croton blog for croton-on-hudson new york


The Uses of Anonymity, Part Two: Hazards of the Internet

August 24, 2007

Let’s face it! For the average unsuspecting user, the Internet can be as perilous as a back alley in Baghdad. Creators of the Internet never anticipated it would become a place where danger lurks. In the beginning, it was the province of collegial users in academia and the Department of Defense. In the mid-1990s, however, following the invention of the World Wide Web, the Internet was thrown open to consumers around the globe. They embraced it excitedly, first as a fad, then as a convenience. It is now virtually a necessity.

The Internet has revolutionized advertising, the delivery of news, and personal messaging and communications, supplanting direct mail and letter writing. We use it to do our information gathering and our buying of everything from groceries to antiques. It is on the brink of changing how we pay our bills and how we do our banking—once a foolproof method of protecting it from cheats and scammers is developed.

But, like everything else of value in this world, the Internet quickly attracted the attention of clever criminals. Yes, we said criminals. Before long, the trusting and gullible who innocently flocked to the Internet like sheep waiting to be sheared found themselves shorn of everything ranging from their names and identities to the entire contents of their bank accounts.

The Internet’s Hidden Hazards
The Internet today is a libertarian’s dream—and an unsuspecting user’s nightmare. Anything goes, and because of the ability of computer software technology to morph quickly to match countermeasures, there is little that can be done about it. Most computer users are living in a fool’s paradise, unaware that their formerly friendly computerized world has been usurped by a criminal conspiracy.

Viruses can now take control of home computers to circulate vast numbers of e-mails and swindle unsuspecting recipients. Because the e-mails were sent unwittingly by persons unaware that their machines had been infected, it is almost impossible to trace their originators, many of whom are in Eastern Europe, Ukraine and Russia, virtually beyond the reach of international law enforcement.

Internet criminals inhabit a shadowy cyberspace underworld—a tight milieu of linked criminal sites and networks. Here they deal in data-mining software that can detect card numbers, and scanners that can pluck credit card or debit card numbers and PIN numbers from vulnerable ATMs. On these sites they trade stolen credit card and bank account numbers. Here they buy and sell the tools with which to forge credit cards and create viruses and other malicious software (called “malware”) with which to infect computers.

To these thieves, each “live” name and credit card number can be worth from $14 to $18—but that only makes up a small part of the income from illicit computer enterprise. Last year, identity theft alone defrauded consumers and businesses out of more than $49 billion. Computer users are still being victimized in scams utilizing spurious “phishing” e-mails seeking information about their bank accounts or credit cards, often under the impression that they are responding to a legitimate inquiry. Despite better consumer education about computer crime, the chances of a person becoming a victim today are still about one in four.

A crude but nonetheless credible parallel would be to compare use of the Internet with personal sexual activity. Thus, if you abstain from sex and remain “chaste” (i.e., use your computer only as a word processor to type traditional letters or a book manuscript), you will have nothing to worry about from computer infections. But venture on the Internet, today the technological equivalent of promiscuous behavior, and you risk acquiring a number of unanticipated complaints that will bring dire consequences with them.

Spam—Not User Friendly
Spam, the Internet equivalent of junk mail, has become objectionable, not only because of its volume, its annoying advertising and its often pornographic content but because it may carry unwanted viruses and spyware. Your Internet service provider will attempt to intercept and filter out spam, but its efforts may or may not be effective. Add-on programs are available, some at no cost. Clever thieves often outwit filters by disguising telltale words in their messages that reveal them as spam or by creating websites that incorporate names of legitimate companies. Banks, credit card companies and even the F.B.I. have found their names being used in this way. If in doubt, telephone the company or agency in question.

The first recorded use of spam was in 1978, when the now defunct Digital Equipment Corporation hit on the idea of using the network of government and academic computers called Arpanet (Advanced Research Project Network) to send e-mail messages about their new DECSystem-20 family of computer systems. Remarkably, from a limited mailing over what was then the first operational packet switching network and ancestor of the global Internet, the company sold twenty systems at a million dollars apiece.

