Slashdot Mirror


An 'Ethical Hacker' On Protecting Your Identity

qwqwss writes "Canada.com is running an article by Terry Cutler, a 'certified Ethical Hacker', who wants to get the word out to people on protecting their identities from a growing number of risks. The piece covers shopping online, keeping your personal information contained, and avenues of inquiry if your identity is stolen."

15 of 159 comments

  1. I don't want to be a killjoy, but... by winkydink · · Score: 2, Insightful

    ...was there really anything mentioned in that article that your typical /. reader didn't already know?

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:I don't want to be a killjoy, but... by pseudorand · · Score: 4, Insightful

      Well, I'd never thought of always typing in the wrong PIN first to verify that the ATM is actually connected to the ATM network. But I'm also not sure I believe the keylogger keypad connected to wifi thing either. I imagined ATMs were tamper resistant such that the bank would be notified if anything was disconnected.

  2. Online identity theft = FUD? by porkmusket · · Score: 5, Insightful

    Does anyone else think that online identity theft is exaggerated? I mean, I have seen stats for identity theft in general, but not specifically for online identity theft. It strikes me as an insurance company/bank/credit card company ploy to make money. They take the internet, something a lot of people don't understand, paint it as a major source of fraud, and ask you to pay $10/mo for their 'identity protection' services.

    I have a feeling that the majority involvement of the internet in these crimes is as a vehicle for the transmission or cracking of databases made available by poor security practices.

    1. Re:Online identity theft = FUD? by Anonymous Coward · · Score: 1, Insightful

      This is true. You are more likely to have your neighbor steal your mail and get your credit card information. Once they have that they can go on a shopping spree. All they have to do is make sure they get home from work before you. I know four people who have had this happen in the last year. They don't find out until they get their bill with all of the extra purchases.

  3. Simple: post AC! by mangu · · Score: 4, Insightful

    I can't really understand why /. always has these news about protecting one's identity, but when someone wants to post a comment and remain anonymous they call him a "coward"...

  4. Mind your language please by Anonymous Coward · · Score: 1, Insightful

    I know this comment will probably languish in obscurity; it's becoming an unfashionable sentiment, but the world is changing, Slashdot too.

    But I object to the phrase "Ethical Hacker".

    Kudos to the ed/poster who placed it in quotes, but personally I would have dropped the qualifying word.

    I never knew a genuine hacker who wasn't deeply ethical, even the mischievous ones up for cracking and pranks. To propagate this newspeak merely reinforces unfounded prejudices and panders to the frightened powers and ignorati.

  5. Re:Get a Prepaid Master Card by golgoj4 · · Score: 1, Insightful

    But what happens when they flag you as a terrorist for using pre-paid credit cards too much?

    --
    -those people who tell you not to take chances, they are all missing what life's all about-

  6. "Contained" by Short+Circuit · · Score: 2, Insightful

    keeping your personal information contained

    Last week, I tasked myself with determining ways to contact 72 Slashdot users. (People who'd responded to a subset of my journals in the past.) I found email addresses for fifty of them, instant messenger IDs for three others, profiles in other communities for five of them, and other ways to contact all the rest but four. That's a success rate of 94%. Oh, and I didn't spend a cent on access to databases. Google and WHOIS were sufficient for most of them.

    My recommendations to those in the Slashdot community who want to keep their lives private:

    • Use an anonymizer to sign up for domain names. I found a bunch of email addresses through WHOIS.
    • Don't base your username on the whole or parts of your real name.
    • Above all, avoid using the same username on multiple communities. If I know your username, and even a small bit of information about your interests (like, "You read Slashdot"), I can find your profile on plenty of other websites.

    For those of you who've failed any of those three tests already, well, it's likely to be a long, uphill battle if you want to regain your privacy.

    1. Re:"Contained" by Anonymous Coward · · Score: 1, Insightful

      I did this once three years ago, half for fun and half for work. A buddy was chatting with me in my cube, talking about an article in the pages of an old 2600 magazine featuring our company (which is never a good thing!). So he showed it to me and noted the guy authored his article with a Yahoo! email address. He said "I've been trying to think of how to track this guy down." I said "that should be easy" and turned to Firefox.

      I Googled for the email address, found nothing, checked a few other search engines (including Yahoo) that turned up nothing, and then thought to search Google Groups. I found half a dozen hits, one of which had an AKA to a variant of the email address as an IM name. Googling for the new IM name led to over a hundred hits, and one had a link to someone's page on a big social networking site. The "friends" list on that page had a link to another social page with a nickname composed of another variant of the email address. This site was pay dirt! On that page the guy had listed yet another email address for his college, which looked like it was based on his real name. I also found his city and date of birth. A quick trip through Dex later, and I had it narrowed down to 19 people who matched the partial details of the name. Reading the article had already led me to guess that he might be an employee, so I looked at the employee list for that city's location. There was one exact match for that partial name. Bingo! And the whole thing took less than 30 minutes, including chasing the dead ends.

