Archive for August, 2008
PRIVACY IS DEAD – GET OVER IT Pt 01, with Steve Rambam

round of applause to Immanuel of 2600 Magazine

PRIVACY IS DEAD – GET OVER IT Pt 01, with Steve Rambam

PRIVACY IS DEAD – GET OVER IT Pt 02, with Steve Rambam

PRIVACY IS DEAD – GET OVER IT Pt 03, with Steve Rambam

PRIVACY IS DEAD – GET OVER IT Pt 04, with Steve Rambam

PRIVACY IS DEAD – GET OVER IT Pt 05, with Steve Rambam

PRIVACY IS DEAD – GET OVER IT Pt 06, with Steve Rambam

PRIVACY IS DEAD – GET OVER IT Pt 07, with Steve Rambam

PRIVACY IS DEAD – GET OVER IT Pt 08, with Steve Rambam

PRIVACY IS DEAD – GET OVER IT Pt 10, with Steve Rambam

PRIVACY IS DEAD – GET OVER IT Pt 11, with Steve Rambam

All ‘PRIVACY IS DEAD – GET OVER IT with Steve Rambam’ Lectures

Invasion of Privacy Laws

Privacy laws are supposed to protect the rights of individual citizens. The advent of the information age has made privacy a bit of a challenge. Invasion of privacy is now much more common place as personal information on individuals is readily available and many organizations that collect certain bits of information on customers, employees, servants and officers don’t do enough to protect privacy.

Invasion of privacy laws are imperative because the loss of privacy can mean not only a small inconvenience but major loss of assets and/or opportunity. Loss of privacy can mean (among other things) identity theft, financial fraud or and inability to get a job.

Many first world and emerging technological countries must deal with this challenge. There are many invastion of privacy laws designed to protect common citizens:

United States, Privacy Act of 1974, designed to hold those that handle private information accountable for its protection.

* Health Information Privacy Accountability Act — Office for Civil Rights U.S. Department of Health and Human Services
* Financial Services Modernization Act (GLB), 15 U.S. Code §§ 6801-6810
* Final Rule on Privacy of Consumer Financial Information, 16 Code of Federal Regulations, Part 313
* Fair Credit Reporting Act (FCRA), 15 U.S. Code §§ 1681-1681u

Australia, Privacy Act of 1988, sets out principles in relation to the collection, use, disclosure, security and access to personal information.

Canada Privacy Law

Personal Information Protection and Electronic Documents Act governs the collection, use and disclosure of personal information in connection with commercial activities and personal information about employees of federal works, undertakings and businesses. Wiki

Gaping hole opened in Internet’s trust-based BGP protocol

For all the viruses, malware, and exploits that crawl around the web, fundamental flaws in the system are supposed to be few and far between, but the last two months have proven to be an exception to the rule. In July, Dan Kaminsky revealed his discovery of a DNS flaw that could be exploited to direct unwitting users to malicious web addresses, Now, practically on the heels of that announcement, a hacker team that presented at DEFCON has demonstrated how a fundamental design error in the Internet’s border gateway protocol (BGP) can be used to invisibly eavesdrop on all traffic originating from a particular set of IP blocks.

Neither of these attack vectors are hacks in the typical sense of the word, as Wired’s own report explains. Instead of injecting malicious code into a system or systems, the DNS and BGP assaults take advantage of inherent structural weaknesses in the Internet itself. When the ARPANET was under development in the late 60s and early 70s, its designers chose to implement trust-based protocols. At the time, this made sense; ARPANET was a communications network between a relative handful of university and government institutions. The Internet of today has grown beyond the projected size of ARPANET by multiple orders of magnitude. The fact that it has scaled as well as it has is a testament to the engineers who built its foundation as well as those that came later, but the trust-based protocols that made sense in the 1970s don’t make sense today.

read more | digg story

Romance Scam

From Russian brides to Nigerian date scams, romance scams are rampant on the Internet.

Avoid these scams by being suspicious. Don’t allow your desire to find that special someone to cloud your judgement. They will promise you the world and say whatever it takes to keep your interest.

This is how I think of the Internet: There are billions of people on the Internet. You have a great chance of meeting someone especially for you somewhere in the world. With 7 billion human beings 3.5 billion being the gender of your choice there are likely more than a dozen perfect fits for you. Its true, but for every one of your soul mates that has put their bios on Internet, there are a thousand false profiles pretending to be that perfect someone.