With this, computer spam was born—named after the original tinned meat product first produced by the Hormel Corporation during the Second World War. Spam’s recent growth has been astronomical. In 2001, it accounted for only five percent of the traffic on the Internet. By 2004, that figure had grown to more than seventy percent. Today, it has risen above an astonishing ninety percent. This translates into more than a hundred billion unsolicited messages clogging the system every day, many of them sent with criminal intent.

If you receive unwanted spam, there are two actions you should not take: One is to order any product or service being offered. The other is to try to remove your name from the sender’s list by clicking on a link provided for that purpose or by communicating directly with the sender. Doing so merely confirms for the sender that you are a hot prospect and that yours is a viable e-mail address, making your address salable to other spammers. If your computer is not swamped with spam already, it will soon be deluged with a daily barrage impossible to control.

According to an online site that monitors brand abuse, people spend an estimated $4 billion a year on pharmaceuticals offered on spam e-mails. Many of the drugs turn out to be counterfeit, stolen or beyond their expiration date. “If it’s in your e-mail in-box, it’s probably not from a legitimate company,” says Jon Praed of the Internet Law Group. Praed also thinks an estimated $4 billion in spending for online pharmaceuticals is on the low side.

Viruses and Spyware
Infections of computers with viruses and spyware are now common and on the increase. Well-intentioned friends or relatives may unwittingly send or forward virus-infected messages to you. As with spam, antivirus programs are also available with varying degrees of effectiveness, including some that are free should your budget be tight. Other programs, bundled as “suites,” are also available to combat unwanted spam and advertising in addition to viruses. These may offer the money-saving advantage of being installable on up to as many as three computers in the same household at no extra charge.

A virus is a tiny software program that exploits inherent weaknesses in networks or computer operating systems like Windows, and burrows into a computer’s hard drive. To avoid having your computer become infected with a virus, the best advice is not to open any e-mail message that has not been screened first by your antivirus program and shown to be virus-free.

Among the newer hazards facing computer users on the Internet are so-called “botnets,” which have been responsible for the tenfold increase in spam over the past three years. As many as 14 percent of U.S. computers may be infected with “bots.” The word is compounded from the “bot” of robot and “net” of networks. Simply stated, a botnet will literally hijack your computer without your knowledge by depositing malware on it and make it part of a rogue network of hijacked PCs (called zombies or slaves). Your computer then becomes another component in a computer network behind which criminals can lurk and from which they can send spam or infect other computers. Because these e-mails originate in the computers of persons unaware their computers are infected, the criminals are almost impossible to trace.

As much as 80 percent of the spam now being sent on the Internet originates from zombie computers without the knowledge of their owners. Such messages routinely carry viruses designed to avoid traditional filters. Once a virus enters your computer, it will search for your address book and send copies of itself to every e-mail address it finds listed in it.

The F.B.I. has identified more than a million computers in the U.S. that it found had become botnet captives, and has been notifying their owners. Rootkits are another kind of malware distributed by spammers and used to hide other malware on your computer, which may actually alter your operating system and conceal what it is doing. Other malware may take advantage of weaknesses in applications such as iTunes, QuickTime, Flash and WinZip. Spyware and its handmaiden software, called adware, can do more than record the sites you visit. In the ultimate example of an intrusive penetration, some sophisticated software can actually record each keystroke you make. Other malware types can cause annoying pop-up ads to appear on your computer screen.

Attempts to control the avalanche of spam have been singularly unsuccessful. In 2003, Congress enacted the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act that requires persons who send advertising matter by e-mail to offer recipients the opportunity to decline future messages. A year after the legislation was passed only seven percent of spam conformed to the requirements of the law. Last year that number was less than one percent. It turned out to be toothless legislation. For all practical purposes, no one is paying heed to this law intended to reduce the amount of unwanted spam.

