
Saul's Notes

Blog by Saul Klein
San Diego, California

A collection of notes and observations by Saul Klein, CEO of InternetCrusade.

Security

Identity Theft

May. 22, 2006
Categorized in: Security
Tagged with: security

 

I think this is big news and will be a great benefit to REALTORS and the
people they serve.

The FTC has received thousands of real estate-related identity theft
complaints. Many consumers first learn they are victims of identity theft
when they are in the process of renting or buying a home, derailing their
real estate dreams while they work to rebuild their good name and destroyed
credit. Identity thieves may also rent or purchase a home fraudulently.
Identity theft is an important issue impacting both home buyers and real
estate professionals across the nation.

NAR is now working with the FTC on a new nationwide campaign to educate
consumers on how to minimize risk of identity theft and quickly fight back
if they become a victim: AvoID Theft: Deter, Detect, Defend. Preparing for
its official launch by early summer, the new initiative aims to educate and
empower consumers to protect themselves against identity theft and to
minimize the damage it can cause.

On behalf of our industry, NAR plans to play a key role in the fight against
identity theft by reaching consumers with much-needed information at points
where financial investments and credit are top-of-mind. To arm our members
with the materials necessary to join this effort, NAR, in cooperation with
FTC, will have numerous resources available to make it easy for any REALTOR
to communicate about identity theft to existing and potential customers.

Use these resources and help your clients, and yourself. For more info on
this go to:

http://www.realtor.org/idtheft

Saul

Saul Klein
President, InternetCrusade

Recovering from Viruses, Worms and Trojan Horses

Jun. 11, 2005
Categorized in: Security
Tagged with: security

US-CERT National Cyber Alert System
ST05-006-Recovering from Viruses, Worms, and Trojan Horses

Unfortunately, many users are victims of viruses, worms, or Trojan horses. If your computer gets infected with malicious code, there are steps you can take to recover. 


How do you know your computer is infected?
Unfortunately, there is no particular way to identify that your computer has been infected with malicious code. Some infections may completely destroy files and shut down your computer, while others may only subtly affect your computer's normal operations. Be aware of any unusual or unexpected behaviors. If you are running anti-virus software, it may alert you that it has found malicious code on your computer. The anti-virus software may be able to clean the malicious code automatically, but if it can't, you will need to take additional steps.

 

What can you do if you are infected?

Minimize the damage - If you are at work and have access to an IT department, contact them immediately. The sooner they can investigate and clean your computer, the less damage to your computer and other computers on the network. If you are on your home computer or a laptop, disconnect your computer from the internet. By removing the internet connection, you prevent an attacker or virus from being able to access your computer and perform tasks such as locating personal data, manipulating or deleting files, or using your computer to attack other computers.

Remove the malicious code - If you have anti-virus software installed on your computer, update the virus definitions (if possible), and perform a manual scan of your entire system. If you do not have anti-virus software, you can purchase it at a local computer store (see Understanding Anti-Virus Software for more information). If the software can't locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk that is often supplied with a new computer. Note that reinstalling or restoring the operating system typically erases all of your files and any additional software that you have installed on your computer.


How can you reduce the risk of another infection?
Dealing with the presence of malicious code on your computer can be a frustrating experience that can cost you time, money, and data. The following recommendations will build your defense against future infections:

  • use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. However, attackers are continually writing new viruses, so it is important to keep your anti-virus software current (see Understanding Anti-Virus Software for more information).
  • change your passwords - Your original passwords may have been compromised during the infection, so you should change them. This includes passwords for web sites that may have been cached in your browser. Make the passwords difficult for attackers to guess (see Choosing and Protecting Passwords for more information).
  • keep software up to date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities (see Understanding Patches for more information). Many operating systems offer automatic updates. If this option is available, you should enable it.
  • install or enable a firewall - Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer (see Understanding Firewalls for more information). Some operating systems actually include a firewall, but you need to make sure it is enabled.
  • use anti-spyware tools - Spyware is a common source of viruses, but you can minimize the number of infections by using a legitimate program that identifies and removes spyware (see Recognizing and Avoiding Spyware for more information).
  • follow good security practices - Take appropriate precautions when using email and web browsers so that you reduce the risk that your actions will trigger an infection (see other US-CERT security tips for more information).


