Saturday, January 21, 2006

Bill and Microsoft are Impacting Cyber Crime

(Bill in 1983)

There are many out there who like to bash Microsoft when it comes to security. While no one is perfect, Bill and company are actually doing quite a bit to apprehend those who would commit fraud, phishing and financial misdeeds.

Perhaps some of their peers should take notice and join in.

Bill and his better half are also doing a lot of activities designed to make the world a better place. Time recognized this by naming him and Melinda as "persons" of the year. Persons of the Year -- Dec. 26, 2005 -- Page 1

I found this on Phishspot (click on title of this post), courtesy of the Wilmington Star:

"To date Microsoft has supported more than 325 phishing and spam enforcement actions worldwide, including civil lawsuits by the company as well as actions taken by law enforcement or government agencies for which Microsoft provided substantial support or referrals. The company also has released a new Microsoft Phishing Filter Add-in for MSN Search Toolbar and the upcoming Windows Vista and Internet Explorer 7 to help protect customers from dangerous Web sites. In addition, the company blocks more than 3.4 billion spam messages per day from reaching the inboxes of MSN Hotmail customers."

To me, that's an example of taking some pretty direct action in the war against cyber fraudsters. Let's face it, apprehending and holding people accountable is the most effective deterrent against this activity.

In fact, Bill and company (in my opinion) are attacking the root of the problem, which is that crime on the internet is borderless. Politics, jurisdictions and the egos that go along with them hinder the efforts against the cyber-criminals. In fact, in their highly organized hierarchies, they use this (social reality) to defeat efforts to stop and prosecute their activities.

Microsoft is taking the efforts to apprehend and prosecute across borders.

Most recently (in the news), they helped the authorities in Bulgaria squash a phishing gang that I'm certain wasn't targeting Bulgarians.

Here is the press release from Microsoft:

Microsoft Praises Bulgarian Authorities on Investigation and Arrest of ...

Does Fraud Impact the Economy

(Osama at Oxford circa 1971, far left)

Militant attacks on oil facilities in Nigeria and a message from Osama Bin Laden caused oil prices to go up. As a result, the stock market is going down. Here is a story from the LA Times:

Stocks Dive on Fears of a Faltering Economy

Of course, disappointing earnings also contributed, but what I thought was interesting was a report that the Japanese Stock Market is hurting because of alleged fraud at a popular internet company.

In a story from MediaCorp:

"Japanese prosecutors will question the whiz-kid founder of major Internet firm Livedoor in the coming week in connection with a fraud scandal that has sparked market chaos, a news report said.

The reported decision came after investigators questioned chief associates of Livedoor president Takafumi Horie, 33, over alleged violations of securities laws. "Horie is suspected of having been involved in the alleged disclosure of false information regarding corporate acquisitions, as well as falsification of financial statements," the Nihon Keizai Shimbun said."

Apparently, this revelation caused the Tokyo Stock Exchange to close early, as there was a massive rush to sell, which threatened to shut down its computer systems.

Here is the full story from MediaCorp:

Japanese prosecutors to grill Livedoor president over alleged fraud

Recently, when we get bad economic news, there seem to be two consistent reasons: dishonest corporate activity and oil prices going up.

Remember the recent reports of gas gouging in the wake of Katrina and a call for investigations? Prices shot up before the hurricane even hit land. Here is a story from the AP on that issue:

BREITBART.COM - Thousands Complain to Feds on Gas Gouging

Not that I'm an expert, but it seems that energy costs skyrocket with any excuse, whether there is any actual damage, or not. It also seems that there are a lot of companies out there with less than honest intentions being caught.

The oil companies and their OPEC partners seem to be raking in the dough. No one has attacked anyone and, before this, Osama hadn't spoken since the U.S. election. As far as Nigeria goes, there have been problems there for a long time and the oil companies doing business there invest heavily in security.

In other words, the risk and activity over there is nothing new.

My personal opinion is that we should have been working harder on alternative energy sources since the 70's, when OPEC drove up prices the first time.

In fact, what is sad is that Osama is from one of the OPEC countries and the Bin Laden fortune (although it came from construction) was financed by oil. In actuality, his recent tape probably will bolster the economy of his homeland, Saudi Arabia and those fortunate enough to have their money invested in the oil industry.

Bin Laden needs to be caught, brought to justice AND maybe someone should take a strong look at where he got and probably continues to get his financing.

A prudent man once said, if you want to discover the truth follow the money.

Until then, I guess the rest of us will just have to keep tightening our belts.

