Sunday, March 30, 2008

ICE raid nets 49 illegal security guards in Texas

Looks like the folks at ICE have been busy in Texas going after illegal security providers, some of whom, apparently were armed.

Jason Trahan at the Dallas Morning News reports:

A task force led by U.S. Immigration and Customs Enforcement raided more than two dozen mostly Latino night clubs, restaurants, pool halls and other businesses Saturday night, arresting 49 undocumented immigrants employed as security guards, officials said.

All of those arrested work for two local security companies, which authorities declined to identify Sunday.
The investigation into these security guard providers might be ongoing because in Texas, as in most States, security services are a regulated business for which a license must be obtained.

According to the Texas Department of Public Safety:

Under state law, commissioned security officers must successfully complete a 30-hour school. Once the course is completed, commissioned officers must wear a specific uniform indicating the company by whom they are employed while carrying their weapons.

Applicants for licensing or registration by the Private Security Bureau must have undergone a fingerprint-based state and national criminal history check. Applicants who have been convicted of a felony or a Class A misdemeanor cannot be considered for a license for 20 years. Applicants convicted of a Class B misdemeanor can apply for consideration after 5 years. Some Class B misdemeanors, such as first-time DWI, do not disqualify an applicant from receiving a license or application.

Maybe this is why -- despite the lack of official commentary on the matter -- Craig Watkins the Dallas County District Attorney stated:

Hopefully, this operation will help us send a message that we will not tolerate the falsification of documents for undocumented aliens under the guise of providing security.

Counterfeit documents are a huge problem and enable a lot of illegally placed individuals to obtain employment that they would otherwise be barred from. Given that they are easily available, they are a gateway for all kinds of other criminal activity, also.

This isn't the first time, a story has broken, where counterfeit documents allowed people using an unverified or even someone else's identity to perform duties they never should have been able to.

Although a few miles from Dallas, in November, James Slack of the Daily Mail revealed that 5,000 illegal immigrants were working as security guards in some of the United Kingdom's most sensitive buildings.

In January of 2007, the Herald Tribune reported that 40 illegal immigrants were arrested on military bases by ICE. The same story referenced an earlier story, where 60 illegal immigrants were arrested at Fort Bragg, North Carolina, home of the 82nd Airborne Division and Special Operations Units.

Earlier this month, Neville W. Cramer wrote in Today's Facility Manager about the growing problem from a facility management perspective:

While there are a multitude of economic and social issues surrounding the millions of illegal aliens currently in the U.S., two issues should be of specific concern to facility managers (fms). The first is security, and the second is comprehensive immigration reform. Since the latter is currently hung up in Congress, this article will examine security first.

Federal, state, and municipal law enforcement agencies are well aware that some of the largest employers of illegal aliens are directly and peripherally involved in building services and maintenance. Whether it is the cleaning crews, the janitors, the trash removal workers, or the security guards, illegal immigrants make up a significant portion of the workforce.

While this recent event in Dallas highlights the illegal immigration problem from the South -- there are illegal immigrants from other parts of the World working as security guards -- who likely have been planted in facilities or organizations for the purposes of stealing information.

From the Today's Facility article:

For instance, organized criminals from West Africa (Nigeria, Ghana, Sierra Leone, etc.) are now firmly entrenched nationwide in the security guard business. They are usually educated, well mannered men and women who are willing to work weekends and midnight shifts.

Unfortunately, what is not widely known is that “while guarding the henhouse,” many of these contracted security workers are suspected of stealing employee and customer identity data and company proprietary information. In some instances, these guards are using multiple fraudulent identities themselves, making it almost impossible for law enforcement to catch up with them. Fms should be aware of these emerging trends and, along with law enforcement and security professionals, take whatever steps are necessary to mitigate their risks.

The article sums up it's thoughts with the well known fact that the current Employment Eligibility Employment Verification Form (1-9) is woefully inadequate, especially with all the stolen identities and counterfeit documents that are easily obtained, just about anywhere.

Even with no match SSN legislation forthcoming -- which will require social security numbers to match a name -- the system will probably still be manipulated. There is a lot of stolen information out there, which contains both names and social security numbers, already. The groups counterfeiting documents will just have to make sure everything matches.

This is likely to cause an explosion in the number of identity theft cases, which is already a growing problem.

This legislation, which has been held up by a Federal Judge in San Francisco at the behest of the ACLU and other groups, appears to be poised to be enacted in the near-term. Arizona, which has the highest rate of identity theft in the nation, has already enacted a similar law.

Dallas Morning News story, here.

Well written and informative article by Neville W. Cramer, here.

If you want to learn more about the easy availability of counterfeit documents and how they are being dispensed throughout the U.S. (and probably the World) by organized criminal gangs, I recommend going to Suad Leija's Paper Weapons site. The information on this site has been covered extensively by the mainstream media and is likely being used by government entities to discover the full scope of this scary problem.

Lehman Bros. scammed for $355 million by two dishonest employees

With all the recent problems with Bear Stearns, the news that Lehman Brothers is getting smacked with a $355 million fraud is hardly good news in a gloomy financial market.

The scam in question was allegedly perpetrated by two contract (?) employees of Marubeni Corporation, a Japanese trading house. The deal involved a loan to a company called Asclepius Limited to finance medical leases. Asclepius Limited is now bankrupt.

Although the details are still sketchy, Reuters was able get a comment from an anonymous source:

It is being reported that Lehman is claming that employees of The fraud may have hit other financial institutions as well, according to the source, who spoke on condition of anonymity.

If Lehman's arguments are true, the scamsters perpetrated one of the more sophisticated corporate con jobs since Enron set up a fake trading floor to impress analysts. Lehman believes the scam included forged documents and an imposter.
According to Maurbeni, they've fired the two employees in question and are claiming they were contract employees. Lehman Brothers is stating they intend to file a law suit to recover the money and predictably Maurbeni is claiming they are not liable.

The scam was set up by the two Maurbeni (contract?) employees, who secured the money for the loan in advance from Lehman Brothers. In performing the due diligence on the loan, Lehman met with who they thought was a general manager for Maurbeni, but was actually an impostor.

Reuters is also reporting that the now bankrupt company, Asclepius Limited is under suspicion by the Japanese government for being involved in "illegal dealings."

I wouldn't want to be the the Lehman executive, who was responsible for setting up the due diligence on this deal!

Blogging Stocks, who also covered this story, brought up a scary observation about how this could take a toll on Lehman Brothers:

There has been concern for several weeks that Lehman Brothers (NYSE: LEH) might have problems similar to Bear Stearns (NYSE: BSC). Customers might be worried about Lehman's financial health and, if they were to withdraw large sums of money, the brokerage could face liquidity problems.

There is little doubt that a lot of fraud, or at the very least, "deceptive practices" led to the current financial crisis we are seeing in the mortgage industry. The mortgage crisis and this latest faux pas are clear examples of how the financial services industry needs to wake up and smell the coffee when it comes to how they conduct their daily business.

Since it is Sunday, I guess we'll have to wait until tomorrow to see if this makes a gloomy financial trend, even worse.

Reuters story, here.

Blogging Stocks story, here.

Saturday, March 29, 2008

Lifelock is getting sued, again!

Lifelock -- the identity theft service founded on an identity theft tale that was later deemed not to be very credible -- is now facing another law suit. This one, which is of the class action variety, alleges that their advertising is misleading and they don't necessarily protect a person from all the different varieties of identity theft.

From the press release on the Hagens Berman LLC site:

Today an Arizona consumer filed a proposed class-action lawsuit against LifeLock, a heavily promoted company that claims to protect consumers against identity theft. The lawsuit alleges that the three-year-old company defrauds customers by offering services it cannot legally perform, and by touting a $1 million guarantee that the suit alleges is wildly misleading.
The suit also alleges that Lifelock doesn't protect a person from all the forms of identity theft citing a case where -- Lifelock's flamboyant CEO (Todd Davis) who plasters his social security number everywhere as a marketing tool -- had his own identity stolen.

The press release didn't mention that the case was dropped after Davis employed a PI, along with a film crew to obtain a confession from the identity thief. Reportedly, the reason the case was dropped is because of a legal term called, "coercion."