Romance scams are especially vicious because they are reach for your wallet/bank account through your heart. Once they have you hooked they are after your money.

ONLINE DATING SCAM TACTICS:

Step 1) Take the Bait

You meet someone on a dating site (Adult Friend Finder, Match, okcupid, etc). This person has posted a picture of themselves and they are gorgeous!
Their profiles says something like:

I am a caring ,loving, honest, respectful and i believe in god and real people to hop to meet meet my real love here

There profile seems perfect. They sounds sweet, loving and caring. Their picture (if they have one) looks incredible. They seem to live pretty close.

What’s really going on? More than likely it is some ugly dude from a third world country who just learned to use a computer. They found a hot picture and posted it on the dating site. They are the exact opposite of what ever they said on their profile: they are uncaring, dishonest and don’t respect anyone… not even themselves.

Step 2) The Out of Country Story

You send them a message. They reply and tell you that they’d rather talk to you on email (usually hotmail or yahoo). They then proceed to tell you that they are currently in another country (Nigeria, Ghana, Mali, England), but they have some sort of connection to the states in your local area. They’ll say they’re relatives are there or they do business their and they’d love to meet you sometime.

What’s really going on? They really are outside of whatever country you are (usually Nigeria, Ghana, West Africa – this is one of the top scams in that region).

Step 3) Relationship Deception

What they do next is get a steady relationship with you. They will send more pictures. They will want to know more about you so they can cater to your ego. They will tell you they love you, tell you how good you look, how great you are. Basically, anything get the relationship going.

What’s really going on? They are lying to you and 20 other people on 5 or 6 different dating sites.

Step 4) A Crisis: they Need Money

There are various lies they may use to get money. They will ask for cash to buy the ticket to come visit you or they will tell you a tragedy has occurred and they need your help maybe even with a promise to pay you back.

What’s really going on? They are attempting to take your money and spend it on bullshit.

Clues to Spot Dating Scams:

Pictures look too professional. Magazine quality photos should be a dead give away. If they send a series of pics and each one looks like a “model posed” photo shoot, be suspicious.
BAD GRAMMAR & SPELLING. They are typically not very well educated and it will sometimes come through loud the clear via very choppy English and slight stupid logic. Sometimes it is as bad as a 3rd grader (a dumb 3rd grader).
Western Africa. Be suspicious of ANYTHING from from Ghana, Mali and especially Nigeria.
Too much love, too fast. They will almost immediately start talking about “I love you”, “I miss you” – don’t be flattered… they don’t love you… trust me.

Disclaimer: Miracles do happen. Maybe you’ve just met a West African supermodel, with bad grammar, who has fallen madly in love with you in the course of two or three emails.

Conclusion:
I’ve dealt with these scammers on ebay, email, dating sites and in chat rooms and one thing I’ve noticed is that they are actually not very smart. They are just ruthless. They take advantage of people’s trust, kindness and generosity. They are not so much predators as they are parasites that jump from host to host. They feed on the infrastructure and wealth of Western Civilization and have nothing at all to contribute to humanity but ignorance and greed. The sad thing is that these few greedy, idiots are giving ALL West Africans a bad name on the Web and these nations (particularly Ghana & Nigeria) are among the richest nations in Africa with the greatest potential of having great success in any and all endeavors. Its a real shame.

If you are looking for real relationships online, here are some good resources on how to make it happen!