Friday, January 20, 2006

FBI Computer Crime Survey

The FBI released its Computer Crime Survey today. Here are the key findings:

"Frequency of attacks. Nearly nine out of 10 organizations experienced computer security incidents in a year's time; 20% of them indicated they had experienced 20 or more attacks.

Types of attacks. Viruses (83.7%) and spyware (79.5%) headed the list. More than one in five organizations said they experienced port scans and network or data sabotage.

Financial impact. Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.

Sources of the attacks. They came from 36 different countries. The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading.

Defenses. Most said they installed new security updates and software following incidents, but advanced security techniques such as biometrics (4%) and smart cards (7%) were used infrequently. In addition, 44% reported intrusions from within their own organizations, suggesting the need for strong internal controls.

Reporting. Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response. And 81% said they'd report future incidents to the FBI or other law enforcement agencies. Many also said they were unaware of InfraGard, a joint FBI/private sector initiative that battles computer crimes and other threats through information sharing."

This is a pretty interesting study and illustrates (to me anyway) that stealing information is often the motivation for these attacks.

Here is a relevant story that occurred earlier in the year, where a major industrial espionage ring was discovered in Israel:

Industrial Trojan Fraud (Espionage) Discovered

For the full survey, courtesy of the FBI, click on the title of this post.

San Francisco's Cable Car Woes

San Francisco's famous cable cars seem to be having some issues from within. Here is a story I read in the San Francisco Chronicle:

"San Francisco Mayor Gavin Newsom said Wednesday he is convinced some cable car conductors are stealing fare money -- and that the Municipal Railway needs to change the way it collects cash to stop the thefts.

Newsom said he believes conductors are skimming fares from cash-paying riders because on three occasions he rode the cable cars and handed over his $5 cash fare but never received the required receipt."

For the full story from the Chronicle:

S.F. MAYOR: CABLE CAR FARE THEFTS / He thinks some conductors are pocketing cash from riders

Last year, two of the conductors were fired for stealing fares. This resulted in a strike by the employees and the conductors were reinstated. They have since retired with full benefits.

If the activity is so blatant that Mayor Newsom is seeing it, why is there no effort to conduct an investigation and apprehend those responsible for doing it? How much payroll does Muni spend protecting their assets and where are those resources when he needs them?

According to Irwin Lum, who is the president of the union representing the workers, "failure to provide a receipt isn't proof of theft and that the problem of stealing is, at most, sporadic."

Everyone blames the potential for theft on an antiquated fare system, where their cash flow can't be tracked. Last year, Muni had to cut service and raise fares and they are still facing a $4.1 million deficit.

If these guys were in the private sector and ran their business this way, they would go bankrupt. Additionally, if people are stealing, why does there appear to be no effort, other than the Mayor's observations and statements, to stop it?

After all (even with their antiquated system) it would be rather easy (with the technology available today) to install hidden cameras and catch the dishonest red-handed. Even without technology, I would imagine money could be marked and tracked through their accounting system to establish theft.

Trust me, people are caught this way stealing money all the time.

Let me see, they're losing money, people might be stealing, we have a lot of excuses about antiquated accounting systems and even when two people are caught nothing comes of it.

If I were Mayor Newsom, who was elected to represent the people that are ultimately paying for all this incompetence, I would be looking at holding some senior people and the people charged with protecting their assets accountable.

Even sadder is Muni's statement that if they actually do catch someone, the only consequence is that they will be fired. They deserve to go to jail!

Perhaps that would be a much more effective deterrent.

I admire the Mayor's courage in taking this obvious issue on.

Thursday, January 19, 2006

India Takes Action to Improve Security in Outsourcing

I recently wrote a post on: What are the Security Implications of Outsourcing.

To sum my thoughts up, fraud is growing all around the world. With the rapid growth of the IT industry in India, the corporations (making record profits from it all) have a moral obligation to their customers and even the workers in India to ensure their security standards are up to par.

Failure to do so would only make India a target for criminals to perform their misdeeds. With the personal and financial information of people from all over the world, we can expect no less.

Secondary victims of this would also be the honest workers in India, who could lose employment due to bad press.