One point of contention in the law suit is that the $1 million guarantee Lifelock promises is deceptive and laden with fine print:

Its advertisements prominently feature a supposed $1 million guarantee. In one commercial, Todd Davis, a founder and CEO of LifeLock, announces to a crowd of individuals, "If anything happens for any reason while you're a client of LifeLock, we will cover all losses and all expenses up to one million dollars." On its Web site, LifeLock makes similar statements, claiming that it will "do whatever it takes" to restore a member's good name.

According to the complaint, the fine print says otherwise: LifeLock will not pay any losses directly to the consumer and does not cover consequential or incidental damages to identity theft. The guarantee is limited to fixing failures or defects in the LifeLock services and paying other professionals to attempt to restore losses.

In this first paragraph of this post, I mentioned that Lifelock is getting sued again. Recently, one of the big three credit bureaus (Experian) filed a law suit for the costs of placing and replacing alerts on people's credit files.

In this post, I covered that the fact the credit bureaus are also in the identity theft protection business and that other companies (Debix, TrustedID) offer essentially the same service that Lifelock does.

This brings about speculation that both of these actions against Lifelock have the potential to set legal precedents and might bring about additional actions in the future. There has also been speculation that there is a "turf war" going on between Lifelock and the big three credit bureaus.

There is no guarantee what will become of all of this. The sad fact is that identity theft is a growing problem. Because of this, there are a lot of people getting involved in the identity theft protection business. The last time I checked, the industry was showing double-digit growth. This alone is quite remarkable considering the current state of the economy.

Given the fact that this is an "unregulated" industry involved in assisting victims of crime, everyone involved in it needs to take a hard look at the product they are offering to ensure it passes the "smell" test.

If they fail to do so, they will probably subject themselves to bad press, litigation and potentially government intervention (regulation).

They need to remember that identity theft victims are people, who fell victim to a crime that happened because their information was stored in too many places and WAS NOT protected properly. Of course, saying that, the people buying and selling information make a lot of money from doing it, also.

The sad truth is everyone is making money from this except the identity theft victim.

The post, I did on the first Lifelock law suit contains links to free resources to protect yourself and recover from identity theft. It also highlights a few of the organizations that are actively trying to do something about the overall problem identity theft has become without making a profit off it.

That post can be seen, here.

How did hackers plant malware at Hannaford Bros. and steal 4.2 million payment card numbers?

Hannford Brothers, the latest retailer to be compromised in a large scale data breach is reporting that hackers using malware breached their systems.

The next million dollar question (literally) is how was the malware (sometimes referred to as crimeware) dropped on their system? A lot of people are looking at this carefully because the company had been certified as meeting PCI (Payment Card Industry) data protection standards.

Ross Kerber at the Boston Globe, who gets the hat tip for breaking this latest development in the story wrote:

Data security specialists say the new details show how hackers have grown more adept at penetrating weak links in the systems that connect merchants and banks. In previous breaches, such as the record-setting intrusion at TJX Cos. of Framingham, where as many as 100 million card numbers were compromised, hackers took advantage of merchants who stored customer names and card data - sometimes in violation of payment industry standards - at central locations in their computer networks.

In contrast, Hannaford says it did not store customer information. The hackers who struck Hannaford mined a stream of data that the merchant and banks were not responsible for protecting under industry rules, industry specialists said.
Because hackers, criminals and misfits rarely give up their latest hacks, we'll have to be content with speculation from the experts.

Jaikumar Vijayan at ComputerWorld was able to get some expert speculation from "Mike Paquette, chief strategy officer at Top Layer Networks, a vendor of intrusion-prevention systems in Westboro, Mass." Bill Brenner at SearchSecurity.com wrote about increasing speculation that a dishonest insider planted the malware on Hannaford's network.

The insider theory intrigues me because it seems that most security breaches can be traced to a social cause. A dishonest human --who has been given access to a system -- can defeat a lot (most) computer security.

Going further into all the speculation has come about from the Hannaford announcement, I decided to see what the blogosphere had to say.

Securosis.com gives a lot of interesting perspective in their post, Picking Apart The Hannaford Breach- What Might Have Happened .

The post points out some interesting thoughts, such as that credit card numbers are useless without names (Hannaford claims no names, or social security numbers were stolen) and that the breach was most likely discovered at financial instiutions when customers complained about fraudulent transactions on their cards.

rmogull summed up his "admitted" speculation with:
In conclusion, it looks like some sort of a network breach (which could be anything from phishing/malware to compromise from a retail location to a full network hack). A sniffer was possibly installed, since it seems they don’t keep credit card information (again, assuming statements are true). The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain. Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part.
There are also some interesting comments with more speculation at the bottom of the post. From what I can gather a lot IT types read this blog.

In the end, as long as there is lack of transparency in data breaches, the best anyone can do is speculate. The reasons for a lack of transparency in data breaches are a mile long, encompassing everything from protecting ongoing investigative efforts to avoiding the financial pitfalls of all the litigation that arises after a data breach.

Of course, in more simple terms, it might also mean that no one is really sure?

Given that, I wonder if anyone can be really sure that their personal information is safe? Your guess is probably as good as mine!

Previous posts on this blog about the Hannaford Data Breach:

Security vendor removes Hannaford as a client on their site after data breach is revealed!

Hannaford Brothers data breach might reveal current security standards are outdated

Saturday, March 22, 2008

Barack, Hillary John - Does anyone know where our (your) privacy has gone?

About a week ago, I wrote a post about Britney having her privacy "jacked" by a bunch of "naughty" hospital employees. This occurred at one of the most respected medical and institutions of higher learning in the world, the University of California, Los Angeles.

Ironically, it's now been revealed that another highly respected institution, the State Department had some "naughty" employees "jack" the privacy of the three major presidential candidates, Barack, Hillary and John.

While a lot of us take Britney's exploits with a grain of salt, it's another example where too many people are being given access to too much sensitive information. Even if we take most of Britney's adventures in a not very serious light -- she is a human being and therefore worthy of a little respect and privacy in her personal affairs.

This should be especially true when someone is seeking medical attention of a sensitive nature.

The official spin in both instances is that these events were caused by naughty employees, who were snooping where they shouldn't have been. While it appears there was no sinister intent in all of this, it points to the fact that none of us can count on a little respect or privacy, anymore.

Maybe we have too many databases containing highly personal information that the wrong people have been given access to? You can spend millions on security, but no amount of it will prevent something from being compromised if the wrong person has been given access to it.

Of course, the there is a financial motive to not wanting to fix the problem anytime in the near future. It's no secret that selling personal information is a multi-billion dollar business. Implementing technology is a multi-billion dollar venture, also. It shouldn't surprise us that there is a lobby (with a lot of money), who wants to keep things the way they are.

Because of this, it shouldn't surprise us that we see criminals exploiting the loopholes in protecting information, either. After all, they're making a lot of money off it, also.

If naughty employees with a penchant for snooping could obtain the personal information of three political candidates, it isn't a far stretch that someone with more sinister intentions could have accomplished the same thing. I wonder, who failed to notice that we are now granting "contract employees" access to information of this nature?

After all, this isn't the first time a contract employee, government or otherwise, has compromised sensitive information.

I guess private businesses aren't the only entities outsourcing jobs (and a lot of people's personal information) in the process. We seem to live in a world, where in order to save a little on the bottom line, we seem to ignore basic principles (like need to know) when protecting information.

Perhaps, if we stopped storing sensitive information in too many places with little regard to who can look at it, we would stop being "shocked" when it's compromised?

All a reasonably intelligent person would have to do is look at the number of reported compromises involving sensitive information that occur and then wonder how many more there are that no one knows about? I threw that in because most people, who do something wrong normally don't disclose what they did to third parties.

After a compromise occurs, we all seem content that security enhancements will prevent the next one. Sadly, most of the enhancements introduced so far haven't put a dent in the problem and the saga goes on. In fact, it normally doesn't take very long before we hear about the latest security enhancement being defeated.

Maybe the problem needs to be taken to a more simple level? Perhaps if we weren't storing information in places -- where too many people have access to it -- we would see less of it being compromised?

We live in a world, where technology has made things easier and more productive. The problem is that "easy and productive" is taking a toll on what should be a basic human right, privacy.

The bottom line is that it has become too easy to compromise information and technology makes both good and bad people, more productive.

