Sunday, April 06, 2008

Model Networking Site (Babe Warehouse) being used to scam aspiring models

This summary is not available. Please click here to view the post.

Sensitive infared cameras discovered bound for China at LAX

Dangerous and counterfeit products, hacking government systems and espionage all have one thing in common, they are likely to originate from China.

The latest example of this is being reported by the AP:

Two men attempting to board a plane to China with nearly a dozen sensitive infrared cameras in their luggage were arrested on Saturday, a federal official said.

Federal agents stopped the pair on the jetway as they were preparing to board the flight to Beijing.

The men had been in the United States for about a week, said Rick Weir, assistant special agent in charge of the Los Angeles office of the Department of Commerce's Bureau of Industry and Security.

Yong Guo Zhi, a Chinese national, and Tah Wei Chao, a naturalized U.S. citizen, were arrested for investigation of trying to take thermal imaging cameras with potential military use to China without the proper export licenses, Weir said.
In February of this year, the FBI highlighted two high profile cases involving Chinese espionage.

Again, whether it involves defective goods, hacking or stealing military secrets -- the Chinese seem to be having a field day victimizing the citizens of the United States and the World.

Is the cheap labor they provide for a lot companies worth all the risks we are taking by allowing them "free trade status?"

Additional examples of Chinese espionage, hacking and defective products written about on this blog can be seen, here.

Full AP story on this latest development in the ongoing saga, here.

Saturday, April 05, 2008

Identity theft victim branded a paedophile still suffering after proven innocent!

This isn't the first time, I've written about Operation Ore, where a lot of British citizens were wrongfully accused of viewing child pornography.

Operation Ore was the result of an investigation conducted in the United States (Operation Avalanche), where a lot of credit card details being used to view child pornography were provided to the British authorities. It eventually led to a lot of people, including Pete Townsend of the Who, being charged with viewing child pornography.

It was later revealed that a large number of the credit card numbers obtained in the Avalanche search warrant had been stolen in one of the data breaches we read about, too frequently. In my original post on this story, I wrote about the data breach that caused this:

54,348 of the credit card numbers discovered in the U.S. search warrant were identified as having been stolen from Levenger Incorporated, a luxury goods company. Of course, Levenger declined to comment on how the information was stolen.

This case showed how an innocent person can be charged with a crime after becoming an identity theft victim.

The BBC just did a personal account of one person, who was victimized by being wrongfully accused, where they wrote:

With ID fraud on the rise, the assumption is you'll lose money which can be claimed back. But Simon Bunce lost his job, and his father cut off contact, when he was arrested after an ID fraudster used his credit card details on a child porn website.
And Mr. Bunce didn't frequent "fly by night e-commerce sites, either." In his own words his credit card details were stolen from a "trusted" site.

The bottom line is that Mr. Bunce lost his job, was shunned by his own family and branded as a paedophile.

Furthermore, months later when he cleared his name, it took him a long time to get another job earning only a fraction of his previous salary. Even though, he has clearly been proven innocent, Mr. Bunce is still suffering the financial repercussions of identity theft.

While I'm certain that cases like this have made the authorities a little more careful of who they are prosecuting, if a criminal assumes a legitimate identity (complete with documents to support it) this could be happen to any of us.

This case and the personal story of Mr. Bunce clearly shows the dangers everyone is facing from continuing to store too much information in too many not very secure places.

BBC article (highly recommended reading), here.

Attrition.org and PogoWasRight try to document the record amount of everyone's information that is stolen. Please note, there is so much of it being compromised they freely admit they cannot keep track of it all. Of course, the criminals stealing it probably don't reveal all the places they are getting it, either.

Suad Leija's Paper Weapons site shows how easily (extremely convincing) documents can be obtained by just about anyone to use the stolen information. "They are as good as anything in your pocket," according to Suad.

I also try to keep up with some of this on this blog. Here is my original post on Operation Ore, which was called Operation Avalanche in the United States:

British citizens accused of child porn found to be fraud victims

Wednesday, April 02, 2008

NATO Summit and EU Conference address the global reaches of illict cyber activity

On the Internet -- crime, espionage and some say, terrorism can cross a border with the click of a mouse. Because of this, it probably shouldn't be surprising that this is a hot topic at the NATO summit, as well as, a seperate conference conducted by the EU.

