Posts Tagged ‘hacker’

31 Jan 08

Unbloating Vista Could Be Security Risk

A frustrated Windows Vista user who turns to the vLite application to shrink the OS can pick and choose components to remove, including the Windows Firewall.

A 15GB operating system may have a little more on the component side than it truly needs to run efficiently. Lots of people feel this way about Vista, especially Dino Nuhagic.

He developed vLite, a utility that permits customization of the Vista OS before installing it on a system. “This method is much cleaner, not to mention easier and more logical than doing it after installation on every reinstall,” Nuhagic said on the vLite site.

Doing this is not for the faint of heart when it comes to technology issues. Being able to remove a component doesn’t mean one should. Someone who decides to trust a router for protection and removes the Windows Firewall from a laptop installation could be in for a nasty surprise when connecting to another network that may be lacking in security for whatever reason.

The Windows Firewall arrived with Microsoft operating systems starting with XP. Before that, security pros and other prudent users had to add third-party firewalls to Windows 2000 to safeguard against the OS attacks that were common for the period.

People may not realize this, but the shift from attacking Windows to attacking applications began when XP gained a place on thousands of personal computers. Though people could add firewalls to their systems before this, many did not. XP arrived with the firewall on by default.

It may feel right to remove some of Vista’s excess. Gamers in particular will be heartened by Nuhagic’s comment in Computerworld about putting Vista on a drastic diet:

Nuhagic didn’t come right out and say it, but he hinted that he — like more critical users and pundits — thought Vista was bloated and could use some reducing. “To be frank, I don’t need 90% of Windows. But that 10%, which guarantees that you can run [the] majority of games out there, is what is worth isolating.”

To the power gamers who have been frustrated with Vista, vLite may look like an absolute must-have for their systems. Achieving speed at the expense of security should not be part of the process. Plenty of criminals would love to grab a gamer’s login credentials, and losing one’s virtual identity would be worse than a headshot in-game.


25 Jan 08

ATM Fraud / Costco Shopping?

As you know, this is my bread and butter. I thought I would pass along some information that might concern you, especially if you have shopped at the Tracy Costco lately. It’s extremely important to keep a sharp eye out for fraudulent transactions on your bank and credit accounts. Many perpetrators pull a little money out at first to see if you notice. Then they start siphoning out money daily, until the account is closed. This Costco event affected a co-worker of mine, but he caught it early because every bank account transaction is set up to notify his email account. He caught it within one hour, and is only dealing with a $500 case. Others weren’t so fortunate, and are having a harder time.

ATM fraud cases spread, FBI to help

Bob Brownne / Tracy Press / Wednesday, 16 January 2008


On Wednesday alone, 24 more people reported that money was taken out of their bank accounts using their ATM cards, and the FBI has been contacted to help solve the puzzling electronic crime spree.

Dozens of people have been ripped off through an ATM scam in town, and Tracy Police could get FBI help with their investigation.

On Wednesday, Tracy police had fielded 24 calls from victims as of 4 p.m. Police heard from 14 victims on Tuesday and 12 on Monday, but before that, there were only a few each day. While many people, including 20 or so from the Grant Line Road Costco store, suspect their accounts were compromised at the Costco gas station, the scam could reach further.

“What’s so bizarre was I didn’t use my debit card since I was up with my aunt and uncle for New Year’s Eve,” said Janet Sayers of Tracy.

She said her bank called her Sunday to report a $500 withdrawal from an ATM in Pleasanton and then froze her account when she confirmed that it was a fraudulent transaction.

“I was home all day,” she said.

While she uses the Costco gas station, she said she hadn’t been back since just before the New Year’s holiday. She said she has also used her ATM at a store where a clerk passes the card through a reader behind the counter, but she won’t do that anymore.

Another woman said she used her ATM at the Costco pharmacy and lost $1,000 shortly afterward when someone made withdrawals from ATMs in Milpitas and Palo Alto.

Management at Costco would not comment on the matter.

Banks are familiar with ATM and credit card scams. Yannick Green of Mountain House said he learned how widespread this week’s problem is when he went to his bank to cancel his ATM cards.

“When I went into the bank to stop everything, they said they weren’t surprised,” Green said. “I wasn’t the first one in there to report theft.”

Like many of the folks who called the police Tuesday, Green had used an ATM card at Costco on Grant Line Road. He said the machine wouldn’t accept his card Friday, so he used a cash voucher to buy gas. Afterward, he thought something was amiss, and over the weekend, his wife spotted $500 worth of charges from ATMs in Sunnyvale and Mountain View on their account.

Tracy police still haven’t reported where or how thieves gained access to debit card data in town.

City spokesman Matt Robinson said Wednesday that the detective on the case is now working with the FBI. An FBI spokesman in Sacramento said he was unaware of an investigation. The FBI spokesman from the San Francisco office said agents would not comment on whether there is an active investigation.