Saying all that, the three candidates are on record, when it comes to privacy. In July of 2006, Hillary Clinton spoke to a lot of same issues in a speech, where she said:

Privacy is at the crossroads of all these issues, and modern life makes many things easier… and many things easier to know. And yet, privacy is somehow caught in the crosshairs of these changes.

Our economy is increasingly data driven. We have dramatically ramped up surveillance in our efforts to fight terrorists who hide among innocent civilians.

But every day the news contains a story of how the records of millions of consumers, veterans, patients have been compromised.

At all levels, the privacy protections for ordinary citizens are broken, inadequate and out of date.

Likewise, Barack Obama has the following statement about this issue on his site:

Dramatic increases in computing power, decreases in storage costs and huge flows of information that characterize the digital age bring enormous benefits, but also create risk of abuse. We need sensible safeguards that protect privacy in this dynamic new world. As president, Barack Obama will strengthen privacy protections for the digital age and will harness the power of technology to hold government and business accountable for violations of personal privacy.
John McCain (as part of a bipartisan committee) has expressed frustration on the privacy issue, also. Here is what he was quoted as saying in a CNet story after a FTC report was released on the state of the state on privacy:

A bipartisan group of senators led by Sen. John McCain, R-Ariz., said it is determined to pass new laws restricting the ability of Web sites to collect and use information from a visitor without that person's consent.

For the last several years, Web sites have operated under a form of self-regulation, and industry groups have touted the ever-increasing number of sites posting privacy policies. However, members of the Senate Commerce Committee today decried those steps as inadequate and cited polls showing that the vast majority of consumers opposed industry self-regulation.
There is no doubt that by this point in the game, most of our politicians have made a statement on the privacy issue. Despite these statements, most of the legislation presented in Washington hasn't been passed yet?

In fact if memory serves me correctly, the last time we tried to pass some federal legislation, the end result was that it would have watered down more proactive laws already passed into law at the State level.

I know everyone is busy with the campaign underway so I'm going to include a reference to an article (with an interactive map) showing what State laws on this issue have already been enacted. Included on the map is a interactive flag over the District of Columbia showing which federal laws have not.

Well put together article by csoonline.com, here.

In case anyone reading this can't keep up with the record number of data breaches, Attrition.org had a chronology, here.

PogoWasRight is another place that helps me keep up with the record number of compromises, also.

Friday, March 21, 2008

OCCRP reports on Eastern European/Eurasian organized crime


(Photo courtesy of the OCCRP site)

Eastern European/Eurasian organized groups seem to have their hands in a wide variety of organized criminal activity. They are often mentioned when referring to anything from auction fraud to payment (credit/debit) card skimming and computer crimes.

eBay claims there are entire towns in Romania making a living via auction fraud on it's well known site.

A new site called the Organized Crime and Corruption Reporting Project has been launched by a group of journalists to cover this activity, which seems to have to have a global reach.

In their own words, here is their vision:

The Organized Crime and Corruption Reporting Project (OCCRP) is a joint program of the Center for Investigative Reporting in Sarajevo, Romanian Center for Investigative Journalism, Bulgarian Investigative Journalism Center, Media Focus, the Caucasus Media Investigation Center, Novaya Gazeta and a network of investigative journalists in Montenegro, Albania, Moldova, Ukraine, Macedonia and Georgia.

Our goal is to help the people of the region better understand how organized crime and corruption affect their lives. OCCRP seeks to provide in-depth investigative stories as well as the latest news pertaining to organized crime and corruption activities in the Eastern Europe and Eurasia. In addition to the stories, OCCRP is building an online resource center of documents related to organized crime including court records, laws, reports, studies, company records, etc that will be an invaluable resource center for the journalists and public alike.
The site has been given financial support by the Foundation Open Society Institute (FOSI) and the United Nations Democracy Fund.

Although many of the journalists aren't well known in Western Europe and North America, they have been recognized as putting out some award winning work:

Recently, the program’s first project on energy traders was awarded the Global Network of Investigative Journalists “Global Shining Light Award” for quality investigative journalism under adverse conditions. The project was done in cooperation with SCOOP.

Journalists who have participated in projects published on this website have included Stanimir Vaglenov, Alison Knezevich, Boris Mrkela, Sorin Ozon, Eldina Pleho, Beth Kampschror, Stefan Candea, Roman Shleynov, Mirsad Brkić, Michael Mehen, Mubarek Asani, Paul Cristian Radu, Milorad Ivanović, Vitalie Calugareanu, Vlad Lavrov, Michael Mehen and Altin Raxhimi. The Editors are Rosemary Armao, Paul Radu and Drew Sullivan.
The site covers a wide variety of organized criminal activity (besides what I mentioned above) coming out the the area. Some of these activities include narcoterrorism, illegal arms sales, shell companies and even tobacco smuggling.

Interestingly enough, by reading through the site, I discovered that organized crime even has it's hands in the energy business in the region.

This subject, or the underlying causes of it aren't covered in depth when we read about this phenomenon in the West. Normally, we hear rumors pointing to mysterious Eastern European gangs associated with a sophisticated scam that has surfaced in our own back yard.

In scam circles, some of these people are referred to as "Vlads," which refer to Vlad Tepes, who as the inspiration for the Dracula story. Recently, a person who goes by the name of "Vladuz" has given eBay and the authorities considerable grief when hacking into their system.

Given that this activity reaches far beyond Eastern Europe and Eurasia, this has always amazed me. If you live in any major city in North America or Western Europe, Eastern European/Eurasian organized crime groups are probably operating not very far from where you live.

As the site matures, my guess is that it will provide evidence to ties between these groups and terrorist organizations, also. In fact, if you read what is on the site, some of the evidence I mention is already being written about.

The OCCRP is an excellent and well-written resource for the lay person and professional writer to learn more about a problem, which has become International in nature. Furthermore, since it is written by journalists from the Region, it is a great research tool for anyone interested in the subject.

OCCRP site, here.

Wednesday, March 19, 2008

Security vendor removes Hannaford as a client on their site after data breach is revealed!

I ran into an interesting development in the Hannaford data breach on geeksaresexy.net. Allegedly, their IT security vendor of choice (Rapid7) decided to disavow all knowledge of their relationship with Hannaford right after the breach was made public.

From the blog post on geeksaresexy.net:

Instead, Rapid7 scrubbed all mentions of Hannaford from their client list. Rapid7 obviously didn’t want to be associated with one of the largest data loss incidents in history, and they certainly didn’t want to sully the name of their flagship appliance, the “neXpose” which is a vulnerability scanning device.

This information is from Attrition.Org, an online security community that has been around since the predawn of the dot-com boom. They have an outstanding article, with screenshots here, where they are much less kind to Rapid7 in light of their cowardly actions.

Atttition.org is one of the trusted sources on data breaches, so I decided to see what they had found:

You are a security vendor. You sell the mightiest security doohickey the world has ever seen. It does it all, including "...ensuring your network is safe from hackers..." and amazingly it "...scans for Web site and database vulnerabilities that hackers can use to capture credit card information without you being aware". Since your doohickey does what no others have ever successfully managed to do, you can tout your client list proudly, and pimp your customer implementations liberally.

Attrition.org did an excellent job showing (complete with compelling screenshots) how Rapid7 removed all the information on the Internet showing they were Hannaford's cyber-guardians.

To see all the evidence, which is convincingly presented on Attrition.org, I've provided a link:

Abandon Ship! Data Loss Ahoy!

As of this writing, Rapid7 has replaced the information on their site showing Hannaford as a client.

I decided to run a query on Google News and discovered that so far the Boston Globe is one of the few mainstream e-rags reporting this so far.

The Boston Globe was able to get a comment from the marketing VP at Rapid7. Here is the "official explanation" from the article:

Was it damage control? Embarrassment about being linked to the breach? An admission that its software failed?

A Rapid7 executive says none of the above.

David Precopio, the company's vice president of marketing, said Hannaford asked Rapid7 to remove its name from the site once the data breach was made public. But after some sharp-eyed observers spotted the deletion (including the security website attrition.org) Precopio said Rapid7 asked Hannaford to let it repost the company’s name.

The Boston Globe was unable to get a comment from Hannaford about this matter.

I guess I'll have to leave it to the reader's imagination what the true intention in all of this was?