As a precaution, maintain backups of your files on CDs or DVDs so that you have saved copies if you do get infected again.




Author: Mindi McDowell


Copyright 2005 Carnegie Mellon University.

 

 

The need to change Passwords

Jun. 11, 2005
Categorized in: Security
Tagged with: security

Cyber Security Tip ST05-012 
 
Supplementing Passwords
Passwords are a common form of protecting information, but passwords alone may not provide adequate security. For the best protection, look for sites that have additional ways to verify your identity.


Why aren't passwords sufficient?
Passwords are beneficial as a first layer of protection, but they are susceptible to being guessed or intercepted by attackers. You can increase the effectiveness of your passwords by using tactics such as avoiding passwords that are based on personal information or words found in the dictionary; using a combination of numbers, special characters, and lowercase and capital letters; and not sharing your passwords with anyone else (see Choosing and Protecting Passwords for more information). However, despite your best attempts, an attacker may be able to obtain your password. If there are no additional security measures in place, the attacker may be able to access your personal, financial, or medical information.

 

What additional levels of security are being used?
Many organizations are beginning to use other forms of verification in addition to passwords. The following practices are becoming more and more common:


  • two-factor authentication - With two-factor authentication, you use your password in conjunction with an additional piece of information. An attacker who has managed to obtain your password can't do anything without the second component. The theory is similar to requiring two forms of identification or two keys to open a safe deposit box. However, in this case, the second component is commonly a "one use" password that is voided as soon as you use it. Even if an attacker is able to intercept the exchange, he or she will still not be able to gain access because that specific combination will not be valid again.
  • personal web certificates - Unlike the certificates used to identify web sites (see Understanding Web Site Certificates for more information), personal web certificates are used to identify individual users. A web site that uses personal web certificates relies on these certificates and the authentication process of the corresponding public/private keys to verify that you are who you claim to be (see Understanding Digital Signatures and Understanding Encryption for more information). Because information identifying you is embedded within the certificate, an additional password is unnecessary. However, you should have a password to protect your private key so that attackers can't gain access to your key and represent themselves as you. This process is similar to two-factor authentication, but it differs because the password protecting your private key is used to decrypt the information on your computer and is never sent over the network.

 

What if you lose your password or certificate?
You may find yourself in a situation where you've forgotten your password or you've reformatted your computer and lost your personal web certificate. Most organizations have specific procedures for giving you access to your information in these situations. In the case of certificates, you may need to request that the organization issue you a new one. In the case of passwords, you may just need a reminder. No matter what happened, the organization needs a way to verify your identity. To do this, many organizations rely on "secret questions."

 

When you open a new account (email, credit card, etc.), some organizations will prompt you to provide them with the answer to a question. They may ask you this question if you contact them about forgetting your password or you request information about your account over the phone. If your answer matches the answer they have on file, they will assume that they are actually communicating with you. While the theory behind the secret question has merit, the questions commonly used ask for personal information such as mother's maiden name, social security number, date of birth, or pet's name. Because so much personal information is now available online or through other public sources, attackers may be able to discover the answers to these questions without much effort.

 

Realize that the secret question is really just an additional password. When setting it up, you don't have to supply the actual information as your answer. In fact, when you are asked in advance to provide an answer to this type of question that will be used to confirm your identity, dishonesty may be the best policy. Choose your answer as you would choose any other good password, store it in a secure location, and don't share it with other people (see Choosing and Protecting Passwords for more information).

 

While the additional security practices do offer you more protection than a password alone, there is no guarantee that they are completely effective. Attackers may still be able to access your information, but increasing the level of security does make it more difficult. Be aware of these practices when choosing a bank, credit card company, or other organization that will have access to your personal information. Don't be afraid to ask what kind of security practices the organization uses.

 

 

--------------------------------------------------------------------------------
Authors: Mindi McDowell, Chad Dougherty, Jason Rafail
--------------------------------------------------------------------------------
Copyright 2005 Carnegie Mellon University