit only when
the car is on or moving, so some of the position reports appear to be old,
but it is because the car was turned off shortly after the last position was
transmitted. For example, my friend's last position report was transmitted
over an hour before we saw it, because his car had been sitting off in the
parking lot for that long! (Yes, the sites show the date and time (to the
second) that the last position was transmitted.)
One of my personal favorites is the "Find-U"
website, which not only shows the location of the vehicle on a map, but also
--- hey, hey, hey! --- shows a recent satellite photograph of the location!
And yes, usually you can zoom down to where you can see the individual cars.
For example, to find out the location of my friend
Ed Good's pickup truck, go to: http://snipurl.com/dv5v
Wait a minute or two for the server (maintained by
a medical doctor in the Florida Keys) to go out to the satellite website and
match up Ed's latitude and longitude with the correct and most current
satellite image of the area. Your browser will show the location on a map at
the top of the screen... scroll down and you'll see the satellite image-- it
takes about 30 seconds or so to retrieve the latest satellite image.
To find the location of my friend Jason
Armentrout's company car, go to:
http://snipurl.com/dv5x
To find the location of my friend Jeff Rinehart's
Impala, go to:
http://snipurl.com/dv5y
I have a friend Don Landes who drives a big rig
truck across the country. If you want to see where his rig is at the moment,
go to:
http://snipurl.com/dv5z
But if you want to see a map of where his truck's
been over the last 10 days, go to:
http://snipurl.com/dv60
(The little dots out in the Atlantic are anomalous...
they are where the location transmission packet was somehow garbled...)
(I've used snipurl because some of these URLs get
pretty long and when they wrap around to the next line, people email me
complaining their link doesn't work... another example of uninformed users
of technology...but honestly, I don't mind, that's why I'm a teacher!)
Ironic that this subject should come up today,
because yesterday, not 24 hours ago, I was showing my class some of the APRS
packets that we can receive in the classroom. I used a Radio Shack scanner
with the audio plugged into my sound card, and used a free public-domain
software package to decode the packets. (APRS packets are coded in AX.25
protocol, but most of this software also decodes traditional TTY, Pactor,
Amtor FEC, Amtor ARQ, BPSK (several flavors), multi-FSK, among other coding
schemes and protocols. You can copy the highway patrol packets as they get
data on license plates delivered to their patrol car laptops, you can copy
the transmissions from the gas pumps to the station building before it gets
encrypted for satellite transmission to Visa/Mastercard, all kinds of neat
stuff.)
Of course, the Find-U website only publishes the
locations of APRS units (Automatic Position Reporting System), a system
designed by Bob Bruninga, professor of technology at the Naval Post-Graduate
School. And for all these systems and sites, you also have to know the
transmitter identifier programmed into the vehicle's transmitter. But hey,
that's not that hard to find, either... in fact, all of the above vehicles'
identification is available by looking up the owner's name and state on a
server located at the University of Arkansas at Little Rock, as well as a
couple of dozen others all over the world. Even the FCC website will show
it, since these transmitters are licensed individually by the FCC and the
FCC data is, by law, public information!
(If you want more info on APRS, check out Bob
Bruninga's site:
http://web.usna.navy.mil/~bruninga/aprs.html
-- he has a great powerpoint presentation on-line that gives a lot of
information about the system... but be warned it is aimed at techies, radio
amateurs and enthusiasts, wireless experimenters, and their (our) ilk.
Now, let's get to the entertainment part:
Privacy? Giggle, giggle. Chuckle, Chuckle, guffaw.
Imagine this: you are sitting in the bleachers at Camden Yards Stadium in
Baltimore, section D, row 15, seat F, watching the Socks beat up on the
Orioles. During the seventh inning stretch, you stand up and bellow into a
bullhorn: Hey, everybody, I'm (insert your name) and I'm sitting in section
D, row 15, seat F.
Now, imagine that someone in section B hears you on
the bullhorn, writes down your seat location on a piece of paper, and holds
it up for those around him to see. Is this invading your privacy? Well,
that's exactly what these websites are doing. You are voluntarily installing
in your car a piece of technology which uses radio waves, tantamount to
shouting into a bullhorn, your identification and location. Those
transmissions are relayed over and over, across a host of terrestrial and
satellite repeating transmitters (the APRS system uses over a thousand
ground stations and at least six satellites, including a relay station
installed on the international space station! I'm NOT joking!), and everyone
within range of those satellites (generally at least half the earth at any
given time) can receive those transmissions.
So don't come to me crying about privacy. YOU are
the one shouting into the bullhorn. You are the one using public airwaves to
broadcast (yes, broadcast) your car's position every two minutes.
The only problem that exists is that marketers
forget to remind their customers about the nature of radio waves. And most
Americans slept through their high school physics class when this stuff was
being taught (it has been taught since the 1920s!). Radio waves travel to
the edge of the universe. Sure, they may eventually become so faint as to
become indistinguishable from background noise with today's state of the art
receivers... but if we can detect Pioneer and Voyager spacecraft several
times further away than Pluto, surely we can hear your bullhorn giving out
your location every two minutes from a satellite only 50 miles up.
Privacy? Still in your bedroom. Perhaps. To some
small extent. For now.
I asked my students last semester to try to count
the number of cameras they see in plain sight in a one-hour period, anywhere
they choose, from the showers in the locker room to the line at McDonalds.
The highest was 37, the lowest was 8. Eight cameras in one hour, watching
you, as the LOWEST number, when students began looking for them.
So anyone who believes that "privacy" still exists
outside their own bedroom is fooling only themselves and those who want to
still put their heads in the sand instead of looking around and recognizing
the reality of modern 21st century life. If you will wake up and smell the
coffee and RECOGNIZE your environment, you can begin behaving accordingly,
and life will be just as fine, just as good, just as pleasant, just as
relaxed, and probably even of higher quality than it was back when you were
blissfully ignorant.
But if you want to act like one of the many, many
old fossilized fuddy-duddies, deny the realities of modern life, pretend
like we can "go back to the way things used to be", cry "help, help, there
oughta be a law", you will continue to provide mirth, entertainment, and
laughs to those who are able to adapt.
(I'm still waiting for the world to come to its
senses and put an end to the ridiculous (and mostly avoidable) practice of
identity theft. We have numerous technologies we can bring to bear to
increase the difficulty of stealing one's identity (WHICH by the way is NOT
the same as obtaining one's personal information, in spite of Chicken
Littles who would have you believe it is), but too many ostriches have
"voiced concerns" about unlikely (and in many cases, nonexistent)
possibilities which drown out the obvious advantages of eliminating what is
seen by most people as a real problem.)
Darwin supposedly once said, "Survival of the
fittest doesn't mean survival of the strongest. It means survival of those
most able to adapt."
So adapt already.
Technology has its drawbacks, sure, and I don't
deny that those drawbacks cause problems. But people who are informed of the
drawbacks can adapt, rather than futilely trying to turn back the clock,
stifle innovation, curtail progress, and yes, abridge liberties (liberty to
invent, to experiment, and even the liberty to disseminate knowledge of
observable facts, such as a photo of what your house looks like from any
airplane!).
I'm exaggerating for effect, of course, and writing
a diatribe that sounds downright scolding. But my adamant tone is purely for
your entertainment, so you can post a rebuttal. (Since Luddites entertain
me, it's only fair that I reciprocate, and give them some entertainment,
too, isn't it? Look on me as the Rush Limbaugh, Bill O'Reilly, or Howard
Stern of the AECM techno set! Lots of your fellow AECM'ers already do!)
But seriously... my only intent is to try to
enlighten, educate, and let people know that they can't keep on pretending
that life is like it used to be. Technological progress is accelerating, and
will keep on accelerating, and we can't stop it. Individual citizens over my
lifetime have lost the luxury of the old, slow-paced, self-guided lifestyle
my grandfather could choose if he wanted, and instead we are required to
keep abreast of everything from seat belt laws, new icons on our car
dashboards and street signs, new devices from hotel doorlocks to iPods to
cellphone cameras, and on and on. We have to stay abreast of this stuff if
we want to continue interacting with our fellow beings at a level sufficient
to prevent us from being labelled hermits. We can either learn about what's
going on around us, or we can moan and groan about how bad change is and beg
futilely for the ride to slow down because we are getting dizzy. (Notice:
the next generation isn't dizzy! They love the roller coaster and want it to
go faster! And they will prevail... I assure you, they will prevail.)
And if you really want to elicit a laugh, tell
somebody "There oughta be a law". Unlike accounting rules, the laws of
physics can't be (yet) legislated by the winners of November popularity
contests. As they say, if you outlaw listening to radio waves, only outlaws
will listen to radio waves. Even if the U.S. outlawed sites such as Find-U
and all the rest, the radio waves can still be heard in Finland, Israel,
Romania, North Korea, and even on the moon! So, as my post's subject title
says, Get Real.
Old geezers, unite. At least we can still complain
about moral issues such as open promotion of homosexuality, loss of ethics
in the boardroom, fundamentalist zealots, and political intrigue. Let's sit
around on the park bench and reminisce about the way things used to be. "I
remember way back when you could take a leak in the woods without having
your picture appear on the six o'clock news!" "Oh yeah? Well, I remember
when you could buy a loaf of bread without getting six tons of junk mail
inviting you to buy the competing brand of bread!" "I can top that! I
remember when you could drive your girlfriend out to the beach to watch the
midnight submarine races without your daddy knowing where the car was!" "Noooo!
Really? You can remember that far back?" "Yep. Of course, maybe my mind is
playin' tricks on me again..."
David Fordham Offerer of Unique Incites
(spelling deliberate)
What are the weapons of
"information warfare?"
See http://www.trinity.edu/rjensen/infowar.pdf
Also see denial of service attacks at http://www.w3.org/Security/Faq/wwwsf6.html
After four years
of haggling over the language, several countries including the United States
will sign a cybercrime treaty --- http://www.wired.com/news/politics/0,1283,48556,00.html
6:57 a.m. Nov. 21, 2001 PST
BUDAPEST -- A European convention to
be signed Friday will unite countries in the fight against computer criminals,
who have moved on from "innocent" hacking to fraud, embezzlement and
life-threatening felonies.
Interior ministers and law
enforcement officials from Europe, South Africa, Canada, the United States and
Japan will sign the milestone cybercrime convention, which has taken four
years to draft, in the Hungarian capital.
"Realistically, we can expect
some 30 countries to sign the convention," a Council of Europe official
told Reuters. "And this is a major achievement, given that many
conventions are signed by 10 to 20 countries at best."
The official said many people still
see computer hacking and other electronic crimes as mainly a moral issue,
without realizing the associated material damage and risk to life.
"There was a recent case when
someone took control of the computer system at a small U.S. airport and
switched off the landing lights," the official said. "This could
have killed many people."
"Spammer Exposes Customer Data," Special Report: Frauds, Scams and the
Flimflam-Man --- http://ecommerce.internet.com/news/news/article/0,,10375_1569901,00.html
A seller of pirated Norton software, who inundates the Net with spam touting his cheap
prices, leaves open a back door to buyers' personal information -- and officials
say it happens all the time.
One of the Web sites
operated by this particular spammer is called salesscape.com,
and links related to the site showed hundreds of customer orders in .txt
files.
The exposed data
includes what item was purchased, customer names, street addresses, phone
numbers and e-mail addresses, but apparently not credit card numbers.
Sites like this are
often totally unsecured, which is a good reason not to do business with them,
said a spokesman for Symantec.
And for anyone
wondering why spammers do what they do, the sheer number of customer orders
for this one spammer alone tells the story.
There is lots of
money to be made, which accounts for why an estimated 76 billion spam e-mails
will be sent worldwide in 2003, at an average cost to the spammers of 0.00032
cents per message, according to figures from eMarketer.
One of the recent
spam e-mails touting this software sales site came from
"first_response005@yahoo.com" and advertised Norton SystemWorks 2003
Software Suite -Professional Edition.
The e-mail touted
"Five Feature-Packed Utilities...For One Great Price... A $300-Plus
Combined Retail Value... YOURS for Only $39.99!" That software package
normally sells for about $70 or less on Amazon.com. It includes Norton
AntiVirus 2003, Norton Ghost 2003, GoBack 3 Personal Edition, Norton Utilities
2003 and Norton CleanSweep 2003.
Clicking on the link
in the e-mail takes one to www.salesscape.com,
which may be shut down by now, but which earlier listed the software package
and linked to an order page
that requests payment, either by clicking on a button or by snail mail to
"G.A. Moore - PO Box 19803 - Baltimore, MD 21225."
A whois check on the
site shows it is registered to Maryland Internet Marketing, with the
administrative contact being one George Moore Jr., 300 Twin Oaks Road,
Linthicum, Md. 21090. There was no answer when a reporter called the phone
number listed.
Another spam touting
this same offer took us to a
site called computerssystems.com that appeared to be identical.
The order form
instructs potential customers to enter their addresses and a credit card
number, then push a "send" button or print the form out and mail it.
It also says that the software comes with no retail packaging and the
"manuals are built into the programs." Customers are also given an
opportunity to buy Roxio EZ CD Creator for another $29.99.
A Symantec spokesman
said that "one of the key indicators of pirated software is the fact that
retail packaging is not included."
Continued at http://ecommerce.internet.com/news/news/article/0,,10375_1569901,00.html
Bob Jensen's threads on frauds are
at http://www.trinity.edu/rjensen/fraud.htm
Complaints
involving the Internet crack the top 10 for the first time in a survey conducted
by two major consumer advocacy groups --- http://www.wired.com/news/business/0,1367,48520,00.html
Associated Press 2:35 p.m. Nov. 19,
2001 PST
WASHINGTON --
Internet shopping and services have become a leading source of consumer
complaints, joining grievances about auto repair and telemarketing, a survey
finds.
Problems with auto
sales and household goods shared the top spot in the annual list of consumer
complaints released Monday by the National Association of Consumer Agency
Administrators and the Consumer Federation of America. Those categories ranked
second and third, respectively, in 1999 and have been in the top five since
1997.
Consumer complaints
involving the Internet broke into the top 10 for the first time, sharing
eighth place with grievances about mail order shopping, telemarketing and
problems between landlords and tenants.
The most common
Internet complaints involved online purchases and auctions, according to
reports from 45 federal, state and local consumer agencies who participated in
the survey. The third most common type of Internet complaint involved service
providers.
"People don't
always get what they order over the Internet and sometimes they don't get
anything at all," said Wendy Weinberg, executive director of the NACAA.
"While there are many benefits to shopping over the Internet, consumers
need to be aware of the risks."
She recommended that
consumers use credit cards when shopping online, keep records of all
transactions and vary passwords among different websites.
The number of
Internet-related complaints has been surging for the last two years, Weinberg
said.
During the 1999
holiday season, many Internet sellers claimed they could ship extremely
quickly, but some failed to meet their promises. The Federal Trade Commission
fined companies more than $1.5 million in civil penalties.
The situation
improved last year, but the FTC said Monday it had sent warning letters to
more than 70 Internet retailers reminding them to live up to their claims.
"There's a lot
more consumers being impacted because there are simply more people shopping
online," said Harris Miller, president of the Information Technology
Association of America, a trade group. He said industry has to work to educate
consumers about Internet shopping.
"There are some
bad actors out there who prey on consumers and want to take advantage of the
excitement of buying online," Miller said. "Consumers have to be
smarter and have to go with reputable websites."
The categories
generating the most complaints in 2000 were auto sales and household goods,
which includes appliances, furniture, electronics and other retail items.
Complaints about
household goods involved defective merchandise, deceptive advertising and
failure to honor warranties or provide refunds.
Many of the
complaints with auto sales involved financing deals. Some consumers complained
they would take home a car with a good financing rate only to later get a call
from the dealer saying they have to return the car because they didn't qualify
for the rate.
The category of home
improvement services fell from first place on the list in 1999 to third, but
the survey ranked it as the type of business most likely to fail and reopen
under another name. Furniture stores and health studios were also types of
companies most likely to go out of business.
"Consumers need
to check out the company before they make any payments to business in these
industries," Weinberg said. "Consumers can lose large amounts of
money if a company that they are doing business with closes."
Encryption
Definition of encryption from
http://en.wikipedia.org/wiki/Encryption
In cryptography, encryption is the process of
obscuring information to make it unreadable without special knowledge. While
encryption has been used to protect communications for centuries, only
organisations and individuals with an extraordinary need for secrecy have
made use of it. In the mid-1970s, strong encryption emerged from the sole
preserve of secretive government agencies into the public domain, and is now
employed in protecting widely-used systems, such as Internet e-commerce,
mobile telephone networks and bank automatic teller machines.
Encryption can be used to ensure secrecy, but other
techniques are still needed to make communications secure, particularly to
verify the integrity and authenticity of a message; for example, a message
authentication code (MAC) or digital signatures. Another consideration is
protection against traffic analysis.
For a history summary, see "Cryptography" at
http://en.wikipedia.org/wiki/Cryptography
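The point made in the definition above, that encryption hides a message but does not by itself stop anyone from altering it, and that a MAC is what catches the alteration, is easiest to see by doing it. The following is an added example, not part of the Wikipedia text or of this page: it uses only Python's standard library, builds a stream cipher from HMAC-SHA256 in counter mode (a stand-in for AES-CTR, which the standard library lacks; the malleability shown is a property of every XOR stream cipher), changes a digit in an encrypted payment order without knowing the key, and then shows the same forgery being rejected once an encrypt-then-MAC tag is checked. The key values, nonce and the sample message are invented for the demonstration.

```python
import hashlib
import hmac

NONCE_LEN = 16   # bytes of nonce prepended to each sealed message
TAG_LEN = 32     # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i).

    HMAC is the keystream generator only because the standard library has
    no AES; what follows applies equally to AES-CTR or ChaCha20.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's move: without the key, turn plaintext bytes `old` at
    `offset` into `new` by XORing (old ^ new) into the ciphertext.
    The attacker only has to guess what the plaintext says at that spot."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, and the MAC
    key is independent of the encryption key."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def is_authentic(mac_key: bytes, message: bytes) -> bool:
    """Constant-time tag check, done before anything is decrypted."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return False
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def unseal(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Refuse to decrypt a message whose tag does not verify."""
    if not is_authentic(mac_key, message):
        raise ValueError("authentication failed: message was modified")
    nonce = message[:NONCE_LEN]
    ct = message[NONCE_LEN:-TAG_LEN]
    return xor_stream(enc_key, nonce, ct)


if __name__ == "__main__":
    import os
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    nonce = os.urandom(NONCE_LEN)
    order = b"PAY $0100.00 TO ALICE"          # invented sample message
    ct = xor_stream(enc_key, nonce, order)
    forged = tamper(ct, 5, b"0100", b"9100")  # raise the amount, no key needed
    print(xor_stream(enc_key, nonce, forged)) # secrecy held; integrity did not
    sealed = seal(enc_key, mac_key, nonce, order)
    forged_sealed = tamper(sealed, NONCE_LEN + 5, b"0100", b"9100")
    print(is_authentic(mac_key, forged_sealed))  # the MAC catches the change
```

Two choices in the block matter in practice: the MAC key is separate from the encryption key, and the tag is compared in constant time before any decryption takes place. For real files and mail, an authenticated mode such as AES-GCM, or a tool like gpg that already composes encryption and authentication correctly, is the right choice rather than hand-rolling the combination.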
Note that email messages, computer documents, and entire databases can be
encrypted. Especially note the encryption links below:
A free way to send a huge file (up to 1 GB) by email
This is a good way to send video and audio files! ---
http://www.yousendit.com/
I love the YouSendIt service that does not require zip or any form of file
compression. You can learn how to use YouSendIt in less than a minute.
August 23, 2005 message from Scott Bonacker
[lister@BONACKERS.COM]
This company says that you can upload large files
to their server and email a link to download the file, all for free.
http://www.yousendit.com/
Does anyone have experience with this company?
I currently use filesanywhere.com for something
similar, but that is a paid service. A few more bells and whistles to be
sure though.
Scott Bonacker, CPA
Springfield, Missouri
Jensen Comment:
I experimented with this by sending a 200 MB video file to myself. It is a
fantastic free service that can be used when the file you want to send is too
large to attach to an email message. It supposedly will take a file up to 1 GB
without even having to zip or otherwise compress the file. My Internet Explorer
browser wanted to block the download, but when I clicked to accept the file it
downloaded beautifully.
My students will find this useful for sending large database files to each
other in course projects.
You do not have to send the file by email to YouSendIt. All you have to do
is provide the recipient's email address and the file on your computer that you
want to send. You do not even have to supply your own name or your own email
address. The recipient then receives a message that he/she has seven days to
download the file. YouSendIt will not store the file beyond seven days.
I cannot vouch for the security of data stored by YouSendIt. If you are
sending sensitive data such as credit card numbers or a book draft for which
you've not yet secured a copyright number, then I suggest that you encrypt the file
before sending it. There are various options for encryption. For example, most
database programs like MS Access have encryption utilities in the software
itself. Another encryption alternative (free) is described below.
August 25 reply from a Computer Science Professor
And how does YouSendIt access the file on your
system?
This is the problem to which I refer by the phrase
"today's digital environment". The idea of giving someone else your data and
a destination and "trusting" them to do the right thing with the data is a
scary thought.
Why not deposit your data in your web space
yourself and notify the recipient of its availability. If it needs to be
secure, encrypt it with Open encryption software (public key), such as gpg,
before putting it in your web space. And certify your public key.
August 26, 2005 reply from Bob Jensen
Hi XXXXX,
Perhaps there is a security problem that I do not know about. If this is
a gimmick to crack a firewall, then I would like to know more about it. It
does not seem more dangerous than the many times I download files from Web
sites, e.g., PDF files, PPT files, etc.
This is incredibly easy to use. I can imagine people who do not have
enormous amounts of Web server space available using the YouSendIt
alternative for sending home videos, audio files, and large picture files.
In many cases, people are sending files that they would willingly place on a
server if they had enormous server space available at zero cost.
Thanks to you and Gerald, I make some very large files available now on a
Computer Science Department Web server ---
http://www.cs.trinity.edu/~rjensen/video/ Of course these can be easily
downloaded by anybody in the world.
However, there are some database files that I cannot place on a Web
server. Most are hypothetical databases acquired free from various vendors,
databases that I'm allowed to modify for my teaching purposes and students
can modify for assignments. These would not be of much use for anybody to
steal, and I do not have the legal right to make them available to anybody
other than my students.
Even if I did put some of my larger databases on your Web server, I would
hog a tremendous amount of your capacity for very limited use by a few of my
students for a very short period of time.
YouSendIt simply asks the email address of where you want to send a huge
file and then gives you a browse button to find that file on your system.
Large files do take some time to send out.
It would probably be best to send that recipient an advanced warning to
expect such a file.
The recipient is then notified when the file is available for downloading
and that it will be held for seven days.
When the recipient downloads the file, he/she receives an option to
either run the file or to save it.
Neither the sender nor the recipient need install any software and the
service, for whatever reason, is free.
My students are especially going to like this for exchanging databases in
my courses. Obviously the files would have to be encrypted or sent by some
other means if the files were truly sensitive.
Bob Jensen
Free
encryption software
From the T.H.E. Journal Newsletter on August 25, 2005
Cypherix's (www.cypherix.com)
Cryptainer LE
is a free 128-bit encryption program that allows users to
modify and hide files with a single password by creating
multiple 25MB encrypted containers on their hard disk that
can be loaded and unloaded whenever necessary. The
easy-to-use, drag-and-drop system works on all 32-bit
versions of Microsoft Windows, and can protect and secure
any file or folder on any media, including flash drives,
CD-ROMs, and USB keys. Cryptainer LE also allows
users to send encrypted e-mails without requiring the
recipient to install the program to decrypt the files. To
download, visit
www.cypherix.com/cryptainerle/index.htm.
New Tech Tools to Combat Fraud
"Microsoft makes Windows more secure, but how much does that matter?"
MIT's Technology Review, December 11, 2006 ---
http://www.technologyreview.com/read_article.aspx?id=17882&ch=infotech
Microsoft Corp. took great pains to improve
security in its newly released computer operating system, Windows Vista,
redesigning it to reduce users' exposure to destructive programs from the
Internet. Outside researchers commend the retooled approach -- yet they also
say the changes won't make online life much safer than it is now.
Why not? Partly because of security progress that
Microsoft already had made in its last operating system, Windows XP. Also
because a complex product like Vista is bound to have holes yet to be
discovered. And mainly because of the rapidly changing nature of online
threats.
Sure, Microsoft appears to have fixed the glitches
that used to make it easy for viruses, worms and other problems to wreck
PCs. But other avenues for attack are always evolving.
''Microsoft has made the core of the operating
system more secure, but they've really solved, by and large, yesterday's
problems,'' said Oliver Friedrichs, director of emerging technologies at
antivirus vendor Symantec Corp.
That claim would not please Microsoft, which touts
Vista's improved security as a big reason why companies and consumers will
want to upgrade to the new operating system.
In fact, Microsoft's effort to tighten security in
Vista was one reason the software was delayed past the crucial holiday
shopping season. It's now available for businesses and will be available to
consumers Jan. 30.
''It is an incremental improvement -- it is a
reasonably large increment,'' said Jon Callas, chief technology officer at
PGP Corp., a maker of encryption software. ''I don't think it's a
game-changer.''
Some of Vista's security enhancements require
computers with the latest microprocessors -- which are known as 64-bit
chips, in reference to how much data they process at once. That won't
improve things on today's standard 32-bit computers, which will stick around
for a long time.
However, most of the improvements are available in
all editions of Vista, including a stronger firewall and a built-in program
known as Defender that alerts users if Vista believes spyware is being
installed.
''Windows is going to talk to you a lot more and
make sure you're a lot more aware of what you're doing,'' said Adrien
Robinson, a director in Windows' security technology unit. ''It's going to
help consumers be more savvy.''
One of Vista's biggest changes is more control over
computer management. With previous versions of Windows, users were given by
default great control over the computer's settings -- a situation that
opened the door to nefarious manipulation by outsiders. In Vista, users are
prompted to supply a password when they make significant changes -- a
security feature long available on Apple Computer Inc.'s Macintosh and
computers running the Linux operating system.
Bob Jensen's threads on computing and network security are at
http://www.trinity.edu/rjensen/ecommerce/000start.htm
"Researchers developing tool to combat Internet auction fraud,"
MIT's Technology Review, December 11, 2006 ---
http://www.technologyreview.com/read_article.aspx?id=17884&ch=infotech
Carnegie Mellon University researchers are relying
on an old adage to develop anti-fraud software for Internet auction sites:
It is not what you know, it is who you know.
At sites like eBay, users warn each other if they
have a bad experience with a seller by rating their transactions. But the
CMU researchers said savvy fraudsters get around that by conducting
transactions with friends or even themselves, using alternate user names to
give themselves high satisfaction ratings -- so unsuspecting customers will
still try to buy from them.
The CMU software looks for patterns of users who
have repeated dealings with one another, and alerts other users that there
is a higher probability of having a fraudulent transaction with them.
''There's a lot of commonsense solutions out there,
like being more careful about how you screen the sellers,'' said Duen Horng
''Polo'' Chau, the research associate who developed the software with
computer science professor Christos Faloutsos and two other students. ''But
because I'm an engineering student, I wanted to come up with a systematic
approach'' to identify those likely to commit fraud.
The researchers analyzed about 1 million
transactions involving 66,000 eBay users to develop graphs -- known in
statistical circles as bipartite cores -- that identify users interacting
with unusual frequency. They plan to publish a paper on their findings early
next year and, perhaps, market their software to eBay or otherwise make it
available to people who shop online.
Catherine England, an eBay spokeswoman, said the
company was not aware of the research and would not comment on it. But
England said protecting the company's more than 200 million users from fraud
was a top priority.
Online auction fraud -- when a seller does not
deliver goods or sells a defective product -- accounted for 12 percent of
the 431,000 computer fraud complaints received last year by Consumer
Sentinel, the Federal Trade Commission's consumer fraud and identity theft
database. Auction fraud was the most commonly reported computer-related
fraud in the database.
And the scams run the gamut.
Last year, a federal grand jury indicted an Ohio
man on charges he sold hundreds of thousands of dollars of stolen Lego
merchandise on the Internet. Earlier this year, a New Mexico woman was
sentenced to nine years in federal prison for selling forged hunting
licenses on eBay, over the phone and by e-mail, and then not delivering
trips paid for by out-of-state hunters.
Earlier this month, a man who failed to deliver
tickets to the 2005 Ohio State-Michigan football game to 250 online auction
customers was sentenced to 34 months in federal prison.
Johannes Ullrich, an Internet fraud expert with the
SANS Institute in Bethesda, Maryland, said the CMU research ''sounds like a
credible way to detect fraud.''
''Essentially, what they're trying to do is find
these extended circles of friends who make positive recommendations to each
other,'' said Ullrich, the chief technology officer of SANS' Internet Storm
Center, which tracks viruses and other Internet problems.
But Ullrich said the CMU researchers must find a
way to screen out false positives. He said a small group of users -- such as
baseball card collectors -- might repeatedly buy from one another and could
be flagged as high-risk.
Faloutsos said the researchers have thought of that
in developing the software called NetProbe -- short for Network Detection
via Propagation of Beliefs.
''We're not just looking at your neighbors (on the
auction site),'' Faloutsos said. ''We're looking at the neighbors of your
neighbors, and the neighbors of your neighbors' neighbors.''
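A simplified version of the "who rates whom" idea, added here as an illustration and not the CMU NetProbe code (which runs belief propagation over the bipartite graph the article describes): it builds an undirected graph of positive feedback from a constructed, invented feedback log and, for each account, measures how much of the praise around it stays inside its own circle of raters. Sock puppets that only praise each other score 1.0; a real seller whose buyers also trade elsewhere scores low. A collectors' clique is included to show the false-positive risk Ullrich raises: it scores higher than an ordinary seller but, because its members also buy outside the group, stays under the threshold. Account names, scores and the threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed feedback log (rater, ratee, score); not real marketplace data.
FEEDBACK = [
    # An honest shop: six buyers who also trade with unrelated sellers.
    ("buyer1", "honest_shop", 1), ("buyer2", "honest_shop", 1),
    ("buyer3", "honest_shop", 1), ("buyer4", "honest_shop", 1),
    ("buyer5", "honest_shop", 1), ("buyer6", "honest_shop", 1),
    ("buyer1", "other_shop", 1), ("buyer1", "bookstore", 1),
    ("buyer2", "bookstore", 1), ("buyer2", "camera_guy", 1),
    ("buyer3", "other_shop", 1), ("buyer3", "camera_guy", 1),
    ("buyer4", "bookstore", 1), ("buyer4", "other_shop", 1),
    ("buyer5", "camera_guy", 1), ("buyer5", "bookstore", 1),
    ("buyer6", "other_shop", 1), ("buyer6", "camera_guy", 1),
    # Hobbyist collectors who mostly trade among themselves but do buy
    # elsewhere (the false-positive case Ullrich raises).
    ("card1", "card2", 1), ("card2", "card3", 1), ("card1", "card3", 1),
    ("card1", "honest_shop", 1), ("card2", "bookstore", 1),
    # Four sock-puppet accounts run by one fraudster; every positive rating
    # they hold comes from inside the ring.
    ("sock1", "sock2", 1), ("sock2", "sock1", 1), ("sock1", "sock3", 1),
    ("sock3", "sock1", 1), ("sock1", "sock4", 1), ("sock4", "sock1", 1),
    ("sock2", "sock3", 1), ("sock3", "sock2", 1), ("sock2", "sock4", 1),
    ("sock4", "sock2", 1), ("sock3", "sock4", 1), ("sock4", "sock3", 1),
    # The one real victim left negative feedback; that is not praise.
    ("victim", "sock1", -1),
]


def build_graph(feedback):
    """Undirected graph of positive feedback. Negative ratings are dropped
    because a reputation ring is built out of mutual praise."""
    graph = defaultdict(set)
    for rater, ratee, score in feedback:
        if score > 0 and rater != ratee:
            graph[rater].add(ratee)
            graph[ratee].add(rater)
    return graph


def _edges_touching(graph, members):
    """Distinct undirected edges with at least one endpoint in `members`."""
    edges = set()
    for m in members:
        for n in graph.get(m, ()):
            edges.add(frozenset((m, n)))
    return edges


def closure_score(graph, user):
    """Fraction of the praise edges around `user` and its raters that stay
    inside that group (neighbours of neighbours count as 'outside').
    1.0 means nobody in the circle has ever been rated by anyone else."""
    members = {user} | set(graph.get(user, ()))
    touching = _edges_touching(graph, members)
    if not touching:
        return 0.0
    internal = sum(1 for e in touching if e <= members)
    return internal / len(touching)


def suspicious_accounts(feedback, threshold=0.8, min_size=3):
    """Accounts whose circle is at least `min_size` large and almost
    entirely closed. The threshold is an assumption for the example."""
    graph = build_graph(feedback)
    flagged = []
    for user in sorted(graph):
        if len(graph[user]) + 1 < min_size:
            continue  # a lone pair of accounts is not a ring
        if closure_score(graph, user) >= threshold:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    g = build_graph(FEEDBACK)
    for who in ("honest_shop", "card3", "sock1"):
        print(who, round(closure_score(g, who), 2))
    print("flagged:", suspicious_accounts(FEEDBACK))
```

The closure score is deliberately crude: it ignores timing, sale amounts and the text of the feedback, and a genuinely closed community will still score 1.0, which is why the real system propagates beliefs further out than the immediate circle rather than thresholding one number.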
Bob Jensen's threads on how to prevent eBay fraud are at
http://www.trinity.edu/rjensen/FraudReporting.htm#eBay
Bob Jensen's threads on computing and network security are at
http://www.trinity.edu/rjensen/ecommerce/000start.htm
Is a visited Web site authentic and safe?
CallingID 1.5.0.70
http://www.callingid.com/Default.aspx
"Two New Services Try to Warn You About Sleazy
Sites," by Walter S. Mossberg, The Wall Street Journal, June 22,
2006; Page B1 ---
http://online.wsj.com/article/SB115093607407387016.html?mod=todays_us_marketplace
The World Wide Web is a marvelous
thing. Because it exists, more people have direct access to more knowledge
than at any time in history. But, by linking people everywhere, the Web has
also spawned a new international criminal class, and a related class of
sleazy businesses.
These creeps now find it easier than
ever to defraud people, steal their identities and blast them with unwanted
or false advertising. They use the Web as a pathway to infect computers,
corrupt data and take over others' machines.
Security software can help block this
wave of woe. But it would be better to know in advance if a Web site that
comes up in a search result, or one you arrived at through other means, is
harboring malicious software, or perpetrating scams, or generating spam and
unwanted pop-ups. It might also be nice to know if a site with an innocuous
name contains pornography, hate speech or other content that might be
offensive to you.
I've been testing two services that
aim to provide such advance notice of bad or offensive sites. The services,
Scandoo and SiteAdvisor, take different approaches to the task and offer
different features. But both instantly mark up a search-result page, and
label the links that might be dangerous.
Both services are free of charge, and
each works on both Windows and Macintosh computers, and in multiple Web
browsers. On balance, I prefer SiteAdvisor, though Scandoo has a couple of
things SiteAdvisor lacks.
Scandoo, still in beta, or test,
phase, is from a company called ScanSafe, which provides site-scanning and
security services for corporations. SiteAdvisor was founded by some
engineers from MIT and was recently bought by McAfee, the big
computer-security firm.
SiteAdvisor works via a software
plug-in that you download and install. The plug-in, available at
www.siteadvisor.com, modifies either the Internet
Explorer browser for Windows, or the Firefox browser for Windows, Macintosh
and Linux, so the browser can identify bad Web sites. SiteAdvisor works with
the Google, Yahoo and MSN search engines.
Scandoo requires no software
downloads and works with more browsers than SiteAdvisor does. But it
requires you to enter a search term at its Web page,
www.scandoo.com, rather than at the home page or
search box of your favorite search engine. It then transfers to the search
engine you choose and modifies the results page to identify sites that may
be troublesome. It now works only with Google or MSN.
There are some other major
differences between the two. Scandoo scans Web pages on the fly to look for
bad stuff. SiteAdvisor matches Web sites against a database it has compiled
about content. Scandoo works only on pure search results, not the ads
alongside the results. SiteAdvisor rates the results and the ads, which
often are more dangerous.
In addition, because it is built into
the browser, SiteAdvisor can rate any site you are visiting, not just sites
listed in search results. SiteAdvisor places a small, unobtrusive icon in
your browser. The icon is green if you are on a Web page it considers safe
and honest. It turns red if it regards the site as dangerous.
Scandoo works only on search results
pages. But it has a function SiteAdvisor lacks. It can rate pages for
offensive content, while SiteAdvisor focuses just on the presence of
malicious software, or invasive advertising techniques. Scandoo allows you
to specify which kinds of content you want flagged, including pornography,
hate speech and gambling.
SiteAdvisor also flags sites it
regards as perpetrating scams, like charging people for software that
actually is free. But in my tests, it ignored some other scams, such as
offers for pills that magically enlarge body parts.
In my tests, SiteAdvisor consistently
flagged more Web sites as bad than Scandoo did. When I searched for "Free
iPods" in Google, Scandoo gave all the regular search results a green check
mark, meaning OK. SiteAdvisor marked the first regular result in red and
gave it an "X," meaning trouble. It also marked most of the ads in red and
gave them "X's."
This is partly due to different
techniques they use. Scandoo claims its real-time scanning can uncover bad
sites SiteAdvisor might miss. SiteAdvisor claims its database is more
comprehensive.
Another reason for the disparity is
that SiteAdvisor isn't just looking for viruses or spyware. It uses test
computers to see if sites are likely to generate what it calls "spammy"
email or pop-up ads. If they do, the sites get flagged.
Some might regard SiteAdvisor's
filters as too aggressive, but, unlike Scandoo, it gives a detailed
explanation for each rating. The explanations I saw made sense. For the free
iPods site SiteAdvisor flagged, it explained: "After entering our e-mail
address on this site, we received 11 e-mails per week. They were very spammy."
It even showed some test emails.
Both services are very helpful. You
might want to use Scandoo if you're concerned about offensive content. But
for flagging malicious software and invasive advertising, SiteAdvisor is
more comprehensive and tougher.
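An added illustration, not code from the column or from either product, of why the two rating strategies described above can disagree on the same "Free iPods" results: a compiled reputation database keyed on the site's domain (rates ads as well as results and carries an explanation) versus a real-time scan of the page body (organic results only, sees nothing that happens after you visit). All domains, ratings, page bodies and scan markers below are constructed for the demonstration.

```python
"""Added example (not the column's or either product's code): a database match
keyed on the site's domain (SiteAdvisor-style, covers ads too, carries an
explanation) versus an on-the-fly scan of page content (Scandoo-style, organic
results only).  All domains, ratings and page bodies are constructed."""
import re
from urllib.parse import urlsplit

# Constructed reputation database: registered domain -> (rating, explanation).
REPUTATION_DB = {
    "free-ipods.example": ("red", "After entering our test e-mail address on "
                                  "this site, we received 11 e-mails per week."),
    "news.example": ("green", "No spam, malware or scam behaviour observed."),
}

# Content markers a real-time scanner might flag (illustrative, not exhaustive).
SCAN_MARKERS = {
    "zero-size iframe": re.compile(r"<iframe[^>]*(width|height)=['\"]?0", re.I),
    "executable download link": re.compile(r"href=['\"][^'\"]+\.exe['\"]", re.I),
}

def registered_domain(url):
    """Last two host labels (simplification: suffixes like co.uk not handled)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def rate_by_database(url):
    """SiteAdvisor-style: the rating comes from the compiled database."""
    return REPUTATION_DB.get(registered_domain(url), ("gray", "Not yet rated."))

def rate_by_scan(html):
    """Scandoo-style: the rating comes only from what is in the page right now."""
    hits = [name for name, rx in SCAN_MARKERS.items() if rx.search(html)]
    if hits:
        return "red", "Page content matched: " + ", ".join(hits)
    return "green", "No malicious markers found in page content."

def rate_results_page(results):
    """Rate each result both ways -> [(url, db_rating, scan_rating)]; ads get None."""
    out = []
    for r in results:
        scan = None if r["is_ad"] else rate_by_scan(r["html"])[0]
        out.append((r["url"], rate_by_database(r["url"])[0], scan))
    return out

# Constructed results page for the "Free iPods" search described in the review.
FREE_IPODS_RESULTS = [
    {"url": "http://www.free-ipods.example/claim", "is_ad": False,
     "html": "<html><body>Enter your e-mail to claim a free iPod!</body></html>"},
    {"url": "http://www.news.example/ipod-review", "is_ad": False,
     "html": "<html><body>Our review of the latest iPod.</body></html>"},
    {"url": "http://ads.free-ipods.example/landing", "is_ad": True,
     "html": "<html><body>Free iPod, sponsored link.</body></html>"},
    {"url": "http://downloads.example/get", "is_ad": False,
     "html": '<a href="http://downloads.example/setup.exe">Get player</a>'
             '<iframe width=0 height=0 src="http://x.example"></iframe>'},
]

if __name__ == "__main__":
    for url, db, scan in rate_results_page(FREE_IPODS_RESULTS):
        print(f"{url:42} database={db:5} scan={scan}")
```

The first row shows the disparity the review reports: the page body looks harmless to the scanner, while the database remembers the spam that followed a visit; the third row shows the ad that only the database approach rates at all.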
Bob Jensen's threads on consumer frauds are at
http://www.trinity.edu/rjensen/FraudReporting.htm
From the Federal Trade Commission on March 4, 2006
America's Top 10 Dot Cons ---
http://www.ftc.gov/bcp/conline/edcams/dotcon/
"Privacy for Sale: How to buy online anonymity," by Adam L. Penenberg,
Slate, November 1, 2005 ---
http://www.slate.com/id/2129114/
When you surf the Internet, you leave footprints everywhere you go. Google
conceivably knows every term you've searched for and every e-mail you've sent
and received. Cookies greet you when you return to a site and track your
movements when you stay within its pages or visit affiliated sites. Your ISP
knows who you are and where you live or work whenever you get online.

This tracking continues far from your computer. The hundreds of publicly and
privately owned surveillance cameras within a 10-block radius of my office
capture my image when I buy a falafel or read a book in Washington Square
Park. If you talk on a cell phone or send text messages from your PDA, your
provider knows where you are. The same goes for when you pay for socks with a
credit card or get cash from an ATM.

As the battle to provide ads better-targeted to online consumers intensifies,
our information becomes more valuable to online marketers and publishers.

Web surfers also fear that identity thieves are on the prowl for their
personal data. The government is a potential bogeyman, too: As fears over
terrorism intensify, the feds may find your personal data irresistible. In
2003, Congress scuttled the Total Information Awareness program, which would
have enabled the Pentagon to mine millions of public and private records to
search for indications of terrorist activity. But that doesn't mean the effort
to combine databases has stalled—it's just been redirected.

So, how can we protect ourselves? We're going to have to pay for it. In the
same way we fork over a few extra bucks a month for caller ID block and an
unlisted phone number, we'll pay for anonymity in other areas. Privacy has
become a commodity. The more our personal information gets out there, and the
more valuable it becomes, the more incentive there will be for companies to
shield it on our behalf.

There's a good chance you already have a personal firewall or a spyware
remover installed on your machine. But there are loads of other products that
can do everything from masking your IP address—kind of like driving in a car
with a fake license plate—to scrambling your data so that anyone trying to
intercept it will encounter gibberish, to services that claim to expunge your
personal information from a whole range of databases and search engines. Some
do what they say they can do. Others don't.

For $29.99, Acronis Privacy Expert Suite will wipe your hard drive of all
traces of Web surfing. Anonymizer.com offers an array of products that do
everything from masking your identity by routing your Web traffic through
secure servers to encrypting your wireless connection. GhostSurf, a competing
product, provides "an anonymous, encrypted Internet connection" that erases
any trace of your surfing "to Department of Defense standards." Encryption
schemes like PGP will let you send e-mail securely so that even if hackers
intercept it upstream, they won't be able to read it. A program called
SafeHouse will fully encrypt your hard drive to ensure that if your laptop is
stolen, your data won't be.

Not everything that comes at a price can do the job. A new service called
DeleteNow vows to expunge your personal information from search engines,
databases, and directories for $2.99 a month. The company says it uses
searchbots and a "deletion module" to search for and destroy information in
databases and on the Web that its client doesn't want dispersed in the ether.
But DeleteNow's claims are a bit exaggerated. It can't simply delete
information from third-party Web sites—all it does is automate the process by
which any user can ask that a page gets removed from a particular search
engine. Believe me: If Google didn't remove its CEO Eric Schmidt's personal
information from search results after the company raised a stink with CNET,
it's not going to remove yours.

Not all privacy enhancers cost money. Some free Web-based services help those
who simply want to control their information because they don't want "The
Man" to have it—marketers, the government, whoever. Bugmenot offers communal
logins and passwords—the password "liberalmedia" for the New York Times and
the e-mail nypostisfuckingretartedforrquiringregistration@suckme.com to access
the New York Post, for example—that allow users to avoid providing personal
information at sites that require free (but annoying) registration. But the
model that Hushmail, which offers snoop-proof e-mail, has adopted will
probably hold sway in the future. The company gets you in the door by offering
free e-mail accounts but then offers a number of different services that cost
money.

Of course, it's possible that these services go too far. Do most of us really
need to encrypt our hard drives so that pictures of our kids don't fall into
enemy hands? The most important question, though, is whether it's right that
individuals have to bear the economic burden of protecting their anonymity
online. Shouldn't our own personal default settings be set on privacy?

Continued in article
New Tech Tools to Combat Corporate Fraud
A new tech sector has sprung up to provide that
software. Virtually every computer and software maker is eager to tap one of the
few high-growth markets in technology -- the best thing to happen in the sector
since the Y2K panic caused thousands of big businesses to remake their computer
rooms in 1998 and 1999. Storage companies like EMC Corp. stress the need to save
audit-related materials for seven years. Security experts like RSA Security Inc.
and Computer Associates International Inc. argue that companies can't prevent
deficiencies if they can't pinpoint who is using the systems. A host of private
companies have shifted their business models to promote their software as a cure
for compliance woes.
William M. Bulkeley and Charles Forelle, "How Corporate Scandals Gave Tech Firms
a New Business Line: Sarbanes-Oxley, Other Rules Aimed at Fighting Fraud Create
Market for Software," The Wall Street Journal, December 9, 2005; Page A1
---
http://online.wsj.com/article/SB113409818808818144.html?mod=todays_us_page_one
Threads on Firewalls
Go to
http://www.trinity.edu/rjensen/firewall.htm
The Downside: Psychology of Electronic Commerce
Does Technology Need to be Curbed? Has society become the captive of
technology? Just because we can work technological wonders isn't a good enough
reason to do so. Professor Harold Leavitt argues that mankind's insatiable
curiosity could become a danger.
"Who’s in Control Here?" by Harold J. Leavitt, Stanford Graduate
School of Business, November, 2002 --- http://www.gsb.stanford.edu/news/bmag/sbsm0211/feature_leavitt.shtml
Organizations, especially for-profit organizations,
now play a curiously dual role in promoting the unfettered acceleration of
technology. They are technology’s most powerful driver and also its hogtied
prisoner. That combination generates more and more acceleration, with
potentially disastrous downside effects.
The resultant maelstrom of technological products and
processes is beginning to look like a runaway locomotive, or worse—more like
a whole horde of runaway locomotives hurtling ahead along multidirectional,
multidimensional, ever-changing networks of tangled tracks. Now and again one
runs out of fuel, but by then a host of newcomers has already begun to roll.
And most of us, both individually and organizationally, as well as the media,
seem so caught up in this technological tsunami that we mentally push aside
any small prodromes of impending, down-the-road dangers. Science and
technology (S/T) have hastened globalization, shortened many organizations’
life spans, and revolutionized the notion of what constitutes an individual’s
career. Yet, even as it drives organizations to distraction, S/T also empowers
them. The potent “military-industrial complex” that President Eisenhower
warned against in 1960 has given way to the even more potent “technology-industrial”
complex of the 21st century.
TECHNOLOGY AND ORGANIZATIONS have always been
important to one another, but until recently, organizational change was at
least as much a matter of managerial choice as of pressing necessity imposed
by science/technology. And the serious entry of organizational money onto the
S/T scene has caused a shakeup in S/T’s internal culture. Technologists,
traditionally lower in the pecking order than “real” scientists, are now
approaching status parity. Steve Jobs and Bill Gates are almost as much
cultural emperors as Nobel laureates are cultural aristocrats.
Technology’s rising status also signals a shift in
the thought-to-action ratio. Science has traditionally been mostly about
thinking. But it is technology that carries the ball from thinking to doing,
from learning to building, from solving the problem to implementing its
solution. Ideas, in and of themselves, have certainly triggered revolutions,
but technology builds the cars, makes the pills, and puts together the
navigational systems. From the printing press to the light bulb to time and
motion study to the PC, cheap, transferable technology has always been a major
propellant of societal change.
Pure, unadulterated human curiosity was the initial
motivator for much of both science and technology. Scientists and
technologists, by training and by inclination, were intrinsically driven to
search and explore. Their work provided its own reward. They liked money too,
but gold was not the prime motivator. Indeed, the whole notion of grubbing for
money was antithetical to the ethos of science. Yet perhaps it should have
been obvious that greed would eventually become a camp follower of exploding
technology. The money magnet attracts us all, but its pull is especially
strong on financial types, marketers, and MBAs. Even Silicon Valley’s fabled
young crusaders have been infiltrated by people with more “pragmatic”
priorities. We are thus becoming doubly entrapped. Our limitless curiosity has
coupled with our equally limitless avarice.
The effect of both has been to push technology ahead
of science, while also blurring the distinction between the two. Would any
private organization today build the equivalent of the old science-driven Bell
Labs? That institution had a five-year moat of safety from the incursions of
AT&T’s marketers and finance folks. Yet that magnificent scientific
resource gave way, more and more, to “directed” research, largely a
euphemism (as scientists complained in Bell Labs’ declining days) for the
demand that they devote themselves to designing Mickey Mouse telephones. While
that shift at Bell and other corporate labs began somewhat earlier, the
Japanese manufacturing challenge of the 1980s sped up the process. So did the
1980 Bayh-Dole Act, which streamlined and encouraged technology transfer from
federally funded university research to industry.
ALL OF WHICH BRINGS US to these questions: Where are
some of the danger spots? What else can and should we do about technology’s
surging speed and spread? What shall we worry about? Here are a few items:
Until now, when new technology was blamed for some
real or imagined downstream trouble, it got itself off the hook by offering a
standard medication: large doses of even newer technology. Are high-powered
cars on overcrowded highways killing too many of us? Invent seat belts and air
bags! Are “rogue” states threatening us with nuclear missiles? Develop
Star Wars antimissile technology! That nostrum is still being peddled. For
example, many private companies, long hostile to efforts to control the
greenhouse gases that their factories emit, have recently reversed their
position. They now see an opportunity for profit by developing new
technologies to control the negative impact of their own earlier technologies.
Such technological cures for technologically
generated ills are no longer the panacea they once were. S/T must live in the
interconnected global village it has helped create. Deep social and political
anxieties are growing around S/T’s perimeter, and many are becoming
technology-resistant. The “digital divide” between the have and the
have-not segments of the world may be growing, but the have-nots have enough
technology to be quite aware of how much more the haves have. Indeed, several
have-nots already have enough technical know-how to build horrendous nuclear
and chemical weapons. That great segment of humanity will not stand passively
by while our S/T rushes blithely onward. They will want more, and they may
have the population power to get it.
Consider some recent projections by knowledgeable S/T
people about what lies ahead: a now widely cited article in Wired by S/T
insider Bill Joy, chief scientist at Sun Microsystems, and a 1999 book by Ray
Kurzweil on soon-to-arrive “spiritual machines.” They assert—and they
should know (or should they?)—that machines will soon be able to do almost
everything humans can, but more and better. They may be overstating both the
case and the timetable, but can we blandly discount their informed judgments?
As S/T continues to proliferate and accelerate, the
interactions among its parts will become more and more complex, perhaps
exponentially. So what have been called “normal accidents”—like the
Challenger, Bhopal, and Chernobyl disasters—will become more probable and
more frequent.
More “control” of S/T is being taken by a
shrinking number of enlarging organizations. A century ago we tried, with only
moderate success, to cope with excessive concentrations of economic power via
antitrust laws and such. Can we handle increasing concentrations of S/T power
with the equivalents of antitrust?
The sweeping tide of technology threatens the
independence of science’s traditional home, the university. As S/T
accelerates, that academic birthing ground requires more resources.
Corporations are willing to contribute, but almost always in exchange for
partial control over universities’ research programs. A more intimate
relationship is bound to have negative impact on the autonomy and, of course,
the tenure of academic scientists and engineers. It’s appropriate to end
this set of worries on a more positive note: Somehow, over the years, we
humans have managed to survive most technological dangers, although sometimes—as
in the Cuban Missile Crisis—only by a hair’s breadth. Maybe, if we use our
collective heads, we can continue to muddle through, despite S/T’s
acceleration.
Continued in the article.
Bob Jensen's threads on the dark side of technology are at http://www.trinity.edu/rjensen/000aaa/theworry.htm
Spending time on the Internet can have a negative effect on personal life
such as reducing time spent socializing with friends says political scientist
Norman Nie.
"Journal Explores Life in the Electronic Age," by Norman Nie,
Stanford Graduate School of Business, November, 2002 --- http://www.gsb.stanford.edu/news/research/ebusiness_journal.shtml
Almost one-third of an average adult American's
day is spent with electronic devices—TV, radio, telephone, computer—that
did not exist a century ago, says Norman Nie, a Stanford political scientist
who studies the impact of information technology on society. Nie, who holds a
courtesy appointment at the Business School, finds that in some cases,
spending time on the Internet can have negative effects on personal life.
In research partly funded by the School's Center for
Electronic Business and Commerce, Nie and doctoral student Sunshine Hillygus
report: "Internet use at home has a strong negative impact on time spent
with friends and family as well as time spent on social activities, while
Internet use at work has no such effect. Similarly, Internet use during
weekend days is more strongly related to decreased time with friends and
family and on social activities than Internet use during weekdays."
Their report is one of the research articles in a new
interdisciplinary online journal, IT&Society (www.ITandSociety.org),
launched in August by the Stanford Institute for the Quantitative Study of
Society and the University of Maryland's Survey Research Center. Nie, who
directs the Stanford institute, said the goal is to encourage scholars of
different disciplines to share their research.
Future issues will deal with psychology, sociology,
and economics. According to Nie, subjects may include the future of the
workplace as society becomes saturated with broadband technology, enabling
more people to work at home, and how the phenomenon of oppression has been
altered by access to information technology.
Bob Jensen's threads on the dark side of technology are at http://www.trinity.edu/rjensen/000aaa/theworry.htm
The AICPA's Assurance Services Website is at http://www.aicpa.org/assurance/index.htm
Return to http://www.trinity.edu/rjensen/ecommerce/000start.htm