Avoid dating scams

Avoid dating scams

Avoid dating scams

Avoid dating scams

Avoid dating scams

Avoid dating scams

Subject: CONTRACT PAYMENT NOTIFICATION INFO *SCAM*

> From: cenbankcontractinfo1@cenbank.org
>
> Date: Wed, 27 Aug 2008 17:40:32 +0100
>
> CONTRACT PAYMENT NOTIFICATION INFO
> CENTRAL BANK OF NIGERIA,
> INTERNATIONAL REMITTANCE DEPARTMENT,
> CORPORATE HEAD QUARTERS
> TINUBU SQUARE, LAGOS NIGERIA,
> TEL: +234-1-408-9418.
> Our Ref: CBN/IRD/CBX/021/05,
> CONTRACT #: MAV/NNPC/FGN/MIN/009.
>
> Attn:
> We apologize, for the delay of your payment and all the inconveniences and inflict that we might have indulge you through. However, we were having some minor problems with our payment system, which is inexplicable, and have held us stranded and indolent, not having the aspiration to devote our 100% assiduity in accrediting foreign contract payments. We apologize once again.
>
> From the records of outstanding contractors due for Payment with the Federal Government of Nigeria , your Name and company was discovered as next on the list of The outstanding contractors who have not yet received Their payments. I wish to inform you that your payment is being processed and will be released to you as soon as you respond to this letter. Also be advised that because of too many contractors that I have to pay at this final quarter of the year.
>
> Five million seven hundred thousand us dollars (us$5.700, 000.00). We apologize for any inconvenience as a result of delay in transaction. Please kindly re-confirm to me the followings details to this email address: cbncontractinfo1@gmail.com
>
> 1) Your full name.
> 2) Phone, fax and mobile #.
> 3) Company name, position and address.
> 4) Profession, age and marital status.
> 5) Your working Id/Int’l passport.
>
> As soon as this information is received, your payment will be made to you in a certified bank draft directly from Central Bank of Nigeria. You are advice to respond immediately as soon as you receive this letter for further discussion, Have a Blessed Day.
>
> Best Regards,
> PROFESSOR CHARLES C. SOLUDO,
> EXECUTIVE GOVERNOR,
> OF CENTRAL BANK OF NIGERIA.

Subject: CONGRATULATIONS!!(Your Email Has Won $500,000,00) *SCAM*

Subject: CONGRATULATIONS!!(Your Email Has Won $500,000,00)

Date 27/08/2008
Ref: 575061725
Batch: 8056490902/188
Winning no:KB8701/LPRC
Dear Sir/Madam,
CONGRATULATIONS!!
We are delighted to inform you of your prize release on the 30th of july 2008 from the Australian International Lottery Programme which is fully based on an electronic selection of winners using their email addresses. Your name was attached to ticket number; 5750617258056490902 serial number 6741137002.
HOW TO CLAIM: Contact
our Fiducial Agent, Mr. Leo Clarkson at;(leoclarksoaustagent1@yahoo.es) to file for your
claim. Please quote your: Date of draw, Reference Number, Batch Number and Winning Number, Also, you should give in your telephone number to help locate your file easily.
MRS LISA ADDISON
(For the co-ordinator)

Subject: Attention: Prominent Internet User REF# SCAM

> Date: Wed, 27 Aug 2008 18:05:03 +0200
> To:
> From:
> Subject: Attention: Prominent Internet User REF#:100987bd
>
>
> —
> Attention: Prominent Internet User REF#:100987bd
>
> TRANSFER OF FUNDS
>
> How are you today? Hope all is well with you and your family? I hope this
> mail meets you in a perfect condition. Due to youreffort,using internet
> programs indoor and in your office,We want to compensate you and show our
> gratitude to you with the sum of $500,000.00 Thousand United States Of
> America Dollars we have authorized BGL SECURITIES AND FUND MANAGERS to
> assist you in getting your compensation check across to you. This is from a
> total cash prize of US $2.5 million dollars,given to the first FIVE (5)
> people who will be compensatedin this world internet programmes .
>
> All participants were selected randomly from World Wide Web site through
> computer draw system and extracted from over 500,000 companies and
> individuals. I am using this opportunity to thank you for using theinternet
> daily.
>
> The name and contact address of the agent is as follows:
>
> CONTACT AGENT:BGL SECURITIES AND FUND MANAGERS
> Email:bglsafm01@gmail.com
>
> Provide them with following information;
>
> Full Names: ———————-
> Address:——————–
> Phone Number(s):——————–
> Age:————–
> Sex:—————
> Occupation:——————
> Zip code:—————–
> State:—————–
> Nationality:————-
> Present Country:———-
>
> Finally remember that I have forwarded instruction to BGL
> SECURITIES AND FUND MANAGERS on your behalf to send the cash prize of five
> hundred
> thousand United State Of America Dollars to you as soon as you contact them
> without delay .
>
> Please I will like you to accept this token with good faith as this is
> from the bottom of our heart.Have a wonderful day Thanks and God bless you
> and your family.
>
> DAVID RAY,
> for
> WORLD INTERNET PROGRAMMES 2008
>

Subject: For your Consideration *SCAM*

Dear Friend ,

I am Mr john kofi, the chairman, contract award and tender committee of Economic community of west African States (Ecowas)with sub-head office in Accra Ghana. I got your contact during my search for a reliable person to entrust huge sum of money transfer project with. My colleagues and I involved in this project have Agreed to seek your mutual partnership into this huge Money transfer project.

