An 'Ethical Hacker' On Protecting Your Identity
qwqwss writes "Canada.com is running an article by Terry Cutler, a 'certified Ethical Hacker', who wants to get the word out to people on protecting their identities from a growing number of risks. The piece covers shopping online, keeping your personal information contained, and avenues of inquiry if your identity is stolen."
1-888-567-8688
Call this one number to opt out of all three bureaus. You can protect yourself from identity theft by taking your name off of the credit bureaus' mailing lists. The credit bureaus are one of the biggest offenders when it comes to selling your name and information to the credit card companies who in turn send you all those pre-approved applications. One call to the Opt Out Request Line (for Equifax, TransUnion, Experian and Consumer Credit Associates) is all it takes to permanently remove your name from all marketing lists that the credit agencies supply to direct marketers. You can also opt for a two-year period, renewing your request at any time in the future.
Identity theft certainly happens on the Internet, but it's the old-fashioned cons that usually get your SSN and such. Put your paranoia in the right place. Please.
It should be called "Common Sense 101". This type of thing should be posted on, oh I don't know, maybe blogs that old people read?
The trick to not worrying about identity theft is to have horrible credit and just about $0 in the bank. I've never got to worry about somebody using my identity. Hell, my identity doesn't even do me any good.
Here in the backwater US, you can get your credit report for free three times a year at http://annualcreditreport.com/ - Check it every four months.
...was there really anything mentioned in that article that your typical /. reader didn't already know?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Just about all the information the "certified ethical hacker" is putting out is nothing new. Awareness is all good and well, but the steps to protect your identity require more work and understanding than the average Joe is willing to commit to. Laziness is the trait that identity thieves hope for, and usually find.
Until the current standards change or are more rigorously enforced, identity theft will remain one of our electronic culture's downfalls. And now that Pandora's box has been opened on identity theft, I doubt a system will be made that could keep even the most determined from gaining your identity.
This space intentionally left blank
Minor methods like:
...
a. shredding the account numbers and names/address on your bills or mail.
b. taking out the recycling only on recycle day, and making sure none of it contains identifying materials, but that all those are shredded and then mixed.
c. not taking too much ID with you.
And realizing that you're being phished. I learned a lot of techniques in the Canadian Armed Forces, when they would try to get information out of our systems by trying to pretend they were from someplace that just needed info, or wanted to verify something.
Never trust email, don't trust phoners, and never action things that you didn't originate.
And keep your hand over the other one (shading it) when entering your PIN.
Canada.com is a website for daily newspapers in Canada, FYI. Always right-click to inspect any links and ensure they go to the correct location before clicking them - and always use URLs you made yourself to access your banking and credit info.
Now, I've got an underwater tunnel to sell you if you don't want to follow that advice, and I'm sure other people will tell you about all the lotteries you've won, and how a rich religious minister left you money in [NAME OF COUNTRY]
-- Tigger warning: This post may contain tiggers! --
Apparently, 'certified ethical hacker' is an actual cert one can get. But I don't think I would want the term 'hacker' to appear anywhere on my resume. Unless I was trying to get a job with some black hat pseudo legal firm...that'd been sweet.
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Hey, it's fun to shred stuff...
Just don't ever allow your kids to shred anything, even once. If you do, you may find yourself re-filing your taxes, one piece of sellotape at a time.
Deleted
Umm ..call me paranoid.. how do I know that number u posted is not set up by some guy to get people's info?
That said, I did verify on google.. and it seems fine.
Does anyone else think that online identity theft is exaggerated? I mean, I have seen stats for identity theft in general, but not specifically for online identity theft. It strikes me as an insurance company/bank/credit card company ploy to make money. They take the internet, something a lot of people don't understand, paint it as a major source of fraud, and ask you to pay $10/mo for their 'identity protection' services.
I have a feeling that the majority involvement of the internet in these crimes is as a vehicle for the transmission or cracking of databases made available by poor security practices.
That's what I did. Now if some joker gets my numbers, I can simply dump the card and get a new prepaid Master Card. Pfffft, eat that h4xx0rz! ;-)
The dangers of knowledge trigger emotional distress in human beings.
