Brent Strange's thoughts on Software Quality Assurance and technology
Way back in the day we only knew people by personal recognition, after seeing that person. There was a time when an event could only be experienced by witnessing it. If you missed the event you were left with little to go by. There once was a generation that spread knowledge and commodities on foot. Those days are long gone; time has passed and we have evolved: seeing a person turned into a description of a person, descriptions turned into drawings of a person, drawings turned into pictures, and pictures turned into computer bytes. Experienced events turned into word of mouth, word of mouth turned into hieroglyphics, hieroglyphics turned into scrolls, scrolls turned into books, and then books turned into computer bytes. Traveling on foot on a faint path turned into traveling by animal on a beaten path, animals turned into engines on paved roads, and engines turned into computer bytes via the Internet (in some cases). You, my digital friend, have become a digital signature in this world. LIKE IT OR NOT. Much of what you see, say and do is digitized and stored. Storage creates a historical record, and historical records can be analyzed for events, paths, and patterns. YOU ARE MAKING HISTORY. Consider yourself a star! Paul Revere and the midnight ride? BAH! You are the new history. Just for the record, "you" digitally is: 101110010110101 (rough estimate... geeks don't correct me, I don't care). Yeah, doesn't make much sense to me either, but somehow or other this fabulous computer brought that definition to you (101110010110101). Where was I? Oh yeah... Here you were worrying and waiting for the mark of the beast to be forced on you: "He also forced everyone, small and great, rich and poor, free and slave, to receive a mark on his right hand or on his forehead." (Revelation 13:16) Hehe... You fool!
The mark is your forehead and right hand, and now it's digitized and posted on the Internet (remember that picture you took with Grandma last Christmas that clearly showed your forehead and right hand, and then posted to your MySpace?). Yes, you've been marked, and oddly enough, you are the one who published your mark to the world. Sucks for you. Dang... Me too. Scary, huh? Oh, don't be afraid. Everybody is in the same boat as you. The wonderful part is that when the boat sinks we'll all be going down together. YOU and the INTERNET are the end of the world. The Internet is the fast track to spreading the digital blasphemy we've created. Don't get me wrong, I love the Internet. It puts food on my table. I just wanted to let you know. I hope I didn't ruin your day; it wasn't my intent. I just wanted to make you aware. I'm going to go check my email now.
Rob over at Cockeyed.com has shown us how incredibly insecure it is to merely rip up those credit card offers you get in the mail. Rob took an application he received in the mail, ripped it up, taped it back together, filled it out using a different address (his father's) and his cell phone as the phone number, and submitted it. A few weeks later his dad received the credit card.
Is that messed up or what? I can just picture some underpaid worker at Chase opening the envelope and entering the data into the system without giving one rip why the application was torn up and re-taped. Sad, oh so sad. Learn a lesson from this, folks!
Just in case you don't get it:
If you rip up your credit card offers and throw them away (or even worse, don't rip them up at all), a thief can fish them out of the garbage, tape them back together, fill them out with his/her own address and phone number, receive the card at that address, and then go shopping. Tearing the application changes nothing about how the issuer processes it; the name and pre-approval on the form are what the bank acts on.
My advice: SHRED ALL CREDIT APPLICATIONS YOU RECEIVE IN THE MAIL
Read Rob's adventure step by step here.
Tuesday, October 31, 2006
A quarter-million hospital patients' Social Security numbers were burned to CDs and put in an employee's bag; the bag was exchanged at a store for a larger version, and the exchanged bag (with the CDs still inside) was bought by another person. That person brought the CDs back 3 days later.
Think about this story and the lack of responsibility next time you give somebody your Social Security number!
Read the full article here.
Thursday, October 26, 2006
Today, my coworker Aaron Jensen provided a link to Microsoft's Privacy Guidelines for Developing Software Products and Services paper. I haven't had a chance to read it yet, but I think this will be a great first step towards helping develop software with respect for user privacy. The development community needs this... The testing community could benefit greatly from this document too. A guy could create a pretty sweet set of privacy test cases from this information.
Sunday, September 24, 2006
I've recently had a chance to write some Ajax in a side project that I've been working on, and through using it I started thinking about how one could easily use it to do evil things. Doing evil things reminds me of security testing, and I haven't had an opportunity to test an application that uses Ajax, but I am pretty interested in finding some good exploits when I do get the chance. Before you get all "You had the chance to test it, Brent. Didn't you test YOUR Ajax code, Brent? You're in Software QA and you don't test your own code?", let me tell you that I did think about it being exploited, and if it were it wouldn't really matter in my situation.
But while thinking about it, I did find the following article on Ajax Security Basics that would help a tester start thinking about how to attack the technology. After working with it, and reading the article, when I think about how dangerous this could be to an application I rank it up there with the danger of using <frames>. Are any of you testing Ajax applications? Do you have any advice or test cases you'd be willing to share?
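As a starting point for the kind of test case asked about above, here is an added example (my own illustration, not code from this post or from the Ajax Security Basics article) of the two places an Ajax feature most often goes wrong: the server has to repeat the validation the page does in JavaScript, because anyone can POST to the endpoint directly and skip it, and the client has to escape response data before it goes into the DOM. The comment endpoint, its field names and the payload are constructed for this example; nothing here is from a real application.

```javascript
// Added example, not code from the original post or the linked article: the
// two checks a tester should run against an Ajax feature, shown on a small
// comment widget. The endpoint shape, field names and payload are constructed.

const comments = []; // stand-in for the server's datastore

// Validation the page runs in JavaScript before sending. It is a usability aid
// only: anyone can POST straight to the endpoint with a script and skip it.
function clientValidate(text) {
  return typeof text === 'string' && text.length > 0 && text.length <= 200;
}

// Server-side handler for POST /comments. It repeats the check because the
// browser's copy cannot be trusted, and stores the raw text: escaping belongs
// at output, since the same text may later be sent as JSON, RSS or plain text.
function postComment(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return { status: 400, error: 'body is not JSON' };
  }
  if (!data || !clientValidate(data.text)) return { status: 400, error: 'invalid text' };
  comments.push({ id: comments.length + 1, text: data.text });
  return { status: 201, id: comments.length };
}

// GET /comments: the JSON the page's XMLHttpRequest receives.
function getComments() {
  return JSON.stringify(comments);
}

// Vulnerable client: splices server data into markup destined for innerHTML.
// Whatever any user typed is parsed as part of the page.
function renderUnsafe(json) {
  return JSON.parse(json).map((c) => `<li id="c${c.id}">${c.text}</li>`).join('');
}

// Escaping for text placed in element content. In a real page, prefer
// textContent / createTextNode, which never parse the string as HTML at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened client: same markup, but user-controlled text is escaped first.
function renderSafe(json) {
  return JSON.parse(json).map((c) => `<li id="c${c.id}">${escapeHtml(c.text)}</li>`).join('');
}

// Constructed attack: a short, valid string that both validators accept but
// that carries an event handler.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Walk the whole path once and return what each renderer would put in the DOM.
function demo() {
  const posted = postComment(JSON.stringify({ text: PAYLOAD }));
  const json = getComments();
  return { posted, unsafe: renderUnsafe(json), safe: renderSafe(json) };
}

console.log(demo());
```

Run it with node: the vulnerable renderer emits the onerror handler verbatim, the hardened one emits it as inert `&lt;img ...` text. On a real application the same two probes apply: send the Ajax endpoint a request the form would have refused (curl or an intercepting proxy, bypassing the JavaScript check), and grep the client code for XMLHttpRequest responses that end up in innerHTML or eval.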
Monday, September 18, 2006
The typo-squatter top-level domain .cm is being used to turn your .cm typo of .com into a page you didn't really want (e.g. microsoft.cm instead of microsoft.com). Here is an easy way to avoid the .cm typo in IE:
- Type the domain name minus the suffix in the address bar (e.g. microsoft)
- Press the keys: CTRL+SHIFT+Enter
A www. will be added to the front of the name and a .com will be added to the end. Avoid the .cm typo-squatters with IE shortcuts!
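The IE shortcut fixes the typo at the keyboard. Below is an added example (mine, not from the post) of catching the same mistake in software, say in a proxy or a browser extension: it flags a typed address whose label matches a watched domain but whose TLD is a known lookalike of .com (the .cm case), and, going one step beyond the post, an address whose label is a single edit away from a watched domain (the more general typo-squat). The watched-domain list and the lookalike list are constructed samples, not a real allowlist.

```javascript
// Added example, not code from the original post: flag a typed address that
// looks like a typo of a domain you meant to visit. WATCHED and COM_LOOKALIKES
// are constructed sample lists, not a real allowlist.

const WATCHED = ['microsoft.com', 'google.com', 'paypal.com'];

// TLDs one dropped or mistyped character away from "com". Squatters register
// brand names under these because of that (".cm" is Cameroon's ccTLD).
const COM_LOOKALIKES = ['cm', 'co', 'om', 'con', 'cpm', 'xom', 'vom', 'comm'];

// What IE's CTRL+SHIFT+Enter does to "microsoft": prefix www. and append .com.
function completeDotCom(label) {
  return `www.${label}.com`;
}

// Reduce whatever was typed to the registrable name: drop scheme, port, path,
// query, fragment and a leading "www.", and lower-case it.
// "HTTPS://WWW.PayPal.COM:443/login?x=1" -> "paypal.com"
function registrableName(typed) {
  let host = typed.trim().toLowerCase().replace(/^[a-z][a-z0-9+.-]*:\/\//, '');
  host = host.split(/[/?#]/)[0].split(':')[0];
  return host.replace(/^www\./, '');
}

// Optimal string alignment distance: substitution, insertion, deletion and
// transposition of adjacent characters each cost 1, so "micorsoft" and
// "microsft" are both one edit from "microsoft".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns null when the address is exactly a watched domain or resembles none
// of them; otherwise the domain it was probably meant to be, and why.
function checkTypo(typed) {
  const name = registrableName(typed);
  if (WATCHED.includes(name)) return null;
  const dot = name.lastIndexOf('.');
  const label = dot === -1 ? name : name.slice(0, dot);
  const tld = dot === -1 ? '' : name.slice(dot + 1);
  for (const watched of WATCHED) {
    const wDot = watched.lastIndexOf('.');
    const wLabel = watched.slice(0, wDot);
    const wTld = watched.slice(wDot + 1);
    if (label === wLabel && wTld === 'com' && COM_LOOKALIKES.includes(tld)) {
      return { intended: watched, reason: `tld "${tld}" is a lookalike of "com"` };
    }
    if (tld === wTld && editDistance(label, wLabel) === 1) {
      return { intended: watched, reason: `label "${label}" is one typo away from "${wLabel}"` };
    }
  }
  return null;
}

for (const typed of ['microsoft.cm', 'http://www.micorsoft.com/', 'microsoft.com']) {
  console.log(typed, '->', checkTypo(typed));
}
```

The distance check uses optimal string alignment so that a swapped pair of letters (micorsoft) counts as one edit, which is how most typo registrations are generated. Extend WATCHED and COM_LOOKALIKES with the brands and TLDs you actually care about; a distance of 1 against a short label will produce false positives, so keep the watched labels reasonably long or require a minimum label length.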
The bad guys are using Firefox extensions as a means of piggybacking on Firefox to steal sensitive user data.
Once FormSpy is executed, it installs itself as a component of the Firefox Web browser. The FormSpy spyware then gleans sensitive information, such as credit card and bank account numbers, from the user's browser and forwards it to a malicious Web site. But this Trojan is capable of other tricks, as well, McAfee noted.
Read more here.
Larry Dignan over at eWeek.com asks us how much our personal data is worth. He proposes "Stiffer Fines, Safer Data". I agree and disagree: stiffer fines will eventually lead to safer data, but it won't happen right away. Enterprises need maintainable solutions and processes that work first. In my opinion, identity theft lawsuits and media frenzy will drive this "solution".
How much is your stolen, used, and abused identity worth to you? Is $1000 enough? Has your identity been stolen? How much did it end up costing you, in money and in time?
This security breach hits a little too close to home:
Porn-surfing hits taxpayer IDs. Security breach: more than 1,300 people face identity theft after a state employee let in data-stealing spyware
Last night the 10 o'clock news said that the Oregon Department of Revenue would be sending letters to the individuals at risk. I'm an Oregonian and I'm hoping I didn't make the list. It was rather amusing when the news station asked random Portland citizens their thoughts on the matter and they were more aghast at the fact that a Department of Revenue employee was surfing porn at work! Amazing... what is it going to take to wake up the public so they see the root of this identity theft problem?
Today Greg sent me a link, and after clicking it the title of the article had me thinking that the identity theft pendulum had begun to swing the other way (in our favor). The article title was: Veterans Affairs chief calls for stronger data laws
The article is a reactive statement on the 26.5 million veterans' records that were stolen a while ago, and it starts out hopeful with a great inspirational quote:
"It's an emergency at the VA, and it should be an emergency in our society,"
but then starts to roll downhill with:
Rep. Tom Davis, the Virginia Republican who heads the committee, said the incident had prompted him to weigh changes to a law called the Federal Information Security Management Act of 2002, which outlines procedures federal agencies must undertake in order to protect their data and systems.
I wonder, is it the actual incident that prompted Tom, OR WAS IT THE FACT THAT THE VETS ARE SUING? Hope spirals back into the vast wasteland of stolen identity when the article goes on to say:
That law requires agencies to notify law enforcement and internal inspectors general when a breach occurs, but it does not require notification of potential victims or the public. It must be updated to include penalties, incentives and "proactive notification requirements," Davis said, adding that he is "troubled as the number and scope of losses continues to expand."
So if I understand right, once you let my data get stolen you'll find it in the goodness of your heart to tell me (instead of me finding out after my bank account is drained). That's proactive? I think not. Proactive is encrypting my data and being certified to manage my data. Ugh... This is pathetic.
Is it the fact that I work in a security group and this stuff naturally flows through my inbox, or has the last week been a stolen data fiesta?
Hotels.com customers' data is stolen and Greg is MAD (WARNING! Don't make Greg mad, it's not pretty. Well, sometimes it's humorous to watch... If you have the opportunity to rib him a little bit someday in person, just bring up how slow Microsoft Virtual Server is and you'll see traces of the mad Greg. Mad level 3 out of 10). Anywhooo, Greg not only rants about how pathetic security is in the industry but offers some practical advice on judging how secure a company is by its certifications. Good stuff.
Data lost on all 2.2 million (nearly all) active duty, reserve and guard members.
Veterans fight back and sue over data lost/stolen (this is what we need to wake the industry up).
Alex Scoble sent an article stating that cleaning up a data breach costs 15x more than encryption. No joke? Go figure. But why do that? That's proactive and not reactive. Fire-fight mode is sooo much more fun though.
Are you a blogger or blog reader? Are you a fan of syndication? Let me present the latest in geek t-shirts for RSS. I had this one on the back burner since I started this blog in December of 2005 and finally sat down to create it tonight. This masterpiece is titled "Feed Me" (I won't be offended if you consider it a master-POS). The image below requires Shockwave Flash. If you can't see it, just go to Zazzle.com where this little beauty resides. Do you hate black t-shirts, or would you rather have a sweatshirt or tank top? Zazzle has a huge product line-up that you can place this advertising gem on. Gem, you say? Yes, this is THE official RSS icon, to be recognized by a cajillion internet users by 2007. TRUST ME. Don't be a "wanna-be" by displaying your syndication spirit in 2008. Get this frickin' thing on your chest now!
Ho-hum, more user data stolen, yawn... This time only 1.3 million borrowers' Social Security numbers from the Texas Guaranteed Student Loan Corp. Interestingly enough, this time the data was encrypted for transport but then decrypted by the data management company Hummingbird Ltd. After decryption, the hardware it was on was "lost". Lost? <Insert snide comment here>. Encryption in transit does nothing for data that is decrypted and left sitting on a portable device.
Read more here.
A Portland man gets pissed, turns sleuth, and tracks down and catches identity thieves while they are using his identity and credit card. Read his story here. Pretty darn cool. Thanks for the link, Matt.
Yet more personal information is stolen, this time from our veterans. Don't act so surprised. This one seems to be getting some pretty good press though. Will it change anything? Doubt it. It's just another instance to add to the simmering pot. Someday the pot will start to boil, and then eventually boil over. Who will make them stop and listen? Maybe Brad Pitt and Angelina Jolie? Save us, Brangelina, save us from this wretched mess.
Read more here.
A while back MSDN TV posted a great video titled "The Code Room: Breaking Into Vegas". If you have an extra half hour, it's a cool, informative watch about security and hacking with some real-world scenarios and examples. The acting is pathetic and cheesy, but the actors are real-life experts and geeks, so I guess that's expected! Here is a summary from the site:
"In this episode of The Code Room watch the White Hats and Black Hats battle for the security of Las Vegas. Jessi Knapp and Microsoft Security Guru Joe Stagner narrate as the Hackers try to gain control of The Plaza's online money management system and our Security Team tries to stay one step ahead."
The credit card system is a joke. Yeah, I know you know. I just wanted to remind you with my latest mockery of the system.
So, I received a new MBNA Visa card about 3 months ago and have been using it pretty consistently since then. During the last few weeks, while away on business, I used it at least twice a day, every day, for food at various restaurants in Seattle, Bellevue, and Issaquah. Needless to say, a lot of activity. The night before I came back from my trip, after a delightful dinner of seared tuna encrusted with soy and black pepper, the waitress handed me my card with the receipt after I paid my bill. She unintentionally handed it to me backwards (no, she wasn't backwards, the card was; stay with me here) and I noticed that I had never signed it.
So about now you are thinking "Wow, what an idiot. How can you be so stupid?". Funny thing though, I don't feel stupid, not even the least bit. I find it rather amazing and pathetic that I could conduct 50+ transactions on this card and not one merchant ever asked me about it, or probably even looked at the back of the card for that matter. Should I feel stupid for not being "safer" with the card? If you think so, then think about the following:
- Let's say that somebody steals my credit card and signs it for me. Now when merchants do the signature comparison, the fraudster's receipt signatures will match the credit card signature. OH WAIT, MERCHANTS DIDN'T COMPARE SIGNATURES FOR 50+ TRANSACTIONS.
- On the back of my card, in small text below the signature strip, it says "Not valid unless signed". SEEMS TO BE VALID TO ME, IT WORKED FOR 50+ TRANSACTIONS.
- On the back of my card, in small text below the signature strip, it says "Authorized Signature". I BET MERCHANTS READ THIS REMINDER RIGHT AFTER THEY LOOK AT THE SIGNATURE (EXCEPT ALL 50+ TIMES).
- Citibank says, to prevent identity theft, "Sign your credit card or write that the merchant must 'check ID' on the back of your card". SEEMS FEASIBLE, IF THE MERCHANT EVER LOOKED AT THE BACK OF THE CARD (ALL 50+ TIMES).
See any trends in those examples?
Well... I've signed the card. I'm not sure why, but everybody else does, so I might as well do it too. Everybody seems to think it's a good idea for some reason. I mean, I would hate to have the merchant get a wild hair and happen to CHECK THE SIGNATURE ON THE BACK OF THE CARD and call me out on it. I can hear it now.
Merchant: Mr. Strange, you didn't sign the back of your card.
Brent: Dagnabbit! I totally spaced it. I feel so stupid. Here, let me sign it.
Merchant: Oh, no problem, don't worry about it.
Brent: (the sound of chicken scratch as I create my humble cipher)
Merchant: Thanks, Mr. Strange, I'll be right back with your receipt.
Heh, and that's the end of this sad, sad joke.
Hmmm... I may have found a good reason to sign it. I read somewhere: "By law, you are only liable for $50 of any fraudulent transactions on your card. Most credit card banks like AMEX, Citibank, MBNA, etc. actually offer zero liability on their cards, which means that you are not liable for any fraudulent activity at all! If you don't sign the card -- you are actually not eligible for those benefits!"
That's assuming the thief gets caught. How many stolen cards do you think are recovered? When they recover them, do you think they check to see if you signed it?
Wednesday, April 19, 2006
And yet again more personal financial user data was stolen. This time it was from a company named Regulus Integrated Solutions, which was hired to handle Wells Fargo's monthly statements. Customers sued, but since the user data has not been exploited (yet) they lost. Hmmm... I wonder if the customers' "fear, anxiety and worry" could have been alleviated by Regulus using encryption?
Jaikumar Vijayan over at Computerworld writes about how Florida residents' Social Security numbers and bank info are available via county Web sites:
"The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents of Florida are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on county Web sites."
One of my favorite quotes is:
"Aside from making the redaction-request process as user-friendly and speedy as possible, I do not have the independent authority to take any additional action regarding removing material from the public records,"
They can't take down your private information unless you request it. What's wrong with this world? Heh.
Read the full article here.
Google has released version 2 of its toolbar for Firefox. Among its many features is the ability to detect phishing and site spoofing. I tried the feature out against a known, still-active phishing site, and the toolbar caught it immediately and then disabled the page until I answered its warning. Tools like this are a must-have when studies show that 90% of people are fooled by a good phishing site. Here's a screenshot of what the warning looks like:
[Screenshot of the Google Toolbar phishing warning; the image is not included on this page.]
"The Energy and Commerce Committee of the U.S. House of Representatives unanimously approved The Data Accountability and Trust Act (H.R. 4127), a bill that requires companies to launch nationwide notification campaigns if the security of sensitive consumer information, such as Social Security Numbers, drivers license numbers or financial data, is breached and could be used for identity theft."
"The Data Accountability and Trust Act recognizes that encryption is a fundamental enabling technology for protecting electronic data and fulfilling regulatory compliance"
This is progress in protecting your identity! Read more here and here.
FREEZE! DROP THE PHISHING POLE. PUT YOUR HANDS BEHIND YOUR HEAD AND SLOWLY BACK TOWARDS MY VOICE. I SAID SLOWLY, MOTHER PHISHER! MOVE SLOW, I SAID. THAT'S RIGHT, KEEP BACKING TOWARDS MY VOICE. I DON'T WANT ANY PHISHY BUSINESS OUT OF YOU. Okay, drop to your knees. Do you have any phish hooks or spears on you? IF I POKE MYSELF WITH A HOOK I'M GONNA KICK THE PHISH OUT OF YOU, MOTHER PHISHER.
Microsoft and AOL take legal action against phishers