Projects

Hmmm … so here’s the new initiative (apart from the numerous others which I have taken up and not completed) which I take up now. I am planning to blog about all the projects I am working on: Virtualization (Research Project to eliminate Virtualization. It’s 2 months and I haven’t worked on this much!!!!), Astalavista (on a test bed), my other lab test projects, etc, etc, etc. I would start with the Virtualization one. Wait for it! At least, if I am persistent on blogging, it would push my work a bit … Why this initiative? I checked this tool PSTOOLs from Microsoft for my project of Astalavista and working on it was fun! So, just thought to share it with everyone.

So let’s roll …

ClubHack 2009: Day 1

Recently, I attended this Hacking and Security conference ClubHack. It was an awesome 3 day experience listening to seminars, workshops and round table conferences by various eminent speakers and hackers from all over the world. The speakers flocked in from various domains: Telecom, US DoD (Department of Defence), Royal Bank of Scotland, McAfee and even from Pune Police, NASSCOM, CID and other eminent law enforcement agencies! I reached the venue at 8:30 AM, leaving from my institute at 7:15 AM. The venue was 30 kilometres from my institute!!

What: ClubHack 2009, a meeting place for hackers, security professionals, law enforcement agencies, students and all other security enthusiasts.
Where: The Corinthians Club, Pune (The venue was awesome!)
When: Saturday 5th and Sunday 6th December, 2009

5th December, 2009 was Day 1 for ClubHack. The registrations started at around 10 AM (an hour late due to setting up of the venue). There were 3 halls, 2 for the simultaneous talks and the 3rd one for networking, meals and snacks. The day started with the introduction of ClubHack, by Rohit Srivastwa, the founder of ClubHack. This was followed by a small talk by the Chief Guest of the day, Mr. Alok Vijayant, Director Information Group, MHA, Govt. of India. After the keynote speech, the Indian version of BackTrack, Matriux, was launched. A copy of the same distribution was also distributed to all the audience.

Chief Guest at ClubHack 2009

Matriux Launch

After a small round of snacks and networking, the attendees split up in two halls, according to their interest in the talk. The schedule for the same was:

From | To | Room 1 | Room 2
1000 | 1100 | Registration
1100 | 1200 | Keynote & Matriux Launch by Mr. Alok Vijayant, Director Information Dominance Group, MHA, Govt of India
1200 | 1300 | Rohas Nagpal – Indian IT Act 2000 vs 2009 | Manindra Kishore – Incident Handling and Log Analysis for Web Based Incidents
1300 | 1400 | Anant Kochar – Revealing the Secrets: Source Code Disclosure, Techniques and Impacts | Abhijit Tannu – Facilitate Collaboration with Information Rights Management
1400 | 1530 | Lunch
1530 | 1630 | Nikhil Wagholikar in absentia of K K Mookhey – Risk Based Penetration Testing | Suhas Desai – Open source for securing data with advanced Crypto-Steganography technology
1630 | 1730 | Vinoo Thomas & Rahul Mohandas – India Cyber Crime Scene – Caught in the Crossfire | Lavakumar Kuppan – Lust 2.0 – Desire for free WiFi and the threat of the Imposter
1730 | 1830 | Kush Wadhwa – Advance Computer Forensic concepts (windows) | Gursev Singh Kalra – Mobile Application Security Testing

Another superb thing was the “Internet Bakra”. Running sslstrip and dsniff on the free internet which was provided for the day, all the passwords were sniffed and later, at the end of the talks, were shown to people (just the 1st two characters of the password) to explain to them that entering personal information on free connections can be harmful. While this did

After all the talks, ClubHack threw a party (on invitation) for the speakers, the volunteers and a few attendees. The party was in Doolally, the only microbrewery in Pune. Doolally is an awesome place (for people who drink beer). It has a wide variety of beers which they brew in house. They also showed us how beer was brewed from around 10 different wheat types. It takes around 20 days to brew beer!! It also has a DJ who plays on-demand music for free!! It was fun discussing informal things with the people whom you saw in formals the whole day! At one particular incident, I couldn’t recognize Mr. Nikhil Wagholikar (from NII Consulting) in the party. He was totally in formals in the day time, and in the evening, total informals!! Dinner was in the same hotel, having a buffet with all the speakers, the volunteers and other guests.

At Doolally

ClubHack Day 1 Party at Doolally

The day ended at around 11 PM (for me, since I had to reach my institute before the gates closed for us!!).

The Volunteering Team

  • Pankit Thakkar
  • Abhijeet Patil
  • Murtuja Bharmal
  • Aseem Jakhar (founder www.null.co.in)
  • Tushar Dalvi
  • Pradnya
  • Antariksh Shah
  • Prashant Mahajan
  • Anish
  • Ajit Hatti
  • and a few more … Kudos to them for a successful Day 1 (and simultaneously, Day 2 and 3!!)

Finally, saying goodbye to everyone, we left for our college at around 11:30 PM (the gate closing ceremony of Symbiosis Infotech Campus, Hinjewadi takes place at 11:30 PM!! we were late!!). Thanks a lot to Mr. Dinesh O’Bareja for giving us a lift till Wakad. We finally reached the campus at around 12:30 AM, went to sleep, just to wake up in another 4 hours for the fully informative, knowledge filled next day of ClubHack: the workshops.

ClubHack 2009!

ClubHack 2009

ClubHack is back! India’s own International Hacker’s Convention is back with its 3rd version with the aim to enable the dissemination, discussion and sharing of deep knowledge in the field of information security and cyber crime investigation.

What: ClubHack 2009, a meeting place for hackers, security professionals, law enforcement agencies, students and all other security enthusiasts.
When: Saturday 5th and Sunday 6th December, 2009
Where: ICC or Estique
Registration: Opens in October, 2009. http://clubhack.com/2009/Registration

Rohit Srivastwa

Founder: Rohit Srivastwa
Rohit Srivastwa is a well known security evangelist. He has an expertise in cyber crime investigation and IT infrastructure management. Rohit is actively involved in advising several military agencies, law enforcement personnel, media, corporate and Government bodies in these fields. Along with assisting these organizations in solving their cases, Rohit is also involved in teaching the related subjects to them. Rohit has trained the police departments of Pune, Mauritius and Malaysia. Rohit Srivastwa is also the founder of ClubHack, a member driven community to spread security awareness. As his last assignment Rohit was Director Technology at Commonwealth Games Pune (2008) where he delivered the complete technology of games and managed everything which comes under the umbrella of technology.
Currently he is Director Technology and Network Operations for Commonwealth Games to be held in Delhi in year 2010.

ClubHack, India’s Own Hacker’s Convention enters its 3rd version on the 5th and 6th of December, 2009. Previously, it was held successfully in December 2007 and 2008.

ClubHack 2009: Call for Papers
SUBMISSION: ClubHack2009 is expecting good, deep-knowledge technical presentations/demonstrations on topics from the world of Information Security. These presentations are expected to be of 40 minutes each. The scheduled time for each presenter would be 50 minutes, out of which 40 minutes are for the presentation & 10 for the question-answer session. We’d request you to submit the papers keeping the time constraint in mind.

TOPICS: The following list is made keeping in mind the most interesting topics in hacking & security. This is more of an indicative list, the papers submission can be on other topics also but have to be close to this & the theme of the event.

  • Protocol / Application based vulnerability in networks and computers
  • Firewall Evasion techniques
  • Intrusion detection/prevention
  • SPAM fighting
  • Data Recovery and Incident Response
  • Mobile Security (cellular technologies)
  • Virus and Worms
  • WLAN and Bluetooth Security
  • Analysis of malicious code
  • Cryptography and Cryptanalysis
  • Computer forensics
  • File system security
  • Secure coding & code analysis
  • Hardware modification
  • Patch writing for vulnerabilities
  • Open source hacking toolkit
  • Cyber Crime & law

Dates:
Opening: 15th August 2009
Closing: 15th October 2009

For more information, check out http://www.clubhack.com/2009

Me in ClubHack Workshop

ClubHack session in progress

Cop-Tech Forum

Recently, a few months ago, on the 30th of June, 2009, Cop-Tech Forum was launched. It is a joint initiative of Pune Police, NASSCOM (The National Association of Software and Services Companies) and the DSCI (Digital Security Council of India).

Purpose:
The main objective behind this forum was to increase sharing of ideas and knowledge on cyber security between the Police and the IT Industry. As Commissioner of Police, Dr. Satya Pal Singh, phrased it: “Cop-Tech is solemnization of the marriage between the Police and the IT Industry“. It is an initiative which calls for contribution of the IT professionals to help develop the Police force to serve the people better.

Pratap Reddy, an IPS officer who was an advisor (cyber security) to NASSCOM, listed down the things which Cop-Tech has to take care of:

  • Develop the Control Room of Pune Police to make it state-of-art which can cater to all those who dial 100 in a proper, structured way. This would also involve Fleet Management to keep track of police vehicles on the field
  • Cyber crime, computer security awareness among the students, non-IT professionals and the citizens in general
  • Usage of CCTVs from different locations. This would also involve Video and Image Analysis. For this, IT professionals who work in this area were called for help.
  • Training the Police staff in Cyber Security, Cyber Crime Investigation, Forensic Investigation, Computer Security in general, trainings on using of different tools (like GPS). This is to ensure that the state-of-art devices which would be used in the Control Rooms would be used efficiently and effectively by the policemen
  • Forensic Investigation. There are many cases which are shut down since Police do not have proper evidence or direction to work on. Here, the IT professionals can help (voluntarily) in Forensic Investigation

After this, the discussion was thrown out to the audience who are ready to contribute to this CopTech Forum. It was good to see a number of professionals from Infosys, Deloitte, IBM, Null Security Community, Press, etc, who were ready to help in their own way. An Infosys guy was ready to design, develop, code and implement a database system for Cyber Crime cell and Control Room. As is going on for many months now, Null Security Community is already into spreading security awareness among the citizens of Pune, which has now extended to Bangalore. They were also interested in helping for Cyber Crime Investigations and Forensics.

Pic:
Pratap Reddy (2nd from Right)
Dr. Satya Pal Singh (Lighting the lamp)

There was a good suggestion from one of the attendees. What he suggested was to look at the whole Cyber Crime as a business. A business which would involve 3 steps, including the actual crime and the monetization of that crime (like selling the data/information, selling the method to perform the crime in form of exploits, etc). If in some way, one of the 3 steps could be interfered with and hampered, the whole cyber crime process would fall. But, since this Cop-Tech forum has a narrow scope (as of now) to those listed above, this suggestion was left for future scope. There were many other inputs from the audience volunteering for Image and Video Analysis, Forensics, etc.

In short, it was good to see a bunch of around 60-70 individuals as well as a few groups like Null to have participated in this and who are ready to contribute. But, looking at the facts of Pune being the “IT hub of India” or the Silicon Valley of the East, 60 – 70 was a very small number. Till date, people have always questioned the government for not doing a good job, but when it comes to helping/contribution/volunteering, only a bunch of people are there at the disposal of the government, even when the government has taken the first step. This is a humble request to all IT Professionals to help the Police and the Cyber Cell to make it better so that they are able to serve us in a better way.

To get in touch with CopTech and Cyber Cell Pune, you can pay a visit to Cyber Cell branch at Sadhu Vasvani Road, Camp, Pune-1.

Dr. Satya Pal Singh’s Blog: http://drsatyapalsingh.blogspot.com/

Chat Protocol …

Scenario 1: You forgot(or don’t want) to go offline and you are projecting your screen on projector with some serious discussion in a busy conference room and bang! an old friend messages you on messenger “Hi Sexy”

Scenario 2: You are sitting with someone say Mr. A and another friend say Mr. B sends you a message about Mr. A. You know what kind of message I’m talking about

These kinds of sudden and uninvited chat messages can be disturbing at times. So in one of my previous organizations we had a protocol for chatting. I found it very helpful and slowly many of my friends have started following it.

Here’s how it goes, PLEASE try to follow the same when chatting with me and may be others too. This will make the online life bit comfortable for you and your friends

[?] To start a conversation, send a question mark only. Yes a simple ” ? ” only. This can mean anything as per your understanding like “Can we chat?” or “are you there?”.

Now the answer to this question can be yes no or later

[Y] So if the answer is YES, the person replies ” y “. Which means “I’m comfortable chatting with you at this moment, tell me”

[N] If the answer is NO for reasons like “I’m busy”, or “Can’t chat” or whatever, the person replies ” n “. If you get a ” n ” DO NOT send any more messages, not even “OK, I’ll ping you later”. It’s like saying DO NOT DISTURB

[5] or for that matter any number like ” 10 ” – “15 ” means busy right now, let’s talk after 5 (or 10-15) minutes. This comes very handy when you want to chat but you are preoccupied with something which you can’t leave in between.

[ ] If in case there is no reply from the other side, there can be 2 reasons. Too busy to say a ” n ” or not near the computer. The best option in this case is treat it as ” n ” and DO NOT disturb

Looking at so many shortcuts, we devised another shortcut. It was ” b ” this time which means BYE that comes at the end of conversation.

I strongly recommend all my friends to use this protocol while starting a chat with me. Share the protocol with your friends and see the difference.

Original Post: http://blog.rohit11.com/2009/02/chat-protocol.html
Thanks to Rohit Srivastwa, from whose blog I copied this.

VAPT … Day 1

First day into my VAPT – Vulnerability Assessment and Penetration Testing, (Hacking, in short) was a blunder. I had not contacted my mentor that I was going to start from 15th of April. I forgot :D . Neither did I know his time of arrival to the office, so that I could reach just on time to talk to him and get the project details.

Anyways, reached xyz (the company for whom I work) at around 9:10 am. I contacted my mentor, Mr Danny Nagdev just before reaching there. He asked me to come at 10, since he was in a meeting. Passed my time on Level 9, started my laptop, and began playing Burnout Paradise … believe me, it’s a superb game, with all the stunts and races and what not … cool cars, great graphics … ok, later, back to the topic.

I was re-directed to another office of xyz, after meeting Mr. Danny, where the security administrator used to work from. Finally, after having a chai with Mr. Namit Kasliwal, the Security Administrator of xyz, I got my project. I did have a choice of skipping office since that was the first day, but I started off with my job, due to 2 reasons, 1) no friends on the campus and 2) I am a workaholic.

The Project:
I was asked to Hack into the xyz servers. Yo. That would be fun! Let’s start off. The project was going to be a Black Box type, i.e. the company would provide me with no information, it’s me who has to find out everything! Imagine, EVERYTHING!!!! Fine, let’s go ahead.

Starting off with the Project:
The company people were good enough to provide me with an ethernet cable to connect to their internal network. Good, at least that would help me find some more information about them!

The only thing I knew about the company (other than its name, and the 2 people I met), was the website. After connecting to the local internet, I found the basic information:
- the subnet I was connected to (IP address and the subnet mask)
- the DNS used by the company
- the default gateway

After this, the logical step was to find out the final gateway of the company, i.e. the final server which connected xyz to the world, the Internet. So, for that, I did a traceroute to the google and orkut servers and from there. Traceroute gives you a list of all the hops on the way to the servers. Looking (DNS Lookup) up each one of them, I came to know of the last internal ip address which would take all the requests of xyz to the Internet. Hence, found the NAT Server!

The next step which I took, was in the Internet side. I queried the Whois database for information on the company’s website. Finding a few fields which were unknown to me, I went on to look for details of the fields which are included in the Whois query answer. I found this wonderful site http://www.apnic.net/db/ref/attributes/attributes-inetnum.html which listed all the fields and their descriptions. Having queried the Whois database, I found a lot many details about the company, like the Name of the contact person for the website, the address of the registrant, phone numbers, email addresses, and the most important, the DNS records!! I don’t know why the whois database is open for all; well, good for people like me ;) .

For the Whois query, I used www.samspade.org for the same. I haven’t tried finding how it queries the Whois database, but I did find out how to query the samspade whois database.
www.samspade.org/whois?query=;server=auto. This URL would take you to the Whois page of the IP/Domain.

Also, from the Whois query, I came to know that xyz hosted its website on a public domain, and it wasn’t in their servers … wow … pretty intelligent!

Having found the DNS records from the Whois page, the next step was to find the subdomains and the other domains, if registered.

Since it was the first day, I didn’t want to go into much of details, and so used the tools on the page http://member.dnsstuff.com/pages/tools.php to get more information on the web server. Using the Whois wouldn’t have made much of a difference, since all the whois queries would return the same answer!

Used all the tools available on that page to check what all information I get my hands on.

After all this, I sat surfing their website, looking for more information about the company; their products, services, addresses …. anything, everything.

There is a pretty good addon to firefox, “Extract Links”. It would extract all the links from the specified page and print it on a new tab, separating all the links and the domains. Through this, I found various sub domains of the company xyz. Pretty neat. I didn’t have to use much of the DNS tools to get the sub domains ;)

There is one more addon, External IP Address. This shows the public IP Address which you are using to connect to the Internet. Through this, I got the IP Address range which the company xyz uses! Simple, huh ;)

Lastly, having certain restrictions on surfing the web, I found the page www.torproject.org. I installed a client for this and started surfing without any problems! Yo! :D

Cheers :)
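
The Whois step above returns records made of "attribute: value" lines, the layout documented on the APNIC page linked in the post. The following is an added example, not part of the original post: a small parser a site owner could run over the Whois output for their own ranges to see which contact details are published. The sample record, the handle AB123-EX and the choice of attributes treated as contact data are constructed assumptions.

```python
import re

# Attributes treated as contact data (an assumption for this example;
# adjust the set to your own disclosure policy).
CONTACT_ATTRS = {"person", "role", "address", "phone", "fax-no",
                 "e-mail", "notify", "changed"}
HANDLE_ATTRS = {"admin-c", "tech-c"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample record: documentation address range and example.com
# only, no real registry data.
SAMPLE = """\
% [whois.example.net]   (constructed sample)

inetnum:        192.0.2.0 - 192.0.2.255
netname:        XYZ-NET
descr:          XYZ Pvt Ltd
                Head office network
country:        IN
admin-c:        AB123-EX
tech-c:         AB123-EX
notify:         noc@example.com
changed:        hostmaster@example.com 20090101
source:         EXAMPLE

person:         A. Placeholder
address:        1 Example Road
+               Pune
phone:          +91-00-0000-0000
e-mail:         a.placeholder@example.com
nic-hdl:        AB123-EX
source:         EXAMPLE
"""


def parse_objects(text):
    """Split Whois output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for raw in text.splitlines():
        if raw.startswith(("%", "#")):       # server comment lines
            continue
        if not raw.strip():                  # blank line ends an object
            if current:
                objects.append(current)
                current = []
            continue
        if raw[0] in " \t+" and current:     # continuation of previous value
            attr, value = current[-1]
            current[-1] = (attr, (value + " " + raw[1:].strip()).strip())
            continue
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", raw)
        if m:
            current.append((m.group(1).lower(), m.group(2).strip()))
    if current:
        objects.append(current)
    return objects


def exposure_report(text):
    """List, per object, the contact data it publishes directly or via handles."""
    objects = parse_objects(text)
    # Index contact objects by nic-hdl so admin-c / tech-c can be resolved.
    by_handle = {v: obj for obj in objects for a, v in obj if a == "nic-hdl"}
    report = []
    for obj in objects:
        obj_type, key = obj[0]
        exposed = [(a, v) for a, v in obj if a in CONTACT_ATTRS]
        for handle in sorted({v for a, v in obj if a in HANDLE_ATTRS}):
            exposed += [(f"{handle}:{a}", v)
                        for a, v in by_handle.get(handle, [])
                        if a in CONTACT_ATTRS]
        emails = sorted({e for _, v in exposed for e in EMAIL_RE.findall(v)})
        report.append({"type": obj_type, "key": key,
                       "exposed": exposed, "emails": emails})
    return report


if __name__ == "__main__":
    for entry in exposure_report(SAMPLE):
        print(entry["type"], entry["key"])
        for attr, value in entry["exposed"]:
            print("   ", attr, "=", value)
```

Replacing personal names, direct phone numbers and personal mailboxes in these attributes with role contacts shrinks what this report lists.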

What are REAL IT policies vs. What is actually enforced…

(Evil Sysadmin laugh) Silly Users! You cannot escape my domain! I have been getting a whole lot of questions regarding… “Can I do this at work” or “Will I get caught if I am downloading…” and my all time favorite “If I look at a little pron will I get caught?”

Here’s a clue, most of the time, if we have the capabilities of remote monitoring, we’re not using them. Unless you do something to draw the Evil Eye of a Sysadmin, we just don’t care, we’ve got other things to worry about.

Now that being said, if you DO happen to do something to draw our attention, you’re dead in the water if you’re doing something wrong.

Here is a list of things that most Sysadmins don’t really care about:

  • Light Porn surfing (if it’s playboy type stuff) up to say 10-15 minutes a day, we just don’t care. We might be a bit entertained by your old woman or tranny fetish, but chances are, nothing to really worry about. Unless you owe us money. Just be aware, we know what you’re doing.
  • Reading news sites, or shopping online. Again, we just don’t care. Most of our days are spent in one of two modes; putting out fires, or preventing fires.
  • Circumventing the proxy to go watch that really funny YouTube video your brother sent you in your corporate email. If you’re smart enough to do it, more power to you. If you didn’t do it exactly right, the Evil Eye is turning your way right now. If it’s just a funny YouTube video, no big deal. If you’re logging into hardcore pr0n sites to download videos, and eating all the T1 bandwidth, your fapping is about to be seriously interrupted. It might even be something like total computer failure, which we will conveniently be able to pin to the pr0n you were downloading.

If you have thus far managed to evade the Evil Eye, good job! Here are some things that will draw down the Striking Hammer Of God:

  • Illegal pr0n. If she could be your daughter, or our kid sister, you are toast. We don’t just get you fired, we call the FBI and let them arrest you. If you (sick bastards) are unlucky enough to get a Sysadmin like me, you first get the living shit beat out of you, then you get to deal with the Feds.
  • Illegal pr0n. If the “man” of the pr0n is named fido, we call the FBI and again, probably beat the crap out of you for good measure. We definitely make sure that EVERYONE in the company (and likely your spouse, and/or family) know what you were doing, and why the men in suits have come to take you away.
  • Downloading illegal music. Not cool man. Not at work. Yeah we have a T1, but it’s not your personal playground. Expect to have the music mysteriously disappear from your machine overnight, and forget being able to do anything like that in the future, we just demoted you to the Guest account.
  • Listening to streaming music. Ok, so yeah it’s not illegal. But you and your 10 brethren have just filled our T1, and effectively DoS’d the email server. If you want music, bring it from home on a portable hard drive, and don’t copy it to the machines. Just play it from the hard drive.
  • Installing or running any port scanners, or downloading anything that might be considered a “hack” tool. Congratulations, you just pissed IT off, and will likely be locked out of the network shortly. I’ve got enough to do without wrangling your script kiddie ass too.
  • Heavy pr0n surfing. Like 5-6 hours a day heavy. Dude, just stop. You are likely going to be visiting some websites that are, ummm, less than legit, to get in that amount of pr0n every day. You are going to end up getting that machine infested with virii and spyware. You might even actually inadvertently compromise the corporate network. If that happens, do you really think that anyone is going to let that slide? I’ve actually had to explain to the boss why you need to be fired before your little problem destroys the network, and I don’t really care to discuss what you’ve been looking at (you mean there’s more than one person that looks at THAT?!?!?) with my boss.

Even if I’ve been cool enough not to filter out web content, the boss is going to want to know how you were able to view this stuff. Rather than blow it for everyone, I am going to do the right thing. I am going to lie my ass off. You must be a hacker, because you’ve been able to circumvent every filtering method I’ve set up, and I have logs to prove it (believe me, I have logs to prove ANYTHING).

The short answer is, if we’re watching you, there is no escape. Between hardware keyloggers, and specialty software that is designed to be undetectable (which is extremely hard to find even to buy), we will catch you.

If you are doing something that is in a grey area, take your Sysadmin out for lunch a couple times, or for a beer, and find out what the real policy is (the one that gets enforced, not the one in the manual). Hell if we like you, we’ll let you get away with a lot more than if you’re a dick to us in the hall.

ORIGINAL POST: http://www.asktheadmin.com/2008/12/what-are-real-it-policies-vs-what-is-actually-enforced.html

ClubHack

It was 8:30 in the morning of 7th day of December when I, as usual, woke up and went down to the mess for my breakfast. After picking up my plate and taking bread-butter-tea, I reached the table where my class mates were sitting. It was a normal day for all! Then came up Utkarsh’s question, “We have a workshop on hacking, are you interested to join me?” I could not believe what he just said, and so I asked him to repeat what he said … “Are you interested to attend a hacking workshop with me?” “Of course I am! I am all ready for it, just tell me the time and the place.” … “Be ready by 11am, we will leave by the 11:15 bus” … “sure! :D “.

While going back to my room, I just pondered over the thing I have always wanted. I wanted a group, a group with whom I could learn new things (related to hacking and security, of course). A group with whom I could sit all day and night sitting in front of the laptop and doing “geeky” stuff, with whom I could share all my hacks and “cracks”. Well, seems here is a start for me.

(hey ClubHack people, don’t read this part):
On the way to the destination, I was told that we are going in for free, thanks to one volunteer, Amit Tripathi, my senior. I attended around 4 lectures that day (where each cost Rs. 1000!), whereas Utkarsh seemed to be bored of just one. Believe me, it was great to attend the workshop, it was ultimate to be around those superb people of whom I had only dreamt! The same day, I met Mr. Rohit Srivastwa. Asked him how to join ClubHack. I was surprised to hear the reply, “… there is no “membership” here. It’s just like a friend circle, without any boundary. If you want to join a security and hacking community, there’s Null, a Network Security group …”. He introduced me to Mr. Aseem Jakhar, the founder of Null. I decided to attend the Null meet the next day, after listening to him.

The workshop spanned 2 days, first day was for theoretical knowledge, the 2nd for practical things. After reaching home the first night, I called up my dad to get Rs. 1000 for the next day (of course you can’t expect them to allow me free entry 2 days!!) Getting dad’s green signal (thanks a lot :D ) I went into the workshop the next day fully excited (well, I did skip my breakfast that day). Got my registration done, got a T Shirt, and went into the first practical seminar. This was followed by the Null meet. There were quite a few people, around 10.

After that workshop, I attended a lot many workshops by different groups, OpenSocial Developer Garage, Null Event (I was a volunteer) …. etc, etc, etc.

In short, these two days have been the best of my life. I got to know a lot many people here, Vipul Kalia, Tushar Dalvi, Tara, Aseem, Murtuja, Rohit, Ajit, Priyank, Vishal…. many, many … and got to know about many groups of Pune too, PLUG, POCC, etc, etc, etc. This “friend group” without a boundary seems to be a superb one. Everyone seems to be getting along with each other pretty well! (Except for Vishal, he robbed me of my Google Cap!!! I will kill you, Vishal)

Thanks a lot Utkarsh … :)

Protect your identity … Identity Theft Labs’ advice

It is in every day’s newspaper that we read about the theft of credit card information, but do we do anything to prevent it? In countries like USA and UK, people do not give their Credit Cards to the cashier to swipe it; instead, they do it on their own, lest the cashier swipes the credit card for his own interest in some other device. When can this be started in India?

Given below is a blog post from http://www.business-opportunities.biz/2008/12/23/identity-theft-labs-shares-some-advice-on-how-you-can-protect-yourself/. Read it; it’s important for all of you using credit cards …

Although it is not strictly business related, identity theft is no stranger in the world. It is a problem that has hit a variety of people within all income levels. Unfortunately many people don’t realize what they should do until after it is too late. If you do the work, there are ways that you can protect yourself. However, if you don’t have the time or patience, there are paid services available that can do the work for you.

I recently spoke with John Armstrong, the owner of Identity Theft Labs, about identity theft and what we can do to protect ourselves.

What are some of the top tricks that thieves have used to steal someone’s identity?

To steal someone’s identity you must first obtain their private information and identity thieves use all sorts of tactics from dumpster diving, shoulder surfing, credit card skimming, stealing – purses – wallets – laptops – data storage devices, phony websites, phishing, impersonation, break and enters – house and car, hacking and viruses.

The most interesting case, in my view, just happened recently in Europe. Even the Wall Street Journal did an article on this one. A Pakistan identity theft ring placed a 4 ounce card capable of wireless communication under the motherboard of credit card readers made in China and distributed throughout Europe. It captured credit and debit card details including passwords and uploaded the information to a server in Pakistan. This was a very sophisticated ring that luckily got broken up due to the curiosity of one person otherwise it may have been undetected for a long time. The device included an intelligent program that sent the information sporadically and could even be told to lay dormant to avoid detection. An initial investigation found hundreds of these devices that could only be detected by weight as there were no visual clues of a tampered credit card reader.

Joel F. Brenner, the U.S. government’s top counterintelligence officer said “Pretty small but intelligent criminal organizations are pulling off transnational, multi-continent heists that only a foreign intelligence service would have been able to do a few years ago.”

It is important to realize that Identity Theft is big business costing the US economy $50 billion a year. Identity thieves vary from the low life criminals going through your trash to sophisticated multi-national criminal organizations.

Do you have any tricks that someone could use on their own to help prevent this from happening?

The single biggest tip I could give is to become aware of the problem of identity theft and start safeguarding your personal information in every way possible, especially your Social Security number. Only give this out where necessary.

Unfortunately, even if you followed an extensive list of tips to protect your identity, your information may still get into the hands of a criminal. Data Breaches in the United States have exposed the private information of over 200 Million Americans in the last three years and breaches occur weekly if not daily.

Obviously, you still want to reduce your risk and so I advise everyone to shred personal documents, make sure your online activities are secure and most importantly order and review your credit reports for any discrepancies. Additionally, a fraud alert is a simple yet effective tool to protect your credit.

What should they look for in a paid service? Why might this be a better option?

Though a paid service can help protect you in ways you cannot, many of the services they provide can be done for free if you are willing to do some legwork. One of the big advantages of a service is that you are provided identity theft insurance or a service guarantee. There is no way to fully protect your identity so this is a big plus and gives many consumers peace of mind and financial security.

There are essentially three types of paid services that can be divided up by their main means of identity protection: fraud alerts, credit monitoring, database scanning. The best companies usually combine two of these options and this is something I would definitely look for in choosing a company. Other things to consider are the guarantee or insurance provided, what is done on your behalf if you do become a victim, what exact steps are taken to prevent your identity and credit from being stolen. If you are looking at a credit monitoring service make sure they monitor all three bureaus daily.

What actions would put someone at a higher risk of having their identity stolen?

Again it comes to awareness and making a conscious decision to protect your personal information. A lot of people, companies and institutions still use the Social Security number as a means of identification. This has got to stop as it is a key piece of information for identity thieves and the exposure of your SSN can put you at great risk.

What kind of information may we find when we visit your website?

Identity Theft Labs is a great resource for tips on identity theft prevention as well as information on the risks that are out there. We pride ourselves on providing unbiased reviews of the best identity protection companies and we point out the differences in each to aid the consumer in choosing the right service for themselves and their loved ones.

Before someone pays for a service, what are some of the most important features they should look for in a company?

The most important features are: fraud alerts or credit monitoring, a guarantee or insurance, support - preferably trained Americans, credit reports, black market internet scanning, database scanning and identity restoration services.

I understand that Identity Theft Labs is not an actual service on its own, but helps others by recommending some of the companies available. What are some of the companies that you represent?

We review LifeLock, TrustedID, Identity Guard, Debix, Identity Truth and some credit monitoring services from the credit bureaus. We continue to monitor dozens of identity protection companies but only include what we deem to be the best services on our website located at http://www.identitytheftlabs.com. For most services we provide discounts as well.

Do you think you’ll enter into any other form of business or is this it for you?

Identity Theft Labs is a business and a passion for me. I do not see myself leaving this venture for a long time but at the same time would not rule out diving into something else if the right opportunity came along. The problem with new ventures is that they are often very time consuming and I would prefer to find an opportunity that could co-exist with what I am doing now.

What has your business taught you?

Entrepreneurs either know or quickly find out that there is no limit to the number of tasks that need to get done. No matter how fast or hard you work there is always more. As such we quickly learn to prioritize our tasks to make sure we are focusing on what matters most or the tasks that will have the most impact. We also learn that at times you have to take a step back to evaluate and recharge your batteries. It took me a while to realize that we have to do this in life as well. As a husband, father and friend there are always a lot of expectations concerning your time. By prioritizing based on what is truly important and taking the time on occasion to look at the bigger picture and rejuvenate yourself I believe you become a better person, husband and father.

If you had the opportunity to retire tomorrow, would you? Have you done everything in business that you’ve wanted to do so far?

In my younger days I always stated that if I won the lottery I would retire. You know, the old you work to live not live to work philosophy. I hate to go back on those words but I would not retire tomorrow, earlier yes, but not right away. Right now I am passionate about business, about internet marketing and about Identity Theft Labs, it is enjoyable, and a large part of me wants to see it through to the end. I think a large part of this is that I have set out to accomplish certain goals and have a strong desire to achieve them.