Right and wrong are always blurred and I can't see how "ethical" can really be defined.
Engineering is the art of compromise.
It's shameless self-promotion, but I just wrote an article on Computerworld about basic security and privacy issues for the homeless and/or other perennially wandering folks. There's a little coverage about identity establishment there too, along with general protection of information and resources.
-Jon
I think not...(*poof*)
I can't really understand why /. always has these news about protecting one's identity, but when someone wants to post a comment and remain anonymous they call him a "coward"...
Some banks allow users to generate virtual credit card numbers (that can have dollar limits and specific expiration dates) for use with online purchases. Probably not a bad idea to buy things online with one of these generated online numbers (using the purchase amount as the limit).
I know this comment will probably languish in obscurity, it's becoming an unfashionable sentiment but the world is changing, Slashdot too.
But I object to the phrase "Ethical Hacker"
Kudos to the ed/poster who placed it in quotes, but personally I would have dropped the qualifying word.
I never knew a genuine hacker who wasn't deeply ethical, even the mischievous ones up for cracking and pranks.
To propagate this newspeak merely reinforces unfounded prejudices and panders to the frightened powers and ignorati.
And does Jinx.com carry Certified Hacker shirts for the l33t crowd?
This is sort of unrelated, but it seems appropriate.
What's the privacy record as far as cell phone address books? If I store names and numbers on cell phones, is a warrant required in order for the police to view those records, or do the police just pop on into the phone company and ask nicely (or not so nicely?)
no comment.
Last week, I tasked myself with determining ways to contact 72 Slashdot users. (People who'd responded to a subset of my journals in the past.) I found email addresses for fifty of them, instant messenger IDs for three others, profiles in other communities for five of them, and other ways to contact all the rest but four. That's a success rate of 94%. Oh, and I didn't spend a cent on access to databases. Google and WHOIS were sufficient for most of them.
My recommendations to those in the Slashdot community who want to keep their lives private:
For those of you who've failed any of those three tests already, well, it's likely to be a long, uphill battle if you want to regain your privacy.
tasks(723) drafts(105) languages(484) examples(29106)
What I can't figure out is how did you know that Computerworld is the preferred reading material of the homeless?????
Good question. If you give information to a third party, what are your privacy rights concerning that? In some cases, that's pretty clear. If I give my credit card to a store clerk, it's implied that he will not give it to anybody else but the card company.
But there are many instances where we presume a right that others may consider subject to interpretation. "Is Jack Brown here?" -- "Let's see. Sure, his key is here". Perhaps Jack Brown would object to his whereabouts being known. If he told a garage attendant not to tell anyone, the police would need a warrant to get that information. OTOH, if the traffic camera on the other side of the street caught his car coming in, the police wouldn't need any warrant.
Unfortunately, the basic rights we have are all specified on documents that are centuries old. We need a new and revised phrasing to make sure everything we take for granted is covered. What was called a "house" two hundred years ago today includes things such as our bank account and phone address databases.
Let's be honest. "Identity theft" is only about the precious "credit rating". "Credit ratings" are useful, true, but they're waaaay overused, primarily because people tend to live faaar beyond their means. A credit rating can only be held over your head if you insist on living on credit. The simple fact of the matter is that by avoiding using credit you don't really have to worry about "identity theft", one of the Big Three screwing up, and you don't have Big Brother watching your every move. People use credit so much that a person's credit rating has become the equivalent of "be good, or it goes on your PERMANENT RECORD" from grade school. It's been an adjustment, but I'm both personally, and business-wise (I own my own business) completely debt-free, and I intend to stay that way.
In fact, I had a company (BellSouth Advertising) screw up my business listing badly last year. They published my store hours saying that we were closed a day that we're not. I never signed off on that ad. As a result, business is slower that day. Of course, BellSouth Advertising is giving me some bullshit about "you signed off on the previous year, and it says in fine print that if you don't sign off for the next year, that we can still bill you, blah, blah, blah". I told them that I don't pay for anything that I don't agree to, and I certainly won't pay for an ad that hurts my business. They call every few days, and all they can threaten me with is that they'll ding my credit rating. I just smile and say, "that's fine. I'm still not paying."
