GetSafenSecure.com - Password Protect Your Files & Folders

Computerword is reporting:

Security researchers at a company called NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide.

The Kneber botnet, named for the username linking the affected machines worldwide, has been used to gather login credentials to online financial systems, social networking sites and e-mail systems for the past 18 months, according to NetWitness.

A 75GB cache of stolen data discovered by NetWitness included 68,000 corporate login credentials, login data for user accounts at Facebook, Yahoo and Hotmail, 2,000 SSL certificate files and a large amount of highly detailed "dossier-level" identity information. In addition, systems compromised by the botnet also give attackers remote access inside the compromised network, the company said.

"Disturbingly, the data was only a one-month snapshot of data from a campaign that has been in operation for more than a year," NetWitness said in a statement announcing the discovery of the botnet late yesterday

My reading of this is that these breaches are much bigger and worse than they've even discovered so far. And this is the new normal we can expect for some time. Huge amounts of attacks and breaches going after corporate and government secrets originating from criminal gangs or governments.

More from the Wall Street Journal.

File this one under "About Time!" The IRS is going to test a program that will let filers on a few limited informational returns truncate their SSN.

The IRS has released Notice 2009-93, announcing a pilot program allowing filers of information returns to truncate an individual payee’s identifying number on paper statements for calendar years 2009 and 2010. An individual identifying number is a social security number, individual taxpayer identification number or adoption taxpayer identification number. The provision applies only to information returns in the 1098, 1099, and 5498 series. It does not apply to employer identification numbers (EINs) in the format xx-xxxxxxx. The notice also requests public comments by May 1, 2010.

Under this optional program, payers may replace the first five digits of identifying numbers with asterisks or the letter x. For example, a social security number could appear as xxx-xx-1234. This will enable better protection of personal identifying information for the recipients.

To see the requirements for participating in this pilot program, see Notice 2009-93. The notice also contains instructions on making public comments.

Of course, all this won't solve the problem that full SSNs are often a deterministic number, within a range, if one knows the last four digits.

There is a huge loophole for criminals that want to take over your credit card account. They can get your account number and change your home address and phone number; redirecting all future statements and calls from customer service. Any calls alerting you to fraudulent transactions will go to the crook, not you! It costs them nothing, even the dumbest crook can do it, and it allows them to do it even if you put a PIN/password on your account. They never have to go online or call the credit card company. It's so simple you're going to laugh. It's also very effective.

The thief just needs to reach into your mailbox (if you have a "rural mailbox" that is standalone) and grab one statement. Now they have your name, address and account number. The real trick comes next: they turn your statement over, fill in the change of address form on the back and mail it in! There is NO authentication by the credit card compainies for this change of address and telephone. Any idiot can do it and it has zero security. If the thief tried to call to change your address, they'd have to enter your SSN, possibly mother's maiden name, and a PIN/password (if you have one and you should). That's too many hoops for the typical thief to jump through. But using the change of address form on your paper statement is as easy as it gets. I don't know of a single credit card company that notifies you when you change your address using that form (if you do, please let us know in the comments). Frankly, it should be a best practice to notify the cardholder before changing the addres, or at least sending a postcard to the OLD address after changing it.

So, the takeaway is this: go to paperless statements (or get a locking mailbox). I know many of you use the paper statement to remind you to pay your bills. I empathize with that need. But nearly every card issuer has an online service that will 1) send you an email notifying you that your statement is available, and 2) notify you several days before the payment is due (if you haven't paid yet).

I know this first hand because it has happened to me and it is no fun trying to unwind the mess.

Truston was profiled, for the second year in a row, in the Javelin Strategy & Research research report on identity theft service providers, entitled "2009 Consumer Identity Protection Services Scorecard". The report has an analysis of the top identity theft protection services and is based in Javelin's well-respected consumer ID theft survey.

Other companies featured include Equifax, Experian, TransUnion, Affinion, and Identity Guard (Intersections, Inc.)

Read more in the press release.

On May 22, 2009 the President signed the Credit Card Accountability, Responsibility, and Disclosure (CARD) Act of 2009. This law was designed to substantially increase protections for consumers, while many on the card issuer and bank side have said it will lead to higher fees and lower rewards. Many of the most disliked credit card policies were abolished with this law. One of the biggest is the ban on rate increases for universal default.

Here is a summary:

• No more retroactive rate increases on existing balances for "any time, any reason" or "universal default" (rate increases when you miss a payment on another, different credit card)
• Severely restricts retroactive rate increases due to late payment.
• Contract terms must be clearly spelled out and stable for the entirety of the first year.  Promotional rates must be clearly disclosed and last at least 6 months.
• Consumers get at least 21 calendar days from time of mailing to pay their monthly bill.
• Prohibits late fee traps such as weekend deadlines, due dates that change each month, and deadlines that fall in the middle of the day (now it's always 5pm on due date).
• Credit card companies required to apply excess payments to the highest interest balance first
• Ends the confusing and unfair practice by which issuers use the balance in a previous month to calculate interest charges on the current month, so called "double-cycle" billing.
• Card issuers must obtain a consumer’s permission to process transactions that would place the account over the limit.
• Fees on subprime, low-limit credit cards will be substantially restricted.
• Requires disclosure on fees for gift and stored value cards
• Restricts inactivity fees unless a gift card has been inactive for at least 12 months.
• Gift cards cannot expire in less than 5 years.
• Creditors will give consumers clear disclosures of account terms before consumers open an account, and clear statements of the activity on consumers’ accounts afterwards.
• Card issuers must display on periodic statements how long it would take to pay off the existing balance and the total interest cost if the consumer paid only the minimum due.
• Card issuers must display payment amount and total interest cost to pay off the existing balance in 36 months.
• Card issuers must make contracts available on the Internet.
• Higher penalties if card issuers violate the law.

I haven't read the entire law. There are a couple interesting things tacked on. One has to do with the right for licensed gun owners to carry a gun in a national park. The other is Section 603 which appears to allow the FDIC and NCUA to borrow more funds, from $30 billion to $100 billion; not sure what that's about but I assume it has to do with allowing them to save more failing financial institutions.

Read up on the bill (S.414 and H.R. 627) at the Library of Congress.

Affinion Security Center recently announced the results of a nationwide survey on the impact if identity theft.

The fascinating results centered around the disparity of the impact of identity theft on the sexes. Women are 26% more likely to experience identity theft than men. Women are also more harder hit when they fall victim. And, no surprise, women are more concerned about identity theft.

Read the press release for more.