Wrong, according to a study issued today by Experian, a company that does both identity fraud protection services and marketing demographics services. In fact, the most likely victims of identity fraud are those with the most money, the study says.

The study — which was created using Experian’s unlikely combination of identity fraud incidence statistics with basic consumer demographics — indicates that identity thieves are successfully targeting the wealthy and affluent, regardless of the systems and software they use.

According to Experian, consumers in the “Affluent Suburbia” category — the wealthiest of the company’s 12 demographic categories — are 43 percent more likely to fall victim to identity fraud as the average credit applicant. Experian describes Affluent Suburbia as “the wealthiest households in the U.S., living in exclusive suburban neighborhoods and enjoying the best everything has to offer.”

Individuals in the “Upscale America” category are 22 percent more likely to fall prey to identity fraud than the average credit applicant, Experian says. Upscale America is defined as “college-educated couples and families living in metropolitan sprawl, earning upscale incomes that provide them with large homes and very comfortable, active lifestyles.”

The study offers a different perspective on identity fraud than more technical studies, which suggest the most likely victims of identity fraud are those who don’t deploy security software or are ignorant of best practices.

In its study, Experian found the median income of identity fraud victims is 11 percent higher than the average credit applicant. The percentage of victims who own luxury vehicles is 26 percent higher, and the percentage of homeowners is 23 percent higher.

The Experian study suggests that identity thieves and fraudsters could be targeting victims by their neighborhoods, rather than by their computer systems or defenses.

For example, the study found that the percentage of victims found in metropolitan communities and other high-population areas is significantly higher than areas where the population is less than 20,000. In fact, consumers who live in rural areas with a population of 2,500 or less were 60 percent less likely to fall victim to identity fraud than the average consumer.

Attackers may also target users by their hobbies and interests, the study suggests. Consumers who displayed an interest in traditionally affluent avocations were much more likely to fall prey to identity thieves, the study says.

For example, users who displayed an interest in tennis were 85 percent more likely to have been victims of identity fraud than users who didn’t, Experian says. Consumers who were interested in foreign travel were 70 percent more likely to be victims. Interests in cultural arts (52 percent) and skiing (50 percent) also set victims apart from nonvictims.

Experian has not yet posted the study for general viewing on the Web, but the company plans to make it available at a future date, a spokeswoman said.

SOURCE: http://darkreading.com/securityservices/security/privacy/showArticle.jhtml?articleID=222600185

The Elcomsoft iPhone Password Breaker, which was released for free into beta, recovers passwords for iPhones and iPod Touches by trying thousands of phrases per second. It performs wordlist-based attacks only, but the final version will allow dictionary attacks that can be customized.

Apple’s iTunes application allows users to make iPhone and iPod Touch backups that store a wealth of potentially sensitive information, including call logs, address books, SMS archives, calendars, pictures and voice mail. Brought to you by the same company that offers password crackers for wireless networks, Quicken files and many other applications, the iPhone Password Breaker doesn’t require the use of iTunes.

It makes use of multi-core processors, extended CPU instructions and will run faster on certain types of graphics cards.

According to researchers at CA Security’s malware analysis lab, a new wave of malicious dialers is hitting users of mobile phones. The trojans are built on the Java 2 Micro Edition programming language and cause infected handsets to send SMS messages to high-cost numbers, at great expense to the victim.

“As soon as the application is loaded, this malicious software starts to send premium text messages,” CA warned on Tuesday. “The messages sent out are in the typical format to invoke premium services and land the mobile user with heavy mobile bills without the user’s knowledge and consent.”

Malware that automatically dials pricey premium numbers was all the rage a decade ago, when dial-up internet services required computers to connect to a phone line. With the growth of broadband connections the frequency of dialers waned.

The explosion of smart phone that can run software made by anyone has given malicious dialers a new lease on life. And as was the case in the days of yore, they mostly tap into porn services.

SOURCE: http://www.theregister.co.uk/2010/01/13/trojan_dialer_comeback/

The US flaw-hunting specialist said that the attack was an attempt to steal source code on an industrial scale and was, in many cases, probably successful. If correct, this might explain why Google has by its own normally quite restrained standards gone ballistic to the extent of threatening to quit China.

