Saturday, January 28, 2006

Government Warns Corporate America to Protect Customer Data

There have been a record amount of data breaches in the past couple of years. Millions of people have had their personal information compromised. It only makes sense that the government (who are supposed to protect the people) are looking into the reasons why it occurred.

The FTC has determined that Consumer data broker (Choice Point) failed to protect the information of 163,000 people.

In the FTC press release it states:

"At Least 800 Cases of Identity Theft Arose From Company’s Data Breach.

Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026."

“The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”

Here is the full press release, Choicepoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 ....

For years, corporations (notably the credit bureaus) have made billions off of selling our information. Here is a message that failing to take security seriously in their quest for profit may cost them dearly at a later date.

For all of us little people, you can now stop (slow down) information brokers from getting your personal information at By "opting out" the credit bureaus can no longer sell your personal data.

Chase Customers Being Phished?

This e-mail was discovered floating around yesterday. When I reported it to Chase, a person in their security department admitted to me that they already knew about it.

If you read below the mail directs you to a site, which asks for your login information and password. This is something no bank will do.

This appears to be a phishing attack directed towards Chase customers to steal their personal and financial information. Phishing is becoming one of the main ways personal and financial information is stolen, which makes people victims of identity theft.

Here is a copy of the e-mail, note I have disabled the link and I wouldn't recommend trying to look at it. There is no telling what malicious software (malware), also know as scumware someone could get if they weren't properly protected.

From: "Chase Team"

Date: Fri, 27 Jan 2006 10:13:10 -0600 (CST)

Dear Chase Member,

Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your Chase account and to ensure a safe Chase experience. We require all flagged accounts to v erify their information on file with us. To verify your Information at this time, please visit our secure server webform by clicking the hyperlink below:

xxxx// login

(https disabled for safety reasons)

Thank you for using Chase Manhattan Bank!The Chase Manhattan Bank Team
Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your Chase account and choose the "Help" link in the footer of any page.

To receive email notifications in plain text instead of HTML, update your preferences here.

Chase Email ID PP478

This e-mail also made it past the Spam Filter of the person, who received it.

I've sent this into a couple of the security labs for analysis. Since Chase confirmed to me they knew about it and no one will ever solicit anyone for their log in information and password via a e-mail, I decided to send this out.

My question is if Chase knows about it, what are they doing to warn their customers?

Here is an excellent resource from the Anti Phishing Working Group (APWG) on how to avoid being phished: How to Avoid Phishing Scams.

Thursday, January 26, 2006

Borderless is the Future of Fighting Cyber Crime

Robert S. Mueller, III Director, Federal Bureau of Investigation gave a speech at the U.S. Chamber of Commerce in Washington, D.C. on January 19, 2006.

He made some interesting comments, which make a lot of sense to me.

"Turning from the transformation of the FBI in the wake of September 11 to threats to our national security and partnerships. When the FBI was established 97 years ago, it was because crime had begun to cross state lines. Today, criminal activity not only crosses state lines, it traverses international boundaries with the click of a mouse.

"Like your businesses, law enforcement has also been affected by globalization. While technology and travel have made the world smaller, crime is more diverse than ever before—from terrorism to telemarketing fraud to the trafficking of human beings."

Here is the entire speech: Director Mueller’s speech.

Here are some great resources found on the Federal Bureau of Investigation (FBI)'s site for corporations and good citizens to share information in the fight against borderless criminal activity.

Submit tips about crimes that may impact your company and report cyber attacks and scams through the Internet Crime Complaint Center;

Learn how to join
InfraGard, a joint FBI and private sector initiative that battles cyber crimes and other threats through information sharing;

Get details on how to protect your business from
economic espionage and receive unclassified national security threat information through our Awareness of National Security Issues and Response program;

Browse our
Be Crime Smart website, which has a full range of tips and suggestions for protecting your business from fraud, workplace violence, and other threats;

Read about how our
Anti-Piracy Warning Seal can help prevent copyright theft on music recordings, movies, software, and more;

Learn about our
criminal history checks for employment and licensing; and

Find out
how to do business with the FBI.

