Saturday, December 16, 2006

Boeing Holds Employee Accountable in Laptop Theft

Laptops are stolen all the time - and far too often - they contain personal and financial information that can be used for identity theft purposes.

The Boeing Company announced Thursday that they fired the employee whose laptop was stolen, compromising 400,000 people's personal information. This wasn't the first Boeing employee to lose a laptop containing sensitive information.

Boeing is saying that the computer was "password protected," and they believe the intent of the thief was to steal the laptop rather than breach the information on it. They are also saying that there is no evidence of identity theft, but are "assuming the worst case scenario."

I sometimes wonder if the same public relations firm prepares all these statements. They all say about the same thing - that there is no evidence the information has been used to commit "identity theft."

Of course, with all the attention brought upon this, even if the original motive was to steal a laptop, the thief probably is now aware the laptop contains a lot of information that can be sold for a price.

It's become pretty easy to find a place to sell stolen information with carder forums designed to do so operating on the Internet. Previous post, here.

The employee was terminated (fired) for not having the information "encrypted" per Boeing policy, which was implemented because of the earlier "laptop thefts."

Even if the information were encrypted - in theory at least - encrypted data can still be hacked by someone with the knowledge to do so. Another problem is that if information can be downloaded, it can be compromised by a dishonest insider, or with a "compromised password."

Just last week, the media was awash with stories of IT students being "courted" to work for organized criminal groups - which more and more - seem to be getting involved in technology based crimes, including "identity theft."

I did a post with my thoughts on this matter, here.

In all fairness, Boeing isn't the only organization losing laptops with personal information on them. The Privacy Rights Clearinghouse, which maintains a chronology of "known data-breaches," hit the 100 million mark this week (number of people compromised in the U.S., alone). Just this week, they documented eight "known" breaches.

Note, they can only document the "known breaches" and breaches that previously were "unknown" seem to be appearing, all too often.

Encryption and computer security measures are only one part of the solution. It's the information that the bad guys are after and we need to stop keeping it in places where it's too easily stolen.

Firing one employee is unlikely to have any impact on the overall problem.

James Wallace, Seattle PI has an extensive article about the Boeing story, here.

Discarded Computers might still have a lot of Sensitive Information on them

One of the ways identities are compromised is when computers are discarded without properly "washing" the hard-drive with specialized software, or destroying the hard-drive, itself.

I did a post about this, here.

Bill Lambrecht of the St. Louis Post-Dispatch wrote an interesting article, where they purchased several old computers in Nigeria and were able to get a lot of information from them.

Interestingly enough, he quotes a prominent Nigerian, Oladele Osibanjo, who is a regional coordinator for the Basel Convention - a global treaty intended to protect people from the mishandling of hazardous materials - as saying:

"The e-waste you are exporting is coming back to you in the form of cyber-crime. Maybe when Americans realize what is happening, they will be a little more careful."

While Mr. Osibanjo is trying to warn us about identity theft, I'm certain his true concerns lie more with hazardous materials that are damaging people's health in other countries. When I went to their site, the fact that this occurs, alarmed me.

St. Louis Post-Dispatch article, here.

Although the article is extremely informative - and there is ample proof of fraud coming from Nigeria - I continue to be amazed at the amount of press they receive about it.

With the recent ABC 20/20 story brought about by a certain former politician, who is behind bars and might be Chelsea Clinton's father-in-law someday, Nigerian fraud is again making headlines.

Stealing and using information is a worldwide problem and there are criminals involved in the "trade" in a lot of places.

So far as Chelsea, it must be hard to be Bill and Hillary's daughter, and she certainly doesn't seem to get in as much trouble as some twins, who were in South America recently.

Saying that, the story calls attention to what I consider the potential of a huge problem. Companies and organizations are constantly upgrading their computers and a lot of them get discarded.

Besides identity theft, there is a huge potential that "sensitive information" could be sifted from these hard-drives that would compromise trade secrets, or even government information.

Friday, December 15, 2006

Romanian Second-Chance eBay Scammers Busted

The federal authorities are charging twenty-one Romanian fraudsters, who scammed a lot of people in second chance auction scams. According to the federal authorities, the scam was active for about three years and a lot of the victims lived in the Chicago area.

From the article, it was one of the (now) notorious second-chance scams, where a person is given a second chance to win an auction and asked to wire money to a distant locale (in this instance Romania).

Of course, once the money is wired, the person who sent it, never receives "fair value" for their hard-earned money. Please note that wiring money is a "common ploy" in all sorts of Internet scams. I would take a deep breath, when asked to wire money on a transaction (normally overseas) that seems a little "too good to be true."

