Friday, November 25, 2005

US Military Hacked, Sober Worm Goes Worldwide, What Next?

Military installations being attacked from China in what is being called; The new Trojan war, Chinese hackers breach US military defenses. The worst computer worm of the year is being spread by bogus e-mails from the FBI and CIA, Computer Worm Poses as E-Mail From FBI, CIA. Meanwhile, there are stories of the military removing word documents from the internet after it was discovered that sensitive information had been compromised, US military security defeated by copy and paste CNET News.com.

If this were fiction, it would be the makings of a best selling thriller.

Reading all these stories in the past few days and considering the implications made me consider how high the stakes in internet crime really are. At this point, it is unknown, specifically who the attackers are (at least to the general public). Organized criminals, unfriendly governments and even terrorists could theoretically be the culprits.

The Chinese (who seem to be behind the most recent attack on the military) have been suspected of selling technology (including nuclear) to governments, who might be dangerous to world peace. All one has to do is read the story of AQ Khan, who developed nuclear weapons for Pakistan and admitted selling secrets to North Korea, Libya and Iran. There is a lot of speculation that he obtained a lot of his knowledge from the Chinese, who were caught stealing nuclear secrets from us during the Clinton Administration, Online NewsHour: Spies Among Us -- June 9, 1999.

Meanwhile, the worm attack dubbed as "Sober X" has spread so far and fast that both the CIA and FBI have placed prominent warnings on their websites.

Besides attacks throughout the United States, there have been similar attacks in Europe. Bogus e-mails impersonating law enforcement and intelligence agencies are being used to trick unsuspecting users into downloading the virus. Video clips of popular celebrities have been used also.

The Internet Crime Complaint Center received more than 4,000 reports on Monday alone, per the FBI. Symantec stated that this worm has the ability to compromise personal information and McAfee reported 73,000 customers found the worm on their system. A British company (MessageLabs) reported intercepting more than 2.7 million copies of the "Sober X" worm and it's mutations (Sober X, Y, Z).

One security vendor, MXLogic is now reporting that one in every eight e-mails is infected. Thus far, the experts can only speculate what the intent of this massive attack is.

In another shocking revelation, there are reports that the military is removing Word documents off the internet after it discovered that when they obscured parts of documents that were classified on (Word and Adobe documents), they could be recovered and read by simply "cutting and pasting" them on to another document.

This was discovered after classified information about an incident in Iraq was posted on the internet.

Unless the private citizen and our governments take these massive attacks seriously, we could stand to lose more than our identities and bank accounts. National security and financial systems could eventually be at stake! Diplomacy and being politically correct need to be thrown out the window and replaced by swift action that includes severe consequences for individuals and governments found guilty of engaging in this activity.

My best guess is, failure to do so, could have grave implications.

Cyber Criminals Attack Technorati Bloggers

There are some who take bloggers seriously and some who don't. Here is evidence that the murky world of cyber crime does and that they are attempting to profit from Blogs.

Paul Young, who writes prying1, notified me of this activity and has also put a warning on his blog about it.

Posted by Niall Kennedy on November 23, 2005. Tags:

"It recently came to our attention that the Technorati brand name is being used in an attempt to inject a virus onto Windows computers. Although I personally have not received these emails, Technorati takes these false emails seriously.

The email in question states that Technorati has suspended your email account, lists some reasons why this may have happened, and invites you to open an attached file for more details on how to reactivate your Technorati account. The attached file, "important-details.zip," contains the W32.Mytob.MC@mm virus, opening a back door on your computer, lowering security settings, and allowing your computer to be used by the attackers for local access or distributing other content online.

Technorati's support and feedback departments as a rule do not send non-image attachments to its users. We will sometimes include a screenshot to better illustrate instructions. We also address each support request personally and attach our name to the message to let you know there is a real human on the other end.

We recommend investing in anti-virus software for your computers. Two of the most popular home software solutions are Norton AntiVirus and McAfee VirusScan. McAfee also offers a free scan of your computers for viruses."

Currently, there are over 100 variants of Mytob circulating and some are very hard to remove. Once a computer is infected, the computer can be used remotely, primarily to send Spam messages.

Here is a earlier post I did that shows the full spectrum of this type of activity, McAfee Study on Organized Crime and the Internet.

A further recommendation to help you remove any Mytob cyber nasties, you might discover on your system is the malware removal tool from the White Hats (good guys) at Microsoft.

Thursday, November 24, 2005

The Top (Free) Anti-Fraud Resources Found by Fraud, Phishing and Financial Misdeeds

The official start of the holiday season is upon us. With the rapid growth of e-commerce and the fraud implications thereof, this post represents the top "free" resources I've found that combat Fraud, Phishing and Financial Misdeeds.

Before I start, when we are confronted by scams, it is imperative that we report them to Law Enforcement. The best resource (most detailed) is the link in the preceding line from the folks at Quatloosia, which is a non-profit organization.

In fact, I suspect there are too many of us, who due to time constraints, simply laugh at the attempts to defraud us. Unfortunately, the people (who commit fraud on the internet) can target (thousands) with a click of the mouse. Reporting this activity protects the innocent, who might have their entire holiday season ruined by one of these fraudulent schemes.

A quick (easy) way to report suspicious activity online is the Internet Fraud Complaint Center.

If you are are victim, I highly recommend Annie McGuire's site, FraudAid, which has been serving the public since 2000. This site is literally full of great information on how to avoid becoming a victim and how to repair the damage that has been done. In fact, I've had the pleasure of chatting with Annie and she is a fine person, who truly does this to help people.

The Federal Trade Commission (FTC) is also a great resource. Recently, they published tips in Spanish, Alerta en Línea. Of course, they also have a lot of fantastic information in English and here are their Holiday Tips, the FTC's Holiday shopping alert [Text] [PDF].