Tuesday, March 18, 2008

Hannaford Brothers data breach might reveal current security standards are outdated

Hannaford Bros. Co., a grocery retailer based in the Eastern United States is the latest corporation to be victimized by a substantial data breach. Saying that, customers of Hannaford Bros. are going to be victimized, also. So will a lot of financial institutions, who have to deal with the fraud claims and trying to prevent the information from being used.

Whenever a data breach of this magnitude occurs, there are a lot of victims.

This breach occurred despite that fact Hannaford Bros. had met the payment card industry (PCI) standards for data protection and were not using wireless technology to transmit unencrypted data. Both of these factors were said to have caused the now infamous TJX breach, where approximately 98 million records were compromised.

This time only a reported 4.2 million records have been stolen, but it's still early in the game and historically these estimates tend to blossom with time.

A press release from Hannaford revealed that no personal information was stolen in this occurrence and that only payment card (credit/debit) card numbers are at risk.

Additionally, there have been 1800 reported cases of fraud tied into this data breach thus far.

Today, the AP was able to get a comment from their corporate headquarters:

It was during the card approval process that more than 4 million customer accounts at grocery stores in the Northeast and Florida were exposed to fraud, even though the company meets the latest standards for data security, a spokeswoman said Tuesday.

Hannaford Bros. Co. doesn't yet know how the breach — which began Dec. 7 and ended March 10 — occurred, said Carol Eleazer, vice president of marketing for Hannaford, based in Scarborough.

About 4.2 million credit and debit card numbers were exposed and at least 1,800 stolen during the seconds it takes for that information to travel to credit card companies for approval after customers swiped their cards in checkout-line machines, Eleazer said.

Brian Krebs of the Washington Post, who does the Security Fix blog quoted an industry expert, Bryan Sartin at Cybertrust as stating:

"I would say a trend we're seeing hitting a lot of retailers right now is that these organizations can be [compliant with the credit card industry security standards] and still have customer data stolen," Sartin said. "The data in transit is allowed to traverse private links and internal infrastructure without being encrypted, and the attackers are taking advantage of that."

Once these systems have been compromised, Sartin said, the attackers typically eavesdrop on the network using "sniffer" programs that can extract credit and debit card data as it moves across the wire, before it even leaves the store's network.
If the theory in Security Fix is pans out (probably will), some precedents might exist for the basic method the hackers used. The incidents, I will reference don't sound as sophisticated as what Mr. Sartin is describing, but they happened about a year ago and hacking methods tend to mature with age.

Stop and Shop was the subject of a data breach a little over a year ago. In this case, PIN pads were being replaced with "look-alike" devices that captured all the payment card details. This hardware was later removed to download all the information that had been captured when unsuspecting customers swiped their cards.

Shortly thereafter, another compromise of this type was reported in Edmonton, Canada. In this case, a blue tooth device was used to transmit the information to a waiting car in the parking lot.

The trend with PIN pad replacement continued with a smaller breach at a grocer in the San Francisco Bay area, Albertsons in April of 2007. At the time, I had the pleasure of speaking with Blanca Torres, who was doing an article on the story.

Interestingly enough, up North in Canada, where payment card skimming has increased six-fold in recent years, an announcement was made that they plan to introduce a smart card. This technology, which is known as "chip and PIN" is already in use in Great Britain and France.

The AHN story about this by Vittorio Hernandez included (what I consider) a sage comment:

But Peter Woolford of the Retail Council of Canada is wary that although the smart cards appear to be effective in reducing incidents of fraud, sinister minds may one day find a way to hack the smart chips. "Anything the human brain puts together, another human brain can take apart," Woolford pointed out.
Sadly, once this all pans out, it will likely reveal that PCI data protection standards can and will be compromised in the future. The reason, I say sad is because a lot of retailers have spent a lot of money becoming compliant.

Throw in all the finger pointing and litigation between the different parties in all these breaches and I fear we're going to be fighting a very costly battle over what is becoming a too common item in the news.

I'll sum this post up with a rant, I wrote when the TJX breach was attracting a lot of attention:

While everyone sues TJX, the criminals are laughing all the way to the bank

Press release from Hannaford about the breach, here. They list a telephone number on it, where more information can be obtained if you think you've become a statistic.

Sunday, March 16, 2008

The latest nightmare with RFID

A few days ago, it was reported that one-billion RFID access devices could be compromised by hackers. These devices (using the MiFare RFID chip) are currently deployed as an access device used for mass transit systems, and of far greater concern, secure government facilities.

Please note, ComputerWorld has now revised the estimate of MiFare RFID chips in use to two-billion. For the final tally, we'll have to wait until a more detailed report is published.

According to news sources, this report will be issued on Wednesday.

One person, claiming to be able to hack the RFID devices is a University of Virginia student by the name of Karsten Nohl, according to ComputerWorld. Nohl claims that all he would need now is a latop, scanner and a "few minutes" to start duplicating cards using the chip.

The article cites a computer security consultant, Ken van Wyk of KRvW Associates, as saying at least one European country has dispatched guards to secure facilities where this chip was used in access systems.

From the ComputerWorld article by Sharon Gaudin:

It turns out it's a pretty huge deal," said van Wyk. "There are a lot of these things floating around out there. Using it for building locks is the biggy, especially when it's used in sensitive government facilities — and I know for a fact it's being used in sensitive government facilities."

Van Wyk told Computerworld that one European country has deployed military soldiers to guard some government facilities that use the MiFare Classic chip in their smart door key cards. "Deploying guards to facilities like that is not done lightly," he added. "They recognize that they have a huge exposure. Deploying guards is expensive. They're not doing it because it's fun. They're safeguarding their systems." He declined to identify the European country.

While it probably is a good idea to be very specific about what sensitive government facilties use the card, Engadget mentioned some general places that use this particular RFID chip. They include, "London (Oyster Card, Boston, Netherlands (OV-Chipkaart Minneapolis / St. Paul, South Korea (Upass, T-money, Mybi), Hong Kong, Beijing, Milan, Madrid (Sube-T), Australia (Smartrider), Sao Paulo (Bilhete Unico), Rio de Janeiro (RioCard), Bangkok and New Delhi."

They also put up a YouTube video showing how easily these cards could be compromised. This video was created by the Digital Security section of the Radboud Nijmegen University in the Netherlands.



Full ComputerWorld story on this by Sharon Gaudin, here.

Other posts, I written about RFID nightmares, here.

Naughty UCLA employees peek at Britney's medical information

The LA Times is reporting that UCLA Medical Center employees were caught "peeking at" Britney Spears' medical records when she was recently hospitalized in their psychiatric unit.

I wonder if a total lack of privacy might be one of the underlying reasons Britney was admitted to this particular unit?

Charles Ornstein reports:

UCLA Medical Center is taking steps to fire at least 13 employees and has suspended at least six others for snooping in the confidential medical records of pop star Britney Spears during her recent hospitalization in its psychiatric unit, a person familiar with the matter said Friday.

In addition, six physicians face discipline for peeking at her computerized records, the person said.

The article states that this was the second time Britney's records were compromised at the UCLA Medical Center.

UCLA used stronger verbiage when reporting that their computer records were compromised in December of 2006.

As reported at the time by UCLA's Office of Public Relations:

UCLA is alerting approximately 800,000 people that their names and certain personal information are contained in a restricted database that was illegally and fraudulently accessed by a sophisticated computer hacker.

It should be noted that "illegally and fraudulently accessed" and "computer hacker" are stronger terms than "peeking" and "snooping." Maybe this is because the hacker is an outside entity and we can speculate they had a financial motivation when accessing information they weren't supposed to?

As long as we are speculating -- let me bring up another point -- which is there are a lot of people obviously making a lot of money from the Britney Spears saga. Her personal medical details might be worth a lot of money to the people, I'm referring to.

Recently, it was reported that People Magazine paid $4 million for the first pictures of Brad Pitt and Angelia Jolie's baby. Maybe a little privacy was one of the reasons they went to a remote place in Africa to have the baby?

Now I'd better get back to the larger problem, we face from too much information being stored in too many (not very secure) databases.

The problem is that with so many databases out there -- coupled with all the publicly disclosed data breaches -- tracking any one case of a person's information being compromised is nearly impossible.

Just ask anyone, who has actually investigated a case of identity theft. Most of the time, the best that can be done is to speculate where the information was actually compromised.