That's REAL freedom. I'm not beholden to ANYBODY, from a financial standpoint. How many people in the US today can say that they're financially free?
Let us analyse this boobytrap, shall we?
"Certified" -- Here we have the Welcome Mat, designed to make us feel comfortable & willing to continue.
"Ethical" -- Ah, we find ourselves Tempted By Cheese sitting on the welcome mat.
"Hacker" -- And here we have the 10 Ton sandbag hanging above the welcome mat. If you look closely, you can see the fishing line that holds the bag above the mat going through a series of pulleys & eventually running under the mat.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Data thefts have been so rampant there is likely little this article says for pointers. You can have ubersecurity skills and all it takes is the theft from your bank and everything you've done is down the tubes. The article, if you ask me, was meant for those new to the net and did nothing to give me insight. Flame on, moderate away, but let's be realistic, the article did nothing for me.
Infiltrated dot Net
I should have felt misled when I followed the link to AnnualCreditReport.com thinking that it is free and less than annual as the poster stated. How does one get it every 4 months for free? I did it last summer and have been waiting for the anniversary to roll around. Even the welcome page states 1 per year. Please tell me!!
I love how they make him seem qualified because he's a "CERTIFIED ETHICAL HACKER". This is equivalent to A+ Certification in the generic IT space.
Sure, it's great if you can live without credit and get by.... But I occasionally run into someone just like yourself, preaching that the "rest of us" need to stop using credit and achieve "financial freedom" (or some variation on that theme). E.g. one of my former bosses that I do some computer work for got that same lecture from his bookkeeper a few months ago. (He was upset that a few incorrect things on his credit report, plus an ex-employee mishandling some bills caused his credit score to drop too low to get a home loan he was seeking for a new investment property.)
I didn't get in the middle of that particular argument -- but if it was me, I would have told the bookkeeper to shut her trap. The fact is, she was only able to live "credit/debt free" because her husband happened to have a really good paying job - and her salary was just "play money" for them.
Credit scores *are* important, if only because a smart individual has more options with a good credit score. Credit is simply a tool, and it can be used well or improperly. But without a decent credit score, you've lost access to that "tool" completely.
People like my former boss leverage their credit to make purchases that help them generate positive cash flow. (He rents out houses after buying them when he sees a good deal on one.)
In circumstances like your ordeal with BellSouth, I can sympathize - except it's a smarter thing to attack the problem directly, rather than just ignore it and let them damage your credit. If you didn't sign their agreement, you have a great lawsuit right there. Force them to produce the paperwork in court, or else they have to release you from the contract (and you could probably claim damages too, and recoup some of those losses from the lost business due to their errors!).
I think you misinterpret "financial freedom" to an extent.... I'd say financial freedom is the ability to buy anything you want or need, when you want or need it. If you're a Bill Gates, you're there already and the "credit tool" is irrelevant. But most of us don't have that kind of cash in the bank.
makes about as much sense as "Ethical Lawyer".
The ones who help other people are ethical. The ones who try to fuck other people over are not.
Calling yourself ethical doesn't make you that. It's your deeds that determine whether or not you're ethical.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
"Right and wrong are always blurred and I can't see how "ethical" can really be defined."
Which explains the messes the world gets into. Too many people "defining" ethics, and not enough living them.*
*Here's a way to think about morality and ethics. They're more what you do when no one is looking, than when they are [1]
[1] Example: For all of you engaging in illegal copyright infringement (of ALL kinds). Would you do it with the content creator looking over your shoulder? Or wait till they left the room?
How does one get it every 4 months for free
One per year per agency. Get one from one agency every four months. If anything major happens, you can bet on it being in all three. Minor stuff, like addresses, etc are most likely what will differ from one agency to another and are not so urgent to get fixed.
I got all of my reports except Equifax. The whole process fails when I get to them. Does this happen to anyone else? I think out of all the credit reporting agencies this one is the most difficult to deal with.