As if the foregoing hazards were not enough, there’s one more chink in computer users’ armor. If, instead of a wired system linking your computer to your Internet service provider, you use a wireless router, your system will offer still another entry point for surreptitious access by an unfriendly computer. To prevent this from happening, modifications to router software can be made by any person knowledgeable about computers or by a competent computer professional. In the meantime, turning off your computer when not in use can lessen the chance that malware from a remote computer can be placed on your wireless system.

Identity Theft
A frequent question is, “Should I identify myself by using my own name on the Internet?” The answer is an emphatic no. There’s a famous quotation to the effect that “Who steals my purse steals trash, but he that filches from me my good name robs me of that which not enriches him and makes me poor indeed.” The sentiment, of course, is from Shakespeare. Alas, it is no longer entirely accurate. Today’s technology has made stealing the good name of another easy and highly profitable. And, as many are discovering to their sorrow, identity theft enriches the thieves that lurk on the Internet while still making victims poor indeed.

In today’s perilous Internet world, no merit or honor accrues to those who reveal their identities. Your name should only be disclosed to someone who has a legitimate reason for needing to know it. The previous article in this three-part series enumerated a surprisingly long list of instances from everyday life in which anonymity plays a role. Again using the analogy of personal sexual behavior, one risk of being promiscuous is that you might acquire a reputation around town. The chief danger in freely revealing your name on the Internet is that it is the first step in the theft of something even more valuable than your reputation—your very identity.

This is the principal reason why the use of a screen name, nickname or moniker has become a common practice on the Internet. Billyjo, 23skidoo or erehwon mean nothing to a would-be thief. But give that same thief your true name by displaying it unnecessarily on the Internet, and you have given a thief something tangible that can be compared with the extensive lists of purloined personal data already in the hands of Internet thieves. Without your knowledge your shearing will have begun.

The Risks in Social Networking
Parents whose children have access to the computer in a single-computer household on which personal data and financial records are stored would be wise to provide a separate computer for children’s use so that such records are not at risk. Moreover, whenever a child has access to a computer, it is important to remember that millions of minors now link to popular social networks like MySpace and Facebook, where they post intimate information and describe their personal interests, hobbies and inner thoughts. Parents would be well advised to have a frank discussion with their children about the need to safeguard personal information and the special danger posed by online sexual predators.

Parents who watch a new MSNBC show, a sting operation titled, “To Catch a Predator,” may already be familiar with the techniques of criminals who prey on the young. Predominantly male, they range in age from 18 to 60, and come from all walks of life. Most are surprisingly respectable. The pattern is always the same: On one of the several social networks targeted at children they engage young people in conversation. The person at the other end of the line is often a male or female police officer impersonating a 13-year-old.

As the online chatting continues, the predator invariably steers the conversation to sex. Before long he will be including sexually explicit photos of himself. The next stage is the suggestion of a rendezvous, with assurances to the young “victim” that the predator will bring condoms with him to the chosen location (usually a public park or a residence rented by the TV show and equipped with surveillance cameras). Once they are arrested, perpetrators become meek and submissive, assuring officers that they never intended to “do anything,” that this was their first misstep.

In many cases, this statement is a lie. There are about 600,000 registered sex offenders in the United States. No one knows just how many others have yet to come to the attention of authorities. More than 80 million people have registered a MySpace page, which Rupert Murdoch’s News Corporation bought for $580 million last year. Earlier this year, MySpace, now the largest social networking site, revealed that more than 29,000 convicted sex offenders in the United States had created personal profiles on it.

Attorneys general in several states immediately demanded the names of those living in their states. “The exploding epidemic of sex offender profiles on MySpace—29,000 and counting—screams for action,” said Connecticut’s attorney general, Richard Blumenthal. According to North Carolina’s attorney general, Roy Cooper, MySpace handed over more than 7,000 names in his state and closed their accounts, effectively denying them access to the site. MySpace said it was pleased it had identified and removed the profiles of the offenders, while critics called for new laws to make such sites safer for children.