There is no doubt that with borderless crime, the solution is teamwork and breaking down barriers. This is a good example of how this is happening AND the result will be a better society for us all.

Hatch Fails to Survive Court

This just came out from the Associated Press (Ray Henry):

"Richard Hatch, who won $1 million in the debut season of the reality show "Survivor," was found guilty Wednesday of failing to pay taxes on his winnings and taken straight to jail.
Hatch remained calm as the court clerk read the verdict. He waved goodbye to family members, then was handcuffed and taken into custody after U.S. District Judge Ernest Torres said he was a potential flight risk.

The charges carry up to 13 years in prison. Torres said he expected a sentence of between 33 months and 41 months, but it could be longer because prosecutors accuse Hatch of committing perjury during his testimony. Sentencing was scheduled for April 28.

Hatch, 44, was also convicted of evading taxes on $327,000 he earned as co-host of a Boston radio show and $28,000 in rent on property he owned."

It never ceases to amaze me when someone, who comes into, or already has a lot of money is caught cheating. Perhaps, Money is the "root of all evil."

What a shame for someone, who seemed to have a good thing going.

For another version of the story on E Online, go to:

Jurors Extinguish Richard Hatch's Torch

You can also view the story from the AP by clicking on the title of this post.

Wednesday, January 25, 2006

Porn Virus Hits Over a Half Million Users

Surfing porn sites has an added danger lately. Over a half a million computers have already picked up some Malware (malicious software) a.k.a. the "Kama Sutra" worm.

Malware is also sometime referred to as scumware.

According to

"A new email worm that spreads under the guise of pornographic content has jumped to the top of the worldwide virus charts.

When run on a Windows PC, the worm copies itself to shared network locations and sends itself to email addresses found on the target computer. The pest includes a timed attack that attempts to disable antivirus and firewall software and delete certain files - including Office documents - on the third day of the month, according to antivirus software vendor F-Secure.

The worm, dubbed W32/Nyxem-E by F-Secure, arrives attached to an email message. It uses a variety of subject lines, including "School girl fantasies gone bad". The body text also varies but it can include references to the Kama Sutra, the ancient Sanskrit book with pictures and explanations about different sexual positions."

For the full alert from read:

'Porn' virus worms its way into 510,000 systems

With the potential of having your address book compromised, this worm might cause some embarasment depending on what is mailed out from your ID.

Porn sites are notorious for downloading scumware on systems. Should one to choose to view these sites, it is highly recommended you have the best protection available.

Tuesday, January 24, 2006

Tax Season Brings Out the Low Tech Fraudsters

The news is awash with high tech types of crime. With tax season here, less sophisticated criminals will be out stealing mail in their quest for tax refund checks to steal.

I might term them as less "sophisticated" in a technical sense, but they can do a lot of damage.

With counterfeit identification and assumed identities (many criminals assume someone else's identity and get legitimate ID), cashing some of these items is easier than most people think.

You may now report suspected mail theft or a false change of address directly to the Postal Inspectors.

Although, the tax season brings these criminals out in ever greater numbers, tax refunds aren't the only thing they are looking for in their quest to commit financial misdeeds.

Stealing mail has been around since the postal service started doing business. One of the ways criminals use checks that are already written out is to "wash" them chemically and change the information on them.

Here is an excerpt from a warning published on the Better Business Bureau's site:

"Using a process known as check washing, mail snatchers erase the ink on a check with chemicals found in common household cleaning products or on the shelves of your local stores and then rewrite the checks to themselves, increasing the amount payable by hundreds and even thousands of dollars."

According to the National Check Fraud Center, check washing in the United States is a 815 million dollar a year business.

To view their site:

Facts from the National Check Fraud Center

If you want to view the entire warning, read: Welcome to the Better Business Bureau.