Of the three major credit report agencies, Equifax is the worst. Especially if you're trying to clean up your credit reports. Even if they're supposed to investigate and delete bad info, if they ever get around to it they drag their feet to investigate. They're also supposed to allow you to write a letter to be attached to the report but they lose these. Because they're so bad it's a wonder why anyone would use them.
Falcon
Should there be a Law?
Apparently, 'certified ethical hacker' is an actual cert one can get. But I don't think I would want the term 'hacker' to appear anywhere on my resume. Unless I was trying to get a job with some black hat pseudo legal firm...that'd been sweet.
I've never heard of any certification for ethical hackers before reading this article. What organization issues the cert? Once upon a tyme I read about the Model Railroad Club at MIT, the WOZ, and others and I wanted to be a hacker like them. Alas back then the adjective "ethical" wasn't needed, but reporters and the mass media have bastardized the word. When I read where a reporter goes on about how hackers are bad I want to ask "so why are you a hacker?" Many people may not recall or know it but "hackers" is what reporters were once called. Though I'm not sure I think they are referred to as hackers in "Citizen Kane" made in 1941.
Falcon
Should there be a Law?
Let's be honest. "Identity theft" is only about the precious "credit rating". "Credit ratings" are useful, true, but they're waaaay overused, primarily because people tend to live faaar beyond their means. A credit rating can only be held over your head if you insist on living on credit. The simple fact of the matter is that by avoiding using credit you don't really have to worry about "identity theft"
If only this were true but it's not. Even if you're careful and watch your spending, say you have a small discretionary fund but the rest you save and invest, you still need to be careful about your credit reports and id theft. Someone who steals your id can open credit accounts in your name then take all the money and run. If you are looking to buy a new car, no say a house, you may not be able to get a house once you find it because your credit has been messed up. Or say you're looking for new employment, you can be denied employment because of your FICA credit score. More and more employers check applicants' credit. You can also be arrested because someone stole your id and used it. I've come across a number of stories like this in the news.
Falcon
Should there be a Law?
There is no such thing as privacy. Getting on or off lists won't help you a damn when any half-wit felon grabs your SSN and ruins your life.
For some victims of identity theft, it takes years to clear their normally good names. I read one article that describes the horror one person went through. She couldn't ever get a job because a police unit in another state has a "file" on her time she did in prison for attempted murder and grand theft auto. She has never been to prison.
I guess the best defense is to never give out any information, or be careful about it.
For example: Every time I go and get my school schedule they ask for my SSN. Most people blurt theirs out. I write mine down on a piece of paper and then get the paper back. I dispose of it by adding one number to the beginning (I don't separate the digits initially) and pen in a random name above it. So if someone crawling through the school records office trash finds it, they will just think it's a telephone number.
It's little things like this that will most likely keep you out of trouble. But you can't control certain people grabbing hold of this information...so what's the use of being paranoid about it.
Wow, he said a lot of new and useful things in that article....I never knew that before!
Please send me $29.95 and you will receive your Official Certified Ethical Hacker welcome kit. The kit contains:
1. Certificate of Authenticity
2. Certified Ethical Hacker Mug
3. Paper bag to hide your face from your friends and loved ones.
“Common sense is not so common.” — Voltaire
I reported an eBay scam to a Canadian govt and they took care of it right away.
But sometimes you want to prevent the problem before it starts
and there's plenty of encryption tools out there to help you.
But common sense rules the day.
For a bit of technical help try http://www.mysecureisp.com/
I wouldn't trust a CEH for advice on how to tie shoes, let alone anything security related :P....
Saw these funny stickers, thought the CEH people would like to see them...
http://www.cafepress.com/defconshirts
Having had the inside scoop on identity fraud for a long while now I would just like to say that there is a lot that the media/banks and governments are not saying. The crux of it all is this: the fraudsters already have your details and they have had them for a long while, and when I say a long while I mean years!