At this point in the game, a lot of people have been compromised in more than one location.

I would also speculate that there are even a greater number of data breaches out there that no one knows about. My guess is that the people, who steal information, would prefer to remain anonymous. Transparency has never been in the best interest of information thieves.

This brings up another problem that ties into this, or what is known as medical identity theft. While medical identity theft hardly ties into Britney Spears getting her information "peeked at," it has become a huge problem. The tie would be the ease in which naughty employees, with no business looking at it, were able to do so.

In the end, UCLA is a highly respected institution. They do seem to care that this happened and are taking the standard measures to prevent it from happening again. The problem here is that time and time again, it appears that some of these measures don't work very well.

The bottom line is that if things like this can happen at a respected institution of higher learning's medical center, it's probably happening at more places that we realize!

Speaking of this happening at more places than we realize, it was recently reported (3-12-08) that Harvard is one of the latest institutions to be victimized by a data breach.

As long as we rationalize things away by using terms like "peeking," I doubt the problem is going to get fixed in the near future. UCLA is probably only following standard data compromise protocol. Read the press releases after any compromise of data and there is a lot of rationalization and speculation.

This probably means we need to do a little less rationalizing and going beyond mere speculation when addressing what has become a serious issue. This will entail taking a hard look at the core reasons this keeps happening, one of which is, an ever increasing lack of privacy in the world today.

If you would like to see why UCLA isn't the only one who has had a problem with this issue, Attrition.org and PogoWasRight do a great (transparent) job of reporting the known spectrum of the problem.

If you want to read more about medical identity theft, the World Privacy Forum is an excellent resource.

Thursday, March 13, 2008

London e-crime conference suggests that hackers are becoming more organized and politically motivated

In the past several years, we've seen a lot of corporate and government systems compromised by hackers. With corporate systems, we assume the intent is financial, however more and more, we hear the term, "corporate espionage" being used. In the global economy, information is often worth more than money.

With regards to government systems being hacked, it's hard to speculate that the attack was financially motivated.

Mandy Clark of Voice of America wrote an interesting article on this subject, while covering an International e-crime congress in London:

British opposition lawmaker David Davis warned an e-crime conference in London that the danger of cyber terrorism is real.

"In America, hackers have already broken into the Pentagon's computer systems; in India, into government ministers' files; in Germany, into the chancellor's," Davis said. "Such attacks could be designed to compromise safety systems, critical national infrastructure, to overwhelm communication systems, or even to cause a run on the bank."

Included in the VOA article is a video containing a lot of commentary from experts from both the government and private sectors:

Cyber Threat report / Broadband - Download (WM)

Cyber Threat report / Broadband - Watch (WM)



Unfortunately, many consider this type of activity open to speculation, or point out that it might be mere propoganda. In the end -- IF this activity is caused by organized crime or those with more political intentions -- it's going to be hard to get the people behind it to comment.

Political misfits, criminals, spies and hackers normally want to keep their activity confidential because transparency often compromises whatever goal they are trying to achieve.

Nonetheless, a lot of experts and lay people agree that we are seeing more of this type of activity and that it is becoming a lot more sophisticated than it used to be.

VOA article by Mandy Clark, here.

United Press International covered this story from a NATO cyber warfare perspective, here.

The Dirty Dozen Tax Scams of 2008

The IRS has been in the news recently because it's name has been impersonated (spoofed) to phish personal and financial information from people tricked into believing the IRS was going to send them money.

Another recent phishing lure spoofing the IRS name was the upcoming economic stimulus package being promised to the tax paying public. In this case, (too good to be true) promises of money were being sent out by spam spewing zombie computers before the details were finalized in the halls of Congress.

These spam spewing zombie computers are part of a botnet. Botnets are controlled by bot-herders, who are known to rent their services to a wide variety of Internet misfits. Bot-herders often use their botnets to commit criminal activity themselves, also.

Zombie computers are created after their owner clicks on a link in a spam e-mail containing malicious software engineered to take control of their system. In the recent past, there have even been examples of malware being injected into a system after just visiting an infected site.

Please note that most of these phishing ploys are designed to clean out your bank account, run up your credit cards, and or allow a criminal to use your good name to obtain additional lines of credit. The fact that they often turn your computer into a zombie is considered an add-on value to the criminal, who can then use your system to deliver spam (scams) to other unsuspecting people.

Today, the IRS issued it's yearly Dirty Dozen Tax Schemes. Since Internet scammers have been so fond of using the IRS's name, I thought this would be a good subject to blog about.

Please note that from time to time, I get anonymous inquiries about where to report tax fraud in the comments section. I've included information oh how to do this at the bottom if this post.

The IRS is sometimes willing to pay a reward for information leading to the successful resolution of an investigation. Your identity is protected if you choose to remain anonymous, also.

From the press release:

The Internal Revenue Service today issued its 2008 list of the 12 most egregious tax schemes and scams, highlighted by Internet phishing scams and several frivolous tax arguments.

Topping this year’s list of scams is phishing, which encompasses numerous Internet-based ploys to steal financial information from taxpayers. New to the “Dirty Dozen” this year is a scheme, which IRS auditors discovered, that relates to unreasonable and/or excessive fuel tax credit claims.

Here is the Dirty Dozen hot off the official press release:


1. Phishing

Phishing is a tactic used by Internet-based thieves to trick unsuspecting victims into revealing personal information they can then use to access the victims’ financial accounts. These criminals use the information obtained to empty the victims’ bank accounts, run up credit card charges and apply for loans or credit in the victims’ names. Phishing scams often take the form of an e-mail that appears to come from a legitimate source. Some scam e-mails falsely claim to come from the IRS. To date, taxpayers have forwarded more than 33,000 of these scam e-mails, reflecting more than 1,500 different schemes, to the IRS. The IRS never uses e-mail to contact taxpayers about their tax issues. Taxpayers who receive unsolicited e-mail that claims to be from the IRS can forward the message to a special electronic mailbox, phishing@irs.gov, using instructions contained in an article titled “How to Protect Yourself from Suspicious E-Mails or Phishing Schemes.” Remember: the only official IRS Web site is located at www.irs.gov.

2. Scams Related to the Economic Stimulus Payment

Some scam artists are trying to trick individuals into revealing personal financial information that can be used to access their financial accounts by making promises relating to the economic stimulus payment, often called a “rebate.” To obtain the payment, eligible individuals in most cases will not have to do anything more than file a 2007 federal tax return. But some criminals posing as IRS representatives are trying to trick taxpayers into revealing their personal financial information by falsely telling them they must provide information to get a payment. For instance, a potential victim is told by phone or e-mail that he or she is eligible for a rebate but must provide a bank account number (or similar information) to get the payment. If the target is unwilling, the victim is then told that he cannot receive the rebate unless the information is provided. Individuals should remember that the only way to get a stimulus payment is to file a 2007 tax return. The IRS urges taxpayers to be extra-vigilant. The IRS will not contact taxpayers by phone or e-mail about their stimulus payment.

3. Frivolous Arguments

Promoters of frivolous schemes encourage people to make unreasonable and unfounded claims to avoid paying the taxes they owe. Most recently, the IRS expanded its list of frivolous legal positions that taxpayers should stay away from. Taxpayers who file a tax return or make a submission based on one of these positions on the list are subject to a $5,000 penalty. The most recent update of the list of frivolous positions includes: misinterpretation of the 9th Amendment to the U.S. Constitution regarding objections to military spending, erroneous claims that taxes are owed only by persons with a fiduciary relationship to the United States, a nonexistent “Mariner’s Tax Deduction” related to invalid deductions for meals and the misuse of the fuel tax credit (see below). The complete list of frivolous arguments is on the IRS Web site at IRS.gov.

4. Fuel Tax Credit Scams

The IRS is receiving claims for the fuel tax credit that are unreasonable. Some taxpayers, such as farmers who use fuel for off-highway business purposes, may be eligible for the fuel tax credit. But some individuals are claiming the tax credit for nontaxable uses of fuel when their occupation or income level makes the claim unreasonable. Fraud involving the fuel tax credit was recently added to the list of frivolous tax claims, potentially subjecting those who improperly claim the credit to a $5,000 penalty.