Many in India realize that these "security breaches" could be deadly to the industry and here is an example that they are taking proactive measures to address it (courtesy of ZDNet):

With worker database, India aims to fight fraud

Tuesday, January 17, 2006

Phishing for a Mac

John Leyden of the Register reported:

"Email fraudsters are targeting Apple fans in a change of tactic from standard phishing attacks. Commonly bogus emails that form the basis of phishing attacks pose as security messages from online banks in an attempt to dupe a tiny proportion of recipients, who happen to be customers of the bank, into visiting a bogus site and handing over account information.

eBay account details are also often targeted in a similar way but the latest scam emails, sent out last weekend, target Apple IDs. Armed with an Apple ID and password, fraudsters have access to user's iTunes Music Store account and their AppleStore account, information that might allow them to buy computers, software, peripherals under a false identity."

For the full story, read: Phishing fraudsters target Apple.

It appears Apple is the latest victim of being popular, which is what these scams seem to target.

In case you want to learn more about how to avoid a phishing scam, the Anti Phishing Working Group has an excellent page on their site: How to Avoid Phishing Scams.

The APWG (Anti Phishing Working Group) home page can be viewed by clicking on the title of this post.

Monday, January 16, 2006

Hurricane Audits

In the wake of hurricanes Katrina, Rita and Wilma, we saw a lot of instances of fraud being committed against the government and charitable organizations.

Apparently, the government (President's Council) is looking into some of the potential fraud and to quote Scott Amey, General Counsel of the Project for Government Oversight (POGO), “Some of the audit findings confirm our worst fears -- agencies were ill-prepared to meet the country’s contracting needs. These audits ensure that contractors did not exploit mistakes that may have been made in the chaotic rush following the hurricanes.”

Here is the report from POGO: Investigations into Katrina Waste and Fraud Detailed.

In the rash of disasters (especially these and the Tsunami), fraud seems to occur in forms ranging from individuals making false claims to organized phishing scams and fake charity sites being set up.

I wrote a lot of posts regarding fraud at the time of Katrina. In case anyone is interested:

Being Prudent in Donating Money (Katrina)

Katrina Fraud Status

Fraud Relating to Katrina in Full Swing

Status of Fraud in Katrina

Advance Fee Scams with Katrina

Katrina Fraud Far and Wide

Katrina Commission

Identity Theft/Check Fraud in Katrina

FBI Reports Fraudulent Activity on Internet Related to Hurricane ...

With all the evidence of people lacking any morals taking advantage of the hardships these disasters created, it is a prudent move to investigate and (hopefully) prosecute these actions.

It's a rotten thing to take advantage of people's hardships and undermine efforts to help them. They deserve whatever punishment is handed down to them.

Here is POGO's website: Beth Daley - Government Oversight.

From Russia With Cash?

Advance fee fraud (419) scams never seem to go away. They mutate into another form and move forward. The news media and internet trace these scams to shady internet cafes in Lagos (Nigeria), but there is a lot of evidence that Nigeria isn't the only place they come from.

The latest version is a solicitation to make a "cool" $45 million for helping a jailed Russian Billionaire invest some money. Of course, the end result for anyone who gets involved in this is having your account cleaned out.

Here is the latest twist as reported by Alex Nicholson from the Associated Press:

"Russia has more in common with Nigeria these days than just oil. Following up on the politically charged jailing of oil tycoon Mikhail Khodorkovsky, a wave of scam e-mails in the style of Nigeria's notorious spammers have been popping up in inboxes from Moscow to Kentucky."

Here is the full story: Russian Tycoon Is Spammers' New Target.

We can't even blame Nigeria for inventing the scam. The evolution of Advance Fee started with letters from (allegedly) rich merchants during the middle ages AND "a rash of Russian Letters that appeared in the 1920s, with money supposedly needed to rescue people held by the Bolsheviks."

Here is another mutation of the scam that stereotypically, we blame on Russians:

The internet is full of stories of Russian Romance Scams, where men and women are duped into sending money to someone they meet in a chatroom, or dating site. If you were to talk to the people at Romance Scam 419 Yahoo Group (US), my guess is that they would tell you that the scams not only originate from Nigeria and Russia, but several other places, also.

With the evolution of the internet, scams inducing people to send money in advance of a promise (which never materializes) are becoming epidemic. The original letter scam has led to romance, lottery, auction, check cashing and job scams. Undoubtedly, it will continue to mutate into different varieties as new events occur and different things become popular.

They are also no longer exclusively from Nigeria and Russia, but can come from anywhere. Recently, Canada and the Netherlands seem to be fertile breeding grounds AND in the future, who knows?

The internet, with its borderless environment, has caused an explosion in this activity. Furthermore, with computers and internet access becoming cheaper all the time, more and more potential victims are getting on-line daily.

The reason why this scam continues to work is that it plays on human emotion and recognizing that is key to teaching people how to avoid being victims.