“Two independent, anonymous iDefense sources in the defense contracting and intelligence consulting community confirmed that both the source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof,” said the iDefense press statement, confirming what the world already knows.

It now turns out that Adobe itself was targeted in the latest alleged Chinese attacks, as a statement on its own website explains.

“Adobe became aware on January 2, 2010 of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

The note goes on to say that in Adobe’s case, the attack was not successful in stealing any data.

More embarrassingly, a flaw in Adobe software has been implicated in the new attacks. iDefense has forensically linked these to last July’s attacks, which involved exploiting zero-day flaws in Adobe Reader 9.1.2 and Adobe Flash Player 9 and 10 to send specially-crafted PDFs.
As well as using the same emailed PDF technique to drop Trojans, the two attacks used the same HomeLinux DynamicDNS provider, pointed to the same virtual private server host owned by US-based Linode, and had IP addresses on the same subnet within a very similar address range.

“Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July,” says iDefense.

In fact, it is also possible that exploits go back further since the flaws used in last summer’s attack pre-date the known attack by some months.

Whatever the details, that China is targeting the US technology firms, the government and military is nothing new, as a Northrop Grumman report of last October made clear. It now looks as if the latest cycle of attacks could take US firms, and perhaps even the US government itself, beyond breaking point.

SOURCE: http://news.techworld.com/security/3210137/google-hack-hit-33-other-companies/

The intrusion at Suffolk County National Bank happened over a six-day period that started on November 18, according to a release (PDF) issued Monday. It was discovered on December 24 during an internal security review. In all, credentials 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB’s total

“Although the intrusion was limited in duration and scope, SCNB immediately isolated and rebuilt the compromised server and took other measures to ensure the security of data on the server,” the bank, located about an hour east of New York City, stated. “To date, SCNB has found no evidence of any unauthorized access to online banking accounts, nor received any reports of unusual activity or reports of financial loss to its customers.”

The breach represents a variation on more traditional types of attacks on online banking. Cyber crooks typically target customers by surreptitiously planting malware on their computers that log their user name and password. The FBI estimates that online banking losses to small and medium-sized businesses alone have reached $100m.

By contrast, accessing a server that storing online credentials for tens of thousands of customers isn’t the kind of intrusion one hears about every day. Best security practices are clear that passwords should never be stored on servers unless they are encrypted.

The bank began notifying affected customers on Monday evening using first-class mail. The two-week delay “was necessary for making a lot of arrangements so we could come out with an absolutely conclusive statement about what happened,” said Douglas Ian Shaw, the bank’s corporate secretary. Retail customers whose details were lifted will be given two years worth of credit monitoring services at SCNB’s expense.

In the fourth quarter, the bank budgeted $351,000, or about 4 cents per share, to account for expenses related to the intrusion. Additional expenses may be incurred.

Research by moneysupermarket.com indicates that one wireless customer in five has not, or does not know whether he or she has, protected the network with a password. A quarter of wireless users do not even realise that strangers can log on to an unsecured network.

Last month the internet provider TalkTalk estimated that seven million home wireless connections are left open to hijackers. Stealing a wireless connection — “piggybacking” or “leeching” — is not a new problem. But moneysupermarket.com’s research estimates that four million Britons have accessed the internet on a neighbour’s wireless connection without his or her knowledge.

Tom Beale, a digital security expert at Vigilante Bespoke, believes the problem is growing. He says: “As it becomes more of the norm to get wireless at home, or wireless-enabled mobiles such as the iPhone, there is a greater number of people regularly using wireless technology without fully understanding the importance of securing a network.
“Many consumers trust their internet service provider to configure their router and ensure that it is safe, but help desks often give bad advice. Default security settings on routers are not always good enough, either. Consumers should have WPA2 (wi-fi protected access), the highest level of security that wireless routers support. Some routers come with WEP, which can be cracked by a schoolboy in seconds.”

WEP, or wired equivalent privacy, was replaced with WAP2 in 2004 after serious weaknesses were found in it by researchers, but some wireless equipment has not been updated.

James Parker, broadband expert at moneysupermarket.com, says the consequences of having your wireless hijacked can be severe: “It’s bad enough that your neighbours can use your internet connection freely, but this becomes far more threatening if someone uses your connection for criminal or improper activity. This could be accessing your internet connection to download obscene material, gathering personal information to defraud you or stealing your identity.”