5. Hiding Income Offshore

Individuals continue to try to avoid paying U.S.taxes by illegally hiding income in offshore bank and brokerage accounts or using offshore debit cards, credit cards, wire transfers, foreign trusts, employee leasing schemes, private annuities or life insurance plans. The IRS and the tax agencies of U.S. states and possessions continue to aggressively pursue taxpayers and promoters involved in such abusive transactions.

6. Abusive Retirement Plans
The IRS continues to uncover abuses in retirement plan arrangements, including Roth Individual Retirement Arrangements (IRAs). The IRS is looking for transactions that taxpayers are using to avoid the limitations on contributions to Roth IRAs. Taxpayers should be wary of advisers who encourage them to shift appreciated assets into Roth IRAs or companies owned by their Roth IRAs at less than fair market value. In one variation of the scheme, a promoter has the taxpayer move a highly appreciated asset into a Roth IRA at cost value, which is below annual contribution limits even though the fair market value far exceeds the amount allowed.

7. Zero Wages

Filing a phony wage- or income-related information return to replace a legitimate information return has been used as an illegal method to lower the amount of taxes owed. Typically, a Form 4852 (Substitute Form W-2) or a “corrected” Form 1099 is used as a way to improperly reduce taxable income to zero. The taxpayer also may submit a statement rebutting wages and taxes reported by a payer to the IRS. Sometimes fraudsters even include an explanation on their Form 4852 that cites statutory language on the definition of wages or may include some reference to a paying company that refuses to issue a corrected Form W-2 for fear of IRS retaliation. Taxpayers should resist any temptation to participate in any of the variations of this scheme.

8. False Claims for Refund and Requests for Abatement

This scam involves a request for abatement of previously assessed tax using Form 843, “Claim for Refund and Request for Abatement.” Many individuals who try this have not previously filed tax returns. The tax they are trying to have abated has been assessed by the IRS through the Substitute for Return Program. The filer uses Form 843 to list reasons for the request. Often, one of the reasons given is "Failed to properly compute and/or calculate Section 83-Property Transferred in Connection with Performance of Service."

9. Return Preparer Fraud

Dishonest tax return preparers can cause many problems for taxpayers who fall victim to their schemes. These scam artists make their money by skimming a portion of their clients’ refunds and charging inflated fees for return preparation services. They attract new clients by promising large refunds. Some preparers promote the filing of fraudulent claims for refunds on items such as fuel tax credits to recover taxes paid in prior years. Taxpayers should choose carefully when hiring a tax preparer, especially one who promises something that seems too good to be true.

10. Diguised Corporate Ownership

Some people are going as far as forming domestic shell corporations in certain states for the purpose of disguising the ownership of a business or financial activity. Once formed, these anonymous entities can be used to facilitate underreporting of income, non-filing of tax returns, engaging in listed transactions, money laundering, financial crimes and even terrorist financing. The IRS is working with state authorities to identify these entities and to bring the owners of these entities into compliance.

11. Misuse of Trusts

For years, unscrupulous promoters have urged taxpayers to transfer assets into trusts. They promise reduction of income subject to tax, deductions for personal expenses and reduced estate or gift taxes. However, some trusts do not deliver the promised tax benefits. As with other arrangements, taxpayers should seek the advice of a trusted professional before entering into a trust.

12. Abuse of Charitable Organizations and Deductions

The IRS continues to observe the misuse of tax-exempt organizations. Misuse includes arrangements to improperly shield income or assets from taxation, attempts by donors to maintain control over donated assets or income from donated property and overvaluation of contributed property. In addition, IRS examiners are seeing an upturn in instances where taxpayers try to disguise private tuition payments as contributions to charitable or religious organizations.

As promised above, here is how you can report one of these scams:

Suspected tax fraud can be reported to the IRS using IRS Form 3949-A, Information Referral. Form 3949-A is available for download from the IRS Web site at IRS.gov. The completed form or a letter detailing the alleged fraudulent activity should be addressed to the Internal Revenue Service, Fresno, CA 93888. The mailing should include specific information about who is being reported, the activity being reported, how the activity became known, when the alleged violation took place, the amount of money involved and any other information that might be helpful in an investigation. The person filing the report is not required to self-identify, although it is helpful to do so. The identity of the person filing the report can be kept confidential.

Whistleblowers also could provide allegations of fraud to the IRS and may be eligible for a reward by filing Form 211, Application for Award for Original Information, and following the procedures outlined in Notice 2008-4, Claims Submitted to the IRS Whistleblower Office under Section 7623.

Full press release on the 2008 Dirty Dozen Scams, here.

Sunday, March 09, 2008

When will we realize how serious the problem of counterfeit devices has become?

On March 6th, Queens District Attorney, Richard Brown announced a series of indictments against a major counterfeiting ring. Although based in New York City, the group was operating nationwide. The ring was obtained skimmed card information from hackers in China. Subsequent news reports have stated that skimmed information was obtained from hackers in the Ukraine, also.

From the press release:

Queens District Attorney Richard A. Brown, joined by Police Commissioner Raymond W. Kelly, today announced that a forged credit card and identity theft ring based in Queens County and with roots in the Far East has been successfully dismantled following the indictment this week of thirty-eight individuals. The ring was allegedly responsible for stealing the personal credit information of scores of American consumers and costing these individuals, financial institutions and retail businesses more than $1 million in losses over the past year.
Counterfeit identification documents to match the counterfeit financial devices were being produced, also.

DA Brown explains why this is of greater concern than mere financial crime:

Many of the defendants charged today are accused of going on nationwide shopping sprees, purchasing tens of thousands of dollars worth of high-end electronics, handbags and jewelry with forged credit cards that contained the account information of unsuspecting consumers. Particularly disturbing is the fact that, in a number of cases, the defendants are charged with using bogus documents to purchase airline tickets and then using those documents as identification to board commercial aircraft. In the hands of terrorists such documents could have easily undermined the efforts of homeland security and other law enforcement officials intent on keeping our borders and citizens safe.

Given that the scope of this crime potentially crosses three continents, it probably demonstrates different organized crime groups are working together. The potential these items might be sold to people with twisted political and or religious motives isn't too far a stretch.

It has been reported that Al Qaeda training manuals teach their minions to use credit card fraud as a means of financing their activities.

I doubt if most of these criminals could care less, who they are selling them to. Even if they did, the full intent of the purchaser might not be readily apparent.

Suad Leija -- who has been providing information on a major counterfeiting cartel to the government -- says that this was the reason she turned on her family members running the cartel.

This latest example shows that despite a lot of focus on security to prevent terrorist attacks, counterfeit documents are a clear threat to all of us.

Prior to Suad turning against her family, her husband says he tried to get the cartel to let the government use their database as a tool to identify potential terrorists, who might have already crossed our border.

I'm sad to report that the database was never accessed and that the criminal case against the cartel is facing some serious challenges at the present time.

This series of indictments also shows how the Internet is being used to fence a lot of stolen merchandise. Normally, we hear about it happening on auction sites, such as eBay or Craigslist; however in this instance this group had an e-commerce website of their own. This website, Easttrades.com, is still up and running at the time I am writing this.

I decided to run the domain through "Whois" and it’s registered right here in the United States.

Maybe it’s just me, but it appears that we need to take the counterfeiting problem a little more seriously. They appear to be easy to produce and are available to too many people.

They are a gateway for criminals, or worse to commit all sorts of illegal activity. I would love to ask the political candidates running in the current election what they think about this problem.

Unfortunately, my guess is that no one is going to ask them and that this is an issue they would rather not talk about.

Queens District Attorney press release on this, here.

Girl Scouts get scammed with fake $100 bill


(Courtesy of the Pasco County, Florida Sheriff's website)

If you are like me, you've already bought too many cookies from the Girl Scouts. Everywhere I go, there is a table selling them and it's hard for me to say no to them.

After all, supporting organizations like the Girl Scouts has long been considered an honorable endeavor.

It's sad to say that at least one scammer has ripped them off with a fake (counterfeit) $100.00 bill in front of a local Walmart in Texas.

Marianne Martinez Lewisville (CBS 11 News) reports:

The girls were selling cookies in front of the discount store on Wednesday evening when a man said he wanted to buy two boxes. He promptly gave a 100-dollar-bill to the mother of one of the children. After getting his $93 in change, the man left without getting his cookies.


Realizing the man had left his purchase the girls tried to find him, but were unable to. In the meantime, the mother realized the bill was fake but it was too late.


