He’s a social engineer.

And no, that doesn’t mean he’s a really savvy developer for Facebook.

Mitnick caused an estimated $300 million in damage through the better part of two decades spent hacking into some very large institutions. How did he do it? He asked. That is, he simply used “social engineering” to trick people into giving him access, kind of like that email that is still circulating on the Internet that convinces you to delete certain files off your computer because they’re a virus (when in fact they’re standard Java files).

He’s a fascinating case study in how to break into the Big Guys using some remarkably simple methods, without abundant, nor sophisticated, technical attacks. This isn’t Stuxnet. This is earning the sympathy of the receptionist who lets you use her computer for “just a moment.”

Mitnick, who is out of prison now and works as a consultant, mentioned in the article that he has a nearly 100% success rate, still today, for his consulting clients, breaking into their systems using good old social engineering.

But the kicker here is that he has a 90% success rate on the SECOND attempt…because his clients typically do not implement the corrections he advised in the first place. This experience mirrors our own experiences at Tri-8, Inc. (makers of MyLaptopGPS), particularly in our longer software automation history. It’s remarkable how many organizations will ask for, and pay for, key technical or business advice, and then essentially ignore it–and fall victim to the very same problems they started with.

Thus, our Tip of the Week is very simple, yet very powerful: if you ask for, and pay for, advice, consider following that advice.

Fool me once, shame on you. Fool me twice…

A key element of the attack is the fact that in many cases a bank or financial institution will ALLOW a red-flagged transaction to proceed, even in the midst of fraud suspicion, if the institution cannot get ahold of the account owner. It may seem odd, but in many cases the default posture is to hold, check, then allow if not denied.

The ring of thieves used a malware program called “Zeus Trojan” to hijack bank account info. They embedded the malware in emails and attachments. Once in possession of the necessary account access, the crooks were ready to strike. But what to do about the alert responses that the institutions would make–the calls to account owners to verify suspicious transactions?

Just ask good old Joe Jones: “You Talk Too Much.” The thieves used automated calling programs to bombard the victims’ telephone lines with bogus calls. While the lines were tied up with this bogus traffic (essentially a telephone DDOS), the financial institutions couldn’t get through to verify transactions. And because of the “proceed if not denied” policy in play in many cases, the transactions succeeded, with funds shuttled off to standard “mule” accomplices who could transfer it overseas.

Read the full article for details. You just never know what creativity these criminals will show.

The Queens Chronicle reports that the information also included administrative decisions, medical evidence, and internal agency documents, along with the names and SSNs.

The administration is offering three years of credit protection to all the victims.

Often the question is “how?”

Yet, as today’s Tip highlights, many businesses just don’t get around to putting any controls in place at all.

security curmudgeon over at DataLossDB gives a handy reference to an article at the Las Vegas Sun, detailing rampant identity theft via stolen credit card numbers. Now we’ve all heard about these for years, but the article is very interesting as it details some of the methods used to swipe (pun intended) the numbers, including skimmers.

But notice the introductory case: when salespeople at a high-end fashion retailer weren’t ringing up customers, they were surfing the web–apparently right on the POS device! This happens all day long across America, and owners/supervisors galore are familiar with the irritation. But in this case an employee, who was, no doubt, checking her Facebook page (or maybe MyLaptopGPS’ new Facebook page?) and tootling around the web, managed to download a virus that included a keylogger.

The rest is history.

Employee behavior is perhaps one of the most dangerous threats a business faces–it’s the gateway to most actual threats. Take it seriously now, or take it seriously later, but rest assured you’ll have to take it seriously whether you’d like to or not.

This weeks’ Rip of the Week concerns two devices stolen from the health department in Detroit. Thanks go to Redemtech for the alert. Freep.com reports that, first, a flash drive containing a trove of data from birth certificates was stolen from the car of an employee. The information was not encrypted. Then, a thief broke into the Herman Kiefer Health Complex and stole an unencrypted desktop computer containing Medicare and Medicaid flu vaccine billing information.

In all, an estimated 10,000 people have been breached, with data including Social Security Numbers and birth dates. They have been offered one year of free credit monitoring, the standard stop-gap.

The drum beat rolls on…

He says, “I call them Dear John data letters, because of the bad news they bring and their decidedly warm and fuzzy tone.”

