Saturday, November 17, 2007

Truston Identity Theft Services recognized as a 2008 Hot Companies Finalist

There are very few identity theft protection services that I TRUST one-hundred percent. The reason for this is most of them require that a victim, or even someone who wants to protect themselves from identity theft, provide them with all their personal information.

Some of them even require that you furnish them with a power of attorney, which is even scarier. In the wrong hands, a power of attorney would give the wrong person the ability to do a lot of damage to a name, or financial portfolio.

In the era of outsourcing and phone banks, not giving someone else control over your name and finances is something worthy of consideration. We never seem to know exactly, who is being given access to this information, anymore.

Most identity theft protection services take advantage of free services, which someone who had a fair amount of knowledge could do themselves. The problem is that a lot of people don't have the knowledge, or want something that makes it easy for them.

Truston addresses both these issues by allowing a person to keep their personal information personal and providing a user friendly platform to protect themselves, or if need be, recover from having their identity stolen.

The protection services are always free and if need be, the recovery procedures are a lot cheaper than anything else I've seen on the market. The recovery services are only $10 a month, and only need to be purchased for the time frame they are needed.

The majority of the services out there require a long-term commitment and have clauses (normally written in fine print) covering preexisting conditions.

Because of this, Truston and it's CEO, Tom Fragala have been named as a 2008 Hot Companies finalist by Silicon Valley Communications.

From the press release regarding this matter:

Truston, a provider of award-winning online services for identity theft protection and consumer credit management, announced that it has been named a 2008 Hot Companies finalist by Silicon Valley Communications. Truston was selected after a global analysis of information technology vendors around the world. Truston was chosen based on the "4Ps" selection criteria-Products, People, Performance, and Potential. The 2008 Hot Companies analysis encompassed companies in all areas of information technologies including security, wireless, storage, networking, software and communications.

The Hot Companies 2008 evaluation process also assessed candidates for entrepreneurial spirit, seasoned executives with relevant experience, clear understanding of their IT market segment, products and solutions that are positioned to take advantage of the emerging market opportunities, well developed revenue-growth model and clearly planned expansion strategies.
Tom Fragala, who has a background in the IT world was a identity theft victim himself, which prompted him to design a service that is both effective and privacy friendly.

He has also spent a lot of time as an advocate for identity theft victims and blogs on the subject, here.

Having known him for awhile through our mutual interests, I've done some other posts on Truston (which if anyone is interested) can be viewed, here.

Friday, November 16, 2007

U.S. China Commission Report reveals serious issues that need to be dealt with!

Reports of the Chinese hacking into government systems are nothing new. Along with the constant reports of substandard products being put on our shelves, there is little doubt that the Chinese pose a threat to our safety in a LOT of different ways.

The U.S. China Commission has just released a disturbing report, which indicates some alarming evidence that the Chinese might be a threat to our National security.

The first concern is what appears to be a growing capability to target satellites. I got the following directly from the report, which was provided to Congress:

The hearing was timely, coming only three months after a successful direct-ascent anti satellite test by China that destroyed one of its own aging weather satellites in low-earth orbit. This test was only the third of its kind by any nation in history and served as a useful reference point during the hearing to illustrate not only China’s advances in military capabilities, but also the extent to which China’s decision making process is still very much opaque. This incident raises questions about Chinese intentions in space. The Commission will address these questions as it continues to monitor developments.

In the same realm, it appears that China is actively developing capabilities to conduct "irregular warfare." It should be noted that in addition to this report there have been regular reports of hackers from China specifically targeting government systems.

This is what the current report concluded:

Several experts testified that if China were to find itself in an armed conflict with the United States and its allies such as that resulting from a Taiwan dispute, China is likely to employ an array of irregular warfare strategies against its adversaries. According to Michael Vickers, Senior Vice President for Strategic Studies at the Center for Strategic and Budgetary Assessments, a Chinese attack on Taiwan could entail special operations and cyber attacks on U.S. regional bases in Japan and South Korea, and might even include cyber attacks on the U.S. homeland that target the U.S. financial, economic, energy, and communications infrastructure.

