Sunday, January 06, 2008

Democratic fundraiser Norman Hsu sentenced to three years

Norman Hsu, who used to be a major fundraiser for Hillary Clinton and the Democratic party, has been sentenced to three years in state prison in a fraud case dating from the early 1990s.

John Coté at SFGate reports:

Disgraced Democratic fundraiser Norman Hsu, who became a prolific political moneyman even as he was a fugitive from justice, was sentenced Friday to three years in state prison in a San Mateo County grand theft case that dates from the early 1990s.

Hsu was sentenced in Redwood City more than 15 years after he skipped out on his original court date and fled to Asia.
And this isn't the end of it:

He will now be transferred to federal custody to face new criminal charges in New York, where he is accused of bilking investors across the country out of at least $20 million. Hsu allegedly funneled some of the money to political campaigns, including that of Sen. Hillary Rodham Clinton, while living a lavish lifestyle.
Now here is the kicker (his legal defense):

Hsu's attorneys had sought to have the 1990s case dismissed or to allow Hsu to withdraw his no contest plea, saying his right to a speedy trial had been violated because authorities made little attempt to locate him - even as he attended fundraising events and was photographed with political candidates.
His attorney is planning to appeal this conviction. Hopefully, a judge won't grant him bail again, since he has already shown he is a flight risk.

The good news is that we may be starting to see a trend where money isn't the primary factor in deciding who becomes the next leader.

SF Gate story by John Coté, here.



New IRS rules dictate stricter controls on how personal information is marketed by preparers!

Last year, a large number of fraud cases were reported in which people obtained refund anticipation loans (RALs) using fraudulent information.

In many instances, these fraudulent returns claimed the earned income tax credit (EITC). The EITC refunds a portion, or all, of the taxes paid by people below a certain income level when they file their yearly tax return.

While well intentioned in principle, the credit is targeted by fraudsters, who submit fake W-2 information and claim large refunds they are not entitled to.

Blank W-2 forms can be purchased in just about any office supply store, or even over the Internet.

Another growing trend, given all the stolen identities and counterfeit identification out there, is fraudulent tax returns filed using other people's information. An RAL can net several thousand dollars, which makes these loans prime targets for financial fraud.

Low-income people are also often recruited to apply for these loans using "made up" information.

Guess who ends up getting caught if the IRS discovers the fraud in most instances? I'll give you a hint, it probably won't be the person who talked them into doing it.

I'm not sure if all the tax refund fraud and reported identity theft last year inspired the recently announced IRS rules, but it's probably a good guess that it had something to do with it.

The IRS is now giving taxpayers more control over their personal and financial information. They are also examining whether certain restrictions should be placed on refund anticipation loans.

The IRS press release states:

Federal law already strictly prohibits the IRS from making disclosures of taxpayer return information within its control to third parties except with taxpayer consent or in circumstances set by Congress. The final rules have no effect on the strict protection of return information in the IRS’s hands and apply only to tax return information held by income tax return preparers.

Among the new rules:

Generally, preparers must obtain taxpayer consent, either by paper or electronically depending on how the return is being filed, before tax return information can be disclosed to any third party or used for any purpose other than filing the return.

If the taxpayer consents to the disclosure and use of his information, the consent must identify the intended purpose of the disclosure, identify the recipients and describe the particular authorized disclosure or use of the information.

Mandatory language informs individual taxpayers that they are not required to sign the consent; that if they sign the consent, federal law may not protect their information from further disclosure; and that if they sign the consent, they can set a time period for the duration of that consent. If taxpayers fail to set a time period, the consent is valid for a maximum of one year.

To prevent consent requests from individual taxpayers from being buried in fine print, the rules require the paper consent documents to be in 12-point type on 8 1/2 by 11 inch paper and require electronic consent requests to be in the same type as the Web site’s standard text, all to prevent consent requests from being too difficult to read for individual taxpayers.

If a taxpayer declines to provide consent for an unrelated tax preparation disclosure or use request, the preparer cannot make a similar consent request. The intent is to protect taxpayers from being pressured with repeated consent requests regarding the same issue.

Mandatory consent from taxpayers also is required if the tax information is going to be disclosed to a tax preparer located outside the United States. This provision is intended to ensure taxpayers are informed if their tax information is being sent off-shore for return preparation. The individual taxpayer’s Social Security Number also must be redacted.
The press release also states:

One issue that was raised during the comment period was the use by tax return preparers of tax return information to market Refund Anticipation Loans (RALs) to taxpayers. The issue of marketing RALs and similar products, such as Refund Anticipation Checks and Audit Insurance, was not specifically addressed in the proposed regulations.

The Treasury Department and the IRS are concerned that RALs and similar products may provide preparers with a financial incentive to take improper tax return positions in order to inflate refund claims inappropriately. In order to give the public an opportunity to comment on this issue, the Treasury Department and the IRS are issuing an Advance Notice of Proposed Rulemaking (ANPRM) that announces they are considering a proposal that tax return preparers be prohibited from disclosing or using taxpayer return information for the purpose of selling products such as RALs and similar products.
Last year it came to light that a Jackson Hewitt franchise owner with a large number of offices had been charged by the federal government with enabling this type of fraud. The government calculated the dollar amount of the fraud at about $70 million.

Here is the post I wrote about this particular incident:

Is tax fraud being enabled by too many dishonest preparers?

While the Jackson Hewitt allegations were major news, it probably only accounts for a small portion of the overall fraud committed with tax returns. In previous years, we've even seen prisoners file phony tax returns from behind bars.

Dishonest preparers also sometimes try to get their customers to claim questionable exemptions. This can land the customer in a lot of trouble later, since it is the taxpayer who signs and is responsible for the return.

The IRS has an educational document to educate taxpayers about this problem, here.

If you happen to know of anyone committing any of these tax frauds, the IRS has a place where it can be reported, here.

Press release on the new rules and possible restrictions on RAL products, here.

There are articles circulating in the mainstream media with more information on how this might hurt the profitability of the tax preparation industry. I'll include the one from Reuters written by Jonathan Stempel, here.

Saturday, January 05, 2008

Sears site violates people's privacy!

Ran into this story on the Truston blog. Tom Fragala, CEO of Truston writes:

The internet retailer you choose just might, without disclosure, install software on your computer to snoop on your web browsing. Brian Krebs at the Security Fix blog has this story. Would you believe it could be one of the country's oldest retailers though?

"Sears is having a bit of a rough day with the privacy community. The company got off to a rocky start with revelations that many customers who gave Sears their personal details after shopping at the company's Web site also were giving away their online Web browsing habits to marketers, thanks to snooping software silently installed (and ill-documented) by a Sears marketing partner."
Even worse, as revealed in Brian Krebs' blog post:

The discovery comes from Ben Edelman, an assistant professor at the Harvard Business School and a privacy expert whose research has done much to raise public awareness about the intersection of big business and shady advertising practices.

Sears offers no security whatsoever to prevent any user from retrieving a third party's purchase history, Edelman said, which violates its own privacy policy with such disclosures, no part of which "grants Sears the right to share users' purchases with the general public."

I guess this means anyone can violate a Sears customer's privacy simply by using the Sears website as a tool?

Please note that Professor Edelman presents pretty good evidence that regular customers, not just e-commerce customers, can be exposed this way, too.
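As an added illustration (mine, not Sears' code and not from Krebs' or Edelman's write-ups), here is the class of flaw Edelman describes in miniature: a lookup that returns whatever record the request names without checking that the requester is entitled to it, beside a hardened version that ties the lookup to the authenticated session. The customers, the sequential IDs and the session object are constructed sample data.

```python
# Added example for this post: the missing-authorization flaw Edelman describes,
# shown on a toy "purchase history" lookup. Not Sears' code. All data below is
# constructed sample data.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    """The authenticated principal for a request (stands in for a login cookie)."""
    customer_id: int


@dataclass
class Customer:
    customer_id: int
    name: str
    purchases: list = field(default_factory=list)


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


# Constructed sample store: sequential customer IDs, as many systems use.
CUSTOMERS = {
    1001: Customer(1001, "Alice", ["lawn mower", "drill"]),
    1002: Customer(1002, "Bob", ["refrigerator"]),
    1003: Customer(1003, "Carol", ["washer", "dryer", "tires"]),
}


def purchase_history_unsafe(session: Session, customer_id: int) -> list:
    """Vulnerable: returns whatever record the request names. The session is
    accepted but never consulted, so any caller can read any customer's
    purchases by changing the number in the request."""
    return list(CUSTOMERS[customer_id].purchases)


def purchase_history_safe(session: Session, customer_id: int) -> list:
    """Hardened: the requested record must belong to the authenticated
    principal. The ownership check runs before the lookup, so a foreign ID
    learns nothing, not even whether the record exists. (Simpler still:
    drop the parameter and look up session.customer_id directly.)"""
    if customer_id != session.customer_id:
        raise Forbidden("record does not belong to the authenticated customer")
    customer = CUSTOMERS.get(customer_id)
    return list(customer.purchases) if customer else []


def enumerate_histories(lookup, session: Session, start: int, end: int) -> dict:
    """What an attacker does: walk a range of IDs and keep whatever comes back.
    Returns {customer_id: purchases} for every ID the lookup disclosed."""
    found = {}
    for cid in range(start, end + 1):
        try:
            found[cid] = lookup(session, cid)
        except (Forbidden, KeyError):
            continue
    return found


if __name__ == "__main__":
    bob = Session(customer_id=1002)  # an ordinary logged-in customer
    print("unsafe:", enumerate_histories(purchase_history_unsafe, bob, 1000, 1005))
    print("safe:  ", enumerate_histories(purchase_history_safe, bob, 1000, 1005))
```

Against the unsafe lookup, an ordinary logged-in customer walking nearby IDs harvests every customer's history; against the hardened one, the same walk returns only their own record. Better still is to drop the client-supplied ID altogether and key the lookup off the session, so there is nothing in the request to tamper with.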

Going back to Professor Edelman's finding that snooping software was spying on customers: spyware and adware are used on a lot of sites. I highly recommend scanning your system on a regular basis with reputable software. I'm always amazed at how much of it I find when I do.

My opinion is that when information is data mined, there needs to be a transparent way for a customer to opt in (authorize) before an entity uses their information.

Current opt-out options are often deceptive and laden with small print.

As for Sears, until they disclose what they are doing to fix this (or at least answer Mr. Krebs), I'm going to make sure I avoid their shopping facilities!

DOJ charges 11 in pump and dump stock spamming operation

The Department of Justice has just announced an indictment charging 11 people involved in a pump and dump stock spam scheme.

Pump and dump schemes victimize people, lured by the promise of too-good-to-be-true money, who buy the stocks at artificially inflated prices. They normally lose money when the value suddenly drops because the people behind the scheme sell off their artificially inflated shares.

One of those charged, Alan Ralsky, is considered one of the biggest spammers around by Spamhaus, an organization dedicated to tracking spam.

From the press release:

A federal grand jury indictment was unsealed today in Detroit charging 11 persons, including Alan M. Ralsky, his son-in-law Scott K. Bradley, and Judy M. Devenow, of Michigan, and eight others, including a dual national of Canada and Hong Kong and individuals from Russia, California, and Arizona, in a wide-ranging international fraud scheme involving the illegal use of bulk commercial e-mailing, or "spamming."

The investigation was conducted over a three-year period by the FBI, Postal Inspectors and the Internal Revenue Service. The people involved used all the standard spam tricks, including falsified domains and e-mail headers, social engineering lures and good old false advertising.

The release also states that they tried to use botnets to send the spam:

The indictment also alleges that the defendants tried to send their spam by utilizing a cybercrime tool known as a “botnet,” which is a network of “robot” computers that have been infected with malicious software code that in turn would instruct the infected computers to send spam. The indictment charges that the defendants earned profits when recipients responded to the spam and purchased the touted products and services. Hui’s primary role in the scheme was to act as a conduit for Chinese companies who wanted their stocks pumped by the scheme. Ultimately, investigators estimate that the defendants earned approximately $3 million during the summer of 2005 alone as a result of their illegal spamming activities.

Recently, the FBI arrested a lot of Internet misfits in what they termed Operation Bot Roast and Operation Bot Roast II.

Botnets have become a major vehicle for circulating spam: the sending computers are zombies, themselves taken over by spam e-mail carrying malicious software. Because the owner normally isn't aware their computer has been turned into a "spam spewing zombie," botnets also frustrate investigators' efforts to trace the spam to its source.

It should also be noted that here again we see a "Chinese connection" in cybercrime. It's pretty interesting that publicly held Chinese companies were working with these spammers to have the price of their stock artificially inflated.

Russian nationals were also charged in this case. Eastern Europeans seem to be heavily involved in the world of cybercrime.

Here is a list of the charges the government is using to bring the spammers to justice:

The 41-count indictment covers three distinct, but interrelated, conspiracies to capture this evolution in their business practices. The indictment charges the defendants with the commission of several federal criminal offenses, including conspiracy, fraud in connection with electronic mail (CAN SPAM), computer fraud, mail fraud, wire fraud, and money laundering. It also charges the defendants with criminal asset forfeiture, as well as charging one defendant with making false statements to law enforcement.

Sadly enough, spammers have recently been bold enough to spoof all three of the investigative agencies involved in this case. These spam runs are normally what are known as phishing attempts, where the spammer's intent is to steal personal and financial information using social engineering techniques or malicious software.

The FTC released a report on spam a few days ago. One of its findings was that the people behind this activity are best dealt with by criminal law enforcement agencies.

This action and Operation Bot Roast indicate that these actions are already underway.

On the DOJ site right below the header on this press release is a warning about the DOJ itself being impersonated (spoofed).

A lot of people view spam as merely an annoyance in their inbox. If you really examine it, spam is the vehicle for just about every annoying and illegal activity on the Internet.

The full press release, including all the names of the spammers being charged can be seen, here.

Friday, January 04, 2008

CALPIRG does consumer study revealing that privacy laws are being ignored in California

Many believe that the reason behind the identity theft crisis is the irresponsible data mining and selling of people's personal and financial information. This information then gets stored in places where it is obtained (bought or stolen) by people who have more than a "marketing" interest in it.

The buying and selling of people's personal information is a multi-billion dollar business.

Given this, a lot of people and consumer groups are now questioning how this is done and how the information is protected.

CALPIRG, the California Public Interest Research Group has just released an "interesting" report on this subject and is making some recommendations to the California legislature to make the practice of buying and selling people's personal information more transparent.

From the press release on the CALPIRG site:

California’s consumers are “Still in the Dark” when it comes to who has access to their personal information according to a privacy report released today by the California Public Interest Research Group (CALPIRG).

“This holiday shopping season millions of consumers surrendered their personal information to retailers across the country with no idea how or with whom that information is shared” said Pedro Morillas, CALPIRG Consumer Advocate. “Fortunately there is light at the end of the tunnel. California already has some good policies regarding this issue. A few additions to the existing policies will give consumers the tools they need to safeguard their personal information.”
Currently, California law requires that when a consumer asks where their information went, a company must either reveal with whom it shared the information during the past calendar year or provide a no-cost "opt-out" opportunity.

The report, which includes a survey of customers trying to discover where their information went, revealed that over one-third of the requests were ignored.

Even worse, many of the customers who did get a response were given the run around, either being sent to other places within the organization or getting responses that had nothing to do with their original request.

CALPIRG is now calling on the California Legislature to strengthen the law with additional measures. It is calling for the following additions to existing law, which would require:

Companies that do business with California consumers to respond to privacy requests, regardless of whether they share information with third parties.

Companies to both disclose the personal information shared, and the third parties with which it is shared, and provide consumers with an opportunity to opt out of future sharing.

Companies to place a box on their Web sites’ privacy pages allowing consumers to opt out of information sharing.

Companies to get an affirmative “opt-in” from consumers before sharing their information with third parties, as opposed to the current practice of requiring consumers to opt out in order to protect their privacy.

The full report from CALPIRG can be read, here.

Opting out, and privacy notices with an abundance of fine print, have been criticized for a while now as neither effective nor consumer friendly. Here are two other posts I've written on this subject:

How does a telemarketer get your unlisted number?

Not answering a Privacy Notice gives the sender permission to sell your personal/financial information

Thursday, January 03, 2008

Lou Dobbs' audience responds to Hillary's allegation that he is full of hot air!

My wife, who is a die-hard Lou Dobbs fan, brought to my attention that Hillary Clinton had recently called him "full of hot air."

In response to this statement, Lou and crew ran this poll on their show yesterday.

The question they asked was:

Do you believe presidential candidates who support open borders, illegal alien amnesty, and outsourcing of middle class American jobs to cheap overseas labor markets are full of "hot air"?
I decided to check the results this morning and 95 percent of the people responding felt that the presidential candidates supporting open borders, illegal alien amnesty and outsourcing were "full of hot air."

Strangely enough -- if I remember one of the debates correctly -- it seems difficult to get Hillary to commit herself on some of the above listed issues.

Would that make some believe that her responses to these issues are full of hot air?

With the primary season starting today in Iowa, it will be interesting to see what the voice of the American people will be!

You can see the results of Lou's poll on his site, here.

You can also see the article that reported Hillary calling Lou full of "hot air" at Iowa State University (courtesy of NewsDay.com), here.

If you would like to revisit Hillary's stunning reversal on the driver's licenses for illegal aliens issue (within 2 minutes) in the State she represents, the Captain's Quarters blog has commentary, here.

Tuesday, January 01, 2008

IT Policy Compliance Group looks back at what was important in 2007

The IT Policy Compliance Group issued a great year end analysis of the important events that took place in the world of IT security in 2007.

Lamont Wood wrote this interesting analysis and leads into it by saying:

Looking back, those who specialize in the history of corporate and cultural debacles may one day hail 2007 as the year when the dusty topic of document retention became a matter of corporate life and death. Thanks to the pervasiveness of networked computers, corporate data proved again and again that it could not only leak into the wild, but, once there, take on a life of its own -- and do enormous harm to its parent.

The essay covers some interesting subjects like Data Breaches, PCI DSS Follies, CyberWars and The Dark Side.

It also includes a summary of the regulations that businesses had to learn to deal with in 2007.

I'll refrain from commenting further and instead direct people to these interesting observations, here.

I did another post on a report from the ITPCG, entitled IT Policy Compliance Group issues study on data breaches and information theft.

That report found that focusing on fewer, risk-based control points, and then inspecting them more frequently, made an organization less likely to suffer data breaches or information theft.

If you haven't read the report yet, it is a worthwhile read, also.

In case you are unfamiliar with the IT Policy Compliance Group, here is their mission (in their own words):

The ITpolicycompliance.com web site is dedicated to promoting the development of research and information that will help IT security professionals meet the policy and regulatory compliance goals of their organizations. Specifically, this site focuses on assisting organizations to improve compliance results by providing reports based on primary research as well as other related information and resources.

Here is who supports this site:

CSI (Computer Security Institute), The IIA (The Institute of Internal Auditors), ISACA (Information Systems Audit and Control Association), the IT Governance Institute, Protiviti, and acknowledge Symantec for providing the financial support to make this site possible.

FTC issues report on Malicious Spam and Phishing

The Federal Trade Commission just released its report on the current state of malicious spam and phishing in today's electronic world.

Interestingly enough, it points out that spammers are criminals.

While this isn't a new revelation, the report seems to want to drive that point home. Maybe this is part of the education process referred to at the bottom of this post?

Here is what the press release had to say:

During the workshop, panelists confirmed that spam has increasingly become a significant global vector for the dissemination of malware and the propagation of financial crimes. Panelists opined that, in most instances, the acts of malicious spammers are inherently criminal, and criminal law enforcement agencies are best suited to shut down their criminal operations.
The report discusses the problem of botnets at length and refers to a 2006 report estimating that 12 million bot-infected computers are being used to send spam. It also states that most of these computers are physically located outside the United States.

Going deeper into the problem, the report discusses a technique called fast flux:

With fast flux, infected bot computers serve as proxies or hosts for malicious websites. The IP addresses for these sites are rotated regularly to evade discovery. For example, a phisher can deploy numerous and different IP addresses for a single phishing campaign, foiling the efforts of ISPs and law enforcement seeking to stop these campaigns by dismantling a single web site. Despite these challenges, the record reflects that at least one ISP does take proactive measures to detect and disconnect “fast flux” web sites from a portion of its network.
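The following added example (mine, not from the FTC report) shows what a resolver-side check for the rotation the report describes can look like: it takes a series of lookups for one host name and flags the name when many distinct addresses, spread across many networks, are served with short TTLs inside a short window. The lookup logs are constructed sample data; the thresholds and the use of the /16 prefix as a rough stand-in for "different network" are my assumptions, not anything the report specifies.

```python
# Added example for this post: a fast-flux heuristic over a series of DNS
# lookups for one host name. Not from the FTC report. Thresholds and the use
# of the /16 prefix as a rough "different network" bucket are assumptions;
# the lookup logs are constructed sample data, not real resolutions.
import ipaddress
from collections import namedtuple

# One resolver observation: seconds since the first lookup, TTL, A records.
Lookup = namedtuple("Lookup", "t ttl answers")

# Constructed: a phishing host whose A records churn through compromised
# machines on many different networks.
FLUX_LOOKUPS = [
    Lookup(0,    300, ["24.12.5.7", "71.200.33.9", "98.14.77.2"]),
    Lookup(300,  300, ["24.12.5.7", "173.55.8.1", "66.90.14.3"]),
    Lookup(600,  300, ["201.3.45.6", "66.90.14.3", "190.8.9.10"]),
    Lookup(900,  300, ["80.12.3.4", "213.9.7.6", "190.8.9.10"]),
    Lookup(1200, 300, ["41.5.6.7", "24.12.5.7", "95.21.3.8"]),
]

# Constructed: a CDN-style host that also uses short TTLs and rotates
# addresses, but only within one small pool on one network.
CDN_LOOKUPS = [
    Lookup(0,   60, ["203.0.113.10", "203.0.113.11"]),
    Lookup(60,  60, ["203.0.113.11", "203.0.113.12"]),
    Lookup(120, 60, ["203.0.113.12", "203.0.113.13"]),
    Lookup(180, 60, ["203.0.113.13", "203.0.113.10"]),
    Lookup(240, 60, ["203.0.113.10", "203.0.113.12"]),
]


def network_key(ip: str) -> str:
    """Bucket an address by its /16. A production detector would map to the
    originating autonomous system instead (assumption)."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def flux_features(lookups) -> dict:
    """Summarise the lookups: how many distinct addresses and networks were
    served, the shortest TTL seen, and how long the observation window was."""
    ips, nets = set(), set()
    for lk in lookups:
        for ip in lk.answers:
            ips.add(ip)
            nets.add(network_key(ip))
    window = lookups[-1].t - lookups[0].t if len(lookups) > 1 else 0
    return {
        "unique_ips": len(ips),
        "unique_networks": len(nets),
        "min_ttl": min(lk.ttl for lk in lookups),
        "window_seconds": window,
    }


def is_fast_flux(lookups, min_ips=8, min_networks=5, max_ttl=600,
                 max_window=3600) -> bool:
    """Flag a name as fast flux when, inside a short window, it served many
    distinct addresses across many networks with short TTLs. Thresholds are
    illustrative assumptions."""
    f = flux_features(lookups)
    return (f["window_seconds"] <= max_window
            and f["unique_ips"] >= min_ips
            and f["unique_networks"] >= min_networks
            and f["min_ttl"] <= max_ttl)


if __name__ == "__main__":
    for label, data in (("flux", FLUX_LOOKUPS), ("cdn", CDN_LOOKUPS)):
        print(label, flux_features(data), "->", is_fast_flux(data))
```

The second data set matters as much as the first: a content delivery network also answers with short TTLs and changing addresses, but from one small pool on one network, which is why address count alone is a poor signal and the network-diversity test is what separates the two.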
The report also acknowledges that DIY (do it yourself) crimeware kits are making it easy for just about anyone to mount a phishing campaign. One kit described sells for as little as $17.

Also cited are statements from jailed bot-herders that botnets are being rented out for $300 to $700 an hour.

The report also gives some statistical information on what this is costing all of us:

A survey by Consumer Reports reveals that viruses, phishing, and spyware resulted in over $7 billion in costs to U.S. consumers in 2007. The survey revealed further that computer infections prompted 850,000 U.S. households to replace their computers. The costs to businesses also are high. One panelist reported that 80 percent of 639 businesses it studied experienced cybercrime-related losses, totaling $130 million.
Also included in the report is information on Operation Bot Roast conducted by the FBI and Department of Justice.

Besides going after the criminal element, the report states that e-mail authentication is crucial to detecting spam at the ISP level, so that it can be filtered out by existing spam filters.
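As an added example of what e-mail authentication at the ISP level buys a receiver (mine, not from the FTC report), here is a minimal evaluator for the SPF mechanism, in which a domain publishes in DNS which addresses may send mail claiming that domain, so that a message whose connecting IP is not on the list, the kind of falsified sender domain mentioned in the Ralsky indictment post above, can be scored and filtered. The DNS records, hosts and addresses are constructed sample data; only the ip4, a, include and all mechanisms are implemented, which is a simplification of RFC 7208.

```python
# Added example for this post: a minimal SPF evaluator over an in-memory DNS
# table. Not from the FTC report. Implements only the ip4, a, include and all
# mechanisms of RFC 7208; records, hosts and addresses are constructed.
import ipaddress

# Constructed zone data. TXT holds the SPF policies, A the host addresses.
DNS = {
    "TXT": {
        "example.com": ("v=spf1 ip4:192.0.2.0/24 a:mail.example.com "
                        "include:_spf.example.net -all"),
        "_spf.example.net": "v=spf1 ip4:198.51.100.0/26 ~all",
        "nospf.example": None,  # domain that publishes no policy
    },
    "A": {
        "mail.example.com": ["203.0.113.25"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 caps DNS-querying terms; this caps include nesting


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate domain's SPF policy for a message sent from ip.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = DNS["TXT"].get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"  # nothing published: the receiver learns nothing
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism defaults to 'pass' when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "a":
            host = (arg or domain).lower()
            if ip in DNS["A"].get(host, []):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # An include matches only when the included policy yields 'pass';
            # its own fail/softfail do not end evaluation here.
            if check_spf(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism this toy evaluator does not know
    return "neutral"  # no mechanism matched and no 'all' term present


def check_message(mail_from: str, client_ip: str) -> str:
    """The two facts an ISP has during the SMTP session, MAIL FROM and the
    connecting address, wired into the policy check."""
    domain = mail_from.rsplit("@", 1)[-1]
    return check_spf(client_ip, domain)
```

The interesting results are the two that are not "pass": a message from an address outside example.com's policy gets "fail" and can be rejected or handed to the spam filter with a high weight, while a domain that publishes no record at all gets "none", which is exactly the gap forged headers exploit and the reason the check is only as good as sending domains' adoption of it.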

Of greatest importance (call me a socialist) is the report's call for a broader effort to educate the public about the dangers of spam:

Consumer and business education can have a significant impact in the fight against spam and phishing. Because spam is an ever-evolving problem, stakeholders should revitalize efforts to educate consumers about how to protect their computers from online threats and improve methods for disseminating educational materials to consumers and businesses. In addition, the Summit identified consumer-interfacing tools such as spam reporting buttons as valuable tools for ISPs and reputation service providers. Accordingly, staff will encourage industry to continue to develop and fine-tune such tools.

In keeping with this theory, the FTC lists three sites on the right side of the press release to educate the public about spam: the FTC Spam site, OnGuard Online: Spam Scams and OnGuard Online: Phishing.

The full report can be viewed, here.

Discovering a record amount of information theft only solves half the problem

Has anyone besides me noticed that when data breaches are reported, we see an official statement that the information hasn't been used by identity thieves?

After thinking about that one for a while, it makes sense that criminals would stop using information from a data breach once it has been reported.

As for information used before the breach is discovered, it's pretty hard to prove in an identity theft case where the information came from. With so much compromised information out there, it's nearly impossible to pinpoint the point of compromise in any individual case.

When a data breach occurs, a lot of accounts are closed and everyone who has been compromised runs out and checks their credit reports. Most of the time, free identity theft monitoring is made available to those affected, too.

My guess is that once the stolen information is made public, it's probably dangerous to use. At the very least, it probably doesn't hold the same profit value that it had when no one knew it had been stolen.

For the past week, the news has been awash with the year end statistics on data breaches. By all the recent news accounts, 2007 was a record year.

While reporting data breaches is painful and costly, reporting them probably makes the information a lot harder to exploit for criminal purposes.

Although 2007 saw a record number of reported data breaches, very few of the criminals stealing the information got caught. Organizations losing the information are starting to be held accountable, but it would be nice to see more of the criminals stealing it brought to justice.

Another thing to consider is that data breaches aren't putting organizations out of business. True, they are costly, but in the end the cost is normally passed on to everyone using their services.

In the end, we are all paying for the cost of fixing data breaches.

And while a record number of data breaches were reported, there must be some that no one (except the criminals) knows about.

My guess is that a lot of information theft is never detected. I would also surmise that this is considered the most valuable information being sold and used by criminals.

Compromised information is normally most effective when the person who it belongs to doesn't know it's being used.

Until we address both sides of the equation, holding accountable the people losing information and punishing the people stealing it, we are probably going to keep seeing news reports of record numbers of data breaches.

To do this, we need to focus more resources on catching the people stealing the information and enact laws that make it hurt when they get caught.

The last statistic I saw was that less than 1 percent of them get caught, and those who are normally get a slap on the wrist. Much of the reason is insufficient resources to investigate fraud, along with the many cases that organizations and individuals never report.

AP article (courtesy of the Washington Post) on 2007 data breach trends, here.

Update: Dissent from the Chronicles of Dissent and PogoWasRight left a good comment on this post pointing out that a lot of people did get caught this year. He is right and I did posts on a number of them.

The people out there catching the crooks stealing the data would be able to do a lot more if they were given more resources!

The Chronicles of Dissent has an excellent article on this subject that I highly recommend to anyone interested in the phenomenon of data breaches, here.