In this instance, the federal authorities are asking for people, who think they might have been victims to come forward:

Anyone who believes they may have been a victim may e-mail inquiries to Include your name, address, phone number, 10-digit Western Union Money Transfer Control Number, amount transmitted, date funds were provided and the name of the individual to whom the funds were sent. Victims may also call a toll-free hotline number for updates about the case – (866) 364-2621.

Second chance scams have been active on auction sites - you can read all about them on Google, here.

Western Union has a page warning people about wiring money to people they don't really know, here.

I read about this on, who has more details on this story, here.

Tuesday, December 12, 2006

Another Record Set for Phishing and it appears Anti-Phishing Measures are being Defeated

Brian Krebs of the Washington Post did an interesting post on his blog about how phishing is increasing (again) and how anti-phishing measures (some recently marketed to users) are failing already.

Brian writes:

The Anti-Phishing Working Group reports that 52 percent more phishing sites were recorded on the Internet than a month earlier and nine times as many as were spotted in October 2005. The steep increase coincides with a massive spike in the volume of spam circulating on the Internet. According to e-mail security firm Postini, 90 percent of all e-mail these days is spam.

Brian's post, here.

Also mentioned is "Rockphishing," which takes advantage of zombie computers formed into botnets. The result is that it is making phishing extremely hard to trace.

Brian did an excellent job in his post - and I highly recommend reading it.

I wrote recently about how technology isn't winning the war against cybercrime. It seems like a lot of expensive anti-phishing software is proving this all over again.

Maybe a better approach would be to follow the money instead? After all - I'm pretty sure that is what the cybercriminals are really after.

Will We Ever Discover the True Losses in the Katrina Disaster?

The Government Accountability Office (GAO) has issued another report stating that the fraud losses in Katrina and Rita are a lot higher than previously disclosed to the public.

The report states:
  • Almost $20 million in double payments was paid to people claiming damage to the same property in both hurricanes (Katrina and Rita).
  • Almost $17 million in improper or fraudulent "rental assistance" payments given to people already receiving free housing.
  • 500 foreign students received $3 million in aid.
  • $156,000 was given to foreign workers on temporary visas.

Sadly enough, the report indicates that FEMA disabled a system (edit check in NEMIS) that would have caught people using duplicate information (social security numbers) to make claims in both hurricanes. In five of the six cases examined, the claimants didn't even have to provide proof that they had conducted repairs after receiving money for the first claim.

I have no personal experience with "edit check in NEMIS," but computers run pretty fast in today's world, and it doesn't make sense to me that an entire system designed to detect fraud was disabled?

Didn't we have enough personnel to do a manual check when duplicate social security numbers were noted? And even if this were so - why didn't FEMA take action (themselves) to identify the issues before the GAO investigated?

The use of other people's social security numbers is nothing new and probably could have been anticipated, fairly easily.

There is also a lot of missing equipment. The report shows that 34 percent of the property purchased to aid efforts has either been lost or stolen. In the case of 20 flat bottom boats purchased - only two remain missing - however twice the retail price was paid to a vendor, who also failed to pay for 11 of the boats he sold to the government.

Even scarier, the report indicates that FEMA overstated the amount of found property reported in July hearings to Congress. This was based on an e-mail sent by DHS (Department of Homeland Security) on the eve of the hearings.

FEMA's estimate of the monetary impact of fraud in Katrina was $290 million, however if one is to believe the GAO report, the real losses surpass $1 billion.

With the stories that surfaced about prison inmates making claims and stolen information (social security numbers) being used in claims for addresses that were vacant lots - it's entirely possible that there is additional fraud that hasn't, or never will be discovered.

There were also a lot of stories of charities being defrauded and even fake charities being set-up. The GAO report only addresses the fraud losses incurred by the government.

GAO report, here.

Report Fraud, Waste and Abuse to the GAO, here.

FraudNET (Report Fraud, Waste and Abuse)

One might come to the conclusion that we wasted a lot of money on Katrina, but this is far from being true. In fact, a lot of people are still suffering as a result of these disasters, and the truth is that the money could have been used for better purposes.