When improper activities are carried out through your wireless router, they are traceable only to your home address. This may mean that you are subject to a fine or cut off by your internet provider for going over a download limit; prosecuted for illegally downloading music, films or more unsavoury material; or, as one Times reader discovered the hard way, unable to prove that you have had your details stolen.

Michael Black, 21, had his laptop stolen from outside his block of flats in Reading. Several days later the thief accessed his wireless connection on the laptop. The thief managed to access Mr Black’s internet banking and transferred £14,000 from his Nationwide savings account to his current account, then to a gambling website.

Mr Black says: “I reported the fraud to Nationwide immediately, but was told that, because someone gained access to my internet banking, I must have written down my security details or told them to someone. This is simply not the case; I have always kept them secret and safe.

“Unfortunately, as the thief has used my personal details to log on to my bank on my laptop through my wireless, there is no way I can prove it wasn’t me. The police say it is impossible to find the perpetrator; Nationwide do not seem to see the seriousness of this issue and are refusing to refund me.”

Although the thief could have been a neighbour, it is also possible that he or she could have accessed the wireless some distance away from the flat.

An attacker who accesses your wireless network can monitor all internet traffic through your router — potentially snooping on every website that you visit, e-mail that you send or user name and password that you type. By monitoring internet activity and a wireless user’s web browser and internet history, it is easy for a cybercriminal to collect personal information about the user: from answers to security questions to credit card numbers, passport numbers or payroll details. Hackers can even watch users book flights or hotels online, recording when a wireless user is likely to have an empty house.

It is more difficult to access internet-banking passwords by monitoring internet usage, as banks have a higher level of encryption than regular websites. However, hackers have developed techniques to bypass even the most secure sites. David Whitelegg, an IT security expert who writes a regular blog to help consumers to avoid digital fraud, explains: “By attacking a wireless router from inside a wi-fi network, hackers can redirect the wireless user invisibly to fake websites.

“It is possible to monitor which bank website you use, then adjust the domain name on the wi-fi router, so the next time the user visits his or her bank website the computer sends them to a fake bank site, which has the correct URL in the address bar. In doing this, the bad guys could harvest your bank account website log-on credentials without your knowledge.”

Fraudsters who steal bank account details in this way often build up a knowledge profile of their target too, then sell these details on an online black market. Mr Whitelegg says: “I have seen cyber-fraudsters selling complete profiles of UK individuals, along with their online bank account user name and password — including one that stated the victim’s pet’s name.”

Case study: ‘You don’t know who is watching online’

Keen to see how easy it is to snoop on someone else’s internet activity, I agree to meet the “ethical hackers” Oliver Crofton and Tom Beale in a coffee shop in the City of London.

The pair, who work for Vigilante Bespoke, a digital security company, have brought a Samsung Netbook, a £250 laptop from PC World.

Mr Beale, who has made some minor technical alterations to the machine, begins by scanning the area for wireless connections. About 40 networks pop up on his screen, including the public wi-fi in the coffee shop. Next to each network we can see its level of security. Many are not protected by a password, many more have WEP security, which he could bypass.

Some of the unprotected networks are BT Business wireless being used in offices near by; if they were not so ethical, the pair could read all the employees’ e-mails. We can also see ten devices being used in the coffee shop, including my iPhone. With my permission they access it, and as I type in hsbc.com on the phone’s internet, hsbc.com appears on their computer screen.

Mr Crofton says: “You wouldn’t have a conversation about your finances with your bank manager in the middle of Sainsbury’s so don’t carry out private activity over public wireless. You don’t know who is listening online.”

Ten easy ways to thwart the online snoopers

Ensure that your router has WPA2 security, the highest level available. It may only have WEP, which is known to be hackable in seconds.

Your security settings should be written in the router manual; if not contact your router or internet provider.

When buying a new router always check that it is WPA2 configured.

High-level network security is all but useless if you have a wireless password that can be guessed easily, such as your name, date of birth or any dictionary word. Use a complex password that includes special characters such as symbols. For example, Cocacola could become C0c4c@la.

Never write your password down or keep it on your computer. If you are likely to forget it write a prompt instead such as “first line of my favourite song”.

Try to change your password every few months; change it immediately if your computer is stolen.