Scott Gillingham, resident agent in charge for the U.S. Secret Service office in Sacramento, said he is unfamiliar with this case, but the agency regularly investigates electronic fraud of this sort.

Gillingham said thieves often attach electronic devices to the front of an ATM. A person using an unfamiliar ATM might not recognize the device, which will read a card’s magnetic strip and record or transmit the information. That allows a thief to make a counterfeit card. Thieves will use a hidden camera on or near the ATM to record a user’s entry on the PIN keypad.

“It’s not very common in this area, and people are able to tell that the machine has been modified,” he said, though the devices also have become more sophisticated.

The California Bankers Association issued an alert about that type of scam in July 2005. The association warned people to be aware of any changes to the ATMs they regularly use and also to shield the keypad when they enter their pass codes.

• We want to hear what you have to say. To reach reporter Bob Brownne, call 830-4227 or e-mail brownne@tracypress.com.

08 Nov 07

Identity Theft Preventive and Reactive Steps


ID Theft

Preventive Steps:

  • When creating passwords and PINs (personal identification numbers), do not use the last four digits of your Social Security number, mother’s maiden name, your birth date, middle name, pet’s name, consecutive numbers or anything else that could easily be discovered by thieves. It’s best to create passwords that combine letters and numbers.
  • Here’s a tip to create a password that is strong and easy to remember. Think of a favorite line of poetry, like “Mary had a little lamb.” Use the first or last letters to create a password. Use numbers to make it stronger. For example, MHALL, or better yet MHA2L!. The longer the string, the harder it is to crack.
  • Never respond to “phishing” email messages. These appear to be from your bank, eBay, or PayPal. They instruct you to visit their web site, which looks just like the real thing. There, you are told to confirm your account information, provide your SSN, date of birth and other personal information. Legitimate financial companies never email their customers with such requests. These messages are the work of fraudsters attempting to obtain personal information in order to commit identity theft. (See example below.)


Example:

From: BankofAmerica [mailto:BankofAmerica@online.com]
Sent: Thursday, September 06, 2007 1:53 PM
Subject: Security update



We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us.

If this is not completed by September 7, 2007, we will be forced to suspend your ccount indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.

To confirm your Online Banking records click on the following link:
https://online.bankofamerica.com/IdentityManagement/

Thank you for your patience in this matter.

Bank of America Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

© 2007 Bank of America Corporation. All rights reserved.


***Note that this appears to be from a legitimate Bank of America email account; however, further investigation shows that the hyperlink hides a different embedded URL than the text that appears. It misleads victims to a scam website that records the private information they provide.

  • When shopping online, do business with companies that provide transaction security protection, and that have strong privacy and security policies. Always look for a secure URL when making an online transaction (HTTPS://).
  • Before disposing of your computer, remove data by using a strong “wipe” utility program. Do not rely on the “delete” function to remove files containing sensitive information.

  • Be aware that file-sharing and file-swapping programs expose your computer to illegitimate access by hackers and fraudsters. If you use such programs, make sure you comply with the law and know what you are doing. Install and update strong firewall and virus protection.
  • Run a credit report on yourself to see if there are any unknown credit inquiries or unauthorized accounts
  • Reconcile your check and credit card statements in a timely fashion and challenge any purchases that you did not make
  • Never give out any important number, such as your driver’s license, credit card, bank account, date of birth or Social Security number, to anyone you don’t know over the telephone
  • Shred your bank statements and any tax documents when you dispose of them
  • Scrutinize your utility and subscription bills to make sure the charges are yours
  • Memorize your passwords and personal identification numbers (PINs). Keep your PINs somewhere that only you know
  • Don’t give out your PIN or write it on your credit cards or ATM cards
  • Keep a list or photocopy of all credit and identification cards you carry with you, including front and back, so that you can quickly call the issuers to inform them about missing or stolen cards
  • Don’t give away too much personal information on your family web site. Full names, dates of birth, and addresses are too much information to post. By obtaining your “place-of-birth,” the identity thief can possibly get your duplicate birth certificate

If You Become a Victim

  • Report the incident to the police immediately. If you know where your identification was stolen, that would be the correct police jurisdiction to report it to. Insist on being given a police report number and get a copy to enclose in correspondence with credit agencies
  • Report all stolen cards to the issuers immediately and request new card numbers. Always respond to written credit card receipt notifications received in the mail
  • Notify your bank in the event that your checks are stolen and request that your account be closed

Credit Reporting Agencies:

  • Equifax. Phone: (888) 766-0008. Online: www.equifax.com
  • Experian. Phone: (888) EXPERIAN (397-3742). Online: www.experian.com
  • TransUnion. Phone: (800) 680-7289. Online: www.transunion.com

Federal Trade Commission Identity Theft Clearinghouse

Federal Agencies and Technology Industry

California Office of Privacy Protection

Identity Theft Resource Center

Privacy Rights Clearinghouse

Compilation of Identity Theft Surveys

· Web: www.privacyrights.org/ar/idtheftsurveys.htm

Additional web sites: