Saturday, April 05, 2008

Identity theft victim branded a paedophile still suffering after proven innocent!

This isn't the first time, I've written about Operation Ore, where a lot of British citizens were wrongfully accused of viewing child pornography.

Operation Ore was the result of an investigation conducted in the United States (Operation Avalanche), where a lot of credit card details being used to view child pornography were provided to the British authorities. It eventually led to a lot of people, including Pete Townsend of the Who, being charged with viewing child pornography.

It was later revealed that a large number of the credit card numbers obtained in the Avalanche search warrant had been stolen in one of the data breaches we read about, too frequently. In my original post on this story, I wrote about the data breach that caused this:

54,348 of the credit card numbers discovered in the U.S. search warrant were identified as having been stolen from Levenger Incorporated, a luxury goods company. Of course, Levenger declined to comment on how the information was stolen.

This case showed how an innocent person can be charged with a crime after becoming an identity theft victim.

The BBC just did a personal account of one person, who was victimized by being wrongfully accused, where they wrote:

With ID fraud on the rise, the assumption is you'll lose money which can be claimed back. But Simon Bunce lost his job, and his father cut off contact, when he was arrested after an ID fraudster used his credit card details on a child porn website.
And Mr. Bunce didn't frequent "fly by night e-commerce sites, either." In his own words his credit card details were stolen from a "trusted" site.

The bottom line is that Mr. Bunce lost his job, was shunned by his own family and branded as a paedophile.

Furthermore, months later when he cleared his name, it took him a long time to get another job earning only a fraction of his previous salary. Even though, he has clearly been proven innocent, Mr. Bunce is still suffering the financial repercussions of identity theft.

While I'm certain that cases like this have made the authorities a little more careful of who they are prosecuting, if a criminal assumes a legitimate identity (complete with documents to support it) this could be happen to any of us.

This case and the personal story of Mr. Bunce clearly shows the dangers everyone is facing from continuing to store too much information in too many not very secure places.

BBC article (highly recommended reading), here.

Attrition.org and PogoWasRight try to document the record amount of everyone's information that is stolen. Please note, there is so much of it being compromised they freely admit they cannot keep track of it all. Of course, the criminals stealing it probably don't reveal all the places they are getting it, either.

Suad Leija's Paper Weapons site shows how easily (extremely convincing) documents can be obtained by just about anyone to use the stolen information. "They are as good as anything in your pocket," according to Suad.

I also try to keep up with some of this on this blog. Here is my original post on Operation Ore, which was called Operation Avalanche in the United States:

British citizens accused of child porn found to be fraud victims

Wednesday, April 02, 2008

NATO Summit and EU Conference address the global reaches of illict cyber activity

On the Internet -- crime, espionage and some say, terrorism can cross a border with the click of a mouse. Because of this, it probably shouldn't be surprising that this is a hot topic at the NATO summit, as well as, a seperate conference conducted by the EU.

The AP is reporting:

At a two-day conference starting Tuesday in Strasbourg, France, the Council of Europe will to review implementation of the international Convention on Cybercrime and discuss ways to improve international cooperation.

Cyber defense also will be on the agenda when heads of state from NATO's 26 member nations gather in Bucharest Wednesday for three days. The leaders are expected to debate new guidelines for coordinating cyber defense.
Cyber defense is increasingly becoming a concern. For instance, there is increasing evidence that the Chinese have been hacking into other government's systems and have a cyber war doctrine being developed.

Last year, there was the much written about attack on the government of Estonia, also.

The EU conference will also address more financially motivated criminal activity on the Internet, also.

The AP article quotes a German University Professor, Marco Gercke, who specializes in computer law as saying:

Compared to regular terror attacks, it is much easier for the offenders to hide their identity. There are at least 10 unique challenges that make it very difficult to fight computer-related crime," said Gercke, one of the conference participants. "The success rate of cybercrime is very high."
While it is unknown, whether or not, these meetings of the minds will yield any results -- the fact is that unless there is greater cooperation and collusion between the good guys -- the problems of undesirable activity being spread with the click of a mouse is likely to continue growing at an alarming rate.

A little more teamwork and forward thinking might go a long way towards solving the problem. Of course, taking some of the players out from the opposition (bad guys) would go a long way, also!

To close this brief post, I would like to point to matters a little closer at home. An American computer law expert recently wrote a forward thinking article on the Hannaford data breach, where hackers stole 4.2 million payment (credit/debit) card numbers and the recent settlement between TJX and the FTC.

In his well thought out article, Ben Wright of SANS writes:

The FTC is well-meaning here, but it is misdirected. By singling out TJX and chastising it with the “unfairness” “bad guy” rhetoric, the FTC distracts the necessary public conversation. It implies that if we can just punish these lazy merchants enough (and force them to comply with the PCI and similar controls), then credit cards will be safe. That’s wrong.