Also covered in the report are previously documented cyber-intrusions into U.S. Government systems:

As evidenced by the trajectory of its military modernization, Chinese defense planners are seeking to accomplish the goal of undermining the U.S. military’s technological edgethrough a variety of disruptive means. Among these is cyber warfare. USSTRATCOM Commander General Cartwright testified before the Commission that China is actively engaging in cyber reconnaissance by probing the computer networks of U.S. government agencies as well as private companies. The data collected from these computer reconnaissance campaigns can be used for myriad purposes, including identifying weak points in the networks, understanding how leaders in the United States think, discovering the communication patterns of American government agencies and private companies, and attaining valuable information stored throughout the networks. General Cartwright testified that this information is akin to that which in times past had to be gathered by human intelligence over a much longer period of time. He went on to say that in today’s information environment, the exfiltration that once took years can be accomplished in a matter of minutes in one download session.
The report also concludes that the Chinese have been building up their more traditional military capabilities since 1992.

Going into the reasons why China has been able to accomplish this, the report states:

China’s policies of market liberalization have resulted in rapid export-led economic growth prompting increased foreign investment; development of China’s manufacturing capabilities; and integration into the global supply chain. China’s abundant and inexpensive labor supply has made that country an obvious place for multinational companies to expand their production. However, as Dr. Peter Navarro, Professor of Business at the University of California, Irvine, observed in his testimony, five of eight factors identified as major drivers of China’s comparative advantage—i.e., its ability to undercut the prices of global competitors—are considered unfair trading practices. These include its undervalued currency, counterfeiting and piracy, export industry subsidies, and lax health, safety, and environmental regulations. These practices violate China’s WTO commitments, especially regarding workers’ rights, market access, currency manipulation, subsidies, and the protection of intellectual property rights. These violations and unfair practices also contribute to a growing U.S. trade deficit with China, one that U.S. Census Bureau statistics confirm increased 177 percent in the past six years from $83.8 billion in 2000 to $232.5 billion in 2006.

Granting China a "Permanent Normal Trading Relationship" six years ago was sold to the American public as a means of making China a better place (more democratic) place for it's people.

Instead, we have seen a lot of questionable government activity, which includes a variety of criminal enterprises when we consider all the hacking, counterfeiting and piracy that can be directly traced back to that country.

The lack of safe manufacturing practices and counterfeiting also poses a threat to our safety. It should be noted that according to International Anticounterfeiting Coalition, counterfeiting is a $600 billion a year problem, worldwide.

There are no figures on how much of this comes from China, although most experts on this subject speculate a lot of it does. Additionally, there is a lot of evidence that a lot of counterfeit merchandise is present in our supply chain. This evidence would include products of a consumable nature such as drugs, also.

The FDA estimates that 10 percent of the drugs in our supply system are counterfeit.

A lot of this probably tied into another phenomenon traced to the Chinese known as corporate (industrial) espionage. Of course, there is probably less of a need for the Chinese to plant spies in our industrial complexes anymore. With the amount of outsourcing going on, they probably never have to set foot out of China to steal a lot of secrets from us.

According to the Washington Post, American companies are even outsourcing the manufacture of military parts:

The Pentagon is increasingly buying planes, weapons and military vehicles from private contractors that outsource the manufacturing to plants in China and elsewhere in Asia, the report said. But when questioned by the commission, defense officials admitted that they do not have the ability to track where the components of military equipment are made.

To me, given all the recent implications of Chinese intentions, this makes the least sense!

All of these factors have led to a loss of jobs within our country as corporations take advantage of cheap labor, which is often the greatest expense in any business.

This translates into record profits for the Chinese and a select few people in the West.

Given the safety, National security and economic implications, continuing down this road doesn't seem to be in the best interests of the average person.

The full report from the U.S. China Commission can be viewed, here.

Thursday, November 15, 2007

Former Nevada State employee claims he was fired for revealing data breach

(Photo courtesy of wazzywooze at Flickr)

It never ceases to amaze me how a lack of information security translates into official statements that no one is aware of any identity theft that has occurred.

