Re: Identity Theft - Protection?

One thing I like to do for extra security is use KeepassX to generate and store all my passwords. KeepassX makes an impossible to crack password and all you have to do to access that password database is have one single password. Keep the file backed up in case of a computer disaster and you're good to go.

I also use a firewall on my Kubuntu computer since I have a lot of sensitive information stored on it. The router has a good firewall, but I just like to have more. If you decide to turn on your firewall, make sure you configure it properly so you can still use certain programs such as Samba, which your firewall will block if no policy is in place.

Also, when you have files that have sensitive info, make sure only you can access the info by changing privileges within the file properties. Allow access to no one but yourself.

That's about all I have.

Re: Identity Theft - Protection?

Bummer! I think we all live at some level of dread that this could happen. I've been lucky, so far. I do buy almost everything except food via the Internet and using either a credit card or Paypal, so I do these things to try to cut down the exposure to risk:

- wireless router has its firewall enabled, WPA2 encryption turned on, and unneeded services disabled

- On a new OS or browser installation, don't use it for a purchase until you have checked the system against Shields Up

- use respectable alpha-numeric passwords for all online and ATM accounts

- when a credit card is approaching its expiration date, let it die and open a new one with a new account

- don't hold more credit card accounts than you really need (I've been fine for years with only two)

- use your first initial and surname on checks, don't include your phone number

Be judicious about handing your credit card to a waiter/waitress at the restaurant, if they are not prepared to swipe it right in front of you. If you can carry it directly to the cashier and avoid having it go down the hall out of your sight, it's worth the effort.

That's all I can think of -- I'm sure there are more things you can do.

Re: Identity Theft - Protection?

If one routinely makes purchases 'on-line', you might consider getting a pre-paid credit card - one which you can 'fund' at a preset level, and that can be 'added to' as needed - or using a Virtual Credit Card for on-line shopping.

One might/should also consider changing on a regular/frequent basis, ones passwords/pass phrases on each of their accounts - banking, credit cards, on-line web sites, etc. - and ensuring that such passwords/pass phrases are 'strong' -- not easy to guess at.

If any business you have accounts with that have on-line access, and don't permit for long passwords, contact them and complain that they are not providing their customers with adequate protection from potential identity thieves.

For on-line accounts that do allow for long passwords, consider using extremely strong passwords that are safe, that are generated 'just for you' at Perfect Passwords - GRC's Ultra High Security Password Generator - by Gibson Research Corporation.

Re: Identity Theft - Protection?

Getting new credit card account numbers is of course the minimum you should do; I've even known some people to get new social security numbers. I'd advise against closing existing and opening new cards, though: one element of the somewhat mysterious credit score has to do with how long your accounts have been open. Closing accounts can actually lower your score.

It's more likely that a company you've done business with experienced a breach, rather than an attacker having accessed your own computer. And, unfortunately, you have little in the way of remedies. To see just how much of a problem this is, take a look at the Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse. They've been tracking exfiltrations since January 2005; as of today, 542,214,290 records have been breached. The Ponemon Institute, a security research firm, analyzes the cost to recover from a data breach to be $214 per record. Multiply those two numbers together and the result is truly staggering: $116,033,858,060 has been spent recovering from what are mostly simple errors in policy or process.

Let me continue for a moment. Look at that number again: $116,033,858,060. That's a lot of money. Here's something I use frequently in presentations to help this sink in: examples of societal opportunity costs. What else could we have done with that massive sum? Try these on:

• 892,568,139 barrels of oil (at $130/bbl)
• 2,976,448 four-year degrees ($9,746 annual tuition, University of Washington, 2011)
• 187,484 HIV-er lives saved ($618,900 lifetime cost, Nov 2006 Medical Care journal)
• 12,380,907 families fed ($781/mo, 2 adults and 2 children, USDA 2008)

Anywayz... I'm a big fan of one-time-use credit card numbers. These virtually eliminate the utility of credit cards to attackers. I'm converting to using only these for on-line orders.

{begin-mini-rant}

I'm not much of a fan of Steve Gibson. His ShieldsUP! site is a testament to "security theater." First it begins by ominously warning you of your computer's reverse DNS name. Properly-designed DNS is supposed to create in-addr.arpa (reverse) names; it's becoming mandatory as a fundamental tool for thwarting spam. (If you don't see this page when you visit ShieldsUP!, it's because your ISP has misconfigured their DNS.) Besides, attack tools use IP addresses, not in-addr.arpa DNS names. The existence of these is no threat whatsoever.

It gets worse. Once I hit the button to acknowledge that I'm sufficiently frightened of my computer's in-addr.arpa name, this error message pops up:

His own web page can't properly POST a reply over SSL! This certainly doesn't inspire confidence.

Next, I'm told that Windows networking technology in my PC might be leaking data at this very moment!



Notice the extra touches of nice, scareifying bold text! Obviously, although one of his later tests examines your browser headers, he can't detect that, um, I'm not running Windows on this machine. Sigh.

What lurks behind the file sharing test? Well, while opening NetBIOS (TCP port 139) to the Internet is indeed dangerous, Windows has not done this since before XP Service Pack 2. And again we see misleading messages: NetBIOS is not a "hidden Internet server."



Gibson is enamored of his "stealth" mode checks. In reality, there is no such thing. If your computer opens a connection to a destination socket (that is, the tuple IP_addressort), you will receive one of three responses:

• connection allowed
• connection refused
• no response

The first is how servers behave. They listen for incoming requests and reply appropriately. The second is the standard reply to an unauthorized request. The third simply means that nothing listening on the destination socket. There is no notion in TCP/IP of "stealth," and Gibson offers the world no favors by perpetuating this terminology.

Generally I'm not one to raise a lot of criticism in public forums. However, Gibson has largely lost credibility in the security community. He was a fabulous programmer back in the days of DOS, and contributed some valuable code -- not to mention his wonderful InfoWorld articles back in the late 1990s. When he became completely unhinged over how raw sockets in Windows XP would spell the demise of the Internet as we know it, he began his unfortunate slide into irrelevancy. Hawking Vitamin D? C'mon.

Re: Identity Theft - Protection?

Glad to see your take on the Gibson site, SteveRiley. I have also noticed the things you mentioned and quit using the site long ago. I'm no expert at all on these issues; good to see your knowledgeable review/analysis of it.

Re: Identity Theft - Protection?

Thank you to everyone for their suggestions; in fact I had already implemented many of the ideas! I just wanted to know if I had forgotten anything obvious.

Shields-Up gave me the highest rating (but like SteveRiley I was not impressed because it thought I was on a Windoze machine!)

My Kubuntu box is connected via Ethernet (like my internet TV and my partner's Kubuntu laptop). Other items (e.g. mobile phone, Asus Transformer, Kindle are connected via WPA/WPA2 PSK encryption, and in any case do not contain any financial data.

My router has a firewall set up.

I don't think my identity was stole from my box (the bank are sure it was hacked somewhere else); but, specifically, is it possible to get a fraudster's key-logger installed on Kubuntu? How could you find out. I re-formatted the drive and re-installed a fresh Kubuntu system anyway. Was that enough?

Re: Identity Theft - Protection?

That's a great rant, Steve -- although it was obvious (re: "Windows warnings") that Gibson's site was not exactly omniscient, I didn't know some of that information. Thanks!

(now going to review my router settings, again ...)