Saturday, December 08, 2007

FTC tutorial on how to protect sensitive business information

The FTC has released a training tool designed to help businesses protect sensitive information, which might be stolen to commit identity theft or fraud.

After taking a look at it, I found it to be a simple, straightforward and effective way for a business to evaluate how well it is protecting information.

From the FTC release on this new tool:

Protecting the personal information of customers, clients, and employees is good business. The Federal Trade Commission has a new online tutorial to alert businesses and other organizations to practical and low- or no-cost ways to keep data secure.

The tutorial, “Protecting Personal Information: A Guide for Business,” at, takes a plain-language, interactive approach to the security of sensitive information. Although the specifics depend on the type of company and the kind of information it keeps, the basic principles are the same: any business or office that keeps personal information needs to take stock, scale down, lock it, pitch it, and plan ahead. The tutorial explains each of these principles, and includes checklists of steps to take to improve data security.

The tutorial supplements brochures, slide presentations, and articles on information security already on the Web site and available from the FTC for free. The agency is encouraging businesses and other organizations to share this important information with employees who handle personal information such as Social Security numbers, credit card numbers, financial account numbers, and other sensitive personal information.

Interestingly enough, I just did a post on a new report released by the IT Policy Compliance Group. Its finding was that the organizations suffering the fewest incidents of information theft have a few things in common: they keep their programs simple and pick out the most critical items with a focus on risk. The organizations with the fewest incidents also inspect those critical items more frequently.

The FTC tutorial gives some good guidance on how to identify the most critical, risk-focused items in an organization.

Common sense often is the best way to approach ensuring competent security.

Materials can be ordered for presentation purposes by following the link listed in the press release.

FTC press release, here.

A video presentation of this information can be seen, here.

Private Eyes charged with aggravated identity theft

This isn't the first time private investigators have been caught using social engineering techniques to steal personal information. The Hewlett Packard case caused quite an uproar over this last September.

Here is another case involving private investigators using illegal techniques to data mine information for their clients:

Ten people were indicted by a federal grand jury in Seattle in connection with a scheme to illegally obtain confidential information on more than 12,000 citizens across the country. To obtain confidential tax, medical and employment information, workers at BNT Investigations in Belfair, Washington, would pose as another individual to get government agencies including the IRS, the Social Security Administration, and various state employment security offices to provide confidential information. The year-long investigation dubbed, “Operation Dialing for Dollars,” also revealed that some workers posed as representatives of doctors’ offices to get medical or pharmacy records.

The private investigators used "pretexting," a social engineering technique designed to trick people into giving up personal and financial information. Criminals use the same technique to steal people's identities.

Phishing, in which an e-mail impersonates a trusted party or authority figure in order to steal personal information, is itself a form of pretexting.

What these private eyes did might be termed "vishing": phishing conducted over the telephone.

It appears the U.S. Attorney's office agrees that there is little difference between the techniques these private eyes used and those used by identity thieves, and is charging all of them with aggravated identity theft.

The ten defendants are charged with Conspiracy and Wire Fraud. Seven of the defendants are charged with Fraudulent Elicitation of Social Security Administration Information. Six of the defendants are charged with Solicitation of Federal Tax Information. All ten defendants are charged with Aggravated Identity Theft. The three Washington defendants are scheduled to appear in U.S. District Court in Tacoma at 2:30 today.

These are the defendants indicted by the grand jury:

EMILIO TORRELLA, 36, Belfair, Washington
BRANDY N. TORRELLA, 27, Belfair, Washington
STEVEN W. BERWICK, 22, Belfair, Washington
VICTORIA J. TADE, 52, San Diego, California
MEGAN OSOSKE, 40, Beaverton, Oregon
DARCI P. TEMPLETON, 55, Houston, Texas
ESAUN G. PINTO, Sr., 33, Brooklyn, New York
PATRICK A. BOMBINO, 58, Brooklyn, New York
ROBERT GRIEVE, 67, Houston, Texas
ZIAD N. SAKHLEH, 26, Houston, Texas

The Torrellas, who own BNT Investigations, allegedly are the "phishy investigators" who were selling this illegally obtained information to their peers nationwide.

The private investigators had been hired by attorneys, insurance companies and collection agencies to investigate the backgrounds of opposing parties, witnesses and benefit claimants, and to uncover assets or income. The TORRELLAs promoted their services to the private investigators.

BNT investigations targeted financial institutions and government agencies to get the information they were selling.

This makes me wonder how much the people paying for these services knew, and to what extent they might be held liable.

Although it doesn't appear that more sophisticated spying (identity theft?) techniques were used in this case, in the Hewlett Packard case investigators dropped software (malicious?) onto computer systems to monitor the people they were "investigating."

Press release from the Western Washington U.S. Attorney's Office, here.

Friday, December 07, 2007

Has hacking become too easy? Ask the child predator who just got 110 years for doing it!

Here is a hacker who ended up in a lot of trouble after using malware to blackmail underage girls into creating pornography of themselves. The problem is that it was probably a little too easy for him to obtain the tools he used to pull his "hack" off!

This leaves me slightly cynical that putting one person behind bars for 110 years is going to solve the overall problem we are facing with the irresponsible use of technology.

I picked this up from Sharon Gaudin (Computerworld), courtesy of the NY Times:

A North Carolina man last week was sentenced to 110 years in prison after admitting that he and a co-conspirator hacked into computers used by young girls and used illicitly gained data to blackmail them.

Ivory D. Dickerson, 33, a civil engineer, admitted that he conspired with the other person to send emails or instant messages to underage girls as part of a scheme to trick them into opening a file containing the Bifrost trojan horse. The malware would give Dickerson and his co-conspirator control over the victim's computer, and they tried to use hacked information to coerce the girls into creating and then electronically sending them lurid photos of themselves, prosecutors said.

Dickerson used the usual techniques to monitor his victims, such as keylogging software. He also had a tool that enabled him to take over web cameras and record what was going on.

This concerned me from a privacy perspective, so I decided to see what would pop up if I Googled "hacking webcams." To my utter amazement, I found some shocking results, which are pretty scary.

In fact, one site has a tutorial on how to hack webcams using a Google search string. The trick works because many camera web interfaces are reachable from the internet with no login at all, and search engines index them like any other page.

In most instances, this can be prevented by password protecting whatever camera system you install, and by not exposing its web interface to the internet unless you actually need remote access.

Please note that criminals could use your cameras against you in a variety of ways that threaten both your privacy and safety.
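As an added illustration (this is not code from the original post), here is a small Python check a camera owner can run against their own camera's web interface to confirm that it actually demands credentials before serving anything. The probe paths in PROBE_PATHS and the embedded mock camera server are constructed for the demonstration and are assumptions; real cameras serve their own paths, so adjust the list to whatever your model uses.

```python
"""Check whether a network camera's web interface demands credentials.

Added example, not from the original post. Assumes the camera exposes an
HTTP interface; PROBE_PATHS and the mock server below are constructed for
demonstration only.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Paths to probe (assumption: typical camera UI/stream paths, not exhaustive).
PROBE_PATHS = ("/", "/video.cgi", "/snapshot.jpg")


def check_camera(base_url, paths=PROBE_PATHS, timeout=3):
    """Return a dict mapping each probed path to one of:
    'open'        - answered 200 with no credentials supplied (anyone who
                    finds the address, e.g. via a search engine, can view it)
    'protected'   - answered 401 or 403, i.e. a login is required
    'other'       - some other HTTP status
    'unreachable' - no HTTP answer (connection refused, timeout, ...)
    """
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "camera-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = "open" if resp.status == 200 else "other"
        except urllib.error.HTTPError as e:
            results[path] = "protected" if e.code in (401, 403) else "other"
        except (urllib.error.URLError, OSError):
            results[path] = "unreachable"
    return results


def exposed_paths(base_url, paths=PROBE_PATHS):
    """Sorted list of paths that serve content without any credentials."""
    return sorted(p for p, s in check_camera(base_url, paths).items() if s == "open")


# ---- Constructed mock camera server so the demo runs offline ----
class _MockCamera(BaseHTTPRequestHandler):
    protected = False  # overridden per server instance via a subclass

    def do_GET(self):
        # A protected camera challenges any request lacking credentials.
        if self.protected and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
            self.end_headers()
            return
        # An unprotected camera hands the live view to anyone who asks.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html>camera live view</html>")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_camera(protected):
    """Start a mock camera on a free localhost port; return (server, base_url)."""
    handler = type("MockCam", (_MockCamera,), {"protected": protected})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    for flag in (False, True):
        srv, url = start_mock_camera(protected=flag)
        print(url, "password-protected" if flag else "unprotected",
              "->", check_camera(url))
        srv.shutdown()
        srv.server_close()
```

Point the script at the base URL of your own camera; any path reported as "open" is viewable by anyone who discovers the address. A check like this only covers the paths you probe, and it says nothing about whether the password in use is a factory default, so change that too.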

Going back to the article about our hacker using Bifrost malware, a Sophos rep is quoted as saying:

The Bifrost malware, "is relatively easy to obtain," said Richard Wang, manager of SophosLabs U.S. "It's not something you need to pay for. Since we first saw it in April of 2005, we've seen over 1,200 different versions of this Trojan. The guys who write them are always trying to put up new versions to hide them from anti-virus software."

I'm guessing Mr. Wang means the malware can be obtained from one of the hacking forums that seem to be out there on the Internet (and are pretty easy to access).

As for Mr. Dickerson, lock him up and throw away the key, preferably on a deserted island. That said, here is yet another example that it doesn't take a whole lot of skill to be a hacker nowadays. In fact, it seems to be a little too EASY!

It's a shame that parents now have to become computer security experts to ensure the safety of their children. Maybe the answer is to take a hard look at all the enabling factors we seem to see too much of these days?

ComputerWorld article (courtesy of the NY Times), here.

Fox News has a pretty telling video about the subject of webcam hacking, which can be seen, here.

Thursday, December 06, 2007

Word of mouth is fraud's worst enemy!

FraudAid, a website dedicated to helping fraud victims has a saying, "Silence is fraud's best friend. Word of mouth is fraud's worst enemy. Pass the word!"

In a world where fraud victims have a hard time getting anyone to even talk to them, this saying makes a lot of sense.

FraudAid was conceived by Annie McGuire, who fell victim to a fraud scheme herself. Her personal story, told in great detail on the site, proves that just about ANYONE can become a fraud victim.

From my personal dealings with victims, you would be surprised who has been scammed.

The problem is that most people, especially those who think they should have known better, rarely report that they have become a victim of fraud. FraudAid strives to educate all of us that this lack of communication enables fraudsters to victimize people who, had they been made AWARE, might not have been taken in by the scheme.

That is why there seems to be so much fraud, and why the experts compiling the statistics disagree on how much of it exists. After all, "Silence is fraud's best friend."

The FTC just released their estimate of identity theft victims, which has raised a lot of speculation about how accurate their number is.

I have no doubt that the FTC did the best they could, but if fraud isn't reported, it's hard to quantify.

The FraudAid site is a wealth of information for someone seeking help after becoming a victim. Of the greatest importance (in my opinion) is how to deal with the authorities.

One page on the site shows the average person how to write a narrative that will get the police interested in taking on your case.

It also goes into great detail on which law enforcement agency specializes in which type of fraud. This can be confusing for someone dealing with being victimized for the first time.

The site also addresses a growing phenomenon: victims who end up getting arrested. With all the auction fraud and stolen financial information being sold wholesale, fraudsters need to launder the proceeds of their illicit transactions.

The way they do this is by tricking people into doing it for them: hiring them under false pretenses to negotiate the illicit transactions and wire the money on. This is often referred to as a work-at-home, job, or check-cashing scam.

Another variation, known as a reshipping-scam, tricks people into reshipping stolen merchandise.

In reality the victim is taking all the risk for the scammer, and more and more often taking the rap when the scheme is discovered. Sadly, the end result is almost certain financial ruin and possibly being charged with a host of crimes, including check fraud, money laundering and receiving stolen goods.

Some of the scams FraudAid covers in detail include investment, Nigerian (419), sweetheart/romance, sweepstakes, lottery, work-at-home, visa/green card, counterfeit check/money order, and reshipping/package processing scams.

Also covered on the site is how to protect yourself from, and recover from, identity theft. Many fraud victims later become victims of identity theft when a fraudster sells the information harvested from them.

The site even contains information on child safety and human trafficking.

Backing all this up are a host of research tools for fraud, where to report it and how to take political action.

Annie is now backed up by a group of volunteers, one of whom, Karrie Brothers, provided me with a lot of information on the current goings-on at FraudAid.

To grow this effort, Karrie and Annie are actively seeking volunteers. As one of the few resources a victim can turn to, they are getting a lot of business!

FraudAid gives a good explanation of why volunteers are needed and why they are trying to grow the organization:

Fraud, by every measure, is one of the biggest and fastest growing industries in the world.

One study values worldwide corporate fraud at over two trillion dollars. This is not counting consumer and Internet frauds for which there is no reliable assessment. Another study estimates that 6% of global product is laundered money.

The fraud industry is run by many, many skilled professionals. The anti-fraud industry is small and, by comparison, run by very few skilled professionals.

That's why if you have the skills you can make a real difference!

Fraud Aid, Inc. is a volunteer anti-fraud organization. We, as all other anti-fraud organizations, are out-numbered and need your help.

We have the frauds. Do you have the time?

To grow the organization, they are recruiting a wide range of volunteers with law enforcement, legal, IT and education experience. There are also opportunities for people with no experience.

Even if you think you are aware of all the fraud schemes out there, FraudAid is a great place to learn more about them. After all, if people weren't being taken in by the schemes, fraud would probably disappear pretty quickly!

If you want to learn more about FraudAid, the site can be seen, here.

Tuesday, December 04, 2007

IT Policy Compliance Group issues study on data breaches and information theft

Today, the IT Policy Compliance Group released an interesting report on the state of compliance and how it relates to the growing phenomenon of information theft and data breaches.

The IT Policy Compliance Group is a non-profit organization supported by the Computer Security Institute, the Institute of Internal Auditors, ISACA, the IT Governance Institute, Protiviti and Symantec. The report reflects the findings from more than 450 organizations that were surveyed.

To sum up the main findings in the report:

The most recent benchmark research conducted by the IT Policy Compliance Group (IT PCG) reveals an intimate relationship between financial outcomes, sustained competitive advantage, data protection, and regulatory compliance.

The core competencies for protecting sensitive data are the result of this research and show the practices, procedures, and organizational strategies being implemented by organizations with the least loss and theft of sensitive data. A company’s ability to sustain its competitive advantage is enabled by protecting its sensitive data, resulting in better customer retention while protecting the brand and reputation of the firm. Protecting sensitive data helps a company avoid revenue loss, market capitalization loss, and unnecessary expenses.

The findings in the report show that a lot of organizations are struggling with high rates of data loss and theft: 87 percent of them suffer data loss or theft three to twelve or more times a year. The remaining 13 percent, with three or fewer occurrences, have something in common: an efficient and workable compliance program.

The organizations with the fewest occurrences focus on 30 or fewer control objectives. This is in stark contrast to the organizations with a higher occurrence rate, which focus on 80 or more control objectives.

These organizations (with the fewest occurrences) have examined their control points, carefully selected the most important ones, and remain focused on them.

Organizations with the fewest occurrences also inspect their control points more frequently: on average every 19 days, versus every 230 days for the organizations with the most occurrences.

Data breaches and information theft are getting more and more expensive for the organizations that suffer the unfortunate experience of having one:

Financial outcomes from the loss or theft of sensitive data include customer defections, revenue declines, declines in stock price for publicly traded firms, and additional expenses (see Why Compliance Pays: Reputations and Revenues at Risk, IT PCG, July 2007). Additional financial risk results from expenses incurred for litigation, litigation settlements, consumer credit counseling, investigations, data restoration, and necessary (and after-the-fact) get-well efforts. Averaging nearly 8 percent of revenue, the expected losses from benchmarks conducted with hundreds of organizations are mirrored by actual experience.

The report points out that one size doesn't fit all when a data breach occurs, but there is little doubt that the cost is rising and will continue to do so as media coverage of some of these breaches raises public awareness.

Also acknowledged is that despite the large number of reported data breaches, many more are never discovered.

Information is worth money, whether it is used to commit financial crimes or to gain a competitive edge over another organization. Undiscovered breaches are more valuable to the people stealing the information, because nothing has been done to counter the fact that they have it.

The recent TJX data breach, which some sources now estimate at up to 100 million records, has already caused TJX to take a $118 million charge against its second quarter earnings.

A key finding in the report includes the importance of the human factor. Anyone who has studied information theft, or data breaches knows that the human factor is often what compromises information.

I've often written that no amount of security is going to stop a motivated person, who has been given access to the information.

Social engineering techniques are also used by criminals to trick employees into either giving up the information, or downloading software to compromise it by more technical means.

A good example of this is a recent test by the Treasury Inspector General for Tax Administration. The report revealed that 60 percent of the IRS employees tested compromised sensitive information when subjected to social engineering techniques routinely employed by criminals.

According to the ITPCG report, here are the different causes of data breaches/information theft revealed by the study:

The conduits through which sensitive data is being lost and stolen include data residing on PCs, laptops, and mobile devices; data leaking through email, instant messaging, and other electronic channels; and data that is accessed through applications and databases.

Notably, most of the conduits listed above require a human to be involved.

It never ceases to amaze me when I see another report of a laptop, tape or disc containing sensitive information being lost. Even worse, we still see occurrences where the information wasn't even encrypted.

A case in point is the recent occurrence in the United Kingdom, where unprotected discs containing the child benefit records of 25 million people were sent through the post.

The report goes into more depth on how information theft occurs and states:

After user error, the most common contributions to data loss and theft include violations of policy, Internet threats and attacks, lost and stolen laptops, IT vulnerabilities, and insufficient controls in IT. These sources of data loss and theft can be countered with a combination of policy violation sanctions and procedural and technical controls.

The report sums up its findings with the sources of compliance deficiencies: five areas are directly related to IT security, three are related to the IT function and may relate to IT security, and two others are directly related to procedures and may or may not involve IT.

Today, besides people, IT is what runs most organizations, for the obvious reason that it reduces costs and makes things run more efficiently. The flip side is that when IT is used improperly it makes criminals more efficient too, and provides them with new avenues to commit crimes.

That said, this report has a lot of valuable information for anyone developing a compliance program to protect this asset (information).

The report cites the data loss archive as a resource. This is also a valuable resource for anyone looking at the growing phenomenon of data breaches/information theft.

Here is statement of purpose for the IT Policy Compliance Group from their site:

The web site is dedicated to promoting the development of actionable, fact-based findings that will help professionals to better meet the policy and regulatory compliance goals of their organizations. Supported by members such as the Institute of Internal Auditors, the Computer Security Institute, and Symantec (collectively known as the IT-Policy Compliance Group), the web site focuses on delivering information that will assist in improving IT compliance results based on primary benchmark research.

The full report is available on the site.

Sunday, December 02, 2007

Are criminal to criminal (C2C) networks making cyber crime too easy?

With the FBI's announcement of Operation Bot Roast II, detailing the arrests of several bot-herders who were infecting computer systems internationally, it's become apparent that a lot of crime is being committed with the click of a mouse.

One of the more amazing revelations to come out of Operation Bot Roast II was that a teenager was described in the media as a "cyber crime kingpin." Most of the people arrested were under 30. This led me to wonder whether our young people are getting smarter, or whether cyber crime is getting a lot easier to commit.

I ran into an article from ZDNet entitled "The new battleground in cyber crime." It covered a lot of things I already knew, but it perhaps hits on the reason cyber crime is growing at an explosive rate.

From the article written by Yuval Ben-Itzhak (originally published on

In an age where "data equals money," fortune has replaced fame as hackers' key motivation. Criminals are willing to pay top dollar for personal, financial, and corporate data collected by Trojans and other "crimeware."

The evidence is out there. Price lists discovered on the black market reveal that criminals are willing to pay $5,000 for a financial report, $500 for a credit card with PIN, and $150 for a driver's license ID.

With do-it-yourself malicious software packages available for $200, cybercriminals need neither deep pockets nor programming skills to compromise a Web site or steal sensitive financial data from an infected PC. Indeed, Finjan's security research confirms that crimeware toolkits have become cybercriminals' favorite weapon. The new business model is criminal-2-criminal (C2C)--attackers selling malicious code and stolen data to other criminal elements that profit from it.

The criminal to criminal (C2C) business model was a new term for me, but after thinking about it, it describes exactly what we keep hearing is going on out there.

Yuval made another statement in his article, which is something I've tried to point out numerous times:

The cybercrime equation is simple: the longer the crimeware remains undetected, the higher the profit for the attackers.

When I say I've tried to point this out before, it was in reference to all the data breaches we see in the news. Once a data breach becomes public, the stolen information probably isn't of much use in the C2C business model anymore.

Maybe that is why, after a data breach, we rarely see anyone get caught using the information?

If this is true, then the more we can monitor the C2C business model in real time, the more effective we will be in going after the criminals behind it.

While investing a lot of resources in dealing with data breaches is probably necessary, it does little to solve the overall problem. The statistics show that once a data breach becomes public, the information rarely gets used, if at all.

With litigation arising from some of these data breaches, the cost of disclosing one is becoming burdensome, too. I wonder what would happen if we started spending more money up front going after what is going on right now? We might spend a lot less money cleaning up the mess after the fact.

Unfortunately, the monetary resources allocated by most organizations to fight cyber, financial and information crime are often considered a necessary evil. The result is that the people dedicated to protecting us from these types of crimes are often some pretty over-worked individuals.

Please note that this is true in both the private and public sectors.

Couple this with certain marketing practices that make committing some of these crimes fairly easy, and it's no wonder we are facing an ever growing problem.

Perhaps, we should start rethinking how we go after this problem?

Yuval's article (which I consider an interesting read) can be seen, here.

Some of the reference material, he used in writing his article came from the security research people at Finjan. The interesting information in this report is available on the Internet, and can be seen by linking, here.