With as many people, we know have been compromised, and accounting for episodes like the one below where we probably aren't sure, who really knows?

The State of Nevada has a possible compromise, where no one seems to be certain, whether or not, a lot of people were compromised.

From the article written about this by

Hundreds of CDs containing payroll information about state employees, including Social Security numbers, have either been lost or stolen over the last three years.

That's the word from state Personnel Director Todd Rich, who says the system has been tightened to prevent unauthorized people from getting employee information.

Rich says his department sent a total of more than 13,000 CDs to 80 agencies for review every two-week pay period over the last three years. He says as many as 470 are still missing, but his agency has NOT been notified of any identity theft as a result.

The powers that be have since instituted putting a password on the CDs, along with a requirement that they be signed for.

The person, Jim Elste, who revealed the fact that the CDs were missing was fired. He claims it was for revealing this matter, but the State is claiming his employment was terminated for "poor management and lack of anger control."

There have been so many data breaches and so many people compromised, if they were to become an identity theft victim, it might be nearly impossible to figure out where the crook got their information.

No wonder, whenever a suspected breach occurs, no one is SURE if anyone has become a victim of identity theft. The only thing we can be sure of is that there are a lot of victims out there and the number is growing.

Reno Gazette-Journal story, here.

If you would like to see how many people have been compromised -- the list grows VERY frequently -- the Privacy Rights Clearinghouse tracks reported breaches, here.

As of this writing, this one isn't listed as a breach yet!

Sunday, November 11, 2007

Digital gangsters can buy everything they need to commit fraud right on the Internet!

There is a lot of technology with questionable applications being sold on the Internet. Of course, this is merely my opinion, but I have my reasons for believing this.

Robert McMillan, IDG News Service wrote an INTERESTING article about spyware being sold on eBay that has questionable applications.

From his article:

Think your wife may be cheating on you? Wondering who your boss might be talking to? "Learn the truth. Spy today."

So reads an ad for "Bluetooth Spy Pro-Edition," one of nearly 200 mobile phone spyware products currently listed for sale on eBay.

The software, which costs as little as US$3.99, can be used to view photographs, messages and files on the phone, listen into phone conversations, and even make calls from the phone being spied upon.

Security experts are concerned, because while these products aren't illegal, installing them without authorization to spy on someone else most definitely is.
Of course, eBay wasn't able to be reached for comment.

In August, I did a post called, Self service stamp machines targeted by credit card thieves. When writing it, I saw a quote that some of the stolen stamps were being sold on eBay and decided to see for myself. What I found was a lot of stamps for sale for what seemed to be too good to be true prices.

To be completely fair, eBay isn't the only one selling questionable merchandise on the Internet. The problem exists on auction sites in general and there are e-commerce companies that specialize in selling devices, which are marketed specifically as tools to violate other people's privacy.

In the wrong hands, these devices can be used for more sinister purposes, also.

A good example of this is keylogging software, which is is a favorite tool of cybercriminals to steal people's personal and financial information. Keylogging software is legal and easy to purchase in a variety of places, including the Internet.

Another example, which is similar to Robert McMillan's story concerns a company called FlexiSpy. I did a post on this company, who sells technology designed to spy on Smart Phone users.

In the post, I wrote:

There is already a lot of "buzz" that mobile phones, especially those of the smarter variety will be targeted for their "information value."

A product called "FlexiSPY" is being legally sold, which allows anyone (with the money to buy it) to invade the privacy of someone, who uses a smart phone.

Despite all the controversy at the time, FlexiSpy seems to be alive and selling their product to anyone with the money to buy it.

To end this post, I will refer to the worst site of this type (my opinion) out there. is a one stop e-commerce shop selling technology and a host of manuals that could be used to commit a host of financial crimes.

I covered this website in a post entitled:

It is no wonder why skimming (credit/debit card fraud) is becoming a nasty problem!