Indeed!

His article shows the apparent disconnect between consumers, the letters, and the consequences. According to Sullivan, “About one in nine consumers receives a Dear John data letter each year, and nearly half of all consumers have received at least one since the year 2000, when California law forced these kinds of disclosures on corporations and government agencies, according to a new study.”

But, he says:

“That same study shows consumers who receive such a notice are four times more likely to be hit with identity theft than members of the general population.

In fact, U.S. adults who get a Dear John data letter have a one in five chance of being victimized in the next 12 months, according to the survey, conducted by financial services research firm Javelin Research.

The researchers have concluded that consumers don’t take the notices seriously enough.”

It appears that lots of people get these letters (that we knew), few of them take them seriously, and most do not realize that their identities really are likely in jeopardy.

This will need to change, for certain.

Newsday.com reports on the theft of 2,246 Bernie Madoff victims’ PII thanks to an unsecured laptop computer belonging to AlixPartners LLP, the consulting firm that had been processing the victims’ claims. To be clear, then:

1. Victims lose their life savings (thankfully not in all cases) due to one of the most egregious cases of fraud by an individual in history.
2. Victims hope to receive some restitution, even minimally.
3. Firm chosen to assist by processing claims fails to protect PII on its own laptops.
4. Firm experiences the same thing 2.6 million others did last year: laptop theft.
5. Firm claims information was “password protected” (sound familiar?). That is, the data is wide open.
6. Firm delays two months before notifying the victim-victims.

Obviously it’s doubly sad that victims experienced double jeopardy. And it’s made worse by the fact that this story is just like almost every other one, including the response by AlixPartners that “the information was password protected” and “[they] have no reason to believe it has been compromised.”

I must admit that I did a double-take when I read the spokesman’s statement, however:

“The names, addresses, Social Security numbers and some Madoff account information on 2,246 investors was contained in a computer stolen from the car of an employee of AlixPartners Llp, the consulting firm that has been processing victims’ claims in the Ponzi scheme, a company spokesman, Tim Yost, said Tuesday.”

That’s right: his name is Yost. And no, we are not related, by anything more than a common appreciation for laptop theft and its consequences, which one of us learned the hard way.

As a result, “hundreds” of former students and faculty members may be at risk for identity theft, since the machines contained the typical slew of names, addresses, and Social Security Numbers.

No encryption. No tracking (presumably). No remote data deletion. No hope for protection at this point, essentially.

It sounds like this thief made off with a pretty stout take, however–14 units to sell or dig for PII. Our thanks go to Redemtech for the initial alert.

“The information included patient names, treatment dates, short medical treatment summaries and medical record numbers. No home addresses, billing information and Social Security numbers were stored on the laptop.” Or, so says the report.

Here are our standard elements:

1. The laptop was stolen from a parked car.
2. The breaching organization says that the information was “password protected,” insinuating that that constitutes some bona fide protection.
3. The breaching organization claims ID theft is unlikely.

All of these are standard boilerplate for such a breach, but there’s no mention of trackability, remote data deletion, or encryption.

For those affected, OHSU says you’re not at much risk. Hopefully that’s a comfort to you. Hopefully.

The message: Distinguish yourself with our lovely Audi Q5… because you’ll be the only person ever to own it and you’ll never get it confused with another car… not even another Audi Q5.

It might not be a great commercial for a car, but think about it: Slightly tweaked, it would be a great commercial for identity theft.

Because think about it — identity theft affects everyone. With another laptop being stolen every 12 seconds, it’s only a matter of time before you or a loved one or a friend of a loved one will be affected.

Really, you WILL eventually know someone whose laptop gets stolen. And what does that mean for you?

Well, unfortunately that means there is likely a lot of personal data up for grabs. And then, BAM: identity theft.

The point is, protect your laptop. The best-case scenario is you’ll have protected it with MyLaptopGPS, and we can get it back to you in one piece. If you don’t, though, you’re putting yourself at risk for identity theft. You get vaccinated for chicken pox and all those other diseases, you have home owner’s insurance, you pay a car insurance bill every month. In other words, you’ve protected every other aspect of your life. Why not protect your laptop? It’s got some of your most valuable information on it.