Police say the crook bleached a $5-bill and printed over it to make it look like a $100-bill. Officers say at first glance the bill looks real. "It's the real paper used by the Department of Treasury. Ya know, it has the appearance of a real bill," said Lewisville Police Department Captain Kevin Deaver.
This particular counterfeit $100.00 bill version has been making the rounds for the past few years. Although, it defeats some of the anti-counterfeiting detection devices out there -- largely because the paper is real -- it can be easily caught by the human eye.

These bills are actually $5 bills that have been washed and reproduced as $100 bills. Although at first glance they look and feel legitimate, the way to spot them is by their security features. On the washed (fake) bill the hologram on the right side -- seen by holding the bill up to light -- is Abraham Lincoln. On a real $100 bill, the image is Benjamin Franklin. Additionally, the embedded strips on either side of the bill will say they are $5 bills instead of $100 bills.

Criminals do this by bleaching the bills, then photocopying the $100 bill over it. Unfortunately, portable printing and photocopying technology has made it easy for all sorts of documents to be counterfeited.

For additional ways to determine real money from fake money, the United States Secret Service has an excellent page about it, here.

Another good resource is:

http://www.moneyfactory.gov/

Both of these sites offer training materials for businesses. Using them might be a good option for charitable organizations, also.

Although, no date is set yet, the government plans to issue redesigned $100 bill sometime in the near future. News reports indicate the reason for the redesign is directly related to how many of these washed bills have been seen in recent years.

Saturday, March 08, 2008

Symantec releases March Spam and Scam Trends

Even though scams don't all originate on the Internet, a great majority of them do. If you ever want to figure out what scams are making their rounds, taking a look at spam analysis is a pretty good way of doing it.

Spam is the vehicle that most cyber misfits seem to prefer when trying to pull a fast one on the unwary. Fortunately, most of them are far from geniuses and all it takes is a little awareness to foil their attempts at trickery.

Of course, providing a little body armor for your system is highly recommended, also. Especially, if you are a Windows user.

Please note that when providing body armor for your system to make sure you are buying it from a reliable vendor. I see spam come-ons for so-called computer security software that might turn your system into a spam spewing zombie, steal all the information from it, or a combination of both.

Last week, Symantec released their March report. This report is a good resource to use to see what is going on in the wild world of spam, scams and malicious software.

Kelly Conley writes:

Social engineering was the driving force behind spammers during the month of February. While overall spam volume hovered steadily at 78.5% of email and tactics remained relatively the same, the use of events, big brands, and public figures drove spam campaigns during the month. The March State of Spam report highlights several of these.

Kelly brings up another point -- which is that despite the fact that scams frequently use technology as a tool -- they also rely on a healthy a dose of social engineering (trickery) to accomplish their intentional misdeed.

Predictably, the presidential candidates are a big lure:

Last month, spammers began to spread bogus links purporting to show a Hillary Clinton speech, but in actuality the links were cloaking a malicious Trojan. Most recently we’ve seen spammers leveraging the last remaining front-runners of the 2008 presidential elections; Obama, McCain, and Huckabee. Just what are spammers linking the candidates with? Everything from Viagra, porn, get-rich-quick schemes, and portable dewrinkle machines.

If you think about it, this shouldn't surprise very many of us. After all, the candidates are filling up our mailboxes with a lot of political spin and requests for financial support, also.

It's probably a good idea to be careful when clicking on a link in any unsolicited messages. Especially, when over 75 percent of all e-mail sent is spam.

Of course, politicians aren't the only human lures spammers use. Celebrities are pretty good "spam fodder," also.

The presidential candidates aren’t the only targets. Also seen were high profile names such as Michael Jackson, Heather Mills, and Indiana Jones to name a few. Spammers are using these names to spread malicious links to videos and the names being circulated are all currently high profile. Who hasn’t heard of the McCartney/Mills divorce or Britney Spears’ woes? The spammer is banking that you want to know more about these celebrities and are therefore leveraging their names to tempt you into opening the malicious link. These are fairly easy to spot because in most cases the names are misspelled. I wonder what Paul McCartney would think of his name more closely resembling a martini (Maccartni)?
It never ceases to amaze me that spammers can't spell. A common demoninator in most scam letters is that a lot of words are misspelled. Especially, the variety that orginate out of Internet cafes in third world countries.

Other notable trends in the lures being used are International Women's Day and (too good to be true) offers of free tickets from Southwest Airlines.

The monthly reports normally includes an amusing, or not so amusing (reader's choice) "hall of shame" category. This month the mortgage crisis is being used, with a sick twist:

As economic conditions have slowed in recent months, Symantec has observed a torrent of spam messages encouraging users to “refinance before its too late,” ”take out a mortgage for the lowest APR ever,” or “this is the time to be the proud owner of your house.” While the deluge of finance spam continues, spammers have also decided to diversify their sales portfolio to include the buying and selling of burial plots. Talk about an idea to get out from being buried, no pun intended. As the message indicates, the U.S. national average price for a burial plot in 1978 was $200 and this has risen to $4500 in 2008. “Get started today” – adverts say – “because tomorrow could be too late”.
In case you missed the link to the full report (above), it can be seen (with some interesting screenshots), here.

Wednesday, March 05, 2008

Fine Wine and Identity Theft?

What do fine wine and identity theft have in common? According to the FTC's top cities for identity theft, the answer is Napa, California.

Christopher Null blogged about this on Yahoo:

While you're sipping Chardonnay and enjoying the beauty of the wine country, crooks may be busy swiping your identity. According to a Federal Trade Commission study, Napa, California, earned the title of worst town for identity theft, with over 300 consumer complaints per 100,000 residents in 2007.

Madera, California, (280 complaints per 100,000 residents) and Greeley, Colorado, (228 complaints) followed Napa on the list. On a state level, California (120 complaints) was surpassed by only Arizona, which had the worst per-capita trouble with identity theft (137 complaints).
I decided to go to a more local Northern California source and found that Channel 10 News out of Sacramento/Stockton/Modesto covered the story, also.

Cornell Barnard (News 10) reports:

Stockton ranks number 21 out of 50 on the Federal Trade Commission's list of the worst cities for identity theft complaints.

Stockton Police can't pinpoint why their city ranks so high, but the valley's trade take part of the blame, a constant hunger for cash.

"It's all connected. It's a brutal crime for those victimized," said Stockton Police spokesman Pete Smith.In addition to Stockton, Northern California is well-represented on the FTC list. Napa tops the list of U.S. metropolitan areas for identity theft consumer complaints, logging over 302 complaints for every 100,000 residents during 2007. Nearbly Vallejo and Fairfield rank sixth while the Yuba City area comes in 11th.
Interestingly enough, Vallejo and Fairfield are just over the hill from Napa and one of the entry points for the San Francisco Bay area. Yuba City is roughly just North of the Napa Valley. These cities aren't very far from Stockton, either.

Maybe this means, there is a higher incidence of Identity Theft in Northern California? Napa might be the worst because it is an affluent area and the better a person's credit is -- the more lucrative their identity is to a criminal.

Being a fifth generation, or so Northern California type (a lot of this blog is written from there), I'd like to point out that Northern California also hosts a lot of information to combat the identity theft problem. In fact, some of the best resources to protect and educate people originate from the area.

Sacramento, which didn't make the list is the State Capital. The Office of Privacy Protection is one of the better written information sources to educate people about the problem of identity theft. Please note the information on this site is available in English, Espanol and Chinese.

For the more frugal, this page contains all the information needed to protect a person without paying for one of those services with an alleged $1 million guarantee.

Interestingly enough, the State of California is also known as being pretty proactive when it comes to protecting the rights of victims. Many of the privacy laws enacted in California have had a worldwide impact.

A great place to read more about the problem is a document outlining Governor Schwarzenegger's 2005 Identity Theft Summit. This document includes a lot of perspective from privacy groups, law enforcement and business groups on the problem.

Last, but not least, a University of Berkeley professor, Chris Hoofnagle just issued an interesting paper based off information culled from the FTC about which financial institutions are most prone to making their customers a victim of identity theft. Professor Hoofnagle openly admits that the results might be jaded because they are only from a consumer complaint point of view and that most financial institutions seem to prefer not to release these statistics.