Here is the websites legal disclaimer:

We WILL NOT answer emails from anyone asking about illegal activities, or how to use our products for illegal activities...they will automatically be deleted. All products are designed for testing and exploring the vulnerabilities of CUSTOMER-OWNED equipment, and no illegal use is encouraged or implied. We WILL NOT knowingly sell to anyone with the intent of using our products for illegal activities or uses. It is your responsibility to check the applicable laws in your city, state, and country., who has the motto "they make it we break it" is up and running at the time of this writing and boasting they've been in business for eleven years.

While there might be legitimate uses for some of this technology being marketed on the Internet, you would think at the VERY least we might want to put a few controls on who it is being sold to?

When I say some of this technology MIGHT have legitimate uses, there is also some that I can think of no legitimate use for!

Unfortunately, until laws are enacted that hold the sellers accountable, little can be done about this.

One thing to remember is that even though the sellers aren't being held accountable, the buyers will be if they are caught using them in a manner deemed to be illegal. Just because it appears easy to buy doesn't mean that using it won't land a person in a lot of trouble.

It's safe to say that we could find people in correctional institutions that could attest to this fact.

IDG News Service story (courtesy of PC World), here.

Major cybercrime and identity theft group smashed in NYC

It appears that the Manhattan District Attorney and the United States Secret Service have dealt a significant blow to a Internet crime ring dealing in stolen credit card information, cybercrime and identity theft.

The New York/New Jersey Electronic Crimes Task Force and a host of other agencies assisted in the investigation, also.

From the DANY press release:
Manhattan District Attorney Robert M. Morgenthau announced today the indictment of seventeen individuals and one corporation on charges related to global trafficking in stolen credit card numbers, cybercrime, and identity theft. Three defendants will be arraigned today.

The three defendants to be arraigned today are VADIM VASSILENKO, YELENA BARYSHEVA and JOHN WASHINGTON.

Six other defendants – TETYANA GOLOBORODKO, DOUGLAS LATTA, ANGELA PEREZ, KOSTAS KAPSIS, LYNDON ROACH and KEITH CUMMINGS – were arraigned earlier. Two defendants, EDUARD KHOLSTININ and OLEKSIY YARNE, are in custody in other states on unrelated charges and six other defendants are still being sought.

Also indicted is WESTERN EXPRESS INTERNATIONAL, INC., a corporation formerly headquartered in mid-town Manhattan at 555 Eighth Avenue. Western Express’s corporate officers are VADIM VASSILENKO and YELENA BARYSHEVA. TETYANA GOLOBORODKO was the manager of WESTERN EXPRESS.

Although not specified in the press release, most of the surnames of the indivduals involved appear to be Russian, or Eastern European. Most experts concede that Russian and Eastern European organized crime organizations are the major players in the stolen payment card information business.

The activity involved in this appears to highly organized, and technically sophisticated:

The Western Express Cybercrime Group carried out its criminal operations through a structure consisting of “vendors,” “buyers,” “cybercrime services providers,” and “money movers.” The “vendors” were individuals who sold large volumes of stolen credit card numbers and other personal identifying information through the internet. The “buyers” used the internet to purchase that information from the “vendors,” for the purpose of committing additional crimes such as larceny and identity theft. The “cybercrime services providers” promoted, facilitated, and aided in the purchase, sale and fraudulent use of stolen credit card numbers and other personal identifying information through various computer services that they provided to the “vendors” and the “buyers.” Finally, other defendants operated as “money movers.” Those defendants provided financial services and conducted financial transactions for other participants in the criminal enterprise in order to move funds and launder the proceeds of criminal activity. The “money movers” relied on anonymous digital currencies, such as Egold and Webmoney, to buy, sell, and launder the proceeds of criminal transactions, and conducted their business online, using websites, instant messaging, and email. Some of the defendants charged in the indictment played more than one role.

Those involved in the Western Express Cybercrime Group interacted and communicated through “carding” websites – that is, websites devoted to trafficking in stolen credit card and personal identifying information. They relied on the use of nicknames, false identities, anonymous instant messenger accounts, anonymous email accounts, and anonymous digital currency accounts to conceal the existence and purpose of the criminal enterprise, to avoid detection by law enforcement and regulatory agencies, and to maintain their anonymity.