Information security has only reached its peak in the last couple years. Prior to this, it was pretty lax especially during the height of companies outsourcing their call centers to foreign lands and not having a clue about data protection laws in said countries. There were multiple stories of fraudsters going to India with briefcases of cash and offering call center employees the equivalent of 1 year's salary for them to pass on customer details. These people didn't pass on the names of one or two people, they passed on whole databases! http://news.bbc.co.uk/1/hi/uk/4121934.stm
Nowadays this is a lot more difficult to do, because information security is being taken a lot more seriously, and partly because thousands of people are getting stung.
IMHO, another reason why identity theft is so prevalent and will continue to be for the foreseeable future is that the weakest link will always be people. You can't bribe a computer system, but you can always bribe a call center employee or an Equifax worker. I'll bet that no one reading this is more than 3 degrees of separation away from one of those two people. And besides, they say everyone has a price. If you can convince a couple of young men to blow themselves up, then personally I think it will be a piece of piss to get them to accept a bribe.
Just like everything else, fraud has and will continue to evolve. Initially it was stolen cheque books and credit cards, now you have elaborate schemes involving huge sums of money and lots of different people but using very little technology. For instance.
Nothing stops someone from spending a couple of grand putting ads in select newspapers offering loans etc. As soon as some unfortunate person bites, and say requests a loan for $5,000, the appropriate details are taken, and the sum of say $20000 is paid into the account. The recipient is called up a day later and told that the money is in their account but they were overpaid and need to send the excess of $15000 via money transfer or bank wire to X country/location ASAP. The "Mugu" at this point does so, and suddenly becomes liable for $20000 while the fraudsters vanish.
Now you may ask where did the initial $20K come from?? easy.
Well generally this comes from the account of someone with a lot of money in the bank. It is generally obtained by a fraudulent person working in a bank. They will tend to get the details from accounts that they access as part of their job so as not to arouse suspicion. All that is done next is to match the details of this person with their credit report/identity information obtained earlier, effect a wire transfer.. which can be done over the phone and voila, Robert is your father's brother!
The way we as humans do things has to change. We want faster fast food, we open more fast food restaurants, and to cope with demand we pump the chicken full of hormones so that when it is slaughtered after 3 weeks it's nice and fat. Then we start complaining about being obese, talking about being cruel to animals, worrying about what those hormones are doing to us. Yet we are the ones that demand faster fast food.
It's the same with banking, we want more convenience, we want to be able to bank online, but can't be bothered to secure our home computers against key loggers, we want lesser charges so banks operate call centers in far flung countries. It's all about what WE want. But we forget that with the increases in our reliance on technology and our demands for "more" there are always risks that will have to be dealt with, and until those risks are acknowledged there will always be victims. This goes for every facet of our existence.
Tis, brakes that allow cars go fast!
Woo hoo! Look at me...I just got one of the least-respected certifications ("Certified Ethical Hacker") in computer security!
Woo hoo! Look at me...I'm parroting back a little bit of information, containing nothing new whatsoever in depth or breadth of scope, about protecting your identity!
(yawn)
For your security, this post has been encrypted with ROT-13, twice.
CEH is like an "i'm a newbie badge" for security. Think of it as one step below security+
Anyone can pick up a book and learn how to run vuln scanners or use prepackaged exploits.
If people want to go to some real security training, I recommend http://www.immunitysec.com/education-overview.sht
Dave Aitel is both technically brilliant and incredibly funny - a rare combination.
The fake PIN would work against trojan ATMs. I've seen more than one story on the news where fraudsters install a fake, free-standing ATM in a public shopping area (mall). It reads the cards and PINs, and maybe dispenses cash (or some sort of error message). The "service technicians" later remove the machine with all the recorded info. for cloning the cards.
Alas back then the adjective "ethical" wasn't needed, but reporters and the mass media have bastardized the word.
The hackers back then weren't ethical, either. Take a closer look at those "heroes", and you'll find a band of con artists and criminals.
These believed that breaking and entering was ethical; they were big on theft of services (especially phone and computer services), they loved to trespass, and they generally felt that forcing their way into places that the owners didn't want them to go was a fun thing to do. These were people who felt that everyone else's information should be free to all; but they themselves had an inviolable right to privacy. They were hypocrites of the highest order. They're mostly gone, and good riddance to them. They sucked.