The Better Business Bureau also has a lot of information. On their main page is an article "Shopping Online For The Holidays: "Twelve Tips To Protect Yourself From Cyber Grinches, Scams And Schemes (full story)."

When deciding who to give our business to, a good resource is the Bad Business Bureau, which publishes the Rip-Off Report. This is a consumer driven site, where people write in and share their bad shopping experiences.

Before doing any shopping online, a good (free) resource for research is the TrustWatch Search Engine. "Sites that can be verified receive a green "verified" rating; sites that do not have enough data to be verified, but are not known to be fraudulent, receive a yellow "not verified" rating; and known fraudulent sites display a red "warning" rating. If a site is deemed to be both verified and secure for the exchange of confidential data, it receives a lock icon next to the green verification rating."

For those of us shopping on line, we face having spyware/adware loaded on our systems without our knowledge. Please note, many legitimate businesses load this on your computer in the name of marketing. SpyCop has an interesting e-book for those, who desire to learn how to protect themselves: http://www.nospyzone.com/. It points out that besides Spyware and Adware programs being easily accessible, a lot of so-called programs touted as protection are no better than some of the free programs out there. One of the best free programs is Spybot Search and Destroy (S&D).

Here is a link describing the difference between spyware and adware from Webopedia, The Difference Between Adware & Spyware.

Another annoyance this season will be our e-mailboxes filling up with Spam. The worst sort of Spam entails phishing attempts, where one it lured to a fake (faux) website in order to be tricked into giving up personal and financial information to be used in identity theft. With pharming and the use of keyloggers, this activity is becoming more automated and posing a significantly higher risk to all of us. A great resource to learn about this is the Anti-Phishing Working Group (APWG), which has educational resources on how to avoid these scams.

Many of us will use an increasingly popular method of shopping, which are auction sites. A lot of people have become victims on these sites and e-Bay is the largest player. I prefer the warning information on CraigsList. Craig Newmark (allegedly himself) put this together, "cashier check & wire transfer scams and avoid recalled items. Craigslist gets 3 billion page views a month and although they do charge for certain things (rarely), most of it is free. Furthermore, Craigs provides not only an auction site, but a lot of resources to help people, which again are mostly free.

Anyway, the Richardson Family (Ted, Mrs. and Leigh, who is sometimes Ted's personal technical advisor") wish everyone a safe, sane and financially prosperous holiday shopping season. Remember that being AWARE is the best protection against "financial misdeeds" and educating others to be AWARE protects the innocent, which is a kind thing to do.

After all, isn't kindness what the season is supposed to be about?

To share this information with those you care about, click on the envelope (below) and the post can be forwarded via e-mail. It won't bring you bad luck if you don't, but it might make someone else a little luckier.

Wednesday, November 23, 2005

Birmingham Bank UK, Another Faux Site

I signed up for Websense Security Alerts. Here is one of particular interest involving a totally fake financial institution, Birmingham Bank UK.

"Websense® Security Labs(TM) has received several reports of a new phishing attack that does not target any particular financial or ecommerce brand. Users receive an email from the bank welcoming them as a customer, and claiming that they are the beneficiary to funds from the Alliance Security and Finance Company in Amsterdam. The email includes a URL to the bank and a username and password to log into their "account."

Upon accessing the bank website, an option is provided to log in to their account with this bank, using the login information provided in the email. When the user logs in, the account information is displayed, along with a balance of more than 9 (nine) million dollars.

The website then requests that the user transfer the funds to their own bank account and requests that details of that account be entered in order to perform the transfer.

The phishing site is hosted in the UK and was up at the time of this alert."

The use of fake websites is nothing new and I have discussed them extensively on this blog. They are used in charity, e-Bay and PayPal fraud activity and the purpose is normally to steal financial and or personal information to commit identity theft.

If you would like to view the full alert by Websense go to: New Fraudulent Bank / Technique.

Artists Against 419 (US) is a website dedicated to fighting fake bank websites with a humorous twist. If you would like to learn more about these sites, I highly recommend them.

You might even join the Artists in shutting down a few of these sites.

If you are interested in a search engine that helps protect you from fraud (faux) websites, here is a post with a great (free) resource, TrustWatch Search Engine .

Tuesday, November 22, 2005

FTC Publishes Consumer Warnings en Espanol

The Federal Trade Commission is now publishing information in Spanish (Espanol) on internet scams and how to avoid identity theft.

"A recent consumer fraud survey commissioned by the FTC, the nation’s consumer protection agency, found that Hispanics, whether they are Spanish speakers or not, are about twice as likely as non-Hispanic whites to be victims of consumer fraud."

In fact not only Hispanics, but according to this survey, minorities in general are becoming more likely to be victims of internet fraud.

“We found that American Indians and Alaska Natives, African Americans, and Hispanics are more likely to be victims of fraud than non-Hispanic whites,” said Howard Beales, Director of the FTC Bureau of Consumer Protection. "These findings will help us fine-tune our Hispanic Law Enforcement and Outreach Initiative, and explore additional opportunities to target frauds aimed at communities which are at risk."

Could this be because of a lack of communication venues to warn these groups?

The top 10 frauds listed in the report include: "Advance-fee loan scams – 4.55 million victims; Buyers clubs – 4.05 million victims; Credit card insurance – 3.35 million victims;
Credit repair – 2 million victims; Prize promotions – 1.8 million victims; Internet services – 1.75 million victims; Pyramid schemes – 1.55 million victims; Information services – .8 million victims; Government job offers – .65 million victims; and Business opportunities – .45 million victims."

With computer technology and internet services becoming cheaper and more available all the time, the number of potential victims is rising. I think the FTC's actions in making their warnings more accesible (user friendly) is admirable.

After all, internet fraud has become a global problem and is committed in more than one language. Here is a "techie" tool anyone can use to translate text from one language to another, AltaVista Babel Fish.

