Saturday, July 21, 2007

Task Force puts child predator away for 10 years

There is nothing that disgusts me more than crimes against children, or crimes against the elderly. The anonymous nature of the Internet has made it easier for criminals to distribute child pornography, as well as for child predators to gain access to our young.

I happened to see a Department of Justice (DOJ) press release about one of these predators getting 10 years in prison for being involved in child pornography.

On Jan. 3, 2007, Thomas Lane pleaded guilty in U.S. District Court for the Southern District of Indiana in Indianapolis to one count of possession of child pornography. The government's evidence showed that the defendant possessed images and binders with photos of children engaged in sexually explicit conduct. The majority of the images, printed out and organized in the binders, also contained links to Internet Web site addresses. Lane had been previously convicted in 1998 for receipt of child pornography.


DOJ press release, here.

This was accomplished (investigated and prosecuted) by the Internet Crimes Against Children Task Force (ICAC).

Apparently, it was brought about as a result of Project Safe Childhood, which was put in place by Attorney General Alberto R. Gonzales in 2006.

Besides investigating this type of crime, they have a pretty good (in my opinion) educational resource for learning about this problem.

The DOJ website can be viewed, here.

Child pornography has been tied into organized crime, identity theft and payment card (credit/debit) fraud. Here is a previous post I did about how this occurs:

British citizens accused of child porn found to be fraud victims

In case you haven't seen it, the To Catch a Predator series (Dateline) made a lot of people aware of how serious a problem child predators are. Chris Hansen, who hosts the show, has a blog about the series, here.

If you suspect a crime against a child, it can be reported, here.

Wednesday, July 18, 2007

The battle over who is going to pay for data breaches heats up

The TJX data breach (45 million records and counting) is rapidly turning out to be the straw that broke the camel's back. Everyone seems to be worried about who is going to bear the financial burden that data breaches are causing.

Cleve Doty at PrivacySpot.com writes:

Retailers will be forced to pay for data compromises when they violate industry standards of data protection under a new Minnesota law, detailed here. California and Texas are considering similar legislation, as noted here and here. The Minnesota law adopts Payment Card Industry Association (PCIA) data protection standards, which require that companies not retain data from a card, including security codes, PINs, and magnetic strip data, for more than 48 hours after a transaction is approved. If a data breach occurs and the retailer failed to comply with the card security protocol, then they will have to pay costs including: refunds for unauthorized purchases, reissuing cards, notifying cardholders, and closing and reopening accounts.
The article also stipulates that retailers could be charged for excessive fraud transactions that occur on their premises.

This interested me, especially given the criticism Target -- which has its headquarters in Minnesota -- recently received for not verifying credit card transactions. Will this make them change their policy of ONLY relying on electronic data (magnetic stripe info) when accepting payment cards? Currently, they do not train their employees to check cards, or ask for identification.

The other strange thing at Target is that, although they've tightened up their return policy, they will gladly look up your payment card (credit/debit) number to assist you in completing a refund. Isn't one of the basics of protecting this kind of information that it not be stored for long?

One of the more common and most publicized losses by retailers is when thieves commit fraudulent refunds. I wonder how much merchandise is being stolen using fraudulent payment devices, then refunded?

Today, I'm picking on retailers, but the fact is that data breaches are occurring at a lot of places. For instance, institutions of higher learning seem to be breached all the time. Furthermore, if you follow what tracking is available on data breaches (Privacy Rights Clearinghouse, Attrition.org, PogoWasRight), the financial services sector has had its share of breaches, also.

It amazes me that since the TJX breach, there has been a lot of focus on merchants. Sadly enough, this legislation will probably hurt smaller merchants more than it will larger ones.

Merchants feel strongly that the credit card companies have been unfairly charging them for a lot of things, including fraud. Recently, I did a post about a Merchant Bill of Rights, where merchants are banding together to fight for a better deal when dealing with the credit card industry.

Meanwhile, the deadline is looming for federal agencies to come up with a plan to address data breaches. Government agencies seem to be having their share of breaches, also.

We'll probably see a lot of infighting between all the different sectors being breached. Everyone seems to be worried about who gets to pay for all of it, and how it might detract from all the money they've been making off people's personal information.

Maybe it would be better if everyone involved started working as a team and going after the real problem, which is that information is too easy to access and criminals are making too much money by stealing it.


Full story from PrivacySpot.com, here.

Tuesday, July 17, 2007

A look into labor abuses in the aftermath of Hurricane Katrina


Photo courtesy of Ruffit at Flickr

It never ceases to amaze me that we keep seeing additional allegations of abuse, fraud and waste come to light as a result of Hurricane Katrina and its aftermath.

Brian Beutler of the Media Consortium (courtesy of AlterNet) wrote a pretty telling article of the abuses dealt to laborers, who went to New Orleans to assist in the reconstruction/clean-up effort.

Brian reports:

In the two years since the disaster, there have been thousands of testimonials -- issued to both government officials and private advocates -- about a wide taxonomy of abuses. The most frequent complaint workers cite is withheld wages, but almost as numerous are accusations of employee intimidation, toxic and hazardous working conditions, immigrant abuse, trafficking, exploitation and monetary extortion.

Many workers who went to New Orleans were paid a small percentage of what they were promised:

On December 30, 2005, Wilson received $865 in pay for the 94 hours of work he did from November 20, through Dec 7. For a similar stretch between January 5 and January 18, he was paid only $206.10. In each case, he should have been paid about $1,500.

According to the article, the Bush Administration suspended affirmative action and documentation requirements for immigrant workers. They also removed the requirement to pay "prevailing wages."

The end result of this was that visiting American citizens and local residents were underbid by foreign workers, who probably weren't legal. Of course, no one can say this for sure because it wasn't checked out (very well) at the time. However, if this wasn't the case, why did Senator Mary Landrieu (Democrat, LA) request that ICE agents be dispatched to look into the problem?

This resulted in even more people doing a dirty job not getting paid:

The result was astounding. On payday, subcontractors, faced with undocumented workers seeking cash, often called ICE to report their own operations, causing frightened workers to either scatter or face deportation to their home countries without pay.

Likewise, employee recruiters, dispatched by subcontractors to foreign countries, would offer often-destitute men and women the promise of good work and fair wages at any number of reconstruction jobs in New Orleans.

Congressman Dennis Kucinich held hearings into this to determine whether or not the Department of Labor (DOL) did its job in controlling some of this abuse.

Many believe it did not.

For those who, like me, continue to be fascinated by the social issues in the Katrina disaster, Brian's full article can be read, here.

My personal opinion is that they need to be studied carefully. A lot of citizens (and apparently non-citizens) suffered, not because of a lack of resources, but because of what appears to be a "few greedy people."

I've written quite a bit about Katrina (in my own personal study of what went wrong). My previous posts can be read, here.

Another great place to learn more about the social issues surrounding Katrina is Margaret Saizan's Beyond Katrina.

Sunday, July 15, 2007

Are passwords and codes, available in too many places, enabling crime?

Wired News (Kevin Poulsen) reported another instance where an ATM was easily reprogrammed to think it was dispensing $1 bills instead of $20s.

The same thing happened in Virginia Beach last September.

Wired News reports:

Police in Derry, Pennsylvania are baffled by a June ATM robbery in which an unidentified man wearing flip flops and shorts strolled into Mastrorocco's Market and reprogrammed the cash machine to think it was dispensing dollar bills when it was actually spewing twenties.

In this instance, the factory code that had not been removed from the ATM was "123456," and programming manuals are available online.

Wired story, here.

Of course, the ATM company in the article accepts no liability. Somewhere in their technical manual, they warned the buyer to remove the code.

Unfortunately, this doesn't only apply to ATMs, and it's not the first time I've seen a factory code as simple as "123456."

Hackers love to target people who forget to change default codes. The reason for this is that it is easy, and a surprising number of businesses fail to change them.

In the technology driven society of today, default codes are put into cell phones, point-of-sale equipment, alarm systems, and even safes. The list of devices using codes, or passwords could go on and on.

I even found instructions on Google on how to hack a soda machine using its default code. As a matter of fact, besides technical manuals posting their default codes online, hackers seem more than happy to share this kind of information and post it online, also.

In many of the data breaches we read about too frequently, default codes or weak passwords may have enabled hackers to breach a system containing financial information. Visa listed this as one of the top three vulnerabilities in point-of-sale systems in a November CISP bulletin.
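The point made above, that a device left on its factory code or on a trivially weak one is the weak link, is the kind of thing an inventory audit can catch before anyone else does. The following is an added example, not code from the post or from Visa's bulletin: it runs a small defender-side check over a constructed device inventory (the device names, factory defaults and current codes below are made up, and the deny list is illustrative; only "123456" comes from the post) and reports every device whose code is still the factory default, is on the known-weak list, is too short, is a single repeated character, or is a sequential digit run.

```python
"""Audit a device inventory for factory-default or trivially weak access codes.

Added example, not from the blog post. The inventory and deny list below are
constructed for illustration; "123456" is the only value taken from the post.
"""

# Illustrative deny list of codes that ship as factory defaults or get chosen
# out of laziness. A real audit would load the vendor's documented defaults.
KNOWN_WEAK = {"123456", "12345", "1234", "0000", "1111", "password", "admin", "default"}

# Minimum length we accept for a keypad code in this example policy.
MIN_LENGTH = 6

# Constructed inventory: what the vendor shipped vs. what is set today.
INVENTORY = [
    {"device": "lobby ATM", "factory_default": "123456", "current_code": "123456"},
    {"device": "POS terminal 3", "factory_default": "1234", "current_code": "847291"},
    {"device": "office safe", "factory_default": "0000", "current_code": "2345"},
    {"device": "alarm panel", "factory_default": "1111", "current_code": "Rm7!xQ2p"},
]


def _is_sequential(code: str) -> bool:
    """True for digit-only codes that step by exactly +1 or -1 throughout (e.g. 2345, 654321)."""
    if not code.isdigit() or len(code) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})


def weakness_reasons(code: str) -> list[str]:
    """Return every reason a code is considered weak; an empty list means it passes."""
    reasons = []
    if code.lower() in KNOWN_WEAK:
        reasons.append("matches a known default/weak code")
    if len(code) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(code)) == 1:
        reasons.append("single repeated character")
    if _is_sequential(code):
        reasons.append("sequential run of digits")
    return reasons


def audit(inventory: list[dict]) -> dict[str, list[str]]:
    """Map each failing device name to its list of findings; passing devices are omitted."""
    findings = {}
    for entry in inventory:
        reasons = []
        # The core check from the post: the factory code was never removed.
        if entry["current_code"] == entry["factory_default"]:
            reasons.append("still set to the factory default")
        reasons.extend(weakness_reasons(entry["current_code"]))
        if reasons:
            findings[entry["device"]] = reasons
    return findings


if __name__ == "__main__":
    for device, reasons in audit(INVENTORY).items():
        print(f"{device}: " + "; ".join(reasons))
```

Run on the constructed inventory, the lobby ATM is flagged for the factory default, the known-weak match and the sequential run, and the office safe for being short and sequential; the POS terminal and the alarm panel pass. The factory-default comparison is the one that matters most here, since a code can be long and still be the one printed in a manual anyone can download.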

If you are interested you can read Visa's CISP bulletin regarding this, here.

The bulletin focuses on merchant systems, not banking ones. Does that mean there are no vulnerabilities in banking systems?

Of course, most of the information from banks is stolen via phishing -- where a person is tricked into giving up their information (passwords highly desirable) by social engineering methods, or more and more frequently -- (at least according to the last APWG report) by downloading malware (crimeware). Once malware is downloaded, no further human interaction is needed, and the information is stolen (normally with keylogging software).

Maybe, we are making it too easy to hack systems? Whether we call it a code, or a password, both of these are used to open something. Essentially, they are a key, which opens up the lock of whatever you are trying to keep locked (secure). Is the problem that we've created too many different keys?

At least with keys, you have to go to a little more trouble to duplicate them. It's hard to post them online, and a little more difficult to write them down, or even memorize them.

My best advice to the less technical people out there -- dealing with layers of passwords, or default codes -- is to read the technical manuals carefully. It might also be a good idea to consult with the salesperson selling you the device on how to make it 100 percent secure.

Of course, it also might be a good idea to see what is being posted online and not to hand out your keys to the wrong person.

I recently did a post on Dariusz Grabowski, a Polish immigrant, who describes himself as the "eBay king of stolen cars." As part of his plea bargain agreement, he disclosed information on how he was stealing a lot of cars and made the statement:

"You go online, you find anything you need," Grabowski told the investigators in the videotaped interview. "You can go on eBay at this point and purchase any of the equipment you need. Of course, I might pick this up easier than other people."

Maybe if some of the people selling the devices protected the keys a little better, the information wouldn't be so easily picked up?

R. Lee Ermey, who played Senior Drill Instructor Gunnery Sergeant Hartman in Full Metal Jacket, might have said it best in a scene from the now classic movie.


Courtesy of YouTube and Warner Home Video