      My buddy just stood there the whole time, slackjawed. He had no idea that it was so easy to track people down, or that people would give away that much information. I went back through my browser history, got pages and screen prints of what I found and emailed it to him. He then forwarded it to our security team, where it must have disappeared into a black hole. (Although I did hear a rumor later that they had been trying to find the guy ever since the article was published.)

      A few months later I got to wondering what ever happened to my little friend, so I returned to his social site. Apparently he had been visited by the ghosts of Secret Service present, had tea and crumpets with them, and was given a matching pink slip to go with his lecture on the joys of a stay in Federal Pound-Me-In-The-Ass prison. (I felt bad about that; I have no idea why the company dragged in the Federal government just to fire the idiot.)

      But I still don't feel bad about my decision to turn my findings over to security. If an employee finds a security hole in his own company, he should have the decency to report it to the company to get it fixed. With his hack he'd already proven he had the technical skills to work in the IS area, so he could have turned this into a promotion (I was considering asking him to come in for an interview.) Instead, he published the info to a big group of outsiders who were likely to explore the hole, if not find a way to exploit it. I decided I couldn't trust someone like that, so I never contacted him personally.

      There are two morals to this story. The first, obviously, is don't bite the hand that feeds you. The second is more of a lesson than a moral: if you're going to use a throw-away identity for possibly illicit purposes, be sure to actually THROW IT AWAY.

  7. LOL @ CEH! by ninja_assault_kitten · · Score: 2, Insightful

    I love how they make him seem qualified because he's a "CERTIFIED ETHICAL HACKER". This is equivalent to A+ Certification in the generic IT space.

  8. How does one judge "ethical"?-Humanism. by Anonymous Coward · · Score: 1, Insightful

    "Right and wrong are always blurred and I can't see how "ethical" can really be defined."

    Which explains the messes the world gets into. Too many people "defining" ethics, and not enough living them.*

    *Here's a way to think about morality and ethics. They're more what you do when no one is looking, than when they are [1]

    [1] Example: For all of you engaging in illegal copyright infringement (of ALL kinds). Would you do it with the content creator looking over your shoulder? Or wait till they left the room?

  9. certified ethical hacker by falconwolf · · Score: 2, Insightful

    Apparently, 'certified ethical hacker' is an actual cert one can get. But I don't think I would want the term 'hacker' to appear anywhere on my resume. Unless I was trying to get a job with some black hat pseudo legal firm...that'd be sweet.

    I've never heard of any certification for ethical hackers before reading this article. What organization issues the cert? Once upon a tyme I read about the Model Railroad Club at MIT, the WOZ, and others and I wanted to be a hacker like them. Alas, back then the adjective "ethical" wasn't needed, but reporters and the mass media have bastardized the word. When I read where a reporter goes on about how hackers are bad I want to ask "so why are you a hacker?" Many people may not recall or know it but "hackers" is what reporters were once called. Though I'm not sure, I think they are referred to as hackers in "Citizen Kane", made in 1941.

    Falcon

  10. Re:Hiding your credit report by Eivind · · Score: 4, Insightful

    That's pretty close to how it works in Norway for marketing of any sort addressed directly to you. There is a single government-maintained list where you can opt to not receive direct marketing.

    Companies that do direct marketing send their lists in, and get them back without those persons who have opted out. They learn nothing new about you in the process, other than the fact that you've opted out.

    For electronic marketing (email, SMS, fax) it's opt-in rather than opt-out. In other words, they cannot legally do it unless you've given prior, informed consent to that. The logic is that in this type of marketing, the recipient typically pays a large part of the cost. Marketers are less likely to abuse, say, paper-based marketing, as that actually costs them to print and distribute. (Compare the quality of the marketing in the average paper-based marketing and the average spam you receive to see what I mean.)

    For unaddressed "distributed to all" marketing there's a small sticker you can put on your mailbox, and you won't get any.

    In short, you can eliminate receiving any marketing by following 3 simple steps:

    • Register yourself to opt out of direct marketing (one phone call or one visit to the opt-out list).
    • Do not agree to receive direct marketing when companies ask.
    • Get a small sticker and put it on your mailbox.

  11. Re:How does one judge "ethical"? by rohan972 · · Score: 2, Insightful

    Something like: has a knowable standard of behavior and lives by it.

    It's about predictability. I have friends with a different standard of ethics than I do, but that's ok, if I know what it is, I can know what to trust them with.

    Not a conclusive definition, but that's a fair part of how I assess ethics.

  12. Re:Get your CEH credential now! by Drathus · · Score: 3, Insightful

    Apparently, 'certified ethical hacker' is an actual cert one can get. But I don't think I would want the term 'hacker' to appear anywhere on my resume.

    I've actually taken a CEH prep course, but that was because my boss had been pressuring me to take a class, and it was a paid week away from work. The information it covers is very basic; the vast majority of it is based on the "tools" used. They spend a bit of time covering how you're supposed to operate as a CEH, but there's so much material that even with five full-day classes we were rushed when moving through it all.