For the FTC's information in Spanish, go to Alerta en Línea.

For those of us, who want some relevant holiday tips on how to avoid becoming victims of the cyber grinches in English, go to the FTC's Holiday shopping alert [Text] [PDF].

Personal Data and Security Act Moves Forward

I read some great news this morning about the Personal Data and Security Act, modeled after a California law (SB1386). SB1386 is now considered a trend setter in requiring companies to notify people when their personal information has been stolen. It now appears that the Personal Data and Security Act (S1789) is gaining ground in the Senate.

This law will provide the same protection nationally, that SB1386 has provided for California.

In an earlier post, Congress Tries to Silence Identity Theft Initiatives, it appeared that Congress was trying to replace S 1789 with what I consider a far weaker version, HR 4127.

Here is the article, I read written by Grant Gross of the IDG News Service and later published in PCWorld and Yahoo News:

"WASHINGTON-- The Senate Judiciary Committee has approved a bill that would require companies with data breaches to notify affected customers, and would set up rules for the U.S. government's use of private databases.

The Personal Data Privacy and Security Act, sponsored by committee Chairman Arlen Specter, a Pennsylvania Republican, and Senator Patrick Leahy, a Vermont Democrat, would also require data brokers to allow U.S. residents to correct their personal data, and it would require businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.

Businesses that do not implement security plans could be fined up to $35,000 a day if found in violation of the requirement."

The entire article can be viewed by going to the link below:

http://news.yahoo.com/s/pcworld/20051121/tc_pcworld/123624

I would also like to add (because they weren't mentioned in this article) that senators, Dianne Feinstein (D-California) and Russ Feingold (D-Wisconsin) have also actively pushed for S1789.

In the past year, massive amounts of personal and financial data have been stolen (often with little technical expertise). These acts have exposed millions of people to the possibility of having their identities stolen. Big businesses, who have made considerable profits buying and selling our personal information need to ensure that they are diligent in protecting people's personal information. Should they fail to do so, they also need to at least let the people (who will potentially be victimized) know they are at risk.

We deserve and should accept, no less!

Sunday, November 20, 2005

Tis the Season of Stealing

Tis the "Season of Stealing" with the official start of the holiday season less than a week away. All over the world, cyber criminals are getting ready to hide behind the sales volume and take advantage of people trying to make their loved ones happy on limited resources.

As always, most scams start with a common theme, "An offer of something that is too good to be true." When you are approached with something that seems to be too good of a deal, it is best to use extreme caution and take a careful look at it before spending any of your hard earned money.

The Better Business Bureau has issued some excellent tips on what to be AWARE of:

Know who you're dealing with. Check out unfamiliar sellers with the Better Business Bureau and your state or local consumer protection agency. If you're buying gifts on an online auction site that provides a feedback forum, check the track record of the seller before you bid. Don't buy things in response to unsolicited emails from unknown companies, since these may be fraudulent.

Get all the details. Check the name and physical address of the seller; how much the product or service costs; what is included for that price; whether there are shipping charges; the delivery time, if any; the seller's privacy policy; and the cancellation and return policy.

Look for signs that online purchases are secure. At the point that you are providing your payment information, the beginning of the Web site address should change from http to shttp or https, indicating that the information is being encrypted - turned into code that can only be read by the seller. Your browser may also signal that the information is secure with a symbol, such as a broken key that becomes whole or a padlock that closes.

Pay the safest way. It's best to use a credit card, especially when you're purchasing something that will be delivered later, because under federal law you can dispute the charges if you don't get what you were promised. You also have dispute rights if there are unauthorized charges on your credit card, and many card issues have "zero liability" policies under which you pay nothing if someone steals your credit card number and uses it.

Never enter your personal information in a pop-up screen. When you visit a company's Web site, an unauthorized pop-up screen created by an identity thief could appear, with blanks for you to provide your personal information. Legitimate companies don't ask for personal information via pop-up screens. Install pop-up blocking software to avoid this type of scam.

Keep documentation of your order. When you've completed the online order process, there may be a final confirmation page and/or you might receive confirmation by email. Print that information and keep it handy in case you need it later.

Know your rights. Federal law requires orders made by mail, phone or online to be shipped by the date promised or, if no delivery time was stated, within 30 days. If the goods aren't shipped on time, you can cancel and demand a refund. There is no general three-day cancellation right, but you do have the right to reject merchandise if it's defective or was misrepresented. Otherwise, it's the company's policies that determine if you can cancel the purchase and whether you can get a refund or credit.

Be suspicious if someone contacts you unexpectedly and asks for your personal information. Identity thieves send out bogus emails about problems with consumers' accounts to lure them into providing their personal information. Legitimate companies don't operate that way.

Check your credit card and bank statements carefully. Notify the bank immediately if there are unauthorized charges or debits, if you were charged more than you should have been, or if there are any other problems.

Keep your computer secure for safe shopping and other online activities. Protect your computer with spam filters, anti-virus and anti-spyware software, and a firewall, and keep them up to date. Go to http://www.staysafeonline.org/ and http://www.onguardonline.gov/ to learn more about how to keep your computer secure.

Beware of emails offering loans or credit, even if you have credit problems. Con artists take advantage of cash-strapped consumers during the holidays to offer personal loans or credit cards for a fee upfront. These scammers simply take the money and run.

Contact the seller promptly about any problems with your order. Check the company's Web site for a customer service page, "contact us" link, email address, or phone number to get your complaint addressed or questions answered. If you can't resolve the problem, contact the Better Business Bureau or your state or local consumer protection agency for help.

Of course, as always, if you determine someone is trying to scam you, please take the time to report them to the relevant consumer agency and or law enforcement. By doing this, you could very well prevent someone else's holiday season from being ruined and thwart the efforts of the "cyber grinches."

A great place to complain/investigate is the Better Business Bureau. If you want to go to their website, click on the title of this post.

A good place to report internet crime is the Internet Fraud Complaint Center .

Saturday, November 19, 2005

Nigerians convicted in $242 Million Fraud Scam

The Nigerian Government is trying to improve it's image, especially in Advance fee fraud (419) scams. According to the Associated Press two Nigerians were convicted in an international fraud scheme that led to the collapse of a Brazilian Bank. The amount of this scheme allegedly is $247 million. An insider at the bank illegally transferred funds, up to $4.75 million in one transaction at a time, to accounts specified by Frank Nwude and Nzeribe Okuli (the Nigerian defendants).

According to the AP, "Okoli was sentenced to four years in prison, while Nwude received five five-year sentences, to be served concurrently, and was ordered to pay the bank $110 million as well as a $10 million fine, said Ibrahim Lamode, a top official at the Economic and Financial Crimes Commission. A third defendant was convicted earlier in the scheme."

Let's see, $247 million minus $110 million equals $137 million still missing. Since the definition of concurrently in legal terms means together, Okoli will serve only five years and Nwudi four. If they were to split up the time (minus a $10 million fine for the Nigerian goverment), this equates to $14.1 million profit per year for each year they serve. Not too shabby in a country, where the average person can barely afford to eat.

I wonder if there sentences will include "time off for good behavior?" With the amount of money left over, it probably would be easy to arrange in a country, which is notorious for corruption.

The sad fact is the majority of Nigerians live in an extreme state of poverty, despite being a member of OPEC and the eleventh largest producer of petroleum in the world. A select few in Nigeria (along with foreign companies) have been the recipients of massive profits, yet the majority of the country lives in poverty.

No wonder there are so many willing recruits into the seedy world of 419.

I'm glad the Nigerian government is going after some of this, but to me this case is merely an attempt at publicity. They and the foreign companies doing business there need to realize that providing a better standard of living for the eighty percent (who live in severe poverty) is the only thing that will make a lasting change against the rampant corruption and violence that exists in Nigeria today.

To understand the situation in Nigeria, all one needs to do is read the CIA's analysis: U.S. State Department's Travel Warning - Nigeria.

For further reading, here is a previous post, I did on 419 in Nigeria, 419 From the Other Side of the Fence.

Friday, November 18, 2005

Secret Shoppers Scammed

I'm sure we've all seen advertisements on how you can make a lot of money, get free merchandise and meals and even take cruises as a "Secret Shopper." We've also seen numerous services (questionable) that will sell you information on how to do it.

Although, there are numerous companies, who do this for legitimate businesses, very few people make much money by being a secret shopper. So far as the services selling you a package to do it, I would recommend that you stay away from them. Quite simply, they aren't necessary and you are probably paying for something that you could have got for free. All one needs to do is look up the companies, (Secret Shopper) online and apply directly to the company.

On a much scarier note, I read a report from the Minneapolis Star Tribune that "Secret Shopping" is the latest ploy to attract victims into Advance fee fraud (419 scams).

Here is how this latest scam works as reported in the Minneapolis Star Tribune:

"John McCullough, business coordinator for the Financial Crimes Task Force, said the perpetrators ran an ad in the Star Tribune classified section last month luring readers with an offer to be "Secret Shoppers" for "$100/hr. guaranteed" and "no experience necessary."

People who responded to the ad were sent a letter congratulating them on being selected and instructing them to cash a $2,830 check at their bank or other institution, to keep $200 for themselves, and to send most of the rest to the Canadian address. The check-cashing task is described in the letter as an "assignment" to "evaluate the effectiveness and efficiency of a payment system called 'Moneygram' which is available at all Wal-Mart (sic)."

Moneygram and Western Union offer wire transfer services, which aren't insured by the FDIC. In many advance fee scams, the ploy is to get someone else to cash a fraudulent instrument and wire the money (normally overseas) before the instrument is discovered as a fraud.

"The letterhead is topped with the Web address (secretshopper.ca) of an apparently legitimate operation in Canada that employs people to shop and evaluate retail establishments. Other legitimate operations include secretshoppercompany.com in Gainesville, Ga., and secretshopper.com in Minneapolis."

As I am constantly saying, Advance Fee is a continuously mutating animal. The Secret Shopper twist is new and if history proves correct, we will see this version of the scam travel quickly in the borderless environment of the internet.

Some good advice from the article is, "beware of checks made out for more than the selling price of an advertised item, checks delivered via overnight delivery service, checks drawn on an account in a name that is different from the person buying the item, and instructions to wire money to a large U.S. city or to another country such as Canada, England or Nigeria.

Other things to watch for are payment of a "commission" for facilitating money transfers through personal accounts, and e-mails requesting the receiver to "confirm, update or provide" personal banking account information."

Note that people, who fall victims to these scams are normally held financially responsible. In some instances, some of them have even been arrested for attempting to pass fraudulent financial instruments.

Should you suspect you are being solicited on any internet scam, the best thing to do is to report it to the authorities. There are numerous links throughout this blog and in my "links" on how to do so!

Wednesday, November 16, 2005

Keylogger Attacks Up 65 Percent, Is Your Personal Information Safe?

I've written a lot about Keyloggers. Here is a pretty scary statistic from iDefense, which is a leading and well respected computer security company.

iDefense reports that in 2000 there were 300 known attacks, last year there were 3,753 attacks and this year, there has been 6,191 attacks so far this year. This represents a 65 percent increase in activity, which illustrates that this could be a nasty trend.

"Keyloggers, silently installed programs that record a victim’s keystrokes and sends them to hackers, put tens of millions of Internet users’ finances, personal data and account information at risk. Largely distributed by organized cyber theft groups, they are typically packaged with phishing emails or spyware – malicious code that than tracks victims’ online activity – often eluding traditional security defenses like anti-virus software and firewalls."

You might be amazed that "keyloggers" are legal, here is one site of many (do a search on your favorite search engine), Keyloggers.com :: Professional keylogger (key logger) and surveillance software :: Overview .

Keyloggers are "marketed" as an efficient means to spy on your spouse, child, boss, or employees. Unfortunately, they can be used to commit crimes and espionage, also.

Of course, for a price, you can protect yourself (maybe), Professional anti-keylogging and anti-spyware software :: Anti-keylogger :: Overview . Please note, I can't endorse any of these products as I'm not certain how effective they are. Making sure all your computer protections are "up to date" is probably the best advice, I can give.

As this menace increases, I'm certain we will learn more.

It's a crying shame that these programs are for sale all over the internet. Examples, such as this, reveal why internet crime is growing rapidly. To me, not only is it scandalous that this technology is openly available to criminals, but it is even more scandalous that companies are allowed to market it and then market the means to protect against it.

Sunday, November 13, 2005

Congress Tries to Silence Identity Theft Initiatives

After reading an article by Robert Vamosi at CNet, I'm fighting mad!

"Congressman Cliff Stearns (R-Florida) is pushing through changes to HR 4127, the Data Accountability and Trust Act (DATA). Stearns's press release states, "This bill will help ensure that personal data are accounted for, secured, and actively protected against breaches by empowering consumers and businesses to promote the notion that security sells."

Although, this sounds good, in reality, it is deceptive because HR 4127 effectively silences a lot of the forward progress started with a ground breaking law passed in California, SB 1386.

California's SB 1386 set the standard forcing companies to make their customer's aware when their data had been breached. This inspired a national version S 1789, "sponsored by senators Arlen Specter (R-Pennsylvania), Dianne Feinstein (D-California), Patrick Leahy (D-Virginia), and Russ Feingold (D-Wisconsin), S 1789 would set a national standard and effectively punishes corporations that fail to comply.

Unfortunately S 1789, seems to be going nowhere soon and we now face a real danger that HR 4127 will preempt it.

HR 4127 has dangerous consequences for consumers. Here are the two most glaring items:

The company, who has incurred the data breach would decide if the customers needed to be notified because their was a significant risk of identity theft (with some minor exceptions).

Congressman Stearns has also put in the law that you will be unable to sue a company that leaks your information. Recently, he introduced legislation, which was made into law, banning lawsuits against firearm manufacturers.

Mr. Vamosi states the very reason data breaches are important to communicate to individual compromised, "they're an important insight into the unregulated data warehouse industry, where your purchases at Wal-Mart, combined with your driving history and online newsgroup postings, could someday determine whether you get a job or get that promotion you've long deserved."

Let's face it, SB 1386 has done a lot of good and exposed numerous security flaws in the world of big business. Laws should be made to protect the people versus protecting "big business" at the people's expense. The corporations/politicians supporting HR 4127 need to take a look at how "data breaches" occur and take action to prevent them. Should they fail to do do, they should be held accountable.

I would recommend that anyone concerned with this issue write, Arlen Specter (R-Pennsylvania), Dianne Feinstein (D-California), Patrick Leahy (D-Virginia), and Russ Feingold (D-Wisconsin) and urge them to push through S 1789, which is a far better law.

To my friends in the State of Florida, where I have two loved ones residing, let Congressman Cliff Stearns (R-Florida) know how you feel and remember this when you cast your vote.

To write any of these representatives and let them know how you feel, go to: http://www.house.gov/writerep/.

For the very informative and (inspirational) article by Robert Vamosi, click on the title of this post!

Saturday, November 12, 2005

RFID, How Effective for the Long Term and What is the Cost?

Back in the nineties, EAS (Electronic article surveillance ) tags were upgraded to explode with ink to prevent shoplifting. At first, they did have an impact in reducing pilferage, but eventually the criminal element and even teenagers started freezing the tags before breaking them off. This made the technology a lot less effective and didn't take a tremendous amount of skill.

If you are like me, someone has left one of those tags on an article that you've purchased. When you left the store, the alarm didn't go off (they often don't, or are set off by something other than the tag) and when you got home it was a major inconvenience. Likewise, the alarm sounding as you are walking out the door (because of a malfunction, or a clerk forgetting to remove a tag) can be quite embarrassing (annoying), also.

Historically EAS, in all it's forms, seems to have a lot of similarities to RFID (Radio Frequency ID). RFID seems to be the replacement for EAS in retail environments and libraries, but as technology progresses there are differences.

Although, extremely inconvenient and sometimes embarrassing, one can recover from this (EAS problems) rather quickly. With RFID (Radio Frequency ID), the potential inconvenience and embarrassment can be long term, especially if one's identity is stolen, or it is used to spy on their personal life. Additionally, where EAS tags are supposed to be removed, RFID stays with whatever it was implanted in and with wireless technology, it can be read from afar.

Like EAS, RFID was initially pushed by security firms to be sold to the retail industry. There are people making a lot of money off this technology, especially now as governments are becoming customers.

There has been a recurring theme of technology being used for the wrong purpose in the name of security, or marketing. Furthermore, it seems that legislation (which is normally mired down in red tape by special interests) has had a hard time keeping up in the internet age. Examples would be all the Spyware, Adware and Keyloggers, all of which were developed for business purposes (questionable) and now are routinely used by criminals to commit fraud. Another example would be with the information industry, which (for years) has gathered all our personal details and then made them available for sale. The problem being that sometimes our information is being sold to, or easily accessed by criminals, who then victimize us for their personal profit.

To make matters more bizarre, this creates more opportunity for (probably some of the same people) to develop products to counter the products that are being abused. This translates into the poor "Joe" on the street paying for the products to counter the products they profited from (and Joe paid for) in the first place. Few of these counter-products are given away free and someone is making a pretty profit from them. In the not too distant future will be paying for products to counter the abuses of RFID?

A glaring example of this would be our three major credit bureaus and some others (financial institutions), who indexed, sold and bought our personal information for years, (they made billions from this). They are now marketing a new product "identity theft protection/insurance," which is a growing business.

If one were to follow recent data intrusions (where untold amounts of personal and financial information were stolen) to the company concerned, you would find many of them selling this product (identity theft/protection insurance). In many instances, it was alleged that the data theft(s) were accomplished due to a lack of , or substandard security practices. Their solution is to continue selling your information and add value to their bottom lines by making you pay for the security (protection).

Now we are headed down the RFID road. There are many legitimate uses for RFID, but can it be defeated and what are potential abuses, when it is routinely for sale over the internet?

Here is an interesting article from Forbes, Forbes.com: A Hacker's Guide To RFID . Although it primarily expresses how easy it might be to defeat RFID in a retail environment, government applications are relatively new.

Stop RFID - RFID privacy issues and news. This site is an excellent resource on the implications, (loss of privacy) that RFID will create.

What concerns me even more is that when I ran some simple searches on Google, such as RFID "Phreak, Hack and Crack," I came up with some pretty astonishing results. The bottom line is there seems to be (even though RFID is a new technology) people developing ways to defeat it and if the "search" results on Google are remotely accurate, we are in trouble.

Even without the hackers working fastidiously, there are other ways defeat RFID besides technology. This is especially in the identification arena, which is one of the most controversial. For years, people have obtained identification with other fake identification/documents. Unless all identification/documents are RFID protected, criminals and even illegal immigrants will be using this method to defeat RFID technology.

We are all paying for RFID, both in the cost of increased prices and in taxes. In addition to this, there are other hidden costs, such as our rights to privacy to consider, as well as, future costs we might be asked to bear. Hopefully, those who are proponents of this technology are being diligent and protecting the interests of their customers and citizenry.

Should they fail to do this, I recommend the citizenry and the customers speak loudly with their vote and their shopping preferences.

Here are some previous posts, I've done on RFID; RFID, Abuse in the Private Sector? and RFID, A Necessary Evil; or an Invasion of Privacy?

Friday, November 11, 2005

Google, Yahoo, now Microsoft..under Attack

In the past three days, the "big three" internet services have come under attack. First Google, then Yahoo and now Microsoft.

Here is the latest alert from our friends at Websense:

"Websense® Security Labs™ has received reports of a email scam disguised as a Microsoft Security Update for Explorer.exe. Users receive a spoofed email message instructing them to click on a link to immediately download and install a bugfix from Microsoft.

The link in the email takes the user to a fraudulent website, designed to appear as the legitimate Microsoft Windows update site. The security update hosted on this page is actually a backdoor Trojan horse . Upon execution, the backdoor sends an HTTP request with the IP address of the infected computer and then waits for a connection from the malware author.

The site hosting the malicious file is in the United States, the site where the IP address is reported is hosted in Germany. Both were online at the time of this alert."

Although not specific, my guess is that the intent in this attack is to capture a computer for use in a botnet. Criminals use botnets to send SPAM and further their various criminal activities, including identity and financial information theft.

Here are few posts, I've done on botnet activity, Zotob Hackers Caught, Attack of the Worms and More Arrests in Zotob Case .

It appears that the criminal element is gearing up for their traditional activities during the holiday season, which is to steal as much as they can using the sales volume (created by the holiday season) as a smoke screen.

For the full alert from Websense, along with screen shots, click on the title of this post.

Vigilantes on the Internet

Recently in the mainstream press, there has been a lot of news and commentary regarding Vigilantes on the southern borders of the United States. Vigilantism against cybercriminals is also becoming an organized effort on the internet via websites, who play along with the scams in order to waste the time of the fraudsters. This post is dedicated to those involved in fighting 419 (Advance fee fraud) activity.

These groups are organized by websites, such as 419Eater.com. Here in their own words is how they play the game, "So what is scambaiting? Well, put simply, you enter into a dialogue with scammers, simply to waste their precious time and resources. Whilst you are doing this, you will be helping to keep the scammers away from real potential victims and screwing around with the minds of gutless thieves."

There are a lot of these sites out there, here are some of them;

Scamorama.com, great collection of information and scambaits
419 Eater, one of the most famous scambaiting sites
419 Eater's scam baiting community - Forum
The Nigerian Letters
Ebola Monkey Man: Pissing Off Nigerian Scammers
(This one is very amusing)
Frank Rizzo and the 419 Zeros - Scamming the Scammers Without Mercy!
P-P-P-Powerbook, scammer ripped off with really fake Apple laptop
thescambaiter.com, many famous freight-baits originated here
Artists Against 419 - Home of the fake bank database and the FlashMob
scammers-exposed.com - notorious 419 scammers revealed by scam baiters
Conversations with a Nigerian Bank Scammer

One that I visited recently, (which is a Yahoo Group) is "Romance Scam 419 Yahoo Group (US)." When I signed up for this group, I started getting more than 200 e-mails daily from them forcing me to "unsubscribe" due to other commitments. They (as many of the sites do) post pictures of their scammers for everyone to see. I did see evidence that they report activity to the authorities and they claim that law enforcement does monitor the site for intelligence purposes.

Many of these sites do expose fake financial and credit services and I would imagine they have the potential to be a intelligence conduit for law enforcement.

Before engaging in any of this, there are dangers to consider. Here is a warning from 419.Eater.com:

"Please remember that these people are CRIMINALS and should be treated as such.

Under no circumstances must you enter into any communications with these people unless you feel you are adequately prepared to deal with them.

Under NO CIRCUMSTANCES give them ANY real private information about yourself. These guys may appear dumb and clueless, but I suspect it wouldn't be so funny if you were to come face-to-face with one of them, although I'll be the first to admit the chances of this happening are astronomical - unless of course you are dumb enough to fly over to meet them in person, in which case you need to be sectioned ASAP!

The tips below are for INFORMATION ONLY. I cannot be held responsible for what you decide to do with the information.

If you are unsure of what you are doing please LEAVE WELL ALONE!"

I would like to add that as technology increases, anyone involved in this activity should become well-versed on the dangers of malware, which is used fraudulent internet activity. Malware can be executed against one's computer system via e-mail and even IM's (instant messaging).

In theory (if not protected properly) this could lead to the scammer turning the tables on the scam baiter and stealing information from their personal computer and even worse, identifying the scambaiter.

There is also the potential in this for sites, or people to be damaged, if wrongfully identified. This has happened in the case of similar sites, which go after sexual predators.

These sites do serve a purpose in fighting fraud and their efforts in most instances are admirable. They can also be used to provide valuable intelligence to law enforcement, who have the resources and expertise to verify the criminal activity and deal with it. If they are simply used for cybersport, then it will confuse and frustrate the scammer, but only temporarily. Nonetheless, these sites serve to raise awareness, which is key in the fight with 419. Besides that sometimes a little revenge is "Chicken Soup for the Soul."

Here is a link, courtesy of my friends at Quatloos, where you can find a lot of resources to report any activity to Law Enforcement.

For the last word from the Ebola Monkey Man, click on the title of this post.

Thursday, November 10, 2005

Yesterday Google, Today Yahoo Users Targeted in Phishing Attack

Yesterday, the good name of Google was being used by the fraudsters to "phish" financial information. Today, Google's main competition "Yahoo" is under attack. Yahoo users are getting instant messages (IM's) telling them their account will be blocked unless they respond to a terms of service (TOS) violation.

The uninformed (unfortunate) person (who responds to this) will be tricked into clicking on a URL that takes them to a malicious (fraudulent) website, where they are asked to provide their login and password information.

This latest scam was discovered by the IMlogic Threat Center, who named it "IM.Marphish.Yahoo."

It's not clear what information will be stolen once this occurs, but that probably depends on what can be accessed on an individual (Yahoo) account. Normally, the goal in these scams is to steal personal and or financial information.

In my humble opinion, the best resource to learn more about phishing and how to protect yourself is the Anti-Phishing Working Group (APWG).

On their website, they have a link that is well worth reading for anyone who wants to learn how to protect themselves; How to Avoid Phishing Scams.

For anyone interested in reading the specific report from the IMlogic Threat Center, feel free to click on the title of this post.

Wednesday, November 09, 2005

Phishing Scam Promises $400 from Google

When something is popular, such as Google, the scammers pick it to perform their misdeeds. Here is a current (site allegedly still active) warning regarding a phishing scam spoofing Google from our friends at "Websense."

"Websense® Security Labs™ has received reports of a new phishing attack that targets users of Google's search engine. Users are redirected to a spoofed copy of Google's front page with a large message claiming "You WON $400.00 !!!". Users are presented with instructions for collecting their prize money. These instructions direct users to enter their credit card number and shipping address. Once the information has been collected, users are directed to Google's legitimate website."

If anyone is interested in protection against rogue websites and phishing, here is a pretty good resource, I mentioned in an earlier post; TrustWatch Search Engine .

For screen shots of what this scam looks like, click on the title of this post.

Sunday, November 06, 2005

Deb Radcliff, Cybercrime Educator/Author

Recently, I have had the honor of corresponding with Deb Radcliff (pictured on right), who has an impressive background as an educator/author. What I like about her style is that she has a "no holds barred" approach and doesn't worry about being "politically correct." Deb also seems to hit a key point in her writing, which is the solution to this type of crime cannot only be technical, but that the social issues must be addressed also.

Some of her accomplishments include:

"Winner of several awards, including two Jesse H. Neal Awards, one for best individual feature, Class B sized magazine for cover story, "Hackers, Terrorists and Spies" (Software Magazine, 1998) and for group reporting, best news story, Computerworld, "Wireless LANs: Trouble in the Air," 2003, by the American Business Press.

Annual speaker at West Point Military Academy, Dept. of Computer Science and Engineering.

Launched a "Hack of the Month" column for Computerworld in 1999.

The FBI requested reprint rights to "Barbarians at the Firewall," Byte, 1996, to train its new cyber crime unit investigators.

Her stories are now posted on more than 500 news, business, hacker, government and consumer sites (many on CNN and The Register) and are also used in training materials, guidebooks and college textbooks, including McGraw-Hill's Violence and Terrorism, 2003/2004."

Although Deb writes for a lot of different publications, she recently accepted an assignment with Network Life, which is owned by Network World. She also does several blogs, Security Chief, Security Awareness and Online Crime Bytes.

Deb is a must read for anyone interested in the constantly changing world of computer/internet crime. With these types of crimes constantly mutating, she is also probably one of the best resources for a person to be educated against the perils that face us from this menace today.

To view Deb's personal website, you can click on the title of this post.

Saturday, November 05, 2005

New PayPal Phishing Scam Mutation

My internet friend, Paul Young (author of a blog, which is a great read, prying1), sent me some interesting information of value to anyone doing business with PayPal. PayPal, E-Bay and other auction related sites are continuous targets for all sorts of internet fraud, particularly 419 (Advance fee fraud) and phishing.

Paul is pictured on the right.

Here is his post, which preceded most of the mainstream media reports on this:

"Websense Security Labs has received reports of a new attack that targets users of PayPal. The attack begins with a spoofed email phishing message that provides a link to download the executable "PayPal security tool" file.

The executable, named 'PayPal-2.5.200-MSWin32-x86-2005.exe', is a Trojan Horse which modifies the DNS server of the local workstation and then deletes itself. All future requests for 'paypal.com' will be transparently redirected to a phishing website. This same DNS server could also be used to redirect requests for additional websites, but it currently appears to only redirect 'paypal.com'.