The criminal warfare directed at the credit card system is more powerful than the theory behind PCI. The whole credit card system needs to change. As a society we need to focus on beating the criminals, and stop flogging victims like TJX as unfair privacy infringers.

To me, this means that instead of spending all our resources on inadequate security and filing litigation against the "unlucky targets" of organized cyber crime, we need to start addressing the root of the problem. I'll give anyone reading this one guess, who that might be?

Tuesday, April 01, 2008

Royal Canadian Mounted Police computers turned into spam spewing zombies by employee!

While the fact that the RCMP (Royal Canadian Mounted Police) computers were exposed to badware because an employee was doing some "unauthorized surfing" makes good press -- it highlights what can happen to any business, or government system when human beings use them to go to the murkier waters of the Internet.

Trust me, the RCMP isn't the only organization that has had an employee compromise their system in this manner.

Robert Koopmans, Kamloops Daily News (courtesy of the Vancouver Sun) reports:

The security of RCMP computers used to process evidence for a looming multimillion-dollar trial was breached from outside the agency, exposing sensitive files to the possibility of theft and tampering, Crown documents reveal.

The police computers were also used to view pornography and download music and illegal software, a letter from senior Kamloops Crown prosecutor Don Mann states.
Apparently, these computers were also turned into spam spewing zombies, or became part of a botnet as a result of some of the malware downloaded on them. Botnets are "a jargon term for a collection of software robots, or bots, which run autonomously and automatically. They run on groups of zombie computers controlled remotely," according to Wikipedia.

More from the article in the Vancouver Sun:

The Crown document reveals the computers were hooked to the Internet in October 2003 and remained connected until May 2005, when Shaw notified the RCMP that the police agency's computers were spamming e-mail to the Internet. The breach was discovered and the connection to the Internet shut down.

Since spam is the preferred vehicle of Internet scammers, it's possible the computers were "inadvertantly" being used to commit crimes, themselves.

There are many examples of employees downloading undesirable items on a system, but here is another example of one, where a Japanese law enforcement type essentially did the same thing.

If anyone is interested in the dangers employees can pose to a system ZDNet did an excellent white paper on this subject:

The Top Six Risks of Employee Internet Use and How to Stop Them

Full story on this recent matter published in the Vancouver Sun, here.

Sunday, March 30, 2008

ICE raid nets 49 illegal security guards in Texas

Looks like the folks at ICE have been busy in Texas going after illegal security providers, some of whom, apparently were armed.

Jason Trahan at the Dallas Morning News reports:

A task force led by U.S. Immigration and Customs Enforcement raided more than two dozen mostly Latino night clubs, restaurants, pool halls and other businesses Saturday night, arresting 49 undocumented immigrants employed as security guards, officials said.

All of those arrested work for two local security companies, which authorities declined to identify Sunday.
The investigation into these security guard providers might be ongoing because in Texas, as in most States, security services are a regulated business for which a license must be obtained.

According to the Texas Department of Public Safety:

Under state law, commissioned security officers must successfully complete a 30-hour school. Once the course is completed, commissioned officers must wear a specific uniform indicating the company by whom they are employed while carrying their weapons.

Applicants for licensing or registration by the Private Security Bureau must have undergone a fingerprint-based state and national criminal history check. Applicants who have been convicted of a felony or a Class A misdemeanor cannot be considered for a license for 20 years. Applicants convicted of a Class B misdemeanor can apply for consideration after 5 years. Some Class B misdemeanors, such as first-time DWI, do not disqualify an applicant from receiving a license or application.

Maybe this is why -- despite the lack of official commentary on the matter -- Craig Watkins the Dallas County District Attorney stated:

Hopefully, this operation will help us send a message that we will not tolerate the falsification of documents for undocumented aliens under the guise of providing security.

Counterfeit documents are a huge problem and enable a lot of illegally placed individuals to obtain employment that they would otherwise be barred from. Given that they are easily available, they are a gateway for all kinds of other criminal activity, also.

This isn't the first time, a story has broken, where counterfeit documents allowed people using an unverified or even someone else's identity to perform duties they never should have been able to.

Although a few miles from Dallas, in November, James Slack of the Daily Mail revealed that 5,000 illegal immigrants were working as security guards in some of the United Kingdom's most sensitive buildings.

In January of 2007, the Herald Tribune reported that 40 illegal immigrants were arrested on military bases by ICE. The same story referenced an earlier story, where 60 illegal immigrants were arrested at Fort Bragg, North Carolina, home of the 82nd Airborne Division and Special Operations Units.