Don’t rename your wireless network something that can be traced back to you or your address.

Avoid wireless when checking internet banking or personal information — plug your computer directly into your router instead.

Encryption software, which jumbles up personal data, can be bought online.

Vigilante Bespoke recommends PGP wholedisk software, or TrueCrypt, which can be downloaded free.

SOURCE: http://www.timesonline.co.uk/tol/money/consumer_affairs/article6944666.ece

US District Judge Michael J. Davis said he was meting out the penalty under his “inherent power,” meaning no one in the court case had filed a motion requesting he do so. In an order issued late last month, he said the move was designed to prevent attorney Vincent J. Moccio from repeating the carelessness again.

“The court is deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents,” he wrote. “Although electronic filing significantly improves the efficiency and accessibility of our court system, it also elevates the likelihood of identity theft and damage to personal privacy when lawyers fail to follow federal and local rules.”

Davis ordered Moccio to send the individuals a letter informing them that their private information had been made public and that unless they objected within seven days, they would automatically begin receiving a year’s worth of credit monitoring services fee of charge. He also ordered the attorney to pay $5,000 to a Saint Paul, Minnesota, food bank.

SOURCE: http://www.theregister.co.uk/2009/11/05/judge_sanctions_attorney/

The Information Commissioner’s Office (ICO) has repeatedly called for tougher penalties for those who blag telephone, medical and other records.

On Thursday justice minister Michael Wills launched a consultation. Alongside harsher punishments, a new public interest defence will aim to protect legitimate journalistic inquiry.

Wills said: “The Government have no intention of curtailing responsible investigative journalism, so we are also consulting on commencing the new defence under section 55 for those who can show that they acted for the purposes of journalism, art and literature with a view to publishing journalistic, literary or artistic material, in the reasonable belief that the obtaining, disclosing or procuring was in the public interest.”

The ICO highlighted abuses by journalists and private investigators in its 2006 report What Price Privacy? The unlawful trade in confidential personal information.

It took this summer’s high profile tabloid celebrity phone hacking scandal to prompt action, however. As El Reg pointed out, the issue of dodgy gumshoes listening in on unsecured voicemails was relatively insignificant compared to burgeoning trade in data obtained by pretexting and corrupt insiders.

http://www.theregister.co.uk/2009/10/16/hack_data_sentences/

A picture of a tearful Maradona was pasted on the website, alongside the message “Te Hicimos Llorar” (We made you cry). Maradona is pictured in tears and wearing a Boca Juniors top, whereas on the night he was wearing a suit. But such was the torrential downpour during the latter stages of the game, it would be difficult to tell if someone was crying or not.

The defacement goes on to add: “For the biggest cry baby of all time – you won over us at football, but we won on the internet”, above a picture of the Peruvian national team. The defacement, captured by net security firm Sophos here, is claimed in the name of Elite-Peruvian.

Peru equalized against Argentina in the last minute of normal time, only for Argentina to score an injury time 2-1 winner in Saturday’s game in Buenos Aires.

The result leaves Argentina in fourth place in the South American qualifying group. They will be guaranteed of a berth in South Africa next year, providing they defeat fifth place Uruguay in the final qualification game on Wednesday (14 October). A draw will almost certainly be enough, but defeat in the Montevideo showdown will result in either elimination or a play-off.

Last placed Peru have stood no chance of qualification for months.

World Cup qualification games between El Salvador and Honduras in 1969 infamously acted as a lightning rod for wider tensions between the two neighbours over issues such as immigration, and led to a four-day war (known as La guerra del fútbol). Forty years on we get a website defacement, which counts as progress of sorts, we suppose.

Maradona famously knocked England out of the 1986 FIFA World Cup with the infamous “Hand of God” goal. This was followed by an outstanding solo dribble and goal that showcased his extraordinary talent as an attacking midfielder.

“The message for Maradona [from the hack] is clear,” said Graham Cluley, a security consultant at Sophos. “Don’t leave your web security to the Hand of God – secure your systems and follow best practices instead to keep hackers locked out.”

http://www.theregister.co.uk/2009/10/13/maradona_defacement/

Microsoft, which owns the popular web-based e-mail system, said that it was aware of the claims and that it was “investigating the situation”.

http://news.bbc.co.uk/1/hi/technology/8291268.stm