JusticeDept.com

July 8, 2009

Spies Out of Control?

Filed under: Uncategorized — @ 11:45 pm

Washington, D.C. — First, there were questions about the NSA, the USA’s spy agency, developing Einstein 3 for the Internet. Next, the head British spy’s life was put on Facebook by his wife. Now, there are questions about whether North Korea launched a cyber attack against the USA and South Korea.

Starting on the 4th of July, over 35 government websites in the U.S. and South Korea were simultaneously hit with a widely known weapon, a denial of service attack (DoS). The NASDAQ said it was unaffected. WhiteHouse.gov, Homeland Security and the FAA felt the impact. Some sites were shut down, including the Treasury Department, the Secret Service, the Federal Trade Commission, and the Transportation Department.

South Korea’s spy agency is pointing the finger at North Korea’s spy agency; however, not everyone is so sure. It is commonplace to make attacks look like they are coming from somewhere else. A bunch of kids, another government or a rogue hacker could have made it look like North Korea. “In the dozens of instances that I worked over the past decade, I cannot recall a single instance in which someone intending to attack came from the source it appeared to have come from,” offered a former intelligence agent.

“The preventative measures in place to deal with frequent attempts to disrupt WhiteHouse.gov’s service performed as planned, keeping the site stable and available to the general public, although visitors from regions in Asia may have been affected,” said Nick Shapiro.

The State Department’s attack started on July 5. “It’s still ongoing, but I’m told that it’s much reduced right now,” spokesperson Ian Kelly said.

July 6, 2009

Head British Spy’s Face on Facebook

Filed under: Uncategorized — @ 8:28 pm

Cover blown?

London — You need to be careful what you post to social networking sites. The Mail, a London newspaper, reported that the cover of the new head of the British spy agency, the Secret Intelligence Service, was blown on Facebook. The SIS, more popularly known as MI6, is England’s intelligence gathering organization.

The Mail reported, “The new head of MI6 has been left exposed by a major personal security breach after his wife published intimate photographs and family details on the Facebook website.”

“But his wife’s entries on the social networking site have exposed potentially compromising details about where they live and work, who their friends are and where they spend their holidays.”

“Amazingly, she had put virtually no privacy protection on her account, making it visible to any of the site’s 200 million users who chose to be in the open-access ‘London’ network - regardless of where in the world they actually were.”

The SIS promptly took the information down after inquiries were made by The Mail; however, the newspaper printed the information and pictures in a two-page spread.

July 4, 2009

Einstein 3: Homeland Security and NSA Vs. Privacy

Filed under: Uncategorized — @ 6:00 pm

Washington, DC, USA — The Department of Homeland Security is getting ready to release the long-delayed Einstein 3. The Einstein 3 project is meant to detect and prevent attacks against government computers. Because the National Security Agency (NSA) is involved, there is concern among citizens and civil liberties organizations over privacy.

The following assessment was produced for Einstein 2 by the Department of Homeland Security:

Privacy Impact Assessment for
EINSTEIN 2
May 19, 2008
Contact Point
United States Computer Emergency Readiness Team (US-CERT)
(888) 282-0870
Reviewing Official
Hugo Teufel III
Chief Privacy Officer
Department of Homeland Security
(703) 235-0780
Privacy Impact Assessment
US-CERT, EINSTEIN 2
Page 2
Abstract
This is the Privacy Impact Assessment (PIA) for an updated version of the EINSTEIN System. EINSTEIN is a computer network intrusion detection system (IDS) used to help protect federal executive agency information technology (IT) enterprises. Pursuant to Section 208 of the E-Government Act of 2002 (Public Law 107-347, 44 U.S.C. § 3501, note), the Department of Homeland Security (DHS) must provide this publicly available PIA prior to initiating a new collection of information that uses information technology to collect, maintain or disseminate information that is in an identifiable form or collects identifiable information through the use of information technology. The original PIA for EINSTEIN 1, dated September 2004, explained that EINSTEIN 1 analyzes network flow information from participating federal executive government agencies and provides a high-level perspective from which to observe potential malicious activity in computer network traffic of participating agencies’ computer networks.

The updated version, EINSTEIN 2, will incorporate network intrusion detection technology capable of alerting the United States Computer Emergency Readiness Team (US-CERT) to the presence of malicious or potentially harmful computer network activity in federal executive agencies’ network traffic. EINSTEIN 2 principally relies on commercially available intrusion detection capabilities to increase the situational awareness of the US-CERT. This network intrusion detection technology uses a set of pre-defined signatures based upon known malicious network traffic. The signatures which will be implemented when EINSTEIN 2 goes “live” are based upon malicious computer code and are not based upon personally identifiable information (PII). Nor is the IDS programmed to specifically collect or locate PII. While future signatures might be developed in response to threats that use what appears to be PII, the purpose of these signatures is to prevent malicious activity from reaching federal networks, not to collect or locate PII. For example, if the author of a computer security exploit chose to use PII in the delivery of malicious code, a signature may be developed in response to that exploit which could contain PII.[1] Accordingly, while the IDS will collect some PII that is directly related to malicious code being transmitted to the federal networks, its main focus is to identify the malicious code and protect federal networks, not to collect PII. In identifying malicious code across the federal networks, EINSTEIN 2 increases situational awareness and provides an improved real-time ability to address computer network incidents on federal systems.

Overview
Protecting the federal executive agencies’ IT infrastructure is a substantial undertaking. Under the Federal Information Security Management Act of 2002 (FISMA) (44 U.S.C. § 3541 et seq.), all federal departments and agencies must adhere to information security best practices. As such, federal departments and agencies use individual intrusion detection systems to help protect their own computers, networks, and information. Within the National Cyber Security Division of the Department of Homeland Security, the US-CERT serves as a focal point for addressing computer network security incidents within the federal government. One of the primary functions of the US-CERT is to increase the federal government’s awareness of computer network threats and vulnerabilities, thereby increasing the government’s ability to prepare for and respond to computer network security events.

[1] For example, the Melissa virus (http://www.cert.org/advisories/CA-1999-04.html) propagates in the form of an email message containing malicious code as an attachment. That email message could contain PII.

To improve the US-CERT’s capability to maintain situational awareness, all federal executive agencies[2], in accordance with the Office of Management and Budget (OMB) November 20, 2007, Memorandum M-08-05, Implementation of Trusted Internet Connection, will be required to use EINSTEIN 2. This expanded use of EINSTEIN 2 enables the US-CERT to gain increased situational awareness from all the federal executive agencies and fulfill its mandate to act as a central point for computer network security of the federal enterprise.

EINSTEIN 1, developed in 2003, provides an automated process for collecting, correlating, and analyzing computer network security information from voluntarily participating federal executive agencies. It works by collecting network flow records. “Flow records” are records of connections made to a federal executive agency’s IT systems. The records identify: the source Internet Protocol (IP) address of the computer that connects to the federal system; the port the source uses to communicate; the time the communication occurred; the federal destination IP address; the protocol used to communicate; and the destination port. Using network flow records, the US-CERT can detect certain types of malicious activity and coordinate with the appropriate federal executive agencies to mitigate those threats and vulnerabilities. The US-CERT shares this analysis, along with additional computer network security information, with both the public and private sectors via its web site.

EINSTEIN 2, like EINSTEIN 1, will continue to passively observe network traffic to and from participating federal executive agencies’ networks. In addition, EINSTEIN 2 will alert when specific malicious network activity is detected and provide the US-CERT with increased insight into the nature of that activity. Through EINSTEIN 2, the US-CERT will be able to analyze malicious activity occurring across the federal IT networks, resulting in improved computer network security situational awareness. This increase in situational awareness can then be shared with federal executive agencies in an effort to reduce and prevent computer network vulnerabilities.

EINSTEIN 2 adds to EINSTEIN 1 a network intrusion detection technology that will monitor for malicious activity in network traffic to and from participating federal executive agencies. EINSTEIN 2’s network intrusion detection technology uses a set of pre-defined signatures based upon known malicious network traffic.

Signatures are specific patterns of network traffic that affect the integrity, confidentiality, or availability of computer networks, systems, and information. For example, a specific signature might identify a known computer virus that is designed to delete files from a computer without authorization. Signatures are derived from numerous sources such as: commercial or public computer security information; incidents reported to the US-CERT; information from federal partners; or independent in-depth analysis by the US-CERT. As mentioned above, the signatures which will be implemented when EINSTEIN 2 goes “live” are based upon malicious computer code and are not based upon PII. Nor is the IDS programmed to specifically collect or locate PII. While future signatures might be developed in response to threats that use what appears to be PII, the purpose of these signatures is to prevent malicious activity from reaching federal networks, not to collect or locate PII. For example, if a computer security exploit chose to use PII in the delivery of malicious code, a signature may be developed in response to that exploit which could contain PII.[3] Accordingly, while the IDS will collect some PII that is directly related to malicious code being transmitted to the federal networks, its main focus is to identify the malicious code and protect federal networks, not to collect PII. All signatures will be reviewed by the US-CERT in accordance with legal and privacy guidelines before being employed.

EINSTEIN 2 will alert the US-CERT when the system identifies malicious network traffic occurring in a federal executive agency’s network in response to specific predefined signatures. EINSTEIN 2 sensors only monitor for specific predefined signatures of known malicious activity. EINSTEIN 2 does not seek or obtain the content of all electronic communications. Rather, by scanning communications during transmission, EINSTEIN 2 identifies harmful communications that warrant analysis. A US-CERT analyst may then query that specific information in EINSTEIN 2 to analyze the potentially harmful network traffic identified by the alert. The US-CERT analysts will view only the specific intrusion detection information that caused the triggering alert. The intrusion detection information used by the US-CERT is that portion of the network traffic that is relevant to the specific signature, along with the network traffic that is reasonably related to and associated with the network connection that caused the triggering alert.

EINSTEIN 2 is to augment, not replace or reduce, the current computer network security practices of participating federal executive agencies. Participating agencies will continue to operate their own intrusion detection and prevention systems, perform network monitoring, and use other information security technologies. EINSTEIN 2 enables the US-CERT to correlate activity across the entire federal enterprise. With the enhanced correlation capability, the US-CERT achieves the increased situational awareness of federal executive agency computer networks which is required to perform the computer network security responsibilities assigned to DHS.

[2] Not to include Department of Defense or Intelligence Community Executive Branch agencies.

[3] For example, the Melissa virus (http://www.cert.org/advisories/CA-1999-04.html) propagates in the form of an email message containing malicious code as an attachment. That email message could contain PII.
Section 1.0 Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, rule, or technology being developed.

1.1 What information is collected, used, disseminated, or maintained in the system?
The information collected, used, disseminated or maintained is information derived from communications made to and from the federal networks. This will include communications sent to the federal networks by the public and those communications generated by users of the federal networks. The information collected takes the “form” of network flow records and network packets collected in response to alerts triggered by pre-determined intrusion detection signatures. When malicious traffic triggers an alert, that data will be captured along with the data that is transmitted in proximity to that alert and related to that connection. When data is captured due to an alert being triggered, there is a slight risk that personal information may be transmitted along with a malicious activity. It is the malicious activity that the IDS is focused on and not the PII. EINSTEIN 2 will maintain this captured information on a separate network under the control of the US-CERT. The US-CERT may disseminate this information to federal executive agencies according to written standard operating procedures. The method EINSTEIN 2 uses to collect the information is set forth below.

Client-Server Model & Flow Records
Under the client/server model each entity connected to the Internet is assigned an IP address which permits other connected entities to send it communications. This is typically known as the client/server model of information delivery. Typically, the client is a desktop computer or the software that runs on it and the server, also known as the host, is the more powerful computer that houses the data and/or server software. The connection to the server can occur in many ways: via LAN, phone line, cable, or modem. In the case of the Internet’s World Wide Web, the client is actually the browser on your PC and the server is a host computer located somewhere on the Internet. Typically the browser sends the server a request for a Web page. The server processes that request and sends the answer back to the browser. The connection between the client and the server is maintained only during the actual exchange of information (the connection). Thus after a Web page is transferred from the server, the connection between that computer and the client is broken. Browsers interact with the server using a set of instructions called protocols. These protocols help in the accurate transfer of data through requests from a browser and responses from the server. There are many protocols available on the Internet. The World Wide Web, which is a part of the Internet, brings all these protocols under one roof.[4]

[4] Gralla, Preston, How the Internet Works, p. 19 (Que Publishing 2004); see also In re DoubleClick, Inc., 154 F. Supp 497 (S.D. NY 2001) (technology required to communicate with the Internet described in detail).

Flow is a computer network traffic summarization format widely used by network engineers and security analysts. It summarizes communication between two hosts communicating over the Internet. A flow record is created from multiple, related packets grouped together under a common label. This record stores the source and destination IP address; source and destination port; the IP protocol; and associated derived metrics such as timing information and traffic volumes. No packet payload is stored in a flow record. Conceptually, a flow record is akin to a telephone call record: details such as the caller’s phone number and length of the call are stored, but the contents of the conversation are not.

Signatures
As noted in the Overview, EINSTEIN 2 also uses a signature-based detection method. A signature, as defined in NIST Special Publication 800-94, is a “pattern that corresponds to a known threat.” NIST Special Publication 800-94 provides that:

Signature-based detection is the process of comparing signatures against observed events to identify possible incidents. Examples of signatures are as follows:

- A telnet attempt with a username of “root”, which is a violation of an organization’s security policy
- An e-mail with a subject of “Free pictures!” and an attachment filename of “freepics.exe”, which are characteristics of a known form of malware
- An operating system log entry with a status code value of 645, which indicates that the host’s auditing has been disabled.

Signature-based detection is very effective at detecting known threats but largely ineffective at detecting previously unknown threats, threats disguised by the use of evasion techniques, and many variants of known threats. For example, if an attacker modified the malware in the previous example to use a filename of “freepics2.exe”, a signature looking for “freepics.exe” would not match it.

The US-CERT uses known patterns of malicious activities to create signatures for inclusion in EINSTEIN 2’s intrusion detection capabilities. The US-CERT will also implement a review process for all new signatures to ensure that the signatures are narrowly tailored to specific computer network activities. This process includes a specific review to ensure that the new signature actually identifies malicious activity and only a minimal amount of raw network traffic is captured to properly identify the computer network event.

Anomaly-based Detection
In addition, EINSTEIN 2 uses anomaly-based detection methods to identify harmful or malicious computer network incidents. Anomaly-based detection is defined in NIST Special Publication 800-94 as “the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.”

Anomaly detection can best be viewed as an alarm for strange system behavior.[5] It relies on an activity profile of normal usage over an interval of time. Anything that deviates from the baseline, or the norm, is logged as anomalous. Anomaly detection can be based upon statistical, characteristic, behavioral, protocol or traffic information. Again, the fundamental component of any anomaly detection technique is the baseline, or profile. It requires knowing what the normal characteristics of the system are. While an IDS uses a defined set of rules or filters that have been crafted to catch a specific, malicious event, the EINSTEIN 2 anomaly detection capability utilizes the network flow data and alerts to focus on the system’s baseline of normal activity. As described above, behavior that varies from this standard is noted. Intrusion detection systems look for a misuse signature and anomaly detection looks for a strange event.[6]

1.2 What are the sources of the information in the system?
As mentioned in Section 1.1, the source of the information collected is that of the network connections established under mechanisms such as the client-server method. The following is an example of a flow record:

Sample flow record:

127.0.0.1|192.168.0.20|52119|25|6|10|600|S|2008/04/28T00:02:47.958|44.985|2008/04/28T00:03:32.943|SENSOR1|out| S|
sIP|dIP|sPort|dPort|protocol|packets|bytes|flags|sTime|dur|eTime|sensor|type|initialFlags|

Explanation of sample flow record:
127.0.0.1 (sIP): IP address of the computer that is the source of the connection
192.168.0.20 (dIP): IP address of the computer that is the destination of the connection
52119 (sPort): Port the connection was initiated on by the source computer
25 (dPort): Port the connection was received on by the destination computer
6 (protocol): Protocol number, based on the protocol used to transport the data (6 = TCP, 1 = ICMP, 17 = UDP)
10 (packets): Count of the total number of packets seen in this single connection (calculated by the sensor)
600 (bytes): Count of the total number of bytes seen in this single connection (calculated by the sensor)
S (flags): Aggregation of all flags seen in this single connection; flags describe what happened in the connection
2008/04/28T00:02:47.958 (sTime): Start time of the connection, a universal timestamp added by the sensor to indicate when the connection was started
44.985 (dur): Duration of the connection; this field is calculated (dur = eTime - sTime)
2008/04/28T00:03:32.943 (eTime): End time of the connection, a universal timestamp added by the sensor to indicate when the connection was ended
SENSOR1 (sensor): Name of the sensor that collected the data; this field is added by the sensor
out (type): Direction of the traffic (types include “in, inweb, inicmp, out, outweb, outicmp, int2int, ext2ext”)
S (initialFlags): First flag seen in the connection; this is based only on the first packet of the connection

Flag markers and their meanings:
C = CWR - Congestion Window Reduced
E = ECE - Explicit Congestion Notification echo
U = URG - Urgent
A = ACK - Acknowledgement
P = PSH - Push
R = RST - Reset
S = SYN - Synchronize
F = FIN - Finished

[5] The concept stems from a paper fundamental to the field of security: An Intrusion Detection Model, by Dorothy Denning, http://www.cs.georgetown.edu/~denning/infosec/ids-model.rtf (last viewed May 7, 2008).

[6] See http://www.securityfocus.com/infocus/1600 (last visited May 7, 2008).
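As an added example (not part of the PIA or of the EINSTEIN program's own software), the following parser reads the pipe-delimited flow record format explained above, decodes the protocol number and flag letters using the tables the PIA gives, and checks the stated invariant dur = eTime - sTime. The sample record is a constructed copy of the PIA's own example; the field names, dataclass and function names are this example's assumptions.

```python
"""Parse the pipe-delimited flow records shown above and check their invariants."""
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Field order, taken from the header line printed under the sample record.
FIELD_NAMES = ["sIP", "dIP", "sPort", "dPort", "protocol", "packets", "bytes",
               "flags", "sTime", "dur", "eTime", "sensor", "type", "initialFlags"]

# IP protocol numbers, TCP flag letters and traffic types as listed in the PIA.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
FLAG_NAMES = {"C": "CWR", "E": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}
TRAFFIC_TYPES = {"in", "inweb", "inicmp", "out", "outweb", "outicmp", "int2int", "ext2ext"}
TIME_FORMAT = "%Y/%m/%dT%H:%M:%S.%f"

# Constructed copy of the PIA's sample record (loopback and private addresses only).
SAMPLE_RECORD = ("127.0.0.1|192.168.0.20|52119|25|6|10|600|S|"
                 "2008/04/28T00:02:47.958|44.985|2008/04/28T00:03:32.943|SENSOR1|out| S|")


@dataclass
class FlowRecord:
    sIP: str
    dIP: str
    sPort: int
    dPort: int
    protocol: int
    packets: int
    byte_count: int          # the "bytes" column; renamed to avoid shadowing the builtin
    flags: str
    sTime: datetime
    dur: float
    eTime: datetime
    sensor: str
    type: str
    initialFlags: str

    @property
    def protocol_name(self) -> str:
        return PROTOCOL_NAMES.get(self.protocol, f"proto-{self.protocol}")

    @property
    def flag_names(self) -> List[str]:
        return decode_flags(self.flags)


def decode_flags(markers: str) -> List[str]:
    """Expand a flag aggregation such as 'SA' into ['SYN', 'ACK']."""
    names = []
    for letter in markers:
        if letter not in FLAG_NAMES:
            raise ValueError(f"unknown flag marker {letter!r}")
        names.append(FLAG_NAMES[letter])
    return names


def parse_flow_record(line: str) -> FlowRecord:
    """Split one record on '|' and convert every field to its natural type."""
    # Records end with a trailing '|' and fields may carry stray spaces ('| S|').
    parts = [p.strip() for p in line.strip().rstrip("|").split("|")]
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(parts)}")
    raw = dict(zip(FIELD_NAMES, parts))
    if raw["type"] not in TRAFFIC_TYPES:
        raise ValueError(f"unknown traffic type {raw['type']!r}")
    return FlowRecord(
        sIP=raw["sIP"], dIP=raw["dIP"],
        sPort=int(raw["sPort"]), dPort=int(raw["dPort"]),
        protocol=int(raw["protocol"]), packets=int(raw["packets"]),
        byte_count=int(raw["bytes"]), flags=raw["flags"],
        sTime=datetime.strptime(raw["sTime"], TIME_FORMAT), dur=float(raw["dur"]),
        eTime=datetime.strptime(raw["eTime"], TIME_FORMAT),
        sensor=raw["sensor"], type=raw["type"], initialFlags=raw["initialFlags"],
    )


def duration_is_consistent(rec: FlowRecord, tolerance: float = 0.0015) -> bool:
    """Check the invariant the PIA states for dur: dur = eTime - sTime (ms precision)."""
    computed = (rec.eTime - rec.sTime).total_seconds()
    return abs(computed - rec.dur) <= tolerance


if __name__ == "__main__":
    rec = parse_flow_record(SAMPLE_RECORD)
    print(f"{rec.sIP}:{rec.sPort} -> {rec.dIP}:{rec.dPort} {rec.protocol_name} "
          f"flags={'+'.join(rec.flag_names)} dur_ok={duration_is_consistent(rec)}")
```

Because a flow record carries no payload, everything the parser exposes is the same non-content metadata the PIA describes; a record whose dur field disagrees with its timestamps is a sensor or transport problem worth flagging before the record is used for analysis.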

Additionally, intrusion detection information will be collected in response to alerts from developed signatures. For illustrative purposes only, the following is an example of a commercially available signature. (This is not a signature the US-CERT intends to use.)

alert tcp any any -> $HOME_NET 443 (msg:"DoS Attempt"; flow:to_server,established; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; reference:cve; classtype:attempted-dos; sid:2000016; rev:5;)

Explanation of signature:

alert: Type of IDS event
tcp: Protocol being examined
any: Any source IP
any: Any source port
->: Direction (points to $HOME_NET, which indicates inbound)
$HOME_NET: A variable which is defined by the IDS as the subnets that make up the internal network
443: Destination port the traffic is bound for
msg:"DoS Attempt": Name of the alert that is sent to the console (for humans reading the alert console)

The remaining fields of the rule tell the IDS what to look for, break down the matching commands, and instruct the IDS where in the packet to look for the text.

This signature example tells the IDS to alert on any external IP on any external port that sends traffic to the home network on port 443, with the text “|16 03 00|” and the text “|01|” within certain parameters and offsets. The alert name is defined as “DoS Attempt” and it references CVE, SID 2000016, revision 5.
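As an added example (not from the PIA and not a component of EINSTEIN), this parser breaks a Snort-style rule such as the one above into its header fields and its ordered option list, and decodes the |..| hex notation in content: values into the bytes the IDS would actually compare against traffic. The rule text is a constructed copy of the PIA's illustrative rule with straight quotes; the Rule dataclass and function names are this example's assumptions.

```python
"""Parse the Snort-style rule shown above into its header and option fields."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the PIA's illustrative rule, with straight quotes.
SAMPLE_RULE = (
    'alert tcp any any -> $HOME_NET 443 (msg:"DoS Attempt"; flow:to_server,established; '
    'content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; '
    'byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; reference:cve; '
    'classtype:attempted-dos; sid:2000016; rev:5;)'
)

# action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: List[Tuple[str, str]]   # ordered (keyword, value) pairs; value '' if none


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split 'k:v; k:v;' on semicolons that are outside double quotes."""
    items, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    pairs = []
    for item in items:
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def decode_content(value: str) -> bytes:
    """Turn a content value such as "|16 03 00|" or "GET|20|/" into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(value.strip('"').split("|")):
        # Even-indexed chunks are literal text, odd-indexed chunks are hex inside |...|.
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Split the rule header from its parenthesised options and parse both."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a recognisable rule header")
    action, proto, src_ip, src_port, direction, dst_ip, dst_port, body = m.groups()
    return Rule(action, proto, src_ip, src_port, direction, dst_ip, dst_port,
                split_options(body))


def option_value(rule: Rule, keyword: str) -> Optional[str]:
    """First value for a keyword, with surrounding quotes removed (None if absent)."""
    for key, value in rule.options:
        if key == keyword:
            return value.strip('"')
    return None


def content_patterns(rule: Rule) -> List[bytes]:
    """All content: patterns in order, decoded to the bytes the IDS will match."""
    return [decode_content(v) for k, v in rule.options if k == "content"]


if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    # The two patterns are an SSL/TLS record header (handshake, version 3.0) and a
    # handshake type of 1 (ClientHello), which is what the rule's offsets line up on.
    print(r.action, r.proto, r.dst_ip, r.dst_port, option_value(r, "msg"),
          option_value(r, "sid"), content_patterns(r))
```

Decoding content: values this way is what a signature review (of the kind the PIA says the US-CERT will perform) needs in order to see how much of each packet a rule actually inspects; here only the first three bytes and one byte two positions later are examined.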

1.3 Why is the information being collected, used, disseminated, or maintained?
The purpose of EINSTEIN 2 is to provide increased computer network security through detecting malicious activities occurring on federal executive agency computer networks. The US-CERT will use this information to fulfill its responsibilities to analyze and reduce computer network threats and vulnerabilities; disseminate computer network security threat warning information; and coordinate incident response activities.

1.4 How is the information collected?
The EINSTEIN 2 sensor consists of a computer configured with commercial off-the-shelf software, government-developed software, and commercial intrusion detection software. It will be deployed at participating federal executive agencies’ Internet Access Points. It is envisioned that these access points will be those being promoted under the OMB Trusted Internet Connection initiative.[7] At these access points the EINSTEIN 2 sensor obtains the network flow information as indicated above. Additionally, EINSTEIN 2 analyzes computer packets as they are being transmitted to and from the federal agency’s networks. If these packets match the patterns of the intrusion detection signatures, an alert is triggered in which those packets, and those packets that are reasonably related to the connection, are captured for analysis of the computer network incident.

1.5 How will the information be checked for accuracy?
The hardware and software of this system are not programmed to manipulate or modify any data. EINSTEIN 2 maintains exact copies of intrusion detection information transmitted to or from the federal network. For example, if a connection “spoofs” an IP address (manipulates the data packets it transmits to the federal network to appear as being sent from one source when they come from another source) the intrusion detection system will simply record those packets with the “spoofed” IP address.

[7] EINSTEIN 2 is associated with the Trusted Internet Connection initiative (see OMB M-08-05), but will not strictly be limited to use at Trusted Internet Connections. The US-CERT will seek to maximize the efficiency and benefit from EINSTEIN 2 by focusing on networks containing aggregated Internet traffic to and from participating federal agencies.

1.6 What specific legal authorities, arrangements, and/or agreements defined the collection of information?
EINSTEIN 2 furthers the Department’s network security and critical infrastructure protection responsibilities assigned in the Homeland Security Act, FISMA, and related authorities. See 6 U.S.C. §§ 101 et seq. and 44 U.S.C. §§ 3541 et seq. Moreover, all federal executive agencies, in accordance with the Office of Management and Budget (OMB) November 20, 2007, Memorandum M-08-05, Implementation of Trusted Internet Connection, will be required to use EINSTEIN 2. As such, the US-CERT will enter into a Memorandum of Understanding with each participating agency articulating the specific services the US-CERT will provide through EINSTEIN 2.

1.7 Privacy Impact Analysis: Given the amount and type of data collected, discuss the privacy risks identified and how they were mitigated.
EINSTEIN 1 collects flow record information, which is limited to a small subset of data fields focused on the technical details of network transactions between computers. Flow record data includes IP addresses but does not contain any additional information to identify the individuals communicating. The flow record data is stored in a government-operated, -owned, or -leased secured facility and is only reviewed by the US-CERT.

As the first government-wide intrusion detection system, EINSTEIN 2 will analyze and obtain more network traffic than the federal government has previously been able to rely on to assess threats to federal networks. In addition, the amount of network flow record data (information described above) being captured will increase as more federal agencies are monitored by EINSTEIN 2. Additionally, EINSTEIN 2, as an intrusion detection system, also observes and analyzes all network traffic that connects to a federal executive agency IT system. When malicious traffic triggers an alert, that data will be captured along with the data that is transmitted in proximity to that alert and related to that connection. When data is captured due to an alert being triggered, there is a slight risk that personal information may be transmitted along with a malicious activity. This risk is initially mitigated by establishing specific rule-based signatures developed to identify specific malicious activity. EINSTEIN 2 will use the minimal number of signatures necessary to effectively defend the federal executive agencies’ IT networks. Secondly, the privacy risk is mitigated by limiting how the intrusion detection information is viewed. Under EINSTEIN 2 the captured data is only accessed by the intrusion detection computer program. The only detailed computer network traffic data that analysts will see will be the limited portions of the traffic that are specifically tailored to support an alert of an instance of known malicious activity as defined by a signature, and in those limited situations, only trained US-CERT analysts will view the traffic data. If network traffic does not meet the specific criteria of a specific signature, that network traffic will not be viewed by the US-CERT.

Section 2.0 Uses of the Information
The following questions are intended to delineate clearly the use of information and the accuracy of the data being used.

2.1 Describe all the uses of information.
The flow records, signatures, alerts, and portions of network traffic containing identified malicious activity will be used by trained US-CERT analysts to identify and respond to computer network security incidents and anomalies, improve network security, generate reports for distribution to participating agencies and other partners, and increase the resiliency of critical, electronically delivered government services. Only information that is directly related to a security incident may be included in any of these products. The US-CERT is a computer network defense and security organization that is responsible for increasing the security of federal systems, not for investigating or obtaining attribution for a particular event. Computer network security is, however, accomplished using multiple disciplines to secure the federal network, and part of this support is provided by law enforcement, intelligence, and other agencies. These other agencies will be notified when a computer network event occurs that falls under their responsibility. The US-CERT will notify that entity only that the event has occurred and will provide them with contact information so they can coordinate directly with the affected participating federal agency.

2.2 What types of tools are used to analyze data and what type of data may be produced?
EINSTEIN 2 uses commercial and in-house network security tools to identify instances of known malicious activities that are observable at the intersection of the Internet and the computer networks of participating federal executive agencies. The US-CERT analysts will continue to use flow record analysis tools from commercial and government sources. Many of the tools to be used by EINSTEIN 2 will be the same tools that are currently used in consumer-level computer security software and those used by the individual participating federal executive agencies.

Participating federal executive agencies will receive the tools and training (including privacy training) to analyze only the flow record information collected through EINSTEIN 2. The alert information will be used by the US-CERT to support analysis efforts in identifying malicious code and signatures.
Privacy Impact Assessment
US-CERT, EINSTEIN 2
Page 12
2.3 If the system uses commercial or publicly available data please explain why and how it is used.
EINSTEIN 2 will not use commercial or publicly available data about individuals. EINSTEIN 2 will use signatures of known malicious activities. Signatures are derived from numerous sources such as: commercial or public computer security information; incidents reported to the US-CERT; information from federal partners; or independent in-depth analysis by the US-CERT. All signatures will be reviewed by the US-CERT in accordance with legal and privacy guidelines before being used. Analysts at the US-CERT may combine the EINSTEIN 2 data with other commercial or publicly available data, including information about Internet routes, bandwidth, and outages, to create better situational awareness. The US-CERT does not focus on the identities of specific individuals, and any data obtained from data providers will be limited to information relevant to the protection of computer networks. The US-CERT does not have an intelligence or law enforcement mission. It is a consumer of computer network security information and as such analyzes computer network security information that has been properly collected in accordance with applicable laws. The US-CERT fuses this information into computer network security products to provide a greater and much needed situational awareness.

2.4 Privacy Impact Analysis: Describe any types of controls that may be in place to ensure that information is handled in accordance with the above described uses.
EINSTEIN 2 acts like a commercially available intrusion detection system. As such, protection is inherently built into the system to minimize the amount of inadvertently acquired personal information. While the network data that traverses the connection to the federal network is copied and fed through EINSTEIN 2, as stated above, the network flow records are stripped down to minimal non-content information. Additionally, the data captured in response to an alert contains only that connection information relevant to the alert. EINSTEIN 2 does not use each and every signature available for monitoring a network system. It monitors for specific signatures related to those malicious activities targeting federal executive agencies' networks. Those signatures are based not on PII but on the malicious activities themselves.

This temporary copy of raw computer network traffic, used only to identify known malicious activities based on signatures, is never viewed by any DHS personnel unless the traffic contains previously defined malicious activity. The raw computer network traffic not containing a malicious activity (i.e., "clean" traffic) is promptly deleted from the system once the analysis of the malicious activity concludes. No computer network traffic will be disrupted. The only information produced by EINSTEIN 2 consists of high-level records of computer network traffic (flow records); alerts that announce that a particular malicious activity occurred for a particular participating federal executive agency; and, only in those cases, selected portions of the network traffic as defined by the particular signature. This reported information will only be handled by trained and experienced computer network security professionals subject to oversight and audits. The intrusion detection system, as programmed, includes detailed log records which make a record of each command run on the system. This is one of the key control features of this system, ensuring that any unauthorized access to the EINSTEIN 2 data, although unlikely, will be monitored.

The situational awareness information the US-CERT communicates to other agencies and to DHS through summary reports is stripped of any information, such as personally identifiable information, that is not directly related or relevant to the security incident.

Finally, all US-CERT analysts who access data flow records, alerts, and raw computer network traffic will be subject to oversight and will receive annual training from the DHS Privacy Office regarding privacy in general and specific privacy issues related to the US-CERT's computer network defense responsibilities.

Section 3.0 Retention
The following questions are intended to outline how long information will be retained after the initial collection.

3.1 How long is information retained?
Flow records, alerts, and specific network traffic related to an alert will be maintained for up to three years, although limitations on available storage may limit the volume, and therefore time period covered. If at any point in the analysis, the specific network traffic or alert is deemed unrelated or potentially collected in error, it will be deleted.

In all cases of false alerts (an alert generated by non-malicious network traffic), that information will be immediately deleted from the EINSTEIN 2 system. Furthermore, a record will be kept of the deletion and the related signature will be re-evaluated. After re-evaluation, the signature will either be corrected or removed from the system.

3.2 Has the retention schedule been approved by the component records officer and the National Archives and Records Administration (NARA)?
An approval request is in process. The Department of Homeland Security is currently working with the DHS Senior Records Officer to develop a disposition schedule, which will be sent to NARA for approval.

3.3 Privacy Impact Analysis: Please discuss the risks associated with the length of time data is retained and how those risks are mitigated.
The risk associated with the use of this computer network security intrusion detection system is actually lower than the risk generated by using a commercially available intrusion detection system. EINSTEIN 2 does not use each and every signature available for monitoring a network system. It monitors only for those specific signatures related to malicious activities targeting federal executive agencies' networks.

There is a nominal risk during the time an intrusion detection system makes a copy of network traffic data in order to monitor the transmission. The length of time that this raw network traffic is retained and analyzed is minimal. The information generated from flow records does not contain personal information. The information generated from an alert is analyzed and any personal information is minimized promptly. All captured information resides upon a secured system with complete record logging to ensure an audit trail is created. This use of minimization, a secured system, and auditing mitigates the risks associated with this intrusion detection system.
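The data-handling controls described in Section 2.4 and Section 3.1 (flow records that carry no content, capture limited to the connection that matched a signature, clean traffic not retained, a false alert deleted with a deletion record and its signature queued for re-evaluation, every action written to an audit log, and PII minimized from the products that are shared) can be modelled end to end. The following Python is an added illustration written for this page, not DHS or US-CERT code; the packets, signature identifiers, regular expressions and the `Einstein2Store` class are all constructed for the example.

```python
import re
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport payload")

# Constructed sample traffic (not real captures): a clean web request, a
# request carrying a command-injection attempt, an SMTP session whose
# headers include an email address (incidental PII), and a clean request
# from a scripted client.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 51000, "192.0.2.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: agency.example\r\n\r\n"),
    Packet("tcp", "203.0.113.7", 51001, "192.0.2.10", 80,
           b"GET /cgi-bin/run?x=cmd.exe%20/c%20whoami HTTP/1.1\r\n\r\n"),
    Packet("tcp", "198.51.100.9", 40001, "192.0.2.25", 25,
           b"From: alice@example.org\r\nX-Mailer: EvilBot/1.0\r\n"),
    Packet("tcp", "198.51.100.9", 40001, "192.0.2.25", 25,
           b"Subject: status\r\n\r\nbody text\r\n.\r\n"),
    Packet("tcp", "203.0.113.9", 51002, "192.0.2.10", 80,
           b"GET /robots.txt HTTP/1.1\r\nUser-Agent: curl/7.0\r\n\r\n"),
]

# Hypothetical signatures. SIG-003 is deliberately too broad so that the
# false-alert handling below has something to act on.
SIGNATURES = {
    "SIG-001": re.compile(rb"cmd\.exe(%20|\s)+/c"),
    "SIG-002": re.compile(rb"X-Mailer: EvilBot"),
    "SIG-003": re.compile(rb"User-Agent: curl"),
}
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def build_flows(packets):
    """Flow records: 5-tuple plus counters, no payload (Section 2.4)."""
    flows = {}
    for p in packets:
        rec = flows.setdefault(flow_key(p), {"packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += len(p.payload)
    return flows


def match_signatures(packets, signatures):
    """One alert per (flow, signature) hit; the capture holds only the
    matching connection's traffic, so other flows are never copied out."""
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[flow_key(p)].append(p)
    alerts = []
    for key, pkts in by_flow.items():
        for sig_id, pattern in signatures.items():
            if any(pattern.search(p.payload) for p in pkts):
                alerts.append({"sig": sig_id, "flow": key,
                               "capture": b"".join(p.payload for p in pkts)})
    return alerts


class Einstein2Store:
    """Keeps only what Section 2.4 says is produced (flow records, alerts,
    the matched connection's traffic); raw packets are not retained and
    every action goes to an audit log."""

    def __init__(self):
        self.flows, self.alerts, self.audit_log = {}, {}, []
        self.deletions, self.signatures_to_review = [], set()
        self._next_id = 1

    def _log(self, actor, action):
        self.audit_log.append((actor, action))

    def ingest(self, packets, signatures, sensor="sensor-1"):
        self.flows.update(build_flows(packets))
        for alert in match_signatures(packets, signatures):
            alert_id = f"ALERT-{self._next_id}"
            self._next_id += 1
            self.alerts[alert_id] = alert
            self._log(sensor, f"alert {alert_id} sig={alert['sig']}")
        return list(self.alerts)  # `packets` is dropped on return

    def mark_false_alert(self, alert_id, analyst):
        """Section 3.1: delete, record the deletion, queue the signature."""
        alert = self.alerts.pop(alert_id)
        self.deletions.append((alert_id, alert["sig"]))
        self.signatures_to_review.add(alert["sig"])
        self._log(analyst, f"deleted false alert {alert_id}")

    def report(self, alert_id, analyst):
        """Shareable product: affected host, signature and an excerpt with
        email addresses redacted; no source fields, so no attribution."""
        alert = self.alerts[alert_id]
        excerpt = EMAIL_RE.sub(b"[redacted]", alert["capture"])
        self._log(analyst, f"report {alert_id}")
        return {"signature": alert["sig"], "dst": alert["flow"][3],
                "dport": alert["flow"][4],
                "excerpt": excerpt.decode("ascii", "replace")}


def run_example():
    store = Einstein2Store()
    store.ingest(SAMPLE_PACKETS, SIGNATURES)
    store.mark_false_alert("ALERT-3", "analyst-a")  # curl alone is not malicious
    return store
```

Running `run_example()` leaves four flow records with counters only, two live alerts (the command-injection request and the SMTP session), one deletion record for the over-broad SIG-003 with that signature queued for review, and a report on the SMTP alert in which the email address has been replaced by `[redacted]` while the matched header survives. The point a practitioner should take from it is structural: the only place payload bytes live is inside an alert tied to a signature, so the minimization and deletion rules in the PIA have exactly one object to act on.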

Section 4.0 Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Homeland Security.

4.1 With which internal organization(s) is the information shared, what information is shared and for what purpose?
As part of its computer network security responsibilities, the US-CERT generates reports on topics including general computer network security trends; specific incidents after minimizing PII; and anomalous or suspicious activity observed on federal networks. Attribution (actually identifying the specific individual or entity that established the network connection that triggered an alert) is not included in the reports. These reports are made available to DHS organizations, including the National Cyber Security Center, and other federal executive agencies through systems such as the US-CERT Secure Portal for their use in infrastructure protection and other computer network security related responsibilities. Computer network security is, however, accomplished using multiple disciplines to secure the federal network, and part of this support is provided by law enforcement, intelligence, and other agencies. These other agencies will be notified when a computer network event occurs that falls under their responsibility. The US-CERT will notify that law enforcement or intelligence entity of the event and provide them with contact information so they can coordinate directly with the affected participating federal agency.

The overarching purpose of the EINSTEIN system and the sharing of information is to increase shared situational awareness and ensure that important cyber security information is shared in a timely and efficient manner.

4.2 How is the information transmitted or disclosed?
As stated above, the information is shared in the form of reports that minimize any PII. This information is transmitted to other federal executive agencies in the form of electronic message alerts; written reports; and posts to the US-CERT Secure Portal.
4.3 Privacy Impact Analysis: Considering the extent of internal information sharing, discuss the privacy risks associated with the sharing and how they were mitigated.
Only PII that is directly related to a security incident is collected in EINSTEIN 2. As mentioned above, when an alert is triggered based upon a signature, the connection event (communication between two computers) is captured. For example, if the alert is triggered by malicious code contained in an attachment to an email, that email will be captured. Many times the analysis of this event will only require looking at the attachment and not even reviewing the contents of the mail. However, sometimes the malicious payload is hidden and delivered via the content (or body) of the email. In those circumstances, the analyst focuses on analyzing the event for the malicious payload, not on any other content or PII contained in the event. Only the US-CERT can see the full details of any PII in the flow records, alerts, and related network traffic. All sharing within DHS is in the form of reports that are designed to minimize the PII contained in the EINSTEIN 2 system.

Section 5.0 External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DHS which includes Federal, state and local government, and the private sector.

5.1 With which external organization(s) is the information shared, what information is shared, and for what purpose?
There are two classes of external organizations that receive information derived from the US-CERT's EINSTEIN 2 system.

1. The US-CERT provides a service that allows each participating department to access its own specific EINSTEIN 2 flow records, but not the flow records of other participating departments. In addition, the US-CERT may share the raw computer network information collected through EINSTEIN 2, pursuant to individual signatures, with the specific agency on whose network the malicious activity was discovered. The purpose for sharing this raw information will be limited to furthering the analysis of the specific identified malicious activity.

2. Federal agencies (including participating agencies) are able to obtain access to systems such as a secured US-CERT website that contains trend and summary information on computer network security. This trend and summary information is based in part on EINSTEIN 2 information but does not contain any PII obtained through EINSTEIN 2 that is not directly related to a security incident.

In all cases, the US-CERT will share information with participating agencies for one purpose: to improve computer network security and protection. This includes sharing with other agencies having computer security responsibilities. Computer network security is accomplished using multiple disciplines to secure the federal network, and part of this support is provided by law enforcement, intelligence, and other agencies. These other agencies will be notified when a computer network event occurs that falls under their responsibility. The US-CERT will notify that entity of the event and provide them with contact information so they can coordinate directly with the affected participating federal agency.

Again, the overarching purpose of the EINSTEIN system and the sharing of information is to increase shared situational awareness and ensure that important cyber security information is shared in a timely and efficient manner.

5.2 Is the sharing of personally identifiable information outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the personally identifiable information outside of DHS.
As noted above, the US-CERT will execute a Memorandum of Understanding with each agency that seeks to deploy EINSTEIN 2. Pursuant to the Memorandum of Understanding, the US-CERT will only share raw computer network information containing PII with the related participating agency for purposes of further analyzing specifically identified malicious activity observed on that agency's computer network.

5.3 How is the information shared outside the Department and what security measures safeguard its transmission?
See Section 5.1, above. Two-factor authentication (e.g., a password and a physical token) is required for access to the EINSTEIN 2 flow records by participating agencies and for access to portals and other systems that contain more detailed trend and computer network security information. EINSTEIN 2 information itself is not shared outside the Department, except in the form of reports on topics including general computer network security trends, specific incidents after minimizing PII, and anomalous or suspicious activity observed on federal networks.

5.4 Privacy Impact Analysis: Given the external sharing, explain the privacy risks identified and describe how they were mitigated.
The US-CERT alone has full access to the collective EINSTEIN 2 data from participating agencies. Organizations other than the US-CERT receive general reports as described previously. The US-CERT does not release any reports containing PII generated from data obtained under the EINSTEIN 2 system unless it is directly related to a security incident.
Section 6.0 Notice
The following questions are directed at notice to the individual of the scope of information collected, the right to consent to uses of said information, and the right to decline to provide information.

6.1 Was notice provided to the individual prior to collection of information?
Yes. Federal agencies are required to post notices on their websites, as well as at other major points of entry, that computer security information is being collected and their systems monitored. Such notices cover intrusion detection systems like EINSTEIN 2. Furthermore, users of federal computer systems are provided with logon banners and sign user agreements that specifically notify them of the computer network monitoring. This Privacy Impact Assessment also serves as a general notice to individuals that network traffic flowing to or from participating federal executive agencies may be collected for computer security purposes.

Participating agencies using EINSTEIN 2 are required to certify to the US-CERT that they have appropriate notices/banners/measures in place to provide individuals with notice that their interaction with federal networks is subject to monitoring for computer network security purposes.

While notice on the web site is provided, the specific requirements of the Privacy Act of 1974 (5 U.S.C. § 552a) do not apply to EINSTEIN 2. The Privacy Act requires any agency that maintains a "system of records" to publish in the Federal Register a notice of the existence and character of the system (SORN). § 552a(e)(4). In order to qualify as a record under the Privacy Act, an item must contain information that actually describes the individual in some way.8
The Act defines a "system of records" as a group of any records under the control of any agency from which information is maintained and retrieved by PII. § 552a(a)(5). EINSTEIN 2 primarily collects and maintains information based upon signatures generated from computer security events and alerts, as opposed to information that identifies an individual. As described above, in rare cases EINSTEIN 2 will collect information which could identify a person (e.g., an unspoofed email address within header information or other PII within records incidentally collected as part of a security incident), but this latter information will be maintained (indexed) by the security incident, not by the PII. Moreover, EINSTEIN 2 retrieves information (via signatures, analyses and reports) not by PII but by the security event which triggered the alert. It is not sufficient for purposes of the Privacy Act that an agency has the mere capability to retrieve information indexed under a person's name; the agency must in fact retrieve records in this way in order for a system of records to exist. Only when there is actual retrieval of records keyed to individuals does the Privacy Act require a SORN.9 The EINSTEIN 2 system does not maintain or query its data using incidentally collected PII. A SORN is therefore not required.

8 Tobey v. NLRB, 40 F.3d 469, 471-73 (D.C. Cir. 1994).

6.2 Do individuals have the opportunity and/or right to decline to provide information?
Personally identifiable information may be required to process or respond to queries made by individuals to the federal government, but it is not mandatory that an individual produce this information. In this day and age it is assumed that computer users are aware that they are voluntarily providing some information to the government when they communicate with it via the Internet. Electronic mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that this information is provided to and used by service providers for the specific purpose of directing the routing of information. Like telephone numbers, which provide instructions to the switching equipment that processes those numbers, electronic mail to/from addresses and IP addresses are not merely passively conveyed through third-party equipment, but rather are voluntarily turned over in order to direct the third party's servers.10 EINSTEIN 2 does not solicit or seek PII from individuals; rather, EINSTEIN 2 monitors the voluntarily initiated connections made to the federal network. Individuals, understanding the nature of how the Internet works, may then decide if they want to transmit information to or from the federal IT network.

In addition, all individuals (employees and contractors) logging into their participating agency's IT systems will be presented with an electronic notice (banner) that notifies them that government computer systems are monitored. These users can then decide whether they wish to use the system, and what information they want to transmit over the government system.

6.3 Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
Yes, to the extent that an individual can decide whether or not to connect to the federal network. Once users decide to interact with a federal executive agency IT system, they are subject to the computer security efforts of the US-CERT and the EINSTEIN 2 system, in addition to any individual computer security programs the participating agencies might have in place.

9 Henke v. United States Department of Commerce, 83 F.3d 1453 (D.C. Cir. 1996); and see Office of Management and Budget, Privacy Act Implementation: Guidelines and Responsibilities, 40 Fed. Reg. 28948, 28952 (Jul. 9, 1975).

10 See United States v. Forrester, 512 F.3d 500 (9th Cir. Jan. 7, 2008).
6.4 Privacy Impact Analysis: Describe how notice is provided to individuals, and how the risks associated with individuals being unaware of the collection are mitigated.
Participating agencies using EINSTEIN 2 are required to certify to the US-CERT that they have appropriate notices/banners/measures in place to provide individuals with notice that their connection to a federal network is subject to monitoring for computer network security purposes. In addition, this PIA explains the details of EINSTEIN 2 and the standards that the US-CERT will use to detect malicious activity on the computer networks of participating agencies. As mentioned above, users are expected to possess a rudimentary understanding of how computers communicate and therefore understand the limits of their privacy rights when they voluntarily choose to transmit those communications. Given this understanding, the EINSTEIN 2 process still mitigates any possible risks by: capturing network flow records in which individuals do not have an expectation of privacy, since no PII is in the information; and minimizing the amount of network traffic it captures in response to an alert. Analysts then minimize the PII from the alert information and do not disseminate any products containing EINSTEIN 2-generated PII that is not directly related to a security incident.

Section 7.0 Access, Redress and Correction
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

7.1 What are the procedures that allow individuals to gain access to their information?
As discussed in Section 6.1, EINSTEIN 2 information is not based on information that identifies an individual, and in the rare cases where EINSTEIN 2 collects information that could identify a person (e.g., an unspoofed email address within header information or other PII within records incidentally collected as part of a security incident), this information will be maintained and indexed by the security incident, not by the PII. Moreover, EINSTEIN 2 retrieves information via signatures, analyses and reports, not by PII but by the security event which triggered the alert. As such, there is no information about an individual that can be accessed.
Individuals may request other information about EINSTEIN 2 under the Freedom of Information Act (5 U.S.C. § 552) and may do so by contacting the DHS FOIA office directly:

FOIA
The Privacy Office
U.S. Department of Homeland Security
245 Murray Drive SW, STOP-0550
Washington, DC 20528-0550
Toll-free: 866-431-0486
Telephone: 703-235-0790
Facsimile: 703-235-0443
Email: foia@dhs.gov

7.2 What are the procedures for correcting inaccurate or erroneous information?
There are no separate procedures for individual correction of information in EINSTEIN 2 since flow records and alerts are generated from exact copies of computer network traffic. The US-CERT analysts are specifically trained, and analysts' use of the system is recorded, to ensure that use of EINSTEIN 2 is focused solely on the malicious activity data and not on the personal content of the communications, or on obtaining the personal attribution of the source of the malicious activity.

7.3 How are individuals notified of the procedures for correcting their information?
This PIA serves as notice of the EINSTEIN 2 system and associated processes. The EINSTEIN 2 system does not collect information specifically about individuals, only malicious activity occurring on computer networks, and as such there are no procedures for correcting information as it exists in EINSTEIN 2.

7.4 If no formal redress is provided, what alternatives are available to the individual?
The US-CERT refers individuals to the FOIA process, as described in Section 7.1.

7.5 Privacy Impact Analysis: Discuss the privacy risks associated with the redress available to individuals and how those risks are mitigated.
The redress procedures fall under the FOIA process. The risks associated with those are the same as for all other FOIA inquiries.
Section 8.0 Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.

8.1 What procedures are in place to determine which users may access the system and are they documented?
Access to EINSTEIN 2 is strictly limited to trained US-CERT personnel who are governed by the US-CERT standard operating procedures.

8.2 Will Department contractors have access to the system?
Yes, US-CERT contractors will have access to the system and are subject to the same training, auditing, and oversight that governs the federal employees assigned to the US-CERT.

8.3 Describe what privacy training is provided to users either generally or specifically relevant to the program or system?
All DHS employees are required to have general privacy training. In addition, US-CERT analysts and other persons who might come into contact with EINSTEIN 2 information will receive annual training on privacy, legal, and policy issues specifically related to EINSTEIN 2. This training will include how to address privacy during the development of new signatures, how to generate a report that minimizes the privacy impact, and how to report when a signature seems to be collecting more network traffic than is directly required to analyze the malicious activity.

8.4 Has Certification & Accreditation been completed for the system or systems supporting the program?
Yes. All new components added to EINSTEIN 2 will be subject to further certification and accreditation.

8.5 What auditing measures and technical safeguards are in place to prevent misuse of data?
The EINSTEIN 2 system is located on a separate firewalled network used only by trained US-CERT personnel for the purposes of detecting malicious computer network activity. All users of EINSTEIN 2 are subject to oversight and must use two-factor authentication to access EINSTEIN 2 data. All external reports are reviewed for appropriate minimization of personally identifiable data.

The EINSTEIN 2 system is designed to use an automated method to apply signatures to the network traffic of participating agencies. If network traffic does not match a signature, it will not be available to a US-CERT analyst, thus significantly minimizing the ability of the US-CERT to misuse access to the full network traffic of participating federal agencies.
8.6 Privacy Impact Analysis: Given the sensitivity and scope of the information collected, as well as any information sharing conducted on the system, what privacy risks were identified and how do the security controls mitigate them?
The EINSTEIN 2 system will be used solely by trained US-CERT personnel and will be located on a secured computer network, operated within secured physical locations. The use of known signatures of known malicious activity will minimize the raw computer network data available to US-CERT analysts. Finally, an ongoing assessment process will be implemented that will constantly review the signatures and related computer network traffic in order to continually refine (and limit) the amount of data used by EINSTEIN 2 and enhance the precision of the US-CERT's detection of malicious computer network activity.

Section 9.0 Technology
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics and other technology.

9.1 What structured development process was used to develop the system?
The EINSTEIN 2 system is based on the infrastructure, systems, and lessons learned from EINSTEIN 1. EINSTEIN 2 is subject to the same development process used in EINSTEIN 1.

9.2 How was data integrity and security analyzed as part of the design of the system?
Data integrity and security have been built into the EINSTEIN program from the very beginning. The US-CERT analysts are required to undergo extensive training and background checks to ensure that they conform to the established policies, procedures, and processes required by the US-CERT. Furthermore, the systems that collect the information in EINSTEIN 2 have undergone certification & accreditation and are monitored around the clock for integrity and security. The US-CERT uses two-factor authentication and robust information security practices to maintain the integrity, confidentiality, and availability of the EINSTEIN 2 system.

9.3 What design choices were made to enhance privacy?
The EINSTEIN 2 system was designed to focus strictly on detecting malicious computer network activity in an effort to enhance the integrity, confidentiality, or availability of federal agency information systems. Through the use of approved signatures, EINSTEIN 2 only collects network traffic (which may incidentally contain PII) if it is closely related to malicious computer network activity. There is no opportunity for US-CERT analysts to scan all network traffic, and any new signatures must be reviewed for appropriateness before being placed into the EINSTEIN 2 system.
The US-CERT analysts use tools designed to focus their attention on the portions of network traffic related to computer network security, not the substance or meaning of a personal electronic communication. Finally, only trained US-CERT analysts have full access to the EINSTEIN 2 system, and any information that is disseminated is done so in a summary form designed to minimize the impact on privacy.

Contact Point
Randal Vickers
Deputy Director, US-CERT
(888) 282-0870
Approval Signature

Original signed and on file with the DHS Privacy Office.

Hugo Teufel III
Chief Privacy Officer
Department of Homeland Security

June 26, 2009

Job Search Email Scams

Filed under: Uncategorized — Tags: , , , — @ 1:53 pm

PA Attorney General Corbett cautions consumers about job-search emails requesting credit report information

HARRISBURG - Attorney General Tom Corbett today cautioned Pennsylvania job-seekers to be extremely cautious about Internet employment offers that ask applicants to email copies of their personal credit reports.

“Credit reports contain a wealth of background information about consumers, including social security numbers, summaries of bank and credit card accounts, employment history, current and previous addresses and other details that are extremely valuable to con artists,” Corbett said. “Falling for Internet job schemes can be a double threat - leaving victims unemployed and struggling to untangle a web of financial problems caused by identity theft.”

Corbett noted that con artists are using Internet postings and email messages to circulate ads for high-paying part-time work as personal assistants, check processors and a variety of other work-at-home positions. The exact wording of these scams varies greatly, but all of them have common features:
- They offer “easy money” for little work.
- Consumers work from home, rather than an office.
- It is difficult to meet your “employer” in-person, often because they travel frequently or are based overseas.
- Consumers need to respond quickly.

“It is important for all Pennsylvania residents to be watchful for online job scams, especially students looking for summer work, graduates hoping for their first job or older residents searching for part-time work or new careers,” Corbett said. “Consumers should always be wary of offers that seem ‘too good to be true,’ especially in situations where you are being asked to provide detailed personal information to people you do not know.”

Corbett said that in addition to asking consumers to email copies of their credit report - a practice which leaves that personal information vulnerable to interception or theft - some con artists are including bogus website links in their email messages, directing victims to look-alike websites that can be used to electronically steal a consumer’s personal information.

“Legitimate businesses that require credit reports as part of an employee screening process can obtain that information directly from the major credit bureaus,” Corbett said. “There is no need for a business to ask consumers to obtain their own credit report and then forward that information by email.”

Additionally, Corbett said that consumers should avoid any type of online offer that involves a request to wire-transfer money to someone you do not know.

“An important element in many job-related scams is that consumers are given checks and are asked to wire-transfer money to other people, believing that they are paying bills for the ‘employers’, processing checks, handling payments for an overseas business or dealing with other financial matters,” Corbett said. “In reality, victims are depositing counterfeit checks or money orders into their bank accounts and then wire-transferring that money to scam artists overseas.”

In all of these cases, Corbett said the bogus checks will eventually be returned and banks will require consumers to repay any funds they withdrew.

Suspected scams can be reported to the national Internet Crime Complaint Center, at www.ic3.gov.

June 25, 2009

Green Dam Youth Escort

Filed under: Uncategorized — Tags: , , , , , — @ 9:13 pm

Beijing, China — The Chinese government has ordered PC (personal computers and laptops) makers to install Green Dam Youth Escort filtering software as of July 1. Representatives claim it is to prevent youth from viewing pornography on the Internet; however, independent analysis of the software revealed it blocked political content the government deemed unacceptable.

In a separate move, it appears China has also started blocking Google. A foreign ministry spokesman accused Google of spreading pornography, and Chinese users were unable to connect to Google or Google.cn.

June 23, 2009

Update for Microsoft Outlook Phishing Scams

Filed under: Uncategorized — Tags: , , , , , — @ 1:15 pm

A massive phishing scam similar to the recent bank fraud scams is being sent in emails that look like the following:

From: “Microsoft Customer Support”
Subject: Update for Microsoft Outlook

Critical Update

Update for Microsoft Outlook / Outlook Express (KB910721)

Brief Description

Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions

* To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=860973044736591820463007000000

Quick Details

* File Name: officexp-KB910721-FullFile-ENU.exe
* Version: 1.4
* Date Published: Tue, 23 Jun 2009 07:21:24 -0400
* Language: English
* File Size: 81 KB

System Requirements

* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
* This update applies to the following product: Microsoft Outlook / Outlook Express
Contact Us
© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement


The above URL is not the actual link. Hidden in the HTML code is the domain name that the link really takes you to. The visible link text reads:
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=86097304473659182046300700340000
but the href behind it points to:
http://update.microsoft.com.ilfl1i1.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=860973044736591820463007003404087

If you get one of these emails, you should safely clear it from your computer and under no circumstance visit the website. In fact, if you are using a Microsoft based computer and / or email program, you should not open the email.

June 19, 2009

Phishing Scams: Chase, Bank of America, Sun Trust

Alert — There is a massive new bank fraud phishing scam being conducted via email. The website address that appears in the body of the email looks valid; however, if you view the source, you will see a bogus domain name. Clicking on the link will take you to an unauthorized website. Should you receive one of these emails, DO NOT reveal your private information.

Examples:

Subject: SunTrust Bank reminder: notification Tue, 16 Jun 2009 10:06:37 -0300

Reference Number: 20091919664020

Online Treasury Manager Confirmation Form.

Dear Customer,

As part of the new security measures, all SunTrust Online Treasury Manager users are required to complete Online Treasury Manager Confirmation Form. Please complete the form as soon as possible.
* To access the form please click on the following link:

http://onlinetreasurymanager.suntrust.com/ibswebsuntrust/cmserver/ccare/default/cform.cfm?id=3081079390068176417033060820680455426793542263056&email=my@emailaddress.com.

SunTrust Bank, Member FDIC. © 2009 SunTrust Banks, Inc. SunTrust is a federally registered service mark of SunTrust Banks, Inc.
Live Solid. Bank Solid. is a service mark of SunTrust Banks, Inc.

This email was sent on behalf of SunTrust Customer Care, 1575 Lemon Farris Road, Cookeville, TN 38506.


The above is a criminal attempt at bank fraud. The hidden URL actually takes you to onlinetreasurymanager.suntrust.com.hiilff.net


Subject: Chase Bank: alert - online client form released.

Note: This is a service message regarding the Chase Customer Form.

Dear customer:

As part of the new security measures, all Chase bank customers are required to complete Chase Customer Form. Please complete the form as soon as possible.

To access the form please click on the following link:

http://chaseonline.chase.com/Secure/webform/OSL.aspx?LOB=84064245071871982084785953907115353560172752347916009775207850

Thank you for being a valued customer.

Sincerely,

Chase Customer Service

Please don’t reply to this Alert.


The above is a criminal attempt at bank fraud. The hidden URL actually takes you to http://chaseonline.chase.com.il1ifi.com.mx


Subject: Bank of America customer service: important message [message ref:

Message from Customer Service

We would like to inform you that we have released a new version of Bank of America Customer Form. This form is required to be completed by all Bank of America customers.

Please follow these steps:

1. Open the form at http://www.bankofamerica.com/srv_37447993/customerservice/securedirectory/cform.do/cform.php?id=438646285236118062405358479406787325837698602578055323.
2. Follow given instructions.

Because email is not a secure form of communication, please do not reply to this email.
If you have any questions about your account or need assistance, please call the phone number on your statement or go to Contact Us at www.bankofamerica.com.

Bank of America, Member FDIC.
© 2009 Bank of America Corporation. All Rights Reserved.


The above is a criminal attempt at bank fraud. The hidden URL actually takes you to http://www.bankofamerica.com.srv_37447993.hflij1.net


WARNING: Do not visit the above sites! If you receive an email like these, report it to the bank’s fraud division.
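Both the Outlook update post above and these bank emails rely on the same trick: the visible link text shows a real-looking address while the href points at a host such as update.microsoft.com.ilfl1i1.net, whose registrable domain is ilfl1i1.net, not microsoft.com. The following is an added example (not code from this site) that pulls the anchors out of an email body and flags any link whose text and href disagree, or whose host buries a brand domain in front of an unrelated one; the sample HTML is constructed from the emails quoted here, and the small suffix table stands in for the Public Suffix List a real tool would load.

```python
"""Spot phishing links whose visible text disagrees with their href.

Added example, not code from this site. SAMPLE_HTML is constructed from
the anchors quoted in the posts; MULTI_LABEL_SUFFIXES is a tiny stand-in
for the Public Suffix List (publicsuffix.org) that a real tool should load.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """
<p>To install the update please visit Microsoft Update Center:
<a href="http://update.microsoft.com.ilfl1i1.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us">http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us</a></p>
<p><a href="http://chaseonline.chase.com.il1ifi.com.mx/Secure/webform/OSL.aspx">http://chaseonline.chase.com/Secure/webform/OSL.aspx</a></p>
<p>Go to <a href="https://www.bankofamerica.com/">Contact Us</a> at www.bankofamerica.com.</p>
"""

MULTI_LABEL_SUFFIXES = {"com.mx", "co.uk", "com.br"}   # simplification of the PSL
GENERIC_TLDS = {"com", "net", "org", "gov", "edu"}
URL_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#:]|$)", re.I)


def registrable_domain(host: str) -> str:
    """'update.microsoft.com.ilfl1i1.net' -> 'ilfl1i1.net';
    'chaseonline.chase.com.il1ifi.com.mx' -> 'il1ifi.com.mx'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def embedded_domain(host: str) -> str:
    """Return a brand-looking domain buried inside the host name, e.g.
    'microsoft.com' in 'update.microsoft.com.ilfl1i1.net'; '' if none."""
    labels = host.lower().split(".")
    for i in range(1, len(labels) - 1):            # never the final label
        if labels[i] in GENERIC_TLDS:
            if ".".join(labels[i:]) in MULTI_LABEL_SUFFIXES:
                return ""                          # legitimate 'foo.com.mx'
            return labels[i - 1] + "." + labels[i]
    return ""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def classify_link(href: str, text: str) -> dict:
    """Flag a link when its URL-looking text names a different registrable
    domain than the href, or when the href host embeds a brand domain."""
    href_host = (urlparse(href).hostname or "").lower()
    href_domain = registrable_domain(href_host)
    text_domain = ""
    if URL_TEXT.match(text):
        shown = text if "://" in text else "http://" + text
        text_domain = registrable_domain((urlparse(shown).hostname or "").lower())
    mismatch = bool(text_domain) and text_domain != href_domain
    embedded = embedded_domain(href_host)
    return {"href_domain": href_domain, "text_domain": text_domain,
            "mismatch": mismatch, "embedded_brand": embedded,
            "suspicious": mismatch or bool(embedded)}


def scan_email(html: str):
    """One verdict per link; the first two sample links come back flagged."""
    return [dict(href=h, text=t, **classify_link(h, t)) for h, t in extract_links(html)]


if __name__ == "__main__":
    for v in scan_email(SAMPLE_HTML):
        print("SUSPICIOUS" if v["suspicious"] else "ok", v["href"], v)
```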

June 14, 2009

Microsoft Security Bulletin

Filed under: Uncategorized — Tags: , , , , — @ 1:14 pm

Microsoft has released an update to address vulnerabilities in Microsoft Windows, Office, and Internet Explorer as part of the Microsoft Security Bulletin Summary for June 2009. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, or obtain sensitive information.

Apple Safari Vulnerabilities

Filed under: Uncategorized — Tags: , , , — @ 1:10 pm

Apple has released Safari 4.0 for Windows and Mac OS X to address multiple vulnerabilities in CFNetwork, CoreGraphics, ImageIO, International Components for Unicode, libxml, Safari, Safari Windows Installer, and WebKit. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, bypass security restrictions, or conduct cross-site scripting attacks.

June 4, 2009

7 Practices for Computer Security

Filed under: Uncategorized — Tags: , , , — @ 12:58 pm

1. Protect your personal information. It’s valuable.
2. Know who you’re dealing with.
3. Use security software that updates automatically.
4. Keep your operating system and Web browser up-to-date, and learn about their security features.
5. Protect your passwords.
6. Back up important files.
7. Learn what to do in an e-mergency.

Access to information and entertainment, credit and financial services, products from every corner of the world, even to your work, is greater than ever. Thanks to the Internet, you can play a friendly game with an opponent across the ocean; review and rate videos, songs, or clothes; get expert advice in an instant; or collaborate with far-flung co-workers in a “virtual” office.

But the Internet, and the anonymity it affords, also can give online scammers, hackers, and identity thieves access to your computer, personal information, finances, and more.

With awareness as your safety net, you can minimize the chance of an Internet mishap. Being on guard online helps you protect your information, your computer, and your money. To be safer and more secure online, make these seven practices part of your online routine.

1. Protect your personal information. It’s valuable.

To an identity thief, your personal information can provide instant access to your financial accounts, your credit record, and other assets. If you think no one would be interested in YOUR personal information, think again. ANYONE can be a victim of identity theft. In fact, according to the Federal Trade Commission, millions of people become victims every year. Visit ftc.gov/idtheft to learn what to do if your identity is stolen or your personal or financial information has been compromised, online or in the “real” world.

How do criminals get your personal information online? One way is by lying about who they are, to convince you to share your account numbers, passwords, and other information so they can get your money or buy things in your name. The scam is called “phishing”: criminals send email, text, or pop-up messages that appear to come from your bank, a government agency, an online seller or another organization with which you do business. The message asks you to click to a website or call a phone number to update your account information or claim a prize or benefit. It might suggest something bad will happen if you don’t respond quickly with your personal information. In reality, legitimate businesses should never use email, pop-ups, or text messages to ask for your personal information.
To avoid phishing scams:

* Don’t reply to an email, text, or pop-up message that asks for personal or financial information, and don’t click on links in the message. If you want to go to a bank or business’s website, type the web address into your browser yourself.
* Don’t respond if you get a message (by email, text, pop-up or phone) that asks you to call a phone number to update your account or give your personal information to access a refund. If you need to reach an organization with which you do business, call the number on your financial statement, or use a telephone directory.

Some identity thieves have stolen personal information from many people at once, by hacking into large databases managed by businesses or government agencies. While you can’t enjoy the benefits of the Internet without sharing some personal information, you can take steps to share only with organizations you know and trust. Don’t give out your personal information unless you first find out how it’s going to be used and how it will be protected.

If you are shopping online, don’t provide your personal or financial information through a company’s website until you have checked for indicators that the site is secure, like a lock icon on the browser’s status bar or a website URL that begins “https:” (the “s” stands for “secure”). Unfortunately, no indicator is foolproof; some scammers have forged security icons. And some hackers have managed to breach sites that took appropriate security precautions.

Read website privacy policies. They should explain what personal information the website collects, how the information is used, and whether it is provided to third parties. The privacy policy also should tell you whether you have the right to see what information the website has about you and what security measures the company takes to protect your information. If you don’t see a privacy policy, or if you can’t understand it, consider doing business elsewhere.

2. Know who you’re dealing with.

And what you’re getting into. There are dishonest people in the bricks and mortar world and on the Internet. But online, you can’t judge an operator’s trustworthiness with a gut-affirming look in the eye. It’s remarkably simple for online scammers to impersonate a legitimate business, so you need to know who you’re dealing with. If you’re thinking about shopping on a site with which you’re not familiar, do some independent research before you buy.

* If it’s your first time on an unfamiliar site, call the seller’s phone number, so you know you can reach them if you need to. If you can’t find a working phone number, take your business elsewhere.
* Type the site’s name into a search engine: If you find unfavorable reviews posted, you may be better off doing business with a different seller.
* Consider using a software toolbar that rates websites and warns you if a site has gotten unfavorable reports from experts and other Internet users. Some reputable companies provide free tools that may alert you if a website is a known phishing site or is used to distribute spyware.

File-Sharing: Worth the hidden costs?

Every day, millions of computer users share files online. File-sharing can give people access to a wealth of information, including music, games, and software. How does it work? You download special software that connects your computer to an informal network of other computers running the same software. Millions of users could be connected to each other through this software at one time. Often, the software is free and easy to access.

But file-sharing can have a number of risks. If you don’t check the proper settings, you could allow access not only to the files you intend to share, but also to other information on your hard drive, like your tax returns, email messages, medical records, photos, or other personal documents. In addition, you may unwittingly download malware or pornography labeled as something else. Or you may download material that is protected by the copyright laws, which would mean you could be breaking the law.

If you decide to use file-sharing software, be sure to read the End User Licensing Agreement to be sure you understand and are willing to tolerate the potential risks of free downloads.

3. Use security software that updates automatically.

Keep your security software active and current: at a minimum, your computer should have anti-virus and anti-spyware software, and a firewall. You can buy stand-alone programs for each element or a security suite that includes these programs from a variety of sources, including commercial vendors or from your Internet Service Provider. Security software that comes pre-installed on a computer generally works for a short time unless you pay a subscription fee to keep it in effect. In any case, security software protects against the newest threats only if it is up-to-date. That’s why it is critical to set your security software to update automatically.

Some scam artists distribute malware disguised as anti-spyware software. Resist buying software in response to unexpected pop-up messages or emails, especially ads that claim to have scanned your computer and detected malware. That’s a tactic scammers have used to spread malware. OnGuardOnline.gov can connect you to a list of security tools from legitimate security vendors selected by GetNetWise, a project of the Internet Education Foundation.

Once you confirm that your security software is up-to-date, run it to scan your computer for viruses and spyware. If the program identifies a file as a problem, delete it.

Anti-Virus Software

Anti-virus software protects your computer from viruses that can destroy your data, slow your computer’s performance, cause a crash, or even allow spammers to send email through your account. It works by scanning your computer and your incoming email for viruses, and then deleting them.

Anti-Spyware Software

Installed on your computer without your consent, spyware software monitors or controls your computer use. It may be used to send you pop-up ads, redirect your computer to websites, monitor your Internet surfing, or record your keystrokes, which, in turn, could lead to the theft of your personal information.

A computer may be infected with spyware if it:

* Slows down, malfunctions, or displays repeated error messages
* Won’t shut down or restart
* Serves up a lot of pop-up ads, or displays them when you’re not surfing the web
* Displays web pages or programs you didn’t intend to use, or sends emails you didn’t write.

Firewalls

A firewall helps keep hackers from using your computer to send out your personal information without your permission. While anti-virus software scans incoming email and files, a firewall is like a guard, watching for outside attempts to access your system and blocking communications to and from sources you don’t permit.

Don’t Let Your Computer Become Part of a “BotNet”

Some spammers search the Internet for unprotected computers they can control and use anonymously to send spam, turning them into a robot network, known as a “botnet.” Also known as a “zombie army,” a botnet is made up of many thousands of home computers sending emails by the millions. Most spam is sent remotely this way; millions of home computers are part of botnets.

Spammers scan the Internet to find computers that aren’t protected by security software, and then install bad software, known as “malware,” through those “open doors.” That’s one reason why up-to-date security software is critical.

Malware may be hidden in free software applications. It can be appealing to download free software like games, file-sharing programs, customized toolbars, and the like. But sometimes just visiting a website or downloading files may cause a “drive-by download,” which could turn your computer into a “bot.”

Another way spammers take over your computer is by sending you an email with attachments, links or images which, if you click on or open them, install hidden software. Be cautious about opening any attachments or downloading files from emails you receive. Don’t open an email attachment, even if it looks like it’s from a friend or coworker, unless you are expecting it or know what it contains. If you send an email with an attached file, include a text message explaining what it is.

4. Keep your operating system and Web browser up-to-date, and learn about their security features.

Hackers also take advantage of Web browsers (like Firefox or Internet Explorer) and operating system software (like Windows or Mac’s OS) that don’t have the latest security updates. Operating system companies issue security patches for flaws that they find in their systems, so it’s important to set your operating system and Web browser software to download and install security patches automatically.

In addition, you can increase your online security by changing the built-in security and privacy settings in your operating system or browser. Check the “Tools” or “Options” menus to learn how to upgrade from the default settings. Use your “Help” function for more information about your choices.

If you’re not using your computer for an extended period, disconnect it from the Internet. When it’s disconnected, the computer doesn’t send or receive information from the Internet and isn’t vulnerable to hackers.

5. Protect your passwords.

Keep your passwords in a secure place, and out of plain sight. Don’t share them on the Internet, over email, or on the phone. Your Internet Service Provider (ISP) should never ask for your password.

In addition, hackers may try to figure out your passwords to gain access to your computer. To make it tougher for them:

* Use passwords that have at least eight characters and include numbers or symbols. The longer the password, the tougher it is to crack. A 12-character password is stronger than one with eight characters.
* Avoid common words: some hackers use programs that can try every word in the dictionary.
* Don’t use your personal information, your login name, or adjacent keys on the keyboard as passwords.
* Change your passwords regularly (at a minimum, every 90 days).
* Don’t use the same password for each online account you access.

6. Back up important files.

If you follow these tips, you’re more likely to be free of interference from hackers, viruses, and spammers. But no system is completely secure. If you have important files stored on your computer, copy them onto a removable disc or an external hard drive, and store it in a safe place.

7. Learn what to do in an e-mergency.

If you suspect malware is lurking on your computer, stop shopping, banking, and other online activities that involve user names, passwords, or other sensitive information. Malware could be sending your personal information to identity thieves.

Confirm that your security software is up-to-date, then use it to scan your computer. Delete everything the program identifies as a problem. You may have to restart your computer for the changes to take effect.

If the problem persists after you exhaust your ability to diagnose and treat it, you might want to call for professional help. If your computer is covered by a warranty that offers free tech support, contact the manufacturer. Before you call, write down the model and serial number of your computer, the name of any software you’ve installed, and a short description of the problem. Your notes will help you give an accurate description to the technician.

If you need professional help, if your machine isn’t covered by a warranty, or if your security software isn’t doing the job properly, you may need to pay for technical support. Many companies, including some affiliated with retail stores, offer tech support via the phone, online, at their store, or in your home. Telephone or online help generally are the least expensive ways to access support services, especially if there’s a toll-free helpline, but you may have to do some of the work yourself. Taking your computer to a store usually is less expensive than hiring a technician or repair person to come into your home.

Once your computer is back up and running, think about how malware could have been downloaded to your machine, and what you could do to avoid it in the future.

Also, talk about safe computing with anyone else who uses the computer. Tell them that some online activity can put a computer at risk, and share the seven practices for safer computing.

Where to report:
Hacking or a Computer Virus

Alert the appropriate authorities by contacting:

* Your ISP and the hacker’s ISP (if you can tell what it is). You can usually find an ISP’s email address on its website. Include information on the incident from your firewall’s log file. By alerting the ISP to the problem on its system, you can help it prevent similar problems in the future.
* The FBI at www.ic3.gov. To fight computer criminals, they need to hear from you.

Internet Fraud

If a scammer takes advantage of you through an Internet auction, when you’re shopping online, or in any other way, report it to the Federal Trade Commission, at ftc.gov. The FTC enters Internet, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

Deceptive Spam

If you get deceptive spam, including email phishing for your information, forward it to spam@uce.gov. Be sure to include the full header of the email, including all routing information. You also may report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.

Divulged Personal Information

If you believe you have mistakenly given your personal information to a fraudster, file a complaint at ftc.gov, and then visit the Federal Trade Commission’s Identity Theft website at ftc.gov/idtheft to learn how to minimize your risk of damage from a potential theft of your identity.

Parents

Parents sometimes can feel outpaced by their technologically savvy kids. Technology aside, there are lessons that parents can teach to help kids stay safer as they socialize online. Most ISPs provide parental controls, or you can buy separate software. But no software can substitute for parental supervision. Talk to your kids about safe computing practices, as well as the things they’re seeing and doing online.

Social Networking Sites

Many adults, teens, and tweens use social networking sites to exchange information about themselves, share pictures and videos, and use blogs and private messaging to communicate with friends, others who share interests, and sometimes even the world-at-large. Here are some tips for parents who want their kids to use these sites safely:

* Use privacy settings to restrict who can access and post on your child’s website. Some social networking sites have strong privacy settings. Show your child how to use these settings to limit who can view their online profile, and explain to them why this is important.
* Encourage your child to think about the language used in a blog, and to think before posting pictures and videos. Employers, college admissions officers, team coaches, and teachers may view your child’s postings. Even a kid’s screen name could make a difference. Encourage teens to think about the impression that screen names could make.
* Remind your kids that once they post information online, they can’t take it back. Even if they delete the information from a site, older versions may exist on other people’s computers and be circulated online.
* Talk to your kids about bullying. Online bullying can take many forms, from spreading rumors online and posting or forwarding private messages without the sender’s OK, to sending threatening messages. Tell your kids that the words they type and the images they post can have real-world consequences. They can make the target of the bullying feel bad, make the sender look bad and, sometimes, can bring on punishment from the authorities. Encourage your kids to talk to you if they feel targeted by a bully.
* Talk to your kids about avoiding sex talk online. Recent research shows that teens who don’t talk about sex with strangers online are less likely to come in contact with a predator.
* Tell your kids to trust their instincts if they have suspicions. If they feel threatened by someone or uncomfortable because of something online, encourage them to tell you. You can then help them report concerns to the police and to the social networking site. Most sites have links where users can immediately report abusive, suspicious, or inappropriate online behavior.