In North Carolina, Attorney General Cooper demanded a state law that would require children to obtain parental permission before creating profiles on sites such as MySpace, and require the site to check parents’ identity. Such a law would mean “fewer children at risk,” Mr. Cooper added, “because there will be fewer children on those web sites.” Under current rules, users must be over the age of 14 to register with MySpace, but there is no way in which the age of registrants can be verified.

“Protect yourself at all times”
These are the words of advice referees give boxers before the start of every boxing match. Keeping your guard up is equally good advice for every computer user on the Internet. Here are some of the precautions you can take:

  • Activate all security devices available on your computer’s operating system, such as a firewall and spam blocker.

  • Purchase software to protect your computer against spam, viruses and spyware. In the last six months some 850,000 computer users replaced their computers because of spyware infections. Be careful about using public computers in hotels, airports and libraries for personal business. Exercise caution about inserting in your computer any disks you may be sent, even those from friends or relatives.

  • Exercise care in what you download from the Internet to your computer. If you have been deluged with spam, get a new Internet address and change your password. Abandon your old address—but be sure to notify those from whom you wish to continue receiving e-mail. Your old address will not disappear, so you’ll have to visit it occasionally for important messages you may have received in the meantime.

  • Avoid using your name or giving out any personal information about yourself—passwords, user names, bank PIN numbers, Social Security number, date of birth, and credit- or debit-card numbers—except when absolutely necessary and then only to protected sites you know you can trust. Every scrap of personal data you divulge makes you more likely to become a victim.

Lest readers think Crotonblog has exaggerated the hazards of the Internet, consider the latest scam being circulated. Called the 419 death threat spam, an e-mail message purportedly from a so-called “hit man” says he has been hired to assassinate the recipient. A typical message text reads, “I have been hired to kill you. I don’t know why they want you dead, but you are now being watched. Do not report this to the police or you will be killed immediately.” It goes on to suggest that the hitman can be bought off, and describes the mechanism to accomplish this. Authorities do not know how many gullible Internet users have been frightened enough to respond to such loathsome threats by furnishing credit card numbers or sending money. No wonder a Luddite movement dedicated to the abolition of computers has begun.

Finally, Crotonblog has said it before, and we’ll say it again: It is the height of irresponsibility for any Internet site not engaged in a legitimate Internet commercial transaction to require users to identify themselves with their true names in order to communicate with the site or to make a comment about other posted material. As we said at the outset, for the average unsuspecting user the Internet can be as perilous as a back alley in Baghdad. Enter it at your own risk—but you are being foolhardy if you do so wearing your name prominently displayed like some glad-handing greeter at a convention.

Editor’s note: Next week in Part Three we explore specific examples of the dangers awaiting those who choose to abandon the cloak of anonymity.

On August 31, 2007 11:31 AM, TeaDrinker said:

Wow, perfect timing on this piece Crotonblog… I was alarmed to learn that Monster.com had its customer information stolen—as I am a registered user…

Just another example of how careful we need to be online.

Watch me now Monster.com as I close my account—never to use your services again. Thanks a lot!

From the Washington Post: “Monster.com took 5 days to disclose data theft”

Official response from Monster.com

Dear Valued Monster Customer,

Protecting the job seekers who use our website is a top priority, and we value the trust you place in Monster. Regrettably, opportunistic criminals are increasingly using the Internet for illegitimate purposes. As is the case with many companies that maintain large databases of information, Monster is from time to time subject to attempts to illegally extract information from its database.

As you may be aware, the Monster resume database was recently the target of malicious activity that involved the illegal downloading of information such as names, addresses, phone numbers, and email addresses for some of our job seekers with resumes posted on Monster sites. Monster responded to this specific incident by conducting a comprehensive review of internal processes and procedures, notified those job seekers that their contact records had been downloaded illegally, and shut down a rogue server that was hosting these records.

