Saturday, January 05, 2008

Sears site violates people's privacy!

Ran into this story on the Truston blog. Tom Fragala, CEO of Truston, writes:

The internet retailer you choose just might, without disclosure, install software on your computer to snoop on your web browsing. Brian Krebs at the Security Fix blog has this story. Would you believe it could be one of the country's oldest retailers though?

"Sears is having a bit of a rough day with the privacy community. The company got off to a rocky start with revelations that many customers who gave Sears their personal details after shopping at the company's Web site also were giving away their online Web browsing habits to marketers, thanks to snooping software silently installed (and ill-documented) by a Sears marketing partner."
Even worse, as revealed in Brian Krebs' interesting blog post:

The discovery comes from Ben Edelman, an assistant professor at the Harvard Business School and a privacy expert whose research has done much to raise public awareness about the intersection of big business and shady advertising practices.

Sears offers no security whatsoever to prevent any user from retrieving a third party's purchase history, Edelman said, which violates its own privacy policy with such disclosures, no part of which "grants Sears the right to share users' purchases with the general public."

I guess this means that anyone can violate a Sears customer's privacy by using their website as a tool?

Please note that Professor Edelman has shown some pretty good evidence that regular customers, and not just e-commerce customers, can be compromised as well.

Going back to Professor Edelman's contention that snooping software was spying on customers -- spyware and adware are used on a lot of sites. In fact, I highly recommend scanning your system on a regular basis using reputable software. I'm always amazed at how much of it I find when I do.

My opinion is that when information is data mined, there needs to be a transparent way for a customer to opt in (authorize) an entity to use their information.

Current opt-out options are often deceptive and laden with a lot of small print.

As far as Sears goes, until they disclose what they are doing to fix this (or at least answer Mr. Krebs), I'm going to make sure I avoid using their shopping facilities!

DOJ charges 11 in pump and dump stock spamming operation

The Department of Justice has just announced the arrests of 11 spammers involved in a pump and dump stock spam scheme.

Pump and dump schemes victimize people -- lured by the expectation of too good to be true money -- who buy the stocks at artificially inflated prices. They normally lose money when the value suddenly drops because the people behind the scheme sell off their artificially inflated shares.

One of those arrested, Alan Ralsky, is considered one of the biggest spammers around by Spamhaus, an organization dedicated to tracking spam.

From the press release:

A federal grand jury indictment was unsealed today in Detroit charging 11 persons, including Alan M. Ralsky, his son-in-law Scott K. Bradley, and Judy M. Devenow, of Michigan, and eight others, including a dual national of Canada and Hong Kong and individuals from Russia, California, and Arizona, in a wide-ranging international fraud scheme involving the illegal use of bulk commercial e-mailing, or "spamming."

This investigation was conducted over a three-year period by the FBI, Postal Inspectors and the Internal Revenue Service. The people involved used all the standard spam diversions, including falsified domains and e-mail headers, social engineering lures and good old false advertising.

The release also states that they (tried?) to use botnets to send the spam:

The indictment also alleges that the defendants tried to send their spam by utilizing a cybercrime tool known as a “botnet,” which is a network of “robot” computers that have been infected with malicious software code that in turn would instruct the infected computers to send spam. The indictment charges that the defendants earned profits when recipients responded to the spam and purchased the touted products and services. Hui’s primary role in the scheme was to act as a conduit for Chinese companies who wanted their stocks pumped by the scheme. Ultimately, investigators estimate that the defendants earned approximately $3 million during the summer of 2005 alone as a result of their illegal spamming activities.

Recently, the FBI arrested a lot of Internet misfits in what they termed Operation Bot Roast and Operation Bot Roast II.

Botnets have become a major vehicle by which spam is circulated, using zombie computers taken over by spam e-mail containing malicious software. Because the owner of the computer normally isn't aware their computer has been turned into a "spam spewing zombie," it also confuses investigative efforts to track the spam to its source.

It should also be noted that here again, we see another "Chinese connection" in cybercrime. It's pretty interesting that publicly held Chinese companies were working with these spammers to have the price of their stock artificially inflated.

Russian nationals were also arrested in this recent case. Eastern European types seem to be heavily involved in the world of cybercrime.

Here is a list of the laws the government is using to bring the spammers to justice:

The 41-count indictment covers three distinct, but interrelated, conspiracies to capture this evolution in their business practices. The indictment charges the defendants with the commission of several federal criminal offenses, including conspiracy, fraud in connection with electronic mail (CAN SPAM), computer fraud, mail fraud, wire fraud, and money laundering. It also charges the defendants with criminal asset forfeiture, as well as charging one defendant with making false statements to law enforcement.

Sadly enough, spammers have been bold enough to spoof all three investigative agencies involved in this case in the recent past. These spamming incidents are normally what are known as phishing attempts, where the intent of the spammer is to steal personal and financial information using social engineering techniques or malicious software.

The FTC released a report on spam a few days ago. One of its findings was that the people behind this activity are best addressed by agencies that go after criminal activity.

This action and Operation Bot Roast indicate that such efforts are already underway.

On the DOJ site right below the header on this press release is a warning about the DOJ itself being impersonated (spoofed).

A lot of people view spam as an annoying phenomenon in their inbox. If you really examine it, spam is the vehicle for just about every annoying and illegal activity on the Internet.

The full press release, including all the names of the spammers being charged can be seen, here.

Friday, January 04, 2008

CALPIRG does consumer study revealing that privacy laws are being ignored in California

Many believe that the reason behind the identity theft crisis is the irresponsible data mining and selling of people's personal and financial information. This information then gets stored in places where it is obtained (bought or stolen) by people who have more than a "marketing" interest in it.

The buying and selling of people's personal information is a multi-billion dollar business.

Given this, a lot of people and consumer groups are now questioning how this is done and how the information is protected.

CALPIRG, the California Public Interest Research Group has just released an "interesting" report on this subject and is making some recommendations to the California legislature to make the practice of buying and selling people's personal information more transparent.

From the press release on the CALPIRG site:

California’s consumers are “Still in the Dark” when it comes to who has access to their personal information according to a privacy report released today by the California Public Interest Research Group (CALPIRG).

“This holiday shopping season millions of consumers surrendered their personal information to retailers across the country with no idea how or with whom that information is shared” said Pedro Morillas, CALPIRG Consumer Advocate. “Fortunately there is light at the end of the tunnel. California already has some good policies regarding this issue. A few additions to the existing policies will give consumers the tools they need to safeguard their personal information.”
Currently, California law requires that if a consumer requests to find out where their information went, a company must reveal where the information went for the past calendar year, or provide a no-cost "opt-out" opportunity.

The report -- which includes a survey of customers trying to discover where their information went -- revealed that over one-third of the requests were ignored.

Even worse, in addition to not getting a response, many of the customers were given the runaround by being sent to other places within an organization or getting responses that had nothing to do with their original request.

CALPIRG is now calling on the California Legislature to strengthen the laws with additional measures. They propose the following additions to existing law, requiring:

Companies that do business with California consumers to respond to privacy requests, regardless of whether they share information with third parties.

Companies to both disclose the personal information shared, and the third parties with which it is shared, and provide consumers with an opportunity to opt out of future sharing.

Companies to place a box on their Web sites’ privacy pages allowing consumers to opt out of information sharing.

Companies to get an affirmative “opt-in” from consumers before sharing their information with third parties, as opposed to the current practice of requiring consumers to opt out in order to protect their privacy.

The full report from CALPIRG can be read, here.

Opting out and privacy notices with an abundance of fine print have been criticized as not being effective, or consumer friendly, for a while now. Here are two other posts I've written on this subject:

How does a telemarketer get your unlisted number?

Not answering a Privacy Notice gives the sender permission to sell your personal/financial information

Thursday, January 03, 2008

Lou Dobbs' audience responds to Hillary's allegation that he is full of hot air!

My wife, who is a die-hard Lou Dobbs fan, brought to my attention that Hillary Clinton had recently called him "full of hot air."

In response to this statement, Lou and crew ran this poll on their show yesterday.

The question they asked was:

Do you believe presidential candidates who support open borders, illegal alien amnesty, and outsourcing of middle class American jobs to cheap overseas labor markets are full of "hot air"?
I decided to check the results this morning and 95 percent of the people responding felt that the presidential candidates supporting open borders, illegal alien amnesty and outsourcing were "full of hot air."

Strangely enough -- if I remember one of the debates correctly -- it seems difficult to get Hillary to commit herself on some of the above listed issues.

Would that make some believe that her responses to these issues are full of hot air?

With the primaries starting today in Iowa, it will be interesting to see what the voice of the American people will be!

You can see the results of Lou's poll on his site, here.

You can also see the article that reported Hillary calling Lou full of "hot air" at Iowa State University (courtesy of, here.

If you would like to revisit Hillary's stunning reversal on the driver's licenses for illegal aliens issue (within 2 minutes) in the State she represents, the Captain's Quarters blog has commentary, here.

Tuesday, January 01, 2008

IT Policy Compliance Group looks back at what was important in 2007

The IT Policy Compliance Group issued a great year end analysis of the important events that took place in the world of IT security in 2007.

Lamont Wood wrote this interesting analysis and leads into it by saying:

Looking back, those who specialize in the history of corporate and cultural debacles may one day hail 2007 as the year when the dusty topic of document retention became a matter of corporate life and death. Thanks to the pervasiveness of networked computers, corporate data proved again and again that it could not only leak into the wild, but, once there, take on a life of its own, and do enormous harm to its parent.

The essay covers some interesting subjects like Data Breaches, PCI DSS Follies, CyberWars and The Dark Side.

It also includes a summary of the regulations that businesses had to learn to deal with in 2007.

I'm going to refrain from commenting further and instead direct people to these interesting observations, here.

I did another post on a report from the ITPCG entitled, IT Policy Compliance Group issues study on data breaches and information theft.

This report revealed that focusing on fewer, risk-focused control points, and then inspecting them more frequently, made an organization less likely to suffer data breaches/information theft.

If you haven't read the report yet, it is a worthwhile read, also.

In case you are unfamiliar with the IT Policy Compliance Group, here is their mission (in their own words):

The web site is dedicated to promoting the development of research and information that will help IT security professionals meet the policy and regulatory compliance goals of their organizations. Specifically, this site focuses on assisting organizations to improve compliance results by providing reports based on primary research as well as other related information and resources.

Here is who supports this site:

CSI (Computer Security Institute), The IIA (The Institute of Internal Auditors), ISACA (Information Systems Audit and Control Association), the IT Governance Institute, Protiviti, and acknowledge Symantec for providing the financial support to make this site possible.

FTC issues report on Malicious Spam and Phishing

The Federal Trade Commission just released its report on the current state of malicious spam and phishing in today's electronic world.

Interestingly enough, it points out that spammers are criminals.

While this isn't a new revelation, the report seems to want to drive that point home. Maybe this is part of the education process referred to at the bottom of this post?

Here is what the press release had to say:

During the workshop, panelists confirmed that spam has increasingly become a significant global vector for the dissemination of malware and the propagation of financial crimes. Panelists opined that, in most instances, the acts of malicious spammers are inherently criminal, and criminal law enforcement agencies are best suited to shut down their criminal operations.
The report discusses the problem of botnets at length and refers to a 2006 report stating that an estimated 12 million bot-infected computers are being used to send spam. The report also states that most of these computers are physically located outside the United States.

Going deeper into the problem, the report discusses a phenomenon called fast flux:

With fast flux, infected bot computers serve as proxies or hosts for malicious websites. The IP addresses for these sites are rotated regularly to evade discovery. For example, a phisher can deploy numerous and different IP addresses for a single phishing campaign, foiling the efforts of ISPs and law enforcement seeking to stop these campaigns by dismantling a single web site. Despite these challenges, the record reflects that at least one ISP does take proactive measures to detect and disconnect “fast flux” web sites from a portion of its network.
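As an added illustration (not code from the FTC report or this post) of how a defender can spot the rotation described above: a small Python scorer that reads repeated DNS lookups of a domain over time and flags names whose answers keep churning through fresh IPs with short TTLs. The domains, addresses and thresholds are constructed for the example; a round-robin CDN can look similar, so treat a hit as a triage signal, not proof.

```python
"""Score repeated DNS lookups for fast-flux-style churn (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample lookups: (seconds since start, domain, TTL, answer IPs).
# A real collector would re-query each domain every few minutes and log answers.
SAMPLE_LOOKUPS = [
    (0,   "shop-update.example", 300,  ["198.51.100.7", "203.0.113.9", "192.0.2.44"]),
    (300, "shop-update.example", 300,  ["203.0.113.120", "198.51.100.200", "192.0.2.77"]),
    (600, "shop-update.example", 300,  ["192.0.2.5", "203.0.113.66", "198.51.100.33"]),
    (900, "shop-update.example", 300,  ["198.51.100.90", "192.0.2.150", "203.0.113.201"]),
    (0,   "static.example",      3600, ["198.51.100.10", "198.51.100.11"]),
    (300, "static.example",      3600, ["198.51.100.10", "198.51.100.11"]),
    (600, "static.example",      3600, ["198.51.100.10", "198.51.100.11"]),
    (900, "static.example",      3600, ["198.51.100.10", "198.51.100.11"]),
]


@dataclass
class FluxScore:
    domain: str
    unique_ips: int   # distinct addresses seen across all lookups
    min_ttl: int      # shortest TTL observed (flux hosts keep it low)
    churn: float      # share of consecutive lookups sharing no IP at all
    suspicious: bool


def score_lookups(lookups, min_unique=8, max_ttl=600, min_churn=0.5):
    """Return one FluxScore per domain, sorted by domain name.

    Thresholds are assumed values for illustration: many distinct IPs,
    a short TTL and complete answer turnover between lookups together
    match the rotation pattern the FTC report describes.
    """
    by_domain = defaultdict(list)
    for ts, domain, ttl, ips in lookups:
        # ip_address() rejects malformed answers instead of scoring garbage.
        by_domain[domain].append((ts, ttl, {ip_address(ip) for ip in ips}))

    scores = []
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])
        unique = set().union(*(r[2] for r in rows))
        min_ttl = min(r[1] for r in rows)
        pairs = list(zip(rows, rows[1:]))
        disjoint = sum(1 for a, b in pairs if a[2].isdisjoint(b[2]))
        churn = disjoint / len(pairs) if pairs else 0.0
        suspicious = (len(unique) >= min_unique and min_ttl <= max_ttl
                      and churn >= min_churn)
        scores.append(FluxScore(domain, len(unique), min_ttl, round(churn, 2), suspicious))
    return sorted(scores, key=lambda s: s.domain)


def flagged_domains(lookups):
    """Names worth a closer look, e.g. for blocking at a resolver or proxy."""
    return [s.domain for s in score_lookups(lookups) if s.suspicious]


if __name__ == "__main__":
    for score in score_lookups(SAMPLE_LOOKUPS):
        print(score)
```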
The report also acknowledges that DIY (do it yourself) crimeware kits are making it easy for just about anyone to mount a phishing campaign. One kit described sells for as little as $17.

Also cited are some statements from jailed bot-herders that botnets are being rented out for $300-$700 an hour.

The report also gives some statistical information on what this is costing all of us:

A survey by Consumer Reports reveals that viruses, phishing, and spyware resulted in over $7 billion in costs to U.S. consumers in 2007. The survey revealed further that computer infections prompted 850,000 U.S. households to replace their computers. The costs to businesses also are high. One panelist reported that 80 percent of 639 businesses it studied experienced cybercrime-related losses, totaling $130 million.
Also included in the report is information on Operation Bot Roast conducted by the FBI and Department of Justice.

Besides going after the criminal element, the report states that e-mail authentication is crucial in detecting spam at the ISP level so that it can be filtered out by existing spam filters.

Of greatest importance (call me a socialist) is that the report calls for a broader effort to educate the public on the dangers of spam:

Consumer and business education can have a significant impact in the fight against spam and phishing. Because spam is an ever-evolving problem, stakeholders should revitalize efforts to educate consumers about how to protect their computers from online threats and improve methods for disseminating educational materials to consumers and businesses. In addition, the Summit identified consumer-interfacing tools such as spam reporting buttons as valuable tools for ISPs and reputation service providers. Accordingly, staff will encourage industry to continue to develop and fine-tune such tools.

In keeping with this theory, the FTC has three sites listed on the right side of the press release to educate the public about spam: FTC Spam site, OnGuard Online: Spam Scams and OnGuard Online: Phishing.

The full report can be viewed, here.

Discovering a record amount of information theft only solves half the problem

Has anyone besides me noticed that when data breaches are reported, we see an official statement that the information hasn't been used by identity thieves?

After thinking on that one for awhile, it makes sense that criminals would stop using the information from a data breach after it has been reported.

As for information used before the breach is discovered, it's pretty hard to prove where the information came from in an identity theft case. With so much compromised information out there, it's nearly impossible to figure out where the point of compromise is in any individual case.

When a data breach occurs, a lot of accounts are closed down and everyone who has been compromised runs out and checks their credit reports. Most of the time, free identity theft monitoring is made available to those who have been breached, also.

My guess is that once the stolen information is made public, it's probably dangerous to use. At the very least, it probably doesn't hold the same profit value that it had when no one knew it had been stolen.

For the past week, the news has been awash with the year end statistics on data breaches. By all the recent news accounts, 2007 was a record year.

While reporting data breaches is painful and costly, reporting them probably makes the information a lot harder to exploit for criminal purposes.

Although 2007 saw a record number of reported data breaches, very few of the criminals stealing the information got caught. Organizations losing the information are starting to be held accountable, but it would be nice to see more of the criminals stealing the information brought to justice.

Another thing to consider is that data breaches aren't putting organizations out of business. True, they are costly, but in the end the cost is normally passed on to everyone using their services.

In the end, we are all paying for the cost of fixing data breaches.

And while a record number of data breaches were reported, there would have to be some that no one (except the criminals) knows about.

My guess is that there is a lot of information theft that is never detected. I would also surmise that this is considered the most valuable information being sold and used by criminals.

Compromised information is normally most effective when the person who it belongs to doesn't know it's being used.

Until we impact both sides of the equation -- the people losing information and punishing the people stealing it -- we are probably going to see news reports reflecting record statistics on the amount of data breaches occurring.

To do this, we need to focus more resources on catching the people stealing the information and enact laws that make it hurt when they get caught.

The last statistic I saw was that less than 1 percent of them get caught, and if they do, they normally get a slap on the wrist. A lot of the reasons for this are insufficient resources to investigate fraud and a lot of cases that are never reported by both organizations and individuals.

AP article (courtesy of the Washington Post) on 2007 data breach trends, here.

Update: Dissent from the Chronicles of Dissent and PogoWasRight left a good comment on this post pointing out that a lot of people did get caught this year. He is right and I did posts on a number of them.

The people out there catching the crooks stealing the data would be able to do a lot more if they were given more resources!

The Chronicles of Dissent has an excellent article on this subject that I highly recommend to anyone interested in the phenomenon of data breaches, here.