"If it seems too good to be true, it isn't."

For a good resource on definitions of all the various mutations of Advance Fee, Wikipedia does a pretty good job in their Internet fraud section.

Here is another well put together page on Advance fee activity from Caslon Analytics (Australia): the 419 Scam: basis, statistics, regulation.

Sunday, January 15, 2006

What are the Security Implications of Outsourcing

Let's face it, many corporations are now outsourcing work to India and in doing so are making available personal and financial information that can be stolen.

BBC News (Zubair Ahmed) reported that employees from an outsourcing firm (Mphasis) were recently implicated in a $400,000 fraud in which four Americans were the victims. Mr. Ahmed brought up other concerns in the article, such as the lack of screening of personnel working at some of these firms (10-25 percent submit fake information to obtain employment). This "fake information" includes phony credentials and diplomas, which can be bought in India.

He also cited a source that 80 percent of the companies don't use integrated security management tools in India, which allowed the most recent fraud to occur. For the entire story, please read: BBC NEWS Business Outsourcing exposes firms to fraud.

According to the article, there are fears that if too many of these episodes come to light, it could hurt the industry as a whole.

BUT what if all the fraud isn't being reported? After all, in most (individual) cases of identity theft, the point of compromise is never found. With the borderless aspects of internet crime, information is transmitted with a click of the mouse.

There are also cultural factors to consider. Having lived in Pakistan and traveled in India, I learned very quickly that one needs to pay money (baksheesh) to get a lot of things done.

"Baksheesh" (roughly translated as bribe money) is a cultural aspect of South Asian society. Although written in a humorous vein, here is an article written by Melvin Durai (who is himself of Indian descent): Humor: Corruption in India.

Mr. Durai writes in his satirical essay:

"Yes, corruption is a serious problem, but despite what some believe, India is not the most corrupt country in the world. That distinction belongs to Bangladesh, which finished dead last among 91 countries surveyed for the 2002 Corruption Perceptions Index of Transparency International. India ranked 71st, while Pakistan was 79th, allowing Indian politicians to brag that they're more honest than their neighbors. 'If you want to see real corruption, just cross the border. Even husbands have to bribe wives just to have children.'"

For a more serious look at corruption, not only in India but everywhere, here is the Global Corruption Report 2005 by Transparency International.

A little "baksheesh" in South Asia can go a long way and can open a lot of doors. I've heard this can even be true with law enforcement, who like many underpaid South Asians view it as a means of survival.

In another vein, since there is a perceived lack of security procedures at these firms, could they become greater targets for criminal activity? There is growing evidence that a lot of this sort of crime is being done by organized "international gangs." It would seem logical that if it is easier and safer to steal the information in India, we are going to see them take their activity there.

BUT should we blame corruption (AND the potential for information theft) in India on the Indians, or the corporations themselves? My guess would be the corporations, who in their quest for profit are exposing our personal information without ensuring it is properly protected. After all, India is a poor country, where we have been told (for years) that some don't even get enough to eat. The corporations, who enjoy the vastly reduced payroll costs, are making record profits by outsourcing work to India.

From a different perspective, these jobs have helped create a new and more prosperous middle-class within India. I cannot and will not argue against bringing up the standard of a people that historically have gone without some of the things we enjoy and in fact (my opinion) sometimes take for granted. There is no shortage of corrupt people in the West, either.

Internal plants, fake documents and fraud aren't only a problem in India. There is plenty of this activity to go around and with technology, it seems to be getting worse throughout the world.

The goal needs to be protecting people from becoming victims, EVERYWHERE! If we are going to be business partners with these firms, it is imperative that we assist them in bringing their security infrastructures up to par with ours. Otherwise, we expose them as easy targets.

With the Sarbanes-Oxley Act in full swing (United States), outsourcing to far-away places might become more attractive. Compliance costs money and to some, it might be counterproductive to their primary focus, which is profit. After all, Sarbanes-Oxley and similar legislation ensure the very due diligence I refer to. Perhaps the answer is to enact further legislation forcing corporations to adhere to the same standards in India that have to be in place here.

In a perfect world, corporations would do this on their own, but sometimes laws are necessary for the good of all.

In fact, it seems to me that the international corporation of the future will need to consider security as more of a "customer service" and "profit protection" entity rather than a necessary evil. In the long run, should they fail to do so, they will lose the trust of their customer, who in the end is the one who dictates their future.

Last, but not least, I would like to acknowledge my friend, Paul Young (author of prying1), who sent me a note with an article on this that inspired me to write this post.