With all the offers of credit people receive, stolen mail is also a lucrative means of committing credit card and loan fraud. All of these tie into identity theft, which creates 9 million victims and costs us 53 billion dollars a year in the United States, alone.

Here are some helpful tips from the Better Business Bureau to protect yourself from mail theft:

Don't leave outgoing mail in an unlocked box. Take it to work, drop it in a collection box, hand it to a letter carrier or take it directly to the post office.

If you have to leave outgoing mail in your box, do it immediately before the letter carrier comes, and don't raise the mailbox flag.

Avoid leaving mail in a box on Sundays and holidays, when letter carriers don't work.

Install a lock on your box. This can be done by placing the lock on your mailbox and then cutting a small slit in the mailbox that is large enough to slide mail through, but which is not big enough for a hand to fit in. Residents also can purchase a mailbox with a lock already on it for roughly $20 at a hardware store. In both cases, you will not be able to have outgoing mail picked up.

Criminals use other means than computers to commit their crimes. In fact, although the news blames technology for recent increases in fraud, it is the human mind and the creative resources of such that commits wrongdoing.

It also the human mind that will find the means to defeat those who choose to victimize the innocent.

In closing, I've worked around fraud for years and trust me, the Postal Inspectors (who are sometimes underrated) are some of the best minds in the war against Fraud, Phishing and Financial Misdeeds.

Monday, January 23, 2006

Yahoo IM Users Phished/Websense Announces Blog and Crimeware Threat Map

Websense reported today that Yahoo users are being targeted in the latest phishing scam. Customers are being sent instant messages instructing them to go to the website (pictured above) and give up their Yahoo ID and password.

Anyone doing this will receive error message and their information is transmitted to the criminals behind this.

In another announcement: Websense Security Labs Launches Global Phishing and Crimeware Threat Map and Security Blog. The information on the map will be updated within 15 minutes of discovery. Here is more information on this from Websense:

"In conjunction with the availability of the Threat Map on the map will also be viewable through the Anti-phishing Working Group (APWG) at"

"The APWG is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types.

Starting in June 2005, Websense Security Labs, in conjunction with the APWG, started Project Crimeware. The APWG defines crimeware as a genus of technology distinguished from adware, spyware and malware by the fact that it is, by design, developed for the single purpose of facilitating a financial or business crime."

To read the alert on Yahoo from Websense:

Yahoo! Account Compromise through Yahoo! Messenger

In case you, or someone you care about would like to know how to avoid being phished. The APWG has an excellent document on their site:

How to Avoid Phishing Scams

Websense not only develops products for sale, but endeavors to protect all of us through communication. In my opinion, their actions model what "corporate responsibility" is all about. In the age of massive information theft via the internet, we can be thankful for their efforts and if you are in the market for security products, I highly recommend them because of this.

Sunday, January 22, 2006

Wells Fargo Phishing Scam

Not sure if this is going to turn into something big, but with the internet a phishing scam can travel across borders with a click of a mouse. The current attack is against Wells Fargo customers. Since Wells Fargo is major player in the banking industry, there is the potential for this to spread.

The Huron Plainsman in South Dakota reported:

"Computer users are being warned by Huron police to be wary of a legitimate-looking e-mail request by Wells Fargo to update their bank accounts.The so-called “phishing scam” asks account holders to update their online information to reduce the instance of fraud on the bank’s Web site. But the e-mail itself is fraudulent. Wells Fargo never contacts account holders by e-mail, but by phone or mail, police said."

For the full story, please read:

Scam warning issued

In case you want to learn more about how to avoid a phishing scam, the Anti Phishing Working Group has an excellent page on their site: How to Avoid Phishing Scams.

The APWG has consistently reported phishing activity to be on the rise and getting more sophisticated all the time.

The APWG (Anti Phishing Working Group) home page can be viewed by clicking on the title of this post.