Posts belonging to Category 'Uncategorized'
Do two cases make a trend?
Two schools have opted to begin tracking students using GPS devices.
Richmond pre-school in Richmond, California, will begin tracking pre-schoolers with GPS tags installed on basketball jerseys.[1] The jerseys will be worn while the kids are in school and will record each child's whereabouts during the day. Sung Kim of the county's employment and human services department suggested that the system could eventually save 3,000 hours of teachers' labor now spent keeping track of the kids and checking them in and out. The system cost $50,000 and was paid for with federal grant money. 3,000 hours of labor to keep track of pre-schoolers?
In another case outside Chicago, Palos Heights School District 128 already uses GPS to track its buses and is now beginning to put GPS trackers on students' backpacks.[2] Some parents reportedly feel safer knowing the school has GPS tracking on each kid's backpack. The district spent $16,000 on the technology. If a child is missing or unaccounted for, the school can look up the location of the bus and of the student's ID and determine where each is.
Is this legal? Some have suggested that students do not have a reasonable expectation of location privacy while they are in school "custody." Perhaps they don't. But do teachers or school administrators have a right to location privacy while at school? Why not equip teachers with GPS devices along with the kids? Whenever the two are separated by a pre-defined distance, an alarm could go off showing that the kids are not under human supervision. And if schools are equipping students with GPS devices, why not do it in other workplaces? You could track the location of each person in the building and determine how long they spent in the break room, lunchroom, smoking area, or anywhere else.
Using GPS devices to track convicted sex-offenders and other felons makes sense. Tracking product shipments and assets (like buses) makes sense. But GPS tracking of students is a slippery slope.
But how far will this go? Do two make a trend?
[1] http://www.ktvu.com/news/24667895/detail.html
[2] http://www.nbcchicago.com/news/local-beat/GPS-palos-heights-school-district-128-zpass.html
What happens after someone steals your Facebook Profile?
James first became aware of the problem when a few friends called him and asked if he was OK. They had received a crisis email from James saying that he and his wife were stranded in the UK after being mugged. Left without money or credit cards, but luckily with their passports and their health, they needed a quick cash "loan" so they could get a flight back to Los Angeles. But James wasn't the one reading the replies to those emails; someone else was.
Researchers at VeriSign's iDefense group recently reported that up to 1.5 million Facebook profiles had been stolen and were for sale in the criminal underground.[i] The reported price was $25 to $45 per 1,000 profiles. According to the article, Facebook did not respond to VeriSign's requests for comment, so the true figure could be more or less than 1.5 million. Was James' profile among that batch, or did some other thief steal it? We will likely never know how it was originally stolen, but here's what happened afterwards.
The thief who had assumed James' identity asked for a Western Union money transfer and gave a UK street address where "he" would pick up the money. More on that later. How much did they need? 800 British pounds, or about $1,150 US.
How did the thief get this far into the scam?
- The thief somehow obtained James' Facebook user name and password.
- The thief noted the email address registered to James' Facebook account.
- James had used the same password for both Facebook and his email account (a common mistake). The thief tried that password first and logged straight into James' email account.
- The thief changed both the Facebook and the email passwords, locking James out.
- The thief opened a new Yahoo email account with an address very similar to James' original one.
- The thief set James' regular email to forward everything to the Yahoo account.
- The thief then sent the distress email to James' friends, some of whom replied by email with concern. Some friends called James on the phone.
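Two steps in that chain leave traces a recipient's mail filter can look for: a message that arrives "from" a known contact but steers replies to another address (the forwarding step), and a sender whose local part mimics a contact but sits on a different provider (the look-alike Yahoo account). The following is an added example, not code from the original post: a small classifier that flags both, plus the stock "stranded abroad" vocabulary. The contact list, addresses and sample bodies are constructed for the example, and the dot/plus normalization is Gmail's rule applied to every domain for simplicity.

```python
import re
from typing import List, Tuple

# Constructed contact book for this example; the addresses are invented.
KNOWN_CONTACTS = ["james.reader@gmail.com", "alice@example.org"]

# Phrases that recur in "stranded abroad, send money" pleas.
URGENCY_PHRASES = ("stranded", "mugged", "western union", "wire", "urgent", "loan")


def extract_address(header: str) -> str:
    """Return the bare, lower-cased address from 'Name <addr>' or 'addr'."""
    m = re.search(r"<([^>]+)>", header)
    return (m.group(1) if m else header).strip().lower()


def split_address(addr: str) -> Tuple[str, str]:
    """Split 'local@domain' into its two parts."""
    local, _, domain = addr.rpartition("@")
    return local, domain


def normalize_local(local: str) -> str:
    """Drop a '+tag' suffix and dots so 'james.reader+x' and 'jamesreader' compare equal.

    Gmail ignores both; applied to every domain here for simplicity (assumption).
    """
    return local.split("+", 1)[0].replace(".", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the usual row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_contact(addr: str) -> Tuple[str, int]:
    """Return the known contact whose normalized local part is nearest to addr's, with the distance."""
    local = normalize_local(split_address(addr)[0])
    scored = [(edit_distance(local, normalize_local(split_address(c)[0])), c) for c in KNOWN_CONTACTS]
    dist, contact = min(scored)
    return contact, dist


def classify(from_header: str, reply_to_header: str = "", body: str = "", max_dist: int = 2) -> List[str]:
    """Return the reasons an incoming message looks like the scam above (empty list if none)."""
    findings = []
    sender = extract_address(from_header)
    reply_to = extract_address(reply_to_header) if reply_to_header else sender

    # Mail "from" the hijacked account, but replies steered to a different address.
    if sender in KNOWN_CONTACTS and reply_to != sender:
        findings.append(f"reply-to {reply_to} differs from known sender {sender}")

    # A fresh account whose local part mimics a contact on another provider.
    if sender not in KNOWN_CONTACTS:
        contact, dist = closest_contact(sender)
        if dist <= max_dist and split_address(sender)[1] != split_address(contact)[1]:
            findings.append(f"{sender} mimics {contact} (local-part edit distance {dist}, different domain)")

    # The distress story itself: two or more stock phrases in one body.
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if len(hits) >= 2:
        findings.append("urgency phrases: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    samples = [  # constructed messages
        ("James Reader <james.reader@gmail.com>", "james.reader@yahoo.com",
         "We were mugged and are stranded in the UK. Please send a Western Union loan."),
        ("jamesreader@yahoo.com", "", "Did you get my last note?"),
        ("alice@example.org", "", "Lunch on Friday?"),
    ]
    for f, r, b in samples:
        print(f, "->", classify(f, r, b))
```

Treat a hit as a prompt to phone the friend, as James' friends did, rather than as proof: a contact who genuinely changed providers will trip the look-alike rule too, which is why the edit-distance threshold is kept small and combined with the other signals.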
James feels violated. He reported the incident to law enforcement, but because this happens every day, crosses borders, and no money was transferred, it becomes just another statistic, one of possibly millions. It's a numbers game for the bad guys. A bad guy buys 1,000 user names for roughly $50, solicits all the friends in those networks (1,000 users times hundreds of friends each), and is looking for at least one gullible friend to wire $1,150. That's a pretty good return on investment if it works just once.
We offered to help James and here are the steps taken to help him recover:
- James called his email provider and took back control of his email address. It was there that he found the forwarding rule to the Yahoo address. That Yahoo address had been set up as a throwaway account, just for this purpose.
- We contacted Facebook to get his profile back. To our pleasant surprise, Facebook was very responsive (under 5 hours) and instructed us to file a report at http://www.facebook.com/help.php?page=420, after which they would work to restore his profile. Facebook restored his account 3 days later, after verifying James' true identity. (Again, a pleasant surprise in turnaround time.)
- Ensured that from now on James uses a different password for each website and that his passwords contain letters, numbers, and symbols. No recycled passwords allowed.
- Ensured that James checked his bank accounts and credit cards for odd transactions.
- Requested that James validate the "friends" in his network to ensure nobody new came in while the thief had control.
There are two and possibly three victims of this type of scam. The first victim is James. Someone steals his identity and exploits his goodwill and honest reputation among his friends. The second victim group is James' friends. As far as we know, nobody actually sent money, but some were concerned enough to reply by email, where the thief was waiting to respond. The third potential victim is the owner of the money pickup location. This is where the thief or an accomplice will physically go to collect the money if it is transferred, often via Western Union but not exclusively. The owner is a potential victim because he or she might not know the premises are being used by criminals as a pickup spot. We would like to help this group too.
Here's how you can help us help them. If you've received an email from a friend requesting urgent money and instructing you to transfer cash, or if you have been victimized yourself, here's how you can help. We have set up a free reporting site where you can report the physical pickup location named in your email. If a pickup address is listed in your scam email, report it. As the number of reported incidents grows, some physical locations will begin to emerge again and again. If you happen to own or manage one of these locations, you should contact local law enforcement and let them know you are being used by fraudsters as a potential pickup spot. While investigating James' pickup spot in Cardiff, UK, we found two other victims reporting the same address, so we've logged a total of three there to start.
Click here to file a report or view the data: http://sites.google.com/site/report419scam/
Original post was at www.InfoSecIsland.com
[i] “1.5 Million Stolen Facebook IDs up for Sale – PCWorld Business Center,” http://www.pcworld.com/businesscenter/article/194843/15_million_stolen_facebook_ids_up_for_sale.html
The limits of social network privacy
The Lone Ranger was one of my favorite shows growing up. With his trusty sidekick Tonto, he would always appear just in time to foil the bad guys and leave everyone wondering, "Who was that masked man?" Was it really that hard to determine his identity?
Many people today ride into Facebook, MySpace, LinkedIn, and other social network sites with their masks on, expecting privacy and anonymity. But how hard is it to find them?
I was looking for an old colleague of mine who is not on any social sites, so I searched LinkedIn for his friends in the Washington DC area. I figured they could tell me how to find him. While looking at the company listings in the area, I came across a guy who, figuratively speaking, had his mask on. His name was listed as "Private" because he had clicked on some privacy setting in LinkedIn. Wearing a privacy mask in a public room tends to draw more attention to oneself, so out of curiosity I wanted to know who he was. (Out of respect for Jon's privacy I won't disclose him.) It took me about 10 seconds. I will show you how easy it is.
But first, back to the Lone Ranger. We can assume the Lone Ranger lived in the area because he was always foiling bad guys within the same desert geography. One can only travel so far and so fast on horse. So from a given population within a reasonably limited radius, we are looking for someone with the following characteristics:
1. Unique facial features: square jaw, dark eyes, short black hair
2. Race: white
3. Body type: estimated height (5'10" to 6'), weight (185 to 200 lbs), and build (muscular)
4. Social circle: hangs around with an Indian named Tonto. Find and "friend" Tonto, and you find the Lone Ranger.
5. Pets: rides a white stallion. It's the biggest horse in the area, it leaves big tracks that are easy to follow, and it's the only white horse living in the area. Goes by the name Silver. Find the white stallion, find the Lone Ranger.
So who was the masked man? If they had Internet connectivity at the ranch back then, they could run this query in the Google search box:
location: los angeles county “lone ranger” “tonto” “white stallion”
Go ahead and copy and paste that line as is into Google. You should find his name pretty quickly. He passed away in December 1999 at the age of 85.
To find a LinkedIn private profile, you follow the same logic: search the area with three or more characteristics.
So in practice you search the web's population of LinkedIn profiles and pick, for example, job title, company, location, and educational institution as identifiers. The odds are very low that two people share the same set of identifiers, but you may have to narrow your search by adding more if you get multiple profiles. Searching within LinkedIn will likely run into privacy blocks. But search from the outside in, via Google, and you'll see things from a new angle.
Here's the sample query I ran, which confirmed with 100% certainty the identity of the LinkedIn masked man:
site:linkedin.com "Company name" "Washington DC" "ABC University"
The site: operator restricts the search to one domain, in this case linkedin.com. Put quotes around each identifier so the search engine matches the exact phrase, and add a few more identifiers, such as a previous employer, if you still get several profiles.
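The narrowing described above is an intersection of quasi-identifiers: each quoted phrase removes everyone who does not match it, until one profile is left. What follows is an added example, not from the original post: it assembles the site: query and replays the narrowing over a constructed set of four indexed profile texts (the names, employers and schools are invented) so the shrinking candidate count is visible.

```python
from typing import Dict, List, Tuple

# Constructed stand-in for the public profile pages a search engine has indexed.
# Names, employers and schools are invented for this example.
INDEXED_PROFILES: List[Dict[str, str]] = [
    {"name": "J. Doe",    "text": "Director of Marketing at Acme Corp, Washington DC. Education: ABC University"},
    {"name": "M. Roe",    "text": "Account Executive at Acme Corp, Washington DC. Education: XYZ College"},
    {"name": "P. Poe",    "text": "Engineer at Acme Corp, Baltimore. Education: ABC University"},
    {"name": "A. Bloggs", "text": "Analyst at Globex, Washington DC. Education: ABC University"},
]


def build_query(site: str, identifiers: List[str]) -> str:
    """Assemble the site:-restricted, exact-phrase query the post describes."""
    return f"site:{site} " + " ".join(f'"{i}"' for i in identifiers)


def narrow(profiles: List[Dict[str, str]], identifiers: List[str]) -> List[Dict[str, str]]:
    """Keep only profiles whose indexed text contains every identifier (case-insensitive).

    This is what a run of quoted phrases asks the search engine to do.
    """
    wanted = [i.lower() for i in identifiers]
    return [p for p in profiles if all(w in p["text"].lower() for w in wanted)]


def identify(profiles: List[Dict[str, str]], identifiers: List[str]) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Add one identifier at a time; return the shrinking candidate counts and the final names."""
    trace = []
    hits = list(profiles)
    for ident in identifiers:
        hits = narrow(hits, [ident])
        trace.append((ident, len(hits)))
    return trace, [p["name"] for p in hits]


if __name__ == "__main__":
    ids = ["Acme Corp", "Washington DC", "ABC University"]
    print(build_query("linkedin.com", ids))
    trace, names = identify(INDEXED_PROFILES, ids)
    for ident, count in trace:
        print(f"+ {ident!r}: {count} candidate(s) left")
    print("identified:", names)
```

The same trace is the quickest way to assess your own exposure: if two or three public facts about you already bring the count to one, a "Private" label on the name field is not hiding anything.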
There are over 1,000 private profiles in LinkedIn. If you have a real need or desire to remain private on a social network site, then maybe you need to rethink your strategy.
Trust and Reputation Risks
Cisco released its annual security report this week. The report covers a range of cyber security trends ranging from spam, to bots, to malware. They also devote a few pages to the criminal business models that generate profits from illicit activity. Worth a read.
Not surprisingly, as computer use grows around the world, the trends are all upward for more malware, more spam, more fraud.
One of the solutions highlighted in the Cisco report is user education.
“Previous Cisco security reports have emphasized that “user education” is an essential component to security. Users should be expected to take measures to protect their online identity and to be aware of the risks that accompany their use of technology.”
While true, it's simply not enough. Businesses need to raise security higher on their own priority lists in order to provide their customers with "as secure as possible" environments.
I had an account at a regional bank that highlighted its focus on security (secure access to accounts, privacy, etc.). They even charged extra for it. One day I received an email, allegedly from the bank, that led me to their web page. It had the account login script on the page. On further inspection, the web page was coming from a server and location that didn't belong to the bank. It looked like a phishing site to me.
So I called the bank and asked for their security department. "We don't have a security department," he said. I asked who I should talk to if I did have a security problem. He said, "You need to talk to Jim, our IT guy." I was feeling much less comfortable by now.
Jim (not his real name) called me back, and after I discussed the situation with him, he told me the site was legitimate. They had outsourced all their marketing efforts to a third-party company and allowed their main website to be routed from an untrusted source. I asked him why, in the age of so much internet crime, they would choose to create a vulnerable point for their customers, particularly their elderly customers. He was a nice guy. Very polite. But I'm not sure he understood the risks. Clearly marketing hadn't.
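The check the bank story turns on, whether the page carrying the login form, the form's own action and the scripts on the page actually come from the bank's domain, can be automated. The following is an added example and not code from the original post: the bank name, hostnames and both sample pages are constructed, and registrable_domain() is a deliberate simplification (last two labels) that a real tool would replace with a Public Suffix List lookup. Note that a relative form action on an outsourced page resolves to the outsourced host, which is exactly the exposure the bank had created.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the host's last two labels.

    Assumption for this example only: real code should use the Public Suffix
    List so that hosts like bank.co.uk are not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LoginPageAuditor(HTMLParser):
    """Record where each form posts, whether it carries a password field, and
    where external scripts are loaded from, all resolved against the page URL."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.forms: List[Tuple[str, bool]] = []   # (resolved action URL, has password input)
        self.scripts: List[str] = []              # resolved script src URLs
        self._action = None
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            self._action = urljoin(self.page_url, a.get("action") or self.page_url)
            self._has_password = False
        elif tag == "input" and a.get("type", "").lower() == "password":
            self._has_password = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            self.forms.append((self._action, self._has_password))
            self._action = None


def audit_login_page(page_url: str, html: str, bank_domain: str) -> List[str]:
    """Return one finding per origin in the login flow that is not the bank's own domain."""
    bank = bank_domain.lower()
    findings = []

    page_host = urlsplit(page_url).hostname or ""
    if registrable_domain(page_host) != bank:
        findings.append(f"login page served from {page_host}, not {bank}")

    auditor = LoginPageAuditor(page_url)
    auditor.feed(html)
    for action, has_password in auditor.forms:
        host = urlsplit(action).hostname or ""
        if has_password and registrable_domain(host) != bank:
            findings.append(f"credentials posted to {host}, not {bank}")
    for src in auditor.scripts:
        host = urlsplit(src).hostname or ""
        if registrable_domain(host) != bank:
            findings.append(f"script loaded from {host}, not {bank}")
    return findings


# Constructed pages and hostnames; none of these belong to a real bank.
BANK_DOMAIN = "examplebank.com"

LEGIT_PAGE = """<html><body>
<form action="/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<script src="/static/app.js"></script>
</body></html>"""

OUTSOURCED_PAGE = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<script src="https://cdn.marketing-vendor.example/track.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(audit_login_page("https://online.examplebank.com/login", LEGIT_PAGE, BANK_DOMAIN))
    print(audit_login_page("https://bank-promo.marketing-vendor.example/login/", OUTSOURCED_PAGE, BANK_DOMAIN))
```

Run against the outsourced page the audit reports three foreign origins (the page itself, the credential post, and the tracking script); against the bank-hosted page it reports none. From the customer's side the two cases are indistinguishable from a phishing kit without this kind of check, which is the point the story makes.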
My account is now closed.
The two pillars of trust and reputation are hard to build. Securing the client's visit, physical and virtual, is required if you want those pillars to stay up.
Dear Bank CEO: Jim’s a good guy. Jim needs help. This isn’t an IT problem, it’s your responsibility.
Happy Thanksgiving
It's been on the to-do list for a long time, but today we officially launch Eagle's new website. Trying to keep a static web page up to date in a real-time information world just doesn't make sense anymore. Our aim is to keep clients up to date through this site while reducing the number of emails we send. We're certain you'll be pleased with less email.
Have a Happy Thanksgiving. 

November 11, 2010 | Posted by Eagle 