The entire operation was set up under a business in Manhattan known as Western Express. This business appears to have been nothing more than a sophisticated money laundering operation:

The corporate defendant WESTERN EXPRESS INTERNATIONAL, INC., through its managerial agents VADIM VASSILENKO, YELENA BARYSHEVA, and TETYANA GOLOBORODKO, provided financial services designed to conceal the source and destination of funds earned through the trafficking of stolen credit card numbers and other personal identifying information, as well as the identity of individuals engaged in such transactions. They used conventional banks and money transmitters to move large sums of money for their clients, thus permitting their clients to remain anonymous and insulated from reporting requirements. They also provided information and assistance to other members of the group through the WESTERN EXPRESS websites and

Apparently, this business had about $35 million flow through it's various accounts and is responsible for a known $4 million in credit card fraud. The investigation also revealed that they trafficked over 95,000 credit card numbers.

The press release stipulates that this is only what has been identifed thus far.

In February 2006, Western Express was also indicted for running an illegal check cashing/wire transfer service. Through it's various websites it offered one-stop financial services enabling Eastern European customers to do business in the United States and vice-versa.

This business was also a front for laundering the proceeds of a lot of fraud activity:

The investigation has revealed that their clients were involved in widespread illegality beyond the mere receipt of funds under fictitious aliases and addresses, including a variety of cyber-crimes such as “re-shipping” schemes and “phishing,” “spoofing” and spamming.
DANY press release, here.

Botnet owner faces 60 years in prison and a $1.75 million fine

Until recently, botnet owners seemed to be able to trash people's systems without having to face very many consequences. And in a lot of instances, more than a system gets trashed when it is compromised by a botnet owner.

Friday, the Central California U.S. Attorney's office announced the prosecution of one of these botnet owners. Of interest, the botnet owner, John Schiefer admitted to compromising up to 250,000 computers with malware (malicious software).

In the first prosecution of its kind in the nation, a well-known member of the “botnet underground” was charged today with using “botnets” – armies of compromised computers – to steal the identities of victims across the country by extracting information from their personal computers and wiretapping their communications.

The criminal information and plea agreement filed this morning in United States District Court in Los Angeles outline a series of schemes in which Schiefer and several associates developed malicious computer code and distributed that code to vulnerable computers. Schiefer and the others used the illicitly installed code to assemble armies of up to 250,000 infected computers, which they used to engage in a variety of identity theft schemes. Schiefer also used the compromised computers to defraud a Dutch advertising company.

According to the press release, Schiefer and crew seemed to prefer harvesting eBay and PayPal information:

In his plea agreement, Schiefer acknowledged installing malicious computer code, or “malware,” that acted as a wiretap on compromised computers. Because the users of those compromised computers were unaware that their computers had been turned into “zombies,” they continued to use their computers to engage in commercial activities. Schiefer used the malware, which he called a “spybot,” to intercept electronic communications being sent over the Internet from those zombie computers to and other websites. Once in possession of those intercepted communications, Schiefer and the others sifted through the data to mine usernames and passwords. With Paypal usernames and passwords, Schiefer and the others accessed bank accounts to make purchases without the consent of the true owners. Schiefer also acknowledged in the plea agreement that he transferred both the wiretapped communications and the stolen Paypal information to others. It is the first time in the nation that someone has been charged under the federal wiretap statute for conduct related to botnets.

It appears that the FBI's Cyber Division might have had something to do with catching Mr. Schiefer and crew.

In June, they announced a nationwide initiative against botnet owners called Operation Bot Roast.

Mr. Schiefer isn't mentioned in the release about Operation Bot Roast, but it appears that the FBI is starting to take this activity seriously and is making it more dangerous for botner owners to operate.

When Schiefer pleads guilty to all of this on November 28th, he will face a statutory maximum sentence of 60 years in federal prison and a fine of $1.75 million.

Full press release from the United States Attorney's Office Central District of California, here.

If you have been a victim of a botnet owner, who turned your computer into a zombie you can assist the FBI by reporting the matter at the Internet Crime Complaint Center.

They also have some information on how to avoid having your computer turned into a zombie, here.