The Company has determined that this incident is not the first time Monster’s database has been the target of criminal activity. Due to the significant amount of uncertainty in determining which individual job seekers may have been impacted, Monster felt that it was in your best interest to take the precautionary steps of reaching out to you and all Monster job seekers regarding this issue. Monster believes illegally downloaded contact information may be used to lure job seekers into opening a “phishing” email that attempts to acquire financial information or lure job seekers into fraudulent financial transactions. This has been the case in similar attacks on other websites.

We want to inform you about preventive measures you can take to protect yourself from online fraud. While no company can completely prevent unauthorized access to data, we believe that by reaching out to job seekers like you, the Company can help users better defend themselves against those who have attacked Monster as well as other databases.

We are committed to maintaining an ongoing dialogue with all of our job seekers about Internet security and the steps Monster is taking to protect its job seekers. The Company has placed a security alert on Monster sites offering information to educate you about online fraud. This information can be found at http://help.monster.com/besafe/. We have also included information on Internet safety and examples of fraudulent “phishing” emails at the bottom of this letter.

Monster has launched a series of initiatives to enhance and to protect the information you have entrusted to us. Some of these steps are being immediately implemented, while others will be put into place as appropriate.

We believe these actions are the responsible steps to protect the trust you place in Monster. We are also working with Monster’s hundreds of thousands of employer customers to ensure a safe and effective online job search. We will continue to share information with you about the enhancements we are making as we serve as your online career resource partner. We invite you to keep reading to learn more about how to use the Internet safely.

Sincerely,

Sal Iannuzzi
Chairman and CEO
Monster Worldwide

HOW TO BE A SAFE INTERNET USER

Every Internet site in the world is facing the growing issue of fraudulent usage of information, and we want to work with users around the world to stop this practice - please keep reading to learn more about the warning signs and what you can do.

Spam email is such a common occurrence today; you may think you know what to look for. But there are two types of email scams - what’s known as “phishing” and “spoofing” - that can be more difficult to identify. Both practices concern fraudulent email where the ‘from address’ has been forged to make it appear as if it came from somewhere, or someone, other than the actual source. Below are the warning signs to look for:

What’s “phishing” all about – and how do I spot it?

Phishing emails are used to fraudulently obtain personal identification and account information. They can also be used to lure the recipient into downloading malicious software. The message will often suggest there are issues with the recipient’s account that require immediate attention. A link will also be provided to a spoof website where the recipient will be asked to provide personal/account information or download malicious software. Monster will never ask you to download software in order to access your account or use our services.

How is it different than “spoofing”?

Spoof emails often include a fraudulent offer of employment and/or the invitation to serve as a go-between for payment processing or money transfers. This scam is primarily directed at a general audience, but it can also reach Monster members who have included contact information on their resumes. Like with phishing emails, the sender’s address is often disguised.

Consumer Advice: How to Avoid Phishing Scams

The number and sophistication of phishing scams sent out to consumers is continuing to increase dramatically. While online banking and e-commerce is very safe, as a general rule you should be careful about giving out your personal financial information over the Internet. The Anti-Phishing Working Group has compiled a list of recommendations that you can use to avoid becoming a victim of these scams.

  • Be suspicious of any email with requests for personal financial information.
  • Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately.
  • They typically ask for information such as usernames, passwords, credit card numbers, social security numbers, date of birth, etc.
  • Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic.
  • Instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser.
  • You should only communicate information such as credit card numbers or account information via a secure website or the telephone.
  • Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser.

Additional consumer advice is available at http://www.antiphishing.org/consumer_recs.html.

If you have more questions, please visit http://help.monster.com/besafe.

Contact us at http://www.monster.com/contact.

On August 24, 2007 4:08 PM, weewill said:

This is a comprehensive and clear explanation of the hazards lurking on the internet. We always think it can’t happen to us but it can and it does.

I am immediately checking all anti-virus, anti-spam and firewalls available for my computer. The ease and use of so many functions of the internet would be sorely missed by this user. But the protection of personal statistics and information is far more important than any convenience.

Thank you Crotonblog for your valuable public service. I urge everyone to read it through to the end and take whatever steps might be necessary to protect themselves.