Earlier this month, Neville W. Cramer wrote in Today's Facility Manager about the growing problem from a facility management perspective:

While there are a multitude of economic and social issues surrounding the millions of illegal aliens currently in the U.S., two issues should be of specific concern to facility managers (fms). The first is security, and the second is comprehensive immigration reform. Since the latter is currently hung up in Congress, this article will examine security first.

Federal, state, and municipal law enforcement agencies are well aware that some of the largest employers of illegal aliens are directly and peripherally involved in building services and maintenance. Whether it is the cleaning crews, the janitors, the trash removal workers, or the security guards, illegal immigrants make up a significant portion of the workforce.

While this recent event in Dallas highlights the illegal immigration problem from the South -- there are illegal immigrants from other parts of the World working as security guards -- who likely have been planted in facilities or organizations for the purposes of stealing information.

From the Today's Facility article:

For instance, organized criminals from West Africa (Nigeria, Ghana, Sierra Leone, etc.) are now firmly entrenched nationwide in the security guard business. They are usually educated, well mannered men and women who are willing to work weekends and midnight shifts.

Unfortunately, what is not widely known is that “while guarding the henhouse,” many of these contracted security workers are suspected of stealing employee and customer identity data and company proprietary information. In some instances, these guards are using multiple fraudulent identities themselves, making it almost impossible for law enforcement to catch up with them. Fms should be aware of these emerging trends and, along with law enforcement and security professionals, take whatever steps are necessary to mitigate their risks.

The article sums up it's thoughts with the well known fact that the current Employment Eligibility Employment Verification Form (1-9) is woefully inadequate, especially with all the stolen identities and counterfeit documents that are easily obtained, just about anywhere.

Even with no match SSN legislation forthcoming -- which will require social security numbers to match a name -- the system will probably still be manipulated. There is a lot of stolen information out there, which contains both names and social security numbers, already. The groups counterfeiting documents will just have to make sure everything matches.

This is likely to cause an explosion in the number of identity theft cases, which is already a growing problem.

This legislation, which has been held up by a Federal Judge in San Francisco at the behest of the ACLU and other groups, appears to be poised to be enacted in the near-term. Arizona, which has the highest rate of identity theft in the nation, has already enacted a similar law.

Dallas Morning News story, here.

Well written and informative article by Neville W. Cramer, here.

If you want to learn more about the easy availability of counterfeit documents and how they are being dispensed throughout the U.S. (and probably the World) by organized criminal gangs, I recommend going to Suad Leija's Paper Weapons site. The information on this site has been covered extensively by the mainstream media and is likely being used by government entities to discover the full scope of this scary problem.

Lehman Bros. scammed for $355 million by two dishonest employees

With all the recent problems with Bear Stearns, the news that Lehman Brothers is getting smacked with a $355 million fraud is hardly good news in a gloomy financial market.

The scam in question was allegedly perpetrated by two contract (?) employees of Marubeni Corporation, a Japanese trading house. The deal involved a loan to a company called Asclepius Limited to finance medical leases. Asclepius Limited is now bankrupt.

Although the details are still sketchy, Reuters was able get a comment from an anonymous source:

It is being reported that Lehman is claming that employees of The fraud may have hit other financial institutions as well, according to the source, who spoke on condition of anonymity.

If Lehman's arguments are true, the scamsters perpetrated one of the more sophisticated corporate con jobs since Enron set up a fake trading floor to impress analysts. Lehman believes the scam included forged documents and an imposter.
According to Maurbeni, they've fired the two employees in question and are claiming they were contract employees. Lehman Brothers is stating they intend to file a law suit to recover the money and predictably Maurbeni is claiming they are not liable.

The scam was set up by the two Maurbeni (contract?) employees, who secured the money for the loan in advance from Lehman Brothers. In performing the due diligence on the loan, Lehman met with who they thought was a general manager for Maurbeni, but was actually an impostor.

Reuters is also reporting that the now bankrupt company, Asclepius Limited is under suspicion by the Japanese government for being involved in "illegal dealings."

I wouldn't want to be the the Lehman executive, who was responsible for setting up the due diligence on this deal!

Blogging Stocks, who also covered this story, brought up a scary observation about how this could take a toll on Lehman Brothers:

There has been concern for several weeks that Lehman Brothers (NYSE: LEH) might have problems similar to Bear Stearns (NYSE: BSC). Customers might be worried about Lehman's financial health and, if they were to withdraw large sums of money, the brokerage could face liquidity problems.

There is little doubt that a lot of fraud, or at the very least, "deceptive practices" led to the current financial crisis we are seeing in the mortgage industry. The mortgage crisis and this latest faux pas are clear examples of how the financial services industry needs to wake up and smell the coffee when it comes to how they conduct their daily business.

Since it is Sunday, I guess we'll have to wait until tomorrow to see if this makes a gloomy financial trend, even worse.

Reuters story, here.

Blogging Stocks story, here.