Out of Cache
TECHNOLOGY by Francis X. Gilpin | Associate Editor
Kevin J. Klim is scared. Scarier still, he's an agent with the Federal Bureau of Investigation.
Investigating computer crime out of the bureau's Clearwater office has made Klim extremely cautious about his own financial affairs. He suggests businesses follow his example.
"It's growing faster than we can imagine," Klim says of identity theft. "Faster than we can keep up with."
Klim recently cited a list of the bad things that can happen when business owners don't protect their assets against hackers and con artists. But, along with local business technology consultant Andy Swenson, Klim also offered financial executives meeting in Tampa a few pointers on minding the store.
At least once a day, Klim sits down, activates a series of antivirus and spyware-detection programs, and then warily ventures out from behind three firewalls he has installed for his personal computer to go online to check for suspicious activity in his bank, credit card and investment accounts.
"Am I paranoid? I work for the FBI," Klim told the Tampa Bay chapter of Financial Executives International. "Our motto is quite simply: 'In God we trust, everybody else we wiretap.'"
Even with all of the precautions, Klim says his wife, who is also an FBI agent, sustained an unauthorized charge of $3,700 on her credit card. Klim says he noticed it within 24 hours during his daily online checks and immediately cancelled the charge account, without penalty to his family.
No laptop with latte
Klim ran down some of the practical advice with which Americans have become familiar in the Information Age.
Don't leave sensitive envelopes in a roadside mailbox with the red flag up for the postal carrier.
Buy a shredder. Klim loves the $69 model he bought at Staples and brags that it is more durable than the one at his FBI office.
But he passed along a third tip that is less frequently heard. "I don't go and use public kiosks," Klim says. "I don't use Internet cafes. Am I paranoid? Yep."
Swenson, director of information security and infrastructure at Tribridge Inc. in Tampa, says he isn't quite as paranoid as Klim. But Swenson agrees with the FBI agent that firewalls and encryption software might not be enough to protect laptop users in public wireless hot spots.
Klim says he would never type passwords or other identifying information onto a keyboard in a public place.
That's because of spyware. The more sinister variety can be attached to a wireless network before unwitting laptop users arrive in an airport terminal or coffee shop. Such programs are capable of capturing keystrokes or recreating screen images after laptop users have logged off and gone on their way.
Encryption software doesn't always foil this type of security threat, according to Klim and Swenson.
That guy who hangs out at Starbucks all day with a notepad computer may be doing something other than just appearing to be cool. He could be trying to grab everything transmitted wirelessly out of the cafe, whether from a laptop, mobile phone or personal digital assistant.
Installing antivirus, encryption or other security software will ward off some cyber-intruders because there are so many other unprotected computer users to pick on, according to Swenson. "Most hackers are lazy," says Swenson. "They're going to take the low-hanging fruit."
An audience member asked if the desktop computers available to guests in hotel business centers are safer.
"Do you know what the guy before you did? That's the problem," Swenson says. "If you don't control it, you have no concept of it. If you do control it, you have a limited concept of what's on your machine."
Spyware that stores keystroke and Web address data makes business travelers vulnerable, even on hard-wired hotel PCs. "The people before you," says Swenson, "they can install that spyware and the people after you can look at it, even with Internet caching."
Swenson should know. His employer, Tribridge, does something similar when assisting business clients with forensic investigations.
A company hired Tribridge because executives suspected a former employee had departed for a competitor with proprietary information. Tribridge was able to recreate screen images and email exchanges from the ex-employee's PC. Sure enough, Swenson says among the emails were some with attachments containing the confidential information and the ex-worker's contract with the new employer.
"Straight out of cache," says Swenson, referring to a PC memory bank.
The FBI's Klim, who has become a connoisseur of computer security devices, says there are a handful of software products that do a pretty fair job of flagging intrusive programs that have been surreptitiously downloaded onto a PC.
One class of software Klim won't endorse: programs that claim to wipe clean a hard drive before a PC is discarded. Klim says the data can still be recovered, even after the use of a digital eraser. He recommends something a little less modern: A sledgehammer, suggesting to "take your hard drive and smash it to pieces."
Safer can mean
Andy Swenson, director of information security and infrastructure at Tribridge Inc., says businesses that do a good job of protecting their data gain an inherent competitive advantage. They should promote any state-of-the-art security features so customers feel confident about doing business with them, Swenson says.
A former chief information officer at Tampa-based Sykes Enterprises Inc. and Palm Harbor-based ABR Information Services Inc., Swenson recommends business owners take these steps to safeguard their data and systems:
• Top management should set an example (no scrawling passwords on Post-it notes around the office);
• Background check all employees before hiring;
• Assess every risk inside and outside the workplace;
• Implement a defense against hackers and other threats;
• Set up an incident management process, in case the worst happens;
• Put the company policy on data security in writing.