CNET has published an excellent resource for protecting oneself from identity theft. The site includes an ID theft FAQ with many good tips, a roundtable debate, and a few little multimedia gems.
One of my favorite pieces is the pie graph in the sidebar that illustrates risks to ID theft. The most prevalent risks still come from offline.
I gave an ID Theft talk several months ago, and the audience was looking for any way to protect themselves online, to the point of absurdity. But when I suggested that they cut down on all the stuff they carry in their wallets and/or purses, they nearly revolted: “What if I need to do XYZ and don’t have my ID/credit card/library card/customer card/social security card/insurance card/etc.?”
To me, this illustrates that we have a long way to go in educating users about risks. It also illustrates that we need to push back from all the noise created in the infotainment industries, who are perpetuating the online myth and ignoring the brick-and-mortar threats.
A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft. The report does not investigate why this age group is more susceptible, so I’ve started a list:
I’m sure there are many more contributing factors. What interests me is determining the appropriate role of the university in helping to prevent identity theft among this age group. Most colleges and universities now engage in information security awareness and training initiatives with the goal of protecting the university’s infrastructure and the privacy of information covered by regulations such as FERPA, HIPPA, and so on. Should higher education institutions extend infosec awareness campaigns so that they deal with issues of personal privacy protection and identity theft? What are the benefits to universities? What are their responsibilities to their students?
The results are in from the EDUCAUSE Security Task Force’s Computer Security Awareness Video Contest. Topics covered include spyware, phishing, and patching. The winning video, Superhighway Safety, uses a simple running metaphor, a steady beat, and stark visual effects to concisely convey the dangers to online computing as well as the steps one can take to protect his or her computer and personal information.
The videos are available for educational, noncommercial use, provided that each is identified as being a winning entry in the contest. In addition to being great educational/awareness tools, they should serve as inspiration for K-12 schools as well as colleges and universities.
Ars Technica‘s Eric Bangeman posted a pointer and commentary about a case in Illinois where a WiFi piggybacker got caught and fined. This is apparently the third conviction in the US (two in Florida and this one) in the last 9 months. The Rockford Register reports:
In a prepared statement, Winnebago County State’s Attorney Paul Logli said, “With the increasing use of wireless computer equipment, the people of Winnebago County need to know that their computer systems are at risk. They need to use encryption or what are known as firewalls to protect their data, much the same way locks protect their homes.”
Firewall? I guess they didn’t prepare the statement enough, but the intent is clear. Still, it seems that the focus is on the consumer’s responsibility to lock down their network, ignoring the fact that the equipment that’s churned out by manufacturers is far too difficult to secure in the best of circumstances, let alone when you have legacy gear that won’t support WPA. Eric seems to agree:
Personally, I keep my home network locked down, and with consumer-grade WAPs so easy to administer, there’s really no excuse for leaving them running with the default (open) settings.
“Easy” is very relative. It’s “easy” for guys like us, and probably a lot of the Ars audience, but try standing in the networking hardware aisle at Best Buy for about 15 minutes and listen to the questions most customers ask. As I’ve touched on before, expecting them to secure their setups is just asking for trouble.
Well, we’re all pretty beat from this year’s Symposium, but things went off pretty well. Along with lots of running around to make sure posters showed up and stuff, I was able to give a presentation called Web Application Security - The New Battlefront. People must like ridiculous titles like that, because turnout was pretty good. Anyway, I covered the current trend away from OS attacks/vandalism and towards application attacks for financial gain, which includes web apps. We went over the major types of attacks, and I introduced a brief summary of what I feel needs to be done in the education, tool development, and app auditing areas to improve the rather poor state of affairs. I’ll expand on these topics more in the future, but you can see my slides and watch the video for now: