Sunday, January 27, 2008

Cloned business and law enforcement vehicles used as a smuggling tool


(Picture of "toy" Border Patrol vehicle courtesy of SpongeBob22 at Flickr)

It appears that the criminals exploiting our notoriously "not very secure" Southern border have a new tool in their arsenal.

Vehicles bearing fake logos of the Border Patrol, FedEx, DirecTV and everyone's favorite source of outsourced goods, "Walmart," are being used to smuggle illicit merchandise and human beings across the border.

Brian Ross (ABC News) reports:

A fake U.S. Border Patrol van was found to be carrying 31 illegal aliens in Casa Grande, Ariz.

An alert agent recognized that the "H" in the van's serial number is a letter used only on U.S. Border Patrol Jeep Wranglers. It should have been a "P."

"Neither emergency service vehicles nor any government vehicles are exempt from terrorist or other criminal use," the report warns its law enforcement readers.
The ABC report didn't have much source information about this case so I decided to do a little digging.

I started at the Border Patrol site -- and although I found press releases with an impressive (overwhelming) amount of illegal activity they are catching -- I couldn't find anything on cloned vehicles.

Sadly enough, we are seeing border patrol agents pay the ultimate price trying to defend our borders, and as most people know two of them are in prison for shooting a known drug smuggler.

Digging a little deeper, I found a story on WFAA TV (Dallas) by Rebecca Lopez with more detail on this. Both reports reference a report (I couldn't find) from the Texas Department of Public Safety.

Of note, there is concern that terrorists could use this method to obtain entry (or worse) into the United States. The report referenced has allegedly been passed out to law enforcement agencies nationwide.

The WFAA story also references a cloned vehicles fact sheet put out by the National Insurance Crime Bureau. Apparently cloning vehicles is a known method used by auto theft rings to fence their stolen merchandise.

Recently, there was quite a bit of uproar over Mexican truck drivers being given carte blanche access to U.S. roadways. Sadly enough, with cloned vehicles and the easy availability of counterfeit documents (identification) -- it might be difficult to tell the difference between legitimate and illegitimate truck drivers.

I've frequently covered counterfeit documents on this blog, as well as the ease with which they are obtained. A lot of these posts reference Suad Leija, who has been covered frequently in the press regarding the assistance she has given the government in exploring the problem we face with counterfeit documents (paper weapons).

Suad assisted the government in their prosecution of the largest counterfeit document cartel operating in this country. The case is still pending in court.

ABC News story by Brian Ross, here. Of note, boingboing, which is a much more popular blog than this one, linked to the Brian Ross story on this, also.

My daughter and her partner sent me the boingboing link, which inspired me to write this rant.

WFAA did a video presentation of this story, which is on YouTube:

Saturday, January 26, 2008

$7 billion rogue trader turns himself in

The $7 billion rogue trader has turned himself in to French authorities.

Nicola Clark of the NY Times just reported:

Jérôme Kerviel, a former trader at Société Générale, surrendered to the police on Saturday as investigators looked into what had caused the bank, one of Europe’s largest, to lose more than $7 billion.

When the story hit the wires, Kerviel's attorney stated that he would be available to speak with judicial authorities.

The $7 billion question for the authorities and the rest of us is:

The bank’s management has come under increasing pressure from French officials to provide a more detailed accounting of how Mr. Kerviel could have racked up such enormous losses by himself, over a year, without raising any red flags among either his supervisors or the bank’s internal auditors.

Many familiar with the situation are speculating that the recent problems with the stock market caused the losses to unexpectedly grow, which led to them becoming transparent.

NY Times story, here.

My original post on this (probably historical case), here.

Scientology taken on by anon hackers

There seems to be a growing controversy with Scientology recently. Not sure why, it didn't exactly appear on the scene yesterday. Besides that, most of us are supposed to believe in "freedom of religion."

Well .... I guess the word "most" doesn't necessarily mean "all?"

A lot of people seem to be harmed in the name of religion! When this occurs there seems to be a lot of disagreement on what the "word" actually is.

I try to be one of those people, who believes in freedom of religion so I'm not going to come to any conclusions in this post and merely document the phenomenon.

The most recent twist to the public focus on Scientology is that "anonymous" hackers reportedly shut down their site with a DDoS attack.

CNet (Robert Vamosi) did an interesting article about the conflict this anonymous group has with the Scientologists.

In it he writes:

A group of vigilantes--calling themselves Anonymous, or Anon--are escalating their attacks against the Church of Scientology in what they consider to be Internet censorship by issuing new video challenges.

The CNet article references a YouTube video posted by this anon group (still up and running).

The article references a website called "Project Chanology," which appears not to be accessible at the present time. I wonder if the Scientology folks counterattacked?

Interestingly enough, I checked and Scientology.org is up and running as of this writing.

Undaunted I did a little more digging and found a decent "Wikipedia" write-up on Project Chanology, here.

Here is a snippet from Wikipedia on the latest attack by Anon:

Calling the action by the Church of Scientology a form of Internet censorship, a series of DDoS attacks against Scientology websites, prank calls, and black faxes to Scientology centers were organized. They call for this to continue until they have "total and complete destruction of the present form of the Church of Scientology". Members of "Anonymous" were directed via a web site set up for the group to download denial of service software in order to take down the website Scientology.org.

According to the Wiki, a lot of the recent focus on this started after the unauthorized biography on Tom Cruise was published and the "Church" threatened YouTube with a lawsuit over a video showing "a manic-looking Cruise who gushes about his appreciation of Scientology."

Of course, I can remember Tom gushing on Oprah's couch over Katie in what some would consider a manic manner, also. Maybe gushing in a manic manner is part of his personality?

As a disclaimer, I know a lot of guys who have done a little manic gushing over a woman they were in love with. The difference probably is that most of them never get a chance to do it on the Oprah show.

Here is the latest YouTube video from Project Chanology:

Kidnapping scams head North of the Border

Over the years, I've heard stories of illegal immigrants having family members kidnapped, or held in safe (?) houses until they pay up. Sometimes the kidnapping occurs in Mexico -- where kidnappings are common -- and the illegal aliens are compelled to wire money for the release of their loved one(s).

Dane Schiller of the Houston Chronicle recently wrote an interesting article about this with a slightly different twist. In this article, the alleged victim fakes the kidnapping and attempts to collect the money, herself.

From Dane's article:

A chilling voice mail came over Delfino Ramirez Diaz's cell phone: His pregnant and sobbing girlfriend told Ramirez she'd been snatched by kidnappers and only a ransom of $10,000 would stop them from inducing labor and selling their twins on the black market.

"Help me, my love! Help me!" Maria Isabel Puente said in Spanish. "They said they are going to give me an herb to remove my babies," she continued. "I love you so much. Whatever happens, I love you so much."

The incident, which police said played out quietly in Houston last week, turned out to be a scam.

The article quotes a retired FBI agent, who is now the mayor of a town in Texas as saying:

Retired FBI agent Raul Salinas, who taught anti-kidnapping courses to Mexican police and is now mayor of the border city of Laredo, said kidnapping scams are so common in Mexico that there is a term for them — autosecuestro — which basically translates as "self-kidnapping."

"I handled a couple in Mexico City — they would claim they were kidnapped and they were just trying to extort their families," Salinas said.

Going back to the alleged kidnapping in the article, police found the so-called victim in an apartment and arrested her.

Interesting article from the Houston Chronicle, here.

When I first started writing this post, I referenced a few personal instances of hearing about illegal immigrants being kidnapped, or having family members held for ransom. I decided to run a Google search, "illegal immigrants kidnapping," and found a lot of references to this subject. If you would like to see for yourself, the search results are here.

Since illegal immigrants are generally fearful of reporting things to the authorities, it makes me wonder how much of this might be going on?

No matter what side of the immigration debate you are on (one thing is for certain) a lot of criminal activity is hidden within this growing issue.

Friday, January 25, 2008

The $7 Billion Fraudster


(Photo courtesy of Zorg at Flickr)

Jerome Kerviel -- who may have cost his employer somewhere around $7 billion -- might prove that no security system is flawless, especially when the person compromising it has been given access to it.

Molly Moore of the Washington Post reports:

For five years, Jérôme Kerviel toiled in the back offices of Societe Generale, learning the intricacies of the six-layer security system that France's second-largest bank used to protect its money, investors and customers from fraud, according to bank officials here.

Kerviel then made an unusual career move. He was promoted to trader -- becoming one of the very employees the security systems are designed to oversee and keep honest.

Of course, no exact details (they seldom are, for obvious reasons) are being given as to how Jerome pulled this off, but he is being described as a "computer genius."

I did notice in the Washington Post article that Jerome was keeping two sets of books, which is an age-old method of committing white collar crime. Jerome was also voiding transactions to cover up questionable transactions, which is hardly a new method of fraud, either.

The trader maintained two sets of books, one in which he kept accounts of his successful investments, and a secret parallel book where he was "voiding his losing positions," Bouton said.

"He knew when controls were going to take place," Bouton said, because "over the years he had become an expert in controls." Bouton said Kerviel managed to outmaneuver six levels of controls and firewalls intended to detect and prevent fraud.

Most high tech fraud is based on tried and true (even historical) methods of deception. Too often, organizations rely on computerized detection systems that might be a little too predictable. This is especially true when dealing with someone, who has been given access to them and understands how they work.

All too often, organizations are sold one form of technical protection only to find out that in a given period of time, someone has figured out how to circumvent them. Once this occurs, they need to buy another system, which might be circumvented over time, also.

Human beings are very adept at figuring out how to circumvent (hack) systems. In fact, there seem to be communities of people dedicated to hacking whatever new technology comes out.
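The control the Post article describes being beaten is an internal one: the trader kept the book, so the book could be edited. As an added example (not code from the original post, the bank or the Post article), here is a small Python reconciliation that compares a trader-maintained book against confirmations obtained independently from the counterparty or clearing house. A position marked "voided" internally but still confirmed externally is exactly the discrepancy a parallel book is meant to hide. The trade records, amounts and field names are constructed for the illustration; a real desk would feed this from its own systems.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BookEntry:
    trade_id: str
    notional: float   # signed exposure as recorded in the trader-maintained book
    status: str       # "open" or "voided" in that book


@dataclass(frozen=True)
class Confirmation:
    trade_id: str
    notional: float   # exposure as confirmed independently by the counterparty


def reconcile(book, confirmations):
    """Compare the trader's book with independent confirmations.

    Returns a dict with three findings:
      voided_but_confirmed - trades the book marks voided but a counterparty still confirms
      open_but_unconfirmed - trades the book shows live that nobody outside confirms
      hidden_exposure      - total confirmed notional of the voided-but-confirmed trades
    The point is that the trader cannot edit the confirmations, so voiding a
    losing position in the book only creates a mismatch here.
    """
    confirmed = {c.trade_id: c for c in confirmations}
    voided_but_confirmed = []
    open_but_unconfirmed = []
    for entry in book:
        if entry.status == "voided" and entry.trade_id in confirmed:
            voided_but_confirmed.append(entry.trade_id)
        elif entry.status == "open" and entry.trade_id not in confirmed:
            open_but_unconfirmed.append(entry.trade_id)
    hidden_exposure = sum(confirmed[t].notional for t in voided_but_confirmed)
    return {
        "voided_but_confirmed": sorted(voided_but_confirmed),
        "open_but_unconfirmed": sorted(open_but_unconfirmed),
        "hidden_exposure": hidden_exposure,
    }


# Constructed sample data (hypothetical trades): T2 is a losing position that was
# "voided" in the trader's own book, but the counterparty still confirms it;
# T3 is live in the book yet has no confirmation at all.
SAMPLE_BOOK = [
    BookEntry("T1", 5_000_000.0, "open"),
    BookEntry("T2", -12_000_000.0, "voided"),
    BookEntry("T3", 2_500_000.0, "open"),
]
SAMPLE_CONFIRMATIONS = [
    Confirmation("T1", 5_000_000.0),
    Confirmation("T2", -12_000_000.0),
]

if __name__ == "__main__":
    for finding, value in reconcile(SAMPLE_BOOK, SAMPLE_CONFIRMATIONS).items():
        print(f"{finding}: {value}")
```

The useful property is that the comparison does not depend on the trader's records being honest; whoever runs it only needs read access to the confirmations. Running it on an unannounced schedule rather than at known control dates removes the other advantage the article mentions, knowing "when controls were going to take place."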

If Jerome was able to cost his employer $7 billion, he has set a new record. The person, who set the previous record is mentioned in the Post article, and even made a quote from prison:

If confirmed, the losses at the bank would be the largest ever caused by an individual trader. They are far higher than the $1.4 billion run up by trader Nick Leeson in the mid-1990s in Singapore. His fraud caused the collapse of the institution where he worked, Britain's 233-year-old Barings Bank.

Leeson, now living in Ireland after serving a prison sentence in Singapore, told the BBC that he was not shocked such a fraud had happened again, but that "the thing that really shocked me was the size of it."

Maybe we shouldn't be so shocked? Perhaps the problem is an over-reliance on systems to prevent fraud without enough human interface? Computers only do what they are told to do and it takes a human being to circumvent them.

Technology is a wonderful thing and a great tool, but when it comes to protecting anything, common sense and the human factor need to be considered carefully, also!

The Washington Post article also has some interesting speculation on how this might have had an effect on global markets. The article can be seen, here.

Tuesday, January 22, 2008

Symantec reports sighting drive-by pharming in the wild



We hear a lot about phishing, but we don't see a whole lot written about pharming. According to a post on Symantec's blog by Zulfikar Ramzan, we might start seeing pharming mentioned a lot more than it has been in the past.

According to Zulfikar, the first instances of drive-by pharming are being seen in the wild (on the Internet). This means a computer can be infected by merely viewing an e-mail, or website without clicking on an attachment, or link.

"Pharming (pronounced farming) is a Hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software," according to Wikipedia.

In Zulfikar's own words:

In a previous blog entry posted almost a year ago, I talked about the concept of a drive-by pharming attack. With this sort of attack, all a victim would have to do to be susceptible is simply view the attacker’s malicious HTML or JavaScript code, which could be placed on a Web page or embedded in an email. The attacker’s malicious code could change the DNS server settings on the victim’s home broadband router (whether or not it’s a wireless router). From then on, all future DNS requests would be resolved by the attacker’s DNS server, which meant that the attacker effectively could control the victim’s Internet connection.

Here is a further description of the activity seen in the wild, which reveals how deceptive (not to mention deadly) this type of pharming attack could be:

In one real-life variant that we observed, the attackers embedded the malicious code inside an email that claimed it had an e-card waiting for you at the Web site gusanito.com. Unfortunately the email also contained an HTML IMG tag that resulted in an HTTP GET request being made to a router (the make of which is a popular router model in Mexico). The GET request modified the router’s DNS settings so that the URL for a popular Mexico-based banking site (as well as other related domains) would be mapped to an attacker’s Web site.

Now, anyone who subsequently tried to go to this particular banking Web site (one of the largest banks in Mexico) using the same computer would be directed to the attacker’s site instead. Anyone who transacted with this rogue site would have their credentials stolen.

Please note that many users fail to change preset (factory) passwords, which leaves hardware vulnerable to being compromised. These preset passwords aren't very difficult for those with malicious intent to get their greedy paws on. I've even run into preset passwords on technical manuals posted on the Internet.

What is SCARY in this instance is that the specific router targeted in this attack didn't need a password to compromise the system.

Quite simply, the router didn't authenticate the request.

The malicious code which makes this attack possible can be inserted on the inside of an e-mail message, or directly off a web page. It isn't necessary to click on something to start the execution (pardon the pun) process.

Once this occurs, the hacker controls your router and can send you anywhere they want to.
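The tell-tale of the e-card variant above is an image (or other automatically fetched resource) whose address points at a private LAN address such as the home router, which no legitimate e-card has any reason to do. As an added example, not code from the original post or from Symantec, here is a small Python checker a mail filter or a curious user could run over the HTML of a suspicious message to flag such references. The sample e-mail, the router path in it and the tag list are constructed for the illustration; the only real thing it relies on is the standard library.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Address ranges a public web page or e-mail should never need to fetch from:
# RFC 1918 private space, loopback, link-local and their IPv6 equivalents.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


class _ResourceCollector(HTMLParser):
    """Collects URLs from tags that a browser or mail client fetches without a click."""
    AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.AUTO_FETCH.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def _is_private_host(host):
    """True for literal addresses in the private/loopback ranges and for 'localhost'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return any(ip in net for net in PRIVATE_NETS)


def find_lan_fetches(html):
    """Return every auto-fetched URL in the HTML whose host is a LAN/loopback address."""
    collector = _ResourceCollector()
    collector.feed(html)
    hits = []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
            continue  # relative paths, cid: images and the like cannot reach the router
        if _is_private_host(parts.hostname):
            hits.append(url)
    return hits


# Constructed sample: an "e-card" notice with one ordinary banner image and one
# one-pixel image aimed at the home router. The path is a placeholder, not any
# real router's configuration endpoint.
SAMPLE_ECARD_EMAIL = """
<html><body>
<p>You have an e-card waiting! <a href="http://www.example.com/ecard">View it</a></p>
<img src="http://www.example.com/ecard/banner.png" width="400">
<img src="http://192.168.1.1/EXAMPLE-admin-page?example_param=1" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for url in find_lan_fetches(SAMPLE_ECARD_EMAIL):
        print("suspicious LAN fetch:", url)
```

This only catches requests that name a private address literally, so it is a first filter rather than a complete defence. Changing the router's factory password and checking that the router refuses configuration changes it has not authenticated, which is the failure Zulfikar describes in the case above, remain the actual fix.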

Zulfikar offers a lot of sound recommendations on how to protect yourself from pharming attacks.

Note that he still recommends changing the factory preset passwords on any router you might own. The problem in the instance observed occurred with a particular type (brand) of router.

To view these recommendations, I recommend you read his interesting post, which can be seen, here.

Truston Identity Theft Services recognized in Javelin Report as standing apart from the competition

Tom Fragala, CEO of Truston, just dropped me a line about his "privacy friendly" identity theft protection and recovery service being mentioned in the most recent Javelin report.

In Tom's own words:

Truston was featured in a Javelin Strategy & Research research report entitled "Identity Fraud Protection Services: Double Digit Growth to Continue."

The report, released December 2007, provides a comprehensive analysis of the key identity theft protection services and is based in Javelin's leading consumer survey data. According to the report, "MyTruston stands apart from other identity protection vendors in this space."

Other companies featured include Equifax, Experian, TransUnion, Fair Isaac, LifeLock, Debix, FraudStop (Identity Safeguards), Identity Guard (Intersections,Inc.) and TrustedID. Read the report brochure here (PDF) and our press release.

Truston stands apart from the other services because it is privacy friendly. Other services require that you give them all your personal information to be maintained in (my guess) another database. The other feature Truston offers is free prevention tools. A customer only pays for recovery IF and when they become a victim.

The report mentions that there is double digit growth in this industry despite reports showing that identity theft has been on the decline for the past three years.

Please note that a lot of people, watching the identity theft problem, don't necessarily agree with this statement. Maybe this is one of the underlying reasons for the double-digit growth?

One of the biggest problems in compiling accurate statistics is that not all identity theft is reported. A large portion of it is simply written off as a loss by financial institutions, and never reported outside these institutions to the organizations putting together the statistics.

Tom is also a blogger and writes about identity theft. His blog can be seen, here.

Sunday, January 20, 2008

Do secure storage/destruction facilities really protect information from theft?

Information by its very nature is hard to inventory. Let's face it, it isn't cash or precious gems and it can be copied in a LOT of different ways.

This fact also gives the entity losing it a lot of deniability. Most of the time, it's impossible to be 100 percent sure what happened to any information discovered missing.

Could a tape gone missing at a secure storage facility owned by Iron Mountain containing 650,000 customer files reveal that these facilities provide us with a false sense of security?

Robert McMillan at Computer World is reporting the latest information on this story:

A backup tape containing credit-card information from hundreds of U.S. retailers is missing, forcing the company responsible for the data to warn customers that they may become the targets of data fraud.

GE Money, which manages in-store credit-card programs for the majority of U.S. retailers, first realized that the tape was missing from an Iron Mountain secure storage facility in October, said Richard Jones, a company spokesman. "We were informed that one of the tapes could not be located. But at the same time there was no record of it ever having been checked out," he said.

The tape contained in-store credit-card information on 650,000 retail customers, including those of J.C. Penney, he said. GE Money employees are also affected by the breach.

Please note, there are reports that 230 retailers lost information and J.C. Penney is just one of them.

Secure storage/information destruction businesses have seen explosive growth due to all the compliance regulations we've seen enacted in recent years.

Many of them, including Iron Mountain, advertise state-of-the-art physical security standards. I did take the time to watch the videos on this at the Iron Mountain site, and although they are impressive, the measures they take are pretty common at most secure buildings.

Secure buildings have been burglarized before.

I would also guess that even if external compromise were ruled out, the information can still be stolen by anyone who has been given access to it. Again, we are dealing with a commodity that is hard to inventory and can be reproduced (copied) in a lot of different ways.

Another point to reflect on is that a lot of this information is brought to these facilities to be destroyed. Since the information being destroyed isn't inventoried, it's probably impossible to go back and verify whether the information was actually destroyed.

My guess is that the biggest threat to information stored at these facilities is human beings, who make mistakes or can intentionally commit wrongdoing.

How valuable would a plant, or a recruit be to an identity theft gang in one of these facilities? My guess also is that as long as they were not very greedy, they could probably operate for a long time and never get caught.

Again, it is very hard to inventory information, which makes theft detection difficult, also.

When watching Iron Mountain's security videos, they mention that they put their employees through extensive background tests. In today's world, with all the stolen identities and counterfeit documents available, the effectiveness of background checks is questionable, also.

To support this, I would point to the fact that millions of illegal immigrants seem to have no problem passing them.

Please note, I'm not worried about the illegal immigrants trying to make a better life for themselves. The problem is all the criminals, who hide in the camouflage the illegal immigration phenomenon provides.

So far as the people coming here to earn a decent living, they wouldn't be here if there weren't a lot of jobs available to them.

I don't want to pick on Iron Mountain too much. They aren't the only players in this growth industry. In fact, the security they provide is probably as good, or better than most of their competition.

The problem is that in actuality, they are just one more place information can be compromised. By their very nature these facilities are a point of consolidation for sensitive information. This makes them a lucrative target for those in the information theft business.

A wise man once said, the best way to protect information is to not store it in too many places in the first place. Unfortunately, as long as information is worth a lot of money, we will probably continue to ignore this sage advice.

The good news is that in this case, we know what information was stolen. This means that measures can be taken to prevent it from being used to commit crimes.

Computer World article by Robert McMillan, here.

Saturday, January 19, 2008

A rumor of electrical power grids being hacked via the Internet

Here is a scary report -- electrical power grids shut off by hackers demanding money using the Internet.

Ted Bridis of the AP is reporting:

Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference.

All the break-ins occurred outside the United States, said senior CIA analyst Tom Donahue. The U.S. government believes some of the hackers had inside knowledge to cause the outages. Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in "several regions outside the United States."

"In at least one case, the disruption caused a power outage affecting multiple cities," Donahue said in a statement. "We do not know who executed these attacks or why, but all involved intrusions through the Internet."

Unfortunately, the CIA doesn't seem to want to verify where this happened.

I did a Google news search and there are power outages being reported all over, but most notably in Africa and Pakistan.

If anyone else cares to speculate, a link to Google and power outages can be seen, here.

The problem is that power outages happen all the time and I'm not sure if the search reveals any unusual activity.

Of course, the CIA will not confirm or deny exactly which outages were caused by hackers.

Apparently, the CIA official announced this at a SANS conference in New Orleans on Thursday. Information Week has more information on this, here.

Nonetheless, if power grids can be shut down using the Internet, it makes me wonder how secure we really are sometimes?

Last summer shutting down power grids was part of the plot in the movie, "Live Free or Die Hard" starring Bruce Willis.

AP article (courtesy of SF Gate), here.

January Symantec Report reveals questionable blogs, polls and Nigerian Scam restitution schemes

If you ever want to know what criminals and other misfits are up to on the Internet, watching spam traffic can reveal a few clues.

After all, spam is the vehicle most cybercriminals use to pass along whatever scheme they have designed to part people with their hard-earned money.

Symantec noted in December that close to 75 percent of all e-mail being sent is spam.

A little over a week ago, they issued their January report, which showed spam levels peaking towards the end of December to 83 percent.

Highlights noted in the January report are:

Holiday Spam Spikes: Spam levels reached new levels as spammers inserted holiday-oriented keywords into everything from subject lines to images.

Spammers Get Honest? Not So Fast: Spammers tried a new twist on an old scam, falsely promising past spam victims restitution of $100,000.

As Oil Prices Hike, Spammers Strike: This new spam claims to identify gas stations that fraudulently tamper with pump prices.

Not-So-Happy New Year: Recipients were invited to download a fun New Year’s song and dance, but instead found themselves downloading something far more malicious.

Presidential Polling Scam: Promising gift cards in exchange for opinions, spammers leverage the US presidential primaries to collect personal information.

Beware of Blogs: The use of blogs within spams appears to be on the rise, particularly in China where simplified character sets are common.

I found the 419 restitution activity interesting. In case you've never heard the term "419," it is the penal code in Nigeria for the infamous Advance Fee scam.

Here is what the report said:

419 spammers who have traditionally used stories about African dictators to defraud individuals have recently changed their approach to these types of emails. Certain 419 scams observed by Symantec this month claim to offer compensation to victims of 419 scams. The scam states that payments will be supervised by UN officials and about 150 scam victims will be paid compensation of $100,000 each. It provides some URL links as a reference to money that was successfully recovered by 419 scam victims. At the bottom of the email, it explains how the money may be recovered and the fraudulent background of such emails may be observed.

Interestingly enough, the Economic and Financial Crimes Commission (EFCC) of Nigeria has made real victims whole with funds seized from 419 scammers. You can see some real examples of this on their site.

The most recent time I mentioned the EFCC on this blog was when they were part of an international task force that intercepted large quantities of counterfeit checks at post offices in several countries. These counterfeit checks are normally used in advance fee scams, where people are tricked into cashing them and wiring the proceeds back to the criminal(s) sending them.

This led to a major press campaign and new website dedicated to educating the public about these checks called FakeChecks.org. The United States Postal Inspection Service, who worked with the EFCC on the task force, is one of the major sponsors of this site.

Most advance fee scams can be traced to a spam e-mail.

So far as the other trends noted, spammers and scammers are very adept at using what is popular or newsworthy to spread their deceit on the Internet.

It's probably not a surprise that they are taking advantage of the rise in oil prices, or political polls to lure people into their web.

If you would like to read more about this, the January report from Symantec can be read in full, here.

Why Walmart might be looking for a few good spies

Ran into an interesting story alleging that large corporations -- in this instance Wal-Mart -- are hiring former government intelligence types to work in their corporate security departments.

The story that I found in RINF.com, which states that they monitor the "surveillance society," focused on Wal-Mart delving into the personal details of two of their former executives.

Apparently, the personal details of an affair became public, when one of the executives was being investigated for a conflict of interest with an advertising agency. The article also states that the executive being investigated got the other executive her job.

In all fairness -- despite the article's focus on privacy concerns -- conflicts of interest and intellectual property crimes are becoming a growing problem for corporations. The fact that one person got another person a job based on a personal relationship might be a little questionable, also?

Here is what the article, written by Douglas Frantz, had to say about former government agents running this investigation:

Largely overlooked in the furor was the role that Wal-Mart’s internal security department had played in digging up the salacious details. This department, a global operation, was headed by a former senior security officer for the Central Intelligence Agency and staffed by former agents from the C.I.A., the Federal Bureau of Investigation, and other government agencies. (See our Spy Slang guide) A person familiar with the episode said in an interview that an ex-C.I.A. computer specialist was involved in piecing together the email evidence—which included copies of Womack’s private Gmail messages, provided by his estranged wife—and that another former government agent had supervised the overall investigation.

Ex-government agents appear to be Wal-Mart’s investigators of choice. The retailer has emailed job listings to members of the Association for Intelligence Officers as well as posted ads on its site seeking to hire “global threat analysts” with backgrounds in intelligence. The job description for the analysts, who would have reported to a former Army intelligence officer, entailed collecting information from “professional contacts” to gauge threats from “suspect individuals and groups.” In practice, their responsibilities would have extended to gathering information about Wal-Mart employees, suppliers, and customers; Wal-Mart monitors shoppers for suspicious or potentially criminal activity. A Wal-Mart spokesman said the company does not comment on security matters.
While the article seems to target activity at Walmart, it alleges that their is a substantial market for this type of service:

The best estimate is that several hundred former intelligence agents now work in corporate espionage, including some who left the C.I.A. during the agency turmoil that followed 9/11. They quickly joined private-investigation firms whose U.S. corporate clients were planning to expand into Russia, China, and other countries with opaque business practices and few public records, and who needed the skinny on international partners or rivals.

With outsourcing becoming the norm for large corporations, I would imagine that experts in the espionage field might be a prudent investment for some of these corporations.

One reason might be counterfeiting, which the International Anticounterfeiting Association estimates to be a $600 billion a year problem.

Intellectual property theft is being touted as the crime of this century. While just about everything you can imagine is being counterfeited, technology seems to be targeted most frequently.

In fact, iPhones, which were last year's big tech item, were being cloned and sold on eBay by the time the product was rolled out in the United Kingdom.

There are constant reports of Chinese involvement in espionage, from the corporate level to hackers breaking into government systems. Couple this with large corporations having a lot of their products manufactured in China, and it's no wonder the services of a few good former spies might be prudent.

We probably shouldn't be surprised that corporations are turning to espionage experts to protect their assets. In fact, in the age of the global economy and outsourcing, we are probably going to see a growing demand for this type of expertise in the private sector.

RINF.com article, here.

IAAC White Paper on intellectual property theft, here.

The FBI did an interesting (my opinion) press release showing a little corporate espionage with a Chinese connection in 2006, which can be seen by clicking here.

Thursday, January 17, 2008

Adopting a homeless critter is a better idea than taking a chance of being scammed on the Internet!


(Billboard calling out puppy mill abuse in Pennsylvania courtesy of Star Cat at Flickr)


The fact that there are so many homeless dogs and cats is a sad thing to ponder. If you are like me (and a few humans I know), a trip to the local pound can be a heartbreaking experience.

With so many homeless animals in the world, it amazes me that anyone would buy one. Nonetheless for whatever reason -- people do and the result is a lot of abuse and a fair amount of scam activity -- especially when the "I word" (Internet) is involved.

I happened to run into a pretty good article by Marissa Maroff published on eHow on how to avoid getting scammed, and in a lot of instances (also avoid) supporting, animal abuse.

Marissa writes:

Buying a new pet on the Internet is usually not a good idea. In addition to unscrupulous dealers and puppy mills selling their “stock” to unsuspecting buyers—online scammers use elaborate websites and fabricated stories to bilk substantial amounts of money out of people for pets that don't even exist. And the pets that do exist, very often have serious, if not fatal health problems. Here are ways to keep from getting duped by online pet sellers.

If you insist on getting a pet via the Internet, the full article can be read, here.

The puppy scam is also known in Advance Fee (419) scam circles. Basically, this variation of the advance fee (419) scam entails free purebred puppies, or purebred puppies at a "too good to be true" price. After a few e-mails to hook the victim into believing the deal is real, shipping fees are sent (normally via Western Union or MoneyGram) and the puppy never arrives.

Please note that the media loves to attribute all this activity to Nigeria (it makes good press), but Nigeria isn't the only point of origin for these types of scams. Scams can originate from just about anywhere.

Going back to my original thought in writing this post, there are a lot of lovable animals out there waiting to be adopted that really are free. These animals, who need a good home can be found at your local pound, the SPCA, numerous rescue organizations, or even your local Petsmart on weekends.

On a personal level, I highly recommend you start there before looking for a paid companion on the Internet. In the long run, you will receive some good karma and probably avoid (not support?) a lot of pain and suffering.

I'm dedicating this post to Raleigh, Ellen, Carole, Kim, Scott, Frank, Dave, Michael, Sam (1, 2 and 3), Olivia and Dr. Marylou Randour, who is the author of Animal Grace.

Animal Grace is a book that explores the spiritual relationship we share with furry critters of all kinds.

Wednesday, January 16, 2008

Your computer will not love this Valentine

The Storm Worm, which turns systems into spam-spewing zombies without their owners' knowledge, is taking a predicted twist and using Valentine's Day as a lure.

Websense is reporting:

Websense® Security Labs™ has received reports and confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Valentine's Day twist in its attempts to infect users with malicious code. For more details on how we protect against Storm attacks, see http://www.websense.com/securitylabs/blog/blog.php?BlogID=141.
Websense (full) alert with screenshots, here.

Most recently, we've seen the Storm Botnet leased by the phishermen to steal people's personal and financial details.

CNet (Robert Vamosi) did a good write-up on this latest Storm phenomenon, here.

The best way to protect your computer from this (besides having good security software) is to simply "just say delete" to any unsolicited Valentines you receive!

Previous posts I've written about the Storm Worm can be seen, here.

Sunday, January 13, 2008

Blogger exposes security flaws on TSA site

Since 9-11, we've spent billions upgrading security. Here is a sad report about how the TSA (Transportation Security Administration) put up a NOT very secure site with some of the money earmarked for making the nation more secure.

Even worse, it seems the TSA didn't even discover the problem themselves. The problem was brought to light by a blogger!

Here is some commentary from the government report that examines this problem:

In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft.

After an internet blogger identified these security vulnerabilities in February 2007, the website was taken offline and replaced by a website hosted on a Department of Homeland Security domain.

At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers’ sensitive personal information. As this report describes, these security breaches can be traced to TSA’s poor acquisition practices, conflicts of interest, and inadequate oversight.

The report reveals that the contract for the website was awarded without competitive bids by a TSA employee who was a former employee of the company that designed the site. Even worse, it took months for the security flaws to be noticed, and when they were, it was a blogger who brought them to everyone's attention!

The "hat tip" on this one belongs to Chris Soghoian, who is a Ph.D. student at the University of Indiana's School of Informatics. He used to write on the blog, "Slight Paranoia."

The first time Chris was considered "notorious" was when he put a fake boarding pass generator on the Internet. This attracted a lot of attention in the press, as well as that of the FBI.

Chris recently moved his blog to a CNet address, which can be seen, here.

Chris recently blogged about this report and added a comment about the lack of spell check being used on the TSA site, "Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers."

The official government conclusion is:

There were multiple factors that contributed to security vulnerabilities in the TSA traveler redress website. They included poor procurement practices, conflicts of interest, and weak oversight. The result of these shortcomings was that an insecure website collected sensitive personal information from American travelers for months without detection by TSA.

This led me to wonder if the TSA employees involved still have their jobs?

Much to my chagrin, I found my answer on the Committee on Government Oversight and Reforms press release on this matter:

Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a governmentwide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.
Full government report (PDF version), here.

It's unlikely the IRS is outsourcing tax preparation services to Russia!

Looks like with the start of tax season, the phishermen are again pretending to be the IRS.

Using a badge of authority in phishing is nothing new. In the past, we've seen the FBI, Interpol, DOJ and a lot of other official agencies spoofed (impersonated) to trick people into giving up their personal and financial details.

Here is a phishmail that got past my spam filter yesterday:


Date: Fri, 11 Jan 2008 16:02:36 -0500

From: "Internal Revenue Service" Add to Address Book Add Mobile Alert

Subject: IRS Annual Calculations - Tax Refund Internal Revenue Service United States Department of the Treasury

Dear Applicant:

After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $270,25.

Please submit the tax refund request and allow us 2 business days in order to
process it.

To access the form for your tax refund, please click here (link removed).

The links in these spam e-mails are designed to entice the unwary into giving up their personal and financial details (later used to commit financial crimes) through social engineering techniques (trickery). Just clicking on a link can download malicious software designed to steal information from your computer (which will also be used in financial crimes), or it will turn your computer into a spam-spewing zombie.

If you hover (don't click) your mouse over a link and read the address that shows up at the bottom of your screen, it will show the true address. In the above example, it reveals an address on a Russian domain (astrasong.ru).
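The hover-and-read check above, and the unencrypted submission page and off-domain hosting that the TSA report on this page lists, can be done mechanically. The following is an added example, not code from this post or from any of the sources it cites: a small Python auditor that parses the anchors and forms out of an HTML message or page, flags links whose visible text names a trusted domain but whose real destination is elsewhere, flags links that leave the expected domain entirely, and flags forms that submit over plain HTTP or to a host outside .gov. The sample HTML, the irs.gov trust list and the redress.example.com host are constructed for this example; astrasong.ru is the domain named above. Certificate validity, the fourth TSA deficiency, needs a live connection and is not covered here.

```python
"""Offline auditor for links and forms in an HTML message or page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the message claims to speak for (assumption for this example).
TRUSTED_DOMAINS = ("irs.gov",)

# Constructed sample modelled on the refund lure above. Both the "click here"
# link and the link whose visible text reads "www.irs.gov" point at
# astrasong.ru, the domain the post says the real link revealed. The form
# action and the redress.example.com host are likewise constructed.
SAMPLE_HTML = """
<html><body>
<p>To access the form for your tax refund, please
<a href="http://astrasong.ru/irs/refund.php">click here</a>.</p>
<p>Visit <a href="http://astrasong.ru/login">www.irs.gov</a> for details.</p>
<form action="http://redress.example.com/submit"><input name="ssn"></form>
<p><a href="https://www.irs.gov/">IRS home</a></p>
</body></html>
"""


class PageCollector(HTMLParser):
    """Collect (visible text, href) for each anchor and the action of each form."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text chunks seen inside that anchor
        self.links = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self.forms.append(a.get("action", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((text, self._href))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def audit_links(html, trusted=TRUSTED_DOMAINS):
    """Return (visible_text, href, reason) for every suspicious anchor."""
    p = PageCollector()
    p.feed(html)
    findings = []
    for text, href in p.links:
        host = host_of(href)
        claimed = [d for d in trusted if d in text.lower()]
        if claimed and not any(belongs_to(host, d) for d in claimed):
            findings.append((text, href, "text claims %s but link goes to %s" % (claimed[0], host)))
        elif not any(belongs_to(host, d) for d in trusted):
            findings.append((text, href, "link leaves the trusted domain: %s" % host))
    return findings


def audit_forms(html, expected_suffix=".gov"):
    """Return (action, reason) for forms that submit insecurely or off-domain."""
    p = PageCollector()
    p.feed(html)
    findings = []
    for action in p.forms:
        u = urlparse(action)
        if not u.netloc:
            continue  # relative action: inherits the page's own scheme and host
        if u.scheme != "https":
            findings.append((action, "form submits over %s, not https" % u.scheme))
        if not host_of(action).endswith(expected_suffix):
            findings.append((action, "form posts to a host outside %s" % expected_suffix))
    return findings


if __name__ == "__main__":
    for text, href, why in audit_links(SAMPLE_HTML):
        print("LINK  %-12s -> %-36s %s" % (text, href, why))
    for action, why in audit_forms(SAMPLE_HTML):
        print("FORM  %-49s %s" % (action, why))
```

The domain match is deliberately strict: a host like irs.gov.example.net is not treated as irs.gov, which is exactly the kind of look-alike a lure relies on. Relative form actions are skipped because offline there is no page URL to resolve them against; when auditing a live page, resolve them with `urllib.parse.urljoin` first.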

It's unlikely that the IRS is outsourcing tax preparation services to Russia!

I went to the IRS site and discovered that they just updated their Suspicious e-Mails and Identity Theft page the same day I received this phishmail.

The page has links to all their previous warnings and information on where to report phishing activity involving the IRS. Also included are government educational resources (recommended reading if you haven't seen them before).

Tuesday, January 08, 2008

Sears faces class action for violating customer privacy on their site

A few days ago, I wrote about a post on the Truston blog concerning Sears being taken to task by a Harvard professor and the Washington Post (Brian Krebs) for violating customer privacy on their site.

Not only was information being data mined for marketing purposes, but the site allowed third parties (anyone) access to it.

Now it appears lawyers have gotten together a class action against Sears.

In an update, Brian Krebs is reporting:

In a complaint filed Friday in Cook County, Illinois -- where Sears is headquartered -- the plaintiffs allege that the lack of privacy protections at Sears's managemyhome.com site violated its own privacy promises to consumers, and in so doing ran afoul of the Illinois Consumer Fraud Act, which prohibits "unfair and deceptive practices."

The complaint seeks class-action status, and more than $5 million in damages, including attorneys' fees. A copy of the complaint is linked here (PDF).

The suit was filed by KamberEdelson, the same New York City based law firm that successfully pursued Sony BMG Music Entertainment after the media giant shipped millions of music CDs that included spyware.

The same law firm is also seeking plaintiffs for a second class action against Sears for installing tracking software on customers' computers after they made a purchase on their site. This might set an interesting legal precedent given all the tracking software being used out there.

After all, there is a lot of customer espionage going on out there (my opinion).

As for me personally, this story has made me extremely wary of shopping at Sears, whether in a mall or on the Internet.

Full story from Brian Krebs on the Security Fix blog, here.

Sunday, January 06, 2008

Democratic fundraiser Norman Hsu sentenced to three years

Norman Hsu, who used to be a major fundraiser for Hillary Clinton and the Democratic party has been sentenced to three years for fraud.

John Coté at SFGate reports:

Disgraced Democratic fundraiser Norman Hsu, who became a prolific political moneyman even as he was a fugitive from justice, was sentenced Friday to three years in state prison in a San Mateo County grand theft case that dates from the early 1990s.

Hsu was sentenced in Redwood City more than 15 years after he skipped out on his original court date and fled to Asia.
And this isn't the end of it:

He will now be transferred to federal custody to face new criminal charges in New York, where he is accused of bilking investors across the country out of at least $20 million. Hsu allegedly funneled some of the money to political campaigns, including that of Sen. Hillary Rodham Clinton, while living a lavish lifestyle.
Now here is the kicker (his legal defense):

Hsu's attorneys had sought to have the 1990s case dismissed or to allow Hsu to withdraw his no contest plea, saying his right to a speedy trial had been violated because authorities made little attempt to locate him - even as he attended fundraising events and was photographed with political candidates.
His attorney is planning to appeal this conviction. Hopefully, a judge won't grant him bail again as I would guess he is probably a flight risk.

The good news is that we are starting to see a trend, where money isn't the primary factor dictating who will become the next leader.

SF Gate story by John Coté, here.



New IRS rules dictate stricter controls on how personal information is marketed by preparers!

Last year, a large number of fraud cases were reported in which people claimed refund anticipation loans using fraudulent information.

In many instances, these fraudulent returns were filed using the earned income tax credit. The earned income tax credit returns a portion, or all, of the taxes paid by people below a certain income level when they file their yearly tax return.

While an honorable practice in principle, the credit is targeted by fraudsters, who submit fake W-2 information and claim large refunds that they were not entitled to.

W-2's can be purchased in just about any office supply store, or even over the Internet.

Another growing trend noted -- with all the stolen identities and counterfeit identification out there -- is fraudulent tax returns being filed using other people's information. RAL refunds can net several thousand dollars each, which makes them prime targets for financial fraud.

Low income people are also often recruited to go in and get these loans using "made up" information.

Guess who ends up getting caught if the IRS discovers the fraud in most instances? I'll give you a hint, it probably won't be the person who talked them into doing it.

I'm not sure if all the tax refund fraud and reported identity theft last year inspired the recently announced IRS rules, but it's probably a good guess that it had something to do with it.

The IRS is now giving taxpayers more control over their personal and financial information. They are also examining whether certain restrictions should be placed on refund anticipation loans.

The IRS press release states:

Federal law already strictly prohibits the IRS from making disclosures of taxpayer return information within its control to third parties except with taxpayer consent or in circumstances set by Congress. The final rules have no effect on the strict protection of return information in the IRS’s hands and apply only to tax return information held by income tax return preparers.

Among the new rules:

Generally, preparers must obtain taxpayer consent, either by paper or electronically depending on how the return is being filed, before tax return information can be disclosed to any third party or used for any purpose other than filing the return.

If the taxpayer consents to the disclosure and use of his information, the consent must identify the intended purpose of the disclosure, identify the recipients and describe the particular authorized disclosure or use of the information.

Mandatory language informs individual taxpayers that they are not required to sign the consent; that if they sign the consent, federal law may not protect their information from further disclosure; and that if they sign the consent, they can set a time period for the duration of that consent. If taxpayers fail to set a time period, the consent is valid for a maximum of one year.

To prevent consent requests from individual taxpayers from being buried in fine print, the rules require the paper consent documents to be in 12-point type on 8½ by 11 inch paper and require electronic consent requests to be in the same type as the Web site’s standard text, all to prevent consent requests from being too difficult to read for individual taxpayers.

If a taxpayer declines to provide consent for an unrelated tax preparation disclosure or use request, the preparer cannot make a similar consent request. The intent is to protect taxpayers from being pressured with repeated consent requests regarding the same issue.

Mandatory consent from taxpayers also is required if the tax information is going to be disclosed to a tax preparer located outside the United States. This provision is intended to ensure taxpayers are informed if their tax information is being sent off-shore for return preparation. The individual taxpayer’s Social Security Number also must be redacted.
The press release also states:

One issue that was raised during the comment period was the use by tax return preparers of tax return information to market Refund Anticipation Loans (RALs) to taxpayers. The issue of marketing RALs and similar products, such as Refund Anticipation Checks and Audit Insurance, was not specifically addressed in the proposed regulations.

The Treasury Department and the IRS are concerned that RALs and similar products may provide preparers with a financial incentive to take improper tax return positions in order to inflate refund claims inappropriately. In order to give the public an opportunity to comment on this issue, the Treasury Department and the IRS are issuing an Advance Notice of Proposed Rulemaking (ANPRM) that announces they are considering a proposal that tax return preparers be prohibited from disclosing or using taxpayer return information for the purpose of selling products such as RALs and similar products.
Last year it came to light that a Jackson Hewitt franchise owner with a lot of branches was being charged by the federal government for enabling this type of fraud. The dollar amount of the fraud was calculated by the government at about $70 million.

Here is the post, I wrote about this particular incident:

Is tax fraud being enabled by too many dishonest preparers?

While the Jackson Hewitt allegations were major news, they probably account for only a small portion of the overall fraud committed with tax returns. In previous years, we've even seen prisoners file phony tax returns from behind bars.

Dishonest preparers also sometimes try to get their customers to claim questionable exemptions. This can lead to the customer ending up in a lot of trouble at a later date.

The IRS has an educational document to educate taxpayers about this problem, here.

If you happen to know of anyone committing any of these tax frauds, the IRS has a place where it can be reported, here.

Press release on the new rules and possible restrictions on RAL products, here.

There are articles circulating in the mainstream media with more information on how this might hurt the profitability of the tax preparation industry. I'll include the one from Reuters written by Jonathan Stempel, here.

Saturday, January 05, 2008

Sears site violates people's privacy!

Ran into this story on the Truston blog. Tom Fragala, CEO of Truston writes:

The internet retailer you choose just might, without disclosure, install software on your computer to snoop on your web browsing. Brian Krebs at the Security Fix blog has this story. Would you believe it could be one of the country's oldest retailers though?

"Sears is having a bit of a rough day with the privacy community. The company got off to a rocky start with revelations that many customers who gave Sears their personal details after shopping at the company's Web site also were giving away their online Web browsing habits to marketers, thanks to snooping software silently installed (and ill-documented) by a Sears marketing partner."
Even worse, as revealed in Brian Krebs' interesting blog post, is that:

The discovery comes from Ben Edelman, an assistant professor at the Harvard Business School and a privacy expert whose research has done much to raise public awareness about the intersection of big business and shady advertising practices.

Sears offers no security whatsoever to prevent any user from retrieving a third party's purchase history, Edelman said, which violates its own privacy policy with such disclosures, no part of which "grants Sears the right to share users' purchases with the general public."

I guess this means that anyone can violate a Sears customer's privacy by using their website as a tool?

Please note that Professor Edelman has shown some pretty good evidence that regular and not just e-commerce customers can be compromised, also.

Going back to Professor Edelman's contention that snooping software was spying on customers -- spyware and adware are used on a lot of sites. In fact, I highly recommend scanning your system on a regular basis using reputable software. I'm always amazed at how much of it I find when I do.

My opinion is that when information is data mined, there needs to be a transparent way for a customer to opt in (authorize) an entity to use their information.

Current opt-out options are often deceptive and laden with a lot of small print.

So far as Sears, until they disclose what they are doing to fix this (at least answer Mr. Krebs), I'm going to make sure I avoid using their shopping facilities!

DOJ charges 11 in pump and dump stock spamming operation

The Department of Justice has just announced the arrests of 11 spammers involved in a pump and dump stock spam scheme.

Pump and dump schemes victimize people -- lured by the expectation of too good to be true money -- who buy the stocks at artificially inflated prices. They normally lose money when the value suddenly drops because the people behind the scheme sell off their artificially inflated shares.

One of those arrested, Alan Ralsky, is considered one of the biggest spammers around by Spamhaus, an organization dedicated to tracking spam.

From the press release:

A federal grand jury indictment was unsealed today in Detroit charging 11 persons, including Alan M. Ralsky, his son-in-law Scott K. Bradley, and Judy M. Devenow, of Michigan, and eight others, including a dual national of Canada and Hong Kong and individuals from Russia, California, and Arizona, in a wide-ranging international fraud scheme involving the illegal use of bulk commercial e-mailing, or "spamming."

This investigation was conducted over a three-year period by the FBI, Postal Inspectors and the Internal Revenue Service. The people involved used all the standard spam diversions, including falsified domains and e-mail headers, social engineering lures and good old false advertising.

The release also states that they (tried?) to use botnets to send the spam:

The indictment also alleges that the defendants tried to send their spam by utilizing a cybercrime tool known as a “botnet,” which is a network of “robot” computers that have been infected with malicious software code that in turn would instruct the infected computers to send spam. The indictment charges that the defendants earned profits when recipients responded to the spam and purchased the touted products and services. Hui’s primary role in the scheme was to act as a conduit for Chinese companies who wanted their stocks pumped by the scheme. Ultimately, investigators estimate that the defendants earned approximately $3 million during the summer of 2005 alone as a result of their illegal spamming activities.

Recently, the FBI arrested a lot of Internet misfits in what they termed Operation Bot Roast and Operation Bot Roast II.

Botnets have become a major vehicle by which spam is circulated, using zombie computers taken over by spam e-mail containing malicious software. Because the owner of the computer normally isn't aware their computer has been turned into a "spam spewing zombie," it also confuses investigative efforts to track the spam to its source.

It should also be noted that here again, we see another "Chinese connection" in cybercrime. It's pretty interesting that publicly held Chinese companies were working with these spammers to have the price of their stock artificially inflated.

Russian nationals were also arrested in this recent case. Eastern European types seem to be heavily involved in the world of cybercrime.

Here is a list of the laws the government is using to bring the spammers to justice:

The 41-count indictment covers three distinct, but interrelated, conspiracies to capture this evolution in their business practices. The indictment charges the defendants with the commission of several federal criminal offenses, including conspiracy, fraud in connection with electronic mail (CAN SPAM), computer fraud, mail fraud, wire fraud, and money laundering. It also charges the defendants with criminal asset forfeiture, as well as charging one defendant with making false statements to law enforcement.

Sadly enough, spammers have been bold enough to spoof all three investigative agencies involved in this case in the recent past. These spamming incidents normally are what are known as phishing attempts, where the intent of the spammer is to steal personal and financial information using social engineering techniques or malicious software.

The FTC released a report on spam a few days ago. One of the findings was that the people behind this activity are best addressed by agencies that go after criminal activity.

This action and Operation Bot Roast indicate that these actions are already underway.

On the DOJ site right below the header on this press release is a warning about the DOJ itself being impersonated (spoofed).

A lot of people view spam as an annoying phenomenon in their inbox. If you really examine it, spam is the vehicle for just about every annoying and illegal activity on the Internet.

The full press release, including all the names of the spammers being charged can be seen, here.

Friday, January 04, 2008

CALPIRG does consumer study revealing that privacy laws are being ignored in California

Many believe that the reason behind the identity theft crisis is the irresponsible data mining and selling of people's personal and financial information. This information then gets stored in places, where it is obtained (bought or stolen) by people, who have more than a "marketing" interest in it.

The buying and selling of people's personal information is a multi-billion dollar business.

Given this, a lot of people and consumer groups are now questioning how this is done and how the information is protected.

CALPIRG, the California Public Interest Research Group has just released an "interesting" report on this subject and is making some recommendations to the California legislature to make the practice of buying and selling people's personal information more transparent.

From the press release on the CALPIRG site:

California’s consumers are “Still in the Dark” when it comes to who has access to their personal information according to a privacy report released today by the California Public Interest Research Group (CALPIRG).

“This holiday shopping season millions of consumers surrendered their personal information to retailers across the country with no idea how or with whom that information is shared” said Pedro Morillas, CALPIRG Consumer Advocate. “Fortunately there is light at the end of the tunnel. California already has some good policies regarding this issue. A few additions to the existing policies will give consumers the tools they need to safeguard their personal information.”
Currently, California law requires that if a consumer requests to find out where their information went a company must reveal where the information went for the past calendar year, or provide a no cost "opt-out" opportunity.

The report -- which includes a survey of customers trying to discover where their information went -- revealed that over one-third of the requests were ignored.

Even worse, in addition to not getting a response, many of the customers were given the run around by being sent to other places within an organization or getting responses that had nothing to do with their original request.

CALPIRG is now calling on the California Legislature to strengthen the laws with additional measures. They are calling for the following additions to existing laws, which would require:

Companies that do business with California consumers to respond to privacy requests, regardless of whether they share information with third parties.

Companies to both disclose the personal information shared, and the third parties with which it is shared, and provide consumers with an opportunity to opt out of future sharing.

Companies to place a box on their Web sites’ privacy pages allowing consumers to opt out of information sharing.

Companies to get an affirmative “opt-in” from consumers before sharing their information with third parties, as opposed to the current practice of requiring consumers to opt out in order to protect their privacy.

The full report from CALPIRG can be read, here.

Opting out and privacy notices with an abundance of fine print have been criticized as not being effective, or consumer friendly, for a while now. Here are two other posts I've written on this subject:

How does a telemarketer get your unlisted number?

Not answering a Privacy Notice gives the sender permission to sell your personal/financial information

Thursday, January 03, 2008

Lou Dobbs' audience responds to Hillary's allegation that he is full of hot air!

My wife, who is a die-hard Lou Dobbs fan, brought to my attention that Hillary Clinton had recently called him "full of hot air."

In response to this statement, Lou and crew ran this poll on their show yesterday.

The question they asked was:

Do you believe presidential candidates who support open borders, illegal alien amnesty, and outsourcing of middle class American jobs to cheap overseas labor markets are full of "hot air"?
I decided to check the results this morning and 95 percent of the people responding felt that the presidential candidates supporting open borders, illegal alien amnesty and outsourcing were "full of hot air."

Strangely enough -- if I remember one of the debates correctly -- it seems difficult to get Hillary to commit herself on some of the above listed issues.

Would that make some believe that her responses to these issues are full of hot air?

With the primaries starting today in Iowa, it will be interesting to see what the voice of the American people will be!

You can see the results of Lou's poll on his site, here.

You can also see the article that reported Hillary calling Lou full of "hot air" at Iowa State University (courtesy of NewsDay.com), here.

If you would like to revisit Hillary's stunning reversal on the driver's licenses for illegal aliens issue (within 2 minutes) in the State she represents, the Captain's Quarters blog has commentary, here.

Tuesday, January 01, 2008

IT Policy Compliance Group looks back at what was important in 2007

The IT Policy Compliance Group issued a great year-end analysis of the important events that took place in the world of IT security in 2007.

Lamont Wood wrote this interesting analysis and leads into it by saying:

Looking back, those who specialize in the history of corporate and cultural debacles may one day hail 2007 as the year when the dusty topic of document retention became a matter of corporate life and death. Thanks to the pervasiveness of networked computers, corporate data proved again and again that it could not only leak into the wild, but, once there, take on a life of its own -- and do enormous harm to its parent.

The essay covers some interesting subjects like Data Breaches, PCI DSS Follies, CyberWars and The Dark Side.

It also includes a summary of the regulations that businesses had to learn to deal with in 2007.

I'm going to refrain from commenting further and instead direct people to these interesting observations, here.

I did another post on a report from the ITPCG entitled, IT Policy Compliance Group issues study on data breaches and information theft.

This report revealed that focusing on fewer, risk-focused control points, and then inspecting them more frequently, made an organization less likely to suffer data breaches/information theft.

If you haven't read the report yet, it is a worthwhile read, also.

In case you are unfamiliar with the IT Policy Compliance Group, here is their mission (in their own words):

The ITpolicycompliance.com web site is dedicated to promoting the development of research and information that will help IT security professionals meet the policy and regulatory compliance goals of their organizations. Specifically, this site focuses on assisting organizations to improve compliance results by providing reports based on primary research as well as other related information and resources.

Here is who supports this site:

CSI (Computer Security Institute), The IIA (The Institute of Internal Auditors), ISACA (Information Systems Audit and Control Association), the IT Governance Institute, Protiviti, and acknowledge Symantec for providing the financial support to make this site possible.

FTC issues report on Malicious Spam and Phishing

The Federal Trade Commission just released its report on the current state of malicious spam and phishing in today's electronic world.

Interestingly enough, it points out that spammers are criminals.

While this isn't a new revelation, the report seems to want to drive that point home. Maybe this is part of the education process referred to at the bottom of this post?

Here is what the press release had to say:

During the workshop, panelists confirmed that spam has increasingly become a significant global vector for the dissemination of malware and the propagation of financial crimes. Panelists opined that, in most instances, the acts of malicious spammers are inherently criminal, and criminal law enforcement agencies are best suited to shut down their criminal operations.
The report discusses the problem of botnets at length and refers to a 2006 report estimating that 12 million bot-infected computers are being used to send spam. The report also states that most of these computers are physically located outside the United States.

Going deeper into the problem the report discusses a phenomenon called fast flux:

With fast flux, infected bot computers serve as proxies or hosts for malicious websites. The IP addresses for these sites are rotated regularly to evade discovery. For example, a phisher can deploy numerous and different IP addresses for a single phishing campaign, foiling the efforts of ISPs and law enforcement seeking to stop these campaigns by dismantling a single web site. Despite these challenges, the record reflects that at least one ISP does take proactive measures to detect and disconnect “fast flux” web sites from a portion of its network.
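The rotation the report describes leaves a fingerprint in DNS: one hostname answering with many different addresses, in unrelated networks, each with a very short TTL. The following is an added example (not code from the FTC report or from this blog) of how a defender could score passive-DNS observations for those three traits. The observation records, the hostnames and the thresholds (at least 5 distinct IPs, median TTL of 300 seconds or less, at least 3 distinct /24 networks) are all constructed assumptions; the addresses come from the RFC 5737 documentation ranges.

```python
"""Flag hostnames whose DNS answers look like fast flux.

Added example. Input is a constructed stream of passive-DNS observations;
thresholds are assumptions a defender would tune against their own data.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class DnsObservation:
    ts: int     # seconds since epoch when the answer was seen (constructed)
    name: str   # queried hostname
    ip: str     # A/AAAA record returned in the answer
    ttl: int    # TTL advertised with the answer


def _make(name, ips, ttl, start=0, step=60):
    """Build one observation per IP, one minute apart (helper for sample data)."""
    return [DnsObservation(start + i * step, name, ip, ttl) for i, ip in enumerate(ips)]


# Constructed sample observations; none of these hosts or addresses are real.
SAMPLE_OBSERVATIONS = (
    # A phishing host that answers with a different IP, in a different network,
    # every minute and advertises a 60 second TTL.
    _make("secure-login.example", [
        "198.51.100.7", "203.0.113.45", "192.0.2.19", "198.51.100.200",
        "203.0.113.9", "192.0.2.77", "198.51.100.33", "203.0.113.120",
    ], ttl=60)
    # An ordinary site: two stable addresses and a long TTL.
    + _make("www.bank.example", ["192.0.2.10", "192.0.2.11"] * 3, ttl=3600)
    # A CDN-fronted site: many IPs and a short TTL, but all inside one /24.
    # This is the classic false positive a TTL-only rule would raise.
    + _make("static.cdn.example", [f"203.0.113.{i}" for i in range(50, 56)], ttl=60)
)


def summarize(observations):
    """Aggregate per-hostname statistics from a stream of DNS observations."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for obs in observations:
        ips[obs.name].add(obs.ip)
        ttls[obs.name].append(obs.ttl)
    summary = {}
    for name, addresses in ips.items():
        # Collapse addresses to /24 networks to measure how spread out they are.
        prefixes = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in addresses}
        summary[name] = {
            "distinct_ips": len(addresses),
            "distinct_prefixes": len(prefixes),
            "median_ttl": median(ttls[name]),
        }
    return summary


def is_fast_flux(stats, min_ips=5, max_ttl=300, min_prefixes=3):
    """All three traits must be present: many IPs, short TTL, many networks."""
    return (stats["distinct_ips"] >= min_ips
            and stats["median_ttl"] <= max_ttl
            and stats["distinct_prefixes"] >= min_prefixes)


def flag_fast_flux(observations, **thresholds):
    """Return the sorted list of hostnames that meet the fast-flux criteria."""
    return sorted(name for name, stats in summarize(observations).items()
                  if is_fast_flux(stats, **thresholds))


if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_OBSERVATIONS).items():
        print(name, stats)
    print("flagged:", flag_fast_flux(SAMPLE_OBSERVATIONS))
```

Requiring prefix diversity in addition to a short TTL is what keeps the CDN host out of the flagged set; a rule on TTL alone would fire on every large content network. In practice the prefix measure would be replaced by autonomous-system lookups, which the offline sample above does not attempt.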
The report also acknowledges that DIY (do it yourself) crimeware kits are making it easy for just about anyone to mount a phishing campaign. One kit described sells for as little as $17.

Also cited are some statements from jailed bot-herders that botnets are being rented by the hour for $300-$700 an hour.

The report also gives some statistical information on what this is costing all of us:

A survey by Consumer Reports reveals that viruses, phishing, and spyware resulted in over $7 billion in costs to U.S. consumers in 2007. The survey revealed further that computer infections prompted 850,000 U.S. households to replace their computers. The costs to businesses also are high. One panelist reported that 80 percent of 639 businesses it studied experienced cybercrime-related losses, totaling $130 million.
Also included in the report is information on Operation Bot Roast conducted by the FBI and Department of Justice.

Besides going after the criminal element, the report states that e-mail authentication is crucial in detecting spam at the ISP level so that it can be filtered out by existing spam filters.
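To make the authentication point concrete, here is an added example (not from the FTC report or this blog) of the SPF check an ISP's mail server runs when a connection claims to be from a domain: it looks up the domain's published policy and tests whether the connecting IP is authorized. The policy records, domain names and addresses below are constructed and embedded in a dictionary instead of being fetched as DNS TXT records, and only the `ip4`, `ip6`, `include` and `all` mechanisms of RFC 7208 are handled; mechanisms that need further DNS lookups are reported as an error rather than guessed.

```python
"""Offline SPF evaluation for a claimed sender domain.

Added example. Records are constructed stand-ins for the DNS TXT records a
real receiver would query (RFC 7208); nothing here touches the network.
"""
import ipaddress

# Constructed SPF policies keyed by domain (assumption: these stand in for DNS).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/28 include:mail.example -all",
    "mail.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_ip, domain, records=SPF_RECORDS, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip and domain."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced domain's policy passes.
            if evaluate_spf(sender_ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            # a, mx, ptr, exists need live DNS; out of scope for this offline example.
            return "permerror"
    return "neutral"  # record ended without an "all" term


def filter_action(result):
    """Map an SPF result to the coarse action a receiving filter might take (assumed policy)."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "mark"       # accept but raise the spam score
    return "accept"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.5", "bank.example"), ("198.51.100.10", "bank.example"),
                       ("203.0.113.9", "bank.example"), ("2001:db8::1", "mail.example")]:
        result = evaluate_spf(ip, domain)
        print(f"{ip:>14} claiming {domain}: {result} -> {filter_action(result)}")
```

The value of the check for spam filtering is the `fail` outcome: a connection from an address the domain owner never authorized can be rejected before content filters ever see the message, which is the ISP-level detection the report refers to.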

Of greatest importance (call me a socialist) is that the report calls for a broader effort to educate the public on the dangers of spam:

Consumer and business education can have a significant impact in the fight against spam and phishing. Because spam is an ever-evolving problem, stakeholders should revitalize efforts to educate consumers about how to protect their computers from online threats and improve methods for disseminating educational materials to consumers and businesses. In addition, the Summit identified consumer-interfacing tools such as spam reporting buttons as valuable tools for ISPs and reputation service providers. Accordingly, staff will encourage industry to continue to develop and fine-tune such tools.

In keeping with this theory, the FTC lists three sites on the right side of the press release to educate the public about spam: the FTC Spam site, OnGuard Online: Spam Scams and OnGuard Online: Phishing.

The full report can be viewed, here.

Discovering a record amount of information theft only solves half the problem

Has anyone besides me noticed that when data breaches are reported, we see an official statement that the information hasn't been used by identity thieves?

After thinking on that one for awhile, it makes sense that criminals would stop using the information from a data breach after it has been reported.

As for information used before the breach is discovered, it's pretty hard to prove where the information came from in an identity theft case. With so much compromised information out there, it's nearly impossible to figure out where the point of compromise is in any individual case.

When a data breach occurs, a lot of accounts are closed down and everyone who has been compromised runs out and checks their credit reports. Most of the time, free identity theft monitoring is made available to those who have been breached, also.

My guess is that once the stolen information is made public, it's probably dangerous to use. At the very least, it probably doesn't hold the same profit value that it had when no one knew it had been stolen.

For the past week, the news has been awash with the year end statistics on data breaches. By all the recent news accounts, 2007 was a record year.

While reporting data breaches is painful and costly, reporting them probably makes the information a lot harder to exploit for criminal purposes.

Although 2007 was a record year for reported data breaches, very few of the criminals stealing the information got caught. Organizations losing the information are starting to be held accountable, but it would be nice to see more of the criminals stealing the information brought to justice.

Another thing to consider is that data breaches aren't putting organizations out of business. True, they are costly, but in the end the cost is normally passed on to everyone using their services.

In the end, we are all paying for the cost of fixing data breaches.

And while a record number of data breaches were reported, there must be some that no one (except the criminals) knows about.

My guess is that there is a lot of information theft that is never detected. I would also surmise that this is considered the most valuable information being sold and used by criminals.

Compromised information is normally most effective when the person who it belongs to doesn't know it's being used.

Until we address both sides of the equation -- the people losing the information and punishing the people stealing it -- we are probably going to see news reports reflecting record statistics on the number of data breaches occurring.

To do this, we need to focus more resources on catching the people stealing the information and enact laws that make it hurt when they get caught.

The last statistic I saw was that less than 1 percent of them get caught, and if they do, they normally get a slap on the wrist. Much of the reason for this is insufficient resources to investigate fraud, along with a lot of cases that are never reported by organizations or individuals.

AP article (courtesy of the Washington Post) on 2007 data breach trends, here.

Update: Dissent from the Chronicles of Dissent and PogoWasRight left a good comment on this post pointing out that a lot of people did get caught this year. He is right and I did posts on a number of them.

The people out there catching the crooks stealing the data would be able to do a lot more if they were given more resources!

The Chronicles of Dissent has an excellent article on this subject that I highly recommend to anyone interested in the phenomenon of data breaches, here.