If your a more "visual type," Cornell Barnard's newscast on this story can be seen, here.

If you are one of those more "scholarly types," the full FTC report on this can be viewed, here.

Saturday, March 01, 2008

Will counterfeit documents enable the next terrorist attack?


(Cartoon by Suad Leija. Suad is the artist, however the political opinions are those of her husband. More cartoons can be seen on her new site, here.)

With the 2008 election in full swing, most of the candidates seem content to dodge the issue of border security.

Tied into another controversial issue, which is illegal immigration, discussing it is probably considered a no-win situation. It's probably likely that no matter what stance they take, it will cost them votes.

Perhaps, the reason it's so controversial is that we are a country of immigrants and most of our ancestors came to this country to seek a better life.

In most cases, what we consider poverty in this country, is a far better standard of living than where they are coming from.

Businesses take advantage of this "cheap labor" (payroll is always a key expense in any business) and because of their illegal status, illegal immigrants don't tend to complain about low wages and no benefits.

Since illegal immigrants are human beings and get sick etc., the taxpayer normally ends up paying for all the social costs associated with their employment. This is a pretty good deal for the employers using this "in-sourced" form of labor.

If you really wanted to solve the illegal immigration problem, it would probably be pretty simple. All you'd have to do is go after the businesses hiring them.

If the process were more transparent, they would probably have to take care of the people, who work for them a little better, also.

The biggest problem with illegal immigration is that all sorts of criminals, and some say, people with political agendas (terrorists) can easily camouflage themselves in the worldwide exodus of people from poor and war-torn countries. The illegal immigration process is controlled by organized criminals, who only care if the person they are bringing in has the money to pay them.

If you think illegal immigration consists of only people from Mexico, this is no longer the case. More and more, they are coming from a lot of different places and illegal immigration is hardly a problem just in the United States.

Whether they are here to find work, commit crimes or plan the next 9/11 -- the first thing someone entering a country illegally needs to do is make themselves appear to be legal. The way they do this is by using counterfeit documents to establish a (seemingly)legitimate identity.

In the hands of terrorists, counterfeit documents are an enabler to murder innocent people because they were at the wrong place at the wrong time. Given that Atta and the 9/11 crew used counterfeit documents to establish themselves in the U.S., it amazes me that as I write this, the business in them is booming.

The story of Suad Leija has been covered extensively in the mainstream media. Suad is the stepdaughter of one of the prominent leaders of an organized counterfeit document cartel operating throughout North America. Suad met and eventually married an American businessman, with alleged ties to the intelligence community.

The businessman then tried to strike a deal with Suad's family to use their database to identify potential terrorists -- who had been provided counterfeit documents -- in exchange for the release of a prominent member of the family, who had been arrested in Chicago.

The operation took a turn when the cartel refused to provide this information and Suad ended up assisting the authorities in identifying the main players in the cartel, as well as, the scope of their operation throughout the United States.

There have been 38 arrests and the court case is still underway.

Please note that ties to an intelligence operation have not been confirmed by a government source. Nonetheless, if you've followed the story, this is probably a fairly good deduction.

I wouldn't expect the government to confirm, or deny this story. Revealing details about intelligence operations compromises their efforts. This is probably why the intelligence community is and always will be the unsung heroes in the "War against Terror."

Charlie Wilson's War, the Tom Hanks movie, although probably a little "Hollywood" in nature is probably a good example of how a few good intelligence types can make a big difference. True stories, such as this one, normally are only officially confirmed years after the fact.

Just the other day, Newsweek released an update to the Suad story, with more details about the operation.

Joe Contreras (Newsweek) writes:

When federal prosecutors indicted 22 members of the Leija Sánchez counterfeit ID organization in Chicago last April, they described the arrests as "a significant setback" to one of the largest criminal enterprises of its kind ever to operate in the United States. But they made no mention of Suad Leija and the remarkable tale of how her marriage to an undercover American agent and her choice of country over family led to the downfall of the fake-document ring. Suad began cooperating with the U.S. Immigration and Customs Enforcement (ICE) agency in January 2006 and gave investigators the names and addresses of her stepfather's siblings and top lieutenants, who had been photographed while under surveillance by the Feds. Her decision to aid ICE officials, she says, grew out of concern that the fake green cards, driver's licenses and Social Security cards churned out by her family's document mills could be used by terrorists to stage another devastating attack on American soil. "Just as I wouldn't help a drug peddler sell narcotics to kids, there's no way I'd do it for terrorists who want to use fake identification produced by my family," Suad told NEWSWEEK in a phone interview from an undisclosed location. "If another September 11 were to happen and I'd done nothing to stop my family, then I would be just as guilty."

The Newsweek story also points out that these counterfeit documents are hardly being only sold to illegal immigrants, who want them to get a job:

Senior ICE officials also see the booming fraudulent documents business as a bona fide threat to national security. The industry generates annual revenues in the hundreds of millions of dollars, and its primary markets are the estimated 12 to 20 million foreigners living illegally in the United States and teenagers wanting to sneak into a bar. But some of the 9/11 hijackers obtained legitimate ID documents under false pretenses, and a terrorist suspect linked to Al Qaeda named Nabil al-Marabh allegedly produced fake ID documents at his uncle's print shop in Toronto prior to the attacks on New York and Washington. Though the clientele of the Leija Sánchez ring was overwhelmingly Latin American in origin, federal prosecutors say that documents were sold to Algerians, other Arabs and Pakistanis. "That's where the vulnerability is," says James Spero, a deputy assistant director in the ICE office of investigations. "You can buy a set of documents that will make it appear you are legally in the U.S. for as little as $100, and nobody in these organizations does background checks on their customers."

The article ends with the conclusion by Mr. Contreras based on interviews with ICE officials:

ICE agents have arrested 38 members of the Leija Sánchez organization to date, and from his Mexican prison cell Manuel is currently fighting extradition to the U.S. His old business associate Pedro Castorena was flown from Mexico to Denver last month to stand trial later this year on fraud, conspiracy and money-laundering charges, and Suad is expected to testify for the prosecution. But as the decline and fall of Pablo Escobar's Colombian Medellin cartel proved in the 1990s, the decapitation of a criminal organization's leadership will not disrupt the industry as long as there is strong demand for its product. And as of this week, ICE officials reported no decline in the availability of bogus documents on the streets of any major U.S. city.

Not mentioned in the Newsweek article is that the lead ICE agent on this case, Cory Voorhis, was arrested and is being charged with "exceeding his unauthorized access to a federal criminal database."

Voorhis and his legal team contend that he was only exposing plea bargain practices that allowed illegal immigrants charged with serious crimes to not be deported by the Denver DA's office.

Please note the crimes in question are a little more serious than just crossing the border without the right documentation.

Some are comparing this case to another case, which has received a lot more attention in the media. As stated on his legal defense site:

There are troubling parallels with the 2005 prosecution in El Paso, Texas of two Border Patrol agents, Ignacio Ramos and Jose Compean. Ramos and Compean were convicted of shooting a fleeing drug smuggler primarily on the testimony of the drug smuggler himself, who was granted immunity by the US Attorney. It has since been revealed that the US Attorney knew of the smuggler’s long criminal history yet succeeded in withholding this evidence from the jury.

A news release from his legal defense site stated that this might jeopardize the current prosecution of the Castorena-Leija counterfeit documents cartel.

From the news release:

The federal prosecution of Cory Voorhis, the Immigration and Customs Enforcement (ICE) agent who is charged in a high-profile case with three federal misdemeanors for allegedly illegally accessing a restricted database, could lead to the dismissal of charges or to drastically reduced charges for the alleged head of the notorious Mexico-based criminal Castorena Family Organization (CFO), some say.
The Suad Leija story isn't over yet and only time will tell what the final outcome will be. The full story of Operation Paper Tiger can be purchased (which includes actual wiretap transcripts) on the Paper Weapons site.

The most recent Newsweek story written by Joe Contreras can be seen in full (recommended), here.

In case you are interested in the Cory Voorhis case, a lot of information can be seen on his legal defense site, here.

Suad has also put up a new site, to further her personal interests once this story comes to a conclusion. Please note that Suad is only 23 years old and hopefully has other things in her life to pursue once this drama is over.

Below is another example of her work, which can be seen on her site (linked above). Please note that she is only the artist and the expressed views of those of her husband.