I plan to explore this more in detail in future posts, but for now, I'll pass on a site that is devoted to the real victims in these disasters:

Beyond Katrina: The Voice of Hurricane & Disaster Recovery

Monday, December 11, 2006

Hotmail Accounts being held for Ransom

Websense sent out an alert showing how Hotmail accounts are being held for ransom. Here's the warning (courtesy of Websense):

Websense® Security Labs™ has received reports of a new form of cyber-extortion. Unlike previously documented cases (where end-users were infected with malicious code, certain file types were encoded or encrypted, and a ransom message was left on the machine), this attack compromises users' online web mail accounts. When end-users logged into their web mail accounts (in this case Hotmail), they noticed that all their 'sent' and 'received' emails were deleted along with all their online contacts. The only message that remained was one from the attacker that requested they contact them for payment in order to receive the data back.

In this case, the end-users had recently visited an Internet cafe where their credentials may have been compromised.

The email, which was poorly written in Spanish, roughly translates in English to:

"If you want to know where your contacts and your emails are then pay us or if you prefer to lose everything then don't write soon!"

Websense alert, here.

Computers at Internet cafes and libraries have been known to contain all kinds of malware and/or crimeware.

It's probably best to be extremely careful when entering any sort of personal information on them.

Organized Crime in North America

Despite stories of organized criminal "types" becoming more and more involved in Internet crime, organized crime (itself) is a phenomenon that's been around for a long time.

The Internet is merely another "avenue" for "organized criminals" to commit their misdeeds.

I happened to read an interesting article by Joan Delaney of the Epoch Times in Canada about the Triads (Chinese Mafia), which have been operating in North America since we imported a lot of Chinese nationals in the 1850s to work the gold fields and build the railroads.

The article states:

A 2004 Criminal Intelligence Service Canada (CISC) report stated that Asian organized crime presents a major threat in Canada because of its many widespread and well-run criminal operations. CISC said Asian-based street gang violence is on the rise in several cities, and that the street gangs have connections with more sophisticated Asian organized crime groups—in other words, the Triads.

At a local level, Asian gangs are involved in a long list of criminal activities: credit card fraud, luxury car theft, prostitution, home invasions, staged vehicle accidents, contract killings, assaults, welfare and employment insurance fraud, drug trafficking, software piracy, loan-sharking, and illegal gaming. While scattered from coast to coast, Asian gangs are most active in Vancouver, Calgary, Edmonton, and Toronto, the CISC report said.

Epoch story, here.

Interestingly enough the article also cites the Triads as being tied to the Vietnamese gangs and even the Hells Angels.

Note that these "outfits," probably expanded their activities to Canada from the United States.

Going to the CISC report, which I found published on the Internet, I found a lot of interesting information about organized criminal activity in North America and even a pretty good "analysis" of potential ties to terrorist groups.

CISC report, here.

Note that the report references a lot more than Asian crime and is a pretty interesting "read" for anyone interested in the subject.

Sunday, December 10, 2006

Should We Trust Computers to be the Voice of the People?

If you were to ask Christine Jennings -- and a lot of voters in Sarasota County -- the answer is "no."

Does it make sense that 18,000 voters in Sarasota County, Florida - most of whom used a computer to vote - would go to the polls and fail to pick a candidate for the House of Representatives?

Hundreds of voters have signed affidavits attesting to the fact that when they checked to see if their votes tabulated properly - their vote for Ms. Jennings didn't record properly.

A reasonable person might deduce - the computers were flawed - and a lot of people failed to check the fifteen page ballot. Voters shouldn't have to go through a fifteen page ballot to look for programming flaws!

MIT professor, Charles Stewart, claims that the possibility of an undervote of this size occurring is 1 in 5 million.

Here is an opportunity to discover the truth behind all these allegations, which worry a lot of us. Forty percent of the voters were forced to vote on electronic machines in the last election - with no paper trail to back up the results.

With all the pre-election "buzz" in the media about the dangers of electronic voting, perhaps we all might benefit from an opportunity to discover the truth?

Some of us are getting tired of hearing that our votes didn't count and then seeing the whole matter "downplayed" (supposedly) in the best interests of the people.

Perhaps there is more at stake than one election in Florida? Maybe this is an opportunity to explore this issue (electronic voting with no paper audit trail) a little more deeply?

Maybe that's why Arnold Schwarzenegger - a Republican - mandated that California's electronic machines be backed up with a paper trail. For more information on this from - link here.

And Senator Feinstein has introduced legislation requiring that electronic voting systems have a verifiable audit trail, here.

This isn't a matter that should be dictated by partisan politics. After all the voice of the people is what made this country great and that voice should be considered "sacred."

For an interview with Sandy Powers, a senior citizen with 25 years using a computer (courtesy of YouTube), link here. This was in response to allegations that this entire matter was the result of voters being computer illiterate.