We wish to transfer some money to your personal or company Account.This fund originated from over invoiced Contract bills awarded by us for the supply of pharmaceutical and Medical equipment to the ECOMOG Peacekeeping Mission In Liberia and Sierra-Leone civil wars. This over invoiced sum was deliberately hatched out and Carefully protected with all attendant lope holes Sealed off.The original executors of the contracts have been Duly paid through E.R.D.B (Ecowas Resources Bank) This over invoiced sum is suspended in an escrow account awaiting claims by any foreign person/company we may front as the owner. Based On the law and ethics of our service to Economic community of West African States, we as Civil servants are not allowed to operate a foreign Account.

You are offered 50% of the total sum as commission,50% will be held on trust for us.However note that if per-adventured there is any expenditures that is needed for the successful execution of this transaction,we shall share the burden. The project is expected to be completed within 7 days if you accord us maximum co-operation. We solicit for your unreserved confidentiality in this project. There is no risk involved.Call me upon the receipt of this mail for more details on the procedure if the need arises or you respond via email if you accept if you accept this proposal.Further information will be sent to you as soon I hear from you.

Thanks,Sincerely yours,
Mr john kofi.

Church Data Security

Whether government, corporate or faith-based file security is important.

No matter the denomination, church file security is especially important because it may not only deal with money, and privacy but the sanctity of the church community. The member, guest and family information must be protected just as much as the preacher, reverend, deacons, bishops, nuns, and/or administrators.

Coordination of church file security:
It is important to first identify what are the churches sensitive data. You may have in your mind what is or isn’t important files to protect for the church, but you may not have the authority or prerogative to make such an important determination. Even if you do, it important to get ideas from the staff and or clergy of what files should be protected and what level of protection should be considered. And interview or meeting with information owners is the first step.

Access to the church files:
Anyone with access to the church files should sign a user license agreement. This is a standard for security no matter what organization you enter. This is to make sure that those who are trusted with access understand what they can and can not do when entering the system. Items in a basic user license agreement include: what can be copied and/or installed on the system, what can and can not be done while accessing church files, whether or not church files are monitored for heightened security. User License agreements are usually done when multiple people have access to a medium to large network with critical resource (i.e. privacy data, financial information, sensitive data). They are also done for software, website/forum and data base access.

You can find examples of a user license agreement on the Internet.

What Church Files to Protect:
Files in a church community may include mission, member, drive, donation and service information that need to be protected. Any files dealing with any money should be protected always. Personal files of church members should be protected as well as data bases with potentially sensitive information. Even if the church has NO sensitive information, the files that allow any access from the Internet (such as webpages or ftp files and folders) should protected with various levels of security including: Username password (don’t EVER use anonymous for FTP), mandatory user registrations, and file permission lock down.

The reason this is important even for churches with no sensitive information, is that some malicious hackers like to use other organizations resources to upload viruses, spam, scams and pornography.

Regulations to consider:
The Privacy Act of 1974 make it mandatory to protect the personal information of all individuals

No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, MORE

Health Insurance Portability and Accountability Act (HIPAA) is another important law to consider when addressing church file security. Among other things, HIPAA deals with the protection of peoples medical and health history.

File Permission:
Files that are sensitive for a church should have some permissions assigned to them to allow only authorized users (system administrators, missionaries, clergy, secretaries) access. This is one part of the access control. Most operating systems have this capability. Don’t forget that not only computers need to be protected, routers, switches and databases also need adequate security.

Certification & Accreditation Change

Standard-issue security
Certification and accreditation process for national security systems to extend to the rest of government. A two-year-old effort to standardize processes for certifying and accrediting government IT systems could soon bear fruit, according to officials from several agencies.

The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.

At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.

“We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.

CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.

A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.

It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.

C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.

“In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.

FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.

“Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network- centric systems and information sharing, but it lacked enterprise visibility.

That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.

Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.

The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.

“The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”