The next time the user attempts to visit the PayPal website, they will instead arrive at a phishing site. The web address shown in the browser's toolbar will appear to be correct. Upon log in, the phishing site will request the user update their account. They are prompted to enter the following information: Name, Credit/ATM Card, Billing Address, Phone Number, Social Security Number, Mother's Maiden Name, Date of Birth, Driver's License, and Bank Account/Routing Numbers.The Trojan Horse is currently not detected by any anti-virus vendors. The malicious DNS server is hosted in Romania while the phishing server is hosted in India. Both were online at the time of this alert."

People become victims daily via internet scams on auction sites and financial service sites. As the post from Paul states, "the DNS server and phishing server for this latest scam mutation are still active." This fact illustrates how vulnerable, we all are with criminals operating in a "borderless" environment. In fact in this "borderless environment," those with the swords often unable to react quickly enough to solve the problem. This isn't their fault as they are also forced to operate in borderless environments, (where red tape and politics hamper their efforts). Paul is using the other weapon that can prevent someone from becoming victimized in the first place.

Paul's weapon of choice is the pen, which might be (currently) the most effective means of dealing with this worldwide problem. Awareness and communication can and will defeat most of these dastardly deeds.

I salute Paul and his efforts!

For the initial alert from Websense on this, click on the title of this post.

Thursday, November 03, 2005

The Impact of Sarbanes Oxley

The Sarbanes-Oxley Act came into play in the wake of a series of scandals that put a few CEO's and company officers behind bars.

I've done a few posts on these fine individuals of "means" that ruined people's employment and bilked their investors of hundreds of millions, if not billions of dollars.

All Criminals are the Same

The Road to Justice is Slow for Aunt Millie

Farewell Mr. Ebbers (Former WorldCom CEO)

Today, I read an interesting press release on how effective Sarbanes Oxley has been.

"Oversight Systems Inc. today announced the findings of the "2005 Oversight Systems Report on Corporate Fraud," a survey of certified fraud examiners. The report explains that most fraud examiners view Sarbanes-Oxley (SOX) as an effective tool in fraud identification, though few think it will change the culture of business leaders."

In the press release fraud examiners were polled on recent cases on whether the defendants were guilty, or not.

"The percentage of respondents who thought the following executives are guilty of the charges against them is listed below:

John Rigas, Adelphia Communications - 95 percent, Jeffrey K. Skilling, Enron - 95 percent, Kenneth L. Lay, Enron - 96 percent, Richard Scrushy, HealthSouth - 93 percent, Martha Stewart Living Omnimedia - 72 percent, L. Dennis Kozlowski, Tyco International - 96 percent and Bernard J. Ebbers, WorldCom - 97 percent."

They also present some interesting statistics on identity theft.

"Identity theft is one of the more prevalent forms of fraud known by the average American. A February 2005 Federal Trade Commission report stated that for the year 2004, the commission received more than 635,000 reports of consumer fraud and identity theft, with identity theft accounting for 246,570 of the complaints (39 percent).


The "2005 Oversight Systems Report on Corporate Fraud" revealed that 22 percent of respondents think the justice system must get tougher on the identification and prosecution of identity thieves. Additionally, 19 percent believe that the federal government needs to pass national identity-theft-protection legislation, and another 19 percent feel regulators and consumers must work together to manage consumer information.

Some respondents believe that individuals are the first and most important line of defense. Taking ownership of one's own personal information was identified by 16 percent of respondents as the best way to reduce identity theft."

The survey was done by 208 certified fraud examiners at a conference for the Association of Certified Fraud Examiners. On one hand, it shows that these issues are very much in the public eye, but I find it concerning that 208 professionals are predicting that the positive changes might only be of a temporary nature.

Of course, being in the business of fraud myself, I would also say that certified fraud examiners make their living off of fraud and this very fact could sway their predictions. After all, it's how they earn a paycheck.

On the other hand, fraud has been on the rise for years and there is still a lot of work to do. Raising awareness and harnessing the collective voice of those, who have, or could be made victims is key to changing laws that will make permanent change.

The full survey can be viewed by clicking on the title of this post.

You can voice your opinion on these statistics by leaving a comment on this post.


Tuesday, November 01, 2005

Consumer Confidence in E-Commerce Declining

Less than a year ago, all the experts were saying that that e-commerce had and was growing at a rapid pace. Based on a survey conducted by Consumer Reports Webwatch, this might be changing and one of the reasons is the fear of identity theft.

Here is some background information on Consumer Reports Webwatch:

"Consumer Reports WebWatch is a project of Consumers Union, the non-profit publisher of Consumer Reports magazine and ConsumerReports.org, and is funded by The Pew Charitable Trusts and the John S. and James L. Knight Foundation and the Open Society Institute. The Consumer Reports WebWatch site is not-for-profit and its content is free."

The survey revealed, the following trends:

"KEY FINDINGS
Consumer Reports WebWatch obtained telephone
interviews with 1,501 U.S.-based adult Internet
users and discovered:

■ Nine out of 10 U.S Internet users over 18
have made changes to their behavior due to
fear of identity theft.

■ Of those changes, 30 percent say they have
reduced their overall use of the Internet.

■ 25 percent say they stopped buying things
online.

■ Among those who shop online, 29 percent say
have cut back on how often they buy things."

Consumer Reports Webwatch has an excellent website, which can be viewed at: http://www.consumerwebwatch.org/index.cfm.

The actual report, which covers a lot more than identity theft concerns can be viewed by clicking on the title of this post.

These statistics indicate to me that fraud on the internet is causing more than direct financial losses. In fact, if it is causing a loss in "sales" to retailers, it is now showing the ability to have a negative effect on the economy in general.

Large corporations are and should continue to increase consumer confidence in the way they protect their customer's information. Should they fail to do this, it is likely to take a toll on their bottom lines.