The AP is reporting:

At a two-day conference starting Tuesday in Strasbourg, France, the Council of Europe will to review implementation of the international Convention on Cybercrime and discuss ways to improve international cooperation.

Cyber defense also will be on the agenda when heads of state from NATO's 26 member nations gather in Bucharest Wednesday for three days. The leaders are expected to debate new guidelines for coordinating cyber defense.
Cyber defense is increasingly becoming a concern. For instance, there is increasing evidence that the Chinese have been hacking into other government's systems and have a cyber war doctrine being developed.

Last year, there was the much written about attack on the government of Estonia, also.

The EU conference will also address more financially motivated criminal activity on the Internet, also.

The AP article quotes a German University Professor, Marco Gercke, who specializes in computer law as saying:

Compared to regular terror attacks, it is much easier for the offenders to hide their identity. There are at least 10 unique challenges that make it very difficult to fight computer-related crime," said Gercke, one of the conference participants. "The success rate of cybercrime is very high."
While it is unknown, whether or not, these meetings of the minds will yield any results -- the fact is that unless there is greater cooperation and collusion between the good guys -- the problems of undesirable activity being spread with the click of a mouse is likely to continue growing at an alarming rate.

A little more teamwork and forward thinking might go a long way towards solving the problem. Of course, taking some of the players out from the opposition (bad guys) would go a long way, also!

To close this brief post, I would like to point to matters a little closer at home. An American computer law expert recently wrote a forward thinking article on the Hannaford data breach, where hackers stole 4.2 million payment (credit/debit) card numbers and the recent settlement between TJX and the FTC.

In his well thought out article, Ben Wright of SANS writes:

The FTC is well-meaning here, but it is misdirected. By singling out TJX and chastising it with the “unfairness” “bad guy” rhetoric, the FTC distracts the necessary public conversation. It implies that if we can just punish these lazy merchants enough (and force them to comply with the PCI and similar controls), then credit cards will be safe. That’s wrong.

The criminal warfare directed at the credit card system is more powerful than the theory behind PCI. The whole credit card system needs to change. As a society we need to focus on beating the criminals, and stop flogging victims like TJX as unfair privacy infringers.

To me, this means that instead of spending all our resources on inadequate security and filing litigation against the "unlucky targets" of organized cyber crime, we need to start addressing the root of the problem. I'll give anyone reading this one guess, who that might be?

Tuesday, April 01, 2008

Royal Canadian Mounted Police computers turned into spam spewing zombies by employee!

While the fact that the RCMP (Royal Canadian Mounted Police) computers were exposed to badware because an employee was doing some "unauthorized surfing" makes good press -- it highlights what can happen to any business, or government system when human beings use them to go to the murkier waters of the Internet.

Trust me, the RCMP isn't the only organization that has had an employee compromise their system in this manner.

Robert Koopmans, Kamloops Daily News (courtesy of the Vancouver Sun) reports:

The security of RCMP computers used to process evidence for a looming multimillion-dollar trial was breached from outside the agency, exposing sensitive files to the possibility of theft and tampering, Crown documents reveal.

The police computers were also used to view pornography and download music and illegal software, a letter from senior Kamloops Crown prosecutor Don Mann states.
Apparently, these computers were also turned into spam spewing zombies, or became part of a botnet as a result of some of the malware downloaded on them. Botnets are "a jargon term for a collection of software robots, or bots, which run autonomously and automatically. They run on groups of zombie computers controlled remotely," according to Wikipedia.

More from the article in the Vancouver Sun:

The Crown document reveals the computers were hooked to the Internet in October 2003 and remained connected until May 2005, when Shaw notified the RCMP that the police agency's computers were spamming e-mail to the Internet. The breach was discovered and the connection to the Internet shut down.

Since spam is the preferred vehicle of Internet scammers, it's possible the computers were "inadvertantly" being used to commit crimes, themselves.

There are many examples of employees downloading undesirable items on a system, but here is another example of one, where a Japanese law enforcement type essentially did the same thing.

If anyone is interested in the dangers employees can pose to a system ZDNet did an excellent white paper on this subject:

The Top Six Risks of Employee Internet Use and How to Stop Them

Full story on this recent matter published in the Vancouver Sun, here.